This commit was manufactured by cvs2git to create branch 'openssl'.

803 files changed, 170380 insertions, 0 deletions

diff --git a/src/lib/libssl/src/CHANGES b/src/lib/libssl/src/CHANGES
new file mode 100644
index 0000000000..d0db7eaf61
--- /dev/null
+++ b/src/lib/libssl/src/CHANGES
@@ -0,0 +1,1624 @@
+
+ OpenSSL CHANGES
+ _______________
+
+ Changes between 0.9.3a and 0.9.4  [09 Aug 1999]
+  
+  *) Install libRSAglue.a when OpenSSL is built with RSAref.
+     [Ralf S. Engelschall]
+
+  *) A few more ``#ifndef NO_FP_API / #endif'' pairs for consistency.
+     [Andrija Antonijevic <TheAntony2@bigfoot.com>]
+
+  *) Fix -startdate and -enddate (which was missing) arguments to 'ca'
+     program.
+     [Steve Henson]
+
+  *) New function DSA_dup_DH, which duplicates DSA parameters/keys as
+     DH parameters/keys (q is lost during that conversion, but the resulting
+     DH parameters contain its length).
+
+     For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is
+     much faster than DH_generate_parameters (which creates parameters
+     where p = 2*q + 1), and also the smaller q makes DH computations
+     much more efficient (160-bit exponentiation instead of 1024-bit
+     exponentiation); so this provides a convenient way to support DHE
+     ciphersuites in SSL/TLS servers (see ssl/ssltest.c).  It is of
+     utter importance to use
+         SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
+     or
+         SSL_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
+     when such DH parameters are used, because otherwise small subgroup
+     attacks may become possible!
+     [Bodo Moeller]
+
+  *) Avoid memory leak in i2d_DHparams.
+     [Bodo Moeller]
+
+  *) Allow the -k option to be used more than once in the enc program:
+     this allows the same encrypted message to be read by multiple recipients.
+     [Steve Henson]
+
+  *) New function OBJ_obj2txt(buf, buf_len, a, no_name), this converts
+     an ASN1_OBJECT to a text string. If the "no_name" parameter is set then
+     it will always use the numerical form of the OID, even if it has a short
+     or long name.
+     [Steve Henson]
+
+  *) Added an extra RSA flag: RSA_FLAG_EXT_PKEY. Previously the rsa_mod_exp
+     method only got called if p,q,dmp1,dmq1,iqmp components were present,
+     otherwise bn_mod_exp was called. In the case of hardware keys for example
+     no private key components need be present and it might store extra data
+     in the RSA structure, which cannot be accessed from bn_mod_exp. By setting
+     RSA_FLAG_EXT_PKEY rsa_mod_exp will always be called for private key
+     operations.
+     [Steve Henson]
+
+  *) Added support for SPARC Linux.
+     [Andy Polyakov]
+
+  *) pem_password_cb function type incompatibly changed from
+          typedef int pem_password_cb(char *buf, int size, int rwflag);
+     to
+          ....(char *buf, int size, int rwflag, void *userdata);
+     so that applications can pass data to their callbacks:
+     The PEM[_ASN1]_{read,write}... functions and macros now take an
+     additional void * argument, which is just handed through whenever
+     the password callback is called.
+     [Damien Miller <dmiller@ilogic.com.au>, with tiny changes by Bodo Moeller]
+
+     New function SSL_CTX_set_default_passwd_cb_userdata.
+
+     Compatibility note: As many C implementations push function arguments
+     onto the stack in reverse order, the new library version is likely to
+     interoperate with programs that have been compiled with the old
+     pem_password_cb definition (PEM_whatever takes some data that
+     happens to be on the stack as its last argument, and the callback
+     just ignores this garbage); but there is no guarantee whatsoever that
+     this will work.
+
+  *) The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=...
+     (both in crypto/Makefile.ssl for use by crypto/cversion.c) caused
+     problems not only on Windows, but also on some Unix platforms.
+     To avoid problematic command lines, these definitions are now in an
+     auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl
+     for standard "make" builds, by util/mk1mf.pl for "mk1mf" builds).
+     [Bodo Moeller]
+
+  *) MIPS III/IV assembler module is reimplemented.
+     [Andy Polyakov]
+
+  *) More DES library cleanups: remove references to srand/rand and
+     delete an unused file.
+     [Ulf Möller]
+
+  *) Add support for the the free Netwide assembler (NASM) under Win32,
+     since not many people have MASM (ml) and it can be hard to obtain.
+     This is currently experimental but it seems to work OK and pass all
+     the tests. Check out INSTALL.W32 for info.
+     [Steve Henson]
+
+  *) Fix memory leaks in s3_clnt.c: All non-anonymous SSL3/TLS1 connections
+     without temporary keys kept an extra copy of the server key,
+     and connections with temporary keys did not free everything in case
+     of an error.
+     [Bodo Moeller]
+
+  *) New function RSA_check_key and new openssl rsa option -check
+     for verifying the consistency of RSA keys.
+     [Ulf Moeller, Bodo Moeller]
+
+  *) Various changes to make Win32 compile work: 
+     1. Casts to avoid "loss of data" warnings in p5_crpt2.c
+     2. Change unsigned int to int in b_dump.c to avoid "signed/unsigned
+        comparison" warnings.
+     3. Add sk_<TYPE>_sort to DEF file generator and do make update.
+     [Steve Henson]
+
+  *) Add a debugging option to PKCS#5 v2 key generation function: when
+     you #define DEBUG_PKCS5V2 passwords, salts, iteration counts and
+     derived keys are printed to stderr.
+     [Steve Henson]
+
+  *) Copy the flags in ASN1_STRING_dup().
+     [Roman E. Pavlov <pre@mo.msk.ru>]
+
+  *) The x509 application mishandled signing requests containing DSA
+     keys when the signing key was also DSA and the parameters didn't match.
+
+     It was supposed to omit the parameters when they matched the signing key:
+     the verifying software was then supposed to automatically use the CA's
+     parameters if they were absent from the end user certificate.
+
+     Omitting parameters is no longer recommended. The test was also
+     the wrong way round! This was probably due to unusual behaviour in
+     EVP_cmp_parameters() which returns 1 if the parameters match. 
+     This meant that parameters were omitted when they *didn't* match and
+     the certificate was useless. Certificates signed with 'ca' didn't have
+     this bug.
+     [Steve Henson, reported by Doug Erickson <Doug.Erickson@Part.NET>]
+
+  *) Memory leak checking (-DCRYPTO_MDEBUG) had some problems.
+     The interface is as follows:
+     Applications can use
+         CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) aka MemCheck_start(),
+         CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF) aka MemCheck_stop();
+     "off" is now the default.
+     The library internally uses
+         CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE) aka MemCheck_off(),
+         CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE) aka MemCheck_on()
+     to disable memory-checking temporarily.
+
+     Some inconsistent states that previously were possible (and were
+     even the default) are now avoided.
+
+     -DCRYPTO_MDEBUG_TIME is new and additionally stores the current time
+     with each memory chunk allocated; this is occasionally more helpful
+     than just having a counter.
+
+     -DCRYPTO_MDEBUG_THREAD is also new and adds the thread ID.
+
+     -DCRYPTO_MDEBUG_ALL enables all of the above, plus any future
+     extensions.
+     [Bodo Moeller]
+
+  *) Introduce "mode" for SSL structures (with defaults in SSL_CTX),
+     which largely parallels "options", but is for changing API behaviour,
+     whereas "options" are about protocol behaviour.
+     Initial "mode" flags are:
+
+     SSL_MODE_ENABLE_PARTIAL_WRITE   Allow SSL_write to report success when
+                                     a single record has been written.
+     SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER  Don't insist that SSL_write
+                                     retries use the same buffer location.
+                                     (But all of the contents must be
+                                     copied!)
+     [Bodo Moeller]
+
+  *) Bugfix: SSL_set_mode ignored its parameter, only SSL_CTX_set_mode
+     worked.
+
+  *) Fix problems with no-hmac etc.
+     [Ulf Möller, pointed out by Brian Wellington <bwelling@tislabs.com>]
+
+  *) New functions RSA_get_default_method(), RSA_set_method() and
+     RSA_get_method(). These allows replacement of RSA_METHODs without having
+     to mess around with the internals of an RSA structure.
+     [Steve Henson]
+
+  *) Fix memory leaks in DSA_do_sign and DSA_is_prime.
+     Also really enable memory leak checks in openssl.c and in some
+     test programs.
+     [Chad C. Mulligan, Bodo Moeller]
+
+  *) Fix a bug in d2i_ASN1_INTEGER() and i2d_ASN1_INTEGER() which can mess
+     up the length of negative integers. This has now been simplified to just
+     store the length when it is first determined and use it later, rather
+     than trying to keep track of where data is copied and updating it to
+     point to the end.
+     [Steve Henson, reported by Brien Wheeler
+      <bwheeler@authentica-security.com>]
+
+  *) Add a new function PKCS7_signatureVerify. This allows the verification
+     of a PKCS#7 signature but with the signing certificate passed to the
+     function itself. This contrasts with PKCS7_dataVerify which assumes the
+     certificate is present in the PKCS#7 structure. This isn't always the
+     case: certificates can be omitted from a PKCS#7 structure and be
+     distributed by "out of band" means (such as a certificate database).
+     [Steve Henson]
+
+  *) Complete the PEM_* macros with DECLARE_PEM versions to replace the
+     function prototypes in pem.h, also change util/mkdef.pl to add the
+     necessary function names. 
+     [Steve Henson]
+
+  *) mk1mf.pl (used by Windows builds) did not properly read the
+     options set by Configure in the top level Makefile, and Configure
+     was not even able to write more than one option correctly.
+     Fixed, now "no-idea no-rc5 -DCRYPTO_MDEBUG" etc. works as intended.
+     [Bodo Moeller]
+
+  *) New functions CONF_load_bio() and CONF_load_fp() to allow a config
+     file to be loaded from a BIO or FILE pointer. The BIO version will
+     for example allow memory BIOs to contain config info.
+     [Steve Henson]
+
+  *) New function "CRYPTO_num_locks" that returns CRYPTO_NUM_LOCKS.
+     Whoever hopes to achieve shared-library compatibility across versions
+     must use this, not the compile-time macro.
+     (Exercise 0.9.4: Which is the minimum library version required by
+     such programs?)
+     Note: All this applies only to multi-threaded programs, others don't
+     need locks.
+     [Bodo Moeller]
+
+  *) Add missing case to s3_clnt.c state machine -- one of the new SSL tests
+     through a BIO pair triggered the default case, i.e.
+     SSLerr(...,SSL_R_UNKNOWN_STATE).
+     [Bodo Moeller]
+
+  *) New "BIO pair" concept (crypto/bio/bss_bio.c) so that applications
+     can use the SSL library even if none of the specific BIOs is
+     appropriate.
+     [Bodo Moeller]
+
+  *) Fix a bug in i2d_DSAPublicKey() which meant it returned the wrong value
+     for the encoded length.
+     [Jeon KyoungHo <khjeon@sds.samsung.co.kr>]
+
+  *) Add initial documentation of the X509V3 functions.
+     [Steve Henson]
+
+  *) Add a new pair of functions PEM_write_PKCS8PrivateKey() and 
+     PEM_write_bio_PKCS8PrivateKey() that are equivalent to
+     PEM_write_PrivateKey() and PEM_write_bio_PrivateKey() but use the more
+     secure PKCS#8 private key format with a high iteration count.
+     [Steve Henson]
+
+  *) Fix determination of Perl interpreter: A perl or perl5
+     _directory_ in $PATH was also accepted as the interpreter.
+     [Ralf S. Engelschall]
+
+  *) Fix demos/sign/sign.c: well there wasn't anything strictly speaking
+     wrong with it but it was very old and did things like calling
+     PEM_ASN1_read() directly and used MD5 for the hash not to mention some
+     unusual formatting.
+     [Steve Henson]
+
+  *) Fix demos/selfsign.c: it used obsolete and deleted functions, changed
+     to use the new extension code.
+     [Steve Henson]
+
+  *) Implement the PEM_read/PEM_write functions in crypto/pem/pem_all.c
+     with macros. This should make it easier to change their form, add extra
+     arguments etc. Fix a few PEM prototypes which didn't have cipher as a
+     constant.
+     [Steve Henson]
+
+  *) Add to configuration table a new entry that can specify an alternative
+     name for unistd.h (for pre-POSIX systems); we need this for NeXTstep,
+     according to Mark Crispin <MRC@Panda.COM>.
+     [Bodo Moeller]
+
+#if 0
+  *) DES CBC did not update the IV. Weird.
+     [Ben Laurie]
+#else
+     des_cbc_encrypt does not update the IV, but des_ncbc_encrypt does.
+     Changing the behaviour of the former might break existing programs --
+     where IV updating is needed, des_ncbc_encrypt can be used.
+#endif
+
+  *) When bntest is run from "make test" it drives bc to check its
+     calculations, as well as internally checking them. If an internal check
+     fails, it needs to cause bc to give a non-zero result or make test carries
+     on without noticing the failure. Fixed.
+     [Ben Laurie]
+
+  *) DES library cleanups.
+     [Ulf Möller]
+
+  *) Add support for PKCS#5 v2.0 PBE algorithms. This will permit PKCS#8 to be
+     used with any cipher unlike PKCS#5 v1.5 which can at most handle 64 bit
+     ciphers. NOTE: although the key derivation function has been verified
+     against some published test vectors it has not been extensively tested
+     yet. Added a -v2 "cipher" option to pkcs8 application to allow the use
+     of v2.0.
+     [Steve Henson]
+
+  *) Instead of "mkdir -p", which is not fully portable, use new
+     Perl script "util/mkdir-p.pl".
+     [Bodo Moeller]
+
+  *) Rewrite the way password based encryption (PBE) is handled. It used to
+     assume that the ASN1 AlgorithmIdentifier parameter was a PBEParameter
+     structure. This was true for the PKCS#5 v1.5 and PKCS#12 PBE algorithms
+     but doesn't apply to PKCS#5 v2.0 where it can be something else. Now
+     the 'parameter' field of the AlgorithmIdentifier is passed to the
+     underlying key generation function so it must do its own ASN1 parsing.
+     This has also changed the EVP_PBE_CipherInit() function which now has a
+     'parameter' argument instead of literal salt and iteration count values
+     and the function EVP_PBE_ALGOR_CipherInit() has been deleted.
+     [Steve Henson]
+
+  *) Support for PKCS#5 v1.5 compatible password based encryption algorithms
+     and PKCS#8 functionality. New 'pkcs8' application linked to openssl.
+     Needed to change the PEM_STRING_EVP_PKEY value which was just "PRIVATE
+     KEY" because this clashed with PKCS#8 unencrypted string. Since this
+     value was just used as a "magic string" and not used directly its
+     value doesn't matter.
+     [Steve Henson]
+
+  *) Introduce some semblance of const correctness to BN. Shame C doesn't
+     support mutable.
+     [Ben Laurie]
+
+  *) "linux-sparc64" configuration (ultrapenguin).
+     [Ray Miller <ray.miller@oucs.ox.ac.uk>]
+     "linux-sparc" configuration.
+     [Christian Forster <fo@hawo.stw.uni-erlangen.de>]
+
+  *) config now generates no-xxx options for missing ciphers.
+     [Ulf Möller]
+
+  *) Support the EBCDIC character set (work in progress).
+     File ebcdic.c not yet included because it has a different license.
+     [Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>]
+
+  *) Support BS2000/OSD-POSIX.
+     [Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>]
+
+  *) Make callbacks for key generation use void * instead of char *.
+     [Ben Laurie]
+
+  *) Make S/MIME samples compile (not yet tested).
+     [Ben Laurie]
+
+  *) Additional typesafe stacks.
+     [Ben Laurie]
+
+  *) New configuration variants "bsdi-elf-gcc" (BSD/OS 4.x).
+     [Bodo Moeller]
+
+
+ Changes between 0.9.3 and 0.9.3a  [29 May 1999]
+
+  *) New configuration variant "sco5-gcc".
+
+  *) Updated some demos.
+     [Sean O Riordain, Wade Scholine]
+
+  *) Add missing BIO_free at exit of pkcs12 application.
+     [Wu Zhigang]
+
+  *) Fix memory leak in conf.c.
+     [Steve Henson]
+
+  *) Updates for Win32 to assembler version of MD5.
+     [Steve Henson]
+
+  *) Set #! path to perl in apps/der_chop to where we found it
+     instead of using a fixed path.
+     [Bodo Moeller]
+
+  *) SHA library changes for irix64-mips4-cc.
+     [Andy Polyakov]
+
+  *) Improvements for VMS support.
+     [Richard Levitte]
+
+
+ Changes between 0.9.2b and 0.9.3  [24 May 1999]
+
+  *) Bignum library bug fix. IRIX 6 passes "make test" now!
+     This also avoids the problems with SC4.2 and unpatched SC5.  
+     [Andy Polyakov <appro@fy.chalmers.se>]
+
+  *) New functions sk_num, sk_value and sk_set to replace the previous macros.
+     These are required because of the typesafe stack would otherwise break 
+     existing code. If old code used a structure member which used to be STACK
+     and is now STACK_OF (for example cert in a PKCS7_SIGNED structure) with
+     sk_num or sk_value it would produce an error because the num, data members
+     are not present in STACK_OF. Now it just produces a warning. sk_set
+     replaces the old method of assigning a value to sk_value
+     (e.g. sk_value(x, i) = y) which the library used in a few cases. Any code
+     that does this will no longer work (and should use sk_set instead) but
+     this could be regarded as a "questionable" behaviour anyway.
+     [Steve Henson]
+
+  *) Fix most of the other PKCS#7 bugs. The "experimental" code can now
+     correctly handle encrypted S/MIME data.
+     [Steve Henson]
+
+  *) Change type of various DES function arguments from des_cblock
+     (which means, in function argument declarations, pointer to char)
+     to des_cblock * (meaning pointer to array with 8 char elements),
+     which allows the compiler to do more typechecking; it was like
+     that back in SSLeay, but with lots of ugly casts.
+
+     Introduce new type const_des_cblock.
+     [Bodo Moeller]
+
+  *) Reorganise the PKCS#7 library and get rid of some of the more obvious
+     problems: find RecipientInfo structure that matches recipient certificate
+     and initialise the ASN1 structures properly based on passed cipher.
+     [Steve Henson]
+
+  *) Belatedly make the BN tests actually check the results.
+     [Ben Laurie]
+
+  *) Fix the encoding and decoding of negative ASN1 INTEGERS and conversion
+     to and from BNs: it was completely broken. New compilation option
+     NEG_PUBKEY_BUG to allow for some broken certificates that encode public
+     key elements as negative integers.
+     [Steve Henson]
+
+  *) Reorganize and speed up MD5.
+     [Andy Polyakov <appro@fy.chalmers.se>]
+
+  *) VMS support.
+     [Richard Levitte <richard@levitte.org>]
+
+  *) New option -out to asn1parse to allow the parsed structure to be
+     output to a file. This is most useful when combined with the -strparse
+     option to examine the output of things like OCTET STRINGS.
+     [Steve Henson]
+
+  *) Make SSL library a little more fool-proof by not requiring any longer
+     that SSL_set_{accept,connect}_state be called before
+     SSL_{accept,connect} may be used (SSL_set_..._state is omitted
+     in many applications because usually everything *appeared* to work as
+     intended anyway -- now it really works as intended).
+     [Bodo Moeller]
+
+  *) Move openssl.cnf out of lib/.
+     [Ulf Möller]
+
+  *) Fix various things to let OpenSSL even pass ``egcc -pipe -O2 -Wall
+     -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
+     -Wmissing-declarations -Wnested-externs -Winline'' with EGCS 1.1.2+ 
+     [Ralf S. Engelschall]
+
+  *) Various fixes to the EVP and PKCS#7 code. It may now be able to
+     handle PKCS#7 enveloped data properly.
+     [Sebastian Akerman <sak@parallelconsulting.com>, modified by Steve]
+
+  *) Create a duplicate of the SSL_CTX's CERT in SSL_new instead of
+     copying pointers.  The cert_st handling is changed by this in
+     various ways (and thus what used to be known as ctx->default_cert
+     is now called ctx->cert, since we don't resort to s->ctx->[default_]cert
+     any longer when s->cert does not give us what we need).
+     ssl_cert_instantiate becomes obsolete by this change.
+     As soon as we've got the new code right (possibly it already is?),
+     we have solved a couple of bugs of the earlier code where s->cert
+     was used as if it could not have been shared with other SSL structures.
+
+     Note that using the SSL API in certain dirty ways now will result
+     in different behaviour than observed with earlier library versions:
+     Changing settings for an SSL_CTX *ctx after having done s = SSL_new(ctx)
+     does not influence s as it used to.
+     
+     In order to clean up things more thoroughly, inside SSL_SESSION
+     we don't use CERT any longer, but a new structure SESS_CERT
+     that holds per-session data (if available); currently, this is
+     the peer's certificate chain and, for clients, the server's certificate
+     and temporary key.  CERT holds only those values that can have
+     meaningful defaults in an SSL_CTX.
+     [Bodo Moeller]
+
+  *) New function X509V3_EXT_i2d() to create an X509_EXTENSION structure
+     from the internal representation. Various PKCS#7 fixes: remove some
+     evil casts and set the enc_dig_alg field properly based on the signing
+     key type.
+     [Steve Henson]
+
+  *) Allow PKCS#12 password to be set from the command line or the
+     environment. Let 'ca' get its config file name from the environment
+     variables "OPENSSL_CONF" or "SSLEAY_CONF" (for consistency with 'req'
+     and 'x509').
+     [Steve Henson]
+
+  *) Allow certificate policies extension to use an IA5STRING for the
+     organization field. This is contrary to the PKIX definition but
+     VeriSign uses it and IE5 only recognises this form. Document 'x509'
+     extension option.
+     [Steve Henson]
+
+  *) Add PEDANTIC compiler flag to allow compilation with gcc -pedantic,
+     without disallowing inline assembler and the like for non-pedantic builds.
+     [Ben Laurie]
+
+  *) Support Borland C++ builder.
+     [Janez Jere <jj@void.si>, modified by Ulf Möller]
+
+  *) Support Mingw32.
+     [Ulf Möller]
+
+  *) SHA-1 cleanups and performance enhancements.
+     [Andy Polyakov <appro@fy.chalmers.se>]
+
+  *) Sparc v8plus assembler for the bignum library.
+     [Andy Polyakov <appro@fy.chalmers.se>]
+
+  *) Accept any -xxx and +xxx compiler options in Configure.
+     [Ulf Möller]
+
+  *) Update HPUX configuration.
+     [Anonymous]
+  
+  *) Add missing sk_<type>_unshift() function to safestack.h
+     [Ralf S. Engelschall]
+
+  *) New function SSL_CTX_use_certificate_chain_file that sets the
+     "extra_cert"s in addition to the certificate.  (This makes sense
+     only for "PEM" format files, as chains as a whole are not
+     DER-encoded.)
+     [Bodo Moeller]
+
+  *) Support verify_depth from the SSL API.
+     x509_vfy.c had what can be considered an off-by-one-error:
+     Its depth (which was not part of the external interface)
+     was actually counting the number of certificates in a chain;
+     now it really counts the depth.
+     [Bodo Moeller]
+
+  *) Bugfix in crypto/x509/x509_cmp.c: The SSLerr macro was used
+     instead of X509err, which often resulted in confusing error
+     messages since the error codes are not globally unique
+     (e.g. an alleged error in ssl3_accept when a certificate
+     didn't match the private key).
+
+  *) New function SSL_CTX_set_session_id_context that allows to set a default
+     value (so that you don't need SSL_set_session_id_context for each
+     connection using the SSL_CTX).
+     [Bodo Moeller]
+
+  *) OAEP decoding bug fix.
+     [Ulf Möller]
+
+  *) Support INSTALL_PREFIX for package builders, as proposed by
+     David Harris.
+     [Bodo Moeller]
+
+  *) New Configure options "threads" and "no-threads".  For systems
+     where the proper compiler options are known (currently Solaris
+     and Linux), "threads" is the default.
+     [Bodo Moeller]
+
+  *) New script util/mklink.pl as a faster substitute for util/mklink.sh.
+     [Bodo Moeller]
+
+  *) Install various scripts to $(OPENSSLDIR)/misc, not to
+     $(INSTALLTOP)/bin -- they shouldn't clutter directories
+     such as /usr/local/bin.
+     [Bodo Moeller]
+
+  *) "make linux-shared" to build shared libraries.
+     [Niels Poppe <niels@netbox.org>]
+
+  *) New Configure option no-<cipher> (rsa, idea, rc5, ...).
+     [Ulf Möller]
+
+  *) Add the PKCS#12 API documentation to openssl.txt. Preliminary support for
+     extension adding in x509 utility.
+     [Steve Henson]
+
+  *) Remove NOPROTO sections and error code comments.
+     [Ulf Möller]
+
+  *) Partial rewrite of the DEF file generator to now parse the ANSI
+     prototypes.
+     [Steve Henson]
+
+  *) New Configure options --prefix=DIR and --openssldir=DIR.
+     [Ulf Möller]
+
+  *) Complete rewrite of the error code script(s). It is all now handled
+     by one script at the top level which handles error code gathering,
+     header rewriting and C source file generation. It should be much better
+     than the old method: it now uses a modified version of Ulf's parser to
+     read the ANSI prototypes in all header files (thus the old K&R definitions
+     aren't needed for error creation any more) and do a better job of
+     translating function codes into names. The old 'ASN1 error code imbedded
+     in a comment' is no longer necessary and it doesn't use .err files which
+     have now been deleted. Also the error code call doesn't have to appear all
+     on one line (which resulted in some large lines...).
+     [Steve Henson]
+
+  *) Change #include filenames from <foo.h> to <openssl/foo.h>.
+     [Bodo Moeller]
+
+  *) Change behaviour of ssl2_read when facing length-0 packets: Don't return
+     0 (which usually indicates a closed connection), but continue reading.
+     [Bodo Moeller]
+
+  *) Fix some race conditions.
+     [Bodo Moeller]
+
+  *) Add support for CRL distribution points extension. Add Certificate
+     Policies and CRL distribution points documentation.
+     [Steve Henson]
+
+  *) Move the autogenerated header file parts to crypto/opensslconf.h.
+     [Ulf Möller]
+
+  *) Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of
+     8 of keying material. Merlin has also confirmed interop with this fix
+     between OpenSSL and Baltimore C/SSL 2.0 and J/SSL 2.0.
+     [Merlin Hughes <merlin@baltimore.ie>]
+
+  *) Fix lots of warnings.
+     [Richard Levitte <levitte@stacken.kth.se>]
+ 
+  *) In add_cert_dir() in crypto/x509/by_dir.c, break out of the loop if
+     the directory spec didn't end with a LIST_SEPARATOR_CHAR.
+     [Richard Levitte <levitte@stacken.kth.se>]
+ 
+  *) Fix problems with sizeof(long) == 8.
+     [Andy Polyakov <appro@fy.chalmers.se>]
+
+  *) Change functions to ANSI C.
+     [Ulf Möller]
+
+  *) Fix typos in error codes.
+     [Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>, Ulf Möller]
+
+  *) Remove defunct assembler files from Configure.
+     [Ulf Möller]
+
+  *) SPARC v8 assembler BIGNUM implementation.
+     [Andy Polyakov <appro@fy.chalmers.se>]
+
+  *) Support for Certificate Policies extension: both print and set.
+     Various additions to support the r2i method this uses.
+     [Steve Henson]
+
+  *) A lot of constification, and fix a bug in X509_NAME_oneline() that could
+     return a const string when you are expecting an allocated buffer.
+     [Ben Laurie]
+
+  *) Add support for ASN1 types UTF8String and VISIBLESTRING, also the CHOICE
+     types DirectoryString and DisplayText.
+     [Steve Henson]
+
+  *) Add code to allow r2i extensions to access the configuration database,
+     add an LHASH database driver and add several ctx helper functions.
+     [Steve Henson]
+
+  *) Fix an evil bug in bn_expand2() which caused various BN functions to
+     fail when they extended the size of a BIGNUM.
+     [Steve Henson]
+
+  *) Various utility functions to handle SXNet extension. Modify mkdef.pl to
+     support typesafe stack.
+     [Steve Henson]
+
+  *) Fix typo in SSL_[gs]et_options().
+     [Nils Frostberg <nils@medcom.se>]
+
+  *) Delete various functions and files that belonged to the (now obsolete)
+     old X509V3 handling code.
+     [Steve Henson]
+
+  *) New Configure option "rsaref".
+     [Ulf Möller]
+
+  *) Don't auto-generate pem.h.
+     [Bodo Moeller]
+
+  *) Introduce type-safe ASN.1 SETs.
+     [Ben Laurie]
+
+  *) Convert various additional casted stacks to type-safe STACK_OF() variants.
+     [Ben Laurie, Ralf S. Engelschall, Steve Henson]
+
+  *) Introduce type-safe STACKs. This will almost certainly break lots of code
+     that links with OpenSSL (well at least cause lots of warnings), but fear
+     not: the conversion is trivial, and it eliminates loads of evil casts. A
+     few STACKed things have been converted already. Feel free to convert more.
+     In the fullness of time, I'll do away with the STACK type altogether.
+     [Ben Laurie]
+
+  *) Add `openssl ca -revoke <certfile>' facility which revokes a certificate
+     specified in <certfile> by updating the entry in the index.txt file.
+     This way one no longer has to edit the index.txt file manually for
+     revoking a certificate. The -revoke option does the gory details now.
+     [Massimiliano Pala <madwolf@openca.org>, Ralf S. Engelschall]
+
+  *) Fix `openssl crl -noout -text' combination where `-noout' killed the
+     `-text' option at all and this way the `-noout -text' combination was
+     inconsistent in `openssl crl' with the friends in `openssl x509|rsa|dsa'.
+     [Ralf S. Engelschall]
+
+  *) Make sure a corresponding plain text error message exists for the
+     X509_V_ERR_CERT_REVOKED/23 error number which can occur when a
+     verify callback function determined that a certificate was revoked.
+     [Ralf S. Engelschall]
+
+  *) Bugfix: In test/testenc, don't test "openssl <cipher>" for
+     ciphers that were excluded, e.g. by -DNO_IDEA.  Also, test
+     all available cipers including rc5, which was forgotten until now.
+     In order to let the testing shell script know which algorithms
+     are available, a new (up to now undocumented) command
+     "openssl list-cipher-commands" is used.
+     [Bodo Moeller]
+
+  *) Bugfix: s_client occasionally would sleep in select() when
+     it should have checked SSL_pending() first.
+     [Bodo Moeller]
+
+  *) New functions DSA_do_sign and DSA_do_verify to provide access to
+     the raw DSA values prior to ASN.1 encoding.
+     [Ulf Möller]
+
+  *) Tweaks to Configure
+     [Niels Poppe <niels@netbox.org>]
+
+  *) Add support for PKCS#5 v2.0 ASN1 PBES2 structures. No other support,
+     yet...
+     [Steve Henson]
+
+  *) New variables $(RANLIB) and $(PERL) in the Makefiles.
+     [Ulf Möller]
+
+  *) New config option to avoid instructions that are illegal on the 80386.
+     The default code is faster, but requires at least a 486.
+     [Ulf Möller]
+  
+  *) Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and
+     SSL2_SERVER_VERSION (not used at all) macros, which are now the
+     same as SSL2_VERSION anyway.
+     [Bodo Moeller]
+
+  *) New "-showcerts" option for s_client.
+     [Bodo Moeller]
+
+  *) Still more PKCS#12 integration. Add pkcs12 application to openssl
+     application. Various cleanups and fixes.
+     [Steve Henson]
+
+  *) More PKCS#12 integration. Add new pkcs12 directory with Makefile.ssl and
+     modify error routines to work internally. Add error codes and PBE init
+     to library startup routines.
+     [Steve Henson]
+
+  *) Further PKCS#12 integration. Added password based encryption, PKCS#8 and
+     packing functions to asn1 and evp. Changed function names and error
+     codes along the way.
+     [Steve Henson]
+
+  *) PKCS12 integration: and so it begins... First of several patches to
+     slowly integrate PKCS#12 functionality into OpenSSL. Add PKCS#12
+     objects to objects.h
+     [Steve Henson]
+
+  *) Add a new 'indent' option to some X509V3 extension code. Initial ASN1
+     and display support for Thawte strong extranet extension.
+     [Steve Henson]
+
+  *) Add LinuxPPC support.
+     [Jeff Dubrule <igor@pobox.org>]
+
+  *) Get rid of redundant BN file bn_mulw.c, and rename bn_div64 to
+     bn_div_words in alpha.s.
+     [Hannes Reinecke <H.Reinecke@hw.ac.uk> and Ben Laurie]
+
+  *) Make sure the RSA OAEP test is skipped under -DRSAref because
+     OAEP isn't supported when OpenSSL is built with RSAref.
+     [Ulf Moeller <ulf@fitug.de>]
+
+  *) Move definitions of IS_SET/IS_SEQUENCE inside crypto/asn1/asn1.h 
+     so they no longer are missing under -DNOPROTO. 
+     [Soren S. Jorvang <soren@t.dk>]
+
+
+ Changes between 0.9.1c and 0.9.2b  [22 Mar 1999]
+
+  *) Make SSL_get_peer_cert_chain() work in servers. Unfortunately, it still
+     doesn't work when the session is reused. Coming soon!
+     [Ben Laurie]
+
+  *) Fix a security hole, that allows sessions to be reused in the wrong
+     context thus bypassing client cert protection! All software that uses
+     client certs and session caches in multiple contexts NEEDS PATCHING to
+     allow session reuse! A fuller solution is in the works.
+     [Ben Laurie, problem pointed out by Holger Reif, Bodo Moeller (and ???)]
+
+  *) Some more source tree cleanups (removed obsolete files
+     crypto/bf/asm/bf586.pl, test/test.txt and crypto/sha/asm/f.s; changed
+     permission on "config" script to be executable) and a fix for the INSTALL
+     document.
+     [Ulf Moeller <ulf@fitug.de>]
+
+  *) Remove some legacy and erroneous uses of malloc, free instead of
+     Malloc, Free.
+     [Lennart Bang <lob@netstream.se>, with minor changes by Steve]
+
+  *) Make rsa_oaep_test return non-zero on error.
+     [Ulf Moeller <ulf@fitug.de>]
+
+  *) Add support for native Solaris shared libraries. Configure
+     solaris-sparc-sc4-pic, make, then run shlib/solaris-sc4.sh. It'd be nice
+     if someone would make that last step automatic.
+     [Matthias Loepfe <Matthias.Loepfe@AdNovum.CH>]
+
+  *) ctx_size was not built with the right compiler during "make links". Fixed.
+     [Ben Laurie]
+
+  *) Change the meaning of 'ALL' in the cipher list. It now means "everything
+     except NULL ciphers". This means the default cipher list will no longer
+     enable NULL ciphers. They need to be specifically enabled e.g. with
+     the string "DEFAULT:eNULL".
+     [Steve Henson]
+
+  *) Fix to RSA private encryption routines: if p < q then it would
+     occasionally produce an invalid result. This will only happen with
+     externally generated keys because OpenSSL (and SSLeay) ensure p > q.
+     [Steve Henson]
+
+  *) Be less restrictive and allow also `perl util/perlpath.pl
+     /path/to/bin/perl' in addition to `perl util/perlpath.pl /path/to/bin',
+     because this way one can also use an interpreter named `perl5' (which is
+     usually the name of Perl 5.xxx on platforms where an Perl 4.x is still
+     installed as `perl').
+     [Matthias Loepfe <Matthias.Loepfe@adnovum.ch>]
+
+  *) Let util/clean-depend.pl work also with older Perl 5.00x versions.
+     [Matthias Loepfe <Matthias.Loepfe@adnovum.ch>]
+
+  *) Fix Makefile.org so CC,CFLAG etc are passed to 'make links' add
+     advapi32.lib to Win32 build and change the pem test comparision
+     to fc.exe (thanks to Ulrich Kroener <kroneru@yahoo.com> for the
+     suggestion). Fix misplaced ASNI prototypes and declarations in evp.h
+     and crypto/des/ede_cbcm_enc.c.
+     [Steve Henson]
+
+  *) DES quad checksum was broken on big-endian architectures. Fixed.
+     [Ben Laurie]
+
+  *) Comment out two functions in bio.h that aren't implemented. Fix up the
+     Win32 test batch file so it (might) work again. The Win32 test batch file
+     is horrible: I feel ill....
+     [Steve Henson]
+
+  *) Move various #ifdefs around so NO_SYSLOG, NO_DIRENT etc are now selected
+     in e_os.h. Audit of header files to check ANSI and non ANSI
+     sections: 10 functions were absent from non ANSI section and not exported
+     from Windows DLLs. Fixed up libeay.num for new functions.
+     [Steve Henson]
+
+  *) Make `openssl version' output lines consistent.
+     [Ralf S. Engelschall]
+
+  *) Fix Win32 symbol export lists for BIO functions: Added
+     BIO_get_ex_new_index, BIO_get_ex_num, BIO_get_ex_data and BIO_set_ex_data
+     to ms/libeay{16,32}.def.
+     [Ralf S. Engelschall]
+
+  *) Second round of fixing the OpenSSL perl/ stuff. It now at least compiled
+     fine under Unix and passes some trivial tests I've now added. But the
+     whole stuff is horribly incomplete, so a README.1ST with a disclaimer was
+     added to make sure no one expects that this stuff really works in the
+     OpenSSL 0.9.2 release.  Additionally I've started to clean the XS sources
+     up and fixed a few little bugs and inconsistencies in OpenSSL.{pm,xs} and
+     openssl_bio.xs.
+     [Ralf S. Engelschall]
+
+  *) Fix the generation of two part addresses in perl.
+     [Kenji Miyake <kenji@miyake.org>, integrated by Ben Laurie]
+
+  *) Add config entry for Linux on MIPS.
+     [John Tobey <jtobey@channel1.com>]
+
+  *) Make links whenever Configure is run, unless we are on Windoze.
+     [Ben Laurie]
+
+  *) Permit extensions to be added to CRLs using crl_section in openssl.cnf.
+     Currently only issuerAltName and AuthorityKeyIdentifier make any sense
+     in CRLs.
+     [Steve Henson]
+
+  *) Add a useful kludge to allow package maintainers to specify compiler and
+     other platforms details on the command line without having to patch the
+     Configure script everytime: One now can use ``perl Configure
+     <id>:<details>'', i.e. platform ids are allowed to have details appended
+     to them (seperated by colons). This is treated as there would be a static
+     pre-configured entry in Configure's %table under key <id> with value
+     <details> and ``perl Configure <id>'' is called.  So, when you want to
+     perform a quick test-compile under FreeBSD 3.1 with pgcc and without
+     assembler stuff you can use ``perl Configure "FreeBSD-elf:pgcc:-O6:::"''
+     now, which overrides the FreeBSD-elf entry on-the-fly.
+     [Ralf S. Engelschall]
+
+  *) Disable new TLS1 ciphersuites by default: they aren't official yet.
+     [Ben Laurie]
+
+  *) Allow DSO flags like -fpic, -fPIC, -KPIC etc. to be specified
+     on the `perl Configure ...' command line. This way one can compile
+     OpenSSL libraries with Position Independent Code (PIC) which is needed
+     for linking it into DSOs.
+     [Ralf S. Engelschall]
+
+  *) Remarkably, export ciphers were totally broken and no-one had noticed!
+     Fixed.
+     [Ben Laurie]
+
+  *) Cleaned up the LICENSE document: The official contact for any license
+     questions now is the OpenSSL core team under openssl-core@openssl.org.
+     And add a paragraph about the dual-license situation to make sure people
+     recognize that _BOTH_ the OpenSSL license _AND_ the SSLeay license apply
+     to the OpenSSL toolkit.
+     [Ralf S. Engelschall]
+
+  *) General source tree makefile cleanups: Made `making xxx in yyy...'
+     display consistent in the source tree and replaced `/bin/rm' by `rm'.
+     Additonally cleaned up the `make links' target: Remove unnecessary
+     semicolons, subsequent redundant removes, inline point.sh into mklink.sh
+     to speed processing and no longer clutter the display with confusing
+     stuff. Instead only the actually done links are displayed.
+     [Ralf S. Engelschall]
+
+  *) Permit null encryption ciphersuites, used for authentication only. It used
+     to be necessary to set the preprocessor define SSL_ALLOW_ENULL to do this.
+     It is now necessary to set SSL_FORBID_ENULL to prevent the use of null
+     encryption.
+     [Ben Laurie]
+
+  *) Add a bunch of fixes to the PKCS#7 stuff. It used to sometimes reorder
+     signed attributes when verifying signatures (this would break them), 
+     the detached data encoding was wrong and public keys obtained using
+     X509_get_pubkey() weren't freed.
+     [Steve Henson]
+
+  *) Add text documentation for the BUFFER functions. Also added a work around
+     to a Win95 console bug. This was triggered by the password read stuff: the
+     last character typed gets carried over to the next fread(). If you were 
+     generating a new cert request using 'req' for example then the last
+     character of the passphrase would be CR which would then enter the first
+     field as blank.
+     [Steve Henson]
+
+  *) Added the new `Includes OpenSSL Cryptography Software' button as
+     doc/openssl_button.{gif,html} which is similar in style to the old SSLeay
+     button and can be used by applications based on OpenSSL to show the
+     relationship to the OpenSSL project.  
+     [Ralf S. Engelschall]
+
+  *) Remove confusing variables in function signatures in files
+     ssl/ssl_lib.c and ssl/ssl.h.
+     [Lennart Bong <lob@kulthea.stacken.kth.se>]
+
+  *) Don't install bss_file.c under PREFIX/include/
+     [Lennart Bong <lob@kulthea.stacken.kth.se>]
+
+  *) Get the Win32 compile working again. Modify mkdef.pl so it can handle
+     functions that return function pointers and has support for NT specific
+     stuff. Fix mk1mf.pl and VC-32.pl to support NT differences also. Various
+     #ifdef WIN32 and WINNTs sprinkled about the place and some changes from
+     unsigned to signed types: this was killing the Win32 compile.
+     [Steve Henson]
+
+  *) Add new certificate file to stack functions,
+     SSL_add_dir_cert_subjects_to_stack() and
+     SSL_add_file_cert_subjects_to_stack().  These largely supplant
+     SSL_load_client_CA_file(), and can be used to add multiple certs easily
+     to a stack (usually this is then handed to SSL_CTX_set_client_CA_list()).
+     This means that Apache-SSL and similar packages don't have to mess around
+     to add as many CAs as they want to the preferred list.
+     [Ben Laurie]
+
+  *) Experiment with doxygen documentation. Currently only partially applied to
+     ssl/ssl_lib.c.
+     See http://www.stack.nl/~dimitri/doxygen/index.html, and run doxygen with
+     openssl.doxy as the configuration file.
+     [Ben Laurie]
+  
+  *) Get rid of remaining C++-style comments which strict C compilers hate.
+     [Ralf S. Engelschall, pointed out by Carlos Amengual]
+
+  *) Changed BN_RECURSION in bn_mont.c to BN_RECURSION_MONT so it is not
+     compiled in by default: it has problems with large keys.
+     [Steve Henson]
+
+  *) Add a bunch of SSL_xxx() functions for configuring the temporary RSA and
+     DH private keys and/or callback functions which directly correspond to
+     their SSL_CTX_xxx() counterparts but work on a per-connection basis. This
+     is needed for applications which have to configure certificates on a
+     per-connection basis (e.g. Apache+mod_ssl) instead of a per-context basis
+     (e.g. s_server). 
+        For the RSA certificate situation is makes no difference, but
+     for the DSA certificate situation this fixes the "no shared cipher"
+     problem where the OpenSSL cipher selection procedure failed because the
+     temporary keys were not overtaken from the context and the API provided
+     no way to reconfigure them. 
+        The new functions now let applications reconfigure the stuff and they
+     are in detail: SSL_need_tmp_RSA, SSL_set_tmp_rsa, SSL_set_tmp_dh,
+     SSL_set_tmp_rsa_callback and SSL_set_tmp_dh_callback.  Additionally a new
+     non-public-API function ssl_cert_instantiate() is used as a helper
+     function and also to reduce code redundancy inside ssl_rsa.c.
+     [Ralf S. Engelschall]
+
+  *) Move s_server -dcert and -dkey options out of the undocumented feature
+     area because they are useful for the DSA situation and should be
+     recognized by the users.
+     [Ralf S. Engelschall]
+
+  *) Fix the cipher decision scheme for export ciphers: the export bits are
+     *not* within SSL_MKEY_MASK or SSL_AUTH_MASK, they are within
+     SSL_EXP_MASK.  So, the original variable has to be used instead of the
+     already masked variable.
+     [Richard Levitte <levitte@stacken.kth.se>]
+
+  *) Fix 'port' variable from `int' to `unsigned int' in crypto/bio/b_sock.c
+     [Richard Levitte <levitte@stacken.kth.se>]
+
+  *) Change type of another md_len variable in pk7_doit.c:PKCS7_dataFinal()
+     from `int' to `unsigned int' because it's a length and initialized by
+     EVP_DigestFinal() which expects an `unsigned int *'.
+     [Richard Levitte <levitte@stacken.kth.se>]
+
+  *) Don't hard-code path to Perl interpreter on shebang line of Configure
+     script. Instead use the usual Shell->Perl transition trick.
+     [Ralf S. Engelschall]
+
+  *) Make `openssl x509 -noout -modulus' functional also for DSA certificates
+     (in addition to RSA certificates) to match the behaviour of `openssl dsa
+     -noout -modulus' as it's already the case for `openssl rsa -noout
+     -modulus'.  For RSA the -modulus is the real "modulus" while for DSA
+     currently the public key is printed (a decision which was already done by
+     `openssl dsa -modulus' in the past) which serves a similar purpose.
+     Additionally the NO_RSA no longer completely removes the whole -modulus
+     option; it now only avoids using the RSA stuff. Same applies to NO_DSA
+     now, too.
+     [Ralf S.  Engelschall]
+
+  *) Add Arne Ansper's reliable BIO - this is an encrypted, block-digested
+     BIO. See the source (crypto/evp/bio_ok.c) for more info.
+     [Arne Ansper <arne@ats.cyber.ee>]
+
+  *) Dump the old yucky req code that tried (and failed) to allow raw OIDs
+     to be added. Now both 'req' and 'ca' can use new objects defined in the
+     config file.
+     [Steve Henson]
+
+  *) Add cool BIO that does syslog (or event log on NT).
+     [Arne Ansper <arne@ats.cyber.ee>, integrated by Ben Laurie]
+
+  *) Add support for new TLS ciphersuites, TLS_RSA_EXPORT56_WITH_RC4_56_MD5,
+     TLS_RSA_EXPORT56_WITH_RC2_CBC_56_MD5 and
+     TLS_RSA_EXPORT56_WITH_DES_CBC_SHA, as specified in "56-bit Export Cipher
+     Suites For TLS", draft-ietf-tls-56-bit-ciphersuites-00.txt.
+     [Ben Laurie]
+
+  *) Add preliminary config info for new extension code.
+     [Steve Henson]
+
+  *) Make RSA_NO_PADDING really use no padding.
+     [Ulf Moeller <ulf@fitug.de>]
+
+  *) Generate errors when private/public key check is done.
+     [Ben Laurie]
+
+  *) Overhaul for 'crl' utility. New function X509_CRL_print. Partial support
+     for some CRL extensions and new objects added.
+     [Steve Henson]
+
+  *) Really fix the ASN1 IMPLICIT bug this time... Partial support for private
+     key usage extension and fuller support for authority key id.
+     [Steve Henson]
+
+  *) Add OAEP encryption for the OpenSSL crypto library. OAEP is the improved
+     padding method for RSA, which is recommended for new applications in PKCS
+     #1 v2.0 (RFC 2437, October 1998).
+     OAEP (Optimal Asymmetric Encryption Padding) has better theoretical
+     foundations than the ad-hoc padding used in PKCS #1 v1.5. It is secure
+     against Bleichbacher's attack on RSA.
+     [Ulf Moeller <ulf@fitug.de>, reformatted, corrected and integrated by
+      Ben Laurie]
+
+  *) Updates to the new SSL compression code
+     [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]
+
+  *) Fix so that the version number in the master secret, when passed
+     via RSA, checks that if TLS was proposed, but we roll back to SSLv3
+     (because the server will not accept higher), that the version number
+     is 0x03,0x01, not 0x03,0x00
+     [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]
+
+  *) Run extensive memory leak checks on SSL apps. Fixed *lots* of memory
+     leaks in ssl/ relating to new X509_get_pubkey() behaviour. Also fixes
+     in apps/ and an unrelated leak in crypto/dsa/dsa_vrf.c
+     [Steve Henson]
+
+  *) Support for RAW extensions where an arbitrary extension can be
+     created by including its DER encoding. See apps/openssl.cnf for
+     an example.
+     [Steve Henson]
+
+  *) Make sure latest Perl versions don't interpret some generated C array
+     code as Perl array code in the crypto/err/err_genc.pl script.
+     [Lars Weber <3weber@informatik.uni-hamburg.de>]
+
+  *) Modify ms/do_ms.bat to not generate assembly language makefiles since
+     not many people have the assembler. Various Win32 compilation fixes and
+     update to the INSTALL.W32 file with (hopefully) more accurate Win32
+     build instructions.
+     [Steve Henson]
+
+  *) Modify configure script 'Configure' to automatically create crypto/date.h
+     file under Win32 and also build pem.h from pem.org. New script
+     util/mkfiles.pl to create the MINFO file on environments that can't do a
+     'make files': perl util/mkfiles.pl >MINFO should work.
+     [Steve Henson]
+
+  *) Major rework of DES function declarations, in the pursuit of correctness
+     and purity. As a result, many evil casts evaporated, and some weirdness,
+     too. You may find this causes warnings in your code. Zapping your evil
+     casts will probably fix them. Mostly.
+     [Ben Laurie]
+
+  *) Fix for a typo in asn1.h. Bug fix to object creation script
+     obj_dat.pl. It considered a zero in an object definition to mean
+     "end of object": none of the objects in objects.h have any zeros
+     so it wasn't spotted.
+     [Steve Henson, reported by Erwann ABALEA <eabalea@certplus.com>]
+
+  *) Add support for Triple DES Cipher Block Chaining with Output Feedback
+     Masking (CBCM). In the absence of test vectors, the best I have been able
+     to do is check that the decrypt undoes the encrypt, so far. Send me test
+     vectors if you have them.
+     [Ben Laurie]
+
+  *) Correct calculation of key length for export ciphers (too much space was
+     allocated for null ciphers). This has not been tested!
+     [Ben Laurie]
+
+  *) Modifications to the mkdef.pl for Win32 DEF file creation. The usage
+     message is now correct (it understands "crypto" and "ssl" on its
+     command line). There is also now an "update" option. This will update
+     the util/ssleay.num and util/libeay.num files with any new functions.
+     If you do a: 
+     perl util/mkdef.pl crypto ssl update
+     it will update them.
+     [Steve Henson]
+
+  *) Overhauled the Perl interface (perl/*):
+     - ported BN stuff to OpenSSL's different BN library
+     - made the perl/ source tree CVS-aware
+     - renamed the package from SSLeay to OpenSSL (the files still contain
+       their history because I've copied them in the repository)
+     - removed obsolete files (the test scripts will be replaced
+       by better Test::Harness variants in the future)
+     [Ralf S. Engelschall]
+
+  *) First cut for a very conservative source tree cleanup:
+     1. merge various obsolete readme texts into doc/ssleay.txt
+     where we collect the old documents and readme texts.
+     2. remove the first part of files where I'm already sure that we no
+     longer need them because of three reasons: either they are just temporary
+     files which were left by Eric or they are preserved original files where
+     I've verified that the diff is also available in the CVS via "cvs diff
+     -rSSLeay_0_8_1b" or they were renamed (as it was definitely the case for
+     the crypto/md/ stuff).
+     [Ralf S. Engelschall]
+
+  *) More extension code. Incomplete support for subject and issuer alt
+     name, issuer and authority key id. Change the i2v function parameters
+     and add an extra 'crl' parameter in the X509V3_CTX structure: guess
+     what that's for :-) Fix to ASN1 macro which messed up
+     IMPLICIT tag and add f_enum.c which adds a2i, i2a for ENUMERATED.
+     [Steve Henson]
+
+  *) Preliminary support for ENUMERATED type. This is largely copied from the
+     INTEGER code.
+     [Steve Henson]
+
+  *) Add new function, EVP_MD_CTX_copy() to replace frequent use of memcpy.
+     [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]
+
+  *) Make sure `make rehash' target really finds the `openssl' program.
+     [Ralf S. Engelschall, Matthias Loepfe <Matthias.Loepfe@adnovum.ch>]
+
+  *) Squeeze another 7% of speed out of MD5 assembler, at least on a P2. I'd
+     like to hear about it if this slows down other processors.
+     [Ben Laurie]
+
+  *) Add CygWin32 platform information to Configure script.
+     [Alan Batie <batie@aahz.jf.intel.com>]
+
+  *) Fixed ms/32all.bat script: `no_asm' -> `no-asm'
+     [Rainer W. Gerling <gerling@mpg-gv.mpg.de>]
+  
+  *) New program nseq to manipulate netscape certificate sequences
+     [Steve Henson]
+
+  *) Modify crl2pkcs7 so it supports multiple -certfile arguments. Fix a
+     few typos.
+     [Steve Henson]
+
+  *) Fixes to BN code.  Previously the default was to define BN_RECURSION
+     but the BN code had some problems that would cause failures when
+     doing certificate verification and some other functions.
+     [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]
+
+  *) Add ASN1 and PEM code to support netscape certificate sequences.
+     [Steve Henson]
+
+  *) Add ASN1 and PEM code to support netscape certificate sequences.
+     [Steve Henson]
+
+  *) Add several PKIX and private extended key usage OIDs.
+     [Steve Henson]
+
+  *) Modify the 'ca' program to handle the new extension code. Modify
+     openssl.cnf for new extension format, add comments.
+     [Steve Henson]
+
+  *) More X509 V3 changes. Fix typo in v3_bitstr.c. Add support to 'req'
+     and add a sample to openssl.cnf so req -x509 now adds appropriate
+     CA extensions.
+     [Steve Henson]
+
+  *) Continued X509 V3 changes. Add to other makefiles, integrate with the
+     error code, add initial support to X509_print() and x509 application.
+     [Steve Henson]
+
+  *) Takes a deep breath and start addding X509 V3 extension support code. Add
+     files in crypto/x509v3. Move original stuff to crypto/x509v3/old. All this
+     stuff is currently isolated and isn't even compiled yet.
+     [Steve Henson]
+
+  *) Continuing patches for GeneralizedTime. Fix up certificate and CRL
+     ASN1 to use ASN1_TIME and modify print routines to use ASN1_TIME_print.
+     Removed the versions check from X509 routines when loading extensions:
+     this allows certain broken certificates that don't set the version
+     properly to be processed.
+     [Steve Henson]
+
+  *) Deal with irritating shit to do with dependencies, in YAAHW (Yet Another
+     Ad Hoc Way) - Makefile.ssls now all contain local dependencies, which
+     can still be regenerated with "make depend".
+     [Ben Laurie]
+
+  *) Spelling mistake in C version of CAST-128.
+     [Ben Laurie, reported by Jeremy Hylton <jeremy@cnri.reston.va.us>]
+
+  *) Changes to the error generation code. The perl script err-code.pl 
+     now reads in the old error codes and retains the old numbers, only
+     adding new ones if necessary. It also only changes the .err files if new
+     codes are added. The makefiles have been modified to only insert errors
+     when needed (to avoid needlessly modifying header files). This is done
+     by only inserting errors if the .err file is newer than the auto generated
+     C file. To rebuild all the error codes from scratch (the old behaviour)
+     either modify crypto/Makefile.ssl to pass the -regen flag to err_code.pl
+     or delete all the .err files.
+     [Steve Henson]
+
+  *) CAST-128 was incorrectly implemented for short keys. The C version has
+     been fixed, but is untested. The assembler versions are also fixed, but
+     new assembler HAS NOT BEEN GENERATED FOR WIN32 - the Makefile needs fixing
+     to regenerate it if needed.
+     [Ben Laurie, reported (with fix for C version) by Jun-ichiro itojun
+      Hagino <itojun@kame.net>]
+
+  *) File was opened incorrectly in randfile.c.
+     [Ulf Möller <ulf@fitug.de>]
+
+  *) Beginning of support for GeneralizedTime. d2i, i2d, check and print
+     functions. Also ASN1_TIME suite which is a CHOICE of UTCTime or
+     GeneralizedTime. ASN1_TIME is the proper type used in certificates et
+     al: it's just almost always a UTCTime. Note this patch adds new error
+     codes so do a "make errors" if there are problems.
+     [Steve Henson]
+
+  *) Correct Linux 1 recognition in config.
+     [Ulf Möller <ulf@fitug.de>]
+
+  *) Remove pointless MD5 hash when using DSA keys in ca.
+     [Anonymous <nobody@replay.com>]
+
+  *) Generate an error if given an empty string as a cert directory. Also
+     generate an error if handed NULL (previously returned 0 to indicate an
+     error, but didn't set one).
+     [Ben Laurie, reported by Anonymous <nobody@replay.com>]
+
+  *) Add prototypes to SSL methods. Make SSL_write's buffer const, at last.
+     [Ben Laurie]
+
+  *) Fix the dummy function BN_ref_mod_exp() in rsaref.c to have the correct
+     parameters. This was causing a warning which killed off the Win32 compile.
+     [Steve Henson]
+
+  *) Remove C++ style comments from crypto/bn/bn_local.h.
+     [Neil Costigan <neil.costigan@celocom.com>]
+
+  *) The function OBJ_txt2nid was broken. It was supposed to return a nid
+     based on a text string, looking up short and long names and finally
+     "dot" format. The "dot" format stuff didn't work. Added new function
+     OBJ_txt2obj to do the same but return an ASN1_OBJECT and rewrote 
+     OBJ_txt2nid to use it. OBJ_txt2obj can also return objects even if the
+     OID is not part of the table.
+     [Steve Henson]
+
+  *) Add prototypes to X509 lookup/verify methods, fixing a bug in
+     X509_LOOKUP_by_alias().
+     [Ben Laurie]
+
+  *) Sort openssl functions by name.
+     [Ben Laurie]
+
+  *) Get the gendsa program working (hopefully) and add it to app list. Remove
+     encryption from sample DSA keys (in case anyone is interested the password
+     was "1234").
+     [Steve Henson]
+
+  *) Make _all_ *_free functions accept a NULL pointer.
+     [Frans Heymans <fheymans@isaserver.be>]
+
+  *) If a DH key is generated in s3_srvr.c, don't blow it by trying to use
+     NULL pointers.
+     [Anonymous <nobody@replay.com>]
+
+  *) s_server should send the CAfile as acceptable CAs, not its own cert.
+     [Bodo Moeller <3moeller@informatik.uni-hamburg.de>]
+
+  *) Don't blow it for numeric -newkey arguments to apps/req.
+     [Bodo Moeller <3moeller@informatik.uni-hamburg.de>]
+
+  *) Temp key "for export" tests were wrong in s3_srvr.c.
+     [Anonymous <nobody@replay.com>]
+
+  *) Add prototype for temp key callback functions
+     SSL_CTX_set_tmp_{rsa,dh}_callback().
+     [Ben Laurie]
+
+  *) Make DH_free() tolerate being passed a NULL pointer (like RSA_free() and
+     DSA_free()). Make X509_PUBKEY_set() check for errors in d2i_PublicKey().
+     [Steve Henson]
+
+  *) X509_name_add_entry() freed the wrong thing after an error.
+     [Arne Ansper <arne@ats.cyber.ee>]
+
+  *) rsa_eay.c would attempt to free a NULL context.
+     [Arne Ansper <arne@ats.cyber.ee>]
+
+  *) BIO_s_socket() had a broken should_retry() on Windoze.
+     [Arne Ansper <arne@ats.cyber.ee>]
+
+  *) BIO_f_buffer() didn't pass on BIO_CTRL_FLUSH.
+     [Arne Ansper <arne@ats.cyber.ee>]
+
+  *) Make sure the already existing X509_STORE->depth variable is initialized
+     in X509_STORE_new(), but document the fact that this variable is still
+     unused in the certificate verification process.
+     [Ralf S. Engelschall]
+
+  *) Fix the various library and apps files to free up pkeys obtained from
+     X509_PUBKEY_get() et al. Also allow x509.c to handle netscape extensions.
+     [Steve Henson]
+
+  *) Fix reference counting in X509_PUBKEY_get(). This makes
+     demos/maurice/example2.c work, amongst others, probably.
+     [Steve Henson and Ben Laurie]
+
+  *) First cut of a cleanup for apps/. First the `ssleay' program is now named
+     `openssl' and second, the shortcut symlinks for the `openssl <command>'
+     are no longer created. This way we have a single and consistent command
+     line interface `openssl <command>', similar to `cvs <command>'.
+     [Ralf S. Engelschall, Paul Sutton and Ben Laurie]
+
+  *) ca.c: move test for DSA keys inside #ifndef NO_DSA. Make pubkey
+     BIT STRING wrapper always have zero unused bits.
+     [Steve Henson]
+
+  *) Add CA.pl, perl version of CA.sh, add extended key usage OID.
+     [Steve Henson]
+
+  *) Make the top-level INSTALL documentation easier to understand.
+     [Paul Sutton]
+
+  *) Makefiles updated to exit if an error occurs in a sub-directory
+     make (including if user presses ^C) [Paul Sutton]
+
+  *) Make Montgomery context stuff explicit in RSA data structure.
+     [Ben Laurie]
+
+  *) Fix build order of pem and err to allow for generated pem.h.
+     [Ben Laurie]
+
+  *) Fix renumbering bug in X509_NAME_delete_entry().
+     [Ben Laurie]
+
+  *) Enhanced the err-ins.pl script so it makes the error library number 
+     global and can add a library name. This is needed for external ASN1 and
+     other error libraries.
+     [Steve Henson]
+
+  *) Fixed sk_insert which never worked properly.
+     [Steve Henson]
+
+  *) Fix ASN1 macros so they can handle indefinite length construted 
+     EXPLICIT tags. Some non standard certificates use these: they can now
+     be read in.
+     [Steve Henson]
+
+  *) Merged the various old/obsolete SSLeay documentation files (doc/xxx.doc)
+     into a single doc/ssleay.txt bundle. This way the information is still
+     preserved but no longer messes up this directory. Now it's new room for
+     the new set of documenation files.
+     [Ralf S. Engelschall]
+
+  *) SETs were incorrectly DER encoded. This was a major pain, because they
+     shared code with SEQUENCEs, which aren't coded the same. This means that
+     almost everything to do with SETs or SEQUENCEs has either changed name or
+     number of arguments.
+     [Ben Laurie, based on a partial fix by GP Jayan <gp@nsj.co.jp>]
+
+  *) Fix test data to work with the above.
+     [Ben Laurie]
+
+  *) Fix the RSA header declarations that hid a bug I fixed in 0.9.0b but
+     was already fixed by Eric for 0.9.1 it seems.
+     [Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>]
+
+  *) Autodetect FreeBSD3.
+     [Ben Laurie]
+
+  *) Fix various bugs in Configure. This affects the following platforms:
+     nextstep
+     ncr-scde
+     unixware-2.0
+     unixware-2.0-pentium
+     sco5-cc.
+     [Ben Laurie]
+
+  *) Eliminate generated files from CVS. Reorder tests to regenerate files
+     before they are needed.
+     [Ben Laurie]
+
+  *) Generate Makefile.ssl from Makefile.org (to keep CVS happy).
+     [Ben Laurie]
+
+
+ Changes between 0.9.1b and 0.9.1c  [23-Dec-1998]
+
+  *) Added OPENSSL_VERSION_NUMBER to crypto/crypto.h and 
+     changed SSLeay to OpenSSL in version strings.
+     [Ralf S. Engelschall]
+  
+  *) Some fixups to the top-level documents.
+     [Paul Sutton]
+
+  *) Fixed the nasty bug where rsaref.h was not found under compile-time
+     because the symlink to include/ was missing.
+     [Ralf S. Engelschall]
+
+  *) Incorporated the popular no-RSA/DSA-only patches 
+     which allow to compile a RSA-free SSLeay.
+     [Andrew Cooke / Interrader Ldt., Ralf S. Engelschall]
+
+  *) Fixed nasty rehash problem under `make -f Makefile.ssl links'
+     when "ssleay" is still not found.
+     [Ralf S. Engelschall]
+
+  *) Added more platforms to Configure: Cray T3E, HPUX 11, 
+     [Ralf S. Engelschall, Beckmann <beckman@acl.lanl.gov>]
+
+  *) Updated the README file.
+     [Ralf S. Engelschall]
+
+  *) Added various .cvsignore files in the CVS repository subdirs
+     to make a "cvs update" really silent.
+     [Ralf S. Engelschall]
+
+  *) Recompiled the error-definition header files and added
+     missing symbols to the Win32 linker tables.
+     [Ralf S. Engelschall]
+
+  *) Cleaned up the top-level documents;
+     o new files: CHANGES and LICENSE
+     o merged VERSION, HISTORY* and README* files a CHANGES.SSLeay 
+     o merged COPYRIGHT into LICENSE
+     o removed obsolete TODO file
+     o renamed MICROSOFT to INSTALL.W32
+     [Ralf S. Engelschall]
+
+  *) Removed dummy files from the 0.9.1b source tree: 
+     crypto/asn1/x crypto/bio/cd crypto/bio/fg crypto/bio/grep crypto/bio/vi
+     crypto/bn/asm/......add.c crypto/bn/asm/a.out crypto/dsa/f crypto/md5/f
+     crypto/pem/gmon.out crypto/perlasm/f crypto/pkcs7/build crypto/rsa/f
+     crypto/sha/asm/f crypto/threads/f ms/zzz ssl/f ssl/f.mak test/f
+     util/f.mak util/pl/f util/pl/f.mak crypto/bf/bf_locl.old apps/f
+     [Ralf S. Engelschall]
+
+  *) Added various platform portability fixes.
+     [Mark J. Cox]
+
+  *) The Genesis of the OpenSSL rpject:
+     We start with the latest (unreleased) SSLeay version 0.9.1b which Eric A.
+     Young and Tim J. Hudson created while they were working for C2Net until
+     summer 1998.
+     [The OpenSSL Project]
+ 
+
+ Changes between 0.9.0b and 0.9.1b  [not released]
+
+  *) Updated a few CA certificates under certs/
+     [Eric A. Young]
+
+  *) Changed some BIGNUM api stuff.
+     [Eric A. Young]
+
+  *) Various platform ports: OpenBSD, Ultrix, IRIX 64bit, NetBSD, 
+     DGUX x86, Linux Alpha, etc.
+     [Eric A. Young]
+
+  *) New COMP library [crypto/comp/] for SSL Record Layer Compression: 
+     RLE (dummy implemented) and ZLIB (really implemented when ZLIB is
+     available).
+     [Eric A. Young]
+
+  *) Add -strparse option to asn1pars program which parses nested 
+     binary structures 
+     [Dr Stephen Henson <shenson@bigfoot.com>]
+
+  *) Added "oid_file" to ssleay.cnf for "ca" and "req" programs.
+     [Eric A. Young]
+
+  *) DSA fix for "ca" program.
+     [Eric A. Young]
+
+  *) Added "-genkey" option to "dsaparam" program.
+     [Eric A. Young]
+
+  *) Added RIPE MD160 (rmd160) message digest.
+     [Eric A. Young]
+
+  *) Added -a (all) option to "ssleay version" command.
+     [Eric A. Young]
+
+  *) Added PLATFORM define which is the id given to Configure.
+     [Eric A. Young]
+
+  *) Added MemCheck_XXXX functions to crypto/mem.c for memory checking.
+     [Eric A. Young]
+
+  *) Extended the ASN.1 parser routines.
+     [Eric A. Young]
+
+  *) Extended BIO routines to support REUSEADDR, seek, tell, etc.
+     [Eric A. Young]
+
+  *) Added a BN_CTX to the BN library.
+     [Eric A. Young]
+
+  *) Fixed the weak key values in DES library
+     [Eric A. Young]
+
+  *) Changed API in EVP library for cipher aliases.
+     [Eric A. Young]
+
+  *) Added support for RC2/64bit cipher.
+     [Eric A. Young]
+
+  *) Converted the lhash library to the crypto/mem.c functions.
+     [Eric A. Young]
+
+  *) Added more recognized ASN.1 object ids.
+     [Eric A. Young]
+
+  *) Added more RSA padding checks for SSL/TLS.
+     [Eric A. Young]
+
+  *) Added BIO proxy/filter functionality.
+     [Eric A. Young]
+
+  *) Added extra_certs to SSL_CTX which can be used
+     send extra CA certificates to the client in the CA cert chain sending
+     process. It can be configured with SSL_CTX_add_extra_chain_cert().
+     [Eric A. Young]
+
+  *) Now Fortezza is denied in the authentication phase because
+     this is key exchange mechanism is not supported by SSLeay at all.
+     [Eric A. Young]
+
+  *) Additional PKCS1 checks.
+     [Eric A. Young]
+
+  *) Support the string "TLSv1" for all TLS v1 ciphers.
+     [Eric A. Young]
+
+  *) Added function SSL_get_ex_data_X509_STORE_CTX_idx() which gives the
+     ex_data index of the SSL context in the X509_STORE_CTX ex_data.
+     [Eric A. Young]
+
+  *) Fixed a few memory leaks.
+     [Eric A. Young]
+
+  *) Fixed various code and comment typos.
+     [Eric A. Young]
+
+  *) A minor bug in ssl/s3_clnt.c where there would always be 4 0 
+     bytes sent in the client random.
+     [Edward Bishop <ebishop@spyglass.com>]
+
diff --git a/src/lib/libssl/src/CHANGES.SSLeay b/src/lib/libssl/src/CHANGES.SSLeay
new file mode 100644
index 0000000000..dbb80b003d
--- /dev/null
+++ b/src/lib/libssl/src/CHANGES.SSLeay
@@ -0,0 +1,968 @@
+This file contains the changes for the SSLeay library up to version
+0.9.0b. For later changes, see the file "CHANGES".
+
+  SSLeay CHANGES
+  ______________
+
+Changes between 0.8.x and 0.9.0b
+
+10-Apr-1998
+
+I said the next version would go out at easter, and so it shall.
+I expect a 0.9.1 will follow with portability fixes in the next few weeks.
+
+This is a quick, meet the deadline.  Look to ssl-users for comments on what
+is new etc.
+
+eric (about to go bushwalking for the 4 day easter break :-)
+
+16-Mar-98
+    - Patch for Cray T90 from Wayne Schroeder <schroede@SDSC.EDU>
+    - Lots and lots of changes
+
+29-Jan-98
+    - ASN1_BIT_STRING_set_bit()/ASN1_BIT_STRING_get_bit() from
+      Goetz Babin-Ebell <babinebell@trustcenter.de>.
+    - SSL_version() now returns SSL2_VERSION, SSL3_VERSION or
+      TLS1_VERSION.
+
+7-Jan-98
+    - Finally reworked the cipher string to ciphers again, so it
+      works correctly
+    - All the app_data stuff is now ex_data with funcion calls to access.
+      The index is supplied by a function and 'methods' can be setup
+      for the types that are called on XXX_new/XXX_free.  This lets
+      applications get notified on creation and destruction.  Some of
+      the RSA methods could be implemented this way and I may do so.
+    - Oh yes, SSL under perl5 is working at the basic level.
+
+15-Dec-97
+    - Warning - the gethostbyname cache is not fully thread safe,
+      but it should work well enough.
+    - Major internal reworking of the app_data stuff.  More functions
+      but if you were accessing ->app_data directly, things will
+      stop working.
+    - The perlv5 stuff is working.  Currently on message digests,
+      ciphers and the bignum library.
+
+9-Dec-97
+    - Modified re-negotiation so that server initated re-neg
+      will cause a SSL_read() to return -1 should retry.
+      The danger otherwise was that the server and the
+      client could end up both trying to read when using non-blocking
+      sockets.
+
+4-Dec-97
+    - Lots of small changes
+    - Fix for binaray mode in Windows for the FILE BIO, thanks to
+      Bob Denny <rdenny@dc3.com>
+
+17-Nov-97
+    - Quite a few internal cleanups, (removal of errno, and using macros
+      defined in e_os.h).
+    - A bug in ca.c, pointed out by yasuyuki-ito@d-cruise.co.jp, where
+      the automactic naming out output files was being stuffed up.
+
+29-Oct-97
+    - The Cast5 cipher has been added.  MD5 and SHA-1 are now in assember
+      for x86.
+
+21-Oct-97
+    - Fixed a bug in the BIO_gethostbyname() cache.
+
+15-Oct-97
+    - cbc mode for blowfish/des/3des is now in assember.  Blowfish asm
+      has also been improved.  At this point in time, on the pentium,
+      md5 is %80 faster, the unoptimesed sha-1 is %79 faster,
+      des-cbc is %28 faster, des-ede3-cbc is %9 faster and blowfish-cbc
+      is %62 faster.
+
+12-Oct-97
+    - MEM_BUF_grow() has been fixed so that it always sets the buf->length
+      to the value we are 'growing' to.  Think of MEM_BUF_grow() as the
+      way to set the length value correctly.
+
+10-Oct-97
+    - I now hash for certificate lookup on the raw DER encoded RDN (md5).
+      This breaks things again :-(.  This is efficent since I cache
+      the DER encoding of the RDN.
+    - The text DN now puts in the numeric OID instead of UNKNOWN.
+    - req can now process arbitary OIDs in the config file.
+    - I've been implementing md5 in x86 asm, much faster :-).
+    - Started sha1 in x86 asm, needs more work.
+    - Quite a few speedups in the BN stuff.  RSA public operation
+      has been made faster by caching the BN_MONT_CTX structure.
+      The calulating of the Ai where A*Ai === 1 mod m was rather
+      expensive.  Basically a 40-50% speedup on public operations.
+      The RSA speedup is now 15% on pentiums and %20 on pentium
+      pro.
+
+30-Sep-97
+    - After doing some profiling, I added x86 adm for bn_add_words(),
+      which just adds 2 arrays of longs together.  A %10 speedup
+      for 512 and 1024 bit RSA on the pentium pro.
+
+29-Sep-97
+    - Converted the x86 bignum assembler to us the perl scripts
+      for generation.
+
+23-Sep-97
+    - If SSL_set_session() is passed a NULL session, it now clears the
+      current session-id.
+
+22-Sep-97
+    - Added a '-ss_cert file' to apps/ca.c.  This will sign selfsigned
+      certificates.
+    - Bug in crypto/evp/encode.c where by decoding of 65 base64
+      encoded lines, one line at a time (via a memory BIO) would report
+      EOF after the first line was decoded.
+    - Fix in X509_find_by_issuer_and_serial() from
+      Dr Stephen Henson <shenson@bigfoot.com>
+
+19-Sep-97
+    - NO_FP_API and NO_STDIO added.
+    - Put in sh config command.  It auto runs Configure with the correct
+      parameters.
+
+18-Sep-97
+    - Fix x509.c so if a DSA cert has different parameters to its parent,
+      they are left in place.  Not tested yet.
+
+16-Sep-97
+    - ssl_create_cipher_list() had some bugs, fixes from
+      Patrick Eisenacher <eisenach@stud.uni-frankfurt.de>
+    - Fixed a bug in the Base64 BIO, where it would return 1 instead
+      of -1 when end of input was encountered but should retry.
+      Basically a Base64/Memory BIO interaction problem.
+    - Added a HMAC set of functions in preporarion for TLS work.
+
+15-Sep-97
+    - Top level makefile tweak - Cameron Simpson <cs@zip.com.au>
+    - Prime generation spead up %25 (512 bit prime, pentium pro linux)
+      by using montgomery multiplication in the prime number test.
+
+11-Sep-97
+    - Ugly bug in ssl3_write_bytes().  Basically if application land
+      does a SSL_write(ssl,buf,len) where len > 16k, the SSLv3 write code
+      did not check the size and tried to copy the entire buffer.
+      This would tend to cause memory overwrites since SSLv3 has
+      a maximum packet size of 16k.  If your program uses
+      buffers <= 16k, you would probably never see this problem.
+    - Fixed a new errors that were cause by malloc() not returning
+      0 initialised memory..
+    - SSL_OP_NETSCAPE_CA_DN_BUG was being switched on when using
+      SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL); which was a bad thing
+      since this flags stops SSLeay being able to handle client
+      cert requests correctly.
+
+08-Sep-97
+    - SSL_SESS_CACHE_NO_INTERNAL_LOOKUP option added.  When switched
+      on, the SSL server routines will not use a SSL_SESSION that is
+      held in it's cache.  This in intended to be used with the session-id
+      callbacks so that while the session-ids are still stored in the
+      cache, the decision to use them and how to look them up can be
+      done by the callbacks.  The are the 'new', 'get' and 'remove'
+      callbacks.  This can be used to determine the session-id
+      to use depending on information like which port/host the connection
+      is coming from.  Since the are also SSL_SESSION_set_app_data() and
+      SSL_SESSION_get_app_data() functions, the application can hold
+      information against the session-id as well.
+
+03-Sep-97
+    - Added lookup of CRLs to the by_dir method,
+      X509_load_crl_file() also added.  Basically it means you can
+      lookup CRLs via the same system used to lookup certificates.
+    - Changed things so that the X509_NAME structure can contain
+      ASN.1 BIT_STRINGS which is required for the unique
+      identifier OID.
+    - Fixed some problems with the auto flushing of the session-id
+      cache.  It was not occuring on the server side.
+
+02-Sep-97
+    - Added SSL_CTX_sess_cache_size(SSL_CTX *ctx,unsigned long size)
+      which is the maximum number of entries allowed in the
+      session-id cache.  This is enforced with a simple FIFO list.
+      The default size is 20*1024 entries which is rather large :-).
+      The Timeout code is still always operating.
+
+01-Sep-97
+    - Added an argument to all the 'generate private key/prime`
+      callbacks.  It is the last parameter so this should not
+      break existing code but it is needed for C++.
+    - Added the BIO_FLAGS_BASE64_NO_NL flag for the BIO_f_base64()
+      BIO.  This lets the BIO read and write base64 encoded data
+      without inserting or looking for '\n' characters.  The '-A'
+      flag turns this on when using apps/enc.c.
+    - RSA_NO_PADDING added to help BSAFE functionality.  This is a
+      very dangerous thing to use, since RSA private key
+      operations without random padding bytes (as PKCS#1 adds) can
+      be attacked such that the private key can be revealed.
+    - ASN.1 bug and rc2-40-cbc and rc4-40 added by
+      Dr Stephen Henson <shenson@bigfoot.com>
+
+31-Aug-97 (stuff added while I was away)    
+    - Linux pthreads by Tim Hudson (tjh@cryptsoft.com).
+    - RSA_flags() added allowing bypass of pub/priv match check
+      in ssl/ssl_rsa.c - Tim Hudson.
+    - A few minor bugs.
+
+SSLeay 0.8.1 released.
+
+19-Jul-97
+    - Server side initated dynamic renegotiation is broken.  I will fix
+      it when I get back from holidays.
+
+15-Jul-97
+    - Quite a few small changes.
+    - INVALID_SOCKET usage cleanups from Alex Kiernan <alex@hisoft.co.uk>
+
+09-Jul-97
+    - Added 2 new values to the SSL info callback.
+      SSL_CB_START which is passed when the SSL protocol is started
+      and SSL_CB_DONE when it has finished sucsessfully.
+
+08-Jul-97
+    - Fixed a few bugs problems in apps/req.c and crypto/asn1/x_pkey.c
+      that related to DSA public/private keys.
+    - Added all the relevent PEM and normal IO functions to support
+      reading and writing RSAPublic keys.
+    - Changed makefiles to use ${AR} instead of 'ar r'
+
+07-Jul-97
+    - Error in ERR_remove_state() that would leave a dangling reference
+      to a free()ed location - thanks to Alex Kiernan <alex@hisoft.co.uk>
+    - s_client now prints the X509_NAMEs passed from the server
+      when requesting a client cert.
+    - Added a ssl->type, which is one of SSL_ST_CONNECT or
+      SSL_ST_ACCEPT.  I had to add it so I could tell if I was
+      a connect or an accept after the handshake had finished.
+    - SSL_get_client_CA_list(SSL *s) now returns the CA names
+      passed by the server if called by a client side SSL.
+
+05-Jul-97
+    - Bug in X509_NAME_get_text_by_OBJ(), looking starting at index
+      0, not -1 :-(  Fix from Tim Hudson (tjh@cryptsoft.com).
+
+04-Jul-97
+    - Fixed some things in X509_NAME_add_entry(), thanks to
+      Matthew Donald <matthew@world.net>.
+    - I had a look at the cipher section and though that it was a
+      bit confused, so I've changed it.
+    - I was not setting up the RC4-64-MD5 cipher correctly.  It is
+      a MS special that appears in exported MS Money.
+    - Error in all my DH ciphers.  Section 7.6.7.3 of the SSLv3
+      spec.  I was missing the two byte length header for the
+      ClientDiffieHellmanPublic value.  This is a packet sent from
+      the client to the server.  The SSL_OP_SSLEAY_080_CLIENT_DH_BUG
+      option will enable SSLeay server side SSLv3 accept either
+      the correct or my 080 packet format.
+    - Fixed a few typos in crypto/pem.org.
+
+02-Jul-97
+    - Alias mapping for EVP_get_(digest|cipher)byname is now
+      performed before a lookup for actual cipher.  This means
+      that an alias can be used to 're-direct' a cipher or a
+      digest.
+    - ASN1_read_bio() had a bug that only showed up when using a
+      memory BIO.  When EOF is reached in the memory BIO, it is
+      reported as a -1 with BIO_should_retry() set to true.
+
+01-Jul-97
+    - Fixed an error in X509_verify_cert() caused by my
+      miss-understanding how 'do { contine } while(0);' works.
+      Thanks to Emil Sit <sit@mit.edu> for educating me :-)
+
+30-Jun-97
+    - Base64 decoding error.  If the last data line did not end with
+      a '=', sometimes extra data would be returned.
+    - Another 'cut and paste' bug in x509.c related to setting up the
+      STDout BIO.
+
+27-Jun-97
+    - apps/ciphers.c was not printing due to an editing error.
+    - Alex Kiernan <alex@hisoft.co.uk> send in a nice fix for
+      a library build error in util/mk1mf.pl
+
+26-Jun-97
+    - Still did not have the auto 'experimental' code removal
+      script correct.
+    - A few header tweaks for Watcom 11.0 under Win32 from
+      Rolf Lindemann <Lindemann@maz-hh.de>
+    - 0 length OCTET_STRING bug in asn1_parse
+    - A minor fix with an non-existent function in the MS .def files.
+    - A few changes to the PKCS7 stuff.
+
+25-Jun-97
+    SSLeay 0.8.0 finally it gets released.
+
+24-Jun-97
+    Added a SSL_OP_EPHEMERAL_RSA option which causes all SSLv3 RSA keys to
+    use a temporary RSA key.  This is experimental and needs some more work.
+    Fixed a few Win16 build problems.
+
+23-Jun-97
+    SSLv3 bug. I was not doing the 'lookup' of the CERT structure
+    correctly. I was taking the SSL->ctx->default_cert when I should
+    have been using SSL->cert. The bug was in ssl/s3_srvr.c
+
+20-Jun-97
+    X509_ATTRIBUTES were being encoded wrongly by apps/reg.c and the
+    rest of the library. Even though I had the code required to do
+    it correctly, apps/req.c was doing the wrong thing.  I have fixed
+    and tested everything.
+
+    Missing a few #ifdef FIONBIO sections in crypto/bio/bss_acpt.c.
+
+19-Jun-97
+    Fixed a bug in the SSLv2 server side first packet handling. When
+    using the non-blocking test BIO, the ssl->s2->first_packet flag
+    was being reset when a would-block failure occurred when reading
+    the first 5 bytes of the first packet. This caused the checking
+    logic to run at the wrong time and cause an error.
+
+    Fixed a problem with specifying cipher. If RC4-MD5 were used,
+    only the SSLv3 version would be picked up.  Now this will pick
+    up both SSLv2 and SSLv3 versions. This required changing the
+    SSL_CIPHER->mask values so that they only mask the ciphers,
+    digests, authentication, export type and key-exchange algorithms.
+
+    I found that when a SSLv23 session is established, a reused
+    session, of type SSLv3 was attempting to write the SSLv2 
+    ciphers, which were invalid. The SSL_METHOD->put_cipher_by_char 
+    method has been modified so it will only write out cipher which
+    that method knows about.  
+
+
+ Changes between 0.8.0 and 0.8.1
+
+  *) Mostly bug fixes. 
+     There is an Ephemeral DH cipher problem which is fixed.
+
+ SSLeay 0.8.0
+
+This version of SSLeay has quite a lot of things different from the
+previous version.
+
+Basically check all callback parameters, I will be producing documentation
+about how to use things in th future.  Currently I'm just getting 080 out
+the door.  Please not that there are several ways to do everything, and
+most of the applications in the apps directory are hybrids, some using old
+methods and some using new methods.
+
+Have a look in demos/bio for some very simple programs and
+apps/s_client.c and apps/s_server.c for some more advanced versions.
+Notes are definitly needed but they are a week or so away.
+
+Anyway, some quick nots from Tim Hudson (tjh@cryptsoft.com)
+---
+Quick porting notes for moving from SSLeay-0.6.x to SSLeay-0.8.x to
+get those people that want to move to using the new code base off to
+a quick start.
+
+Note that Eric has tidied up a lot of the areas of the API that were
+less than desirable and renamed quite a few things (as he had to break
+the API in lots of places anyrate). There are a whole pile of additional
+functions for making dealing with (and creating) certificates a lot
+cleaner.
+
+01-Jul-97
+Tim Hudson
+tjh@cryptsoft.com
+
+---8<---
+
+To maintain code that uses both SSLeay-0.6.x and SSLeay-0.8.x you could
+use something like the following (assuming you #include "crypto.h" which
+is something that you really should be doing).
+
+#if SSLEAY_VERSION_NUMBER >= 0x0800
+#define SSLEAY8
+#endif
+
+buffer.h -> splits into buffer.h and bio.h so you need to include bio.h
+            too if you are working with BIO internal stuff (as distinct
+        from simply using the interface in an opaque manner)
+
+#include "bio.h"    - required along with "buffer.h" if you write
+              your own BIO routines as the buffer and bio
+              stuff that was intermixed has been separated
+              out 
+            
+envelope.h -> evp.h  (which should have been done ages ago)
+
+Initialisation ... don't forget these or you end up with code that
+is missing the bits required to do useful things (like ciphers):
+
+SSLeay_add_ssl_algorithms()
+(probably also want SSL_load_error_strings() too but you should have
+ already had that call in place)
+
+SSL_CTX_new()   - requires an extra method parameter
+              SSL_CTX_new(SSLv23_method()) 
+              SSL_CTX_new(SSLv2_method()) 
+              SSL_CTX_new(SSLv3_method()) 
+
+          OR to only have the server or the client code
+              SSL_CTX_new(SSLv23_server_method()) 
+              SSL_CTX_new(SSLv2_server_method()) 
+              SSL_CTX_new(SSLv3_server_method()) 
+          or  
+              SSL_CTX_new(SSLv23_client_method()) 
+              SSL_CTX_new(SSLv2_client_method()) 
+              SSL_CTX_new(SSLv3_client_method()) 
+
+SSL_set_default_verify_paths() ... renamed to the more appropriate
+SSL_CTX_set_default_verify_paths()
+
+If you want to use client certificates then you have to add in a bit
+of extra stuff in that a SSLv3 server sends a list of those CAs that
+it will accept certificates from ... so you have to provide a list to
+SSLeay otherwise certain browsers will not send client certs.
+
+SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(s_cert_file));
+
+
+X509_NAME_oneline(X)    -> X509_NAME_oneline(X,NULL,0)  
+               or provide a buffer and size to copy the
+               result into
+
+X509_add_cert ->  X509_STORE_add_cert (and you might want to read the
+          notes on X509_NAME structure changes too)
+
+
+VERIFICATION CODE
+=================
+
+The codes have all be renamed from VERIFY_ERR_* to X509_V_ERR_* to
+more accurately reflect things.
+
+The verification callback args are now packaged differently so that
+extra fields for verification can be added easily in future without
+having to break things by adding extra parameters each release :-)
+
+X509_cert_verify_error_string -> X509_verify_cert_error_string
+
+
+BIO INTERNALS
+=============
+
+Eric has fixed things so that extra flags can be introduced in
+the BIO layer in future without having to play with all the BIO
+modules by adding in some macros.
+
+The ugly stuff using 
+    b->flags ~= (BIO_FLAGS_RW|BIO_FLAGS_SHOULD_RETRY)
+becomes
+    BIO_clear_retry_flags(b)
+
+    b->flags |= (BIO_FLAGS_READ|BIO_FLAGS_SHOULD_RETRY)
+becomes
+    BIO_set_retry_read(b)
+
+Also ... BIO_get_retry_flags(b), BIO_set_flags(b)
+
+
+
+OTHER THINGS
+============
+
+X509_NAME has been altered so that it isn't just a STACK ... the STACK
+is now in the "entries" field ... and there are a pile of nice functions
+for getting at the details in a much cleaner manner.
+
+SSL_CTX has been altered ... "cert" is no longer a direct member of this
+structure ... things are now down under "cert_store" (see x509_vfy.h) and
+things are no longer in a CERTIFICATE_CTX but instead in a X509_STORE.
+If your code "knows" about this level of detail then it will need some 
+surgery.
+
+If you depending on the incorrect spelling of a number of the error codes
+then you will have to change your code as these have been fixed.
+
+ENV_CIPHER "type" got renamed to "nid" and as that is what it actually
+has been all along so this makes things clearer.
+ify_cert_error_string(ctx->error));
+
+SSL_R_NO_CIPHER_WE_TRUST -> SSL_R_NO_CIPHER_LIST
+            and SSL_R_REUSE_CIPHER_LIST_NOT_ZERO
+
+
+
+ Changes between 0.7.x and 0.8.0
+  
+  *) There have been lots of changes, mostly the addition of SSLv3.
+     There have been many additions from people and amongst
+     others, C2Net has assisted greatly.
+ 
+ Changes between 0.7.x and 0.7.x
+
+  *) Internal development version only
+
+SSLeay 0.6.6 13-Jan-1997
+
+The main additions are
+
+- assember for x86 DES improvments.
+  From 191,000 per second on a pentium 100, I now get 281,000.  The inner
+  loop and the IP/FP modifications are from
+  Svend Olaf Mikkelsen <svolaf@inet.uni-c.dk>.  Many thanks for his
+  contribution.
+- The 'DES macros' introduced in 0.6.5 now have 3 types.
+  DES_PTR1, DES_PTR2 and 'normal'.  As per before, des_opts reports which
+  is best and there is a summery of mine in crypto/des/options.txt
+- A few bug fixes.
+- Added blowfish.  It is not used by SSL but all the other stuff that
+  deals with ciphers can use it in either ecb, cbc, cfb64 or ofb64 modes.
+  There are 3 options for optimising Blowfish.  BF_PTR, BF_PTR2 and 'normal'.
+  BF_PTR2 is pentium/x86 specific.  The correct option is setup in
+  the 'Configure' script.
+- There is now a 'get client certificate' callback which can be
+  'non-blocking'.  If more details are required, let me know.  It will
+  documented more in SSLv3 when I finish it.
+- Bug fixes from 0.6.5 including the infamous 'ca' bug.  The 'make test'
+  now tests the ca program.
+- Lots of little things modified and tweaked.
+
+ SSLeay 0.6.5
+
+After quite some time (3 months), the new release.  I have been very busy
+for the last few months and so this is mostly bug fixes and improvments.
+
+The main additions are
+
+- assember for x86 DES.  For all those gcc based systems, this is a big
+  improvement.  From 117,000 DES operation a second on a pentium 100,
+  I now get 191,000.  I have also reworked the C version so it
+  now gives 148,000 DESs per second.  
+- As mentioned above, the inner DES macros now have some more variant that
+  sometimes help, sometimes hinder performance.  There are now 3 options
+  DES_PTR (ptr vs array lookup), DES_UNROLL (full vs partial loop unrolling)
+  and DES_RISC (a more register intensive version of the inner macro).
+  The crypto/des/des_opts.c program, when compiled and run, will give
+  an indication of the correct options to use.
+- The BIO stuff has been improved.  Read doc/bio.doc.  There are now
+  modules for encryption and base64 encoding and a BIO_printf() function.
+- The CA program will accept simple one line X509v3 extensions in the
+  ssleay.cnf file.  Have a look at the example.  Currently this just
+  puts the text into the certificate as an OCTET_STRING so currently
+  the more advanced X509v3 data types are not handled but this is enough
+  for the netscape extensions.
+- There is the start of a nicer higher level interface to the X509
+  strucutre.
+- Quite a lot of bug fixes.
+- CRYPTO_malloc_init()  (or CRYPTO_set_mem_functions()) can be used
+  to define the malloc(), free() and realloc() routines to use
+  (look in crypto/crypto.h).  This is mostly needed for Windows NT/95 when
+  using DLLs and mixing CRT libraries.
+
+In general, read the 'VERSION' file for changes and be aware that some of
+the new stuff may not have been tested quite enough yet, so don't just plonk
+in SSLeay 0.6.5 when 0.6.4 used to work and expect nothing to break.
+
+SSLeay 0.6.4 30/08/96 eay
+
+I've just finished some test builds on Windows NT, Windows 3.1, Solaris 2.3,
+Solaris 2.5, Linux, IRIX, HPUX 10 and everthing seems to work :-).
+
+The main changes in this release
+
+- Thread safe.  have a read of doc/threads.doc and play in the mt directory.
+  For anyone using 0.6.3 with threads, I found 2 major errors so consider
+  moving to 0.6.4.  I have a test program that builds under NT and
+  solaris.
+- The get session-id callback has changed.  Have a read of doc/callback.doc.
+- The X509_cert_verify callback (the SSL_verify callback) now
+  has another argument.  Have a read of doc/callback.doc
+- 'ca -preserve', sign without re-ordering the DN.  Not tested much.
+- VMS support.
+- Compile time memory leak detection can now be built into SSLeay.
+  Read doc/memory.doc
+- CONF routines now understand '\', '\n', '\r' etc.  What this means is that
+  the  SPKAC object mentioned in doc/ns-ca.doc can be on multiple lines.
+- 'ssleay ciphers' added, lists the default cipher list for SSLeay.
+- RC2 key setup is now compatable with Netscape.
+- Modifed server side of SSL implementation, big performance difference when
+      using session-id reuse.
+
+0.6.3
+
+Bug fixes and the addition of some nice stuff to the 'ca' program.
+Have a read of doc/ns-ca.doc for how hit has been modified so
+it can be driven from a CGI script.  The CGI script is not provided,
+but that is just being left as an excersize for the reader :-).
+
+0.6.2
+
+This is most bug fixes and functionality improvements.
+
+Additions are
+- More thread debugging patches, the thread stuff is still being
+  tested, but for those keep to play with stuff, have a look in
+  crypto/cryptlib.c.  The application needs to define 1 (or optionaly
+  a second) callback that is used to implement locking.  Compiling
+  with LOCK_DEBUG spits out lots of locking crud :-).
+  This is what I'm currently working on.
+- SSL_CTX_set_default_passwd_cb() can be used to define the callback
+  function used in the SSL*_file() functions used to load keys.  I was
+  always of the opinion that people should call
+  PEM_read_RSAPrivateKey() and pass the callback they want to use, but
+  it appears they just want to use the SSL_*_file() function() :-(.
+- 'enc' now has a -kfile so a key can be read from a file.  This is
+  mostly used so that the passwd does not appear when using 'ps',
+  which appears imposible to stop under solaris.
+- X509v3 certificates now work correctly.  I even have more examples
+  in my tests :-).  There is now a X509_EXTENSION type that is used in
+  X509v3 certificates and CRLv2.
+- Fixed that signature type error :-(
+- Fixed quite a few potential memory leaks and problems when reusing
+  X509, CRL and REQ structures.
+- EVP_set_pw_prompt() now sets the library wide default password
+  prompt.
+- The 'pkcs7' command will now, given the -print_certs flag, output in
+  pem format, all certificates and CRL contained within.  This is more
+  of a pre-emtive thing for the new verisign distribution method.  I
+  should also note, that this also gives and example in code, of how
+  to do this :-), or for that matter, what is involved in going the
+  other way (list of certs and crl -> pkcs7).
+- Added RSA's DESX to the DES library.  It is also available via the
+  EVP_desx_cbc() method and via 'enc desx'. 
+
+SSLeay 0.6.1
+
+The main functional changes since 0.6.0 are as follows
+- Bad news, the Microsoft 060 DLL's are not compatable, but the good news is
+  that from now on, I'll keep the .def numbers the same so they will be.
+- RSA private key operations are about 2 times faster that 0.6.0
+- The SSL_CTX now has more fields so default values can be put against
+  it.  When an SSL structure is created, these default values are used
+  but can be overwritten.  There are defaults for cipher, certificate,
+  private key, verify mode and callback.  This means SSL session
+  creation can now be
+  ssl=SSL_new()
+  SSL_set_fd(ssl,sock);
+  SSL_accept(ssl)
+  ....
+  All the other uglyness with having to keep a global copy of the
+  private key and certificate/verify mode in the server is now gone.
+- ssl/ssltest.c - one process talking SSL to its self for testing.
+- Storage of Session-id's can be controled via a session_cache_mode
+  flag.  There is also now an automatic default flushing of 
+  old session-id's.
+- The X509_cert_verify() function now has another parameter, this
+  should not effect most people but it now means that the reason for
+  the failure to verify is now available via SSL_get_verify_result(ssl).
+  You don't have to use a global variable.
+- SSL_get_app_data() and SSL_set_app_data() can be used to keep some
+  application data against the SSL structure.  It is upto the application
+  to free the data.  I don't use it, but it is available.
+- SSL_CTX_set_cert_verify_callback() can be used to specify a
+  verify callback function that completly replaces my certificate
+  verification code.  Xcert should be able to use this :-).
+  The callback is of the form int app_verify_callback(arg,ssl,cert).
+  This needs to be documented more.
+- I have started playing with shared library builds, have a look in
+  the shlib directory.  It is very simple.  If you need a numbered
+  list of functions, have a look at misc/crypto.num and misc/ssl.num.
+- There is some stuff to do locking to make the library thread safe.
+  I have only started this stuff and have not finished.  If anyone is
+  keen to do so, please send me the patches when finished.
+
+So I have finally made most of the additions to the SSL interface that
+I thought were needed.
+
+There will probably be a pause before I make any non-bug/documentation
+related changes to SSLeay since I'm feeling like a bit of a break.
+
+eric - 12 Jul 1996
+I saw recently a comment by some-one that we now seem to be entering
+the age of perpetual Beta software.
+Pioneered by packages like linux but refined to an art form by
+netscape.
+
+I too wish to join this trend with the anouncement of SSLeay 0.6.0 :-).
+
+There are quite a large number of sections that are 'works in
+progress' in this package.  I will also list the major changes and
+what files you should read.
+
+BIO - this is the new IO structure being used everywhere in SSLeay.  I
+started out developing this because of microsoft, I wanted a mechanism
+to callback to the application for all IO, so Windows 3.1 DLL
+perversion could be hidden from me and the 15 different ways to write
+to a file under NT would also not be dictated by me at library build
+time.  What the 'package' is is an API for a data structure containing
+functions.  IO interfaces can be written to conform to the
+specification.  This in not intended to hide the underlying data type
+from the application, but to hide it from SSLeay :-).
+I have only really finished testing the FILE * and socket/fd modules.
+There are also 'filter' BIO's.  Currently I have only implemented
+message digests, and it is in use in the dgst application.  This
+functionality will allow base64/encrypto/buffering modules to be
+'push' into a BIO without it affecting the semantics.  I'm also
+working on an SSL BIO which will hide the SSL_accept()/SLL_connet()
+from an event loop which uses the interface.
+It is also possible to 'attach' callbacks to a BIO so they get called
+before and after each operation, alowing extensive debug output
+to be generated (try running dgst with -d).
+
+Unfortunaly in the conversion from 0.5.x to 0.6.0, quite a few
+functions that used to take FILE *, now take BIO *.
+The wrappers are easy to write
+
+function_fp(fp,x)
+FILE *fp;
+    {
+    BIO *b;
+    int ret;
+
+    if ((b=BIO_new(BIO_s_file())) == NULL) error.....
+    BIO_set_fp(b,fp,BIO_NOCLOSE);
+    ret=function_bio(b,x);
+    BIO_free(b);
+    return(ret);
+    }
+Remember, there are no functions that take FILE * in SSLeay when
+compiled for Windows 3.1 DLL's.
+
+--
+I have added a general EVP_PKEY type that can hold a public/private
+key.  This is now what is used by the EVP_ functions and is passed
+around internally.  I still have not done the PKCS#8 stuff, but
+X509_PKEY is defined and waiting :-)
+
+--
+For a full function name listings, have a look at ms/crypt32.def and
+ms/ssl32.def.  These are auto-generated but are complete.
+Things like ASN1_INTEGER_get() have been added and are in here if you
+look.  I have renamed a few things, again, have a look through the
+function list and you will probably find what you are after.  I intend
+to at least put a one line descrition for each one.....
+
+--
+Microsoft - thats what this release is about, read the MICROSOFT file.
+
+--
+Multi-threading support.  I have started hunting through the code and
+flaging where things need to be done.  In a state of work but high on
+the list.
+
+--
+For random numbers, edit e_os.h and set DEVRANDOM (it's near the top)
+be be you random data device, otherwise 'RFILE' in e_os.h
+will be used, in your home directory.  It will be updated
+periodically.  The environment variable RANDFILE will override this
+choice and read/write to that file instead.  DEVRANDOM is used in
+conjunction to the RFILE/RANDFILE.  If you wish to 'seed' the random
+number generator, pick on one of these files.
+
+--
+
+The list of things to read and do
+
+dgst -d
+s_client -state (this uses a callback placed in the SSL state loop and
+        will be used else-where to help debug/monitor what
+        is happening.)
+
+doc/why.doc
+doc/bio.doc <- hmmm, needs lots of work.
+doc/bss_file.doc <- one that is working :-)
+doc/session.doc <- it has changed
+doc/speed.doc
+ also play with ssleay version -a.  I have now added a SSLeay()
+ function that returns a version number, eg 0600 for this release
+ which is primarily to be used to check DLL version against the
+ application.
+util/*  Quite a few will not interest people, but some may, like
+ mk1mf.pl, mkdef.pl,
+util/do_ms.sh
+
+try
+cc -Iinclude -Icrypto -c crypto/crypto.c
+cc -Iinclude -Issl -c ssl/ssl.c
+You have just built the SSLeay libraries as 2 object files :-)
+
+Have a general rummage around in the bin stall directory and look at
+what is in there, like CA.sh and c_rehash
+
+There are lots more things but it is 12:30am on a Friday night and I'm
+heading home :-).
+
+eric 22-Jun-1996
+This version has quite a few major bug fixes and improvements.  It DOES NOT
+do SSLv3 yet.
+
+The main things changed
+- A Few days ago I added the s_mult application to ssleay which is
+  a demo of an SSL server running in an event loop type thing.
+  It supports non-blocking IO, I have finally gotten it right, SSL_accept()
+  can operate in non-blocking IO mode, look at the code to see how :-).
+  Have a read of doc/s_mult as well.  This program leaks memory and
+  file descriptors everywhere but I have not cleaned it up yet.
+  This is a demo of how to do non-blocking IO.
+- The SSL session management has been 'worked over' and there is now
+  quite an expansive set of functions to manipulate them.  Have a read of
+  doc/session.doc for some-things I quickly whipped up about how it now works.
+  This assume you know the SSLv2 protocol :-)
+- I can now read/write the netscape certificate format, use the
+  -inform/-outform  'net' options to the x509 command.  I have not put support
+  for this type in the other demo programs, but it would be easy to add.
+- asn1parse and 'enc' have been modified so that when reading base64
+  encoded files (pem format), they do not require '-----BEGIN' header lines.
+  The 'enc' program had a buffering bug fixed, it can be used as a general
+  base64 -> binary -> base64 filter by doing 'enc -a -e' and 'enc -a -d'
+  respecivly.  Leaving out the '-a' flag in this case makes the 'enc' command
+  into a form of 'cat'.
+- The 'x509' and 'req' programs have been fixed and modified a little so
+  that they generate self-signed certificates correctly.  The test
+  script actually generates a 'CA' certificate and then 'signs' a
+  'user' certificate.  Have a look at this shell script (test/sstest)
+  to see how things work, it tests most possible combinations of what can
+  be done.
+- The 'SSL_set_pref_cipher()' function has been 'fixed' and the prefered name
+  of SSL_set_cipher_list() is now the correct API (stops confusion :-).
+  If this function is used in the client, only the specified ciphers can
+  be used, with preference given to the order the ciphers were listed.
+  For the server, if this is used, only the specified ciphers will be used
+  to accept connections.  If this 'option' is not used, a default set of
+  ciphers will be used.  The SSL_CTX_set_cipher_list(SSL_CTX *ctx) sets this
+  list for all ciphers started against the SSL_CTX.  So the order is
+  SSL cipher_list, if not present, SSL_CTX cipher list, if not
+  present, then the library default.
+  What this means is that normally ciphers like
+  NULL-MD5 will never be used.  The only way this cipher can be used
+  for both ends to specify to use it.
+  To enable or disable ciphers in the library at build time, modify the
+  first field for the cipher in the ssl_ciphers array in ssl/ssl_lib.c.
+  This file also contains the 'pref_cipher' list which is the default
+  cipher preference order.
+- I'm not currently sure if the 'rsa -inform net' and the 'rsa -outform net'
+  options work.  They should, and they enable loading and writing the
+  netscape rsa private key format.  I will be re-working this section of
+  SSLeay for the next version.  What is currently in place is a quick and
+  dirty hack.
+- I've re-written parts of the bignum library.  This gives speedups
+  for all platforms.  I now provide assembler for use under Windows NT.
+  I have not tested the Windows 3.1 assembler but it is quite simple code.
+  This gives RSAprivate_key operation encryption times of 0.047s (512bit key)
+  and 0.230s (1024bit key) on a pentium 100 which I consider reasonable.
+  Basically the times available under linux/solaris x86 can be achieve under
+  Windows NT.  I still don't know how these times compare to RSA's BSAFE
+  library but I have been emailing with people and with their help, I should
+  be able to get my library's quite a bit faster still (more algorithm changes).
+  The object file crypto/bn/asm/x86-32.obj should be used when linking
+  under NT.
+- 'make makefile.one' in the top directory will generate a single makefile
+  called 'makefile.one'  This makefile contains no perl references and
+  will build the SSLeay library into the 'tmp' and 'out' directories.
+  util/mk1mf.pl >makefile.one is how this makefile is
+  generated.  The mk1mf.pl command take several option to generate the
+  makefile for use with cc, gcc, Visual C++ and Borland C++.  This is
+  still under development.  I have only build .lib's for NT and MSDOS
+  I will be working on this more.  I still need to play with the
+  correct compiler setups for these compilers and add some more stuff but
+  basically if you just want to compile the library
+  on a 'non-unix' platform, this is a very very good file to start with :-).
+  Have a look in the 'microsoft' directory for my current makefiles.
+  I have not yet modified things to link with sockets under Windows NT.
+  You guys should be able to do this since this is actually outside of the
+  SSLeay scope :-).  I will be doing it for myself soon.
+  util/mk1mf.pl takes quite a few options including no-rc, rsaref  and no-sock
+  to build without RC2/RC4, to require RSAref for linking, and to
+  build with no socket code.
+
+- Oh yes, the cipher that was reported to be compatible with RSA's RC2 cipher
+  that was posted to sci.crypt has been added to the library and SSL.
+  I take the view that if RC2 is going to be included in a standard,
+  I'll include the cipher to make my package complete.
+  There are NO_RC2, NO_RC4 and NO_IDEA macros to remove these ciphers
+  at compile time.  I have not tested this recently but it should all work
+  and if you are in the USA and don't want RSA threatening to sue you,
+  you could probably remove the RC4/RC2 code inside these sections.
+  I may in the future include a perl script that does this code
+  removal automatically for those in the USA :-).
+- I have removed all references to sed in the makefiles.  So basically,
+  the development environment requires perl and sh.  The build environment
+  does not (use the makefile.one makefile).
+  The Configure script still requires perl, this will probably stay that way
+  since I have perl for Windows NT :-).
+
+eric (03-May-1996)
+
+PS Have a look in the VERSION file for more details on the changes and
+   bug fixes.
+I have fixed a few bugs, added alpha and x86 assembler and generally cleaned
+things up.  This version will be quite stable, mostly because I'm on
+holidays until 10-March-1996.  For any problems in the interum, send email
+to Tim Hudson <tjh@mincom.oz.au>.
+
+SSLeay 0.5.0
+
+12-12-95
+This is going out before it should really be released.
+
+I leave for 11 weeks holidays on the 22-12-95 and so I either sit on
+this for 11 weeks or get things out.  It is still going to change a
+lot in the next week so if you do grab this version, please test and
+give me feed back ASAP, inculuding questions on how to do things with
+the library.  This will prompt me to write documentation so I don't
+have to answer the same question again :-).
+
+This 'pre' release version is for people who are interested in the
+library.  The applications will have to be changed to use
+the new version of the SSL interface.  I intend to finish more
+documentation before I leave but until then, look at the programs in
+the apps directory.  As far as code goes, it is much much nicer than
+the old version.
+
+The current library works, has no memory leaks (as far as I can tell)
+and is far more bug free that 0.4.5d.  There are no global variable of
+consequence (I believe) and I will produce some documentation that
+tell where to look for those people that do want to do multi-threaded
+stuff.
+
+There should be more documentation.  Have a look in the
+doc directory.  I'll be adding more before I leave, it is a start
+by mostly documents the crypto library.  Tim Hudson will update
+the web page ASAP.  The spelling and grammar are crap but
+it is better than nothing :-)
+
+Reasons to start playing with version 0.5.0
+- All the programs in the apps directory build into one ssleay binary.
+- There is a new version of the 'req' program that generates certificate
+  requests, there is even documentation for this one :-)
+- There is a demo certification authorithy program.  Currently it will
+  look at the simple database and update it.  It will generate CRL from
+  the data base.  You need to edit the database by hand to revoke a
+  certificate, it is my aim to use perl5/Tk but I don't have time to do
+  this right now.  It will generate the certificates but the management
+  scripts still need to be written.  This is not a hard task.
+- Things have been cleaned up alot.
+- Have a look at the enc and dgst programs in the apps directory.
+- It supports v3 of x509 certiticates.
+
+
+Major things missing.
+- I have been working on (and thinging about) the distributed x509
+  hierachy problem.  I have not had time to put my solution in place.
+  It will have to wait until I come back.
+- I have not put in CRL checking in the certificate verification but
+  it would not be hard to do.  I was waiting until I could generate my
+  own CRL (which has only been in the last week) and I don't have time
+  to put it in correctly.
+- Montgomery multiplication need to be implemented.  I know the
+  algorithm, just ran out of time.
+- PKCS#7.  I can load and write the DER version.  I need to re-work
+  things to support BER (if that means nothing, read the ASN1 spec :-).
+- Testing of the higher level digital envelope routines.  I have not
+  played with the *_seal() and *_open() type functions.  They are
+  written but need testing.  The *_sign() and *_verify() functions are
+  rock solid. 
+- PEM.  Doing this and PKCS#7 have been dependant on the distributed
+  x509 heirachy problem.  I started implementing my ideas, got
+  distracted writing a CA program and then ran out of time.  I provide
+  the functionality of RSAref at least.
+- Re work the asm. code for the x86.  I've changed by low level bignum
+  interface again, so I really need to tweak the x86 stuff.  gcc is
+  good enough for the other boxes.
+
diff --git a/src/lib/libssl/src/FAQ b/src/lib/libssl/src/FAQ
new file mode 100644
index 0000000000..ab84a3f9e8
--- /dev/null
+++ b/src/lib/libssl/src/FAQ
@@ -0,0 +1,130 @@
+OpenSSL  -  Frequently Asked Questions
+--------------------------------------
+
+* Which is the current version of OpenSSL?
+* Where is the documentation?
+* How can I contact the OpenSSL developers?
+* Do I need patent licenses to use OpenSSL?
+* Is OpenSSL thread-safe?
+* Why do I get a "PRNG not seeded" error message?
+* Why does the linker complain about undefined symbols?
+* Where can I get a compiled version of OpenSSL?
+
+
+* Which is the current version of OpenSSL?
+
+The current version is available from <URL: http://www.openssl.org>.
+OpenSSL 0.9.5 was released on February 28th, 2000.
+
+In addition to the current stable release, you can also access daily
+snapshots of the OpenSSL development version at <URL:
+ftp://ftp.openssl.org/snapshot/>, or get it by anonymous CVS access.
+
+
+* Where is the documentation?
+
+OpenSSL is a library that provides cryptographic functionality to
+applications such as secure web servers.  Be sure to read the
+documentation of the application you want to use.  The INSTALL file
+explains how to install this library.
+
+OpenSSL includes a command line utility that can be used to perform a
+variety of cryptographic functions.  It is described in the openssl(1)
+manpage.  Documentation for developers is currently being written.  A
+few manual pages already are available; overviews over libcrypto and
+libssl are given in the crypto(3) and ssl(3) manpages.
+
+The OpenSSL manpages are installed in /usr/local/ssl/man/ (or a
+different directory if you specified one as described in INSTALL).
+In addition, you can read the most current versions at
+<URL: http://www.openssl.org/docs/>.
+
+For information on parts of libcrypto that are not yet documented, you
+might want to read Ariel Glenn's documentation on SSLeay 0.9, OpenSSL's
+predecessor, at <URL: http://www.columbia.edu/~ariel/ssleay/>.  Much
+of this still applies to OpenSSL.
+
+There is some documentation about certificate extensions and PKCS#12
+in doc/openssl.txt
+
+The original SSLeay documentation is included in OpenSSL as
+doc/ssleay.txt.  It may be useful when none of the other resources
+help, but please note that it reflects the obsolete version SSLeay
+0.6.6.
+
+
+* How can I contact the OpenSSL developers?
+
+The README file describes how to submit bug reports and patches to
+OpenSSL.  Information on the OpenSSL mailing lists is available from
+<URL: http://www.openssl.org>.
+
+
+* Do I need patent licenses to use OpenSSL?
+
+The patents section of the README file lists patents that may apply to
+you if you want to use OpenSSL.  For information on intellectual
+property rights, please consult a lawyer.  The OpenSSL team does not
+offer legal advice.
+
+You can configure OpenSSL so as not to use RC5 and IDEA by using
+ ./config no-rc5 no-idea
+
+Until the RSA patent expires, U.S. users may want to use
+ ./config no-rc5 no-idea no-rsa
+
+Please note that you will *not* be able to communicate with most of
+the popular web browsers without RSA support.
+
+
+* Is OpenSSL thread-safe?
+
+Yes.  On Windows and many Unix systems, OpenSSL automatically uses the
+multi-threaded versions of the standard libraries.  If your platform
+is not one of these, consult the INSTALL file.
+
+Multi-threaded applications must provide two callback functions to
+OpenSSL.  This is described in the threads(3) manpage.
+
+
+* Why do I get a "PRNG not seeded" error message?
+
+Cryptographic software needs a source of unpredictable data to work
+correctly.  Many open source operating systems provide a "randomness
+device" that serves this purpose.  On other systems, applications have
+to call the RAND_add() or RAND_seed() function with appropriate data
+before generating keys or performing public key encryption.
+
+Some broken applications do not do this.  As of version 0.9.5, the
+OpenSSL functions that need randomness report an error if the random
+number generator has not been seeded with at least 128 bits of
+randomness.  If this error occurs, please contact the author of the
+application you are using.  It is likely that it never worked
+correctly.  OpenSSL 0.9.5 makes the error visible by refusing to
+perform potentially insecure encryption.
+
+
+* Why does the linker complain about undefined symbols?
+
+Maybe the compilation was interrupted, and make doesn't notice that
+something is missing.  Run "make clean; make".
+
+If you used ./Configure instead of ./config, make sure that you
+selected the right target.  File formats may differ slightly between
+OS versions (for example sparcv8/sparcv9, or a.out/elf).
+
+If that doesn't help, you may want to try using the current snapshot.
+If the problem persists, please submit a bug report.
+
+
+* Where can I get a compiled version of OpenSSL?
+
+Some applications that use OpenSSL are distributed in binary form.
+When using such an application, you don't need to install OpenSSL
+yourself; the application will include the required parts (e.g. DLLs).
+
+If you want to install OpenSSL on a Windows system and you don't have
+a C compiler, read the "Mingw32" section of INSTALL.W32 for information
+on how to obtain and install the free GNU C compiler.
+
+A number of Linux and *BSD distributions include OpenSSL.
diff --git a/src/lib/libssl/src/INSTALL.MacOS b/src/lib/libssl/src/INSTALL.MacOS
new file mode 100644
index 0000000000..a8c4f7f1da
--- /dev/null
+++ b/src/lib/libssl/src/INSTALL.MacOS
@@ -0,0 +1,72 @@
+OpenSSL - Port To The Macintosh
+===============================
+
+Thanks to Roy Wood <roy@centricsystems.ca> initial support for MacOS (pre
+X) is now provided. "Initial" means that unlike other platforms where you
+get an SDK and a "swiss army" openssl application, on Macintosh you only
+get one sample application which fetches a page over HTTPS(*) and dumps it
+in a window. We don't even build the test applications so that we can't
+guarantee that all algorithms are operational.
+
+Required software:
+
+- StuffIt Expander 5.5 or later, alternatively MacGzip and SUNtar;
+- Scriptable Finder;
+- CodeWarrior Pro 5;
+
+Installation procedure:
+
+- fetch the source at ftp://ftp.openssl.org/ (well, you probably already
+  did, huh?)
+- unpack the .tar.gz file:
+        - if you have StuffIt Expander then just drag it over it;
+        - otherwise uncompress it with MacGzip and then unpack with SUNtar;
+- locate MacOS folder in OpenSSL source tree and open it;
+- unbinhex mklinks.as.hqx and OpenSSL.mcp.hqx if present (**), do it
+  "in-place", i.e. unpacked files should end-up in the very same folder;
+- execute mklinks.as;
+- open OpenSSL.mcp(***) and build 'GetHTTPS PPC' target(****);
+- that's it for now;
+
+(*)     URL is hardcoded into ./MacOS/GetHTTPS.src/GetHTTPS.cpp, lines 40
+        to 42, change appropriately.
+(**)    If you use SUNtar, then it might have already unbinhexed the files
+        in question.
+(***)   The project file was saved with CW Pro 5.3. If you have earlier
+        version and it refuses to open it, then download
+        http://www.openssl.org/~appro/OpenSSL.mcp.xml and import it
+        overwriting the original OpenSSL.mcp.
+(****)  Other targets are work in progress. If you feel like giving 'em a
+        shot, then you should know that OpenSSL* and Lib* targets are
+        supposed to be built with the GUSI, MacOS library which mimics
+        BSD sockets and some other POSIX APIs. The GUSI distribution is
+        expected to be found in the same directory as openssl source tree,
+        i.e. in the parent directory to the one where this very file,
+        namely INSTALL.MacOS. For more informations about GUSI, see
+        http://www.iis.ee.ethz.ch/~neeri/macintosh/gusi-qa.html
+
+Finally some essential comments from our generous contributor:-)
+
+"I've gotten OpenSSL working on the Macintosh. It's probably a bit of a
+hack, but it works for what I'm doing. If you don't like the way I've done
+it, then feel free to change what I've done. I freely admit that I've done
+some less-than-ideal things in my port, and if you don't like the way I've
+done something, then feel free to change it-- I won't be offended!
+
+... I've tweaked "bss_sock.c" a little to call routines in a "MacSocket"
+library I wrote. My MacSocket library is a wrapper around OpenTransport,
+handling stuff like endpoint creation, reading, writing, etc. It is not
+designed as a high-performance package such as you'd use in a webserver,
+but is fine for lots of other applications. MacSocket also uses some other
+code libraries I've written to deal with string manipulations and error
+handling. Feel free to use these things in your own code, but give me
+credit and/or send me free stuff in appreciation! :-)
+
+...
+
+If you have any questions, feel free to email me as the following:
+
+roy@centricsystems.ca
+
+-Roy Wood"
+
diff --git a/src/lib/libssl/src/INSTALL.OS2 b/src/lib/libssl/src/INSTALL.OS2
new file mode 100644
index 0000000000..d4cc0e319b
--- /dev/null
+++ b/src/lib/libssl/src/INSTALL.OS2
@@ -0,0 +1,22 @@
+ 
+ Installation on OS/2
+ --------------------
+
+ You need to have the following tools installed:
+
+  * EMX GCC
+  * PERL
+  * GNU make
+
+
+ To build the makefile, run
+
+ > os2\os2-emx
+
+ This will configure OpenSSL and create OS2-EMX.mak which you then use to 
+ build the OpenSSL libraries & programs by running
+
+ > make -f os2-emx.mak
+
+ If that finishes successfully you will find the libraries and programs in the
+ "out" directory.
diff --git a/src/lib/libssl/src/INSTALL.VMS b/src/lib/libssl/src/INSTALL.VMS
new file mode 100644
index 0000000000..4c01560d3d
--- /dev/null
+++ b/src/lib/libssl/src/INSTALL.VMS
@@ -0,0 +1,245 @@
+                        VMS Installation instructions
+                        written by Richard Levitte
+                        <richard@levitte.org>
+
+
+Intro:
+======
+
+This file is divided in the following parts:
+
+  Compilation                   - Mandatory reading.
+  Test                          - Mandatory reading.
+  Installation                  - Mandatory reading.
+  Backward portability          - Read if it's an issue.
+  Possible bugs or quirks       - A few warnings on things that
+                                  may go wrong or may surprise you.
+  Report                        - How to get in touch with me.
+
+Compilation:
+============
+
+I've used the very good command procedures written by Robert Byer
+<byer@mail.all-net.net>, and just slightly modified them, making
+them slightly more general and easier to maintain.
+
+You can actually compile in almost any directory separately.  Look
+for a command procedure name xxx-LIB.COM (in the library directories)
+or MAKExxx.COM (in the program directories) and read the comments at
+the top to understand how to use them.  However, if you want to
+compile all you can get, the simplest is to use MAKEVMS.COM in the top
+directory.  The syntax is trhe following:
+
+  @MAKEVMS <option> <rsaref-p> <debug-p> [<compiler>]
+
+<option> must be one of the following:
+
+      ALL       Just build "everything".
+      DATE      Just build the "[.INCLUDE]DATE.H" file.
+      SOFTLINKS Just copies some files, to simulate Unix soft links.
+      RSAREF    Just build the "[.xxx.EXE.RSAREF]LIBRSAGLUE.OLB" library.
+      CRYPTO    Just build the "[.xxx.EXE.CRYPTO]LIBCRYPTO.OLB" library.
+      SSL       Just build the "[.xxx.EXE.SSL]LIBSSL.OLB" library.
+      SSL_TASK  Just build the "[.xxx.EXE.SSL]SSL_TASK.EXE" program.
+      TEST      Just build the "test" programs for OpenSSL.
+      APPS      Just build the "application" programs for OpenSSL.
+
+<rsaref-p> must be one of the following:
+
+      RSAREF    compile using the RSAREF Library
+      NORSAREF  compile without using RSAREF
+
+Note: The RSAREF libraries are NOT INCLUDED and you have to
+      download it from "ftp://ftp.rsa.com/rsaref".  You have to
+      get the ".tar-Z" file as the ".zip" file dosen't have the
+      directory structure stored.  You have to extract the file
+      into the [.RSAREF] directory as that is where the scripts
+      will look for the files.
+
+Note 2: I have never done this, so I've no idea if it works or not.
+
+<debug-p> must be one of the following:
+
+      DEBUG     compile with debugging info (will not optimize)
+      NODEBUG   compile without debugging info (will optimize)
+
+<compiler> must be one of the following:
+
+      VAXC      For VAX C.
+      DECC      For DEC C.
+      GNUC      For GNU C.
+
+
+You will find the crypto library in [.xxx.EXE.CRYPTO], called LIBCRYPTO.OLB,
+where xxx is VAX or AXP.  You will find the SSL library in [.xxx.EXE.SSL],
+named LIBSSL.OLB, and you will find a bunch of useful programs in
+[.xxx.EXE.APPS].  However, these shouldn't be used right off unless it's
+just to test them.  For production use, make sure you install first, see
+Installation below.
+
+Note: Some programs in this package require a TCP/IP library.
+
+Note 2: if you want to compile the crypto library only, please make sure
+        you have at least done a @MAKEVMS DATE and a @MAKEVMS SOFTLINKS.
+        A lot of things will break if you don't.
+
+Note 3: Alpha users will get a number of informational messages when
+        compiling the [.asm]vms.mar file in the BN (bignum) part of
+        the crypto library.  These can be safely ignored.
+
+Test:
+=====
+
+Testing is very simple, just do the following:
+
+  @[.TEST]TESTS
+
+If a test fails, try with defining the logical name OPENSSL_NO_ASM (yes,
+it's an ugly hack!) and rebuild. Please send a bug report to
+<openssl-bugs@openssl.org>, including the output of "openssl version -a"
+and of the failed test.
+
+Installation:
+=============
+
+Installation is easy, just do the following:
+
+  @INSTALL <root>
+
+<root> is the directory in which everything will be installed,
+subdirectories, libraries, header files, programs and startup command
+procedures.
+
+N.B.: INSTALL.COM builds a new directory structure, different from
+the directory tree where you have now build OpenSSL.
+
+In the [.VMS] subdirectory of the installation, you will find the
+following command procedures:
+
+  OPENSSL_STARTUP.COM
+
+        defines all needed logical names.  Takes one argument that
+        tells it in what logical name table to insert the logical
+        names.  If you insert if it SYS$MANAGER:SYSTARTUP_VMS.COM, the
+        call should look like this: 
+
+          @openssldev:[openssldir.VMS]OPENSSL_STARTUP "/SYSTEM"
+
+  OPENSSL_UTILS.COM
+
+        sets up the symbols to the applications.  Should be called
+        from for example SYS$MANAGER:SYLOGIN.COM 
+
+The logical names that are set up are the following:
+
+  SSLROOT       a dotted concealed logical name pointing at the
+                root directory.
+
+  SSLCERTS      Initially an empty directory, this is the default
+                location for certificate files.
+  SSLMISC       Various scripts.
+  SSLPRIVATE    Initially an empty directory, this is the default
+                location for private key files.
+
+  SSLEXE        Contains the openssl binary and a few other utility
+                programs.
+  SSLINCLUDE    Contains the header files needed if you want to
+                compile programs with libcrypto or libssl.
+  SSLLIB        Contains the OpenSSL library files (LIBCRYPTO.OLB
+                and LIBSSL.OLB) themselves.
+
+  OPENSSL       Same as SSLINCLUDE.  This is because the standard
+                way to include OpenSSL header files from version
+                0.9.3 and on is:
+
+                        #include <openssl/header.h>
+
+                For more info on this issue, see the INSTALL. file
+                (the NOTE in section 4 of "Installation in Detail").
+                You don't need to "deleting old header files"!!!
+
+Backward portability:
+=====================
+
+One great problem when you build a library is making sure it will work
+on as many versions of VMS as possible.  Especially, code compiled on
+OpenVMS version 7.x and above tend to be unusable in version 6.x or
+lower, because some C library routines have changed names internally
+(the C programmer won't usually see it, because the old name is
+maintained through C macros).  One obvious solution is to make sure
+you have a development machine with an old enough version of OpenVMS.
+However, if you are stuck with a bunch of Alphas running OpenVMS version
+7.1, you seem to be out of luck.  Fortunately, the DEC C header files
+are cluttered with conditionals that make some declarations and definitions
+dependent on the OpenVMS version or the C library version, *and* you
+can use those macros to simulate older OpenVMS or C library versions,
+by defining the macros _VMS_V6_SOURCE, __VMS_VER and __CTRL_VER with
+correct values.  In the compilation scripts, I've provided the possibility
+for the user to influense the creation of such macros, through a bunch of
+symbols, all having names starting with USER_.  Here's the list of them:
+
+  USER_CCFLAGS           - Used to give additional qualifiers to the
+                           compiler.  It can't be used to define macros
+                           since the scripts will do such things as well.
+                           To do such things, use USER_CCDEFS.
+  USER_CCDEFS            - Used to define macros on the command line.  The
+                           value of this symbol will be inserted inside a
+                           /DEFINE=(...).
+  USER_CCDISABLEWARNINGS - Used to disable some warnings.  The value is
+                           inserted inside a /DISABLE=WARNING=(...).
+
+So, to maintain backward compatibility with older VMS versions, do the
+following before you start compiling:
+
+  $ USER_CCDEFS := _VMS_V6_SOURCE=1,__VMS_VER=60000000,__CRTL_VER=60000000
+  $ USER_CCDISABLEWARNINGS := PREOPTW
+
+The USER_CCDISABLEWARNINGS is there because otherwise, DEC C will complain
+that those macros have been changed.
+
+Note: Currently, this is only usefull for library compilation.  The
+      programs will still be linked with the current version of the
+      C library shareable image, and will thus complain if they are
+      faced with an older version of the same C library shareable image.
+      This will probably be fixed in a future revision of OpenSSL.
+
+
+Possible bugs or quirks:
+========================
+
+I'm not perfectly sure all the programs will use the SSLCERTS:
+directory by default, it may very well be that you have to give them
+extra arguments.  Please experiment.
+
+
+Report:
+=======
+
+I maintain a few mailinglists for bug reports and such on software that
+I develop/port/enhance/destroy.  Please look at http://www.free.lp.se/
+for further info.
+
+
+-- 
+Richard Levitte <richard@levitte.org>
+1999-03-09
+
+
+TODO:
+=====
+
+There are a few things that need to be worked out in the VMS version of
+OpenSSL, still:
+
+- Description files. ("Makefile's" :-))
+- Script code to link an already compiled build tree.
+- A VMSINSTALlable version (way in the future, unless someone else hacks).
+- shareable images (DLL for you Windows folks).
+
+There may be other things that I have missed and that may be desirable.
+Please send mail to <openssl-users@openssl.org> or to me directly if you
+have any ideas.
+
+--
+Richard Levitte <richard@levitte.org>
+1999-05-24
diff --git a/src/lib/libssl/src/INSTALL.W32 b/src/lib/libssl/src/INSTALL.W32
new file mode 100644
index 0000000000..4550aa0621
--- /dev/null
+++ b/src/lib/libssl/src/INSTALL.W32
@@ -0,0 +1,323 @@
+ 
+ INSTALLATION ON THE WIN32 PLATFORM
+ ----------------------------------
+
+ Heres a few comments about building OpenSSL in Windows environments. Most of
+ this is tested on Win32 but it may also work in Win 3.1 with some
+ modification.  See the end of this file for Eric's original comments.
+
+ You need Perl for Win32 (available from http://www.activestate.com/ActivePerl)
+ and one of the following C compilers:
+
+  * Visual C++
+  * Borland C
+  * GNU C (Mingw32 or Cygwin32)
+
+ If you want to compile in the assembly language routines with Visual C++ then
+ you will need an assembler. This is worth doing because it will result in
+ faster code: for example it will typically result in a 2 times speedup in the
+ RSA routines. Currently the following assemblers are supported:
+
+  * Microsoft MASM (aka "ml")
+  * Free Netwide Assembler NASM.
+
+ MASM was I believe distributed in the past with VC++ and it is also part of
+ the MSDN SDKs. It is no longer distributed as part of VC++ and can be hard
+ to get hold of. It can be purchased: see Microsoft's site for details at:
+ http://www.microsoft.com/
+
+ NASM is freely available. Version 0.98 was used during testing: other versions
+ may also work. It is available from many places, see for example:
+ http://www.kernel.org/pub/software/devel/nasm/binaries/win32/
+ The NASM binary nasmw.exe needs to be installed anywhere on your PATH.
+
+ If you are compiling from a tarball or a CVS snapshot then the Win32 files
+ may well be not up to date. This may mean that some "tweaking" is required to
+ get it all to work. See the trouble shooting section later on for if (when?)
+ it goes wrong.
+
+ Visual C++
+ ----------
+
+ Firstly you should run Configure:
+
+ > perl Configure VC-WIN32
+
+ Next you need to build the Makefiles and optionally the assembly language
+ files:
+
+ - If you are using MASM then run:
+
+   > ms\do_masm
+
+ - If you are using NASM then run:
+
+   > ms\do_nasm
+
+ - If you don't want to use the assembly language files at all then run:
+
+   > ms\do_ms
+
+ If you get errors about things not having numbers assigned then check the
+ troubleshooting section: you probably wont be able to compile it as it
+ stands.
+
+ Then from the VC++ environment at a prompt do:
+
+ > nmake -f ms\ntdll.mak
+
+ If all is well it should compile and you will have some DLLs and executables
+ in out32dll. If you want to try the tests then do:
+ 
+ > cd out32dll
+ > ..\ms\test
+
+ Tweaks:
+
+ There are various changes you can make to the Win32 compile environment. By
+ default the library is not compiled with debugging symbols. If you add 'debug'
+ to the mk1mk.pl lines in the do_* batch file then debugging symbols will be
+ compiled in.
+
+ The default Win32 environment is to leave out any Windows NT specific
+ features.
+
+ If you want to enable the NT specific features of OpenSSL (currently only the
+ logging BIO) follow the instructions above but call the batch file do_nt.bat
+ instead of do_ms.bat.
+
+ You can also build a static version of the library using the Makefile
+ ms\nt.mak
+
+ Borland C++ builder 3 and 4
+ ---------------------------
+
+ * Setup PATH. First must be GNU make then bcb4/bin 
+
+ * Run ms\bcb4.bat
+
+ * Run make:
+   > make -f bcb.mak
+
+ GNU C (Mingw32)
+ ---------------
+
+ To build OpenSSL, you need the Mingw32 package and GNU make.
+
+ * Compiler installation:
+
+   Mingw32 is available from <ftp://ftp.xraylith.wisc.edu/pub/khan/gnu-win32/
+   mingw32/egcs-1.1.2/egcs-1.1.2-mingw32.zip>. GNU make is at
+   <ftp://agnes.dida.physik.uni-essen.de/home/janjaap/mingw32/binaries/
+   make-3.76.1.zip>. Install both of them in C:\egcs-1.1.2 and run
+   C:\egcs-1.1.2\mingw32.bat to set the PATH.
+
+ * Compile OpenSSL:
+
+   > perl Configure Mingw32
+   > ms\mw.bat
+
+   This will create the library and binaries in out.
+
+   libcrypto.a and libssl.a are the static libraries. To use the DLLs,
+   link with libeay32.a and libssl32.a instead.
+
+   See troubleshooting if you get error messages about functions not having
+   a number assigned.
+
+ * You can now try the tests:
+
+   > cd out
+   > ..\ms\test
+
+ Troubleshooting
+ ---------------
+
+ Since the Win32 build is only occasionally tested it may not always compile
+ cleanly.  If you get an error about functions not having numbers assigned
+ when you run ms\do_ms then this means the Win32 ordinal files are not up to
+ date. You can do:
+
+ > perl util\mkdef.pl crypto ssl update
+
+ then ms\do_XXX should not give a warning any more. However the numbers that
+ get assigned by this technique may not match those that eventually get
+ assigned in the CVS tree: so anything linked against this version of the
+ library may need to be recompiled.
+
+ If you get errors about unresolved externals then this means that either you
+ didn't read the note above about functions not having numbers assigned or
+ someone forgot to add a function to the header file.
+
+ In this latter case check out the header file to see if the function is
+ defined in the header file.
+
+ If you get warnings in the code then the compilation will halt.
+
+ The default Makefile for Win32 halts whenever any warnings occur. Since VC++
+ has its own ideas about warnings which don't always match up to other
+ environments this can happen. The best fix is to edit the file with the
+ warning in and fix it. Alternatively you can turn off the halt on warnings by
+ editing the CFLAG line in the Makefile and deleting the /WX option.
+
+ You might get compilation errors. Again you will have to fix these or report
+ them.
+
+ One final comment about compiling applications linked to the OpenSSL library.
+ If you don't use the multithreaded DLL runtime library (/MD option) your
+ program will almost certainly crash: see the original SSLeay description
+ below for more details.
+
+--------------------------------------------------------------------------------
+The orignal Windows build instructions from SSLeay follow. 
+Note: some of this may be out of date and no longer applicable. In particular
+the Crypto_malloc_init() comment appears to be wrong: you always need to use
+the same runtime library as the DLL itself.
+--------------------------------------------------------------------------------
+
+The Microsoft World.
+
+The good news, to build SSLeay for the Microsft World
+
+Windows 3.1 DLL's
+perl Configure VC-WIN16
+nmake -f ms\w31dll.mak
+
+Windows NT/95 DLL's
+perl Configure VC-WIN32
+nmake -f ms\ntdll.mak
+
+Now the bad news
+All builds were done using Microsofts Visual C++ 1.52c and [45].x.
+If you are a borland person, you are probably going to have to help me
+finish the stuff in util/pl/BC*pl
+
+All builds were made under Windows NT - this means long filenames, so
+you may have problems under Windows 3.1 but probably not under 95.
+
+Because file pointers don't work in DLL's under Windows 3.1 (well at
+least stdin/stdout don't and I don't like having to differentiate
+between these and other file pointers), I now use the BIO file-pointer
+module, which needs to be linked into your application.  You can either
+use the memory buffer BIO for IO, or compile bss_file.c into your
+application, it is in the apps directory and is just a copy of
+crypto/buffer/bss_file.c with #define APPS_WIN16 added.
+I have not yet automated the makefile to automatically copy it into 'out'
+for a win 3.1 build....
+
+All callbacks passed into SSLeay for Windows 3.1 need to be of type
+_far _loadds.
+
+I don't support building with the pascal calling convention.
+
+The DLL and static builds are large memory model.
+
+To build static libraries for NT/95 or win 3.1
+
+perl util/mk1mf.pl VC-WIN32 > mf-stat.nt
+perl util/mk1mf.pl VC-WIN16 > mf-stat.w31
+for DLL's
+perl util/mk1mf.pl dll VC-WIN32 > mf-dll.nt
+perl util/mk1mf.pl dll VC-WIN16 > mf-dll.w31
+
+Again you will notice that if you dont have perl, you cannot do this.
+
+Now the next importaint issue.  Running Configure!
+I have small assember code files for critical big number library operation
+in crypto/bn/asm.  There is, asm code, object files and uuencode
+object files.  They are
+x86nt32.asm     - 32bit flat memory model assember - suitable Win32
+x86w16.asm      - 16bit assember - used in the msdos build.
+x86w32.asm      - 32bit assember, win 3.1 segments, used for win16 build.
+
+If you feel compelled to build the 16bit maths routines in the windows 3.1
+build,
+perl Configure VC-W31-16
+perl util/mk1mf.pl dll VC-W31-16 > mf-dll.w31
+
+If you hate assember and don't want anything to do with it,
+perl util/mk1mf.pl no-asm VC-WIN16 > mf-dll.w31
+will work for any of the makefile generations.
+
+There are more options to mk1mf.pl but these all leave the temporary
+files in 'tmp' and the output files in 'out' by default.
+
+The NT build is done for console mode.
+
+The Windows 3.1 version of SSLeay uses quickwin, the interface is ugly
+but it is better than nothing.  If you want ugly, try doing anything
+that involves getting a password.  I decided to be ugly instead of
+echoing characters.  For Windows 3.1 I would just sugest using the
+msdos version of the ssleay application for command line work.
+The QuickWin build is primarily for testing.
+
+For both NT and Windows 3.1, I have not written the code so that
+s_client, s_server can take input from the keyboard.  You can happily
+start applications up in separate windows, watch them handshake, and then sit
+there for-ever.  I have not had the time to get this working, and I've
+been able to test things from a unix box to the NT box :-).
+Try running ssleay s_server on the windows box
+(with either -cert ../apps/server.pem -www)
+and run ssleay s_time from another window.
+This often stuffs up on Windows 3.1, but I'm not worried since this is
+probably a problem with my demo applications, not the libraries.
+
+After a build of one of the version of microsoft SSLeay,
+'cd ms' and then run 'test'.  This should check everything out and
+even does a trial run of generating certificates.
+'test.bat' requires that perl be install, you be in the ms directory
+(not the test directory, thats for unix so stay out :-) and that the
+build output directory be ../out 
+
+On a last note, you will probably get division by zero errors and
+stuff after a build.  This is due to your own inability to follow
+instructions :-).
+
+The reasons for the problem is probably one of the following.
+
+1)      You did not run Configure.  This is critical for windows 3.1 when
+        using assember.  The values in crypto/bn/bn.h must match the
+        ones requred for the assember code.  (remember that if you
+        edit crypto/bn/bn.h by hand, it will be clobered the next time
+        you run Configure by the contents of crypto/bn/bn.org).
+        SSLeay version -o will list the compile options.
+        For VC-WIN32 you need bn(64,32) or bn(32,32)
+        For VC-W31-32/VC-WIN16 you need bn(32,32)
+        For VC-W31-16 you need bn(32,16) or bn(16,16)
+        For VC-MSDOS you need bn(32,16) or bn(16,16).
+
+        The first number will be 2 times bigger than the second if
+        BN_LLONG is defined in bn.h and the size of the second number
+        depends on the 'bits' defined at the start of bn.h.  Have a
+        look, it's all reasonably clear.
+        If you want to start messing with 8 bit builds and things like
+        that, build without the assember by re-generating a makefile
+        via 'perl util/mk1mf.pl no-asm'.
+2)      You tried to build under MS-DOS or Windows 3.1 using the /G3
+        option.  Don't.  It is buggy (thats why you just got that
+        error) and unless you want to work out which optimising flag
+        to turn off, I'm not going to help you :-).  I also noticed
+        that code often ran slower when compiled with /G3.
+3)      Under NT/95, malloc goes stupid.  You are probably linking with
+        the wrong library, there are problems if you mix the threaded
+        and non-threaded libraries (due to the DLL being staticly
+        linked with one and the applicaion using another.
+
+Well hopefully thats most of the MS issues handled, see you in ssl-users :-).
+
+eric 30-Aug-1996
+
+SSLeay 0.6.5
+For Windows 95/NT, add CRYPTO_malloc_init() to your program before any
+calls to the SSLeay libraries.  This function will insert callbacks so that
+the SSLeay libraries will use the same malloc(), free() and realloc() as
+your application so 'problem 3)' mentioned above will go away.
+
+There is now DES assember for Windows NT/95.  The file is
+crypto/des/asm/win32.asm and replaces crypto/des/des_enc.c in the build.
+
+There is also Blowfish assember for Windows NT/95.  The file is
+crypto/bf/asm/win32.asm and replaces crypto/bf/bf_enc.c in the build.
+
+eric 25-Jun-1997
+
diff --git a/src/lib/libssl/src/LICENSE b/src/lib/libssl/src/LICENSE
new file mode 100644
index 0000000000..b9e18d5e7b
--- /dev/null
+++ b/src/lib/libssl/src/LICENSE
@@ -0,0 +1,127 @@
+
+  LICENSE ISSUES
+  ==============
+
+  The OpenSSL toolkit stays under a dual license, i.e. both the conditions of
+  the OpenSSL License and the original SSLeay license apply to the toolkit.
+  See below for the actual license texts. Actually both licenses are BSD-style
+  Open Source licenses. In case of any license issues related to OpenSSL
+  please contact openssl-core@openssl.org.
+
+  OpenSSL License
+  ---------------
+
+/* ====================================================================
+ * Copyright (c) 1998-1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+ Original SSLeay License
+ -----------------------
+
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
diff --git a/src/lib/libssl/src/MacOS/GUSI_Init.cpp b/src/lib/libssl/src/MacOS/GUSI_Init.cpp
new file mode 100644
index 0000000000..d8223dba2c
--- /dev/null
+++ b/src/lib/libssl/src/MacOS/GUSI_Init.cpp
@@ -0,0 +1,62 @@
+/**************** BEGIN GUSI CONFIGURATION ****************************
+ *
+ * GUSI Configuration section generated by GUSI Configurator
+ * last modified: Wed Jan  5 20:33:51 2000
+ *
+ * This section will be overwritten by the next run of Configurator.
+ */
+
+#define GUSI_SOURCE
+#include <GUSIConfig.h>
+#include <sys/cdefs.h>
+
+/* Declarations of Socket Factories */
+
+__BEGIN_DECLS
+void GUSIwithInetSockets();
+void GUSIwithLocalSockets();
+void GUSIwithMTInetSockets();
+void GUSIwithMTTcpSockets();
+void GUSIwithMTUdpSockets();
+void GUSIwithOTInetSockets();
+void GUSIwithOTTcpSockets();
+void GUSIwithOTUdpSockets();
+void GUSIwithPPCSockets();
+void GUSISetupFactories();
+__END_DECLS
+
+/* Configure Socket Factories */
+
+void GUSISetupFactories()
+{
+#ifdef GUSISetupFactories_BeginHook
+        GUSISetupFactories_BeginHook
+#endif
+        GUSIwithInetSockets();
+#ifdef GUSISetupFactories_EndHook
+        GUSISetupFactories_EndHook
+#endif
+}
+
+/* Declarations of File Devices */
+
+__BEGIN_DECLS
+void GUSIwithDConSockets();
+void GUSIwithNullSockets();
+void GUSISetupDevices();
+__END_DECLS
+
+/* Configure File Devices */
+
+void GUSISetupDevices()
+{
+#ifdef GUSISetupDevices_BeginHook
+        GUSISetupDevices_BeginHook
+#endif
+        GUSIwithNullSockets();
+#ifdef GUSISetupDevices_EndHook
+        GUSISetupDevices_EndHook
+#endif
+}
+
+/**************** END GUSI CONFIGURATION *************************/
diff --git a/src/lib/libssl/src/MacOS/GetHTTPS.src/CPStringUtils.cpp b/src/lib/libssl/src/MacOS/GetHTTPS.src/CPStringUtils.cpp
new file mode 100644
index 0000000000..617aae2c70
--- /dev/null
+++ b/src/lib/libssl/src/MacOS/GetHTTPS.src/CPStringUtils.cpp
@@ -0,0 +1,2753 @@
+/* ====================================================================
+ * Copyright (c) 1998-1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+ 
+ 
+ 
+ #include "CPStringUtils.hpp"
+#include "ErrorHandling.hpp"
+
+
+
+#define kNumberFormatString                     "\p########0.00#######;-########0.00#######"
+
+
+
+//      Useful utility functions which could be optimized a whole lot
+
+
+void CopyPStrToCStr(const unsigned char *thePStr,char *theCStr,const int maxCStrLength)
+{
+int             i,numPChars;
+
+
+        if (thePStr != nil && theCStr != nil && maxCStrLength > 0)
+        {
+                numPChars = thePStr[0];
+                
+                for (i = 0;;i++)
+                {
+                        if (i >= numPChars || i >= maxCStrLength - 1)
+                        {
+                                theCStr[i] = 0;
+                                
+                                break;
+                        }
+                        
+                        else
+                        {
+                                theCStr[i] = thePStr[i + 1];
+                        }
+                }
+        }
+}
+
+
+void CopyPStrToPStr(const unsigned char *theSrcPStr,unsigned char *theDstPStr,const int maxDstStrLength)
+{
+int             theMaxDstStrLength;
+
+        
+        theMaxDstStrLength = maxDstStrLength;
+        
+        
+        if (theDstPStr != nil && theSrcPStr != nil && theMaxDstStrLength > 0)
+        {
+                if (theMaxDstStrLength > 255)
+                {
+                        theMaxDstStrLength = 255;
+                }
+                
+                
+                if (theMaxDstStrLength - 1 < theSrcPStr[0])
+                {
+                        BlockMove(theSrcPStr + 1,theDstPStr + 1,theMaxDstStrLength - 1);
+                        
+                        theDstPStr[0] = theMaxDstStrLength - 1;
+                }
+                
+                else
+                {
+                        BlockMove(theSrcPStr,theDstPStr,theSrcPStr[0] + 1);
+                }
+        }
+}
+
+
+void CopyCStrToCStr(const char *theSrcCStr,char *theDstCStr,const int maxDstStrLength)
+{
+int             i;
+
+
+        if (theDstCStr != nil && theSrcCStr != nil && maxDstStrLength > 0)
+        {
+                for (i = 0;;i++)
+                {
+                        if (theSrcCStr[i] == 0 || i >= maxDstStrLength - 1)
+                        {
+                                theDstCStr[i] = 0;
+                                
+                                break;
+                        }
+                        
+                        else
+                        {
+                                theDstCStr[i] = theSrcCStr[i];
+                        }
+                }
+        }
+}
+
+
+
+void CopyCSubstrToCStr(const char *theSrcCStr,const int maxCharsToCopy,char *theDstCStr,const int maxDstStrLength)
+{
+int             i;
+
+
+        if (theDstCStr != nil && theSrcCStr != nil && maxDstStrLength > 0)
+        {
+                for (i = 0;;i++)
+                {
+                        if (theSrcCStr[i] == 0 || i >= maxDstStrLength - 1 || i >= maxCharsToCopy)
+                        {
+                                theDstCStr[i] = 0;
+                                
+                                break;
+                        }
+                        
+                        else
+                        {
+                                theDstCStr[i] = theSrcCStr[i];
+                        }
+                }
+        }
+}
+
+
+
+void CopyCSubstrToPStr(const char *theSrcCStr,const int maxCharsToCopy,unsigned char *theDstPStr,const int maxDstStrLength)
+{
+int             i;
+int             theMaxDstStrLength;
+
+        
+        theMaxDstStrLength = maxDstStrLength;
+
+        if (theDstPStr != nil && theSrcCStr != nil && theMaxDstStrLength > 0)
+        {
+                if (theMaxDstStrLength > 255)
+                {
+                        theMaxDstStrLength = 255;
+                }
+                
+                
+                for (i = 0;;i++)
+                {
+                        if (theSrcCStr[i] == 0 || i >= theMaxDstStrLength - 1 || i >= maxCharsToCopy)
+                        {
+                                theDstPStr[0] = i;
+                                
+                                break;
+                        }
+                        
+                        else
+                        {
+                                theDstPStr[i + 1] = theSrcCStr[i];
+                        }
+                }
+        }
+}
+
+
+
+void CopyCStrToPStr(const char *theSrcCStr,unsigned char *theDstPStr,const int maxDstStrLength)
+{
+int             i;
+int             theMaxDstStrLength;
+
+        
+        theMaxDstStrLength = maxDstStrLength;
+
+        if (theDstPStr != nil && theSrcCStr != nil && theMaxDstStrLength > 0)
+        {
+                if (theMaxDstStrLength > 255)
+                {
+                        theMaxDstStrLength = 255;
+                }
+                
+                
+                for (i = 0;;i++)
+                {
+                        if (i >= theMaxDstStrLength - 1 || theSrcCStr[i] == 0)
+                        {
+                                theDstPStr[0] = i;
+                                
+                                break;
+                        }
+                        
+                        else
+                        {
+                                theDstPStr[i + 1] = theSrcCStr[i];
+                        }
+                }
+        }
+}
+
+
+void ConcatPStrToCStr(const unsigned char *thePStr,char *theCStr,const int maxCStrLength)
+{
+int             i,numPChars,cStrLength;
+
+
+        if (thePStr != nil && theCStr != nil && maxCStrLength > 0)
+        {
+                for (cStrLength = 0;theCStr[cStrLength] != 0;cStrLength++)
+                {
+                
+                }
+                
+
+                numPChars = thePStr[0];
+                
+                
+                for (i = 0;;i++)
+                {
+                        if (i >= numPChars || cStrLength >= maxCStrLength - 1)
+                        {
+                                theCStr[cStrLength++] = 0;
+                                
+                                break;
+                        }
+                        
+                        else
+                        {
+                                theCStr[cStrLength++] = thePStr[i + 1];
+                        }
+                }
+        }
+}
+
+
+
+void ConcatPStrToPStr(const unsigned char *theSrcPStr,unsigned char *theDstPStr,const int maxDstStrLength)
+{
+int             theMaxDstStrLength;
+
+        
+        theMaxDstStrLength = maxDstStrLength;
+        
+        if (theSrcPStr != nil && theDstPStr != nil && theMaxDstStrLength > 0)
+        {
+                if (theMaxDstStrLength > 255)
+                {
+                        theMaxDstStrLength = 255;
+                }
+                
+                
+                if (theMaxDstStrLength - theDstPStr[0] - 1 < theSrcPStr[0])
+                {
+                        BlockMove(theSrcPStr + 1,theDstPStr + theDstPStr[0] + 1,theMaxDstStrLength - 1 - theDstPStr[0]);
+                        
+                        theDstPStr[0] = theMaxDstStrLength - 1;
+                }
+                
+                else
+                {
+                        BlockMove(theSrcPStr + 1,theDstPStr + theDstPStr[0] + 1,theSrcPStr[0]);
+                        
+                        theDstPStr[0] += theSrcPStr[0];
+                }
+        }
+}
+
+
+
+void ConcatCStrToPStr(const char *theSrcCStr,unsigned char *theDstPStr,const int maxDstStrLength)
+{
+int             i,thePStrLength;
+int             theMaxDstStrLength;
+
+        
+        theMaxDstStrLength = maxDstStrLength;
+
+        if (theSrcCStr != nil && theDstPStr != nil && theMaxDstStrLength > 0)
+        {
+                if (theMaxDstStrLength > 255)
+                {
+                        theMaxDstStrLength = 255;
+                }
+                
+                
+                thePStrLength = theDstPStr[0];
+                
+                for (i = 0;;i++)
+                {
+                        if (theSrcCStr[i] == 0 || thePStrLength >= theMaxDstStrLength - 1)
+                        {
+                                theDstPStr[0] = thePStrLength;
+                                
+                                break;
+                        }
+                        
+                        else
+                        {
+                                theDstPStr[thePStrLength + 1] = theSrcCStr[i];
+                                
+                                thePStrLength++;
+                        }
+                }
+        }
+}
+
+
+
+void ConcatCStrToCStr(const char *theSrcCStr,char *theDstCStr,const int maxCStrLength)
+{
+int             cStrLength;
+
+
+        if (theSrcCStr != nil && theDstCStr != nil && maxCStrLength > 0)
+        {
+                for (cStrLength = 0;theDstCStr[cStrLength] != 0;cStrLength++)
+                {
+                
+                }
+                
+
+                for (;;)
+                {
+                        if (*theSrcCStr == 0 || cStrLength >= maxCStrLength - 1)
+                        {
+                                theDstCStr[cStrLength++] = 0;
+                                
+                                break;
+                        }
+                        
+                        else
+                        {
+                                theDstCStr[cStrLength++] = *theSrcCStr++;
+                        }
+                }
+        }
+}
+
+
+
+void ConcatCharToCStr(const char theChar,char *theDstCStr,const int maxCStrLength)
+{
+int             cStrLength;
+
+
+        if (theDstCStr != nil && maxCStrLength > 0)
+        {
+                cStrLength = CStrLength(theDstCStr);
+                
+                if (cStrLength < maxCStrLength - 1)
+                {
+                        theDstCStr[cStrLength++] = theChar;
+                        theDstCStr[cStrLength++] = '\0';
+                }
+        }
+}
+
+
+
+void ConcatCharToPStr(const char theChar,unsigned char *theDstPStr,const int maxPStrLength)
+{
+int             pStrLength;
+
+
+        if (theDstPStr != nil && maxPStrLength > 0)
+        {
+                pStrLength = PStrLength(theDstPStr);
+                
+                if (pStrLength < maxPStrLength - 1 && pStrLength < 255)
+                {
+                        theDstPStr[pStrLength + 1] = theChar;
+                        theDstPStr[0] += 1;
+                }
+        }
+}
+
+
+
+
+int CompareCStrs(const char *theFirstCStr,const char *theSecondCStr,const Boolean ignoreCase)
+{
+int             returnValue;
+char    firstChar,secondChar;
+
+        
+        returnValue = 0;
+        
+        
+        if (theFirstCStr != nil && theSecondCStr != nil)
+        {
+                for (;;)
+                {
+                        firstChar = *theFirstCStr;
+                        secondChar = *theSecondCStr;
+                        
+                        if (ignoreCase == true)
+                        {
+                                if (firstChar >= 'A' && firstChar <= 'Z')
+                                {
+                                        firstChar = 'a' + (firstChar - 'A');
+                                }
+                                
+                                if (secondChar >= 'A' && secondChar <= 'Z')
+                                {
+                                        secondChar = 'a' + (secondChar - 'A');
+                                }
+                        }
+                        
+                        
+                        if (firstChar == 0 && secondChar != 0)
+                        {
+                                returnValue = -1;
+                                
+                                break;
+                        }
+                        
+                        else if (firstChar != 0 && secondChar == 0)
+                        {
+                                returnValue = 1;
+                                
+                                break;
+                        }
+                        
+                        else if (firstChar == 0 && secondChar == 0)
+                        {
+                                returnValue = 0;
+                                
+                                break;
+                        }
+                        
+                        else if (firstChar < secondChar)
+                        {
+                                returnValue = -1;
+                                
+                                break;
+                        }
+                        
+                        else if (firstChar > secondChar)
+                        {
+                                returnValue = 1;
+                                
+                                break;
+                        }
+                        
+                        theFirstCStr++;
+                        theSecondCStr++;
+                }
+        }
+        
+        
+        return(returnValue);
+}
+
+
+
+Boolean CStrsAreEqual(const char *theFirstCStr,const char *theSecondCStr,const Boolean ignoreCase)
+{
+        if (CompareCStrs(theFirstCStr,theSecondCStr,ignoreCase) == 0)
+        {
+                return true;
+        }
+        
+        else
+        {
+                return false;
+        }
+}
+
+
+Boolean PStrsAreEqual(const unsigned char *theFirstPStr,const unsigned char *theSecondPStr,const Boolean ignoreCase)
+{
+        if (ComparePStrs(theFirstPStr,theSecondPStr,ignoreCase) == 0)
+        {
+                return true;
+        }
+        
+        else
+        {
+                return false;
+        }
+}
+
+
+
+int ComparePStrs(const unsigned char *theFirstPStr,const unsigned char *theSecondPStr,const Boolean ignoreCase)
+{
+int             i,returnValue;
+char    firstChar,secondChar;
+
+        
+        returnValue = 0;
+        
+        
+        if (theFirstPStr != nil && theSecondPStr != nil)
+        {
+                for (i = 1;;i++)
+                {
+                        firstChar = theFirstPStr[i];
+                        secondChar = theSecondPStr[i];
+
+                        if (ignoreCase == true)
+                        {
+                                if (firstChar >= 'A' && firstChar <= 'Z')
+                                {
+                                        firstChar = 'a' + (firstChar - 'A');
+                                }
+                                
+                                if (secondChar >= 'A' && secondChar <= 'Z')
+                                {
+                                        secondChar = 'a' + (secondChar - 'A');
+                                }
+                        }
+
+
+                        if (theFirstPStr[0] < i && theSecondPStr[0] >= i)
+                        {
+                                returnValue = -1;
+                                
+                                break;
+                        }
+                        
+                        else if (theFirstPStr[0] >= i && theSecondPStr[0] < i)
+                        {
+                                returnValue = 1;
+                                
+                                break;
+                        }
+                        
+                        else if (theFirstPStr[0] < i && theSecondPStr[0] < i)
+                        {
+                                returnValue = 0;
+                                
+                                break;
+                        }
+                        
+                        else if (firstChar < secondChar)
+                        {
+                                returnValue = -1;
+                                
+                                break;
+                        }
+                        
+                        else if (firstChar > secondChar)
+                        {
+                                returnValue = 1;
+                                
+                                break;
+                        }
+                }
+        }
+        
+        
+        return(returnValue);
+}
+
+
+
+int CompareCStrToPStr(const char *theCStr,const unsigned char *thePStr,const Boolean ignoreCase)
+{
+int             returnValue;
+char    tempString[256];
+
+        
+        returnValue = 0;
+        
+        if (theCStr != nil && thePStr != nil)
+        {
+                CopyPStrToCStr(thePStr,tempString,sizeof(tempString));
+                
+                returnValue = CompareCStrs(theCStr,tempString,ignoreCase);
+        }
+        
+        
+        return(returnValue);
+}
+
+
+
+void ConcatLongIntToCStr(const long theNum,char *theCStr,const int maxCStrLength,const int numDigits)
+{
+Str255          theStr255;
+
+
+        NumToString(theNum,theStr255);
+
+
+        if (numDigits > 0)
+        {
+        int     charsToInsert;
+        
+                
+                charsToInsert = numDigits - PStrLength(theStr255);
+                
+                if (charsToInsert > 0)
+                {
+                char    tempString[256];
+                        
+                        CopyCStrToCStr("",tempString,sizeof(tempString));
+                        
+                        for (;charsToInsert > 0;charsToInsert--)
+                        {
+                                ConcatCStrToCStr("0",tempString,sizeof(tempString));
+                        }
+                        
+                        ConcatPStrToCStr(theStr255,tempString,sizeof(tempString));
+                        
+                        CopyCStrToPStr(tempString,theStr255,sizeof(theStr255));
+                }
+        }
+
+
+        ConcatPStrToCStr(theStr255,theCStr,maxCStrLength);
+}
+
+
+
+
+void ConcatLongIntToPStr(const long theNum,unsigned char *thePStr,const int maxPStrLength,const int numDigits)
+{
+Str255          theStr255;
+
+
+        NumToString(theNum,theStr255);
+
+
+        if (numDigits > 0)
+        {
+        int     charsToInsert;
+        
+                
+                charsToInsert = numDigits - PStrLength(theStr255);
+                
+                if (charsToInsert > 0)
+                {
+                char    tempString[256];
+                        
+                        CopyCStrToCStr("",tempString,sizeof(tempString));
+                        
+                        for (;charsToInsert > 0;charsToInsert--)
+                        {
+                                ConcatCStrToCStr("0",tempString,sizeof(tempString));
+                        }
+                        
+                        ConcatPStrToCStr(theStr255,tempString,sizeof(tempString));
+                        
+                        CopyCStrToPStr(tempString,theStr255,sizeof(theStr255));
+                }
+        }
+
+
+        ConcatPStrToPStr(theStr255,thePStr,maxPStrLength);
+}
+
+
+
+void CopyCStrAndConcatLongIntToCStr(const char *theSrcCStr,const long theNum,char *theDstCStr,const int maxDstStrLength)
+{
+        CopyCStrToCStr(theSrcCStr,theDstCStr,maxDstStrLength);
+        
+        ConcatLongIntToCStr(theNum,theDstCStr,maxDstStrLength);
+}
+
+
+
+void CopyLongIntToCStr(const long theNum,char *theCStr,const int maxCStrLength,const int numDigits)
+{
+Str255          theStr255;
+
+
+        NumToString(theNum,theStr255);
+
+
+        if (numDigits > 0)
+        {
+        int     charsToInsert;
+        
+                
+                charsToInsert = numDigits - PStrLength(theStr255);
+                
+                if (charsToInsert > 0)
+                {
+                char    tempString[256];
+                        
+                        CopyCStrToCStr("",tempString,sizeof(tempString));
+                        
+                        for (;charsToInsert > 0;charsToInsert--)
+                        {
+                                ConcatCStrToCStr("0",tempString,sizeof(tempString));
+                        }
+                        
+                        ConcatPStrToCStr(theStr255,tempString,sizeof(tempString));
+                        
+                        CopyCStrToPStr(tempString,theStr255,sizeof(theStr255));
+                }
+        }
+
+
+        CopyPStrToCStr(theStr255,theCStr,maxCStrLength);
+}
+
+
+
+
+
+void CopyUnsignedLongIntToCStr(const unsigned long theNum,char *theCStr,const int maxCStrLength)
+{
+char                    tempString[256];
+int                             srcCharIndex,dstCharIndex;
+unsigned long   tempNum,quotient,remainder;
+
+        
+        if (theNum == 0)
+        {
+                CopyCStrToCStr("0",theCStr,maxCStrLength);
+        }
+        
+        else
+        {
+                srcCharIndex = 0;
+                
+                tempNum = theNum;
+                
+                for (;;)
+                {
+                        if (srcCharIndex >= sizeof(tempString) - 1 || tempNum == 0)
+                        {
+                                for (dstCharIndex = 0;;)
+                                {
+                                        if (dstCharIndex >= maxCStrLength - 1 || srcCharIndex <= 0)
+                                        {
+                                                theCStr[dstCharIndex] = 0;
+                                                
+                                                break;
+                                        }
+                                        
+                                        theCStr[dstCharIndex++] = tempString[--srcCharIndex];
+                                }
+                                
+                                break;
+                        }
+                        
+
+                        quotient = tempNum / 10;
+                        
+                        remainder = tempNum - (quotient * 10);
+                        
+                        tempString[srcCharIndex] = '0' + remainder;
+                        
+                        srcCharIndex++;
+                        
+                        tempNum = quotient;
+                }
+        }
+}
+
+
+
+
+void CopyLongIntToPStr(const long theNum,unsigned char *thePStr,const int maxPStrLength,const int numDigits)
+{
+char    tempString[256];
+
+
+        CopyLongIntToCStr(theNum,tempString,sizeof(tempString),numDigits);
+        
+        CopyCStrToPStr(tempString,thePStr,maxPStrLength);
+}
+
+
+
+OSErr CopyLongIntToNewHandle(const long inTheLongInt,Handle *theHandle)
+{
+OSErr           errCode = noErr;
+char            tempString[32];
+        
+        
+        CopyLongIntToCStr(inTheLongInt,tempString,sizeof(tempString));
+        
+        errCode = CopyCStrToNewHandle(tempString,theHandle);
+
+        return(errCode);
+}
+
+
+OSErr CopyLongIntToExistingHandle(const long inTheLongInt,Handle theHandle)
+{
+OSErr           errCode = noErr;
+char            tempString[32];
+        
+        
+        CopyLongIntToCStr(inTheLongInt,tempString,sizeof(tempString));
+        
+        errCode = CopyCStrToExistingHandle(tempString,theHandle);
+
+        return(errCode);
+}
+
+
+
+
+OSErr CopyCStrToExistingHandle(const char *theCString,Handle theHandle)
+{
+OSErr   errCode = noErr;
+long    stringLength;
+
+        
+        if (theCString == nil)
+        {
+                SetErrorMessageAndBail(("CopyCStrToExistingHandle: Bad parameter, theCString == nil"));
+        }
+
+        if (theHandle == nil)
+        {
+                SetErrorMessageAndBail(("CopyCStrToExistingHandle: Bad parameter, theHandle == nil"));
+        }
+
+        if (*theHandle == nil)
+        {
+                SetErrorMessageAndBail(("CopyCStrToExistingHandle: Bad parameter, *theHandle == nil"));
+        }
+
+
+
+        stringLength = CStrLength(theCString) + 1;
+        
+        SetHandleSize(theHandle,stringLength);
+        
+        if (GetHandleSize(theHandle) < stringLength)
+        {
+                SetErrorMessageAndLongIntAndBail("CopyCStrToExistingHandle: Can't set Handle size, MemError() = ",MemError());
+        }
+        
+        
+        ::BlockMove(theCString,*theHandle,stringLength);
+        
+
+EXITPOINT:
+        
+        return(errCode);
+}
+
+
+
+
+
+OSErr CopyCStrToNewHandle(const char *theCString,Handle *theHandle)
+{
+OSErr   errCode = noErr;
+long    stringLength;
+
+        
+        if (theCString == nil)
+        {
+                SetErrorMessageAndBail(("CopyCStrToNewHandle: Bad parameter, theCString == nil"));
+        }
+
+        if (theHandle == nil)
+        {
+                SetErrorMessageAndBail(("CopyCStrToNewHandle: Bad parameter, theHandle == nil"));
+        }
+
+
+
+        stringLength = CStrLength(theCString) + 1;
+        
+        *theHandle = NewHandle(stringLength);
+        
+        if (*theHandle == nil)
+        {
+                SetErrorMessageAndLongIntAndBail("CopyCStrToNewHandle: Can't allocate Handle, MemError() = ",MemError());
+        }
+        
+        
+        ::BlockMove(theCString,**theHandle,stringLength);
+        
+
+EXITPOINT:
+        
+        return(errCode);
+}
+
+
+
+OSErr CopyPStrToNewHandle(const unsigned char *thePString,Handle *theHandle)
+{
+OSErr   errCode = noErr;
+long    stringLength;
+
+        
+        if (thePString == nil)
+        {
+                SetErrorMessageAndBail(("CopyPStrToNewHandle: Bad parameter, thePString == nil"));
+        }
+
+        if (theHandle == nil)
+        {
+                SetErrorMessageAndBail(("CopyPStrToNewHandle: Bad parameter, theHandle == nil"));
+        }
+
+
+
+        stringLength = PStrLength(thePString) + 1;
+        
+        *theHandle = NewHandle(stringLength);
+        
+        if (*theHandle == nil)
+        {
+                SetErrorMessageAndLongIntAndBail("CopyPStrToNewHandle: Can't allocate Handle, MemError() = ",MemError());
+        }
+        
+        
+        if (stringLength > 1)
+        {
+                BlockMove(thePString + 1,**theHandle,stringLength - 1);
+        }
+        
+        (**theHandle)[stringLength - 1] = 0;
+        
+
+EXITPOINT:
+        
+        return(errCode);
+}
+
+
+OSErr AppendPStrToHandle(const unsigned char *thePString,Handle theHandle,long *currentLength)
+{
+OSErr           errCode = noErr;
+char            tempString[256];
+
+        
+        CopyPStrToCStr(thePString,tempString,sizeof(tempString));
+        
+        errCode = AppendCStrToHandle(tempString,theHandle,currentLength);
+        
+
+EXITPOINT:
+        
+        return(errCode);
+}
+
+
+
+OSErr AppendCStrToHandle(const char *theCString,Handle theHandle,long *currentLength,long *maxLength)
+{
+OSErr           errCode = noErr;
+long            handleMaxLength,handleCurrentLength,stringLength,byteCount;
+
+
+        if (theCString == nil)
+        {
+                SetErrorMessageAndBail(("AppendCStrToHandle: Bad parameter, theCString == nil"));
+        }
+
+        if (theHandle == nil)
+        {
+                SetErrorMessageAndBail(("AppendCStrToHandle: Bad parameter, theHandle == nil"));
+        }
+        
+        
+        if (maxLength != nil)
+        {
+                handleMaxLength = *maxLength;
+        }
+        
+        else
+        {
+                handleMaxLength = GetHandleSize(theHandle);
+        }
+        
+        
+        if (currentLength != nil && *currentLength >= 0)
+        {
+                handleCurrentLength = *currentLength;
+        }
+        
+        else
+        {
+                handleCurrentLength = CStrLength(*theHandle);
+        }
+        
+        
+        stringLength = CStrLength(theCString);
+        
+        byteCount = handleCurrentLength + stringLength + 1;
+        
+        if (byteCount > handleMaxLength)
+        {
+                SetHandleSize(theHandle,handleCurrentLength + stringLength + 1);
+                
+                if (maxLength != nil)
+                {
+                        *maxLength = GetHandleSize(theHandle);
+                        
+                        handleMaxLength = *maxLength;
+                }
+                
+                else
+                {
+                        handleMaxLength = GetHandleSize(theHandle);
+                }
+
+                if (byteCount > handleMaxLength)
+                {
+                        SetErrorMessageAndLongIntAndBail("AppendCStrToHandle: Can't increase Handle allocation, MemError() = ",MemError());
+                }
+        }
+        
+        
+        BlockMove(theCString,*theHandle + handleCurrentLength,stringLength + 1);
+        
+        
+        if (currentLength != nil)
+        {
+                *currentLength += stringLength;
+        }
+
+
+        errCode = noErr;
+        
+        
+EXITPOINT:
+
+        return(errCode);
+}
+
+
+
+OSErr AppendCharsToHandle(const char *theChars,const int numChars,Handle theHandle,long *currentLength,long *maxLength)
+{
+OSErr           errCode = noErr;
+long            handleMaxLength,handleCurrentLength,byteCount;
+
+
+        if (theChars == nil)
+        {
+                SetErrorMessageAndBail(("AppendCharsToHandle: Bad parameter, theChars == nil"));
+        }
+
+        if (theHandle == nil)
+        {
+                SetErrorMessageAndBail(("AppendCharsToHandle: Bad parameter, theHandle == nil"));
+        }
+        
+        
+        if (maxLength != nil)
+        {
+                handleMaxLength = *maxLength;
+        }
+        
+        else
+        {
+                handleMaxLength = GetHandleSize(theHandle);
+        }
+        
+        
+        if (currentLength != nil && *currentLength >= 0)
+        {
+                handleCurrentLength = *currentLength;
+        }
+        
+        else
+        {
+                handleCurrentLength = CStrLength(*theHandle);
+        }
+        
+        
+        byteCount = handleCurrentLength + numChars + 1;
+        
+        if (byteCount > handleMaxLength)
+        {
+                SetHandleSize(theHandle,handleCurrentLength + numChars + 1);
+                
+                if (maxLength != nil)
+                {
+                        *maxLength = GetHandleSize(theHandle);
+                        
+                        handleMaxLength = *maxLength;
+                }
+                
+                else
+                {
+                        handleMaxLength = GetHandleSize(theHandle);
+                }
+
+                if (byteCount > handleMaxLength)
+                {
+                        SetErrorMessageAndLongIntAndBail("AppendCharsToHandle: Can't increase Handle allocation, MemError() = ",MemError());
+                }
+        }
+        
+        
+        BlockMove(theChars,*theHandle + handleCurrentLength,numChars);
+        
+        (*theHandle)[handleCurrentLength + numChars] = '\0';
+        
+        if (currentLength != nil)
+        {
+                *currentLength += numChars;
+        }
+
+
+        errCode = noErr;
+        
+        
+EXITPOINT:
+
+        return(errCode);
+}
+
+
+
+OSErr AppendLongIntToHandle(const long inTheLongInt,Handle theHandle,long *currentLength)
+{
+OSErr           errCode = noErr;
+char            tempString[32];
+        
+        
+        CopyLongIntToCStr(inTheLongInt,tempString,sizeof(tempString));
+        
+        errCode = AppendCStrToHandle(tempString,theHandle,currentLength);
+
+        return(errCode);
+}
+
+
+
+
+long CStrLength(const char *theCString)
+{
+long    cStrLength = 0;
+
+        
+        if (theCString != nil)
+        {
+                for (cStrLength = 0;theCString[cStrLength] != 0;cStrLength++)
+                {
+                
+                }
+        }
+        
+        
+        return(cStrLength);
+}
+
+
+
+long PStrLength(const unsigned char *thePString)
+{
+long    pStrLength = 0;
+
+        
+        if (thePString != nil)
+        {
+                pStrLength = thePString[0];
+        }
+        
+        
+        return(pStrLength);
+}
+
+
+
+
+
+void ZeroMem(void *theMemPtr,const unsigned long numBytes)
+{
+unsigned char   *theBytePtr;
+unsigned long   *theLongPtr;
+unsigned long   numSingleBytes;
+unsigned long   theNumBytes;
+
+        
+        theNumBytes = numBytes;
+        
+        if (theMemPtr != nil && theNumBytes > 0)
+        {
+                theBytePtr = (unsigned char     *) theMemPtr;
+                
+                numSingleBytes = (unsigned long) theBytePtr & 0x0003;
+                
+                while (numSingleBytes > 0)
+                {
+                        *theBytePtr++ = 0;
+                        
+                        theNumBytes--;
+                        numSingleBytes--;
+                }
+                
+
+                theLongPtr = (unsigned long     *) theBytePtr;
+                
+                while (theNumBytes >= 4)
+                {
+                        *theLongPtr++ = 0;
+                        
+                        theNumBytes -= 4;
+                }
+                
+                
+                theBytePtr = (unsigned char     *) theLongPtr;
+                
+                while (theNumBytes > 0)
+                {
+                        *theBytePtr++ = 0;
+                        
+                        theNumBytes--;
+                }
+        }
+}
+
+
+
+
+char *FindCharInCStr(const char theChar,const char *theCString)
+{
+char    *theStringSearchPtr;
+
+        
+        theStringSearchPtr = (char      *) theCString;
+        
+        if (theStringSearchPtr != nil)
+        {
+                while (*theStringSearchPtr != '\0' && *theStringSearchPtr != theChar)
+                {
+                        theStringSearchPtr++;
+                }
+                
+                if (*theStringSearchPtr == '\0')
+                {
+                        theStringSearchPtr = nil;
+                }
+        }
+        
+        return(theStringSearchPtr);
+}
+
+
+
+long FindCharOffsetInCStr(const char theChar,const char *theCString,const Boolean inIgnoreCase)
+{
+long    theOffset = -1;
+
+
+        if (theCString != nil)
+        {
+                theOffset = 0;
+                
+
+                if (inIgnoreCase)
+                {
+                char    searchChar = theChar;
+                
+                        if (searchChar >= 'a' && searchChar <= 'z')
+                        {
+                                searchChar = searchChar - 'a' + 'A';
+                        }
+                        
+                        
+                        while (*theCString != 0)
+                        {
+                        char    currentChar = *theCString;
+                        
+                                if (currentChar >= 'a' && currentChar <= 'z')
+                                {
+                                        currentChar = currentChar - 'a' + 'A';
+                                }
+                        
+                                if (currentChar == searchChar)
+                                {
+                                        break;
+                                }
+                                
+                                theCString++;
+                                theOffset++;
+                        }
+                }
+                
+                else
+                {
+                        while (*theCString != 0 && *theCString != theChar)
+                        {
+                                theCString++;
+                                theOffset++;
+                        }
+                }
+                
+                if (*theCString == 0)
+                {
+                        theOffset = -1;
+                }
+        }
+        
+        return(theOffset);
+}
+
+
+long FindCStrOffsetInCStr(const char *theCSubstring,const char *theCString,const Boolean inIgnoreCase)
+{
+long    theOffset = -1;
+
+
+        if (theCSubstring != nil && theCString != nil)
+        {
+                for (theOffset = 0;;theOffset++)
+                {
+                        if (theCString[theOffset] == 0)
+                        {
+                                theOffset = -1;
+                                
+                                goto EXITPOINT;
+                        }
+                        
+                        
+                        for (const char *tempSubstringPtr = theCSubstring,*tempCStringPtr = theCString + theOffset;;tempSubstringPtr++,tempCStringPtr++)
+                        {
+                                if (*tempSubstringPtr == 0)
+                                {
+                                        goto EXITPOINT;
+                                }
+                                
+                                else if (*tempCStringPtr == 0)
+                                {
+                                        break;
+                                }
+                        
+                        char    searchChar = *tempSubstringPtr;
+                        char    currentChar = *tempCStringPtr;
+                        
+                                if (inIgnoreCase && searchChar >= 'a' && searchChar <= 'z')
+                                {
+                                        searchChar = searchChar - 'a' + 'A';
+                                }
+                                
+                                if (inIgnoreCase && currentChar >= 'a' && currentChar <= 'z')
+                                {
+                                        currentChar = currentChar - 'a' + 'A';
+                                }
+                                
+                                if (currentChar != searchChar)
+                                {
+                                        break;
+                                }
+                        }
+                }
+                
+                theOffset = -1;
+        }
+
+
+EXITPOINT:
+        
+        return(theOffset);
+}
+
+
+
+void InsertCStrIntoCStr(const char *theSrcCStr,const int theInsertionOffset,char *theDstCStr,const int maxDstStrLength)
+{
+int             currentLength;
+int             insertLength;
+int             numCharsToInsert;
+int             numCharsToShift;
+
+        
+        if (theDstCStr != nil && theSrcCStr != nil && maxDstStrLength > 0 && theInsertionOffset < maxDstStrLength - 1)
+        {
+                currentLength = CStrLength(theDstCStr);
+                
+                insertLength = CStrLength(theSrcCStr);
+                
+
+                if (theInsertionOffset + insertLength < maxDstStrLength - 1)
+                {
+                        numCharsToInsert = insertLength;
+                }
+                
+                else
+                {
+                        numCharsToInsert = maxDstStrLength - 1 - theInsertionOffset;
+                }
+                
+
+                if (numCharsToInsert + currentLength < maxDstStrLength - 1)
+                {
+                        numCharsToShift = currentLength - theInsertionOffset;
+                }
+                
+                else
+                {
+                        numCharsToShift = maxDstStrLength - 1 - theInsertionOffset - numCharsToInsert;
+                }
+
+                
+                if (numCharsToShift > 0)
+                {
+                        BlockMove(theDstCStr + theInsertionOffset,theDstCStr + theInsertionOffset + numCharsToInsert,numCharsToShift);
+                }
+                
+                if (numCharsToInsert > 0)
+                {
+                        BlockMove(theSrcCStr,theDstCStr + theInsertionOffset,numCharsToInsert);
+                }
+                
+                theDstCStr[theInsertionOffset + numCharsToInsert + numCharsToShift] = 0;
+        }
+}
+
+
+
+void InsertPStrIntoCStr(const unsigned char *theSrcPStr,const int theInsertionOffset,char *theDstCStr,const int maxDstStrLength)
+{
+int             currentLength;
+int             insertLength;
+int             numCharsToInsert;
+int             numCharsToShift;
+
+        
+        if (theDstCStr != nil && theSrcPStr != nil && maxDstStrLength > 0 && theInsertionOffset < maxDstStrLength - 1)
+        {
+                currentLength = CStrLength(theDstCStr);
+                
+                insertLength = PStrLength(theSrcPStr);
+                
+
+                if (theInsertionOffset + insertLength < maxDstStrLength - 1)
+                {
+                        numCharsToInsert = insertLength;
+                }
+                
+                else
+                {
+                        numCharsToInsert = maxDstStrLength - 1 - theInsertionOffset;
+                }
+                
+
+                if (numCharsToInsert + currentLength < maxDstStrLength - 1)
+                {
+                        numCharsToShift = currentLength - theInsertionOffset;
+                }
+                
+                else
+                {
+                        numCharsToShift = maxDstStrLength - 1 - theInsertionOffset - numCharsToInsert;
+                }
+
+                
+                if (numCharsToShift > 0)
+                {
+                        BlockMove(theDstCStr + theInsertionOffset,theDstCStr + theInsertionOffset + numCharsToInsert,numCharsToShift);
+                }
+                
+                if (numCharsToInsert > 0)
+                {
+                        BlockMove(theSrcPStr + 1,theDstCStr + theInsertionOffset,numCharsToInsert);
+                }
+                
+                theDstCStr[theInsertionOffset + numCharsToInsert + numCharsToShift] = 0;
+        }
+}
+
+
+
+OSErr InsertCStrIntoHandle(const char *theCString,Handle theHandle,const long inInsertOffset)
+{
+OSErr   errCode;
+int             currentLength;
+int             insertLength;
+
+        
+        SetErrorMessageAndBailIfNil(theCString,"InsertCStrIntoHandle: Bad parameter, theCString == nil");
+
+        SetErrorMessageAndBailIfNil(theHandle,"InsertCStrIntoHandle: Bad parameter, theHandle == nil");
+        
+        currentLength = CStrLength(*theHandle);
+        
+        if (currentLength + 1 > ::GetHandleSize(theHandle))
+        {
+                SetErrorMessageAndBail("InsertCStrIntoHandle: Handle has been overflowed");
+        }
+        
+        if (inInsertOffset > currentLength)
+        {
+                SetErrorMessageAndBail("InsertCStrIntoHandle: Insertion offset is greater than string length");
+        }
+        
+        insertLength = CStrLength(theCString);
+        
+        ::SetHandleSize(theHandle,currentLength + 1 + insertLength);
+        
+        if (::GetHandleSize(theHandle) < currentLength + 1 + insertLength)
+        {
+                SetErrorMessageAndLongIntAndBail("InsertCStrIntoHandle: Can't expand storage for Handle, MemError() = ",MemError());
+        }
+        
+        ::BlockMove(*theHandle + inInsertOffset,*theHandle + inInsertOffset + insertLength,currentLength - inInsertOffset + 1);
+        
+        ::BlockMove(theCString,*theHandle + inInsertOffset,insertLength);
+
+
+        errCode = noErr;
+        
+        
+EXITPOINT:
+
+        return(errCode);
+}
+
+
+
+
+void CopyCStrAndInsert1LongIntIntoCStr(const char *theSrcCStr,const long theNum,char *theDstCStr,const int maxDstStrLength)
+{
+        CopyCStrAndInsertCStrLongIntIntoCStr(theSrcCStr,nil,theNum,theDstCStr,maxDstStrLength);
+}
+
+
+void CopyCStrAndInsert2LongIntsIntoCStr(const char *theSrcCStr,const long long1,const long long2,char *theDstCStr,const int maxDstStrLength)
+{
+const long      theLongInts[] = { long1,long2 };
+
+        CopyCStrAndInsertCStrsLongIntsIntoCStr(theSrcCStr,nil,theLongInts,theDstCStr,maxDstStrLength);
+}
+
+
+void CopyCStrAndInsert3LongIntsIntoCStr(const char *theSrcCStr,const long long1,const long long2,const long long3,char *theDstCStr,const int maxDstStrLength)
+{
+const long      theLongInts[] = { long1,long2,long3 };
+
+        CopyCStrAndInsertCStrsLongIntsIntoCStr(theSrcCStr,nil,theLongInts,theDstCStr,maxDstStrLength);
+}
+
+
+void CopyCStrAndInsertCStrIntoCStr(const char *theSrcCStr,const char *theInsertCStr,char *theDstCStr,const int maxDstStrLength)
+{
+const char      *theCStrs[2] = { theInsertCStr,nil };
+
+        CopyCStrAndInsertCStrsLongIntsIntoCStr(theSrcCStr,theCStrs,nil,theDstCStr,maxDstStrLength);
+}
+
+
+
+void CopyCStrAndInsertCStrLongIntIntoCStr(const char *theSrcCStr,const char *theInsertCStr,const long theNum,char *theDstCStr,const int maxDstStrLength)
+{
+const char      *theCStrs[2] = { theInsertCStr,nil };
+const long      theLongInts[1] = { theNum };
+
+        CopyCStrAndInsertCStrsLongIntsIntoCStr(theSrcCStr,theCStrs,theLongInts,theDstCStr,maxDstStrLength);
+}
+
+
+
+void CopyCStrAndInsertCStrsLongIntsIntoCStr(const char *theSrcCStr,const char **theInsertCStrs,const long *theLongInts,char *theDstCStr,const int maxDstStrLength)
+{
+int                     dstCharIndex,srcCharIndex,theMaxDstStrLength;
+int                     theCStrIndex = 0;
+int                     theLongIntIndex = 0;
+
+        
+        theMaxDstStrLength = maxDstStrLength;
+        
+        if (theDstCStr != nil && theSrcCStr != nil && theMaxDstStrLength > 0)
+        {
+                dstCharIndex = 0;
+                
+                srcCharIndex = 0;
+                
+                
+                //      Allow room for NULL at end of string
+                
+                theMaxDstStrLength--;
+                
+                
+                for (;;)
+                {
+                        //      Hit end of buffer?
+                        
+                        if (dstCharIndex >= theMaxDstStrLength)
+                        {
+                                theDstCStr[dstCharIndex++] = 0;
+                                
+                                goto EXITPOINT;
+                        }
+                        
+                        //      End of source string?
+                        
+                        else if (theSrcCStr[srcCharIndex] == 0)
+                        {
+                                theDstCStr[dstCharIndex++] = 0;
+                                
+                                goto EXITPOINT;
+                        }
+                        
+                        //      Did we find a '%s'?
+                        
+                        else if (theInsertCStrs != nil && theInsertCStrs[theCStrIndex] != nil && theSrcCStr[srcCharIndex] == '%' && theSrcCStr[srcCharIndex + 1] == 's')
+                        {
+                                //      Skip over the '%s'
+                                
+                                srcCharIndex += 2;
+                                
+                                
+                                //      Terminate the dest string and then concat the string
+                                
+                                theDstCStr[dstCharIndex] = 0;
+                                
+                                ConcatCStrToCStr(theInsertCStrs[theCStrIndex],theDstCStr,theMaxDstStrLength);
+                                
+                                dstCharIndex = CStrLength(theDstCStr);
+                                
+                                theCStrIndex++;
+                        }
+                        
+                        //      Did we find a '%ld'?
+                        
+                        else if (theLongInts != nil && theSrcCStr[srcCharIndex] == '%' && theSrcCStr[srcCharIndex + 1] == 'l' && theSrcCStr[srcCharIndex + 2] == 'd')
+                        {
+                                //      Skip over the '%ld'
+                                
+                                srcCharIndex += 3;
+                                
+                                
+                                //      Terminate the dest string and then concat the number
+                                
+                                theDstCStr[dstCharIndex] = 0;
+                                
+                                ConcatLongIntToCStr(theLongInts[theLongIntIndex],theDstCStr,theMaxDstStrLength);
+                                
+                                theLongIntIndex++;
+                                
+                                dstCharIndex = CStrLength(theDstCStr);
+                        }
+                        
+                        else
+                        {
+                                theDstCStr[dstCharIndex++] = theSrcCStr[srcCharIndex++];
+                        }
+                }
+        }
+
+
+
+EXITPOINT:
+
+        return;
+}
+
+
+
+
+
+OSErr CopyCStrAndInsertCStrLongIntIntoHandle(const char *theSrcCStr,const char *theInsertCStr,const long theNum,Handle *theHandle)
+{
+OSErr   errCode;
+long    byteCount;
+
+        
+        if (theHandle != nil)
+        {
+                byteCount = CStrLength(theSrcCStr) + CStrLength(theInsertCStr) + 32;
+                
+                *theHandle = NewHandle(byteCount);
+                
+                if (*theHandle == nil)
+                {
+                        SetErrorMessageAndLongIntAndBail("CopyCStrAndInsertCStrLongIntIntoHandle: Can't allocate Handle, MemError() = ",MemError());
+                }
+                
+                
+                HLock(*theHandle);
+                
+                CopyCStrAndInsertCStrLongIntIntoCStr(theSrcCStr,theInsertCStr,theNum,**theHandle,byteCount);
+                
+                HUnlock(*theHandle);
+        }
+        
+        errCode = noErr;
+        
+        
+EXITPOINT:
+
+        return(errCode);
+}
+
+
+
+
+
+OSErr CopyIndexedWordToCStr(char *theSrcCStr,int whichWord,char *theDstCStr,int maxDstCStrLength)
+{
+OSErr           errCode;
+char            *srcCharPtr,*dstCharPtr;
+int                     wordCount;
+int                     byteCount;
+
+
+        if (theSrcCStr == nil)
+        {
+                SetErrorMessageAndBail(("CopyIndexedWordToCStr: Bad parameter, theSrcCStr == nil"));
+        }
+        
+        if (theDstCStr == nil)
+        {
+                SetErrorMessageAndBail(("CopyIndexedWordToCStr: Bad parameter, theDstCStr == nil"));
+        }
+        
+        if (whichWord < 0)
+        {
+                SetErrorMessageAndBail(("CopyIndexedWordToCStr: Bad parameter, whichWord < 0"));
+        }
+        
+        if (maxDstCStrLength <= 0)
+        {
+                SetErrorMessageAndBail(("CopyIndexedWordToCStr: Bad parameter, maxDstCStrLength <= 0"));
+        }
+
+        
+        *theDstCStr = '\0';
+        
+        srcCharPtr = theSrcCStr;
+
+        while (*srcCharPtr == ' ' || *srcCharPtr == '\t')
+        {
+                srcCharPtr++;
+        }
+        
+
+        for (wordCount = 0;wordCount < whichWord;wordCount++)
+        {
+                while (*srcCharPtr != ' ' && *srcCharPtr != '\t' && *srcCharPtr != '\r' && *srcCharPtr != '\n' && *srcCharPtr != '\0')
+                {
+                        srcCharPtr++;
+                }
+                
+                if (*srcCharPtr == '\r' || *srcCharPtr == '\n' || *srcCharPtr == '\0')
+                {
+                        errCode = noErr;
+                        
+                        goto EXITPOINT;
+                }
+
+                while (*srcCharPtr == ' ' || *srcCharPtr == '\t')
+                {
+                        srcCharPtr++;
+                }
+                
+                if (*srcCharPtr == '\r' || *srcCharPtr == '\n' || *srcCharPtr == '\0')
+                {
+                        errCode = noErr;
+                        
+                        goto EXITPOINT;
+                }
+        }
+
+
+        dstCharPtr = theDstCStr;
+        byteCount = 0;
+        
+        
+        for(;;)
+        {
+                if (byteCount >= maxDstCStrLength - 1 || *srcCharPtr == '\0' || *srcCharPtr == ' ' || *srcCharPtr == '\t' || *srcCharPtr == '\r' || *srcCharPtr == '\n')
+                {
+                        *dstCharPtr = '\0';
+                        break;
+                }
+                
+                *dstCharPtr++ = *srcCharPtr++;
+                
+                byteCount++;
+        }
+
+
+        errCode = noErr;
+
+
+EXITPOINT:
+
+        return(errCode);
+}
+
+
+
+
+
+OSErr CopyIndexedWordToNewHandle(char *theSrcCStr,int whichWord,Handle *outTheHandle)
+{
+OSErr           errCode;
+char            *srcCharPtr;
+int                     wordCount;
+int                     byteCount;
+
+
+        if (theSrcCStr == nil)
+        {
+                SetErrorMessageAndBail(("CopyIndexedWordToNewHandle: Bad parameter, theSrcCStr == nil"));
+        }
+        
+        if (outTheHandle == nil)
+        {
+                SetErrorMessageAndBail(("CopyIndexedWordToNewHandle: Bad parameter, outTheHandle == nil"));
+        }
+        
+        if (whichWord < 0)
+        {
+                SetErrorMessageAndBail(("CopyIndexedWordToNewHandle: Bad parameter, whichWord < 0"));
+        }
+
+        
+        *outTheHandle = nil;
+        
+
+        srcCharPtr = theSrcCStr;
+
+        while (*srcCharPtr == ' ' || *srcCharPtr == '\t')
+        {
+                srcCharPtr++;
+        }
+        
+
+        for (wordCount = 0;wordCount < whichWord;wordCount++)
+        {
+                while (*srcCharPtr != ' ' && *srcCharPtr != '\t' && *srcCharPtr != '\r' && *srcCharPtr != '\n' && *srcCharPtr != '\0')
+                {
+                        srcCharPtr++;
+                }
+                
+                if (*srcCharPtr == '\r' || *srcCharPtr == '\n' || *srcCharPtr == '\0')
+                {
+                        break;
+                }
+
+                while (*srcCharPtr == ' ' || *srcCharPtr == '\t')
+                {
+                        srcCharPtr++;
+                }
+                
+                if (*srcCharPtr == '\r' || *srcCharPtr == '\n' || *srcCharPtr == '\0')
+                {
+                        break;
+                }
+        }
+
+
+        for (byteCount = 0;;byteCount++)
+        {
+                if (srcCharPtr[byteCount] == ' ' || srcCharPtr[byteCount] == '\t' || srcCharPtr[byteCount] == '\r' || srcCharPtr[byteCount] == '\n' || srcCharPtr[byteCount] == '\0')
+                {
+                        break;
+                }
+        }
+
+        
+        *outTheHandle = NewHandle(byteCount + 1);
+        
+        if (*outTheHandle == nil)
+        {
+                SetErrorMessageAndLongIntAndBail("CopyIndexedWordToNewHandle: Can't allocate Handle, MemError() = ",MemError());
+        }
+        
+        
+        ::BlockMove(srcCharPtr,**outTheHandle,byteCount);
+        
+        (**outTheHandle)[byteCount] = '\0';
+
+        errCode = noErr;
+
+
+EXITPOINT:
+
+        return(errCode);
+}
+
+
+
+OSErr CopyIndexedLineToCStr(const char *theSrcCStr,int inWhichLine,int *lineEndIndex,Boolean *gotLastLine,char *theDstCStr,const int maxDstCStrLength)
+{
+OSErr           errCode;
+int                     theCurrentLine;
+int                     theCurrentLineOffset;
+int                     theEOSOffset;
+
+
+        if (theSrcCStr == nil)
+        {
+                SetErrorMessageAndBail(("CopyIndexedLineToCStr: Bad parameter, theSrcCStr == nil"));
+        }
+        
+        if (theDstCStr == nil)
+        {
+                SetErrorMessageAndBail(("CopyIndexedLineToCStr: Bad parameter, theDstCStr == nil"));
+        }
+        
+        if (inWhichLine < 0)
+        {
+                SetErrorMessageAndBail(("CopyIndexedLineToCStr: Bad parameter, inWhichLine < 0"));
+        }
+        
+        if (maxDstCStrLength <= 0)
+        {
+                SetErrorMessageAndBail(("CopyIndexedLineToCStr: Bad parameter, maxDstCStrLength <= 0"));
+        }
+        
+        
+        if (gotLastLine != nil)
+        {
+                *gotLastLine = false;
+        }
+
+        
+        *theDstCStr = 0;
+        
+        theCurrentLineOffset = 0;
+        
+        theCurrentLine = 0;
+        
+        
+        while (theCurrentLine < inWhichLine)
+        {
+                while (theSrcCStr[theCurrentLineOffset] != '\r' && theSrcCStr[theCurrentLineOffset] != 0)
+                {
+                        theCurrentLineOffset++;
+                }
+                
+                if (theSrcCStr[theCurrentLineOffset] == 0)
+                {
+                        break;
+                }
+                
+                theCurrentLineOffset++;
+                theCurrentLine++;
+        }
+                
+        if (theSrcCStr[theCurrentLineOffset] == 0)
+        {
+                SetErrorMessageAndLongIntAndBail("CopyIndexedLineToCStr: Too few lines in source text, can't get line ",inWhichLine);
+        }
+
+
+        theEOSOffset = FindCharOffsetInCStr('\r',theSrcCStr + theCurrentLineOffset);
+        
+        if (theEOSOffset >= 0)
+        {
+                CopyCSubstrToCStr(theSrcCStr + theCurrentLineOffset,theEOSOffset,theDstCStr,maxDstCStrLength);
+                
+                if (gotLastLine != nil)
+                {
+                        *gotLastLine = false;
+                }
+        
+                if (lineEndIndex != nil)
+                {
+                        *lineEndIndex = theEOSOffset;
+                }
+        }
+        
+        else
+        {
+                theEOSOffset = CStrLength(theSrcCStr + theCurrentLineOffset);
+
+                CopyCSubstrToCStr(theSrcCStr + theCurrentLineOffset,theEOSOffset,theDstCStr,maxDstCStrLength);
+                
+                if (gotLastLine != nil)
+                {
+                        *gotLastLine = true;
+                }
+        
+                if (lineEndIndex != nil)
+                {
+                        *lineEndIndex = theEOSOffset;
+                }
+        }
+        
+
+        errCode = noErr;
+
+
+EXITPOINT:
+
+        return(errCode);
+}
+
+
+
+OSErr CopyIndexedLineToNewHandle(const char *theSrcCStr,int inWhichLine,Handle *outNewHandle)
+{
+OSErr           errCode;
+int                     theCurrentLine;
+int                     theCurrentLineOffset;
+int                     byteCount;
+
+
+        SetErrorMessageAndBailIfNil(theSrcCStr,"CopyIndexedLineToNewHandle: Bad parameter, theSrcCStr == nil");
+        SetErrorMessageAndBailIfNil(outNewHandle,"CopyIndexedLineToNewHandle: Bad parameter, outNewHandle == nil");
+        
+        if (inWhichLine < 0)
+        {
+                SetErrorMessageAndBail(("CopyIndexedLineToNewHandle: Bad parameter, inWhichLine < 0"));
+        }
+        
+
+        theCurrentLineOffset = 0;
+        
+        theCurrentLine = 0;
+        
+        
+        while (theCurrentLine < inWhichLine)
+        {
+                while (theSrcCStr[theCurrentLineOffset] != '\r' && theSrcCStr[theCurrentLineOffset] != '\0')
+                {
+                        theCurrentLineOffset++;
+                }
+                
+                if (theSrcCStr[theCurrentLineOffset] == '\0')
+                {
+                        break;
+                }
+                
+                theCurrentLineOffset++;
+                theCurrentLine++;
+        }
+                
+        if (theSrcCStr[theCurrentLineOffset] == '\0')
+        {
+                SetErrorMessageAndLongIntAndBail("CopyIndexedLineToNewHandle: Too few lines in source text, can't get line #",inWhichLine);
+        }
+
+        
+        byteCount = 0;
+        
+        while (theSrcCStr[theCurrentLineOffset + byteCount] != '\r' && theSrcCStr[theCurrentLineOffset + byteCount] != '\0')
+        {
+                byteCount++;
+        }
+                
+        
+        *outNewHandle = NewHandle(byteCount + 1);
+        
+        if (*outNewHandle == nil)
+        {
+                SetErrorMessageAndLongIntAndBail("CopyIndexedLineToNewHandle: Can't allocate Handle, MemError() = ",MemError());
+        }
+        
+        ::BlockMove(theSrcCStr + theCurrentLineOffset,**outNewHandle,byteCount);
+        
+        (**outNewHandle)[byteCount] = '\0';
+
+        errCode = noErr;
+
+
+EXITPOINT:
+
+        return(errCode);
+}
+
+
+
+
+OSErr CountDigits(const char *inCStr,int *outNumIntegerDigits,int *outNumFractDigits)
+{
+OSErr   errCode = noErr;
+int             numIntDigits = 0;
+int             numFractDigits = 0;
+int     digitIndex = 0;
+
+        
+        SetErrorMessageAndBailIfNil(inCStr,"CountDigits: Bad parameter, theSrcCStr == nil");
+        SetErrorMessageAndBailIfNil(outNumIntegerDigits,"CountDigits: Bad parameter, outNumIntegerDigits == nil");
+        SetErrorMessageAndBailIfNil(outNumFractDigits,"CountDigits: Bad parameter, outNumFractDigits == nil");
+        
+        digitIndex = 0;
+        
+        while (inCStr[digitIndex] >= '0' && inCStr[digitIndex] <= '9')
+        {
+                digitIndex++;
+                numIntDigits++;
+        }
+        
+        if (inCStr[digitIndex] == '.')
+        {
+                digitIndex++;
+                
+                while (inCStr[digitIndex] >= '0' && inCStr[digitIndex] <= '9')
+                {
+                        digitIndex++;
+                        numFractDigits++;
+                }
+        }
+        
+        *outNumIntegerDigits = numIntDigits;
+        
+        *outNumFractDigits = numFractDigits;
+        
+        errCode = noErr;
+        
+EXITPOINT:
+
+        return(errCode);
+}
+
+
+
+OSErr ExtractIntFromCStr(const char *theSrcCStr,int *outInt,Boolean skipLeadingSpaces)
+{
+OSErr           errCode;
+int                     theCharIndex;
+
+
+        if (theSrcCStr == nil)
+        {
+                SetErrorMessageAndBail(("ExtractIntFromCStr: Bad parameter, theSrcCStr == nil"));
+        }
+        
+        if (outInt == nil)
+        {
+                SetErrorMessageAndBail(("ExtractIntFromCStr: Bad parameter, outInt == nil"));
+        }       
+
+        
+        *outInt = 0;
+        
+        theCharIndex = 0;
+        
+        if (skipLeadingSpaces == true)
+        {
+                while (theSrcCStr[theCharIndex] == ' ')
+                {
+                        theCharIndex++;
+                }
+        }
+        
+        if (theSrcCStr[theCharIndex] < '0' || theSrcCStr[theCharIndex] > '9')
+        {
+                SetErrorMessageAndBail(("ExtractIntFromCStr: Bad parameter, theSrcCStr contains a bogus numeric representation"));
+        }
+
+
+        while (theSrcCStr[theCharIndex] >= '0' && theSrcCStr[theCharIndex] <= '9')
+        {
+                *outInt = (*outInt * 10) + (theSrcCStr[theCharIndex] - '0');
+                
+                theCharIndex++;
+        }
+        
+
+        errCode = noErr;
+
+
+EXITPOINT:
+
+        return(errCode);
+}
+
+
+
+OSErr ExtractIntFromPStr(const unsigned char *theSrcPStr,int *outInt,Boolean skipLeadingSpaces)
+{
+OSErr           errCode;
+char            theCStr[256];
+
+
+        if (theSrcPStr == nil)
+        {
+                SetErrorMessageAndBail(("ExtractIntFromPStr: Bad parameter, theSrcPStr == nil"));
+        }
+        
+        if (outInt == nil)
+        {
+                SetErrorMessageAndBail(("ExtractIntFromPStr: Bad parameter, outInt == nil"));
+        }
+        
+        
+        CopyPStrToCStr(theSrcPStr,theCStr,sizeof(theCStr));
+        
+        
+        errCode = ExtractIntFromCStr(theCStr,outInt,skipLeadingSpaces);
+
+
+EXITPOINT:
+
+        return(errCode);
+}
+
+
+
+int CountOccurencesOfCharInCStr(const char inChar,const char *inSrcCStr)
+{
+int             theSrcCharIndex;
+int             numOccurrences = -1;
+
+
+        if (inSrcCStr != nil && inChar != '\0')
+        {
+                numOccurrences = 0;
+                
+                for (theSrcCharIndex = 0;inSrcCStr[theSrcCharIndex] != '\0';theSrcCharIndex++)
+                {
+                        if (inSrcCStr[theSrcCharIndex] == inChar)
+                        {
+                                numOccurrences++;
+                        }
+                }
+        }
+        
+        return(numOccurrences);
+}
+
+
+int CountWordsInCStr(const char *inSrcCStr)
+{
+int             numWords = -1;
+
+
+        if (inSrcCStr != nil)
+        {
+                numWords = 0;
+                
+                //      Skip lead spaces
+                
+                while (*inSrcCStr == ' ')
+                {
+                        inSrcCStr++;
+                }
+
+                while (*inSrcCStr != '\0')
+                {
+                        numWords++;
+
+                        while (*inSrcCStr != ' ' && *inSrcCStr != '\0')
+                        {
+                                inSrcCStr++;
+                        }
+                        
+                        while (*inSrcCStr == ' ')
+                        {
+                                inSrcCStr++;
+                        }
+                }
+        }
+        
+        return(numWords);
+}
+
+
+
+
+void ConvertCStrToUpperCase(char *theSrcCStr)
+{
+char            *theCharPtr;
+
+
+        if (theSrcCStr != nil)
+        {
+                theCharPtr = theSrcCStr;
+                
+                while (*theCharPtr != 0)
+                {
+                        if (*theCharPtr >= 'a' && *theCharPtr <= 'z')
+                        {
+                                *theCharPtr = *theCharPtr - 'a' + 'A';
+                        }
+                        
+                        theCharPtr++;
+                }
+        }
+}
+
+
+
+
+
+
+
+void ExtractCStrItemFromCStr(const char *inSrcCStr,const char inItemDelimiter,const int inItemNumber,Boolean *foundItem,char *outDstCharPtr,const int inDstCharPtrMaxLength,const Boolean inTreatMultipleDelimsAsSingleDelim)
+{
+int             theItem;
+int             theSrcCharIndex;
+int             theDstCharIndex;
+
+
+        if (foundItem != nil)
+        {
+                *foundItem = false;
+        }
+        
+        
+        if (outDstCharPtr != nil && inDstCharPtrMaxLength > 0 && inItemNumber >= 0 && inItemDelimiter != 0)
+        {
+                *outDstCharPtr = 0;
+                
+
+                theSrcCharIndex = 0;
+                
+                for (theItem = 0;theItem < inItemNumber;theItem++)
+                {
+                        while (inSrcCStr[theSrcCharIndex] != inItemDelimiter && inSrcCStr[theSrcCharIndex] != '\0')
+                        {
+                                theSrcCharIndex++;
+                        }
+                        
+                        if (inSrcCStr[theSrcCharIndex] == inItemDelimiter)
+                        {
+                                theSrcCharIndex++;
+                                
+                                if (inTreatMultipleDelimsAsSingleDelim)
+                                {
+                                        while (inSrcCStr[theSrcCharIndex] == inItemDelimiter)
+                                        {
+                                                theSrcCharIndex++;
+                                        }
+                                }
+                        }
+                        
+                        
+                        if (inSrcCStr[theSrcCharIndex] == '\0')
+                        {
+                                goto EXITPOINT;
+                        }
+                }
+                
+
+                if (foundItem != nil)
+                {
+                        *foundItem = true;
+                }
+                
+                
+                theDstCharIndex = 0;
+                
+                for (;;)
+                {
+                        if (inSrcCStr[theSrcCharIndex] == 0 || inSrcCStr[theSrcCharIndex] == inItemDelimiter || theDstCharIndex >= inDstCharPtrMaxLength - 1)
+                        {
+                                outDstCharPtr[theDstCharIndex] = 0;
+                                
+                                break;
+                        }
+                        
+                        outDstCharPtr[theDstCharIndex++] = inSrcCStr[theSrcCharIndex++];
+                }
+        }
+        
+        
+EXITPOINT:
+
+        return;
+}
+
+
+
+OSErr ExtractCStrItemFromCStrIntoNewHandle(const char *inSrcCStr,const char inItemDelimiter,const int inItemNumber,Boolean *foundItem,Handle *outNewHandle,const Boolean inTreatMultipleDelimsAsSingleDelim)
+{
+OSErr   errCode;
+int             theItem;
+int             theSrcCharIndex;
+int             theItemLength;
+
+
+        if (inSrcCStr == nil)
+        {
+                SetErrorMessage("ExtractCStrItemFromCStrIntoNewHandle: Bad parameter, inSrcCStr == nil");
+                errCode = kGenericError;
+                goto EXITPOINT;
+        }
+        
+        if (outNewHandle == nil)
+        {
+                SetErrorMessage("ExtractCStrItemFromCStrIntoNewHandle: Bad parameter, outNewHandle == nil");
+                errCode = kGenericError;
+                goto EXITPOINT;
+        }
+        
+        if (foundItem == nil)
+        {
+                SetErrorMessage("ExtractCStrItemFromCStrIntoNewHandle: Bad parameter, foundItem == nil");
+                errCode = kGenericError;
+                goto EXITPOINT;
+        }
+        
+        if (inItemNumber < 0)
+        {
+                SetErrorMessage("ExtractCStrItemFromCStrIntoNewHandle: Bad parameter, inItemNumber < 0");
+                errCode = kGenericError;
+                goto EXITPOINT;
+        }
+        
+        if (inItemDelimiter == 0)
+        {
+                SetErrorMessage("ExtractCStrItemFromCStrIntoNewHandle: Bad parameter, inItemDelimiter == 0");
+                errCode = kGenericError;
+                goto EXITPOINT;
+        }
+
+
+        *foundItem = false;
+        
+        theSrcCharIndex = 0;
+        
+        for (theItem = 0;theItem < inItemNumber;theItem++)
+        {
+                while (inSrcCStr[theSrcCharIndex] != inItemDelimiter && inSrcCStr[theSrcCharIndex] != '\0')
+                {
+                        theSrcCharIndex++;
+                }
+                
+                if (inSrcCStr[theSrcCharIndex] == inItemDelimiter)
+                {
+                        theSrcCharIndex++;
+                        
+                        if (inTreatMultipleDelimsAsSingleDelim)
+                        {
+                                while (inSrcCStr[theSrcCharIndex] == inItemDelimiter)
+                                {
+                                        theSrcCharIndex++;
+                                }
+                        }
+                }
+                
+                
+                if (inSrcCStr[theSrcCharIndex] == '\0')
+                {
+                        errCode = noErr;
+                        
+                        goto EXITPOINT;
+                }
+        }
+        
+
+        *foundItem = true;
+        
+        
+        for (theItemLength = 0;;theItemLength++)
+        {
+                if (inSrcCStr[theSrcCharIndex + theItemLength] == 0 || inSrcCStr[theSrcCharIndex + theItemLength] == inItemDelimiter)
+                {
+                        break;
+                }
+        }
+        
+
+        *outNewHandle = NewHandle(theItemLength + 1);
+        
+        if (*outNewHandle == nil)
+        {
+                SetErrorMessageAndLongIntAndBail("ExtractCStrItemFromCStrIntoNewHandle: Can't allocate Handle, MemError() = ",MemError());
+        }
+        
+        
+        BlockMove(inSrcCStr + theSrcCharIndex,**outNewHandle,theItemLength);
+        
+        (**outNewHandle)[theItemLength] = 0;
+        
+        errCode = noErr;
+        
+        
+EXITPOINT:
+
+        return(errCode);
+}
+
+
+
+
+
+
+OSErr ExtractFloatFromCStr(const char *inCString,extended80 *outFloat)
+{
+OSErr                           errCode;
+Str255                          theStr255;
+Handle                          theNumberPartsTableHandle = nil;
+long                            theNumberPartsOffset,theNumberPartsLength;
+FormatResultType        theFormatResultType;
+NumberParts                     theNumberPartsTable;
+NumFormatStringRec      theNumFormatStringRec;
+
+
+        if (inCString == nil)
+        {
+                SetErrorMessage("ExtractFloatFromCStr: Bad parameter, inCString == nil");
+                errCode = kGenericError;
+                goto EXITPOINT;
+        }
+
+        if (outFloat == nil)
+        {
+                SetErrorMessage("ExtractFloatFromCStr: Bad parameter, outFloat == nil");
+                errCode = kGenericError;
+                goto EXITPOINT;
+        }
+        
+        
+//      GetIntlResourceTable(smRoman,smNumberPartsTable,&theNumberPartsTableHandle,&theNumberPartsOffset,&theNumberPartsLength);
+
+        GetIntlResourceTable(GetScriptManagerVariable(smSysScript),smNumberPartsTable,&theNumberPartsTableHandle,&theNumberPartsOffset,&theNumberPartsLength);  
+        
+        if (theNumberPartsTableHandle == nil)
+        {
+                SetErrorMessage("ExtractFloatFromCStr: Can't get number parts table for converting string representations to/from numeric representations");
+                errCode = kGenericError;
+                goto EXITPOINT;
+        }
+        
+        if (theNumberPartsLength > sizeof(theNumberPartsTable))
+        {
+                SetErrorMessage("ExtractFloatFromCStr: Number parts table has bad length");
+                errCode = kGenericError;
+                goto EXITPOINT;
+        }
+        
+
+        BlockMove(*theNumberPartsTableHandle + theNumberPartsOffset,&theNumberPartsTable,theNumberPartsLength);
+        
+        
+        theFormatResultType = (FormatResultType) StringToFormatRec(kNumberFormatString,&theNumberPartsTable,&theNumFormatStringRec);
+        
+        if (theFormatResultType != fFormatOK)
+        {
+                SetErrorMessage("ExtractFloatFromCStr: StringToFormatRec() != fFormatOK");
+                errCode = kGenericError;
+                goto EXITPOINT;
+        }
+
+        
+        CopyCStrToPStr(inCString,theStr255,sizeof(theStr255));
+
+
+        theFormatResultType = (FormatResultType) StringToExtended(theStr255,&theNumFormatStringRec,&theNumberPartsTable,outFloat);
+        
+        if (theFormatResultType != fFormatOK && theFormatResultType != fBestGuess)
+        {
+                SetErrorMessageAndLongIntAndBail("ExtractFloatFromCStr: StringToExtended() = ",theFormatResultType);
+        }
+
+        
+        errCode = noErr;
+        
+
+EXITPOINT:
+        
+        return(errCode);
+}
+
+
+
+OSErr CopyFloatToCStr(const extended80 *theFloat,char *theCStr,const int maxCStrLength,const int inMaxNumIntDigits,const int inMaxNumFractDigits)
+{
+OSErr                           errCode;
+Str255                          theStr255;
+Handle                          theNumberPartsTableHandle = nil;
+long                            theNumberPartsOffset,theNumberPartsLength;
+FormatResultType        theFormatResultType;
+NumberParts                     theNumberPartsTable;
+NumFormatStringRec      theNumFormatStringRec;
+
+
+        if (theCStr == nil)
+        {
+                SetErrorMessage("CopyFloatToCStr: Bad parameter, theCStr == nil");
+                errCode = kGenericError;
+                goto EXITPOINT;
+        }
+
+        if (theFloat == nil)
+        {
+                SetErrorMessage("CopyFloatToCStr: Bad parameter, theFloat == nil");
+                errCode = kGenericError;
+                goto EXITPOINT;
+        }
+        
+
+//      GetIntlResourceTable(smRoman,smNumberPartsTable,&theNumberPartsTableHandle,&theNumberPartsOffset,&theNumberPartsLength);
+
+        GetIntlResourceTable(GetScriptManagerVariable(smSysScript),smNumberPartsTable,&theNumberPartsTableHandle,&theNumberPartsOffset,&theNumberPartsLength);  
+        
+        if (theNumberPartsTableHandle == nil)
+        {
+                SetErrorMessage("CopyFloatToCStr: Can't get number parts table for converting string representations to/from numeric representations");
+                errCode = kGenericError;
+                goto EXITPOINT;
+        }
+        
+        if (theNumberPartsLength > sizeof(theNumberPartsTable))
+        {
+                SetErrorMessage("CopyFloatToCStr: Number parts table has bad length");
+                errCode = kGenericError;
+                goto EXITPOINT;
+        }
+        
+        
+        BlockMove(*theNumberPartsTableHandle + theNumberPartsOffset,&theNumberPartsTable,theNumberPartsLength);
+        
+        
+        if (inMaxNumIntDigits >= 0 || inMaxNumFractDigits >= 0)
+        {
+        char    numberFormat[64];
+        int             numberFormatLength = 0;
+        
+                for (int i = 0;i < inMaxNumIntDigits && numberFormatLength < sizeof(numberFormat) - 1;i++)
+                {
+                        numberFormat[numberFormatLength++] = '0';
+                }
+                
+                if (inMaxNumFractDigits > 0 && numberFormatLength < sizeof(numberFormat) - 1)
+                {
+                        numberFormat[numberFormatLength++] = '.';
+                        
+                        for (int i = 0;i < inMaxNumFractDigits && numberFormatLength < sizeof(numberFormat) - 1;i++)
+                        {
+                                numberFormat[numberFormatLength++] = '0';
+                        }
+                }
+
+                
+                if (numberFormatLength < sizeof(numberFormat) - 1)
+                {
+                        numberFormat[numberFormatLength++] = ';';
+                }
+                
+                if (numberFormatLength < sizeof(numberFormat) - 1)
+                {
+                        numberFormat[numberFormatLength++] = '-';
+                }
+                
+
+                for (int i = 0;i < inMaxNumIntDigits && numberFormatLength < sizeof(numberFormat) - 1;i++)
+                {
+                        numberFormat[numberFormatLength++] = '0';
+                }
+                
+                if (inMaxNumFractDigits > 0 && numberFormatLength < sizeof(numberFormat) - 1)
+                {
+                        numberFormat[numberFormatLength++] = '.';
+                        
+                        for (int i = 0;i < inMaxNumFractDigits && numberFormatLength < sizeof(numberFormat) - 1;i++)
+                        {
+                                numberFormat[numberFormatLength++] = '0';
+                        }
+                }
+                
+                numberFormat[numberFormatLength] = '\0';
+
+
+        Str255  tempStr255;
+        
+                CopyCStrToPStr(numberFormat,tempStr255,sizeof(tempStr255));
+                
+                theFormatResultType = (FormatResultType) StringToFormatRec(tempStr255,&theNumberPartsTable,&theNumFormatStringRec);
+        }
+        
+        else
+        {
+                theFormatResultType = (FormatResultType) StringToFormatRec(kNumberFormatString,&theNumberPartsTable,&theNumFormatStringRec);
+        }
+        
+        if (theFormatResultType != fFormatOK)
+        {
+                SetErrorMessage("CopyFloatToCStr: StringToFormatRec() != fFormatOK");
+                errCode = kGenericError;
+                goto EXITPOINT;
+        }
+
+
+        theFormatResultType = (FormatResultType) ExtendedToString(theFloat,&theNumFormatStringRec,&theNumberPartsTable,theStr255);
+        
+        if (theFormatResultType != fFormatOK)
+        {
+                SetErrorMessage("CopyFloatToCStr: ExtendedToString() != fFormatOK");
+                errCode = kGenericError;
+                goto EXITPOINT;
+        }
+
+        
+        CopyPStrToCStr(theStr255,theCStr,maxCStrLength);
+        
+        errCode = noErr;
+        
+
+EXITPOINT:
+        
+        return(errCode);
+}
+
+
+
+
+
+void SkipWhiteSpace(char **ioSrcCharPtr,const Boolean inStopAtEOL)
+{
+        if (ioSrcCharPtr != nil && *ioSrcCharPtr != nil)
+        {
+                if (inStopAtEOL)
+                {
+                        while ((**ioSrcCharPtr == ' ' || **ioSrcCharPtr == '\t') && **ioSrcCharPtr != '\r' && **ioSrcCharPtr != '\n')
+                        {
+                                *ioSrcCharPtr++;
+                        }
+                }
+                
+                else
+                {
+                        while (**ioSrcCharPtr == ' ' || **ioSrcCharPtr == '\t')
+                        {
+                                *ioSrcCharPtr++;
+                        }
+                }
+        }
+}
diff --git a/src/lib/libssl/src/MacOS/GetHTTPS.src/CPStringUtils.hpp b/src/lib/libssl/src/MacOS/GetHTTPS.src/CPStringUtils.hpp
new file mode 100644
index 0000000000..5045c41019
--- /dev/null
+++ b/src/lib/libssl/src/MacOS/GetHTTPS.src/CPStringUtils.hpp
@@ -0,0 +1,104 @@
+#pragma once
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+void CopyPStrToCStr(const unsigned char *thePStr,char *theCStr,const int maxCStrLength);
+void CopyPStrToPStr(const unsigned char *theSrcPStr,unsigned char *theDstPStr,const int maxDstStrLength);
+void CopyCStrToCStr(const char *theSrcCStr,char *theDstCStr,const int maxDstStrLength);
+void CopyCStrToPStr(const char *theSrcCStr,unsigned char *theDstPStr,const int maxDstStrLength);
+void ConcatPStrToCStr(const unsigned char *thePStr,char *theCStr,const int maxCStrLength);
+void ConcatPStrToPStr(const unsigned char *theSrcPStr,unsigned char *theDstPStr,const int maxDstStrLength);
+void ConcatCStrToPStr(const char *theSrcCStr,unsigned char *theDstPStr,const int maxDstStrLength);
+void ConcatCStrToCStr(const char *theSrcCStr,char *theDstCStr,const int maxCStrLength);
+
+void ConcatCharToCStr(const char theChar,char *theDstCStr,const int maxCStrLength);
+void ConcatCharToPStr(const char theChar,unsigned char *theDstPStr,const int maxPStrLength);
+
+int ComparePStrs(const unsigned char *theFirstPStr,const unsigned char *theSecondPStr,const Boolean ignoreCase = true);
+int CompareCStrs(const char *theFirstCStr,const char *theSecondCStr,const Boolean ignoreCase = true);
+int CompareCStrToPStr(const char *theCStr,const unsigned char *thePStr,const Boolean ignoreCase = true);
+
+Boolean CStrsAreEqual(const char *theFirstCStr,const char *theSecondCStr,const Boolean ignoreCase = true);
+Boolean PStrsAreEqual(const unsigned char *theFirstCStr,const unsigned char *theSecondCStr,const Boolean ignoreCase = true);
+
+void CopyLongIntToCStr(const long theNum,char *theCStr,const int maxCStrLength,const int numDigits = -1);
+void CopyUnsignedLongIntToCStr(const unsigned long theNum,char *theCStr,const int maxCStrLength);
+void ConcatLongIntToCStr(const long theNum,char *theCStr,const int maxCStrLength,const int numDigits = -1);
+void CopyCStrAndConcatLongIntToCStr(const char *theSrcCStr,const long theNum,char *theDstCStr,const int maxDstStrLength);
+
+void CopyLongIntToPStr(const long theNum,unsigned char *thePStr,const int maxPStrLength,const int numDigits = -1);
+void ConcatLongIntToPStr(const long theNum,unsigned char *thePStr,const int maxPStrLength,const int numDigits = -1);
+
+long CStrLength(const char *theCString);
+long PStrLength(const unsigned char *thePString);
+
+OSErr CopyCStrToExistingHandle(const char *theCString,Handle theHandle);
+OSErr CopyLongIntToExistingHandle(const long inTheLongInt,Handle theHandle);
+
+OSErr CopyCStrToNewHandle(const char *theCString,Handle *theHandle);
+OSErr CopyPStrToNewHandle(const unsigned char *thePString,Handle *theHandle);
+OSErr CopyLongIntToNewHandle(const long inTheLongInt,Handle *theHandle);
+
+OSErr AppendCStrToHandle(const char *theCString,Handle theHandle,long *currentLength = nil,long *maxLength = nil);
+OSErr AppendCharsToHandle(const char *theChars,const int numChars,Handle theHandle,long *currentLength = nil,long *maxLength = nil);
+OSErr AppendPStrToHandle(const unsigned char *thePString,Handle theHandle,long *currentLength = nil);
+OSErr AppendLongIntToHandle(const long inTheLongInt,Handle theHandle,long *currentLength = nil);
+
+void ZeroMem(void *theMemPtr,const unsigned long numBytes);
+
+char *FindCharInCStr(const char theChar,const char *theCString);
+long FindCharOffsetInCStr(const char theChar,const char *theCString,const Boolean inIgnoreCase = false);
+long FindCStrOffsetInCStr(const char *theCSubstring,const char *theCString,const Boolean inIgnoreCase = false);
+
+void CopyCSubstrToCStr(const char *theSrcCStr,const int maxCharsToCopy,char *theDstCStr,const int maxDstStrLength);
+void CopyCSubstrToPStr(const char *theSrcCStr,const int maxCharsToCopy,unsigned char *theDstPStr,const int maxDstStrLength);
+
+void InsertCStrIntoCStr(const char *theSrcCStr,const int theInsertionOffset,char *theDstCStr,const int maxDstStrLength);
+void InsertPStrIntoCStr(const unsigned char *theSrcPStr,const int theInsertionOffset,char *theDstCStr,const int maxDstStrLength);
+OSErr InsertCStrIntoHandle(const char *theCString,Handle theHandle,const long inInsertOffset);
+
+void CopyCStrAndInsertCStrIntoCStr(const char *theSrcCStr,const char *theInsertCStr,char *theDstCStr,const int maxDstStrLength);
+
+void CopyCStrAndInsertCStrsLongIntsIntoCStr(const char *theSrcCStr,const char **theInsertCStrs,const long *theLongInts,char *theDstCStr,const int maxDstStrLength);
+
+void CopyCStrAndInsert1LongIntIntoCStr(const char *theSrcCStr,const long theNum,char *theDstCStr,const int maxDstStrLength);
+void CopyCStrAndInsert2LongIntsIntoCStr(const char *theSrcCStr,const long long1,const long long2,char *theDstCStr,const int maxDstStrLength);
+void CopyCStrAndInsert3LongIntsIntoCStr(const char *theSrcCStr,const long long1,const long long2,const long long3,char *theDstCStr,const int maxDstStrLength);
+
+void CopyCStrAndInsertCStrLongIntIntoCStr(const char *theSrcCStr,const char *theInsertCStr,const long theNum,char *theDstCStr,const int maxDstStrLength);
+OSErr CopyCStrAndInsertCStrLongIntIntoHandle(const char *theSrcCStr,const char *theInsertCStr,const long theNum,Handle *theHandle);
+
+
+OSErr CopyIndexedWordToCStr(char *theSrcCStr,int whichWord,char *theDstCStr,int maxDstCStrLength);
+OSErr CopyIndexedWordToNewHandle(char *theSrcCStr,int whichWord,Handle *outTheHandle);
+
+OSErr CopyIndexedLineToCStr(const char *theSrcCStr,int inWhichLine,int *lineEndIndex,Boolean *gotLastLine,char *theDstCStr,const int maxDstCStrLength);
+OSErr CopyIndexedLineToNewHandle(const char *theSrcCStr,int inWhichLine,Handle *outNewHandle);
+
+OSErr ExtractIntFromCStr(const char *theSrcCStr,int *outInt,Boolean skipLeadingSpaces = true);
+OSErr ExtractIntFromPStr(const unsigned char *theSrcPStr,int *outInt,Boolean skipLeadingSpaces = true);
+
+
+void ConvertCStrToUpperCase(char *theSrcCStr);
+
+
+int CountOccurencesOfCharInCStr(const char inChar,const char *inSrcCStr);
+int CountWordsInCStr(const char *inSrcCStr);
+
+OSErr CountDigits(const char *inCStr,int *outNumIntegerDigits,int *outNumFractDigits);
+
+void ExtractCStrItemFromCStr(const char *inSrcCStr,const char inItemDelimiter,const int inItemNumber,Boolean *foundItem,char *outDstCharPtr,const int inDstCharPtrMaxLength,const Boolean inTreatMultipleDelimsAsSingleDelim = false);
+OSErr ExtractCStrItemFromCStrIntoNewHandle(const char *inSrcCStr,const char inItemDelimiter,const int inItemNumber,Boolean *foundItem,Handle *outNewHandle,const Boolean inTreatMultipleDelimsAsSingleDelim = false);
+
+
+OSErr ExtractFloatFromCStr(const char *inCString,extended80 *outFloat);
+OSErr CopyFloatToCStr(const extended80 *theFloat,char *theCStr,const int maxCStrLength,const int inMaxNumIntDigits = -1,const int inMaxNumFractDigits = -1);
+
+void SkipWhiteSpace(char **ioSrcCharPtr,const Boolean inStopAtEOL = false);
+
+
+#ifdef __cplusplus
+}
+#endif
diff --git a/src/lib/libssl/src/MacOS/GetHTTPS.src/ErrorHandling.cpp b/src/lib/libssl/src/MacOS/GetHTTPS.src/ErrorHandling.cpp
new file mode 100644
index 0000000000..80b6a675f4
--- /dev/null
+++ b/src/lib/libssl/src/MacOS/GetHTTPS.src/ErrorHandling.cpp
@@ -0,0 +1,170 @@
+/* ====================================================================
+ * Copyright (c) 1998-1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+ 
+ 
+ 
+ #include "ErrorHandling.hpp"
+#include "CPStringUtils.hpp"
+
+#ifdef __EXCEPTIONS_ENABLED__
+        #include "CMyException.hpp"
+#endif
+
+
+static char                                     gErrorMessageBuffer[512];
+
+char                                            *gErrorMessage = gErrorMessageBuffer;
+int                                                     gErrorMessageMaxLength = sizeof(gErrorMessageBuffer);
+
+
+
+void SetErrorMessage(const char *theErrorMessage)
+{
+        if (theErrorMessage != nil)
+        {
+                CopyCStrToCStr(theErrorMessage,gErrorMessage,gErrorMessageMaxLength);
+        }
+}
+
+
+void SetErrorMessageAndAppendLongInt(const char *theErrorMessage,const long theLongInt)
+{
+        if (theErrorMessage != nil)
+        {
+                CopyCStrAndConcatLongIntToCStr(theErrorMessage,theLongInt,gErrorMessage,gErrorMessageMaxLength);
+        }
+}
+
+void SetErrorMessageAndCStrAndLongInt(const char *theErrorMessage,const char * theCStr,const long theLongInt)
+{
+        if (theErrorMessage != nil)
+        {
+                CopyCStrAndInsertCStrLongIntIntoCStr(theErrorMessage,theCStr,theLongInt,gErrorMessage,gErrorMessageMaxLength);
+        }
+
+}
+
+void SetErrorMessageAndCStr(const char *theErrorMessage,const char * theCStr)
+{
+        if (theErrorMessage != nil)
+        {
+                CopyCStrAndInsertCStrLongIntIntoCStr(theErrorMessage,theCStr,-1,gErrorMessage,gErrorMessageMaxLength);
+        }
+}
+
+
+void AppendCStrToErrorMessage(const char *theErrorMessage)
+{
+        if (theErrorMessage != nil)
+        {
+                ConcatCStrToCStr(theErrorMessage,gErrorMessage,gErrorMessageMaxLength);
+        }
+}
+
+
+void AppendLongIntToErrorMessage(const long theLongInt)
+{
+        ConcatLongIntToCStr(theLongInt,gErrorMessage,gErrorMessageMaxLength);
+}
+
+
+
+char *GetErrorMessage(void)
+{
+        return gErrorMessage;
+}
+
+
+OSErr GetErrorMessageInNewHandle(Handle *inoutHandle)
+{
+OSErr           errCode;
+
+
+        errCode = CopyCStrToNewHandle(gErrorMessage,inoutHandle);
+        
+        return(errCode);
+}
+
+
+OSErr GetErrorMessageInExistingHandle(Handle inoutHandle)
+{
+OSErr           errCode;
+
+
+        errCode = CopyCStrToExistingHandle(gErrorMessage,inoutHandle);
+        
+        return(errCode);
+}
+
+
+
+OSErr AppendErrorMessageToHandle(Handle inoutHandle)
+{
+OSErr           errCode;
+
+
+        errCode = AppendCStrToHandle(gErrorMessage,inoutHandle,nil);
+        
+        return(errCode);
+}
+
+
+#ifdef __EXCEPTIONS_ENABLED__
+
+void ThrowErrorMessageException(void)
+{
+        ThrowDescriptiveException(gErrorMessage);
+}
+
+#endif
diff --git a/src/lib/libssl/src/MacOS/GetHTTPS.src/ErrorHandling.hpp b/src/lib/libssl/src/MacOS/GetHTTPS.src/ErrorHandling.hpp
new file mode 100644
index 0000000000..3036df7ee0
--- /dev/null
+++ b/src/lib/libssl/src/MacOS/GetHTTPS.src/ErrorHandling.hpp
@@ -0,0 +1,147 @@
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifndef kGenericError
+        #define kGenericError           -1
+#endif
+
+extern char     *gErrorMessage;
+
+
+void SetErrorMessage(const char *theErrorMessage);
+void SetErrorMessageAndAppendLongInt(const char *theErrorMessage,const long theLongInt);
+void SetErrorMessageAndCStrAndLongInt(const char *theErrorMessage,const char * theCStr,const long theLongInt);
+void SetErrorMessageAndCStr(const char *theErrorMessage,const char * theCStr);
+void AppendCStrToErrorMessage(const char *theErrorMessage);
+void AppendLongIntToErrorMessage(const long theLongInt);
+
+
+char *GetErrorMessage(void);
+OSErr GetErrorMessageInNewHandle(Handle *inoutHandle);
+OSErr GetErrorMessageInExistingHandle(Handle inoutHandle);
+OSErr AppendErrorMessageToHandle(Handle inoutHandle);
+
+
+#ifdef __EXCEPTIONS_ENABLED__
+        void ThrowErrorMessageException(void);
+#endif
+
+
+
+//      A bunch of evil macros that would be uneccessary if I were always using C++ !
+
+#define SetErrorMessageAndBailIfNil(theArg,theMessage)                                                          \
+{                                                                                                                                                                       \
+        if (theArg == nil)                                                                                                                              \
+        {                                                                                                                                                               \
+                SetErrorMessage(theMessage);                                                                                            \
+                errCode = kGenericError;                                                                                                        \
+                goto EXITPOINT;                                                                                                                         \
+        }                                                                                                                                                               \
+}
+
+
+#define SetErrorMessageAndBail(theMessage)                                                                                      \
+{                                                                                                                                                                       \
+                SetErrorMessage(theMessage);                                                                                            \
+                errCode = kGenericError;                                                                                                        \
+                goto EXITPOINT;                                                                                                                         \
+}
+
+
+#define SetErrorMessageAndLongIntAndBail(theMessage,theLongInt)                                         \
+{                                                                                                                                                                       \
+                SetErrorMessageAndAppendLongInt(theMessage,theLongInt);                                         \
+                errCode = kGenericError;                                                                                                        \
+                goto EXITPOINT;                                                                                                                         \
+}
+
+
+#define SetErrorMessageAndLongIntAndBailIfError(theErrCode,theMessage,theLongInt)       \
+{                                                                                                                                                                       \
+        if (theErrCode != noErr)                                                                                                                \
+        {                                                                                                                                                               \
+                SetErrorMessageAndAppendLongInt(theMessage,theLongInt);                                         \
+                errCode = theErrCode;                                                                                                           \
+                goto EXITPOINT;                                                                                                                         \
+        }                                                                                                                                                               \
+}
+
+
+#define SetErrorMessageCStrLongIntAndBailIfError(theErrCode,theMessage,theCStr,theLongInt)      \
+{                                                                                                                                                                       \
+        if (theErrCode != noErr)                                                                                                                \
+        {                                                                                                                                                               \
+                SetErrorMessageAndCStrAndLongInt(theMessage,theCStr,theLongInt);                        \
+                errCode = theErrCode;                                                                                                           \
+                goto EXITPOINT;                                                                                                                         \
+        }                                                                                                                                                               \
+}
+
+
+#define SetErrorMessageAndCStrAndBail(theMessage,theCStr)                                                       \
+{                                                                                                                                                                       \
+        SetErrorMessageAndCStr(theMessage,theCStr);                                                                             \
+        errCode = kGenericError;                                                                                                                \
+        goto EXITPOINT;                                                                                                                                 \
+}
+
+
+#define SetErrorMessageAndBailIfError(theErrCode,theMessage)                                            \
+{                                                                                                                                                                       \
+        if (theErrCode != noErr)                                                                                                                \
+        {                                                                                                                                                               \
+                SetErrorMessage(theMessage);                                                                                            \
+                errCode = theErrCode;                                                                                                           \
+                goto EXITPOINT;                                                                                                                         \
+        }                                                                                                                                                               \
+}
+
+
+#define SetErrorMessageAndLongIntAndBailIfNil(theArg,theMessage,theLongInt)                     \
+{                                                                                                                                                                       \
+        if (theArg == nil)                                                                                                                              \
+        {                                                                                                                                                               \
+                SetErrorMessageAndAppendLongInt(theMessage,theLongInt);                                         \
+                errCode = kGenericError;                                                                                                        \
+                goto EXITPOINT;                                                                                                                         \
+        }                                                                                                                                                               \
+}
+
+
+#define BailIfError(theErrCode)                                                                                                         \
+{                                                                                                                                                                       \
+        if ((theErrCode) != noErr)                                                                                                              \
+        {                                                                                                                                                               \
+                goto EXITPOINT;                                                                                                                         \
+        }                                                                                                                                                               \
+}
+
+
+#define SetErrCodeAndBail(theErrCode)                                                                                           \
+{                                                                                                                                                                       \
+        errCode = theErrCode;                                                                                                                   \
+                                                                                                                                                                        \
+        goto EXITPOINT;                                                                                                                                 \
+}
+
+
+#define SetErrorCodeAndMessageAndBail(theErrCode,theMessage)                                            \
+{                                                                                                                                                                       \
+        SetErrorMessage(theMessage);                                                                                                    \
+        errCode = theErrCode;                                                                                                                   \
+        goto EXITPOINT;                                                                                                                                 \
+}
+
+
+#define BailNow()                                                                                                                                       \
+{                                                                                                                                                                       \
+        errCode = kGenericError;                                                                                                                \
+        goto EXITPOINT;                                                                                                                                 \
+}
+
+
+#ifdef __cplusplus
+}
+#endif
diff --git a/src/lib/libssl/src/MacOS/GetHTTPS.src/GetHTTPS.cpp b/src/lib/libssl/src/MacOS/GetHTTPS.src/GetHTTPS.cpp
new file mode 100644
index 0000000000..ed8e1cc962
--- /dev/null
+++ b/src/lib/libssl/src/MacOS/GetHTTPS.src/GetHTTPS.cpp
@@ -0,0 +1,215 @@
+/*
+ *      An demo illustrating how to retrieve a URI from a secure HTTP server.
+ *
+ *      Author:         Roy Wood
+ *      Date:           September 7, 1999
+ *      Comments:       This relies heavily on my MacSockets library.
+ *                              This project is also set up so that it expects the OpenSSL source folder (0.9.4 as I write this)
+ *                              to live in a folder called "OpenSSL-0.9.4" in this project's parent folder.  For example:
+ *
+ *                                      Macintosh HD:
+ *                                              Development:
+ *                                                      OpenSSL-0.9.4:
+ *                                                              (OpenSSL sources here)
+ *                                                      OpenSSL Example:
+ *                                                              (OpenSSL example junk here)
+ *
+ *
+ *                              Also-- before attempting to compile this, make sure the aliases in "OpenSSL-0.9.4:include:openssl" 
+ *                              are installed!  Use the AppleScript applet in the "openssl-0.9.4" folder to do this!
+ */
+/* modified to seed the PRNG */
+
+
+//      Include some funky libs I've developed over time
+
+#include "CPStringUtils.hpp"
+#include "ErrorHandling.hpp"
+#include "MacSocket.h"
+
+
+//      We use the OpenSSL implementation of SSL....
+//      This was a lot of work to finally get going, though you wouldn't know it by the results!
+
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+
+#include <timer.h>
+
+//      Let's try grabbing some data from here:
+
+#define kHTTPS_DNS              "www.apache-ssl.org"
+#define kHTTPS_Port             443
+#define kHTTPS_URI              "/"
+
+
+//      Forward-declare this
+
+OSErr MyMacSocket_IdleWaitCallback(void *inUserRefPtr);
+
+
+
+
+
+//      My idle-wait callback.  Doesn't do much, does it?  Silly cooperative multitasking.
+
+OSErr MyMacSocket_IdleWaitCallback(void *inUserRefPtr)
+{
+#pragma unused(inUserRefPtr)
+
+EventRecord             theEvent;
+
+        ::EventAvail(everyEvent,&theEvent);
+
+        return(noErr);
+}
+
+
+
+//      Finally!
+
+void main(void)
+{
+OSErr                           errCode;
+int                                     theSocket = -1;
+int                                     theTimeout = 30;
+
+SSL_CTX                         *ssl_ctx = nil;
+SSL                                     *ssl = nil;
+
+char                            tempString[256];
+UnsignedWide            microTickCount;
+        
+#warning   -- USE A TRUE RANDOM SEED, AND ADD ENTROPY WHENEVER POSSIBLE. --
+const char seed[] = "uyq9,7-b(VHGT^%$&^F/,876;,;./lkJHGFUY{PO*";        // Just gobbledygook
+
+        printf("OpenSSL Demo by Roy Wood, roy@centricsystems.ca\n\n");
+        
+        BailIfError(errCode = MacSocket_Startup());
+
+
+
+        //      Create a socket-like object
+        
+        BailIfError(errCode = MacSocket_socket(&theSocket,false,theTimeout * 60,MyMacSocket_IdleWaitCallback,nil));
+
+        
+        //      Set up the connect string and try to connect
+        
+        CopyCStrAndInsertCStrLongIntIntoCStr("%s:%ld",kHTTPS_DNS,kHTTPS_Port,tempString,sizeof(tempString));
+        
+        printf("Connecting to %s....\n",tempString);
+
+        BailIfError(errCode = MacSocket_connect(theSocket,tempString));
+        
+        
+        //      Init SSL stuff
+        
+        SSL_load_error_strings();
+        
+        SSLeay_add_ssl_algorithms();
+        
+        
+        //      Pick the SSL method
+        
+//      ssl_ctx = SSL_CTX_new(SSLv2_client_method());
+        ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+//      ssl_ctx = SSL_CTX_new(SSLv3_client_method());
+                        
+
+        RAND_seed (seed, sizeof (seed));
+        Microseconds (&microTickCount);
+        RAND_add (&microTickCount, sizeof (microTickCount), 0);         // Entropy is actually > 0, needs an estimate
+
+        //      Create an SSL thingey and try to negotiate the connection
+        
+        ssl = SSL_new(ssl_ctx);
+        
+        SSL_set_fd(ssl,theSocket);
+        
+        errCode = SSL_connect(ssl);
+        
+        if (errCode < 0)
+        {
+                SetErrorMessageAndLongIntAndBail("OpenSSL: Can't initiate SSL connection, SSL_connect() = ",errCode);
+        }
+        
+        //      Request the URI from the host
+        
+        CopyCStrToCStr("GET ",tempString,sizeof(tempString));
+        ConcatCStrToCStr(kHTTPS_URI,tempString,sizeof(tempString));
+        ConcatCStrToCStr(" HTTP/1.0\r\n\r\n",tempString,sizeof(tempString));
+
+        
+        errCode = SSL_write(ssl,tempString,CStrLength(tempString));
+        
+        if (errCode < 0)
+        {
+                SetErrorMessageAndLongIntAndBail("OpenSSL: Error writing data via ssl, SSL_write() = ",errCode);
+        }
+        
+
+        for (;;)
+        {
+        char    tempString[256];
+        int             bytesRead;
+                
+
+                //      Read some bytes and dump them to the console
+                
+                bytesRead = SSL_read(ssl,tempString,sizeof(tempString) - 1);
+                
+                if (bytesRead == 0 && MacSocket_RemoteEndIsClosing(theSocket))
+                {
+                        break;
+                }
+                
+                else if (bytesRead < 0)
+                {
+                        SetErrorMessageAndLongIntAndBail("OpenSSL: Error reading data via ssl, SSL_read() = ",bytesRead);
+                }
+                
+                
+                tempString[bytesRead] = '\0';
+                
+                printf(tempString);
+        }
+        
+        printf("\n\n\n");
+        
+        //      All done!
+        
+        errCode = noErr;
+        
+        
+EXITPOINT:
+
+        //      Clean up and go home
+        
+        if (theSocket >= 0)
+        {
+                MacSocket_close(theSocket);
+        }
+        
+        if (ssl != nil)
+        {
+                SSL_free(ssl);
+        }
+        
+        if (ssl_ctx != nil)
+        {
+                SSL_CTX_free(ssl_ctx);
+        }
+        
+        
+        if (errCode != noErr)
+        {
+                printf("An error occurred:\n");
+                
+                printf(GetErrorMessage());
+        }
+        
+        
+        MacSocket_Shutdown();
+}
diff --git a/src/lib/libssl/src/MacOS/GetHTTPS.src/MacSocket.cpp b/src/lib/libssl/src/MacOS/GetHTTPS.src/MacSocket.cpp
new file mode 100644
index 0000000000..aaf2a68ca9
--- /dev/null
+++ b/src/lib/libssl/src/MacOS/GetHTTPS.src/MacSocket.cpp
@@ -0,0 +1,1607 @@
+/*
+ *      A simple socket-like package.  
+ *      This could undoubtedly be improved, since it does polling and busy-waiting.  
+ *      At least it uses asynch I/O and implements timeouts!
+ *
+ *      Other funkiness includes the use of my own (possibly brain-damaged) error-handling infrastructure.
+ *
+ *      -Roy Wood (roy@centricsystems.ca)
+ *
+ */
+
+
+/* ====================================================================
+ * Copyright (c) 1998-1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+ 
+
+
+
+
+#include "MacSocket.h"
+
+#include <Threads.h>
+
+#include <OpenTransport.h>
+#include <OpenTpTInternet.h>
+#include <OpenTptClient.h>
+
+
+
+#include "CPStringUtils.hpp"
+#include "ErrorHandling.hpp"
+
+
+//      #define MACSOCKET_DEBUG         1
+
+#ifdef MACSOCKET_DEBUG
+        #include <stdio.h>
+#endif
+
+
+
+extern int errno;
+
+
+#define kMaxNumSockets                  4
+
+
+struct SocketStruct
+{
+        Boolean                                         mIsInUse;
+
+        Boolean                                         mEndpointIsBound;
+
+        Boolean                                         mLocalEndIsConnected;
+        Boolean                                         mRemoteEndIsConnected;
+
+        Boolean                                         mReceivedTOpenComplete;
+        Boolean                                         mReceivedTBindComplete;
+        Boolean                                         mReceivedTConnect;
+        Boolean                                         mReceivedTListen;
+        Boolean                                         mReceivedTPassCon;
+        Boolean                                         mReceivedTDisconnect;
+        Boolean                                         mReceivedTOrdRel;
+        Boolean                                         mReceivedTDisconnectComplete;
+        
+        long                                            mTimeoutTicks;
+        long                                            mOperationStartTicks;
+        
+        MacSocket_IdleWaitCallback      mIdleWaitCallback;
+        void                                            *mUserRefPtr;
+        
+        OTEventCode                                     mExpectedCode;
+        OTResult                                        mAsyncOperationResult;
+        
+        EndpointRef                                     mEndPointRef;
+        TBind                                           *mBindRequestedAddrInfo;
+        TBind                                           *mAssignedAddrInfo;
+        TCall                                           *mRemoteAddrInfo;
+        
+        Boolean                                         mReadyToReadData;
+        Boolean                                         mReadyToWriteData;
+        
+        Ptr                                                     mReadBuffer;
+        Ptr                                                     mWriteBuffer;
+        
+        int                                                     mLastError;
+        char                                            mErrMessage[256];
+};
+
+typedef struct SocketStruct     SocketStruct;
+
+
+static SocketStruct                     sSockets[kMaxNumSockets];
+static Boolean                          sSocketsSetup = false;
+
+
+
+
+static OSErr MyBusyWait(SocketStruct *ioSocket,Boolean returnImmediatelyOnError,OTResult *outOTResult,Boolean *inAsyncOperationCompleteFlag);
+
+static pascal void OTNonYieldingNotifier(void *contextPtr,OTEventCode code,OTResult result,void *cookie);
+
+static Boolean  SocketIndexIsValid(const int inSocketNum);
+
+static void InitSocket(SocketStruct *ioSocket);
+
+static void PrepareForAsyncOperation(SocketStruct *ioSocket,const OTEventCode inExpectedCode);
+
+static Boolean TimeoutElapsed(const SocketStruct *inSocket);
+
+static OSStatus NegotiateIPReuseAddrOption(EndpointRef inEndpoint,const Boolean inEnableReuseIP);
+
+
+
+void MacSocket_GetSocketErrorInfo(const int inSocketNum,int *outSocketErrCode,char *outSocketErrString,const int inSocketErrStringMaxLength)
+{
+        if (outSocketErrCode != nil)
+        {
+                *outSocketErrCode = -1;
+        }
+        
+        if (outSocketErrString != nil)
+        {
+                CopyCStrToCStr("",outSocketErrString,inSocketErrStringMaxLength);
+        }
+        
+        
+        if (SocketIndexIsValid(inSocketNum))
+        {
+        SocketStruct    *theSocketStruct = &(sSockets[inSocketNum]);
+        
+                
+                if (outSocketErrCode != nil)
+                {
+                        *outSocketErrCode = theSocketStruct->mLastError;
+                }
+
+                if (outSocketErrString != nil)
+                {
+                        CopyCStrToCStr(theSocketStruct->mErrMessage,outSocketErrString,inSocketErrStringMaxLength);
+                }
+        }
+}
+
+
+void MacSocket_SetUserRefPtr(const int inSocketNum,void *inNewRefPtr)
+{
+        if (SocketIndexIsValid(inSocketNum))
+        {
+        SocketStruct    *theSocketStruct = &(sSockets[inSocketNum]);
+
+                theSocketStruct->mUserRefPtr = inNewRefPtr;
+        }
+}
+
+
+
+void MacSocket_GetLocalIPAndPort(const int inSocketNum,char *outIPAndPort,const int inIPAndPortLength)
+{
+        if (outIPAndPort != nil && SocketIndexIsValid(inSocketNum))
+        {
+        char                    tempString[256];
+        SocketStruct    *theSocketStruct = &(sSockets[inSocketNum]);
+        
+                
+                CopyCStrToCStr("",tempString,sizeof(tempString));
+
+                if (theSocketStruct->mAssignedAddrInfo != nil)
+                {
+                InetAddress             *theInetAddress = (InetAddress *) theSocketStruct->mAssignedAddrInfo->addr.buf;
+                InetHost                theInetHost = theInetAddress->fHost;
+                        
+                        if (theInetHost == 0)
+                        {
+                        InetInterfaceInfo       theInetInterfaceInfo;
+                                
+                                if (::OTInetGetInterfaceInfo(&theInetInterfaceInfo,kDefaultInetInterface) == noErr)
+                                {
+                                        theInetHost = theInetInterfaceInfo.fAddress;
+                                }
+                        }
+                
+                        ::OTInetHostToString(theInetHost,tempString);
+                        
+                        ConcatCStrToCStr(":",tempString,sizeof(tempString));
+                        ConcatLongIntToCStr(theInetAddress->fPort,tempString,sizeof(tempString));
+                }
+                
+                CopyCStrToCStr(tempString,outIPAndPort,inIPAndPortLength);
+        }
+}
+
+
+
+void MacSocket_GetRemoteIPAndPort(const int inSocketNum,char *outIPAndPort,const int inIPAndPortLength)
+{
+        if (outIPAndPort != nil && SocketIndexIsValid(inSocketNum))
+        {
+        char                    tempString[256];
+        SocketStruct    *theSocketStruct = &(sSockets[inSocketNum]);
+        
+                
+                CopyCStrToCStr("",tempString,sizeof(tempString));
+
+                if (theSocketStruct->mRemoteAddrInfo != nil)
+                {
+                InetAddress             *theInetAddress = (InetAddress *) theSocketStruct->mRemoteAddrInfo->addr.buf;
+                InetHost                theInetHost = theInetAddress->fHost;
+                        
+                        if (theInetHost == 0)
+                        {
+                        InetInterfaceInfo       theInetInterfaceInfo;
+                                
+                                if (::OTInetGetInterfaceInfo(&theInetInterfaceInfo,kDefaultInetInterface) == noErr)
+                                {
+                                        theInetHost = theInetInterfaceInfo.fAddress;
+                                }
+                        }
+                
+                        ::OTInetHostToString(theInetHost,tempString);
+                        
+                        ConcatCStrToCStr(":",tempString,sizeof(tempString));
+                        ConcatLongIntToCStr(theInetAddress->fPort,tempString,sizeof(tempString));
+                }
+                
+                CopyCStrToCStr(tempString,outIPAndPort,inIPAndPortLength);
+        }
+}
+
+
+
+Boolean MacSocket_RemoteEndIsClosing(const int inSocketNum)
+{
+Boolean         theResult = false;
+
+        if (SocketIndexIsValid(inSocketNum))
+        {
+        SocketStruct    *theSocketStruct = &(sSockets[inSocketNum]);
+
+                theResult = theSocketStruct->mReceivedTOrdRel;
+        }
+
+        return(theResult);
+}
+
+
+
+Boolean MacSocket_ListenCompleted(const int inSocketNum)
+{
+Boolean         theResult = false;
+
+        if (SocketIndexIsValid(inSocketNum))
+        {
+        SocketStruct    *theSocketStruct = &(sSockets[inSocketNum]);
+
+                theResult = theSocketStruct->mReceivedTPassCon;
+        }
+
+        return(theResult);
+}
+
+
+
+Boolean MacSocket_RemoteEndIsOpen(const int inSocketNum)
+{
+        if (SocketIndexIsValid(inSocketNum))
+        {
+        SocketStruct    *theSocketStruct = &(sSockets[inSocketNum]);
+        
+                return(theSocketStruct->mRemoteEndIsConnected);
+        }
+        
+        else
+        {
+                return(false);
+        }
+}
+
+
+
+Boolean MacSocket_LocalEndIsOpen(const int inSocketNum)
+{
+        if (SocketIndexIsValid(inSocketNum))
+        {
+        SocketStruct    *theSocketStruct = &(sSockets[inSocketNum]);
+        
+                return(theSocketStruct->mLocalEndIsConnected);
+        }
+        
+        else
+        {
+                return(false);
+        }
+}
+
+
+
+static Boolean TimeoutElapsed(const SocketStruct *inSocket)
+{
+Boolean         timeIsUp = false;
+
+        if (inSocket != nil && inSocket->mTimeoutTicks > 0 && ::TickCount() > inSocket->mOperationStartTicks + inSocket->mTimeoutTicks)
+        {
+                timeIsUp = true;
+        }
+        
+        
+        return(timeIsUp);
+}
+
+
+
+static Boolean SocketIndexIsValid(const int inSocketNum)
+{
+        if (inSocketNum >= 0 && inSocketNum < kMaxNumSockets && sSockets[inSocketNum].mEndPointRef != kOTInvalidEndpointRef)
+        {
+                return(true);
+        }
+        
+        else
+        {
+                return(false);
+        }
+}
+
+
+
+static void InitSocket(SocketStruct *ioSocket)
+{
+        ioSocket->mIsInUse = false;
+        
+        ioSocket->mEndpointIsBound = false;
+        
+        ioSocket->mLocalEndIsConnected = false;
+        ioSocket->mRemoteEndIsConnected = false;
+        
+        ioSocket->mReceivedTOpenComplete = false;
+        ioSocket->mReceivedTBindComplete = false;
+        ioSocket->mReceivedTConnect = false;
+        ioSocket->mReceivedTListen = false;
+        ioSocket->mReceivedTPassCon = false;
+        ioSocket->mReceivedTDisconnect = false;
+        ioSocket->mReceivedTOrdRel = false;
+        ioSocket->mReceivedTDisconnectComplete = false;
+        
+        ioSocket->mTimeoutTicks = 30 * 60;
+        ioSocket->mOperationStartTicks = -1;
+        
+        ioSocket->mIdleWaitCallback = nil;
+        ioSocket->mUserRefPtr = nil;
+        
+        ioSocket->mExpectedCode = 0;
+        ioSocket->mAsyncOperationResult = noErr;
+        
+        ioSocket->mEndPointRef = kOTInvalidEndpointRef;
+        
+        ioSocket->mBindRequestedAddrInfo = nil;
+        ioSocket->mAssignedAddrInfo = nil;
+        ioSocket->mRemoteAddrInfo = nil;
+        
+        ioSocket->mReadyToReadData = false;
+        ioSocket->mReadyToWriteData = true;
+        
+        ioSocket->mReadBuffer = nil;
+        ioSocket->mWriteBuffer = nil;
+
+        ioSocket->mLastError = noErr;
+        CopyCStrToCStr("",ioSocket->mErrMessage,sizeof(ioSocket->mErrMessage));
+}
+
+
+
+static void PrepareForAsyncOperation(SocketStruct *ioSocket,const OTEventCode inExpectedCode)
+{
+        ioSocket->mOperationStartTicks = ::TickCount();
+        
+        ioSocket->mAsyncOperationResult = noErr;
+        
+        ioSocket->mExpectedCode = inExpectedCode;
+}
+
+
+//      The wait function....
+
+static OSErr MyBusyWait(SocketStruct *ioSocket,Boolean returnImmediatelyOnError,OTResult *outOTResult,Boolean *inAsyncOperationCompleteFlag)
+{
+OSErr           errCode = noErr;
+OTResult        theOTResult = noErr;
+
+        
+        SetErrorMessageAndBailIfNil(ioSocket,"MyBusyWait: Bad parameter, ioSocket = nil");
+        SetErrorMessageAndBailIfNil(inAsyncOperationCompleteFlag,"MyBusyWait: Bad parameter, inAsyncOperationCompleteFlag = nil");
+        
+        for (;;) 
+        {
+                if (*inAsyncOperationCompleteFlag)
+                {
+                        theOTResult = ioSocket->mAsyncOperationResult;
+                        
+                        break;
+                }
+                
+                if (ioSocket->mIdleWaitCallback != nil)
+                {
+                        theOTResult = (*(ioSocket->mIdleWaitCallback))(ioSocket->mUserRefPtr);
+                        
+                        if (theOTResult != noErr && returnImmediatelyOnError)
+                        {
+                                break;
+                        }
+                }
+                
+                if (TimeoutElapsed(ioSocket))
+                {
+                        theOTResult = kMacSocket_TimeoutErr;
+                        
+                        break;
+                }
+        }
+
+
+EXITPOINT:
+        
+        if (outOTResult != nil)
+        {
+                *outOTResult = theOTResult;
+        }
+        
+        return(errCode);
+}
+
+
+
+//      I used to do thread switching, but stopped.  It could easily be rolled back in though....
+
+static pascal void OTNonYieldingNotifier(void *contextPtr,OTEventCode code,OTResult result,void *cookie)
+{
+SocketStruct *theSocketStruct = (SocketStruct *) contextPtr;
+        
+        if (theSocketStruct != nil)
+        {
+                if (theSocketStruct->mExpectedCode != 0 && code == theSocketStruct->mExpectedCode)
+                {
+                        theSocketStruct->mAsyncOperationResult = result;
+                        
+                        theSocketStruct->mExpectedCode = 0;
+                }
+                
+                
+                switch (code) 
+                {
+                        case T_OPENCOMPLETE:
+                        {
+                                theSocketStruct->mReceivedTOpenComplete = true;
+                                
+                                theSocketStruct->mEndPointRef = (EndpointRef) cookie;
+                                
+                                break;
+                        }
+
+                        
+                        case T_BINDCOMPLETE:
+                        {
+                                theSocketStruct->mReceivedTBindComplete = true;
+                                
+                                break;
+                        }
+                        
+
+                        case T_CONNECT:
+                        {
+                                theSocketStruct->mReceivedTConnect = true;
+
+                                theSocketStruct->mLocalEndIsConnected = true;
+                                
+                                theSocketStruct->mRemoteEndIsConnected = true;
+
+                                break;
+                        }
+                        
+
+                        case T_LISTEN:
+                        {
+                                theSocketStruct->mReceivedTListen = true;
+                                
+                                break;
+                        }
+                        
+
+                        case T_PASSCON:
+                        {
+                                theSocketStruct->mReceivedTPassCon = true;
+                                
+                                theSocketStruct->mLocalEndIsConnected = true;
+                                
+                                theSocketStruct->mRemoteEndIsConnected = true;
+
+                                break;
+                        }
+
+
+                        case T_DATA:
+                        {
+                                theSocketStruct->mReadyToReadData = true;
+                                
+                                break;
+                        }
+                        
+                        case T_GODATA:
+                        {
+                                theSocketStruct->mReadyToWriteData = true;
+                                
+                                break;
+                        }
+                        
+                        case T_DISCONNECT:
+                        {
+                                theSocketStruct->mReceivedTDisconnect = true;
+                                
+                                theSocketStruct->mRemoteEndIsConnected = false;
+                                
+                                theSocketStruct->mLocalEndIsConnected = false;
+                                
+                                ::OTRcvDisconnect(theSocketStruct->mEndPointRef,nil);
+                                
+                                break;
+                        }
+
+                        case T_ORDREL:
+                        {
+                                theSocketStruct->mReceivedTOrdRel = true;
+                                
+                                //      We can still write data, so don't clear mRemoteEndIsConnected
+                                
+                                ::OTRcvOrderlyDisconnect(theSocketStruct->mEndPointRef);
+                                
+                                break;
+                        }
+                        
+                        case T_DISCONNECTCOMPLETE:
+                        {
+                                theSocketStruct->mReceivedTDisconnectComplete = true;
+                                
+                                theSocketStruct->mRemoteEndIsConnected = false;
+                                
+                                theSocketStruct->mLocalEndIsConnected = false;
+                                
+                                break;
+                        }
+                }
+        }
+/*
+T_LISTEN OTListen
+T_CONNECT OTRcvConnect
+T_DATA OTRcv, OTRcvUData
+T_DISCONNECT OTRcvDisconnect
+T_ORDREL OTRcvOrderlyDisconnect
+T_GODATA OTSnd, OTSndUData, OTLook
+T_PASSCON none
+
+T_EXDATA OTRcv
+T_GOEXDATA OTSnd, OTLook
+T_UDERR OTRcvUDErr
+*/
+}
+
+
+
+//      Initialize the main socket data structure
+
+OSErr MacSocket_Startup(void)
+{
+        if (!sSocketsSetup)
+        {
+                for (int i = 0;i < kMaxNumSockets;i++)
+                {
+                        InitSocket(&(sSockets[i]));
+                }
+
+                ::InitOpenTransport();
+                
+                sSocketsSetup = true;
+        }
+        
+        
+        return(noErr);
+}
+
+
+
+//      Cleanup before exiting
+
+OSErr MacSocket_Shutdown(void)
+{
+        if (sSocketsSetup)
+        {
+                for (int i = 0;i < kMaxNumSockets;i++)
+                {
+                SocketStruct *theSocketStruct = &(sSockets[i]);
+                
+                        if (theSocketStruct->mIsInUse)
+                        {
+                                if (theSocketStruct->mEndPointRef != kOTInvalidEndpointRef)
+                                {
+                                OTResult        theOTResult;
+                                
+                                
+                                        //      Since we're killing the endpoint, I don't bother to send the disconnect (sorry!)
+
+/*
+                                        if (theSocketStruct->mLocalEndIsConnected)
+                                        {
+                                                //      This is an abortive action, so we do a hard disconnect instead of an OTSndOrderlyDisconnect
+                                                
+                                                theOTResult = ::OTSndDisconnect(theSocketStruct->mEndPointRef, nil);
+                                                
+                                                //      Now we have to watch for T_DISCONNECTCOMPLETE event
+                                                
+                                                theSocketStruct->mLocalEndIsConnected = false;
+                                        }
+*/                                      
+                                        
+                                        theOTResult = ::OTCloseProvider(theSocketStruct->mEndPointRef);
+                                        
+                                        
+                                        theSocketStruct->mEndPointRef = kOTInvalidEndpointRef;
+                                }
+                                
+                                if (theSocketStruct->mBindRequestedAddrInfo != nil)
+                                {
+                                        ::OTFree((void *) theSocketStruct->mBindRequestedAddrInfo,T_BIND);
+                                        
+                                        theSocketStruct->mBindRequestedAddrInfo = nil;
+                                }
+                                
+                                if (theSocketStruct->mAssignedAddrInfo != nil)
+                                {
+                                        ::OTFree((void *) theSocketStruct->mAssignedAddrInfo,T_BIND);
+                                        
+                                        theSocketStruct->mAssignedAddrInfo = nil;
+                                }
+                                
+                                if (theSocketStruct->mRemoteAddrInfo != nil)
+                                {
+                                        ::OTFree((void *) theSocketStruct->mRemoteAddrInfo,T_CALL);
+                                        
+                                        theSocketStruct->mRemoteAddrInfo = nil;
+                                }
+                                
+                                
+                        }
+                }
+                
+                ::CloseOpenTransport();
+
+                sSocketsSetup = false;
+        }
+        
+        return(noErr);
+}
+
+
+
+
+
+
+//      Allocate a socket
+
+OSErr MacSocket_socket(int *outSocketNum,const Boolean inDoThreadSwitching,const long inTimeoutTicks,MacSocket_IdleWaitCallback inIdleWaitCallback,void *inUserRefPtr)
+{
+//      Gotta roll support back in for threads eventually.....
+
+#pragma unused(inDoThreadSwitching)
+
+
+OSErr   errCode = noErr;
+
+        
+        SetErrorMessageAndBailIfNil(outSocketNum,"MacSocket_socket: Bad parameter, outSocketNum == nil");
+        
+        *outSocketNum = -1;
+        
+        
+        //      Find an unused socket
+        
+        for (int i = 0;i < kMaxNumSockets;i++)
+        {
+                if (sSockets[i].mIsInUse == false)
+                {
+                OTResult                theOTResult;
+                SocketStruct    *theSocketStruct = &(sSockets[i]);
+                
+                        
+                        InitSocket(theSocketStruct);
+                        
+                        theSocketStruct->mIdleWaitCallback = inIdleWaitCallback;
+                        theSocketStruct->mUserRefPtr = inUserRefPtr;
+                        
+                        theSocketStruct->mTimeoutTicks = inTimeoutTicks;
+                        
+
+                        //      Set up OT endpoint
+                        
+                        PrepareForAsyncOperation(theSocketStruct,T_OPENCOMPLETE);
+                        
+                        theOTResult = ::OTAsyncOpenEndpoint(OTCreateConfiguration(kTCPName),0,nil,OTNonYieldingNotifier,(void *) theSocketStruct);
+                        
+                        SetErrorMessageAndLongIntAndBailIfError(theOTResult,"MacSocket_socket: Can't create OT endpoint, OTAsyncOpenEndpoint() = ",theOTResult);
+                        
+                        BailIfError(MyBusyWait(theSocketStruct,false,&theOTResult,&(theSocketStruct->mReceivedTOpenComplete)));
+                                                                                                                                                                                
+                        SetErrorMessageAndLongIntAndBailIfError(theOTResult,"MacSocket_socket: Can't create OT endpoint, OTAsyncOpenEndpoint() = ",theOTResult);
+                        
+                        
+                        *outSocketNum = i;
+                        
+                        errCode = noErr;
+                        
+                        theSocketStruct->mIsInUse = true;
+                        
+                        break;
+                }
+                
+                else if (i == kMaxNumSockets - 1)
+                {
+                        SetErrorMessageAndBail("MacSocket_socket: No sockets available");
+                }
+        }
+
+
+EXITPOINT:
+        
+        errno = errCode;
+        
+        return(errCode);
+}
+
+
+
+
+OSErr MacSocket_listen(const int inSocketNum,const int inPortNum)
+{
+OSErr                   errCode = noErr;
+SocketStruct    *theSocketStruct = nil;
+
+
+        if (!SocketIndexIsValid(inSocketNum))
+        {
+                SetErrorMessageAndBail("MacSocket_listen: Invalid socket number specified");
+        }
+
+
+        theSocketStruct = &(sSockets[inSocketNum]);
+
+
+OTResult                theOTResult;
+        
+        
+        if (theSocketStruct->mBindRequestedAddrInfo == nil)
+        {
+                theSocketStruct->mBindRequestedAddrInfo = (TBind *) ::OTAlloc(theSocketStruct->mEndPointRef,T_BIND,T_ADDR,&theOTResult);
+                                                                                                                                                                        
+                SetErrorMessageAndLongIntAndBailIfError(theOTResult,"MacSocket_listen: Can't allocate OT T_BIND structure, OTAlloc() = ",theOTResult);
+                SetErrorMessageAndBailIfNil(theSocketStruct->mBindRequestedAddrInfo,"MacSocket_listen: Can't allocate OT T_BIND structure, OTAlloc() returned nil");
+        }
+        
+        if (theSocketStruct->mAssignedAddrInfo == nil)
+        {
+                theSocketStruct->mAssignedAddrInfo = (TBind *) ::OTAlloc(theSocketStruct->mEndPointRef,T_BIND,T_ADDR,&theOTResult);
+                                                                                                                                                                        
+                SetErrorMessageAndLongIntAndBailIfError(theOTResult,"MacSocket_listen: Can't allocate OT T_BIND structure, OTAlloc() = ",theOTResult);
+                SetErrorMessageAndBailIfNil(theSocketStruct->mAssignedAddrInfo,"MacSocket_listen: Can't allocate OT T_BIND structure, OTAlloc() returned nil");
+        }
+        
+        if (theSocketStruct->mRemoteAddrInfo == nil)
+        {
+                theSocketStruct->mRemoteAddrInfo = (TCall *) ::OTAlloc(theSocketStruct->mEndPointRef,T_CALL,T_ADDR,&theOTResult);
+                                                                                                                                                                        
+                SetErrorMessageAndLongIntAndBailIfError(theOTResult,"MacSocket_listen: Can't allocate OT T_CALL structure, OTAlloc() = ",theOTResult);
+                SetErrorMessageAndBailIfNil(theSocketStruct->mRemoteAddrInfo,"MacSocket_listen: Can't allocate OT T_CALL structure, OTAlloc() returned nil");
+        }
+        
+
+        if (!theSocketStruct->mEndpointIsBound)
+        {
+        InetInterfaceInfo       theInetInterfaceInfo;
+                
+                theOTResult = ::OTInetGetInterfaceInfo(&theInetInterfaceInfo,kDefaultInetInterface);
+                                                                                                                                                                        
+                SetErrorMessageAndLongIntAndBailIfError(theOTResult,"MacSocket_listen: Can't determine OT interface info, OTInetGetInterfaceInfo() = ",theOTResult);
+
+
+        InetAddress     *theInetAddress = (InetAddress *) theSocketStruct->mBindRequestedAddrInfo->addr.buf;
+                
+//              theInetAddress->fAddressType = AF_INET;
+//              theInetAddress->fPort = inPortNum;
+//              theInetAddress->fHost = theInetInterfaceInfo.fAddress;
+                
+                ::OTInitInetAddress(theInetAddress,inPortNum,theInetInterfaceInfo.fAddress);
+
+                theSocketStruct->mBindRequestedAddrInfo->addr.len = sizeof(InetAddress);
+                
+                theSocketStruct->mBindRequestedAddrInfo->qlen = 1;
+                
+                
+                theOTResult = ::OTSetSynchronous(theSocketStruct->mEndPointRef);
+                                                                                                                                                                        
+                SetErrorMessageAndLongIntAndBailIfError(theOTResult,"MacSocket_listen: Can't set OT endpoint mode, OTSetSynchronous() = ",theOTResult);
+                
+                theOTResult = NegotiateIPReuseAddrOption(theSocketStruct->mEndPointRef,true);
+                                                                                                                                                                        
+                SetErrorMessageAndLongIntAndBailIfError(theOTResult,"MacSocket_listen: Can't set OT IP address reuse flag, NegotiateIPReuseAddrOption() = ",theOTResult);
+                
+                theOTResult = ::OTSetAsynchronous(theSocketStruct->mEndPointRef);
+                                                                                                                                                                        
+                SetErrorMessageAndLongIntAndBailIfError(theOTResult,"MacSocket_listen: Can't set OT endpoint mode, OTSetAsynchronous() = ",theOTResult);
+
+                
+                PrepareForAsyncOperation(theSocketStruct,T_BINDCOMPLETE);
+                                
+                theOTResult = ::OTBind(theSocketStruct->mEndPointRef,theSocketStruct->mBindRequestedAddrInfo,theSocketStruct->mAssignedAddrInfo);
+                                                                                                                                                                        
+                SetErrorMessageAndLongIntAndBailIfError(theOTResult,"MacSocket_listen: Can't bind OT endpoint, OTBind() = ",theOTResult);
+                
+                BailIfError(MyBusyWait(theSocketStruct,false,&theOTResult,&(theSocketStruct->mReceivedTBindComplete)));
+                                                                                                                                                                        
+                SetErrorMessageAndLongIntAndBailIfError(theOTResult,"MacSocket_listen: Can't bind OT endpoint, OTBind() = ",theOTResult);
+                
+                
+                theSocketStruct->mEndpointIsBound = true;
+        }
+
+
+        PrepareForAsyncOperation(theSocketStruct,T_LISTEN);
+
+        theOTResult = ::OTListen(theSocketStruct->mEndPointRef,theSocketStruct->mRemoteAddrInfo);
+        
+        if (theOTResult == noErr)
+        {
+                PrepareForAsyncOperation(theSocketStruct,T_PASSCON);
+                
+                theOTResult = ::OTAccept(theSocketStruct->mEndPointRef,theSocketStruct->mEndPointRef,theSocketStruct->mRemoteAddrInfo);
+                
+                SetErrorMessageAndLongIntAndBailIfError(theOTResult,"MacSocket_listen: Can't begin OT accept, OTAccept() = ",theOTResult);
+                
+                BailIfError(MyBusyWait(theSocketStruct,false,&theOTResult,&(theSocketStruct->mReceivedTPassCon)));
+                                                                                                                                                                        
+                SetErrorMessageAndLongIntAndBailIfError(theOTResult,"MacSocket_listen: Can't accept OT connection, OTAccept() = ",theOTResult);
+        }
+        
+        else if (theOTResult == kOTNoDataErr)
+        {
+                theOTResult = noErr;
+        }
+        
+        else
+        {
+                SetErrorMessageAndLongIntAndBail("MacSocket_listen: Can't begin OT listen, OTListen() = ",theOTResult);
+        }
+
+
+        errCode = noErr;
+
+
+EXITPOINT:
+        
+        if (theSocketStruct != nil)
+        {
+                theSocketStruct->mLastError = noErr;
+                
+                CopyCStrToCStr("",theSocketStruct->mErrMessage,sizeof(theSocketStruct->mErrMessage));
+
+                if (errCode != noErr)
+                {
+                        theSocketStruct->mLastError = errCode;
+                        
+                        CopyCStrToCStr(GetErrorMessage(),theSocketStruct->mErrMessage,sizeof(theSocketStruct->mErrMessage));
+                }
+        }
+        
+        errno = errCode;
+        
+        return(errCode);
+}
+
+
+
+
+OSErr MacSocket_connect(const int inSocketNum,char *inTargetAddressAndPort)
+{
+OSErr                   errCode = noErr;
+SocketStruct    *theSocketStruct = nil;
+
+
+        if (!SocketIndexIsValid(inSocketNum))
+        {
+                SetErrorMessageAndBail("MacSocket_connect: Invalid socket number specified");
+        }
+
+        theSocketStruct = &(sSockets[inSocketNum]);
+
+        if (theSocketStruct->mEndpointIsBound)
+        {
+                SetErrorMessageAndBail("MacSocket_connect: Socket previously bound");
+        }
+
+        
+OTResult                theOTResult;
+
+        theSocketStruct->mBindRequestedAddrInfo = (TBind *) ::OTAlloc(theSocketStruct->mEndPointRef,T_BIND,T_ADDR,&theOTResult);
+                                                                                                                                                                
+        SetErrorMessageAndLongIntAndBailIfError(theOTResult,"MacSocket_connect: Can't allocate OT T_BIND structure, OTAlloc() = ",theOTResult);
+        SetErrorMessageAndBailIfNil(theSocketStruct->mBindRequestedAddrInfo,"MacSocket_connect: Can't allocate OT T_BIND structure, OTAlloc() returned nil");
+        
+
+        theSocketStruct->mAssignedAddrInfo = (TBind *) ::OTAlloc(theSocketStruct->mEndPointRef,T_BIND,T_ADDR,&theOTResult);
+                                                                                                                                                                
+        SetErrorMessageAndLongIntAndBailIfError(theOTResult,"MacSocket_connect: Can't allocate OT T_BIND structure, OTAlloc() = ",theOTResult);
+        SetErrorMessageAndBailIfNil(theSocketStruct->mAssignedAddrInfo,"MacSocket_connect: Can't allocate OT T_BIND structure, OTAlloc() returned nil");
+
+
+        theSocketStruct->mRemoteAddrInfo = (TCall *) ::OTAlloc(theSocketStruct->mEndPointRef,T_CALL,T_ADDR,&theOTResult);
+                                                                                                                                                                
+        SetErrorMessageAndLongIntAndBailIfError(theOTResult,"MacSocket_connect: Can't allocate OT T_CALL structure, OTAlloc() = ",theOTResult);
+        SetErrorMessageAndBailIfNil(theSocketStruct->mRemoteAddrInfo,"MacSocket_connect: Can't allocate OT T_CALL structure, OTAlloc() returned nil");
+
+        
+        PrepareForAsyncOperation(theSocketStruct,T_BINDCOMPLETE);
+
+        theOTResult = ::OTBind(theSocketStruct->mEndPointRef,nil,theSocketStruct->mAssignedAddrInfo);
+                                                                                                                                                                
+        SetErrorMessageAndLongIntAndBailIfError(theOTResult,"MacSocket_connect: Can't bind OT endpoint, OTBind() = ",theOTResult);
+        
+        BailIfError(MyBusyWait(theSocketStruct,false,&theOTResult,&(theSocketStruct->mReceivedTBindComplete)));
+                                                                                                                                                                
+        SetErrorMessageAndLongIntAndBailIfError(theOTResult,"MacSocket_connect: Can't bind OT endpoint, OTBind() = ",theOTResult);
+        
+        theSocketStruct->mEndpointIsBound = true;
+        
+
+TCall           sndCall;
+DNSAddress      hostDNSAddress;
+        
+        //      Set up target address
+        
+        sndCall.addr.buf = (UInt8 *) &hostDNSAddress;
+        sndCall.addr.len = ::OTInitDNSAddress(&hostDNSAddress,inTargetAddressAndPort);
+        sndCall.opt.buf = nil;
+        sndCall.opt.len = 0;
+        sndCall.udata.buf = nil;
+        sndCall.udata.len = 0;
+        sndCall.sequence = 0;
+                
+        //      Connect!
+        
+        PrepareForAsyncOperation(theSocketStruct,T_CONNECT);
+
+        theOTResult = ::OTConnect(theSocketStruct->mEndPointRef,&sndCall,nil);
+        
+        if (theOTResult == kOTNoDataErr)
+        {
+                theOTResult = noErr;
+        }
+                                                                                                
+        SetErrorMessageAndLongIntAndBailIfError(theOTResult,"MacSocket_connect: Can't connect OT endpoint, OTConnect() = ",theOTResult);
+        
+        BailIfError(MyBusyWait(theSocketStruct,false,&theOTResult,&(theSocketStruct->mReceivedTConnect)));
+        
+        if (theOTResult == kMacSocket_TimeoutErr)
+        {
+                SetErrorMessageAndBail("MacSocket_connect: Can't connect OT endpoint, OTConnect() = kMacSocket_TimeoutErr");
+        }
+        
+        else
+        {
+                SetErrorMessageAndLongIntAndBailIfError(theOTResult,"MacSocket_connect: Can't connect OT endpoint, OTConnect() = ",theOTResult);
+        }
+
+        theOTResult = ::OTRcvConnect(theSocketStruct->mEndPointRef,nil);
+                                                                                                
+        SetErrorMessageAndLongIntAndBailIfError(theOTResult,"MacSocket_connect: Can't complete connect on OT endpoint, OTRcvConnect() = ",theOTResult);
+
+
+        errCode = noErr;
+
+
+#ifdef MACSOCKET_DEBUG
+        printf("MacSocket_connect: connect completed\n");
+#endif
+
+EXITPOINT:
+        
+        if (theSocketStruct != nil)
+        {
+                theSocketStruct->mLastError = noErr;
+                
+                CopyCStrToCStr("",theSocketStruct->mErrMessage,sizeof(theSocketStruct->mErrMessage));
+
+                if (errCode != noErr)
+                {
+                        theSocketStruct->mLastError = errCode;
+                        
+                        CopyCStrToCStr(GetErrorMessage(),theSocketStruct->mErrMessage,sizeof(theSocketStruct->mErrMessage));
+                }
+        }
+        
+        errno = errCode;
+        
+        return(errCode);
+}
+
+
+
+
+//      Close a connection
+
+OSErr MacSocket_close(const int inSocketNum)
+{
+OSErr                   errCode = noErr;
+SocketStruct    *theSocketStruct = nil;
+
+
+        if (!SocketIndexIsValid(inSocketNum))
+        {
+                SetErrorMessageAndBail("MacSocket_close: Invalid socket number specified");
+        }
+
+
+        theSocketStruct = &(sSockets[inSocketNum]);
+        
+        if (theSocketStruct->mEndPointRef != kOTInvalidEndpointRef)
+        {
+        OTResult                theOTResult = noErr;
+        
+                //      Try to play nice
+                
+                if (theSocketStruct->mReceivedTOrdRel)
+                {
+                        //      Already did an OTRcvOrderlyDisconnect() in the notifier
+                
+                        if (theSocketStruct->mLocalEndIsConnected)
+                        {
+                                theOTResult = ::OTSndOrderlyDisconnect(theSocketStruct->mEndPointRef);
+                                
+                                theSocketStruct->mLocalEndIsConnected = false;
+                        }
+                }
+                
+                else if (theSocketStruct->mLocalEndIsConnected)
+                {
+                        theOTResult = ::OTSndOrderlyDisconnect(theSocketStruct->mEndPointRef);
+                        
+                        theSocketStruct->mLocalEndIsConnected = false;
+                        
+                        //      Wait for other end to hang up too!
+                        
+//                      PrepareForAsyncOperation(theSocketStruct,T_ORDREL);
+//
+//                      errCode = MyBusyWait(theSocketStruct,false,&theOTResult,&(theSocketStruct->mReceivedTOrdRel));
+                }
+                
+                
+                if (theOTResult != noErr)
+                {
+                        ::OTCloseProvider(theSocketStruct->mEndPointRef);
+                }
+                
+                else
+                {
+                        theOTResult = ::OTCloseProvider(theSocketStruct->mEndPointRef);
+                }
+
+                theSocketStruct->mEndPointRef = kOTInvalidEndpointRef;
+                
+                errCode = theOTResult;
+        }
+
+
+        theSocketStruct->mIsInUse = false;
+
+        
+EXITPOINT:
+        
+        if (theSocketStruct != nil)
+        {
+                theSocketStruct->mLastError = noErr;
+                
+                CopyCStrToCStr("",theSocketStruct->mErrMessage,sizeof(theSocketStruct->mErrMessage));
+
+                if (errCode != noErr)
+                {
+                        theSocketStruct->mLastError = errCode;
+                        
+                        CopyCStrToCStr(GetErrorMessage(),theSocketStruct->mErrMessage,sizeof(theSocketStruct->mErrMessage));
+                }
+        }
+
+        errno = errCode;
+                
+        return(errCode);
+}
+
+
+
+
+//      Receive some bytes
+
+int MacSocket_recv(const int inSocketNum,void *outBuff,int outBuffLength,const Boolean inBlock)
+{
+OSErr                   errCode = noErr;
+int                             totalBytesRead = 0;
+SocketStruct    *theSocketStruct = nil;
+
+        
+        SetErrorMessageAndBailIfNil(outBuff,"MacSocket_recv: Bad parameter, outBuff = nil");
+        
+        if (outBuffLength <= 0)
+        {
+                SetErrorMessageAndBail("MacSocket_recv: Bad parameter, outBuffLength <= 0");
+        }
+        
+        if (!SocketIndexIsValid(inSocketNum))
+        {
+                SetErrorMessageAndBail("MacSocket_recv: Invalid socket number specified");
+        }
+
+        theSocketStruct = &(sSockets[inSocketNum]);
+
+        if (!theSocketStruct->mLocalEndIsConnected)
+        {
+                SetErrorMessageAndBail("MacSocket_recv: Socket not connected");
+        }
+
+        if (theSocketStruct->mReceivedTOrdRel)
+        {
+                totalBytesRead = 0;
+                
+                goto EXITPOINT;
+        }
+
+        
+        PrepareForAsyncOperation(theSocketStruct,0);
+        
+        for (;;)
+        {
+        int                     bytesRead;
+        OTResult        theOTResult;
+        
+        
+                theOTResult = ::OTRcv(theSocketStruct->mEndPointRef,(void *) ((unsigned long) outBuff + (unsigned long) totalBytesRead),outBuffLength - totalBytesRead,nil);
+                
+                if (theOTResult >= 0)
+                {
+                        bytesRead = theOTResult;
+                        
+#ifdef MACSOCKET_DEBUG
+        printf("MacSocket_recv: read %d bytes in part\n",bytesRead);
+#endif
+                }
+                
+                else if (theOTResult == kOTNoDataErr)
+                {
+                        bytesRead = 0;
+                }
+                
+                else
+                {
+                        SetErrorMessageAndLongIntAndBail("MacSocket_recv: Can't receive OT data, OTRcv() = ",theOTResult);
+                }
+                
+                
+                totalBytesRead += bytesRead;
+                
+                
+                if (totalBytesRead <= 0)
+                {
+                        if (theSocketStruct->mReceivedTOrdRel)
+                        {
+                                break;
+                        }
+                        
+                        //      This seems pretty stupid to me now.  Maybe I'll delete this blocking garbage.
+                        
+                        if (inBlock)
+                        {
+                                if (TimeoutElapsed(theSocketStruct))
+                                {
+                                        SetErrorCodeAndMessageAndBail(kMacSocket_TimeoutErr,"MacSocket_recv: Receive operation timed-out");
+                                }
+                                
+                                if (theSocketStruct->mIdleWaitCallback != nil)
+                                {
+                                        theOTResult = (*(theSocketStruct->mIdleWaitCallback))(theSocketStruct->mUserRefPtr);
+                                        
+                                        SetErrorMessageAndBailIfError(theOTResult,"MacSocket_recv: User cancelled operation");
+                                }
+                                
+                                continue;
+                        }
+                }
+                
+                
+                break;
+        }
+        
+        errCode = noErr;
+
+
+#ifdef MACSOCKET_DEBUG
+        printf("MacSocket_recv: read %d bytes in total\n",totalBytesRead);
+#endif
+        
+        
+EXITPOINT:
+        
+        if (theSocketStruct != nil)
+        {
+                theSocketStruct->mLastError = noErr;
+                
+                CopyCStrToCStr("",theSocketStruct->mErrMessage,sizeof(theSocketStruct->mErrMessage));
+
+                if (errCode != noErr)
+                {
+                        theSocketStruct->mLastError = errCode;
+                        
+                        CopyCStrToCStr(GetErrorMessage(),theSocketStruct->mErrMessage,sizeof(theSocketStruct->mErrMessage));
+                }
+        }
+
+        errno = errCode;
+        
+        return(totalBytesRead);
+}
+
+
+
+//      Send some bytes
+
+int MacSocket_send(const int inSocketNum,void *inBuff,int inBuffLength)
+{
+OSErr                   errCode = noErr;
+int                             bytesSent = 0;
+SocketStruct    *theSocketStruct = nil;
+
+
+        SetErrorMessageAndBailIfNil(inBuff,"MacSocket_send: Bad parameter, inBuff = nil");
+        
+        if (inBuffLength <= 0)
+        {
+                SetErrorMessageAndBail("MacSocket_send: Bad parameter, inBuffLength <= 0");
+        }
+
+        if (!SocketIndexIsValid(inSocketNum))
+        {
+                SetErrorMessageAndBail("MacSocket_send: Invalid socket number specified");
+        }
+        
+
+        theSocketStruct = &(sSockets[inSocketNum]);
+        
+        if (!theSocketStruct->mLocalEndIsConnected)
+        {
+                SetErrorMessageAndBail("MacSocket_send: Socket not connected");
+        }
+
+
+OTResult                theOTResult;
+        
+
+        PrepareForAsyncOperation(theSocketStruct,0);
+
+        while (bytesSent < inBuffLength)
+        {
+                if (theSocketStruct->mIdleWaitCallback != nil)
+                {
+                        theOTResult = (*(theSocketStruct->mIdleWaitCallback))(theSocketStruct->mUserRefPtr);
+                        
+                        SetErrorMessageAndBailIfError(theOTResult,"MacSocket_send: User cancelled");
+                }
+
+
+                theOTResult = ::OTSnd(theSocketStruct->mEndPointRef,(void *) ((unsigned long) inBuff + bytesSent),inBuffLength - bytesSent,0);
+                
+                if (theOTResult >= 0)
+                {
+                        bytesSent += theOTResult;
+                        
+                        theOTResult = noErr;
+                        
+                        //      Reset timer....
+                        
+                        PrepareForAsyncOperation(theSocketStruct,0);
+                }
+                
+                if (theOTResult == kOTFlowErr)
+                {
+                        if (TimeoutElapsed(theSocketStruct))
+                        {
+                                SetErrorCodeAndMessageAndBail(kMacSocket_TimeoutErr,"MacSocket_send: Send timed-out")
+                        }
+
+                        theOTResult = noErr;
+                }
+                                                                                                        
+                SetErrorMessageAndLongIntAndBailIfError(theOTResult,"MacSocket_send: Can't send OT data, OTSnd() = ",theOTResult);
+        }
+
+        
+        errCode = noErr;
+
+#ifdef MACSOCKET_DEBUG
+        printf("MacSocket_send: sent %d bytes\n",bytesSent);
+#endif
+        
+        
+EXITPOINT:
+        
+        if (theSocketStruct != nil)
+        {
+                theSocketStruct->mLastError = noErr;
+                
+                CopyCStrToCStr("",theSocketStruct->mErrMessage,sizeof(theSocketStruct->mErrMessage));
+
+                if (errCode != noErr)
+                {
+                        theSocketStruct->mLastError = errCode;
+                        
+                        CopyCStrToCStr(GetErrorMessage(),theSocketStruct->mErrMessage,sizeof(theSocketStruct->mErrMessage));
+                }
+        }
+        
+        if (errCode != noErr)
+        {
+                ::SysBeep(1);
+        }
+        
+        errno = errCode;
+        
+        return(bytesSent);
+}
+
+
+
+
+
+static OSStatus NegotiateIPReuseAddrOption(EndpointRef inEndpoint,const Boolean inEnableReuseIP)
+{
+OSStatus        errCode;
+UInt8           buf[kOTFourByteOptionSize];
+TOption*        theOTOption;
+TOptMgmt        theOTRequest;
+TOptMgmt        theOTResult;
+        
+
+        if (!OTIsSynchronous(inEndpoint))
+        {
+                SetErrorMessageAndBail("NegotiateIPReuseAddrOption: Open Transport endpoint is not synchronous");
+        }
+        
+        theOTRequest.opt.buf = buf;
+        theOTRequest.opt.len = sizeof(buf);
+        theOTRequest.flags = T_NEGOTIATE;
+
+        theOTResult.opt.buf = buf;
+        theOTResult.opt.maxlen = kOTFourByteOptionSize;
+
+
+        theOTOption = (TOption *) buf;
+        
+        theOTOption->level = INET_IP;
+        theOTOption->name = IP_REUSEADDR;
+        theOTOption->len = kOTFourByteOptionSize;
+        theOTOption->status = 0;
+        *((UInt32 *) (theOTOption->value)) = inEnableReuseIP;
+
+        errCode = ::OTOptionManagement(inEndpoint,&theOTRequest,&theOTResult);
+        
+        if (errCode == kOTNoError)
+        {
+                if (theOTOption->status != T_SUCCESS)
+                {
+                        errCode = theOTOption->status;
+                }
+                
+                else
+                {
+                        errCode = kOTNoError;
+                }
+        }
+                                
+
+EXITPOINT:
+        
+        errno = errCode;
+        
+        return(errCode);
+}
+
+
+
+
+
+//      Some rough notes....
+
+
+
+//      OTAckSends(ep);
+//      OTAckSends(ep) // enable AckSend option
+//      ......
+//      buf = OTAllocMem( nbytes); // Allocate nbytes of memory from OT
+//      OTSnd(ep, buf, nbytes, 0); // send a packet
+//      ......
+//      NotifyProc( .... void* theParam) // Notifier Proc
+//      case T_MEMORYRELEASED: // process event
+//      OTFreeMem( theParam); // free up memory
+//      break;
+
+
+
+/*
+struct InetInterfaceInfo
+{
+        InetHost                fAddress;
+        InetHost                fNetmask;
+        InetHost                fBroadcastAddr;
+        InetHost                fDefaultGatewayAddr;
+        InetHost                fDNSAddr;
+        UInt16                  fVersion;
+        UInt16                  fHWAddrLen;
+        UInt8*                  fHWAddr;
+        UInt32                  fIfMTU;
+        UInt8*                  fReservedPtrs[2];
+        InetDomainName  fDomainName;
+        UInt32                  fIPSecondaryCount;
+        UInt8                   fReserved[252];                 
+};
+typedef struct InetInterfaceInfo InetInterfaceInfo;
+
+
+
+((InetAddress *) addr.buf)->fHost
+
+struct TBind
+{
+        TNetbuf addr;
+        OTQLen  qlen;
+};
+
+typedef struct TBind    TBind;
+
+struct TNetbuf
+{
+        size_t  maxlen;
+        size_t  len;
+        UInt8*  buf;
+};
+
+typedef struct TNetbuf  TNetbuf;
+
+        
+        struct InetAddress
+{
+                OTAddressType   fAddressType;   // always AF_INET
+                InetPort                fPort;                  // Port number 
+                InetHost                fHost;                  // Host address in net byte order
+                UInt8                   fUnused[8];             // Traditional unused bytes
+};
+typedef struct InetAddress InetAddress;
+*/
+
+
+
+/*
+static pascal void Notifier(void* context, OTEventCode event, OTResult result, void* cookie)
+{
+EPInfo* epi = (EPInfo*) context;
+
+        switch (event)
+        {
+                case T_LISTEN:
+                {
+                        DoListenAccept();
+                        return;
+                }
+                
+                case T_ACCEPTCOMPLETE:
+                {
+                        if (result != kOTNoError)
+                                DBAlert1("Notifier: T_ACCEPTCOMPLETE - result %d",result);
+                        return;
+                }
+                
+                case T_PASSCON:
+                {
+                        if (result != kOTNoError)
+                        {
+                                DBAlert1("Notifier: T_PASSCON result %d", result);
+                                return;
+                        }
+
+                        OTAtomicAdd32(1, &gCntrConnections);
+                        OTAtomicAdd32(1, &gCntrTotalConnections);
+                        OTAtomicAdd32(1, &gCntrIntervalConnects);
+                        
+                        if ( OTAtomicSetBit(&epi->stateFlags, kPassconBit) != 0 )
+                        {
+                                ReadData(epi);
+                        }
+                        
+                        return;
+                }
+                
+                case T_DATA:
+                {
+                        if ( OTAtomicSetBit(&epi->stateFlags, kPassconBit) != 0 )
+                        {
+                                ReadData(epi);
+                        }
+                        
+                        return;
+                }
+                
+                case T_GODATA:
+                {
+                        SendData(epi);
+                        return;
+                }
+                
+                case T_DISCONNECT:
+                {
+                        DoRcvDisconnect(epi);
+                        return;
+                }
+                
+                case T_DISCONNECTCOMPLETE:
+                {
+                        if (result != kOTNoError)
+                                DBAlert1("Notifier: T_DISCONNECT_COMPLETE result %d",result);
+                                
+                        return;
+                }
+                
+                case T_MEMORYRELEASED:
+                {
+                        OTAtomicAdd32(-1, &epi->outstandingSends);
+                        return;
+                }
+                
+                default:
+                {
+                        DBAlert1("Notifier: unknown event <%x>", event);
+                        return;
+                }
+        }
+}
+*/
diff --git a/src/lib/libssl/src/MacOS/GetHTTPS.src/MacSocket.h b/src/lib/libssl/src/MacOS/GetHTTPS.src/MacSocket.h
new file mode 100644
index 0000000000..6e90a5bb44
--- /dev/null
+++ b/src/lib/libssl/src/MacOS/GetHTTPS.src/MacSocket.h
@@ -0,0 +1,103 @@
+#pragma once
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+
+enum
+{
+        kMacSocket_TimeoutErr = -2
+};
+
+
+//      Since MacSocket does busy waiting, I do a callback while waiting
+
+typedef OSErr (*MacSocket_IdleWaitCallback)(void *);
+
+
+//      Call this before anything else!
+
+OSErr MacSocket_Startup(void);
+
+
+//      Call this to cleanup before quitting
+
+OSErr MacSocket_Shutdown(void);
+
+
+//      Call this to allocate a "socket" (reference number is returned in outSocketNum)
+//      Note that inDoThreadSwitching is pretty much irrelevant right now, since I ignore it
+//      The inTimeoutTicks parameter is applied during reads/writes of data
+//      The inIdleWaitCallback parameter specifies a callback which is called during busy-waiting periods
+//      The inUserRefPtr parameter is passed back to the idle-wait callback
+
+OSErr MacSocket_socket(int *outSocketNum,const Boolean inDoThreadSwitching,const long inTimeoutTicks,MacSocket_IdleWaitCallback inIdleWaitCallback,void *inUserRefPtr);
+
+
+//      Call this to connect to an IP/DNS address
+//      Note that inTargetAddressAndPort is in "IP:port" format-- e.g. 10.1.1.1:123
+
+OSErr MacSocket_connect(const int inSocketNum,char *inTargetAddressAndPort);
+
+
+//      Call this to listen on a port
+//      Since this a low-performance implementation, I allow a maximum of 1 (one!) incoming request when I listen
+
+OSErr MacSocket_listen(const int inSocketNum,const int inPortNum);
+
+
+//      Call this to close a socket
+
+OSErr MacSocket_close(const int inSocketNum);
+
+
+//      Call this to receive data on a socket
+//      Most parameters' purpose are obvious-- except maybe "inBlock" which controls whether I wait for data or return immediately
+
+int MacSocket_recv(const int inSocketNum,void *outBuff,int outBuffLength,const Boolean inBlock);
+
+
+//      Call this to send data on a socket
+
+int MacSocket_send(const int inSocketNum,void *inBuff,int inBuffLength);
+
+
+//      If zero bytes were read in a call to MacSocket_recv(), it may be that the remote end has done a half-close
+//      This function will let you check whether that's true or not
+
+Boolean MacSocket_RemoteEndIsClosing(const int inSocketNum);
+
+
+//      Call this to see if the listen has completed after a call to MacSocket_listen()
+
+Boolean MacSocket_ListenCompleted(const int inSocketNum);
+
+
+//      These really aren't very useful anymore
+
+Boolean MacSocket_LocalEndIsOpen(const int inSocketNum);
+Boolean MacSocket_RemoteEndIsOpen(const int inSocketNum);
+
+
+//      You may wish to change the userRefPtr for a socket callback-- use this to do it
+
+void MacSocket_SetUserRefPtr(const int inSocketNum,void *inNewRefPtr);
+
+
+//      Call these to get the socket's IP:port descriptor
+
+void MacSocket_GetLocalIPAndPort(const int inSocketNum,char *outIPAndPort,const int inIPAndPortLength);
+void MacSocket_GetRemoteIPAndPort(const int inSocketNum,char *outIPAndPort,const int inIPAndPortLength);
+
+
+//      Call this to get error info from a socket
+
+void MacSocket_GetSocketErrorInfo(const int inSocketNum,int *outSocketErrCode,char *outSocketErrString,const int inSocketErrStringMaxLength);
+
+
+#ifdef __cplusplus
+}
+#endif
diff --git a/src/lib/libssl/src/MacOS/OpenSSL.mcp.hqx b/src/lib/libssl/src/MacOS/OpenSSL.mcp.hqx
new file mode 100644
index 0000000000..2efa49ac01
--- /dev/null
+++ b/src/lib/libssl/src/MacOS/OpenSSL.mcp.hqx
@@ -0,0 +1,4880 @@
+(This file must be converted with BinHex 4.0)
+
+:#dp`C@j68d`ZE@0`!%e08(*$9dP&!!!!!j)H!!!!!)X-Bfp[E!!!!!-!!!%S!!0
+ipJ!$HKi!!"J!!!!"!!%#!3!!!!!!!!!!!%0[C'9ABA*bD@pb)&"bEfTPBh3!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"(CA4)9&4
+38b"38%-k4'9LG@GRCA)J8R9ZG'PYC3"(CA4)9&438b"38%-k8fpeFQ0P)&4bC@9
+c!%GPG%K89&"6)&"33cT$GA0dEfdJ5f9jGfpbC(-!4f9d5&488&-J8&"$1N&MBf9
+cFb"3BA4SF`"(CA4)9&438b"38%-k9'&bCf9d)&0PG(4TEQGc!%GPG%K89&"6)&"
+33cT'D@aP)%eKF("TEQGc!%GPG%K89&"6)&"33cT#G@PXC#"&H(4bBA-!4f9d5&4
+88&-J8&"$1N4PBR9RCf9b)&4KFQGPG!"(CA4)9&438b"38%-k0MK,)%0[C'9(C@i
+!4f9d5&488&-J8&"$1MBi5b"%DA0KFh0PE@*XCA)!4f9d5&488&-J8&"$1MBi5b"
+(E'pLB@`J6h"dD@eTHQ9b!%GPG%K89&"6)&"33cSf1%XJ6'PZDf9b!%GPG%K89&"
+6)&"33cSf1%XJ8(*[DQ9MG!"(CA4)9&438b"38%-k3bp$+bXJ3fpYF'PXCA)!4f9
+d5&488&-J8&"$1N-[3bXV)&GKFQjTEQGc!%GPG%K89&"6)&"33cT$4Ndf1%X!4f9
+d5&488&-J8&"$1NeKBdp6)%ePFQGP)&"KEQ9X!%GPG%K89&"6)&"33cT38%-J3fp
+NC8GPEJ"(CA4)9&438b"38%-k8&"$)%4TFf&cFf9YBQaPFJ"(CA4)9&438b"38%-
+k8&"$)%GXEf*KE#"2F(4TE@PkCA)!4f9d5&488&-J8&"$1P"33b"-D@jVCA)!4f9
+d5&488&-J8&"$1P"33b"348B!4f9d5&488&-J8&"$1P"33b"3FQpUC@0d!%GPG%K
+89&"6)&"33cT38%0"FfdJ8'&ZC@`!4f9d5&488&-J8&"$1P*PHL"$Efe`D@aPFJ"
+2F'9Z8e0-)&"33cT%C@*eCfGPFL"5G@jdD@eP!%p`C@j68d`J8&"$1P0[GA*MC5"
+8FQ9PF`"2F'9Z8e0-)&"33cT$GA0dEfdJ5f9jGfpbC(-!6h"PEP066#"38%-k3@0
+MCA0c)&"KG'Kc!%p`C@j68d`J8&"$1P4KFQGPG#"6CA4dD@jRF`"2F'9Z8e0-)&"
+33cT'D@aP)%eKF("TEQGc!%p`C@j68d`J8&"$1N*eD@aN)%9iG(*KF`"2F'9Z8e0
+-)&"33cT%C@*eCfGPFL"8BA*RCA3!6h"PEP066#"38%-k0MK,)%0[C'9(C@i!6h"
+PEP066#"38%-k0MK,)%4TFf&cFf9YBQaPFJ"2F'9Z8e0-)&"33cSf1%XJ4fa[BQ&
+X)%p`G'PYDATPFJ"2F'9Z8e0-)&"33cSf1%XJ6'PZDf9b!%p`C@j68d`J8&"$1MB
+i5b"3FQpUC@0d!%p`C@j68d`J8&"$1N-[3bXV)%0[EA"TE'9b!%p`C@j68d`J8&"
+$1N-[3bXV)&GKFQjTEQGc!%p`C@j68d`J8&"$1N0'66Bi5`"2F'9Z8e0-)&"33cT
+0B@028b"0CA*RC5"3B@jPE!"2F'9Z8e0-)&"33cT38%-J3fpNC8GPEJ"2F'9Z8e0
+-)&"33cT38%-J4'PcBA0cC@eLE'9b!%p`C@j68d`J8&"$1P"33b"(E'pLB@`J6h"
+dD@eTHQ9b!%p`C@j68d`J8&"$1P"33b"-D@jVCA)!6h"PEP066#"38%-k8&"$)&"
+&4J"2F'9Z8e0-)&"33cT38%-J8(*[DQ9MG!"2F'9Z8e0-)&"33cT38%0"FfdJ8'&
+ZC@`!6h"PEP066#"38%-k8Q9k)%0[EA"TE'9b!%GPG%K89&"6)$Bi5cT%C@*eCfG
+PFL"5G@jdD@eP!%GPG%K89&"6)$Bi5cT6Eh9bBf8J9(*PCA-!4f9d5&488&-J0MK
+,1N0eFh4[E5",CAPhEh*NF`"(CA4)9&438b!f1%Xk3@0MCA0c)&"KG'Kc!%GPG%K
+89&"6)$Bi5cT8BA*RCA3J8f9dG'PZCh-!4f9d5&488&-J0MK,1NCTE'8J6@&`F'P
+ZCh-!4f9d5&488&-J0MK,1N*eD@aN)%9iG(*KF`"(CA4)9&438b!f1%Xk4'9LG@G
+RCA)J9'&bCf9d!%GPG%K89&"6)$Bi5cSf1%XJ3fpNC8GPEJ"(CA4)9&438b!f1%X
+k0MK,)%4TFf&cFf9YBQaPFJ"(CA4)9&438b!f1%Xk0MK,)%GXEf*KE#"2F(4TE@P
+kCA)!4f9d5&488&-J0MK,1MBi5b"-D@jVCA)!4f9d5&488&-J0MK,1MBi5b"3FQp
+UC@0d!%GPG%K89&"6)$Bi5cT$,d-V+b"$Efe`D@aPFJ"(CA4)9&438b!f1%Xk3bp
+$+bXJ9f&bEQPZCh-!4f9d5&488&-J0MK,1N0'66Bi5`"(CA4)9&438b!f1%Xk6@&
+M6e-J6@9bCf8J8'&ZC@`!4f9d5&488&-J0MK,1P"33b"$Ef4P4f9Z!%GPG%K89&"
+6)$Bi5cT38%-J4'PcBA0cC@eLE'9b!%GPG%K89&"6)$Bi5cT38%-J4fa[BQ&X)%p
+`G'PYDATPFJ"(CA4)9&438b!f1%Xk8&"$)%aTEQYPFJ"(CA4)9&438b!f1%Xk8&"
+$)&"&4J"(CA4)9&438b!f1%Xk8&"$)&"bEfTPBh3!4f9d5&488&-J0MK,1P"33d&
+cE5"3B@jPE!"(CA4)9&438b!f1%Xk8Q9k)%0[EA"TE'9b!%aTBP066#!f1%Xk4'9
+LG@GRCA)J8R9ZG'PYC3"-D@*68d`J0MK,1P0[GA*MC5"8FQ9PF`"-D@*68d`J0MK
+,1N0eFh4[E5",CAPhEh*NF`"-D@*68d`J0MK,1N&MBf9cFb"3BA4SF`"-D@*68d`
+J0MK,1P4KFQGPG#"6CA4dD@jRF`"-D@*68d`J0MK,1NCTE'8J6@&`F'PZCh-!6'P
+L8e0-)$Bi5cT#G@PXC#"&H(4bBA-!6'PL8e0-)$Bi5cT%C@*eCfGPFL"8BA*RCA3
+!6'PL8e0-)$Bi5cSf1%XJ3fpNC8GPEJ"-D@*68d`J0MK,1MBi5b"%DA0KFh0PE@*
+XCA)!6'PL8e0-)$Bi5cSf1%XJ4fa[BQ&X)%p`G'PYDATPFJ"-D@*68d`J0MK,1MB
+i5b"-D@jVCA)!6'PL8e0-)$Bi5cSf1%XJ8(*[DQ9MG!"-D@*68d`J0MK,1N-[3bX
+V)%0[EA"TE'9b!%aTBP066#!f1%Xk3bp$+bXJ9f&bEQPZCh-!6'PL8e0-)$Bi5cT
+$4Ndf1%X!6'PL8e0-)$Bi5cT0B@028b"0CA*RC5"3B@jPE!"-D@*68d`J0MK,1P"
+33b"$Ef4P4f9Z!%aTBP066#!f1%Xk8&"$)%4TFf&cFf9YBQaPFJ"-D@*68d`J0MK
+,1P"33b"(E'pLB@`J6h"dD@eTHQ9b!%aTBP066#!f1%Xk8&"$)%aTEQYPFJ"-D@*
+68d`J0MK,1P"33b"348B!6'PL8e0-)$Bi5cT38%-J8(*[DQ9MG!"-D@*68d`J0MK
+,1P"33d&cE5"3B@jPE!"-D@*68d`J0MK,1P*PHL"$Efe`D@aPFJ"2F'9Z8e0-)$B
+iDcT%C@*eCfGPFL"5G@jdD@eP!%p`C@j68d`J0MKV1P0[GA*MC5"8FQ9PF`"2F'9
+Z8e0-)$BiDcT$GA0dEfdJ5f9jGfpbC(-!6h"PEP066#!f1'Xk3@0MCA0c)&"KG'K
+c!%p`C@j68d`J0MKV1P4KFQGPG#"6CA4dD@jRF`"2F'9Z8e0-)$BiDcT'D@aP)%e
+KF("TEQGc!%p`C@j68d`J0MKV1N*eD@aN)%9iG(*KF`"2F'9Z8e0-)$BiDcT%C@*
+eCfGPFL"8BA*RCA3!6h"PEP066#!f1'Xk0MK,)%0[C'9(C@i!6h"PEP066#!f1'X
+k0MK,)%4TFf&cFf9YBQaPFJ"2F'9Z8e0-)$BiDcSf1%XJ4fa[BQ&X)%p`G'PYDAT
+PFJ"2F'9Z8e0-)$BiDcSf1%XJ6'PZDf9b!%p`C@j68d`J0MKV1MBi5b"3FQpUC@0
+d!%p`C@j68d`J0MKV1N-[3bXV)%0[EA"TE'9b!%p`C@j68d`J0MKV1N-[3bXV)&G
+KFQjTEQGc!%p`C@j68d`J0MKV1N0'66Bi5`"2F'9Z8e0-)$BiDcT0B@028b"0CA*
+RC5"3B@jPE!"2F'9Z8e0-)$BiDcT38%-J3fpNC8GPEJ"2F'9Z8e0-)$BiDcT38%-
+J4'PcBA0cC@eLE'9b!%p`C@j68d`J0MKV1P"33b"(E'pLB@`J6h"dD@eTHQ9b!%p
+`C@j68d`J0MKV1P"33b"-D@jVCA)!6h"PEP066#!f1'Xk8&"$)&"&4J"2F'9Z8e0
+-)$BiDcT38%-J8(*[DQ9MG!"2F'9Z8e0-)$BiDcT38%0"FfdJ8'&ZC@`!6h"PEP0
+66#!f1'Xk8Q9k)%0[EA"TE'9b!%aTBP066#"38%-k4'9LG@GRCA)J8R9ZG'PYC3"
+-D@*68d`J8&"$1P0[GA*MC5"8FQ9PF`"-D@*68d`J8&"$1N0eFh4[E5",CAPhEh*
+NF`"-D@*68d`J8&"$1N&MBf9cFb"3BA4SF`"-D@*68d`J8&"$1P4KFQGPG#"6CA4
+dD@jRF`"-D@*68d`J8&"$1NCTE'8J6@&`F'PZCh-!6'PL8e0-)&"33cT#G@PXC#"
+&H(4bBA-!6'PL8e0-)&"33cT%C@*eCfGPFL"8BA*RCA3!6'PL8e0-)&"33cSf1%X
+J3fpNC8GPEJ"-D@*68d`J8&"$1MBi5b"%DA0KFh0PE@*XCA)!6'PL8e0-)&"33cS
+f1%XJ4fa[BQ&X)%p`G'PYDATPFJ"-D@*68d`J8&"$1MBi5b"-D@jVCA)!6'PL8e0
+-)&"33cSf1%XJ8(*[DQ9MG!"-D@*68d`J8&"$1N-[3bXV)%0[EA"TE'9b!%aTBP0
+66#"38%-k3bp$+bXJ9f&bEQPZCh-!6'PL8e0-)&"33cT$4Ndf1%X!6'PL8e0-)&"
+33cT0B@028b"0CA*RC5"3B@jPE!"-D@*68d`J8&"$1P"33b"$Ef4P4f9Z!%aTBP0
+66#"38%-k8&"$)%4TFf&cFf9YBQaPFJ"-D@*68d`J8&"$1P"33b"(E'pLB@`J6h"
+dD@eTHQ9b!%aTBP066#"38%-k8&"$)%aTEQYPFJ"-D@*68d`J8&"$1P"33b"348B
+!6'PL8e0-)&"33cT38%-J8(*[DQ9MG!"-D@*68d`J8&"$1P"33d&cE5"3B@jPE!"
+-D@*68d`J8&"$1P*PHL"$Efe`D@aPFJ"-D@*$FRP`G'mJ8&"$1N4PBR9RCf9b)&*
+eER4TE@8!6'PL3h*jF(4[)&"33cT6Eh9bBf8J9(*PCA-!6'PL3h*jF(4[)&"33cT
+$GA0dEfdJ5f9jGfpbC(-!6'PL3h*jF(4[)&"33cT"Bf0PFh-J8'&dD(-!6'PL3h*
+jF(4[)&"33cT8BA*RCA3J8f9dG'PZCh-!6'PL3h*jF(4[)&"33cT'D@aP)%eKF("
+TEQGc!%aTBN0bHA"dEb"38%-k3R9TE'3J4AKdFQ&c!%aTBN0bHA"dEb"38%-k4'9
+LG@GRCA)J9'&bCf9d!%aTBN0bHA"dEb"38%-k0MK,)%0[C'9(C@i!6'PL3h*jF(4
+[)&"33cSf1%XJ4'PcBA0cC@eLE'9b!%aTBN0bHA"dEb"38%-k0MK,)%GXEf*KE#"
+2F(4TE@PkCA)!6'PL3h*jF(4[)&"33cSf1%XJ6'PZDf9b!%aTBN0bHA"dEb"38%-
+k0MK,)&"bEfTPBh3!6'PL3h*jF(4[)&"33cT$,d-V+b"$Efe`D@aPFJ"-D@*$FRP
+`G'mJ8&"$1N-[3bXV)&GKFQjTEQGc!%aTBN0bHA"dEb"38%-k3dC00MK,!%aTBN0
+bHA"dEb"38%-k6@&M6e-J6@9bCf8J8'&ZC@`!6'PL3h*jF(4[)&"33cT38%-J3fp
+NC8GPEJ"-D@*$FRP`G'mJ8&"$1P"33b"%DA0KFh0PE@*XCA)!6'PL3h*jF(4[)&"
+33cT38%-J4fa[BQ&X)%p`G'PYDATPFJ"-D@*$FRP`G'mJ8&"$1P"33b"-D@jVCA)
+!6'PL3h*jF(4[)&"33cT38%-J8%9'!%aTBN0bHA"dEb"38%-k8&"$)&"bEfTPBh3
+!6'PL3h*jF(4[)&"33cT38%0"FfdJ8'&ZC@`!6'PL3h*jF(4[)&"33cT5CASJ3fp
+YF'PXCA)!6'PL3h*jF(4[)$Bi5cT%C@*eCfGPFL"5G@jdD@eP!%aTBN0bHA"dEb!
+f1%Xk8fpeFQ0P)&4bC@9c!%aTBN0bHA"dEb!f1%Xk3h9cG'pY)%YPHAG[FQ4c!%a
+TBN0bHA"dEb!f1%Xk3@0MCA0c)&"KG'Kc!%aTBN0bHA"dEb!f1%Xk9'&bCf9d)&0
+PG(4TEQGc!%aTBN0bHA"dEb!f1%Xk4QPXC5"0BA"`D@jRF`"-D@*$FRP`G'mJ0MK
+,1N*eD@aN)%9iG(*KF`"-D@*$FRP`G'mJ0MK,1N4PBR9RCf9b)&4KFQGPG!"-D@*
+$FRP`G'mJ0MK,1MBi5b"$Ef4P4f9Z!%aTBN0bHA"dEb!f1%Xk0MK,)%4TFf&cFf9
+YBQaPFJ"-D@*$FRP`G'mJ0MK,1MBi5b"(E'pLB@`J6h"dD@eTHQ9b!%aTBN0bHA"
+dEb!f1%Xk0MK,)%aTEQYPFJ"-D@*$FRP`G'mJ0MK,1MBi5b"3FQpUC@0d!%aTBN0
+bHA"dEb!f1%Xk3bp$+bXJ3fpYF'PXCA)!6'PL3h*jF(4[)$Bi5cT$,d-V+b"ABA*
+ZD@jRF`"-D@*$FRP`G'mJ0MK,1N0'66Bi5`"-D@*$FRP`G'mJ0MK,1NeKBdp6)%e
+PFQGP)&"KEQ9X!%aTBN0bHA"dEb!f1%Xk8&"$)%0[C'9(C@i!6'PL3h*jF(4[)$B
+i5cT38%-J4'PcBA0cC@eLE'9b!%aTBN0bHA"dEb!f1%Xk8&"$)%GXEf*KE#"2F(4
+TE@PkCA)!6'PL3h*jF(4[)$Bi5cT38%-J6'PZDf9b!%aTBN0bHA"dEb!f1%Xk8&"
+$)&"&4J"-D@*$FRP`G'mJ0MK,1P"33b"3FQpUC@0d!%aTBN0bHA"dEb!f1%Xk8&"
+$3A0Y)&"KEQ9X!%aTBN0bHA"dEb!f1%Xk8Q9k)%0[EA"TE'9b!&"bEfTPBh3J4QP
+XC5"-DA0d!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!3!!!!!!!!!H!!!!!J!!!!!!!!!i!!!!!`!!!!!!!!"9!!!!"!!!!!!!!!"[!!!
+!"3!!!!!!!!#-!!!!"J!!!!!!!!#R!!!!"`!!!!!!!!$"!!!!#!!!!!!!!!$H!!!
+!#3!!!!!!!!$h!!!!#J!!!!!!!!%9!!!!#`!!!!!!!!%h!!!!$!!!!!!!!!&2!!!
+!$3!!!!!!!!&S!!!!$J!!!!!!!!'%!!!!$`!!!!!!!!'J!!!!%!!!!!!!!!'d!!!
+!%3!!!!!!!!(6!!!!%J!!!!!!!!(X!!!!%`!!!!!!!!)+!!!!&!!!!!!!!!)X!!!
+!&3!!!!!!!!*%!!!!&J!!!!!!!!*C!!!!&`!!!!!!!!*b!!!!'!!!!!!!!!+-!!!
+!'3!!!!!!!!+Q!!!!'J!!!!!!!!,$!!!!'`!!!!!!!!,F!!!!(!!!!!!!!!,i!!!
+!(3!!!!!!!!-4!!!!(J!!!!!!!!-Y!!!!(`!!!!!!!!0(!!!!)!!!!!!!!!0J!!!
+!)3!!!!!!!!0m!!!!)J!!!!!!!!18!!!!)`!!!!!!!!1a!!!!*!!!!!!!!!25!!!
+!*3!!!!!!!!2T!!!!*J!!!!!!!!3"!!!!*`!!!!!!!!3F!!!!+!!!!!!!!!3h!!!
+!+3!!!!!!!!4+!!!!+J!!!!!!!!4S!!!!+`!!!!!!!!5!!!!!,!!!!!!!!!5G!!!
+!,3!!!!!!!!5q!!!!,J!!!!!!!!69!!!!,`!!!!!!!!6T!!!!-!!!!!!!!!8"!!!
+!-3!!!!!!!!8D!!!!-J!!!!!!!!8c!!!!-`!!!!!!!!94!!!!0!!!!!!!!!9V!!!
+!03!!!!!!!!@)!!!!0J!!!!!!!!@L!!!!0`!!!!!!!!@r!!!!1!!!!!!!!!AD!!!
+!13!!!!!!!!Ad!!!!1J!!!!!!!!B4!!!!1`!!!!!!!!BU!!!!2!!!!!!!!!C)!!!
+!23!!!!!!!!CU!!!!2J!!!!!!!!D#!!!!2`!!!!!!!!DE!!!!3!!!!!!!!!Dh!!!
+!33!!!!!!!!E6!!!!3J!!!!!!!!ER!!!!3`!!!!!!!!F'!!!!4!!!!!!!!!FI!!!
+!43!!!!!!!!Fp!!!!4J!!!!!!!!GI!!!!4`!!!!!!!!Gh!!!!5!!!!!!!!!H-!!!
+!53!!!!!!!!HP!!!!5J!!!!!!!!Hr!!!!5`!!!!!!!!IC!!!!6!!!!!!!!!Ie!!!
+!63!!!!!!!!J0!!!!6J!!!!!!!!JS!!!!6`!!!!!!!!K!!!!!8!!!!!!!!!KE!!!
+!83!!!!!!!!Kd!!!!8J!!!!!!!!L-!!!!8`!!!!!!!!LR!!!!9!!!!!!!!!Lq!!!
+!93!!!!!!!!MD!!!!9J!!!!!!!!Mk!!!!9`!!!!!!!!N3!!!!@!!!!!!!!!NR!!!
+!@3!!!!!!!!P"!!!!@J!!!!!!!!PE!!!!@`!!!!!!!!PY!!!!A!!!!!!!!!Q+!!!
+!A3!!!!!!!!QK!!!!AJ!!!!!!!!Qp!!!!A`!!!!!!!!RG!!!!B!!!!!!!!!Rc!!!
+!B3!!!!!!!!S'!!!!BJ!!!!!!!!SG!!!!B`!!!!!!!!Se!!!!C!!!!!!!!!T0!!!
+!C3!!!!!!!!TU!!!!CJ!!!!!!!!U$!!!!C`!!!!!!!!UI!!!!D!!!!!!!!!Ui!!!
+!D3!!!!!!!!V8!!!!DJ!!!!!!!!VZ!!!!D`!!!!!!!!X(!!!!E!!!!!!!!!XM!!!
+!E3!!!!!!!!Xl!!!!EJ!!!!!!!!YB!!!!E`!!!!!!!!Yj!!!!F!!!!!!!!!Z3!!!
+!!(%!!!!!!!!,U!!!!()!!!!!!!!,``!!!(-!!!!!!!!,hJ!!!(3!!!!!!!!,m3!
+!!(8!!!!!!!!-$`!!!(B!!!!!!!!-*`!!!(F!!!!!!!!-4!!!!(J!!!!!!!!-C3!
+!!(N!!!!!!!!-I!!!!(S!!!!!!!!-N!!!!!"l!!!!!!!!$+J!!!"m!!!!!!!!$-%
+!!!"p!!!!!!!!$0S!!!"q!!!!!!!!$2B!!!"r!!!!!!!!$3i!!!#!!!!!!!!!$5N
+!!!#"!!!!!!!!$8%!!!##!!!!!!!!$9`!!!#$!!!!!!!!$A8!!!#%!!!!!!!!$Bd
+!!!#&!!!!!!!!$DJ!!!#'!!!!!!!!$Em!!!#(!!!!!!!!$GX!!!#)!!!!!!!!$IX
+!!!#*!!!!!!!!$K%!!!#+!!!!!!!!$LJ!!!#,!!!!!!!!$N)!!!#-!!!!!!!!$P`
+!!!#0!!!!!!!!$Qi!!!#1!!!!!!!!$SX!!!#2!!!!!!!!$U)!!!#3!!!!!!!!!!k
+q!!!!N3!!!!!!!!lH!!!!NJ!!!!!!!!ld!!!!N`!!!!!!!!m(!!!!P!!!!!!!!!m
+H!!!!P3!!!!!!!!mf!!!!PJ!!!!!!!!p1!!!!P`!!!!!!!!pY!!!!Q!!!!!!!!!q
+)!!!!Q3!!!!!!!!qQ!!!!QJ!!!!!!!!r"!!!!Q`!!!!!!!!rI!!!!R!!!!!!!!!r
+l!!!!R3!!!!!!!"!@!!!!RJ!!!!!!!"!d!!!!R`!!!!!!!""1!!!!S!!!!!!!!""
+Y!!!!S3!!!!!!!"#3!!!!!+)!!!!!!!!3U3!!!+-!!!!!!!!3``!!!+3!!!!!!!!
+3i!!!!+8!!!!!!!!3r3!!!+B!!!!!!!!4%J!!!+F!!!!!!!!4-J!!!+J!!!!!!!!
+46!!!!+N!!!!!!!!4D`!!!+S!!!!!!!!4MJ!!!+X!!!!!!!!4T`!!!+`!!!!!!!!
+4[3!!!+d!!!!!!!!4e`!!!+i!!!!!!!!4mJ!!!+m!!!!!!!!5$3!!!,!!!!!!!!!
+5,!!!!,%!!!!!!!!54`!!!,)!!!!!!!!5C3!!!,-!!!!!!!!5J!!!!,3!!!!!!!!
+5RJ!!!,8!!!!!!!!5ZJ!!!,B!!!!!!!!5e3!!!,F!!!!!!!!5m`!!!,J!!!!!!!!
+6$3!!!,N!!!!!!!!6,!!!!,S!!!!!!!!66`!!!,X!!!!!!!!6D!!!!,`!!!!!!!!
+6JJ!!!,d!!!!!!!!6R`!!!,i!!!!!!!!6[!!!!,m!!!!!!!!6d3!!!-!!!!!!!!!
+6m3!!!-%!!!!!!!!8#`!!!-)!!!!!!!!8+J!!!--!!!!!!!!863!!!-3!!!!!!!!
+8CJ!!!-8!!!!!!!!8I!!!!-B!!!!!!!!8PJ!!!-F!!!!!!!!8X3!!!-J!!!!!!!!
+8c!!!!-N!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!1J!!!$X!!!!m!!!!23!!!$i!!!!e!!!!1!!!!$m!!!"!!!!!33!!!$3!!!!b!!!
+!13!!!$F!!!"#!!!!3`!!!%3!!!"&!!!!4J!!!%F!!!")!!!!53!!!%S!!!!c!!!
+!0J!!!!J!!!!*!!!!#J!!!!X!!!!-!!!!!`!!!!B!!!!0!!!!$J!!!!m!!!!#!!!
+!!!!!!!F!!!!&!!!!%!!!!"%!!!!5!!!!%`!!!"3!!!!9!!!!&J!!!"F!!!!B!!!
+!!3!!!!3!!!#h!!!!Z!!!!,N!!!#k!!!!Z`!!!,)!!!#e!!!![!!!!,d!!!#q!!!
+!X3!!!+m!!!#f!!!!Y!!!!,m!!!$!!!!!`3!!!-)!!!$$!!!!a!!!!-8!!!$'!!!
+!a`!!!,!!!!#c!!!!RJ!!!*m!!!#J!!!!S3!!!+)!!!#C!!!!R!!!!+-!!!#N!!!
+!T3!!!*J!!!#@!!!!R3!!!*X!!!#Q!!!!T`!!!+J!!!#T!!!!UJ!!!+X!!!#X!!!
+!V3!!!+i!!!#A!!!!QJ!!!&-!!!"8!!!!93!!!&B!!!"A!!!!6J!!!&%!!!"B!!!
+!@3!!!&S!!!"0!!!!5`!!!&)!!!"3!!!!@`!!!&`!!!"G!!!!AJ!!!&m!!!"J!!!
+!B3!!!')!!!"M!!!!6!!!!%m!!!#&!!!!KJ!!!)F!!!#)!!!!L3!!!)!!!!#$!!!
+!LJ!!!)X!!!#-!!!!I`!!!(d!!!#%!!!!JJ!!!)d!!!#1!!!!M`!!!*!!!!!!N3!
+!!*)!!!#6!!!!P!!!!*8!!!"q!!!!J3!!!'`!!!"Y!!!!EJ!!!'m!!!"`!!!!C`!
+!!'S!!!"a!!!!FJ!!!(-!!!"Q!!!!C!!!!'X!!!"T!!!!G!!!!(8!!!"f!!!!G`!
+!!(J!!!"j!!!!HJ!!!(X!!!"m!!!!C3!!!'J!!!!K!!!!)J!!!#-!!!!N!!!!*3!
+!!"`!!!!I!!!!*J!!!#F!!!!S!!!!'`!!!"N!!!!J!!!!(J!!!#N!!!!U!!!!+`!
+!!#`!!!!Y!!!!,J!!!#m!!!!`!!!!-3!!!"S!!!!G!!!!b!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!690-)%-Z8&"$,NaTBJ"*ER4
+PFQCKBf9-D@)!6@&dD%aTBJ"08d`J8R9ZG'PYC9"33bj-D@)!6h"PEP4`G%PZCA4
+38%-ZE`"2F'9Z9("d5@jdCA*ZCA4-D@)!6h"PEP4bB@jcF'pbG%9iG'j38%-ZE`"
+2F'9Z9(*KER0`Eh*d6'PL!&4SFQ9KC(0-D@)!BQP[Ah0cE#jM!(-b-epME'jd,Q-
+!Fc)cAfaTBLjM!(-b-epYCA4S,Q-!Fc)cAh"VG#jM!(-b-epcFRCb,Q-!Fc*IBfa
+ZG#jM!(-bAf9ZBbjM!(-bAfaTBLjM!(-bAfePG'JZB`"c-Pp`Dh3ZB`"c-PpcFRC
+b,Q-!Fc0IBQpdD#jM!(-cAf0XER3ZB`"c-epPEQ-ZB`"c-epXD@)ZB`"c-epYCA4
+S,Q-!Fc0IF'Yd,Q-!Fc0IFh*fFLjM!(0cE&pKE'Gc,Q-!Fh0XAf&cEM%ZB`"cFfa
+IBf9bG#jM!(0cE&pMDA"S,Q-!Fh0XAf9bFLjM!(0cE&pPFR)b,Q-!Fh0XAfaTBLj
+M!(0cE&pbFf%ZB`"cFfaIFf9cFbjM!(0cE&pcG'&d,Q-!Fh0XAh4iG#jM!(3aAf0
+XER3ZB`"d-9pPEQ-ZB`"d-9pXD@)ZB`"d-9pYCA4S,Q-!G$&IFh*fFLjM!'&cEM&
+ICA*b,Q-!BA0Z-9pXD@)ZB`"KFfiaAh"KFLjM!'&cEPp`B@0V,Q-!B9pLDA4cG()
+ZB`"KAf*YF#jM!'&IBQp[E#jM!'&IBRPdCA-ZB`"KAf3bD9pQF#jM!'&IC'PRCA0
+d,Q-!B9pNGA!ZB`"KAf9ZG@dZB`"KAfGPER4Y,Q-!B9pSC()ZB`"KAfNbC&pQF#j
+M!'&ID@jd,Q-!B9pYCA4S,Q-!B9p[BQTPBh3ZB`"KAfpMG'9d,Q-!B9p`FQPZG#j
+M!'&IFf9d,Q-!B9pcD@GZ,Q-!B9pdD@eP,Q-!B9pdHA"P,Q-!B9peG'0dE5jM!'&
+IGA4Q1#jM!'&IGQ9bD@Cj,Q-!B9pfDA-ZB`"N-QPIC'K`,Q-!C$*TAf4cBA!ZB`"
+N-QPIF()ZB`"N-QPIF(8ZB`"N-QPIFPp`FLjM!'3bD9pbAh"e,Q-!C$*TAh0IF()
+ZB`"N-QPIFep`G5jM!'9fF&pKFfia,Q-!CPpPER9Y,Q-!CPpTER3ZB`"QAh0dFQP
+ZCbjM!'NbC&pND(!ZB`"T-Q4IC(0KF#jM!'NbC&p`FLjM!'NbC&p`G5jM!'NbC&p
+bAh"b,Q-!D6*NAh*IF(8ZB`"T-Q4IFep`FLjM!'NbC&pcAh"e,Q-!ER0cCA%ZB`"
+ZAh"VCANZB`"`09p`BQ8ZB`"`09p`BQ9f-LjM!(!hAf4RFh3ZB`"`0epPEQ-ZB`"
+`0epPEQ0IBbjM!(!hAf9fF#jM!(!hAfPIFbjM!(!hAfaTBLjM!(!hAh*PBfP`,Q-
+!F$GIFfPREQ3ZB`"`0epcD@GZD5jM!(!hAh0IC5jM!(!iAh"VCANZB`"dAf0bE#j
+M!(4IF'YPH5jM!(4IFQ9a,Q-!G&pi06!j,Q-!H&pKE'G[FLjM!(KIBA4dFQPL,Q-
+!H&pMD@jQ,Q-!H&pMFQ`ZB`"iAf9iG'9Z,Q-!H&pTEQC[,Q-!H&pZB@eP,Q-!H&p
+`Df9j,Q-!H&p`G@*VCANZB`"iAh*PF5jM!(KIFfPR,Q-!H&pcF'YT,Q-!H&pfB@`
+ZB`"iAhJe-$NZB`"LCPpMCQ)f0#jM!'*QAf9MBLjM!'*QAf9ZBbjM!'*QAfpQBMB
+d,Q-!BQCIFfYPH5jM!'*TEepPFR)ZB`"LD@pIE'PL,Q-!BR0cAh0[BfXZB`"LEPp
+KC'3ZB`"LEPpKFfdZB`"LEPpLE'PZC#jM!'*ZAf4TGLjM!'*ZAf9bFLjM!'*ZAf9
+iF#jM!'*ZAf9iF$)ZB`"LEPpRBf3ZB`"LEPpXD@)ZB`"LEPpYEfjd,Q-!BQjIEA"
+T,Q-!BQjIEA9X,Q-!BQjIF(*TE@8ZB`"LEPp`FQPZG#jM!'*ZAh*KEQ3ZB`"LEPp
+bC@0`,Q-!BQjIFfKTCR3ZB`"LEPpcFA)ZB`"LEPphEh*N,Q-!BR9QCQ9b,Q-!BR9
+QAf9bFLjM!'0IBfCL0M3ZB`"MAf9MBLjM!'0IC@jM,Q-!Bep[CQ)f0#jM!'0IFfY
+PH5jM!'0[EA"IE'PL,Q-!BepbE'8ZB`"MAhTXD@)ZB`"MEfjQ,Q-!BfpZCPpPFR)
+ZB`"MBQ0IBfYcE5jM!'0LBepPEQ-ZB`"MCQ)f0'9NC5jM!'0QBMBdC@jM,Q-!BfC
+LAf9ZBbjM!'4PFepPEQ-ZB`"PBf)cAf9ZBbjM!'9MBPpPEQ-ZB`"PC'9IBf*ME9p
+PEQ-ZB`"PEQ0IFQ9KC#jM!'CMFRP`G#jM!'CMFRP`G&pL,Q-!EfCL0M4PC'8ZB`"
+[CQ)f0'9ZBbjM!'pQBPpPEQ-ZB`"`Bf*MAf9ZBbjM!(&eC&pMDh0Y,Q-!FQ&ZC&p
+VCANZB`"bC@&N-R"hC#jM!(*PB@4IF(GN,Q-!FR"MAf9ZBbjM!(0PG&pVCANZB`"
+cG()bDf9j,Q-!Fh9`F#jM!(KMBQ0IC@jM,Q-!C'KIBfKPBfXZB`"ND&pPFR)ZB`"
+ND&pRC@iZB`"ND&pVCANZB`"ND&pXD@)ZB`"NFf&IBA0Z-5jM!'4cB9pPFR)ZB`"
+NFf&ICf9Z,Q-!C(0KAfYPH5jM!'4cB9pXD@)ZB`"NFf&IFfPRELjM!'4cB9pfFQB
+ZB`"PFR)ZB`"PFR*IB@aX,Q-!CA*bAh"bELjM!'*TEepL0M3ZB`"LD@pIC@jM,Q-
+!BQP[AfeN,Q-!BQP[AfpV,Q-!BepKE'`ZB`"ND@GPFh3ZB`"PEQ0[C'8ZB`"PGR"
+IC@jM,Q-!CAC`Af9bFLjM!'9fF&pVCANZB`"PGR"IE'PL,Q-!CAC`Ah"LC5jM!'9
+fF&p`Df9j,Q-!C9pMBQ0I-f3ZB`"PAf0LBepLCLjM!'9IBf*MAf-ZB`"PAf0LBep
+N,Q-!C9pMBQ0ID5jM!'9IBf*MAh)b,Q-!C9pMBQ0IFM8ZB`"PAf0QBPmcC#jM!'9
+IBfCLAf*Q,Q-!C9pMCQ*IBbjM!'9IBfCLAf3ZB`"PAf0QBPpT,Q-!C9pMCQ*IFM)
+ZB`"PAf0QBPpb05jM!'9IC@0LAc0N,Q-!C9pPBf*IBQBZB`"PAf9MBPpM,Q-!C9p
+PBf*IC#jM!'9IC@0LAfNZB`"PAf9MBPpb-LjM!'9IC@0LAh)e,Q-!C9pZG@aX,Q-
+!C9p[CQ*I-f3ZB`"PAfpQBPpLCLjM!'9IEfCLAf-ZB`"PAfpQBPpN,Q-!C9p[CQ*
+ID5jM!'9IEfCLAh)b,Q-!C9p[CQ*IFM8ZB`"PAh*M0#jM!'9IH'0LBepN,Q-!E9p
+NFh-ZB`"YAf4cFc%ZB`"YAfeN-LjM!'eIE@3e,Q-!E9pYC'-b,Q-!E9pZG@aX,Q-
+!E9pbDA"PE@3ZB`"YAh0SB5jM!'eIFfKK-5jM!'jKE@9c,Q-!F&pNC@-ZB`"`Af9
+ZBbjM!("IE'PL,Q-!F&p[F'9Z,Q-!F&pcC@&X,Q-!F&pcD@GZ,Q-!F&pfCA*TCRN
+ZB`"SE@&M,Q-!D9pMBQ-ZB`"TAf0QBMBd,Q-!D9pPBf)ZB`"TAfpQBMBd,Q-!D9p
+cDf9j,Q-!E'KKFfJZB`"XD&pcG'&dFbjM!'eN-PpNCh0d,Q-!E@3bAfpZC5jM!'e
+N09pNCh0d,Q-!E@3eAfpZC5jM!'eNBc*NCh0d,Q-!E@4M-Pp[EQ8ZB`"[BQTIC'&
+d,Q-!Ef*UAf9bFLjM!'pLDPpXD@)ZB`"[AfjKE@9c,Q-!F'9YAf&XE#jM!("PE9p
+PFR)ZB`"`C@eID@jQEbjM!("PE9pXD@)ZB`"`C@eIFf9KE#jM!("PE9pcD@GZ,Q-
+!F$%bAf&NC#jM!(!a-PpKG(4b,Q-!F$%bAf*KCh-ZB`"`-6*IBh*`G#jM!(!a-Pp
+MFR3ZB`"`-6*IC'9MFLjM!(!a-PpTEQPd,Q-!F$%bAfYPH5jM!(!a-PpVDA0c,Q-
+!F$%bAfaTBLjM!(!a-PpYB@-ZB`"`-6*IEA9dE#jM!(!a-PpcBQ&R,Q-!F$%bAh9
+dE#jM!("V-6*PFR)ZB`"`DcGIC'pTG#jM!("V0epXD@)ZB`"`Df0c0f9bFLjM!'e
+NAh*KEQ3ZB`"bB@jNCQPXC5jM!(*KEQ4IE'PL,Q-!FQ-bBfCL0M3ZB`"bBc*[CQ)
+f0#jM!(*M-PpMBQ-ZB`"bBc*IC@0L,Q-!FQ-bAh0VCANZB`"bBc4IC@jM,Q-!FQ-
+dAh0VCANZB`"bBc9MCQ)f0#jM!(*M0@pQBMBd,Q-!FQ-eAf9MBLjM!(*M09pPEQ-
+ZB`"bBc9IFfYPH5jM!(*YC&pNCh0d,Q-!FQeNAfpZC5jM!(*cB9pPBANZB`"bFf&
+ICA*b,Q-!FR0KAfGPELjM!(*cB9pXD@)ZB`"bFf&IEQpZC5jM!(*cB9p[B@9`,Q-
+!FR0KAh"V-5jM!(*cB9pcB@pc,Q-!FR0KAh0TCfiZB`"bFf&IFh0X,Q-!FfKK-@4
+RFh3ZB`"cD'%aAfpZC5jM!(0SB9pNCh0d,Q-!FfKKAfpZC5jM!(0dB@0V,Q-!G(K
+dAf4L,Q-!BRPIC'Pb,Q-!BRPICQPXC5jM!(Je-$PZB@eP,Q-!H$8`1A*cCA3ZB`"
+i06!jG(P`C5jM!(Je-$PIBfe`,Q-!H$8`19pN-LjM!(Je-$PIC'9Q,Q-!H$8`19p
+PFR)ZB`"i06!jAf9iG#jM!(Je-$PIE(8ZB`"i06!jAfpLDLjM!(Je-$PIFM*i,Q-
+!H$8`19pbCA%ZB`"i06!jAh0PG#jM!(Je-$PIG(Kd,Q-!H$8`19pf-bjM!(Je-$P
+IGQCj,Q-!H&pKE'`ZB`"f-f9bFLjM!(BcAf&VCANZB`"f-epKE(3ZB`"f-epLBfp
+ZFbjM!(BcAf*TG(0d,Q-!GM0IBfpZCLjM!(BcAf0`Efac,Q-!GM0IBh*XC#jM!(B
+cAf9ZG@dZB`"f-epPH(4VG5jM!(BcAfGPEQiZB`"f-epTB68ZB`"f-epTER3ZB`"
+f-epXD@)ZB`"f-ep`Dh8ZB`"f-ep`FQiZB`"f-epcDf9j,Q-!GM0IFhKZCA3ZB`"
+f-epeG'`ZB`"MF(4ICA*b,Q-!Bh*jF(4XD@)ZB`"PH&pNBA4K,Q-!E@9Y,Q-!690
+-)&0*6e9B,P"33bj-D@)!BQCIBR9QCLjM!(KIH$8`1@%ZB`"NFf&IEh0cE#jM!(J
+e-$PcF'YT,Q-!H$8`19pdFR-ZB`"f-ep`GA*`,Q-!GM0ID@jQEbjM!'*IF(*TER3
+ZB`"KAfeLFh4b,Q-!G&pcF'YT,Q-!G&pi06!jB5jM!(4IBQPdFh3ZB`"KAh0dFQj
+TC#jM!'*TEepMBLjM!'*cFepYC@dZB`"LFh0ICQ3ZB`"LFh0ICQPXC5jM!'*cFep
+ZG@aX,Q-!BQCIER9XE#jM!'*QAfjLD@mZB`"LFh0IBQP[,Q-!BPpNG@e`,Q-!C@j
+MAhGbDA3ZB`"`09pMFR"d,Q-!F$9IBh*`G$)ZB`"`-6*IER"KFbjM!("V0epKG(4
+b,Q-!F'XhAfeTE@8ZB`"`DcGIFfeTE@8ZB`"bFf&IBfKV,Q-!FR0KAfjeE'`ZB`"
+MGQ9bFfP[ELjM!%038h4bD@jR9A4TE(-ZBh"`!%9bFQpb5'&ZC'aTEQFZBh"`!%G
+PG%K89&"6,Q0`F!"0B@06Ef0VCA3ZBh"`!'ePE9pNBQFZB`"36&0dFQPZCdCeEQ0
+c8&"$,QaTBJ"LEPpMG(JZB`"bB@jNAf9bFLjM!(J!BA"`FbjM!'&`F&pbB@jN,Q-
+!BA0Z-A"KFR-ZB`"MB5jM!'0TF'KPFR-ZB`"MFQ`ZB`"MFQ`bF$FZB`"NCh0d,Q-
+!C'JZB`"NFf%ZB`"NFf&`BA*KE5jM!'9ZBbjM!'9bFR0dFLjM!'GPEQ4S,Q-!Cf9
+ZC(0K,Q-!Cf9ZFR0K,Q-!ER0PF5jM!'p`C@jcFf`ZB`"`Df0c-6)ZB`"`Df0c0bj
+M!("VBh-i,Q-!FQ9a,Q-!FR0K,Q-!Ff9cFepTC#jM!(0YD@eP,Q-!Fh"PC@3ZB`"
+cF'YKBbjM!(0IBf)ZB`"cAf0XD@9ZG#jM!(0IFf9bGQ9b,Q-!FepcEf0VCA3ZB`"
+fCA*TCRNZB`"fCA*cD@pZ,Q-!H$8`15jM!(0IG'PYC5jM!%G98dPI5@jTG#jMF(!
+!4e9659p$Eh*P,P"33bj-D@)!4e9659p08d`Z8&"$,NaTBJ"(990*Ae0*6e9B,P"
+33bj-D@)!6'PL8e0-,P"33bj-D@)!6'PL3h*jF(4[,P"33bj-D@)!6@&M6e-ZE'P
+L!%e66#"5G@jdD@eP0MK,,NaTBJ"2F'9Z9("d5@jPG#j[!%p`C@j8FQ&ZFh"[FR3
+ZE`"2F'9Z9(*KER0`Eh*d3A"`,Qm!690-)&0*6e9B,MBi5bj-D@)!690-)%-Z0MK
+,)%CK+$4TAcKN+5j-D@)!6@&dD%aTBMBi5b"'B5JdD9miC#NZ6'PL!%CTFR0d)&0
+PCfePER3!4e9659p$Eh*P,MBi5bj-D@)!4e9659p08d`Z0MK,,NaTBJ"(990*Ae0
+*6e9B,MBi5bj-D@)!6'PL3h*jF(4[,MBiDb"'B5JdD9miC#NZ6'PL!%aTBP066#i
+f1%XJ4Q%S0'PI1'3T,NaTBJ"(CA4)9&438b"38%-!6h"PEP066#"38%-!4f9d5&4
+88&-J0MK,!%aTBP066#!f1%X!6h"PEP066#!f1'X!6'PL8e0-)&"33`"-D@*$FRP
+`G'mJ8&"$!%aTBN0bHA"dEb!f1%X!1NGPG%K89&"6+&"33bN!6'PL)%PYF'pbG#"
+38%-!3Q&XE'p[EL")C@a`!%eA)%-[3bXV)&"33`"(B@eP3fpNC5"$EfjfCA*dCA)
+!4QaPH#"3FQ9`FQpMCA0cEh)!69FJ8'&cBf&X)&"33`"5CAS!8&"$3A0Y!%*TFfp
+Z)&"bCA"bEf0PFh0[FJ"B3dp'4L"*EA"[FR3J8&"$!&"&4L"*EA"[FR3J8&"$!$T
+2F'9Z8e0-!$T(CA4)9&438bJf1%XT!%aTBL"*EA"[FR3J0MK,!%e39b"*EA"[FR3
+J0MK,!%eA)%-[3bXV)$Bi5`"09b"3BA0MB@`J0MK,!&"&4L"*EA"[FR3J0MK,!$T
+-D@*68d`Z0MK,)%CK+$4TAcKN+5j-D@)!1Np`C@j68d`S0MKV+3!k6'PL8e0-,P"
+33bj-D@)!1NaTBN0bHA"dEbj38%-Z6'PL!$T-D@*$FRP`G'mZ0MKV)%CK+$4TAcK
+N+5j-D@)!6@&M6e-J8&"$)%aTEQYPFJ"0B@028b!f1%XJ6'PZDf9b!&0[GA*MC5"
+8FQ9PF`"$GA0dEfdJ5f9jGfpbC(-!3@0MCA0c)&"KG'Kc!&4KFQGPG#"6CA4dD@j
+RF`"'D@aP)%eKF("TEQGc!%*eD@aN)%9iG(*KF`"%C@*eCfGPFL"5G@jdD@eP!%4
+PBR9RCf9b)&4KFQGPG!"$,d-V+b"$Efe`D@aPFJ"$,d-V+b"ABA*ZD@jRF`"38%-
+J3fpNC8GPEJ"38%-J4'PcBA0cC@eLE'9b!&"33b"(E'pLB@`J6h"dD@eTHQ9b!&"
+33b"-D@jVCA)!8&"$)&"&4J"38%-J8(*[DQ9MG!"38%0"FfdJ8'&ZC@`!8Q9k)%0
+[EA"TE'9b!$Bi5b"$Ef4P4f9Z!$Bi5b"%DA0KFh0PE@*XCA)!0MK,)%GXEf*KE#"
+2F(4TE@PkCA)!0MK,)%aTEQYPFJ!f1%XJ8(*[DQ9MG!"$4Ndf1%X!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%!!!!!!!!!$J!
+!!!)!!!!!!!!!'`!!!!-!!!!!!!!!)`!!!!3!!!!!!!!!0J!!!!8!!!!!!!!!4`!
+!!!B!!!!!!!!!@J!!!!F!!!!!!!!!F3!!!!J!!!!!!!!!JJ!!!!N!!!!!!!!!M3!
+!!!S!!!!!!!!!P`!!!!X!!!!!!!!!SJ!!!!`!!!!!!!!!V!!!!!d!!!!!!!!!Y`!
+!!!i!!!!!!!!!`3!!!!m!!!!!!!!!c!!!!"!!!!!!!!!!eJ!!!"%!!!!!!!!!h`!
+!!")!!!!!!!!!k!!!!"-!!!!!!!!!mJ!!!"3!!!!!!!!!q`!!!"8!!!!!!!!""3!
+!!"B!!!!!!!!"$`!!!"F!!!!!!!!"'3!!!"J!!!!!!!!")J!!!"N!!!!!!!!"+`!
+!!"S!!!!!!!!"03!!!"X!!!!!!!!"2J!!!"`!!!!!!!!"5!!!!"d!!!!!!!!"8`!
+!!"i!!!!!!!!"AJ!!!"m!!!!!!!!"D3!!!#!!!!!!!!!"G!!!!#%!!!!!!!!"IJ!
+!!#)!!!!!!!!"L3!!!#-!!!!!!!!"N`!!!#3!!!!!!!!"R3!!!#8!!!!!!!!"U!!
+!!#B!!!!!!!!"X`!!!#F!!!!!!!!"[3!!!#J!!!!!!!!"a`!!!#N!!!!!!!!"d!!
+!!#S!!!!!!!!"f3!!!#X!!!!!!!!"i`!!!#`!!!!!!!!"l3!!!#d!!!!!!!!"q!!
+!!#i!!!!!!!!#!`!!!#m!!!!!!!!#$J!!!$!!!!!!!!!#'3!!!$%!!!!!!!!#*!!
+!!$)!!!!!!!!#,!!!!$-!!!!!!!!#03!!!$3!!!!!!!!#2`!!!$8!!!!!!!!#5J!
+!!$B!!!!!!!!#93!!!$F!!!!!!!!#A3!!!$J!!!!!!!!#CJ!!!$N!!!!!!!!#F!!
+!!$S!!!!!!!!#H!!!!$X!!!!!!!!#J`!!!$`!!!!!!!!#L`!!!$d!!!!!!!!#P!!
+!!$i!!!!!!!!#R`!!!$m!!!!!!!!#U3!!!%!!!!!!!!!#X`!!!%%!!!!!!!!#Z`!
+!!%)!!!!!!!!#a!!!!%-!!!!!!!!#c3!!!%3!!!!!!!!#eJ!!!%8!!!!!!!!#i!!
+!!%B!!!!!!!!#k3!!!%F!!!!!!!!#p!!!!%J!!!!!!!!#r!!!!%N!!!!!!!!$"J!
+!!%S!!!!!!!!$%3!!!%X!!!!!!!!$'J!!!%`!!!!!!!!$)`!!!%d!!!!!!!!$,J!
+!!%i!!!!!!!!$13!!!%m!!!!!!!!$4!!!!&!!!!!!!!!$6`!!!&%!!!!!!!!$@J!
+!!&)!!!!!!!!$B`!!!&-!!!!!!!!$D`!!!&3!!!!!!!!$GJ!!!&8!!!!!!!!$J!!
+!!&B!!!!!!!!$L`!!!&F!!!!!!!!$P!!!!&J!!!!!!!!$R3!!!&N!!!!!!!!$U!!
+!!&S!!!!!!!!$X`!!!&X!!!!!!!!$[J!!!&`!!!!!!!!$b3!!!&d!!!!!!!!$d3!
+!!&i!!!!!!!!$fJ!!!&m!!!!!!!!$i`!!!'!!!!!!!!!$lJ!!!'%!!!!!!!!$q!!
+!!')!!!!!!!!%!3!!!'-!!!!!!!!%$!!!!'3!!!!!!!!%&3!!!'8!!!!!!!!%(J!
+!!'B!!!!!!!!%*`!!!'F!!!!!!!!%-J!!!'J!!!!!!!!%23!!!'N!!!!!!!!%5!!
+!!'S!!!!!!!!%83!!!'X!!!!!!!!%@`!!!'`!!!!!!!!%B`!!!'d!!!!!!!!%E!!
+!!'i!!!!!!!!%G!!!!'m!!!!!!!!%I3!!!(!!!!!!!!!%K`!!!(%!!!!!!!!%NJ!
+!!()!!!!!!!!%Q`!!!(-!!!!!!!!%S`!!!(3!!!!!!!!%V3!!!(8!!!!!!!!%YJ!
+!!(B!!!!!!!!%[`!!!(F!!!!!!!!%b!!!!(J!!!!!!!!%d`!!!(N!!!!!!!!%f`!
+!!(S!!!!!!!!%i`!!!(X!!!!!!!!%l!!!!(`!!!!!!!!%p!!!!(d!!!!!!!!%r3!
+!!(i!!!!!!!!&#!!!!(m!!!!!!!!&%3!!!)!!!!!!!!!&'J!!!)%!!!!!!!!&*3!
+!!))!!!!!!!!&,`!!!)-!!!!!!!!&13!!!)3!!!!!!!!&3`!!!)8!!!!!!!!&6J!
+!!)B!!!!!!!!&9`!!!)F!!!!!!!!&B!!!!)J!!!!!!!!&D`!!!)N!!!!!!!!&G!!
+!!)S!!!!!!!!&I3!!!)X!!!!!!!!&KJ!!!)`!!!!!!!!&N!!!!!#0!!!!!!!!"CN
+!!!#1!!!!!!!!"D)!!!#2!!!!!!!!"D`!!!#3!!!!!!!!!!@e!!!!N3!!!!!!!!@
+q!!!!NJ!!!!!!!!A*!!!!N`!!!!!!!!A8!!!!P!!!!!!!!!AH!!!!P3!!!!!!!!A
+S!!!!PJ!!!!!!!!Ac!!!!P`!!!!!!!!Am!!!!Q!!!!!!!!!B'!!!!Q3!!!!!!!!B
+2!!!!QJ!!!!!!!!BC!!!!Q`!!!!!!!!BM!!!!R!!!!!!!!!BV!!!!R3!!!!!!!!B
+c!!!!RJ!!!!!!!!Bp!!!!R`!!!!!!!!C'!!!!S!!!!!!!!!C4!!!!S3!!!!!!!!C
+C!!!!SJ!!!!!!!!CL!!!!S`!!!!!!!!CT!!!!T!!!!!!!!!Cd!!!!T3!!!!!!!!C
+r!!!!TJ!!!!!!!!D*!!!!T`!!!!!!!!D8!!!!U!!!!!!!!!DI!!!!U3!!!!!!!!D
+T!!!!UJ!!!!!!!!Dc!!!!U`!!!!!!!!Dq!!!!V!!!!!!!!!E)!!!!V3!!!!!!!!E
+A!!!!VJ!!!!!!!!EL!!!!V`!!!!!!!!EV!!!!X!!!!!!!!!Ef!!!!X3!!!!!!!!F
+"!!!!XJ!!!!!!!!F-!!!!X`!!!!!!!!F@!!!!Y!!!!!!!!!FK!!!!Y3!!!!!!!!F
+X!!!!YJ!!!!!!!!Fh!!!!Y`!!!!!!!!G#!!!!Z!!!!!!!!!G0!!!!Z3!!!!!!!!G
+A!!!!ZJ!!!!!!!!GK!!!!Z`!!!!!!!!GV!!!![!!!!!!!!!Gb!!!![3!!!!!!!!G
+p!!!![J!!!!!!!!H)!!!![`!!!!!!!!H4!!!!`!!!!!!!!!HD!!!!`3!!!!!!!!H
+M!!!!`J!!!!!!!!HX!!!!``!!!!!!!!Hh!!!!a!!!!!!!!!I"!!!!a3!!!!!!!!I
+,!!!!aJ!!!!!!!!I9!!!!a`!!!!!!!!II!!!!b!!!!!!!!!IU!!!!b3!!!!!!!!I
+d!!!!bJ!!!!!!!!Ik!!!!b`!!!!!!!!J%!!!!c!!!!!!!!!J1!!!!c3!!!!!!!!J
+B!!!!cJ!!!!!!!!JL!!!!c`!!!!!!!!JV!!!!d!!!!!!!!!Jd!!!!d3!!!!!!!!J
+m!!!!dJ!!!!!!!!K&!!!!d`!!!!!!!!K1!!!!e!!!!!!!!!KB!!!!e3!!!!!!!!K
+L!!!!eJ!!!!!!!!KX!!!!e`!!!!!!!!Kf!!!!f!!!!!!!!!L!!!!!f3!!!!!!!!L
+,!!!!fJ!!!!!!!!L@!!!!f`!!!!!!!!LK!!!!h!!!!!!!!!LV!!!!h3!!!!!!!!L
+e!!!!hJ!!!!!!!!Lr!!!!h`!!!!!!!!M+!!!!i!!!!!!!!!M9!!!!i3!!!!!!!!M
+J!!!!iJ!!!!!!!!MV!!!!i`!!!!!!!!Me!!!!j!!!!!!!!!Mr!!!!j3!!!!!!!!N
+*!!!!jJ!!!!!!!!N8!!!!j`!!!!!!!!NI!!!!k!!!!!!!!!NU!!!!k3!!!!!!!!N
+e!!!!kJ!!!!!!!!Nr!!!!k`!!!!!!!!P*!!!!l!!!!!!!!!P6!!!!l3!!!!!!!!P
+H!!!!lJ!!!!!!!!PT!!!!l`!!!!!!!!Pb!!!!m!!!!!!!!!Pp!!!!m3!!!!!!!!Q
+)!!!!mJ!!!!!!!!Q5!!!!m`!!!!!!!!QF!!!!p!!!!!!!!!QQ!!!!p3!!!!!!!!Q
+a!!!!pJ!!!!!!!!Qm!!!!p`!!!!!!!!R%!!!!q!!!!!!!!!R2!!!!q3!!!!!!!!R
+A!!!!qJ!!!!!!!!RJ!!!!q`!!!!!!!!RS!!!!r!!!!!!!!!R`!!!!r3!!!!!!!!R
+j!!!!rJ!!!!!!!!S#!!!!r`!!!!!!!!S0!!!"!!!!!!!!!!S9!!!"!3!!!!!!!!S
+H!!!"!J!!!!!!!!SQ!!!"!`!!!!!!!!SZ!!!""!!!!!!!!!Sf!!!""3!!!!!!!!S
+q!!!""J!!!!!!!!T(!!!""`!!!!!!!!T3!!!"#!!!!!!!!!TC!!!"#3!!!!!!!!T
+N!!!"#J!!!!!!!!TV!!!"#`!!!!!!!!Tc!!!"$!!!!!!!!!Tp!!!"$3!!!!!!!!U
+&!!!"$J!!!!!!!!U2!!!"$`!!!!!!!!UB!!!"%!!!!!!!!!UJ!!!"%3!!!!!!!!U
+V!!!"%J!!!!!!!!Uf!!!"%`!!!!!!!!V!!!!"&!!!!!!!!!V,!!!"&3!!!!!!!!V
+9!!!"&J!!!!!!!!VJ!!!"&`!!!!!!!!VV!!!"'!!!!!!!!!Ve!!!"'3!!!!!!!!V
+r!!!"'J!!!!!!!!X*!!!"'`!!!!!!!!X6!!!"(!!!!!!!!!XG!!!"(3!!!!!!!!X
+R!!!"(J!!!!!!!!Xb!!!"(`!!!!!!!!Xm!!!")!!!!!!!!!Y(!!!")3!!!!!!!!Y
+5!!!")J!!!!!!!!YF!!!")`!!!!!!!!YR!!!"*!!!!!!!!!Yb!!!"*3!!!!!!!!Y
+p!!!"*J!!!!!!!!Z(!!!"*`!!!!!!!!Z5!!!"+!!!!!!!!!ZG!!!"+3!!!!!!!!Z
+R!!!"+J!!!!!!!!Zb!!!"+`!!!!!!!!Zm!!!",!!!!!!!!!['!!!",3!!!!!!!![
+4!!!",J!!!!!!!![F!!!",`!!!!!!!![Q!!!"-!!!!!!!!![`!!!"-3!!!!!!!![
+l!!!"-J!!!!!!!!`&!!!"-`!!!!!!!!`3!!!"0!!!!!!!!!`D!!!"03!!!!!!!!`
+P!!!"0J!!!!!!!!``!!!"0`!!!!!!!!`l!!!"1!!!!!!!!!a'!!!"13!!!!!!!!a
+3!!!"1J!!!!!!!!aD!!!"1`!!!!!!!!aP!!!"2!!!!!!!!!a[!!!"23!!!!!!!!a
+k!!!"2J!!!!!!!!b&!!!"2`!!!!!!!!b3!!!!!8!!!!!!!!!-QJ!!!8%!!!!!!!!
+-T!!!!8)!!!!!!!!-V`!!!8-!!!!!!!!-ZJ!!!83!!!!!!!!-a!!!!88!!!!!!!!
+-cJ!!!8B!!!!!!!!-f!!!!8F!!!!!!!!-iJ!!!8J!!!!!!!!-l!!!!8N!!!!!!!!
+-p`!!!8S!!!!!!!!0!J!!!8X!!!!!!!!0$!!!!8`!!!!!!!!0&`!!!8d!!!!!!!!
+0)J!!!8i!!!!!!!!0,!!!!8m!!!!!!!!00`!!!9!!!!!!!!!03J!!!9%!!!!!!!!
+063!!!9)!!!!!!!!09`!!!9-!!!!!!!!0A`!!!93!!!!!!!!0D!!!!98!!!!!!!!
+0F3!!!9B!!!!!!!!0H`!!!9F!!!!!!!!0KJ!!!9J!!!!!!!!0N3!!!9N!!!!!!!!
+0R!!!!9S!!!!!!!!0T`!!!9X!!!!!!!!0X3!!!9`!!!!!!!!0[!!!!9d!!!!!!!!
+0a`!!!9i!!!!!!!!0dJ!!!9m!!!!!!!!0h!!!!@!!!!!!!!!0j`!!!@%!!!!!!!!
+0mJ!!!@)!!!!!!!!0r3!!!@-!!!!!!!!1#!!!!@3!!!!!!!!1%`!!!@8!!!!!!!!
+1(3!!!@B!!!!!!!!1+!!!!@F!!!!!!!!1-!!!!@J!!!!!!!!11!!!!@N!!!!!!!!
+13J!!!@S!!!!!!!!15`!!!@X!!!!!!!!19J!!!@`!!!!!!!!1B3!!!@d!!!!!!!!
+1D`!!!@i!!!!!!!!1GJ!!!@m!!!!!!!!1J!!!!A!!!!!!!!!1LJ!!!A%!!!!!!!!
+1P3!!!A)!!!!!!!!1R`!!!A-!!!!!!!!1U!!!!A3!!!!!!!!1X3!!!A8!!!!!!!!
+1ZJ!!!AB!!!!!!!!1``!!!AF!!!!!!!!1c!!!!AJ!!!!!!!!1eJ!!!AN!!!!!!!!
+1i3!!!AS!!!!!!!!1kJ!!!AX!!!!!!!!1p!!!!A`!!!!!!!!1r`!!!Ad!!!!!!!!
+2#3!!!Ai!!!!!!!!2$`!!!Am!!!!!!!!2)3!!!B!!!!!!!!!2+`!!!B%!!!!!!!!
+203!!!B)!!!!!!!!23!!!!B-!!!!!!!!25`!!!B3!!!!!!!!29J!!!B8!!!!!!!!
+2B!!!!BB!!!!!!!!2DJ!!!BF!!!!!!!!2G!!!!BJ!!!!!!!!2IJ!!!BN!!!!!!!!
+2K`!!!BS!!!!!!!!2N3!!!BX!!!!!!!!2Q`!!!B`!!!!!!!!2TJ!!!Bd!!!!!!!!
+2V`!!!Bi!!!!!!!!2Z3!!!Bm!!!!!!!!2`J!!!C!!!!!!!!!!$md!!!'4!!!!!!!
+!$pJ!!!'5!!!!!!!!$q)!!!'6!!!!!!!!$q`!!!'8!!!!!!!!$rB!!!'9!!!!!!!
+!$rm!!!'@!!!!!!!!%!S!!!'A!!!!!!!!%"3!!!'B!!!!!!!!%"m!!!'C!!!!!!!
+!%#S!!!'D!!!!!!!!%$8!!!'E!!!!!!!!%%!!!!'F!!!!!!!!%%`!!!'G!!!!!!!
+!%&B!!!'H!!!!!!!!%'%!!!'I!!!!!!!!%'`!!!'J!!!!!!!!%(i!!!'K!!!!!!!
+!%*!!!!!"SJ!!!!!!!"#G!!!"S`!!!!!!!"#V!!!"T!!!!!!!!"#e!!!"T3!!!!!
+!!"$+!!!"TJ!!!!!!!"$6!!!"T`!!!!!!!"$H!!!"U!!!!!!!!"$J!!!"U3!!!!!
+!!"$R!!!"UJ!!!!!!!"$b!!!"U`!!!!!!!"$p!!!"V!!!!!!!!"%#!!!"V3!!!!!
+!!"%-!!!"VJ!!!!!!!"%5!!!"V`!!!!!!!"%E!!!"X!!!!!!!!"%L!!!"X3!!!!!
+!!"%R!!!"XJ!!!!!!!"%Y!!!"X`!!!!!!!"%i!!!"Y!!!!!!!!"%q!!!"Y3!!!!!
+!!"&(!!!"YJ!!!!!!!"&2!!!"Y`!!!!!!!"&B!!!"Z!!!!!!!!"&K!!!"Z3!!!!!
+!!"&S!!!"ZJ!!!!!!!"&b!!!"Z`!!!!!!!"&l!!!"[!!!!!!!!"'$!!!"[3!!!!!
+!!"',!!!"[J!!!!!!!"'4!!!"[`!!!!!!!"'A!!!"`!!!!!!!!"'K!!!"`3!!!!!
+!!"'T!!!"`J!!!!!!!"'a!!!"``!!!!!!!"'j!!!"a!!!!!!!!"(!!!!"a3!!!!!
+!!"(,!!!"aJ!!!!!!!"(@!!!"a`!!!!!!!"(K!!!"b!!!!!!!!"(U!!!"b3!!!!!
+!!"(d!!!"bJ!!!!!!!"(l!!!"b`!!!!!!!")%!!!"c!!!!!!!!")5!!!"c3!!!!!
+!!")N!!!"cJ!!!!!!!")e!!!"c`!!!!!!!"*)!!!"d!!!!!!!!"*A!!!"d3!!!!!
+!!"*T!!!"dJ!!!!!!!"*c!!!"d`!!!!!!!"+'!!!"e!!!!!!!!"+8!!!"e3!!!!!
+!!"+N!!!"eJ!!!!!!!"+h!!!"e`!!!!!!!",*!!!"f!!!!!!!!",K!!!"f3!!!!!
+!!",k!!!"fJ!!!!!!!"-)!!!"f`!!!!!!!"-D!!!"h!!!!!!!!"-V!!!"h3!!!!!
+!!"-q!!!"hJ!!!!!!!"0D!!!"h`!!!!!!!"0c!!!"i!!!!!!!!"1!!!!"i3!!!!!
+!!"1-!!!"iJ!!!!!!!"1C!!!"i`!!!!!!!"1N!!!"j!!!!!!!!"1`!!!"j3!!!!!
+!!"1l!!!"jJ!!!!!!!"2*!!!"j`!!!!!!!"2A!!!"k!!!!!!!!"2Q!!!"k3!!!!!
+!!"2e!!!"kJ!!!!!!!"3#!!!"k`!!!!!!!"32!!!"l!!!!!!!!"3L!!!"l3!!!!!
+!!"3d!!!"lJ!!!!!!!"4#!!!"l`!!!!!!!"4'!!!"m!!!!!!!!"40!!!"m3!!!!!
+!!"4J!!!"mJ!!!!!!!"4a!!!"m`!!!!!!!"5!!!!"p!!!!!!!!"5*!!!"p3!!!!!
+!!"5B!!!"pJ!!!!!!!"5R!!!"p`!!!!!!!"5f!!!"q!!!!!!!!"6$!!!"q3!!!!!
+!!"64!!!"qJ!!!!!!!"6J!!!"q`!!!!!!!"6k!!!"r!!!!!!!!"8)!!!"r3!!!!!
+!!"8B!!!"rJ!!!!!!!"8V!!!"r`!!!!!!!"9)!!!#!!!!!!!!!"9C!!!#!3!!!!!
+!!"9U!!!#!J!!!!!!!"9h!!!#!`!!!!!!!"@(!!!#"!!!!!!!!"@8!!!#"3!!!!!
+!!"@N!!!#"J!!!!!!!"@b!!!#"`!!!!!!!"@r!!!##!!!!!!!!"A3!!!##3!!!!!
+!!"AJ!!!##J!!!!!!!"A[!!!##`!!!!!!!"Aq!!!#$!!!!!!!!"B+!!!#$3!!!!!
+!!"BE!!!#$J!!!!!!!"B`!!!#$`!!!!!!!"Bl!!!#%!!!!!!!!"C$!!!#%3!!!!!
+!!"C2!!!#%J!!!!!!!"CF!!!#%`!!!!!!!"CT!!!#&!!!!!!!!"Ce!!!#&3!!!!!
+!!"D'!!!#&J!!!!!!!"DE!!!#&`!!!!!!!"DQ!!!#'!!!!!!!!"Db!!!#'3!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!3!!!!)
+!!!!$!!!!"!!!!!8!!!!'!!!!"`!!!!J!!!!*!!!!,3!!!!S!!!!,!!!!$!!!!!d
+!!!!1!!!!$`!!!"!!!!!4!!!!%J!!!"-!!!!8!!!!&3!!!"B!!!!A!!!!'!!!!"N
+!!!!D!!!!'`!!!"`!!!!G!!!!(J!!!"m!!!!J!!!!)3!!!#)!!!!M!!!!*!!!!#8
+!!!!Q!!!!*`!!!#J!!!!T!!!!+J!!!#X!!!!X!!!!,J!!!#m!!!!`!!!!-3!!!$)
+!!!!c!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!0!!!!%!#!!!!!J!!0!!!!!!!!!!"!!!!!J!!!!-!!!!%!!!!"3!!!!B
+!!!!(!!!!#!!!!!N!!!!+!!!!#`!!!!`!!!!0!!!!$J!!!!m!!!!3!!!!%3!!!")
+!!!!@!!!!'`!!!"J!!!!C!!!!'J!!!"`!!!!G!!!!&`!!!"-!!!!8!!!!&3!!!"m
+!!!!H!!!!)!!!!#!&!!!!"3!!)!!!!KN!!!)J!!!@Z3!!'!!!!!)C!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!#!!!#!!!!!J%!!!&P!!!![!!!!'m!!!&Q!!!!F!!!!(%
+!!!"b!!!!F`!!!(3!!!"e!!!!GJ!!!(F!!!"i!!!!H3!!!(S!!!"l!!!!I!!!!B!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!)!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!#`MlJ!!!!!!!!!3!
+#`NI`!!)!!!!!!!!!!!!!!X)fJ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!)!!!%!!!!!"3!!Irm!!!!!Irm!!!!!Irm!!!!!Irm!!!!-!!%!!J!%!!!
+!"8!!!!B!!3!"1J!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!%!!!$rrrrr!!!!!`!"!!%k1J!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!3!!!2rrrrm!!!!%!!%!!6SkD@jME(9NC6S!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!rrrrrd!!!!)!!3!"1J!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!$rrrrr3!!!!`!#!!%k6@&M6e-
+J8h9`F'pbG$S!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!3!!!2rrrrp!!!!%!!)
+!!6T08d`k!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"!!!!rrr
+rrd!!!!8!#J!!6@&M6e-J8&"$)%aTEQYPFJ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!4f9d5&488&-J8&"$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"!!%k!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!#!!&0B@028b"38%-J6'PZDf9b!!!
+!!!!!!!!!!!!!!!!!!!!H39"36!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"J!!!!3A"`E!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!"J!!!!68e-3J!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!6'PL)%PYF'pbG#"38%-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!69"-4J!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!6'PL)%PYF'pbG#"38%-!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!69G$4!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"J!!!!8P053`!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!"J!!!!9%9B9#jLD!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!3Q&XE'p[EL")C@a`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!9%9B9#jM!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!69FJ3bp$+bXJ8&"$!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!9%9B9#jM+bX!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!69FJ3bp$+bXJ8&"$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!9%9B9#jMB`!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!69FJ3bp$+bXJ8&"$!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!9%9B9#jMF!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!69FJ3bp$+bXJ8&"$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!9%9B9#jMF(!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!69FJ3bp$+bXJ8&"$!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!9%9B9#jPH(!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!9%9B9#jRB`!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!4f&YC80[C'8J3fpZGQ9bG'9b!!!
+!!!!!!!!!!!!!!!"!!!!!9%9B9#jS!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!69FJ3bp$+bXJ8&"$!!!!!!!!!!!!!!!!!!!!!!!!!!!3!!!!9%9B9#jX!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!4QaPH#"3FQ9`FQpMCA0cEh)!!!!
+!!!!!!!!!!!!!!!#!!!!!9%9B9#j`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!69FJ8'&cBf&X)&"33`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!9%9B9#j`BA-
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!69FJ8'&cBf&X)&"33`!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!9%9B9#j`BfJ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!69FJ3bp$+bXJ8&"$!!!!!!!!!!!!!!!!!!!!!!!!!!#!!!!!9%9B9#j`BfJ
+V+`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!69FJ3bp$+bXJ8&"$!!!!!!!!!!!
+!!!!!!!!!!!!!!!#!!!!!9%9B9#j`F(8!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!69FJ8'&cBf&X)&"33`!!!!!!!!!!!!!!!!!!!!!!!!#!!!!!9%9B9#jb!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!8Q9k!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!9%9B9#jc!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!8&"$3A0Y!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!9%9B9#jj!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!3QPcEfiJ8(*PF(*[Bf9cFfpb!!!
+!!!!!!!!!!!!!!!#!!!!!@%024J!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!@%024NBJ5@e`Eh*d)&"33`!!!!!!!!!!!!!!!!!!!!!!!!!!C'pMG3!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!"J!!!!FR0bB`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"J!!!!FfKXBJ!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!8%9')%PYF'pbG#"38%-!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!Fh4eBJ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!8%9')%PYF'pbG#"38%-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!#jNEf-
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!"3!!!!!!8"!3!"!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"J!!!!!"!!!
+!!!8!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!"!3!!E@&TEJ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!)!3!"!!!!!3%"!3%!!3%!!!!!!!%"!!!
+"!3!"!!!"!!%!!!!!!!!!!!!)!3!"!3!"!3!!!!%!!!N!!"G0B@028b"8EfpXBQp
+i)%4&3P9()$Bi5`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!r2cmr39"36!!!!B"B`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!$mr2cm!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!"J!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!0!!%!!!!!!""I69G&8NY6Ah"bC@CTH#jS!!!!!!!!!!!!!!!!!!!!!!!
+"!!!"!!!!!!!"!!!!!!!!!!!!!!8"!3%!!!%"!!%!!!!!"!!!!!!!!!!!!!!!!!!
+!!!!"!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"IAh0dBA*d!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%!!3!!#8ePFQGP)%peG!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!$m
+r2cp"8&"-!!%"!!!%)#!J)!15Jf!$G0pi!`1Yi!!&!J%!!3%!!3%"!!!"!!!!!!!
+!!!%"!3%!!3%!!3!""!!!!!!!!!!!!!!(!3%!!3!!!3!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+IAh0dBA*d!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!#!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!8!!!e(CA4)9&438bK38%-T!!!!!!!
+!!!!!!!!!!!!!!!!!2cmr2d&38%`!!!3!!!!%!!!!!%!!!&M!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%r2cmr!!!!!!!
+!!!)!!!!#!!)!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+#!&!!!3!"!!%!!3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!8*d024%8R)#G%394"*b!R8%P$9#F
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!3!!!3!
+!!!%#!3!!!!!!!3!"!`!!!!!!!!!!!!!!!!!!!!!!!!!!!!%!!!)!!!!#!J%!!!!
+!!!%!!3-!!!!!!!!!!!!!!!!%!!!!!!!!!!!"!!!$!!!!!`)"!!!!!!!"!!%$!!!
+!!!!!!!!!!!!!"!!!!!!!!!!!!3!!"!!!!!3#!3!!!!!!!3!"!`!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!%!!!8!!!!&!J%!!!!!!!%!!3-!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!"!!!'!!!!"J)"!!!!!!!"!!%$!!!!!!!!!!!!!!!!"3!!!!!!!!!!!3!!"`!
+!!!F#!3!!!!!!!3!"!`!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!!J!!!!)!J%!!!!
+!!!%!!3-!!!!!!!!!!!!!!!!&!!!!!!!!!!!"!!!*!!!!#3)"!!!!!!!"!!%$!!!
+!!!!!!!!!!!!!"3!!!!!!!!!!!3!!#J!!!!S#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!%!!!X!!!!,!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!"!!!-!!!!$!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!$3!
+!!!d#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!!i!!!!1!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!!2!!!!$`)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!3!!%!!!!"!#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!%!!"%!!!!4!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!"!!!5!!!!%J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!%`!
+!!"-#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!"3!!!!8!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!!9!!!!&3)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!3!!&J!!!"B#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!%!!"F!!!!A!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!"!!!B!!!!'!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!'3!
+!!"N#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!"S!!!!D!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!!E!!!!'`)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!3!!(!!!!"`#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!%!!"d!!!!G!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!"!!!H!!!!(J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!(`!
+!!"m#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!#!!!!!J!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!!K!!!!)3)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!3!!)J!!!#)#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!%!!#-!!!!M!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!"!!!N!!!!*!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!*3!
+!!#8#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!#B!!!!Q!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!!R!!!!*`)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!3!!+!!!!#J#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!%!!#N!!!!T!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!"!!!U!!!!+J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!+`!
+!!#X#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!#`!!!!X!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!!Y!!!!,3)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!3!!,J!!!#i#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!%!!#m!!!![!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!"!!!`!!!!-!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!-3!
+!!$%#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!$)!!!!b!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!!c!!!!-`)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!3!!0!!!!$3#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!%!!$8!!!!e!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!"!!!f!!!!0J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!0`!
+!!$F#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!$J!!!!i!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!!j!!!!13)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!3!!1J!!!$S#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!%!!$X!!!!l!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!"!!!m!!!!2!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!23!
+!!$d#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!$i!!!!q!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!!r!!!!2`)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!3!!3!!!!%!#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!%!!%%!!!""!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!"!!"#!!!!3J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!3`!
+!!%-#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!%3!!!"%!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!"&!!!!43)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!3!!4J!!!%B#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!%!!%F!!!"(!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!"!!")!!!!5!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!53!
+!!%N#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!%S!!!"+!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!",!!!!5`)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!3!!6!!!!%`#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!%!!%d!!!"0!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!"!!"1!!!!6J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!6`!
+!!%m#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!&!!!!"3!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!"4!!!!83)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!3!!8J!!!&)#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!%!!&-!!!"6!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!"!!"8!!!!9!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!93!
+!!&8#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!&B!!!"@!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!"A!!!!9`)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!3!!@!!!!&J#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!%!!&N!!!"C!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!"!!"D!!!!@J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!@`!
+!!&X#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!&`!!!"F!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!"G!!!!A3)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!3!!AJ!!!&i#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!%!!&m!!!"I!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!"!!"J!!!!B!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!B3!
+!!'%#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!')!!!"L!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!"M!!!!B`)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!3!!C!!!!'3#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!%!!'8!!!"P!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!"!!"Q!!!!CJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!C`!
+!!'F#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!'J!!!"S!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!"T!!!!D3)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!3!!DJ!!!'S#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!%!!'X!!!"V!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!"!!"X!!!!E!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!E3!
+!!'d#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!'i!!!"Z!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!"[!!!!E`)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!3!!F!!!!(!#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!%!!(%!!!"a!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!"!!"b!!!!FJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!F`!
+!!(-#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!(3!!!"d!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!"e!!!!G3)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!3!!GJ!!!(B#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!%!!(F!!!"h!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!"!!"i!!!!H!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!H3!
+!!(N#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!(S!!!"k!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!"l!!!!H`)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!3!!I!!!!(`#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!%!!(d!!!"p!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!"!!"q!!!!IJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!I`!
+!!(m#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!)!!!!#!!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!#"!!!!J3)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!3!!JJ!!!))#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!%!!)-!!!#$!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!"!!#%!!!!K!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!K3!
+!!)8#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!)B!!!#'!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!#(!!!!K`)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!3!!L!!!!)J#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!%!!)N!!!#*!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!"!!#+!!!!LJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!L`!
+!!)X#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!)`!!!#-!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!#0!!!!M3)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!3!!MJ!!!)i#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!%!!)m!!!#2!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!"!!#3!!!!!*!!!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!#
+4!!!!N3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!NJ!!!*)#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!*-!!!#6!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!#8!!!!P!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!!P3!!!*8#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!*B!!!#@!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!#
+A!!!!P`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!Q!!!!*J#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!*N!!!#C!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!#D!!!!QJ)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!!Q`!!!*X#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!*`!!!#F!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!#
+G!!!!R3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!RJ!!!*i#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!*m!!!#I!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!#J!!!!S!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!!S3!!!+%#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!+)!!!#L!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!#
+M!!!!S`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!T!!!!+3#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!+8!!!#P!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!#Q!!!!TJ)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!!T`!!!+F#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!+J!!!#S!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!#
+T!!!!U3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!UJ!!!+S#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!+X!!!#V!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!#X!!!!V!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!!V3!!!+d#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!+i!!!#Z!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!#
+[!!!!V`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!X!!!!,!#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!,%!!!#a!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!#b!!!!XJ)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!!X`!!!,-#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!,3!!!#d!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!#
+e!!!!Y3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!YJ!!!,B#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!,F!!!#h!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!#i!!!!Z!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!!Z3!!!,N#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!,S!!!#k!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!#
+l!!!!Z`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!![!!!!,`#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!,d!!!#p!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!#q!!!![J)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!![`!!!,m#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!-!!!!$!!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!$
+"!!!!`3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!`J!!!-)#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!--!!!$$!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!$%!!!!a!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!!a3!!!-8#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!-B!!!$'!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!$
+(!!!!a`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!b!!!!-J#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!-N!!!$*!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!$+!!!!bJ)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!!b`!!!-X#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!-`!!!$-!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!$
+0!!!!c3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!cJ!!!-i#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!-m!!!$2!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!$3!!!!d!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!!d3!!!0%#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!0)!!!$5!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!$
+6!!!!d`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!e!!!!03#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!08!!!$9!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!$@!!!!eJ)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!!e`!!!0F#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!0J!!!$B!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!$
+C!!!!f3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!fJ!!!0S#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!0X!!!$E!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!$F!!!!h!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!!h3!!!0d#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!0i!!!$H!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!$
+I!!!!h`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!i!!!!1!#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!1%!!!$K!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!$L!!!!iJ)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!!i`!!!1-#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!13!!!$N!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!$
+P!!!!j3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!jJ!!!1B#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!1F!!!$R!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!$S!!!!k!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!!k3!!!1N#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!1S!!!$U!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!$
+V!!!!k`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!l!!!!1`#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!1d!!!$Y!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!$Z!!!!lJ)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!!l`!!!1m#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!2!!!!$`!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!$
+a!!!!m3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!mJ!!!2)#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!2-!!!$c!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!$d!!!!p!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!!p3!!!28#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!2B!!!$f!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!$
+h!!!!p`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!q!!!!2J#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!2N!!!$j!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!$k!!!!qJ)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!!q`!!!2X#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!2`!!!$m!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!$
+p!!!!r3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!!rJ!!!2i#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!2m!!!$r!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!%!!!!"!!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!"!3!!!3%#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!3)!!!%#!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!%
+$!!!"!`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!""!!!!33#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!38!!!%&!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!%'!!!""J)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!""`!!!3F#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!3J!!!%)!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!%
+*!!!"#3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!"#J!!!3S#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!3X!!!%,!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!%-!!!"$!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!"$3!!!3d#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!3i!!!%1!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!%
+2!!!"$`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!"%!!!!4!#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!4%!!!%4!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!%5!!!"%J)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!"%`!!!4-#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!43!!!%8!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!%
+9!!!"&3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!"&J!!!4B#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!4F!!!%A!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!%B!!!"'!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!"'3!!!4N#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!4S!!!%D!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!%
+E!!!"'`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!"(!!!!4`#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!4d!!!%G!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!%H!!!"(J)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!"(`!!!4m#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!5!!!!%J!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!%
+K!!!")3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!")J!!!5)#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!5-!!!%M!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!%N!!!"*!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!"*3!!!58#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!5B!!!%Q!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!%
+R!!!"*`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!"+!!!!5J#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!5N!!!%T!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!%U!!!"+J)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!"+`!!!5X#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!5`!!!%X!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!%
+Y!!!",3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!",J!!!5i#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!5m!!!%[!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!%`!!!"-!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!"-3!!!6%#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!6)!!!%b!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!%
+c!!!"-`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!"0!!!!63#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!68!!!%e!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!%f!!!"0J)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!"0`!!!6F#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!6J!!!%i!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!%
+j!!!"13)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!"1J!!!6S#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!6X!!!%l!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!%m!!!"2!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!"23!!!6d#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!6i!!!%q!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!%
+r!!!"2`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!"3!!!!8!#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!8%!!!&"!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!&#!!!"3J)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!"3`!!!8-#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!83!!!&%!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!&
+&!!!"43)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!"4J!!!8B#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!8F!!!&(!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!&)!!!"5!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!"53!!!8N#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!8S!!!&+!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!&
+,!!!"5`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!"6!!!!8`#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!8d!!!&0!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!&1!!!"6J)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!"6`!!!8m#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!9!!!!&3!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!&
+4!!!"83)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!"8J!!!9)#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!9-!!!&6!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!&8!!!"9!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!"93!!!98#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!9B!!!&@!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!&
+A!!!"9`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!"@!!!!9J#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!9N!!!&C!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!&D!!!"@J)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!"@`!!!9X#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!9`!!!&F!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!&
+G!!!"A3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!"AJ!!!9i#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!9m!!!&I!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!&J!!!"B!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!"B3!!!@%#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!@)!!!&L!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!&
+M!!!"B`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!"C!!!!@3#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!@8!!!&P!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!&Q!!!"CJ)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!"C`!!!@F#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!@J!!!&S!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!&
+T!!!"D3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!"DJ!!!@S#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!@X!!!&V!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!&X!!!"E!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!"E3!!!@d#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!@i!!!&Z!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!&
+[!!!"E`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!"F!!!!A!#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!A%!!!&a!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!&b!!!"FJ)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!"F`!!!A-#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!A3!!!&d!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!&
+e!!!"G3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!"GJ!!!AB#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!AF!!!&h!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!&i!!!"H!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!"H3!!!AN#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!AS!!!&k!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!&
+l!!!"H`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!"I!!!!A`#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!Ad!!!&p!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!&q!!!"IJ)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!"I`!!!Am#!3!!!!!!!3!"!`!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!B!!!!'!!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!'
+"!!!"J3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!"JJ!!!B)#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!B-!!!'$!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!'%!!!"K!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!"K3!!!B8#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!BB!!!''!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!'
+(!!!"K`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!"L!!!!BJ#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!BN!!!'*!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!'+!!!"LJ)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!3!"L`!!!BX#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!%!!B`!!!'-!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!'
+0!!!"M3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!"MJ!!!Bi#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!Bm!!!'2!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!'3!!!!!C!!!J%!!!!!!!%!!3%!!!!!!!!
+!!!!!!!!"!!!!!!!!!!!"!!'4!!!"N3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!
+!!!!!!!!!!3!"NJ!!!C)#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%
+!!C-!!!'6!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!'8!!!"P!)
+"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!"P3!!!C8#!3!!!!!!!3!
+"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!CB!!!'@!J%!!!!!!!%!!3%!!!!!!!!
+!!!!!!!!"!!!!!!!!!!!"!!'A!!!"P`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!
+!!!!!!!!!!3!"Q!!!!CJ#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%
+!!CN!!!'C!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!'D!!!"QJ)
+"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!"Q`!!!CX#!3!!!!!!!3!
+"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!C`!!!'F!J%!!!!!!!%!!3%!!!!!!!!
+!!!!!!!!"!!!!!!!!!!!"!!'G!!!"R3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!
+!!!!!!!!!!3!"RJ!!!Ci#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%
+!!Cm!!!'I!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!'J!!!"S!)
+"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!"S3!!!D%#!3!!!!!!!3!
+"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%!!D)!!!'L!J%!!!!!!!%!!3%!!!!!!!!
+!!!!!!!!"!!!!!!!!!!!"!!'M!!!"S`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!
+!!!!!!!!!!3!"T!!!!D3#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!%
+!!D8!!!'P!J%!!!!!!!%!!3-!!!!!!!!!!!!!!!!"!!!!!!!!!!!"!!'Q!!!"TJ)
+"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!3!"T`!!!DF#!3!!!!!!!3!
+"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!3!!!!)!!!!$!!!!"!!!!!8!!!!'!!!!"`!
+!!!J!!!!*!!!!#J!!!!X!!!!-!!!!$3!!!!i!!!!2!!!!%!!!!"%!!!!5!!!!%`!
+!!"3!!!!9!!!!&J!!!"F!!!!B!!!!'3!!!"S!!!!E!!!!(!!!!"d!!!!H!!!!(`!
+!!#!!!!!K!!!!)J!!!#-!!!!N!!!!*3!!!#B!!!!R!!!!+!!!!#N!!!!U!!!!+`!
+!!#`!!!!Y!!!!,J!!!#m!!!!`!!!!-3!!!$)!!!!c!!!!0!!!!$8!!!!f!!!!0`!
+!!$J!!!!j!!!!1J!!!$X!!!!m!!!!23!!!$i!!!!r!!!!3!!!!%%!!!"#!!!!3`!
+!!%3!!!"&!!!!4J!!!%F!!!")!!!!53!!!%S!!!",!!!!6!!!!%d!!!"1!!!!6`!
+!!&!!!!"4!!!!8J!!!&-!!!"8!!!!93!!!&B!!!"A!!!!@!!!!&N!!!"D!!!!@`!
+!!&`!!!"G!!!!AJ!!!&m!!!"J!!!!B3!!!')!!!"M!!!!C!!!!'8!!!"Q!!!!C`!
+!!'J!!!"T!!!!DJ!!!'X!!!"X!!!!E3!!!'i!!!"[!!!!F!!!!(%!!!"b!!!!F`!
+!!(3!!!"e!!!!GJ!!!(F!!!"i!!!!H3!!!(S!!!"l!!!!I!!!!(d!!!"q!!!!I`!
+!!)!!!!#"!!!!JJ!!!)-!!!#%!!!!K3!!!)B!!!#(!!!!L!!!!)N!!!#+!!!!L`!
+!!)`!!!#0!!!!MJ!!!)m!!!#3!!!!!*%!!!#5!!!!N`!!!*3!!!#9!!!!PJ!!!*F
+!!!#B!!!!Q3!!!*S!!!#E!!!!R!!!!*d!!!#H!!!!R`!!!+!!!!#K!!!!SJ!!!+-
+!!!#N!!!!T3!!!+B!!!#R!!!!U!!!!+N!!!#U!!!!U`!!!+`!!!#Y!!!!VJ!!!+m
+!!!#`!!!!X3!!!,)!!!#c!!!!Y!!!!,8!!!#f!!!!Y`!!!,J!!!#j!!!!ZJ!!!,X
+!!!#m!!!![3!!!,i!!!#r!!!!`!!!!-%!!!$#!!!!``!!!-3!!!$&!!!!aJ!!!-F
+!!!$)!!!!b3!!!-S!!!$,!!!!c!!!!-d!!!$1!!!!c`!!!0!!!!$4!!!!dJ!!!0-
+!!!$8!!!!e3!!!0B!!!$A!!!!f!!!!0N!!!$D!!!!f`!!!0`!!!$G!!!!hJ!!!0m
+!!!$J!!!!i3!!!1)!!!$M!!!!j!!!!18!!!$Q!!!!j`!!!1J!!!$T!!!!kJ!!!1X
+!!!$X!!!!l3!!!1i!!!$[!!!!m!!!!2%!!!$b!!!!m`!!!23!!!$e!!!!pJ!!!2F
+!!!$i!!!!q3!!!2S!!!$l!!!!r!!!!2d!!!$q!!!!r`!!!3!!!!%"!!!"!J!!!3-
+!!!%%!!!""3!!!3B!!!%(!!!"#!!!!3N!!!%+!!!"#`!!!3`!!!%0!!!"$J!!!3m
+!!!%3!!!"%3!!!4)!!!%6!!!"&!!!!48!!!%@!!!"&`!!!4J!!!%C!!!"'J!!!4X
+!!!%F!!!"(3!!!4i!!!%I!!!")!!!!5%!!!%L!!!")`!!!53!!!%P!!!"*J!!!5F
+!!!%S!!!"+3!!!5S!!!%V!!!",!!!!5d!!!%Z!!!",`!!!6!!!!%a!!!"-J!!!6-
+!!!%d!!!"03!!!6B!!!%h!!!"1!!!!6N!!!%k!!!"1`!!!6`!!!%p!!!"2J!!!6m
+!!!&!!!!"33!!!8)!!!&$!!!"4!!!!88!!!&'!!!"4`!!!8J!!!&*!!!"5J!!!8X
+!!!&-!!!"63!!!8i!!!&2!!!"8!!!!9%!!!&5!!!"8`!!!93!!!&9!!!"9J!!!9F
+!!!&B!!!"@3!!!9S!!!&E!!!"A!!!!9d!!!&H!!!"A`!!!@!!!!&K!!!"BJ!!!@-
+!!!&N!!!"C3!!!@B!!!&R!!!"D!!!!@N!!!&U!!!"D`!!!@`!!!&Y!!!"EJ!!!@m
+!!!&`!!!"F3!!!A)!!!&c!!!"G!!!!A8!!!&f!!!"G`!!!AJ!!!&j!!!"HJ!!!AX
+!!!&m!!!"I3!!!Ai!!!&r!!!"J!!!!B%!!!'#!!!"J`!!!B3!!!'&!!!"KJ!!!BF
+!!!')!!!"L3!!!BS!!!',!!!"M!!!!Bd!!!'1!!!"M`!!!C!!!!!"N3!!!C)!!!'
+6!!!"P!!!!C8!!!'@!!!"P`!!!CJ!!!'C!!!"QJ!!!CX!!!'F!!!"R3!!!Ci!!!'
+I!!!"S!!!!D%!!!'L!!!"S`!!!D3!!!'P!!!"TJ!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!'R!!!"`!%!!!!"!!'
+R!3!"SJ%!!D-"!!'K!3!"S!%!!!X"!!!-!3!!#J%!!!d"!!!1!3!!$`%!!"!"!!!
+4!3!!%J%!!"-"!!!8!3!!&3%!!"B"!!!A!3!!'!%!!"N"!!!D!3!!'`%!!"`"!!!
+G!3!!(J%!!"m"!!!J!3!!)3%!!#)"!!!M!3!!*!%!!#8"!!!Q!3!!*`%!!#J"!!!
+T!3!!+J%!!#X"!!!X!3!!,3%!!#i"!!![!3!!-!%!!$%"!!!b!3!!-`%!!$3"!!!
+e!3!!0J%!!$F"!!!i!3!!13%!!$S"!!!l!3!!2!%!!$d"!!!q!3!!2`%!!%!"!!"
+"!3!!3J%!!%-"!!"%!3!!43%!!%B"!!"(!3!!5!%!!%N"!!"+!3!!5`%!!%`"!!"
+0!3!!6J%!!%m"!!"3!3!!83%!!&)"!!"6!3!!9!%!!&8"!!"@!3!!9`%!!&J"!!"
+C!3!!@J%!!&X"!!"F!3!!A3%!!&i"!!"I!3!!B!%!!'%"!!"L!3!!B`%!!'3"!!"
+P!3!!CJ%!!'F"!!"S!3!!D3%!!'S"!!"V!3!!E!%!!'d"!!"Z!3!!E`%!!(!"!!"
+a!3!!FJ%!!(-"!!"d!3!!G3%!!(B"!!"h!3!!H!%!!(N"!!"k!3!!H`%!!(`"!!"
+p!3!!IJ%!!(m"!!#!!3!!J3%!!))"!!#$!3!!K!%!!)8"!!#'!3!!K`%!!)J"!!'
+Q!3!!L3%!!)S"!!#,!3!!M!%!!)d"!!#1!3!!M`%!!*!!!3!!N3%!!*)"!!#6!3!
+!P!%!!*8"!!#@!3!!P`%!!*J"!!#C!3!!QJ%!!*X"!!#F!3!!R3%!!*i"!!#I!3!
+!S!%!!+%"!!#L!3!!S`%!!+3"!!#P!3!!TJ%!!+F"!!#S!3!!U3%!!+S"!!#V!3!
+!V!%!!+d"!!#Z!3!!V`%!!,!"!!#a!3!!XJ%!!,-"!!#d!3!!Y3%!!,B"!!#h!3!
+!Z!%!!,N"!!#k!3!!Z`%!!,`"!!#p!3!![J%!!,m"!!$!!3!!`3%!!-)"!!$$!3!
+!a!%!!-8"!!$'!3!!a`%!!-J"!!$*!3!!bJ%!!-X"!!$-!3!!c3%!!-i"!!$2!3!
+!d!%!!0%"!!$5!3!!d`%!!03"!!$9!3!!eJ%!!0F"!!$B!3!!f3%!!0S"!!$E!3!
+!h!%!!0d"!!$H!3!!h`%!!1!"!!$K!3!!iJ%!!1-"!!$N!3!!j3%!!1B"!!$R!3!
+!k!%!!1N"!!$U!3!!k`%!!1`"!!$Y!3!!lJ%!!1m"!!$`!3!!m3%!!2)"!!$c!3!
+!p!%!!28"!!$f!3!!p`%!!2J"!!$j!3!!qJ%!!2X"!!$m!3!!r3%!!2i"!!$r!3!
+"!!%!!3%"!!%#!3!"!`%!!33"!!%&!3!""J%!!3F"!!%)!3!"#3%!!3S"!!%,!3!
+"$!%!!3d"!!%1!3!"$`%!!4!"!!%4!3!"%J%!!4-"!!%8!3!"&3%!!4B"!!%A!3!
+"'!%!!4N"!!%D!3!"'`%!!4`"!!%G!3!"(J%!!4m"!!%J!3!")3%!!5)"!!%M!3!
+"*!%!!58"!!%Q!3!"*`%!!5J"!!%T!3!"+J%!!5X"!!%X!3!",3%!!5i"!!%[!3!
+"-!%!!6%"!!%b!3!"-`%!!63"!!%e!3!"T`%!!6B"!!%h!3!"1!%!!6N"!!%k!3!
+"1`%!!6`"!!%p!3!"2J%!!6m"!!&!!3!"33%!!8)"!!&$!3!"4!%!!88"!!&'!3!
+"4`%!!8J"!!&*!3!"5J%!!8X"!!&-!3!"63%!!8i"!!&2!3!"8!%!!9%"!!&5!3!
+"8`%!!93"!!&9!3!"9J%!!9F"!!&B!3!"@3%!!9S"!!&E!3!"A!%!!9d"!!&H!3!
+"A`%!!@!"!!&K!3!"BJ%!!@-"!!&N!3!"C3%!!@B"!!&R!3!"D!%!!@N"!!&U!3!
+"D`%!!@`"!!&Y!3!"EJ%!!@m"!!&`!3!"F3%!!A)"!!&c!3!"G!%!!A8"!!&f!3!
+"G`%!!AJ"!!&j!3!"HJ%!!AX"!!&m!3!"I3%!!Ai"!!'!!3!"J3%!!B)"!!'$!3!
+"K!%!!B8"!!''!3!"K`%!!BJ"!!'*!3!"LJ%!!BX"!!'-!3!"M3%!!Bi"!!'2!3!
+"N!!"!!'4!3!"NJ%!!C-"!!'8!3!"P3%!!CB"!!'A!3!"Q!%!!CN"!!'D!3!"Q`%
+!!C`"!!'G!3!"RJ%!!Cm"!!'N!3!"I`%!!!%"!!!%!3!!!`%!!!)"!!!*!3!!"3%
+!!!B"!!!(!3!!#!%!!D8!!!'S!!%!+!!!!#!$NFQ3!$mr!!!!!!!!!!!!!!14bC!
+!!!)!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%!!6T)HA"PFN0
+KFQ3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!#`MlJ!!!!!!!!!3!#`NI
+`!!)!!!!!!!!!!!!!!X)fJ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!)!!!%!!!!!"3!!Irm!!!!!Irm!!!!!Irm!!!!!Irm!!!!-!!%!!J!'!!!!"8!
+!!!J!!3!"1J!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%
+!!!$rrrrr!!!!!`!"!!%k1J!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!3!!!2rrrrm!!!!%!!%!!6SkD@jME(9NC6S!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!rrrrrd!!!!)!!3!"1J!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!$rrrrr3!!!!`!"!!%k1MT(990*1QP
+ZBfaeC'8k!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!2rrrrp!!!!%!!%!!6S
+k1NG98dNkE'PL1J!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!rrrrrd!
+!!!8!!J!"1NeKBdp6)&0eF("[FR3k!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%
+!!!$rrrrr3!!!"J!#!!%k690-1J!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!3!!!2rrrrp!!!!(!!S!!%eKBdp6)&"33b"-D@jVCA)!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%p`C@j68d`J8&"$!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!3!"1J!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!J!"6@&M6e-
+J8&"$)%aTEQYPFJ!!!!!!!!!!!!!!!!!!!!!!(N&38%`!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!B!!!!%&`F'`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!B!!!!%e06%)!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!%aTBL"*EA"[FR3J8&"$!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!%e36%B!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%aTBL"*EA"
+[FR3J8&"$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%eA3d3!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!B!!!!&*68N-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!B!!!!&4&@&3ZBQJ!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!%*KE'a[EfiJ5'9XF!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!&4&@&3ZB`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%eA)%-[3bX
+V)&"33`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&4&@&3ZBbXV!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!%eA)%-[3bXV)&"33`!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!&4&@&3ZBf-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%eA)%-[3bX
+V)&"33`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&4&@&3ZBh!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!%eA)%-[3bXV)&"33`!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!&4&@&3ZBh"`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%eA)%-[3bX
+V)&"33`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&4&@&3ZCAK`!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!&4&@&3ZCf-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%GKE@9$Ef4
+P)%0[ERCPFR4PFJ!!!!!!!!!!!!!!!!!!3!!!!&4&@&3ZD!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!%eA)%-[3bXV)&"33`!!!!!!!!!!!!!!!!!!!!!!!!!
+!%!!!!&4&@&3ZE!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%CXCAJJ8(*
+PF(*[Bf9cFfpb!!!!!!!!!!!!!!!!!!!!J!!!!&4&@&3ZF!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!%eA)&"KFf0KE#"38%-!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!&4&@&3ZF'&c!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%eA)&"KFf0
+KE#"38%-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&4&@&3ZF'0S!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!%eA)%-[3bXV)&"33`!!!!!!!!!!!!!!!!!!!!!!!!!
+!J!!!!&4&@&3ZF'0S+bX!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%eA)%-[3bX
+V)&"33`!!!!!!!!!!!!!!!!!!!!!!!!!!J!!!!&4&@&3ZF("e!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!%eA)&"KFf0KE#"38%-!!!!!!!!!!!!!!!!!!!!!!!!
+!J!!!!&4&@&3ZFJ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&*PHJ!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&4&@&3ZF`!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!&"33d&cE3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!&4&@&3ZH3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%*TFfpZ)&"
+bCA"bEf0PFh0[FJ!!!!!!!!!!!!!!!!!!J!!!!&K$6dB!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!&K$6dC')%PYF'pbG#"38%-!!!!!!!!!!!!!!!!!!!!
+!!!!!!'4[Bh8!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!B!!!!(*cFQ-!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!B!!!!(0SE')!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&"&4L"*EA"
+[FR3J8&"$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!(0dG@)!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!&"&4L"*EA"[FR3J8&"$!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!ZC'pM!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!8!!!!!!&!3%!!3!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!B!!!!!!3!!!!!&!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!3%!!'eKD@i!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!#!%!!3!!!!%"!3%
+"!!%"!!!!!!!"!3!!!3%!!3!!!3!"!!!!!!!!!!!!#!%!!3%!!3%!!!!"!!!*!!!
+A6@&M6e-J9'p[E'*[H#"%48*94b!f1%X!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!2cmr2d&38%`!!!'!@-!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+r2cmr!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!B!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!$3!"!!!!!!!9AdeA49*,8ep(990*Ah"bC@CTH#j
+S!!!!!!!!!!!!!!!!!3!!!3!!!!!!!3!!!!!!!!!!!!!&!3%"!!!"!3!"!!!!!!3
+!!!!!!!!!!!!!!!!!!!!!!3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!AepcG'&bG!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"!!%!!!P0CA*
+RC5"2GA3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!r2cmr39"36!!"!3!!"#!J)#!$NS0J!h6IH!-$VH!!"3)"!!%
+"!!%"!3!!!3!!!!!!!!!"!3%"!!%"!!%!!33!!!!!!!!!!!!!"`%"!!%!!!%!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!AepcG'&bG!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!J
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&!!!(6h"PEP0
+66!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!$mr2cp"8&"-!!!%!!!!"!!!!!"!!!"
+B`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!"2cmr2`!!!!!!!!!#!!!!!J!#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!J"3!!%!!3!"!!%!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&#G$6d4&*b!
+R4%&835FJ*e"*3e3R!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!K-!!!)8!!!#&3!!!KB!!!)A!!!"p!!!!HF!!!(q!!!"r3!!!IS
+!!!(m!!!"m`!!!IX!!!)$!!!"U!!!!DN!!!'U!!!!,!!!!#d!!!!Z!!!!,`!!!$!
+!!!!a!!!!-J!!!$-!!!!d!!!!03!!!$B!!!!h!!!!1!!!!$N!!!!k!!!!1`!!!BF
+!!!!m!!!!23!!!$i!!!!r!!!!3!!!!%%!!!',!!!!3J!!!%-!!!"%!!!!43!!!%B
+!!!"(!!!"k3!!!Am!!!"p!!!!IJ!!!(m!!!'5!!!"N3!!!)!!!!#"!!!!c!!!!B`
+!!!$0!!!!JJ!!!)-!!!$1!!!!c`!!!!N!!!(`!!!!K3!!!)B!!!#(!!!"T3!!!)J
+!!!#*!!!!LJ!!!)X!!!#-!!!!M3!!!)i!!!#2!!!!N!!!!!#4!!!!NJ!!!*-!!!#
+8!!!!P3!!!*B!!!#A!!!"N`!!!Bi!!!'2!!!"M3!!!C!!!!!!K!!!!*J!!!#C!!!
+#"J!!!93!!!&9!!!"P!!!!BB!!!)*!!!##J!!!DX!!!#N!!!!T3!!!+B!!!#R!!!
+!U!!!!KJ!!!'X!!!!R`!!!+)!!!#M!!!"R`!!!AS!!!'Y!!!"VJ!!!AX!!!)#!!!
+"RJ!!!0!!!!#D!!!!Q`!!!*`!!!#G!!!!S!!!!*i!!!#K!!!!5!!!!%N!!!"+!!!
+!5`!!!%`!!!"0!!!!6J!!!%m!!!)(!!!##!!!!+N!!!'[!!!"X!!!!,d!!!#q!!!
+![`!!!-!!!!$"!!!!d3!!!E%!!!'b!!!!`J!!!--!!!$%!!!!a3!!!-B!!!'"!!!
+!a`!!!-J!!!#U!!!!U`!!!+`!!!'c!!!!dJ!!!+d!!!'9!!!!b3!!!D!!!!'d!!!
+!bJ!!!-X!!!"3!!!!d`!!!03!!!$9!!!!eJ!!!0F!!!$B!!!"I!!!!0N!!!$D!!!
+!f`!!!0`!!!$G!!!!hJ!!!0m!!!$J!!!!i3!!!1)!!!$M!!!!j!!!!18!!!$Q!!!
+!j`!!!1J!!!$T!!!!kJ!!!1X!!!$X!!!!l3!!!1i!!!$[!!!!m!!!!2%!!!$b!!!
+!m`!!!23!!!$e!!!!pJ!!!2F!!!#Z!!!!V`!!!J8!!!(C!!!"l!!!!&%!!!"5!!!
+!8`!!!HX!!!'e!!!"YJ!!!EF!!!(K!!!"h`!!!D%!!!(D!!!"c!!!!FX!!!(E!!!
+"c3!!!G`!!!(1!!!"#3!!!&3!!!"9!!!!9J!!!&F!!!"B!!!!@3!!!&S!!!"E!!!
+!!3!!!3S!!!%,!!!"$!!!!3d!!!%1!!!"$`!!!4!!!!(e!!!"k!!!!HB!!!(P!!!
+"h3!!!G!!!!(L!!!"j!!!!Gi!!!(2!!!#!!!!!Im!!!(4!!!"SJ!!!!)!!!(B!!!
+"%3!!!4)!!!%6!!!"&!!!!48!!!%@!!!"-`!!!Ad!!!'M!!!"pJ!!!GF!!!!!!!!
+"dJ!!!!-!!!(@!!!"IJ!!!IF!!!(U!!!"q!!!!Hd!!!$i!!!!q3!!!2S!!!$l!!!
+!r!!!!2d!!!$q!!!!r`!!!3!!!!%"!!!"Z!!!!&`!!!"G!!!"&`!!!4J!!!%C!!!
+!X!!!!,%!!!#b!!!"i`!!!H!!!!'j!!!"d`!!!!3!!!!&!!!"e!!!!G8!!!!'!!!
+!"`!!!4S!!!%K!!!")J!!!5-!!!%N!!!"*3!!!5B!!!%R!!!"+!!!!5N!!!%U!!!
+"+`!!!5`!!!'B!!!",3!!!5i!!!'@!!!"P`!!!&i!!!"I!!!!B!!!!'%!!!"L!!!
+!B`!!!'3!!!"P!!!!CJ!!!'F!!!"S!!!!D3!!!'S!!!#c!!!"q3!!!I)!!!%E!!!
+"(!!!!4d!!!%H!!!"(`!!!5!!!!%[!!!"Q3!!!6!!!!%a!!!"QJ!!!CX!!!'k!!!
+"Z`!!!6)!!!'m!!!"T!!!!JX!!!)-!!!#$3!!!Ji!!!)2!!!#%!!!!Hm!!!)4!!!
+"!J!!!3-!!!%%!!!""3!!!3B!!!%(!!!"#!!!!,3!!!%d!!!"TJ!!!,8!!!%e!!!
+"0J!!!6F!!!%i!!!"13!!!6S!!!%l!!!"2!!!!6d!!!%q!!!"2`!!!8!!!!&"!!!
+!YJ!!!,F!!!'p!!!"lJ!!!K)!!!&#!!!"3`!!!,J!!!'q!!!"R!!!!83!!!&&!!!
+"4J!!!8F!!!&)!!!"R3!!!8N!!!&+!!!"5`!!!8`!!!&0!!!!#J!!!!X!!!!-!!!
+!$3!!!!i!!!!2!!!!%!!!!"%!!!!5!!!!%`!!!"3!!!!9!!!!&J!!!"F!!!!B!!!
+!'3!!!"S!!!!E!!!"[`!!!,N!!!&1!!!"6`!!!9!!!!&4!!!"`!!!!J%!!!("!!!
+"`J!!!"`!!!!G!!!!(J!!!"m!!!!J!!!!)3!!!#)!!!!M!!!!*!!!!#8!!!!Q!!!
+"8J!!!,S!!!#l!!!"``!!!F3!!!(&!!!"aJ!!!FS!!!!R!!!!+!!!!#N!!!!U!!!
+!+`!!!J3!!!!)!!!"8`!!!BS!!!"V!!!!E!!!!'d!!!')!!!!EJ!!!BN!!!&R!!!
+"D!!!!@N!!!&U!!!"D`!!!@`!!!&Y!!!"EJ!!!@m!!!&`!!!"F3!!!A)!!!'&!!!
+"F`!!!A3!!!&e!!!"GJ!!!B3!!!&h!!!"H!!!!AN!!!((!!!"b!!!!DF!!!(*!!!
+"9J!!!9F!!!'#!!!"@!!!!9N!!!&D!!!"@`!!!9`!!!&G!!!"AJ!!!9m!!!&J!!!
+"B3!!!@)!!!'$!!!"B`!!!@3!!!&P!!!![!!!!I%!!!"[!!!"CJ!!!(!!!!"a!!!
+!FJ!!!(-!!!"d!!!!G3!!!(B!!!"h!!!!H!!!!(N!!!"k!!!!H`!!!(`!!!'!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-!!!!-!!!!!`!!!!bdhb6,!!!
+qh3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!U!!!!+`!!!#`!!!!Z!!!!,`!!!$!!!!!a!!!!-J!!!$-!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!d!!!
+!3!)!!!!#!!!d!J!!(!)!!"d#!!!H!J!!(`)!!#!#!!!K!J!!)J)!!#-#!!!N!J!
+!*3)!!#B#!!!R!J!!+!)!!#N#!!!U!J!!+`)!!#`#!!!Y!J!!#`)!!!`#!!!0!J!
+!$J)!!!m#!!!3!J!!%3)!!")#!!!6!J!!&!)!!"8#!!!@!J!!&`)!!"J#!!!C!J!
+!'J)!!"X#!!!c!J!!0!)!!#m#!!!`!J!!-J)!!$%#!!!+!J!!!3)!!!3#!!!$!J!
+!!J)!!!N#!!!&!J!!"J)!!!F#!!!)!J!!,J!!!DJ!!3!S!!!!)!14bC!!2cm!!!!
+!!!!!!!!!!j(*N!!!!J!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!,#2Z!
+!!!!!!!!"!!,#4r!!!J!!!!!!!!!!!!!#`MD!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!J!!!3!!!!!&!!"rr`!!!!"rr`!!!!"rr`!!!!"rr`!!!!`
+!!3!#!!3!!!!&3!!!"J!"!!%k!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!3!!!2rrrrm!!!!$!!%!!6Sk!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!"!!!!rrrrr`!!!!3!!3!"1MTTEQ0XG@4P1J!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!$rrrrr3!!!!J!"!!%k!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!2rrrrp!!!!$!!)
+!!6T0B@028b"6GA"`Eh*d1J!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"!!!!rrr
+rrd!!!!3!!J!"1Ne66$S!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!%!!!$rrrrr3!!!"3!+!!"0B@028b!f1%XJ6'PZDf9b!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!"(CA4)9&438b!f1%X!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%!!6S!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!)!!8eKBdp6)$Bi5b"
+-D@jVCA)!!!!!!!!!!!!!!!!!!!!!!#""8&"-!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!'!!!!"
+"F("X!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!'!!!!"068a#!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!"-D@)J5@e`Eh*d)$Bi5`!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+08%a'!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"-D@)J5@e`Eh*d)$B
+i5`!!!!!!!!!!!!!!!!!!!!!!!!!!!!"09d0%!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!'!!!!"
+23NSJ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"08&FJ5@e`Eh*d)$B
+i5`!!!!!!!!!!!!!!!!!!!!!!!!!!!!"36'pL!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!'!!!!"
+58e*$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!'!!!!"849K8,Q*S!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!"#B@aXEfpZ)%KPE(!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+849K8,Q-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"09b"$,d-V+b!f1%X
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"849K8,Q-V+`!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!"09b"$,d-V+b!f1%X!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+849K8,Q0M!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"09b"$,d-V+b!f1%X
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"849K8,Q0`!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!"09b"$,d-V+b!f1%X!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+849K8,Q0`F!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"09b"$,d-V+b!f1%X
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"849K8,Q9iF!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+849K8,QGM!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"(B@eP3fpNC5"$Efj
+fCA*dCA)!!!!!!!!!!!!!!!!!!%!!!!"849K8,QJ!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!"09b"$,d-V+b!f1%X!!!!!!!!!!!!!!!!!!!!!!!!!!"!!!!"
+849K8,Q`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"'E'9i)&"bCA"bEf0
+PFh0[FJ!!!!!!!!!!!!!!!!!!!)!!!!"849K8,R!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!"09b"3BA0MB@`J0MK,!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+849K8,R"KF`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"09b"3BA0MB@`J0MK
+,!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"849K8,R"MD!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!"09b"$,d-V+b!f1%X!!!!!!!!!!!!!!!!!!!!!!!!!!)!!!!"
+849K8,R"MD#XV!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"09b"$,d-V+b!f1%X
+!!!!!!!!!!!!!!!!!!!!!!!!!!)!!!!"849K8,R"`G3!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!"09b"3BA0MB@`J0MK,!!!!!!!!!!!!!!!!!!!!!!!!!)!!!!"
+849K8,R)!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"5CAS!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"849K8,R0PC`!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+849K8,RN!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"#DA0[EL"3FQ9`FQp
+MCA0cEh)!!!!!!!!!!!!!!!!!!)!!!!"NEf0e!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!'!!!!"
+bFh*M!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!'!!!!"cD'aL!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!"348BJ5@e`Eh*d)$Bi5`!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+cG(9L!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"348BJ5@e`Eh*d)$B
+i5`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!,Q4[B`!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&!!!!!
+!!!!!,R*cFQ-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!'!!!!!!"3%"!!%!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+'!!!!!!%!!!!!"3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!%"!!"YB@PZ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!J"!3%!!!!"!3%!!!%"!3!
+!!!!!!3%!!!%"!!%!!!%%!!!!!!!!!!!!!!J"!!%"!!%"!!!!!3!!#3!!$8GPG%K
+89&"6+$Bi5bN!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!$mr2cp"8&"-!!!#!&M!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!2cmr2`!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!)!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!d!!3!!!!!!%&p09d955e0IF(*PCQPi,QJ!!!!!!!!!!!!
+!!!!!!!!!!!%!!!!!!!!!!!%!!!!!!!!!!!!!"3%"!3!!!3%!!3!!!!!%!!!!!!!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&p
+IFh4KFR3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!3!"!!!*6@9bCf8J6h9
+d!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!2cmr2d&38%`!!3%!!!3J)#!J!j+$B!0dhhJ$!khJ!!8#!3!"!3!"!3%
+!!!%!!!!!!!!!!3%"!3!"!3!"!!%%!!!!!!!!!!!!!!F"!3!"!!!"!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!&pIFh4KFR3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!)!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"3!!#%GPG%K89&"6!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!r2cmr39"36!!!"!!!!!3!!!!!3!!!@-!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!6m
+r2cm!!!!!!!!!!J!!!!)!!J!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!)!8!!"!!%!!3!"!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"3R3dp%45FJ*d4"9%%
+R)#G35808*`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!$!!!"!!!!#J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!!J!
+!!!X#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!!-!!!!-!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!!%!!!!$3)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!`!!"3!!!!i#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!-!!!B!!!!2!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!$!!!(!!!!%!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!#!!
+!!"%#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!!N!!!!5!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!!+!!!!%`)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!`!!#`!!!"3#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!-!!!`!!!!9!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!$!!!0!!!!&J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!$J!
+!!"F#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!!m!!!!B!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!!3!!!!'3)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!`!!%3!!!"S#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!-!!")!!!!E!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!$!!!6!!!!(!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!&!!
+!!"d#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!"8!!!!H!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!!@!!!!(`)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!`!!&`!!!#!#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!-!!"J!!!!K!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!$!!!C!!!!)J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!'J!
+!!#-#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!"X!!!!N!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!!F!!!!*3)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!`!!(3!!!#B#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!-!!"i!!!!R!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!$!!!I!!!!+!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!)!!
+!!#N#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!#%!!!!U!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!!L!!!!+`)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!`!!)`!!!#`#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!-!!#3!!!!Y!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!$!!!P!!!!,J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!*J!
+!!#m#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!#F!!!!`!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!!S!!!!-3)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!`!!+3!!!$)#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!-!!#S!!!!c!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!$!!!V!!!!0!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!,!!
+!!$8#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!#d!!!!f!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!!Z!!!!0`)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!`!!,`!!!$J#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!-!!$!!!!!j!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!$!!!a!!!!1J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!-J!
+!!$X#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!$-!!!!m!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!!d!!!!23)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!`!!03!!!$i#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!-!!$B!!!!r!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!$!!!h!!!!3!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!1!!
+!!%%#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!$N!!!"#!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!!k!!!!3`)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!`!!1`!!!%3#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!-!!$`!!!"&!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!$!!!p!!!!4J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!2J!
+!!%F#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!$m!!!")!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!"!!!!!53)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!`!!33!!!%S#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!-!!%)!!!",!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!$!!"$!!!!6!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!4!!
+!!%d#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!%8!!!"1!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!"'!!!!6`)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!`!!4`!!!&!#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!-!!%J!!!"4!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!$!!"*!!!!8J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!5J!
+!!&-#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!%X!!!"8!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!"-!!!!93)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!`!!63!!!&B#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!-!!%i!!!"A!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!$!!"2!!!!@!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!8!!
+!!&N#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!&%!!!"D!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!"5!!!!@`)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!`!!8`!!!&`#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!-!!&3!!!"G!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!$!!"9!!!!AJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!9J!
+!!&m#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!&F!!!"J!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!"B!!!!B3)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!`!!@3!!!')#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!-!!&S!!!"M!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!$!!"E!!!!C!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!A!!
+!!'8#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!&d!!!"Q!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!"H!!!!C`)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!`!!A`!!!'J#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!-!!'!!!!"T!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!$!!"K!!!!DJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!BJ!
+!!'X#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!'-!!!"X!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!"N!!!!E3)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!`!!C3!!!'i#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!-!!'B!!!"[!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!$!!"R!!!!F!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!D!!
+!!(%#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!'N!!!"b!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!"U!!!!F`)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!`!!D`!!!(3#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!-!!'`!!!"e!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!$!!"Y!!!!GJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!EJ!
+!!(F#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!'m!!!"i!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!"`!!!!H3)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!`!!F3!!!(S#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!-!!()!!!"l!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!$!!"c!!!!I!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!G!!
+!!(d#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!(8!!!"q!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!"f!!!!I`)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!`!!G`!!!)!#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!-!!(J!!!#"!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!$!!"j!!!!JJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!HJ!
+!!)-#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!(X!!!#%!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!"m!!!!K3)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!`!!I3!!!)B#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!-!!(i!!!#(!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!$!!"r!!!!L!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!J!!
+!!)N#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!)%!!!#+!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!##!!!!L`)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!`!!J`!!!)`#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!-!!)3!!!#0!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!$!!#&!!!!MJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!KJ!
+!!)m#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!)F!!!#3!!)"!!!
+!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!L!!!!*%#!3!!!!!!!3!"!3!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!)N!!!#5!J%!!!!!!!%!!3%!!!!!!!!!!!!
+!!!!"!!!!!!!!!!!$!!#+!!!!N`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!
+!!!!!!`!!L`!!!*3#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!)`
+!!!#9!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!#0!!!!PJ)"!!!
+!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!MJ!!!*F#!3!!!!!!!3!"!3!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!)m!!!#B!J%!!!!!!!%!!3%!!!!!!!!!!!!
+!!!!"!!!!!!!!!!!$!!#3!!!!!*N#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!*%!!!#D!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!#
+5!!!!Q`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!N`!!!*`#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!*3!!!#G!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!#9!!!!RJ)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!!PJ!!!*m#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!*F!!!#J!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!#
+B!!!!S3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!Q3!!!+)#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!*S!!!#M!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!#E!!!!T!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!!R!!!!+8#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!*d!!!#Q!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!#
+H!!!!T`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!R`!!!+J#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!+!!!!#T!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!#K!!!!UJ)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!!SJ!!!+X#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!+-!!!#X!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!#
+N!!!!V3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!T3!!!+i#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!+B!!!#[!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!#R!!!!X!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!!U!!!!,%#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!+N!!!#b!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!#
+U!!!!X`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!U`!!!,3#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!+`!!!#e!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!#Y!!!!YJ)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!!VJ!!!,F#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!+m!!!#i!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!#
+`!!!!Z3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!X3!!!,S#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!,)!!!#l!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!#c!!!![!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!!Y!!!!,d#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!,8!!!#q!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!#
+f!!!![`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!Y`!!!-!#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!,J!!!$"!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!#j!!!!`J)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!!ZJ!!!--#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!,X!!!$%!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!#
+m!!!!a3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!![3!!!-B#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!,i!!!$(!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!#r!!!!b!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!!`!!!!-N#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!-%!!!$+!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!$
+#!!!!b`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!``!!!-`#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!-3!!!$0!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!$&!!!!cJ)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!!aJ!!!-m#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!-F!!!$3!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!$
+)!!!!d3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!b3!!!0)#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!-S!!!$6!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!$,!!!!e!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!!c!!!!08#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!-d!!!$@!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!$
+1!!!!e`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!c`!!!0J#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!0!!!!$C!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!$4!!!!fJ)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!!dJ!!!0X#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!0-!!!$F!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!$
+8!!!!h3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!e3!!!0i#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!0B!!!$I!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!$A!!!!i!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!!f!!!!1%#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!0N!!!$L!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!$
+D!!!!i`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!f`!!!13#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!0`!!!$P!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!$G!!!!jJ)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!!hJ!!!1F#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!0m!!!$S!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!$
+J!!!!k3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!i3!!!1S#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!1)!!!$V!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!$M!!!!l!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!!j!!!!1d#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!18!!!$Z!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!$
+Q!!!!l`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!j`!!!2!#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!1J!!!$a!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!$T!!!!mJ)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!!kJ!!!2-#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!1X!!!$d!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!$
+X!!!!p3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!l3!!!2B#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!1i!!!$h!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!$[!!!!q!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!!m!!!!2N#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!2%!!!$k!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!$
+b!!!!q`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!m`!!!2`#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!23!!!$p!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!$e!!!!rJ)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!!pJ!!!2m#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!2F!!!%!!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!$
+i!!!"!3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!q3!!!3)#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!2S!!!%$!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!$l!!!""!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!!r!!!!38#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!2d!!!%'!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!$
+q!!!""`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!!r`!!!3J#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!3!!!!%*!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!%"!!!"#J)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!"!J!!!3X#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!3-!!!%-!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!%
+%!!!"$3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!""3!!!3i#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!3B!!!%2!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!%(!!!"%!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!"#!!!!4%#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!3N!!!%5!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!%
++!!!"%`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!"#`!!!43#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!3`!!!%9!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!%0!!!"&J)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!"$J!!!4F#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!3m!!!%B!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!%
+3!!!"'3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!"%3!!!4S#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!4)!!!%E!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!%6!!!"(!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!"&!!!!4d#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!48!!!%H!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!%
+@!!!"(`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!"&`!!!5!#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!4J!!!%K!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!%C!!!")J)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!"'J!!!5-#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!4X!!!%N!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!%
+F!!!"*3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!"(3!!!5B#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!4i!!!%R!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!%I!!!"+!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!")!!!!5N#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!5%!!!%U!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!%
+L!!!"+`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!")`!!!5`#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!53!!!%Y!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!%P!!!",J)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!"*J!!!5m#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!5F!!!%`!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!%
+S!!!"-3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!"+3!!!6)#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!5S!!!%c!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!%V!!!"0!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!",!!!!68#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!5d!!!%f!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!%
+Z!!!"0`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!",`!!!6J#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!6!!!!%j!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!%a!!!"1J)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!"-J!!!6X#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!6-!!!%m!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!%
+d!!!"23)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!"03!!!6i#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!6B!!!%r!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!%h!!!"3!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!"1!!!!8%#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!6N!!!&#!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!%
+k!!!"3`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!"1`!!!83#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!6`!!!&&!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!%p!!!"4J)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!"2J!!!8F#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!6m!!!&)!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!&
+!!!!"53)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!"33!!!8S#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!8)!!!&,!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!&$!!!"6!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!"4!!!!8d#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!88!!!&1!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!&
+'!!!"6`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!"4`!!!9!#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!8J!!!&4!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!&*!!!"8J)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!"5J!!!9-#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!8X!!!&8!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!&
+-!!!"93)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!"63!!!9B#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!8i!!!&A!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!&2!!!"@!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!"8!!!!9N#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!9%!!!&D!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!&
+5!!!"@`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!"8`!!!9`#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!93!!!&G!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!&9!!!"AJ)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!"9J!!!9m#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!9F!!!&J!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!&
+B!!!"B3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!"@3!!!@)#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!9S!!!&M!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!&E!!!"C!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!"A!!!!@8#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!9d!!!&Q!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!&
+H!!!"C`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!"A`!!!@J#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!@!!!!&T!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!&K!!!"DJ)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!"BJ!!!@X#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!@-!!!&X!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!&
+N!!!"E3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!"C3!!!@i#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!@B!!!&[!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!&R!!!"F!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!"D!!!!A%#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!@N!!!&b!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!&
+U!!!"F`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!"D`!!!A3#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!@`!!!&e!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!&Y!!!"GJ)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!"EJ!!!AF#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!@m!!!&i!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!&
+`!!!"H3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!"F3!!!AS#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!A)!!!&l!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!&c!!!"I!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!"G!!!!Ad#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!A8!!!&q!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!&
+f!!!"J!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!"G`!!!B%#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!AJ!!!'#!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!&j!!!"J`)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!"HJ!!!B3#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!AX!!!'&!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!&
+m!!!"KJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!"I3!!!BF#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!Ai!!!')!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!&r!!!"L3)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!"J!!!!BS#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!-!!B%!!!',!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!'
+#!!!"M!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!"J`!!!Bd#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!B3!!!'1!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!'&!!!"M`)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!`!"KJ!!!C!!!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!
+!!!!!!!!$!!'(!!!"N3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!
+"L!!!!C)#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!BN!!!'6!J%
+!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!'+!!!"P!)"!!!!!!!"!!%
+"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!"L`!!!C8#!3!!!!!!!3!"!3!!!!!!!!!
+!!!!!!!%!!!!!!!!!!!-!!B`!!!'@!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!
+!!!!!!!!$!!'0!!!"P`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!
+"MJ!!!CJ#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!Bm!!!'C!J%
+!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!'3!!!!!CS#!3!!!!!!!3!
+"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!C%!!!'E!J%!!!!!!!%!!3%!!!!!!!!
+!!!!!!!!"!!!!!!!!!!!$!!'5!!!"R!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!
+!!!!!!!!!!`!"N`!!!Cd#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-
+!!C3!!!'H!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!'9!!!"R`)
+"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!"PJ!!!D!#!3!!!!!!!3!
+"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!CF!!!'K!J%!!!!!!!%!!3%!!!!!!!!
+!!!!!!!!"!!!!!!!!!!!$!!'B!!!"SJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!
+!!!!!!!!!!`!"Q3!!!D-#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!-
+!!CS!!!(5!J%!!!!!!!%!!3-!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!'E!!!"d`)
+"!!!!!!!"!!%$!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!"R!!!!G3#!3!!!!!!!3!
+"!`!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!Cd!!!(9!J%!!!!!!!%!!3-!!!!!!!!
+!!!!!!!!"!!!!!!!!!!!$!!'H!!!"T!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!
+!!!!!!!!!!`!"R`!!!GB#!3!!!!!!!3!"!`!!!!!!!!!!!!!!!!%!!!!!!!!!!!-
+!!D!!!!(A!J%!!!!!!!%!!3-!!!!!!!!!!!!!!!!"!!!!!!!!!!!$!!'K!!!"f!)
+"!!!!!!!"!!%$!!!!!!!!!!!!!!!!!3!!!!!!!!!!!`!"SJ!!!GN#!3!!!!!!!3!
+"!`!!!!!!!!!!!!!!!!%!!!!!!!!!!!-!!D-!!!'Q!J%!!!!!!!%!!3%!!!!!!!!
+!!!!!!!!"!!!!!!!!!!!$!!'N!!!"T`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"!!!!!J!!!!-!!!!%!!!!"3!
+!!!B!!!!(!!!!#!!!!!N!!!!+!!!!#`!!!!`!!!!0!!!!$J!!!!m!!!!3!!!!%3!
+!!")!!!!6!!!!&!!!!"8!!!!@!!!!&`!!!"J!!!!C!!!!'J!!!"X!!!!F!!!!(3!
+!!"i!!!!I!!!!)!!!!#%!!!!L!!!!)`!!!#3!!!!P!!!!*J!!!#F!!!!S!!!!+3!
+!!#S!!!!V!!!!,!!!!#d!!!!Z!!!!,`!!!$!!!!!a!!!!-J!!!$-!!!!d!!!!03!
+!!$B!!!!h!!!!1!!!!$N!!!!k!!!!1`!!!$`!!!!p!!!!2J!!!$m!!!"!!!!!33!
+!!%)!!!"$!!!!4!!!!%8!!!"'!!!!4`!!!%J!!!"*!!!!5J!!!%X!!!"-!!!!63!
+!!%i!!!"2!!!!8!!!!&%!!!"5!!!!8`!!!&3!!!"9!!!!9J!!!&F!!!"B!!!!@3!
+!!&S!!!"E!!!!A!!!!&d!!!"H!!!!A`!!!'!!!!"K!!!!BJ!!!'-!!!"N!!!!C3!
+!!'B!!!"R!!!!D!!!!'N!!!"U!!!!D`!!!'`!!!"Y!!!!EJ!!!'m!!!"`!!!!F3!
+!!()!!!"c!!!!G!!!!(8!!!"f!!!!G`!!!(J!!!"j!!!!HJ!!!(X!!!"m!!!!I3!
+!!(i!!!"r!!!!J!!!!)%!!!##!!!!J`!!!)3!!!#&!!!!KJ!!!)F!!!#)!!!!L3!
+!!)S!!!#,!!!!M!!!!)d!!!#1!!!!M`!!!*!!!!!!N3!!!*)!!!#6!!!!P!!!!*8
+!!!#@!!!!P`!!!*J!!!#C!!!!QJ!!!*X!!!#F!!!!R3!!!*i!!!#I!!!!S!!!!+%
+!!!#L!!!!S`!!!+3!!!#P!!!!TJ!!!+F!!!#S!!!!U3!!!+S!!!#V!!!!V!!!!+d
+!!!#Z!!!!V`!!!,!!!!#a!!!!XJ!!!,-!!!#d!!!!Y3!!!,B!!!#h!!!!Z!!!!,N
+!!!#k!!!!Z`!!!,`!!!#p!!!![J!!!,m!!!$!!!!!`3!!!-)!!!$$!!!!a!!!!-8
+!!!$'!!!!a`!!!-J!!!$*!!!!bJ!!!-X!!!$-!!!!c3!!!-i!!!$2!!!!d!!!!0%
+!!!$5!!!!d`!!!03!!!$9!!!!eJ!!!0F!!!$B!!!!f3!!!0S!!!$E!!!!h!!!!0d
+!!!$H!!!!h`!!!1!!!!$K!!!!iJ!!!1-!!!$N!!!!j3!!!1B!!!$R!!!!k!!!!1N
+!!!$U!!!!k`!!!1`!!!$Y!!!!lJ!!!1m!!!$`!!!!m3!!!2)!!!$c!!!!p!!!!28
+!!!$f!!!!p`!!!2J!!!$j!!!!qJ!!!2X!!!$m!!!!r3!!!2i!!!$r!!!"!!!!!3%
+!!!%#!!!"!`!!!33!!!%&!!!""J!!!3F!!!%)!!!"#3!!!3S!!!%,!!!"$!!!!3d
+!!!%1!!!"$`!!!4!!!!%4!!!"%J!!!4-!!!%8!!!"&3!!!4B!!!%A!!!"'!!!!4N
+!!!%D!!!"'`!!!4`!!!%G!!!"(J!!!4m!!!%J!!!")3!!!5)!!!%M!!!"*!!!!58
+!!!%Q!!!"*`!!!5J!!!%T!!!"+J!!!5X!!!%X!!!",3!!!5i!!!%[!!!"-!!!!6%
+!!!%b!!!"-`!!!63!!!%e!!!"0J!!!6F!!!%i!!!"13!!!6S!!!%l!!!"2!!!!6d
+!!!%q!!!"2`!!!8!!!!&"!!!"3J!!!8-!!!&%!!!"43!!!8B!!!&(!!!"5!!!!8N
+!!!&+!!!"5`!!!8`!!!&0!!!"6J!!!8m!!!&3!!!"83!!!9)!!!&6!!!"9!!!!98
+!!!&@!!!"9`!!!9J!!!&C!!!"@J!!!9X!!!&F!!!"A3!!!9i!!!&I!!!"B!!!!@%
+!!!&L!!!"B`!!!@3!!!&P!!!"CJ!!!@F!!!&S!!!"D3!!!@S!!!&V!!!"E!!!!@d
+!!!&Z!!!"E`!!!A!!!!&a!!!"FJ!!!A-!!!&d!!!"G3!!!AB!!!&h!!!"H!!!!AN
+!!!&k!!!"H`!!!A`!!!&p!!!"IJ!!!Am!!!'!!!!"J3!!!B)!!!'$!!!"K!!!!B8
+!!!''!!!"K`!!!BJ!!!'*!!!"LJ!!!BX!!!'-!!!"M3!!!Bi!!!'2!!!"N!!!!!'
+4!!!"NJ!!!C-!!!'8!!!"P3!!!CB!!!'A!!!"Q!!!!Cd!!!'L!!!"S`!!!CN!!!'
+D!!!"Q`!!!C`!!!'H!!!"R`!!!D!!!!'K!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!D3!!!(
+!!`!!!!-!!D3!!!(D!!%!(!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-!!CJ$!!'
+C!`!"P`-!!CB$!!!#!`!!!`-!!!%$!!!%!`!!"3-!!!B$!!!(!`!!#!-!!!N$!!!
++!`!!#`-!!!`$!!!0!`!!$J-!!!m$!!!3!`!!%3-!!")$!!!6!`!!&!-!!"8$!!!
+@!`!!&`-!!"J$!!!C!`!!'J-!!"X$!!!F!`!!(3-!!"i$!!!I!`!!)!-!!#%$!!!
+L!`!!)`-!!#3$!!!P!`!!*J-!!#F$!!!S!`!!+3-!!#S$!!!V!`!!,!-!!#d$!!!
+Z!`!!,`-!!$!$!!!a!`!!-J-!!$-$!!!d!`!!03-!!$B$!!!h!`!!1!-!!$N$!!!
+k!`!!1`-!!$`$!!!p!`!!2J-!!$m$!!"!!`!!33-!!%)$!!"$!`!!4!-!!%8$!!"
+'!`!!4`-!!%J$!!"*!`!!5J-!!%X$!!"-!`!!63-!!%i$!!"2!`!!8!-!!&%$!!"
+5!`!!8`-!!&3$!!"9!`!!9J-!!&F$!!"B!`!!@3-!!&S$!!"E!`!!A!-!!&d$!!"
+H!`!!A`-!!'!$!!"K!`!!BJ-!!'-$!!"N!`!!C3-!!'B$!!"R!`!!D!-!!'N$!!"
+U!`!!D`-!!'`$!!"Y!`!!EJ-!!'m$!!"`!`!!F3-!!()$!!"c!`!!G!-!!(8$!!"
+f!`!!G`-!!(J$!!"j!`!!HJ-!!(X$!!"m!`!!I3-!!(i$!!"r!`!"S`-!!)!$!!#
+"!`!!JJ-!!)-$!!#%!`!!K3-!!)B$!!#(!`!!L!-!!)N$!!#+!`!!L`-!!)`$!!#
+0!`!!MJ-!!)m$!!#3!!-!!*%$!!#5!`!!N`-!!*3$!!#9!`!!PJ-!!*F$!!#B!`!
+!Q3-!!*S$!!#E!`!!R!-!!*d$!!#H!`!!R`-!!+!$!!#K!`!!SJ-!!+-$!!#N!`!
+!T3-!!+B$!!#R!`!!U!-!!+N$!!#U!`!!U`-!!+`$!!#Y!`!!VJ-!!+m$!!#`!`!
+!X3-!!,)$!!#c!`!!Y!-!!,8$!!#f!`!!Y`-!!,J$!!#j!`!!ZJ-!!,X$!!#m!`!
+![3-!!,i$!!#r!`!!`!-!!-%$!!$#!`!!``-!!-3$!!$&!`!!aJ-!!-F$!!$)!`!
+!b3-!!-S$!!$,!`!!c!-!!-d$!!$1!`!!c`-!!0!$!!$4!`!!dJ-!!0-$!!$8!`!
+!e3-!!0B$!!$A!`!!f!-!!0N$!!$D!`!!f`-!!0`$!!$G!`!!hJ-!!0m$!!$J!`!
+!i3-!!1)$!!$M!`!!j!-!!18$!!$Q!`!!j`-!!1J$!!$T!`!!kJ-!!1X$!!$X!`!
+!l3-!!1i$!!$[!`!!m!-!!2%$!!$b!`!!m`-!!23$!!$e!`!!pJ-!!2F$!!$i!`!
+!q3-!!2S$!!$l!`!!r!-!!2d$!!$q!`!!r`-!!3!$!!%"!`!"!J-!!3-$!!%%!`!
+""3-!!3B$!!%(!`!"#!-!!3N$!!%+!`!"#`-!!3`$!!%0!`!"$J-!!3m$!!%3!`!
+"%3-!!4)$!!%6!`!"&!-!!48$!!%@!`!"&`-!!4J$!!%C!`!"'J-!!4X$!!%F!`!
+"(3-!!4i$!!%I!`!")!-!!5%$!!%L!`!")`-!!53$!!%P!`!"*J-!!5F$!!%S!`!
+"+3-!!5S$!!%V!`!",!-!!D3$!!%Y!`!",J-!!5m$!!%`!`!"-3-!!6)$!!%c!`!
+"0!-!!68$!!%f!`!"0`-!!6J$!!%j!`!"1J-!!6X$!!%m!`!"23-!!6i$!!%r!`!
+"3!-!!8%$!!&#!`!"3`-!!83$!!&&!`!"4J-!!8F$!!&)!`!"53-!!8S$!!&,!`!
+"6!-!!8d$!!&1!`!"6`-!!9!$!!&4!`!"8J-!!9-$!!&8!`!"93-!!9B$!!&A!`!
+"@!-!!9N$!!&D!`!"@`-!!9`$!!&G!`!"AJ-!!9m$!!&J!`!"B3-!!@)$!!&M!`!
+"C!-!!@8$!!&Q!`!"C`-!!@J$!!&T!`!"DJ-!!@X$!!&X!`!"E3-!!@i$!!&[!`!
+"F!-!!A%$!!&b!`!"F`-!!A3$!!&e!`!"GJ-!!AF$!!&i!`!"H3-!!AS$!!&l!`!
+"I!-!!Ad$!!&q!`!"I`-!!B!$!!'"!`!"JJ-!!B-$!!'%!`!"K3-!!BB$!!'(!`!
+"L!-!!BN$!!'+!`!"L`-!!B`$!!'0!`!"MJ-!!Bm$!!'3!!-!!C%$!!'5!`!"N`-
+!!C3$!!'9!`!"RJ-!!D!$!!'K!`!"Q`-!!D)$!!'D!`!"R!-!!Cd$!!'I!!)!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!#`MlJ!!!!!!!!!3!#`NI`!!)!!!!
+!!!!!!!!!!X)fJ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!)!!!%
+!!!!!"3!!Irm!!!!!Irm!!!!!Irm!!!!!Irm!!!!-!!%!!J!'!!!!"8!!!!J!!3!
+"1J!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%!!!$rrrr
+r!!!!!`!"!!%k1J!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!3!!!2rrrrm!!!!%!!%!!6SkD@jME(9NC6S!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!rrrrrd!!!!)!!3!"1J!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!$rrrrr3!!!!`!"!!%k1MT(990*1QPZBfaeC'8
+k!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!2rrrrp!!!!%!!%!!6Sk1NG98dN
+kE'PL1J!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!rrrrrd!!!!8!!J!
+"1NeKBdp6)&0eF("[FR3k!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%!!!$rrrr
+r3!!!"J!#!!%k690-1J!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!3!!!2rrrrp!!!!(!!S!!%eKBdp6)$Bi5b"-D@jVCA)!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!%aTBP066#!f1%X!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!3!"1J!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!J!"6@&M6e-J0MK,)%a
+TEQYPFJ!!!!!!!!!!!!!!!!!!!!!!)%&38%`!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!B!!!!%&
+`F'`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!B!!!!%e06%)!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!%aTBL"*EA"[FR3J0MK,!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%e
+36%B!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%aTBL"*EA"[FR3J0MK
+,!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%eA3d3!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!B!!!!%p
+#5L!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%e39b"*EA"[FR3J0MK
+,!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&"-Ef)!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!B!!!!&*
+68N-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!B!!!!&4&@&3ZBQJ!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!%*KE'a[EfiJ5'9XF!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&4
+&@&3ZB`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%eA)%-[3bXV)$Bi5`!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&4&@&3ZBbXV!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!%eA)%-[3bXV)$Bi5`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&4
+&@&3ZBf-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%eA)%-[3bXV)$Bi5`!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&4&@&3ZBh!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!%eA)%-[3bXV)$Bi5`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&4
+&@&3ZBh"`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%eA)%-[3bXV)$Bi5`!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&4&@&3ZCAK`!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&4
+&@&3ZCf-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%GKE@9$Ef4P)%0[ERC
+PFR4PFJ!!!!!!!!!!!!!!!!!!3!!!!&4&@&3ZD!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!%eA)%-[3bXV)$Bi5`!!!!!!!!!!!!!!!!!!!!!!!!!!%!!!!&4
+&@&3ZE!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%CXCAJJ8(*PF(*[Bf9
+cFfpb!!!!!!!!!!!!!!!!!!!!J!!!!&4&@&3ZF!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!%eA)&"KFf0KE#!f1%X!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&4
+&@&3ZF'&c!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%eA)&"KFf0KE#!f1%X
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&4&@&3ZF'0S!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!%eA)%-[3bXV)$Bi5`!!!!!!!!!!!!!!!!!!!!!!!!!!J!!!!&4
+&@&3ZF'0S+bX!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%eA)%-[3bXV)$Bi5`!
+!!!!!!!!!!!!!!!!!!!!!!!!!J!!!!&4&@&3ZF("e!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!%eA)&"KFf0KE#!f1%X!!!!!!!!!!!!!!!!!!!!!!!!!J!!!!&4
+&@&3ZFJ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&*PHJ!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&4&@&3ZFf9R!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&4
+&@&3ZH3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%*TFfpZ)&"bCA"bEf0
+PFh0[FJ!!!!!!!!!!!!!!!!!!J!!!!'4[Bh8!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!B!!!!(*
+cFQ-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!B!!!!(0SE')!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!&"&4L"*EA"[FR3J0MK,!!!!!!!!!!!!!!!!!!!!!!!!!!!!!(0
+dG@)!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&"&4L"*EA"[FR3J0MK
+,!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!ZC'pM!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!8!!!!!!
+!!!!ZFR0bB`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!B!!!!!!&!3%!!3!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!B
+!!!!!!3!!!!!&!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!3%!!'eKD@i!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!#!%"!3!!!!%"!3!!!3%"!!!
+!!!!"!3!!!3%!!3!!!33!!!!!!!!!!!!!#!%!!3%!!3%!!!!"!!!*!!-B6'PL8e0
+-,MBi5b"'B5JdD9miC#NZ6'PL!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!2cmr2cmr2cm!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!r2cmr!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!$3!"!!!!!!!9AdeA49*,8ep(990*Ah"bC@CTH#jS!!!!!!!
+!!!!!!!!!!3!!!!!!!!!!!3!!!!!!!!!!!!!&!3%"!!!"!3!"!!!!!!3!!!!!!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Aep
+cG'&bG!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"!!%!!!P0CA*RC5"2GA3
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!r2cmr39"36!!"!3!!"#!J)#!$NS0J!h6IH!-$VH!!"3)"!!%"!!%"!3!
+!!3!!!!!!!!!"!3%"!!%"!!%!!33!!!!!!!!!!!!!"`%"!!%!!!%!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!AepcG'&bG!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!J!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&!!!)4f9d5&488&-!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!$mr2cp"8&"-!!!%!!!!"!!!!!"!!!"B`!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"2cm
+r2`!!!!!!!!!#!!!!!J!#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!J"3!!%!!3!"!!%!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&#G$6d4&*b!R4%&835F
+J*e"*3e3R!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!3!!!%!!!!+!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!%!!!#!!!
+!#`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"!!!!`!!!!`#!3!!!!!
+!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!3!!!3!!!!0!J%!!!!!!!%!!3%!!!!
+!!!!!!!!!!!!"!!!!!!!!!!!%!!!&!!!!$J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!
+!!3!!!!!!!!!!"!!!"J!!!!m#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!
+!!!3!!!F!!!!3!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!%!!!)!!!
+!%3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"!!!#3!!!")#!3!!!!!
+!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!3!!!S!!!!6!J%!!!!!!!%!!3%!!!!
+!!!!!!!!!!!!"!!!!!!!!!!!%!!!,!!!!&!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!
+!!3!!!!!!!!!!"!!!$!!!!"8#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!
+!!!3!!!d!!!!@!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!%!!!1!!!
+!&`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"!!!$`!!!"J#!3!!!!!
+!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!3!!"!!!!!C!J%!!!!!!!%!!3%!!!!
+!!!!!!!!!!!!"!!!!!!!!!!!%!!!4!!!!'J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!
+!!3!!!!!!!!!!"!!!%J!!!"X#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!
+!!!3!!"-!!!!F!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!%!!!8!!!
+!(3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"!!!&3!!!"i#!3!!!!!
+!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!3!!"B!!!!I!J%!!!!!!!%!!3%!!!!
+!!!!!!!!!!!!"!!!!!!!!!!!%!!!A!!!!)!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!
+!!3!!!!!!!!!!"!!!'!!!!#%#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!
+!!!3!!"N!!!!L!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!%!!!D!!!
+!)`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"!!!'`!!!#3#!3!!!!!
+!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!3!!"`!!!!P!J%!!!!!!!%!!3%!!!!
+!!!!!!!!!!!!"!!!!!!!!!!!%!!!G!!!!*J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!
+!!3!!!!!!!!!!"!!!(J!!!#F#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!
+!!!3!!"m!!!!S!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!%!!!J!!!
+!+3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"!!!)3!!!#S#!3!!!!!
+!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!3!!#)!!!!V!J%!!!!!!!%!!3%!!!!
+!!!!!!!!!!!!"!!!!!!!!!!!%!!!M!!!!,!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!
+!!3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!3!!!!)!!!!$!!!!"!!!!!8!!!!'!!!
+!"`!!!!J!!!!*!!!!#J!!!!X!!!!-!!!!$3!!!!i!!!!2!!!!%!!!!"%!!!!5!!!
+!%`!!!"3!!!!9!!!!&J!!!"F!!!!B!!!!'3!!!"S!!!!E!!!!(!!!!"d!!!!H!!!
+!(`!!!#!!!!!K!!!!)J!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!)`!!!%!%!!!!"!!
+!)`!!!GS!!3!F!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"!!!"33!!!3%!!!$"!!
+!!J3!!!B%!!!,"!!!#J3!!!N%!!!)"!!!"`3!!!`%!!!5"!!!%33!!"!%!!!2"!!
+!$33!!!i%!!!6"!!!)J3!!#%%!!!J"!!!(`3!!#-%!!!""!!!&!3!!"8%!!!@"!!
+!&`3!!"J%!!!C"!!!'J3!!"X%!!!F"!!!(33!!"i!!J!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!,#2Z!!!!!!!!!"!!,#4r!!!J!!!!!!!!!!!!!#`MD!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!J!!!3!!!!!&!!"rr`!!!!"
+rr`!!!!"rr`!!!!"rr`!!!!`!!3!#!!B!!!!&3!!!#!!"!!%k!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!3!!!2rrrrm!!!!$!!%!!6Sk!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"!!!!rrrrr`!!!!3
+!!3!"1MTTEQ0XG@4P1J!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!$
+rrrrr3!!!!J!"!!%k!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!2rrrrp!!!!$!!%!!6Sk1NG98dNkD@jME(9NC6S!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!rrrrrd!!!!3!!3!"1MSk4e9656TXD@)k!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!$rrrrr3!!!"3!#!!%k6@&M6e-J8h9`F'p
+bG$S!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!3!!!2rrrrp!!!!'!!)!!6T08d`
+k!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"!!!!rrrrrd!!!!F
+!#J!!6@&M6e-J0MK,)%aTEQYPFJ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!6h"PEP066#!f1'X!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!"!!%k!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!#!!&0B@028b!f1%XJ6'PZDf9b!!!!!!!!!!!
+!!!!!!!!!!!!J39"36!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"J!!!!3A"`E!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!"J!!!!68e-3J!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!6'P
+L)%PYF'pbG#!f1%X!!!!!!!!!!!!!!!!!!!!!!!!!!!!!69"-4J!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!6'PL)%PYF'pbG#!f1%X!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!69G$4!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"J!!!!6d*+)!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!69"A)%PYF'pbG#!f1%X!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!8%a[BJ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"J!!!!8P053`!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!"J!!!!9%9B9#jLD!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!3Q&
+XE'p[EL")C@a`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!9%9B9#jM!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!69FJ3bp$+bXJ0MK,!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!9%9B9#jM+bX!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!69F
+J3bp$+bXJ0MK,!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!9%9B9#jMB`!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!69FJ3bp$+bXJ0MK,!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!9%9B9#jMF!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!69F
+J3bp$+bXJ0MK,!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!9%9B9#jMF(!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!69FJ3bp$+bXJ0MK,!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!9%9B9#jPH(!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!9%9B9#jRB`!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!4f&YC80[C'8J3fpZGQ9bG'9b!!!!!!!!!!!
+!!!!!!!"!!!!!9%9B9#jS!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!69F
+J3bp$+bXJ0MK,!!!!!!!!!!!!!!!!!!!!!!!!!!!3!!!!9%9B9#jX!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!4QaPH#"3FQ9`FQpMCA0cEh)!!!!!!!!!!!!
+!!!!!!!#!!!!!9%9B9#j`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!69F
+J8'&cBf&X)$Bi5`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!9%9B9#j`BA-!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!69FJ8'&cBf&X)$Bi5`!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!9%9B9#j`BfJ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!69F
+J3bp$+bXJ0MK,!!!!!!!!!!!!!!!!!!!!!!!!!!#!!!!!9%9B9#j`BfJV+`!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!69FJ3bp$+bXJ0MK,!!!!!!!!!!!!!!!!!!!
+!!!!!!!#!!!!!9%9B9#j`F(8!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!69F
+J8'&cBf&X)$Bi5`!!!!!!!!!!!!!!!!!!!!!!!!#!!!!!9%9B9#jb!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!8Q9k!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!9%9B9#jcC@F!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!9%9B9#jj!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!3QPcEfiJ8(*PF(*[Bf9cFfpb!!!!!!!!!!!
+!!!!!!!#!!!!!C'pMG3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"J!!!!FR0bB`!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!"J!!!!FfKXBJ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!8%9
+')%PYF'pbG#!f1%X!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Fh4eBJ!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!8%9')%PYF'pbG#!f1%X!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!#jNEf-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"3!!!!!!!!!#jbFh*M!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!"J!!!!!!8"!3!"!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"J!!!!!"!!!!!!8!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"!3!
+!E@&TEJ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!)!3!"!!!!!3%"!!!"!3%!!!!!!!%"!!!"!3!"!!!
+""!!!!!!!!!!!!!!)!3!"!3!"!3!!!!%!!!N!!!a2F'9Z8e0-+$BiDbN!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!r2cm
+r39"36!!!!J"B`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!$mr2cm!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+0!!%!!!!!!"9I69G&8NY6AdG98dPIF(*PCQPi,QJ!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!"!!!!!!!!!!!!!!8"!3%!!!%"!!%!!!!!"!!!!!!!!!!!!!!!!!!!!!!"!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"IAh0dBA*d!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!%!!3!!#8ePFQGP)%peG!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!$mr2cp"8&"
+-!!%"!!!%)#!J)!15Jf!$G0pi!`1Yi!!&!J%!!3%!!3%"!!!"!!!!!!!!!!%"!3%
+!!3%!!3!""!!!!!!!!!!!!!!(!3%!!3!!!3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"IAh0dBA*
+d!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!#!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!8!!!G2F'9Z8e0-!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!2cmr2d&38%`!!!3!!!!%!!!!!%!!!&M!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%r2cmr!!!!!!!!!!)!!!!
+#!!)!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!#!&!!!3!
+"!!%!!3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!8*d024%8R)#G%394"*b!R8%P$9#F!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"3!!!3!!!ES#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!8!!!)!!!'l!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!&!!!$!!!"[!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!"3!!"!!!!Ed#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!8!!!8!!!'q!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!&!!!
+'!!!"[`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"3!!"`!!!F!#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!8!!!J!!!("!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!&!!!*!!!"`J)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!"3!!#J!!!F-#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!8!!!X!!!(%!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!&!!!
+-!!!"a3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"3!!$3!!!FB#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!8!!!i!!!((!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!&!!!2!!!"b!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!"3!!%!!!!FN#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!8!!"%!!!(+!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!&!!!
+5!!!"b`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"3!!%`!!!F`#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!8!!"3!!!(E!J%!!!!!!!%!!3-
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!&!!!9!!!"h!)"!!!!!!!"!!%$!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!"3!!&J!!!Gd#!3!!!!!!!3!"!`!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!8!!"F!!!(5!J%!!!!!!!%!!3-!!!!!!!!!!!!!!!!"!!!!!!!!!!!&!!!
+B!!!"f3)"!!!!!!!"!!%$!!!!!!!!!!!!!!!!!3!!!!!!!!!!"3!!'3!!!G3#!3!
+!!!!!!3!"!`!!!!!!!!!!!!!!!!%!!!!!!!!!!!8!!"S!!!(9!J%!!!!!!!%!!3-
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!&!!!E!!!"eJ)"!!!!!!!"!!%$!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!"3!!(!!!!G-#!3!!!!!!!3!"!`!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!8!!"d!!!(A!J%!!!!!!!%!!3-!!!!!!!!!!!!!!!!"!!!!!!!!!!!&!!!
+H!!!"f!)"!!!!!!!"!!%$!!!!!!!!!!!!!!!!!3!!!!!!!!!!"3!!(`!!!Im%!3!
+!!!!!!!!"!`!!!!!!!!!!!!!!!)%!!!!!!!!!!!8!!#!!!!(I!J%!!!!!!!%!!3-
+!!!!!!!!!!!!!!!#"!!!!!!!!!!!!!!!!!!!!!3!!!!)!!!!$!!!!"!!!!!8!!!!
+'!!!!"`!!!!J!!!!*!!!!#J!!!!X!!!!-!!!!$3!!!!i!!!!2!!!!%!!!!"%!!!!
+5!!!!&J!!!"X!!!!B!!!!'3!!!"S!!!!F!!!!(3!!!"F!!!!6!!!!&!!!!"8!!!!
+H!!!!(`!!!#!!!!!J"3!!!!8!!#!!!!(D!!%!(!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!8!!!%&!!!#"3!!!`8!!!3&!!!&"3!!"J8!!!F&!!!)"3!!#38!!!S&!!!
+,"3!!$!8!!!d&!!!1"3!!$`8!!"!&!!!4"3!!%J8!!#!&!!!I"3!!%`8!!"3&!!!
+9"3!!&J8!!"d&!!!H"3!!(!8!!"J&!!!A"3!!'38!!"S&!!!E!!)!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!#`MlJ!!!!!!!!!3!#`NI`!!)!!!!!!!!!!!!
+!!X)fJ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!)!!!%!!!!!"3!
+!Irm!!!!!Irm!!!!!Irm!!!!!Irm!!!!-!!%!!J!'!!!!"8!!!!J!!3!"1J!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%!!!$rrrrr!!!!!`!
+"!!%k1J!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!3!!!2r
+rrrm!!!!%!!%!!6SkD@jME(9NC6S!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!rrrrrd!!!!)!!3!"1J!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!$rrrrr3!!!!`!"!!%k1MT(990*1QPZBfaeC'8k!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!2rrrrp!!!!%!!%!!6Sk1NG98dNkE'PL1J!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!rrrrrd!!!!8!!J!"1NeKBdp
+6)&0eF("[FR3k!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%!!!$rrrrr3!!!"J!
+#!!%k690-1J!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!3!!!2r
+rrrp!!!!(!!S!!%eKBdp6)&"33b"-D@jVCA)!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!%aTBP066#"38%-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!3!"1J!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!J!"6@&M6e-J8&"$)%aTEQYPFJ!
+!!!!!!!!!!!!!!!!!!!!!(N&38%`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!B!!!!%&`F'`!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!B!!!!%e06%)!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!%aTBL"*EA"[FR3J8&"$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%e36%B!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%aTBL"*EA"[FR3J8&"$!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!%eA3d3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!B!!!!&*68N-!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!B!!!!&4&@&3ZBQJ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!%*KE'a[EfiJ5'9XF!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&4&@&3ZB`!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%eA)%-[3bXV)&"33`!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!&4&@&3ZBbXV!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!%eA)%-[3bXV)&"33`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&4&@&3ZBf-
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%eA)%-[3bXV)&"33`!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!&4&@&3ZBh!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!%eA)%-[3bXV)&"33`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&4&@&3ZBh"
+`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%eA)%-[3bXV)&"33`!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!&4&@&3ZCAK`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&4&@&3ZCf-
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%GKE@9$Ef4P)%0[ERCPFR4PFJ!
+!!!!!!!!!!!!!!!!!3!!!!&4&@&3ZD!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!%eA)%-[3bXV)&"33`!!!!!!!!!!!!!!!!!!!!!!!!!!%!!!!&4&@&3ZE!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%CXCAJJ8(*PF(*[Bf9cFfpb!!!
+!!!!!!!!!!!!!!!!!J!!!!&4&@&3ZF!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!%eA)&"KFf0KE#"38%-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&4&@&3ZF'&
+c!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%eA)&"KFf0KE#"38%-!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!&4&@&3ZF'0S!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!%eA)%-[3bXV)&"33`!!!!!!!!!!!!!!!!!!!!!!!!!!J!!!!&4&@&3ZF'0
+S+bX!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%eA)%-[3bXV)&"33`!!!!!!!!!
+!!!!!!!!!!!!!!!!!J!!!!&4&@&3ZF("e!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!%eA)&"KFf0KE#"38%-!!!!!!!!!!!!!!!!!!!!!!!!!J!!!!&4&@&3ZFJ!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&*PHJ!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!&4&@&3ZF`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!&"33d&cE3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&4&@&3ZH3!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%*TFfpZ)&"bCA"bEf0PFh0[FJ!
+!!!!!!!!!!!!!!!!!J!!!!&K$6dB!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!&K$6dC')%PYF'pbG#"38%-!!!!!!!!!!!!!!!!!!!!!!!!!!'4[Bh8!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!B!!!!(*cFQ-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!B!!!!(0SE')!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&"&4L"*EA"[FR3J8&"$!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!(0dG@)!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!&"&4L"*EA"[FR3J8&"$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!ZC'p
+M!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!8!!!!!!&!3%!!3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!B!!!!!!3!
+!!!!&!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!3%!!'eKD@i!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!#!%"!3!!!!%"!3!!!3%"!!!!!!!"!3!
+!!3%!!3!!!33!!!!!!!!!!!!!#!%!!3%!!3%!!!!"!!!*!!-B6'PL8e0-,MBi5b"
+'B5JiD9mdC#NZ6'PL!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!2cmr2cmr2cm!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!r2cmr!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!$3!"!!!!!!!9AdeA49*,8ep(990*Ah"bC@CTH#jS!!!!!!!!!!!!!!!
+!!3!!!3!!!!!!!3!!!!!!!!!!!!!&!3%"!!!"!3!"!!!!!!3!!!!!!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!AepcG'&bG!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"!!%!!!P0CA*RC5"2GA3!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+r2cmr39"36!!"!3!!"#!J)#!$NS0J!h6IH!-$VH!!"3)"!!%"!!%"!3!!!3!!!!!
+!!!!"!3%"!!%"!!%!!33!!!!!!!!!!!!!"`%"!!%!!!%!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!AepcG'&bG!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!J!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&!!-16'PL8e0-,P"33bj-D@)!!!!
+!!!!!!!!!!!!!!!!!!$mr2cmr2cmr!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"2cmr2`!!!!!
+!!!!#!!!!!J!#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!J"3!!%!!3!"!!%!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&#G$6d4&*b!R4%&835FJ*e"*3e3
+R!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!B!!!%
+!!!!+!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!'!!!#!!!!#`)"!!!
+!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"J!!!`!!!!`#!3!!!!!!!3!"!3!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!B!!!3!!!!0!J%!!!!!!!%!!3%!!!!!!!!!!!!
+!!!!"!!!!!!!!!!!'!!!&!!!!$J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!
+!!!!!"J!!"J!!!!m#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!B!!!F
+!!!!3!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!'!!!)!!!!%3)"!!!
+!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"J!!#3!!!")#!3!!!!!!!3!"!3!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!B!!!S!!!!6!J%!!!!!!!%!!3%!!!!!!!!!!!!
+!!!!"!!!!!!!!!!!'!!!,!!!!&!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!
+!!!!!"J!!$!!!!"8#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!B!!!d
+!!!!@!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!'!!!1!!!!&`)"!!!
+!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"J!!$`!!!"J#!3!!!!!!!3!"!3!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!B!!"!!!!!C!J%!!!!!!!%!!3%!!!!!!!!!!!!
+!!!!"!!!!!!!!!!!'!!!4!!!!'J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!
+!!!!!"J!!%J!!!"X#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!B!!"-
+!!!!F!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!'!!!8!!!!(3)"!!!
+!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"J!!&3!!!"i#!3!!!!!!!3!"!3!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!B!!"B!!!!I!J%!!!!!!!%!!3%!!!!!!!!!!!!
+!!!!"!!!!!!!!!!!'!!!A!!!!)!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!
+!!!!!"J!!'!!!!#%#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!B!!"N
+!!!!L!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!'!!!D!!!!)`)"!!!
+!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"J!!'`!!!#3#!3!!!!!!!3!"!3!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!B!!"`!!!!P!J%!!!!!!!%!!3%!!!!!!!!!!!!
+!!!!"!!!!!!!!!!!'!!!G!!!!*J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!
+!!!!!"J!!(J!!!#F#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!B!!"m
+!!!!S!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!'!!!J!!!!+3)"!!!
+!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"J!!)3!!!#S#!3!!!!!!!3!"!3!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!B!!#)!!!!V!J%!!!!!!!%!!3%!!!!!!!!!!!!
+!!!!"!!!!!!!!!!!'!!!M!!!!,!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!3!!!!)!!!!$!!!!"!!!!!8!!!!'!!!!"`!!!!J
+!!!!*!!!!#J!!!!X!!!!-!!!!$3!!!!i!!!!2!!!!%!!!!"%!!!!5!!!!%`!!!"3
+!!!!9!!!!&J!!!"F!!!!B!!!!'3!!!"S!!!!E!!!!(!!!!"d!!!!H!!!!(`!!!#!
+!!!!K!!!!)J!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!)`!!!%!'!!!!"J!!)`B!!!8
+'!!!%"J!!!`B!!!)'!!!'"J!!#`B!!!S'!!!*"J!!#!B!!!F'!!!-"J!!%JB!!"%
+'!!!3"J!!$`B!!!d'!!!1"J!!%`B!!#)'!!!K"J!!)!B!!"m'!!!M"J!!!3B!!"3
+'!!!9"J!!&JB!!"F'!!!B"J!!'3B!!"S'!!!E"J!!(!B!!"d'!!!H!!!"U!!"!#J
+!!!!J!j(*N!!r2`!!!!!!!!!!!!!$NFQ3!!!#!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!X)qi!!!!!!!!!%!!X*(m!!#!!!!!!!!!!!!!!,#0S!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!#!!!"!!!!!!8!!(rr!!!!!(rr!!!
+!!(rr!!!!!(rr!!!!$!!"!!)!"J!!!!9!!!!)!!%!!6S!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"!!!!rrrrr`!!!!-!!3!"1MS!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%!!!$rrrrr!!!!"!!"!!%
+k1QPZBfaeC'8k!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!2rrrrp
+!!!!#!!%!!6S!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!rrrrrd!!!!-!!3!"1MSk4e9656TTEQ0XG@4P1J!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!$rrrrr3!!!"!!"!!%k1MT(990*1QaTBMS!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!2rrrrp!!!!&!!)!!6T0B@028b"6GA"`Eh*d1J!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"!!!!rrrrrd!!!!B!!J!"1Ne66$S!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%!!!$rrrrr3!!!"`!+!!"
+0B@028b"38%-J6'PZDf9b!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+-D@*$FRP`G'mJ8&"$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!%!!6S!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!)!!8eKBdp6)&"33b"-D@jVCA)!!!!!!!!!!!!!!!!
+!!!!!!"j"8&"-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!'!!!!""F("X!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!'!!!!"068a#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"-D@)J5@e
+`Eh*d)&"33`!!!!!!!!!!!!!!!!!!!!!!!!!!!!"08%a'!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!"-D@)J5@e`Eh*d)&"33`!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!"09d0%!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!'!!!!"58e*$!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!'!!!!"849K8,Q*S!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"#B@aXEfp
+Z)%KPE(!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"849K8,Q-!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!"09b"$,d-V+b"38%-!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!"849K8,Q-V+`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"09b"$,d-
+V+b"38%-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"849K8,Q0M!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!"09b"$,d-V+b"38%-!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!"849K8,Q0`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"09b"$,d-
+V+b"38%-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"849K8,Q0`F!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!"09b"$,d-V+b"38%-!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!"849K8,Q9iF!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"849K8,QGM!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!"(B@eP3fpNC5"$EfjfCA*dCA)!!!!!!!!!!!!!!!!
+!!%!!!!"849K8,QJ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"09b"$,d-
+V+b"38%-!!!!!!!!!!!!!!!!!!!!!!!!!!"!!!!"849K8,Q`!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!"'E'9i)&"bCA"bEf0PFh0[FJ!!!!!!!!!!!!!!!!!
+!!)!!!!"849K8,R!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"09b"3BA0
+MB@`J8&"$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"849K8,R"KF`!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!"09b"3BA0MB@`J8&"$!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!"849K8,R"MD!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"09b"$,d-
+V+b"38%-!!!!!!!!!!!!!!!!!!!!!!!!!!)!!!!"849K8,R"MD#XV!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!"09b"$,d-V+b"38%-!!!!!!!!!!!!!!!!!!!!!!!!
+!!)!!!!"849K8,R"`G3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"09b"3BA0
+MB@`J8&"$!!!!!!!!!!!!!!!!!!!!!!!!!)!!!!"849K8,R)!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!"5CAS!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!"849K8,R-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"38%0"Ffd
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"849K8,RN!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!"#DA0[EL"3FQ9`FQpMCA0cEh)!!!!!!!!!!!!!!!!
+!!)!!!!"B3dp'!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"B3dp'4L"
+*EA"[FR3J8&"$!!!!!!!!!!!!!!!!!!!!!!!!!!"NEf0e!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!'!!!!"bFh*M!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!'!!!!"cD'aL!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!"348BJ5@e`Eh*d)&"33`!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!"cG(9L!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"348BJ5@e
+`Eh*d)&"33`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!,Q4[B`!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!&!!!!!!"3%"!!%!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!'!!!!!!%!!!!!"3!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%"!!"YB@P
+Z!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!J"!!%!!!!"!3%"!3!"!3!!!!!!!3%!!!%"!!%!!!%!!3!
+!!!!!!!!!!!J"!!%"!!%"!!!!!3!!#3!!&deKBdp6)&4[EfaLEhJJ4%9#98FJ0MK
+,!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!$mr2cp"8&"
+-!!!"J&M!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!2cmr2`!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!'!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!d!!3!
+!!!!!&9p09d955e0I4e9659p`FQ9QDAJZD!!!!!!!!!!!!!!!!!%!!!%!!!!!!!%
+!!!!!!!!!!!!!"3%"!3!!!3%!!3!!!!!%!!!!!!!!!!!!!!!!!!!!!!%!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&pIFh4KFR3!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!3!"!!!*6@9bCf8J6h9d!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!2cmr2d&38%`!!3%
+!!!3J)#!J!j+$B!0dhhJ$!khJ!!8#!3!"!3!"!3%!!!%!!!!!!!!!!3%"!3!"!3!
+"!!%%!!!!!!!!!!!!!!F"!3!"!!!"!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&pIFh4KFR3!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!)!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!"3!$%8aTBN0bHA"dEbj38%-Z6'PL!!!!!!!!!!!!!!!
+!!!!r2cmr2cmr2`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!6mr2cm!!!!!!!!!!J!!!!)!!J!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!)!8!!"!!%!!3!
+"!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!"3R3dp%45FJ*d4"9%%R)#G35808*`!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!(!!!"!!!!,3)"!!!!!!!
+"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!!J!!!#i#!3!!!!!!!3!"!3!!!!!
+!!!!!!!!!!!%!!!!!!!!!!!F!!!-!!!![!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!
+"!!!!!!!!!!!(!!!%!!!!-!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!
+!"`!!"3!!!$%#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!!B!!!!
+b!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!!(!!!!-`)"!!!!!!!
+"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!#!!!!$3#!3!!!!!!!3!"!3!!!!!
+!!!!!!!!!!!%!!!!!!!!!!!F!!!N!!!!e!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!
+"!!!!!!!!!!!(!!!+!!!!0J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!
+!"`!!#`!!!$F#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!!`!!!!
+i!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!!0!!!!13)"!!!!!!!
+"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!$J!!!$S#!3!!!!!!!3!"!3!!!!!
+!!!!!!!!!!!%!!!!!!!!!!!F!!!m!!!!l!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!
+"!!!!!!!!!!!(!!!3!!!!2!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!
+!"`!!%3!!!$d#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!")!!!!
+q!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!!6!!!!2`)"!!!!!!!
+"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!&!!!!%!#!3!!!!!!!3!"!3!!!!!
+!!!!!!!!!!!%!!!!!!!!!!!F!!"8!!!""!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!
+"!!!!!!!!!!!(!!!@!!!!3J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!
+!"`!!&`!!!%-#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!"J!!!"
+%!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!!C!!!!43)"!!!!!!!
+"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!'J!!!%B#!3!!!!!!!3!"!3!!!!!
+!!!!!!!!!!!%!!!!!!!!!!!F!!"X!!!"(!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!
+"!!!!!!!!!!!(!!!F!!!!5!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!
+!"`!!(3!!!%N#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!"i!!!"
++!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!!I!!!!5`)"!!!!!!!
+"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!)!!!!%`#!3!!!!!!!3!"!3!!!!!
+!!!!!!!!!!!%!!!!!!!!!!!F!!#%!!!"0!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!
+"!!!!!!!!!!!(!!!L!!!!6J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!
+!"`!!)`!!!%m#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!#3!!!"
+3!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!!P!!!!83)"!!!!!!!
+"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!*J!!!&)#!3!!!!!!!3!"!3!!!!!
+!!!!!!!!!!!%!!!!!!!!!!!F!!#F!!!"6!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!
+"!!!!!!!!!!!(!!!S!!!!9!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!
+!"`!!+3!!!&8#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!#S!!!"
+@!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!!V!!!!9`)"!!!!!!!
+"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!,!!!!&J#!3!!!!!!!3!"!3!!!!!
+!!!!!!!!!!!%!!!!!!!!!!!F!!#d!!!"C!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!
+"!!!!!!!!!!!(!!!Z!!!!@J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!
+!"`!!,`!!!&X#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!$!!!!"
+F!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!!a!!!!A3)"!!!!!!!
+"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!-J!!!&i#!3!!!!!!!3!"!3!!!!!
+!!!!!!!!!!!%!!!!!!!!!!!F!!$-!!!"I!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!
+"!!!!!!!!!!!(!!!d!!!!B!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!
+!"`!!03!!!'%#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!$B!!!"
+L!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!!h!!!!B`)"!!!!!!!
+"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!1!!!!'3#!3!!!!!!!3!"!3!!!!!
+!!!!!!!!!!!%!!!!!!!!!!!F!!$N!!!"P!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!
+"!!!!!!!!!!!(!!!k!!!!CJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!
+!"`!!1`!!!'F#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!$`!!!"
+S!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!!p!!!!D3)"!!!!!!!
+"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!2J!!!'S#!3!!!!!!!3!"!3!!!!!
+!!!!!!!!!!!%!!!!!!!!!!!F!!$m!!!"V!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!
+"!!!!!!!!!!!(!!"!!!!!E!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!
+!"`!!33!!!'d#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!%)!!!"
+Z!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!"$!!!!E`)"!!!!!!!
+"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!4!!!!(!#!3!!!!!!!3!"!3!!!!!
+!!!!!!!!!!!%!!!!!!!!!!!F!!%8!!!"a!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!
+"!!!!!!!!!!!(!!"'!!!!FJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!
+!"`!!4`!!!(-#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!%J!!!"
+d!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!"*!!!!G3)"!!!!!!!
+"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!5J!!!(B#!3!!!!!!!3!"!3!!!!!
+!!!!!!!!!!!%!!!!!!!!!!!F!!%X!!!"h!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!
+"!!!!!!!!!!!(!!"-!!!!H!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!
+!"`!!63!!!(N#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!%i!!!"
+k!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!"2!!!!H`)"!!!!!!!
+"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!8!!!!(`#!3!!!!!!!3!"!3!!!!!
+!!!!!!!!!!!%!!!!!!!!!!!F!!&%!!!"p!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!
+"!!!!!!!!!!!(!!"5!!!!IJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!
+!"`!!8`!!!(m#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!&3!!!#
+!!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!"9!!!!J3)"!!!!!!!
+"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!9J!!!))#!3!!!!!!!3!"!3!!!!!
+!!!!!!!!!!!%!!!!!!!!!!!F!!&F!!!#$!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!
+"!!!!!!!!!!!(!!"B!!!!K!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!
+!"`!!@3!!!)8#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!&S!!!#
+'!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!"E!!!!K`)"!!!!!!!
+"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!A!!!!)J#!3!!!!!!!3!"!3!!!!!
+!!!!!!!!!!!%!!!!!!!!!!!F!!&d!!!#*!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!
+"!!!!!!!!!!!(!!"H!!!!LJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!
+!"`!!A`!!!)X#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!'!!!!#
+-!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!"K!!!!M3)"!!!!!!!
+"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!BJ!!!)i#!3!!!!!!!3!"!3!!!!!
+!!!!!!!!!!!%!!!!!!!!!!!F!!'-!!!#2!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!
+"!!!!!!!!!!!(!!"N!!!!N!!#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!
+!!!F!!'8!!!#4!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!"Q!!!
+!NJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!C`!!!*-#!3!!!!!
+!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!'J!!!#8!J%!!!!!!!%!!3%!!!!
+!!!!!!!!!!!!"!!!!!!!!!!!(!!"T!!!!P3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!
+!!3!!!!!!!!!!"`!!DJ!!!*B#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!
+!!!F!!'X!!!#A!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!"X!!!
+!Q!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!E3!!!*N#!3!!!!!
+!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!'i!!!#D!J%!!!!!!!%!!3%!!!!
+!!!!!!!!!!!!"!!!!!!!!!!!(!!"[!!!!Q`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!
+!!3!!!!!!!!!!"`!!F!!!!*`#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!
+!!!F!!(%!!!#G!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!"b!!!
+!RJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!F`!!!*m#!3!!!!!
+!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!(3!!!#J!J%!!!!!!!%!!3%!!!!
+!!!!!!!!!!!!"!!!!!!!!!!!(!!"e!!!!S3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!
+!!3!!!!!!!!!!"`!!GJ!!!+)#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!
+!!!F!!(F!!!#M!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!"i!!!
+!T!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!H3!!!+8#!3!!!!!
+!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!(S!!!#Q!J%!!!!!!!%!!3%!!!!
+!!!!!!!!!!!!"!!!!!!!!!!!(!!"l!!!!T`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!
+!!3!!!!!!!!!!"`!!I!!!!+J#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!
+!!!F!!(d!!!#T!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!"q!!!
+!UJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!I`!!!+X#!3!!!!!
+!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!)!!!!#X!J%!!!!!!!%!!3%!!!!
+!!!!!!!!!!!!"!!!!!!!!!!!(!!#"!!!!V3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!
+!!3!!!!!!!!!!"`!!JJ!!!+i#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!
+!!!F!!)-!!!#[!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!#%!!!
+!X!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!K3!!!,%#!3!!!!!
+!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!)B!!!#b!J%!!!!!!!%!!3%!!!!
+!!!!!!!!!!!!"!!!!!!!!!!!(!!#(!!!!X`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!
+!!3!!!!!!!!!!"`!!L!!!!,3#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!
+!!!F!!)N!!!#e!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!#+!!!
+!YJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!L`!!!,F#!3!!!!!
+!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!)`!!!#i!J%!!!!!!!%!!3%!!!!
+!!!!!!!!!!!!"!!!!!!!!!!!(!!#0!!!!Z3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!
+!!3!!!!!!!!!!"`!!MJ!!!,S#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!
+!!!F!!)m!!!#l!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!#3!!!
+!!,`#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!*%!!!#p!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!#5!!!![J)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!!N`!!!,m#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!*3!!!$!!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!#9!!!!`3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!PJ!
+!!-)#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!*F!!!$$!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!#B!!!!a!)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!!Q3!!!-8#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!*S!!!$'!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!#E!!!!a`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!R!!
+!!-J#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!*d!!!$*!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!#H!!!!bJ)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!!R`!!!-X#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!+!!!!$-!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!#K!!!!c3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!SJ!
+!!-i#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!+-!!!$2!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!#N!!!!d!)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!!T3!!!0%#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!+B!!!$5!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!#R!!!!d`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!U!!
+!!03#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!+N!!!$9!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!#U!!!!eJ)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!!U`!!!0F#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!+`!!!$B!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!#Y!!!!f3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!VJ!
+!!0S#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!+m!!!$E!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!#`!!!!h!)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!!X3!!!0d#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!,)!!!$H!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!#c!!!!h`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!Y!!
+!!1!#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!,8!!!$K!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!#f!!!!iJ)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!!Y`!!!1-#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!,J!!!$N!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!#j!!!!j3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!ZJ!
+!!1B#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!,X!!!$R!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!#m!!!!k!)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!![3!!!1N#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!,i!!!$U!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!#r!!!!k`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!`!!
+!!1`#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!-%!!!$Y!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!$#!!!!lJ)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!!``!!!1m#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!-3!!!$`!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!$&!!!!m3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!aJ!
+!!2)#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!-F!!!$c!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!$)!!!!p!)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!!b3!!!28#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!-S!!!$f!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!$,!!!!p`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!c!!
+!!2J#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!-d!!!$j!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!$1!!!!qJ)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!!c`!!!2X#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!0!!!!$m!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!$4!!!!r3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!dJ!
+!!2i#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!0-!!!$r!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!$8!!!"!!)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!!e3!!!3%#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!0B!!!%#!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!$A!!!"!`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!f!!
+!!33#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!0N!!!%&!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!$D!!!""J)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!!f`!!!3F#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!0`!!!%)!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!$G!!!"#3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!hJ!
+!!3S#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!0m!!!%,!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!$J!!!"$!)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!!i3!!!3d#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!1)!!!%1!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!$M!!!"$`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!j!!
+!!4!#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!18!!!%4!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!$Q!!!"%J)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!!j`!!!4-#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!1J!!!%8!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!$T!!!"&3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!kJ!
+!!4B#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!1X!!!%A!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!$X!!!"'!)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!!l3!!!4N#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!1i!!!%D!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!$[!!!"'`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!m!!
+!!4`#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!2%!!!%G!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!$b!!!"(J)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!!m`!!!4m#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!23!!!%J!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!$e!!!")3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!pJ!
+!!5)#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!2F!!!%M!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!$i!!!"*!)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!!q3!!!58#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!2S!!!%Q!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!$l!!!"*`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!!r!!
+!!5J#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!2d!!!%T!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!$q!!!"+J)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!!r`!!!5X#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!3!!!!%X!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!%"!!!",3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!"!J!
+!!5i#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!3-!!!%[!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!%%!!!"-!)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!""3!!!6%#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!3B!!!%b!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!%(!!!"-`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!"#!!
+!!63#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!3N!!!%e!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!%+!!!"0J)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!"#`!!!6F#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!3`!!!%i!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!%0!!!"13)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!"$J!
+!!6S#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!3m!!!%l!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!%3!!!"2!)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!"%3!!!6d#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!4)!!!%q!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!%6!!!"2`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!"&!!
+!!8!#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!48!!!&"!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!%@!!!"3J)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!"&`!!!8-#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!4J!!!&%!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!%C!!!"43)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!"'J!
+!!8B#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!4X!!!&(!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!%F!!!"5!)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!"(3!!!8N#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!4i!!!&+!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!%I!!!"5`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!")!!
+!!8`#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!5%!!!&0!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!%L!!!"6J)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!")`!!!8m#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!53!!!&3!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!%P!!!"83)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!"*J!
+!!9)#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!5F!!!&6!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!%S!!!"9!)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!"+3!!!98#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!5S!!!&@!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!%V!!!"9`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!",!!
+!!9J#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!5d!!!&C!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!%Z!!!"@J)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!",`!!!9X#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!6!!!!&F!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!%a!!!"A3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!"-J!
+!!9i#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!6-!!!&I!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!%d!!!"B!)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!"03!!!@%#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!6B!!!&L!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!%h!!!"B`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!"1!!
+!!@3#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!6N!!!&P!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!%k!!!"CJ)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!"1`!!!@F#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!6`!!!&S!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!%p!!!"D3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!"2J!
+!!@S#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!6m!!!&V!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!&!!!!"E!)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!"33!!!@d#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!8)!!!&Z!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!&$!!!"E`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!"4!!
+!!A!#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!88!!!&a!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!&'!!!"FJ)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!"4`!!!A-#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!8J!!!&d!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!&*!!!"G3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!"5J!
+!!AB#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!8X!!!&h!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!&-!!!"H!)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!"63!!!AN#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!8i!!!&k!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!&2!!!"H`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!"8!!
+!!A`#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!9%!!!&p!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!&5!!!"IJ)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!"8`!!!B!#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!93!!!'"!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!&9!!!"JJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!"9J!
+!!B-#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!9F!!!'%!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!&B!!!"K3)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!"@3!!!BB#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!9S!!!'(!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!&E!!!"L!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!"A!!
+!!BN#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!9d!!!'+!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!&H!!!"L`)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!"`!"A`!!!B`#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!F!!@!!!!'0!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!(!!&K!!!"MJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!"BJ!
+!!Bm#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!@-!!!'3!!)"!!!
+!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!"C!!!!C%#!3!!!!!!!3!"!3!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!@8!!!'5!J%!!!!!!!%!!3%!!!!!!!!!!!!
+!!!!"!!!!!!!!!!!(!!&Q!!!"N`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!
+!!!!!"`!"C`!!!C3#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!@J
+!!!'9!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!&T!!!"PJ)"!!!
+!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!"DJ!!!CF#!3!!!!!!!3!"!3!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!@X!!!'B!J%!!!!!!!%!!3%!!!!!!!!!!!!
+!!!!"!!!!!!!!!!!(!!&X!!!"Q3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!
+!!!!!"`!"E3!!!CS#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!@i
+!!!'E!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!&[!!!"R!)"!!!
+!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!"`!"F!!!!Cd#!3!!!!!!!3!"!3!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!A%!!!'H!J%!!!!!!!%!!3%!!!!!!!!!!!!
+!!!!"!!!!!!!!!!!(!!&b!!!"R`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!
+!!!!!"`!"F`!!!D3#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!F!!A3
+!!!'Q!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!(!!&e!!!"T`)"!!!
+!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!3!!!!)
+!!!!$!!!!"!!!!!8!!!!'!!!!"`!!!!J!!!!*!!!!#J!!!!X!!!!-!!!!$3!!!!i
+!!!!2!!!!%!!!!"%!!!!5!!!!%`!!!"3!!!!9!!!!&J!!!"F!!!!B!!!!'3!!!"S
+!!!!E!!!!(!!!!"d!!!!H!!!!(`!!!#!!!!!K!!!!)J!!!#-!!!!N!!!!*3!!!#B
+!!!!R!!!!+!!!!#N!!!!U!!!!+`!!!#`!!!!Y!!!!,J!!!#m!!!!`!!!!-3!!!$)
+!!!!c!!!!0!!!!$8!!!!f!!!!0`!!!$J!!!!j!!!!1J!!!$X!!!!m!!!!23!!!$i
+!!!!r!!!!3!!!!%%!!!"#!!!!3`!!!%3!!!"&!!!!4J!!!%F!!!")!!!!53!!!%S
+!!!",!!!!6!!!!%d!!!"1!!!!6`!!!&!!!!"4!!!!8J!!!&-!!!"8!!!!93!!!&B
+!!!"A!!!!@!!!!&N!!!"D!!!!@`!!!&`!!!"G!!!!AJ!!!&m!!!"J!!!!B3!!!')
+!!!"M!!!!C!!!!'8!!!"Q!!!!C`!!!'J!!!"T!!!!DJ!!!'X!!!"X!!!!E3!!!'i
+!!!"[!!!!F!!!!(%!!!"b!!!!F`!!!(3!!!"e!!!!GJ!!!(F!!!"i!!!!H3!!!(S
+!!!"l!!!!I!!!!(d!!!"q!!!!I`!!!)!!!!#"!!!!JJ!!!)-!!!#%!!!!K3!!!)B
+!!!#(!!!!L!!!!)N!!!#+!!!!L`!!!)`!!!#0!!!!MJ!!!)m!!!#3!!!!!*%!!!#
+5!!!!N`!!!*3!!!#9!!!!PJ!!!*F!!!#B!!!!Q3!!!*S!!!#E!!!!R!!!!*d!!!#
+H!!!!R`!!!+!!!!#K!!!!SJ!!!+-!!!#N!!!!T3!!!+B!!!#R!!!!U!!!!+N!!!#
+U!!!!U`!!!+`!!!#Y!!!!VJ!!!+m!!!#`!!!!X3!!!,)!!!#c!!!!Y!!!!,8!!!#
+f!!!!Y`!!!,J!!!#j!!!!ZJ!!!,X!!!#m!!!![3!!!,i!!!#r!!!!`!!!!-%!!!$
+#!!!!``!!!-3!!!$&!!!!aJ!!!-F!!!$)!!!!b3!!!-S!!!$,!!!!c!!!!-d!!!$
+1!!!!c`!!!0!!!!$4!!!!dJ!!!0-!!!$8!!!!e3!!!0B!!!$A!!!!f!!!!0N!!!$
+D!!!!f`!!!0`!!!$G!!!!hJ!!!0m!!!$J!!!!i3!!!1)!!!$M!!!!j!!!!18!!!$
+Q!!!!j`!!!1J!!!$T!!!!kJ!!!1X!!!$X!!!!l3!!!1i!!!$[!!!!m!!!!2%!!!$
+b!!!!m`!!!23!!!$e!!!!pJ!!!2F!!!$i!!!!q3!!!2S!!!$l!!!!r!!!!2d!!!$
+q!!!!r`!!!3!!!!%"!!!"!J!!!3-!!!%%!!!""3!!!3B!!!%(!!!"#!!!!3N!!!%
++!!!"#`!!!3`!!!%0!!!"$J!!!3m!!!%3!!!"%3!!!4)!!!%6!!!"&!!!!48!!!%
+@!!!"&`!!!4J!!!%C!!!"'J!!!4X!!!%F!!!"(3!!!4i!!!%I!!!")!!!!5%!!!%
+L!!!")`!!!53!!!%P!!!"*J!!!5F!!!%S!!!"+3!!!5S!!!%V!!!",!!!!5d!!!%
+Z!!!",`!!!6!!!!%a!!!"-J!!!6-!!!%d!!!"03!!!6B!!!%h!!!"1!!!!6N!!!%
+k!!!"1`!!!6`!!!%p!!!"2J!!!6m!!!&!!!!"33!!!8)!!!&$!!!"4!!!!88!!!&
+'!!!"4`!!!8J!!!&*!!!"5J!!!8X!!!&-!!!"63!!!8i!!!&2!!!"8!!!!9%!!!&
+5!!!"8`!!!93!!!&9!!!"9J!!!9F!!!&B!!!"@3!!!9S!!!&E!!!"A!!!!9d!!!&
+H!!!"A`!!!@!!!!&K!!!"BJ!!!@-!!!&N!!!"C3!!!@B!!!&R!!!"D!!!!@N!!!&
+U!!!"D`!!!@`!!!&Y!!!"EJ!!!@m!!!&`!!!"F3!!!A)!!!&c!!!"G!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"G3!!!B!(!!!
+!"`!"G3F!!!%(!!!#"`!!!`F!!!3(!!!&"`!!"JF!!!F(!!!)"`!!#3F!!!S(!!!
+,"`!!$!F!!!d(!!!1"`!!$`F!!"!(!!!4"`!!%JF!!"-(!!!8"`!!&3F!!"B(!!!
+A"`!!'!F!!"N(!!!D"`!!'`F!!"`(!!!G"`!!(JF!!"m(!!!J"`!!)3F!!#)(!!!
+M"`!!*!F!!#8(!!!Q"`!!*`F!!#J(!!!T"`!!+JF!!#X(!!!X"`!!,3F!!#i(!!!
+["`!!-!F!!$%(!!!b"`!!-`F!!$3(!!!e"`!!0JF!!$F(!!!i"`!!13F!!$S(!!!
+l"`!!2!F!!$d(!!!q"`!!2`F!!%!(!!"""`!!3JF!!%-(!!"%"`!!43F!!%B(!!"
+("`!!5!F!!%N(!!"+"`!!5`F!!%`(!!"0"`!!6JF!!%m(!!"3"`!!83F!!&)(!!"
+6"`!!9!F!!&8(!!"@"`!!9`F!!&J(!!"C"`!!@JF!!&X(!!"F"`!"G!F!!&d(!!"
+H"`!!A`F!!'!(!!"K"`!!BJF!!'-(!!"N"`!!C3F!!'B(!!"R"`!!D!F!!'N(!!"
+U"`!!D`F!!'`(!!"Y"`!!EJF!!'m(!!"`"`!!F3F!!()(!!"c"`!!G!F!!(8(!!"
+f"`!!G`F!!(J(!!"j"`!!HJF!!(X(!!"m"`!!I3F!!(i(!!"r"`!!J!F!!)%(!!#
+#"`!!J`F!!)3(!!#&"`!!KJF!!)F(!!#)"`!!L3F!!)S(!!#,"`!!M!F!!)d(!!#
+1"`!!M`F!!*!!"`!!N3F!!*)(!!#6"`!!P!F!!*8(!!#@"`!!P`F!!*J(!!#C"`!
+!QJF!!*X(!!#F"`!!R3F!!*i(!!#I"`!!S!F!!+%(!!#L"`!!S`F!!+3(!!#P"`!
+!TJF!!+F(!!#S"`!!U3F!!+S(!!#V"`!!V!F!!+d(!!#Z"`!!V`F!!,!(!!#a"`!
+!XJF!!,-(!!#d"`!!Y3F!!,B(!!#h"`!!Z!F!!,N(!!#k"`!!Z`F!!,`(!!#p"`!
+![JF!!,m(!!$!"`!!`3F!!-)(!!$$"`!!a!F!!-8(!!$'"`!!a`F!!-J(!!$*"`!
+!bJF!!-X(!!$-"`!!c3F!!-i(!!$2"`!!d!F!!0%(!!$5"`!!d`F!!03(!!$9"`!
+!eJF!!0F(!!$B"`!!f3F!!0S(!!$E"`!!h!F!!0d(!!$H"`!!h`F!!1!(!!$K"`!
+!iJF!!1-(!!$N"`!!j3F!!1B(!!$R"`!!k!F!!1N(!!$U"`!!k`F!!1`(!!$Y"`!
+!lJF!!1m(!!$`"`!!m3F!!2)(!!$c"`!!p!F!!28(!!$f"`!!p`F!!2J(!!$j"`!
+!qJF!!2X(!!$m"`!!r3F!!2i(!!$r"`!"!!F!!3%(!!%#"`!"!`F!!33(!!%&"`!
+""JF!!3F(!!%)"`!"#3F!!A8(!!%+"`!"#`F!!3`(!!%0"`!"$JF!!3m(!!%3"`!
+"%3F!!4)(!!%6"`!"&!F!!48(!!%@"`!"&`F!!4J(!!%C"`!"'JF!!4X(!!%F"`!
+"(3F!!4i(!!%I"`!")!F!!5%(!!%L"`!")`F!!53(!!%P"`!"*JF!!5F(!!%S"`!
+"+3F!!5S(!!%V"`!",!F!!5d(!!%Z"`!",`F!!6!(!!%a"`!"-JF!!6-(!!%d"`!
+"03F!!6B(!!%h"`!"1!F!!6N(!!%k"`!"1`F!!6`(!!%p"`!"2JF!!6m(!!&!"`!
+"33F!!8)(!!&$"`!"4!F!!88(!!&'"`!"4`F!!8J(!!&*"`!"5JF!!8X(!!&-"`!
+"63F!!8i(!!&2"`!"8!F!!9%(!!&5"`!"8`F!!93(!!&9"`!"9JF!!9F(!!&B"`!
+"@3F!!9S(!!&E"`!"A!F!!9d(!!&H"`!"A`F!!@!(!!&K"`!"BJF!!@-(!!&N"`!
+"C3F!!@B(!!&R"`!"D!F!!@N(!!&U"`!"D`F!!@`(!!&Y"`!"EJF!!@m(!!&`"`!
+"F3F!!A)(!!&c!!!"U!!"!#J!!!!J!j(*N!!r2`!!!!!!!!!!!!!$NFQ3!!!#!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!X)qi!!!!!!!!!%!!X*(m!!#!!!
+!!!!!!!!!!!,#0S!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!#!!!
+"!!!!!!8!!(rr!!!!!(rr!!!!!(rr!!!!!(rr!!!!$!!"!!)!"J!!!!9!!!!)!!%
+!!6S!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"!!!!rrr
+rr`!!!!-!!3!"1MS!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!%!!!$rrrrr!!!!"!!"!!%k1QPZBfaeC'8k!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!2rrrrp!!!!#!!%!!6S!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!rrrrrd!!!!-!!3!"1MSk4e9656TTEQ0XG@4
+P1J!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!$rrrrr3!!!"!!"!!%k1MT(990
+*1QaTBMS!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!2rrrrp!!!!&!!)
+!!6T0B@028b"6GA"`Eh*d1J!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"!!!!rrr
+rrd!!!!B!!J!"1Ne66$S!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!%!!!$rrrrr3!!!"`!+!!"0B@028b!f1%XJ6'PZDf9b!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!"-D@*$FRP`G'mJ0MK,!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%!!6S!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!)!!8eKBdp6)$Bi5b"
+-D@jVCA)!!!!!!!!!!!!!!!!!!!!!!#""8&"-!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!'!!!!"
+"F("X!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!'!!!!"068a#!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!"-D@)J5@e`Eh*d)$Bi5`!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+08%a'!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"-D@)J5@e`Eh*d)$B
+i5`!!!!!!!!!!!!!!!!!!!!!!!!!!!!"09d0%!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!'!!!!"
+23NSJ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"08&FJ5@e`Eh*d)$B
+i5`!!!!!!!!!!!!!!!!!!!!!!!!!!!!"36'pL!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!'!!!!"
+58e*$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!'!!!!"849K8,Q*S!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!"#B@aXEfpZ)%KPE(!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+849K8,Q-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"09b"$,d-V+b!f1%X
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"849K8,Q-V+`!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!"09b"$,d-V+b!f1%X!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+849K8,Q0M!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"09b"$,d-V+b!f1%X
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"849K8,Q0`!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!"09b"$,d-V+b!f1%X!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+849K8,Q0`F!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"09b"$,d-V+b!f1%X
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"849K8,Q9iF!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+849K8,QGM!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"(B@eP3fpNC5"$Efj
+fCA*dCA)!!!!!!!!!!!!!!!!!!%!!!!"849K8,QJ!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!"09b"$,d-V+b!f1%X!!!!!!!!!!!!!!!!!!!!!!!!!!"!!!!"
+849K8,Q`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"'E'9i)&"bCA"bEf0
+PFh0[FJ!!!!!!!!!!!!!!!!!!!)!!!!"849K8,R!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!"09b"3BA0MB@`J0MK,!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+849K8,R"KF`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"09b"3BA0MB@`J0MK
+,!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"849K8,R"MD!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!"09b"$,d-V+b!f1%X!!!!!!!!!!!!!!!!!!!!!!!!!!)!!!!"
+849K8,R"MD#XV!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"09b"$,d-V+b!f1%X
+!!!!!!!!!!!!!!!!!!!!!!!!!!)!!!!"849K8,R"`G3!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!"09b"3BA0MB@`J0MK,!!!!!!!!!!!!!!!!!!!!!!!!!)!!!!"
+849K8,R)!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"5CAS!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"849K8,R0PC`!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+849K8,RN!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"#DA0[EL"3FQ9`FQp
+MCA0cEh)!!!!!!!!!!!!!!!!!!)!!!!"NEf0e!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!'!!!!"
+bFh*M!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!'!!!!"cD'aL!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!"348BJ5@e`Eh*d)$Bi5`!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+cG(9L!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"348BJ5@e`Eh*d)$B
+i5`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!,Q4[B`!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&!!!!!
+!!!!!,R*cFQ-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!'!!!!!!"3%"!!%!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+'!!!!!!%!!!!!"3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!%"!!"YB@PZ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!J"!!%!!!!"!3%!!!%"!3!
+!!!!!!3%!!!%"!!%!!!%%!!!!!!!!!!!!!!J"!!%"!!%"!!!!!3!!#3!$'daTBN0
+bHA"dEbif1'XJ4Q%S0'PI1'3T,NaTBJ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!$mr2cmr2cmr!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!2cmr2`!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!d!!3!!!!!!&9p09d955e0I4e9659p`FQ9QDAJZD!!!!!!
+!!!!!!!!!!!%!!!!!!!!!!!%!!!!!!!!!!!!!"3%"!3!!!3%!!3!!!!!%!!!!!!!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&p
+IFh4KFR3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!3!"!!!*6@9bCf8J6h9
+d!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!2cmr2d&38%`!!3%!!!3J)#!J!j+$B!0dhhJ$!khJ!!8#!3!"!3!"!3%
+!!!%!!!!!!!!!!3%"!3!"!3!"!!%%!!!!!!!!!!!!!!F"!3!"!!!"!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!&pIFh4KFR3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!)!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"3!!"dp`C@j68d`!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!r2cmr39"36!!!"!!!!!3!!!!!3!!!@-!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!6m
+r2cm!!!!!!!!!!J!!!!)!!J!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!)!8!!"!!%!!3!"!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"3R3dp%45FJ*d4"9%%
+R)#G35808*`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!)!!!"!!!!,3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!!J!
+!!#i#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!!-!!!![!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!!%!!!!-!)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!#!!!"3!!!$%#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!J!!!B!!!!b!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!)!!!(!!!!-`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!#!!
+!!$3#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!!N!!!!e!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!!+!!!!0J)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!#!!!#`!!!$F#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!J!!!`!!!!i!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!)!!!0!!!!13)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!$J!
+!!$S#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!!m!!!!l!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!!3!!!!2!)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!#!!!%3!!!$d#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!J!!")!!!!q!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!)!!!6!!!!2`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!&!!
+!!%!#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!"8!!!""!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!!@!!!!3J)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!#!!!&`!!!%-#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!J!!"J!!!"%!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!)!!!C!!!!43)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!'J!
+!!%B#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!"X!!!"(!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!!F!!!!5!)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!#!!!(3!!!%N#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!J!!"i!!!"+!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!)!!!I!!!!5`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!)!!
+!!%`#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!#%!!!"0!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!!L!!!!6J)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!#!!!)`!!!%m#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!J!!#3!!!"3!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!)!!!P!!!!83)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!*J!
+!!&)#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!#F!!!"6!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!!S!!!!9!)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!#!!!+3!!!&8#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!J!!#S!!!"@!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!)!!!V!!!!9`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!,!!
+!!&J#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!#d!!!"C!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!!Z!!!!@J)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!#!!!,`!!!&X#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!J!!$!!!!"F!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!)!!!a!!!!A3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!-J!
+!!&i#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!$-!!!"I!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!!d!!!!B!)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!#!!!03!!!'%#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!J!!$B!!!"L!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!)!!!h!!!!B`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!1!!
+!!'3#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!$N!!!"P!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!!k!!!!CJ)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!#!!!1`!!!'F#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!J!!$`!!!"S!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!)!!!p!!!!D3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!2J!
+!!'S#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!$m!!!"V!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!"!!!!!E!)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!#!!!33!!!'d#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!J!!%)!!!"Z!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!)!!"$!!!!E`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!4!!
+!!(!#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!%8!!!"a!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!"'!!!!FJ)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!#!!!4`!!!(-#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!J!!%J!!!"d!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!)!!"*!!!!G3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!5J!
+!!(B#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!%X!!!"h!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!"-!!!!H!)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!#!!!63!!!(N#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!J!!%i!!!"k!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!)!!"2!!!!H`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!8!!
+!!(`#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!&%!!!"p!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!"5!!!!IJ)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!#!!!8`!!!(m#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!J!!&3!!!#!!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!)!!"9!!!!J3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!9J!
+!!))#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!&F!!!#$!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!"B!!!!K!)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!#!!!@3!!!)8#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!J!!&S!!!#'!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!)!!"E!!!!K`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!A!!
+!!)J#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!&d!!!#*!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!"H!!!!LJ)"!!!!!!!"!!%"!!!
+!!!!!!!!!!!!!!3!!!!!!!!!!#!!!A`!!!)X#!3!!!!!!!3!"!3!!!!!!!!!!!!!
+!!!%!!!!!!!!!!!J!!'!!!!#-!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!
+!!!!)!!"K!!!!M3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!BJ!
+!!)i#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!'-!!!#2!J%!!!!
+!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!"N!!!!N!!#!3!!!!!!!3!"!3!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!'8!!!#4!J%!!!!!!!%!!3%!!!!!!!!!!!!
+!!!!"!!!!!!!!!!!)!!"Q!!!!NJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!
+!!!!!#!!!C`!!!*-#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!'J
+!!!#8!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!"T!!!!P3)"!!!
+!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!DJ!!!*B#!3!!!!!!!3!"!3!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!'X!!!#A!J%!!!!!!!%!!3%!!!!!!!!!!!!
+!!!!"!!!!!!!!!!!)!!"X!!!!Q!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!
+!!!!!#!!!E3!!!*N#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!'i
+!!!#D!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!"[!!!!Q`)"!!!
+!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!F!!!!*`#!3!!!!!!!3!"!3!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!(%!!!#G!J%!!!!!!!%!!3%!!!!!!!!!!!!
+!!!!"!!!!!!!!!!!)!!"b!!!!RJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!
+!!!!!#!!!F`!!!*m#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!(3
+!!!#J!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!"e!!!!S3)"!!!
+!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!GJ!!!+)#!3!!!!!!!3!"!3!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!(F!!!#M!J%!!!!!!!%!!3%!!!!!!!!!!!!
+!!!!"!!!!!!!!!!!)!!"i!!!!T!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!
+!!!!!#!!!H3!!!+8#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!(S
+!!!#Q!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!"l!!!!T`)"!!!
+!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!I!!!!+J#!3!!!!!!!3!"!3!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!(d!!!#T!J%!!!!!!!%!!3%!!!!!!!!!!!!
+!!!!"!!!!!!!!!!!)!!"q!!!!UJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!
+!!!!!#!!!I`!!!+X#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!)!
+!!!#X!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!#"!!!!V3)"!!!
+!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!JJ!!!+i#!3!!!!!!!3!"!3!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!)-!!!#[!J%!!!!!!!%!!3%!!!!!!!!!!!!
+!!!!"!!!!!!!!!!!)!!#%!!!!X!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!
+!!!!!#!!!K3!!!,%#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!)B
+!!!#b!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!#(!!!!X`)"!!!
+!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!L!!!!,3#!3!!!!!!!3!"!3!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!)N!!!#e!J%!!!!!!!%!!3%!!!!!!!!!!!!
+!!!!"!!!!!!!!!!!)!!#+!!!!YJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!
+!!!!!#!!!L`!!!,F#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!)`
+!!!#i!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!#0!!!!Z3)"!!!
+!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!MJ!!!,S#!3!!!!!!!3!"!3!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!)m!!!#l!J%!!!!!!!%!!3%!!!!!!!!!!!!
+!!!!"!!!!!!!!!!!)!!#3!!!!!,`#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!*%!!!#p!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!#
+5!!!![J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!N`!!!,m#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!*3!!!$!!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!#9!!!!`3)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!!PJ!!!-)#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!*F!!!$$!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!#
+B!!!!a!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!Q3!!!-8#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!*S!!!$'!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!#E!!!!a`)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!!R!!!!-J#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!*d!!!$*!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!#
+H!!!!bJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!R`!!!-X#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!+!!!!$-!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!#K!!!!c3)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!!SJ!!!-i#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!+-!!!$2!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!#
+N!!!!d!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!T3!!!0%#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!+B!!!$5!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!#R!!!!d`)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!!U!!!!03#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!+N!!!$9!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!#
+U!!!!eJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!U`!!!0F#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!+`!!!$B!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!#Y!!!!f3)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!!VJ!!!0S#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!+m!!!$E!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!#
+`!!!!h!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!X3!!!0d#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!,)!!!$H!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!#c!!!!h`)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!!Y!!!!1!#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!,8!!!$K!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!#
+f!!!!iJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!Y`!!!1-#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!,J!!!$N!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!#j!!!!j3)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!!ZJ!!!1B#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!,X!!!$R!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!#
+m!!!!k!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!![3!!!1N#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!,i!!!$U!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!#r!!!!k`)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!!`!!!!1`#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!-%!!!$Y!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!$
+#!!!!lJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!``!!!1m#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!-3!!!$`!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!$&!!!!m3)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!!aJ!!!2)#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!-F!!!$c!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!$
+)!!!!p!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!b3!!!28#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!-S!!!$f!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!$,!!!!p`)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!!c!!!!2J#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!-d!!!$j!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!$
+1!!!!qJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!c`!!!2X#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!0!!!!$m!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!$4!!!!r3)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!!dJ!!!2i#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!0-!!!$r!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!$
+8!!!"!!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!e3!!!3%#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!0B!!!%#!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!$A!!!"!`)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!!f!!!!33#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!0N!!!%&!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!$
+D!!!""J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!f`!!!3F#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!0`!!!%)!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!$G!!!"#3)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!!hJ!!!3S#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!0m!!!%,!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!$
+J!!!"$!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!i3!!!3d#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!1)!!!%1!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!$M!!!"$`)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!!j!!!!4!#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!18!!!%4!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!$
+Q!!!"%J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!j`!!!4-#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!1J!!!%8!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!$T!!!"&3)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!!kJ!!!4B#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!1X!!!%A!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!$
+X!!!"'!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!l3!!!4N#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!1i!!!%D!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!$[!!!"'`)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!!m!!!!4`#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!2%!!!%G!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!$
+b!!!"(J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!m`!!!4m#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!23!!!%J!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!$e!!!")3)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!!pJ!!!5)#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!2F!!!%M!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!$
+i!!!"*!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!q3!!!58#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!2S!!!%Q!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!$l!!!"*`)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!!r!!!!5J#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!2d!!!%T!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!$
+q!!!"+J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!!r`!!!5X#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!3!!!!%X!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!%"!!!",3)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!"!J!!!5i#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!3-!!!%[!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!%
+%!!!"-!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!""3!!!6%#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!3B!!!%b!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!%(!!!"-`)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!"#!!!!63#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!3N!!!%e!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!%
++!!!"0J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!"#`!!!6F#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!3`!!!%i!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!%0!!!"13)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!"$J!!!6S#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!3m!!!%l!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!%
+3!!!"2!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!"%3!!!6d#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!4)!!!%q!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!%6!!!"2`)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!"&!!!!8!#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!48!!!&"!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!%
+@!!!"3J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!"&`!!!8-#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!4J!!!&%!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!%C!!!"43)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!"'J!!!8B#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!4X!!!&(!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!%
+F!!!"5!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!"(3!!!8N#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!4i!!!&+!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!%I!!!"5`)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!")!!!!8`#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!5%!!!&0!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!%
+L!!!"6J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!")`!!!8m#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!53!!!&3!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!%P!!!"83)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!"*J!!!9)#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!5F!!!&6!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!%
+S!!!"9!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!"+3!!!98#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!5S!!!&@!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!%V!!!"9`)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!",!!!!9J#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!5d!!!&C!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!%
+Z!!!"@J)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!",`!!!9X#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!6!!!!&F!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!%a!!!"A3)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!"-J!!!9i#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!6-!!!&I!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!%
+d!!!"B!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!"03!!!@%#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!6B!!!&L!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!%h!!!"B`)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!"1!!!!@3#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!6N!!!&P!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!%
+k!!!"CJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!"1`!!!@F#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!6`!!!&S!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!%p!!!"D3)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!"2J!!!@S#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!6m!!!&V!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!&
+!!!!"E!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!"33!!!@d#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!8)!!!&Z!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!&$!!!"E`)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!"4!!!!A!#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!88!!!&a!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!&
+'!!!"FJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!"4`!!!A-#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!8J!!!&d!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!&*!!!"G3)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!"5J!!!AB#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!8X!!!&h!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!&
+-!!!"H!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!"63!!!AN#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!8i!!!&k!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!&2!!!"H`)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!"8!!!!A`#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!9%!!!&p!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!&
+5!!!"IJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!"8`!!!B!#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!93!!!'"!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!&9!!!"JJ)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!"9J!!!B-#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!9F!!!'%!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!&
+B!!!"K3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!"@3!!!BB#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!9S!!!'(!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!&E!!!"L!)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!"A!!!!BN#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!9d!!!'+!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!&
+H!!!"L`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!"A`!!!B`#!3!
+!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!@!!!!'0!J%!!!!!!!%!!3%
+!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!&K!!!"MJ)"!!!!!!!"!!%"!!!!!!!!!!!
+!!!!!!3!!!!!!!!!!#!!"BJ!!!Bm#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!
+!!!!!!!J!!@-!!!'3!!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!
+"C!!!!C%#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!@8!!!'5!J%
+!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!&Q!!!"N`)"!!!!!!!"!!%
+"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!"C`!!!C3#!3!!!!!!!3!"!3!!!!!!!!!
+!!!!!!!%!!!!!!!!!!!J!!@J!!!'9!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!
+!!!!!!!!)!!&T!!!"PJ)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!
+"DJ!!!CF#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!@X!!!'B!J%
+!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!&X!!!"Q3)"!!!!!!!"!!%
+"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!"E3!!!CS#!3!!!!!!!3!"!3!!!!!!!!!
+!!!!!!!%!!!!!!!!!!!J!!@i!!!'E!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!
+!!!!!!!!)!!&[!!!"R!)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!
+"F!!!!Cd#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!J!!A%!!!'H!J%
+!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!)!!&b!!!"R`)"!!!!!!!"!!%
+"!!!!!!!!!!!!!!!!!3!!!!!!!!!!#!!"F`!!!D3#!3!!!!!!!3!"!3!!!!!!!!!
+!!!!!!!%!!!!!!!!!!!J!!A3!!!'Q!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!
+!!!!!!!!)!!&e!!!"T`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!3!!!!)!!!!$!!!!"!!!!!8!!!!'!!!!"`!!!!J!!!!*!!!
+!#J!!!!X!!!!-!!!!$3!!!!i!!!!2!!!!%!!!!"%!!!!5!!!!%`!!!"3!!!!9!!!
+!&J!!!"F!!!!B!!!!'3!!!"S!!!!E!!!!(!!!!"d!!!!H!!!!(`!!!#!!!!!K!!!
+!)J!!!#-!!!!N!!!!*3!!!#B!!!!R!!!!+!!!!#N!!!!U!!!!+`!!!#`!!!!Y!!!
+!,J!!!#m!!!!`!!!!-3!!!$)!!!!c!!!!0!!!!$8!!!!f!!!!0`!!!$J!!!!j!!!
+!1J!!!$X!!!!m!!!!23!!!$i!!!!r!!!!3!!!!%%!!!"#!!!!3`!!!%3!!!"&!!!
+!4J!!!%F!!!")!!!!53!!!%S!!!",!!!!6!!!!%d!!!"1!!!!6`!!!&!!!!"4!!!
+!8J!!!&-!!!"8!!!!93!!!&B!!!"A!!!!@!!!!&N!!!"D!!!!@`!!!&`!!!"G!!!
+!AJ!!!&m!!!"J!!!!B3!!!')!!!"M!!!!C!!!!'8!!!"Q!!!!C`!!!'J!!!"T!!!
+!DJ!!!'X!!!"X!!!!E3!!!'i!!!"[!!!!F!!!!(%!!!"b!!!!F`!!!(3!!!"e!!!
+!GJ!!!(F!!!"i!!!!H3!!!(S!!!"l!!!!I!!!!(d!!!"q!!!!I`!!!)!!!!#"!!!
+!JJ!!!)-!!!#%!!!!K3!!!)B!!!#(!!!!L!!!!)N!!!#+!!!!L`!!!)`!!!#0!!!
+!MJ!!!)m!!!#3!!!!!*%!!!#5!!!!N`!!!*3!!!#9!!!!PJ!!!*F!!!#B!!!!Q3!
+!!*S!!!#E!!!!R!!!!*d!!!#H!!!!R`!!!+!!!!#K!!!!SJ!!!+-!!!#N!!!!T3!
+!!+B!!!#R!!!!U!!!!+N!!!#U!!!!U`!!!+`!!!#Y!!!!VJ!!!+m!!!#`!!!!X3!
+!!,)!!!#c!!!!Y!!!!,8!!!#f!!!!Y`!!!,J!!!#j!!!!ZJ!!!,X!!!#m!!!![3!
+!!,i!!!#r!!!!`!!!!-%!!!$#!!!!``!!!-3!!!$&!!!!aJ!!!-F!!!$)!!!!b3!
+!!-S!!!$,!!!!c!!!!-d!!!$1!!!!c`!!!0!!!!$4!!!!dJ!!!0-!!!$8!!!!e3!
+!!0B!!!$A!!!!f!!!!0N!!!$D!!!!f`!!!0`!!!$G!!!!hJ!!!0m!!!$J!!!!i3!
+!!1)!!!$M!!!!j!!!!18!!!$Q!!!!j`!!!1J!!!$T!!!!kJ!!!1X!!!$X!!!!l3!
+!!1i!!!$[!!!!m!!!!2%!!!$b!!!!m`!!!23!!!$e!!!!pJ!!!2F!!!$i!!!!q3!
+!!2S!!!$l!!!!r!!!!2d!!!$q!!!!r`!!!3!!!!%"!!!"!J!!!3-!!!%%!!!""3!
+!!3B!!!%(!!!"#!!!!3N!!!%+!!!"#`!!!3`!!!%0!!!"$J!!!3m!!!%3!!!"%3!
+!!4)!!!%6!!!"&!!!!48!!!%@!!!"&`!!!4J!!!%C!!!"'J!!!4X!!!%F!!!"(3!
+!!4i!!!%I!!!")!!!!5%!!!%L!!!")`!!!53!!!%P!!!"*J!!!5F!!!%S!!!"+3!
+!!5S!!!%V!!!",!!!!5d!!!%Z!!!",`!!!6!!!!%a!!!"-J!!!6-!!!%d!!!"03!
+!!6B!!!%h!!!"1!!!!6N!!!%k!!!"1`!!!6`!!!%p!!!"2J!!!6m!!!&!!!!"33!
+!!8)!!!&$!!!"4!!!!88!!!&'!!!"4`!!!8J!!!&*!!!"5J!!!8X!!!&-!!!"63!
+!!8i!!!&2!!!"8!!!!9%!!!&5!!!"8`!!!93!!!&9!!!"9J!!!9F!!!&B!!!"@3!
+!!9S!!!&E!!!"A!!!!9d!!!&H!!!"A`!!!@!!!!&K!!!"BJ!!!@-!!!&N!!!"C3!
+!!@B!!!&R!!!"D!!!!@N!!!&U!!!"D`!!!@`!!!&Y!!!"EJ!!!@m!!!&`!!!"F3!
+!!A)!!!&c!!!"G!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!"G3!!!B!)!!!!#!!"G3!!!GS!!3!F!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!#!!!!3J!!!))!!!$#!!!"!J!!!8)!!!'#!!!"`J!!!J)!!!*#!!!#JJ
+!!!X)!!!-#!!!$3J!!!i)!!!2#!!!%!J!!"%)!!!5#!!!%`J!!"3)!!!9#!!!&JJ
+!!"F)!!!B#!!!'3J!!"S)!!!E#!!!(!J!!"d)!!!H#!!!(`J!!#!)!!!K#!!!)JJ
+!!#-)!!!N#!!!*3J!!#B)!!!R#!!!+!J!!#N)!!!U#!!!+`J!!#`)!!!Y#!!!,JJ
+!!#m)!!!`#!!!-3J!!$))!!!c#!!!0!J!!$8)!!!f#!!!0`J!!$J)!!!j#!!!1JJ
+!!$X)!!!m#!!!23J!!$i)!!!r#!!!3!J!!%%)!!"##!!!3`J!!%3)!!"&#!!!4JJ
+!!%F)!!")#!!!53J!!%S)!!",#!!!6!J!!%d)!!"1#!!!6`J!!&!)!!"4#!!!8JJ
+!!&-)!!"8#!!!93J!!&B)!!"A#!!!@!J!!&N)!!"D#!!!@`J!!&`)!!&d#!!!A3J
+!!&i)!!"I#!!!B!J!!'%)!!"L#!!!B`J!!'3)!!"P#!!!CJJ!!'F)!!"S#!!!D3J
+!!'S)!!"V#!!!E!J!!'d)!!"Z#!!!E`J!!(!)!!"a#!!!FJJ!!(-)!!"d#!!!G3J
+!!(B)!!"h#!!!H!J!!(N)!!"k#!!!H`J!!(`)!!"p#!!!IJJ!!(m)!!#!#!!!J3J
+!!)))!!#$#!!!K!J!!)8)!!#'#!!!K`J!!)J)!!#*#!!!LJJ!!)X)!!#-#!!!M3J
+!!)i)!!#2#!!!N!!)!!#4#!!!NJJ!!*-)!!#8#!!!P3J!!*B)!!#A#!!!Q!J!!*N
+)!!#D#!!!Q`J!!*`)!!#G#!!!RJJ!!*m)!!#J#!!!S3J!!+))!!#M#!!!T!J!!+8
+)!!#Q#!!!T`J!!+J)!!#T#!!!UJJ!!+X)!!#X#!!!V3J!!+i)!!#[#!!!X!J!!,%
+)!!#b#!!!X`J!!,3)!!#e#!!!YJJ!!,F)!!#i#!!!Z3J!!,S)!!#l#!!![!J!!,d
+)!!#q#!!![`J!!-!)!!$"#!!!`JJ!!--)!!$%#!!!a3J!!-B)!!$(#!!!b!J!!-N
+)!!$+#!!!b`J!!-`)!!$0#!!!cJJ!!-m)!!$3#!!!d3J!!0))!!$6#!!!e!J!!08
+)!!$@#!!!e`J!!0J)!!$C#!!!fJJ!!0X)!!$F#!!!h3J!!0i)!!$I#!!!i!J!!1%
+)!!$L#!!!i`J!!13)!!$P#!!!jJJ!!1F)!!$S#!!!k3J!!1S)!!$V#!!!l!J!!1d
+)!!$Z#!!!l`J!!2!)!!$a#!!!mJJ!!2-)!!$d#!!!p3J!!2B)!!$h#!!!q!J!!2N
+)!!$k#!!!q`J!!2`)!!$p#!!!rJJ!!2m)!!%!#!!"!3J!!3))!!%$#!!""!J!!38
+)!!%'#!!""`J!!3J)!!%*#!!"G3J!!3S)!!%,#!!"$!J!!3d)!!%1#!!"$`J!!4!
+)!!%4#!!"%JJ!!4-)!!%8#!!"&3J!!4B)!!%A#!!"'!J!!4N)!!%D#!!"'`J!!4`
+)!!%G#!!"(JJ!!4m)!!%J#!!")3J!!5))!!%M#!!"*!J!!58)!!%Q#!!"*`J!!5J
+)!!%T#!!"+JJ!!5X)!!%X#!!",3J!!5i)!!%[#!!"-!J!!6%)!!%b#!!"-`J!!63
+)!!%e#!!"0JJ!!6F)!!%i#!!"13J!!6S)!!%l#!!"2!J!!6d)!!%q#!!"2`J!!8!
+)!!&"#!!"3JJ!!8-)!!&%#!!"43J!!8B)!!&(#!!"5!J!!8N)!!&+#!!"5`J!!8`
+)!!&0#!!"6JJ!!8m)!!&3#!!"83J!!9))!!&6#!!"9!J!!98)!!&@#!!"9`J!!9J
+)!!&C#!!"@JJ!!9X)!!&F#!!"A3J!!9i)!!&I#!!"B!J!!@%)!!&L#!!"B`J!!@3
+)!!&P#!!"CJJ!!@F)!!&S#!!"D3J!!@S)!!&V#!!"E!J!!@d)!!&Z#!!"E`J!!A!
+)!!&a#!!"FJJ!!A-#!!!"!!!!!3)"!!!!!!!"!!%$!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!J!!!J!!!!)#!3!!!!!!!3!"!`!!!!!!!!!!!!!!!!3!!!!!!!!!!!)!!!-
+!!!!$!J%!!!!!!!%!!3-!!!!!!!!!!!!!!!!%!!!!!!!!!!!#!!!%!!!!"!)"!!!
+!!!!"!!%$!!!!!!!!!!!!!!!!!!!!!!!!!!!!!J!!"3!!!!8#!3!!!!!!!3!"!`!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!)!!!B!!!!'!J%!!!!!!!%!!3-!!!!!!!!!!!!
+!!!!&!!!!!!!!!!!#!!!(!!!!"`)"!!!!!!!"!!%$!!!!!!!!!!!!!!!!!3!!!!!
+!!!!!!J!!#!!!!!J#!3!!!!!!!3!"!`!!!!!!!!!!!!!!!!8!!!!!!!!!!!)!!!N
+!!!!*!J%!!!!!!!%!!3-!!!!!!!!!!!!!!!!&!!!!!!!!!!!#!!!+!!!"I`)"!!!
+!!!!"!!%$!!!!!!!!!!!!!!!!!3!!!!!!!!!!!J!!#`!!!DN#!3!!!!!!!3!"!3!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!)!!!`!!!'U!J%!!!!!!!%!!3%!!!!!!!!!!!!
+!!!!"!!!!!!!!!!!#!!!0!!!"U`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!
+!!!!!!J!!$J!!!D`#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!)!!!m
+!!!'Y!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!#!!!3!!!"VJ)"!!!
+!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!J!!%3!!!Dm#!3!!!!!!!3!"!3!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!)!!")!!!'`!J%!!!!!!!%!!3%!!!!!!!!!!!!
+!!!!"!!!!!!!!!!!#!!!6!!!"X3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!
+!!!!!!J!!&!!!!E)#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!)!!"8
+!!!'c!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!#!!!@!!!"Y!)"!!!
+!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!J!!&`!!!E8#!3!!!!!!!3!"!3!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!)!!"J!!!'f!J%!!!!!!!%!!3%!!!!!!!!!!!!
+!!!!"!!!!!!!!!!!#!!!C!!!"Y`)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!
+!!!!!!J!!'J!!!EJ#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!)!!"X
+!!!'j!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!#!!!F!!!"ZJ)"!!!
+!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!J!!(3!!!EX#!3!!!!!!!3!"!3!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!)!!"i!!!'m!J%!!!!!!!%!!3%!!!!!!!!!!!!
+!!!!"!!!!!!!!!!!#!!!I!!!"[3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!
+!!!!!!J!!)!!!!Ei#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!)!!#%
+!!!'r!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!#!!!L!!!"`!)"!!!
+!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!J!!)`!!!F%#!3!!!!!!!3!"!3!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!)!!#3!!!(#!J%!!!!!!!%!!3%!!!!!!!!!!!!
+!!!!"!!!!!!!!!!!#!!!P!!!"``)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!
+!!!!!!J!!*J!!!F3#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!)!!#F
+!!!(&!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!#!!!S!!!"aJ)"!!!
+!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!!!!!!!J!!+3!!!FF#!3!!!!!!!3!"!3!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!)!!#S!!!()!J%!!!!!!!%!!3%!!!!!!!!!!!!
+!!!!"!!!!!!!!!!!#!!!V!!!"b3)"!!!!!!!"!!%"!!!!!!!!!!!!!!!!!3!!!!!
+!!!!!!J!!,!!!!FS#!3!!!!!!!3!"!3!!!!!!!!!!!!!!!!%!!!!!!!!!!!)!!#d
+!!!(,!J%!!!!!!!%!!3%!!!!!!!!!!!!!!!!"!!!!!!!!!!!#!!!Z!!!"T3)"!!!
+!!!!"!!%$!!!!!!!!!!!!!!!!!3!!!!!!!!!!!J!!,`!!!F`#!3!!!!!!!3!"!3!
+!!!!!!!!!!!!!!!%!!!!!!!!!!!)!!$!!!!(0!J%!!!!!!!%!!3-!!!!!!!!!!!!
+!!!!"!!!!!!!!!!!#!!!a!!!"cJ)"!!!!!!!"!!%$!!!!!!!!!!!!!!!!!3!!!!!
+!!!!!!J!!-J!!!Fm#!3!!!!!!!3!"!`!!!!!!!!!!!!!!!!%!!!!!!!!!!!)!!$-
+!!!(p"!%!!!!!!!!!!3-!!!!!!!!!!!!!!!#"!!!!!!!!!!!#!!!d!!!"rJ3"!!!
+!!!!!!!%$!!!!!!!!!!!!!!!!J3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!'!!!!J)!!J!!!!!#!`!&!!!
+!!!)%!!`!!!!!!J8!#J!!!!!#"J!#!!!!!!)(!!8!!!!!!JJ!!J!!!!!##3!'!!!
+!!!)+!!d!!!!!!JX!"3!!!!!#$!!&!!!!!!)0!!%!!!!!!Ji!!3!!!!!#$`!(!!!
+!!!)3!!J!!!!!!K%!"3!!!!!#%J!#!!!!!!)6!!)!!!!!!K3!#!!!!!!#&3!"!!!
+!!!)@!!%!!!!!!KF!#!!!!!!#'!!*!!!!!!)C!!3!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!"jJF!!!%!!!!!!!!!!!!!!!!!!!!!Y0m2&2rrr[B
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!(R#!!!!3!!!!!!!!!!!!!!!!!!!!#
+dh`m8rrr13J!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!J!!!!"i!!!!!(L!!!
+!!H%!!!!"j!!!!!(P!!!!!H-!!!!"jJ!!!!(R!!%!!!!b8Np29!!!!!!!!!!!!!!
+!!!C(8P93!!!!!!!!!!%18Qpj*h-J4f9d5&488&-!!!!%4NP-43%!!D*'58a&!3!
+"SdC*6%8"!!'K4NP-43%!!D"(8P93!!!!!!!!!!)66h"PEP066#""F("XD@0KG'P
+[EJ!!!#0'58a&!J!!(%C*6%8#!!!U4NP-43)!!!e'58a&!J!!)%C*6%8#!!!54NP
+-43)!!"0'58a&!J!!&NC*6%8#!!!B4NP-43)!!"G'58a&!J!!$NC*6%8#!!!H4NP
+-43)!!"&'58a&!J!!%%C*6%8#!!!K4NP-43)!!"4'58a&!J!!&8C*6%8#!!!X4NP
+-43)!!"T'58a&!J!!'8C*6%8#!!!S4NP-43)!!#G'58a&!J!!*%C*6%8#!!!Y4NP
+-43)!!!Y'58a&!J!!*NC*6%8#!!!T4NP-43)!!!a'58a&!J!!+dC*6%8#!!!L4NP
+-43)!!!p'58a&!J!!'dC*6%8#!!!G4NP-43)!!"p'58a&!J!!*8C*6%8#!!!M4e*
+98!!!!!!!!!!$%8p`C@j68d`J6'PLFQ&bD@9c!!!!"%G599!!!!!!!!!!"!038%-
+!!!!#4NP-43)!!$0'58a&!J!!0%G599!!!!!!!!!!"3-f1'X!!!!#4NP-438!!#"
+'58a&"3!!(dG599!!!!!!!!!!"JCMFRP`G'm!!!!S4NP-43%!!Aa'58a&!3!"INC
+*6%8"!!'N4NP-43%!!Cp'58a&!3!"I8C*6%8"!!&l4e*98!!!!!!!!!!("'&cEM%
+!!!"A4NP-43%!!$j'58a&!3!!-8C*6%8"!!"&4NP-43%!!$P'58a&!3!!3dC*6%8
+"!!!m4NP-43%!!$p'58a&!3!!3%C*6%8"!!"%4NP-43%!!%&'58a&!3!!0dC*6%8
+"!!!e4NP-43%!!$Y'58a&!3!!-NC*6%8"!!!i4NP-43%!!%K'58a&!3!!4NC*6%8
+"!!"#4NP-43%!!$C'58a&!3!!4dC*6%8"!!')4NP-43%!!("'58a&!3!!I%C*6%8
+"!!"i4NP-43%!!(T'58a&!3!!H8C*6%8"!!"a4NP-43%!!(C'58a&!3!!FNC*6%8
+"!!"p4NP-43%!!B&'58a&!3!!FdC*6%8"!!"e4NP-43%!!(Y'58a&!3!!A8C*6%8
+"!!"04NP-43%!!&P'58a&!3!!6NC*6%8"!!"D4NP-43%!!%p'58a&!3!!@dC*6%8
+"!!"34NP-43%!!&a'58a&!3!!5dC*6%8"!!"A4NP-43%!!%a'58a&!3!!@%C*6%8
+"!!"Z4NP-43%!!'p'58a&!3!"LNC*6%8"!!"X4NP-43%!!'e'58a&!3!"L8C*6%8
+"!!',4NP-43%!!'9'58a&!3!!D8C*6%8"!!"S4NP-43%!!'G'58a&!3!!BdC*6%8
+"!!"N4NP-43%!!'&'58a&!3!!DNC*6%8"!!"L4NP-43%!!'C'58a&!3!!8dC*6%8
+"!!"84NP-43%!!&9'58a&!3!!9NC*6%8"!!"*4NP-43%!!%T'58a&!3!!ANC*6%8
+"!!"54NP-43%!!$T'58a&!3!!GdC*6%8"!!!c4NP-43%!!(4'58a&!3!!,dC*6%8
+"!!!Z4NP-43%!!#e'58a&!3!!28C*6%8"!!!d4NP-43%!!Ba'58a&!3!!88C*6%8
+"!!!`4NP-43%!!&p'58a&!3!!B%C*6%8"!!"V4e*98!!!!!!!!!!)!Q*Q!!!!"8C
+*6%8"!!##4NP-43%!!(p'58a&!3!!J%C*6%8"!!"q4NP-43%!!)&(8P93!!!!!!!
+!!!N$BQP[!!!!$NC*6%8"!!#%4NP-43%!!Be'58a&!3!!JdC*6%8"!!'14NP-43%
+!!C&'58a&!3!"MdC*6%8"!!'3!%C*6%8"!!#&4NP-43%!!C*'58a&!3!"J%C*6%8
+"!!'(4NP-43%!!C9'58a&!3!"NdC*6%8"!!'84e*98!!!!!!!!!!+!Q*Z!!!!&%C
+*6%8"!!#'4NP-43%!!)P'58a&!3!!LdC*6%8"!!#14NP-43%!!DC'58a&!3!!N8C
+*6%8"!!#64NP-43%!!*4'58a&!3!!PNC*6%8"!!#B4NP-43%!!)K'58a&!3!!M8C
+*6%8"!!#54NP-43%!!)T'58a&!3!!PdC*6%8"!!#(4NP-43%!!*9'58a&!3!!MdC
+*6%8"!!#3!%C*6%8"!!#-4e*98!!!!!!!!!!,"Q*eCQCPFJ!!!!*'58a&!3!!Q8C
+*6%8"!!#D4e*98!!!!!!!!!!-"'0KFh3!!!!&4NP-43%!!*p'58a&!3!!R%C*6%8
+"!!#G4NP-43%!!*Y'58a&!3!!RNG599!!!!!!!!!!$34MEfe`!!!!!dC*6%8"!!#
+J4NP-43%!!+&'58a&!3!!SNG599!!!!!!!!!!$J4MEfjQ!!!!!NC*6%8"!!#M4NP
+-43%!!+4(8P93!!!!!!!!!!m$C'9c!!!!'NC*6%8"!!#P4NP-43%!!+C'58a&!3!
+!U%C*6%8"!!#T4NP-43%!!+Y'58a&!3!!V%C*6%8"!!#Z4NP-43%!!CC'58a&!3!
+!VdC*6%8"!!#b4NP-43%!!,0'58a&!3!!Y%C*6%8"!!#e4NP-43%!!,C'58a&!3!
+!Z%C*6%8"!!#j4NP-43%!!,T'58a&!3!!UNC*6%8"!!#`4NP-43%!!,G'58a&!3!
+![8C*6%8"!!#l4NP-43%!!+G'58a&!3!!X8C*6%8"!!#m4NP-43%!!+e(8P93!!!
+!!!!!!"!#C'J!!!!&4NP-43%!!-"'58a&!3!!`8C*6%8"!!$#4NP-43%!!,j'58a
+&!3!![dG599!!!!!!!!!!%30NFf%!!!!)4NP-43%!!-9'58a&!3!!aNC*6%8"!!$
+(4NP-43%!!-0'58a&!3!!b8C*6%8"!!$)4NP-43%!!-4'58a&!3!"JNG599!!!!!
+!!!!!%J0PFR)!!!!$4NP-43%!!-T'58a&!3!!bdC*6%8"!!$-4e*98!!!!!!!!!!
+6!f9fF!!!!$p'58a&!3!!ddC*6%8"!!$54NP-43%!!04'58a&!3!!eNC*6%8"!!$
+V4NP-43%!!0e'58a&!3!!j%C*6%8"!!$c4NP-43%!!1a'58a&!3!!hNC*6%8"!!$
+P4NP-43%!!24'58a&!3!!k%C*6%8"!!$D4NP-43%!!2G'58a&!3!"!NC*6%8"!!$
+K4NP-43%!!2"'58a&!3!!q%C*6%8"!!$Y4NP-43%!!0p'58a&!3!!jNC*6%8"!!$
+e4NP-43%!!1P'58a&!3!!fdC*6%8"!!$L4NP-43%!!2&'58a&!3!!kNC*6%8"!!$
+F4NP-43%!!10'58a&!3!!mNC*6%8"!!$Z4NP-43%!!1"'58a&!3!!jdC*6%8"!!$
+f4NP-43%!!2j'58a&!3!!qdC*6%8"!!$m4NP-43%!!3"'58a&!3!"!8C*6%8"!!$
+j4NP-43%!!2T'58a&!3!!r8C*6%8"!!$r4NP-43%!!3C'58a&!3!""dC*6%8"!!%
+)4NP-43%!!3P'58a&!3!""8C*6%8"!!%%4NP-43%!!30'58a&!3!!cdC*6%8"!!$
+04NP-43%!!-j'58a&!3!!e8C*6%8"!!$[4NP-43%!!0&'58a&!3!!edC*6%8"!!$
+34NP-43%!!0P'58a&!3!!f%C*6%8"!!'A4NP-43%!!CK(8P93!!!!!!!!!"3%D'e
+KB`!!!!&'58a&!3!"#NG599!!!!!!!!!!&34TC'9K!!!!"8C*6%8"!!%,4NP-43%
+!!3a'58a&!3!"$NC*6%8"!!%04NP-43%!!3p(8P93!!!!!!!!!"B&E'KKFfJ!!!!
+#4NP-43%!!4"'58a&!3!"%8G599!!!!!!!!!!&`0YC$)!!!!#4NP-43%!!4*'58a
+&!3!"%dG599!!!!!!!!!!'!0YC$8!!!!#4NP-43%!!44'58a&!3!"&8G599!!!!!
+!!!!!'34YC'-b!!!!!NC*6%8"!!%@4NP-43%!!4G(8P93!!!!!!!!!"S(Ef*UC@0
+dF`!!!!4'58a&!3!"'dC*6%8"!!%B4NP-43%!!4T'58a&!3!"'8G599!!!!!!!!!
+!'`0`C@d!!!!'4NP-43%!!5&'58a&!3!")%C*6%8"!!%H4NP-43%!!4p'58a&!3!
+"(%C*6%8"!!%G4e*98!!!!!!!!!!F"R"VBh-a-J!!!""'58a&!3!")NC*6%8"!!%
+M4NP-43%!!54'58a&!3!"*8C*6%8"!!%Q4NP-43%!!5G'58a&!3!"+%C*6%8"!!%
+T4NP-43%!!5T'58a&!3!"+dC*6%8"!!%X4NP-43%!!5e'58a&!3!",NC*6%8"!!%
+[4NP-43%!!CP'58a&!3!"-%G599!!!!!!!!!!(39`Df0c0`!!!!C'58a&!3!"-NC
+*6%8"!!%c4NP-43%!!6&'58a&!3!"R%C*6%8"!!'D4NP-43%!!CY(8P93!!!!!!!
+!!"i%FQ&ZC!!!!!4'58a&!3!"0%C*6%8"!!%e4NP-43%!!6C'58a&!3!"TdG599!
+!!!!!!!!!(`0bBc)!!!!&4NP-43%!!6T'58a&!3!"1dC*6%8"!!%j4NP-43%!!6G
+'58a&!3!"1%G599!!!!!!!!!!)!0bBc3!!!!#4NP-43%!!6e'58a&!3!"2%G599!
+!!!!!!!!!)30bBc8!!!!&4NP-43%!!8*'58a&!3!"3%C*6%8"!!&"4NP-43%!!6j
+'58a&!3!"2dG599!!!!!!!!!!)JCbDA"PE@3!!!!#4NP-43%!!80'58a&!3!"4%G
+599!!!!!!!!!!)`0bFf%!!!!-4NP-43%!!89'58a&!3!"4dC*6%8"!!&)4NP-43%
+!!8e'58a&!3!"6%C*6%8"!!&'4NP-43%!!8Y'58a&!3!"6NC*6%8"!!&*4NP-43%
+!!8T'58a&!3!"R8C*6%8"!!'H4e*98!!!!!!!!!!N!h0SB3!!!!4'58a&!3!"88C
+*6%8"!!&24NP-43%!!9*'58a&!3!"8%G599!!!!!!!!!!*39cG'&MD`!!!!&'58a
+&!3!"8dG599!!!!!!!!!!*JCdH(4IC')!!!!"4NP-43%!!94(8P93!!!!!!!!!#F
+%H$8`13!!!"9'58a&!3!"A%C*6%8"!!&E4NP-43%!!@&'58a&!3!"@NC*6%8"!!&
+J4NP-43%!!@*'58a&!3!"JdC*6%8"!!&Q4NP-43%!!@0'58a&!3!"@%C*6%8"!!&
+G4NP-43%!!9G'58a&!3!"C8C*6%8"!!&H4NP-43%!!9P'58a&!3!"AdC*6%8"!!&
+R4NP-43%!!@4'58a&!3!"K%C*6%8"!!&94NP-43%!!9C(8P93!!!!!!!!!#J'H$8
+`1ABc!!!!&8C*6%8"!!&V4NP-43%!!@a'58a&!3!"E8C*6%8"!!&a4NP-43%!!A0
+'58a&!3!"G8C*6%8"!!&h4NP-43%!!AT'58a&!3!"D%C*6%8"!!&b4NP-43%!!@T
+'58a&!3!"H%C*6%8"!!&T4NP-43%!!AC'58a&!3!"G%C*6%8"!!&`4NP-43%!!AP
+'58a&!3!"ENC*6%8"!!&[4NP-43%!!B9'58a&!3!"KNG599!!!!!!!!!!+30cFf`
+!!!!M4NP-43%!!"0'58a&!3!!&8C*6%8"!!!34NP-43%!!"*'58a&!3!!%8C*6%8
+"!!!84NP-43%!!"T'58a&!3!!(%C*6%8"!!!A4NP-43%!!"P'58a&!3!!'%C*6%8
+"!!!E4NP-43%!!"C'58a&!3!!$8C*6%8"!!!24NP-43%!!!Y'58a&!3!!$%C*6%8
+"!!!14NP-43%!!#Y'58a&!3!!,%C*6%8"!!!S4NP-43%!!#T'58a&!3!!+8C*6%8
+"!!!M4NP-43%!!#*'58a&!3!!(dC*6%8"!!!P4NP-43%!!#"'58a&!3!!*NC*6%8
+"!!!N4NP-43%!!"j'58a&!3!!*dC*6%8"!!!G4NP-43%!!!T'58a&!3!!)8G599!
+!!!!!!!!!+Jj(990*)%aTBR*KFQPPF`!!!!0'58a&!J!!,dG599!!!!!!!!!!+`0
+38%-!!!!$4NP-43)!!$"'58a&!J!!-8C*6%8#!!!b4e*98!!!!!!!!!!X!cBiD`!
+!!!0'58a&"3!!&%C*6%8&!!!94NP-438!!"C(8P93!!!!!!!!!#d138j655"-D@*
+bBA*TCA-!!!!#4e*98!!!!!!!!!!Z!e"33`!!!!*'58a&!3!!!8C*6%8"!!&r4e*
+98!!!!!!!!!![!cBiD`!!!!*'58a&!`!"S%C*6%8$!!'K4e*98!!!!!!!!!!`$8e
+KBb"-D@*bBA*TCA-!!!!#4e*98!!!!!!!!!!a!e"33`!!!!P'58a&!3!!"%C*6%8
+"!!!#4NP-43%!!!0'58a&!3!!#8C*6%8"!!!)4NP-43%!!!G'58a&!3!!"NC*6%8
+"!!!&4NP-43%!!D9(8P93!!!!!!!!!$)$0MKV!!!!"NC*6%8$!!'D4NP-43-!!D*
+'58a&!`!"R%C*6%8$!!'G4NP-43-!!Cp'58a&!`!"Q`!!!!!!!!!!!!!!Y,T3!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!#"J%#!!!c"`%#!!!d!!!!!J3""3!!)!J""3!!(`!!!HF
+!!!)!!!!6e`!!&!!!!!(R!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!$*!!!!i!!!&0i
+!!"J!!!!!b3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!#!!!!H!"!!!"!!!!!!!!!!!
+!"!!"!!!"k,6I$a6rrqXL!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"i3)!!!%
+!!!!!!!!!!!!%!!%!!!(dY0m2*3!!DlF!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!(L!`!!!3!!!!!!!!!!!!3!!3!!!I@dh`m8!!!`R3!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!H-%!!!"!!!!!!!!!!!!"!!"!!!"ql6I$a6rrjeI!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!"j!8!!!%!!!!!!!!!!!!%!!%!!!(mY0m2*IrrcT!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"j3B!!!%!!!!!!!!!!!!%!!%!!!(
+pY0m2&2rrVV8!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!(Q"`!!!3!!!!!!!!!
+!!!3!!3!!!Ikdh`m8rrrqpJ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!HF)!!!
+"!!!!!!!!!!!!"!!"!!!"rl6I$a6rrmj#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!"+!!!'!"YFh4b!!!!!!!!!!!!!!!!!!!C+!!!#S"YFh4X!!!!!!!!!!!!!!!
+!!!!MU!!!!i"YFh4Z!!!!!!!!!!!!!!!!!!!R+!!!'!"YFh4b!!!$k!!!!!!!!!!
+!!!!r+!!!'B"YFh4X!!!$k!!!!!!!!!!!!!%0dJ!!#)"YFh4Z!!!$k!!!!!!!!!!
+!!!"E+!!!"4"`FQ9Q!!jqcJ!!!!%!!!!!!!"J1!!!!!K`FQ9Q!!i,hJ!!!!)!!!!
+!!!"J3!!!!"T`FQ9Q!!i*C!!!!!-!!!!!!!"J@J!!$+"`FQ9Q!!j"B3!!!!3!!!!
+!!!"XqJ!!"K4`FQ9Q!!kHI3!!!!8!!!!!!!"c$J!!#*C`FQ9Q!!j,f`!!!!B!!!!
+!!!"lT!!!!3G`FQ9Q!!ihQJ!!!!F!!!!!!!"mU`!!!b"`FQ9Q!!iT1`!!!!J!!!!
+!!!"rb`!!!"4`FQ9Q!!jZi!!!!!N!!!!!!!"rh`!!!!T`FQ9Q!!jf-!!!!!S!!!!
+!!!"rk3!!!!a`FQ9Q!!k$&3!!!!X!!!!!!!"rp3!!!!j`FQ9Q!!l6V!!!!!`!!!!
+!!!#!!`!!!3C`FQ9Q!!l9e3!!!!d!!!!!!!#"#3!!!$j`FQ9Q!!k(*3!!!!i!!!!
+!!!#"4`!!!!j`FQ9Q!!j"33!!!!m!!!!!!!#"93!!!GT`FQ9Q!!jMQ`!!!"!!!!!
+!!!#$,`!!!'*`FQ9Q!!iIT3!!!"%!!!!!!!#$N3!!!"4`FQ9Q!!i)0`!!!")!!!!
+!!!#$T3!!!!T`FQ9Q!!k[Z3!!!"-!!!!!!!#$V`!!!!a`FQ9Q!!kCE!!!!"3!!!!
+!!!#$Z`!!!-T`FQ9Q!!jHY`!!!"8!!!!!!!#%K3!!!4K`FQ9Q!!kSh!!!!"B!!!!
+!!!#&R3!!!+K`FQ9Q!!j(T3!!!"F!!!!!!!#'43!!!#j`FQ9Q!!i#aJ!!!"J!!!!
+!!!#'F`!!!Ja`FQ9Q!!lpS`!!!"N!!!!!!!#)I`!!4J"YG("X!!!!!3!!!!!!!!!
+!!!$1I`!!"`"YG("c!!!!!3!!!!!!!!!!!!$9I`!!!""YG("T!!!!!3!!!!!!!!!
+!!!$9M`!!"TaYG'a[!!!!!3!!!!!!!!!!!!$F+`!!!#"YG(0X!!!!!3!!!!!!!!!
+!!!$F5`!!"4"`FQ9Q!!klZ`!!!"S!!!!!!!$K@`!!!!K`FQ9Q!!lq$`!!!"X!!!!
+!!!$KB`!!!"T`FQ9Q!!lTR!!!!"`!!!!!!!$KI3!!%0"`FQ9Q!!jkK!!!!"d!!!!
+!!!$b63!!"K4`FQ9Q!!lQ%3!!!"i!!!!!!!$iB3!!#*C`FQ9Q!!l4QJ!!!"m!!!!
+!!!%!p`!!!3G`FQ9Q!!l9lJ!!!#!!!!!!!!%"rJ!!!b"`FQ9Q!!i2K!!!!#%!!!!
+!!!%&(J!!!"4`FQ9Q!!kki3!!!#)!!!!!!!%&-J!!!!T`FQ9Q!!lUEJ!!!#-!!!!
+!!!%&2!!!!!a`FQ9Q!!l+`J!!!#3!!!!!!!%&5!!!!!j`FQ9Q!!j@3J!!!#8!!!!
+!!!%&9J!!!3C`FQ9Q!!kR#`!!!#B!!!!!!!%'A!!!!$j`FQ9Q!!i993!!!#F!!!!
+!!!%'QJ!!!!j`FQ9Q!!km6J!!!#J!!!!!!!%'U!!!!GT`FQ9Q!!kq6J!!!#N!!!!
+!!!%)JJ!!!'*`FQ9Q!!lXDJ!!!#S!!!!!!!%)j!!!!"4`FQ9Q!!lEH!!!!#X!!!!
+!!!%)q!!!!!T`FQ9Q!!i6c`!!!#`!!!!!!!%*!J!!!!a`FQ9Q!!iSA!!!!#d!!!!
+!!!%*$J!!!-T`FQ9Q!!i15!!!!#i!!!!!!!%*f!!!!4K`FQ9Q!!i#2!!!!#m!!!!
+!!!%+m!!!!+K`FQ9Q!!l,'3!!!$!!!!!!!!%,Q!!!!#j`FQ9Q!!l[K3!!!$%!!!!
+!!!%,aJ!!!Ja`FQ9Q!!kqX!!!!$)!!!!!!!0#I!!!#J"YG("X!!!!!J!!!!!!!!!
+!!!"BU!!!!3"YG("c!!!!!J!!!!!!!!!!!!"CU!!!!""YG("T!!!!!J!!!!!!!!!
+!!!%BiJ!!!0"YG'a[!!!!!J!!!!!!!!!!!!%CXJ!!!#"YG(0X!!!!!J!!!!!!!!!
+!!!%CdJ!!"4"`FQ9Q!!lk53!!!$-!!!!!!!%HiJ!!!!K`FQ9Q!!ibfJ!!!$3!!!!
+!!!%HkJ!!!"T`FQ9Q!!j($3!!!$8!!!!!!!%I"!!!$+"`FQ9Q!!ipM3!!!$B!!!!
+!!!%VT!!!"K4`FQ9Q!!kR*3!!!$F!!!!!!!%aZ!!!#5C`FQ9Q!!lqqJ!!!$J!!!!
+!!!%khJ!!!3G`FQ9Q!!j"k!!!!$N!!!!!!!%lj3!!!b"`FQ9Q!!jU8`!!!$S!!!!
+!!!%r"3!!!"4`FQ9Q!!m!0!!!!$X!!!!!!!%r'3!!!!T`FQ9Q!!kBq3!!!$`!!!!
+!!!%r)`!!!!a`FQ9Q!!ia@3!!!$d!!!!!!!%r,`!!!!j`FQ9Q!!kDRJ!!!$i!!!!
+!!!%r23!!!3C`FQ9Q!!i"i`!!!$m!!!!!!!&!3`!!!$j`FQ9Q!!ja`3!!!%!!!!!
+!!!&!J3!!!!j`FQ9Q!!lI4!!!!%%!!!!!!!&!M`!!!GT`FQ9Q!!j[I`!!!%)!!!!
+!!!&#D3!!!'*`FQ9Q!!iXV!!!!%-!!!!!!!&#b`!!!"4`FQ9Q!!i&T`!!!%3!!!!
+!!!&#h`!!!!T`FQ9Q!!lfMJ!!!%8!!!!!!!&#k3!!!!a`FQ9Q!!km-!!!!%B!!!!
+!!!&#p3!!!-T`FQ9Q!!k+c3!!!%F!!!!!!!&$[`!!!4K`FQ9Q!!jBk`!!!%J!!!!
+!!!&%e`!!!+K`FQ9Q!!i30J!!!%N!!!!!!!&&I`!!!#j`FQ9Q!!kMJ3!!!%S!!!!
+!!!&&V3!!!Ja`FQ9Q!!jc,3!!!%X!!!!!!!&(Z3!!4J"YG("X!!!!!`!!!!!!!!!
+!!!'0Z3!!"`"YG("c!!!!!`!!!!!!!!!!!!'8Z3!!!""YG("T!!!!!`!!!!!!!!!
+!!!'8b3!!!#"YG(0X!!!!!`!!!!!!!!!!!!'8k3!!"T!!EA4XE`!!!!-!!!!!!!!
+!!!!"QhN!!!83F(*PCJ!1L,S!!!"-!!!!!!!"S)N!!!!)F(*PCJ!1iN8!!!"0!!!
+!!!!"S*%!!!!DF(*PCJ!1d&S!!!"1!!!!!!!"S+X!!"$3F(*PCJ!1Rh-!!!"2!!!
+!!!!"XAX!!!B8F(*PCJ!1P(-!!!"3!!!!!!!"Yim!!!NQF(*PCJ!1LkB!!!"4!!!
+!!!!"`,8!!!%(F(*PCJ!1VAF!!!"5!!!!!!!"`E`!!!-JF(*PCJ!1ejm!!!"6!!!
+!!!!"a0`!!!!8F(*PCJ!1FbF!!!"8!!!!!!!"a2!!!!!+F(*PCJ!1@,m!!!"9!!!
+!!!!"a2S!!!!-F(*PCJ!1VG`!!!"@!!!!!!!"a3B!!!!1F(*PCJ!1@GJ!!!"A!!!
+!!!!"a43!!!%'F(*PCJ!1G1)!!!"B!!!!!!!"aKS!!!!qF(*PCJ!1CB`!!!"C!!!
+!!!!"aPJ!!!!1F(*PCJ!1*2X!!!"D!!!!!!!"aQB!!!(DF(*PCJ!19#X!!!"E!!!
+!!!!"b%!!!!"LF(*PCJ!1mb!!!!"F!!!!!!!"b+)!!!!8F(*PCJ!1m`8!!!"G!!!
+!!!!"b,B!!!!+F(*PCJ!1fHN!!!"H!!!!!!!"b-!!!!!-F(*PCJ!1$)-!!!"I!!!
+!!!!"b-`!!!$+F(*PCJ!1%CN!!!"J!!!!!!!"bCB!!!%BF(*PCJ!1Y5%!!!"K!!!
+!!!!"bUi!!!#SF(*PCJ!1$e8!!!"L!!!!!!!"beB!!!!ZF(*PCJ!1VXF!!!"M!!!
+!!!!"bi3!!!)-F(*PCJ!1YBi!!!"N!!!!!!!"cC!!!!!+!'edF'`!!!!%!!!!!!!
+!!!!!!GH3!!!!!3"YG("c!!!!"!!!!!!!!!!!!!(BN!!!!!!3EA4`D3!!!!3!!!!
+!!!!!!!!"f+!!!!!JEA4cE!!!!!3!!!!!!!!!!!!"f-!!!!#-EA4XE`!!!!3!!!!
+!!!!!!!!"f8`!!!83F(*PCJ!1C"3!!!"P!!!!!!!"hP`!!!!)F(*PCJ!1MEF!!!"
+Q!!!!!!!"hQ3!!!!DF(*PCJ!1SV`!!!"R!!!!!!!"hRi!!"$3F(*PCJ!1NlJ!!!"
+S!!!!!!!"ldi!!!B8F(*PCJ!1G1B!!!"T!!!!!!!"p@)!!!NQF(*PCJ!1lFS!!!"
+U!!!!!!!"rSJ!!!%(F(*PCJ!1ff%!!!"V!!!!!!!"rim!!!-JF(*PCJ!1r-N!!!"
+X!!!!!!!#!Um!!!!8F(*PCJ!1r(F!!!"Y!!!!!!!#!X-!!!!+F(*PCJ!1%0B!!!"
+Z!!!!!!!#!Xd!!!!-F(*PCJ!11!J!!!"[!!!!!!!#!YN!!!!1F(*PCJ!1Lh%!!!"
+`!!!!!!!#!ZF!!!%'F(*PCJ!1,BX!!!"a!!!!!!!#!qd!!!!qF(*PCJ!1KTd!!!"
+b!!!!!!!#"#X!!!!1F(*PCJ!1%am!!!"c!!!!!!!#"$N!!!(DF(*PCJ!1HE-!!!"
+d!!!!!!!#"K-!!!"LF(*PCJ!1idJ!!!"e!!!!!!!#"R8!!!!8F(*PCJ!1AA!!!!"
+f!!!!!!!#"SN!!!!+F(*PCJ!1j"8!!!"h!!!!!!!#"T-!!!!-F(*PCJ!1Qr-!!!"
+i!!!!!!!#"Tm!!!$+F(*PCJ!1a+%!!!"j!!!!!!!#"fN!!!%BF(*PCJ!1CMm!!!"
+k!!!!!!!##)%!!!#SF(*PCJ!1XB!!!!"l!!!!!!!##5N!!!!ZF(*PCJ!1mR8!!!"
+m!!!!!!!##9F!!!)-F(*PCJ!1Z,`!!!"p!!!!!!!##f-!!!8!EA4`E!!!!!8!!!!
+!!!!!!!!!@EJ!!!#!EA4`F`!!!!8!!!!!!!!!!!!!@MJ!!!!3EA4`D3!!!!8!!!!
+!!!!!!!!#%2-!!!!JEA4cE!!!!!8!!!!!!!!!!!!#%4-!!!#!EA4XE`!!!!8!!!!
+!!!!!!!!#%C-!!!83F(*PCJ!1a$B!!!"q!!!!!!!#&U-!!!!)F(*PCJ!1ppX!!!"
+r!!!!!!!#&UX!!!!DF(*PCJ!1YK%!!!#!!!!!!!!#&X8!!"$3F(*PCJ!1UKi!!!#
+"!!!!!!!#*j8!!!B8F(*PCJ!1!fJ!!!##!!!!!!!#,DN!!!L@F(*PCJ!1bY3!!!#
+$!!!!!!!#0Mm!!!%(F(*PCJ!1D*S!!!#%!!!!!!!#0dB!!!-JF(*PCJ!1Q1)!!!#
+&!!!!!!!#1QB!!!!8F(*PCJ!1DmN!!!#'!!!!!!!#1RS!!!!+F(*PCJ!1B[N!!!#
+(!!!!!!!#1S3!!!!-F(*PCJ!1Y%%!!!#)!!!!!!!#1T!!!!!!$R"bC@B!$Z2!!!!
+!L3!!!!!!!MUH!!!""R"bC@B!$K+Q!!!!LJ!!!!!!!MZN!!!!2R"bC@B!$Y45!!!
+!L`!!!!!!!M[L!!!!$R"bC@B!$ThJ!!!!M!!!!!!!!M[`!!!"fR"bC@B!$L2p!!!
+!M3!!!!!!!Mh+!!!!BR"bC@B!$UH%!!!!MJ!!!!!!!MiX!!!!&("bC@B!$U1Q!!!
+!M`!!!!!!!Mj!!!!!#R"bC@B!$Rrm!!!!N!!!!!!!!!)q5J!!!!a`FQ9Q!!iEh`!
+!!*%!!!!!!!)q9J!!!-T`FQ9Q!!j-XJ!!!*)!!!!!!!)r)!!!!4K`FQ9Q!!jGN3!
+!!*-!!!!!!!*!1!!!!+K`FQ9Q!!i5!3!!!*3!!!!!!!*!i!!!!#j`FQ9Q!!lG5`!
+!!*8!!!!!!!*"$J!!!Ja`FQ9Q!!jL+`!!!*B!!!!!!!*$'J!!#J"YG("X!!!!"J!
+!!!!!!!!!!!*0'J!!!3"YG("c!!!!"J!!!!!!!!!!!!*1'J!!!""YG("T!!!!"J!
+!!!!!!!!!!!*1+J!!!)aYG'a[!!!!"J!!!!!!!!!!!!*1YJ!!!#"YG(0X!!!!"J!
+!!!!!!!!!!!*1eJ!!"4"`FQ9Q!!ke'`!!!*F!!!!!!!*6jJ!!!!K`FQ9Q!!iPYJ!
+!!*J!!!!!!!*6lJ!!!"T`FQ9Q!!k$'`!!!*N!!!!!!!*8#!!!%0"`FQ9Q!!iDS3!
+!!*S!!!!!!!*Nf!!!"K4`FQ9Q!!k8"3!!!*X!!!!!!!*Ul!!!#*C`FQ9Q!!iKFJ!
+!!*`!!!!!!!*cJJ!!!3G`FQ9Q!!iTD3!!!*d!!!!!!!*dL3!!!b"`FQ9Q!!i1j`!
+!!*i!!!!!!!*hU3!!!"4`FQ9Q!!jL[3!!!*m!!!!!!!*h[3!!!!T`FQ9Q!!jXAJ!
+!!+!!!!!!!!*ha`!!!!a`FQ9Q!!jr'`!!!+%!!!!!!!*hd`!!!!j`FQ9Q!!k0TJ!
+!!+)!!!!!!!*hi3!!!3C`FQ9Q!!i0!3!!!+-!!!!!!!*ij`!!!$j`FQ9Q!!j!f3!
+!!+3!!!!!!!*j*3!!!!j`FQ9Q!!k[33!!!+8!!!!!!!*j-`!!!GT`FQ9Q!!iY93!
+!!+B!!!!!!!*l$3!!!'*`FQ9Q!!i`KJ!!!+F!!!!!!!*lE`!!!"4`FQ9Q!!jK6!!
+!!+J!!!!!!!*lJ`!!!!T`FQ9Q!!kKkJ!!!+N!!!!!!!*lM3!!!!a`FQ9Q!!k[X3!
+!!+S!!!!!!!*lQ3!!!-T`FQ9Q!!iUj!!!!+X!!!!!!!*mB`!!!4K`FQ9Q!!iAM3!
+!!+`!!!!!!!*pH`!!!+K`FQ9Q!!jMNJ!!!+d!!!!!!!*q)`!!!#j`FQ9Q!!lid!!
+!!+i!!!!!!!*q83!!!Ja`FQ9Q!!iiI!!!!+m!!!!!!!+!A3!!2!"YG("X!!!!"`!
+!!!!!!!!!!!+mA3!!"J"YG("c!!!!"`!!!!!!!!!!!!,#A3!!!""YG("T!!!!"`!
+!!!!!!!!!!!,#E3!!"G4YG'a[!!!!"`!!!!!!!!!!!!,)33!!!#"YG(0X!!!!"`!
+!!!!!!!!!!!,)B3!!"4"`FQ9Q!!i1N!!!!!#`!!!!!!!#cA%!!!!)F(*PCJ!1PMd
+!!!#a!!!!!!!#cAN!!!!DF(*PCJ!1G*S!!!#b!!!!!!!#cC-!!"$3F(*PCJ!1m28
+!!!#c!!!!!!!#hQ-!!!B8F(*PCJ!18k%!!!#d!!!!!!!#j(F!!!NQF(*PCJ!1&dF
+!!!#e!!!!!!!#lCd!!!%(F(*PCJ!1a"8!!!#f!!!!!!!#lU3!!!-JF(*PCJ!1h-`
+!!!#h!!!!!!!#mF3!!!!8F(*PCJ!1Gj-!!!#i!!!!!!!#mGJ!!!!+F(*PCJ!1c58
+!!!#j!!!!!!!#mH)!!!!-F(*PCJ!1Nd!!!!#k!!!!!!!#mHi!!!!1F(*PCJ!1Kq%
+!!!#l!!!!!!!#mI`!!!%'F(*PCJ!1ebJ!!!#m!!!!!!!#m`)!!!!qF(*PCJ!1C`N
+!!!#p!!!!!!!#md!!!!!1F(*PCJ!1qpm!!!#q!!!!!!!#mdi!!!(DF(*PCJ!1EaJ
+!!!#r!!!!!!!#p5J!!!"LF(*PCJ!1m4i!!!$!!!!!!!!#pBS!!!!8F(*PCJ!1#Td
+!!!$"!!!!!!!#pCi!!!!+F(*PCJ!1d"!!!!$#!!!!!!!#pDJ!!!!-F(*PCJ!1Mb-
+!!!$$!!!!!!!#pE3!!!$+F(*PCJ!1+43!!!$%!!!!!!!#pRi!!!%BF(*PCJ!1BQB
+!!!$&!!!!!!!#pjB!!!#SF(*PCJ!1JbF!!!$'!!!!!!!#q$i!!!!ZF(*PCJ!1jBJ
+!!!$(!!!!!!!#q'`!!!)-F(*PCJ!1EJ)!!!$)!!!!!!!#qRJ!!$`!EA4`E!!!!!J
+!!!!!!!!!!!!$0RJ!!!B!EA4`F`!!!!J!!!!!!!!!!!!$2(J!!!!3EA4`D3!!!!J
+!!!!!!!!!!!!$2)J!!!!JEA4cE!!!!!J!!!!!!!!!!!!$2+J!!!A8EA4XE`!!!!J
+!!!!!!!!!!!!$D9S!!"$%EA4RE!!!!qJ!!!!!!!!!!!!$8d!!!!!XE@pdD3!!!!!
+!!!!!!!!!!!!$8f`!!"1!8%acG!!19TJ!!!$*!!!!!!!"&P)!!!)XEA"cD3!!!qJ
+!!!!!!!!!!!!$D1S!!!!3EA0dF!!!!!)!!!!!!!!!!!!$D2S!!!!3EA0dF!!!!!8
+!!!!!!!!!!!!!@NJ!!!!SEA0dD3!!!qJ!!!!!!!!!!!!$D6)!!!!SEA0dD3!!!!!
+!!!!!!!!!!!!!@R!!!!!-E@&XE!!!!!!!!!!!!!!!!!!$6(`!!!$%E@&`E!!!!!!
+!!!!!!!!!!-eY!!!:
diff --git a/src/lib/libssl/src/MacOS/Randomizer.cpp b/src/lib/libssl/src/MacOS/Randomizer.cpp
new file mode 100644
index 0000000000..cceb6bde44
--- /dev/null
+++ b/src/lib/libssl/src/MacOS/Randomizer.cpp
@@ -0,0 +1,476 @@
+/* 
+------- Strong random data generation on a Macintosh (pre - OS X) ------
+                
+--      GENERAL: We aim to generate unpredictable bits without explicit
+        user interaction. A general review of the problem may be found
+        in RFC 1750, "Randomness Recommendations for Security", and some
+        more discussion, of general and Mac-specific issues has appeared
+        in "Using and Creating Cryptographic- Quality Random Numbers" by
+        Jon Callas (www.merrymeet.com/jon/usingrandom.html).
+
+        The data and entropy estimates provided below are based on my
+        limited experimentation and estimates, rather than by any
+        rigorous study, and the entropy estimates tend to be optimistic.
+        They should not be considered absolute.
+
+        Some of the information being collected may be correlated in
+        subtle ways. That includes mouse positions, timings, and disk
+        size measurements. Some obvious correlations will be eliminated
+        by the programmer, but other, weaker ones may remain. The
+        reliability of the code depends on such correlations being
+        poorly understood, both by us and by potential interceptors.
+
+        This package has been planned to be used with OpenSSL, v. 0.9.5.
+        It requires the OpenSSL function RAND_add. 
+
+--      OTHER WORK: Some source code and other details have been
+        published elsewhere, but I haven't found any to be satisfactory
+        for the Mac per se:
+
+        * The Linux random number generator (by Theodore Ts'o, in
+          drivers/char/random.c), is a carefully designed open-source
+          crypto random number package. It collects data from a variety
+          of sources, including mouse, keyboard and other interrupts.
+          One nice feature is that it explicitly estimates the entropy
+          of the data it collects. Some of its features (e.g. interrupt
+          timing) cannot be reliably exported to the Mac without using
+          undocumented APIs.
+
+        * Truerand by Don P. Mitchell and Matt Blaze uses variations
+          between different timing mechanisms on the same system. This
+          has not been tested on the Mac, but requires preemptive
+          multitasking, and is hardware-dependent, and can't be relied
+          on to work well if only one oscillator is present.
+
+        * Cryptlib's RNG for the Mac (RNDMAC.C by Peter Gutmann),
+          gathers a lot of information about the machine and system
+          environment. Unfortunately, much of it is constant from one
+          startup to the next. In other words, the random seed could be
+          the same from one day to the next. Some of the APIs are
+          hardware-dependent, and not all are compatible with Carbon (OS
+          X). Incidentally, the EGD library is based on the UNIX entropy
+          gathering methods in cryptlib, and isn't suitable for MacOS
+          either.
+
+        * Mozilla (and perhaps earlier versions of Netscape) uses the
+          time of day (in seconds) and an uninitialized local variable
+          to seed the random number generator. The time of day is known
+          to an outside interceptor (to within the accuracy of the
+          system clock). The uninitialized variable could easily be
+          identical between subsequent launches of an application, if it
+          is reached through the same path.
+
+        * OpenSSL provides the function RAND_screen(), by G. van
+          Oosten, which hashes the contents of the screen to generate a
+          seed. This is not useful for an extension or for an
+          application which launches at startup time, since the screen
+          is likely to look identical from one launch to the next. This
+          method is also rather slow.
+
+        * Using variations in disk drive seek times has been proposed
+          (Davis, Ihaka and Fenstermacher, world.std.com/~dtd/;
+          Jakobsson, Shriver, Hillyer and Juels,
+          www.bell-labs.com/user/shriver/random.html). These variations
+          appear to be due to air turbulence inside the disk drive
+          mechanism, and are very strongly unpredictable. Unfortunately
+          this technique is slow, and some implementations of it may be
+          patented (see Shriver's page above.) It of course cannot be
+          used with a RAM disk.
+
+--      TIMING: On the 601 PowerPC the time base register is guaranteed
+        to change at least once every 10 addi instructions, i.e. 10
+        cycles. On a 60 MHz machine (slowest PowerPC) this translates to
+        a resolution of 1/6 usec. Newer machines seem to be using a 10
+        cycle resolution as well.
+        
+        For 68K Macs, the Microseconds() call may be used. See Develop
+        issue 29 on the Apple developer site
+        (developer.apple.com/dev/techsupport/develop/issue29/minow.html)
+        for information on its accuracy and resolution. The code below
+        has been tested only on PowerPC based machines.
+
+        The time from machine startup to the launch of an application in
+        the startup folder has a variance of about 1.6 msec on a new G4
+        machine with a defragmented and optimized disk, most extensions
+        off and no icons on the desktop. This can be reasonably taken as
+        a lower bound on the variance. Most of this variation is likely
+        due to disk seek time variability. The distribution of startup
+        times is probably not entirely even or uncorrelated. This needs
+        to be investigated, but I am guessing that it not a majpor
+        problem. Entropy = log2 (1600/0.166) ~= 13 bits on a 60 MHz
+        machine, ~16 bits for a 450 MHz machine.
+
+        User-launched application startup times will have a variance of
+        a second or more relative to machine startup time. Entropy >~22
+        bits.
+
+        Machine startup time is available with a 1-second resolution. It
+        is predictable to no better a minute or two, in the case of
+        people who show up punctually to work at the same time and
+        immediately start their computer. Using the scheduled startup
+        feature (when available) will cause the machine to start up at
+        the same time every day, making the value predictable. Entropy
+        >~7 bits, or 0 bits with scheduled startup.
+
+        The time of day is of course known to an outsider and thus has 0
+        entropy if the system clock is regularly calibrated.
+
+--      KEY TIMING: A  very fast typist (120 wpm) will have a typical
+        inter-key timing interval of 100 msec. We can assume a variance
+        of no less than 2 msec -- maybe. Do good typists have a constant
+        rhythm, like drummers? Since what we measure is not the
+        key-generated interrupt but the time at which the key event was
+        taken off the event queue, our resolution is roughly the time
+        between process switches, at best 1 tick (17 msec). I  therefore
+        consider this technique questionable and not very useful for
+        obtaining high entropy data on the Mac.
+
+--      MOUSE POSITION AND TIMING: The high bits of the mouse position
+        are far from arbitrary, since the mouse tends to stay in a few
+        limited areas of the screen. I am guessing that the position of
+        the mouse is arbitrary within a 6 pixel square. Since the mouse
+        stays still for long periods of time, it should be sampled only
+        after it was moved, to avoid correlated data. This gives an
+        entropy of log2(6*6) ~= 5 bits per measurement.
+
+        The time during which the mouse stays still can vary from zero
+        to, say, 5 seconds (occasionally longer). If the still time is
+        measured by sampling the mouse during null events, and null
+        events are received once per tick, its resolution is 1/60th of a
+        second, giving an entropy of log2 (60*5) ~= 8 bits per
+        measurement. Since the distribution of still times is uneven,
+        this estimate is on the high side.
+
+        For simplicity and compatibility across system versions, the
+        mouse is to be sampled explicitly (e.g. in the event loop),
+        rather than in a time manager task.
+
+--      STARTUP DISK TOTAL FILE SIZE: Varies typically by at least 20k
+        from one startup to the next, with 'minimal' computer use. Won't
+        vary at all if machine is started again immediately after
+        startup (unless virtual memory is on), but any application which
+        uses the web and caches information to disk is likely to cause
+        this much variation or more. The variation is probably not
+        random, but I don't know in what way. File sizes tend to be
+        divisible by 4 bytes since file format fields are often
+        long-aligned. Entropy > log2 (20000/4) ~= 12 bits.
+        
+--      STARTUP DISK FIRST AVAILABLE ALLOCATION BLOCK: As the volume
+        gets fragmented this could be anywhere in principle. In a
+        perfectly unfragmented volume this will be strongly correlated
+        with the total file size on the disk. With more fragmentation
+        comes less certainty. I took the variation in this value to be
+        1/8 of the total file size on the volume.
+
+--      SYSTEM REQUIREMENTS: The code here requires System 7.0 and above
+        (for Gestalt and Microseconds calls). All the calls used are
+        Carbon-compatible.
+*/
+
+/*------------------------------ Includes ----------------------------*/
+
+#include "Randomizer.h"
+
+// Mac OS API
+#include <Files.h>
+#include <Folders.h>
+#include <Events.h>
+#include <Processes.h>
+#include <Gestalt.h>
+#include <Resources.h>
+#include <LowMem.h>
+
+// Standard C library
+#include <stdlib.h>
+#include <math.h>
+
+/*---------------------- Function declarations -----------------------*/
+
+// declared in OpenSSL/crypto/rand/rand.h
+extern "C" void RAND_add (const void *buf, int num, double entropy);
+
+unsigned long GetPPCTimer (bool is601); // Make it global if needed
+                                        // elsewhere
+
+/*---------------------------- Constants -----------------------------*/
+
+#define kMouseResolution 6              // Mouse position has to differ
+                                        // from the last one by this
+                                        // much to be entered
+#define kMousePositionEntropy 5.16      // log2 (kMouseResolution**2)
+#define kTypicalMouseIdleTicks 300.0    // I am guessing that a typical
+                                        // amount of time between mouse
+                                        // moves is 5 seconds
+#define kVolumeBytesEntropy 12.0        // about log2 (20000/4),
+                                        // assuming a variation of 20K
+                                        // in total file size and
+                                        // long-aligned file formats.
+#define kApplicationUpTimeEntropy 6.0   // Variance > 1 second, uptime
+                                        // in ticks  
+#define kSysStartupEntropy 7.0          // Entropy for machine startup
+                                        // time
+
+
+/*------------------------ Function definitions ----------------------*/
+
+CRandomizer::CRandomizer (void)
+{
+        long    result;
+        
+        mSupportsLargeVolumes =
+                (Gestalt(gestaltFSAttr, &result) == noErr) &&
+                ((result & (1L << gestaltFSSupports2TBVols)) != 0);
+        
+        if (Gestalt (gestaltNativeCPUtype, &result) != noErr)
+        {
+                mIsPowerPC = false;
+                mIs601 = false;
+        }
+        else
+        {
+                mIs601 = (result == gestaltCPU601);
+                mIsPowerPC = (result >= gestaltCPU601);
+        }
+        mLastMouse.h = mLastMouse.v = -10;      // First mouse will
+                                                // always be recorded
+        mLastPeriodicTicks = TickCount();
+        GetTimeBaseResolution ();
+        
+        // Add initial entropy
+        AddTimeSinceMachineStartup ();
+        AddAbsoluteSystemStartupTime ();
+        AddStartupVolumeInfo ();
+        AddFiller ();
+}
+
+void CRandomizer::PeriodicAction (void)
+{
+        AddCurrentMouse ();
+        AddNow (0.0);   // Should have a better entropy estimate here
+        mLastPeriodicTicks = TickCount();
+}
+
+/*------------------------- Private Methods --------------------------*/
+
+void CRandomizer::AddCurrentMouse (void)
+{
+        Point mouseLoc;
+        unsigned long lastCheck;        // Ticks since mouse was last
+                                        // sampled
+
+#if TARGET_API_MAC_CARBON
+        GetGlobalMouse (&mouseLoc);
+#else
+        mouseLoc = LMGetMouseLocation();
+#endif
+        
+        if (labs (mLastMouse.h - mouseLoc.h) > kMouseResolution/2 &&
+            labs (mLastMouse.v - mouseLoc.v) > kMouseResolution/2)
+                AddBytes (&mouseLoc, sizeof (mouseLoc),
+                                kMousePositionEntropy);
+        
+        if (mLastMouse.h == mouseLoc.h && mLastMouse.v == mouseLoc.v)
+                mMouseStill ++;
+        else
+        {
+                double entropy;
+                
+                // Mouse has moved. Add the number of measurements for
+                // which it's been still. If the resolution is too
+                // coarse, assume the entropy is 0.
+
+                lastCheck = TickCount() - mLastPeriodicTicks;
+                if (lastCheck <= 0)
+                        lastCheck = 1;
+                entropy = log2l
+                        (kTypicalMouseIdleTicks/(double)lastCheck);
+                if (entropy < 0.0)
+                        entropy = 0.0;
+                AddBytes (&mMouseStill, sizeof (mMouseStill), entropy);
+                mMouseStill = 0;
+        }
+        mLastMouse = mouseLoc;
+}
+
+void CRandomizer::AddAbsoluteSystemStartupTime (void)
+{
+        unsigned long   now;            // Time in seconds since
+                                        // 1/1/1904
+        GetDateTime (&now);
+        now -= TickCount() / 60;        // Time in ticks since machine
+                                        // startup
+        AddBytes (&now, sizeof (now), kSysStartupEntropy);
+}
+
+void CRandomizer::AddTimeSinceMachineStartup (void)
+{
+        AddNow (1.5);                   // Uncertainty in app startup
+                                        // time is > 1.5 msec (for
+                                        // automated app startup).
+}
+
+void CRandomizer::AddAppRunningTime (void)
+{
+        ProcessSerialNumber PSN;
+        ProcessInfoRec          ProcessInfo;
+        
+        ProcessInfo.processInfoLength = sizeof (ProcessInfoRec);
+        ProcessInfo.processName = nil;
+        ProcessInfo.processAppSpec = nil;
+        
+        GetCurrentProcess (&PSN);
+        GetProcessInformation (&PSN, &ProcessInfo);
+
+        // Now add the amount of time in ticks that the current process
+        // has been active
+
+        AddBytes (&ProcessInfo, sizeof (ProcessInfoRec),
+                        kApplicationUpTimeEntropy);
+}
+
+void CRandomizer::AddStartupVolumeInfo (void)
+{
+        short                   vRefNum;
+        long                    dirID;
+        XVolumeParam    pb;
+        OSErr                   err;
+        
+        if (!mSupportsLargeVolumes)
+                return;
+                
+        FindFolder (kOnSystemDisk, kSystemFolderType, kDontCreateFolder,
+                        &vRefNum, &dirID);
+        pb.ioVRefNum = vRefNum;
+        pb.ioCompletion = 0;
+        pb.ioNamePtr = 0;
+        pb.ioVolIndex = 0;
+        err = PBXGetVolInfoSync (&pb);
+        if (err != noErr)
+                return;
+                
+        // Base the entropy on the amount of space used on the disk and
+        // on the next available allocation block. A lot else might be
+        // unpredictable, so might as well toss the whole block in. See
+        // comments for entropy estimate justifications.
+
+        AddBytes (&pb, sizeof (pb),
+                kVolumeBytesEntropy +
+                log2l (((pb.ioVTotalBytes.hi - pb.ioVFreeBytes.hi)
+                                * 4294967296.0D +
+                        (pb.ioVTotalBytes.lo - pb.ioVFreeBytes.lo))
+                                / pb.ioVAlBlkSiz - 3.0));
+}
+
+/*
+        On a typical startup CRandomizer will come up with about 60
+        bits of good, unpredictable data. Assuming no more input will
+        be available, we'll need some more lower-quality data to give
+        OpenSSL the 128 bits of entropy it desires. AddFiller adds some
+        relatively predictable data into the soup.
+*/
+
+void CRandomizer::AddFiller (void)
+{
+        struct
+        {
+                ProcessSerialNumber psn;        // Front process serial
+                                                // number
+                RGBColor        hiliteRGBValue; // User-selected
+                                                // highlight color
+                long            processCount;   // Number of active
+                                                // processes
+                long            cpuSpeed;       // Processor speed
+                long            totalMemory;    // Total logical memory
+                                                // (incl. virtual one)
+                long            systemVersion;  // OS version
+                short           resFile;        // Current resource file
+        } data;
+        
+        GetNextProcess ((ProcessSerialNumber*) kNoProcess);
+        while (GetNextProcess (&data.psn) == noErr)
+                data.processCount++;
+        GetFrontProcess (&data.psn);
+        LMGetHiliteRGB (&data.hiliteRGBValue);
+        Gestalt (gestaltProcClkSpeed, &data.cpuSpeed);
+        Gestalt (gestaltLogicalRAMSize, &data.totalMemory);
+        Gestalt (gestaltSystemVersion, &data.systemVersion);
+        data.resFile = CurResFile ();
+        
+        // Here we pretend to feed the PRNG completely random data. This
+        // is of course false, as much of the above data is predictable
+        // by an outsider. At this point we don't have any more
+        // randomness to add, but with OpenSSL we must have a 128 bit
+        // seed before we can start. We just add what we can, without a
+        // real entropy estimate, and hope for the best.
+
+        AddBytes (&data, sizeof(data), 8.0 * sizeof(data));
+        AddCurrentMouse ();
+        AddNow (1.0);
+}
+
+//-------------------  LOW LEVEL ---------------------
+
+void CRandomizer::AddBytes (void *data, long size, double entropy)
+{
+        RAND_add (data, size, entropy * 0.125); // Convert entropy bits
+                                                // to bytes
+}
+
+void CRandomizer::AddNow (double millisecondUncertainty)
+{
+        long time = SysTimer();
+        AddBytes (&time, sizeof (time), log2l (millisecondUncertainty *
+                        mTimebaseTicksPerMillisec));
+}
+
+//----------------- TIMING SUPPORT ------------------
+
+void CRandomizer::GetTimeBaseResolution (void)
+{       
+#ifdef __powerc
+        long speed;
+        
+        // gestaltProcClkSpeed available on System 7.5.2 and above
+        if (Gestalt (gestaltProcClkSpeed, &speed) != noErr)
+                // Only PowerPCs running pre-7.5.2 are 60-80 MHz
+                // machines.
+                mTimebaseTicksPerMillisec =  6000.0D;
+        // Assume 10 cycles per clock update, as in 601 spec. Seems true
+        // for later chips as well.
+        mTimebaseTicksPerMillisec = speed / 1.0e4D;
+#else
+        // 68K VIA-based machines (see Develop Magazine no. 29)
+        mTimebaseTicksPerMillisec = 783.360D;
+#endif
+}
+
+unsigned long CRandomizer::SysTimer (void)      // returns the lower 32
+                                                // bit of the chip timer
+{
+#ifdef __powerc
+        return GetPPCTimer (mIs601);
+#else
+        UnsignedWide usec;
+        Microseconds (&usec);
+        return usec.lo;
+#endif
+}
+
+#ifdef __powerc
+// The timebase is available through mfspr on 601, mftb on later chips.
+// Motorola recommends that an 601 implementation map mftb to mfspr
+// through an exception, but I haven't tested to see if MacOS actually
+// does this. We only sample the lower 32 bits of the timer (i.e. a
+// few minutes of resolution)
+
+asm unsigned long GetPPCTimer (register bool is601)
+{
+        cmplwi  is601, 0        // Check if 601
+        bne     _601            // if non-zero goto _601
+        mftb    r3              // Available on 603 and later.
+        blr                     // return with result in r3
+_601:
+        mfspr r3, spr5          // Available on 601 only.
+                                // blr inserted automatically
+}
+#endif
diff --git a/src/lib/libssl/src/MacOS/Randomizer.h b/src/lib/libssl/src/MacOS/Randomizer.h
new file mode 100644
index 0000000000..565537b15d
--- /dev/null
+++ b/src/lib/libssl/src/MacOS/Randomizer.h
@@ -0,0 +1,43 @@
+
+//      Gathers unpredictable system data to be used for generating
+//      random bits
+
+#include <MacTypes.h>
+
+class CRandomizer
+{
+public:
+        CRandomizer (void);
+        void PeriodicAction (void);
+        
+private:
+
+        // Private calls
+
+        void            AddTimeSinceMachineStartup (void);
+        void            AddAbsoluteSystemStartupTime (void);
+        void            AddAppRunningTime (void);
+        void            AddStartupVolumeInfo (void);
+        void            AddFiller (void);
+
+        void            AddCurrentMouse (void);
+        void            AddNow (double millisecondUncertainty);
+        void            AddBytes (void *data, long size, double entropy);
+        
+        void            GetTimeBaseResolution (void);
+        unsigned long   SysTimer (void);
+
+        // System Info  
+        bool            mSupportsLargeVolumes;
+        bool            mIsPowerPC;
+        bool            mIs601;
+        
+        // Time info
+        double          mTimebaseTicksPerMillisec;
+        unsigned long   mLastPeriodicTicks;
+        
+        // Mouse info
+        long            mSamplePeriod;
+        Point           mLastMouse;
+        long            mMouseStill;
+};
diff --git a/src/lib/libssl/src/MacOS/TODO b/src/lib/libssl/src/MacOS/TODO
new file mode 100644
index 0000000000..903eb133de
--- /dev/null
+++ b/src/lib/libssl/src/MacOS/TODO
@@ -0,0 +1,18 @@
+-------------------------------------------------------------------
+Verify server certificate
+-------------------------------------------------------------------
+Currently omitted from the project:
+
+        crypto/tmdiff.c
+        crypto/bio/bss_conn.c
+        crypto/bio/b_sock.c
+        crypto/bio/bss_acpt.c
+        crypto/bio/bss_log.h
+
+-------------------------------------------------------------------
+Build libraries to link with...
+-------------------------------------------------------------------
+Port openssl application.
+-------------------------------------------------------------------
+BN optimizations (currently PPC version is compiled with BN_LLONG)
+-------------------------------------------------------------------
diff --git a/src/lib/libssl/src/MacOS/_MWERKS_GUSI_prefix.h b/src/lib/libssl/src/MacOS/_MWERKS_GUSI_prefix.h
new file mode 100644
index 0000000000..fe6b5387d6
--- /dev/null
+++ b/src/lib/libssl/src/MacOS/_MWERKS_GUSI_prefix.h
@@ -0,0 +1,9 @@
+#include <MacHeaders.h>
+#define B_ENDIAN
+#ifdef __POWERPC__
+#pragma longlong on
+#endif
+#if 1
+#define MAC_OS_GUSI_SOURCE
+#endif
+#define MONOLITH
diff --git a/src/lib/libssl/src/MacOS/_MWERKS_prefix.h b/src/lib/libssl/src/MacOS/_MWERKS_prefix.h
new file mode 100644
index 0000000000..2189da753b
--- /dev/null
+++ b/src/lib/libssl/src/MacOS/_MWERKS_prefix.h
@@ -0,0 +1,9 @@
+#include <MacHeaders.h>
+#define B_ENDIAN
+#ifdef __POWERPC__
+#pragma longlong on
+#endif
+#if 0
+#define MAC_OS_GUSI_SOURCE
+#endif
+#define MONOLITH
diff --git a/src/lib/libssl/src/MacOS/buildinf.h b/src/lib/libssl/src/MacOS/buildinf.h
new file mode 100644
index 0000000000..90875b6e2f
--- /dev/null
+++ b/src/lib/libssl/src/MacOS/buildinf.h
@@ -0,0 +1,5 @@
+#ifndef MK1MF_BUILD
+#  define CFLAGS        "-DB_ENDIAN"
+#  define PLATFORM      "macos"
+#  define DATE          "Sun Feb 27 19:44:16 MET 2000"
+#endif
diff --git a/src/lib/libssl/src/MacOS/mklinks.as.hqx b/src/lib/libssl/src/MacOS/mklinks.as.hqx
new file mode 100644
index 0000000000..fe3e7d53da
--- /dev/null
+++ b/src/lib/libssl/src/MacOS/mklinks.as.hqx
@@ -0,0 +1,820 @@
+(This file must be converted with BinHex 4.0)
+
+:#QeVE'PZDh-ZBA-!39"36'&`E(3J!!!!!!!!!*LiI6m!!!!!!3!!!*G#!!#@3J!
+!!AChFQPd!!!!K3)"!3m(Fh9`F'pbG!!!!)B#!3%$"(0eFQ8!!!#(!J-%"!3("3C
+cGfPdBfJ!!!#)!J%"#39cH@jMD!!!!)N#"J%$!`-&"3-'FhPcG'9Y!!!!LJ)&"3)
+%!J8("!-#!`4dB@*X!!!!L`))!3-$!`-$!`-$"(4PE'`!!!#-!J)"#38$G'KP!!!
+!M3))(J)@!Ki#!J))!K)#!`)B!Kd%G'KPE3!!!)i#!J%&#`4dD'9j!!!!M`)#!J)
+#$3TdD(*[G@GSEh9d!!!!N!!#!3%&"(4TCQB!!!#4!J%"!`4dD@eP!!!!NJ)"!JS
+#!h4T!!!!'N!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!H!!!!!!!#!!!!!!
+!!!!!!!!!!!!!rrrrr`!!!$3!!!!N!!!!!#"[!!5JAb"[!!5K++!M6R9$9'mJFR9
+Z)(4SDA-JFf0bDA"d)'&`F'aTBf&dD@pZ,#"jEh8JEA9cG#"QDA*cG#"TER0dB@a
+X)%&`F'aP8f0bDA"d,J!!!)C8D'Pc)(0MFQP`G#"MFQ9KG'9c)#iZ,fPZBfaeC'8
+[Eh"PER0cE#"KEQ3JCQPXE(-JDA3JGfPdD#"ZC@0PFh0KFRNJB@aTBA0PFbi0$8P
+d)'eTCfKd)(4KDf8JB5"hD'PXC5"dEb"MEfe`E'9dC5"cEb"`E'9KFf8JBQ8JF'&
+dD@9ZG$SY+3!!!#S!!J!!!!!!$3!+!"!!!!!-!!!!!!!!!!!!63!0!!S!%!%!!!`
+!!!!!!!!!!!!B!!!!+!!!!!!!!!!)!!!!)!#N2c`!!DR`!!!!l!!!!!&19[ri,`0
+f!#m$-$bKVDG'*KmY52ri,`-`2+LITdBQ(b!ZrrLa`'FJ,`-J2'0`ER4"l[rm)NL
+KV5+)*Kp+3'B)5Ulrr'F#GJ%3!bBZrr41ANje6PB!!#m-@Bm[2%j29%Nr2!#!U"m
+SAb!-CJK`!cm!UFKJ+#m-UC)J9#!)d+J!'#&!!"JJ9#!)d+J!(#&!!"a9Mbm8)&q
+JAMk!9%mSE[rm6Pj1G8j@!!![$%kkre4+!'FU@Bm[2'&`E(3[2(0MF(4`)DJU+&m
+J$'F5@Bm[$#mm!!!!!A!!U#UTp&K26VVrG#KZrra1ANje!!!!('&`E(3!!!!"4P*
+&4J!!!!!!J%P$6L-!!!!!!*B!!!!"!!!!!!G"8&"-!!!!!!!"!!!"!!!!!S!!!!4
+!!!"i)!!!K"!!!3))!!)#"!!%"!)!#!J"!"!8!)!J)J"!3%%!)2#!J"#*!%!)KJ!
+J")3!)!*!!"!")!!3!K!!%!3)!"!)"!!J%!)!3#!"!)"!!S%!J!5#!3!)4!)!#%J
+%!!KB#!!%C"!!!m)J!!!"3!!!!)!!!!%!!!!$J!!!"m!!!(rJ!!$rm!!"rrJ!!rr
+m!!IrrJ!2rrm!(rrrJ$rrrm"rrrrJrrrrm2rrrrMrrrrmrrrrrRrrrrmrrrrq(rr
+rr!rrrrJ(rrr`!rrri!(rrm!$rrq!"rrr!!rrrJ!2rr`!$rri!!IRm!!$`q!!!!(
+!!!!!J!!!!!)!!!!!!!!!!!m!!!!!!!!!!!!!!!!!!!$`m!!!!!!!!!!!!!!!!!!
+2!!m!!!!!!!!!!!!!!!rrm!!!m!!!!!!!!!!!!!$`c0m!!!m!!!!!!!!!!!!2!!c
+-m!!!m!!!!!!!!!!!m!$-cI!!!!m!!!!!!!!!$`!-c0m!!!!!m!!!!!!!!2!!c-h
+`!!!!!!m!!!!!!!m!$-cIh`!!!!!!m!!!!!$`!-c0rGh`!!!!!!m!!!!2!!c-hph
+-h`!!!!!!m!!!rrr-cIhF`-h`!!!!!!m!!2lFr0rGc!`-h`!!!!!!m!$pc-rph-$
+!`-h`!!!!!!m!r-`2cF`-$!!-r3!!!!!!m!m!`-c!`-!!$0m!!!!!$-m!m!`-$!`
+!!-cI!!!!!-c`!!m!`-$!!!`-h`!!!!c2!!!!m!`-!!$!c0m!!!$-m!!!!!m!`!!
+-$-hm!!!-c`!!!!!!m!!!`-cIc!!!c2!!!!!!!!m!$!c0r-`!$-m!!!!!!!$pm-$
+-hmc!!-c`!!!!!!!2hI`-cIc-!!c2!!!!!!!!rGc2c0r-`!$-m!!!!!!!!2h-cmh
+mc!!-c`!!!!!!!!$mc!rIr-!!c2!!!!!!!!!!$m$2m!r-$-m!!!!!!!!!!!$rr`!
+!r-c`!!!!!!!!!!!!!!!!!!r2!!!!!!!!!!!!!!!!!!!!m!!!!!!!!!!!!!"!!B!
+13"%J)4"##18%Q)+3!%&!)5!L%%3BL#83*L!G3!#!!B!2`"rJ2r"rq2rmrrlrrhr
+r2riIr"ri2r!ri"h!!)!!!!#!!!!!$r!!!!!!!2r`$`!!!!!2$!m!m!!!!2$!c`!
+2!!!2$!c`!!$`!2r`cpm!!!m!rGrpc2!!!2$p$p`-c`!!$`m!`-$0m!$2!2!-$-h
+`$2!!$`$-hm$2!!!2m-hm$2!!!2h2hm$2!!!!r-rm$2!!!!!2r`r2!!!!!!!!!2!
+!!!!!!!#D8f0bDA"d)%&`F'aTBf&dD@pZ$3e8D'Pc)(0MFQP`G#"MFQ9KG'9c)#i
+Z,fPZBfaeC'8[Eh"PER0cE#"KEQ3JCQPXE(-JDA3JGfPdD#"ZC@0PFh0KFRNJB@a
+TBA0PFbi0$8Pd)'eTCfKd)(4KDf8JB5"hD'PXC5"dEb"MEfe`E'9dC5"cEb"`E'9
+KFf8JBQ8JF'&dD@9ZG$SY+3!!!")!!J!!!!!!!!!!!!%!"J!'%iN!!!!+@1!!!b!
+!!!-J!!!!!"3!+`!(!Cm#@!!V!!F"f!*B!!!!!3!!M`C'BA0N98&6)$%Z-6!a,M%
+`$J!!!!32rrm!!3!#!!-"rrm!!!d!!3!"D`!!!!!!!!!%!J!%!!)!"3!'$3!&!!*
+X!!)!!!U`!!IrrJd!"`!#6`!!!!!+X!!)!!N0!!J!!@X!!!!%#Um!#J)!#J!#!!X
+!$!d!#`!#E!!#!!3!"2rprr`"rrd!!!(rr!!!!J!-!!)!$3!1$3!0!!*X!!%!"!!
+%rrX!$`(rq`!!$!!2!&N!8b"(CA3JF'&dD#"dEb"dD'Pc)%&`F'aP8f0bDA"d)'&
+`F'aPG$XJGA0P)'Pd)(4[)'C[FQdJG'KP)("KG'JJG'mJG'KP)'PZBfaeC'8JCQp
+XC'9b!!)!!!)!$J!#!"!!%3d!%!!#E!!"!!3!"2rk!")"rrS!!!`!%J!Q!#!JB@j
+N)(4SC5"[G'KPFL"bC@aPGQ&ZG#"QEfaNCA*c,J!#!!!#!"%!!J!6!"30!"-!!R-
+!!!!%!"%!&3!@$3!9!!*M!!!!"!!1!"F!'!d!&`!#E!!&!!3!$!!CrrN0!"N!!Qi
+!!!!%!!`!'J!E$3!D!!)d!!!!"3!-rrJ!(!Vrq!!%#Q0[BQS0!"`!!Q`!"3!'!!X
+!(Irh$3!G!!0*!!)!"J!,rrB!([re#[rf!"JZC@&bFfCQC(*KE'Pc!!!!!!!!)!"
+KCQ4b$3!H!!"Q!!!!"J!(![re!!!"rrF!!!d!'`!"E3!!!!3!"3!I$`!I!6J)ER9
+XE!!!!!!!!Gq!rrm!!!!A"NCTEQ4PFJ!!(`*[Me!!ASfm!Qq,i!"HA[!!I&M!!!!
+!!!!!'mi!!JN#!Qq-1!!!Kb%#Ei`J!!!!!%C14&*038e"3e-!!"%!B@aTF`!!!!!
+!fJ!#!!!-6@&MD@jdEh0S)%K%!!!!!!!!!!!!!!!!!!!!XSA5h%*%!!!!!!!A"NC
+TEQ4PFJ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!3rLc#@a!4Nj%8Ne"3e2rrrrr!!!!!!!!!!!!!!!!!!!
+!!!!!!!e6HA0dC@dJ4QpXC'9b!!!"!!3!!!!A!!)!)8eKBfPZG'pcD#")4$T6HA0
+dC@dJ4QpXC'9b1NCTEQ4PFJ$rr`!!!Irj!!!0!"J!!@d!!!!-!!hrp!Vrp!!%#Q0
+dH(30!"B!!@m!!!!!!!$rm`[rm`!5-!!(G'KPF'&dD!!(G'KP8'&dD!)!&!!#!#!
+!)3d!)!!#E!!#!")!%[rbrr%"rr)!!!(rm3!!!J!K!!)!)J!M$3!L!!*b!!!!%J!
+A!#3!*3d!*!!#EJ!$!")!&3!Q!#F0!#B!!6%!!!!6!"Arm!Vrm!!%#R4iC'`0!#F
+!!6%!!!!5!"2rl`Vrl`!%#Q&cBh)0!#8!!@m!!!!!!!$rlJ[rlJ!F-!!-G'KPEfa
+NC'9XD@ec!!adD'92E'4%C@aTEA-#!#-!!J!S!#N0!#J!!R)!!!!B!"d!+J!V$3!
+U!!&Y!!!!'!!C!#`-!#`!"`!"1J!#!!!0!#X!!Qi!!`!!!!!!,3!Z$3!Y!!%a!!!
+!'J!Frqd+rqd!"!TdH'4X$3!Z!!%a!!!!'3!Drq`+rq`!"!TKFf0b!J!T!!)!,`!
+`$3![!!*X!!)!(J!Hrq[rkJ(rk`!!!IrU!!!#!$!!!J!a!$)0!$%!!R)!!!!H!#X
+!-`!d$3!c!!*X!!8!(J!T!$Ark3d!03!#EJ!!!"i!+3!f!$F0!$B!!cF"!!!I!#R
+rk!!i!$N+rqJ!"!TMDA4Y$3!i!!&Y!!!!)`!PrqF$rqF!!3d!13!"E3!!!#B!+2r
+Q!rrQrrd0!$F!!@m!!!!H!"rrj3[rj3!5-!!(G'KPF'&dD!!(G'KP8'&dD!(rk3!
+!$3!d!!&[!!!!!!!!rq3,rq3!)$!!$R4SCA"bEfTPBh4`BA4S!!jdD'93FQpUC@0
+d8'&dD!)!-J!#!$S!1`d!1J!#FJ!!!#`!1`!m!$d0!$`!!Q-!!!!X!$N!2J!r$3!
+q!!*X!!8!,!!h!%$ri`d!3!!#EJ!!!#`!0`""!%)0!%%!!cF"!!!Y!$IriJ"$!%3
++rq)!"!TMDA4Y$3"$!!&Y!!!!-3!crq%$rq%!!3d!4!!"E3!!!$3!0[rJ!rrJrri
+0!%)!!@m!!!!X!#hrh`[rh`!5-!!(G'KPF'&dD!!(G'KP8'&dD!(ri`!!$3!r!!&
+Y!!!!0`!irpi+rpi!"!T849K8$3!p!!&[!!!!!!!!rpd,rpd!&M!!#A4SC@ePF'&
+dD!!*G'KP6@93BA4S!J!l!!)!43"'$3"&!!*X!!)!2!!mrpcrf`(rh!!!!IrE!!!
+#!%B!!J"(!%J0!%F!!R)!!!!m!%8!53"+$3"*!!*M!!!!2!""!%X!6!d!5`!#BJ!
+!!$`!2`"0!%i0!%d!!@m!!!!m!$hrfJ[rfJ!J-!!1G'KPF(*[DQ9MG("KG'J!$R4
+SC9"bEfTPBh43BA4S$3"1!!&Y!!!!23!q!%m-!%m!$3!(D@jME(9NC3!#!!!0!%`
+!!@d!!!!r!%$rf3Vrf3!%#P4&@&30!%S!!@m!!!!!!!$rf![rf!!Q-!!4D@jME(9
+NC@C[E'4PFR"KG'J!%@PZBfaeC'9'EfaNCA*3BA4S!J")!!)!8!"4$3"3!!*b!!!
+!4J"9!&)!8`d!8J!#B`!!!%B!83"8!&80!&3!!Q)!!!"'!%m!9J"A$3"@!!*L!!!
+!4J",!&J!@3d!@!!"E`!!!%B!4rrA#rrA!#!`!!jdD'9`FQpUC@0dF'&dD!!1G'K
+P8(*[DQ9MG&"KG'J0!&N!!@d!!!"(!%S!@J`!@J!0!!GTEQ0XG@4P!!)!!!d!9`!
+"E3!!!%X!6J"E$!"E!!d!"fp`C@jcFf`!!J!!$3"9!!&Y!!!!6`"3rpB+rpB!"!T
+849K8$3"6!!&[!!!!!!!!rp8,rp8!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&
+dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S!J"4!!)!A!"G$3"F!!*b!!!!9J"
+K!&i!A`d!AJ!#B`!!!&B!A3"J!'%0!'!!!Q)!!!"@!&X!BJ"M$3"L!!&[!!!!9J"
+Arp3,rp3!)$!!$R4SCA"bEfTPBh4`BA4S!!jdD'93FQpUC@0d8'&dD!d!B`!"E3!
+!!&F!@J"N$!"N!!`!"Q0bHA"dE`!#!!!0!'%!!@d!!!"E!&crd`Vrd`!%#P4&@&3
+0!&m!!@m!!!!!!!$rdJ[rdJ!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4Qp
+XC'9b8'&dD!)!A3!#!'8!CJd!C3!#FJ!!!')!E3"R!'J0!'F!!Q-!!!"L!'N!D3"
+U$3"T!!*L!!!!BJ"R!'X!E!d!D`!"E`!!!')!Brr4#rr4!#!`!!jdD'9`FQpUC@0
+dF'&dD!!1G'KP8(*[DQ9MG&"KG'J0!'`!!@d!!!"M!'B!E3`!E3!*!!0cFf`!!J!
+!$3"U!!&Y!!!!C`"Srp!+rp!!"!T849K8$3"S!!&[!!!!!!!!rmm,rmm!(M!!$A0
+cE'C[E'4PFR"KG'J!$A0cE%C[E'4PFP"KG'J#!'B!!J"Z!'m0!'i!!R)!!!"Z!(8
+!F!"a$3"`!!*M!!!!EJ"a!()!F`d!FJ!"E`!!!'i!Err1#rr1!#!`!!jdD'9`FQp
+UC@0dF'&dD!!1G'KP8(*[DQ9MG&"KG'J0!(-!!@d!!!"[!($rc3Vrc3!%#P4&@&3
+0!(%!!@m!!!!!!!$rc![rc!!Q-!!4Eh"PER0cE'C[E'4PFR"KG'J!%@p`C@jcFfa
+'EfaNCA*3BA4S!J"[!!)!G!"e$3"d!!*X!!)!GJ"frm[rbJ(rb`!!!Ir+!!!#!(8
+!!J"f!(F0!(B!!R)!!!"f!(X!H!"j$3"i!!&[!!!!GJ"hrmN,rmN!($!!$(4SC@p
+XC'4PE'PYF`!-G'KP6faN4'9XD@ec$3"j!!*Z!!-!!!!!!(S!H`d!HJ!"-3!!!(J
+!H[r)#[r)!!3+G(KNE!d!H`!"-3!!!(F!H2r(#[r(!!3+BA0MFJ)!G`!#!(`!I3d
+!I!!#E!!#!(`!I2r'rm8"rmB!!!(ra3!!!J"p!!)!IJ"r$3"q!!*X!!%!I!"mrm3
+!J!(ra!!!$!#!!%!!1L"NC@aPG'8JEfaN)'PZBfaeC'8kEh"PER0cE#"QEfaNCA)
+JB@jN)(*PBh*PBA4P)'Pd)'0XC@&ZE(N!!J!!!J"r!!)!J3##$3#"!!*X!!)!I!"
+mrm2r`J(r``!!!Ir#!!!#!))!!J#$!)30!)-!!e%!!!"m!+8!K3#'!)F0!)8!!@X
+!!!"r!*`!L!)!L!!#!)N!LJd!L3!$53!#!(m!N[r"!)[r`!Vr`3!B,QeTFf0cE'0
+d+LSU+J!!!!!!!*!!!#SU+LS0!)X!!Qi!!!"r!)i!M!#0$3#-!!)d!!!!K`#1rlm
+!MJVr[`!%#Q0QEf`0!)i!!@d!!!#+!)d!M``!M`!0!!G[F'9ZFh0X!!)!!!d!M3!
+#0!!!!(m!Krqq!*!!#[qq!!3+BfC[E!d!N!!!!@m!!!#$!)Er[3[r[3!Q-!!4D@j
+ME(9NC@C[E'4PFR"KG'J!%@PZBfaeC'9'EfaNCA*3BA4S![r!!!!#!)S!!J#4rl`
+0!*%!!dN!!J#6!*crZ`#5rlS+rlX!'#jMEh*PC'9XEbSU+LS!!!!!!!#3!!!U+LS
+U$3#5!!%a!!!!N`#BrlN+rlN!"!TcC@aP![qk!!!#rl`!!!d!KJ!$8J!!!!!!!2q
+irlIrYJVrZ!!B,Q&cBh*PFR)J+LSU+J!!!!!!!*!!!#SU+LS"rlF!!!,rYJ!!$3#
+(!!*X!!%!T!#Nrl8!N`(rY3!!$!#6!"-!$5"TCfj[FQ8JCA*bEh)!!J!!!J#%!!)
+!P!#9$3#8!!*X!!)!TJ#Qrl6rX`(rY!!!!Iqc!!!#!*8!!J#@!*F0!*B!!dN!!J#
+Q!,lrX[qa!*J+rl)!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!Iqa!!!'!*J
+!!rq`!*N!QJVrX!!%#QY[Bf`0!*N!!@d!!!#U!+hrV`VrV`!%#Q0QEf`'!*S!!rq
+Z!*[rV3VrVJ!%#QPZFfJ0!*X!!M3!!!#`!,MrV!#F#[qX!!3+BfC[E!d!R!!"E`!
+!!,3!YrqV#rqV!#B`!"&TEQ0XG@4PCQpXC'9bF'&dD!!4D@jME(9NC8C[E'4PFP"
+KG'J'rkd!!!)!P`!#!*d!RJd!R3!#FJ!!!,m!aJ#I!+!0!*m!!Q`"!!#r!-)!SIq
+U$3#K!!%a!!!![`$#rkN+rkN!"!TbFfad!IqU!!!0!+!!!@m!!!!!!!$rU![rU!!
+Z-!!9G'KPEQ9hCQpXC'9bFQ9QCA*PEQ0P!"9dD'91CAG'EfaNCA*5C@CPFQ9ZBf8
+#!*i!!J#L!+-0!+)!!dN!!J$(!-lrT`#NrkB+rkF!'#jYDA0MFfaMG#SU+LS!!!!
+!!!#3!!!U+LSU$3#N!!&[!!!!a`$+rk8,rk8!,M!!&A4SC@jPGfC[E'4PFR*PCQ9
+bC@jMC3!9G'KP6Q9h4QpXC'9b8Q9QCA*PEQ0P![qQ!!!#!+-!!J#P!+B0!+8!!R)
+!!!$2!0`!T`#S$3#R!!&Y!!!!c`$5!+N-!+N!$3!(Eh"PER0cE!!#!!!0!+J!!Qi
+!!!!!!!!!UJ#V$3#U!!%a!!!!e`$Erk3+rk3!"!T`EQ&Y$3#V!!%a!!!!dJ$Ark-
++rk-!"!TcC@aP!J#Q!!)!V!#Y$3#X!!*X!!)!h3$Grk,rS3(rSJ!!!IqK!!!#!+d
+!!J#Z!+m0!+i!!Q`!!3$G!0hrS!#`!IqJ!!!-!,!!(`!C)&0dBA*d)'eKDfPZCb"
+dD'8JB@aTBA0PF`!#!!!#!+m!!J#a!,)0!,%!!dN!!J$G!3ArRrqH!,-+rjm!'#j
+MEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!IqH!!!'!,-!!rqG!,3!Y3VrR3!%#QY
+[Bf`0!,3!!@d!!!$K!16rR!VrR!!%#Q&XD@%'!,8!!rqE!,B!Y`VrQ`!%#QPZFfJ
+0!,B!!M3!!!$R!1rrQJ#i#[qD!!3+BfC[E!d!Z!!"E`!!!1X!l[qC#rqC!$3`!"K
+[F'9ZFh0XD@jME(9NC@C[E'4PFR"KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&
+dD!B!Y`!$rjJ!ZIqA#[qB!!3+G'mJ)!d!Z3!#EJ!!!2)!r`#k!,X0!,S!!M3!!!$
+i!2rrPJ#m#[q@!!3+CQPXC3d![!!"E3!!!2X!rJ#p$!#p!"-!$@p`C@jcFfaMEfj
+Q,QJ!!J!!$3#l!!)d!!!!mJ$irj8![JVrP3!%#Q0QEf`0!,i!!@m!!!$f!2IrP![
+rP!!@-!!*G'KPE@9`BA4S!!PdD'90C9"KG'J'rjF!!!)!XJ!#!,m!`!d![`!#E!!
+#!3B""[q6rj)"rj-!!!(rNJ!!!J$!!!)!`3$#$3$"!!*b!!!""J%4!--!a!d!``!
+#BJ!!!3B"$3$&!-B0!-8!!@m!!!%'!3RrN3[rN3!N-!!3Bh*jF(4[CQpXC'9bF'&
+dD!!3Bh*jF(4[4QpXC'9b8'&dD!d!aJ!"E3!!!3N"$!$($!$(!!X!"6TKFfia!!)
+!!!d!a!!"E`!!!!!!!2q3!![rN!!!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!)!`J!
+#!-J!b3d!b!!$53!#!4)"22q2rii!bJVrM`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!
+!!'jeE'`"rii!!!B!bJ!$rid!b`$-#[q0!!3+DfpME!d!b`!"E3!!!4B"'Iq-#[q
+-!!3+B@aTB3B!c!!$riX!c3$1#[q,!!3+D@jcD!d!c3!#0!!!!4`"*2q+!-m+riS
+!"!TMCQpX$3$2!!&[!!!")!%MriN,riN!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9
+bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J$1!!2rL!$3riF+riJ!"!T
+dEb!J$3$3!!*Z!!!"*`%f!0%!dJd!d3!#0!!!!5m"0[q'!0-+riB!"!TQD@aP$3$
+6!!&Y!!!"-J%e!03-!03!$!!'BA0Z-5jS!!)!!!d!dJ!#0!!!!5F",rq&!08+ri8
+!"!TMCQpX$3$9!!&[!!!"+`%Zri3,ri3!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!E
+rK`!!!J$*!!)!eJ$A$3$@!!0*!!)"23&Rri2rJJ$B#[q$!"JZBfpbC@0bC@`U+LS
+U!!!!!!!!N!!!ER9XE!(rJJ!!"J$B!!2rJ3$C!0S+ri%!"!TVEf0X$3$C!!&Y!!!
+"33&%ri!+ri!!"!TKE'PK"J$D!!2rI`$E!0`+rhm!"!TTER0S$3$E!!)d!!!"4`&
+2rhi!h3VrIJ!%#Q0QEf`0!0d!!@m!!!&,!8lrI3[rI3!d-!!BEh"PER0cE'PZBfa
+eC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!0`!!rpm!0l
+rH`VrI!!%#R4[)#!0!0i!!Qi!!!&5!@%!h`$J$3$I!!)d!!!"@J&KrhS!i3VrHJ!
+%#QCTE'80!1%!!@d!!!&G!@!!iJ`!iJ!3!!TKFfiaAfeKBbjS!!)!!!d!i!!#0!!
+!!9)"@[pj!1-+rhN!"!TMCQpX$3$M!!&[!!!"9J&CrhJ,rhJ!&$!!#(4PEA"`BA4
+S!!KdC@e`8'&dD!ErH`!!!J$A!!)!j!$P$3$N!!*X!!)"D!&SrhIrGJ(rG`!!!Ip
+f!!!#!18!!J$Q!1F0!1B!!R)!!!&S!A-!k!$T$3$S!!*L!!!"D!&[!1S!k`d!kJ!
+"E`!!!@J"Drpe#rpe!#3`!""MFRP`G'pQEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*
+3BA4S$3$V!!&Y!!!"D`&Z!1`-!1`!#J!%1Q*TE`!#!!!0!1N!!@m!!!!!!!$rG![
+rG!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S!J$R!!)!l3$Z$3$Y!!0*!!)"G!'Hrh2
+rFJ$[#[pc!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9XE!(rFJ!!"J$[!!2rF3$
+`!2%+rh%!"!TVEf0X$3$`!!&Y!!!"H!&lrh!+rh!!"!TKE'PK"J$a!!2rE`$b!2-
++rfm!"!TTER0S$3$b!!)d!!!"IJ''rfi!p!VrEJ!%#Q0QEf`0!23!!@m!!!'#!BA
+rE3[rE3!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9
+NC8C[E'4PFP"KG'J'!2-!!rpX!2ArD`VrE!!%#R4[)#!0!28!!Qi!!!'*!CJ!pJ$
+h$3$f!!)d!!!"N3'BrfS!q!VrDJ!%#QCTE'80!2J!!@d!!!'8!CF!q3`!q3!,!!9
+LD@mZD!!#!!!0!2F!!M3!!!'*!C(rD3$k#[pT!!3+BfC[E!d!qJ!"E`!!!Bd"N!$
+rD![rD!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S"[pV!!!#!1i!!J$l!2`0!2X!!Q`
+!!J'I!CrrCrpQ!IpR!!!"rfB!!!)!r!!#!2d!rJd!r3!#FJ!!!Cm"UJ$r!3!0!2m
+!!Q)!!!'I!DB"!3%#$3%"!!&[!!!"R`'Lrf8,rf8!*$!!%'0bHA"dEfC[E'4PFR"
+KG'J!%'0bHA"dEdC[E'4PFP"KG'J0!3)!!@d!!!'L!D8"!``"!`!*!!-kBQB!!J!
+!$3%!!!&[!!!!!!!!rf3,rf3!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!)!rJ!#!33
+""3d""!!$53!#!DX"eIpMrf)""JVrB`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'j
+eE'`"rf)!!!B""J!$rf%""`%)#[pK!!3+DfpME!d""`!"E3!!!Dm"X[pJ#[pJ!!3
++B@aTB3B"#!!$rem"#3%+#[pI!!3+D@jcD!d"#3!#0!!!!E8"[IpH!3X+rei!"!T
+MCQpX$3%,!!&[!!!"Z3'mred,red!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&
+dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J%+!!2rA!%-reX+re`!"!TdEb!
+J$3%-!!*Z!!!"`!(2!3d"$Jd"$3!#0!!!!FJ"crpD!3m+reS!"!TQD@aP$3%2!!&
+Y!!!"b`(1!4!-!4!!%!!+BQa[GfCTFfJZD!!#!!!0!3i!!M3!!!(!!FMr@3%4#[p
+C!!3+BfC[E!d"%3!"E`!!!F3"arpB#rpB!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J
+'reX!!!)""3!#!4)"%`d"%J!#E!!#!GB"e[pAreB"reF!!!(r9J!!!J%6!!)"&!%
+9$3%8!!*b!!!"eJ(K!4B"&`d"&J!#BJ!!!GB"h3%B!4N0!4J!!@m!!!(@!GRr93[
+r93!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d"'3!"E3!
+!!GN"h!%D$!%D!!N!!cTLEJ!#!!!0!4F!!@m!!!!!!!$r9![r9!!8-!!)G'9YF("
+KG'J!#(4PEA"3BA4S!J%9!!)"'`%F$3%E!!0*!!)"iJ)-re2r8J%G#[p6!"JZBfp
+bC@0bC@`U+LSU!!!!!!!!N!!!ER9XE!(r8J!!"J%G!!2r83%H!4m+re%!"!TVEf0
+X$3%H!!&Y!!!"jJ(Tre!+re!!"!TKE'PK"J%I!!2r6`%J!5%+rdm!"!TTER0S$3%
+J!!)d!!!"l!(drdi")JVr6J!%#Q0QEf`0!5)!!@m!!!(`!I2r63[r63!d-!!BEh"
+PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J
+'!5%!!rp-!52r5`Vr6!!%#R4[)#!0!5-!!Qi!!!(h!JB"*!%P$3%N!!)d!!!"r`)
+'rdS"*JVr5J!%#QCTE'80!5B!!@d!!!)#!J8"*``"*`!+!!4LELjS!!)!!!d"*3!
+#0!!!!IF"rrp*!5J+rdN!"!TMCQpX$3%S!!&[!!!"q`(qrdJ,rdJ!&$!!#(4PEA"
+`BA4S!!KdC@e`8'&dD!Er5`!!!J%F!!)"+3%U$3%T!!*X!!)#$3)0rdIr4J(r4`!
+!!Ip'!!!#!5S!!J%V!5`0!5X!!R)!!!)0!KJ",3%Z$3%Y!!*L!!!#$3)8!5m"-!d
+",`!"E`!!!Jd#%2p&#rp&!#3`!""MFRP`G'pQEfaNCA*`BA4S!""MFRP`G'p'Efa
+NCA*3BA4S$3%`!!&Y!!!#%!)6!6%-!6%!$3!(1Q*eCQCPFJ!#!!!0!5i!!@m!!!!
+!!!$r4![r4!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S!J%X!!)"-J%c$3%b!!0*!!)
+#'3*$rd2r3J%d#[p$!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9XE!(r3J!!"J%
+d!!2r33%e!6B+rd%!"!TVEf0X$3%e!!&Y!!!#(3)Jrd!+rd!!"!TKE'PK"J%f!!2
+r2`%h!6J+rcm!"!TTER0S$3%h!!)d!!!#)`)Vrci"13Vr2J!%#Q0QEf`0!6N!!@m
+!!!)R!LVr23[r23!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0
+-5@jME(9NC8C[E'4PFP"KG'J'!6J!!rmm!6Vr1`Vr2!!%#R4[)#!0!6S!!Qi!!!)
+Z!Md"1`%m$3%l!!)d!!!#0J)prcS"23Vr1J!%#QCTE'80!6d!!@d!!!)j!M`"2J`
+"2J!1!!KLG@CQCA)ZD!!#!!!0!6`!!M3!!!)Z!MEr13%r#[mj!!3+BfC[E!d"2`!
+"E`!!!M)#0Imi#rmi!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J'rcX!!!)"-`!#!8!
+"33d"3!!#E!!#!N3#42mhrcB"rcF!!!(r0J!!!J&"!!)"3J&$$3&#!!*b!!!#4!*
+2!83"43d"4!!#BJ!!!N3#5`&'!8F0!8B!!@m!!!*%!NIr03[r03!N-!!3Bh*jF(4
+[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d"4`!"E3!!!NF#5J&)$!&)!!X
+!"6TMBA0d!!)!!!d"43!"E`!!!!!!!2md#rmd!"3`!!KdC@e`F'&dD!!)G'9YF&"
+KG'J#!8-!!J&*!8S0!8N!!dN!!J*3!RVr-rmb!8X+rc-!'#jMEh*PBh*PE#SU+LS
+!!!!!!!#3!!"ZG@aX!Imb!!!'!8X!!rma!8`"63Vr-3!%#QY[Bf`0!8`!!@d!!!*
+8!PIr-!Vr-!!%#Q&XD@%'!8d!!rm[!8i"6`Vr,`!%#QPZFfJ0!8i!!M3!!!*D!Q,
+r,J&3#[mZ!!3+BfC[E!d"8!!"E`!!!Pi#BImY#rmY!$3`!"K[F'9ZFh0XD@jME(9
+NC@C[E'4PFR"KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&dD!B"6`!$rb`"8Im
+V#[mX!!3+G'mJ)!d"83!#EJ!!!Q8#G!&5!9-0!9)!!M3!!!*Y!R6r+J&8#[mU!!3
++CQPXC3d"9!!"E3!!!R!#F`&9$!&9!!`!"Q0KFh3ZD!!#!!!0!9-!!M3!!!*P!Qh
+r+3&@#[mT!!3+BfC[E!d"9J!"E`!!!QN#E2mS#rmS!"3`!!KdC@e`F'&dD!!)G'9
+YF&"KG'J'rbX!!!)"5J!#!9F"@!d"9`!#E!!#!RX#HrmRrbB"rbF!!!(r*J!!!J&
+B!!)"@3&D$3&C!!*b!!!#H`+'!9X"A!d"@`!#BJ!!!RX#JJ&G!9i0!9d!!@m!!!*
+l!Rlr*3[r*3!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d
+"AJ!"E3!!!Ri#J3&I$!&I!!X!"6TMEfe`!!)!!!d"A!!"E`!!!!!!!2mN#rmN!"3
+`!!KdC@e`F'&dD!!)G'9YF&"KG'J#!9S!!J&J!@%0!@!!!dN!!J+(!V(r)rmL!@)
++rb-!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!ImL!!!'!@)!!rmK!@-"C!V
+r)3!%#QY[Bf`0!@-!!@d!!!+,!Slr)!Vr)!!%#Q&XD@%'!@3!!rmI!@8"CJVr(`!
+%#QPZFfJ0!@8!!M3!!!+4!TRr(J&R#[mH!!3+BfC[E!d"C`!"E`!!!T8#Q2mG#rm
+G!$3`!"K[F'9ZFh0XD@jME(9NC@C[E'4PFR"KG'J!''p`C@j68da*EQ0XG@4P4Qp
+XC'9b8'&dD!B"CJ!$ra`"D2mE#[mF!!3+G'mJ)!d"D!!#EJ!!!T`#U`&T!@S0!@N
+!!M3!!!+N!U[r'J&V#[mD!!3+CQPXC3d"D`!"E3!!!UF#UJ&X$!&X!!`!"Q0[EA!
+ZD!!#!!!0!@S!!M3!!!+F!U6r'3&Y#[mC!!3+BfC[E!d"E3!"E`!!!U!#SrmB#rm
+B!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J'raX!!!)"B3!#!@i"E`d"EJ!#E!!#!V)
+#X[mAraB"raF!!!(r&J!!!J&[!!)"F!&a$3&`!!*b!!!#XJ+p!A)"F`d"FJ!#BJ!
+!!V)#Z3&d!A80!A3!!@m!!!+b!VAr&3[r&3!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!
+3Bh*jF(4[4QpXC'9b8'&dD!d"G3!"E3!!!V8#Z!&f$!&f!!X!"6TMEfjQ!!)!!!d
+"F`!"E`!!!!!!!2m8#rm8!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J#!A%!!J&h!AJ
+0!AF!!dN!!J+q!ZMr%rm5!AN+ra-!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@a
+X!Im5!!!'!AN!!rm4!AS"H`Vr%3!%#QY[Bf`0!AS!!@d!!!,#!XAr%!Vr%!!%#Q&
+XD@%'!AX!!rm2!A`"I3Vr$`!%#QPZFfJ0!A`!!M3!!!,)!Y$r$J&q#[m1!!3+BfC
+[E!d"IJ!"E`!!!X`#crm0#rm0!$3`!"K[F'9ZFh0XD@jME(9NC@C[E'4PFR"KG'J
+!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&dD!B"I3!$r``"Irm,#[m-!!3+G'mJ)!d
+"I`!#EJ!!!Y-#iJ'!!B%0!B!!!M3!!!,E!Z,r#J'##[m+!!3+CQPXC3d"JJ!"E3!
+!!Yi#i3'$$!'$!!`!"Q0[EQBZD!!#!!!0!B%!!M3!!!,6!Y[r#3'%#[m*!!3+BfC
+[E!d"K!!"E`!!!YF#f[m)#rm)!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J'r`X!!!)
+"H!!#!B8"KJd"K3!#E!!#!ZN#kIm(r`B"r`F!!!(r"J!!!J''!!)"K`')$3'(!!*
+b!!!#k3,d!BN"LJd"L3!#BJ!!!ZN#m!',!B`0!BX!!@m!!!,T!Zcr"3[r"3!N-!!
+3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d"M!!"E3!!!Z`#l`'
+0$!'0!!S!"$TNCA-!!J!!$3'+!!&[!!!!!!!!r`3,r`3!&$!!#(4PEA"`BA4S!!K
+dC@e`8'&dD!)"L!!#!Bi"M`d"MJ!$53!#![8$(rm$r`)"N!!+r`-!'#jMEh*PBh*
+PE#SU+LS!!!!!!!#3!!"ZG@aX!Im#!!!'!C!!!!2r!3'4!C)+r`%!"!TVEf0X$3'
+4!!&Y!!!#q3,mr`!+r`!!"!TKE'PK"J'5!!2qr`'6!C3+r[m!"!TTER0S$3'6!!)
+d!!!#r`-(r[i"P3VqrJ!%#Q0QEf`0!C8!!@m!!!-$!`Eqr3[qr3!d-!!BEh"PER0
+cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!C3
+!!rlm!CEqq`Vqr!!%#R4[)#!0!CB!!Qi!!!-+!aN"P`'B$3'A!!)d!!!$%J-Cr[S
+"Q3VqqJ!%#QCTE'80!CN!!@d!!!-9!aJ"QJ`"QJ!,!!9NCA-ZD!!#!!!0!CJ!!M3
+!!!-+!a,qq3'E#[lj!!3+BfC[E!d"Q`!"E`!!!`i$%Ili#rli!"3`!!KdC@e`F'&
+dD!!)G'9YF&"KG'J'r[X!!!)"M`!#!C`"R3d"R!!#E!!#!b!$)2lhr[B"r[F!!!(
+qpJ!!!J'G!!)"RJ'I$3'H!!*b!!!$)!-V!D!"S3d"S!!#BJ!!!b!$*`'L!D-0!D)
+!!@m!!!-J!b2qp3[qp3!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9
+b8'&dD!d"S`!"E3!!!b-$*J'N$!'N!!N!!cTND!!#!!!0!D%!!@m!!!!!!!$qp![
+qp!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S!J'I!!)"T3'Q$3'P!!0*!!)$,!0@r[2
+qmJ'R#[lc!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9XE!(qmJ!!"J'R!!2qm3'
+S!DN+r[%!"!TVEf0X$3'S!!&Y!!!$-!-cr[!+r[!!"!TKE'PK"J'T!!2ql`'U!DX
++rZm!"!TTER0S$3'U!!)d!!!$0J-qrZi"V!VqlJ!%#Q0QEf`0!D`!!@m!!!-k!ch
+ql3[ql3!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9
+NC8C[E'4PFP"KG'J'!DX!!rlX!Dhqk`Vql!!%#R4[)#!0!Dd!!Qi!!!0"!e!"VJ'
+[$3'Z!!)d!!!$5303rZS"X!VqkJ!%#QCTE'80!E!!!@d!!!0-!dm"X3`"X3!+!!4
+ND#jS!!)!!!d"V`!#0!!!!d%$5IlT!E)+rZN!"!TMCQpX$3'b!!&[!!!$430)rZJ
+,rZJ!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!Eqk`!!!J'Q!!)"X`'d$3'c!!*X!!)
+$9`0ArZIqjJ(qj`!!!IlQ!!!#!E3!!J'e!EB0!E8!!R)!!!0A!f)"Y`'i$3'h!!*
+L!!!$9`0H!EN"ZJd"Z3!"E`!!!eF$@[lP#rlP!#3`!""MFRP`G'pQEfaNCA*`BA4
+S!""MFRP`G'p'EfaNCA*3BA4S$3'k!!&Y!!!$@J0G!EX-!EX!#J!%1Q4cB3!#!!!
+0!EJ!!@m!!!!!!!$qj![qj!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S!J'f!!)"[!'
+p$3'm!!0*!!)$B`10rZ2qiJ'q#[lM!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9
+XE!(qiJ!!"J'q!!2qi3'r!F!+rZ%!"!TVEf0X$3'r!!&Y!!!$C`0UrZ!+rZ!!"!T
+KE'PK"J(!!!2qh`("!F)+rYm!"!TTER0S$3("!!)d!!!$E30erYi"``VqhJ!%#Q0
+QEf`0!F-!!@m!!!0a!h6qh3[qh3!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4
+S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!F)!!rlF!F6qf`Vqh!!%#R4[)#!
+0!F3!!Qi!!!0i!iF"a3('$3(&!!)d!!!$J!1(rYS"a`VqfJ!%#QCTE'80!FF!!@d
+!!!1$!iB"b!`"b!!,!!9NFf%ZD!!#!!!0!FB!!M3!!!0i!i$qf3(*#[lC!!3+BfC
+[E!d"b3!"E`!!!h`$IrlB#rlB!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J'rYX!!!)
+"[3!#!FS"b`d"bJ!#E!!#!ii$M[lArYB"rYF!!!(qeJ!!!J(,!!)"c!(0$3(-!!*
+b!!!$MJ1C!Fi"c`d"cJ!#BJ!!!ii$P3(3!G%0!G!!!@m!!!11!j(qe3[qe3!N-!!
+3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d"d3!"E3!!!j%$P!(
+5$!(5!!S!"$TPFR)!!J!!$3(2!!&[!!!!!!!!rY3,rY3!&$!!#(4PEA"`BA4S!!K
+dC@e`8'&dD!)"c3!#!G-"e!d"d`!$53!#!jS$a2l6rY)"e3Vqd`!B,Q0[FQ9MFQ9
+X+LSU+J!!!!!!!*!!!'jeE'`"rY)!!!B"e3!$rY%"eJ(A#[l4!!3+DfpME!d"eJ!
+"E3!!!ji$SIl3#[l3!!3+B@aTB3B"e`!$rXm"f!(C#[l2!!3+D@jcD!d"f!!#0!!
+!!k3$V2l1!GS+rXi!"!TMCQpX$3(D!!&[!!!$U!1VrXd,rXd!0$!!''p`C@jcFfa
+TEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J(C!!2
+qc!(ErXX+rX`!"!TdEb!J$3(E!!*Z!!!$V`1q!G`"h3d"h!!#0!!!!lF$[[l+!Gi
++rXS!"!TQD@aP$3(H!!&Y!!!$ZJ1p!Gm-!Gm!#`!&CA*b,QJ!!J!!$3(G!!)d!!!
+$V`1hrXN"i!Vqb3!%#Q0QEf`0!H!!!@m!!!1c!lEqb![qb!!8-!!)G'9YF("KG'J
+!#(4PEA"3BA4S"[l,!!!#!G3!!J(K!H)0!H%!!Q`!!J2&!mAqarl'!Il(!!!"rXB
+!!!)"iJ!#!H-"j!d"i`!#FJ!!!m8$d!(P!HB0!H8!!Q)!!!2&!m`"j`(S$3(R!!&
+[!!!$a32)rX8,rX8!*$!!%'0bHA"dEfC[E'4PFR"KG'J!%'0bHA"dEdC[E'4PFP"
+KG'J0!HJ!!@d!!!2)!mX"k3`"k3!+!!3kCAC`!!)!!!d"jJ!"E`!!!!!!!2l%#rl
+%!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J#!H3!!J(U!HX0!HS!!dN!!J24!r[q`rl
+#!H`+rX-!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!Il#!!!'!H`!!rl"!Hd
+"lJVq`3!%#QY[Bf`0!Hd!!@d!!!29!pMq`!Vq`!!%#Q&XD@%'!Hi!!rkr!Hm"m!V
+q[`!%#QPZFfJ0!Hm!!M3!!!2E!q2q[J(a#[kq!!3+BfC[E!d"m3!"E`!!!pm$i[k
+p#rkp!$3`!"K[F'9ZFh0XD@jME(9NC@C[E'4PFR"KG'J!''p`C@j68da*EQ0XG@4
+P4QpXC'9b8'&dD!B"m!!$rV`"m[kl#[km!!3+G'mJ)!d"mJ!#EJ!!!qB$p3(c!I3
+0!I-!!M3!!!2Z!rAqZJ(e#[kk!!3+CQPXC3d"p3!"E3!!!r%$p!(f$!(f!!X!"@9
+fF#jS!!)!!!d"p!!#0!!!!qB$l[kj!IF+rVN!"!TMCQpX$3(h!!&[!!!$kJ2YrVJ
+,rVJ!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!EqZ`!!!J(V!!)"q!(j$3(i!!*X!!)
+$r!2mrVIqYJ(qY`!!!Ikf!!!#!IN!!J(k!IX0!IS!!R)!!!2m"!F"r!(p$3(m!!*
+L!!!$r!3$!Ii"r`d"rJ!"E`!!!r`$rrke#rke!#3`!""MFRP`G'pQEfaNCA*`BA4
+S!""MFRP`G'p'EfaNCA*3BA4S$3(r!!&Y!!!$r`3#!J!-!J!!#`!&1QKYB@-!!J!
+!$3(p!!&[!!!!!!!!rV3,rV3!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!)"q`!#!J%
+#!Jd#!3!$53!#"!J%-[kcrV)#!`VqX`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'j
+eE'`"rV)!!!B#!`!$rV%#"!)&#[ka!!3+DfpME!d#"!!"E3!!"!`%$rk`#[k`!!3
++B@aTB3B#"3!$rUm#"J)(#[k[!!3+D@jcD!d#"J!#0!!!"")%'[kZ!JJ+rUi!"!T
+MCQpX$3))!!&[!!!%&J3CrUd,rUd!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&
+dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J)(!!2qV!)*rUX+rU`!"!TdEb!
+J$3)*!!*Z!!!%(33X!JS##`d##J!#0!!!"#8%,2kU!J`+rUS!"!TQD@aP$3)-!!&
+Y!!!%+!3V!Jd-!Jd!$!!'D'eKBbjS!!)!!!d##`!#0!!!""d%*IkT!Ji+rUN!"!T
+MCQpX$3)1!!&[!!!%)33NrUJ,rUJ!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!EqU`!
+!!J)#!!)#$`)3$3)2!!*X!!)%-`3crUIqTJ(qT`!!!IkQ!!!#!K!!!J)4!K)0!K%
+!!R)!!!3c"$i#%`)8$3)6!!*L!!!%-`3k!K8#&Jd#&3!"E`!!"$-%0[kP#rkP!#3
+`!""MFRP`G'pQEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S$3)@!!&Y!!!%0J3
+j!KF-!KF!#`!&1QPNC@%!!J!!$3)8!!&[!!!!!!!!rU3,rU3!&$!!#(4PEA"`BA4
+S!!KdC@e`8'&dD!)#%J!#!KJ#'3d#'!!$53!#"$m%DIkMrU)#'JVqS`!B,Q0[FQ9
+MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"rU)!!!B#'J!$rU%#'`)F#[kK!!3+DfpME!d
+#'`!"E3!!"%-%4[kJ#[kJ!!3+B@aTB3B#(!!$rTm#(3)H#[kI!!3+D@jcD!d#(3!
+#0!!!"%N%8IkH!Km+rTi!"!TMCQpX$3)I!!&[!!!%6343rTd,rTd!0$!!''p`C@j
+cFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J)
+H!!2qR!)JrTX+rT`!"!TdEb!J$3)J!!*Z!!!%9!4M!L%#)Jd#)3!#0!!!"&`%Brk
+D!L-+rTS!"!TQD@aP$3)M!!&Y!!!%A`4L!L3-!L3!$!!'D@4PB5jS!!)!!!d#)J!
+#0!!!"&3%A2kC!L8+rTN!"!TMCQpX$3)P!!&[!!!%@!4ErTJ,rTJ!&$!!#(4PEA"
+`BA4S!!KdC@e`8'&dD!EqQ`!!!J)C!!)#*J)R$3)Q!!*X!!)%DJ4UrTIqPJ(qP`!
+!!Ik@!!!#!LF!!J)S!LN0!LJ!!R)!!!4U"(8#+J)V$3)U!!*L!!!%DJ4a!L`#,3d
+#,!!"E`!!"'S%EIk9#rk9!#3`!""MFRP`G'pQEfaNCA*`BA4S!""MFRP`G'p'Efa
+NCA*3BA4S$3)Y!!&Y!!!%E34`!Li-!Li!$!!'1QaSBA0S!!)!!!d#+`!"E`!!!!!
+!!2k8#rk8!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J#!LN!!J)[!M!0!Lm!!dN!!J4
+f"+$qNrk5!M%+rT-!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!Ik5!!!'!M%
+!!rk4!M)#-`VqN3!%#QY[Bf`0!M)!!@d!!!4k"(hqN!!+rT!!!!3+B@aTB3B#-`!
+$rSm#0!)e#[k2!!3+D@jcD!d#0!!#0!!!")!%L2k1!MB+rSi!"!TMCQpX$3)f!!&
+[!!!%K!5(rSd,rSd!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP0
+66%PZBfaeC'9'EfaNCA*3BA4S"J)e!!2qM!)hrSX+rS`!"!TdEb!J$3)h!!*Z!!!
+%L`5D!MJ#13d#1!!#0!!!"*-%Q[k+!MS+rSS!"!TQD@aP$3)k!!&Y!!!%PJ5C!MX
+-!MX!$3!(E'KKFfJZD!!#!!!0!MN!!M3!!!5,"*2qL3)m#[k*!!3+BfC[E!d#2!!
+"E`!!")m%N[k)#rk)!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J'rSX!!!)#-!!#!Md
+#2Jd#23!#E!!#"+%%SIk(rSB"rSF!!!(qKJ!!!J)q!!)#2`*!$3)r!!*b!!!%S35
+X!N%#3Jd#33!#BJ!!"+%%U!*$!N30!N-!!@m!!!5K"+6qK3[qK3!N-!!3Bh*jF(4
+[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d#4!!"E3!!"+3%T`*&$!*&!!S
+!"$TYC$)!!J!!$3*#!!&[!!!!!!!!rS3,rS3!&$!!#(4PEA"`BA4S!!KdC@e`8'&
+dD!)#3!!#!NB#4`d#4J!$53!#"+d%erk$rS)#5!VqJ`!B,Q0[FQ9MFQ9X+LSU+J!
+!!!!!!*!!!'jeE'`"rS)!!!B#5!!$rS%#53*+#[k"!!3+DfpME!d#53!"E3!!",%
+%Y2k!#[k!!!3+B@aTB3B#5J!$rRm#5`*-#[jr!!3+D@jcD!d#5`!#0!!!",F%[rj
+q!Nd+rRi!"!TMCQpX$3*0!!&[!!!%Z`5qrRd,rRd!0$!!''p`C@jcFfaTEQ0XG@4
+PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J*-!!2qI!*1rRX
++rR`!"!TdEb!J$3*1!!*Z!!!%`J64!Nm#8!d#6`!#0!!!"-S%dIjk!P%+rRS!"!T
+QD@aP$3*4!!&Y!!!%c363!P)-!P)!#`!&E@3b,QJ!!J!!$3*3!!)d!!!%`J6+rRN
+#8`VqH3!%#Q0QEf`0!P-!!@m!!!6'"-RqH![qH!!8-!!)G'9YF("KG'J!#(4PEA"
+3BA4S"[jl!!!#!NF!!J*8!P80!P3!!Q`!!J6B"0MqGrjf!Ijh!!!"rRB!!!)#93!
+#!PB#9`d#9J!#FJ!!"0J%i`*B!PN0!PJ!!Q)!!!6B"0m#@J*E$3*D!!&[!!!%f!6
+ErR8,rR8!*$!!%'0bHA"dEfC[E'4PFR"KG'J!%'0bHA"dEdC[E'4PFP"KG'J0!PX
+!!@d!!!6E"0i#A!`#A!!+!!3kE@3e!!)!!!d#@3!"E`!!!!!!!2jd#rjd!"3`!!K
+dC@e`F'&dD!!)G'9YF&"KG'J#!PF!!J*G!Pi0!Pd!!dN!!J6N"3lqFrjb!Pm+rR-
+!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!Ijb!!!'!Pm!!rja!Q!#B3VqF3!
+%#QY[Bf`0!Q!!!@d!!!6S"1[qF!VqF!!%#Q&XD@%'!Q%!!rj[!Q)#B`VqE`!%#QP
+ZFfJ0!Q)!!M3!!!6Z"2EqEJ*N#[jZ!!3+BfC[E!d#C!!"E`!!"2)%pIjY#rjY!$3
+`!"K[F'9ZFh0XD@jME(9NC@C[E'4PFR"KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9
+b8'&dD!B#B`!$rQ`#CIjV#[jX!!3+G'mJ)!d#C3!#EJ!!"2N&#!*Q!QF0!QB!!M3
+!!!8""3MqDJ*S#[jU!!3+CQPXC3d#D!!"E3!!"33&"`*T$!*T!!X!"@eN05jS!!)
+!!!d#C`!#0!!!"2N&!IjT!QS+rQN!"!TMCQpX$3*U!!&[!!!%r38!rQJ,rQJ!&$!
+!#(4PEA"`BA4S!!KdC@e`8'&dD!EqD`!!!J*H!!)#D`*X$3*V!!*X!!)&$`82rQI
+qCJ(qC`!!!IjQ!!!#!Q`!!J*Y!Qi0!Qd!!R)!!!82"4S#E`*`$3*[!!*L!!!&$`8
+@!R%#FJd#F3!"E`!!"3m&%[jP#rjP!#3`!""MFRP`G'pQEfaNCA*`BA4S!""MFRP
+`G'p'EfaNCA*3BA4S$3*b!!&Y!!!&%J89!R--!R-!#`!&1QeNBc)!!J!!$3*`!!&
+[!!!!!!!!rQ3,rQ3!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!)#EJ!#!R3#G3d#G!!
+$53!#"4X&4IjMrQ)#GJVqB`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"rQ)
+!!!B#GJ!$rQ%#G`*i#[jK!!3+DfpME!d#G`!"E3!!"4m&)[jJ#[jJ!!3+B@aTB3B
+#H!!$rPm#H3*k#[jI!!3+D@jcD!d#H3!#0!!!"58&,IjH!RX+rPi!"!TMCQpX$3*
+l!!&[!!!&+38XrPd,rPd!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"
+PEP066%PZBfaeC'9'EfaNCA*3BA4S"J*k!!2qA!*mrPX+rP`!"!TdEb!J$3*m!!*
+Z!!!&-!8r!Rd#IJd#I3!#0!!!"6J&2rjD!Rm+rPS!"!TQD@aP$3*r!!&Y!!!&1`8
+q!S!-!S!!$!!'E@4M-LjS!!)!!!d#IJ!#0!!!"6!&12jC!S%+rPN!"!TMCQpX$3+
+"!!&[!!!&0!8hrPJ,rPJ!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!Eq@`!!!J*e!!)
+#JJ+$$3+#!!*X!!)&4J9'rPIq9J(q9`!!!Ij@!!!#!S-!!J+%!S80!S3!!R)!!!9
+'"9%#KJ+($3+'!!*L!!!&4J90!SJ#L3d#L!!"E`!!"8B&5Ij9#rj9!#3`!""MFRP
+`G'pQEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S$3+*!!&Y!!!&539-!SS-!SS
+!$J!)1QpLDQ9MG(-!!J!!$3+(!!&[!!!!!!!!rP3,rP3!&$!!#(4PEA"`BA4S!!K
+dC@e`8'&dD!)#K3!#!SX#M!d#L`!$53!#"9)&I2j6rP)#M3Vq8`!B,Q0[FQ9MFQ9
+X+LSU+J!!!!!!!*!!!'jeE'`"rP)!!!B#M3!$rP%#MJ+2#[j4!!3+DfpME!d#MJ!
+"E3!!"9B&@Ij3#[j3!!3+B@aTB3B#M`!$rNm#N!!#N3Vq6`!%#QPZFfJ0!T!!!!)
+d!!!&A!9NrNi#NJVq6J!%#Q0QEf`0!T)!!@m!!!9J"@2q63[q63!d-!!BEh"PER0
+cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!T%
+!!rj-!T2q5`Vq6!!%#R4[)#!0!T-!!Qi!!!9R"AB#P!+9$3+8!!)d!!!&E`9frNS
+#PJVq5J!%#QCTE'80!TB!!@d!!!9b"A8#P``#P`!2!!P[BQTPBh4c,QJ!!J!!$3+
+9!!)d!!!&C`9[rNN#Q!Vq53!%#Q0QEf`0!TJ!!@m!!!9V"@lq5![q5!!8-!!)G'9
+YF("KG'J!#(4PEA"3BA4S"[j,!!!#!S`!!J+C!TS0!TN!!Q`!!J9p"Ahq4rj'!Ij
+(!!!"rNB!!!)#QJ!#!TX#R!d#Q`!#FJ!!"Ad&L!+G!Ti0!Td!!Q)!!!9p"B3#R`+
+J$3+I!!&[!!!&I3@!rN8,rN8!*$!!%'0bHA"dEfC[E'4PFR"KG'J!%'0bHA"dEdC
+[E'4PFP"KG'J0!U!!!@d!!!@!"B-#S3`#S3!+!!3kF'9Y!!)!!!d#RJ!"E`!!!!!
+!!2j%#rj%!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J#!T`!!J+L!U-0!U)!!dN!!J@
+*"E2q3rj#!U3+rN-!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!Ij#!!!'!U3
+!!rj"!U8#TJVq33!%#QY[Bf`0!U8!!@d!!!@0"C!!rN!+rN!!"!TKE'PK"J+Q!!2
+q2`+R!UJ+rMm!"!TTER0S$3+R!!)d!!!&N`@ErMi#U3Vq2J!%#Q0QEf`0!UN!!@m
+!!!@A"CVq23[q23!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0
+-5@jME(9NC8C[E'4PFP"KG'J'!UJ!!rim!UVq1`Vq2!!%#R4[)#!0!US!!Qi!!!@
+H"Dd#U`+X$3+V!!)d!!!&TJ@YrMS#V3Vq1J!%#QCTE'80!Ud!!@d!!!@T"D`#VJ`
+#VJ!,!!9`C@dZD!!#!!!0!U`!!M3!!!@H"DEq13+[#[ij!!3+BfC[E!d#V`!"E`!
+!"D)&TIii#rii!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J'rMX!!!)#S`!#!V!#X3d
+#X!!$53!#"E3&h[ihrMB#XJVq0`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`
+"rMB!!!B#XJ!$rM8#X`+d#[ie!!3+DfpME!d#X`!"E3!!"EJ&Zrid#[id!!3+B@a
+TB3B#Y!!$rM-#Y3+f#[ic!!3+D@jcD!d#Y3!#0!!!"Ei&a[ib!VF+rM)!"!TMCQp
+X$3+h!!&[!!!&`JA&rM%,rM%!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!
+BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J+f!!2q-!+irLm+rM!!"!TdEb!J$3+
+i!!*Z!!!&b3AB!VN#ZJd#Z3!#0!!!"G%&f2iZ!VX+rLi!"!TQD@aP$3+l!!&Y!!!
+&e!AA!V`-!V`!$!!'F'9Y-LjS!!)!!!d#ZJ!#0!!!"FN&dIiY!Vd+rLd!"!TMCQp
+X$3+p!!&[!!!&c3A3rL`,rL`!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!Eq,`!!!J+
+a!!)#[J+r$3+q!!*X!!)&h`AIrL[q+J(q+`!!!IiU!!!#!Vm!!J,!!X%0!X!!!R)
+!!!AI"HS#`J,$$3,#!!*L!!!&h`AQ!X3#a3d#a!!"E`!!"Gm&i[iT#riT!#3`!""
+MFRP`G'pQEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S$3,&!!&Y!!!&iJAP!XB
+-!XB!$3!(1R"VBh-a-J!#!!!0!X-!!@m!!!!!!!$q+![q+!!8-!!)G'9YF("KG'J
+!#(4PEA"3BA4S!J,"!!)#a`,)$3,(!!0*!!)&k`B9rLIq*J,*#[iR!"JZBfpbC@0
+bC@`U+LSU!!!!!!!!N!!!ER9XE!(q*J!!"J,*!!2q*3,+!XX+rL8!"!TVEf0X$3,
++!!&Y!!!&l`AbrL3+rL3!"!TKE'PK"J,,!!2q)`,-!Xd+rL-!"!TTER0S$3,-!!)
+d!!!&p3AprL)#cJVq)J!%#Q0QEf`0!Xi!!@m!!!Aj"Icq)3[q)3!d-!!BEh"PER0
+cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!Xd
+!!riJ!Xrq(`Vq)!!%#R4[)#!0!Xm!!Qi!!!B!"Jm#d!,4$3,3!!)d!!!'#!B2rKi
+#dJVq(J!%#QCTE'80!Y)!!@d!!!B,"Ji#d``#d`!1!!K`Df0c-6)ZD!!#!!!0!Y%
+!!M3!!!B!"JMq(3,8#[iG!!3+BfC[E!d#e!!"E`!!"J3'"riF#riF!"3`!!KdC@e
+`F'&dD!!)G'9YF&"KG'J'rKm!!!)#b!!#!Y8#eJd#e3!#E!!#"KB'&[iErKS"rKX
+!!!(q'J!!!J,@!!)#e`,B$3,A!!*b!!!'&JBK!YN#fJd#f3!#BJ!!"KB'(3,E!Y`
+0!YX!!@m!!!B@"KRq'3[q'3!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4Qp
+XC'9b8'&dD!d#h!!"E3!!"KN'(!,G$!,G!!`!"MT`Df0c0`!#!!!0!YS!!@m!!!!
+!!!$q'![q'!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S!J,B!!)#hJ,I$3,H!!0*!!)
+')JC-rKIq&J,J#[iA!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9XE!(q&J!!"J,
+J!!2q&3,K!Z)+rK8!"!TVEf0X$3,K!!&Y!!!'*JBTrK3+rK3!"!TKE'PK"J,L!!2
+q%`,M!Z3+rK-!"!TTER0S$3,M!!)d!!!',!BdrK)#j3Vq%J!%#Q0QEf`0!Z8!!@m
+!!!B`"M2q%3[q%3!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0
+-5@jME(9NC8C[E'4PFP"KG'J'!Z3!!ri3!ZEq$`Vq%!!%#R4[)#!0!ZB!!Qi!!!B
+h"NB#j`,S$3,R!!)d!!!'2`C'rJi#k3Vq$J!%#QCTE'80!ZN!!@d!!!C#"N8#kJ`
+#kJ!0!!G`Df0c0bjS!!)!!!d#k!!#0!!!"MF'2ri0!ZX+rJd!"!TMCQpX$3,V!!&
+[!!!'1`BqrJ`,rJ`!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!Eq$`!!!J,I!!)#l!,
+Y$3,X!!*X!!)'63C0rJ[q#J(q#`!!!Ii+!!!#!Zd!!J,Z!Zm0!Zi!!R)!!!C0"PJ
+#m!,a$3,`!!*L!!!'63C8![)#m`d#mJ!"E`!!"Nd'82i*#ri*!#3`!""MFRP`G'p
+QEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S$3,c!!&Y!!!'8!C6![3-![3!#`!
+&1R*KEQ3!!J!!$3,a!!&[!!!!!!!!rJJ,rJJ!&$!!#(4PEA"`BA4S!!KdC@e`8'&
+dD!)#l`!#![8#pJd#p3!$53!#"PN'Jri(rJB#p`Vq"`!B,Q0[FQ9MFQ9X+LSU+J!
+!!!!!!*!!!'jeE'`"rJB!!!B#p`!$rJ8#q!,j#[i&!!3+DfpME!d#q!!"E3!!"Pd
+'B2i%#[i%!!3+B@aTB3B#q3!$rJ-#qJ,l#[i$!!3+D@jcD!d#qJ!#0!!!"Q-'Dri
+#![`+rJ)!"!TMCQpX$3,m!!&[!!!'C`CUrJ%,rJ%!0$!!''p`C@jcFfaTEQ0XG@4
+PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J,l!!2q!!,prIm
++rJ!!"!TdEb!J$3,p!!*Z!!!'EJCp![i#r`d#rJ!#0!!!"RB'IIhq!`!+rIi!"!T
+QD@aP$3-!!!&Y!!!'H3Cm!`%-!`%!$!!'FQ&ZC#jS!!)!!!d#r`!#0!!!"Qi'G[h
+p!`)+rId!"!TMCQpX$3-#!!&[!!!'FJCerI`,rI`!&$!!#(4PEA"`BA4S!!KdC@e
+`8'&dD!Epr`!!!J,f!!)$!`-%$3-$!!*X!!)'K!D%rI[pqJ(pq`!!!Ihk!!!#!`3
+!!J-&!`B0!`8!!R)!!!D%"Sm$"`-)$3-(!!*L!!!'K!D,!`N$#Jd$#3!"E`!!"S3
+'Krhj#rhj!#3`!""MFRP`G'pQEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S$3-
++!!&Y!!!'K`D+!`X-!`X!#J!%1R*M-J!#!!!0!`J!!@m!!!!!!!$pq![pq!!8-!!
+)G'9YF("KG'J!#(4PEA"3BA4S!J-'!!)$$!-0$3--!!0*!!)'N!!'Z[hhrIB$$JV
+pp`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"rIB!!!B$$J!$rI8$$`-3#[h
+e!!3+DfpME!d$$`!"E3!!"T3'Prhd#[hd!!3+B@aTB3B$%!!$rI-$%3-5#[hc!!3
++D@jcD!d$%3!#0!!!"TS'S[hb!a-+rI)!"!TMCQpX$3-6!!&[!!!'RJDKrI%,rI%
+!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'Efa
+NCA*3BA4S"J-5!!2pm!-8rHm+rI!!"!TdEb!J$3-8!!*Z!!!'T3Dd!a8$&Jd$&3!
+#0!!!"Ud'Y2hZ!aF+rHi!"!TQD@aP$3-A!!&Y!!!'X!Dc!aJ-!aJ!#`!&FQ-b,QJ
+!!J!!$3-@!!)d!!!'T3DYrHd$'3Vpl3!%#Q0QEf`0!aN!!@m!!!DT"Ucpl![pl!!
+8-!!)G'9YF("KG'J!#(4PEA"3BA4S"[h[!!!#!`d!!J-D!aX0!aS!!Q`!!JDl"V[
+pkrhU!IhV!!!"rHS!!!)$'`!#!a`$(3d$(!!#FJ!!"VX'aJ-H!am0!ai!!Q)!!!D
+l"X)$)!-K$3-J!!&[!!!'Z`DqrHN,rHN!*$!!%'0bHA"dEfC[E'4PFR"KG'J!%'0
+bHA"dEdC[E'4PFP"KG'J0!b%!!@d!!!Dq"X%$)J`$)J!+!!3kFQ-d!!)!!!d$(`!
+"E`!!!!!!!2hS#rhS!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J#!ad!!J-M!b30!b-
+!!dN!!JE("[(pjrhQ!b8+rHF!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!Ih
+Q!!!'!b8!!rhP!bB$*`Vpj3!%#QY[Bf`0!bB!!@d!!!E,"Xlpj!Vpj!!%#Q&XD@%
+'!bF!!rhM!bJ$+3Vpi`!%#QPZFfJ0!bJ!!M3!!!E4"YRpiJ-U#[hL!!3+BfC[E!d
+$+J!"E`!!"Y8'f2hK#rhK!$3`!"K[F'9ZFh0XD@jME(9NC@C[E'4PFR"KG'J!''p
+`C@j68da*EQ0XG@4P4QpXC'9b8'&dD!B$+3!$rH!$+rhI#[hJ!!3+G'mJ)!d$+`!
+#EJ!!"Y`'k`-X!bd0!b`!!M3!!!EN"Z[phJ-Z#[hH!!3+CQPXC3d$,J!"E3!!"ZF
+'kJ-[$!-[!!X!"A*M0#jS!!)!!!d$,3!#0!!!"Y`'j2hG!c!+rGd!"!TMCQpX$3-
+`!!&[!!!'i!EMrG`,rG`!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!Eph`!!!J-N!!)
+$-3-b$3-a!!*X!!)'mJEbrG[pfJ(pf`!!!IhD!!!#!c)!!J-c!c30!c-!!R)!!!E
+b"[d$03-f$3-e!!*L!!!'mJEj!cF$1!d$0`!"E`!!"[)'pIhC#rhC!#3`!""MFRP
+`G'pQEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S$3-i!!&Y!!!'p3Ei!cN-!cN
+!#J!%1R*M03!#!!!0!cB!!@m!!!!!!!$pf![pf!!8-!!)G'9YF("KG'J!#(4PEA"
+3BA4S!J-d!!)$1J-l$3-k!!0*!!)'rJFSrGIpeJ-m#[hA!"JZBfpbC@0bC@`U+LS
+U!!!!!!!!N!!!ER9XE!(peJ!!"J-m!!2pe3-p!ci+rG8!"!TVEf0X$3-p!!&Y!!!
+(!JF&rG3+rG3!"!TKE'PK"J-q!!2pd`-r!d!+rG-!"!TTER0S$3-r!!)d!!!(#!F
+3rG)$33VpdJ!%#Q0QEf`0!d%!!@m!!!F-"`rpd3[pd3!d-!!BEh"PER0cE'PZBfa
+eC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!d!!!rh3!d,
+pc`Vpd!!%#R4[)#!0!d)!!Qi!!!F6"b)$3`0%$30$!!)d!!!('`FLrFi$43VpcJ!
+%#QCTE'80!d8!!@d!!!FH"b%$4J`$4J!,!!9bBc8ZD!!#!!!0!d3!!M3!!!F6"a[
+pc30(#[h0!!3+BfC[E!d$4`!"E`!!"aF('[h-#rh-!"3`!!KdC@e`F'&dD!!)G'9
+YF&"KG'J'rFm!!!)$1`!#!dJ$53d$5!!#E!!#"bN(+Ih,rFS"rFX!!!(pbJ!!!J0
+*!!)$5J0,$30+!!*b!!!(+3Fd!d`$63d$6!!#BJ!!"bN(-!01!dm0!di!!@m!!!F
+T"bcpb3[pb3!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d
+$6`!"E3!!"b`(,`03$!03!!d!"cTbDA"PE@3!!J!!$300!!&[!!!!!!!!rFJ,rFJ
+!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!)$5`!#!e%$8Jd$83!$53!#"c8(Arh(rFB
+$8`Vpa`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"rFB!!!B$8`!$rF8$9!0
+9#[h&!!3+DfpME!d$9!!"E3!!"cN(22h%#[h%!!3+B@aTB3B$93!$rF-$9J0A#[h
+$!!3+D@jcD!d$9J!#0!!!"cm(4rh#!eJ+rF)!"!TMCQpX$30B!!&[!!!(3`G'rF%
+,rF%!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9
+'EfaNCA*3BA4S"J0A!!2p`!0CrEm+rF!!"!TdEb!J$30C!!*Z!!!(5JGC!eS$@`d
+$@J!#0!!!"e)(@Ifq!e`+rEi!"!TQD@aP$30F!!&Y!!!(93GB!ed-!ed!$J!)FQP
+`C@eN,QJ!!J!!$30E!!)d!!!(5JG5rEd$AJVp[3!%#Q0QEf`0!ei!!@m!!!G1"e(
+p[![p[!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S"[fr!!!#!e)!!J0I!f!0!em!!Q`
+!!JGJ"f$pZrfk!Ifl!!!"rES!!!)$B!!#!f%$BJd$B3!#FJ!!"f!(D`0M!f30!f-
+!!Q)!!!GJ"fF$C30Q$30P!!&[!!!(B!GMrEN,rEN!*$!!%'0bHA"dEfC[E'4PFR"
+KG'J!%'0bHA"dEdC[E'4PFP"KG'J0!fB!!@d!!!GM"fB$C``$C`!+!!3kFR0K!!)
+!!!d$C!!"E`!!!!!!!2fi#rfi!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J#!f)!!J0
+S!fN0!fJ!!dN!!JGX"jEpYrff!fS+rEF!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"
+ZG@aX!Iff!!!'!fS!!rfe!fX$E!VpY3!%#QY[Bf`0!fX!!@d!!!G`"h2pY!VpY!!
+%#Q&XD@%'!f`!!rfc!fd$EJVpX`!%#QPZFfJ0!fd!!M3!!!Gf"hlpXJ0[#[fb!!3
++BfC[E!d$E`!"E`!!"hS(IIfa#rfa!$3`!"K[F'9ZFh0XD@jME(9NC@C[E'4PFR"
+KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&dD!B$EJ!$rE!$F2f[#[f`!!3+G'm
+J)!d$F!!#EJ!!"i%(N!!$F30b$30a!!)d!!!(L3H3!2fZ!h-+rDi!"!TQD@aP$30
+c!!&Y!!!(M!H2!h3-!h3!#`!&FR0K,QJ!!J!!$30b!!)d!!!(J3H*rDd$G3VpV3!
+%#Q0QEf`0!h8!!@m!!!H&"iMpV![pV!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S"[f
+[!!!#!fN!!J0f!hF0!hB!!Q`!!JHA"jIpUrfU!IfV!!!"rDS!!!)$G`!#!hJ$H3d
+$H!!#FJ!!"jF(SJ0k!hX0!hS!!Q)!!!HA"ji$I!0p$30m!!&[!!!(P`HDrDN,rDN
+!*$!!%'0bHA"dEfC[E'4PFR"KG'J!%'0bHA"dEdC[E'4PFP"KG'J0!hd!!@d!!!H
+D"jd$IJ`$IJ!-!!BkFh4KBfX!!J!!$30l!!&[!!!!!!!!rDJ,rDJ!&$!!#(4PEA"
+`BA4S!!KdC@e`8'&dD!)$H3!#!hm$J!d$I`!$53!#"k-(cIfRrDB$J3VpT`!B,Q0
+[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"rDB!!!B$J3!$rD8$JJ1$#[fP!!3+Dfp
+ME!d$JJ!"E3!!"kF(U[fN#[fN!!3+B@aTB3B$J`!$rD-$K!1&#[fM!!3+D@jcD!d
+$K!!#0!!!"kd(YIfL!iB+rD)!"!TMCQpX$31'!!&[!!!(X3HdrD%,rD%!0$!!''p
+`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4
+S"J1&!!2pS!1(rCm+rD!!"!TdEb!J$31(!!*Z!!!(Z!I(!iJ$L3d$L!!#0!!!"m!
+(arfH!iS+rCi!"!TQD@aP$31+!!&Y!!!(``I'!iX-!iX!$3!(Fh4KBfXZD!!#!!!
+0!iN!!M3!!!Hi"m$pR31-#[fG!!3+BfC[E!d$M!!"E`!!"l`([rfF#rfF!"3`!!K
+dC@e`F'&dD!!)G'9YF&"KG'J'rCm!!!)$J!!#!id$MJd$M3!$53!#"mi(q2fErCS
+$M`VpQ`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"rCS!!!B$M`!$rCN$N!!
+$N3VpQ3!%#QY[Bf`0!j!!!!&Y!!!(dJI9rCJ+rCJ!"!TKE'PK"J14!!2pP`15!j-
++rCF!"!TTER0S$315!!)d!!!(f!IJrCB$P!VpPJ!%#Q0QEf`0!j3!!@m!!!IF"pr
+pP3[pP3!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9
+NC8C[E'4PFP"KG'J'!j-!!rf8!jApN`VpP!!%#R4[)#!0!j8!!Qi!!!IM"r)$PJ1
+A$31@!!)d!!!(k`IbrC)$Q!VpNJ!%#QCTE'80!jJ!!@d!!!IZ"r%$Q3`$Q3!4!!Y
+cB@CPFh4KBfXZD!!#!!!0!jF!!M3!!!IM"q[pN31D#[f4!!3+BfC[E!d$QJ!"E`!
+!"qF(k[f3!![pN!!!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!EpN`!!!J11!!)$Q`1
+F$31E!!*X!!)(q3IjrBrpMJ(pM`!!!If1!!!#!j`!!J1G!ji0!jd!!R)!!!Ij#!3
+$R`1J$31I!!*L!!!(q3J!!k%$SJd$S3!"E`!!"rN(r2f0#rf0!#3`!""MFRP`G'p
+QEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S$31L!!&Y!!!(r!Ir!k--!k-!#J!
+%1R0SB3!#!!!0!k!!!@m!!!!!!!$pM![pM!!8-!!)G'9YF("KG'J!#(4PEA"3BA4
+S!J1H!!)$T!1P$31N!!0*!!))"3J[rB[pLJ1Q#[f,!"JZBfpbC@0bC@`U+LSU!!!
+!!!!!N!!!ER9XE!(pLJ!!"J1Q!!2pL31R!kJ+rBN!"!TVEf0X$31R!!&Y!!!)#3J
+-rBJ+rBJ!"!TKE'PK"J1S!!2pK`1T!kS+rBF!"!TTER0S$31T!!)d!!!)$`JArBB
+$U`VpKJ!%#Q0QEf`0!kX!!@m!!!J6#"EpK3[pK3!d-!!BEh"PER0cE'PZBfaeC'9
+QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!kS!!rf%!kcpJ`V
+pK!!%#R4[)#!0!k`!!Qi!!!JD##N$V31Z$31Y!!)d!!!))JJTrB)$V`VpJJ!%#QC
+TE'80!km!!@d!!!JP##J$X!`$X!!,!!9cD'%ZD!!#!!!0!ki!!M3!!!JD##,pJ31
+a#[f"!!3+BfC[E!d$X3!"E`!!#"i))If!#rf!!"3`!!KdC@e`F'&dD!!)G'9YF&"
+KG'J'rB-!!!)$T3!#!l)$X`d$XJ!#E!!##$!)-2errAi"rAm!!!(pIJ!!!J1c!!)
+$Y!1e$31d!!*b!!!)-!Jl!lB$Y`d$YJ!#BJ!!#$!)0`1i!lN0!lJ!!@m!!!J`#$2
+pI3[pI3!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d$Z3!
+"E3!!#$-)0J1k$!1k!!d!"cTdH(4IC')!!J!!$31h!!&[!!!!!!!!rA`,rA`!&$!
+!#(4PEA"`BA4S!!KdC@e`8'&dD!)$Y3!#!lX$[!d$Z`!$53!##$`)C[elrAS$[3V
+pH`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"rAS!!!B$[3!$rAN$[J1r#[e
+j!!3+DfpME!d$[J!"E3!!#%!)3rei#[ei!!3+B@aTB3B$[`!$rAF$`!2"#[eh!!3
++D@jcD!d$`!!#0!!!#%B)6[ef!m)+rAB!"!TMCQpX$32#!!&[!!!)5JK0rA8,rA8
+!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'Efa
+NCA*3BA4S"J2"!!2pG!2$rA-+rA3!"!TdEb!J$32$!!*Z!!!)83KJ!m3$a3d$a!!
+#0!!!#&N)B2eb!mB+rA)!"!TQD@aP$32'!!&Y!!!)A!KI!mF-!mF!$J!)G(KdAf4
+L,QJ!!J!!$32&!!)d!!!)83KCrA%$b!VpF3!%#Q0QEf`0!mJ!!@m!!!K9#&MpF![
+pF!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S"[ec!!!#!l`!!J2*!mS0!mN!!Q`!!JK
+R#'IpEreZ!Ie[!!!"r@i!!!)$bJ!#!mX$c!d$b`!#FJ!!#'F)FJ20!mi0!md!!Q)
+!!!KR#'i$c`23$322!!&[!!!)C`KUr@d,r@d!*$!!%'0bHA"dEfC[E'4PFR"KG'J
+!%'0bHA"dEdC[E'4PFP"KG'J0!p!!!@d!!!KU#'d$d3`$d3!,!!8kH$8`13!#!!!
+0!mi!!@m!!!!!!!$pE![pE!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S!J2-!!)$dJ2
+6$325!!0*!!))F`LGr@[pDJ28#[eV!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9
+XE!(pDJ!!"J28!!2pD329!pB+r@N!"!TVEf0X$329!!&Y!!!)G`Kkr@J+r@J!"!T
+KE'PK"J2@!!2pC`2A!pJ+r@F!"!TTER0S$32A!!)d!!!)I3L&r@B$f3VpCJ!%#Q0
+QEf`0!pN!!@m!!!L"#)6pC3[pC3!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4
+S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!pJ!!reN!pVpB`VpC!!%#R4[)#!
+0!pS!!Qi!!!L)#*F$f`2F$32E!!)d!!!)N!!)PreL!pd+r@)!"!TQD@aP$32G!!&
+Y!!!)N`L@!pi-!pi!$!!'H$8`15jS!!)!!!d$h!!#0!!!#)J)N!$pB32I#[eK!!3
++BfC[E!d$h`!"E`!!#)`)MreJ#reJ!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J'r@-
+!!!)$d`!#!q!$i3d$i!!$53!##*i)b2eIr9i$iJVpA`!B,Q0[FQ9MFQ9X+LSU+J!
+!!!!!!*!!!'jeE'`"r9i!!!B$iJ!$r9d$i`2N#[eG!!3+DfpME!d$i`!"E3!!#+)
+)TIeF#[eF!!3+B@aTB3B$j!!$r9X$j32Q#[eE!!3+D@jcD!d$j3!#0!!!#+J)X2e
+D!qF+r9S!"!TMCQpX$32R!!&[!!!)V!L[r9N,r9N!0$!!''p`C@jcFfaTEQ0XG@4
+PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J2Q!!2p@!2Sr9F
++r9J!"!TdEb!J$32S!!*Z!!!)X`M#!qN$kJd$k3!#0!!!#,X)`[e@!qX+r9B!"!T
+QD@aP$32V!!&Y!!!)[JM"!q`-!q`!%!!+H$8`19pfCRNZD!!#!!!0!qS!!M3!!!L
+c#,[p932Y#[e9!!3+BfC[E!d$l3!"E`!!#,F)Z[e8#re8!"3`!!KdC@e`F'&dD!!
+)G'9YF&"KG'J'r9F!!!)$i3!#!qi$l`d$lJ!#E!!##-N)bIe6r9)"r9-!!!(p8J!
+!!J2[!!)$m!2a$32`!!*b!!!)b3M8!r)$m`d$mJ!#BJ!!#-N)d!2d!r80!r3!!@m
+!!!M*#-cp83[p83!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&
+dD!d$p3!"E3!!#-`)c`2f$!2f!!d!"cTi06!jGM-!!J!!$32c!!&[!!!!!!!!r9!
+,r9!!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!)$m3!#!rF$q!d$p`!$53!##08)rre
+2r8i$q3Vp6`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"r8i!!!B$q3!$r8d
+$qJ2l#[e0!!3+DfpME!d$qJ!"E3!!#0N)h2e-#[e-!!3+B@aTB3B$q`!$r8X$r!2
+p#[e,!!3+D@jcD!d$r!!#0!!!#0m)jre+!ri+r8S!"!TMCQpX$32q!!&[!!!)i`M
+Qr8N,r8N!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfa
+eC'9'EfaNCA*3BA4S"J2p!!2p5!2rr8F+r8J!"!TdEb!J$32r!!*Z!!!)kJMj"!!
+%!3d%!!!#0!!!#2))qIe'"!)+r8B!"!TQD@aP$33#!!&Y!!!)p3Mi"!--"!-!$J!
+)H$8`1ABc,QJ!!J!!$33"!!)d!!!)kJMbr88%"!Vp43!%#Q0QEf`0"!3!!@m!!!M
+Z#2(p4![p4!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S"[e(!!!#!rJ!!J3&"!B0"!8
+!!Q`!!JN!#3$p3re#!Ie$!!!"r8)!!!)%"J!#"!F%#!d%"`!$53!##3!*+[e"r8!
+%#3Vp33!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"r8!!!!B%#3!$r6m%#J3
+,#[dr!!3+DfpME!d%#J!"E3!!#33*"rdq#[dq!!3+B@aTB3B%#`!$r6d%$!30#[d
+p!!3+D@jcD!d%$!!#0!!!#3S*%[dm"!i+r6`!"!TMCQpX$331!!&[!!!*$JN4r6X
+,r6X!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9
+'EfaNCA*3BA4S"J30!!2p1J32r6N+r6S!"!TdEb!J$332!!*Z!!!*&3NN""!%%3d
+%%!!#0!!!#4d**2di"")+r6J!"!TQD@aP$335!!&Y!!!*)!NM""--""-!#`!&Fh0
+X,QJ!!J!!$334!!)d!!!*&3NGr6F%&!Vp0`!%#Q0QEf`0""3!!@m!!!NC#4cp0J[
+p0J!H-!!0Fh0XCQpXC'9bF'&dD!!0Fh0X4QpXC'9b8'&dD!Ep13!!!J3)!!)%&33
+@$339!!0*!!)*+`P9r6Ap0!3A#[de!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9
+XE!(p0!!!"J3A!!2p-`3B""N+r6-!"!TVEf0X$33B!!&Y!!!*,`Nbr6)+r6)!"!T
+KE'PK"J3C!!2p-33D""X+r6%!"!TTER0S$33D!!)d!!!*03Npr6!%(!Vp-!!%#Q0
+QEf`0""`!!@m!!!Nj#6cp,`[p,`!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4
+S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'""X!!rdZ""hp,3Vp,J!%#R4[)#!
+0""d!!Qi!!!P!#8m%(J3I$33H!!)d!!!*5!P2r5`%)!Vp,!!%#QCTE'80"#!!!@d
+!!!P,#8i%)3`%)3!-!!CcFf`b,QJ!!J!!$33I!!)d!!!*3!P)r5X%)JVp+`!%#Q0
+QEf`0"#)!!@m!!!P%#8Ip+J[p+J!H-!!0Fh0XCQpXC'9bF'&dD!!0Fh0X4QpXC'9
+b8'&dD!Ep,3!!!J3@!!)%)`3N$33M!!0*!!)*9JQ!r5Rp+!3P#[dT!"JZBfpbC@0
+bC@`U+LSU!!!!!!!!N!!!ER9XE!(p+!!!"J3P!!2p*`3Q"#F+r5F!"!TVEf0X$33
+Q!!&Y!!!*@JPGr5B+r5B!"!TKE'PK"J3R!!2p*33S"#N+r58!"!TTER0S$33S!!)
+d!!!*B!PSr53%+JVp*!!%#Q0QEf`0"#S!!@m!!!PN#@Ip)`[p)`!d-!!BEh"PER0
+cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'"#N
+!!rdL"#[p)3Vp)J!%#R4[)#!0"#X!!Qi!!!PV#AS%,!3Y$33X!!)d!!!*F`Pkr5!
+%,JVp)!!%#QCTE'80"#i!!@d!!!Pf#AN%,``%,`!0!!GcFf`b-bjS!!)!!!d%,3!
+#0!!!#@X*FrdI"$!+r4m!"!TMCQpX$33`!!&[!!!*E`Pbr4i,r4i!(M!!$A0cE'C
+[E'4PFR"KG'J!$A0cE%C[E'4PFP"KG'J'r5%!!!)%*!!#"$%%-Jd%-3!$53!##B%
+*UrdGr4`%-`Vp(3!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"r4`!!!B%-`!
+$r4X%0!3e#[dE!!3+DfpME!d%0!!"E3!!#B8*L2dD#[dD!!3+B@aTB3B%03!$r4N
+%0J3h#[dC!!3+D@jcD!d%0J!#0!!!#BX*NrdB"$J+r4J!"!TMCQpX$33i!!&[!!!
+*M`Q5r4F,r4F!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%P
+ZBfaeC'9'EfaNCA*3BA4S"J3h!!2p&J3jr48+r4B!"!TdEb!J$33j!!*Z!!!*PJQ
+P"$S%1`d%1J!#0!!!#Ci*TId8"$`+r43!"!TQD@aP$33m!!&Y!!!*S3QN"$d-"$d
+!$!!'Fh0X-bjS!!)!!!d%1`!#0!!!#CB*R[d6"$i+r4-!"!TMCQpX$33q!!&[!!!
+*QJQGr4),r4)!(M!!$A0cE'C[E'4PFR"KG'J!$A0cE%C[E'4PFP"KG'J'r48!!!)
+%-J!#"$m%3!d%2`!$53!##D`*e[d4r4!%33Vp%3!B,Q0[FQ9MFQ9X+LSU+J!!!!!
+!!*!!!'jeE'`"r4!!!!B%33!$r3m%3J4$#[d2!!3+DfpME!d%3J!"E3!!#E!*Xrd
+1#[d1!!3+B@aTB3B%3`!$r3d%4!4&#[d0!!3+D@jcD!d%4!!#0!!!#EB*[[d-"%B
++r3`!"!TMCQpX$34'!!&[!!!*ZJQpr3X,r3X!0$!!''p`C@jcFfaTEQ0XG@4PCQp
+XC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J4&!!2p#J4(r3N+r3S
+!"!TdEb!J$34(!!*Z!!!*`3R3"%J%53d%5!!#0!!!#FN*d2d)"%S+r3J!"!TQD@a
+P$34+!!&Y!!!*c!R2"%X-"%X!$!!'G'ac-5jS!!)!!!d%53!#0!!!#F%*bId("%`
++r3F!"!TMCQpX$34-!!&[!!!*a3R)r3B,r3B!(M!!$A0cE'C[E'4PFR"KG'J!$A0
+cE%C[E'4PFP"KG'J'r3N!!!)%3!!#"%d%6Jd%63!#E!!##GF*erd&r33"r38!!!(
+p"!!!!J41!!)%6`43$342!!0*!!)*e`S"r32p!J44#[d$!"JZBfpbC@0bC@`U+LS
+U!!!!!!!!N!!!ER9XE!(p!J!!"J44!!2p!345"&-+r3%!"!TVEf0X$345!!&Y!!!
+*f`RHr3!+r3!!"!TKE'PK"J46!!2mr`48"&8+r2m!"!TTER0S$348!!)d!!!*i3R
+Tr2i%9JVmrJ!%#Q0QEf`0"&B!!@m!!!RP#HMmr3[mr3!d-!!BEh"PER0cE'PZBfa
+eC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'"&8!!rcm"&I
+mq`Vmr!!%#R4[)#!0"&F!!Qi!!!RX#IX%@!4C$34B!!)d!!!*p!Rlr2S%@JVmqJ!
+%#QCTE'80"&S!!@d!!!Rh#IS%@``%@`!1!!KMFRP`G'mZD!!#!!!0"&N!!M3!!!R
+X#I6mq34F#[cj!!3+BfC[E!d%A!!"E`!!#I!*mrci#rci!#3`!""MFRP`G'pQEfa
+NCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S"[cl!!!#"&!!!J4G"&i0"&d!!Q`!!JS
+##J,mprcf!Ich!!!"r2B!!!)%AJ!#"&m%B!d%A`!$53!##J)+,2cer23%B3Vmp3!
+B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"r23!!!B%B3!$r2-%BJ4M#[cc!!3
++DfpME!d%BJ!"E3!!#JB+#Icb#[cb!!3+B@aTB3B%B`!$r2%%C!4P#[ca!!3+D@j
+cD!d%C!!#0!!!#J`+&2c`"'B+r2!!"!TMCQpX$34Q!!&[!!!+%!S6r1m,r1m!0$!
+!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*
+3BA4S"J4P!!2mlJ4Rr1d+r1i!"!TdEb!J$34R!!*Z!!!+&`SQ"'J%D3d%D!!#0!!
+!#Km+*[cX"'S+r1`!"!TQD@aP$34U!!&Y!!!+)JSP"'X-"'X!%!!+Eh"PER0cE(B
+ZD!!#!!!0"'N!!M3!!!SA#Krmk`4X#[cV!!3+BfC[E!d%E!!"E`!!#KX+([cU#rc
+U!#3`!""MFRP`G'pQEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S"[cY!!!#"'!
+!!J4Y"'i0"'d!!dN!!JSY#PImkIcS"'m+r1N!'#jMEh*PBh*PE#SU+LS!!!!!!!#
+3!!"ZG@aX!IcS!!!'"'m!!rcR"(!%F3Vmj`!%#QY[Bf`0"(!!!@d!!!Sa#M6mjJV
+mjJ!%#Q&XD@%'"(%!!rcP"()%F`Vmj3!%#QPZFfJ0"()!!M3!!!Sh#Mrmj!4d#[c
+N!!3+BfC[E!d%G!!"E`!!#MX+2[cM#rcM!$3`!"K[F'9ZFh0XD@jME(9NC@C[E'4
+PFR"KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&dD!B%F`!$r1)%GIcK#[cL!!3
++G'mJ)!d%G3!#EJ!!#N)+834f"(F0"(B!!M3!!!T+#P(mi!4i#[cJ!!3+CQPXC3d
+%H!!"E3!!#Nd+8!4j$!4j!!i!#(4YC'PQCLjS!!)!!!d%G`!#0!!!#N)+5[cI"(S
++r0m!"!TMCQpX$34k!!&[!!!+4JT*r0i,r0i!*$!!%'0bHA"dEfC[E'4PFR"KG'J
+!%'0bHA"dEdC[E'4PFP"KG'J'r1%!!!)%EJ!#"(X%I!d%H`!#E!!##PJ+@2cGr0`
+"r0d!!!(mh!!!!J4m!!)%I34q$34p!!*X!!)+@!TBr0[mfJ(mf`!!!IcD!!!#"(i
+!!J4r")!0"(m!!dN!!JTB#S,mfIcB")%+r0N!'#jMEh*PBh*PE#SU+LS!!!!!!!#
+3!!"ZG@aX!IcB!!!'")%!!rcA"))%J`Vme`!%#QY[Bf`0"))!!@d!!!TF#PrmeJV
+meJ!%#Q&XD@%'")-!!rc9")3%K3Vme3!%#QPZFfJ0")3!!M3!!!TL#QVme!5'#[c
+8!!3+BfC[E!d%KJ!"E`!!#QB+DIc6#rc6!$3`!"K[F'9ZFh0XD@jME(9NC@C[E'4
+PFR"KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&dD!B%K3!$r0)%Krc4#[c5!!3
++G'mJ)!d%K`!#EJ!!#Qd+I!5)")N0")J!!M3!!!Te#Rcmd!5+#[c3!!3+CQPXC3d
+%LJ!"E3!!#RJ+H`5,$!5,!!`!"Q9IEh-ZD!!#!!!0")N!!M3!!!TY#RAmc`5-#[c
+2!!3+BfC[E!d%M!!"E`!!#R%+G2c1#rc1!#B`!"&[F'9ZFh0XCQpXC'9bF'&dD!!
+4Eh"PER0cE%C[E'4PFP"KG'J'r0%!!!)%J!!#")d%MJd%M3!$53!##S-+VIc0r-`
+%M`Vmc3!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"r-`!!!B%M`!$r-X%N!!
+%N3Vmb`!%#QY[Bf`0"*!!!!&Y!!!+K`U+r-S+r-S!"!TKE'PK"J54!!2mb355"*-
++r-N!"!TTER0S$355!!)d!!!+M3U9r-J%P!Vmb!!%#Q0QEf`0"*3!!@m!!!U4#T6
+ma`[ma`!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9
+NC8C[E'4PFP"KG'J'"*-!!rc'"*Ama3VmaJ!%#R4[)#!0"*8!!Qi!!!UB#UF%PJ5
+A$35@!!)d!!!+S!URr-3%Q!Vma!!%#QCTE'80"*J!!@d!!!UM#UB%Q3`%Q3!0!!G
+PAfpc-LjS!!)!!!d%P`!#0!!!#TJ+S2c$"*S+r--!"!TMCQpX$35D!!&[!!!+R!U
+Ir-),r-)!*M!!%@p`C@jcFfaQEfaNCA*`BA4S!"&[F'9ZFh0X4QpXC'9b8'&dD!E
+ma3!!!J51!!)%Qrc"$35E!!*X!!)+VJUZr-$m[`(m`!!!!Ibr!!!#r-%!!!d!#3!
+"E3!!!!!!!3!I!Irq!!!#!!B!!J5F"*d0"*`!!Q`!!J!!!!$m[[bp!Ibq!!!"r,d
+!!!)%R3!#"*i%R`d%RJ!#E!!##V%+b!5Jr,`0"+!!!dN!!JUa#XMmZ`5K"+)+r,X
+!'#jcHA0[C'a[Cf&cDh)!!!!!!!!!!&4&@&30"+%!!@d!!!Ua#V3%S``%S`!'!!!
+!!J!!"J5L!!2mZJ5N"+8+r,S!"!TLG'jc$35N!!&+!!!+Y`Um"+B#"+B!!J5Rr,N
+0"+F!!@d!!!Uh#VS%U!`%U!!+!!4%EfjP!!)!!!,mZ3!!"J5P!!2mZ!5Tr,F+r,J
+!"!TRDACe$35T!!&Y!!!+[`V#r,B$r,B!"3EmY`!!!Ibm!!!#"*m!!J5Ur,80"+S
+!!Q`!!J!!!!$mY2bc!Ibd!!!"r,-!!!,mY3!!$J!#!!!2%!!$!",mXJ5V"+`%V35
+Z"+m%X!5a",)%X`5d",8%YJ5hr,(mX2b[r+i"r,)!!"!%U`!3r+hmV2bVr+VmUIb
+Sr+ImT[bPr+6mSrbLr+(mS2bIr*i+r+d!'#jKCACdEf&`F'jeE'`!!)!!!!#3!!!
+U+LSU#rbX!")`!!GdD'9`BA4S!!GdD'93BA4S#rbV!"``!!adD'9[E'4NC@aTEA-
+!$(4SC8pXC%4PE'PYF`[mUJ!J-!!1G'KPF(*[DQ9MG("KG'J!$R4SC9"bEfTPBh4
+3BA4S#rbT!"B`!!PdD'9YCA"KG'J!#A4SC8eP8'&dD![mU!!Q-!!4D@jME(9NC@C
+[E'4PFR"KG'J!%@PZBfaeC'9'EfaNCA*3BA4S#rbR!$3`!"K[F'9ZFh0XD@jME(9
+NC@C[E'4PFR"KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&dD![mTJ!N-!!3Bh*
+jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD![mT3!H-!!0Fh0XCQpXC'9
+bF'&dD!!0Fh0X4QpXC'9b8'&dD![mT!!Q-!!4Eh"PER0cE'C[E'4PFR"KG'J!%@p
+`C@jcFfa'EfaNCA*3BA4S#rbM!#i`!"9dD'9ZCAGQEfaNCA*bC@CPFQ9ZBf8!&A4
+SC8jPGdC[E'4PFP*PCQ9bC@jMC3[mSJ!8-!!)G'9YF("KG'J!#(4PEA"3BA4S!Ib
+K!!!"r+!!!!(mR`!!!IbH!!!1"+`!"a$mR35ir*cmQ`5j",VmQJVmR3!B,Q&PGR4
+[BA"`ER9XE!!!J!!!!*!!!#SU+LS0",J!!@X!!!!!#XJ%Z`)%Z`!#!!8%[!)%[!!
+#"*lmQ3,mQ3!!!IbF!!!#r*X!!"!%Z3!!%!5k!)B!(rbBr*ImP[b9r*6mNrb5!#c
+mNIb3!2b2r)lmMIb-!%rmL`"D!&[mLJ"Nr)N!EIb)r)ImKJ#2r)AmK2b$r),mJIb
+!r(rmI[apr(cmH`#Tr(VmHIair(F![Iaf!-ImG3$8!1)!l!$j!3-"%!%D!5F"-3%
+q!8J"93&I!@`"GJ'$!Bd"QJ'N!E%"Z`()!G)"h`(T!IB#!!)0!KF#*!)Z!MX#43*
+5!P`#D3*c!S!#LJ+A!U%#VJ+m!XB#d`,G!ZS#p!-"!`X$'!-L!bm$130'!e!$A30
+R!h3$IJ1,!jN$S`1`!lS$a`24!pi$l!2f"!-%%`3K"#m%234,"&X%D`4j")X%Q35
+Mr(3%U2acr(,mF3VmQ!!%#Q0[BQS+r*F!'#jPBA*cCQCNFQ&XDA-!!!!!!!!J!'&
+QC()+r*B!"!TMG(Kd#rb9!")`!!GdD'9`BA4S!!GdD'93BA4S#[b8!!3+BA0MFJV
+mN`!%#R4iC'`,r*)!($!!$(4SC@pXC'4PE'PYF`!-G'KP6faN4'9XD@ec#[b4!!3
++BfPdE32mN!$rr3[mM`!J-!!1G'KPF(*[DQ9MG("KG'J!$R4SC9"bEfTPBh43BA4
+S!rb1rri+r)d!"!T849K8#rb-!"B`!!PdD'9YCA"KG'J!#A4SC8eP8'&dD![mL`!
+Q-!!4D@jME(9NC@C[E'4PFR"KG'J!%@PZBfaeC'9'EfaNCA*3BA4S#rb+!$3`!"K
+[F'9ZFh0XD@jME(9NC@C[E'4PFR"KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&
+dD![mL3!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD![mL!!
+H-!!0Fh0XCQpXC'9bF'&dD!!0Fh0X4QpXC'9b8'&dD![mK`!Q-!!4Eh"PER0cE'C
+[E'4PFR"KG'J!%@p`C@jcFfa'EfaNCA*3BA4S#[b'!!3+BfC[E!VmK3!B,QeTFf0
+cE'0d+LSU+J!!!!!!!*!!!#SU+LS+r)3!"!TcC@aP#[b$!"JZBfpbC@4PE'mU+LS
+U!!!!!!!!N!!!+LSU+J(mJJ!!![b"!!!+r)!!"!TVEf0X#[ar!!3+D@jcD!2mIJ!
+%#[ap!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9XE!VmI!!%#R*cE(3,r(X!,M!
+!&A4SC@jPGfC[E'4PFR*PCQ9bC@jMC3!9G'KP6Q9h4QpXC'9b8Q9QCA*PEQ0P#[a
+k!!3+F'jKE3VmH3!%#Q&XD@%+r(J!"!TdEb!J#[ah!!3+CQPXC32mGJ!'#rae!"3
+`!!KdC@e`F'&dD!!)G'9YF&"KG'J+r(3!"!TLG'jc#[ac!!3+CfPfG32mFJ!&#[a
+a!"JZFhPcEf4XEfGKFfYb!!!!!!!!!!"849K8%IbD#XRJ%JUYi1%TDJ`!!LrM*N9
+4e%r&jLa&edrSaHBX4Nr%@qPF@eTVA&VU-NAE6m4Ek9aE@QYF@Z`bl5C&hNr,lbA
+Y*N9J!""2bf%!%59K!")Pl5C&B!!66mYK!"3Pl5C&B!!96mYK!"BPl5C&B!!A6m[
+Y*N9J!"K2amAQ,%C2&!!L+Q%!'9m!%#pK!"PK!"S[DJ`!'dmUB3!F,'S-!"eA!!K
+B!"i!(fK2+Q%!)'%!'@%!)5TK!"PI!"![B3!L$!!M6em!*%9J!#92A`!PDJ`!'dp
+K!#BUB3!F,'%!*ba'6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"R1,f%!+Q%!+bp
+K!#`-!#02A`!9B3!Y*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!,Lp
+K!#TK!#m[B3!X$!!M6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!#i[B3!UB3!
+`,f%!,!`!)dpI!"9K!$%P4@!!,NmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!
+Z,f%!+Q%!-LpK!#`-!#02A`!9B3!c*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!
+T+Q%!'9m!,LpK!#TK!$3[B3!X$!!M6em!&@%!059&B!!Z6bTK!#"K!#KK!#%UB3!
+CA`!6,f%!+5TK!"PI!#i[B3!UB3!f,f%!,!`!)dpI!"9K!$FP4@!!,NmUB3!JB3!
+SB3!K+Q%!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%!1#pK!#`-!#02A`!9B3!j*89J!#j
+2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!,LpK!#TK!$S[B3!X$!!M6em!&@%
+!1b9&B!!Z6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!#i[B3!UB3!m,f%!,!`
+!)dpI!"9K!$dP4@!!,NmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%
+!2LpK!#`-!#02A`!9B3!r*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m
+!,LpK!#TK!%![B3!X$!!M6em!&@%!359&B!!Z6bTK!#"K!#KK!#%UB3!CA`!6,f%
+!+5TK!"PI!#i[B3!UB3"#,f%!,!`!)dpI!"9K!%-P4@!!,NmUB3!JB3!SB3!K+Q%
+!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%!4#pK!#`-!#02A`!9B3"&*89J!#j2+Q%!)'%
+!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!,LpK!#TK!%B[B3!X$!!M6em!&@%!4b9&B!!
+Z6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!#i[B3!UB3"),f%!,!`!)dpI!"9
+K!%NP4@!!,NmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%!5LpK!#`
+-!#02A`!9B3",*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!,LpK!#T
+K!%`[B3!X$!!M6em!&@%!659&B!!Z6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"P
+I!#i[B3!UB3"1,f%!,!`!)dpI!"9K!%mP4@!!,NmUB3!JB3!SB3!K+Q%!'9m!%bp
+K!#NUB3!CA`!Z,f%!+Q%!8#pK!#`-!#02A`!9B3"4*89J!#j2+Q%!)'%!+'%!)5T
+K!"PI!"-[B3!T+Q%!'9m!,LpK!#TK!&)[B3!X$!!M6em!&@%!8b9&B!!Z6bTK!#"
+K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!#i[B3!UB3"8,f%!,!`!)dpI!"9K!&8P4@!
+!,NmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%!9LpK!#`-!#02A`!
+9B3"A*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!,LpK!#TK!&J[B3!
+X$!!M6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!#i[B3!UB3"C,f%!,!`!)dp
+I!"9K!&SP4@!!,NmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%!@bp
+K!#`-!#02A`!9B3"F*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!,Lp
+K!#TK!&d[B3!X$!!M6em!&@%!AL9&B!!Z6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5T
+K!"PI!#i[B3!UB3"I,f%!,!`!)dpI!"9K!'!P4@!!,NmUB3!JB3!SB3!K+Q%!'9m
+!%bpK!#NUB3!CA`!Z,f%!+Q%!B5pK!#`-!#02A`!9B3"L*89J!#j2+Q%!)'%!+'%
+!)5TK!"PI!"-[B3!T+Q%!'9m!,LpK!#TK!'-[B3!X$!!M6em!&@%!C#9&B!!Z6bT
+K!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!#i[B3!UB3"P,f%!,!`!)dpI!"9K!'B
+P4@!!,NmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%!CbpK!#`-!#0
+2A`!9B3"S*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!,LpK!#TK!'N
+[B3!X$!!M6em!&@%!DL9&B!!Z6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!#i
+[B3!UB3"V,f%!,!`!)dmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%
+!E#pK!#`-!#02A`!9B3"Y*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m
+!,LpK!#TK!'i[B3!X$!!M6em!&@%!Eb9&B!!Z6bTK!#"K!#KK!#%UB3!CA`!6,f%
+!+5TK!"PI!#i[B3!UB3"`,f%!,!`!)dpI!"9K!(%P4@!!,NmUB3!JB3!SB3!K+Q%
+!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%!FLpK!#`-!#02+Q%!)'%!+'%!)5TK!"PI!"-
+[B3!T+Q%!'9m!,LpK!#TK!(-[B3!X$!!M6em!&@%!G#9&B!!Z6bTK!#"K!#KK!#%
+UB3!CA`!6,f%!+5TK!"PI!#i[B3!UB3"e,f%!,!`!)dmUB3!JB3!SB3!K+Q%!'9m
+!%bpK!#NUB3!CA`!A,f%!+Q%!GLpK!#`-!#02+Q%!)'%!+'%!)5TK!"PI!"-[B3!
+T+Q%!'9m!&bpK!#TK!(F[B3!X$!!M6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"P
+I!"F[B3!UB3"i,f%!,!`!)dmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!A,f%
+!+Q%!H5pK!#`-!#02+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!&bpK!#TK!(S
+[B3!X$!!M6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!"8[B3!UB3"l,f%!,!`
+!)dmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!9,f%!+Q%!I#pK!#`-!#02+Q%
+!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!&5pK!#TK!(d[B3!X$!!M6bTK!#"K!#K
+K!#%UB3!CA`!6,f%!+5TK!"PI!"J[B3!UB3"q,f%!,!`!)dmUB3!JB3!SB3!K+Q%
+!'9m!%bpK!#NUB3!CA`!B,f%!+Q%!IbpK!#`-!#028&92B3#!B3#"B3##DhCK!)0
+K!)4K!#)-!)82$!5Y!&%!5deKBfPZG'pcD#")4$T%CA0VG'p`)%C[E'4PFMT*EQ0
+[E@PZCcT[F'9ZFh0X,90139!Y-6Nj16%b-6%k6@&M6e-kE@YXD@jVFbjKF`!#!!!
+1"+i!!J6mF!5p!ra`!!%1",d!!3!%[J`%[J!'!!!!!J!!$J5[!!)%r'm%[`2mE`!
+%$J5r!!3!"-!%`36#"---"-!!%J!-6@&MD@jdEh0S)%K%!!)!!!`%`3!8!!j%CA0
+VG'p`)%C[E'4PFJ!#!!!-"-)!$J!)5@jMEfeTEQF!!J!!$!6$!"X!&@p`C@jcFf`
+Y8dj"8#da16Nj-6)a-3!#!!!-",!!4J"!6@&MD@jdEh0S)%K%1N4PFfYdEh!J4Qp
+XC'9b1NPZBfpYD@jR1Qp`C@jcFf`Y8dj"8#da16Nj-6)a-6T0B@028`!#!!!-",%
+!5!"#6@&MD@jdEh0S)%K%1N4PFfYdEh!J4QpXC'9b1NPZBfpYD@jR1Qp`C@jcFf`
+Y8dj"8#da16Nj-6)a-6TTEQ0XG@4P!!)!!!`%XJ"3!%T0B@0TER4[FfJJ5%3k4'9
+cDh4[F#"'EfaNCA)k5@jMEfeTEQFkEh"PER0cE#e66N&3,6%j16Na-M%a1QPZBfa
+eC'8kEh"PER0cE!!#!!!-",-!4`""6@&MD@jdEh0S)%K%1N4PFfYdEh!J4QpXC'9
+b1NPZBfpYD@jR1Qp`C@jcFf`Y8dj"8#da16Nj-6)a-6TMFRP`G'm!!J!!$!5d!%3
+!2NeKBfPZG'pcD#")4$T%CA0VG'p`)%C[E'4PFMT*EQ0[E@PZCcT[F'9ZFh0X,90
+139!Y-6Nj16%b-6%kFh0X!!)!!!`%Y3"!!$T0B@0TER4[FfJJ5%3k4'9cDh4[F#"
+'EfaNCA)k5@jMEfeTEQFkEh"PER0cE#e66N&3,6%j16Na-M%a!!)!!!i%YJ!"&!6
+%$J6%!!-B"-AmEJ6'$J6&!!-B"-ImE36)$J6(!!-B"-RmE!6+$J6*!!-B!"rmD`6
+,#[aV!!3+BfC[E!`%b`!1!!K*EQ0[E@PZC`!#!!!+r'`!"!TMCQpX$!6+!"X!&@p
+`C@jcFf`Y8dj"8#da16Nj-6)a-3!#!!!+r'd!"!TMCQpX$!6)!!d!"fPZBfaeC'8
+!!J!!#[aZ!!3+BfC[E!`%aJ!9!!peER4TG'aPC#"QEfaNCA)!!J!!$!5h!%i!5%e
+KBfPZG'pcD#")4$T%CA0VG'p`)%C[E'4PFMT*EQ0[E@PZCcT[F'9ZFh0X,90139!
+Y-6Nj16%b-6%kBh*jF(4[1RJe-$Pf-`!#!!!"r,%!!!(mX!!!!Ib[!!!"r+i!!'&
+cBh)!!3!-qYlHV3!!!3!!!*G#!!#@3J!!!AB!!$-8-0J!!!!F!AB!$h0MFhS!!!#
+#6Np853!!!)jcBh"d!!!!QP4&@&3!!3#QFh4jE!!!!,j$6d4&!!%!bN*14%`!!!$
+LBA"XG!!!!1j'8N9'!!!!qNP$6L-!!!%'D@0X0!!!!4*TBh-M!!!"(QPMFc3!!!%
+UD'CNFJ!!!6C659T&!!!"3PG3Eh-!!!&1!!$rr`!!!!!!!!!!!)$rre!!!"i!!!!
+!!)$rr`!!"cJ#DH#m"'Mrr`!!!*S!!!!!%iRrr`!!"Pi!!!!!"'Mrr`!!!53!!!!
+!!!$rrb!!!9)!!!!!!!(rra3!!@i#DG`%!)$rr`!!!Pi#DH"X!!$rr`!!!Ri!!!!
+!!)$rr`!!!S-#DH"d!*Err`!!!Si!!!!!!*Err`!!!j)!!!!!!*Err`!!"CB#DH%
+i!*Err`!!"GS#DH%dkF$rr`!!"[`!!!!!rrrrr`!!"a)!!!!!!)$rr`!!"b!!!!!
+!*4S:
diff --git a/src/lib/libssl/src/MacOS/opensslconf.h b/src/lib/libssl/src/MacOS/opensslconf.h
new file mode 100644
index 0000000000..ad557cc06a
--- /dev/null
+++ b/src/lib/libssl/src/MacOS/opensslconf.h
@@ -0,0 +1,116 @@
+/* MacOS/opensslconf.h */
+
+#if !(defined(VMS) || defined(__VMS)) /* VMS uses logical names instead */
+#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
+#define OPENSSLDIR "/usr/local/ssl"
+#endif
+#endif
+
+#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
+#define IDEA_INT unsigned int
+#endif
+
+#if defined(HEADER_MD2_H) && !defined(MD2_INT)
+#define MD2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC2_H) && !defined(RC2_INT)
+/* I need to put in a mod for the alpha - eay */
+#define RC2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC4_H)
+#if !defined(RC4_INT)
+/* using int types make the structure larger but make the code faster
+ * on most boxes I have tested - up to %20 faster. */
+/*
+ * I don't know what does "most" mean, but declaring "int" is a must on:
+ * - Intel P6 because partial register stalls are very expensive;
+ * - elder Alpha because it lacks byte load/store instructions;
+ */
+#define RC4_INT unsigned char
+#endif
+#if !defined(RC4_CHUNK)
+/*
+ * This enables code handling data aligned at natural CPU word
+ * boundary. See crypto/rc4/rc4_enc.c for further details.
+ */
+#define RC4_CHUNK unsigned long
+#endif
+#endif
+
+#if defined(HEADER_DES_H) && !defined(DES_LONG)
+/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
+ * %20 speed up (longs are 8 bytes, int's are 4). */
+#ifndef DES_LONG
+#define DES_LONG unsigned long
+#endif
+#endif
+
+#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
+#define CONFIG_HEADER_BN_H
+#if __option(longlong)
+#  define BN_LLONG
+#else
+#  undef BN_LLONG
+#endif
+
+/* Should we define BN_DIV2W here? */
+
+/* Only one for the following should be defined */
+/* The prime number generation stuff may not work when
+ * EIGHT_BIT but I don't care since I've only used this mode
+ * for debuging the bignum libraries */
+#undef SIXTY_FOUR_BIT_LONG
+#undef SIXTY_FOUR_BIT
+#define THIRTY_TWO_BIT
+#undef SIXTEEN_BIT
+#undef EIGHT_BIT
+#endif
+
+#if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H)
+#define CONFIG_HEADER_RC4_LOCL_H
+/* if this is defined data[i] is used instead of *data, this is a %20
+ * speedup on x86 */
+#undef RC4_INDEX
+#endif
+
+#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
+#define CONFIG_HEADER_BF_LOCL_H
+#define BF_PTR
+#endif /* HEADER_BF_LOCL_H */
+
+#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
+#define CONFIG_HEADER_DES_LOCL_H
+/* the following is tweaked from a config script, that is why it is a
+ * protected undef/define */
+#ifndef DES_PTR
+#define DES_PTR
+#endif
+
+/* This helps C compiler generate the correct code for multiple functional
+ * units.  It reduces register dependancies at the expense of 2 more
+ * registers */
+#ifndef DES_RISC1
+#define DES_RISC1
+#endif
+
+#ifndef DES_RISC2
+#undef DES_RISC2
+#endif
+
+#if defined(DES_RISC1) && defined(DES_RISC2)
+YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
+#endif
+
+/* Unroll the inner loop, this sometimes helps, sometimes hinders.
+ * Very mucy CPU dependant */
+#ifndef DES_UNROLL
+#define DES_UNROLL
+#endif
+
+#endif /* HEADER_DES_LOCL_H */
+
+#ifndef __POWERPC__
+#define MD32_XARRAY
+#endif
diff --git a/src/lib/libssl/src/Makefile.org b/src/lib/libssl/src/Makefile.org
new file mode 100644
index 0000000000..2def579c26
--- /dev/null
+++ b/src/lib/libssl/src/Makefile.org
@@ -0,0 +1,351 @@
+##
+## Makefile for OpenSSL
+##
+
+VERSION=
+MAJOR=
+MINOR=
+PLATFORM=dist
+OPTIONS=
+# INSTALL_PREFIX is for package builders so that they can configure
+# for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/.
+# Normally it is left empty.
+INSTALL_PREFIX=
+INSTALLTOP=/usr/local/ssl
+
+# Do not edit this manually. Use Configure --openssldir=DIR do change this!
+OPENSSLDIR=/usr/local/ssl
+
+# RSAref  - Define if we are to link with RSAref.
+# NO_IDEA - Define to build without the IDEA algorithm
+# NO_RC4  - Define to build without the RC4 algorithm
+# NO_RC2  - Define to build without the RC2 algorithm
+# THREADS - Define when building with threads, you will probably also need any
+#           system defines as well, i.e. _REENTERANT for Solaris 2.[34]
+# TERMIO  - Define the termio terminal subsystem, needed if sgtty is missing.
+# TERMIOS - Define the termios terminal subsystem, Silicon Graphics.
+# LONGCRYPT - Define to use HPUX 10.x's long password modification to crypt(3).
+# DEVRANDOM - Give this the value of the 'random device' if your OS supports
+#           one.  32 bytes will be read from this when the random
+#           number generator is initalised.
+# SSL_ALLOW_ADH - define if you want the server to be able to use the
+#           SSLv3 anon-DH ciphers.
+# SSL_FORBID_ENULL - define if you want the server to be not able to use the
+#           NULL encryption ciphers.
+#
+# LOCK_DEBUG - turns on lots of lock debug output :-)
+# REF_CHECK - turn on some xyz_free() assertions.
+# REF_PRINT - prints some stuff on structure free.
+# CRYPTO_MDEBUG - turns on my 'memory leak' detecting stuff
+# MFUNC - Make all Malloc/Free/Realloc calls call
+#       CRYPTO_malloc/CRYPTO_free/CRYPTO_realloc which can be setup to
+#       call application defined callbacks via CRYPTO_set_mem_functions()
+# MD5_ASM needs to be defined to use the x86 assembler for MD5
+# SHA1_ASM needs to be defined to use the x86 assembler for SHA1
+# RMD160_ASM needs to be defined to use the x86 assembler for RIPEMD160
+# Do not define B_ENDIAN or L_ENDIAN if 'unsigned long' == 8.  It must
+# equal 4.
+# PKCS1_CHECK - pkcs1 tests.
+
+CC= gcc
+#CFLAG= -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
+CFLAG= -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
+DEPFLAG= 
+PEX_LIBS= -L. -L.. -L../.. -L../../..
+EX_LIBS= 
+AR=ar r
+RANLIB= ranlib
+PERL= perl
+
+# Set BN_ASM to bn_asm.o if you want to use the C version
+BN_ASM= bn_asm.o
+#BN_ASM= bn_asm.o
+#BN_ASM= asm/bn86-elf.o # elf, linux-elf
+#BN_ASM= asm/bn86-sol.o # solaris
+#BN_ASM= asm/bn86-out.o # a.out, FreeBSD
+#BN_ASM= asm/bn86bsdi.o # bsdi
+#BN_ASM= asm/alpha.o    # DEC Alpha
+#BN_ASM= asm/pa-risc2.o # HP-UX PA-RISC
+#BN_ASM= asm/r3000.o    # SGI MIPS cpu
+#BN_ASM= asm/sparc.o    # Sun solaris/SunOS
+#BN_ASM= asm/bn-win32.o # Windows 95/NT
+#BN_ASM= asm/x86w16.o   # 16 bit code for Windows 3.1/DOS
+#BN_ASM= asm/x86w32.o   # 32 bit code for Windows 3.1
+
+# For x86 assembler: Set PROCESSOR to 386 if you want to support
+# the 80386.
+PROCESSOR=
+
+# Set DES_ENC to des_enc.o if you want to use the C version
+#There are 4 x86 assember options.
+DES_ENC= asm/dx86-out.o asm/yx86-out.o
+#DES_ENC= des_enc.o fcrypt_b.o          # C
+#DES_ENC= asm/dx86-elf.o asm/yx86-elf.o # elf
+#DES_ENC= asm/dx86-sol.o asm/yx86-sol.o # solaris
+#DES_ENC= asm/dx86-out.o asm/yx86-out.o # a.out, FreeBSD
+#DES_ENC= asm/dx86bsdi.o asm/yx86bsdi.o # bsdi
+
+# Set BF_ENC to bf_enc.o if you want to use the C version
+#There are 4 x86 assember options.
+BF_ENC= asm/bx86-out.o
+#BF_ENC= bf_enc.o
+#BF_ENC= asm/bx86-elf.o # elf
+#BF_ENC= asm/bx86-sol.o # solaris
+#BF_ENC= asm/bx86-out.o # a.out, FreeBSD
+#BF_ENC= asm/bx86bsdi.o # bsdi
+
+# Set CAST_ENC to c_enc.o if you want to use the C version
+#There are 4 x86 assember options.
+CAST_ENC= asm/cx86-out.o
+#CAST_ENC= c_enc.o
+#CAST_ENC= asm/cx86-elf.o # elf
+#CAST_ENC= asm/cx86-sol.o # solaris
+#CAST_ENC= asm/cx86-out.o # a.out, FreeBSD
+#CAST_ENC= asm/cx86bsdi.o # bsdi
+
+# Set RC4_ENC to rc4_enc.o if you want to use the C version
+#There are 4 x86 assember options.
+RC4_ENC= asm/rx86-out.o
+#RC4_ENC= rc4_enc.o
+#RC4_ENC= asm/rx86-elf.o # elf
+#RC4_ENC= asm/rx86-sol.o # solaris
+#RC4_ENC= asm/rx86-out.o # a.out, FreeBSD
+#RC4_ENC= asm/rx86bsdi.o # bsdi
+
+# Set RC5_ENC to rc5_enc.o if you want to use the C version
+#There are 4 x86 assember options.
+RC5_ENC= asm/r586-out.o
+#RC5_ENC= rc5_enc.o
+#RC5_ENC= asm/r586-elf.o # elf
+#RC5_ENC= asm/r586-sol.o # solaris
+#RC5_ENC= asm/r586-out.o # a.out, FreeBSD
+#RC5_ENC= asm/r586bsdi.o # bsdi
+
+# Also need MD5_ASM defined
+MD5_ASM_OBJ= asm/mx86-out.o
+#MD5_ASM_OBJ= asm/mx86-elf.o        # elf
+#MD5_ASM_OBJ= asm/mx86-sol.o        # solaris
+#MD5_ASM_OBJ= asm/mx86-out.o        # a.out, FreeBSD
+#MD5_ASM_OBJ= asm/mx86bsdi.o        # bsdi
+
+# Also need SHA1_ASM defined
+SHA1_ASM_OBJ= asm/sx86-out.o
+#SHA1_ASM_OBJ= asm/sx86-elf.o       # elf
+#SHA1_ASM_OBJ= asm/sx86-sol.o       # solaris
+#SHA1_ASM_OBJ= asm/sx86-out.o       # a.out, FreeBSD
+#SHA1_ASM_OBJ= asm/sx86bsdi.o       # bsdi
+
+# Also need RMD160_ASM defined
+RMD160_ASM_OBJ= asm/rm86-out.o
+#RMD160_ASM_OBJ= asm/rm86-elf.o       # elf
+#RMD160_ASM_OBJ= asm/rm86-sol.o       # solaris
+#RMD160_ASM_OBJ= asm/rm86-out.o       # a.out, FreeBSD
+#RMD160_ASM_OBJ= asm/rm86bsdi.o       # bsdi
+
+DIRS=   crypto ssl rsaref apps test tools
+SHLIBDIRS= crypto ssl
+
+# dirs in crypto to build
+SDIRS=  \
+        md2 md5 sha mdc2 hmac ripemd \
+        des rc2 rc4 rc5 idea bf cast \
+        bn rsa dsa dh \
+        buffer bio stack lhash rand err objects \
+        evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp
+
+MAKEFILE= Makefile.ssl
+MAKE=     make -f Makefile.ssl
+
+MAN1=1
+MAN3=3
+SHELL=/bin/sh
+
+TOP=    .
+ONEDIRS=out tmp
+EDIRS=  times doc bugs util include certs ms shlib mt demos perl sf dep VMS
+WDIRS=  windows
+LIBS=   libcrypto.a libssl.a 
+
+GENERAL=        Makefile
+BASENAME=       openssl
+NAME=           $(BASENAME)-$(VERSION)
+TARFILE=        $(NAME).tar
+WTARFILE=       $(NAME)-win.tar
+EXHEADER=       e_os.h e_os2.h
+HEADER=         e_os.h
+
+all: Makefile.ssl
+        @for i in $(DIRS) ;\
+        do \
+        (cd $$i && echo "making all in $$i..." && \
+        $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' SDIRS='${SDIRS}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \
+        done
+        -@# cd perl; $(PERL) Makefile.PL; make
+
+sub_all:
+        @for i in $(DIRS) ;\
+        do \
+        (cd $$i && echo "making all in $$i..." && \
+        $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \
+        done;
+
+linux-shared:
+        for i in ${SHLIBDIRS}; do \
+        rm -f lib$$i.a lib$$i.so \
+                lib$$i.so.${MAJOR} lib$$i.so.${MAJOR}.${MINOR}; \
+        ${MAKE} CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='-fPIC ${CFLAG}' SDIRS='${SDIRS}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' DIRS=$$i clean all || exit 1; \
+        ( set -x; ${CC}  -shared -o lib$$i.so.${MAJOR}.${MINOR} \
+                -Wl,-S,-soname=lib$$i.so.${MAJOR} \
+                -Wl,--whole-archive lib$$i.a \
+                -Wl,--no-whole-archive -lc ) || exit 1; \
+        rm -f lib$$i.a; make -C $$i clean || exit 1 ;\
+        done;
+        @set -x; \
+        for i in ${SHLIBDIRS}; do \
+        ln -s lib$$i.so.${MAJOR}.${MINOR} lib$$i.so.${MAJOR}; \
+        ln -s lib$$i.so.${MAJOR} lib$$i.so; \
+        done;
+
+Makefile.ssl: Makefile.org
+        @echo "Makefile.ssl is older than Makefile.org."
+        @echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
+        @false
+
+libclean:
+        rm -f *.a */lib */*/lib
+
+clean:
+        rm -f shlib/*.o *.o core a.out fluff *.map
+        @for i in $(DIRS) ;\
+        do \
+        (cd $$i && echo "making clean in $$i..." && \
+        $(MAKE) SDIRS='${SDIRS}' clean ) || exit 1; \
+        rm -f $(LIBS); \
+        done;
+        rm -f *.a *.o speed.* *.map *.so .pure core
+        rm -f $(TARFILE)
+        @for i in $(ONEDIRS) ;\
+        do \
+        rm -fr $$i/*; \
+        done
+
+makefile.one: files
+        $(PERL) util/mk1mf.pl >makefile.one; \
+        sh util/do_ms.sh
+
+files:
+        $(PERL) $(TOP)/util/files.pl Makefile.ssl > $(TOP)/MINFO
+        @for i in $(DIRS) ;\
+        do \
+        (cd $$i && echo "making 'files' in $$i..." && \
+        $(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' files ) || exit 1; \
+        done;
+
+links:
+        @$(TOP)/util/point.sh Makefile.ssl Makefile
+        @$(PERL) $(TOP)/util/mkdir-p.pl include/openssl
+        @$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER)
+        @for i in $(DIRS); do \
+        (cd $$i && echo "making links in $$i..." && \
+        $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' links ) || exit 1; \
+        done;
+
+dclean:
+        rm -f *.bak
+        @for i in $(DIRS) ;\
+        do \
+        (cd $$i && echo "making dclean in $$i..." && \
+        $(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' dclean ) || exit 1; \
+        done;
+
+rehash:
+        @(OPENSSL="`pwd`/apps/openssl"; export OPENSSL; sh tools/c_rehash certs)
+
+test:   tests
+
+tests: rehash
+        @(cd test && echo "testing..." && \
+        $(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' tests );
+        @apps/openssl version -a
+
+depend:
+        @for i in $(DIRS) ;\
+        do \
+        (cd $$i && echo "making dependencies $$i..." && \
+        $(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' depend ) || exit 1; \
+        done;
+
+lint:
+        @for i in $(DIRS) ;\
+        do \
+        (cd $$i && echo "making lint $$i..." && \
+        $(MAKE) SDIRS='${SDIRS}' lint ) || exit 1; \
+        done;
+
+tags:
+        @for i in $(DIRS) ;\
+        do \
+        (cd $$i && echo "making tags $$i..." && \
+        $(MAKE) SDIRS='${SDIRS}' tags ) || exit 1; \
+        done;
+
+errors:
+        perl util/mkerr.pl -recurse -write
+
+util/libeay.num::
+        perl util/mkdef.pl crypto update
+
+util/ssleay.num::
+        perl util/mkdef.pl ssl update
+
+TABLE: Configure
+        (echo 'Output of `Configure TABLE'"':"; \
+        perl Configure TABLE) > TABLE
+
+update: depend errors util/libeay.num util/ssleay.num TABLE
+
+tar:
+        @tar --norecurse -cvf - \
+                `find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort` |\
+        tardy --user_number=0  --user_name=openssl \
+              --group_number=0 --group_name=openssl \
+              --prefix=openssl-$(VERSION) - |\
+        gzip --best >../$(TARFILE).gz; \
+        ls -l ../$(TARFILE).gz
+
+dist:   
+        $(PERL) Configure dist
+        @$(MAKE) dist_pem_h
+        @$(MAKE) SDIRS='${SDIRS}' clean
+        @$(MAKE) tar
+
+dist_pem_h:
+        (cd crypto/pem; $(MAKE) CC='${CC}' SDIRS='${SDIRS}' CFLAG='${CFLAG}' pem.h; $(MAKE) clean)
+
+install: all
+        @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
+                $(INSTALL_PREFIX)$(INSTALLTOP)/lib \
+                $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
+                $(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
+                $(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
+                $(INSTALL_PREFIX)$(OPENSSLDIR)/private \
+                $(INSTALL_PREFIX)$(OPENSSLDIR)/lib
+        @for i in $(EXHEADER) ;\
+        do \
+        (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+        chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+        done;
+        @for i in $(DIRS) ;\
+        do \
+        (cd $$i; echo "installing $$i..."; \
+        $(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}' EX_LIBS='${EX_LIBS}' SDIRS='${SDIRS}' install ); \
+        done
+        @for i in $(LIBS) ;\
+        do \
+        (       echo installing $$i; \
+                cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
+                $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
+                chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
+        done
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
diff --git a/src/lib/libssl/src/NEWS b/src/lib/libssl/src/NEWS
new file mode 100644
index 0000000000..c152b7155d
--- /dev/null
+++ b/src/lib/libssl/src/NEWS
@@ -0,0 +1,65 @@
+
+  NEWS
+  ====
+
+  This file gives a brief overview of the major changes between each OpenSSL
+  release. For more details please read the CHANGES file.
+
+  Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4:
+
+      o Transparent support for PKCS#8 format private keys: these are used
+        by several software packages and are more secure than the standard
+        form
+      o PKCS#5 v2.0 implementation
+      o Password callbacks have a new void * argument for application data
+      o Avoid various memory leaks
+      o New pipe-like BIO that allows using the SSL library when actual I/O
+        must be handled by the application (BIO pair)
+
+  Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3:
+      o Lots of enhancements and cleanups to the Configuration mechanism
+      o RSA OEAP related fixes
+      o Added `openssl ca -revoke' option for revoking a certificate
+      o Source cleanups: const correctness, type-safe stacks and ASN.1 SETs
+      o Source tree cleanups: removed lots of obsolete files
+      o Thawte SXNet, certificate policies and CRL distribution points
+        extension support
+      o Preliminary (experimental) S/MIME support
+      o Support for ASN.1 UTF8String and VisibleString
+      o Full integration of PKCS#12 code
+      o Sparc assembler bignum implementation, optimized hash functions
+      o Option to disable selected ciphers
+
+  Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b:
+      o Fixed a security hole related to session resumption
+      o Fixed RSA encryption routines for the p < q case
+      o "ALL" in cipher lists now means "everything except NULL ciphers"
+      o Support for Triple-DES CBCM cipher
+      o Support of Optimal Asymmetric Encryption Padding (OAEP) for RSA
+      o First support for new TLSv1 ciphers
+      o Added a few new BIOs (syslog BIO, reliable BIO)
+      o Extended support for DSA certificate/keys.
+      o Extended support for Certificate Signing Requests (CSR)
+      o Initial support for X.509v3 extensions
+      o Extended support for compression inside the SSL record layer
+      o Overhauled Win32 builds
+      o Cleanups and fixes to the Big Number (BN) library
+      o Support for ASN.1 GeneralizedTime
+      o Splitted ASN.1 SETs from SEQUENCEs
+      o ASN1 and PEM support for Netscape Certificate Sequences
+      o Overhauled Perl interface
+      o Lots of source tree cleanups.
+      o Lots of memory leak fixes.
+      o Lots of bug fixes.
+
+  Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c:
+      o Integration of the popular NO_RSA/NO_DSA patches
+      o Initial support for compression inside the SSL record layer
+      o Added BIO proxy and filtering functionality
+      o Extended Big Number (BN) library
+      o Added RIPE MD160 message digest
+      o Addeed support for RC2/64bit cipher
+      o Extended ASN.1 parser routines
+      o Adjustations of the source tree for CVS
+      o Support for various new platforms
+
diff --git a/src/lib/libssl/src/README.ASN1 b/src/lib/libssl/src/README.ASN1
new file mode 100644
index 0000000000..11bcfaf4dd
--- /dev/null
+++ b/src/lib/libssl/src/README.ASN1
@@ -0,0 +1,187 @@
+
+OpenSSL ASN1 Revision
+=====================
+
+This document describes some of the issues relating to the new ASN1 code.
+
+Previous OpenSSL ASN1 problems
+=============================
+
+OK why did the OpenSSL ASN1 code need revising in the first place? Well
+there are lots of reasons some of which are included below...
+
+1. The code is difficult to read and write. For every single ASN1 structure
+(e.g. SEQUENCE) four functions need to be written for new, free, encode and
+decode operations. This is a very painful and error prone operation. Very few
+people have ever written any OpenSSL ASN1 and those that have usually wish
+they hadn't.
+
+2. Partly because of 1. the code is bloated and takes up a disproportionate
+amount of space. The SEQUENCE encoder is particularly bad: it essentially
+contains two copies of the same operation, one to compute the SEQUENCE length
+and the other to encode it.
+
+3. The code is memory based: that is it expects to be able to read the whole
+structure from memory. This is fine for small structures but if you have a
+(say) 1Gb PKCS#7 signedData structure it isn't such a good idea...
+
+4. The code for the ASN1 IMPLICIT tag is evil. It is handled by temporarily
+changing the tag to the expected one, attempting to read it, then changing it
+back again. This means that decode buffers have to be writable even though they
+are ultimately unchanged. This gets in the way of constification.
+
+5. The handling of EXPLICIT isn't much better. It adds a chunk of code into 
+the decoder and encoder for every EXPLICIT tag.
+
+6. APPLICATION and PRIVATE tags aren't even supported at all.
+
+7. Even IMPLICIT isn't complete: there is no support for implicitly tagged
+types that are not OPTIONAL.
+
+8. Much of the code assumes that a tag will fit in a single octet. This is
+only true if the tag is 30 or less (mercifully tags over 30 are rare).
+
+9. The ASN1 CHOICE type has to be largely handled manually, there aren't any
+macros that properly support it.
+
+10. Encoders have no concept of OPTIONAL and have no error checking. If the
+passed structure contains a NULL in a mandatory field it will not be encoded,
+resulting in an invalid structure.
+
+11. It is tricky to add ASN1 encoders and decoders to external applications.
+
+Template model
+==============
+
+One of the major problems with revision is the sheer volume of the ASN1 code.
+Attempts to change (for example) the IMPLICIT behaviour would result in a
+modification of *every* single decode function. 
+
+I decided to adopt a template based approach. I'm using the term 'template'
+in a manner similar to SNACC templates: it has nothing to do with C++
+templates.
+
+A template is a description of an ASN1 module as several constant C structures.
+It describes in a machine readable way exactly how the ASN1 structure should
+behave. If this template contains enough detail then it is possible to write
+versions of new, free, encode, decode (and possibly others operations) that
+operate on templates.
+
+Instead of having to write code to handle each operation only a single
+template needs to be written. If new operations are needed (such as a 'print'
+operation) only a single new template based function needs to be written 
+which will then automatically handle all existing templates.
+
+Plans for revision
+==================
+
+The revision will consist of the following steps. Other than the first two
+these can be handled in any order.
+ 
+o Design and write template new, free, encode and decode operations, initially
+memory based. *DONE*
+
+o Convert existing ASN1 code to template form. *IN PROGRESS*
+
+o Convert an existing ASN1 compiler (probably SNACC) to output templates
+in OpenSSL form.
+
+o Add support for BIO based ASN1 encoders and decoders to handle large
+structures, initially blocking I/O.
+
+o Add support for non blocking I/O: this is quite a bit harder than blocking
+I/O.
+
+o Add new ASN1 structures, such as OCSP, CRMF, S/MIME v3 (CMS), attribute
+certificates etc etc.
+
+Description of major changes
+============================
+
+The BOOLEAN type now takes three values. 0xff is TRUE, 0 is FALSE and -1 is
+absent. The meaning of absent depends on the context. If for example the
+boolean type is DEFAULT FALSE (as in the case of the critical flag for
+certificate extensions) then -1 is FALSE, if DEFAULT TRUE then -1 is TRUE.
+Usually the value will only ever be read via an API which will hide this from
+an application.
+
+There is an evil bug in the old ASN1 code that mishandles OPTIONAL with
+SEQUENCE OF or SET OF. These are both implemented as a STACK structure. The
+old code would omit the structure if the STACK was NULL (which is fine) or if
+it had zero elements (which is NOT OK). This causes problems because an empty
+SEQUENCE OF or SET OF will result in an empty STACK when it is decoded but when
+it is encoded it will be omitted resulting in different encodings. The new code
+only omits the encoding if the STACK is NULL, if it contains zero elements it
+is encoded and empty. There is an additional problem though: because an empty
+STACK was omitted, sometimes the corresponding *_new() function would
+initialize the STACK to empty so an application could immediately use it, if
+this is done with the new code (i.e. a NULL) it wont work. Therefore a new
+STACK should be allocated first. One instance of this is the X509_CRL list of
+revoked certificates: a helper function X509_CRL_add0_revoked() has been added
+for this purpose.
+
+The X509_ATTRIBUTE structure used to have an element called 'set' which took
+the value 1 if the attribute value was a SET OF or 0 if it was a single. Due
+to the behaviour of CHOICE in the new code this has been changed to a field
+called 'single' which is 0 for a SET OF and 1 for single. The old field has
+been deleted to deliberately break source compatibility. Since this structure
+is normally accessed via higher level functions this shouldn't break too much.
+
+The X509_REQ_INFO certificate request info structure no longer has a field
+called 'req_kludge'. This used to be set to 1 if the attributes field was
+(incorrectly) omitted. You can check to see if the field is omitted now by
+checking if the attributes field is NULL. Similarly if you need to omit
+the field then free attributes and set it to NULL.
+
+The top level 'detached' field in the PKCS7 structure is no longer set when
+a PKCS#7 structure is read in. PKCS7_is_detached() should be called instead.
+The behaviour of PKCS7_get_detached() is unaffected.
+
+The values of 'type' in the GENERAL_NAME structure have changed. This is
+because the old code use the ASN1 initial octet as the selector. The new
+code uses the index in the ASN1_CHOICE template.
+
+The DIST_POINT_NAME structure has changed to be a true CHOICE type.
+
+typedef struct DIST_POINT_NAME_st {
+int type;
+union {
+        STACK_OF(GENERAL_NAME) *fullname;
+        STACK_OF(X509_NAME_ENTRY) *relativename;
+} name;
+} DIST_POINT_NAME;
+
+This means that name.fullname or name.relativename should be set
+and type reflects the option. That is if name.fullname is set then
+type is 0 and if name.relativename is set type is 1.
+
+With the old code using the i2d functions would typically involve:
+
+unsigned char *buf, *p;
+int len;
+/* Find length of encoding */
+len = i2d_SOMETHING(x, NULL);
+/* Allocate buffer */
+buf = OPENSSL_malloc(len);
+if(buf == NULL) {
+        /* Malloc error */
+}
+/* Use temp variable because &p gets updated to point to end of
+ * encoding.
+ */
+p = buf;
+i2d_SOMETHING(x, &p);
+
+
+Using the new i2d you can also do:
+
+unsigned char *buf = NULL;
+int len;
+len = i2d_SOMETHING(x, &buf);
+if(len < 0) {
+        /* Malloc error */
+}
+
+and it will automatically allocate and populate a buffer with the
+encoding. After this call 'buf' will point to the start of the
+encoding which is len bytes long.
diff --git a/src/lib/libssl/src/README.ENGINE b/src/lib/libssl/src/README.ENGINE
new file mode 100644
index 0000000000..3d88ed152f
--- /dev/null
+++ b/src/lib/libssl/src/README.ENGINE
@@ -0,0 +1,63 @@
+
+  ENGINE
+  ======
+
+  With OpenSSL 0.9.6, a new component has been added to support external 
+  crypto devices, for example accelerator cards.  The component is called
+  ENGINE, and has still a pretty experimental status and almost no
+  documentation.  It's designed to be faily easily extensible by the
+  calling programs.
+
+  There's currently built-in support for the following crypto devices:
+
+      o CryptoSwift
+      o Compaq Atalla
+      o nCipher CHIL
+
+  A number of things are still needed and are being worked on:
+
+      o An openssl utility command to handle or at least check available
+        engines.
+      o A better way of handling the methods that are handled by the
+        engines.
+      o Documentation!
+
+  What already exists is fairly stable as far as it has been tested, but
+  the test base has been a bit small most of the time.
+
+  Because of this experimental status and what's lacking, the ENGINE
+  component is not yet part of the default OpenSSL distribution.  However,
+  we have made a separate kit for those who want to try this out, to be
+  found in the same places as the default OpenSSL distribution, but with
+  "-engine-" being part of the kit file name.  For example, version 0.9.6
+  is distributed in the following two files:
+
+      openssl-0.9.6.tar.gz
+      openssl-engine-0.9.6.tar.gz
+
+  NOTES
+  =====
+
+  openssl-engine-0.9.6.tar.gz does not depend on openssl-0.9.6.tar, you do
+  not need to download both.
+
+  openssl-engine-0.9.6.tar.gz is usable even if you don't have an external
+  crypto device.  The internal OpenSSL functions are contained in the
+  engine "openssl", and will be used by default.
+
+  No external crypto device is chosen unless you say so.  You have actively
+  tell the openssl utility commands to use it through a new command line
+  switch called "-engine".  And if you want to use the ENGINE library to
+  do something similar, you must also explicitely choose an external crypto
+  device, or the built-in crypto routines will be used, just as in the
+  default OpenSSL distribution.
+
+
+  PROBLEMS
+  ========
+
+  It seems like the ENGINE part doesn't work too well with Cryptoswift on
+  Win32.  A quick test done right before the release showed that trying
+  "openssl speed -engine cswift" generated errors.  If the DSO gets enabled,
+  an attempt is made to write at memory address 0x00000002.
+
diff --git a/src/lib/libssl/src/VMS/TODO b/src/lib/libssl/src/VMS/TODO
new file mode 100644
index 0000000000..359e069191
--- /dev/null
+++ b/src/lib/libssl/src/VMS/TODO
@@ -0,0 +1,18 @@
+TODO:
+=====
+
+There are a few things that need to be worked out in the VMS version of
+OpenSSL, still:
+
+- Description files. ("Makefile's" :-))
+- Script code to link an already compiled build tree.
+- A VMSINSTALlable version (way in the future, unless someone else hacks).
+- shareable images (DLL for you Windows folks).
+
+There may be other things that I have missed and that may be desirable.
+Please send mail to <openssl-users@openssl.org> or to me directly if you
+have any ideas.
+
+--
+Richard Levitte <richard@levitte.org>
+1999-05-24
diff --git a/src/lib/libssl/src/VMS/WISHLIST.TXT b/src/lib/libssl/src/VMS/WISHLIST.TXT
new file mode 100644
index 0000000000..c151fc8ea7
--- /dev/null
+++ b/src/lib/libssl/src/VMS/WISHLIST.TXT
@@ -0,0 +1,4 @@
+* Have the building procedure contain a LINK-only possibility.
+  Wished by Mark Daniel <mark.daniel@dsto.defence.gov.au>
+
+  One way to enable that is also to go over to DESCRIP.MMS files.
diff --git a/src/lib/libssl/src/VMS/install.com b/src/lib/libssl/src/VMS/install.com
new file mode 100644
index 0000000000..d941392c23
--- /dev/null
+++ b/src/lib/libssl/src/VMS/install.com
@@ -0,0 +1,71 @@
+$! INSTALL.COM -- Installs the files in a given directory tree
+$!
+$! Author: Richard Levitte <richard@levitte.org>
+$! Time of creation: 23-MAY-1998 19:22
+$!
+$! P1   root of the directory tree
+$!
+$       IF P1 .EQS. ""
+$       THEN
+$           WRITE SYS$OUTPUT "First argument missing."
+$           WRITE SYS$OUTPUT "Should be the directory where you want things installed."
+$           EXIT
+$       ENDIF
+$
+$       ROOT = F$PARSE(P1,"[]A.;0",,,"SYNTAX_ONLY,NO_CONCEAL") - "A.;0"
+$       ROOT_DEV = F$PARSE(ROOT,,,"DEVICE","SYNTAX_ONLY")
+$       ROOT_DIR = F$PARSE(ROOT,,,"DIRECTORY","SYNTAX_ONLY") -
+                   - "[000000." - "][" - "[" - "]"
+$       ROOT = ROOT_DEV + "[" + ROOT_DIR
+$
+$       DEFINE/NOLOG WRK_SSLROOT 'ROOT'.] /TRANS=CONC
+$       DEFINE/NOLOG WRK_SSLVLIB WRK_SSLROOT:[VAX_LIB]
+$       DEFINE/NOLOG WRK_SSLALIB WRK_SSLROOT:[ALPHA_LIB]
+$       DEFINE/NOLOG WRK_SSLINCLUDE WRK_SSLROOT:[INCLUDE]
+$       DEFINE/NOLOG WRK_SSLVEXE WRK_SSLROOT:[VAX_EXE]
+$       DEFINE/NOLOG WRK_SSLAEXE WRK_SSLROOT:[ALPHA_EXE]
+$       DEFINE/NOLOG WRK_SSLCERTS WRK_SSLROOT:[CERTS]
+$       DEFINE/NOLOG WRK_SSLPRIVATE WRK_SSLROOT:[PRIVATE]
+$
+$       IF F$PARSE("WRK_SSLROOT:[000000]") .EQS. "" THEN -
+           CREATE/DIR/LOG WRK_SSLROOT:[000000]
+$       IF F$PARSE("WRK_SSLINCLUDE:") .EQS. "" THEN -
+           CREATE/DIR/LOG WRK_SSLINCLUDE:
+$       IF F$PARSE("WRK_SSLROOT:[VMS]") .EQS. "" THEN -
+           CREATE/DIR/LOG WRK_SSLROOT:[VMS]
+$
+$       EXHEADER := vms_idhacks.h
+$
+$       COPY 'EXHEADER' WRK_SSLINCLUDE: /LOG
+$
+$       OPEN/WRITE SF WRK_SSLROOT:[VMS]OPENSSL_STARTUP.COM
+$       WRITE SYS$OUTPUT "%OPEN-I-CREATED,  ",F$SEARCH("WRK_SSLROOT:[VMS]OPENSSL_STARTUP.COM")," created."
+$       WRITE SF "$! Startup file for Openssl 0.9.2-RL 15-Mar-1999"
+$       WRITE SF "$!"
+$       WRITE SF "$! Do not edit this file, as it will be regenerated during next installation."
+$       WRITE SF "$! Instead, add or change SSLROOT:[VMS]OPENSSL_SYSTARTUP.COM"
+$       WRITE SF "$!"
+$       WRITE SF "$! P1 a qualifier to DEFINE.  For example ""/SYSTEM"" to get the logical names"
+$       WRITE SF "$!    defined in the system logical name table."
+$       WRITE SF "$!"
+$       WRITE SF "$     ARCH = ""VAX"""
+$       WRITE SF "$     IF F$GETSYI(""CPU"") .GE. 128 THEN ARCH = ""ALPHA"""
+$       WRITE SF "$     DEFINE/NOLOG'P1 SSLROOT         ",ROOT,".] /TRANS=CONC"
+$       WRITE SF "$     DEFINE/NOLOG'P1 SSLLIB          SSLROOT:['ARCH'_LIB]"
+$       WRITE SF "$     DEFINE/NOLOG'P1 SSLINCLUDE      SSLROOT:[INCLUDE]"
+$       WRITE SF "$     DEFINE/NOLOG'P1 SSLEXE          SSLROOT:['ARCH'_EXE]"
+$       WRITE SF "$     DEFINE/NOLOG'P1 SSLCERTS        SSLROOT:[CERTS]"
+$       WRITE SF "$     DEFINE/NOLOG'P1 SSLPRIVATE      SSLROOT:[PRIVATE]"
+$       WRITE SF "$"
+$       WRITE SF "$!    This is program can include <openssl/{foo}.h>"
+$       WRITE SF "$     DEFINE/NOLOG'P1 OPENSSL         SSLINCLUDE:"
+$       WRITE SF "$"
+$       WRITE SF "$     IF F$SEARCH(""SSLROOT:[VMS]OPENSSL_SYSTARTUP.COM"") .NES."""" THEN -"
+$       WRITE SF "         @SSLROOT:[VMS]OPENSSL_SYSTARTUP.COM"
+$       WRITE SF "$"
+$       WRITE SF "$     EXIT"
+$       CLOSE SF
+$
+$       COPY OPENSSL_UTILS.COM WRK_SSLROOT:[VMS]/LOG
+$
+$       EXIT
diff --git a/src/lib/libssl/src/VMS/mkshared.com b/src/lib/libssl/src/VMS/mkshared.com
new file mode 100644
index 0000000000..afdc85bbe0
--- /dev/null
+++ b/src/lib/libssl/src/VMS/mkshared.com
@@ -0,0 +1,353 @@
+$! MKSHARED.COM -- script to created shareable images on VMS
+$!
+$! No command line parameters.  This should be run at the start of the source
+$! tree (the same directory where one finds INSTALL.VMS).
+$!
+$! Input:       [.UTIL]LIBEAY.NUM,[.AXP.EXE.CRYPTO]LIBCRYPTO.OLB
+$!              [.UTIL]SSLEAY.NUM,[.AXP.EXE.SSL]LIBSSL.OLB
+$! Output:      [.AXP.EXE.CRYPTO]LIBCRYPTO.OPT,.MAP,.EXE
+$!              [.AXP.EXE.SSL]LIBSSL.OPT,.MAP,.EXE
+$!
+$! So far, tests have only been made on VMS for Alpha.  VAX will come in time.
+$! ===========================================================================
+$
+$! ----- Prepare info for processing: version number and file info
+$ gosub read_version_info
+$ if libver .eqs. ""
+$ then
+$   write sys$error "ERROR: Couldn't find any library version info..."
+$   exit
+$ endif
+$
+$ if f$getsyi("CPU") .ge. 128
+$ then
+$   libid  = "Crypto"
+$   libnum = "[.UTIL]LIBEAY.NUM"
+$   libdir = "[.AXP.EXE.CRYPTO]"
+$   libolb = "''libdir'LIBCRYPTO.OLB"
+$   libopt = "''libdir'LIBCRYPTO.OPT"
+$   libmap = "''libdir'LIBCRYPTO.MAP"
+$   libgoal= "''libdir'LIBCRYPTO.EXE"
+$   libref = ""
+$   gosub create_axp_shr
+$   libid  = "SSL"
+$   libnum = "[.UTIL]SSLEAY.NUM"
+$   libdir = "[.AXP.EXE.SSL]"
+$   libolb = "''libdir'LIBSSL.OLB"
+$   libopt = "''libdir'LIBSSL.OPT"
+$   libmap = "''libdir'LIBSSL.MAP"
+$   libgoal= "''libdir'LIBSSL.EXE"
+$   libref = "[.AXP.EXE.CRYPTO]LIBCRYPTO.EXE"
+$   gosub create_axp_shr
+$ else
+$   libtit = "CRYPTO_TRANSFER_VECTOR"
+$   libid  = "Crypto"
+$   libnum = "[.UTIL]LIBEAY.NUM"
+$   libdir = "[.VAX.EXE.CRYPTO]"
+$   libmar = "''libdir'LIBCRYPTO.MAR"
+$   libolb = "''libdir'LIBCRYPTO.OLB"
+$   libopt = "''libdir'LIBCRYPTO.OPT"
+$   libobj = "''libdir'LIBCRYPTO.OBJ"
+$   libmap = "''libdir'LIBCRYPTO.MAP"
+$   libgoal= "''libdir'LIBCRYPTO.EXE"
+$   libref = ""
+$   libvec = "LIBCRYPTO"
+$   gosub create_vax_shr
+$   libtit = "SSL_TRANSFER_VECTOR"
+$   libid  = "SSL"
+$   libnum = "[.UTIL]SSLEAY.NUM"
+$   libdir = "[.VAX.EXE.SSL]"
+$   libmar = "''libdir'LIBSSL.MAR"
+$   libolb = "''libdir'LIBSSL.OLB"
+$   libopt = "''libdir'LIBSSL.OPT"
+$   libobj = "''libdir'LIBSSL.OBJ"
+$   libmap = "''libdir'LIBSSL.MAP"
+$   libgoal= "''libdir'LIBSSL.EXE"
+$   libref = "[.VAX.EXE.CRYPTO]LIBCRYPTO.EXE"
+$   libvec = "LIBSSL"
+$   gosub create_vax_shr
+$ endif
+$ exit
+$
+$! ----- Soubroutines to actually build the shareable libraries
+$! The way things work, there's a main shareable library creator for each
+$! supported architecture, which is called from the main code above.
+$! The creator will define a number of variables to tell the next levels of
+$! subroutines what routines to use to write to the option files, call the
+$! main processor, read_func_num, and when that is done, it will write version
+$! data at the end of the .opt file, close it, and link the library.
+$!
+$! read_func_num reads through a .num file and calls the writer routine for
+$! each line.  It's also responsible for checking that order is properly kept
+$! in the .num file, check that each line applies to VMS and the architecture,
+$! and to fill in "holes" with dummy entries.
+$!
+$! The creator routines depend on the following variables:
+$! libnum       The name of the .num file to use as input
+$! libolb       The name of the object library to build from
+$! libid        The identification string of the shareable library
+$! libopt       The name of the .opt file to write
+$! libtit       The title of the assembler transfer vector file (VAX only)
+$! libmar       The name of the assembler transfer vector file (VAX only)
+$! libmap       The name of the map file to write
+$! libgoal      The name of the shareable library to write
+$! libref       The name of a shareable library to link in
+$!
+$! read_func_num depends on the following variables from the creator:
+$! libwriter    The name of the writer routine to call for each .num file line
+$! -----
+$
+$! ----- Subroutines for AXP
+$! -----
+$! The creator routine
+$ create_axp_shr:
+$   open/write opt 'libopt'
+$   write opt "identification=""",libid," ",libverstr,""""
+$   write opt libolb,"/lib"
+$   if libref .nes. "" then write opt libref,"/SHARE"
+$   write opt "SYMBOL_VECTOR=(-"
+$   libfirstentry := true
+$   libwrch   := opt
+$   libwriter := write_axp_transfer_entry
+$   textcount = 0
+$   gosub read_func_num
+$   write opt ")"
+$   write opt "GSMATCH=",libvmatch,",",libver
+$   close opt
+$   link/map='libmap'/full/share='libgoal' 'libopt'/option
+$   return
+$
+$! The record writer routine
+$ write_axp_transfer_entry:
+$   if libentry .eqs. ".dummy" then return
+$   if info_kind .eqs. "VARIABLE"
+$   then
+$     pr:=DATA
+$   else
+$     pr:=PROCEDURE
+$   endif
+$   textcount_this = f$length(pr) + f$length(libentry) + 5
+$   if textcount + textcount_this .gt. 1024
+$   then
+$     write opt ")"
+$     write opt "SYMBOL_VECTOR=(-"
+$     textcount = 16
+$     libfirstentry := true
+$   endif
+$   if libfirstentry
+$   then
+$     write 'libwrch' "    ",libentry,"=",pr," -"
+$   else
+$     write 'libwrch' "    ,",libentry,"=",pr," -"
+$   endif
+$   libfirstentry := false
+$   textcount = textcount + textcount_this
+$   return
+$
+$! ----- Subroutines for AXP
+$! -----
+$! The creator routine
+$ create_vax_shr:
+$   open/write mar 'libmar'
+$   type sys$input:/out=mar:
+;
+; Transfer vector for VAX shareable image
+;
+$   write mar " .TITLE ",libtit
+$   write mar " .IDENT /",libid,"/"
+$   type sys$input:/out=mar:
+;
+; Define macro to assist in building transfer vector entries.  Each entry
+; should take no more than 8 bytes.
+;
+        .MACRO FTRANSFER_ENTRY routine
+        .ALIGN QUAD
+        .TRANSFER routine
+        .MASK   routine
+        JMP     routine+2
+        .ENDM FTRANSFER_ENTRY
+;
+; Place entries in own program section.
+;
+$   write mar " .PSECT $$",libvec,",QUAD,PIC,USR,CON,REL,LCL,SHR,EXE,RD,NOWRT"
+$   write mar libvec,"_xfer:"
+$   libwrch   := mar
+$   libwriter := write_vax_ftransfer_entry
+$   gosub read_func_num
+$   type sys$input:/out=mar:
+;
+; Allocate extra storage at end of vector to allow for expansion.
+;
+$   write mar " .BLKB 32768-<.-",libvec,"_xfer> ; 64 pages total."
+$!   libwriter := write_vax_vtransfer_entry
+$!   gosub read_func_num
+$   write mar " .END"
+$   close mar
+$   open/write opt 'libopt'
+$   write opt "identification=""",libid," ",libverstr,""""
+$   write opt libobj
+$   write opt libolb,"/lib"
+$   if libref .nes. "" then write opt libref,"/SHARE"
+$   type sys$input:/out=opt:
+!
+! Ensure transfer vector is at beginning of image
+!
+CLUSTER=FIRST
+$   write opt "COLLECT=FIRST,$$",libvec
+$   write opt "GSMATCH=",libvmatch,",",libver
+$   type sys$input:/out=opt:
+!
+! make psects nonshareable so image can be installed.
+!
+PSECT_ATTR=$CHAR_STRING_CONSTANTS,NOWRT
+$   libwrch   := opt
+$   libwriter := write_vax_psect_attr
+$   gosub read_func_num
+$   close opt
+$   macro/obj='libobj' 'libmar'
+$   link/map='libmap'/full/share='libgoal' 'libopt'/option
+$   return
+$
+$! The record writer routine for VAX functions
+$ write_vax_ftransfer_entry:
+$   if info_kind .nes. "FUNCTION" then return
+$   if libentry .eqs ".dummy"
+$   then
+$     write 'libwrch' " .BLKB 8" ! Dummy is zeroes...
+$   else
+$     write 'libwrch' " FTRANSFER_ENTRY ",libentry
+$   endif
+$   return
+$! The record writer routine for VAX variables (should never happen!)
+$ write_vax_psect_attr:
+$   if info_kind .nes. "VARIABLE" then return
+$   if libentry .eqs ".dummy" then return
+$   write 'libwrch' "PSECT_ATTR=",libentry,",NOSHR"
+$   return
+$
+$! ----- Common subroutines
+$! -----
+$! The .num file reader.  This one has great responsability.
+$ read_func_num:
+$   open libnum 'libnum'
+$   goto read_nums
+$
+$ read_nums:
+$   libentrynum=0
+$   liblastentry:=false
+$   entrycount=0
+$   loop:
+$     read/end=loop_end/err=loop_end libnum line
+$     entrynum=f$int(f$element(1," ",f$edit(line,"COMPRESS,TRIM")))
+$     entryinfo=f$element(2," ",f$edit(line,"COMPRESS,TRIM"))
+$     curentry=f$element(0," ",f$edit(line,"COMPRESS,TRIM"))
+$     info_exist=f$element(0,":",entryinfo)
+$     info_platforms=","+f$element(1,":",entryinfo)+","
+$     info_kind=f$element(2,":",entryinfo)
+$     info_algorithms=","+f$element(3,":",entryinfo)+","
+$     if info_exist .eqs. "NOEXIST" then goto loop
+$     truesum = 0
+$     falsesum = 0
+$     negatives = 1
+$     plat_i = 0
+$     loop1:
+$       plat_entry = f$element(plat_i,",",info_platforms)
+$       plat_i = plat_i + 1
+$       if plat_entry .eqs. "" then goto loop1
+$       if plat_entry .nes. ","
+$       then
+$         if f$extract(0,1,plat_entry) .nes. "!" then negatives = 0
+$         if f$getsyi("CPU") .lt. 128
+$         then
+$           if plat_entry .eqs. "EXPORT_VAR_AS_FUNCTION" then -
+$             truesum = truesum + 1
+$           if plat_entry .eqs. "!EXPORT_VAR_AS_FUNCTION" then -
+$             falsesum = falsesum + 1
+$         endif
+$         if plat_entry .eqs. "VMS" then truesum = truesum + 1
+$         if plat_entry .eqs. "!VMS" then falsesum = falsesum + 1
+$         goto loop1
+$       endif
+$     endloop1:
+$!DEBUG!$     if info_platforms - "EXPORT_VAR_AS_FUNCTION" .nes. info_platforms
+$!DEBUG!$     then
+$!DEBUG!$       write sys$output line
+$!DEBUG!$       write sys$output "        truesum = ",truesum,-
+$!DEBUG!                ", negatives = ",negatives,", falsesum = ",falsesum
+$!DEBUG!$     endif
+$     if falsesum .ne. 0 then goto loop
+$     if truesum+negatives .eq. 0 then goto loop
+$     alg_i = 0
+$     loop2:
+$       alg_entry = f$element(alg_i,",",info_algorithms)
+$       alg_i = alg_i + 1
+$       if alg_entry .eqs. "" then goto loop2
+$       if alg_entry .nes. ","
+$       then
+$         if alg_entry .eqs. "KRB5" then goto loop ! Special for now
+$         if f$trnlnm("OPENSSL_NO_"+alg_entry) .nes. "" then goto loop
+$         goto loop2
+$       endif
+$     endloop2:
+$     if info_platforms - "EXPORT_VAR_AS_FUNCTION" .nes. info_platforms
+$     then
+$!DEBUG!$     write sys$output curentry," ; ",entrynum," ; ",entryinfo
+$     endif
+$   redo:
+$     next:=loop
+$     tolibentry=curentry
+$     if libentrynum .ne. entrynum
+$     then
+$       entrycount=entrycount+1
+$       if entrycount .lt. entrynum
+$       then
+$!DEBUG!$         write sys$output "Info: entrycount: ''entrycount', entrynum: ''entrynum' => 0"
+$         tolibentry=".dummy"
+$         next:=redo
+$       endif
+$       if entrycount .gt. entrynum
+$       then
+$         write sys$error "Decreasing library entry numbers!  Can't continue"
+$         write sys$error """",line,""""
+$         close libnum
+$         return
+$       endif
+$       libentry=tolibentry
+$!DEBUG!$       write sys$output entrycount," ",libentry," ",entryinfo
+$       if libentry .nes. "" .and. libwriter .nes. "" then gosub 'libwriter'
+$     else
+$       write sys$error "Info: ""''curentry'"" is an alias for ""''libentry'"".  Overriding..."
+$     endif
+$     libentrynum=entrycount
+$     goto 'next'
+$   loop_end:
+$   close libnum
+$   return
+$
+$! The version number reader
+$ read_version_info:
+$   libver = ""
+$   open/read vf [.CRYPTO]OPENSSLV.H
+$   loop_rvi:
+$     read/err=endloop_rvi/end=endloop_rvi vf rvi_line
+$     if rvi_line - "SHLIB_VERSION_NUMBER """ .eqs. rvi_line then -
+        goto loop_rvi
+$     libverstr = f$element(1,"""",rvi_line)
+$     libvmajor = f$element(0,".",libverstr)
+$     libvminor = f$element(1,".",libverstr)
+$     libvedit = f$element(2,".",libverstr)
+$     libvpatch = f$cvui(0,8,f$extract(1,1,libvedit)+"@")-f$cvui(0,8,"@")
+$     libvedit = f$extract(0,1,libvedit)
+$     libver = f$string(f$int(libvmajor)*100)+","+-
+        f$string(f$int(libvminor)*100+f$int(libvedit)*10+f$int(libvpatch))
+$     if libvmajor .eqs. "0"
+$     then
+$       libvmatch = "EQUAL"
+$     else
+$       ! Starting with the 1.0 release, backward compatibility should be
+$       ! kept, so switch over to the following
+$       libvmatch = "LEQUAL"
+$     endif
+$   endloop_rvi:
+$   close vf
+$   return
diff --git a/src/lib/libssl/src/VMS/multinet_shr.opt b/src/lib/libssl/src/VMS/multinet_shr.opt
new file mode 100644
index 0000000000..610f42dddb
--- /dev/null
+++ b/src/lib/libssl/src/VMS/multinet_shr.opt
@@ -0,0 +1 @@
+multinet:multinet_socket_library.exe/share
diff --git a/src/lib/libssl/src/VMS/openssl_utils.com b/src/lib/libssl/src/VMS/openssl_utils.com
new file mode 100644
index 0000000000..ddc107394f
--- /dev/null
+++ b/src/lib/libssl/src/VMS/openssl_utils.com
@@ -0,0 +1,38 @@
+$!
+$!  APPS.COM
+$!  Written By:  Robert Byer
+$!               Vice-President
+$!               A-Com Computing, Inc.
+$!               byer@mail.all-net.net
+$!
+$!
+$! Slightly modified by Richard Levitte <richard@levitte.org>
+$!
+$ OPENSSL  :== $SSLEXE:OPENSSL
+$ VERIFY   :== $SSLEXE:OPENSSL VERIFY
+$ ASN1PARSE:== $SSLEXE:OPENSSL ASN1PARS
+$ REQ      :== $SSLEXE:OPENSSL REQ
+$ DGST     :== $SSLEXE:OPENSSL DGST
+$ DH       :== $SSLEXE:OPENSSL DH
+$ ENC      :== $SSLEXE:OPENSSL ENC
+$ GENDH    :== $SSLEXE:OPENSSL GENDH
+$ ERRSTR   :== $SSLEXE:OPENSSL ERRSTR
+$ CA       :== $SSLEXE:OPENSSL CA
+$ CRL      :== $SSLEXE:OPENSSL CRL
+$ RSA      :== $SSLEXE:OPENSSL RSA
+$ DSA      :== $SSLEXE:OPENSSL DSA
+$ DSAPARAM :== $SSLEXE:OPENSSL DSAPARAM
+$ X509     :== $SSLEXE:OPENSSL X509
+$ GENRSA   :== $SSLEXE:OPENSSL GENRSA
+$ GENDSA   :== $SSLEXE:OPENSSL GENDSA
+$ S_SERVER :== $SSLEXE:OPENSSL S_SERVER
+$ S_CLIENT :== $SSLEXE:OPENSSL S_CLIENT
+$ SPEED    :== $SSLEXE:OPENSSL SPEED
+$ S_TIME   :== $SSLEXE:OPENSSL S_TIME
+$ VERSION  :== $SSLEXE:OPENSSL VERSION
+$ PKCS7    :== $SSLEXE:OPENSSL PKCS7
+$ CRL2PKCS7:== $SSLEXE:OPENSSL CRL2P7
+$ SESS_ID  :== $SSLEXE:OPENSSL SESS_ID
+$ CIPHERS  :== $SSLEXE:OPENSSL CIPHERS
+$ NSEQ     :== $SSLEXE:OPENSSL NSEQ
+$ PKCS12   :== $SSLEXE:OPENSSL PKCS12
diff --git a/src/lib/libssl/src/VMS/socketshr_shr.opt b/src/lib/libssl/src/VMS/socketshr_shr.opt
new file mode 100644
index 0000000000..f6e3131626
--- /dev/null
+++ b/src/lib/libssl/src/VMS/socketshr_shr.opt
@@ -0,0 +1 @@
+socketshr/share
diff --git a/src/lib/libssl/src/VMS/test-includes.com b/src/lib/libssl/src/VMS/test-includes.com
new file mode 100644
index 0000000000..c1d7ccd0ee
--- /dev/null
+++ b/src/lib/libssl/src/VMS/test-includes.com
@@ -0,0 +1,28 @@
+$! Quick script to check how well including individual header files works
+$! on VMS, even when the VMS macro isn't defined.
+$
+$       sav_def = f$env("DEFAULT")
+$       here = f$parse("A.;0",f$ENV("PROCEDURE")) - "A.;0"
+$       set default 'here'
+$       set default [-.include.openssl]
+$       define openssl 'f$env("DEFAULT")'
+$       set default [--]
+$
+$ loop:
+$       f = f$search("openssl:*.h")
+$       if f .eqs. "" then goto loop_end
+$       write sys$output "Checking ",f
+$       open/write foo foo.c
+$       write foo "#undef VMS"
+$       write foo "#include <stdio.h>"
+$       write foo "#include <openssl/",f$parse(f,,,"NAME"),".h>"
+$       write foo "main()"
+$       write foo "{printf(""foo\n"");}"
+$       close foo
+$       cc/STANDARD=ANSI89/NOLIST/PREFIX=ALL foo.c
+$       delete foo.c;
+$       goto loop
+$ loop_end:
+$       set default 'save_def'
+$       exit
+
diff --git a/src/lib/libssl/src/VMS/ucx_shr_decc.opt b/src/lib/libssl/src/VMS/ucx_shr_decc.opt
new file mode 100644
index 0000000000..28d84f4af6
--- /dev/null
+++ b/src/lib/libssl/src/VMS/ucx_shr_decc.opt
@@ -0,0 +1 @@
+sys$share:ucx$ipc_shr.exe/share
diff --git a/src/lib/libssl/src/VMS/ucx_shr_decc_log.opt b/src/lib/libssl/src/VMS/ucx_shr_decc_log.opt
new file mode 100644
index 0000000000..c9d9a96d09
--- /dev/null
+++ b/src/lib/libssl/src/VMS/ucx_shr_decc_log.opt
@@ -0,0 +1 @@
+ucx$ipc_shr/share
diff --git a/src/lib/libssl/src/VMS/ucx_shr_vaxc.opt b/src/lib/libssl/src/VMS/ucx_shr_vaxc.opt
new file mode 100644
index 0000000000..86bfaf0d07
--- /dev/null
+++ b/src/lib/libssl/src/VMS/ucx_shr_vaxc.opt
@@ -0,0 +1 @@
+sys$library:ucx$ipc.olb/library
diff --git a/src/lib/libssl/src/apps/CA.com b/src/lib/libssl/src/apps/CA.com
new file mode 100644
index 0000000000..f324788eca
--- /dev/null
+++ b/src/lib/libssl/src/apps/CA.com
@@ -0,0 +1,200 @@
+$! CA - wrapper around ca to make it easier to use ... basically ca requires
+$!      some setup stuff to be done before you can use it and this makes
+$!      things easier between now and when Eric is convinced to fix it :-)
+$!
+$! CA -newca ... will setup the right stuff
+$! CA -newreq ... will generate a certificate request 
+$! CA -sign ... will sign the generated request and output 
+$!
+$! At the end of that grab newreq.pem and newcert.pem (one has the key 
+$! and the other the certificate) and cat them together and that is what
+$! you want/need ... I'll make even this a little cleaner later.
+$!
+$!
+$! 12-Jan-96 tjh    Added more things ... including CA -signcert which
+$!                  converts a certificate to a request and then signs it.
+$! 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
+$!                 environment variable so this can be driven from
+$!                 a script.
+$! 25-Jul-96 eay    Cleaned up filenames some more.
+$! 11-Jun-96 eay    Fixed a few filename missmatches.
+$! 03-May-96 eay    Modified to use 'openssl cmd' instead of 'cmd'.
+$! 18-Apr-96 tjh    Original hacking
+$!
+$! Tim Hudson
+$! tjh@cryptsoft.com
+$!
+$!
+$! default ssleay.cnf file has setup as per the following
+$! demoCA ... where everything is stored
+$
+$ IF F$TYPE(SSLEAY_CONFIG) .EQS. "" THEN SSLEAY_CONFIG := SSLLIB:SSLEAY.CNF
+$
+$ DAYS   = "-days 365"
+$ REQ    = openssl + " req " + SSLEAY_CONFIG
+$ CA     = openssl + " ca " + SSLEAY_CONFIG
+$ VERIFY = openssl + " verify"
+$ X509   = openssl + " x509"
+$ echo   = "write sys$Output"
+$!
+$ s = F$PARSE(F$ENVIRONMENT("DEFAULT"),"[]") - "].;"
+$ CATOP  := 's'.demoCA
+$ CAKEY  := ]cakey.pem
+$ CACERT := ]cacert.pem
+$
+$ __INPUT := SYS$COMMAND
+$ RET = 1
+$!
+$ i = 1
+$opt_loop:
+$ if i .gt. 8 then goto opt_loop_end
+$
+$ prog_opt = F$EDIT(P'i',"lowercase")
+$
+$ IF (prog_opt .EQS. "?" .OR. prog_opt .EQS. "-h" .OR. prog_opt .EQS. "-help") 
+$ THEN
+$   echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" 
+$   exit
+$ ENDIF
+$!
+$ IF (prog_opt .EQS. "-input")
+$ THEN
+$   ! Get input from somewhere other than SYS$COMMAND
+$   i = i + 1
+$   __INPUT = P'i'
+$   GOTO opt_loop_continue
+$ ENDIF
+$!
+$ IF (prog_opt .EQS. "-newcert")
+$ THEN
+$   ! Create a certificate.
+$   DEFINE/USER SYS$INPUT '__INPUT'
+$   REQ -new -x509 -keyout newreq.pem -out newreq.pem 'DAYS'
+$   RET=$STATUS
+$   echo "Certificate (and private key) is in newreq.pem"
+$   GOTO opt_loop_continue
+$ ENDIF
+$!
+$ IF (prog_opt .EQS. "-newreq")
+$ THEN
+$   ! Create a certificate request
+$   DEFINE/USER SYS$INPUT '__INPUT'
+$   REQ -new -keyout newreq.pem -out newreq.pem 'DAYS'
+$   RET=$STATUS
+$   echo "Request (and private key) is in newreq.pem"
+$   GOTO opt_loop_continue
+$ ENDIF
+$!
+$ IF (prog_opt .EQS. "-newca")
+$ THEN
+$   ! If explicitly asked for or it doesn't exist then setup the directory
+$   ! structure that Eric likes to manage things.
+$   IF F$SEARCH(CATOP+"]serial.") .EQS. ""
+$   THEN
+$     CREATE /DIR /PROTECTION=OWNER:RWED 'CATOP']
+$     CREATE /DIR /PROTECTION=OWNER:RWED 'CATOP'.certs]
+$     CREATE /DIR /PROTECTION=OWNER:RWED 'CATOP'.crl]
+$     CREATE /DIR /PROTECTION=OWNER:RWED 'CATOP'.newcerts]
+$     CREATE /DIR /PROTECTION=OWNER:RWED 'CATOP'.private]
+$     OPEN   /WRITE ser_file 'CATOP']serial. 
+$     WRITE ser_file "01"
+$     CLOSE ser_file
+$     APPEND/NEW NL: 'CATOP']index.txt
+$   ENDIF
+$!
+$   IF F$SEARCH(CATOP+".private"+CAKEY) .EQS. ""
+$   THEN
+$     READ '__INPUT' FILE -
+           /PROMT="CA certificate filename (or enter to create)"
+$     IF F$SEARCH(FILE) .NES. ""
+$     THEN
+$       COPY 'FILE' 'CATOP'.private'CAKEY'
+$       RET=$STATUS
+$     ELSE
+$       echo "Making CA certificate ..."
+$       DEFINE/USER SYS$INPUT '__INPUT'
+$       REQ -new -x509 -keyout 'CATOP'.private'CAKEY' -
+                       -out 'CATOP''CACERT' 'DAYS'
+$       RET=$STATUS
+$     ENDIF
+$   ENDIF
+$   GOTO opt_loop_continue
+$ ENDIF
+$!
+$ IF (prog_opt .EQS. "-xsign")
+$ THEN
+$!
+$   DEFINE/USER SYS$INPUT '__INPUT'
+$   CA -policy policy_anything -infiles newreq.pem
+$   RET=$STATUS
+$   GOTO opt_loop_continue
+$ ENDIF
+$!
+$ IF ((prog_opt .EQS. "-sign") .OR. (prog_opt .EQS. "-signreq"))
+$ THEN
+$!   
+$   DEFINE/USER SYS$INPUT '__INPUT'
+$   CA -policy policy_anything -out newcert.pem -infiles newreq.pem
+$   RET=$STATUS
+$   type newcert.pem
+$   echo "Signed certificate is in newcert.pem"
+$   GOTO opt_loop_continue
+$ ENDIF
+$!
+$ IF (prog_opt .EQS. "-signcert")
+$  THEN
+$!   
+$   echo "Cert passphrase will be requested twice - bug?"
+$   DEFINE/USER SYS$INPUT '__INPUT'
+$   X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
+$   DEFINE/USER SYS$INPUT '__INPUT'
+$   CA -policy policy_anything -out newcert.pem -infiles tmp.pem
+y
+y
+$   type newcert.pem
+$   echo "Signed certificate is in newcert.pem"
+$   GOTO opt_loop_continue
+$ ENDIF
+$!
+$ IF (prog_opt .EQS. "-verify")
+$ THEN
+$!   
+$   i = i + 1
+$   IF (p'i' .EQS. "")
+$   THEN
+$     DEFINE/USER SYS$INPUT '__INPUT'
+$     VERIFY "-CAfile" 'CATOP''CACERT' newcert.pem
+$   ELSE
+$     j = i
+$    verify_opt_loop:
+$     IF j .GT. 8 THEN GOTO verify_opt_loop_end
+$     IF p'j' .NES. ""
+$     THEN 
+$       DEFINE/USER SYS$INPUT '__INPUT'
+$       __tmp = p'j'
+$       VERIFY "-CAfile" 'CATOP''CACERT' '__tmp'
+$       tmp=$STATUS
+$       IF tmp .NE. 0 THEN RET=tmp
+$     ENDIF
+$     j = j + 1
+$     GOTO verify_opt_loop
+$    verify_opt_loop_end:
+$   ENDIF
+$   
+$   GOTO opt_loop_end
+$ ENDIF
+$!
+$ IF (prog_opt .NES. "")
+$ THEN
+$!   
+$   echo "Unknown argument ''prog_opt'"
+$   
+$   EXIT 3
+$ ENDIF
+$
+$opt_loop_continue:
+$ i = i + 1
+$ GOTO opt_loop
+$
+$opt_loop_end:
+$ EXIT 'RET'
diff --git a/src/lib/libssl/src/apps/CA.pl b/src/lib/libssl/src/apps/CA.pl
new file mode 100644
index 0000000000..7c023ae71f
--- /dev/null
+++ b/src/lib/libssl/src/apps/CA.pl
@@ -0,0 +1,153 @@
+#!/usr/local/bin/perl
+#
+# CA - wrapper around ca to make it easier to use ... basically ca requires
+#      some setup stuff to be done before you can use it and this makes
+#      things easier between now and when Eric is convinced to fix it :-)
+#
+# CA -newca ... will setup the right stuff
+# CA -newreq ... will generate a certificate request 
+# CA -sign ... will sign the generated request and output 
+#
+# At the end of that grab newreq.pem and newcert.pem (one has the key 
+# and the other the certificate) and cat them together and that is what
+# you want/need ... I'll make even this a little cleaner later.
+#
+#
+# 12-Jan-96 tjh    Added more things ... including CA -signcert which
+#                  converts a certificate to a request and then signs it.
+# 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
+#                  environment variable so this can be driven from
+#                  a script.
+# 25-Jul-96 eay    Cleaned up filenames some more.
+# 11-Jun-96 eay    Fixed a few filename missmatches.
+# 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
+# 18-Apr-96 tjh    Original hacking
+#
+# Tim Hudson
+# tjh@cryptsoft.com
+#
+
+# 27-Apr-98 snh    Translation into perl, fix existing CA bug.
+#
+#
+# Steve Henson
+# shenson@bigfoot.com
+
+# default openssl.cnf file has setup as per the following
+# demoCA ... where everything is stored
+
+$DAYS="-days 365";
+$REQ="openssl req $SSLEAY_CONFIG";
+$CA="openssl ca $SSLEAY_CONFIG";
+$VERIFY="openssl verify";
+$X509="openssl x509";
+
+$CATOP="./demoCA";
+$CAKEY="cakey.pem";
+$CACERT="cacert.pem";
+
+$DIRMODE = 0777;
+
+$RET = 0;
+
+foreach (@ARGV) {
+        if ( /^(-\?|-h|-help)$/ ) {
+            print STDERR "usage: CA -newcert|-newreq|-newca|-sign|-verify\n";
+            exit 0;
+        } elsif (/^-newcert$/) {
+            # create a certificate
+            system ("$REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS");
+            $RET=$?;
+            print "Certificate (and private key) is in newreq.pem\n"
+        } elsif (/^-newreq$/) {
+            # create a certificate request
+            system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS");
+            $RET=$?;
+            print "Request (and private key) is in newreq.pem\n";
+        } elsif (/^-newca$/) {
+                # if explictly asked for or it doesn't exist then setup the
+                # directory structure that Eric likes to manage things 
+            $NEW="1";
+            if ( "$NEW" || ! -f "${CATOP}/serial" ) {
+                # create the directory hierarchy
+                mkdir $CATOP, $DIRMODE;
+                mkdir "${CATOP}/certs", $DIRMODE;
+                mkdir "${CATOP}/crl", $DIRMODE ;
+                mkdir "${CATOP}/newcerts", $DIRMODE;
+                mkdir "${CATOP}/private", $DIRMODE;
+                open OUT, ">${CATOP}/serial";
+                print OUT "01\n";
+                close OUT;
+                open OUT, ">${CATOP}/index.txt";
+                close OUT;
+            }
+            if ( ! -f "${CATOP}/private/$CAKEY" ) {
+                print "CA certificate filename (or enter to create)\n";
+                $FILE = <STDIN>;
+
+                chop $FILE;
+
+                # ask user for existing CA certificate
+                if ($FILE) {
+                    cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
+                    cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
+                    $RET=$?;
+                } else {
+                    print "Making CA certificate ...\n";
+                    system ("$REQ -new -x509 -keyout " .
+                        "${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS");
+                    $RET=$?;
+                }
+            }
+        } elsif (/^-xsign$/) {
+            system ("$CA -policy policy_anything -infiles newreq.pem");
+            $RET=$?;
+        } elsif (/^(-sign|-signreq)$/) {
+            system ("$CA -policy policy_anything -out newcert.pem " .
+                                                        "-infiles newreq.pem");
+            $RET=$?;
+            print "Signed certificate is in newcert.pem\n";
+        } elsif (/^-signcert$/) {
+            system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " .
+                                                                "-out tmp.pem");
+            system ("$CA -policy policy_anything -out newcert.pem " .
+                                                        "-infiles tmp.pem");
+            $RET = $?;
+            print "Signed certificate is in newcert.pem\n";
+        } elsif (/^-verify$/) {
+            if (shift) {
+                foreach $j (@ARGV) {
+                    system ("$VERIFY -CAfile $CATOP/$CACERT $j");
+                    $RET=$? if ($? != 0);
+                }
+                exit $RET;
+            } else {
+                    system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem");
+                    $RET=$?;
+                    exit 0;
+            }
+        } else {
+            print STDERR "Unknown arg $_\n";
+            print STDERR "usage: CA -newcert|-newreq|-newca|-sign|-verify\n";
+            exit 1;
+        }
+}
+
+exit $RET;
+
+sub cp_pem {
+my ($infile, $outfile, $bound) = @_;
+open IN, $infile;
+open OUT, ">$outfile";
+my $flag = 0;
+while (<IN>) {
+        $flag = 1 if (/^-----BEGIN.*$bound/) ;
+        print OUT $_ if ($flag);
+        if (/^-----END.*$bound/) {
+                close IN;
+                close OUT;
+                return;
+        }
+}
+}
+
diff --git a/src/lib/libssl/src/apps/CA.pl.in b/src/lib/libssl/src/apps/CA.pl.in
new file mode 100644
index 0000000000..4eef57e6e3
--- /dev/null
+++ b/src/lib/libssl/src/apps/CA.pl.in
@@ -0,0 +1,162 @@
+#!/usr/local/bin/perl
+#
+# CA - wrapper around ca to make it easier to use ... basically ca requires
+#      some setup stuff to be done before you can use it and this makes
+#      things easier between now and when Eric is convinced to fix it :-)
+#
+# CA -newca ... will setup the right stuff
+# CA -newreq ... will generate a certificate request 
+# CA -sign ... will sign the generated request and output 
+#
+# At the end of that grab newreq.pem and newcert.pem (one has the key 
+# and the other the certificate) and cat them together and that is what
+# you want/need ... I'll make even this a little cleaner later.
+#
+#
+# 12-Jan-96 tjh    Added more things ... including CA -signcert which
+#                  converts a certificate to a request and then signs it.
+# 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
+#                  environment variable so this can be driven from
+#                  a script.
+# 25-Jul-96 eay    Cleaned up filenames some more.
+# 11-Jun-96 eay    Fixed a few filename missmatches.
+# 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
+# 18-Apr-96 tjh    Original hacking
+#
+# Tim Hudson
+# tjh@cryptsoft.com
+#
+
+# 27-Apr-98 snh    Translation into perl, fix existing CA bug.
+#
+#
+# Steve Henson
+# shenson@bigfoot.com
+
+# default openssl.cnf file has setup as per the following
+# demoCA ... where everything is stored
+
+$DAYS="-days 365";
+$REQ="openssl req $SSLEAY_CONFIG";
+$CA="openssl ca $SSLEAY_CONFIG";
+$VERIFY="openssl verify";
+$X509="openssl x509";
+$PKCS12="openssl pkcs12";
+
+$CATOP="./demoCA";
+$CAKEY="cakey.pem";
+$CACERT="cacert.pem";
+
+$DIRMODE = 0777;
+
+$RET = 0;
+
+foreach (@ARGV) {
+        if ( /^(-\?|-h|-help)$/ ) {
+            print STDERR "usage: CA -newcert|-newreq|-newca|-sign|-verify\n";
+            exit 0;
+        } elsif (/^-newcert$/) {
+            # create a certificate
+            system ("$REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS");
+            $RET=$?;
+            print "Certificate (and private key) is in newreq.pem\n"
+        } elsif (/^-newreq$/) {
+            # create a certificate request
+            system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS");
+            $RET=$?;
+            print "Request (and private key) is in newreq.pem\n";
+        } elsif (/^-newca$/) {
+                # if explicitly asked for or it doesn't exist then setup the
+                # directory structure that Eric likes to manage things 
+            $NEW="1";
+            if ( "$NEW" || ! -f "${CATOP}/serial" ) {
+                # create the directory hierarchy
+                mkdir $CATOP, $DIRMODE;
+                mkdir "${CATOP}/certs", $DIRMODE;
+                mkdir "${CATOP}/crl", $DIRMODE ;
+                mkdir "${CATOP}/newcerts", $DIRMODE;
+                mkdir "${CATOP}/private", $DIRMODE;
+                open OUT, ">${CATOP}/serial";
+                print OUT "01\n";
+                close OUT;
+                open OUT, ">${CATOP}/index.txt";
+                close OUT;
+            }
+            if ( ! -f "${CATOP}/private/$CAKEY" ) {
+                print "CA certificate filename (or enter to create)\n";
+                $FILE = <STDIN>;
+
+                chop $FILE;
+
+                # ask user for existing CA certificate
+                if ($FILE) {
+                    cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
+                    cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
+                    $RET=$?;
+                } else {
+                    print "Making CA certificate ...\n";
+                    system ("$REQ -new -x509 -keyout " .
+                        "${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS");
+                    $RET=$?;
+                }
+            }
+        } elsif (/^-pkcs12$/) {
+            my $cname = $ARGV[1];
+            $cname = "My Certificate" unless defined $cname;
+            system ("$PKCS12 -in newcert.pem -inkey newreq.pem " .
+                        "-certfile ${CATOP}/$CACERT -out newcert.p12 " .
+                        "-export -name \"$cname\"");
+            $RET=$?;
+            exit $RET;
+        } elsif (/^-xsign$/) {
+            system ("$CA -policy policy_anything -infiles newreq.pem");
+            $RET=$?;
+        } elsif (/^(-sign|-signreq)$/) {
+            system ("$CA -policy policy_anything -out newcert.pem " .
+                                                        "-infiles newreq.pem");
+            $RET=$?;
+            print "Signed certificate is in newcert.pem\n";
+        } elsif (/^-signcert$/) {
+            system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " .
+                                                                "-out tmp.pem");
+            system ("$CA -policy policy_anything -out newcert.pem " .
+                                                        "-infiles tmp.pem");
+            $RET = $?;
+            print "Signed certificate is in newcert.pem\n";
+        } elsif (/^-verify$/) {
+            if (shift) {
+                foreach $j (@ARGV) {
+                    system ("$VERIFY -CAfile $CATOP/$CACERT $j");
+                    $RET=$? if ($? != 0);
+                }
+                exit $RET;
+            } else {
+                    system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem");
+                    $RET=$?;
+                    exit 0;
+            }
+        } else {
+            print STDERR "Unknown arg $_\n";
+            print STDERR "usage: CA -newcert|-newreq|-newca|-sign|-verify\n";
+            exit 1;
+        }
+}
+
+exit $RET;
+
+sub cp_pem {
+my ($infile, $outfile, $bound) = @_;
+open IN, $infile;
+open OUT, ">$outfile";
+my $flag = 0;
+while (<IN>) {
+        $flag = 1 if (/^-----BEGIN.*$bound/) ;
+        print OUT $_ if ($flag);
+        if (/^-----END.*$bound/) {
+                close IN;
+                close OUT;
+                return;
+        }
+}
+}
+
diff --git a/src/lib/libssl/src/apps/app_rand.c b/src/lib/libssl/src/apps/app_rand.c
new file mode 100644
index 0000000000..f7f133831d
--- /dev/null
+++ b/src/lib/libssl/src/apps/app_rand.c
@@ -0,0 +1,211 @@
+/* apps/app_rand.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/rand.h>
+
+
+static int seeded = 0;
+static int egdsocket = 0;
+
+int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn)
+        {
+        int consider_randfile = (file == NULL);
+        char buffer[200];
+        
+#ifdef WINDOWS
+        BIO_printf(bio_e,"Loading 'screen' into random state -");
+        BIO_flush(bio_e);
+        RAND_screen();
+        BIO_printf(bio_e," done\n");
+#endif
+
+        if (file == NULL)
+                file = RAND_file_name(buffer, sizeof buffer);
+        else if (RAND_egd(file) > 0)
+                {
+                /* we try if the given filename is an EGD socket.
+                   if it is, we don't write anything back to the file. */
+                egdsocket = 1;
+                return 1;
+                }
+        if (file == NULL || !RAND_load_file(file, -1))
+                {
+                if (RAND_status() == 0 && !dont_warn)
+                        {
+                        BIO_printf(bio_e,"unable to load 'random state'\n");
+                        BIO_printf(bio_e,"This means that the random number generator has not been seeded\n");
+                        BIO_printf(bio_e,"with much random data.\n");
+                        if (consider_randfile) /* explanation does not apply when a file is explicitly named */
+                                {
+                                BIO_printf(bio_e,"Consider setting the RANDFILE environment variable to point at a file that\n");
+                                BIO_printf(bio_e,"'random' data can be kept in (the file will be overwritten).\n");
+                                }
+                        }
+                return 0;
+                }
+        seeded = 1;
+        return 1;
+        }
+
+long app_RAND_load_files(char *name)
+        {
+        char *p,*n;
+        int last;
+        long tot=0;
+    int egd;
+        
+        for (;;)
+                {
+                last=0;
+                for (p=name; ((*p != '\0') && (*p != LIST_SEPARATOR_CHAR)); p++);
+                if (*p == '\0') last=1;
+                *p='\0';
+                n=name;
+                name=p+1;
+                if (*n == '\0') break;
+
+        egd=RAND_egd(n);
+                if (egd > 0) tot+=egd;
+                tot+=RAND_load_file(n,1024L*1024L);
+                if (last) break;
+                }
+        if (tot > 512)
+                app_RAND_allow_write_file();
+        return(tot);
+        }
+
+int app_RAND_write_file(const char *file, BIO *bio_e)
+        {
+        char buffer[200];
+        
+        if (egdsocket || !seeded)
+                /* If we did not manage to read the seed file,
+                 * we should not write a low-entropy seed file back --
+                 * it would suppress a crucial warning the next time
+                 * we want to use it. */
+                return 0;
+
+        if (file == NULL)
+                file = RAND_file_name(buffer, sizeof buffer);
+        if (file == NULL || !RAND_write_file(file))
+                {
+                BIO_printf(bio_e,"unable to write 'random state'\n");
+                return 0;
+                }
+        return 1;
+        }
+
+void app_RAND_allow_write_file(void)
+        {
+        seeded = 1;
+        }
diff --git a/src/lib/libssl/src/apps/dh2048.pem b/src/lib/libssl/src/apps/dh2048.pem
new file mode 100644
index 0000000000..dcd0b8d01b
--- /dev/null
+++ b/src/lib/libssl/src/apps/dh2048.pem
@@ -0,0 +1,12 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA9kJXtwh/CBdyorrWqULzBej5UxE5T7bxbrlLOCDaAadWoxTpj0BV
+89AHxstDqZSt90xkhkn4DIO9ZekX1KHTUPj1WV/cdlJPPT2N286Z4VeSWc39uK50
+T8X8dryDxUcwYc58yWb/Ffm7/ZFexwGq01uejaClcjrUGvC/RgBYK+X0iP1YTknb
+zSC0neSRBzZrM2w4DUUdD3yIsxx8Wy2O9vPJI8BD8KVbGI2Ou1WMuF040zT9fBdX
+Q6MdGGzeMyEstSr/POGxKUAYEY18hKcKctaGxAMZyAcpesqVDNmWn6vQClCbAkbT
+CD1mpF1Bn5x8vYlLIhkmuquiXsNV6TILOwIBAg==
+-----END DH PARAMETERS-----
+
+These are the 2048 bit DH parameters from "Assigned Number for SKIP Protocols"
+(http://www.skip-vpn.org/spec/numbers.html).
+See there for how they were generated.
diff --git a/src/lib/libssl/src/apps/dh4096.pem b/src/lib/libssl/src/apps/dh4096.pem
new file mode 100644
index 0000000000..1b35ad8e62
--- /dev/null
+++ b/src/lib/libssl/src/apps/dh4096.pem
@@ -0,0 +1,18 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA+hRyUsFN4VpJ1O8JLcCo/VWr19k3BCgJ4uk+d+KhehjdRqNDNyOQ
+l/MOyQNQfWXPeGKmOmIig6Ev/nm6Nf9Z2B1h3R4hExf+zTiHnvVPeRBhjdQi81rt
+Xeoh6TNrSBIKIHfUJWBh3va0TxxjQIs6IZOLeVNRLMqzeylWqMf49HsIXqbcokUS
+Vt1BkvLdW48j8PPv5DsKRN3tloTxqDJGo9tKvj1Fuk74A+Xda1kNhB7KFlqMyN98
+VETEJ6c7KpfOo30mnK30wqw3S8OtaIR/maYX72tGOno2ehFDkq3pnPtEbD2CScxc
+alJC+EL7RPk5c/tgeTvCngvc1KZn92Y//EI7G9tPZtylj2b56sHtMftIoYJ9+ODM
+sccD5Piz/rejE3Ome8EOOceUSCYAhXn8b3qvxVI1ddd1pED6FHRhFvLrZxFvBEM9
+ERRMp5QqOaHJkM+Dxv8Cj6MqrCbfC4u+ZErxodzuusgDgvZiLF22uxMZbobFWyte
+OvOzKGtwcTqO/1wV5gKkzu1ZVswVUQd5Gg8lJicwqRWyyNRczDDoG9jVDxmogKTH
+AaqLulO7R8Ifa1SwF2DteSGVtgWEN8gDpN3RBmmPTDngyF2DHb5qmpnznwtFKdTL
+KWbuHn491xNO25CQWMtem80uKw+pTnisBRF/454n1Jnhub144YRBoN8CAQI=
+-----END DH PARAMETERS-----
+
+These are the 4096 bit DH parameters from "Assigned Number for SKIP Protocols"
+(http://www.skip-vpn.org/spec/numbers.html).
+See there for how they were generated.
+Note that g is not a generator, but this is not a problem since p is a safe prime.
diff --git a/src/lib/libssl/src/apps/dh512.pem b/src/lib/libssl/src/apps/dh512.pem
new file mode 100644
index 0000000000..200d16cd89
--- /dev/null
+++ b/src/lib/libssl/src/apps/dh512.pem
@@ -0,0 +1,9 @@
+-----BEGIN DH PARAMETERS-----
+MEYCQQD1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWak
+XUGfnHy9iUsiGSa6q6Jew1XpKgVfAgEC
+-----END DH PARAMETERS-----
+
+These are the 512 bit DH parameters from "Assigned Number for SKIP Protocols"
+(http://www.skip-vpn.org/spec/numbers.html).
+See there for how they were generated.
+Note that g is not a generator, but this is not a problem since p is a safe prime.
diff --git a/src/lib/libssl/src/apps/dhparam.c b/src/lib/libssl/src/apps/dhparam.c
new file mode 100644
index 0000000000..293a400d0c
--- /dev/null
+++ b/src/lib/libssl/src/apps/dhparam.c
@@ -0,0 +1,368 @@
+/* apps/dhparam.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_DH
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/bn.h>
+#include <openssl/dh.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+#undef PROG
+#define PROG    dhparam_main
+
+#define DEFBITS 512
+
+/* -inform arg  - input format - default PEM (DER or PEM)
+ * -outform arg - output format - default PEM
+ * -in arg      - input file - default stdin
+ * -out arg     - output file - default stdout
+ * -check       - check the parameters are ok
+ * -noout
+ * -text
+ * -C
+ */
+
+static void MS_CALLBACK dh_cb(int p, int n, void *arg);
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+        {
+        DH *dh=NULL;
+        int i,badops=0,text=0;
+        BIO *in=NULL,*out=NULL;
+        int informat,outformat,check=0,noout=0,C=0,ret=1;
+        char *infile,*outfile,*prog;
+        char *inrand=NULL;
+        int num = 0, g = 0;
+
+        apps_startup();
+
+        if (bio_err == NULL)
+                if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+                        BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+        infile=NULL;
+        outfile=NULL;
+        informat=FORMAT_PEM;
+        outformat=FORMAT_PEM;
+
+        prog=argv[0];
+        argc--;
+        argv++;
+        while (argc >= 1)
+                {
+                if      (strcmp(*argv,"-inform") == 0)
+                        {
+                        if (--argc < 1) goto bad;
+                        informat=str2fmt(*(++argv));
+                        }
+                else if (strcmp(*argv,"-outform") == 0)
+                        {
+                        if (--argc < 1) goto bad;
+                        outformat=str2fmt(*(++argv));
+                        }
+                else if (strcmp(*argv,"-in") == 0)
+                        {
+                        if (--argc < 1) goto bad;
+                        infile= *(++argv);
+                        }
+                else if (strcmp(*argv,"-out") == 0)
+                        {
+                        if (--argc < 1) goto bad;
+                        outfile= *(++argv);
+                        }
+                else if (strcmp(*argv,"-check") == 0)
+                        check=1;
+                else if (strcmp(*argv,"-text") == 0)
+                        text=1;
+                else if (strcmp(*argv,"-C") == 0)
+                        C=1;
+                else if (strcmp(*argv,"-noout") == 0)
+                        noout=1;
+                else if (strcmp(*argv,"-2") == 0)
+                        g=2;
+                else if (strcmp(*argv,"-5") == 0)
+                        g=5;
+                else if (strcmp(*argv,"-rand") == 0)
+                        {
+                        if (--argc < 1) goto bad;
+                        inrand= *(++argv);
+                        }
+                else if (((sscanf(*argv,"%d",&num) == 0) || (num <= 0)))
+                        goto bad;
+                argv++;
+                argc--;
+                }
+
+        if (badops)
+                {
+bad:
+                BIO_printf(bio_err,"%s [options] [numbits]\n",prog);
+                BIO_printf(bio_err,"where options are\n");
+                BIO_printf(bio_err," -inform arg   input format - one of DER PEM\n");
+                BIO_printf(bio_err," -outform arg  output format - one of DER PEM\n");
+                BIO_printf(bio_err," -in arg       input file\n");
+                BIO_printf(bio_err," -out arg      output file\n");
+                BIO_printf(bio_err," -check        check the DH parameters\n");
+                BIO_printf(bio_err," -text         print a text form of the DH parameters\n");
+                BIO_printf(bio_err," -C            Output C code\n");
+                BIO_printf(bio_err," -2            generate parameters using  2 as the generator value\n");
+                BIO_printf(bio_err," -5            generate parameters using  5 as the generator value\n");
+                BIO_printf(bio_err," numbits       number of bits in to generate (default 512)\n");
+                BIO_printf(bio_err," -rand file:file:...\n");
+                BIO_printf(bio_err,"               - load the file (or the files in the directory) into\n");
+                BIO_printf(bio_err,"               the random number generator\n");
+                BIO_printf(bio_err," -noout        no output\n");
+                goto end;
+                }
+
+        ERR_load_crypto_strings();
+
+        if(g && !num) num = DEFBITS;
+        else if(num && !g) g = 2;
+
+        if(num) {
+
+                if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL)
+                        {
+                        BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
+                        }
+                if (inrand != NULL)
+                        BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
+                                app_RAND_load_files(inrand));
+
+                BIO_printf(bio_err,"Generating DH parameters, %d bit long strong prime, generator of %d\n",num,g);
+                BIO_printf(bio_err,"This is going to take a long time\n");
+                dh=DH_generate_parameters(num,g,dh_cb,bio_err);
+                        
+                if (dh == NULL) goto end;
+
+                app_RAND_write_file(NULL, bio_err);
+        } else {
+
+                in=BIO_new(BIO_s_file());
+                if (in == NULL)
+                        {
+                        ERR_print_errors(bio_err);
+                        goto end;
+                        }
+                if (infile == NULL)
+                        BIO_set_fp(in,stdin,BIO_NOCLOSE);
+                else
+                        {
+                        if (BIO_read_filename(in,infile) <= 0)
+                                {
+                                perror(infile);
+                                goto end;
+                                }
+                        }
+
+                if      (informat == FORMAT_ASN1)
+                        dh=d2i_DHparams_bio(in,NULL);
+                else if (informat == FORMAT_PEM)
+                        dh=PEM_read_bio_DHparams(in,NULL,NULL,NULL);
+                else
+                        {
+                        BIO_printf(bio_err,"bad input format specified\n");
+                        goto end;
+                        }
+                if (dh == NULL)
+                        {
+                        BIO_printf(bio_err,"unable to load DH parameters\n");
+                        ERR_print_errors(bio_err);
+                        goto end;
+                        }
+
+        }
+
+        out=BIO_new(BIO_s_file());
+        if (out == NULL)
+                {
+                ERR_print_errors(bio_err);
+                goto end;
+                }
+        if (outfile == NULL)
+                BIO_set_fp(out,stdout,BIO_NOCLOSE);
+        else
+                {
+                if (BIO_write_filename(out,outfile) <= 0)
+                        {
+                        perror(outfile);
+                        goto end;
+                        }
+                }
+
+        
+
+        if (text)
+                {
+                DHparams_print(out,dh);
+                }
+        
+        if (check)
+                {
+                if (!DH_check(dh,&i))
+                        {
+                        ERR_print_errors(bio_err);
+                        goto end;
+                        }
+                if (i & DH_CHECK_P_NOT_PRIME)
+                        printf("p value is not prime\n");
+                if (i & DH_CHECK_P_NOT_STRONG_PRIME)
+                        printf("p value is not a strong prime\n");
+                if (i & DH_UNABLE_TO_CHECK_GENERATOR)
+                        printf("unable to check the generator value\n");
+                if (i & DH_NOT_SUITABLE_GENERATOR)
+                        printf("the g value is not a generator\n");
+                if (i == 0)
+                        printf("DH parameters appear to be ok.\n");
+                }
+        if (C)
+                {
+                unsigned char *data;
+                int len,l,bits;
+
+                len=BN_num_bytes(dh->p);
+                bits=BN_num_bits(dh->p);
+                data=(unsigned char *)Malloc(len);
+                if (data == NULL)
+                        {
+                        perror("Malloc");
+                        goto end;
+                        }
+                l=BN_bn2bin(dh->p,data);
+                printf("static unsigned char dh%d_p[]={",bits);
+                for (i=0; i<l; i++)
+                        {
+                        if ((i%12) == 0) printf("\n\t");
+                        printf("0x%02X,",data[i]);
+                        }
+                printf("\n\t};\n");
+
+                l=BN_bn2bin(dh->g,data);
+                printf("static unsigned char dh%d_g[]={",bits);
+                for (i=0; i<l; i++)
+                        {
+                        if ((i%12) == 0) printf("\n\t");
+                        printf("0x%02X,",data[i]);
+                        }
+                printf("\n\t};\n\n");
+
+                printf("DH *get_dh%d()\n\t{\n",bits);
+                printf("\tDH *dh;\n\n");
+                printf("\tif ((dh=DH_new()) == NULL) return(NULL);\n");
+                printf("\tdh->p=BN_bin2bn(dh%d_p,sizeof(dh%d_p),NULL);\n",
+                        bits,bits);
+                printf("\tdh->g=BN_bin2bn(dh%d_g,sizeof(dh%d_g),NULL);\n",
+                        bits,bits);
+                printf("\tif ((dh->p == NULL) || (dh->g == NULL))\n");
+                printf("\t\treturn(NULL);\n");
+                printf("\treturn(dh);\n\t}\n");
+                Free(data);
+                }
+
+
+        if (!noout)
+                {
+                if      (outformat == FORMAT_ASN1)
+                        i=i2d_DHparams_bio(out,dh);
+                else if (outformat == FORMAT_PEM)
+                        i=PEM_write_bio_DHparams(out,dh);
+                else    {
+                        BIO_printf(bio_err,"bad output format specified for outfile\n");
+                        goto end;
+                        }
+                if (!i)
+                        {
+                        BIO_printf(bio_err,"unable to write DH parameters\n");
+                        ERR_print_errors(bio_err);
+                        goto end;
+                        }
+                }
+        ret=0;
+end:
+        if (in != NULL) BIO_free(in);
+        if (out != NULL) BIO_free(out);
+        if (dh != NULL) DH_free(dh);
+        EXIT(ret);
+        }
+
+static void MS_CALLBACK dh_cb(int p, int n, void *arg)
+        {
+        char c='*';
+
+        if (p == 0) c='.';
+        if (p == 1) c='+';
+        if (p == 2) c='*';
+        if (p == 3) c='\n';
+        BIO_write((BIO *)arg,&c,1);
+        (void)BIO_flush((BIO *)arg);
+#ifdef LINT
+        p=n;
+#endif
+        }
+
+#endif
diff --git a/src/lib/libssl/src/apps/engine.c b/src/lib/libssl/src/apps/engine.c
new file mode 100644
index 0000000000..734ecb3e5d
--- /dev/null
+++ b/src/lib/libssl/src/apps/engine.c
@@ -0,0 +1,520 @@
+/* apps/engine.c -*- mode: C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte <richard@levitte.org> for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef OPENSSL_NO_STDIO
+#define APPS_WIN16
+#endif
+#include "apps.h"
+#include <openssl/err.h>
+#include <openssl/engine.h>
+#include <openssl/ssl.h>
+
+#undef PROG
+#define PROG    engine_main
+
+static char *engine_usage[]={
+"usage: engine opts [engine ...]\n",
+" -v[v[v[v]]] - verbose mode, for each engine, list its 'control commands'\n",
+"               -vv will additionally display each command's description\n",
+"               -vvv will also add the input flags for each command\n",
+"               -vvvv will also show internal input flags\n",
+" -c          - for each engine, also list the capabilities\n",
+" -t          - for each engine, check that they are really available\n",
+" -pre <cmd>  - runs command 'cmd' against the ENGINE before any attempts\n",
+"               to load it (if -t is used)\n",
+" -post <cmd> - runs command 'cmd' against the ENGINE after loading it\n",
+"               (only used if -t is also provided)\n",
+" NB: -pre and -post will be applied to all ENGINEs supplied on the command\n",
+" line, or all supported ENGINEs if none are specified.\n",
+" Eg. '-pre \"SO_PATH:/lib/libdriver.so\"' calls command \"SO_PATH\" with\n",
+" argument \"/lib/libdriver.so\".\n",
+NULL
+};
+
+static void identity(void *ptr)
+        {
+        return;
+        }
+
+static int append_buf(char **buf, const char *s, int *size, int step)
+        {
+        int l = strlen(s);
+
+        if (*buf == NULL)
+                {
+                *size = step;
+                *buf = OPENSSL_malloc(*size);
+                if (*buf == NULL)
+                        return 0;
+                **buf = '\0';
+                }
+
+        if (**buf != '\0')
+                l += 2;         /* ", " */
+
+        if (strlen(*buf) + strlen(s) >= (unsigned int)*size)
+                {
+                *size += step;
+                *buf = OPENSSL_realloc(*buf, *size);
+                }
+
+        if (*buf == NULL)
+                return 0;
+
+        if (**buf != '\0')
+                strcat(*buf, ", ");
+        strcat(*buf, s);
+
+        return 1;
+        }
+
+static int util_flags(BIO *bio_out, unsigned int flags, const char *indent)
+        {
+        int started = 0, err = 0;
+        /* Indent before displaying input flags */
+        BIO_printf(bio_out, "%s%s(input flags): ", indent, indent);
+        if(flags == 0)
+                {
+                BIO_printf(bio_out, "<no flags>\n");
+                return 1;
+                }
+        /* If the object is internal, mark it in a way that shows instead of
+         * having it part of all the other flags, even if it really is. */
+        if(flags & ENGINE_CMD_FLAG_INTERNAL)
+                {
+                BIO_printf(bio_out, "[Internal] ");
+                }
+
+        if(flags & ENGINE_CMD_FLAG_NUMERIC)
+                {
+                if(started)
+                        {
+                        BIO_printf(bio_out, "|");
+                        err = 1;
+                        }
+                BIO_printf(bio_out, "NUMERIC");
+                started = 1;
+                }
+        /* Now we check that no combinations of the mutually exclusive NUMERIC,
+         * STRING, and NO_INPUT flags have been used. Future flags that can be
+         * OR'd together with these would need to added after these to preserve
+         * the testing logic. */
+        if(flags & ENGINE_CMD_FLAG_STRING)
+                {
+                if(started)
+                        {
+                        BIO_printf(bio_out, "|");
+                        err = 1;
+                        }
+                BIO_printf(bio_out, "STRING");
+                started = 1;
+                }
+        if(flags & ENGINE_CMD_FLAG_NO_INPUT)
+                {
+                if(started)
+                        {
+                        BIO_printf(bio_out, "|");
+                        err = 1;
+                        }
+                BIO_printf(bio_out, "NO_INPUT");
+                started = 1;
+                }
+        /* Check for unknown flags */
+        flags = flags & ~ENGINE_CMD_FLAG_NUMERIC &
+                        ~ENGINE_CMD_FLAG_STRING &
+                        ~ENGINE_CMD_FLAG_NO_INPUT &
+                        ~ENGINE_CMD_FLAG_INTERNAL;
+        if(flags)
+                {
+                if(started) BIO_printf(bio_out, "|");
+                BIO_printf(bio_out, "<0x%04X>", flags);
+                }
+        if(err)
+                BIO_printf(bio_out, "  <illegal flags!>");
+        BIO_printf(bio_out, "\n");
+        return 1;
+        }
+
+static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, const char *indent)
+        {
+        static const int line_wrap = 78;
+        int num;
+        int ret = 0;
+        char *name = NULL;
+        char *desc = NULL;
+        int flags;
+        int xpos = 0;
+        STACK *cmds = NULL;
+        if(!ENGINE_ctrl(e, ENGINE_CTRL_HAS_CTRL_FUNCTION, 0, NULL, NULL) ||
+                        ((num = ENGINE_ctrl(e, ENGINE_CTRL_GET_FIRST_CMD_TYPE,
+                                        0, NULL, NULL)) <= 0))
+                {
+#if 0
+                BIO_printf(bio_out, "%s<no control commands>\n", indent);
+#endif
+                return 1;
+                }
+
+        cmds = sk_new_null();
+
+        if(!cmds)
+                goto err;
+        do {
+                int len;
+                /* Get the command input flags */
+                if((flags = ENGINE_ctrl(e, ENGINE_CTRL_GET_CMD_FLAGS, num,
+                                        NULL, NULL)) < 0)
+                        goto err;
+                if (!(flags & ENGINE_CMD_FLAG_INTERNAL) || verbose >= 4)
+                        {
+                        /* Get the command name */
+                        if((len = ENGINE_ctrl(e, ENGINE_CTRL_GET_NAME_LEN_FROM_CMD, num,
+                                NULL, NULL)) <= 0)
+                                goto err;
+                        if((name = OPENSSL_malloc(len + 1)) == NULL)
+                                goto err;
+                        if(ENGINE_ctrl(e, ENGINE_CTRL_GET_NAME_FROM_CMD, num, name,
+                                NULL) <= 0)
+                                goto err;
+                        /* Get the command description */
+                        if((len = ENGINE_ctrl(e, ENGINE_CTRL_GET_DESC_LEN_FROM_CMD, num,
+                                NULL, NULL)) < 0)
+                                goto err;
+                        if(len > 0)
+                                {
+                                if((desc = OPENSSL_malloc(len + 1)) == NULL)
+                                        goto err;
+                                if(ENGINE_ctrl(e, ENGINE_CTRL_GET_DESC_FROM_CMD, num, desc,
+                                        NULL) <= 0)
+                                        goto err;
+                                }
+                        /* Now decide on the output */
+                        if(xpos == 0)
+                                /* Do an indent */
+                                xpos = BIO_printf(bio_out, indent);
+                        else
+                                /* Otherwise prepend a ", " */
+                                xpos += BIO_printf(bio_out, ", ");
+                        if(verbose == 1)
+                                {
+                                /* We're just listing names, comma-delimited */
+                                if((xpos > (int)strlen(indent)) &&
+                                        (xpos + (int)strlen(name) > line_wrap))
+                                        {
+                                        BIO_printf(bio_out, "\n");
+                                        xpos = BIO_printf(bio_out, indent);
+                                        }
+                                xpos += BIO_printf(bio_out, "%s", name);
+                                }
+                        else
+                                {
+                                /* We're listing names plus descriptions */
+                                BIO_printf(bio_out, "%s: %s\n", name,
+                                        (desc == NULL) ? "<no description>" : desc);
+                                /* ... and sometimes input flags */
+                                if((verbose >= 3) && !util_flags(bio_out, flags,
+                                        indent))
+                                        goto err;
+                                xpos = 0;
+                                }
+                        }
+                OPENSSL_free(name); name = NULL;
+                if(desc) { OPENSSL_free(desc); desc = NULL; }
+                /* Move to the next command */
+                num = ENGINE_ctrl(e, ENGINE_CTRL_GET_NEXT_CMD_TYPE,
+                                        num, NULL, NULL);
+                } while(num > 0);
+        if(xpos > 0)
+                BIO_printf(bio_out, "\n");
+        ret = 1;
+err:
+        if(cmds) sk_pop_free(cmds, identity);
+        if(name) OPENSSL_free(name);
+        if(desc) OPENSSL_free(desc);
+        return ret;
+        }
+
+static void util_do_cmds(ENGINE *e, STACK *cmds, BIO *bio_out, const char *indent)
+        {
+        int loop, res, num = sk_num(cmds);
+        if(num < 0)
+                {
+                BIO_printf(bio_out, "[Error]: internal stack error\n");
+                return;
+                }
+        for(loop = 0; loop < num; loop++)
+                {
+                char buf[256];
+                const char *cmd, *arg;
+                cmd = sk_value(cmds, loop);
+                res = 1; /* assume success */
+                /* Check if this command has no ":arg" */
+                if((arg = strstr(cmd, ":")) == NULL)
+                        {
+                        if(!ENGINE_ctrl_cmd_string(e, cmd, NULL, 0))
+                                res = 0;
+                        }
+                else
+                        {
+                        if((int)(arg - cmd) > 254)
+                                {
+                                BIO_printf(bio_out,"[Error]: command name too long\n");
+                                return;
+                                }
+                        memcpy(buf, cmd, (int)(arg - cmd));
+                        buf[arg-cmd] = '\0';
+                        arg++; /* Move past the ":" */
+                        /* Call the command with the argument */
+                        if(!ENGINE_ctrl_cmd_string(e, buf, arg, 0))
+                                res = 0;
+                        }
+                if(res)
+                        BIO_printf(bio_out, "[Success]: %s\n", cmd);
+                else
+                        {
+                        BIO_printf(bio_out, "[Failure]: %s\n", cmd);
+                        ERR_print_errors(bio_out);
+                        }
+                }
+        }
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+        {
+        int ret=1,i;
+        char **pp;
+        int verbose=0, list_cap=0, test_avail=0;
+        ENGINE *e;
+        STACK *engines = sk_new_null();
+        STACK *pre_cmds = sk_new_null();
+        STACK *post_cmds = sk_new_null();
+        int badops=1;
+        BIO *bio_out=NULL;
+        const char *indent = "     ";
+
+        apps_startup();
+        SSL_load_error_strings();
+
+        if (bio_err == NULL)
+                bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
+
+        if (!load_config(bio_err, NULL))
+                goto end;
+        bio_out=BIO_new_fp(stdout,BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+        {
+        BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+        bio_out = BIO_push(tmpbio, bio_out);
+        }
+#endif
+
+        argc--;
+        argv++;
+        while (argc >= 1)
+                {
+                if (strncmp(*argv,"-v",2) == 0)
+                        {
+                        if(strspn(*argv + 1, "v") < strlen(*argv + 1))
+                                goto skip_arg_loop;
+                        if((verbose=strlen(*argv + 1)) > 4)
+                                goto skip_arg_loop;
+                        }
+                else if (strcmp(*argv,"-c") == 0)
+                        list_cap=1;
+                else if (strcmp(*argv,"-t") == 0)
+                        test_avail=1;
+                else if (strcmp(*argv,"-pre") == 0)
+                        {
+                        argc--; argv++;
+                        sk_push(pre_cmds,*argv);
+                        }
+                else if (strcmp(*argv,"-post") == 0)
+                        {
+                        argc--; argv++;
+                        sk_push(post_cmds,*argv);
+                        }
+                else if ((strncmp(*argv,"-h",2) == 0) ||
+                                (strcmp(*argv,"-?") == 0))
+                        goto skip_arg_loop;
+                else
+                        sk_push(engines,*argv);
+                argc--;
+                argv++;
+                }
+        /* Looks like everything went OK */
+        badops = 0;
+skip_arg_loop:
+
+        if (badops)
+                {
+                for (pp=engine_usage; (*pp != NULL); pp++)
+                        BIO_printf(bio_err,"%s",*pp);
+                goto end;
+                }
+
+        if (sk_num(engines) == 0)
+                {
+                for(e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e))
+                        {
+                        sk_push(engines,(char *)ENGINE_get_id(e));
+                        }
+                }
+
+        for (i=0; i<sk_num(engines); i++)
+                {
+                const char *id = sk_value(engines,i);
+                if ((e = ENGINE_by_id(id)) != NULL)
+                        {
+                        const char *name = ENGINE_get_name(e);
+                        /* Do "id" first, then "name". Easier to auto-parse. */
+                        BIO_printf(bio_out, "(%s) %s\n", id, name);
+                        util_do_cmds(e, pre_cmds, bio_out, indent);
+                        if (strcmp(ENGINE_get_id(e), id) != 0)
+                                {
+                                BIO_printf(bio_out, "Loaded: (%s) %s\n",
+                                        ENGINE_get_id(e), ENGINE_get_name(e));
+                                }
+                        if (list_cap)
+                                {
+                                int cap_size = 256;
+                                char *cap_buf = NULL;
+                                int k,n;
+                                const int *nids;
+                                ENGINE_CIPHERS_PTR fn_c;
+                                ENGINE_DIGESTS_PTR fn_d;
+
+                                if (ENGINE_get_RSA(e) != NULL
+                                        && !append_buf(&cap_buf, "RSA",
+                                                &cap_size, 256))
+                                        goto end;
+                                if (ENGINE_get_DSA(e) != NULL
+                                        && !append_buf(&cap_buf, "DSA",
+                                                &cap_size, 256))
+                                        goto end;
+                                if (ENGINE_get_DH(e) != NULL
+                                        && !append_buf(&cap_buf, "DH",
+                                                &cap_size, 256))
+                                        goto end;
+                                if (ENGINE_get_RAND(e) != NULL
+                                        && !append_buf(&cap_buf, "RAND",
+                                                &cap_size, 256))
+                                        goto end;
+
+                                fn_c = ENGINE_get_ciphers(e);
+                                if(!fn_c) goto skip_ciphers;
+                                n = fn_c(e, NULL, &nids, 0);
+                                for(k=0 ; k < n ; ++k)
+                                        if(!append_buf(&cap_buf,
+                                                       OBJ_nid2sn(nids[k]),
+                                                       &cap_size, 256))
+                                                goto end;
+
+skip_ciphers:
+                                fn_d = ENGINE_get_digests(e);
+                                if(!fn_d) goto skip_digests;
+                                n = fn_d(e, NULL, &nids, 0);
+                                for(k=0 ; k < n ; ++k)
+                                        if(!append_buf(&cap_buf,
+                                                       OBJ_nid2sn(nids[k]),
+                                                       &cap_size, 256))
+                                                goto end;
+
+skip_digests:
+                                if (cap_buf && (*cap_buf != '\0'))
+                                        BIO_printf(bio_out, " [%s]\n", cap_buf);
+
+                                OPENSSL_free(cap_buf);
+                                }
+                        if(test_avail)
+                                {
+                                BIO_printf(bio_out, "%s", indent);
+                                if (ENGINE_init(e))
+                                        {
+                                        BIO_printf(bio_out, "[ available ]\n");
+                                        util_do_cmds(e, post_cmds, bio_out, indent);
+                                        ENGINE_finish(e);
+                                        }
+                                else
+                                        {
+                                        BIO_printf(bio_out, "[ unavailable ]\n");
+                                        ERR_print_errors_fp(stdout);
+                                        ERR_clear_error();
+                                        }
+                                }
+                        if((verbose > 0) && !util_verbose(e, verbose, bio_out, indent))
+                                goto end;
+                        ENGINE_free(e);
+                        }
+                else
+                        ERR_print_errors(bio_err);
+                }
+
+        ret=0;
+end:
+        ERR_print_errors(bio_err);
+        sk_pop_free(engines, identity);
+        sk_pop_free(pre_cmds, identity);
+        sk_pop_free(post_cmds, identity);
+        if (bio_out != NULL) BIO_free_all(bio_out);
+        apps_shutdown();
+        EXIT(ret);
+        }
diff --git a/src/lib/libssl/src/apps/install.com b/src/lib/libssl/src/apps/install.com
new file mode 100644
index 0000000000..f927dc29f5
--- /dev/null
+++ b/src/lib/libssl/src/apps/install.com
@@ -0,0 +1,69 @@
+$! INSTALL.COM -- Installs the files in a given directory tree
+$!
+$! Author: Richard Levitte <richard@levitte.org>
+$! Time of creation: 22-MAY-1998 10:13
+$!
+$! P1   root of the directory tree
+$!
+$       IF P1 .EQS. ""
+$       THEN
+$           WRITE SYS$OUTPUT "First argument missing."
+$           WRITE SYS$OUTPUT "Should be the directory where you want things installed."
+$           EXIT
+$       ENDIF
+$
+$       ROOT = F$PARSE(P1,"[]A.;0",,,"SYNTAX_ONLY,NO_CONCEAL") - "A.;0"
+$       ROOT_DEV = F$PARSE(ROOT,,,"DEVICE","SYNTAX_ONLY")
+$       ROOT_DIR = F$PARSE(ROOT,,,"DIRECTORY","SYNTAX_ONLY") -
+                   - "[000000." - "][" - "[" - "]"
+$       ROOT = ROOT_DEV + "[" + ROOT_DIR
+$
+$       DEFINE/NOLOG WRK_SSLROOT 'ROOT'.] /TRANS=CONC
+$       DEFINE/NOLOG WRK_SSLVEXE WRK_SSLROOT:[VAX_EXE]
+$       DEFINE/NOLOG WRK_SSLAEXE WRK_SSLROOT:[ALPHA_EXE]
+$       DEFINE/NOLOG WRK_SSLLIB WRK_SSLROOT:[LIB]
+$
+$       IF F$PARSE("WRK_SSLROOT:[000000]") .EQS. "" THEN -
+           CREATE/DIR/LOG WRK_SSLROOT:[000000]
+$       IF F$PARSE("WRK_SSLVEXE:") .EQS. "" THEN -
+           CREATE/DIR/LOG WRK_SSLVEXE:
+$       IF F$PARSE("WRK_SSLAEXE:") .EQS. "" THEN -
+           CREATE/DIR/LOG WRK_SSLAEXE:
+$       IF F$PARSE("WRK_SSLLIB:") .EQS. "" THEN -
+           CREATE/DIR/LOG WRK_SSLLIB:
+$
+$       EXE := openssl
+$
+$       VEXE_DIR := [-.VAX.EXE.APPS]
+$       AEXE_DIR := [-.AXP.EXE.APPS]
+$
+$       I = 0
+$ LOOP_EXE: 
+$       E = F$EDIT(F$ELEMENT(I, ",", EXE),"TRIM")
+$       I = I + 1
+$       IF E .EQS. "," THEN GOTO LOOP_EXE_END
+$       SET NOON
+$       IF F$SEARCH(VEXE_DIR+E+".EXE") .NES. ""
+$       THEN
+$         COPY 'VEXE_DIR''E'.EXE WRK_SSLVEXE:'E'.EXE/log
+$         SET FILE/PROT=W:RE WRK_SSLVEXE:'E'.EXE
+$       ENDIF
+$       IF F$SEARCH(AEXE_DIR+E+".EXE") .NES. ""
+$       THEN
+$         COPY 'AEXE_DIR''E'.EXE WRK_SSLAEXE:'E'.EXE/log
+$         SET FILE/PROT=W:RE WRK_SSLAEXE:'E'.EXE
+$       ENDIF
+$       SET ON
+$       GOTO LOOP_EXE
+$ LOOP_EXE_END:
+$
+$       SET NOON
+$       COPY CA.COM WRK_SSLAEXE:CA.COM/LOG
+$       SET FILE/PROT=W:RE WRK_SSLAEXE:CA.COM
+$       COPY CA.COM WRK_SSLVEXE:CA.COM/LOG
+$       SET FILE/PROT=W:RE WRK_SSLVEXE:CA.COM
+$       COPY OPENSSL-VMS.CNF WRK_SSLROOT:[000000]OPENSSL.CNF/LOG
+$       SET FILE/PROT=W:R WRK_SSLROOT:[000000]OPENSSL.CNF
+$       SET ON
+$
+$       EXIT
diff --git a/src/lib/libssl/src/apps/makeapps.com b/src/lib/libssl/src/apps/makeapps.com
new file mode 100644
index 0000000000..8a15a130ed
--- /dev/null
+++ b/src/lib/libssl/src/apps/makeapps.com
@@ -0,0 +1,1138 @@
+$!
+$!  MAKEAPPS.COM
+$!  Written By:  Robert Byer
+$!               Vice-President
+$!               A-Com Computing, Inc.
+$!               byer@mail.all-net.net
+$!
+$!  Changes by Richard Levitte <richard@levitte.org>
+$!
+$!  This command files compiles and creates all the various different
+$!  "application" programs for the different types of encryption for OpenSSL.
+$!  The EXE's are placed in the directory [.xxx.EXE.APPS] where "xxx" denotes
+$!  either AXP or VAX depending on your machine architecture.
+$!
+$!  It was written so it would try to determine what "C" compiler to
+$!  use or you can specify which "C" compiler to use.
+$!
+$!  Specify RSAREF as P1 to compile with the RSAREF library instead of
+$!  the regular one.  If you specify NORSAREF it will compile with the
+$!  regular RSAREF routines.  (Note: If you are in the United States
+$!  you MUST compile with RSAREF unless you have a license from RSA).
+$!
+$!  Note: The RSAREF libraries are NOT INCLUDED and you have to
+$!        download it from "ftp://ftp.rsa.com/rsaref".  You have to
+$!        get the ".tar-Z" file as the ".zip" file dosen't have the
+$!        directory structure stored.  You have to extract the file
+$!        into the [.RSAREF] directory under the root directory as that
+$!        is where the scripts will look for the files.
+$!
+$!  Specify DEBUG or NODEBUG as P2 to compile with or without debugger
+$!  information.
+$!
+$!  Specify which compiler at P3 to try to compile under.
+$!
+$!         VAXC  For VAX C.
+$!         DECC  For DEC C.
+$!         GNUC  For GNU C.
+$!
+$!  If you don't speficy a compiler, it will try to determine which
+$!  "C" compiler to use.
+$!
+$!  P4, if defined, sets a TCP/IP library to use, through one of the following
+$!  keywords:
+$!
+$!      UCX             for UCX
+$!      SOCKETSHR       for SOCKETSHR+NETLIB
+$!
+$!  P5, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
+$!
+$!  P6, if defined, sets a choice of programs to compile.
+$!
+$!
+$! Define A TCP/IP Library That We Will Need To Link To.
+$! (That Is, If We Need To Link To One.)
+$!
+$ TCPIP_LIB = ""
+$!
+$! Check What Architecture We Are Using.
+$!
+$ IF (F$GETSYI("CPU").GE.128)
+$ THEN
+$!
+$!  The Architecture Is AXP.
+$!
+$   ARCH := AXP
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$!  The Architecture Is VAX.
+$!
+$   ARCH := VAX
+$!
+$! End The Architecture Check.
+$!
+$ ENDIF
+$!
+$! Define what programs should be compiled
+$!
+$ PROGRAMS := OPENSSL
+$!$ PROGRAMS := VERIFY,ASN1PARS,REQ,DGST,DH,ENC,GENDH,ERRSTR,CA,CRL,-
+$!            RSA,DSA,DSAPARAM,-
+$!            X509,GENRSA,GENDSA,S_SERVER,S_CLIENT,SPEED,-
+$!            S_TIME,VERSION,PKCS7,CRL2P7,SESS_ID,CIPHERS,NSEQ,
+$!
+$! Check To Make Sure We Have Valid Command Line Parameters.
+$!
+$ GOSUB CHECK_OPTIONS
+$!
+$! Initialise logical names and such
+$!
+$ GOSUB INITIALISE
+$!
+$! Tell The User What Kind of Machine We Run On.
+$!
+$ WRITE SYS$OUTPUT "Compiling On A ",ARCH," Machine."
+$!
+$! Define The CRYPTO Library.
+$!
+$ CRYPTO_LIB := SYS$DISK:[-.'ARCH'.EXE.CRYPTO]LIBCRYPTO.OLB
+$!
+$! Define The RSAREF Library.
+$!
+$ RSAREF_LIB := SYS$DISK:[-.'ARCH'.EXE.RSAREF]LIBRSAGLUE.OLB
+$!
+$! Define The SSL Library.
+$!
+$ SSL_LIB := SYS$DISK:[-.'ARCH'.EXE.SSL]LIBSSL.OLB
+$!
+$! Define The OBJ Directory.
+$!
+$ OBJ_DIR := SYS$DISK:[-.'ARCH'.OBJ.APPS]
+$!
+$! Check To See If The OBJ Directory Exists.
+$!
+$ IF (F$PARSE(OBJ_DIR).EQS."")
+$ THEN
+$!
+$!  It Dosen't Exist, So Create It.
+$!
+$   CREATE/DIRECTORY 'OBJ_DIR'
+$!
+$! End The OBJ Directory Check.
+$!
+$ ENDIF
+$!
+$! Define The EXE Directory.
+$!
+$ EXE_DIR := SYS$DISK:[-.'ARCH'.EXE.APPS]
+$!
+$! Check To See If The EXE Directory Exists.
+$!
+$ IF (F$PARSE(EXE_DIR).EQS."")
+$ THEN
+$!
+$!  It Dosen't Exist, So Create It.
+$!
+$   CREATE/DIRECTORY 'EXE_DIR'
+$!
+$! End The EXE Directory Check.
+$!
+$ ENDIF
+$!
+$! Check To See If We Have The Proper Libraries.
+$!
+$ GOSUB LIB_CHECK
+$!
+$! Check To See If We Have A Linker Option File.
+$!
+$ GOSUB CHECK_OPT_FILE
+$!
+$! Define The Application Files.
+$!
+$ LIB_FILES = "VERIFY;ASN1PARS;REQ;DGST;DH;ENC;GENDH;"+-
+              "ERRSTR;CA;"+-
+              "PKCS7;CRL2P7;CRL;"+-
+              "RSA;DSA;DSAPARAM;"+-
+              "X509;GENRSA;GENDSA;S_SERVER;S_CLIENT;SPEED;"+-
+              "S_TIME;APPS;S_CB;S_SOCKET;VERSION;SESS_ID;"+-
+              "CIPHERS;NSEQ;PKCS12;PKCS8"
+$ APP_FILES := OPENSSL,'OBJ_DIR'VERIFY.OBJ,ASN1PARS.OBJ,REQ.OBJ,DGST.OBJ,DH.OBJ,ENC.OBJ,GENDH.OBJ,-
+               ERRSTR.OBJ,CA.OBJ,-
+               PKCS7.OBJ,CRL2P7.OBJ,CRL.OBJ,-
+               RSA.OBJ,DSA.OBJ,DSAPARAM.OBJ,-
+               X509.OBJ,GENRSA.OBJ,GENDSA.OBJ,S_SERVER.OBJ,S_CLIENT.OBJ,SPEED.OBJ,-
+               S_TIME.OBJ,APPS.OBJ,S_CB.OBJ,S_SOCKET.OBJ,VERSION.OBJ,SESS_ID.OBJ,-
+               CIPHERS.OBJ,NSEQ.OBJ,PKCS12.OBJ,PKCS8.OBJ
+$ TCPIP_PROGRAMS = ",,"
+$ IF COMPILER .EQS. "VAXC" THEN -
+     TCPIP_PROGRAMS = ",OPENSSL,"
+$!$ APP_FILES := VERIFY;ASN1PARS;REQ;DGST;DH;ENC;GENDH;ERRSTR;CA;-
+$!             PKCS7;CRL2P7;CRL;-
+$!             RSA;DSA;DSAPARAM;-
+$!             X509;GENRSA;GENDSA;-
+$!             S_SERVER,'OBJ_DIR'S_SOCKET.OBJ,'OBJ_DIR'S_CB.OBJ;-
+$!             S_CLIENT,'OBJ_DIR'S_SOCKET.OBJ,'OBJ_DIR'S_CB.OBJ;-
+$!             SPEED;-
+$!             S_TIME,'OBJ_DIR'S_CB.OBJ;VERSION;SESS_ID;CIPHERS;NSEQ
+$!$ TCPIP_PROGRAMS = ",,"
+$!$ IF COMPILER .EQS. "VAXC" THEN -
+$!     TCPIP_PROGRAMS = ",S_SERVER,S_CLIENT,SESS_ID,CIPHERS,S_TIME,"
+$!
+$! Setup exceptional compilations
+$!
+$ COMPILEWITH_CC2 = ",S_SOCKET,S_SERVER,S_CLIENT,"
+$!
+$ PHASE := LIB
+$!
+$ RESTART: 
+$!
+$!  Define A File Counter And Set It To "0".
+$!
+$ FILE_COUNTER = 0
+$!
+$! Top Of The File Loop.
+$!
+$ NEXT_FILE:
+$!
+$! O.K, Extract The File Name From The File List.
+$!
+$ FILE_NAME0 = F$EDIT(F$ELEMENT(FILE_COUNTER,";",'PHASE'_FILES),"TRIM")
+$ FILE_NAME = F$EDIT(F$ELEMENT(0,",",FILE_NAME0),"TRIM")
+$ EXTRA_OBJ = FILE_NAME0 - FILE_NAME
+$!
+$! Check To See If We Are At The End Of The File List.
+$!
+$ IF (FILE_NAME0.EQS.";")
+$ THEN
+$   IF (PHASE.EQS."LIB")
+$   THEN
+$     PHASE := APP
+$     GOTO RESTART
+$   ELSE
+$     GOTO FILE_DONE
+$   ENDIF
+$ ENDIF
+$!
+$! Increment The Counter.
+$!
+$ FILE_COUNTER = FILE_COUNTER + 1
+$!
+$! Check to see if this program should actually be compiled
+$!
+$ IF PHASE .EQS. "APP" .AND. -
+     ","+PROGRAMS+"," - (","+F$EDIT(FILE_NAME,"UPCASE")+",") .EQS. ","+PROGRAMS+","
+$ THEN
+$   GOTO NEXT_FILE
+$ ENDIF
+$!
+$! Create The Source File Name.
+$!
+$ SOURCE_FILE = "SYS$DISK:[]" + FILE_NAME + ".C"
+$!
+$! Create The Object File Name.
+$!
+$ OBJECT_FILE = OBJ_DIR + FILE_NAME + ".OBJ"
+$!
+$! Create The Executable File Name.
+$!
+$ EXE_FILE = EXE_DIR + FILE_NAME + ".EXE"
+$ ON WARNING THEN GOTO NEXT_FILE
+$!
+$! Check To See If The File We Want To Compile Actually Exists.
+$!
+$ IF (F$SEARCH(SOURCE_FILE).EQS."")
+$ THEN
+$!
+$!  Tell The User That The File Dosen't Exist.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "The File ",SOURCE_FILE," Dosen't Exist."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Exit The Build.
+$!
+$   GOTO EXIT
+$!
+$! End The File Exist Check.
+$!
+$ ENDIF
+$!
+$! Tell The User What We Are Building.
+$!
+$ IF (PHASE.EQS."LIB")
+$ THEN
+$   WRITE SYS$OUTPUT "Compiling The ",FILE_NAME,".C File."
+$ ELSE
+$   WRITE SYS$OUTPUT "Building The ",FILE_NAME," Application Program."
+$ ENDIF
+$!
+$! Compile The File.
+$!
+$ ON ERROR THEN GOTO NEXT_FILE
+$ IF COMPILEWITH_CC2 - FILE_NAME .NES. COMPILEWITH_CC2
+$ THEN
+$   CC2/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
+$ ELSE
+$   CC/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
+$ ENDIF
+$!
+$ ON WARNING THEN GOTO NEXT_FILE
+$!
+$ IF (PHASE.EQS."LIB") 
+$ THEN 
+$   GOTO NEXT_FILE
+$ ENDIF
+$!
+$!  Check if this program works well without a TCPIP library
+$!
+$ IF TCPIP_LIB .EQS. "" .AND. TCPIP_PROGRAMS - FILE_NAME .NES. TCPIP_PROGRAMS
+$ THEN
+$   WRITE SYS$OUTPUT FILE_NAME," needs a TCP/IP library.  Can't link.  Skipping..."
+$   GOTO NEXT_FILE
+$ ENDIF
+$!
+$! Link The Program, Check To See If We Need To Link With RSAREF Or Not.
+$!
+$ IF (RSAREF.EQS."TRUE")
+$ THEN
+$!
+$!  Check To See If We Are To Link With A Specific TCP/IP Library.
+$!
+$   IF (TCPIP_LIB.NES."")
+$   THEN
+$!
+$!    Link With The RSAREF Library And A Specific TCP/IP Library.
+$!
+$     LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
+          'OBJECT_FILE''EXTRA_OBJ', -
+          'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, -
+          'TCPIP_LIB','OPT_FILE'/OPTION
+$!
+$!  Else...
+$!
+$   ELSE
+$!
+$!    Link With The RSAREF Library And NO TCP/IP Library.
+$!
+$     LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
+          'OBJECT_FILE''EXTRA_OBJ', -
+          'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, -
+          'OPT_FILE'/OPTION
+$!
+$!  End The TCP/IP Library Check.
+$!
+$   ENDIF
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$!  Don't Link With The RSAREF Routines.
+$!
+$!
+$!  Check To See If We Are To Link With A Specific TCP/IP Library.
+$!
+$   IF (TCPIP_LIB.NES."")
+$   THEN
+$!
+$!    Don't Link With The RSAREF Routines And TCP/IP Library.
+$!
+$       LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
+            'OBJECT_FILE''EXTRA_OBJ', -
+            'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
+            'TCPIP_LIB','OPT_FILE'/OPTION
+$!
+$!  Else...
+$!
+$   ELSE
+$!
+$!    Don't Link With The RSAREF Routines And Link With A TCP/IP Library.
+$!
+$       LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
+            'OBJECT_FILE''EXTRA_OBJ', -
+            'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
+            'OPT_FILE'/OPTION
+$!
+$!  End The TCP/IP Library Check.
+$!
+$   ENDIF
+$!
+$! End The RSAREF Link Check.
+$!
+$ ENDIF
+$!
+$! Go Back And Do It Again.
+$!
+$ GOTO NEXT_FILE
+$!
+$! All Done With This File.
+$!
+$ FILE_DONE:
+$ EXIT:
+$!
+$! All Done, Time To Clean Up And Exit.
+$!
+$ GOSUB CLEANUP
+$ EXIT
+$!
+$! Check For The Link Option FIle.
+$!
+$ CHECK_OPT_FILE:
+$!
+$! Check To See If We Need To Make A VAX C Option File.
+$!
+$ IF (COMPILER.EQS."VAXC")
+$ THEN
+$!
+$!  Check To See If We Already Have A VAX C Linker Option File.
+$!
+$   IF (F$SEARCH(OPT_FILE).EQS."")
+$   THEN
+$!
+$!    We Need A VAX C Linker Option File.
+$!
+$     CREATE 'OPT_FILE'
+$DECK
+!
+! Default System Options File To Link Agianst 
+! The Sharable VAX C Runtime Library.
+!
+SYS$SHARE:VAXCRTL.EXE/SHARE
+$EOD
+$!
+$!  End The Option File Check.
+$!
+$   ENDIF
+$!
+$! End The VAXC Check.
+$!
+$ ENDIF
+$!
+$! Check To See If We Need A GNU C Option File.
+$!
+$ IF (COMPILER.EQS."GNUC")
+$ THEN
+$!
+$!  Check To See If We Already Have A GNU C Linker Option File.
+$!
+$   IF (F$SEARCH(OPT_FILE).EQS."")
+$   THEN
+$!
+$!    We Need A GNU C Linker Option File.
+$!
+$     CREATE 'OPT_FILE'
+$DECK
+!
+! Default System Options File To Link Agianst 
+! The Sharable C Runtime Library.
+!
+GNU_CC:[000000]GCCLIB/LIBRARY
+SYS$SHARE:VAXCRTL/SHARE
+$EOD
+$!
+$!  End The Option File Check.
+$!
+$   ENDIF
+$!
+$! End The GNU C Check.
+$!
+$ ENDIF
+$!
+$! Check To See If We Need A DEC C Option File.
+$!
+$ IF (COMPILER.EQS."DECC")
+$ THEN
+$!
+$!  Check To See If We Already Have A DEC C Linker Option File.
+$!
+$   IF (F$SEARCH(OPT_FILE).EQS."")
+$   THEN
+$!
+$!    Figure Out If We Need An AXP Or A VAX Linker Option File.
+$!
+$     IF ARCH.EQS."VAX"
+$     THEN
+$!
+$!      We Need A DEC C Linker Option File For VAX.
+$!
+$       CREATE 'OPT_FILE'
+$DECK
+!
+! Default System Options File To Link Agianst 
+! The Sharable DEC C Runtime Library.
+!
+SYS$SHARE:DECC$SHR.EXE/SHARE
+$EOD
+$!
+$!    Else...
+$!
+$     ELSE
+$!
+$!      Create The AXP Linker Option File.
+$!
+$       CREATE 'OPT_FILE'
+$DECK
+!
+! Default System Options File For AXP To Link Agianst 
+! The Sharable C Runtime Library.
+!
+SYS$SHARE:CMA$OPEN_LIB_SHR/SHARE
+SYS$SHARE:CMA$OPEN_RTL/SHARE
+$EOD
+$!
+$!    End The VAX/AXP DEC C Option File Check.
+$!
+$     ENDIF
+$!
+$!  End The Option File Search.
+$!
+$   ENDIF
+$!
+$! End The DEC C Check.
+$!
+$ ENDIF
+$!
+$!  Tell The User What Linker Option File We Are Using.
+$!
+$ WRITE SYS$OUTPUT "Using Linker Option File ",OPT_FILE,"."     
+$!
+$! Time To RETURN.
+$!
+$ RETURN
+$!
+$! Check To See If We Have The Appropiate Libraries.
+$!
+$ LIB_CHECK:
+$!
+$! Look For The Library LIBCRYPTO.OLB.
+$!
+$ IF (F$SEARCH(CRYPTO_LIB).EQS."")
+$ THEN
+$!
+$!  Tell The User We Can't Find The LIBCRYPTO.OLB Library.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "Can't Find The Library ",CRYPTO_LIB,"."
+$   WRITE SYS$OUTPUT "We Can't Link Without It."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Since We Can't Link Without It, Exit.
+$!
+$   EXIT
+$!
+$! End The Crypto Library Check.
+$!
+$ ENDIF
+$!
+$! See If We Need The RSAREF Library.
+$!
+$ IF (RSAREF.EQS."TRUE")
+$ THEN
+$!
+$!  Look For The Library LIBRSAGLUE.OLB.
+$!
+$   IF (F$SEARCH(RSAREF_LIB).EQS."")
+$   THEN
+$!
+$!    Tell The User We Can't Find The LIBRSAGLUE.OLB Library.
+$!
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "Can't Find The Library ",RSAREF_LIB,"."
+$     WRITE SYS$OUTPUT "We Can't Link Without It."
+$     WRITE SYS$OUTPUT ""
+$!
+$!    Since We Can't Link Without It, Exit.
+$!
+$     EXIT
+$   ENDIF
+$!
+$! End The RSAREF Library Check.
+$!
+$ ENDIF
+$!
+$! Look For The Library LIBSSL.OLB.
+$!
+$ IF (F$SEARCH(SSL_LIB).EQS."")
+$ THEN
+$!
+$!  Tell The User We Can't Find The LIBSSL.OLB Library.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "Can't Find The Library ",SSL_LIB,"."
+$   WRITE SYS$OUTPUT "Some Of The Test Programs Need To Link To It."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Since We Can't Link Without It, Exit.
+$!
+$   EXIT
+$!
+$! End The SSL Library Check.
+$!
+$ ENDIF
+$!
+$! Time To Return.
+$!
+$ RETURN
+$!
+$! Check The User's Options.
+$!
+$ CHECK_OPTIONS:
+$!
+$! Check To See If P1 Is Blank.
+$!
+$ IF (P1.EQS."NORSAREF")
+$ THEN
+$!
+$!   P1 Is NORSAREF, So Compile With The Regular RSA Libraries.
+$!
+$    RSAREF = "FALSE"
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$!  Check To See If We Are To Use The RSAREF Library.
+$!
+$   IF (P1.EQS."RSAREF")
+$   THEN
+$!
+$!    Check To Make Sure We Have The RSAREF Source Code Directory.
+$!
+$     IF (F$SEARCH("SYS$DISK:[-.RSAREF]SOURCE.DIR").EQS."")
+$     THEN
+$!
+$!      We Don't Have The RSAREF Souce Code Directory, So Tell The
+$!      User This.
+$!
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "It appears that you don't have the RSAREF Souce Code."
+$       WRITE SYS$OUTPUT "You need to go to 'ftp://ftp.rsa.com/rsaref'.  You have to"
+$       WRITE SYS$OUTPUT "get the '.tar-Z' file as the '.zip' file dosen't have the"
+$       WRITE SYS$OUTPUT "directory structure stored.  You have to extract the file"
+$       WRITE SYS$OUTPUT "into the [.RSAREF] directory under the root directory"
+$       WRITE SYS$OUTPUT "as that is where the scripts will look for the files."
+$       WRITE SYS$OUTPUT ""
+$!
+$!      Time To Exit.
+$!
+$       EXIT
+$!
+$!    Else...
+$!
+$     ELSE
+$!
+$!      Compile Using The RSAREF Library.
+$!
+$       RSAREF = "TRUE"
+$!
+$!    End The RSAREF Soure Directory Check.
+$!
+$     ENDIF
+$!
+$!  Else...
+$!
+$   ELSE 
+$!
+$!    They Entered An Invalid Option..
+$!
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "The Option ",P1," Is Invalid.  The Valid Options Are:"
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "     RSAREF   :  Compile With The RSAREF Library."
+$     WRITE SYS$OUTPUT "     NORSAREF :  Compile With The Regular RSA Library."
+$     WRITE SYS$OUTPUT ""
+$!
+$!    Time To EXIT.
+$!
+$     EXIT
+$!
+$!  End The Valid Arguement Check.
+$!
+$   ENDIF
+$!
+$! End P1 Check.
+$!
+$ ENDIF
+$!
+$! Check To See If P2 Is Blank.
+$!
+$ IF (P2.EQS."NODEBUG")
+$ THEN
+$!
+$!   P2 Is NODEBUG, So Compile Without Debugger Information.
+$!
+$    DEBUGGER  = "NODEBUG"
+$    TRACEBACK = "NOTRACEBACK" 
+$    GCC_OPTIMIZE = "OPTIMIZE"
+$    CC_OPTIMIZE = "OPTIMIZE"
+$    WRITE SYS$OUTPUT "No Debugger Information Will Be Produced During Compile."
+$    WRITE SYS$OUTPUT "Compiling With Compiler Optimization."
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$!  Check To See If We Are To Compile With Debugger Information.
+$!
+$   IF (P2.EQS."DEBUG")
+$   THEN
+$!
+$!    Compile With Debugger Information.
+$!
+$     DEBUGGER  = "DEBUG"
+$     TRACEBACK = "TRACEBACK"
+$     GCC_OPTIMIZE = "NOOPTIMIZE"
+$     CC_OPTIMIZE = "NOOPTIMIZE"
+$     WRITE SYS$OUTPUT "Debugger Information Will Be Produced During Compile."
+$     WRITE SYS$OUTPUT "Compiling Without Compiler Optimization."
+$   ELSE
+$!
+$!    Tell The User Entered An Invalid Option..
+$!
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "    DEBUG    :  Compile With The Debugger Information."
+$     WRITE SYS$OUTPUT "    NODEBUG  :  Compile Without The Debugger Information."
+$     WRITE SYS$OUTPUT ""
+$!
+$!    Time To EXIT.
+$!
+$     EXIT
+$!
+$!  End The Valid Arguement Check.
+$!
+$   ENDIF
+$!
+$! End The P2 Check.
+$!
+$ ENDIF
+$!
+$! Check To See If P3 Is Blank.
+$!
+$ IF (P3.EQS."")
+$ THEN
+$!
+$!  O.K., The User Didn't Specify A Compiler, Let's Try To
+$!  Find Out Which One To Use.
+$!
+$!  Check To See If We Have GNU C.
+$!
+$   IF (F$TRNLNM("GNU_CC").NES."")
+$   THEN
+$!
+$!    Looks Like GNUC, Set To Use GNUC.
+$!
+$     P3 = "GNUC"
+$!
+$!  Else...
+$!
+$   ELSE
+$!
+$!  Check To See If We Have VAXC Or DECC.
+$!
+$     IF (ARCH.EQS."AXP").OR.(F$TRNLNM("DECC$CC_DEFAULT").NES."")
+$     THEN 
+$!
+$!      Looks Like DECC, Set To Use DECC.
+$!
+$       P3 = "DECC"
+$!
+$!    Else...
+$!
+$     ELSE
+$!
+$!      Looks Like VAXC, Set To Use VAXC.
+$!
+$       P3 = "VAXC"
+$!
+$!    End The VAXC Compiler Check.
+$!
+$     ENDIF
+$!
+$!  End The DECC & VAXC Compiler Check.
+$!
+$   ENDIF
+$!
+$!  End The Compiler Check.
+$!
+$ ENDIF
+$!
+$! Check To See If We Have A Option For P4.
+$!
+$ IF (P4.EQS."")
+$ THEN
+$!
+$!  Find out what socket library we have available
+$!
+$   IF F$PARSE("SOCKETSHR:") .NES. ""
+$   THEN
+$!
+$!    We have SOCKETSHR, and it is my opinion that it's the best to use.
+$!
+$     P4 = "SOCKETSHR"
+$!
+$!    Tell the user
+$!
+$     WRITE SYS$OUTPUT "Using SOCKETSHR for TCP/IP"
+$!
+$!    Else, let's look for something else
+$!
+$   ELSE
+$!
+$!    Like UCX (the reason to do this before Multinet is that the UCX
+$!    emulation is easier to use...)
+$!
+$     IF F$TRNLNM("UCX$IPC_SHR") .NES. "" -
+         .OR. F$PARSE("SYS$SHARE:UCX$IPC_SHR.EXE") .NES. "" -
+         .OR. F$PARSE("SYS$LIBRARY:UCX$IPC.OLB") .NES. ""
+$     THEN
+$!
+$!      Last resort: a UCX or UCX-compatible library
+$!
+$       P4 = "UCX"
+$!
+$!      Tell the user
+$!
+$       WRITE SYS$OUTPUT "Using UCX or an emulation thereof for TCP/IP"
+$!
+$!      That was all...
+$!
+$     ENDIF
+$   ENDIF
+$ ENDIF
+$!
+$! Set Up Initial CC Definitions, Possibly With User Ones
+$!
+$ CCDEFS = "VMS=1,MONOLITH"
+$ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
+$ CCEXTRAFLAGS = ""
+$ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
+$ CCDISABLEWARNINGS = ""
+$ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
+        CCDISABLEWARNINGS = USER_CCDISABLEWARNINGS
+$!
+$!  Check To See If The User Entered A Valid Paramter.
+$!
+$ IF (P3.EQS."VAXC").OR.(P3.EQS."DECC").OR.(P3.EQS."GNUC")
+$ THEN
+$!
+$!  Check To See If The User Wanted DECC.
+$!
+$   IF (P3.EQS."DECC")
+$   THEN
+$!
+$!    Looks Like DECC, Set To Use DECC.
+$!
+$     COMPILER = "DECC"
+$!
+$!    Tell The User We Are Using DECC.
+$!
+$     WRITE SYS$OUTPUT "Using DECC 'C' Compiler."
+$!
+$!    Use DECC...
+$!
+$     CC = "CC"
+$     IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" -
+         THEN CC = "CC/DECC"
+$     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + -
+           "/NOLIST/PREFIX=ALL" + CCEXTRAFLAGS
+$!
+$!    Define The Linker Options File Name.
+$!
+$     OPT_FILE = "SYS$DISK:[]VAX_DECC_OPTIONS.OPT"
+$!
+$!  End DECC Check.
+$!
+$   ENDIF
+$!
+$!  Check To See If We Are To Use VAXC.
+$!
+$   IF (P3.EQS."VAXC")
+$   THEN
+$!
+$!    Looks Like VAXC, Set To Use VAXC.
+$!
+$     COMPILER = "VAXC"
+$!
+$!    Tell The User We Are Using VAX C.
+$     WRITE SYS$OUTPUT "Using VAXC 'C' Compiler."
+$!
+$!    Compile Using VAXC.
+$!
+$     CC = "CC"
+$     IF ARCH.EQS."AXP"
+$     THEN
+$       WRITE SYS$OUTPUT "There is no VAX C on Alpha!"
+$       EXIT
+$     ENDIF
+$     IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC"
+$     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST" + CCEXTRAFLAGS
+$     CCDEFS = CCDEFS + ",""VAXC"""
+$!
+$!    Define <sys> As SYS$COMMON:[SYSLIB]
+$!
+$     DEFINE/NOLOG SYS SYS$COMMON:[SYSLIB]
+$!
+$!    Define The Linker Options File Name.
+$!
+$     OPT_FILE = "SYS$DISK:[]VAX_VAXC_OPTIONS.OPT"
+$!
+$!  End VAXC Check
+$!
+$   ENDIF
+$!
+$!  Check To See If We Are To Use GNU C.
+$!
+$   IF (P3.EQS."GNUC")
+$   THEN
+$!
+$!    Looks Like GNUC, Set To Use GNUC.
+$!
+$     COMPILER = "GNUC"
+$!
+$!    Tell The User We Are Using GNUC.
+$!
+$     WRITE SYS$OUTPUT "Using GNU 'C' Compiler."
+$!
+$!    Use GNU C...
+$!
+$     IF F$TYPE(GCC) .EQS. "" THEN GCC := GCC
+$     CC = GCC+"/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + CCEXTRAFLAGS
+$!
+$!    Define The Linker Options File Name.
+$!
+$     OPT_FILE = "SYS$DISK:[]VAX_GNUC_OPTIONS.OPT"
+$!
+$!  End The GNU C Check.
+$!
+$   ENDIF
+$!
+$!  Set up default defines
+$!
+$   CCDEFS = """FLAT_INC=1""," + CCDEFS
+$!
+$!  Check To See If We Are To Compile With RSAREF Routines.
+$!
+$   IF (RSAREF.EQS."TRUE")
+$   THEN
+$!
+$!    Compile With RSAREF.
+$!
+$     CCDEFS = CCDEFS + ",""RSAref=1"""
+$!
+$!    Tell The User This.
+$!
+$     WRITE SYS$OUTPUT "Compiling With RSAREF Routines."
+$!
+$!    Else, We Don't Care.  Compile Without The RSAREF Library.
+$!
+$   ELSE
+$!
+$!    Tell The User We Are Compile Without The RSAREF Routines.
+$!
+$     WRITE SYS$OUTPUT "Compiling Without The RSAREF Routines.
+$!
+$!  End The RSAREF Check.
+$!
+$   ENDIF
+$!
+$!  Else The User Entered An Invalid Arguement.
+$!
+$ ELSE
+$!
+$!  Tell The User We Don't Know What They Want.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "The Option ",P3," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "    VAXC  :  To Compile With VAX C."
+$   WRITE SYS$OUTPUT "    DECC  :  To Compile With DEC C."
+$   WRITE SYS$OUTPUT "    GNUC  :  To Compile With GNU C."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Time To EXIT.
+$!
+$   EXIT
+$ ENDIF
+$!
+$! Time to check the contents, and to make sure we get the correct library.
+$!
+$ IF P4.EQS."SOCKETSHR" .OR. P4.EQS."MULTINET" .OR. P4.EQS."UCX"
+$ THEN
+$!
+$!  Check to see if SOCKETSHR was chosen
+$!
+$   IF P4.EQS."SOCKETSHR"
+$   THEN
+$!
+$!    Set the library to use SOCKETSHR
+$!
+$     TCPIP_LIB = "[-.VMS]SOCKETSHR_SHR.OPT/OPT"
+$!
+$!    Done with SOCKETSHR
+$!
+$   ENDIF
+$!
+$!  Check to see if MULTINET was chosen
+$!
+$   IF P4.EQS."MULTINET"
+$   THEN
+$!
+$!    Set the library to use UCX emulation.
+$!
+$     P4 = "UCX"
+$!
+$!    Done with MULTINET
+$!
+$   ENDIF
+$!
+$!  Check to see if UCX was chosen
+$!
+$   IF P4.EQS."UCX"
+$   THEN
+$!
+$!    Set the library to use UCX.
+$!
+$     TCPIP_LIB = "[-.VMS]UCX_SHR_DECC.OPT/OPT"
+$     IF F$TRNLNM("UCX$IPC_SHR") .NES. ""
+$     THEN
+$       TCPIP_LIB = "[-.VMS]UCX_SHR_DECC_LOG.OPT/OPT"
+$     ELSE
+$       IF COMPILER .NES. "DECC" .AND. ARCH .EQS. "VAX" THEN -
+          TCPIP_LIB = "[-.VMS]UCX_SHR_VAXC.OPT/OPT"
+$     ENDIF
+$!
+$!    Done with UCX
+$!
+$   ENDIF
+$!
+$!  Add TCP/IP type to CC definitions.
+$!
+$   CCDEFS = CCDEFS + ",TCPIP_TYPE_''P4'"
+$!
+$!  Print info
+$!
+$   WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB
+$!
+$!  Else The User Entered An Invalid Arguement.
+$!
+$ ELSE
+$!
+$!  Tell The User We Don't Know What They Want.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "The Option ",P4," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "    SOCKETSHR  :  To link with SOCKETSHR TCP/IP library."
+$   WRITE SYS$OUTPUT "    UCX        :  To link with UCX TCP/IP library."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Time To EXIT.
+$!
+$   EXIT
+$!
+$!  Done with TCP/IP libraries
+$!
+$ ENDIF
+$!
+$! Finish up the definition of CC.
+$!
+$ IF COMPILER .EQS. "DECC"
+$ THEN
+$   IF CCDISABLEWARNINGS .NES. ""
+$   THEN
+$     CCDISABLEWARNINGS = "/WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))"
+$   ENDIF
+$ ELSE
+$   CCDISABLEWARNINGS = ""
+$ ENDIF
+$ CC2 = CC + "/DEFINE=(" + CCDEFS + ",_POSIX_C_SOURCE)" + CCDISABLEWARNINGS
+$ CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
+$!
+$! Show user the result
+$!
+$ WRITE SYS$OUTPUT "Main Compiling Command: ",CC
+$!
+$! Special Threads For OpenVMS v7.1 Or Later
+$!
+$! Written By:  Richard Levitte
+$!              richard@levitte.org
+$!
+$!
+$! Check To See If We Have A Option For P5.
+$!
+$ IF (P5.EQS."")
+$ THEN
+$!
+$!  Get The Version Of VMS We Are Using.
+$!
+$   ISSEVEN :=
+$   TMP = F$ELEMENT(0,"-",F$EXTRACT(1,4,F$GETSYI("VERSION")))
+$   TMP = F$INTEGER(F$ELEMENT(0,".",TMP)+F$ELEMENT(1,".",TMP))
+$!
+$!  Check To See If The VMS Version Is v7.1 Or Later.
+$!
+$   IF (TMP.GE.71)
+$   THEN
+$!
+$!    We Have OpenVMS v7.1 Or Later, So Use The Special Threads.
+$!
+$     ISSEVEN := ,PTHREAD_USE_D4
+$!
+$!  End The VMS Version Check.
+$!
+$   ENDIF
+$!
+$! End The P5 Check.
+$!
+$ ENDIF
+$!
+$! Check if the user wanted to compile just a subset of all the programs.
+$!
+$ IF P6 .NES. ""
+$ THEN
+$   PROGRAMS = P6
+$ ENDIF
+$!
+$!  Time To RETURN...
+$!
+$ RETURN
+$!
+$ INITIALISE:
+$!
+$! Save old value of the logical name OPENSSL
+$!
+$ __SAVE_OPENSSL = F$TRNLNM("OPENSSL","LNM$PROCESS_TABLE")
+$!
+$! Save directory information
+$!
+$ __HERE = F$PARSE(F$PARSE("A.;",F$ENVIRONMENT("PROCEDURE"))-"A.;","[]A.;") - "A.;"
+$ __TOP = __HERE - "APPS]"
+$ __INCLUDE = __TOP + "INCLUDE.OPENSSL]"
+$!
+$! Set up the logical name OPENSSL to point at the include directory
+$!
+$ DEFINE OPENSSL/NOLOG '__INCLUDE'
+$!
+$! Done
+$!
+$ RETURN
+$!
+$ CLEANUP:
+$!
+$! Restore the logical name OPENSSL if it had a value
+$!
+$ IF __SAVE_OPENSSL .EQS. ""
+$ THEN
+$   DEASSIGN OPENSSL
+$ ELSE
+$   DEFINE/NOLOG OPENSSL '__SAVE_OPENSSL'
+$ ENDIF
+$!
+$! Done
+$!
+$ RETURN
diff --git a/src/lib/libssl/src/apps/nseq.c b/src/lib/libssl/src/apps/nseq.c
new file mode 100644
index 0000000000..d9d01659e7
--- /dev/null
+++ b/src/lib/libssl/src/apps/nseq.c
@@ -0,0 +1,174 @@
+/* nseq.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include "apps.h"
+
+#undef PROG
+#define PROG nseq_main
+
+static int dump_cert_text(BIO *out, X509 *x);
+
+int MAIN(int argc, char **argv)
+{
+        char **args, *infile = NULL, *outfile = NULL;
+        BIO *in = NULL, *out = NULL;
+        int toseq = 0;
+        X509 *x509 = NULL;
+        NETSCAPE_CERT_SEQUENCE *seq = NULL;
+        int i, ret = 1;
+        int badarg = 0;
+        if (bio_err == NULL) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
+        ERR_load_crypto_strings();
+        args = argv + 1;
+        while (!badarg && *args && *args[0] == '-') {
+                if (!strcmp (*args, "-toseq")) toseq = 1;
+                else if (!strcmp (*args, "-in")) {
+                        if (args[1]) {
+                                args++;
+                                infile = *args;
+                        } else badarg = 1;
+                } else if (!strcmp (*args, "-out")) {
+                        if (args[1]) {
+                                args++;
+                                outfile = *args;
+                        } else badarg = 1;
+                } else badarg = 1;
+                args++;
+        }
+
+        if (badarg) {
+                BIO_printf (bio_err, "Netscape certificate sequence utility\n");
+                BIO_printf (bio_err, "Usage nseq [options]\n");
+                BIO_printf (bio_err, "where options are\n");
+                BIO_printf (bio_err, "-in file  input file\n");
+                BIO_printf (bio_err, "-out file output file\n");
+                BIO_printf (bio_err, "-toseq    output NS Sequence file\n");
+                EXIT(1);
+        }
+
+        if (infile) {
+                if (!(in = BIO_new_file (infile, "r"))) {
+                        BIO_printf (bio_err,
+                                 "Can't open input file %s\n", infile);
+                        goto end;
+                }
+        } else in = BIO_new_fp(stdin, BIO_NOCLOSE);
+
+        if (outfile) {
+                if (!(out = BIO_new_file (outfile, "w"))) {
+                        BIO_printf (bio_err,
+                                 "Can't open output file %s\n", outfile);
+                        goto end;
+                }
+        } else out = BIO_new_fp(stdout, BIO_NOCLOSE);
+
+        if (toseq) {
+                seq = NETSCAPE_CERT_SEQUENCE_new();
+                seq->certs = sk_X509_new(NULL);
+                while((x509 = PEM_read_bio_X509(in, NULL, NULL, NULL))) 
+                    sk_X509_push(seq->certs,x509);
+
+                if(!sk_X509_num(seq->certs))
+                {
+                        BIO_printf (bio_err, "Error reading certs file %s\n", infile);
+                        ERR_print_errors(bio_err);
+                        goto end;
+                }
+                PEM_write_bio_NETSCAPE_CERT_SEQUENCE(out, seq);
+                ret = 0;
+                goto end;
+        }
+
+        if (!(seq = PEM_read_bio_NETSCAPE_CERT_SEQUENCE(in, NULL, NULL, NULL))) {
+                BIO_printf (bio_err, "Error reading sequence file %s\n", infile);
+                ERR_print_errors(bio_err);
+                goto end;
+        }
+
+        for(i = 0; i < sk_X509_num(seq->certs); i++) {
+                x509 = sk_X509_value(seq->certs, i);
+                dump_cert_text(out, x509);
+                PEM_write_bio_X509(out, x509);
+        }
+        ret = 0;
+end:
+        BIO_free(in);
+        BIO_free(out);
+        NETSCAPE_CERT_SEQUENCE_free(seq);
+
+        EXIT(ret);
+}
+
+static int dump_cert_text(BIO *out, X509 *x)
+{
+        char buf[256];
+        X509_NAME_oneline(X509_get_subject_name(x),buf,256);
+        BIO_puts(out,"subject=");
+        BIO_puts(out,buf);
+
+        X509_NAME_oneline(X509_get_issuer_name(x),buf,256);
+        BIO_puts(out,"\nissuer= ");
+        BIO_puts(out,buf);
+        BIO_puts(out,"\n");
+        return 0;
+}
+
diff --git a/src/lib/libssl/src/apps/ocsp.c b/src/lib/libssl/src/apps/ocsp.c
new file mode 100644
index 0000000000..c87edbc44b
--- /dev/null
+++ b/src/lib/libssl/src/apps/ocsp.c
@@ -0,0 +1,1211 @@
+/* ocsp.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/pem.h>
+#include <openssl/ocsp.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+#include "apps.h"
+
+/* Maximum leeway in validity period: default 5 minutes */
+#define MAX_VALIDITY_PERIOD     (5 * 60)
+
+/* CA index.txt definitions */
+#define DB_type         0
+#define DB_exp_date     1
+#define DB_rev_date     2
+#define DB_serial       3       /* index - unique */
+#define DB_file         4       
+#define DB_name         5       /* index - unique for active */
+#define DB_NUMBER       6
+
+#define DB_TYPE_REV     'R'
+#define DB_TYPE_EXP     'E'
+#define DB_TYPE_VAL     'V'
+
+static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
+                                STACK_OF(OCSP_CERTID) *ids);
+static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer,
+                                STACK_OF(OCSP_CERTID) *ids);
+static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
+                                STACK *names, STACK_OF(OCSP_CERTID) *ids,
+                                long nsec, long maxage);
+
+static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, TXT_DB *db,
+                        X509 *ca, X509 *rcert, EVP_PKEY *rkey,
+                        STACK_OF(X509) *rother, unsigned long flags,
+                        int nmin, int ndays);
+
+static char **lookup_serial(TXT_DB *db, ASN1_INTEGER *ser);
+static BIO *init_responder(char *port);
+static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port);
+static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
+
+#undef PROG
+#define PROG ocsp_main
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+        {
+        ENGINE *e = NULL;
+        char **args;
+        char *host = NULL, *port = NULL, *path = "/";
+        char *reqin = NULL, *respin = NULL;
+        char *reqout = NULL, *respout = NULL;
+        char *signfile = NULL, *keyfile = NULL;
+        char *rsignfile = NULL, *rkeyfile = NULL;
+        char *outfile = NULL;
+        int add_nonce = 1, noverify = 0, use_ssl = -1;
+        OCSP_REQUEST *req = NULL;
+        OCSP_RESPONSE *resp = NULL;
+        OCSP_BASICRESP *bs = NULL;
+        X509 *issuer = NULL, *cert = NULL;
+        X509 *signer = NULL, *rsigner = NULL;
+        EVP_PKEY *key = NULL, *rkey = NULL;
+        BIO *acbio = NULL, *cbio = NULL;
+        BIO *derbio = NULL;
+        BIO *out = NULL;
+        int req_text = 0, resp_text = 0;
+        long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
+        char *CAfile = NULL, *CApath = NULL;
+        X509_STORE *store = NULL;
+        SSL_CTX *ctx = NULL;
+        STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL;
+        char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
+        unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
+        int ret = 1;
+        int accept_count = -1;
+        int badarg = 0;
+        int i;
+        STACK *reqnames = NULL;
+        STACK_OF(OCSP_CERTID) *ids = NULL;
+
+        X509 *rca_cert = NULL;
+        char *ridx_filename = NULL;
+        char *rca_filename = NULL;
+        TXT_DB *rdb = NULL;
+        int nmin = 0, ndays = -1;
+
+        if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+
+        if (!load_config(bio_err, NULL))
+                goto end;
+        SSL_load_error_strings();
+        args = argv + 1;
+        reqnames = sk_new_null();
+        ids = sk_OCSP_CERTID_new_null();
+        while (!badarg && *args && *args[0] == '-')
+                {
+                if (!strcmp(*args, "-out"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                outfile = *args;
+                                }
+                        else badarg = 1;
+                        }
+                else if (!strcmp(*args, "-url"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                if (!OCSP_parse_url(*args, &host, &port, &path, &use_ssl))
+                                        {
+                                        BIO_printf(bio_err, "Error parsing URL\n");
+                                        badarg = 1;
+                                        }
+                                }
+                        else badarg = 1;
+                        }
+                else if (!strcmp(*args, "-host"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                host = *args;
+                                }
+                        else badarg = 1;
+                        }
+                else if (!strcmp(*args, "-port"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                port = *args;
+                                }
+                        else badarg = 1;
+                        }
+                else if (!strcmp(*args, "-noverify"))
+                        noverify = 1;
+                else if (!strcmp(*args, "-nonce"))
+                        add_nonce = 2;
+                else if (!strcmp(*args, "-no_nonce"))
+                        add_nonce = 0;
+                else if (!strcmp(*args, "-resp_no_certs"))
+                        rflags |= OCSP_NOCERTS;
+                else if (!strcmp(*args, "-resp_key_id"))
+                        rflags |= OCSP_RESPID_KEY;
+                else if (!strcmp(*args, "-no_certs"))
+                        sign_flags |= OCSP_NOCERTS;
+                else if (!strcmp(*args, "-no_signature_verify"))
+                        verify_flags |= OCSP_NOSIGS;
+                else if (!strcmp(*args, "-no_cert_verify"))
+                        verify_flags |= OCSP_NOVERIFY;
+                else if (!strcmp(*args, "-no_chain"))
+                        verify_flags |= OCSP_NOCHAIN;
+                else if (!strcmp(*args, "-no_cert_checks"))
+                        verify_flags |= OCSP_NOCHECKS;
+                else if (!strcmp(*args, "-no_explicit"))
+                        verify_flags |= OCSP_NOEXPLICIT;
+                else if (!strcmp(*args, "-trust_other"))
+                        verify_flags |= OCSP_TRUSTOTHER;
+                else if (!strcmp(*args, "-no_intern"))
+                        verify_flags |= OCSP_NOINTERN;
+                else if (!strcmp(*args, "-text"))
+                        {
+                        req_text = 1;
+                        resp_text = 1;
+                        }
+                else if (!strcmp(*args, "-req_text"))
+                        req_text = 1;
+                else if (!strcmp(*args, "-resp_text"))
+                        resp_text = 1;
+                else if (!strcmp(*args, "-reqin"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                reqin = *args;
+                                }
+                        else badarg = 1;
+                        }
+                else if (!strcmp(*args, "-respin"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                respin = *args;
+                                }
+                        else badarg = 1;
+                        }
+                else if (!strcmp(*args, "-signer"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                signfile = *args;
+                                }
+                        else badarg = 1;
+                        }
+                else if (!strcmp (*args, "-VAfile"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                verify_certfile = *args;
+                                verify_flags |= OCSP_TRUSTOTHER;
+                                }
+                        else badarg = 1;
+                        }
+                else if (!strcmp(*args, "-sign_other"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                sign_certfile = *args;
+                                }
+                        else badarg = 1;
+                        }
+                else if (!strcmp(*args, "-verify_other"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                verify_certfile = *args;
+                                }
+                        else badarg = 1;
+                        }
+                else if (!strcmp (*args, "-CAfile"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                CAfile = *args;
+                                }
+                        else badarg = 1;
+                        }
+                else if (!strcmp (*args, "-CApath"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                CApath = *args;
+                                }
+                        else badarg = 1;
+                        }
+                else if (!strcmp (*args, "-validity_period"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                nsec = atol(*args);
+                                if (nsec < 0)
+                                        {
+                                        BIO_printf(bio_err,
+                                                "Illegal validity period %s\n",
+                                                *args);
+                                        badarg = 1;
+                                        }
+                                }
+                        else badarg = 1;
+                        }
+                else if (!strcmp (*args, "-status_age"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                maxage = atol(*args);
+                                if (maxage < 0)
+                                        {
+                                        BIO_printf(bio_err,
+                                                "Illegal validity age %s\n",
+                                                *args);
+                                        badarg = 1;
+                                        }
+                                }
+                        else badarg = 1;
+                        }
+                 else if (!strcmp(*args, "-signkey"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                keyfile = *args;
+                                }
+                        else badarg = 1;
+                        }
+                else if (!strcmp(*args, "-reqout"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                reqout = *args;
+                                }
+                        else badarg = 1;
+                        }
+                else if (!strcmp(*args, "-respout"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                respout = *args;
+                                }
+                        else badarg = 1;
+                        }
+                 else if (!strcmp(*args, "-path"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                path = *args;
+                                }
+                        else badarg = 1;
+                        }
+                else if (!strcmp(*args, "-issuer"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                X509_free(issuer);
+                                issuer = load_cert(bio_err, *args, FORMAT_PEM,
+                                        NULL, e, "issuer certificate");
+                                if(!issuer) goto end;
+                                }
+                        else badarg = 1;
+                        }
+                else if (!strcmp (*args, "-cert"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                X509_free(cert);
+                                cert = load_cert(bio_err, *args, FORMAT_PEM,
+                                        NULL, e, "certificate");
+                                if(!cert) goto end;
+                                if(!add_ocsp_cert(&req, cert, issuer, ids))
+                                        goto end;
+                                if(!sk_push(reqnames, *args))
+                                        goto end;
+                                }
+                        else badarg = 1;
+                        }
+                else if (!strcmp(*args, "-serial"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                if(!add_ocsp_serial(&req, *args, issuer, ids))
+                                        goto end;
+                                if(!sk_push(reqnames, *args))
+                                        goto end;
+                                }
+                        else badarg = 1;
+                        }
+                else if (!strcmp(*args, "-index"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                ridx_filename = *args;
+                                }
+                        else badarg = 1;
+                        }
+                else if (!strcmp(*args, "-CA"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                rca_filename = *args;
+                                }
+                        else badarg = 1;
+                        }
+                else if (!strcmp (*args, "-nmin"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                nmin = atol(*args);
+                                if (nmin < 0)
+                                        {
+                                        BIO_printf(bio_err,
+                                                "Illegal update period %s\n",
+                                                *args);
+                                        badarg = 1;
+                                        }
+                                }
+                                if (ndays == -1)
+                                        ndays = 0;
+                        else badarg = 1;
+                        }
+                else if (!strcmp (*args, "-nrequest"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                accept_count = atol(*args);
+                                if (accept_count < 0)
+                                        {
+                                        BIO_printf(bio_err,
+                                                "Illegal accept count %s\n",
+                                                *args);
+                                        badarg = 1;
+                                        }
+                                }
+                        else badarg = 1;
+                        }
+                else if (!strcmp (*args, "-ndays"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                ndays = atol(*args);
+                                if (ndays < 0)
+                                        {
+                                        BIO_printf(bio_err,
+                                                "Illegal update period %s\n",
+                                                *args);
+                                        badarg = 1;
+                                        }
+                                }
+                        else badarg = 1;
+                        }
+                else if (!strcmp(*args, "-rsigner"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                rsignfile = *args;
+                                }
+                        else badarg = 1;
+                        }
+                else if (!strcmp(*args, "-rkey"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                rkeyfile = *args;
+                                }
+                        else badarg = 1;
+                        }
+                else if (!strcmp(*args, "-rother"))
+                        {
+                        if (args[1])
+                                {
+                                args++;
+                                rcertfile = *args;
+                                }
+                        else badarg = 1;
+                        }
+                else badarg = 1;
+                args++;
+                }
+
+        /* Have we anything to do? */
+        if (!req && !reqin && !respin && !(port && ridx_filename)) badarg = 1;
+
+        if (badarg)
+                {
+                BIO_printf (bio_err, "OCSP utility\n");
+                BIO_printf (bio_err, "Usage ocsp [options]\n");
+                BIO_printf (bio_err, "where options are\n");
+                BIO_printf (bio_err, "-out file          output filename\n");
+                BIO_printf (bio_err, "-issuer file       issuer certificate\n");
+                BIO_printf (bio_err, "-cert file         certificate to check\n");
+                BIO_printf (bio_err, "-serial n          serial number to check\n");
+                BIO_printf (bio_err, "-signer file       certificate to sign OCSP request with\n");
+                BIO_printf (bio_err, "-signkey file      private key to sign OCSP request with\n");
+                BIO_printf (bio_err, "-sign_certs file   additional certificates to include in signed request\n");
+                BIO_printf (bio_err, "-no_certs          don't include any certificates in signed request\n");
+                BIO_printf (bio_err, "-req_text          print text form of request\n");
+                BIO_printf (bio_err, "-resp_text         print text form of response\n");
+                BIO_printf (bio_err, "-text              print text form of request and response\n");
+                BIO_printf (bio_err, "-reqout file       write DER encoded OCSP request to \"file\"\n");
+                BIO_printf (bio_err, "-respout file      write DER encoded OCSP reponse to \"file\"\n");
+                BIO_printf (bio_err, "-reqin file        read DER encoded OCSP request from \"file\"\n");
+                BIO_printf (bio_err, "-respin file       read DER encoded OCSP reponse from \"file\"\n");
+                BIO_printf (bio_err, "-nonce             add OCSP nonce to request\n");
+                BIO_printf (bio_err, "-no_nonce          don't add OCSP nonce to request\n");
+                BIO_printf (bio_err, "-url URL           OCSP responder URL\n");
+                BIO_printf (bio_err, "-host host:n       send OCSP request to host on port n\n");
+                BIO_printf (bio_err, "-path              path to use in OCSP request\n");
+                BIO_printf (bio_err, "-CApath dir        trusted certificates directory\n");
+                BIO_printf (bio_err, "-CAfile file       trusted certificates file\n");
+                BIO_printf (bio_err, "-VAfile file       validator certificates file\n");
+                BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
+                BIO_printf (bio_err, "-status_age n      maximum status age in seconds\n");
+                BIO_printf (bio_err, "-noverify          don't verify response at all\n");
+                BIO_printf (bio_err, "-verify_certs file additional certificates to search for signer\n");
+                BIO_printf (bio_err, "-trust_other       don't verify additional certificates\n");
+                BIO_printf (bio_err, "-no_intern         don't search certificates contained in response for signer\n");
+                BIO_printf (bio_err, "-no_sig_verify     don't check signature on response\n");
+                BIO_printf (bio_err, "-no_cert_verify    don't check signing certificate\n");
+                BIO_printf (bio_err, "-no_chain          don't chain verify response\n");
+                BIO_printf (bio_err, "-no_cert_checks    don't do additional checks on signing certificate\n");
+                BIO_printf (bio_err, "-port num          port to run responder on\n");
+                BIO_printf (bio_err, "-index file        certificate status index file\n");
+                BIO_printf (bio_err, "-CA file           CA certificate\n");
+                BIO_printf (bio_err, "-rsigner file      responder certificate to sign requests with\n");
+                BIO_printf (bio_err, "-rkey file         responder key to sign requests with\n");
+                BIO_printf (bio_err, "-rother file       other certificates to include in response\n");
+                BIO_printf (bio_err, "-resp_no_certs     don't include any certificates in response\n");
+                BIO_printf (bio_err, "-nmin n            number of minutes before next update\n");
+                BIO_printf (bio_err, "-ndays n           number of days before next update\n");
+                BIO_printf (bio_err, "-resp_key_id       identify reponse by signing certificate key ID\n");
+                BIO_printf (bio_err, "-nrequest n        number of requests to accept (default unlimited)\n");
+                goto end;
+                }
+
+        if(outfile) out = BIO_new_file(outfile, "w");
+        else out = BIO_new_fp(stdout, BIO_NOCLOSE);
+
+        if(!out)
+                {
+                BIO_printf(bio_err, "Error opening output file\n");
+                goto end;
+                }
+
+        if (!req && (add_nonce != 2)) add_nonce = 0;
+
+        if (!req && reqin)
+                {
+                derbio = BIO_new_file(reqin, "rb");
+                if (!derbio)
+                        {
+                        BIO_printf(bio_err, "Error Opening OCSP request file\n");
+                        goto end;
+                        }
+                req = d2i_OCSP_REQUEST_bio(derbio, NULL);
+                BIO_free(derbio);
+                if(!req)
+                        {
+                        BIO_printf(bio_err, "Error reading OCSP request\n");
+                        goto end;
+                        }
+                }
+
+        if (!req && port)
+                {
+                acbio = init_responder(port);
+                if (!acbio)
+                        goto end;
+                }
+
+        if (rsignfile && !rdb)
+                {
+                if (!rkeyfile) rkeyfile = rsignfile;
+                rsigner = load_cert(bio_err, rsignfile, FORMAT_PEM,
+                        NULL, e, "responder certificate");
+                if (!rsigner)
+                        {
+                        BIO_printf(bio_err, "Error loading responder certificate\n");
+                        goto end;
+                        }
+                rca_cert = load_cert(bio_err, rca_filename, FORMAT_PEM,
+                        NULL, e, "CA certificate");
+                if (rcertfile)
+                        {
+                        rother = load_certs(bio_err, sign_certfile, FORMAT_PEM,
+                                NULL, e, "responder other certificates");
+                        if (!sign_other) goto end;
+                        }
+                rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, NULL, NULL,
+                        "responder private key");
+                if (!rkey)
+                        goto end;
+                }
+        if(acbio)
+                BIO_printf(bio_err, "Waiting for OCSP client connections...\n");
+
+        redo_accept:
+
+        if (acbio)
+                {
+                if (!do_responder(&req, &cbio, acbio, port))
+                        goto end;
+                if (!req)
+                        {
+                        resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
+                        send_ocsp_response(cbio, resp);
+                        goto done_resp;
+                        }
+                }
+
+        if (!req && (signfile || reqout || host || add_nonce || ridx_filename))
+                {
+                BIO_printf(bio_err, "Need an OCSP request for this operation!\n");
+                goto end;
+                }
+
+        if (req && add_nonce) OCSP_request_add1_nonce(req, NULL, -1);
+
+        if (signfile)
+                {
+                if (!keyfile) keyfile = signfile;
+                signer = load_cert(bio_err, signfile, FORMAT_PEM,
+                        NULL, e, "signer certificate");
+                if (!signer)
+                        {
+                        BIO_printf(bio_err, "Error loading signer certificate\n");
+                        goto end;
+                        }
+                if (sign_certfile)
+                        {
+                        sign_other = load_certs(bio_err, sign_certfile, FORMAT_PEM,
+                                NULL, e, "signer certificates");
+                        if (!sign_other) goto end;
+                        }
+                key = load_key(bio_err, keyfile, FORMAT_PEM, NULL, NULL,
+                        "signer private key");
+                if (!key)
+                        goto end;
+                if (!OCSP_request_sign(req, signer, key, EVP_sha1(), sign_other, sign_flags))
+                        {
+                        BIO_printf(bio_err, "Error signing OCSP request\n");
+                        goto end;
+                        }
+                }
+
+        if (req_text && req) OCSP_REQUEST_print(out, req, 0);
+
+        if (ridx_filename && (!rkey || !rsigner || !rca_cert))
+                {
+                BIO_printf(bio_err, "Need a responder certificate, key and CA for this operation!\n");
+                goto end;
+                }
+
+        if (ridx_filename && !rdb)
+                {
+                BIO *db_bio = NULL;
+                db_bio = BIO_new_file(ridx_filename, "r");
+                if (!db_bio)
+                        {
+                        BIO_printf(bio_err, "Error opening index file %s\n", ridx_filename);
+                        goto end;
+                        }
+                rdb = TXT_DB_read(db_bio, DB_NUMBER);
+                BIO_free(db_bio);
+                if (!rdb)
+                        {
+                        BIO_printf(bio_err, "Error reading index file %s\n", ridx_filename);
+                        goto end;
+                        }
+                if (!make_serial_index(rdb))
+                        goto end;
+                }
+
+        if (rdb)
+                {
+                i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey, rother, rflags, nmin, ndays);
+                if (cbio)
+                        send_ocsp_response(cbio, resp);
+                }
+        else if (host)
+                {
+                cbio = BIO_new_connect(host);
+                if (!cbio)
+                        {
+                        BIO_printf(bio_err, "Error creating connect BIO\n");
+                        goto end;
+                        }
+                if (port) BIO_set_conn_port(cbio, port);
+                if (use_ssl == 1)
+                        {
+                        BIO *sbio;
+                        ctx = SSL_CTX_new(SSLv23_client_method());
+                        SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
+                        sbio = BIO_new_ssl(ctx, 1);
+                        cbio = BIO_push(sbio, cbio);
+                        }
+                if (BIO_do_connect(cbio) <= 0)
+                        {
+                        BIO_printf(bio_err, "Error connecting BIO\n");
+                        goto end;
+                        }
+                resp = OCSP_sendreq_bio(cbio, path, req);
+                BIO_free_all(cbio);
+                cbio = NULL;
+                if (!resp)
+                        {
+                        BIO_printf(bio_err, "Error querying OCSP responsder\n");
+                        goto end;
+                        }
+                }
+        else if (respin)
+                {
+                derbio = BIO_new_file(respin, "rb");
+                if (!derbio)
+                        {
+                        BIO_printf(bio_err, "Error Opening OCSP response file\n");
+                        goto end;
+                        }
+                resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
+                BIO_free(derbio);
+                if(!resp)
+                        {
+                        BIO_printf(bio_err, "Error reading OCSP response\n");
+                        goto end;
+                        }
+        
+                }
+        else
+                {
+                ret = 0;
+                goto end;
+                }
+
+        done_resp:
+
+        if (respout)
+                {
+                derbio = BIO_new_file(respout, "wb");
+                if(!derbio)
+                        {
+                        BIO_printf(bio_err, "Error opening file %s\n", respout);
+                        goto end;
+                        }
+                i2d_OCSP_RESPONSE_bio(derbio, resp);
+                BIO_free(derbio);
+                }
+
+        i = OCSP_response_status(resp);
+
+        if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL)
+                {
+                BIO_printf(out, "Responder Error: %s (%ld)\n",
+                                OCSP_response_status_str(i), i);
+                ret = 0;
+                goto end;
+                }
+
+        if (resp_text) OCSP_RESPONSE_print(out, resp, 0);
+
+        /* If running as responder don't verify our own response */
+        if (cbio)
+                {
+                if (accept_count > 0)
+                        accept_count--;
+                /* Redo if more connections needed */
+                if (accept_count)
+                        {
+                        BIO_free_all(cbio);
+                        cbio = NULL;
+                        OCSP_REQUEST_free(req);
+                        req = NULL;
+                        OCSP_RESPONSE_free(resp);
+                        resp = NULL;
+                        goto redo_accept;
+                        }
+                goto end;
+                }
+
+        if (!store)
+                store = setup_verify(bio_err, CAfile, CApath);
+        if (verify_certfile)
+                {
+                verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
+                        NULL, e, "validator certificate");
+                if (!verify_other) goto end;
+                }
+
+        bs = OCSP_response_get1_basic(resp);
+
+        if (!bs)
+                {
+                BIO_printf(bio_err, "Error parsing response\n");
+                goto end;
+                }
+
+        if (!noverify)
+                {
+                if (req && ((i = OCSP_check_nonce(req, bs)) <= 0))
+                        {
+                        if (i == -1)
+                                BIO_printf(bio_err, "WARNING: no nonce in response\n");
+                        else
+                                {
+                                BIO_printf(bio_err, "Nonce Verify error\n");
+                                goto end;
+                                }
+                        }
+
+                i = OCSP_basic_verify(bs, verify_other, store, verify_flags);
+                if (i < 0) i = OCSP_basic_verify(bs, NULL, store, 0);
+
+                if(i <= 0)
+                        {
+                        BIO_printf(bio_err, "Response Verify Failure\n", i);
+                        ERR_print_errors(bio_err);
+                        }
+                else
+                        BIO_printf(bio_err, "Response verify OK\n");
+
+                }
+
+        if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage))
+                goto end;
+
+        ret = 0;
+
+end:
+        ERR_print_errors(bio_err);
+        X509_free(signer);
+        X509_STORE_free(store);
+        EVP_PKEY_free(key);
+        EVP_PKEY_free(rkey);
+        X509_free(issuer);
+        X509_free(cert);
+        X509_free(rsigner);
+        X509_free(rca_cert);
+        TXT_DB_free(rdb);
+        BIO_free_all(cbio);
+        BIO_free_all(acbio);
+        BIO_free(out);
+        OCSP_REQUEST_free(req);
+        OCSP_RESPONSE_free(resp);
+        OCSP_BASICRESP_free(bs);
+        sk_free(reqnames);
+        sk_OCSP_CERTID_free(ids);
+        sk_X509_pop_free(sign_other, X509_free);
+        sk_X509_pop_free(verify_other, X509_free);
+
+        if (use_ssl != -1)
+                {
+                OPENSSL_free(host);
+                OPENSSL_free(port);
+                OPENSSL_free(path);
+                SSL_CTX_free(ctx);
+                }
+
+        EXIT(ret);
+}
+
+static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
+                                STACK_OF(OCSP_CERTID) *ids)
+        {
+        OCSP_CERTID *id;
+        if(!issuer)
+                {
+                BIO_printf(bio_err, "No issuer certificate specified\n");
+                return 0;
+                }
+        if(!*req) *req = OCSP_REQUEST_new();
+        if(!*req) goto err;
+        id = OCSP_cert_to_id(NULL, cert, issuer);
+        if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err;
+        if(!OCSP_request_add0_id(*req, id)) goto err;
+        return 1;
+
+        err:
+        BIO_printf(bio_err, "Error Creating OCSP request\n");
+        return 0;
+        }
+
+static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer,
+                                STACK_OF(OCSP_CERTID) *ids)
+        {
+        OCSP_CERTID *id;
+        X509_NAME *iname;
+        ASN1_BIT_STRING *ikey;
+        ASN1_INTEGER *sno;
+        if(!issuer)
+                {
+                BIO_printf(bio_err, "No issuer certificate specified\n");
+                return 0;
+                }
+        if(!*req) *req = OCSP_REQUEST_new();
+        if(!*req) goto err;
+        iname = X509_get_subject_name(issuer);
+        ikey = X509_get0_pubkey_bitstr(issuer);
+        sno = s2i_ASN1_INTEGER(NULL, serial);
+        if(!sno)
+                {
+                BIO_printf(bio_err, "Error converting serial number %s\n", serial);
+                return 0;
+                }
+        id = OCSP_cert_id_new(EVP_sha1(), iname, ikey, sno);
+        ASN1_INTEGER_free(sno);
+        if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err;
+        if(!OCSP_request_add0_id(*req, id)) goto err;
+        return 1;
+
+        err:
+        BIO_printf(bio_err, "Error Creating OCSP request\n");
+        return 0;
+        }
+
+static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
+                                        STACK *names, STACK_OF(OCSP_CERTID) *ids,
+                                        long nsec, long maxage)
+        {
+        OCSP_CERTID *id;
+        char *name;
+        int i;
+
+        int status, reason;
+
+        ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
+
+        if (!bs || !req || !sk_num(names) || !sk_OCSP_CERTID_num(ids))
+                return 1;
+
+        for (i = 0; i < sk_OCSP_CERTID_num(ids); i++)
+                {
+                id = sk_OCSP_CERTID_value(ids, i);
+                name = sk_value(names, i);
+                BIO_printf(out, "%s: ", name);
+
+                if(!OCSP_resp_find_status(bs, id, &status, &reason,
+                                        &rev, &thisupd, &nextupd))
+                        {
+                        BIO_puts(out, "ERROR: No Status found.\n");
+                        continue;
+                        }
+
+                /* Check validity: if invalid write to output BIO so we
+                 * know which response this refers to.
+                 */
+                if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage))
+                        {
+                        BIO_puts(out, "WARNING: Status times invalid.\n");
+                        ERR_print_errors(out);
+                        }
+                BIO_printf(out, "%s\n", OCSP_cert_status_str(status));
+
+                BIO_puts(out, "\tThis Update: ");
+                ASN1_GENERALIZEDTIME_print(out, thisupd);
+                BIO_puts(out, "\n");
+
+                if(nextupd)
+                        {
+                        BIO_puts(out, "\tNext Update: ");
+                        ASN1_GENERALIZEDTIME_print(out, nextupd);
+                        BIO_puts(out, "\n");
+                        }
+
+                if (status != V_OCSP_CERTSTATUS_REVOKED)
+                        continue;
+
+                if (reason != -1)
+                        BIO_printf(out, "\tReason: %s\n",
+                                OCSP_crl_reason_str(reason));
+
+                BIO_puts(out, "\tRevocation Time: ");
+                ASN1_GENERALIZEDTIME_print(out, rev);
+                BIO_puts(out, "\n");
+                }
+
+        return 1;
+        }
+
+
+static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, TXT_DB *db,
+                        X509 *ca, X509 *rcert, EVP_PKEY *rkey,
+                        STACK_OF(X509) *rother, unsigned long flags,
+                        int nmin, int ndays)
+        {
+        ASN1_TIME *thisupd = NULL, *nextupd = NULL;
+        OCSP_CERTID *cid, *ca_id = NULL;
+        OCSP_BASICRESP *bs = NULL;
+        int i, id_count, ret = 1;
+
+
+        id_count = OCSP_request_onereq_count(req);
+
+        if (id_count <= 0)
+                {
+                *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
+                goto end;
+                }
+
+        ca_id = OCSP_cert_to_id(EVP_sha1(), NULL, ca);
+
+        bs = OCSP_BASICRESP_new();
+        thisupd = X509_gmtime_adj(NULL, 0);
+        if (ndays != -1)
+                nextupd = X509_gmtime_adj(NULL, nmin * 60 + ndays * 3600 * 24 );
+
+        /* Examine each certificate id in the request */
+        for (i = 0; i < id_count; i++)
+                {
+                OCSP_ONEREQ *one;
+                ASN1_INTEGER *serial;
+                char **inf;
+                one = OCSP_request_onereq_get0(req, i);
+                cid = OCSP_onereq_get0_id(one);
+                /* Is this request about our CA? */
+                if (OCSP_id_issuer_cmp(ca_id, cid))
+                        {
+                        OCSP_basic_add1_status(bs, cid,
+                                                V_OCSP_CERTSTATUS_UNKNOWN,
+                                                0, NULL,
+                                                thisupd, nextupd);
+                        continue;
+                        }
+                OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid);
+                inf = lookup_serial(db, serial);
+                if (!inf)
+                        OCSP_basic_add1_status(bs, cid,
+                                                V_OCSP_CERTSTATUS_UNKNOWN,
+                                                0, NULL,
+                                                thisupd, nextupd);
+                else if (inf[DB_type][0] == DB_TYPE_VAL)
+                        OCSP_basic_add1_status(bs, cid,
+                                                V_OCSP_CERTSTATUS_GOOD,
+                                                0, NULL,
+                                                thisupd, nextupd);
+                else if (inf[DB_type][0] == DB_TYPE_REV)
+                        {
+                        ASN1_OBJECT *inst = NULL;
+                        ASN1_TIME *revtm = NULL;
+                        ASN1_GENERALIZEDTIME *invtm = NULL;
+                        OCSP_SINGLERESP *single;
+                        int reason = -1;
+                        unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]);
+                        single = OCSP_basic_add1_status(bs, cid,
+                                                V_OCSP_CERTSTATUS_REVOKED,
+                                                reason, revtm,
+                                                thisupd, nextupd);
+                        if (invtm)
+                                OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0);
+                        else if (inst)
+                                OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0);
+                        ASN1_OBJECT_free(inst);
+                        ASN1_TIME_free(revtm);
+                        ASN1_GENERALIZEDTIME_free(invtm);
+                        }
+                }
+
+        OCSP_copy_nonce(bs, req);
+                
+        OCSP_basic_sign(bs, rcert, rkey, EVP_sha1(), rother, flags);
+
+        *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
+
+        end:
+        ASN1_TIME_free(thisupd);
+        ASN1_TIME_free(nextupd);
+        OCSP_CERTID_free(ca_id);
+        OCSP_BASICRESP_free(bs);
+        return ret;
+
+        }
+
+static char **lookup_serial(TXT_DB *db, ASN1_INTEGER *ser)
+        {
+        int i;
+        BIGNUM *bn = NULL;
+        char *itmp, *row[DB_NUMBER],**rrow;
+        for (i = 0; i < DB_NUMBER; i++) row[i] = NULL;
+        bn = ASN1_INTEGER_to_BN(ser,NULL);
+        itmp = BN_bn2hex(bn);
+        row[DB_serial] = itmp;
+        BN_free(bn);
+        rrow=TXT_DB_get_by_index(db,DB_serial,row);
+        OPENSSL_free(itmp);
+        return rrow;
+        }
+
+/* Quick and dirty OCSP server: read in and parse input request */
+
+static BIO *init_responder(char *port)
+        {
+        BIO *acbio = NULL, *bufbio = NULL;
+        bufbio = BIO_new(BIO_f_buffer());
+        if (!bufbio) 
+                goto err;
+        acbio = BIO_new_accept(port);
+        if (!acbio)
+                goto err;
+        BIO_set_accept_bios(acbio, bufbio);
+        bufbio = NULL;
+
+        if (BIO_do_accept(acbio) <= 0)
+                {
+                        BIO_printf(bio_err, "Error setting up accept BIO\n");
+                        ERR_print_errors(bio_err);
+                        goto err;
+                }
+
+        return acbio;
+
+        err:
+        BIO_free_all(acbio);
+        BIO_free(bufbio);
+        return NULL;
+        }
+
+static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port)
+        {
+        int have_post = 0, len;
+        OCSP_REQUEST *req = NULL;
+        char inbuf[1024];
+        BIO *cbio = NULL;
+
+        if (BIO_do_accept(acbio) <= 0)
+                {
+                        BIO_printf(bio_err, "Error accepting connection\n");
+                        ERR_print_errors(bio_err);
+                        return 0;
+                }
+
+        cbio = BIO_pop(acbio);
+        *pcbio = cbio;
+
+        for(;;)
+                {
+                len = BIO_gets(cbio, inbuf, 1024);
+                if (len <= 0)
+                        return 1;
+                /* Look for "POST" signalling start of query */
+                if (!have_post)
+                        {
+                        if(strncmp(inbuf, "POST", 4))
+                                {
+                                BIO_printf(bio_err, "Invalid request\n");
+                                return 1;
+                                }
+                        have_post = 1;
+                        }
+                /* Look for end of headers */
+                if ((inbuf[0] == '\r') || (inbuf[0] == '\n'))
+                        break;
+                }
+
+        /* Try to read OCSP request */
+
+        req = d2i_OCSP_REQUEST_bio(cbio, NULL);
+
+        if (!req)
+                {
+                BIO_printf(bio_err, "Error parsing OCSP request\n");
+                ERR_print_errors(bio_err);
+                }
+
+        *preq = req;
+
+        return 1;
+
+        }
+
+static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
+        {
+        char http_resp[] = 
+                "HTTP/1.0 200 OK\r\nContent-type: application/ocsp-response\r\n"
+                "Content-Length: %d\r\n\r\n";
+        if (!cbio)
+                return 0;
+        BIO_printf(cbio, http_resp, i2d_OCSP_RESPONSE(resp, NULL));
+        i2d_OCSP_RESPONSE_bio(cbio, resp);
+        BIO_flush(cbio);
+        return 1;
+        }
+
diff --git a/src/lib/libssl/src/apps/oid.cnf b/src/lib/libssl/src/apps/oid.cnf
new file mode 100644
index 0000000000..faf425a156
--- /dev/null
+++ b/src/lib/libssl/src/apps/oid.cnf
@@ -0,0 +1,6 @@
+2.99999.1       SET.ex1         SET x509v3 extension 1
+2.99999.2       SET.ex2         SET x509v3 extension 2
+2.99999.3       SET.ex3         SET x509v3 extension 3
+2.99999.4       SET.ex4         SET x509v3 extension 4
+2.99999.5       SET.ex5         SET x509v3 extension 5
+2.99999.6       SET.ex6         SET x509v3 extension 6
diff --git a/src/lib/libssl/src/apps/openssl-vms.cnf b/src/lib/libssl/src/apps/openssl-vms.cnf
new file mode 100644
index 0000000000..13d10f21ed
--- /dev/null
+++ b/src/lib/libssl/src/apps/openssl-vms.cnf
@@ -0,0 +1,214 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE                = $ENV::HOME/.rnd
+oid_file                = $ENV::HOME/.oid
+oid_section             = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions            = 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca      = CA_default            # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir             = sys\$disk:[.demoCA    # Where everything is kept
+certs           = $dir.certs]           # Where the issued certs are kept
+crl_dir         = $dir.crl]             # Where the issued crl are kept
+database        = $dir]index.txt        # database index file.
+new_certs_dir   = $dir.newcerts]        # default place for new certs.
+
+certificate     = $dir]cacert.pem       # The CA certificate
+serial          = $dir]serial.          # The current serial number
+crl             = $dir]crl.pem          # The current CRL
+private_key     = $dir.private]cakey.pem# The private key
+RANDFILE        = $dir.private].rand    # private random number file
+
+x509_extensions = usr_cert              # The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions        = crl_ext
+
+default_days    = 365                   # how long to certify for
+default_crl_days= 30                    # how long before next CRL
+default_md      = md5                   # which md to use.
+preserve        = no                    # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy          = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+####################################################################
+[ req ]
+default_bits            = 1024
+default_keyfile         = privkey.pem
+distinguished_name      = req_distinguished_name
+attributes              = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+[ req_distinguished_name ]
+countryName                     = Country Name (2 letter code)
+countryName_default             = AU
+countryName_min                 = 2
+countryName_max                 = 2
+
+stateOrProvinceName             = State or Province Name (full name)
+stateOrProvinceName_default     = Some-State
+
+localityName                    = Locality Name (eg, city)
+
+0.organizationName              = Organization Name (eg, company)
+0.organizationName_default      = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName             = Second Organization Name (eg, company)
+#1.organizationName_default     = World Wide Web Pty Ltd
+
+organizationalUnitName          = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName                      = Common Name (eg, YOUR name)
+commonName_max                  = 64
+
+emailAddress                    = Email Address
+emailAddress_max                = 40
+
+# SET-ex3                       = SET extension number 3
+
+[ req_attributes ]
+challengePassword               = A challenge password
+challengePassword_min           = 4
+challengePassword_max           = 20
+
+unstructuredName                = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType                    = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment                       = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_ca]
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# RAW DER hex encoding of an extension: beware experts only!
+# 1.2.3.5=RAW:02:03
+# You can even override a supported extension:
+# basicConstraints= critical, RAW:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
diff --git a/src/lib/libssl/src/apps/openssl.c b/src/lib/libssl/src/apps/openssl.c
new file mode 100644
index 0000000000..9a337fb316
--- /dev/null
+++ b/src/lib/libssl/src/apps/openssl.c
@@ -0,0 +1,373 @@
+/* apps/openssl.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef DEBUG
+#undef DEBUG
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <openssl/bio.h>
+#include <openssl/crypto.h>
+#include <openssl/lhash.h>
+#include <openssl/conf.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/ssl.h>
+#define SSLEAY  /* turn off a few special case MONOLITH macros */
+#define USE_SOCKETS /* needed for the _O_BINARY defs in the MS world */
+#define SSLEAY_SRC
+#include "apps.h"
+#include "s_apps.h"
+#include <openssl/err.h>
+
+/*
+#ifdef WINDOWS
+#include "bss_file.c"
+#endif
+*/
+
+static unsigned long MS_CALLBACK hash(FUNCTION *a);
+static int MS_CALLBACK cmp(FUNCTION *a,FUNCTION *b);
+static LHASH *prog_init(void );
+static int do_cmd(LHASH *prog,int argc,char *argv[]);
+LHASH *config=NULL;
+char *default_config_file=NULL;
+
+#ifdef DEBUG
+static void sig_stop(int i)
+        {
+        char *a=NULL;
+
+        *a='\0';
+        }
+#endif
+
+/* Make sure there is only one when MONOLITH is defined */
+#ifdef MONOLITH
+BIO *bio_err=NULL;
+#endif
+
+int main(int Argc, char *Argv[])
+        {
+        ARGS arg;
+#define PROG_NAME_SIZE  16
+        char pname[PROG_NAME_SIZE];
+        FUNCTION f,*fp;
+        MS_STATIC char *prompt,buf[1024],config_name[256];
+        int n,i,ret=0;
+        int argc;
+        char **argv,*p;
+        LHASH *prog=NULL;
+        long errline;
+ 
+        arg.data=NULL;
+        arg.count=0;
+
+        /* SSLeay_add_ssl_algorithms(); is called in apps_startup() */
+        apps_startup();
+
+#if defined(DEBUG) && !defined(WINDOWS) && !defined(MSDOS)
+#ifdef SIGBUS
+        signal(SIGBUS,sig_stop);
+#endif
+#ifdef SIGSEGV
+        signal(SIGSEGV,sig_stop);
+#endif
+#endif
+
+        if (bio_err == NULL)
+                if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+                        BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+        CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+
+        ERR_load_crypto_strings();
+
+        /* Lets load up our environment a little */
+        p=getenv("OPENSSL_CONF");
+        if (p == NULL)
+                p=getenv("SSLEAY_CONF");
+        if (p == NULL)
+                {
+                strcpy(config_name,X509_get_default_cert_area());
+#ifndef VMS
+                strcat(config_name,"/");
+#endif
+                strcat(config_name,OPENSSL_CONF);
+                p=config_name;
+                }
+
+        default_config_file=p;
+
+        config=CONF_load(config,p,&errline);
+        if (config == NULL) ERR_clear_error();
+
+        prog=prog_init();
+
+        /* first check the program name */
+        program_name(Argv[0],pname,PROG_NAME_SIZE);
+
+        f.name=pname;
+        fp=(FUNCTION *)lh_retrieve(prog,(char *)&f);
+        if (fp != NULL)
+                {
+                Argv[0]=pname;
+                ret=fp->func(Argc,Argv);
+                goto end;
+                }
+
+        /* ok, now check that there are not arguments, if there are,
+         * run with them, shifting the ssleay off the front */
+        if (Argc != 1)
+                {
+                Argc--;
+                Argv++;
+                ret=do_cmd(prog,Argc,Argv);
+                if (ret < 0) ret=0;
+                goto end;
+                }
+
+        /* ok, lets enter the old 'OpenSSL>' mode */
+        
+        for (;;)
+                {
+                ret=0;
+                p=buf;
+                n=1024;
+                i=0;
+                for (;;)
+                        {
+                        p[0]='\0';
+                        if (i++)
+                                prompt=">";
+                        else    prompt="OpenSSL> ";
+                        fputs(prompt,stdout);
+                        fflush(stdout);
+                        fgets(p,n,stdin);
+                        if (p[0] == '\0') goto end;
+                        i=strlen(p);
+                        if (i <= 1) break;
+                        if (p[i-2] != '\\') break;
+                        i-=2;
+                        p+=i;
+                        n-=i;
+                        }
+                if (!chopup_args(&arg,buf,&argc,&argv)) break;
+
+                ret=do_cmd(prog,argc,argv);
+                if (ret < 0)
+                        {
+                        ret=0;
+                        goto end;
+                        }
+                if (ret != 0)
+                        BIO_printf(bio_err,"error in %s\n",argv[0]);
+                (void)BIO_flush(bio_err);
+                }
+        BIO_printf(bio_err,"bad exit\n");
+        ret=1;
+end:
+        if (config != NULL)
+                {
+                CONF_free(config);
+                config=NULL;
+                }
+        if (prog != NULL) lh_free(prog);
+        if (arg.data != NULL) Free(arg.data);
+        ERR_remove_state(0);
+
+        EVP_cleanup();
+        ERR_free_strings();
+
+        CRYPTO_mem_leaks(bio_err);
+        if (bio_err != NULL)
+                {
+                BIO_free(bio_err);
+                bio_err=NULL;
+                }
+        EXIT(ret);
+        }
+
+#define LIST_STANDARD_COMMANDS "list-standard-commands"
+#define LIST_MESSAGE_DIGEST_COMMANDS "list-message-digest-commands"
+#define LIST_CIPHER_COMMANDS "list-cipher-commands"
+
+static int do_cmd(LHASH *prog, int argc, char *argv[])
+        {
+        FUNCTION f,*fp;
+        int i,ret=1,tp,nl;
+
+        if ((argc <= 0) || (argv[0] == NULL))
+                { ret=0; goto end; }
+        f.name=argv[0];
+        fp=(FUNCTION *)lh_retrieve(prog,(char *)&f);
+        if (fp != NULL)
+                {
+                ret=fp->func(argc,argv);
+                }
+        else if ((strcmp(argv[0],"quit") == 0) ||
+                (strcmp(argv[0],"q") == 0) ||
+                (strcmp(argv[0],"exit") == 0) ||
+                (strcmp(argv[0],"bye") == 0))
+                {
+                ret= -1;
+                goto end;
+                }
+        else if ((strcmp(argv[0],LIST_STANDARD_COMMANDS) == 0) ||
+                (strcmp(argv[0],LIST_MESSAGE_DIGEST_COMMANDS) == 0) ||
+                (strcmp(argv[0],LIST_CIPHER_COMMANDS) == 0))
+                {
+                int list_type;
+                BIO *bio_stdout;
+
+                if (strcmp(argv[0],LIST_STANDARD_COMMANDS) == 0)
+                        list_type = FUNC_TYPE_GENERAL;
+                else if (strcmp(argv[0],LIST_MESSAGE_DIGEST_COMMANDS) == 0)
+                        list_type = FUNC_TYPE_MD;
+                else /* strcmp(argv[0],LIST_CIPHER_COMMANDS) == 0 */
+                        list_type = FUNC_TYPE_CIPHER;
+                bio_stdout = BIO_new_fp(stdout,BIO_NOCLOSE);
+                
+                for (fp=functions; fp->name != NULL; fp++)
+                        if (fp->type == list_type)
+                                BIO_printf(bio_stdout, "%s\n", fp->name);
+                BIO_free(bio_stdout);
+                ret=0;
+                goto end;
+                }
+        else
+                {
+                BIO_printf(bio_err,"openssl:Error: '%s' is an invalid command.\n",
+                        argv[0]);
+                BIO_printf(bio_err, "\nStandard commands");
+                i=0;
+                tp=0;
+                for (fp=functions; fp->name != NULL; fp++)
+                        {
+                        nl=0;
+                        if (((i++) % 5) == 0)
+                                {
+                                BIO_printf(bio_err,"\n");
+                                nl=1;
+                                }
+                        if (fp->type != tp)
+                                {
+                                tp=fp->type;
+                                if (!nl) BIO_printf(bio_err,"\n");
+                                if (tp == FUNC_TYPE_MD)
+                                        {
+                                        i=1;
+                                        BIO_printf(bio_err,
+                                                "\nMessage Digest commands (see the `dgst' command for more details)\n");
+                                        }
+                                else if (tp == FUNC_TYPE_CIPHER)
+                                        {
+                                        i=1;
+                                        BIO_printf(bio_err,"\nCipher commands (see the `enc' command for more details)\n");
+                                        }
+                                }
+                        BIO_printf(bio_err,"%-15s",fp->name);
+                        }
+                BIO_printf(bio_err,"\n\n");
+                ret=0;
+                }
+end:
+        return(ret);
+        }
+
+static int SortFnByName(const void *_f1,const void *_f2)
+    {
+    const FUNCTION *f1=_f1;
+    const FUNCTION *f2=_f2;
+
+    if(f1->type != f2->type)
+        return f1->type-f2->type;
+    return strcmp(f1->name,f2->name);
+    }
+
+static LHASH *prog_init(void)
+        {
+        LHASH *ret;
+        FUNCTION *f;
+        int i;
+
+        /* Purely so it looks nice when the user hits ? */
+        for(i=0,f=functions ; f->name != NULL ; ++f,++i)
+            ;
+        qsort(functions,i,sizeof *functions,SortFnByName);
+
+        if ((ret=lh_new(hash,cmp)) == NULL) return(NULL);
+
+        for (f=functions; f->name != NULL; f++)
+                lh_insert(ret,(char *)f);
+        return(ret);
+        }
+
+static int MS_CALLBACK cmp(FUNCTION *a, FUNCTION *b)
+        {
+        return(strncmp(a->name,b->name,8));
+        }
+
+static unsigned long MS_CALLBACK hash(FUNCTION *a)
+        {
+        return(lh_strhash(a->name));
+        }
+
+#undef SSLEAY
diff --git a/src/lib/libssl/src/apps/openssl.cnf b/src/lib/libssl/src/apps/openssl.cnf
new file mode 100644
index 0000000000..d70dd25622
--- /dev/null
+++ b/src/lib/libssl/src/apps/openssl.cnf
@@ -0,0 +1,214 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE                = $ENV::HOME/.rnd
+oid_file                = $ENV::HOME/.oid
+oid_section             = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions            = 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca      = CA_default            # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir             = ./demoCA              # Where everything is kept
+certs           = $dir/certs            # Where the issued certs are kept
+crl_dir         = $dir/crl              # Where the issued crl are kept
+database        = $dir/index.txt        # database index file.
+new_certs_dir   = $dir/newcerts         # default place for new certs.
+
+certificate     = $dir/cacert.pem       # The CA certificate
+serial          = $dir/serial           # The current serial number
+crl             = $dir/crl.pem          # The current CRL
+private_key     = $dir/private/cakey.pem# The private key
+RANDFILE        = $dir/private/.rand    # private random number file
+
+x509_extensions = usr_cert              # The extentions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions        = crl_ext
+
+default_days    = 365                   # how long to certify for
+default_crl_days= 30                    # how long before next CRL
+default_md      = md5                   # which md to use.
+preserve        = no                    # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy          = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+####################################################################
+[ req ]
+default_bits            = 1024
+default_keyfile         = privkey.pem
+distinguished_name      = req_distinguished_name
+attributes              = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+[ req_distinguished_name ]
+countryName                     = Country Name (2 letter code)
+countryName_default             = AU
+countryName_min                 = 2
+countryName_max                 = 2
+
+stateOrProvinceName             = State or Province Name (full name)
+stateOrProvinceName_default     = Some-State
+
+localityName                    = Locality Name (eg, city)
+
+0.organizationName              = Organization Name (eg, company)
+0.organizationName_default      = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName             = Second Organization Name (eg, company)
+#1.organizationName_default     = World Wide Web Pty Ltd
+
+organizationalUnitName          = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName                      = Common Name (eg, YOUR name)
+commonName_max                  = 64
+
+emailAddress                    = Email Address
+emailAddress_max                = 40
+
+# SET-ex3                       = SET extension number 3
+
+[ req_attributes ]
+challengePassword               = A challenge password
+challengePassword_min           = 4
+challengePassword_max           = 20
+
+unstructuredName                = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType                    = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment                       = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_ca ]
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# RAW DER hex encoding of an extension: beware experts only!
+# 1.2.3.5=RAW:02:03
+# You can even override a supported extension:
+# basicConstraints= critical, RAW:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
diff --git a/src/lib/libssl/src/apps/passwd.c b/src/lib/libssl/src/apps/passwd.c
new file mode 100644
index 0000000000..c7e21d2081
--- /dev/null
+++ b/src/lib/libssl/src/apps/passwd.c
@@ -0,0 +1,475 @@
+/* apps/passwd.c */
+
+#if defined NO_MD5 || defined CHARSET_EBCDIC
+# define NO_APR1
+#endif
+
+#if !defined(NO_DES) || !defined(NO_APR1)
+
+#include <assert.h>
+#include <string.h>
+
+#include "apps.h"
+
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+
+#ifndef NO_DES
+# include <openssl/des.h>
+#endif
+#ifndef NO_APR1
+# include <openssl/md5.h>
+#endif
+
+
+#undef PROG
+#define PROG passwd_main
+
+
+static unsigned const char cov_2char[64]={
+        /* from crypto/des/fcrypt.c */
+        0x2E,0x2F,0x30,0x31,0x32,0x33,0x34,0x35,
+        0x36,0x37,0x38,0x39,0x41,0x42,0x43,0x44,
+        0x45,0x46,0x47,0x48,0x49,0x4A,0x4B,0x4C,
+        0x4D,0x4E,0x4F,0x50,0x51,0x52,0x53,0x54,
+        0x55,0x56,0x57,0x58,0x59,0x5A,0x61,0x62,
+        0x63,0x64,0x65,0x66,0x67,0x68,0x69,0x6A,
+        0x6B,0x6C,0x6D,0x6E,0x6F,0x70,0x71,0x72,
+        0x73,0x74,0x75,0x76,0x77,0x78,0x79,0x7A
+};
+
+static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
+        char *passwd, BIO *out, int quiet, int table, int reverse,
+        size_t pw_maxlen, int usecrypt, int useapr1);
+
+/* -crypt        - standard Unix password algorithm (default, only choice)
+ * -apr1         - MD5-based password algorithm
+ * -salt string  - salt
+ * -in file      - read passwords from file
+ * -stdin        - read passwords from stdin
+ * -quiet        - no warnings
+ * -table        - format output as table
+ * -reverse      - switch table columns
+ */
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+        {
+        int ret = 1;
+        char *infile = NULL;
+        int in_stdin = 0;
+        char *salt = NULL, *passwd = NULL, **passwds = NULL;
+        char *salt_malloc = NULL, *passwd_malloc = NULL;
+        int pw_source_defined = 0;
+        BIO *in = NULL, *out = NULL;
+        int i, badopt, opt_done;
+        int passed_salt = 0, quiet = 0, table = 0, reverse = 0;
+        int usecrypt = 0, useapr1 = 0;
+        size_t pw_maxlen = 0;
+
+        apps_startup();
+
+        if (bio_err == NULL)
+                if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+                        BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+        out = BIO_new(BIO_s_file());
+        if (out == NULL)
+                goto err;
+        BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
+
+        badopt = 0, opt_done = 0;
+        i = 0;
+        while (!badopt && !opt_done && argv[++i] != NULL)
+                {
+                if (strcmp(argv[i], "-crypt") == 0)
+                        usecrypt = 1;
+                else if (strcmp(argv[i], "-apr1") == 0)
+                        useapr1 = 1;
+                else if (strcmp(argv[i], "-salt") == 0)
+                        {
+                        if ((argv[i+1] != NULL) && (salt == NULL))
+                                {
+                                passed_salt = 1;
+                                salt = argv[++i];
+                                }
+                        else
+                                badopt = 1;
+                        }
+                else if (strcmp(argv[i], "-in") == 0)
+                        {
+                        if ((argv[i+1] != NULL) && !pw_source_defined)
+                                {
+                                pw_source_defined = 1;
+                                infile = argv[++i];
+                                }
+                        else
+                                badopt = 1;
+                        }
+                else if (strcmp(argv[i], "-stdin") == 0)
+                        {
+                        if (!pw_source_defined)
+                                {
+                                pw_source_defined = 1;
+                                in_stdin = 1;
+                                }
+                        else
+                                badopt = 1;
+                        }
+                else if (strcmp(argv[i], "-quiet") == 0)
+                        quiet = 1;
+                else if (strcmp(argv[i], "-table") == 0)
+                        table = 1;
+                else if (strcmp(argv[i], "-reverse") == 0)
+                        reverse = 1;
+                else if (argv[i][0] == '-')
+                        badopt = 1;
+                else if (!pw_source_defined)
+                        /* non-option arguments, use as passwords */
+                        {
+                        pw_source_defined = 1;
+                        passwds = &argv[i];
+                        opt_done = 1;
+                        }
+                else
+                        badopt = 1;
+                }
+
+        if (!usecrypt && !useapr1) /* use default */
+                usecrypt = 1;
+        if (usecrypt + useapr1 > 1) /* conflict */
+                badopt = 1;
+
+        /* reject unsupported algorithms */
+#ifdef NO_DES
+        if (usecrypt) badopt = 1;
+#endif
+#ifdef NO_APR1
+        if (useapr1) badopt = 1;
+#endif
+
+        if (badopt) 
+                {
+                BIO_printf(bio_err, "Usage: passwd [options] [passwords]\n");
+                BIO_printf(bio_err, "where options are\n");
+#ifndef NO_DES
+                BIO_printf(bio_err, "-crypt             standard Unix password algorithm (default)\n");
+#endif
+#ifndef NO_APR1
+                BIO_printf(bio_err, "-apr1              MD5-based password algorithm\n");
+#endif
+                BIO_printf(bio_err, "-salt string       use provided salt\n");
+                BIO_printf(bio_err, "-in file           read passwords from file\n");
+                BIO_printf(bio_err, "-stdin             read passwords from stdin\n");
+                BIO_printf(bio_err, "-quiet             no warnings\n");
+                BIO_printf(bio_err, "-table             format output as table\n");
+                BIO_printf(bio_err, "-reverse           switch table columns\n");
+                
+                goto err;
+                }
+
+        if ((infile != NULL) || in_stdin)
+                {
+                in = BIO_new(BIO_s_file());
+                if (in == NULL)
+                        goto err;
+                if (infile != NULL)
+                        {
+                        assert(in_stdin == 0);
+                        if (BIO_read_filename(in, infile) <= 0)
+                                goto err;
+                        }
+                else
+                        {
+                        assert(in_stdin);
+                        BIO_set_fp(in, stdin, BIO_NOCLOSE);
+                        }
+                }
+        
+        if (usecrypt)
+                pw_maxlen = 8;
+        else if (useapr1)
+                pw_maxlen = 256; /* arbitrary limit, should be enough for most passwords */
+
+        if (passwds == NULL)
+                {
+                /* no passwords on the command line */
+                passwd = passwd_malloc = Malloc(pw_maxlen + 1);
+                if (passwd_malloc == NULL)
+                        goto err;
+                }
+
+        if ((in == NULL) && (passwds == NULL))
+                {
+                /* build a null-terminated list */
+                static char *passwds_static[2] = {NULL, NULL};
+                
+                passwds = passwds_static;
+                if (in == NULL)
+                        if (EVP_read_pw_string(passwd_malloc, pw_maxlen + 1, "Password: ", 0) != 0)
+                                goto err;
+                passwds[0] = passwd_malloc;
+                }
+
+        if (in == NULL)
+                {
+                assert(passwds != NULL);
+                assert(*passwds != NULL);
+                
+                do /* loop over list of passwords */
+                        {
+                        passwd = *passwds++;
+                        if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, out,
+                                quiet, table, reverse, pw_maxlen, usecrypt, useapr1))
+                                goto err;
+                        }
+                while (*passwds != NULL);
+                }
+        else
+                /* in != NULL */
+                {
+                int done;
+
+                assert (passwd != NULL);
+                do
+                        {
+                        int r = BIO_gets(in, passwd, pw_maxlen + 1);
+                        if (r > 0)
+                                {
+                                char *c = (strchr(passwd, '\n')) ;
+                                if (c != NULL)
+                                        *c = 0; /* truncate at newline */
+                                else
+                                        {
+                                        /* ignore rest of line */
+                                        char trash[BUFSIZ];
+                                        do
+                                                r = BIO_gets(in, trash, sizeof trash);
+                                        while ((r > 0) && (!strchr(trash, '\n')));
+                                        }
+                                
+                                if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, out,
+                                        quiet, table, reverse, pw_maxlen, usecrypt, useapr1))
+                                        goto err;
+                                }
+                        done = (r <= 0);
+                        }
+                while (!done);
+                }
+
+err:
+        ERR_print_errors(bio_err);
+        if (salt_malloc)
+                Free(salt_malloc);
+        if (passwd_malloc)
+                Free(passwd_malloc);
+        if (in)
+                BIO_free(in);
+        if (out)
+                BIO_free(out);
+        EXIT(ret);
+        }
+
+
+#ifndef NO_APR1
+/* MD5-based password algorithm compatible to the one found in Apache
+ * (should probably be available as a library function;
+ * then the static buffer would not be acceptable) */
+static char *apr1_crypt(const char *passwd, const char *salt)
+        {
+        static char out_buf[6 + 9 + 24 + 2]; /* "$apr1$..salt..$.......md5hash..........\0" */
+        unsigned char buf[MD5_DIGEST_LENGTH];
+        char *salt_out;
+        int n, i;
+        MD5_CTX md;
+        size_t passwd_len, salt_len;
+
+        passwd_len = strlen(passwd);
+        strcpy(out_buf, "$apr1$");
+        strncat(out_buf, salt, 8);
+        assert(strlen(out_buf) <= 6 + 8); /* "$apr1$..salt.." */
+        salt_out = out_buf + 6;
+        salt_len = strlen(salt_out);
+        assert(salt_len <= 8);
+        
+        MD5_Init(&md);
+        MD5_Update(&md, passwd, passwd_len);
+        MD5_Update(&md, "$apr1$", 6);
+        MD5_Update(&md, salt_out, salt_len);
+        
+         {
+                MD5_CTX md2;
+
+                MD5_Init(&md2);
+                MD5_Update(&md2, passwd, passwd_len);
+                MD5_Update(&md2, salt_out, salt_len);
+                MD5_Update(&md2, passwd, passwd_len);
+                MD5_Final(buf, &md2);
+         }
+        for (i = passwd_len; i > sizeof buf; i -= sizeof buf)
+                MD5_Update(&md, buf, sizeof buf);
+        MD5_Update(&md, buf, i);
+        
+        n = passwd_len;
+        while (n)
+                {
+                MD5_Update(&md, (n & 1) ? "\0" : passwd, 1);
+                n >>= 1;
+                }
+        MD5_Final(buf, &md);
+
+        for (i = 0; i < 1000; i++)
+                {
+                MD5_CTX md2;
+
+                MD5_Init(&md2);
+                MD5_Update(&md2, (i & 1) ? (unsigned char *) passwd : buf,
+                                 (i & 1) ? passwd_len : sizeof buf);
+                if (i % 3)
+                        MD5_Update(&md2, salt_out, salt_len);
+                if (i % 7)
+                        MD5_Update(&md2, passwd, passwd_len);
+                MD5_Update(&md2, (i & 1) ? buf : (unsigned char *) passwd,
+                                 (i & 1) ? sizeof buf : passwd_len);
+                MD5_Final(buf, &md2);
+                }
+        
+         {
+                /* transform buf into output string */
+        
+                unsigned char buf_perm[sizeof buf];
+                int dest, source;
+                char *output;
+
+                /* silly output permutation */
+                for (dest = 0, source = 0; dest < 14; dest++, source = (source + 6) % 17)
+                        buf_perm[dest] = buf[source];
+                buf_perm[14] = buf[5];
+                buf_perm[15] = buf[11];
+#ifndef PEDANTIC /* Unfortunately, this generates a "no effect" warning */
+                assert(16 == sizeof buf_perm);
+#endif
+                
+                output = salt_out + salt_len;
+                assert(output == out_buf + strlen(out_buf));
+                
+                *output++ = '$';
+
+                for (i = 0; i < 15; i += 3)
+                        {
+                        *output++ = cov_2char[buf_perm[i+2] & 0x3f];
+                        *output++ = cov_2char[((buf_perm[i+1] & 0xf) << 2) |
+                                                  (buf_perm[i+2] >> 6)];
+                        *output++ = cov_2char[((buf_perm[i] & 3) << 4) |
+                                                  (buf_perm[i+1] >> 4)];
+                        *output++ = cov_2char[buf_perm[i] >> 2];
+                        }
+                assert(i == 15);
+                *output++ = cov_2char[buf_perm[i] & 0x3f];
+                *output++ = cov_2char[buf_perm[i] >> 6];
+                *output = 0;
+                assert(strlen(out_buf) < sizeof(out_buf));
+         }
+
+        return out_buf;
+        }
+#endif
+
+
+static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
+        char *passwd, BIO *out, int quiet, int table, int reverse,
+        size_t pw_maxlen, int usecrypt, int useapr1)
+        {
+        char *hash = NULL;
+
+        assert(salt_p != NULL);
+        assert(salt_malloc_p != NULL);
+
+        /* first make sure we have a salt */
+        if (!passed_salt)
+                {
+#ifndef NO_DES
+                if (usecrypt)
+                        {
+                        if (*salt_malloc_p == NULL)
+                                {
+                                *salt_p = *salt_malloc_p = Malloc(3);
+                                if (*salt_malloc_p == NULL)
+                                        goto err;
+                                }
+                        if (RAND_pseudo_bytes((unsigned char *)*salt_p, 2) < 0)
+                                goto err;
+                        (*salt_p)[0] = cov_2char[(*salt_p)[0] & 0x3f]; /* 6 bits */
+                        (*salt_p)[1] = cov_2char[(*salt_p)[1] & 0x3f]; /* 6 bits */
+                        (*salt_p)[2] = 0;
+#ifdef CHARSET_EBCDIC
+                        ascii2ebcdic(*salt_p, *salt_p, 2); /* des_crypt will convert
+                                                            * back to ASCII */
+#endif
+                        }
+#endif /* !NO_DES */
+
+#ifndef NO_APR1
+                if (useapr1)
+                        {
+                        int i;
+                        
+                        if (*salt_malloc_p == NULL)
+                                {
+                                *salt_p = *salt_malloc_p = Malloc(9);
+                                if (*salt_malloc_p == NULL)
+                                        goto err;
+                                }
+                        if (RAND_pseudo_bytes((unsigned char *)*salt_p, 8) < 0)
+                                goto err;
+                        
+                        for (i = 0; i < 8; i++)
+                                (*salt_p)[i] = cov_2char[(*salt_p)[i] & 0x3f]; /* 6 bits */
+                        (*salt_p)[8] = 0;
+                        }
+#endif /* !NO_APR1 */
+                }
+        
+        assert(*salt_p != NULL);
+        
+        /* truncate password if necessary */
+        if ((strlen(passwd) > pw_maxlen))
+                {
+                if (!quiet)
+                        BIO_printf(bio_err, "Warning: truncating password to %u characters\n", pw_maxlen);
+                passwd[pw_maxlen] = 0;
+                }
+        assert(strlen(passwd) <= pw_maxlen);
+        
+        /* now compute password hash */
+#ifndef NO_DES
+        if (usecrypt)
+                hash = des_crypt(passwd, *salt_p);
+#endif
+#ifndef NO_APR1
+        if (useapr1)
+                hash = apr1_crypt(passwd, *salt_p);
+#endif
+        assert(hash != NULL);
+
+        if (table && !reverse)
+                BIO_printf(out, "%s\t%s\n", passwd, hash);
+        else if (table && reverse)
+                BIO_printf(out, "%s\t%s\n", hash, passwd);
+        else
+                BIO_printf(out, "%s\n", hash);
+        return 1;
+        
+err:
+        return 0;
+        }
+#else
+
+int MAIN(int argc, char **argv)
+        {
+        fputs("Program not available.\n", stderr)
+        EXIT(1);
+        }
+#endif
diff --git a/src/lib/libssl/src/apps/pkcs12.c b/src/lib/libssl/src/apps/pkcs12.c
new file mode 100644
index 0000000000..5defddeb32
--- /dev/null
+++ b/src/lib/libssl/src/apps/pkcs12.c
@@ -0,0 +1,703 @@
+/* pkcs12.c */
+#if !defined(NO_DES) && !defined(NO_SHA1)
+
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/des.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include <openssl/pkcs12.h>
+
+#include "apps.h"
+#define PROG pkcs12_main
+
+EVP_CIPHER *enc;
+
+
+#define NOKEYS          0x1
+#define NOCERTS         0x2
+#define INFO            0x4
+#define CLCERTS         0x8
+#define CACERTS         0x10
+
+int get_cert_chain(X509 *cert, STACK_OF(X509) **chain);
+int dump_cert_text (BIO *out, X509 *x);
+int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen, int options);
+int dump_certs_pkeys_bags(BIO *out, STACK *bags, char *pass, int passlen, int options);
+int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass, int passlen, int options);
+int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst, char *name);
+void hex_prin(BIO *out, unsigned char *buf, int len);
+int alg_print(BIO *x, X509_ALGOR *alg);
+int cert_load(BIO *in, STACK_OF(X509) *sk);
+int MAIN(int argc, char **argv)
+{
+    char *infile=NULL, *outfile=NULL, *keyname = NULL;  
+    char *certfile=NULL;
+    BIO *in=NULL, *out = NULL, *inkey = NULL, *certsin = NULL;
+    char **args;
+    char *name = NULL;
+    PKCS12 *p12 = NULL;
+    char pass[50], macpass[50];
+    int export_cert = 0;
+    int options = 0;
+    int chain = 0;
+    int badarg = 0;
+    int iter = PKCS12_DEFAULT_ITER;
+    int maciter = 1;
+    int twopass = 0;
+    int keytype = 0;
+    int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+    int ret = 1;
+    int macver = 1;
+    int noprompt = 0;
+    STACK *canames = NULL;
+    char *cpass = NULL, *mpass = NULL;
+
+    apps_startup();
+
+    enc = EVP_des_ede3_cbc();
+    if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
+
+    args = argv + 1;
+
+
+    while (*args) {
+        if (*args[0] == '-') {
+                if (!strcmp (*args, "-nokeys")) options |= NOKEYS;
+                else if (!strcmp (*args, "-keyex")) keytype = KEY_EX;
+                else if (!strcmp (*args, "-keysig")) keytype = KEY_SIG;
+                else if (!strcmp (*args, "-nocerts")) options |= NOCERTS;
+                else if (!strcmp (*args, "-clcerts")) options |= CLCERTS;
+                else if (!strcmp (*args, "-cacerts")) options |= CACERTS;
+                else if (!strcmp (*args, "-noout")) options |= (NOKEYS|NOCERTS);
+                else if (!strcmp (*args, "-info")) options |= INFO;
+                else if (!strcmp (*args, "-chain")) chain = 1;
+                else if (!strcmp (*args, "-twopass")) twopass = 1;
+                else if (!strcmp (*args, "-nomacver")) macver = 0;
+                else if (!strcmp (*args, "-descert"))
+                        cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+                else if (!strcmp (*args, "-export")) export_cert = 1;
+                else if (!strcmp (*args, "-des")) enc=EVP_des_cbc();
+#ifndef NO_IDEA
+                else if (!strcmp (*args, "-idea")) enc=EVP_idea_cbc();
+#endif
+                else if (!strcmp (*args, "-des3")) enc = EVP_des_ede3_cbc();
+                else if (!strcmp (*args, "-noiter")) iter = 1;
+                else if (!strcmp (*args, "-maciter"))
+                                         maciter = PKCS12_DEFAULT_ITER;
+                else if (!strcmp (*args, "-nodes")) enc=NULL;
+                else if (!strcmp (*args, "-inkey")) {
+                    if (args[1]) {
+                        args++; 
+                        keyname = *args;
+                    } else badarg = 1;
+                } else if (!strcmp (*args, "-certfile")) {
+                    if (args[1]) {
+                        args++; 
+                        certfile = *args;
+                    } else badarg = 1;
+                } else if (!strcmp (*args, "-name")) {
+                    if (args[1]) {
+                        args++; 
+                        name = *args;
+                    } else badarg = 1;
+                } else if (!strcmp (*args, "-caname")) {
+                    if (args[1]) {
+                        args++; 
+                        if (!canames) canames = sk_new(NULL);
+                        sk_push(canames, *args);
+                    } else badarg = 1;
+                } else if (!strcmp (*args, "-in")) {
+                    if (args[1]) {
+                        args++; 
+                        infile = *args;
+                    } else badarg = 1;
+                } else if (!strcmp (*args, "-out")) {
+                    if (args[1]) {
+                        args++; 
+                        outfile = *args;
+                    } else badarg = 1;
+                } else if (!strcmp (*args, "-envpass")) {
+                    if (args[1]) {
+                        args++; 
+                        if(!(cpass = getenv(*args))) {
+                                BIO_printf(bio_err,
+                                 "Can't read environment variable %s\n", *args);
+                                goto end;
+                        }
+                        noprompt = 1;
+                    } else badarg = 1;
+                } else if (!strcmp (*args, "-password")) {
+                    if (args[1]) {
+                        args++; 
+                        cpass = *args;
+                        noprompt = 1;
+                    } else badarg = 1;
+                } else badarg = 1;
+
+        } else badarg = 1;
+        args++;
+    }
+
+    if (badarg) {
+        BIO_printf (bio_err, "Usage: pkcs12 [options]\n");
+        BIO_printf (bio_err, "where options are\n");
+        BIO_printf (bio_err, "-export       output PKCS12 file\n");
+        BIO_printf (bio_err, "-chain        add certificate chain\n");
+        BIO_printf (bio_err, "-inkey file   private key if not infile\n");
+        BIO_printf (bio_err, "-certfile f   add all certs in f\n");
+        BIO_printf (bio_err, "-name \"name\"  use name as friendly name\n");
+        BIO_printf (bio_err, "-caname \"nm\"  use nm as CA friendly name (can be used more than once).\n");
+        BIO_printf (bio_err, "-in  infile   input filename\n");
+        BIO_printf (bio_err, "-out outfile  output filename\n");
+        BIO_printf (bio_err, "-noout        don't output anything, just verify.\n");
+        BIO_printf (bio_err, "-nomacver     don't verify MAC.\n");
+        BIO_printf (bio_err, "-nocerts      don't output certificates.\n");
+        BIO_printf (bio_err, "-clcerts      only output client certificates.\n");
+        BIO_printf (bio_err, "-cacerts      only output CA certificates.\n");
+        BIO_printf (bio_err, "-nokeys       don't output private keys.\n");
+        BIO_printf (bio_err, "-info         give info about PKCS#12 structure.\n");
+        BIO_printf (bio_err, "-des          encrypt private keys with DES\n");
+        BIO_printf (bio_err, "-des3         encrypt private keys with triple DES (default)\n");
+#ifndef NO_IDEA
+        BIO_printf (bio_err, "-idea         encrypt private keys with idea\n");
+#endif
+        BIO_printf (bio_err, "-nodes        don't encrypt private keys\n");
+        BIO_printf (bio_err, "-noiter       don't use encryption iteration\n");
+        BIO_printf (bio_err, "-maciter      use MAC iteration\n");
+        BIO_printf (bio_err, "-twopass      separate MAC, encryption passwords\n");
+        BIO_printf (bio_err, "-descert      encrypt PKCS#12 certificates with triple DES (default RC2-40)\n");
+        BIO_printf (bio_err, "-keyex        set MS key exchange type\n");
+        BIO_printf (bio_err, "-keysig       set MS key signature type\n");
+        BIO_printf (bio_err, "-password p   set import/export password (NOT RECOMMENDED)\n");
+        BIO_printf (bio_err, "-envpass p    set import/export password from environment\n");
+        goto end;
+    }
+
+    if(cpass) mpass = cpass;
+    else {
+        cpass = pass;
+        mpass = macpass;
+    }
+
+    ERR_load_crypto_strings();
+
+    if (!infile) in = BIO_new_fp(stdin, BIO_NOCLOSE);
+    else in = BIO_new_file(infile, "rb");
+    if (!in) {
+            BIO_printf(bio_err, "Error opening input file %s\n",
+                                                infile ? infile : "<stdin>");
+            perror (infile);
+            goto end;
+   }
+
+   if (certfile) {
+        if(!(certsin = BIO_new_file(certfile, "r"))) {
+            BIO_printf(bio_err, "Can't open certificate file %s\n", certfile);
+            perror (certfile);
+            goto end;
+        }
+    }
+
+    if (keyname) {
+        if(!(inkey = BIO_new_file(keyname, "r"))) {
+            BIO_printf(bio_err, "Can't key certificate file %s\n", keyname);
+            perror (keyname);
+            goto end;
+        }
+     }
+
+    if (!outfile) out = BIO_new_fp(stdout, BIO_NOCLOSE);
+    else out = BIO_new_file(outfile, "wb");
+    if (!out) {
+        BIO_printf(bio_err, "Error opening output file %s\n",
+                                                outfile ? outfile : "<stdout>");
+        perror (outfile);
+        goto end;
+    }
+    if (twopass) {
+        if(EVP_read_pw_string (macpass, 50, "Enter MAC Password:", export_cert))
+        {
+            BIO_printf (bio_err, "Can't read Password\n");
+            goto end;
+        }
+    }
+
+if (export_cert) {
+        EVP_PKEY *key;
+        STACK *bags, *safes;
+        PKCS12_SAFEBAG *bag;
+        PKCS8_PRIV_KEY_INFO *p8;
+        PKCS7 *authsafe;
+        X509 *cert = NULL, *ucert = NULL;
+        STACK_OF(X509) *certs;
+        char *catmp;
+        int i;
+        unsigned char keyid[EVP_MAX_MD_SIZE];
+        unsigned int keyidlen = 0;
+        key = PEM_read_bio_PrivateKey(inkey ? inkey : in, NULL, NULL, NULL);
+        if (!inkey) (void) BIO_reset(in);
+        if (!key) {
+                BIO_printf (bio_err, "Error loading private key\n");
+                ERR_print_errors(bio_err);
+                goto end;
+        }
+
+        certs = sk_X509_new(NULL);
+
+        /* Load in all certs in input file */
+        if(!cert_load(in, certs)) {
+                BIO_printf(bio_err, "Error loading certificates from input\n");
+                ERR_print_errors(bio_err);
+                goto end;
+        }
+
+        for(i = 0; i < sk_X509_num(certs); i++) {
+                ucert = sk_X509_value(certs, i);
+                if(X509_check_private_key(ucert, key)) {
+                        X509_digest(cert, EVP_sha1(), keyid, &keyidlen);
+                        break;
+                }
+        }
+
+        if(!keyidlen) {
+                BIO_printf(bio_err, "No certificate matches private key\n");
+                goto end;
+        }
+        
+        bags = sk_new (NULL);
+
+        /* Add any more certificates asked for */
+        if (certsin) {
+                if(!cert_load(certsin, certs)) {
+                        BIO_printf(bio_err, "Error loading certificates from certfile\n");
+                        ERR_print_errors(bio_err);
+                        goto end;
+                }
+                BIO_free(certsin);
+        }
+
+        /* If chaining get chain from user cert */
+        if (chain) {
+                int vret;
+                STACK_OF(X509) *chain2;
+                vret = get_cert_chain (ucert, &chain2);
+                if (vret) {
+                        BIO_printf (bio_err, "Error %s getting chain.\n",
+                                        X509_verify_cert_error_string(vret));
+                        goto end;
+                }
+                /* Exclude verified certificate */
+                for (i = 1; i < sk_X509_num (chain2) ; i++) 
+                                 sk_X509_push(certs, sk_X509_value (chain2, i));
+                sk_X509_free(chain2);
+                        
+        }
+
+        /* We now have loads of certificates: include them all */
+        for(i = 0; i < sk_X509_num(certs); i++) {
+                cert = sk_X509_value(certs, i);
+                bag = M_PKCS12_x5092certbag(cert);
+                /* If it matches private key set id */
+                if(cert == ucert) {
+                        if(name) PKCS12_add_friendlyname(bag, name, -1);
+                        PKCS12_add_localkeyid(bag, keyid, keyidlen);
+                } else if((catmp = sk_shift(canames))) 
+                                PKCS12_add_friendlyname(bag, catmp, -1);
+                sk_push(bags, (char *)bag);
+        }
+
+        if (canames) sk_free(canames);
+
+        if(!noprompt &&
+                EVP_read_pw_string(pass, 50, "Enter Export Password:", 1)) {
+            BIO_printf (bio_err, "Can't read Password\n");
+            goto end;
+        }
+        if (!twopass) strcpy(macpass, pass);
+        /* Turn certbags into encrypted authsafe */
+        authsafe = PKCS12_pack_p7encdata(cert_pbe, cpass, -1, NULL, 0,
+                                                                 iter, bags);
+        sk_pop_free(bags, PKCS12_SAFEBAG_free);
+
+        if (!authsafe) {
+                ERR_print_errors (bio_err);
+                goto end;
+        }
+
+        safes = sk_new (NULL);
+        sk_push (safes, (char *)authsafe);
+
+        /* Make a shrouded key bag */
+        p8 = EVP_PKEY2PKCS8 (key);
+        EVP_PKEY_free(key);
+        if(keytype) PKCS8_add_keyusage(p8, keytype);
+        bag = PKCS12_MAKE_SHKEYBAG(NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
+                        cpass, -1, NULL, 0, iter, p8);
+        PKCS8_PRIV_KEY_INFO_free(p8);
+        if (name) PKCS12_add_friendlyname (bag, name, -1);
+        PKCS12_add_localkeyid (bag, keyid, keyidlen);
+        bags = sk_new(NULL);
+        sk_push (bags, (char *)bag);
+        /* Turn it into unencrypted safe bag */
+        authsafe = PKCS12_pack_p7data (bags);
+        sk_pop_free(bags, PKCS12_SAFEBAG_free);
+        sk_push (safes, (char *)authsafe);
+
+        p12 = PKCS12_init (NID_pkcs7_data);
+
+        M_PKCS12_pack_authsafes (p12, safes);
+
+        sk_pop_free(safes, PKCS7_free);
+
+        PKCS12_set_mac (p12, mpass, -1, NULL, 0, maciter, NULL);
+
+        i2d_PKCS12_bio (out, p12);
+
+        PKCS12_free(p12);
+
+        ret = 0;
+        goto end;
+        
+    }
+
+    if (!(p12 = d2i_PKCS12_bio (in, NULL))) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if(!noprompt && EVP_read_pw_string(pass, 50, "Enter Import Password:", 0)) {
+        BIO_printf (bio_err, "Can't read Password\n");
+        goto end;
+    }
+
+    if (!twopass) strcpy(macpass, pass);
+
+    if (options & INFO) BIO_printf (bio_err, "MAC Iteration %ld\n", p12->mac->iter ? ASN1_INTEGER_get (p12->mac->iter) : 1);
+    if(macver) {
+        if (!PKCS12_verify_mac (p12, mpass, -1)) {
+            BIO_printf (bio_err, "Mac verify errror: invalid password?\n");
+            ERR_print_errors (bio_err);
+            goto end;
+        } else BIO_printf (bio_err, "MAC verified OK\n");
+    }
+
+    if (!dump_certs_keys_p12 (out, p12, cpass, -1, options)) {
+        BIO_printf(bio_err, "Error outputting keys and certificates\n");
+        ERR_print_errors (bio_err);
+        goto end;
+    }
+    PKCS12_free(p12);
+    ret = 0;
+    end:
+    BIO_free(out);
+    EXIT(ret);
+}
+
+int dump_cert_text (BIO *out, X509 *x)
+{
+        char buf[256];
+        X509_NAME_oneline(X509_get_subject_name(x),buf,256);
+        BIO_puts(out,"subject=");
+        BIO_puts(out,buf);
+
+        X509_NAME_oneline(X509_get_issuer_name(x),buf,256);
+        BIO_puts(out,"\nissuer= ");
+        BIO_puts(out,buf);
+        BIO_puts(out,"\n");
+        return 0;
+}
+
+int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
+             int passlen, int options)
+{
+        STACK *asafes, *bags;
+        int i, bagnid;
+        PKCS7 *p7;
+        if (!( asafes = M_PKCS12_unpack_authsafes (p12))) return 0;
+        for (i = 0; i < sk_num (asafes); i++) {
+                p7 = (PKCS7 *) sk_value (asafes, i);
+                bagnid = OBJ_obj2nid (p7->type);
+                if (bagnid == NID_pkcs7_data) {
+                        bags = M_PKCS12_unpack_p7data (p7);
+                        if (options & INFO) BIO_printf (bio_err, "PKCS7 Data\n");
+                } else if (bagnid == NID_pkcs7_encrypted) {
+                        if (options & INFO) {
+                                BIO_printf (bio_err, "PKCS7 Encrypted data: ");
+                                alg_print (bio_err, 
+                                        p7->d.encrypted->enc_data->algorithm);
+                        }
+                        bags = M_PKCS12_unpack_p7encdata (p7, pass, passlen);
+                } else continue;
+                if (!bags) return 0;
+                if (!dump_certs_pkeys_bags (out, bags, pass, passlen, 
+                                                         options)) {
+                        sk_pop_free (bags, PKCS12_SAFEBAG_free);
+                        return 0;
+                }
+                sk_pop_free (bags, PKCS12_SAFEBAG_free);
+        }
+        sk_pop_free (asafes, PKCS7_free);
+        return 1;
+}
+
+int dump_certs_pkeys_bags (BIO *out, STACK *bags, char *pass,
+             int passlen, int options)
+{
+        int i;
+        for (i = 0; i < sk_num (bags); i++) {
+                if (!dump_certs_pkeys_bag (out,
+                         (PKCS12_SAFEBAG *)sk_value (bags, i), pass, passlen,
+                                                        options)) return 0;
+        }
+        return 1;
+}
+
+int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass,
+             int passlen, int options)
+{
+        EVP_PKEY *pkey;
+        PKCS8_PRIV_KEY_INFO *p8;
+        X509 *x509;
+        
+        switch (M_PKCS12_bag_type(bag))
+        {
+        case NID_keyBag:
+                if (options & INFO) BIO_printf (bio_err, "Key bag\n");
+                if (options & NOKEYS) return 1;
+                print_attribs (out, bag->attrib, "Bag Attributes");
+                p8 = bag->value.keybag;
+                if (!(pkey = EVP_PKCS82PKEY (p8))) return 0;
+                print_attribs (out, p8->attributes, "Key Attributes");
+                PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, NULL);
+                EVP_PKEY_free(pkey);
+        break;
+
+        case NID_pkcs8ShroudedKeyBag:
+                if (options & INFO) {
+                        BIO_printf (bio_err, "Shrouded Keybag: ");
+                        alg_print (bio_err, bag->value.shkeybag->algor);
+                }
+                if (options & NOKEYS) return 1;
+                print_attribs (out, bag->attrib, "Bag Attributes");
+                if (!(p8 = M_PKCS12_decrypt_skey (bag, pass, passlen)))
+                                return 0;
+                if (!(pkey = EVP_PKCS82PKEY (p8))) return 0;
+                print_attribs (out, p8->attributes, "Key Attributes");
+                PKCS8_PRIV_KEY_INFO_free(p8);
+                PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, NULL);
+                EVP_PKEY_free(pkey);
+        break;
+
+        case NID_certBag:
+                if (options & INFO) BIO_printf (bio_err, "Certificate bag\n");
+                if (options & NOCERTS) return 1;
+                if (PKCS12_get_attr(bag, NID_localKeyID)) {
+                        if (options & CACERTS) return 1;
+                } else if (options & CLCERTS) return 1;
+                print_attribs (out, bag->attrib, "Bag Attributes");
+                if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate )
+                                                                 return 1;
+                if (!(x509 = M_PKCS12_certbag2x509(bag))) return 0;
+                dump_cert_text (out, x509);
+                PEM_write_bio_X509 (out, x509);
+                X509_free(x509);
+        break;
+
+        case NID_safeContentsBag:
+                if (options & INFO) BIO_printf (bio_err, "Safe Contents bag\n");
+                print_attribs (out, bag->attrib, "Bag Attributes");
+                return dump_certs_pkeys_bags (out, bag->value.safes, pass,
+                                                            passlen, options);
+                                        
+        default:
+                BIO_printf (bio_err, "Warning unsupported bag type: ");
+                i2a_ASN1_OBJECT (bio_err, bag->type);
+                BIO_printf (bio_err, "\n");
+                return 1;
+        break;
+        }
+        return 1;
+}
+
+/* Given a single certificate return a verified chain or NULL if error */
+
+/* Hope this is OK .... */
+
+int get_cert_chain (X509 *cert, STACK_OF(X509) **chain)
+{
+        X509_STORE *store;
+        X509_STORE_CTX store_ctx;
+        STACK_OF(X509) *chn;
+        int i;
+        X509 *x;
+        store = X509_STORE_new ();
+        X509_STORE_set_default_paths (store);
+        X509_STORE_CTX_init(&store_ctx, store, cert, NULL);
+        if (X509_verify_cert(&store_ctx) <= 0) {
+                i = X509_STORE_CTX_get_error (&store_ctx);
+                goto err;
+        }
+        chn =  sk_X509_dup(X509_STORE_CTX_get_chain (&store_ctx));
+        for (i = 0; i < sk_X509_num(chn); i++) {
+                x = sk_X509_value(chn, i);
+                CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
+        }
+        i = 0;
+        *chain = chn;
+err:
+        X509_STORE_CTX_cleanup(&store_ctx);
+        X509_STORE_free(store);
+        
+        return i;
+}       
+
+int alg_print (BIO *x, X509_ALGOR *alg)
+{
+        PBEPARAM *pbe;
+        unsigned char *p;
+        p = alg->parameter->value.sequence->data;
+        pbe = d2i_PBEPARAM (NULL, &p, alg->parameter->value.sequence->length);
+        BIO_printf (bio_err, "%s, Iteration %d\n", 
+        OBJ_nid2ln(OBJ_obj2nid(alg->algorithm)), ASN1_INTEGER_get(pbe->iter));
+        PBEPARAM_free (pbe);
+        return 0;
+}
+
+/* Load all certificates from a given file */
+
+int cert_load(BIO *in, STACK_OF(X509) *sk)
+{
+        int ret;
+        X509 *cert;
+        ret = 0;
+        while((cert = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
+                ret = 1;
+                sk_X509_push(sk, cert);
+        }
+        if(ret) ERR_clear_error();
+        return ret;
+}
+
+/* Generalised attribute print: handle PKCS#8 and bag attributes */
+
+int print_attribs (BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst, char *name)
+{
+        X509_ATTRIBUTE *attr;
+        ASN1_TYPE *av;
+        char *value;
+        int i, attr_nid;
+        if(!attrlst) {
+                BIO_printf(out, "%s: <No Attributes>\n", name);
+                return 1;
+        }
+        if(!sk_X509_ATTRIBUTE_num(attrlst)) {
+                BIO_printf(out, "%s: <Empty Attributes>\n", name);
+                return 1;
+        }
+        BIO_printf(out, "%s\n", name);
+        for(i = 0; i < sk_X509_ATTRIBUTE_num(attrlst); i++) {
+                attr = sk_X509_ATTRIBUTE_value(attrlst, i);
+                attr_nid = OBJ_obj2nid(attr->object);
+                BIO_printf(out, "    ");
+                if(attr_nid == NID_undef) {
+                        i2a_ASN1_OBJECT (out, attr->object);
+                        BIO_printf(out, ": ");
+                } else BIO_printf(out, "%s: ", OBJ_nid2ln(attr_nid));
+
+                if(sk_ASN1_TYPE_num(attr->value.set)) {
+                        av = sk_ASN1_TYPE_value(attr->value.set, 0);
+                        switch(av->type) {
+                                case V_ASN1_BMPSTRING:
+                                value = uni2asc(av->value.bmpstring->data,
+                                               av->value.bmpstring->length);
+                                BIO_printf(out, "%s\n", value);
+                                Free(value);
+                                break;
+
+                                case V_ASN1_OCTET_STRING:
+                                hex_prin(out, av->value.bit_string->data,
+                                        av->value.bit_string->length);
+                                BIO_printf(out, "\n");  
+                                break;
+
+                                case V_ASN1_BIT_STRING:
+                                hex_prin(out, av->value.octet_string->data,
+                                        av->value.octet_string->length);
+                                BIO_printf(out, "\n");  
+                                break;
+
+                                default:
+                                        BIO_printf(out, "<Unsupported tag %d>\n", av->type);
+                                break;
+                        }
+                } else BIO_printf(out, "<No Values>\n");
+        }
+        return 1;
+}
+
+void hex_prin(BIO *out, unsigned char *buf, int len)
+{
+        int i;
+        for (i = 0; i < len; i++) BIO_printf (out, "%02X ", buf[i]);
+}
+
+#endif
diff --git a/src/lib/libssl/src/apps/pkcs8.c b/src/lib/libssl/src/apps/pkcs8.c
new file mode 100644
index 0000000000..a05388300a
--- /dev/null
+++ b/src/lib/libssl/src/apps/pkcs8.c
@@ -0,0 +1,274 @@
+/* pkcs8.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#include <stdio.h>
+#include <string.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/pkcs12.h>
+
+#include "apps.h"
+#define PROG pkcs8_main
+
+
+int MAIN(int argc, char **argv)
+{
+        char **args, *infile = NULL, *outfile = NULL;
+        BIO *in = NULL, *out = NULL;
+        int topk8 = 0;
+        int pbe_nid = -1;
+        const EVP_CIPHER *cipher = NULL;
+        int iter = PKCS12_DEFAULT_ITER;
+        int informat, outformat;
+        int p8_broken = PKCS8_OK;
+        int nocrypt = 0;
+        X509_SIG *p8;
+        PKCS8_PRIV_KEY_INFO *p8inf;
+        EVP_PKEY *pkey;
+        char pass[50];
+        int badarg = 0;
+        if (bio_err == NULL) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
+        informat=FORMAT_PEM;
+        outformat=FORMAT_PEM;
+        ERR_load_crypto_strings();
+        SSLeay_add_all_algorithms();
+        args = argv + 1;
+        while (!badarg && *args && *args[0] == '-') {
+                if (!strcmp(*args,"-v2")) {
+                        if (args[1]) {
+                                args++;
+                                cipher=EVP_get_cipherbyname(*args);
+                                if(!cipher) {
+                                        BIO_printf(bio_err,
+                                                 "Unknown cipher %s\n", *args);
+                                        badarg = 1;
+                                }
+                        } else badarg = 1;
+                } else if (!strcmp(*args,"-inform")) {
+                        if (args[1]) {
+                                args++;
+                                informat=str2fmt(*args);
+                        } else badarg = 1;
+                } else if (!strcmp(*args,"-outform")) {
+                        if (args[1]) {
+                                args++;
+                                outformat=str2fmt(*args);
+                        } else badarg = 1;
+                } else if (!strcmp (*args, "-topk8")) topk8 = 1;
+                else if (!strcmp (*args, "-noiter")) iter = 1;
+                else if (!strcmp (*args, "-nocrypt")) nocrypt = 1;
+                else if (!strcmp (*args, "-nooct")) p8_broken = PKCS8_NO_OCTET;
+                else if (!strcmp (*args, "-in")) {
+                        if (args[1]) {
+                                args++;
+                                infile = *args;
+                        } else badarg = 1;
+                } else if (!strcmp (*args, "-out")) {
+                        if (args[1]) {
+                                args++;
+                                outfile = *args;
+                        } else badarg = 1;
+                } else badarg = 1;
+                args++;
+        }
+
+        if (badarg) {
+                BIO_printf (bio_err, "Usage pkcs8 [options]\n");
+                BIO_printf (bio_err, "where options are\n");
+                BIO_printf (bio_err, "-in file   input file\n");
+                BIO_printf (bio_err, "-inform X  input format (DER or PEM)\n");
+                BIO_printf (bio_err, "-outform X output format (DER or PEM)\n");
+                BIO_printf (bio_err, "-out file  output file\n");
+                BIO_printf (bio_err, "-topk8     output PKCS8 file\n");
+                BIO_printf (bio_err, "-nooct     use (broken) no octet form\n");
+                BIO_printf (bio_err, "-noiter    use 1 as iteration count\n");
+                BIO_printf (bio_err, "-nocrypt   use or expect unencrypted private key\n");
+                BIO_printf (bio_err, "-v2 alg    use PKCS#5 v2.0 and cipher \"alg\"\n");
+                return (1);
+        }
+
+        if ((pbe_nid == -1) && !cipher) pbe_nid = NID_pbeWithMD5AndDES_CBC;
+
+        if (infile) {
+                if (!(in = BIO_new_file (infile, "rb"))) {
+                        BIO_printf (bio_err,
+                                 "Can't open input file %s\n", infile);
+                        return (1);
+                }
+        } else in = BIO_new_fp (stdin, BIO_NOCLOSE);
+
+        if (outfile) {
+                if (!(out = BIO_new_file (outfile, "wb"))) {
+                        BIO_printf (bio_err,
+                                 "Can't open output file %s\n", outfile);
+                        return (1);
+                }
+        } else out = BIO_new_fp (stdout, BIO_NOCLOSE);
+
+        if (topk8) {
+                if (!(pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL))) {
+                        BIO_printf (bio_err, "Error reading key\n", outfile);
+                        ERR_print_errors(bio_err);
+                        return (1);
+                }
+                BIO_free(in);
+                if (!(p8inf = EVP_PKEY2PKCS8(pkey))) {
+                        BIO_printf (bio_err, "Error converting key\n", outfile);
+                        ERR_print_errors(bio_err);
+                        return (1);
+                }
+                PKCS8_set_broken(p8inf, p8_broken);
+                if(nocrypt) {
+                        if(outformat == FORMAT_PEM) 
+                                PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8inf);
+                        else if(outformat == FORMAT_ASN1)
+                                i2d_PKCS8_PRIV_KEY_INFO_bio(out, p8inf);
+                        else {
+                                BIO_printf(bio_err, "Bad format specified for key\n");
+                                return (1);
+                        }
+                } else {
+                        EVP_read_pw_string(pass, 50, "Enter Encryption Password:", 1);
+                        if (!(p8 = PKCS8_encrypt(pbe_nid, cipher,
+                                        pass, strlen(pass),
+                                        NULL, 0, iter, p8inf))) {
+                                BIO_printf (bio_err, "Error encrypting key\n",
+                                                                 outfile);
+                                ERR_print_errors(bio_err);
+                                return (1);
+                        }
+                        if(outformat == FORMAT_PEM) 
+                                PEM_write_bio_PKCS8 (out, p8);
+                        else if(outformat == FORMAT_ASN1)
+                                i2d_PKCS8_bio(out, p8);
+                        else {
+                                BIO_printf(bio_err, "Bad format specified for key\n");
+                                return (1);
+                        }
+                        X509_SIG_free(p8);
+                }
+                PKCS8_PRIV_KEY_INFO_free (p8inf);
+                EVP_PKEY_free(pkey);
+                BIO_free(out);
+                return (0);
+        }
+
+        if(nocrypt) {
+                if(informat == FORMAT_PEM) 
+                        p8inf = PEM_read_bio_PKCS8_PRIV_KEY_INFO(in,NULL,NULL, NULL);
+                else if(informat == FORMAT_ASN1)
+                        p8inf = d2i_PKCS8_PRIV_KEY_INFO_bio(in, NULL);
+                else {
+                        BIO_printf(bio_err, "Bad format specified for key\n");
+                        return (1);
+                }
+        } else {
+                if(informat == FORMAT_PEM) 
+                        p8 = PEM_read_bio_PKCS8(in, NULL, NULL, NULL);
+                else if(informat == FORMAT_ASN1)
+                        p8 = d2i_PKCS8_bio(in, NULL);
+                else {
+                        BIO_printf(bio_err, "Bad format specified for key\n");
+                        return (1);
+                }
+
+                if (!p8) {
+                        BIO_printf (bio_err, "Error reading key\n", outfile);
+                        ERR_print_errors(bio_err);
+                        return (1);
+                }
+                EVP_read_pw_string(pass, 50, "Enter Password:", 0);
+                p8inf = M_PKCS8_decrypt(p8, pass, strlen(pass));
+                X509_SIG_free(p8);
+        }
+
+        if (!p8inf) {
+                BIO_printf(bio_err, "Error decrypting key\n", outfile);
+                ERR_print_errors(bio_err);
+                return (1);
+        }
+
+        if (!(pkey = EVP_PKCS82PKEY(p8inf))) {
+                BIO_printf(bio_err, "Error converting key\n", outfile);
+                ERR_print_errors(bio_err);
+                return (1);
+        }
+        
+        if (p8inf->broken) {
+                BIO_printf(bio_err, "Warning: broken key encoding: ");
+                switch (p8inf->broken) {
+                        case PKCS8_NO_OCTET:
+                        BIO_printf(bio_err, "No Octet String\n");
+                        break;
+
+                        default:
+                        BIO_printf(bio_err, "Unknown broken type\n");
+                        break;
+                }
+        }
+        
+        PKCS8_PRIV_KEY_INFO_free(p8inf);
+
+        PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, NULL);
+
+        EVP_PKEY_free(pkey);
+        BIO_free(out);
+        BIO_free(in);
+
+        return (0);
+}
diff --git a/src/lib/libssl/src/apps/progs.pl b/src/lib/libssl/src/apps/progs.pl
new file mode 100644
index 0000000000..7a69fc7b18
--- /dev/null
+++ b/src/lib/libssl/src/apps/progs.pl
@@ -0,0 +1,77 @@
+#!/usr/local/bin/perl
+
+print "/* This file was generated by progs.pl. */\n\n";
+
+grep(s/^asn1pars$/asn1parse/,@ARGV);
+
+foreach (@ARGV)
+        { printf "extern int %s_main(int argc,char *argv[]);\n",$_; }
+
+print <<'EOF';
+
+#ifdef SSLEAY_SRC  /* Defined only in openssl.c. */
+
+#define FUNC_TYPE_GENERAL       1
+#define FUNC_TYPE_MD            2
+#define FUNC_TYPE_CIPHER        3
+
+typedef struct {
+        int type;
+        char *name;
+        int (*func)();
+        } FUNCTION;
+
+FUNCTION functions[] = {
+EOF
+
+foreach (@ARGV)
+        {
+        push(@files,$_);
+        $str="\t{FUNC_TYPE_GENERAL,\"$_\",${_}_main},\n";
+        if (($_ =~ /^s_/) || ($_ =~ /^ciphers$/))
+                { print "#if !defined(NO_SOCK) && !(defined(NO_SSL2) && defined(O_SSL3))\n${str}#endif\n"; } 
+        elsif ( ($_ =~ /^rsa$/) || ($_ =~ /^genrsa$/) ) 
+                { print "#ifndef NO_RSA\n${str}#endif\n";  }
+        elsif ( ($_ =~ /^dsa$/) || ($_ =~ /^gendsa$/) || ($_ =~ /^dsaparam$/))
+                { print "#ifndef NO_DSA\n${str}#endif\n"; }
+        elsif ( ($_ =~ /^dh$/) || ($_ =~ /^gendh$/))
+                { print "#ifndef NO_DH\n${str}#endif\n"; }
+        else
+                { print $str; }
+        }
+
+foreach ("md2","md5","sha","sha1","mdc2","rmd160")
+        {
+        push(@files,$_);
+        printf "\t{FUNC_TYPE_MD,\"%s\",dgst_main},\n",$_;
+        }
+
+foreach (
+        "base64",
+        "des", "des3", "desx", "idea", "rc4", "rc2","bf","cast","rc5",
+        "des-ecb", "des-ede",    "des-ede3",
+        "des-cbc", "des-ede-cbc","des-ede3-cbc",
+        "des-cfb", "des-ede-cfb","des-ede3-cfb",
+        "des-ofb", "des-ede-ofb","des-ede3-ofb",
+        "idea-cbc","idea-ecb",   "idea-cfb", "idea-ofb",
+        "rc2-cbc", "rc2-ecb",    "rc2-cfb",  "rc2-ofb",
+        "bf-cbc",  "bf-ecb",     "bf-cfb",   "bf-ofb",
+        "cast5-cbc","cast5-ecb", "cast5-cfb","cast5-ofb",
+        "cast-cbc", "rc5-cbc",   "rc5-ecb",  "rc5-cfb",  "rc5-ofb")
+        {
+        push(@files,$_);
+
+        $t=sprintf("\t{FUNC_TYPE_CIPHER,\"%s\",enc_main},\n",$_);
+        if    ($_ =~ /des/)  { $t="#ifndef NO_DES\n${t}#endif\n"; }
+        elsif ($_ =~ /idea/) { $t="#ifndef NO_IDEA\n${t}#endif\n"; }
+        elsif ($_ =~ /rc4/)  { $t="#ifndef NO_RC4\n${t}#endif\n"; }
+        elsif ($_ =~ /rc2/)  { $t="#ifndef NO_RC2\n${t}#endif\n"; }
+        elsif ($_ =~ /bf/)   { $t="#ifndef NO_BF\n${t}#endif\n"; }
+        elsif ($_ =~ /cast/) { $t="#ifndef NO_CAST\n${t}#endif\n"; }
+        elsif ($_ =~ /rc5/)  { $t="#ifndef NO_RC5\n${t}#endif\n"; }
+        print $t;
+        }
+
+print "\t{0,NULL,NULL}\n\t};\n";
+print "#endif\n\n";
+
diff --git a/src/lib/libssl/src/apps/rand.c b/src/lib/libssl/src/apps/rand.c
new file mode 100644
index 0000000000..cfbba30755
--- /dev/null
+++ b/src/lib/libssl/src/apps/rand.c
@@ -0,0 +1,140 @@
+/* apps/rand.c */
+
+#include "apps.h"
+
+#include <ctype.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+
+#undef PROG
+#define PROG rand_main
+
+/* -out file         - write to file
+ * -rand file:file   - PRNG seed files
+ * -base64           - encode output
+ * num               - write 'num' bytes
+ */
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+        {
+        int i, r, ret = 1;
+        int badopt;
+        char *outfile = NULL;
+        char *inrand = NULL;
+        int base64 = 0;
+        BIO *out = NULL;
+        int num = -1;
+
+        apps_startup();
+
+        if (bio_err == NULL)
+                if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+                        BIO_set_fp(bio_err, stderr, BIO_NOCLOSE|BIO_FP_TEXT);
+
+        badopt = 0;
+        i = 0;
+        while (!badopt && argv[++i] != NULL)
+                {
+                if (strcmp(argv[i], "-out") == 0)
+                        {
+                        if ((argv[i+1] != NULL) && (outfile == NULL))
+                                outfile = argv[++i];
+                        else
+                                badopt = 1;
+                        }
+                else if (strcmp(argv[i], "-rand") == 0)
+                        {
+                        if ((argv[i+1] != NULL) && (inrand == NULL))
+                                inrand = argv[++i];
+                        else
+                                badopt = 1;
+                        }
+                else if (strcmp(argv[i], "-base64") == 0)
+                        {
+                        if (!base64)
+                                base64 = 1;
+                        else
+                                badopt = 1;
+                        }
+                else if (isdigit(argv[i][0]))
+                        {
+                        if (num < 0)
+                                {
+                                r = sscanf(argv[i], "%d", &num);
+                                if (r == 0 || num < 0)
+                                        badopt = 1;
+                                }
+                        else
+                                badopt = 1;
+                        }
+                else
+                        badopt = 1;
+                }
+
+        if (num < 0)
+                badopt = 1;
+        
+        if (badopt) 
+                {
+                BIO_printf(bio_err, "Usage: rand [options] num\n");
+                BIO_printf(bio_err, "where options are\n");
+                BIO_printf(bio_err, "-out file            - write to file\n");
+                BIO_printf(bio_err, "-rand file%cfile%c...  - seed PRNG from files\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
+                BIO_printf(bio_err, "-base64              - encode output\n");
+                goto err;
+                }
+
+        app_RAND_load_file(NULL, bio_err, (inrand != NULL));
+        if (inrand != NULL)
+                BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
+                        app_RAND_load_files(inrand));
+
+        out = BIO_new(BIO_s_file());
+        if (out == NULL)
+                goto err;
+        if (outfile != NULL)
+                r = BIO_write_filename(out, outfile);
+        else
+                r = BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
+        if (r <= 0)
+                goto err;
+
+        if (base64)
+                {
+                BIO *b64 = BIO_new(BIO_f_base64());
+                if (b64 == NULL)
+                        goto err;
+                out = BIO_push(b64, out);
+                }
+        
+        while (num > 0) 
+                {
+                unsigned char buf[4096];
+                int chunk;
+
+                chunk = num;
+                if (chunk > sizeof buf)
+                        chunk = sizeof buf;
+                r = RAND_bytes(buf, chunk);
+                if (r <= 0)
+                        goto err;
+                BIO_write(out, buf, chunk);
+                num -= chunk;
+                }
+        BIO_flush(out);
+
+        app_RAND_write_file(NULL, bio_err);
+        ret = 0;
+        
+err:
+        ERR_print_errors(bio_err);
+        if (out)
+                BIO_free_all(out);
+        EXIT(ret);
+        }
diff --git a/src/lib/libssl/src/apps/rsautl.c b/src/lib/libssl/src/apps/rsautl.c
new file mode 100644
index 0000000000..2ef75649dd
--- /dev/null
+++ b/src/lib/libssl/src/apps/rsautl.c
@@ -0,0 +1,315 @@
+/* rsautl.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#include "apps.h"
+#include <string.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include <openssl/engine.h>
+
+#define RSA_SIGN        1
+#define RSA_VERIFY      2
+#define RSA_ENCRYPT     3
+#define RSA_DECRYPT     4
+
+#define KEY_PRIVKEY     1
+#define KEY_PUBKEY      2
+#define KEY_CERT        3
+
+static void usage(void);
+
+#undef PROG
+
+#define PROG rsautl_main
+
+int MAIN(int argc, char **);
+
+int MAIN(int argc, char **argv)
+{
+        ENGINE *e = NULL;
+        BIO *in = NULL, *out = NULL;
+        char *infile = NULL, *outfile = NULL;
+        char *keyfile = NULL;
+        char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY;
+        int keyform = FORMAT_PEM;
+        char need_priv = 0, badarg = 0, rev = 0;
+        char hexdump = 0, asn1parse = 0;
+        X509 *x;
+        EVP_PKEY *pkey = NULL;
+        RSA *rsa = NULL;
+        unsigned char *rsa_in = NULL, *rsa_out = NULL, pad;
+        int rsa_inlen, rsa_outlen = 0;
+        int keysize;
+        char *engine=NULL;
+
+        int ret = 1;
+
+        argc--;
+        argv++;
+
+        if(!bio_err) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+        ERR_load_crypto_strings();
+        OpenSSL_add_all_algorithms();
+        pad = RSA_PKCS1_PADDING;
+        
+        while(argc >= 1)
+        {
+                if (!strcmp(*argv,"-in")) {
+                        if (--argc < 1) badarg = 1;
+                        infile= *(++argv);
+                } else if (!strcmp(*argv,"-out")) {
+                        if (--argc < 1) badarg = 1;
+                        outfile= *(++argv);
+                } else if(!strcmp(*argv, "-inkey")) {
+                        if (--argc < 1) badarg = 1;
+                        keyfile = *(++argv);
+                } else if(!strcmp(*argv, "-engine")) {
+                        if (--argc < 1) badarg = 1;
+                        engine = *(++argv);
+                } else if(!strcmp(*argv, "-pubin")) {
+                        key_type = KEY_PUBKEY;
+                } else if(!strcmp(*argv, "-certin")) {
+                        key_type = KEY_CERT;
+                } 
+                else if(!strcmp(*argv, "-asn1parse")) asn1parse = 1;
+                else if(!strcmp(*argv, "-hexdump")) hexdump = 1;
+                else if(!strcmp(*argv, "-raw")) pad = RSA_NO_PADDING;
+                else if(!strcmp(*argv, "-oaep")) pad = RSA_PKCS1_OAEP_PADDING;
+                else if(!strcmp(*argv, "-ssl")) pad = RSA_SSLV23_PADDING;
+                else if(!strcmp(*argv, "-pkcs")) pad = RSA_PKCS1_PADDING;
+                else if(!strcmp(*argv, "-sign")) {
+                        rsa_mode = RSA_SIGN;
+                        need_priv = 1;
+                } else if(!strcmp(*argv, "-verify")) rsa_mode = RSA_VERIFY;
+                else if(!strcmp(*argv, "-rev")) rev = 1;
+                else if(!strcmp(*argv, "-encrypt")) rsa_mode = RSA_ENCRYPT;
+                else if(!strcmp(*argv, "-decrypt")) {
+                        rsa_mode = RSA_DECRYPT;
+                        need_priv = 1;
+                } else badarg = 1;
+                if(badarg) {
+                        usage();
+                        goto end;
+                }
+                argc--;
+                argv++;
+        }
+
+        if(need_priv && (key_type != KEY_PRIVKEY)) {
+                BIO_printf(bio_err, "A private key is needed for this operation\n");
+                goto end;
+        }
+
+        if (engine != NULL)
+                {
+                if((e = ENGINE_by_id(engine)) == NULL)
+                        {
+                        BIO_printf(bio_err,"invalid engine \"%s\"\n",
+                                engine);
+                        goto end;
+                        }
+                if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+                        {
+                        BIO_printf(bio_err,"can't use that engine\n");
+                        goto end;
+                        }
+                BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+                /* Free our "structural" reference. */
+                ENGINE_free(e);
+                }
+
+/* FIXME: seed PRNG only if needed */
+        app_RAND_load_file(NULL, bio_err, 0);
+        
+        switch(key_type) {
+                case KEY_PRIVKEY:
+                pkey = load_key(bio_err, keyfile, keyform, NULL);
+                break;
+
+                case KEY_PUBKEY:
+                pkey = load_pubkey(bio_err, keyfile, keyform);
+                break;
+
+                case KEY_CERT:
+                x = load_cert(bio_err, keyfile, keyform);
+                if(x) {
+                        pkey = X509_get_pubkey(x);
+                        X509_free(x);
+                }
+                break;
+        }
+
+        if(!pkey) {
+                BIO_printf(bio_err, "Error loading key\n");
+                return 1;
+        }
+
+        rsa = EVP_PKEY_get1_RSA(pkey);
+        EVP_PKEY_free(pkey);
+
+        if(!rsa) {
+                BIO_printf(bio_err, "Error getting RSA key\n");
+                ERR_print_errors(bio_err);
+                goto end;
+        }
+
+
+        if(infile) {
+                if(!(in = BIO_new_file(infile, "rb"))) {
+                        BIO_printf(bio_err, "Error Reading Input File\n");
+                        ERR_print_errors(bio_err);      
+                        goto end;
+                }
+        } else in = BIO_new_fp(stdin, BIO_NOCLOSE);
+
+        if(outfile) {
+                if(!(out = BIO_new_file(outfile, "wb"))) {
+                        BIO_printf(bio_err, "Error Reading Output File\n");
+                        ERR_print_errors(bio_err);      
+                        goto end;
+                }
+        } else {
+                out = BIO_new_fp(stdout, BIO_NOCLOSE);
+#ifdef VMS
+                {
+                    BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+                    out = BIO_push(tmpbio, out);
+                }
+#endif
+        }
+
+        keysize = RSA_size(rsa);
+
+        rsa_in = OPENSSL_malloc(keysize * 2);
+        rsa_out = OPENSSL_malloc(keysize);
+
+        /* Read the input data */
+        rsa_inlen = BIO_read(in, rsa_in, keysize * 2);
+        if(rsa_inlen <= 0) {
+                BIO_printf(bio_err, "Error reading input Data\n");
+                exit(1);
+        }
+        if(rev) {
+                int i;
+                unsigned char ctmp;
+                for(i = 0; i < rsa_inlen/2; i++) {
+                        ctmp = rsa_in[i];
+                        rsa_in[i] = rsa_in[rsa_inlen - 1 - i];
+                        rsa_in[rsa_inlen - 1 - i] = ctmp;
+                }
+        }
+        switch(rsa_mode) {
+
+                case RSA_VERIFY:
+                        rsa_outlen  = RSA_public_decrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
+                break;
+
+                case RSA_SIGN:
+                        rsa_outlen  = RSA_private_encrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
+                break;
+
+                case RSA_ENCRYPT:
+                        rsa_outlen  = RSA_public_encrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
+                break;
+
+                case RSA_DECRYPT:
+                        rsa_outlen  = RSA_private_decrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
+                break;
+
+        }
+
+        if(rsa_outlen <= 0) {
+                BIO_printf(bio_err, "RSA operation error\n");
+                ERR_print_errors(bio_err);
+                goto end;
+        }
+        ret = 0;
+        if(asn1parse) {
+                if(!ASN1_parse_dump(out, rsa_out, rsa_outlen, 1, -1)) {
+                        ERR_print_errors(bio_err);
+                }
+        } else if(hexdump) BIO_dump(out, (char *)rsa_out, rsa_outlen);
+        else BIO_write(out, rsa_out, rsa_outlen);
+        end:
+        RSA_free(rsa);
+        BIO_free(in);
+        BIO_free_all(out);
+        if(rsa_in) OPENSSL_free(rsa_in);
+        if(rsa_out) OPENSSL_free(rsa_out);
+        return ret;
+}
+
+static void usage()
+{
+        BIO_printf(bio_err, "Usage: rsautl [options]\n");
+        BIO_printf(bio_err, "-in file        input file\n");
+        BIO_printf(bio_err, "-out file       output file\n");
+        BIO_printf(bio_err, "-inkey file     input key\n");
+        BIO_printf(bio_err, "-pubin          input is an RSA public\n");
+        BIO_printf(bio_err, "-certin         input is a certificate carrying an RSA public key\n");
+        BIO_printf(bio_err, "-engine e       use engine e, possibly a hardware device.\n");
+        BIO_printf(bio_err, "-ssl            use SSL v2 padding\n");
+        BIO_printf(bio_err, "-raw            use no padding\n");
+        BIO_printf(bio_err, "-pkcs           use PKCS#1 v1.5 padding (default)\n");
+        BIO_printf(bio_err, "-oaep           use PKCS#1 OAEP\n");
+        BIO_printf(bio_err, "-sign           sign with private key\n");
+        BIO_printf(bio_err, "-verify         verify with public key\n");
+        BIO_printf(bio_err, "-encrypt        encrypt with public key\n");
+        BIO_printf(bio_err, "-decrypt        decrypt with private key\n");
+        BIO_printf(bio_err, "-hexdump        hex dump output\n");
+}
+
diff --git a/src/lib/libssl/src/apps/smime.c b/src/lib/libssl/src/apps/smime.c
new file mode 100644
index 0000000000..77633cfb60
--- /dev/null
+++ b/src/lib/libssl/src/apps/smime.c
@@ -0,0 +1,646 @@
+/* smime.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* S/MIME utility function */
+
+#include <stdio.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/crypto.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
+
+#undef PROG
+#define PROG smime_main
+static X509 *load_cert(char *file);
+static EVP_PKEY *load_key(char *file, char *pass);
+static STACK_OF(X509) *load_certs(char *file);
+static X509_STORE *setup_verify(char *CAfile, char *CApath);
+static int save_certs(char *signerfile, STACK_OF(X509) *signers);
+
+#define SMIME_OP        0x10
+#define SMIME_ENCRYPT   (1 | SMIME_OP)
+#define SMIME_DECRYPT   2
+#define SMIME_SIGN      (3 | SMIME_OP)
+#define SMIME_VERIFY    4
+#define SMIME_PK7OUT    5
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+{
+        int operation = 0;
+        int ret = 0;
+        char **args;
+        char *inmode = "r", *outmode = "w";
+        char *infile = NULL, *outfile = NULL;
+        char *signerfile = NULL, *recipfile = NULL;
+        char *certfile = NULL, *keyfile = NULL;
+        EVP_CIPHER *cipher = NULL;
+        PKCS7 *p7 = NULL;
+        X509_STORE *store = NULL;
+        X509 *cert = NULL, *recip = NULL, *signer = NULL;
+        EVP_PKEY *key = NULL;
+        STACK_OF(X509) *encerts = NULL, *other = NULL;
+        BIO *in = NULL, *out = NULL, *indata = NULL;
+        int badarg = 0;
+        int flags = PKCS7_DETACHED;
+        char *to = NULL, *from = NULL, *subject = NULL;
+        char *CAfile = NULL, *CApath = NULL;
+        char *passargin = NULL, *passin = NULL;
+        char *inrand = NULL;
+        int need_rand = 0;
+        args = argv + 1;
+
+        ret = 1;
+
+        while (!badarg && *args && *args[0] == '-') {
+                if (!strcmp (*args, "-encrypt")) operation = SMIME_ENCRYPT;
+                else if (!strcmp (*args, "-decrypt")) operation = SMIME_DECRYPT;
+                else if (!strcmp (*args, "-sign")) operation = SMIME_SIGN;
+                else if (!strcmp (*args, "-verify")) operation = SMIME_VERIFY;
+                else if (!strcmp (*args, "-pk7out")) operation = SMIME_PK7OUT;
+#ifndef NO_DES
+                else if (!strcmp (*args, "-des3")) 
+                                cipher = EVP_des_ede3_cbc();
+                else if (!strcmp (*args, "-des")) 
+                                cipher = EVP_des_cbc();
+#endif
+#ifndef NO_RC2
+                else if (!strcmp (*args, "-rc2-40")) 
+                                cipher = EVP_rc2_40_cbc();
+                else if (!strcmp (*args, "-rc2-128")) 
+                                cipher = EVP_rc2_cbc();
+                else if (!strcmp (*args, "-rc2-64")) 
+                                cipher = EVP_rc2_64_cbc();
+#endif
+                else if (!strcmp (*args, "-text")) 
+                                flags |= PKCS7_TEXT;
+                else if (!strcmp (*args, "-nointern")) 
+                                flags |= PKCS7_NOINTERN;
+                else if (!strcmp (*args, "-noverify")) 
+                                flags |= PKCS7_NOVERIFY;
+                else if (!strcmp (*args, "-nochain")) 
+                                flags |= PKCS7_NOCHAIN;
+                else if (!strcmp (*args, "-nocerts")) 
+                                flags |= PKCS7_NOCERTS;
+                else if (!strcmp (*args, "-noattr")) 
+                                flags |= PKCS7_NOATTR;
+                else if (!strcmp (*args, "-nodetach")) 
+                                flags &= ~PKCS7_DETACHED;
+                else if (!strcmp (*args, "-binary"))
+                                flags |= PKCS7_BINARY;
+                else if (!strcmp (*args, "-nosigs"))
+                                flags |= PKCS7_NOSIGS;
+                else if (!strcmp(*args,"-rand")) {
+                        if (args[1]) {
+                                args++;
+                                inrand = *args;
+                        } else badarg = 1;
+                        need_rand = 1;
+                } else if (!strcmp(*args,"-passin")) {
+                        if (args[1]) {
+                                args++;
+                                passargin = *args;
+                        } else badarg = 1;
+                } else if (!strcmp (*args, "-to")) {
+                        if (args[1]) {
+                                args++;
+                                to = *args;
+                        } else badarg = 1;
+                } else if (!strcmp (*args, "-from")) {
+                        if (args[1]) {
+                                args++;
+                                from = *args;
+                        } else badarg = 1;
+                } else if (!strcmp (*args, "-subject")) {
+                        if (args[1]) {
+                                args++;
+                                subject = *args;
+                        } else badarg = 1;
+                } else if (!strcmp (*args, "-signer")) {
+                        if (args[1]) {
+                                args++;
+                                signerfile = *args;
+                        } else badarg = 1;
+                } else if (!strcmp (*args, "-recip")) {
+                        if (args[1]) {
+                                args++;
+                                recipfile = *args;
+                        } else badarg = 1;
+                } else if (!strcmp (*args, "-inkey")) {
+                        if (args[1]) {
+                                args++;
+                                keyfile = *args;
+                        } else badarg = 1;
+                } else if (!strcmp (*args, "-certfile")) {
+                        if (args[1]) {
+                                args++;
+                                certfile = *args;
+                        } else badarg = 1;
+                } else if (!strcmp (*args, "-CAfile")) {
+                        if (args[1]) {
+                                args++;
+                                CAfile = *args;
+                        } else badarg = 1;
+                } else if (!strcmp (*args, "-CApath")) {
+                        if (args[1]) {
+                                args++;
+                                CApath = *args;
+                        } else badarg = 1;
+                } else if (!strcmp (*args, "-in")) {
+                        if (args[1]) {
+                                args++;
+                                infile = *args;
+                        } else badarg = 1;
+                } else if (!strcmp (*args, "-out")) {
+                        if (args[1]) {
+                                args++;
+                                outfile = *args;
+                        } else badarg = 1;
+                } else badarg = 1;
+                args++;
+        }
+
+        if(operation == SMIME_SIGN) {
+                if(!signerfile) {
+                        BIO_printf(bio_err, "No signer certificate specified\n");
+                        badarg = 1;
+                }
+                need_rand = 1;
+        } else if(operation == SMIME_DECRYPT) {
+                if(!recipfile) {
+                        BIO_printf(bio_err, "No recipient certificate and key specified\n");
+                        badarg = 1;
+                }
+        } else if(operation == SMIME_ENCRYPT) {
+                if(!*args) {
+                        BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n");
+                        badarg = 1;
+                }
+                need_rand = 1;
+        } else if(!operation) badarg = 1;
+
+        if (badarg) {
+                BIO_printf (bio_err, "Usage smime [options] cert.pem ...\n");
+                BIO_printf (bio_err, "where options are\n");
+                BIO_printf (bio_err, "-encrypt       encrypt message\n");
+                BIO_printf (bio_err, "-decrypt       decrypt encrypted message\n");
+                BIO_printf (bio_err, "-sign          sign message\n");
+                BIO_printf (bio_err, "-verify        verify signed message\n");
+                BIO_printf (bio_err, "-pk7out        output PKCS#7 structure\n");
+#ifndef NO_DES
+                BIO_printf (bio_err, "-des3          encrypt with triple DES\n");
+                BIO_printf (bio_err, "-des           encrypt with DES\n");
+#endif
+#ifndef NO_RC2
+                BIO_printf (bio_err, "-rc2-40        encrypt with RC2-40 (default)\n");
+                BIO_printf (bio_err, "-rc2-64        encrypt with RC2-64\n");
+                BIO_printf (bio_err, "-rc2-128       encrypt with RC2-128\n");
+#endif
+                BIO_printf (bio_err, "-nointern      don't search certificates in message for signer\n");
+                BIO_printf (bio_err, "-nosigs        don't verify message signature\n");
+                BIO_printf (bio_err, "-noverify      don't verify signers certificate\n");
+                BIO_printf (bio_err, "-nocerts       don't include signers certificate when signing\n");
+                BIO_printf (bio_err, "-nodetach      use opaque signing\n");
+                BIO_printf (bio_err, "-noattr        don't include any signed attributes\n");
+                BIO_printf (bio_err, "-binary        don't translate message to text\n");
+                BIO_printf (bio_err, "-certfile file other certificates file\n");
+                BIO_printf (bio_err, "-signer file   signer certificate file\n");
+                BIO_printf (bio_err, "-recip  file   recipient certificate file for decryption\n");
+                BIO_printf (bio_err, "-in file       input file\n");
+                BIO_printf (bio_err, "-inkey file    input private key (if not signer or recipient)\n");
+                BIO_printf (bio_err, "-out file      output file\n");
+                BIO_printf (bio_err, "-to addr       to address\n");
+                BIO_printf (bio_err, "-from ad       from address\n");
+                BIO_printf (bio_err, "-subject s     subject\n");
+                BIO_printf (bio_err, "-text          include or delete text MIME headers\n");
+                BIO_printf (bio_err, "-CApath dir    trusted certificates directory\n");
+                BIO_printf (bio_err, "-CAfile file   trusted certificates file\n");
+                BIO_printf(bio_err,  "-rand file:file:...\n");
+                BIO_printf(bio_err,  "               load the file (or the files in the directory) into\n");
+                BIO_printf(bio_err,  "               the random number generator\n");
+                BIO_printf (bio_err, "cert.pem       recipient certificate(s) for encryption\n");
+                goto end;
+        }
+
+        if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
+                BIO_printf(bio_err, "Error getting password\n");
+                goto end;
+        }
+
+        if (need_rand) {
+                app_RAND_load_file(NULL, bio_err, (inrand != NULL));
+                if (inrand != NULL)
+                        BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
+                                app_RAND_load_files(inrand));
+        }
+
+        ret = 2;
+
+        if(operation != SMIME_SIGN) flags &= ~PKCS7_DETACHED;
+
+        if(flags & PKCS7_BINARY) {
+                if(operation & SMIME_OP) inmode = "rb";
+                else outmode = "rb";
+        }
+
+        if(operation == SMIME_ENCRYPT) {
+                if (!cipher) {
+#ifndef NO_RC2                  
+                        cipher = EVP_rc2_40_cbc();
+#else
+                        BIO_printf(bio_err, "No cipher selected\n");
+                        goto end;
+#endif
+                }
+#ifdef CRYPTO_MDEBUG
+                CRYPTO_push_info("load encryption certificates");
+#endif          
+                encerts = sk_X509_new_null();
+                while (*args) {
+                        if(!(cert = load_cert(*args))) {
+                                BIO_printf(bio_err, "Can't read recipient certificate file %s\n", *args);
+                                goto end;
+                        }
+                        sk_X509_push(encerts, cert);
+                        cert = NULL;
+                        args++;
+                }
+#ifdef CRYPTO_MDEBUG
+                CRYPTO_pop_info();
+#endif          
+        }
+
+        if(signerfile && (operation == SMIME_SIGN)) {
+#ifdef CRYPTO_MDEBUG
+                CRYPTO_push_info("load signer certificate");
+#endif          
+                if(!(signer = load_cert(signerfile))) {
+                        BIO_printf(bio_err, "Can't read signer certificate file %s\n", signerfile);
+                        goto end;
+                }
+#ifdef CRYPTO_MDEBUG
+                CRYPTO_pop_info();
+#endif          
+        }
+
+        if(certfile) {
+#ifdef CRYPTO_MDEBUG
+                CRYPTO_push_info("load other certfiles");
+#endif          
+                if(!(other = load_certs(certfile))) {
+                        BIO_printf(bio_err, "Can't read certificate file %s\n", certfile);
+                        ERR_print_errors(bio_err);
+                        goto end;
+                }
+#ifdef CRYPTO_MDEBUG
+                CRYPTO_pop_info();
+#endif          
+        }
+
+        if(recipfile && (operation == SMIME_DECRYPT)) {
+#ifdef CRYPTO_MDEBUG
+                CRYPTO_push_info("load recipient certificate");
+#endif          
+                if(!(recip = load_cert(recipfile))) {
+                        BIO_printf(bio_err, "Can't read recipient certificate file %s\n", recipfile);
+                        ERR_print_errors(bio_err);
+                        goto end;
+                }
+#ifdef CRYPTO_MDEBUG
+                CRYPTO_pop_info();
+#endif          
+        }
+
+        if(operation == SMIME_DECRYPT) {
+                if(!keyfile) keyfile = recipfile;
+        } else if(operation == SMIME_SIGN) {
+                if(!keyfile) keyfile = signerfile;
+        } else keyfile = NULL;
+
+        if(keyfile) {
+#ifdef CRYPTO_MDEBUG
+                CRYPTO_push_info("load keyfile");
+#endif          
+                if(!(key = load_key(keyfile, passin))) {
+                        BIO_printf(bio_err, "Can't read recipient certificate file %s\n", keyfile);
+                        ERR_print_errors(bio_err);
+                        goto end;
+                }
+#ifdef CRYPTO_MDEBUG
+                CRYPTO_pop_info();
+#endif          
+        }
+
+#ifdef CRYPTO_MDEBUG
+        CRYPTO_push_info("open input files");
+#endif          
+        if (infile) {
+                if (!(in = BIO_new_file(infile, inmode))) {
+                        BIO_printf (bio_err,
+                                 "Can't open input file %s\n", infile);
+                        goto end;
+                }
+        } else in = BIO_new_fp(stdin, BIO_NOCLOSE);
+#ifdef CRYPTO_MDEBUG
+        CRYPTO_pop_info();
+#endif          
+
+#ifdef CRYPTO_MDEBUG
+        CRYPTO_push_info("open output files");
+#endif          
+        if (outfile) {
+                if (!(out = BIO_new_file(outfile, outmode))) {
+                        BIO_printf (bio_err,
+                                 "Can't open output file %s\n", outfile);
+                        goto end;
+                }
+        } else out = BIO_new_fp(stdout, BIO_NOCLOSE);
+#ifdef CRYPTO_MDEBUG
+        CRYPTO_pop_info();
+#endif          
+
+        if(operation == SMIME_VERIFY) {
+#ifdef CRYPTO_MDEBUG
+                CRYPTO_push_info("setup_verify");
+#endif          
+                if(!(store = setup_verify(CAfile, CApath))) goto end;
+#ifdef CRYPTO_MDEBUG
+                CRYPTO_pop_info();
+#endif          
+        }
+
+        ret = 3;
+
+        if(operation == SMIME_ENCRYPT) {
+#ifdef CRYPTO_MDEBUG
+                CRYPTO_push_info("PKCS7_encrypt");
+#endif          
+                p7 = PKCS7_encrypt(encerts, in, cipher, flags);
+#ifdef CRYPTO_MDEBUG
+                CRYPTO_pop_info();
+#endif          
+        } else if(operation == SMIME_SIGN) {
+#ifdef CRYPTO_MDEBUG
+                CRYPTO_push_info("PKCS7_sign");
+#endif          
+                p7 = PKCS7_sign(signer, key, other, in, flags);
+                BIO_reset(in);
+#ifdef CRYPTO_MDEBUG
+                CRYPTO_pop_info();
+#endif          
+        } else {
+#ifdef CRYPTO_MDEBUG
+                CRYPTO_push_info("SMIME_read_PKCS7");
+#endif          
+                if(!(p7 = SMIME_read_PKCS7(in, &indata))) {
+                        BIO_printf(bio_err, "Error reading S/MIME message\n");
+                        goto end;
+                }
+#ifdef CRYPTO_MDEBUG
+                CRYPTO_pop_info();
+#endif          
+        }
+
+        if(!p7) {
+                BIO_printf(bio_err, "Error creating PKCS#7 structure\n");
+                goto end;
+        }
+
+        ret = 4;
+        if(operation == SMIME_DECRYPT) {
+#ifdef CRYPTO_MDEBUG
+                CRYPTO_push_info("PKCS7_decrypt");
+#endif          
+                if(!PKCS7_decrypt(p7, key, recip, out, flags)) {
+                        BIO_printf(bio_err, "Error decrypting PKCS#7 structure\n");
+                        goto end;
+                }
+#ifdef CRYPTO_MDEBUG
+                CRYPTO_pop_info();
+#endif          
+        } else if(operation == SMIME_VERIFY) {
+                STACK_OF(X509) *signers;
+#ifdef CRYPTO_MDEBUG
+                CRYPTO_push_info("PKCS7_verify");
+#endif          
+                if(PKCS7_verify(p7, other, store, indata, out, flags)) {
+                        BIO_printf(bio_err, "Verification Successful\n");
+                } else {
+                        BIO_printf(bio_err, "Verification Failure\n");
+                        goto end;
+                }
+#ifdef CRYPTO_MDEBUG
+                CRYPTO_pop_info();
+                CRYPTO_push_info("PKCS7_get0_signers");
+#endif          
+                signers = PKCS7_get0_signers(p7, other, flags);
+#ifdef CRYPTO_MDEBUG
+                CRYPTO_pop_info();
+                CRYPTO_push_info("save_certs");
+#endif          
+                if(!save_certs(signerfile, signers)) {
+                        BIO_printf(bio_err, "Error writing signers to %s\n",
+                                                                signerfile);
+                        ret = 5;
+                        goto end;
+                }
+#ifdef CRYPTO_MDEBUG
+                CRYPTO_pop_info();
+#endif          
+                sk_X509_free(signers);
+        } else if(operation == SMIME_PK7OUT) {
+                PEM_write_bio_PKCS7(out, p7);
+        } else {
+                if(to) BIO_printf(out, "To: %s\n", to);
+                if(from) BIO_printf(out, "From: %s\n", from);
+                if(subject) BIO_printf(out, "Subject: %s\n", subject);
+                SMIME_write_PKCS7(out, p7, in, flags);
+        }
+        ret = 0;
+end:
+#ifdef CRYPTO_MDEBUG
+        CRYPTO_remove_all_info();
+#endif
+        if (need_rand)
+                app_RAND_write_file(NULL, bio_err);
+        if(ret) ERR_print_errors(bio_err);
+        sk_X509_pop_free(encerts, X509_free);
+        sk_X509_pop_free(other, X509_free);
+        X509_STORE_free(store);
+        X509_free(cert);
+        X509_free(recip);
+        X509_free(signer);
+        EVP_PKEY_free(key);
+        PKCS7_free(p7);
+        BIO_free(in);
+        BIO_free(indata);
+        BIO_free(out);
+        if(passin) Free(passin);
+        return (ret);
+}
+
+static X509 *load_cert(char *file)
+{
+        BIO *in;
+        X509 *cert;
+        if(!(in = BIO_new_file(file, "r"))) return NULL;
+        cert = PEM_read_bio_X509(in, NULL, NULL,NULL);
+        BIO_free(in);
+        return cert;
+}
+
+static EVP_PKEY *load_key(char *file, char *pass)
+{
+        BIO *in;
+        EVP_PKEY *key;
+        if(!(in = BIO_new_file(file, "r"))) return NULL;
+        key = PEM_read_bio_PrivateKey(in, NULL,NULL,pass);
+        BIO_free(in);
+        return key;
+}
+
+static STACK_OF(X509) *load_certs(char *file)
+{
+        BIO *in;
+        int i;
+        STACK_OF(X509) *othercerts;
+        STACK_OF(X509_INFO) *allcerts;
+        X509_INFO *xi;
+        if(!(in = BIO_new_file(file, "r"))) return NULL;
+        othercerts = sk_X509_new(NULL);
+        if(!othercerts) return NULL;
+        allcerts = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
+        for(i = 0; i < sk_X509_INFO_num(allcerts); i++) {
+                xi = sk_X509_INFO_value (allcerts, i);
+                if (xi->x509) {
+                        sk_X509_push(othercerts, xi->x509);
+                        xi->x509 = NULL;
+                }
+        }
+        sk_X509_INFO_pop_free(allcerts, X509_INFO_free);
+        BIO_free(in);
+        return othercerts;
+}
+
+static X509_STORE *setup_verify(char *CAfile, char *CApath)
+{
+        X509_STORE *store;
+        X509_LOOKUP *lookup;
+#ifdef CRYPTO_MDEBUG
+        CRYPTO_push_info("X509_STORE_new");
+#endif  
+        if(!(store = X509_STORE_new())) goto end;
+#ifdef CRYPTO_MDEBUG
+        CRYPTO_pop_info();
+        CRYPTO_push_info("X509_STORE_add_lookup(...file)");
+#endif  
+        lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file());
+        if (lookup == NULL) goto end;
+#ifdef CRYPTO_MDEBUG
+        CRYPTO_pop_info();
+        CRYPTO_push_info("X509_LOOKUP_load_file");
+#endif  
+        if (CAfile) {
+                if(!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM)) {
+                        BIO_printf(bio_err, "Error loading file %s\n", CAfile);
+                        goto end;
+                }
+        } else X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
+                
+#ifdef CRYPTO_MDEBUG
+        CRYPTO_pop_info();
+        CRYPTO_push_info("X509_STORE_add_lookup(...hash_dir)");
+#endif  
+        lookup=X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir());
+        if (lookup == NULL) goto end;
+#ifdef CRYPTO_MDEBUG
+        CRYPTO_pop_info();
+        CRYPTO_push_info("X509_LOOKUP_add_dir");
+#endif  
+        if (CApath) {
+                if(!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM)) {
+                        BIO_printf(bio_err, "Error loading directory %s\n", CApath);
+                        goto end;
+                }
+        } else X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
+#ifdef CRYPTO_MDEBUG
+        CRYPTO_pop_info();
+#endif  
+
+        ERR_clear_error();
+        return store;
+        end:
+        X509_STORE_free(store);
+        return NULL;
+}
+
+static int save_certs(char *signerfile, STACK_OF(X509) *signers)
+{
+        int i;
+        BIO *tmp;
+        if(!signerfile) return 1;
+        tmp = BIO_new_file(signerfile, "w");
+        if(!tmp) return 0;
+        for(i = 0; i < sk_X509_num(signers); i++)
+                PEM_write_bio_X509(tmp, sk_X509_value(signers, i));
+        BIO_free(tmp);
+        return 1;
+}
+        
diff --git a/src/lib/libssl/src/apps/spkac.c b/src/lib/libssl/src/apps/spkac.c
new file mode 100644
index 0000000000..b35354a8d7
--- /dev/null
+++ b/src/lib/libssl/src/apps/spkac.c
@@ -0,0 +1,274 @@
+/* apps/spkac.c */
+
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999. Based on an original idea by Massimiliano Pala
+ * (madwolf@openca.org).
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+#undef PROG
+#define PROG    spkac_main
+
+/* -in arg      - input file - default stdin
+ * -out arg     - output file - default stdout
+ */
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+        {
+        int i,badops=0, ret = 1;
+        BIO *in = NULL,*out = NULL, *key = NULL;
+        int verify=0,noout=0,pubkey=0;
+        char *infile = NULL,*outfile = NULL,*prog;
+        char *passargin = NULL, *passin = NULL;
+        char *spkac = "SPKAC", *spksect = "default", *spkstr = NULL;
+        char *challenge = NULL, *keyfile = NULL;
+        LHASH *conf = NULL;
+        NETSCAPE_SPKI *spki = NULL;
+        EVP_PKEY *pkey = NULL;
+
+        apps_startup();
+
+        if (!bio_err) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+
+        prog=argv[0];
+        argc--;
+        argv++;
+        while (argc >= 1)
+                {
+                if (strcmp(*argv,"-in") == 0)
+                        {
+                        if (--argc < 1) goto bad;
+                        infile= *(++argv);
+                        }
+                else if (strcmp(*argv,"-out") == 0)
+                        {
+                        if (--argc < 1) goto bad;
+                        outfile= *(++argv);
+                        }
+                else if (strcmp(*argv,"-passin") == 0)
+                        {
+                        if (--argc < 1) goto bad;
+                        passargin= *(++argv);
+                        }
+                else if (strcmp(*argv,"-key") == 0)
+                        {
+                        if (--argc < 1) goto bad;
+                        keyfile= *(++argv);
+                        }
+                else if (strcmp(*argv,"-challenge") == 0)
+                        {
+                        if (--argc < 1) goto bad;
+                        challenge= *(++argv);
+                        }
+                else if (strcmp(*argv,"-spkac") == 0)
+                        {
+                        if (--argc < 1) goto bad;
+                        spkac= *(++argv);
+                        }
+                else if (strcmp(*argv,"-spksect") == 0)
+                        {
+                        if (--argc < 1) goto bad;
+                        spksect= *(++argv);
+                        }
+                else if (strcmp(*argv,"-noout") == 0)
+                        noout=1;
+                else if (strcmp(*argv,"-pubkey") == 0)
+                        pubkey=1;
+                else if (strcmp(*argv,"-verify") == 0)
+                        verify=1;
+                else badops = 1;
+                argc--;
+                argv++;
+                }
+
+        if (badops)
+                {
+bad:
+                BIO_printf(bio_err,"%s [options]\n",prog);
+                BIO_printf(bio_err,"where options are\n");
+                BIO_printf(bio_err," -in arg        input file\n");
+                BIO_printf(bio_err," -out arg       output file\n");
+                BIO_printf(bio_err," -key arg       create SPKAC using private key\n");
+                BIO_printf(bio_err," -passin arg    input file pass phrase source\n");
+                BIO_printf(bio_err," -challenge arg challenge string\n");
+                BIO_printf(bio_err," -spkac arg     alternative SPKAC name\n");
+                BIO_printf(bio_err," -noout         don't print SPKAC\n");
+                BIO_printf(bio_err," -pubkey        output public key\n");
+                BIO_printf(bio_err," -verify        verify SPKAC signature\n");
+                goto end;
+                }
+
+        ERR_load_crypto_strings();
+        if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
+                BIO_printf(bio_err, "Error getting password\n");
+                goto end;
+        }
+
+        if(keyfile) {
+                if(strcmp(keyfile, "-")) key = BIO_new_file(keyfile, "r");
+                else key = BIO_new_fp(stdin, BIO_NOCLOSE);
+                if(!key) {
+                        BIO_printf(bio_err, "Error opening key file\n");
+                        ERR_print_errors(bio_err);
+                        goto end;
+                }
+                pkey = PEM_read_bio_PrivateKey(key, NULL, NULL, passin);
+                if(!pkey) {
+                        BIO_printf(bio_err, "Error reading private key\n");
+                        ERR_print_errors(bio_err);
+                        goto end;
+                }
+                spki = NETSCAPE_SPKI_new();
+                if(challenge) ASN1_STRING_set(spki->spkac->challenge,
+                                                 challenge, strlen(challenge));
+                NETSCAPE_SPKI_set_pubkey(spki, pkey);
+                NETSCAPE_SPKI_sign(spki, pkey, EVP_md5());
+                spkstr = NETSCAPE_SPKI_b64_encode(spki);
+
+                if (outfile) out = BIO_new_file(outfile, "w");
+                else out = BIO_new_fp(stdout, BIO_NOCLOSE);
+
+                if(!out) {
+                        BIO_printf(bio_err, "Error opening output file\n");
+                        ERR_print_errors(bio_err);
+                        goto end;
+                }
+                BIO_printf(out, "SPKAC=%s\n", spkstr);
+                Free(spkstr);
+                ret = 0;
+                goto end;
+        }
+
+        
+
+        if (infile) in = BIO_new_file(infile, "r");
+        else in = BIO_new_fp(stdin, BIO_NOCLOSE);
+
+        if(!in) {
+                BIO_printf(bio_err, "Error opening input file\n");
+                ERR_print_errors(bio_err);
+                goto end;
+        }
+
+        conf = CONF_load_bio(NULL, in, NULL);
+
+        if(!conf) {
+                BIO_printf(bio_err, "Error parsing config file\n");
+                ERR_print_errors(bio_err);
+                goto end;
+        }
+
+        spkstr = CONF_get_string(conf, spksect, spkac);
+                
+        if(!spkstr) {
+                BIO_printf(bio_err, "Can't find SPKAC called \"%s\"\n", spkac);
+                ERR_print_errors(bio_err);
+                goto end;
+        }
+
+        spki = NETSCAPE_SPKI_b64_decode(spkstr, -1);
+        
+        if(!spki) {
+                BIO_printf(bio_err, "Error loading SPKAC\n");
+                ERR_print_errors(bio_err);
+                goto end;
+        }
+
+        if (outfile) out = BIO_new_file(outfile, "w");
+        else out = BIO_new_fp(stdout, BIO_NOCLOSE);
+
+        if(!out) {
+                BIO_printf(bio_err, "Error opening output file\n");
+                ERR_print_errors(bio_err);
+                goto end;
+        }
+
+        if(!noout) NETSCAPE_SPKI_print(out, spki);
+        pkey = NETSCAPE_SPKI_get_pubkey(spki);
+        if(verify) {
+                i = NETSCAPE_SPKI_verify(spki, pkey);
+                if(i) BIO_printf(bio_err, "Signature OK\n");
+                else {
+                        BIO_printf(bio_err, "Signature Failure\n");
+                        ERR_print_errors(bio_err);
+                        goto end;
+                }
+        }
+        if(pubkey) PEM_write_bio_PUBKEY(out, pkey);
+
+        ret = 0;
+
+end:
+        CONF_free(conf);
+        NETSCAPE_SPKI_free(spki);
+        BIO_free(in);
+        BIO_free(out);
+        BIO_free(key);
+        EVP_PKEY_free(pkey);
+        if(passin) Free(passin);
+        EXIT(ret);
+        }
diff --git a/src/lib/libssl/src/apps/winrand.c b/src/lib/libssl/src/apps/winrand.c
new file mode 100644
index 0000000000..d042258b50
--- /dev/null
+++ b/src/lib/libssl/src/apps/winrand.c
@@ -0,0 +1,149 @@
+/* apps/winrand.c */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* Usage: winrand [filename]
+ *
+ * Collects entropy from mouse movements and other events and writes
+ * random data to filename or .rnd
+ */
+
+#include <windows.h>
+#include <openssl/opensslv.h>
+#include <openssl/rand.h>
+
+LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);
+const char *filename;
+
+int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
+        PSTR cmdline, int iCmdShow)
+        {
+        static char appname[] = "OpenSSL";
+        HWND hwnd;
+        MSG msg;
+        WNDCLASSEX wndclass;
+        char buffer[200];
+
+        if (cmdline[0] == '\0')
+                filename = RAND_file_name(buffer, sizeof buffer);
+        else
+                filename = cmdline;
+
+        RAND_load_file(filename, -1);
+
+        wndclass.cbSize = sizeof(wndclass);
+        wndclass.style = CS_HREDRAW | CS_VREDRAW;
+        wndclass.lpfnWndProc = WndProc;
+        wndclass.cbClsExtra = 0;
+        wndclass.cbWndExtra = 0;
+        wndclass.hInstance = hInstance;
+        wndclass.hIcon = LoadIcon(NULL, IDI_APPLICATION);
+        wndclass.hCursor = LoadCursor(NULL, IDC_ARROW);
+        wndclass.hbrBackground = (HBRUSH) GetStockObject(WHITE_BRUSH);
+        wndclass.lpszMenuName = NULL;
+        wndclass.lpszClassName = appname;
+        wndclass.hIconSm = LoadIcon(NULL, IDI_APPLICATION);
+        RegisterClassEx(&wndclass);
+
+        hwnd = CreateWindow(appname, OPENSSL_VERSION_TEXT,
+                WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT,
+                CW_USEDEFAULT, CW_USEDEFAULT, NULL, NULL, hInstance, NULL);
+
+        ShowWindow(hwnd, iCmdShow);
+        UpdateWindow(hwnd);
+
+
+        while (GetMessage(&msg, NULL, 0, 0))
+                {
+                TranslateMessage(&msg);
+                DispatchMessage(&msg);
+                }
+
+        return msg.wParam;
+        }
+
+LRESULT CALLBACK WndProc(HWND hwnd, UINT iMsg, WPARAM wParam, LPARAM lParam)
+        {
+        HDC hdc;
+        PAINTSTRUCT ps;
+        RECT rect;
+        char buffer[200];
+        static int seeded = 0;
+
+        switch (iMsg)
+                {
+        case WM_PAINT:
+                hdc = BeginPaint(hwnd, &ps);
+                GetClientRect(hwnd, &rect);
+                DrawText(hdc, "Seeding the PRNG. Please move the mouse!", -1,
+                        &rect, DT_SINGLELINE | DT_CENTER | DT_VCENTER);
+                EndPaint(hwnd, &ps);
+                return 0;
+                
+        case WM_DESTROY:
+                PostQuitMessage(0);
+                return 0;
+                }
+
+        if (RAND_event(iMsg, wParam, lParam) == 1 && seeded == 0)
+                {
+                seeded = 1;
+                if (RAND_write_file(filename) <= 0)
+                        MessageBox(hwnd, "Couldn't write random file!",
+                                "OpenSSL", MB_OK | MB_ICONERROR);
+                PostQuitMessage(0);
+                }
+
+        return DefWindowProc(hwnd, iMsg, wParam, lParam);
+        }
diff --git a/src/lib/libssl/src/bugs/ultrixcc.c b/src/lib/libssl/src/bugs/ultrixcc.c
new file mode 100644
index 0000000000..7ba75b140f
--- /dev/null
+++ b/src/lib/libssl/src/bugs/ultrixcc.c
@@ -0,0 +1,45 @@
+#include <stdio.h>
+
+/* This is a cc optimiser bug for ultrix 4.3, mips CPU.
+ * What happens is that the compiler, due to the (a)&7,
+ * does
+ * i=a&7;
+ * i--;
+ * i*=4;
+ * Then uses i as the offset into a jump table.
+ * The problem is that a value of 0 generates an offset of
+ * 0xfffffffc.
+ */
+
+main()
+        {
+        f(5);
+        f(0);
+        }
+
+int f(a)
+int a;
+        {
+        switch(a&7)
+                {
+        case 7:
+                printf("7\n");
+        case 6:
+                printf("6\n");
+        case 5:
+                printf("5\n");
+        case 4:
+                printf("4\n");
+        case 3:
+                printf("3\n");
+        case 2:
+                printf("2\n");
+        case 1:
+                printf("1\n");
+#ifdef FIX_BUG
+        case 0:
+                ;
+#endif
+                }
+        }       
+
diff --git a/src/lib/libssl/src/certs/RegTP-5R.pem b/src/lib/libssl/src/certs/RegTP-5R.pem
new file mode 100644
index 0000000000..9eb79aa17c
--- /dev/null
+++ b/src/lib/libssl/src/certs/RegTP-5R.pem
@@ -0,0 +1,19 @@
+issuer= CN=5R-CA 1:PN+0.2.262.1.10.7.20=#130131,O=Regulierungsbeh\C3\88orde f\C3\88ur Telekommunikation und Post,C=DE
+notBefore=Mar 22 08:55:51 2000 GMT
+notAfter=Mar 22 08:55:51 2005 GMT
+subject= CN=5R-CA 1:PN+0.2.262.1.10.7.20=#130131,O=Regulierungsbeh\C3\88orde f\C3\88ur Telekommunikation und Post,C=DE
+-----BEGIN CERTIFICATE-----
+MIICaDCCAdSgAwIBAgIDDIOqMAoGBiskAwMBAgUAMG8xCzAJBgNVBAYTAkRFMT0w
+OwYDVQQKFDRSZWd1bGllcnVuZ3NiZWjIb3JkZSBmyHVyIFRlbGVrb21tdW5pa2F0
+aW9uIHVuZCBQb3N0MSEwDAYHAoIGAQoHFBMBMTARBgNVBAMUCjVSLUNBIDE6UE4w
+IhgPMjAwMDAzMjIwODU1NTFaGA8yMDA1MDMyMjA4NTU1MVowbzELMAkGA1UEBhMC
+REUxPTA7BgNVBAoUNFJlZ3VsaWVydW5nc2JlaMhvcmRlIGbIdXIgVGVsZWtvbW11
+bmlrYXRpb24gdW5kIFBvc3QxITAMBgcCggYBCgcUEwExMBEGA1UEAxQKNVItQ0Eg
+MTpQTjCBoTANBgkqhkiG9w0BAQEFAAOBjwAwgYsCgYEAih5BUycfBpqKhU8RDsaS
+vV5AtzWeXQRColL9CH3t0DKnhjKAlJ8iccFtJNv+d3bh8bb9sh0maRSo647xP7hs
+HTjKgTE4zM5BYNfXvST79OtcMgAzrnDiGjQIIWv8xbfV1MqxxdtZJygrwzRMb9jG
+CAGoJEymoyzAMNG7tSdBWnUCBQDAAAABoxIwEDAOBgNVHQ8BAf8EBAMCAQYwCgYG
+KyQDAwECBQADgYEAOaK8ihVSBUcL2IdVBxZYYUKwMz5m7H3zqhN8W9w+iafWudH6
+b+aahkbENEwzg3C3v5g8nze7v7ssacQze657LHjP+e7ksUDIgcS4R1pU2eN16bjS
+P/qGPF3rhrIEHoK5nJULkjkZYTtNiOvmQ/+G70TXDi3Os/TwLlWRvu+7YLM=
+-----END CERTIFICATE-----
diff --git a/src/lib/libssl/src/certs/RegTP-6R.pem b/src/lib/libssl/src/certs/RegTP-6R.pem
new file mode 100644
index 0000000000..4d79c74e5a
--- /dev/null
+++ b/src/lib/libssl/src/certs/RegTP-6R.pem
@@ -0,0 +1,19 @@
+issuer= CN=6R-Ca 1:PN+0.2.262.1.10.7.20=#130131,O=Regulierungsbeh\C3\88orde f\C3\88ur Telekommunikation und Post,C=DE
+notBefore=Feb  1 09:52:17 2001 GMT
+notAfter=Jun  1 09:52:17 2005 GMT
+subject= CN=6R-Ca 1:PN+0.2.262.1.10.7.20=#130131,O=Regulierungsbeh\C3\88orde f\C3\88ur Telekommunikation und Post,C=DE
+-----BEGIN CERTIFICATE-----
+MIICaDCCAdSgAwIBAgIDMtGNMAoGBiskAwMBAgUAMG8xCzAJBgNVBAYTAkRFMT0w
+OwYDVQQKFDRSZWd1bGllcnVuZ3NiZWjIb3JkZSBmyHVyIFRlbGVrb21tdW5pa2F0
+aW9uIHVuZCBQb3N0MSEwDAYHAoIGAQoHFBMBMTARBgNVBAMUCjZSLUNhIDE6UE4w
+IhgPMjAwMTAyMDEwOTUyMTdaGA8yMDA1MDYwMTA5NTIxN1owbzELMAkGA1UEBhMC
+REUxPTA7BgNVBAoUNFJlZ3VsaWVydW5nc2JlaMhvcmRlIGbIdXIgVGVsZWtvbW11
+bmlrYXRpb24gdW5kIFBvc3QxITAMBgcCggYBCgcUEwExMBEGA1UEAxQKNlItQ2Eg
+MTpQTjCBoTANBgkqhkiG9w0BAQEFAAOBjwAwgYsCgYEAg6KrFSTNXKqe+2GKGeW2
+wTmbVeflNkp5H/YxA9K1zmEn5XjKm0S0jH4Wfms6ipPlURVaFwTfnB1s++AnJAWf
+mayaE9BP/pdIY6WtZGgW6aZc32VDMCMKPWyBNyagsJVDmzlakIA5cXBVa7Xqqd3P
+ew8i2feMnQXcqHfDv02CW88CBQDAAAABoxIwEDAOBgNVHQ8BAf8EBAMCAQYwCgYG
+KyQDAwECBQADgYEAOkqkUwdaTCt8wcJLA2zLuOwL5ADHMWLhv6gr5zEF+VckA6qe
+IVLVf8e7fYlRmzQd+5OJcGglCQJLGT+ZplI3Mjnrd4plkoTNKV4iOzBcvJD7K4tn
+XPvs9wCFcC7QU7PLvc1FDsAlr7e4wyefZRDL+wbqNfI7QZTSF1ubLd9AzeQ=
+-----END CERTIFICATE-----
diff --git a/src/lib/libssl/src/certs/expired/ICE-CA.pem b/src/lib/libssl/src/certs/expired/ICE-CA.pem
new file mode 100644
index 0000000000..75652366c2
--- /dev/null
+++ b/src/lib/libssl/src/certs/expired/ICE-CA.pem
@@ -0,0 +1,59 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: O=European ICE-TEL project, OU=V3-Certification Authority
+        Validity
+            Not Before: Apr  2 17:35:53 1997 GMT
+            Not After : Apr  2 17:35:53 1998 GMT
+        Subject: O=European ICE-TEL project, OU=V3-Certification Authority, L=Darmstadt
+        Subject Public Key Info:
+            Public Key Algorithm: rsa
+            RSA Public Key: (512 bit)
+                Modulus (512 bit):
+                    00:82:75:ba:f6:d1:60:b5:f9:15:b3:6a:dd:29:8f:
+                    8b:a4:6f:1a:88:e0:50:43:40:0b:79:41:d5:d3:16:
+                    44:7d:74:65:17:42:06:52:0b:e9:50:c8:10:cd:24:
+                    e2:ae:8d:22:30:73:e6:b4:b7:93:1f:e5:6e:a2:ae:
+                    49:11:a5:c9:45
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                0.........z.."p......e..
+            X509v3 Subject Key Identifier: 
+                ..~r..:..B.44fu......3
+            X509v3 Key Usage: critical
+                ....
+            X509v3 Certificate Policies: critical
+                0.0...*...
+            X509v3 Subject Alternative Name: 
+                0!..secude-support@darmstadt.gmd.de
+            X509v3 Issuer Alternative Name: 
+                0I..ice-tel-ca@darmstadt.gmd.de.*http://www.darmstadt.gmd.de/ice-tel/euroca
+            X509v3 Basic Constraints: critical
+                0....
+            X509v3 CRL Distribution Points: 
+                0200...,.*http://www.darmstadt.gmd.de/ice-tel/euroca
+    Signature Algorithm: md5WithRSAEncryption
+        17:a2:88:b7:99:5a:05:41:e4:13:34:67:e6:1f:3e:26:ec:4b:
+        69:f9:3e:28:22:be:9d:1c:ab:41:6f:0c:00:85:fe:45:74:f6:
+        98:f0:ce:9b:65:53:4a:50:42:c7:d4:92:bd:d7:a2:a8:3d:98:
+        88:73:cd:60:28:79:a3:fc:48:7a
+-----BEGIN CERTIFICATE-----
+MIICzDCCAnagAwIBAgIBATANBgkqhkiG9w0BAQQFADBIMSEwHwYDVQQKExhFdXJv
+cGVhbiBJQ0UtVEVMIHByb2plY3QxIzAhBgNVBAsTGlYzLUNlcnRpZmljYXRpb24g
+QXV0aG9yaXR5MB4XDTk3MDQwMjE3MzU1M1oXDTk4MDQwMjE3MzU1M1owXDEhMB8G
+A1UEChMYRXVyb3BlYW4gSUNFLVRFTCBwcm9qZWN0MSMwIQYDVQQLExpWMy1DZXJ0
+aWZpY2F0aW9uIEF1dGhvcml0eTESMBAGA1UEBxMJRGFybXN0YWR0MFkwCgYEVQgB
+AQICAgADSwAwSAJBAIJ1uvbRYLX5FbNq3SmPi6RvGojgUENAC3lB1dMWRH10ZRdC
+BlIL6VDIEM0k4q6NIjBz5rS3kx/lbqKuSRGlyUUCAwEAAaOCATgwggE0MB8GA1Ud
+IwQYMBaAFIr3yNUOx3ro1yJw4AuJ1bbsZbzPMB0GA1UdDgQWBBR+cvL4OoacQog0
+NGZ1w9T80aIRMzAOBgNVHQ8BAf8EBAMCAfYwFAYDVR0gAQH/BAowCDAGBgQqAwQF
+MCoGA1UdEQQjMCGBH3NlY3VkZS1zdXBwb3J0QGRhcm1zdGFkdC5nbWQuZGUwUgYD
+VR0SBEswSYEbaWNlLXRlbC1jYUBkYXJtc3RhZHQuZ21kLmRlhipodHRwOi8vd3d3
+LmRhcm1zdGFkdC5nbWQuZGUvaWNlLXRlbC9ldXJvY2EwDwYDVR0TAQH/BAUwAwEB
+/zA7BgNVHR8ENDAyMDCgLqAshipodHRwOi8vd3d3LmRhcm1zdGFkdC5nbWQuZGUv
+aWNlLXRlbC9ldXJvY2EwDQYJKoZIhvcNAQEEBQADQQAXooi3mVoFQeQTNGfmHz4m
+7Etp+T4oIr6dHKtBbwwAhf5FdPaY8M6bZVNKUELH1JK916KoPZiIc81gKHmj/Eh6
+-----END CERTIFICATE-----
diff --git a/src/lib/libssl/src/certs/expired/ICE-root.pem b/src/lib/libssl/src/certs/expired/ICE-root.pem
new file mode 100644
index 0000000000..fa991599c9
--- /dev/null
+++ b/src/lib/libssl/src/certs/expired/ICE-root.pem
@@ -0,0 +1,48 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 0 (0x0)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: O=European ICE-TEL project, OU=V3-Certification Authority
+        Validity
+            Not Before: Apr  2 17:33:36 1997 GMT
+            Not After : Apr  2 17:33:36 1998 GMT
+        Subject: O=European ICE-TEL project, OU=V3-Certification Authority
+        Subject Public Key Info:
+            Public Key Algorithm: rsa
+            RSA Public Key: (512 bit)
+                Modulus (512 bit):
+                    00:80:3e:eb:ae:47:a9:fe:10:54:0b:81:8b:9c:2b:
+                    82:ab:3a:61:36:65:8b:f3:73:9f:ac:ac:7a:15:a7:
+                    13:8f:b4:c4:ba:a3:0f:bc:a5:58:8d:cc:b1:93:31:
+                    9e:81:9e:8c:19:61:86:fa:52:73:54:d1:97:76:22:
+                    e7:c7:9f:41:cd
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                ........z.."p......e..
+            X509v3 Key Usage: critical
+                ....
+            X509v3 Subject Alternative Name: 
+                0I.*http://www.darmstadt.gmd.de/ice-tel/euroca..ice-tel-ca@darmstadt.gmd.de
+            X509v3 Basic Constraints: critical
+                0....
+    Signature Algorithm: md5WithRSAEncryption
+        76:69:61:db:b7:cf:8b:06:9e:d8:8c:96:53:d2:4d:a8:23:a6:
+        03:44:e8:8f:24:a5:c0:84:a8:4b:77:d4:2d:2b:7d:37:91:67:
+        f2:2c:ce:02:31:4c:6b:cc:ce:f2:68:a6:11:11:ab:7d:88:b8:
+        7e:22:9f:25:06:60:bd:79:30:3d
+-----BEGIN CERTIFICATE-----
+MIICFjCCAcCgAwIBAgIBADANBgkqhkiG9w0BAQQFADBIMSEwHwYDVQQKExhFdXJv
+cGVhbiBJQ0UtVEVMIHByb2plY3QxIzAhBgNVBAsTGlYzLUNlcnRpZmljYXRpb24g
+QXV0aG9yaXR5MB4XDTk3MDQwMjE3MzMzNloXDTk4MDQwMjE3MzMzNlowSDEhMB8G
+A1UEChMYRXVyb3BlYW4gSUNFLVRFTCBwcm9qZWN0MSMwIQYDVQQLExpWMy1DZXJ0
+aWZpY2F0aW9uIEF1dGhvcml0eTBZMAoGBFUIAQECAgIAA0sAMEgCQQCAPuuuR6n+
+EFQLgYucK4KrOmE2ZYvzc5+srHoVpxOPtMS6ow+8pViNzLGTMZ6BnowZYYb6UnNU
+0Zd2IufHn0HNAgMBAAGjgZcwgZQwHQYDVR0OBBYEFIr3yNUOx3ro1yJw4AuJ1bbs
+ZbzPMA4GA1UdDwEB/wQEAwIB9jBSBgNVHREESzBJhipodHRwOi8vd3d3LmRhcm1z
+dGFkdC5nbWQuZGUvaWNlLXRlbC9ldXJvY2GBG2ljZS10ZWwtY2FAZGFybXN0YWR0
+LmdtZC5kZTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBAUAA0EAdmlh27fP
+iwae2IyWU9JNqCOmA0TojySlwISoS3fULSt9N5Fn8izOAjFMa8zO8mimERGrfYi4
+fiKfJQZgvXkwPQ==
+-----END CERTIFICATE-----
diff --git a/src/lib/libssl/src/certs/expired/ICE-user.pem b/src/lib/libssl/src/certs/expired/ICE-user.pem
new file mode 100644
index 0000000000..28065fd37d
--- /dev/null
+++ b/src/lib/libssl/src/certs/expired/ICE-user.pem
@@ -0,0 +1,63 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: O=European ICE-TEL project, OU=V3-Certification Authority, L=Darmstadt
+        Validity
+            Not Before: Apr  2 17:35:59 1997 GMT
+            Not After : Apr  2 17:35:59 1998 GMT
+        Subject: O=European ICE-TEL project, OU=V3-Certification Authority, L=Darmstadt, CN=USER
+        Subject Public Key Info:
+            Public Key Algorithm: rsa
+            RSA Public Key: (512 bit)
+                Modulus (512 bit):
+                    00:a8:a8:53:63:49:1b:93:c3:c3:0b:6c:88:11:55:
+                    de:7e:6a:e2:f9:52:a0:dc:69:25:c4:c8:bf:55:e1:
+                    31:a8:ce:e4:a9:29:85:99:8a:15:9a:de:f6:2f:e1:
+                    b4:50:5f:5e:04:75:a6:f4:76:dc:3c:0e:39:dc:3a:
+                    be:3e:a4:61:8b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                0...~r..:..B.44fu......3
+            X509v3 Subject Key Identifier: 
+                ...... .*...1.*.......
+            X509v3 Key Usage: critical
+                ....
+            X509v3 Certificate Policies: critical
+                0.0...*...0.......
+            X509v3 Subject Alternative Name: 
+                0:..user@darmstadt.gmd.de.!http://www.darmstadt.gmd.de/~user
+            X509v3 Issuer Alternative Name: 
+                0....gmdca@gmd.de..http://www.gmd.de..saturn.darmstadt.gmd.de.\1!0...U.
+..European ICE-TEL project1#0!..U....V3-Certification Authority1.0...U....Darmstadt..141.12.62.26
+            X509v3 Basic Constraints: critical
+                0.
+            X509v3 CRL Distribution Points: 
+                0.0.......gmdca@gmd.de
+    Signature Algorithm: md5WithRSAEncryption
+        69:0c:e1:b7:a7:f2:d8:fb:e8:69:c0:13:cd:37:ad:21:06:22:
+        4d:e8:c6:db:f1:04:0b:b7:e0:b3:d6:0c:81:03:ce:c3:6a:3e:
+        c7:e7:24:24:a4:92:64:c2:83:83:06:42:53:0e:6f:09:1e:84:
+        9a:f7:6f:63:9b:94:99:83:d6:a4
+-----BEGIN CERTIFICATE-----
+MIIDTzCCAvmgAwIBAgIBATANBgkqhkiG9w0BAQQFADBcMSEwHwYDVQQKExhFdXJv
+cGVhbiBJQ0UtVEVMIHByb2plY3QxIzAhBgNVBAsTGlYzLUNlcnRpZmljYXRpb24g
+QXV0aG9yaXR5MRIwEAYDVQQHEwlEYXJtc3RhZHQwHhcNOTcwNDAyMTczNTU5WhcN
+OTgwNDAyMTczNTU5WjBrMSEwHwYDVQQKExhFdXJvcGVhbiBJQ0UtVEVMIHByb2pl
+Y3QxIzAhBgNVBAsTGlYzLUNlcnRpZmljYXRpb24gQXV0aG9yaXR5MRIwEAYDVQQH
+EwlEYXJtc3RhZHQxDTALBgNVBAMTBFVTRVIwWTAKBgRVCAEBAgICAANLADBIAkEA
+qKhTY0kbk8PDC2yIEVXefmri+VKg3GklxMi/VeExqM7kqSmFmYoVmt72L+G0UF9e
+BHWm9HbcPA453Dq+PqRhiwIDAQABo4IBmDCCAZQwHwYDVR0jBBgwFoAUfnLy+DqG
+nEKINDRmdcPU/NGiETMwHQYDVR0OBBYEFJfc4B8gjSoRmLUx4Sq/ucIYiMrPMA4G
+A1UdDwEB/wQEAwIB8DAcBgNVHSABAf8EEjAQMAYGBCoDBAUwBgYECQgHBjBDBgNV
+HREEPDA6gRV1c2VyQGRhcm1zdGFkdC5nbWQuZGWGIWh0dHA6Ly93d3cuZGFybXN0
+YWR0LmdtZC5kZS9+dXNlcjCBsQYDVR0SBIGpMIGmgQxnbWRjYUBnbWQuZGWGEWh0
+dHA6Ly93d3cuZ21kLmRlghdzYXR1cm4uZGFybXN0YWR0LmdtZC5kZaRcMSEwHwYD
+VQQKExhFdXJvcGVhbiBJQ0UtVEVMIHByb2plY3QxIzAhBgNVBAsTGlYzLUNlcnRp
+ZmljYXRpb24gQXV0aG9yaXR5MRIwEAYDVQQHEwlEYXJtc3RhZHSHDDE0MS4xMi42
+Mi4yNjAMBgNVHRMBAf8EAjAAMB0GA1UdHwQWMBQwEqAQoA6BDGdtZGNhQGdtZC5k
+ZTANBgkqhkiG9w0BAQQFAANBAGkM4ben8tj76GnAE803rSEGIk3oxtvxBAu34LPW
+DIEDzsNqPsfnJCSkkmTCg4MGQlMObwkehJr3b2OblJmD1qQ=
+-----END CERTIFICATE-----
diff --git a/src/lib/libssl/src/certs/expired/ICE.crl b/src/lib/libssl/src/certs/expired/ICE.crl
new file mode 100644
index 0000000000..21939e8cc4
--- /dev/null
+++ b/src/lib/libssl/src/certs/expired/ICE.crl
@@ -0,0 +1,9 @@
+-----BEGIN X509 CRL-----
+MIIBNDCBnjANBgkqhkiG9w0BAQIFADBFMSEwHwYDVQQKExhFdXJvcGVhbiBJQ0Ut
+VEVMIFByb2plY3QxIDAeBgNVBAsTF0NlcnRpZmljYXRpb24gQXV0aG9yaXR5Fw05
+NzA2MDkxNDQyNDNaFw05NzA3MDkxNDQyNDNaMCgwEgIBChcNOTcwMzAzMTQ0MjU0
+WjASAgEJFw05NjEwMDIxMjI5MjdaMA0GCSqGSIb3DQEBAgUAA4GBAH4vgWo2Tej/
+i7kbiw4Imd30If91iosjClNpBFwvwUDBclPEeMuYimHbLOk4H8Nofc0fw11+U/IO
+KSNouUDcqG7B64oY7c4SXKn+i1MWOb5OJiWeodX3TehHjBlyWzoNMWCnYA8XqFP1
+mOKp8Jla1BibEZf14+/HqCi2hnZUiEXh
+-----END X509 CRL-----
diff --git a/src/lib/libssl/src/certs/expired/rsa-ssca.pem b/src/lib/libssl/src/certs/expired/rsa-ssca.pem
new file mode 100644
index 0000000000..c9403212d1
--- /dev/null
+++ b/src/lib/libssl/src/certs/expired/rsa-ssca.pem
@@ -0,0 +1,19 @@
+subject=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
+issuer= /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
+notBefore=941109235417Z
+notAfter =991231235417Z
+-----BEGIN X509 CERTIFICATE-----
+
+MIICKTCCAZYCBQJBAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMSAw
+HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJl
+IFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NDExMDkyMzU0MTda
+Fw05OTEyMzEyMzU0MTdaMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0
+YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJlIFNlcnZlciBDZXJ0aWZp
+Y2F0aW9uIEF1dGhvcml0eTCBmzANBgkqhkiG9w0BAQEFAAOBiQAwgYUCfgCSznrB
+roM+WqqJg1esJQF2DK2ujiw3zus1eGRUA+WEQFHJv48I4oqCCNIWhjdV6bEhAq12
+aIGaBaJLyUslZiJWbIgHj/eBWW2EB2VwE3F2Ppt3TONQiVaYSLkdpykaEy5KEVmc
+HhXVSVQsczppgrGXOZxtcGdI5d0t1sgeewIDAQABMA0GCSqGSIb3DQEBAgUAA34A
+iNHReSHO4ovo+MF9NFM/YYPZtgs4F7boviGNjwC4i1N+RGceIr2XJ+CchcxK9oU7
+suK+ktPlDemvXA4MRpX/oRxePug2WHpzpgr4IhFrwwk4fia7c+8AvQKk8xQNMD9h
+cHsg/jKjn7P0Z1LctO6EjJY2IN6BCINxIYoPnqk=
+-----END X509 CERTIFICATE-----
diff --git a/src/lib/libssl/src/certs/vsignss.pem b/src/lib/libssl/src/certs/vsignss.pem
new file mode 100644
index 0000000000..5de48bfcf9
--- /dev/null
+++ b/src/lib/libssl/src/certs/vsignss.pem
@@ -0,0 +1,17 @@
+subject=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
+notBefore=Nov  9 00:00:00 1994 GMT
+notAfter=Jan  7 23:59:59 2010 GMT
+-----BEGIN CERTIFICATE-----
+MIICNDCCAaECEAKtZn5ORf5eV288mBle3cAwDQYJKoZIhvcNAQECBQAwXzELMAkG
+A1UEBhMCVVMxIDAeBgNVBAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYD
+VQQLEyVTZWN1cmUgU2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk0
+MTEwOTAwMDAwMFoXDTEwMDEwNzIzNTk1OVowXzELMAkGA1UEBhMCVVMxIDAeBgNV
+BAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYDVQQLEyVTZWN1cmUgU2Vy
+dmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGbMA0GCSqGSIb3DQEBAQUAA4GJ
+ADCBhQJ+AJLOesGugz5aqomDV6wlAXYMra6OLDfO6zV4ZFQD5YRAUcm/jwjiioII
+0haGN1XpsSECrXZogZoFokvJSyVmIlZsiAeP94FZbYQHZXATcXY+m3dM41CJVphI
+uR2nKRoTLkoRWZweFdVJVCxzOmmCsZc5nG1wZ0jl3S3WyB57AgMBAAEwDQYJKoZI
+hvcNAQECBQADfgBl3X7hsuyw4jrg7HFGmhkRuNPHoLQDQCYCPgmc4RKz0Vr2N6W3
+YQO2WxZpO8ZECAyIUwxrl0nHPjXcbLm7qt9cuzovk2C2qUtN8iD3zV9/ZHuO3ABc
+1/p3yjkWWW8O6tO1g39NTUJWdrTJXwT4OPjr0l91X817/OWOgHz8UA==
+-----END CERTIFICATE-----
diff --git a/src/lib/libssl/src/crypto/aes/README b/src/lib/libssl/src/crypto/aes/README
new file mode 100644
index 0000000000..0f9620a80e
--- /dev/null
+++ b/src/lib/libssl/src/crypto/aes/README
@@ -0,0 +1,3 @@
+This is an OpenSSL-compatible version of AES (also called Rijndael).
+aes_core.c is basically the same as rijndael-alg-fst.c but with an
+API that looks like the rest of the OpenSSL symmetric cipher suite.
diff --git a/src/lib/libssl/src/crypto/aes/aes.h b/src/lib/libssl/src/crypto/aes/aes.h
new file mode 100644
index 0000000000..e8da921ec5
--- /dev/null
+++ b/src/lib/libssl/src/crypto/aes/aes.h
@@ -0,0 +1,109 @@
+/* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#ifndef HEADER_AES_H
+#define HEADER_AES_H
+
+#ifdef OPENSSL_NO_AES
+#error AES is disabled.
+#endif
+
+static const int AES_DECRYPT = 0;
+static const int AES_ENCRYPT = 1;
+/* Because array size can't be a const in C, the following two are macros.
+   Both sizes are in bytes. */
+#define AES_MAXNR 14
+#define AES_BLOCK_SIZE 16
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/* This should be a hidden type, but EVP requires that the size be known */
+struct aes_key_st {
+    unsigned long rd_key[4 *(AES_MAXNR + 1)];
+    int rounds;
+};
+typedef struct aes_key_st AES_KEY;
+
+const char *AES_options(void);
+
+int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+        AES_KEY *key);
+int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
+        AES_KEY *key);
+
+void AES_encrypt(const unsigned char *in, unsigned char *out,
+        const AES_KEY *key);
+void AES_decrypt(const unsigned char *in, unsigned char *out,
+        const AES_KEY *key);
+
+void AES_ecb_encrypt(const unsigned char *in, unsigned char *out,
+        const AES_KEY *key, const int enc);
+void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
+        const unsigned long length, const AES_KEY *key,
+        unsigned char *ivec, const int enc);
+void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out,
+        const unsigned long length, const AES_KEY *key,
+        unsigned char *ivec, int *num, const int enc);
+void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out,
+        const unsigned long length, const AES_KEY *key,
+        unsigned char *ivec, int *num);
+void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
+        const unsigned long length, const AES_KEY *key,
+        unsigned char *counter, unsigned int *num);
+
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif /* !HEADER_AES_H */
diff --git a/src/lib/libssl/src/crypto/aes/aes_cbc.c b/src/lib/libssl/src/crypto/aes/aes_cbc.c
new file mode 100644
index 0000000000..3dfd7aba2a
--- /dev/null
+++ b/src/lib/libssl/src/crypto/aes/aes_cbc.c
@@ -0,0 +1,89 @@
+/* crypto/aes/aes_cbc.c -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#include <assert.h>
+#include <openssl/aes.h>
+#include "aes_locl.h"
+
+void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
+                     const unsigned long length, const AES_KEY *key,
+                     unsigned char *ivec, const int enc) {
+
+        int n;
+        unsigned long len = length;
+        unsigned char tmp[16];
+
+        assert(in && out && key && ivec);
+        assert(length % AES_BLOCK_SIZE == 0);
+        assert((AES_ENCRYPT == enc)||(AES_DECRYPT == enc));
+
+        if (AES_ENCRYPT == enc)
+                while (len > 0) {
+                        for(n=0; n < 16; ++n)
+                                tmp[n] = in[n] ^ ivec[n];
+                        AES_encrypt(tmp, out, key);
+                        memcpy(ivec, out, 16);
+                        len -= 16;
+                        in += 16;
+                        out += 16;
+                }
+        else
+                while (len > 0) {
+                        memcpy(tmp, in, 16);
+                        AES_decrypt(in, out, key);
+                        for(n=0; n < 16; ++n)
+                                out[n] ^= ivec[n];
+                        memcpy(ivec, tmp, 16);
+                        len -= 16;
+                        in += 16;
+                        out += 16;
+                }
+}
diff --git a/src/lib/libssl/src/crypto/aes/aes_cfb.c b/src/lib/libssl/src/crypto/aes/aes_cfb.c
new file mode 100644
index 0000000000..9b2917298a
--- /dev/null
+++ b/src/lib/libssl/src/crypto/aes/aes_cfb.c
@@ -0,0 +1,151 @@
+/* crypto/aes/aes_cfb.c -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <assert.h>
+#include <openssl/aes.h>
+#include "aes_locl.h"
+
+/* The input and output encrypted as though 128bit cfb mode is being
+ * used.  The extra state information to record how much of the
+ * 128bit block we have used is contained in *num;
+ */
+
+void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out,
+        const unsigned long length, const AES_KEY *key,
+        unsigned char *ivec, int *num, const int enc) {
+
+        unsigned int n;
+        unsigned long l = length;
+        unsigned char c;
+
+        assert(in && out && key && ivec && num);
+
+        n = *num;
+
+        if (enc) {
+                while (l--) {
+                        if (n == 0) {
+                                AES_encrypt(ivec, ivec, key);
+                        }
+                        ivec[n] = *(out++) = *(in++) ^ ivec[n];
+                        n = (n+1) % AES_BLOCK_SIZE;
+                }
+        } else {
+                while (l--) {
+                        if (n == 0) {
+                                AES_decrypt(ivec, ivec, key);
+                        }
+                        c = *(in);
+                        *(out++) = *(in++) ^ ivec[n];
+                        ivec[n] = c;
+                        n = (n+1) % AES_BLOCK_SIZE;
+                }
+        }
+
+        *num=n;
+}
+
diff --git a/src/lib/libssl/src/crypto/aes/aes_core.c b/src/lib/libssl/src/crypto/aes/aes_core.c
new file mode 100644
index 0000000000..937988dd8c
--- /dev/null
+++ b/src/lib/libssl/src/crypto/aes/aes_core.c
@@ -0,0 +1,1251 @@
+/* crypto/aes/aes_core.c -*- mode:C; c-file-style: "eay" -*- */
+/**
+ * rijndael-alg-fst.c
+ *
+ * @version 3.0 (December 2000)
+ *
+ * Optimised ANSI C code for the Rijndael cipher (now AES)
+ *
+ * @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
+ * @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
+ * @author Paulo Barreto <paulo.barreto@terra.com.br>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* Note: rewritten a little bit to provide error control and an OpenSSL-
+   compatible API */
+
+#include <assert.h>
+#include <stdlib.h>
+#include <openssl/aes.h>
+#include "aes_locl.h"
+
+/*
+Te0[x] = S [x].[02, 01, 01, 03];
+Te1[x] = S [x].[03, 02, 01, 01];
+Te2[x] = S [x].[01, 03, 02, 01];
+Te3[x] = S [x].[01, 01, 03, 02];
+Te4[x] = S [x].[01, 01, 01, 01];
+
+Td0[x] = Si[x].[0e, 09, 0d, 0b];
+Td1[x] = Si[x].[0b, 0e, 09, 0d];
+Td2[x] = Si[x].[0d, 0b, 0e, 09];
+Td3[x] = Si[x].[09, 0d, 0b, 0e];
+Td4[x] = Si[x].[01, 01, 01, 01];
+*/
+
+static const u32 Te0[256] = {
+    0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU,
+    0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U,
+    0x60303050U, 0x02010103U, 0xce6767a9U, 0x562b2b7dU,
+    0xe7fefe19U, 0xb5d7d762U, 0x4dababe6U, 0xec76769aU,
+    0x8fcaca45U, 0x1f82829dU, 0x89c9c940U, 0xfa7d7d87U,
+    0xeffafa15U, 0xb25959ebU, 0x8e4747c9U, 0xfbf0f00bU,
+    0x41adadecU, 0xb3d4d467U, 0x5fa2a2fdU, 0x45afafeaU,
+    0x239c9cbfU, 0x53a4a4f7U, 0xe4727296U, 0x9bc0c05bU,
+    0x75b7b7c2U, 0xe1fdfd1cU, 0x3d9393aeU, 0x4c26266aU,
+    0x6c36365aU, 0x7e3f3f41U, 0xf5f7f702U, 0x83cccc4fU,
+    0x6834345cU, 0x51a5a5f4U, 0xd1e5e534U, 0xf9f1f108U,
+    0xe2717193U, 0xabd8d873U, 0x62313153U, 0x2a15153fU,
+    0x0804040cU, 0x95c7c752U, 0x46232365U, 0x9dc3c35eU,
+    0x30181828U, 0x379696a1U, 0x0a05050fU, 0x2f9a9ab5U,
+    0x0e070709U, 0x24121236U, 0x1b80809bU, 0xdfe2e23dU,
+    0xcdebeb26U, 0x4e272769U, 0x7fb2b2cdU, 0xea75759fU,
+    0x1209091bU, 0x1d83839eU, 0x582c2c74U, 0x341a1a2eU,
+    0x361b1b2dU, 0xdc6e6eb2U, 0xb45a5aeeU, 0x5ba0a0fbU,
+    0xa45252f6U, 0x763b3b4dU, 0xb7d6d661U, 0x7db3b3ceU,
+    0x5229297bU, 0xdde3e33eU, 0x5e2f2f71U, 0x13848497U,
+    0xa65353f5U, 0xb9d1d168U, 0x00000000U, 0xc1eded2cU,
+    0x40202060U, 0xe3fcfc1fU, 0x79b1b1c8U, 0xb65b5bedU,
+    0xd46a6abeU, 0x8dcbcb46U, 0x67bebed9U, 0x7239394bU,
+    0x944a4adeU, 0x984c4cd4U, 0xb05858e8U, 0x85cfcf4aU,
+    0xbbd0d06bU, 0xc5efef2aU, 0x4faaaae5U, 0xedfbfb16U,
+    0x864343c5U, 0x9a4d4dd7U, 0x66333355U, 0x11858594U,
+    0x8a4545cfU, 0xe9f9f910U, 0x04020206U, 0xfe7f7f81U,
+    0xa05050f0U, 0x783c3c44U, 0x259f9fbaU, 0x4ba8a8e3U,
+    0xa25151f3U, 0x5da3a3feU, 0x804040c0U, 0x058f8f8aU,
+    0x3f9292adU, 0x219d9dbcU, 0x70383848U, 0xf1f5f504U,
+    0x63bcbcdfU, 0x77b6b6c1U, 0xafdada75U, 0x42212163U,
+    0x20101030U, 0xe5ffff1aU, 0xfdf3f30eU, 0xbfd2d26dU,
+    0x81cdcd4cU, 0x180c0c14U, 0x26131335U, 0xc3ecec2fU,
+    0xbe5f5fe1U, 0x359797a2U, 0x884444ccU, 0x2e171739U,
+    0x93c4c457U, 0x55a7a7f2U, 0xfc7e7e82U, 0x7a3d3d47U,
+    0xc86464acU, 0xba5d5de7U, 0x3219192bU, 0xe6737395U,
+    0xc06060a0U, 0x19818198U, 0x9e4f4fd1U, 0xa3dcdc7fU,
+    0x44222266U, 0x542a2a7eU, 0x3b9090abU, 0x0b888883U,
+    0x8c4646caU, 0xc7eeee29U, 0x6bb8b8d3U, 0x2814143cU,
+    0xa7dede79U, 0xbc5e5ee2U, 0x160b0b1dU, 0xaddbdb76U,
+    0xdbe0e03bU, 0x64323256U, 0x743a3a4eU, 0x140a0a1eU,
+    0x924949dbU, 0x0c06060aU, 0x4824246cU, 0xb85c5ce4U,
+    0x9fc2c25dU, 0xbdd3d36eU, 0x43acacefU, 0xc46262a6U,
+    0x399191a8U, 0x319595a4U, 0xd3e4e437U, 0xf279798bU,
+    0xd5e7e732U, 0x8bc8c843U, 0x6e373759U, 0xda6d6db7U,
+    0x018d8d8cU, 0xb1d5d564U, 0x9c4e4ed2U, 0x49a9a9e0U,
+    0xd86c6cb4U, 0xac5656faU, 0xf3f4f407U, 0xcfeaea25U,
+    0xca6565afU, 0xf47a7a8eU, 0x47aeaee9U, 0x10080818U,
+    0x6fbabad5U, 0xf0787888U, 0x4a25256fU, 0x5c2e2e72U,
+    0x381c1c24U, 0x57a6a6f1U, 0x73b4b4c7U, 0x97c6c651U,
+    0xcbe8e823U, 0xa1dddd7cU, 0xe874749cU, 0x3e1f1f21U,
+    0x964b4bddU, 0x61bdbddcU, 0x0d8b8b86U, 0x0f8a8a85U,
+    0xe0707090U, 0x7c3e3e42U, 0x71b5b5c4U, 0xcc6666aaU,
+    0x904848d8U, 0x06030305U, 0xf7f6f601U, 0x1c0e0e12U,
+    0xc26161a3U, 0x6a35355fU, 0xae5757f9U, 0x69b9b9d0U,
+    0x17868691U, 0x99c1c158U, 0x3a1d1d27U, 0x279e9eb9U,
+    0xd9e1e138U, 0xebf8f813U, 0x2b9898b3U, 0x22111133U,
+    0xd26969bbU, 0xa9d9d970U, 0x078e8e89U, 0x339494a7U,
+    0x2d9b9bb6U, 0x3c1e1e22U, 0x15878792U, 0xc9e9e920U,
+    0x87cece49U, 0xaa5555ffU, 0x50282878U, 0xa5dfdf7aU,
+    0x038c8c8fU, 0x59a1a1f8U, 0x09898980U, 0x1a0d0d17U,
+    0x65bfbfdaU, 0xd7e6e631U, 0x844242c6U, 0xd06868b8U,
+    0x824141c3U, 0x299999b0U, 0x5a2d2d77U, 0x1e0f0f11U,
+    0x7bb0b0cbU, 0xa85454fcU, 0x6dbbbbd6U, 0x2c16163aU,
+};
+static const u32 Te1[256] = {
+    0xa5c66363U, 0x84f87c7cU, 0x99ee7777U, 0x8df67b7bU,
+    0x0dfff2f2U, 0xbdd66b6bU, 0xb1de6f6fU, 0x5491c5c5U,
+    0x50603030U, 0x03020101U, 0xa9ce6767U, 0x7d562b2bU,
+    0x19e7fefeU, 0x62b5d7d7U, 0xe64dababU, 0x9aec7676U,
+    0x458fcacaU, 0x9d1f8282U, 0x4089c9c9U, 0x87fa7d7dU,
+    0x15effafaU, 0xebb25959U, 0xc98e4747U, 0x0bfbf0f0U,
+    0xec41adadU, 0x67b3d4d4U, 0xfd5fa2a2U, 0xea45afafU,
+    0xbf239c9cU, 0xf753a4a4U, 0x96e47272U, 0x5b9bc0c0U,
+    0xc275b7b7U, 0x1ce1fdfdU, 0xae3d9393U, 0x6a4c2626U,
+    0x5a6c3636U, 0x417e3f3fU, 0x02f5f7f7U, 0x4f83ccccU,
+    0x5c683434U, 0xf451a5a5U, 0x34d1e5e5U, 0x08f9f1f1U,
+    0x93e27171U, 0x73abd8d8U, 0x53623131U, 0x3f2a1515U,
+    0x0c080404U, 0x5295c7c7U, 0x65462323U, 0x5e9dc3c3U,
+    0x28301818U, 0xa1379696U, 0x0f0a0505U, 0xb52f9a9aU,
+    0x090e0707U, 0x36241212U, 0x9b1b8080U, 0x3ddfe2e2U,
+    0x26cdebebU, 0x694e2727U, 0xcd7fb2b2U, 0x9fea7575U,
+    0x1b120909U, 0x9e1d8383U, 0x74582c2cU, 0x2e341a1aU,
+    0x2d361b1bU, 0xb2dc6e6eU, 0xeeb45a5aU, 0xfb5ba0a0U,
+    0xf6a45252U, 0x4d763b3bU, 0x61b7d6d6U, 0xce7db3b3U,
+    0x7b522929U, 0x3edde3e3U, 0x715e2f2fU, 0x97138484U,
+    0xf5a65353U, 0x68b9d1d1U, 0x00000000U, 0x2cc1ededU,
+    0x60402020U, 0x1fe3fcfcU, 0xc879b1b1U, 0xedb65b5bU,
+    0xbed46a6aU, 0x468dcbcbU, 0xd967bebeU, 0x4b723939U,
+    0xde944a4aU, 0xd4984c4cU, 0xe8b05858U, 0x4a85cfcfU,
+    0x6bbbd0d0U, 0x2ac5efefU, 0xe54faaaaU, 0x16edfbfbU,
+    0xc5864343U, 0xd79a4d4dU, 0x55663333U, 0x94118585U,
+    0xcf8a4545U, 0x10e9f9f9U, 0x06040202U, 0x81fe7f7fU,
+    0xf0a05050U, 0x44783c3cU, 0xba259f9fU, 0xe34ba8a8U,
+    0xf3a25151U, 0xfe5da3a3U, 0xc0804040U, 0x8a058f8fU,
+    0xad3f9292U, 0xbc219d9dU, 0x48703838U, 0x04f1f5f5U,
+    0xdf63bcbcU, 0xc177b6b6U, 0x75afdadaU, 0x63422121U,
+    0x30201010U, 0x1ae5ffffU, 0x0efdf3f3U, 0x6dbfd2d2U,
+    0x4c81cdcdU, 0x14180c0cU, 0x35261313U, 0x2fc3ececU,
+    0xe1be5f5fU, 0xa2359797U, 0xcc884444U, 0x392e1717U,
+    0x5793c4c4U, 0xf255a7a7U, 0x82fc7e7eU, 0x477a3d3dU,
+    0xacc86464U, 0xe7ba5d5dU, 0x2b321919U, 0x95e67373U,
+    0xa0c06060U, 0x98198181U, 0xd19e4f4fU, 0x7fa3dcdcU,
+    0x66442222U, 0x7e542a2aU, 0xab3b9090U, 0x830b8888U,
+    0xca8c4646U, 0x29c7eeeeU, 0xd36bb8b8U, 0x3c281414U,
+    0x79a7dedeU, 0xe2bc5e5eU, 0x1d160b0bU, 0x76addbdbU,
+    0x3bdbe0e0U, 0x56643232U, 0x4e743a3aU, 0x1e140a0aU,
+    0xdb924949U, 0x0a0c0606U, 0x6c482424U, 0xe4b85c5cU,
+    0x5d9fc2c2U, 0x6ebdd3d3U, 0xef43acacU, 0xa6c46262U,
+    0xa8399191U, 0xa4319595U, 0x37d3e4e4U, 0x8bf27979U,
+    0x32d5e7e7U, 0x438bc8c8U, 0x596e3737U, 0xb7da6d6dU,
+    0x8c018d8dU, 0x64b1d5d5U, 0xd29c4e4eU, 0xe049a9a9U,
+    0xb4d86c6cU, 0xfaac5656U, 0x07f3f4f4U, 0x25cfeaeaU,
+    0xafca6565U, 0x8ef47a7aU, 0xe947aeaeU, 0x18100808U,
+    0xd56fbabaU, 0x88f07878U, 0x6f4a2525U, 0x725c2e2eU,
+    0x24381c1cU, 0xf157a6a6U, 0xc773b4b4U, 0x5197c6c6U,
+    0x23cbe8e8U, 0x7ca1ddddU, 0x9ce87474U, 0x213e1f1fU,
+    0xdd964b4bU, 0xdc61bdbdU, 0x860d8b8bU, 0x850f8a8aU,
+    0x90e07070U, 0x427c3e3eU, 0xc471b5b5U, 0xaacc6666U,
+    0xd8904848U, 0x05060303U, 0x01f7f6f6U, 0x121c0e0eU,
+    0xa3c26161U, 0x5f6a3535U, 0xf9ae5757U, 0xd069b9b9U,
+    0x91178686U, 0x5899c1c1U, 0x273a1d1dU, 0xb9279e9eU,
+    0x38d9e1e1U, 0x13ebf8f8U, 0xb32b9898U, 0x33221111U,
+    0xbbd26969U, 0x70a9d9d9U, 0x89078e8eU, 0xa7339494U,
+    0xb62d9b9bU, 0x223c1e1eU, 0x92158787U, 0x20c9e9e9U,
+    0x4987ceceU, 0xffaa5555U, 0x78502828U, 0x7aa5dfdfU,
+    0x8f038c8cU, 0xf859a1a1U, 0x80098989U, 0x171a0d0dU,
+    0xda65bfbfU, 0x31d7e6e6U, 0xc6844242U, 0xb8d06868U,
+    0xc3824141U, 0xb0299999U, 0x775a2d2dU, 0x111e0f0fU,
+    0xcb7bb0b0U, 0xfca85454U, 0xd66dbbbbU, 0x3a2c1616U,
+};
+static const u32 Te2[256] = {
+    0x63a5c663U, 0x7c84f87cU, 0x7799ee77U, 0x7b8df67bU,
+    0xf20dfff2U, 0x6bbdd66bU, 0x6fb1de6fU, 0xc55491c5U,
+    0x30506030U, 0x01030201U, 0x67a9ce67U, 0x2b7d562bU,
+    0xfe19e7feU, 0xd762b5d7U, 0xabe64dabU, 0x769aec76U,
+    0xca458fcaU, 0x829d1f82U, 0xc94089c9U, 0x7d87fa7dU,
+    0xfa15effaU, 0x59ebb259U, 0x47c98e47U, 0xf00bfbf0U,
+    0xadec41adU, 0xd467b3d4U, 0xa2fd5fa2U, 0xafea45afU,
+    0x9cbf239cU, 0xa4f753a4U, 0x7296e472U, 0xc05b9bc0U,
+    0xb7c275b7U, 0xfd1ce1fdU, 0x93ae3d93U, 0x266a4c26U,
+    0x365a6c36U, 0x3f417e3fU, 0xf702f5f7U, 0xcc4f83ccU,
+    0x345c6834U, 0xa5f451a5U, 0xe534d1e5U, 0xf108f9f1U,
+    0x7193e271U, 0xd873abd8U, 0x31536231U, 0x153f2a15U,
+    0x040c0804U, 0xc75295c7U, 0x23654623U, 0xc35e9dc3U,
+    0x18283018U, 0x96a13796U, 0x050f0a05U, 0x9ab52f9aU,
+    0x07090e07U, 0x12362412U, 0x809b1b80U, 0xe23ddfe2U,
+    0xeb26cdebU, 0x27694e27U, 0xb2cd7fb2U, 0x759fea75U,
+    0x091b1209U, 0x839e1d83U, 0x2c74582cU, 0x1a2e341aU,
+    0x1b2d361bU, 0x6eb2dc6eU, 0x5aeeb45aU, 0xa0fb5ba0U,
+    0x52f6a452U, 0x3b4d763bU, 0xd661b7d6U, 0xb3ce7db3U,
+    0x297b5229U, 0xe33edde3U, 0x2f715e2fU, 0x84971384U,
+    0x53f5a653U, 0xd168b9d1U, 0x00000000U, 0xed2cc1edU,
+    0x20604020U, 0xfc1fe3fcU, 0xb1c879b1U, 0x5bedb65bU,
+    0x6abed46aU, 0xcb468dcbU, 0xbed967beU, 0x394b7239U,
+    0x4ade944aU, 0x4cd4984cU, 0x58e8b058U, 0xcf4a85cfU,
+    0xd06bbbd0U, 0xef2ac5efU, 0xaae54faaU, 0xfb16edfbU,
+    0x43c58643U, 0x4dd79a4dU, 0x33556633U, 0x85941185U,
+    0x45cf8a45U, 0xf910e9f9U, 0x02060402U, 0x7f81fe7fU,
+    0x50f0a050U, 0x3c44783cU, 0x9fba259fU, 0xa8e34ba8U,
+    0x51f3a251U, 0xa3fe5da3U, 0x40c08040U, 0x8f8a058fU,
+    0x92ad3f92U, 0x9dbc219dU, 0x38487038U, 0xf504f1f5U,
+    0xbcdf63bcU, 0xb6c177b6U, 0xda75afdaU, 0x21634221U,
+    0x10302010U, 0xff1ae5ffU, 0xf30efdf3U, 0xd26dbfd2U,
+    0xcd4c81cdU, 0x0c14180cU, 0x13352613U, 0xec2fc3ecU,
+    0x5fe1be5fU, 0x97a23597U, 0x44cc8844U, 0x17392e17U,
+    0xc45793c4U, 0xa7f255a7U, 0x7e82fc7eU, 0x3d477a3dU,
+    0x64acc864U, 0x5de7ba5dU, 0x192b3219U, 0x7395e673U,
+    0x60a0c060U, 0x81981981U, 0x4fd19e4fU, 0xdc7fa3dcU,
+    0x22664422U, 0x2a7e542aU, 0x90ab3b90U, 0x88830b88U,
+    0x46ca8c46U, 0xee29c7eeU, 0xb8d36bb8U, 0x143c2814U,
+    0xde79a7deU, 0x5ee2bc5eU, 0x0b1d160bU, 0xdb76addbU,
+    0xe03bdbe0U, 0x32566432U, 0x3a4e743aU, 0x0a1e140aU,
+    0x49db9249U, 0x060a0c06U, 0x246c4824U, 0x5ce4b85cU,
+    0xc25d9fc2U, 0xd36ebdd3U, 0xacef43acU, 0x62a6c462U,
+    0x91a83991U, 0x95a43195U, 0xe437d3e4U, 0x798bf279U,
+    0xe732d5e7U, 0xc8438bc8U, 0x37596e37U, 0x6db7da6dU,
+    0x8d8c018dU, 0xd564b1d5U, 0x4ed29c4eU, 0xa9e049a9U,
+    0x6cb4d86cU, 0x56faac56U, 0xf407f3f4U, 0xea25cfeaU,
+    0x65afca65U, 0x7a8ef47aU, 0xaee947aeU, 0x08181008U,
+    0xbad56fbaU, 0x7888f078U, 0x256f4a25U, 0x2e725c2eU,
+    0x1c24381cU, 0xa6f157a6U, 0xb4c773b4U, 0xc65197c6U,
+    0xe823cbe8U, 0xdd7ca1ddU, 0x749ce874U, 0x1f213e1fU,
+    0x4bdd964bU, 0xbddc61bdU, 0x8b860d8bU, 0x8a850f8aU,
+    0x7090e070U, 0x3e427c3eU, 0xb5c471b5U, 0x66aacc66U,
+    0x48d89048U, 0x03050603U, 0xf601f7f6U, 0x0e121c0eU,
+    0x61a3c261U, 0x355f6a35U, 0x57f9ae57U, 0xb9d069b9U,
+    0x86911786U, 0xc15899c1U, 0x1d273a1dU, 0x9eb9279eU,
+    0xe138d9e1U, 0xf813ebf8U, 0x98b32b98U, 0x11332211U,
+    0x69bbd269U, 0xd970a9d9U, 0x8e89078eU, 0x94a73394U,
+    0x9bb62d9bU, 0x1e223c1eU, 0x87921587U, 0xe920c9e9U,
+    0xce4987ceU, 0x55ffaa55U, 0x28785028U, 0xdf7aa5dfU,
+    0x8c8f038cU, 0xa1f859a1U, 0x89800989U, 0x0d171a0dU,
+    0xbfda65bfU, 0xe631d7e6U, 0x42c68442U, 0x68b8d068U,
+    0x41c38241U, 0x99b02999U, 0x2d775a2dU, 0x0f111e0fU,
+    0xb0cb7bb0U, 0x54fca854U, 0xbbd66dbbU, 0x163a2c16U,
+};
+static const u32 Te3[256] = {
+
+    0x6363a5c6U, 0x7c7c84f8U, 0x777799eeU, 0x7b7b8df6U,
+    0xf2f20dffU, 0x6b6bbdd6U, 0x6f6fb1deU, 0xc5c55491U,
+    0x30305060U, 0x01010302U, 0x6767a9ceU, 0x2b2b7d56U,
+    0xfefe19e7U, 0xd7d762b5U, 0xababe64dU, 0x76769aecU,
+    0xcaca458fU, 0x82829d1fU, 0xc9c94089U, 0x7d7d87faU,
+    0xfafa15efU, 0x5959ebb2U, 0x4747c98eU, 0xf0f00bfbU,
+    0xadadec41U, 0xd4d467b3U, 0xa2a2fd5fU, 0xafafea45U,
+    0x9c9cbf23U, 0xa4a4f753U, 0x727296e4U, 0xc0c05b9bU,
+    0xb7b7c275U, 0xfdfd1ce1U, 0x9393ae3dU, 0x26266a4cU,
+    0x36365a6cU, 0x3f3f417eU, 0xf7f702f5U, 0xcccc4f83U,
+    0x34345c68U, 0xa5a5f451U, 0xe5e534d1U, 0xf1f108f9U,
+    0x717193e2U, 0xd8d873abU, 0x31315362U, 0x15153f2aU,
+    0x04040c08U, 0xc7c75295U, 0x23236546U, 0xc3c35e9dU,
+    0x18182830U, 0x9696a137U, 0x05050f0aU, 0x9a9ab52fU,
+    0x0707090eU, 0x12123624U, 0x80809b1bU, 0xe2e23ddfU,
+    0xebeb26cdU, 0x2727694eU, 0xb2b2cd7fU, 0x75759feaU,
+    0x09091b12U, 0x83839e1dU, 0x2c2c7458U, 0x1a1a2e34U,
+    0x1b1b2d36U, 0x6e6eb2dcU, 0x5a5aeeb4U, 0xa0a0fb5bU,
+    0x5252f6a4U, 0x3b3b4d76U, 0xd6d661b7U, 0xb3b3ce7dU,
+    0x29297b52U, 0xe3e33eddU, 0x2f2f715eU, 0x84849713U,
+    0x5353f5a6U, 0xd1d168b9U, 0x00000000U, 0xeded2cc1U,
+    0x20206040U, 0xfcfc1fe3U, 0xb1b1c879U, 0x5b5bedb6U,
+    0x6a6abed4U, 0xcbcb468dU, 0xbebed967U, 0x39394b72U,
+    0x4a4ade94U, 0x4c4cd498U, 0x5858e8b0U, 0xcfcf4a85U,
+    0xd0d06bbbU, 0xefef2ac5U, 0xaaaae54fU, 0xfbfb16edU,
+    0x4343c586U, 0x4d4dd79aU, 0x33335566U, 0x85859411U,
+    0x4545cf8aU, 0xf9f910e9U, 0x02020604U, 0x7f7f81feU,
+    0x5050f0a0U, 0x3c3c4478U, 0x9f9fba25U, 0xa8a8e34bU,
+    0x5151f3a2U, 0xa3a3fe5dU, 0x4040c080U, 0x8f8f8a05U,
+    0x9292ad3fU, 0x9d9dbc21U, 0x38384870U, 0xf5f504f1U,
+    0xbcbcdf63U, 0xb6b6c177U, 0xdada75afU, 0x21216342U,
+    0x10103020U, 0xffff1ae5U, 0xf3f30efdU, 0xd2d26dbfU,
+    0xcdcd4c81U, 0x0c0c1418U, 0x13133526U, 0xecec2fc3U,
+    0x5f5fe1beU, 0x9797a235U, 0x4444cc88U, 0x1717392eU,
+    0xc4c45793U, 0xa7a7f255U, 0x7e7e82fcU, 0x3d3d477aU,
+    0x6464acc8U, 0x5d5de7baU, 0x19192b32U, 0x737395e6U,
+    0x6060a0c0U, 0x81819819U, 0x4f4fd19eU, 0xdcdc7fa3U,
+    0x22226644U, 0x2a2a7e54U, 0x9090ab3bU, 0x8888830bU,
+    0x4646ca8cU, 0xeeee29c7U, 0xb8b8d36bU, 0x14143c28U,
+    0xdede79a7U, 0x5e5ee2bcU, 0x0b0b1d16U, 0xdbdb76adU,
+    0xe0e03bdbU, 0x32325664U, 0x3a3a4e74U, 0x0a0a1e14U,
+    0x4949db92U, 0x06060a0cU, 0x24246c48U, 0x5c5ce4b8U,
+    0xc2c25d9fU, 0xd3d36ebdU, 0xacacef43U, 0x6262a6c4U,
+    0x9191a839U, 0x9595a431U, 0xe4e437d3U, 0x79798bf2U,
+    0xe7e732d5U, 0xc8c8438bU, 0x3737596eU, 0x6d6db7daU,
+    0x8d8d8c01U, 0xd5d564b1U, 0x4e4ed29cU, 0xa9a9e049U,
+    0x6c6cb4d8U, 0x5656faacU, 0xf4f407f3U, 0xeaea25cfU,
+    0x6565afcaU, 0x7a7a8ef4U, 0xaeaee947U, 0x08081810U,
+    0xbabad56fU, 0x787888f0U, 0x25256f4aU, 0x2e2e725cU,
+    0x1c1c2438U, 0xa6a6f157U, 0xb4b4c773U, 0xc6c65197U,
+    0xe8e823cbU, 0xdddd7ca1U, 0x74749ce8U, 0x1f1f213eU,
+    0x4b4bdd96U, 0xbdbddc61U, 0x8b8b860dU, 0x8a8a850fU,
+    0x707090e0U, 0x3e3e427cU, 0xb5b5c471U, 0x6666aaccU,
+    0x4848d890U, 0x03030506U, 0xf6f601f7U, 0x0e0e121cU,
+    0x6161a3c2U, 0x35355f6aU, 0x5757f9aeU, 0xb9b9d069U,
+    0x86869117U, 0xc1c15899U, 0x1d1d273aU, 0x9e9eb927U,
+    0xe1e138d9U, 0xf8f813ebU, 0x9898b32bU, 0x11113322U,
+    0x6969bbd2U, 0xd9d970a9U, 0x8e8e8907U, 0x9494a733U,
+    0x9b9bb62dU, 0x1e1e223cU, 0x87879215U, 0xe9e920c9U,
+    0xcece4987U, 0x5555ffaaU, 0x28287850U, 0xdfdf7aa5U,
+    0x8c8c8f03U, 0xa1a1f859U, 0x89898009U, 0x0d0d171aU,
+    0xbfbfda65U, 0xe6e631d7U, 0x4242c684U, 0x6868b8d0U,
+    0x4141c382U, 0x9999b029U, 0x2d2d775aU, 0x0f0f111eU,
+    0xb0b0cb7bU, 0x5454fca8U, 0xbbbbd66dU, 0x16163a2cU,
+};
+static const u32 Te4[256] = {
+    0x63636363U, 0x7c7c7c7cU, 0x77777777U, 0x7b7b7b7bU,
+    0xf2f2f2f2U, 0x6b6b6b6bU, 0x6f6f6f6fU, 0xc5c5c5c5U,
+    0x30303030U, 0x01010101U, 0x67676767U, 0x2b2b2b2bU,
+    0xfefefefeU, 0xd7d7d7d7U, 0xababababU, 0x76767676U,
+    0xcacacacaU, 0x82828282U, 0xc9c9c9c9U, 0x7d7d7d7dU,
+    0xfafafafaU, 0x59595959U, 0x47474747U, 0xf0f0f0f0U,
+    0xadadadadU, 0xd4d4d4d4U, 0xa2a2a2a2U, 0xafafafafU,
+    0x9c9c9c9cU, 0xa4a4a4a4U, 0x72727272U, 0xc0c0c0c0U,
+    0xb7b7b7b7U, 0xfdfdfdfdU, 0x93939393U, 0x26262626U,
+    0x36363636U, 0x3f3f3f3fU, 0xf7f7f7f7U, 0xccccccccU,
+    0x34343434U, 0xa5a5a5a5U, 0xe5e5e5e5U, 0xf1f1f1f1U,
+    0x71717171U, 0xd8d8d8d8U, 0x31313131U, 0x15151515U,
+    0x04040404U, 0xc7c7c7c7U, 0x23232323U, 0xc3c3c3c3U,
+    0x18181818U, 0x96969696U, 0x05050505U, 0x9a9a9a9aU,
+    0x07070707U, 0x12121212U, 0x80808080U, 0xe2e2e2e2U,
+    0xebebebebU, 0x27272727U, 0xb2b2b2b2U, 0x75757575U,
+    0x09090909U, 0x83838383U, 0x2c2c2c2cU, 0x1a1a1a1aU,
+    0x1b1b1b1bU, 0x6e6e6e6eU, 0x5a5a5a5aU, 0xa0a0a0a0U,
+    0x52525252U, 0x3b3b3b3bU, 0xd6d6d6d6U, 0xb3b3b3b3U,
+    0x29292929U, 0xe3e3e3e3U, 0x2f2f2f2fU, 0x84848484U,
+    0x53535353U, 0xd1d1d1d1U, 0x00000000U, 0xededededU,
+    0x20202020U, 0xfcfcfcfcU, 0xb1b1b1b1U, 0x5b5b5b5bU,
+    0x6a6a6a6aU, 0xcbcbcbcbU, 0xbebebebeU, 0x39393939U,
+    0x4a4a4a4aU, 0x4c4c4c4cU, 0x58585858U, 0xcfcfcfcfU,
+    0xd0d0d0d0U, 0xefefefefU, 0xaaaaaaaaU, 0xfbfbfbfbU,
+    0x43434343U, 0x4d4d4d4dU, 0x33333333U, 0x85858585U,
+    0x45454545U, 0xf9f9f9f9U, 0x02020202U, 0x7f7f7f7fU,
+    0x50505050U, 0x3c3c3c3cU, 0x9f9f9f9fU, 0xa8a8a8a8U,
+    0x51515151U, 0xa3a3a3a3U, 0x40404040U, 0x8f8f8f8fU,
+    0x92929292U, 0x9d9d9d9dU, 0x38383838U, 0xf5f5f5f5U,
+    0xbcbcbcbcU, 0xb6b6b6b6U, 0xdadadadaU, 0x21212121U,
+    0x10101010U, 0xffffffffU, 0xf3f3f3f3U, 0xd2d2d2d2U,
+    0xcdcdcdcdU, 0x0c0c0c0cU, 0x13131313U, 0xececececU,
+    0x5f5f5f5fU, 0x97979797U, 0x44444444U, 0x17171717U,
+    0xc4c4c4c4U, 0xa7a7a7a7U, 0x7e7e7e7eU, 0x3d3d3d3dU,
+    0x64646464U, 0x5d5d5d5dU, 0x19191919U, 0x73737373U,
+    0x60606060U, 0x81818181U, 0x4f4f4f4fU, 0xdcdcdcdcU,
+    0x22222222U, 0x2a2a2a2aU, 0x90909090U, 0x88888888U,
+    0x46464646U, 0xeeeeeeeeU, 0xb8b8b8b8U, 0x14141414U,
+    0xdedededeU, 0x5e5e5e5eU, 0x0b0b0b0bU, 0xdbdbdbdbU,
+    0xe0e0e0e0U, 0x32323232U, 0x3a3a3a3aU, 0x0a0a0a0aU,
+    0x49494949U, 0x06060606U, 0x24242424U, 0x5c5c5c5cU,
+    0xc2c2c2c2U, 0xd3d3d3d3U, 0xacacacacU, 0x62626262U,
+    0x91919191U, 0x95959595U, 0xe4e4e4e4U, 0x79797979U,
+    0xe7e7e7e7U, 0xc8c8c8c8U, 0x37373737U, 0x6d6d6d6dU,
+    0x8d8d8d8dU, 0xd5d5d5d5U, 0x4e4e4e4eU, 0xa9a9a9a9U,
+    0x6c6c6c6cU, 0x56565656U, 0xf4f4f4f4U, 0xeaeaeaeaU,
+    0x65656565U, 0x7a7a7a7aU, 0xaeaeaeaeU, 0x08080808U,
+    0xbabababaU, 0x78787878U, 0x25252525U, 0x2e2e2e2eU,
+    0x1c1c1c1cU, 0xa6a6a6a6U, 0xb4b4b4b4U, 0xc6c6c6c6U,
+    0xe8e8e8e8U, 0xddddddddU, 0x74747474U, 0x1f1f1f1fU,
+    0x4b4b4b4bU, 0xbdbdbdbdU, 0x8b8b8b8bU, 0x8a8a8a8aU,
+    0x70707070U, 0x3e3e3e3eU, 0xb5b5b5b5U, 0x66666666U,
+    0x48484848U, 0x03030303U, 0xf6f6f6f6U, 0x0e0e0e0eU,
+    0x61616161U, 0x35353535U, 0x57575757U, 0xb9b9b9b9U,
+    0x86868686U, 0xc1c1c1c1U, 0x1d1d1d1dU, 0x9e9e9e9eU,
+    0xe1e1e1e1U, 0xf8f8f8f8U, 0x98989898U, 0x11111111U,
+    0x69696969U, 0xd9d9d9d9U, 0x8e8e8e8eU, 0x94949494U,
+    0x9b9b9b9bU, 0x1e1e1e1eU, 0x87878787U, 0xe9e9e9e9U,
+    0xcecececeU, 0x55555555U, 0x28282828U, 0xdfdfdfdfU,
+    0x8c8c8c8cU, 0xa1a1a1a1U, 0x89898989U, 0x0d0d0d0dU,
+    0xbfbfbfbfU, 0xe6e6e6e6U, 0x42424242U, 0x68686868U,
+    0x41414141U, 0x99999999U, 0x2d2d2d2dU, 0x0f0f0f0fU,
+    0xb0b0b0b0U, 0x54545454U, 0xbbbbbbbbU, 0x16161616U,
+};
+static const u32 Td0[256] = {
+    0x51f4a750U, 0x7e416553U, 0x1a17a4c3U, 0x3a275e96U,
+    0x3bab6bcbU, 0x1f9d45f1U, 0xacfa58abU, 0x4be30393U,
+    0x2030fa55U, 0xad766df6U, 0x88cc7691U, 0xf5024c25U,
+    0x4fe5d7fcU, 0xc52acbd7U, 0x26354480U, 0xb562a38fU,
+    0xdeb15a49U, 0x25ba1b67U, 0x45ea0e98U, 0x5dfec0e1U,
+    0xc32f7502U, 0x814cf012U, 0x8d4697a3U, 0x6bd3f9c6U,
+    0x038f5fe7U, 0x15929c95U, 0xbf6d7aebU, 0x955259daU,
+    0xd4be832dU, 0x587421d3U, 0x49e06929U, 0x8ec9c844U,
+    0x75c2896aU, 0xf48e7978U, 0x99583e6bU, 0x27b971ddU,
+    0xbee14fb6U, 0xf088ad17U, 0xc920ac66U, 0x7dce3ab4U,
+    0x63df4a18U, 0xe51a3182U, 0x97513360U, 0x62537f45U,
+    0xb16477e0U, 0xbb6bae84U, 0xfe81a01cU, 0xf9082b94U,
+    0x70486858U, 0x8f45fd19U, 0x94de6c87U, 0x527bf8b7U,
+    0xab73d323U, 0x724b02e2U, 0xe31f8f57U, 0x6655ab2aU,
+    0xb2eb2807U, 0x2fb5c203U, 0x86c57b9aU, 0xd33708a5U,
+    0x302887f2U, 0x23bfa5b2U, 0x02036abaU, 0xed16825cU,
+    0x8acf1c2bU, 0xa779b492U, 0xf307f2f0U, 0x4e69e2a1U,
+    0x65daf4cdU, 0x0605bed5U, 0xd134621fU, 0xc4a6fe8aU,
+    0x342e539dU, 0xa2f355a0U, 0x058ae132U, 0xa4f6eb75U,
+    0x0b83ec39U, 0x4060efaaU, 0x5e719f06U, 0xbd6e1051U,
+    0x3e218af9U, 0x96dd063dU, 0xdd3e05aeU, 0x4de6bd46U,
+    0x91548db5U, 0x71c45d05U, 0x0406d46fU, 0x605015ffU,
+    0x1998fb24U, 0xd6bde997U, 0x894043ccU, 0x67d99e77U,
+    0xb0e842bdU, 0x07898b88U, 0xe7195b38U, 0x79c8eedbU,
+    0xa17c0a47U, 0x7c420fe9U, 0xf8841ec9U, 0x00000000U,
+    0x09808683U, 0x322bed48U, 0x1e1170acU, 0x6c5a724eU,
+    0xfd0efffbU, 0x0f853856U, 0x3daed51eU, 0x362d3927U,
+    0x0a0fd964U, 0x685ca621U, 0x9b5b54d1U, 0x24362e3aU,
+    0x0c0a67b1U, 0x9357e70fU, 0xb4ee96d2U, 0x1b9b919eU,
+    0x80c0c54fU, 0x61dc20a2U, 0x5a774b69U, 0x1c121a16U,
+    0xe293ba0aU, 0xc0a02ae5U, 0x3c22e043U, 0x121b171dU,
+    0x0e090d0bU, 0xf28bc7adU, 0x2db6a8b9U, 0x141ea9c8U,
+    0x57f11985U, 0xaf75074cU, 0xee99ddbbU, 0xa37f60fdU,
+    0xf701269fU, 0x5c72f5bcU, 0x44663bc5U, 0x5bfb7e34U,
+    0x8b432976U, 0xcb23c6dcU, 0xb6edfc68U, 0xb8e4f163U,
+    0xd731dccaU, 0x42638510U, 0x13972240U, 0x84c61120U,
+    0x854a247dU, 0xd2bb3df8U, 0xaef93211U, 0xc729a16dU,
+    0x1d9e2f4bU, 0xdcb230f3U, 0x0d8652ecU, 0x77c1e3d0U,
+    0x2bb3166cU, 0xa970b999U, 0x119448faU, 0x47e96422U,
+    0xa8fc8cc4U, 0xa0f03f1aU, 0x567d2cd8U, 0x223390efU,
+    0x87494ec7U, 0xd938d1c1U, 0x8ccaa2feU, 0x98d40b36U,
+    0xa6f581cfU, 0xa57ade28U, 0xdab78e26U, 0x3fadbfa4U,
+    0x2c3a9de4U, 0x5078920dU, 0x6a5fcc9bU, 0x547e4662U,
+    0xf68d13c2U, 0x90d8b8e8U, 0x2e39f75eU, 0x82c3aff5U,
+    0x9f5d80beU, 0x69d0937cU, 0x6fd52da9U, 0xcf2512b3U,
+    0xc8ac993bU, 0x10187da7U, 0xe89c636eU, 0xdb3bbb7bU,
+    0xcd267809U, 0x6e5918f4U, 0xec9ab701U, 0x834f9aa8U,
+    0xe6956e65U, 0xaaffe67eU, 0x21bccf08U, 0xef15e8e6U,
+    0xbae79bd9U, 0x4a6f36ceU, 0xea9f09d4U, 0x29b07cd6U,
+    0x31a4b2afU, 0x2a3f2331U, 0xc6a59430U, 0x35a266c0U,
+    0x744ebc37U, 0xfc82caa6U, 0xe090d0b0U, 0x33a7d815U,
+    0xf104984aU, 0x41ecdaf7U, 0x7fcd500eU, 0x1791f62fU,
+    0x764dd68dU, 0x43efb04dU, 0xccaa4d54U, 0xe49604dfU,
+    0x9ed1b5e3U, 0x4c6a881bU, 0xc12c1fb8U, 0x4665517fU,
+    0x9d5eea04U, 0x018c355dU, 0xfa877473U, 0xfb0b412eU,
+    0xb3671d5aU, 0x92dbd252U, 0xe9105633U, 0x6dd64713U,
+    0x9ad7618cU, 0x37a10c7aU, 0x59f8148eU, 0xeb133c89U,
+    0xcea927eeU, 0xb761c935U, 0xe11ce5edU, 0x7a47b13cU,
+    0x9cd2df59U, 0x55f2733fU, 0x1814ce79U, 0x73c737bfU,
+    0x53f7cdeaU, 0x5ffdaa5bU, 0xdf3d6f14U, 0x7844db86U,
+    0xcaaff381U, 0xb968c43eU, 0x3824342cU, 0xc2a3405fU,
+    0x161dc372U, 0xbce2250cU, 0x283c498bU, 0xff0d9541U,
+    0x39a80171U, 0x080cb3deU, 0xd8b4e49cU, 0x6456c190U,
+    0x7bcb8461U, 0xd532b670U, 0x486c5c74U, 0xd0b85742U,
+};
+static const u32 Td1[256] = {
+    0x5051f4a7U, 0x537e4165U, 0xc31a17a4U, 0x963a275eU,
+    0xcb3bab6bU, 0xf11f9d45U, 0xabacfa58U, 0x934be303U,
+    0x552030faU, 0xf6ad766dU, 0x9188cc76U, 0x25f5024cU,
+    0xfc4fe5d7U, 0xd7c52acbU, 0x80263544U, 0x8fb562a3U,
+    0x49deb15aU, 0x6725ba1bU, 0x9845ea0eU, 0xe15dfec0U,
+    0x02c32f75U, 0x12814cf0U, 0xa38d4697U, 0xc66bd3f9U,
+    0xe7038f5fU, 0x9515929cU, 0xebbf6d7aU, 0xda955259U,
+    0x2dd4be83U, 0xd3587421U, 0x2949e069U, 0x448ec9c8U,
+    0x6a75c289U, 0x78f48e79U, 0x6b99583eU, 0xdd27b971U,
+    0xb6bee14fU, 0x17f088adU, 0x66c920acU, 0xb47dce3aU,
+    0x1863df4aU, 0x82e51a31U, 0x60975133U, 0x4562537fU,
+    0xe0b16477U, 0x84bb6baeU, 0x1cfe81a0U, 0x94f9082bU,
+    0x58704868U, 0x198f45fdU, 0x8794de6cU, 0xb7527bf8U,
+    0x23ab73d3U, 0xe2724b02U, 0x57e31f8fU, 0x2a6655abU,
+    0x07b2eb28U, 0x032fb5c2U, 0x9a86c57bU, 0xa5d33708U,
+    0xf2302887U, 0xb223bfa5U, 0xba02036aU, 0x5ced1682U,
+    0x2b8acf1cU, 0x92a779b4U, 0xf0f307f2U, 0xa14e69e2U,
+    0xcd65daf4U, 0xd50605beU, 0x1fd13462U, 0x8ac4a6feU,
+    0x9d342e53U, 0xa0a2f355U, 0x32058ae1U, 0x75a4f6ebU,
+    0x390b83ecU, 0xaa4060efU, 0x065e719fU, 0x51bd6e10U,
+    0xf93e218aU, 0x3d96dd06U, 0xaedd3e05U, 0x464de6bdU,
+    0xb591548dU, 0x0571c45dU, 0x6f0406d4U, 0xff605015U,
+    0x241998fbU, 0x97d6bde9U, 0xcc894043U, 0x7767d99eU,
+    0xbdb0e842U, 0x8807898bU, 0x38e7195bU, 0xdb79c8eeU,
+    0x47a17c0aU, 0xe97c420fU, 0xc9f8841eU, 0x00000000U,
+    0x83098086U, 0x48322bedU, 0xac1e1170U, 0x4e6c5a72U,
+    0xfbfd0effU, 0x560f8538U, 0x1e3daed5U, 0x27362d39U,
+    0x640a0fd9U, 0x21685ca6U, 0xd19b5b54U, 0x3a24362eU,
+    0xb10c0a67U, 0x0f9357e7U, 0xd2b4ee96U, 0x9e1b9b91U,
+    0x4f80c0c5U, 0xa261dc20U, 0x695a774bU, 0x161c121aU,
+    0x0ae293baU, 0xe5c0a02aU, 0x433c22e0U, 0x1d121b17U,
+    0x0b0e090dU, 0xadf28bc7U, 0xb92db6a8U, 0xc8141ea9U,
+    0x8557f119U, 0x4caf7507U, 0xbbee99ddU, 0xfda37f60U,
+    0x9ff70126U, 0xbc5c72f5U, 0xc544663bU, 0x345bfb7eU,
+    0x768b4329U, 0xdccb23c6U, 0x68b6edfcU, 0x63b8e4f1U,
+    0xcad731dcU, 0x10426385U, 0x40139722U, 0x2084c611U,
+    0x7d854a24U, 0xf8d2bb3dU, 0x11aef932U, 0x6dc729a1U,
+    0x4b1d9e2fU, 0xf3dcb230U, 0xec0d8652U, 0xd077c1e3U,
+    0x6c2bb316U, 0x99a970b9U, 0xfa119448U, 0x2247e964U,
+    0xc4a8fc8cU, 0x1aa0f03fU, 0xd8567d2cU, 0xef223390U,
+    0xc787494eU, 0xc1d938d1U, 0xfe8ccaa2U, 0x3698d40bU,
+    0xcfa6f581U, 0x28a57adeU, 0x26dab78eU, 0xa43fadbfU,
+    0xe42c3a9dU, 0x0d507892U, 0x9b6a5fccU, 0x62547e46U,
+    0xc2f68d13U, 0xe890d8b8U, 0x5e2e39f7U, 0xf582c3afU,
+    0xbe9f5d80U, 0x7c69d093U, 0xa96fd52dU, 0xb3cf2512U,
+    0x3bc8ac99U, 0xa710187dU, 0x6ee89c63U, 0x7bdb3bbbU,
+    0x09cd2678U, 0xf46e5918U, 0x01ec9ab7U, 0xa8834f9aU,
+    0x65e6956eU, 0x7eaaffe6U, 0x0821bccfU, 0xe6ef15e8U,
+    0xd9bae79bU, 0xce4a6f36U, 0xd4ea9f09U, 0xd629b07cU,
+    0xaf31a4b2U, 0x312a3f23U, 0x30c6a594U, 0xc035a266U,
+    0x37744ebcU, 0xa6fc82caU, 0xb0e090d0U, 0x1533a7d8U,
+    0x4af10498U, 0xf741ecdaU, 0x0e7fcd50U, 0x2f1791f6U,
+    0x8d764dd6U, 0x4d43efb0U, 0x54ccaa4dU, 0xdfe49604U,
+    0xe39ed1b5U, 0x1b4c6a88U, 0xb8c12c1fU, 0x7f466551U,
+    0x049d5eeaU, 0x5d018c35U, 0x73fa8774U, 0x2efb0b41U,
+    0x5ab3671dU, 0x5292dbd2U, 0x33e91056U, 0x136dd647U,
+    0x8c9ad761U, 0x7a37a10cU, 0x8e59f814U, 0x89eb133cU,
+    0xeecea927U, 0x35b761c9U, 0xede11ce5U, 0x3c7a47b1U,
+    0x599cd2dfU, 0x3f55f273U, 0x791814ceU, 0xbf73c737U,
+    0xea53f7cdU, 0x5b5ffdaaU, 0x14df3d6fU, 0x867844dbU,
+    0x81caaff3U, 0x3eb968c4U, 0x2c382434U, 0x5fc2a340U,
+    0x72161dc3U, 0x0cbce225U, 0x8b283c49U, 0x41ff0d95U,
+    0x7139a801U, 0xde080cb3U, 0x9cd8b4e4U, 0x906456c1U,
+    0x617bcb84U, 0x70d532b6U, 0x74486c5cU, 0x42d0b857U,
+};
+static const u32 Td2[256] = {
+    0xa75051f4U, 0x65537e41U, 0xa4c31a17U, 0x5e963a27U,
+    0x6bcb3babU, 0x45f11f9dU, 0x58abacfaU, 0x03934be3U,
+    0xfa552030U, 0x6df6ad76U, 0x769188ccU, 0x4c25f502U,
+    0xd7fc4fe5U, 0xcbd7c52aU, 0x44802635U, 0xa38fb562U,
+    0x5a49deb1U, 0x1b6725baU, 0x0e9845eaU, 0xc0e15dfeU,
+    0x7502c32fU, 0xf012814cU, 0x97a38d46U, 0xf9c66bd3U,
+    0x5fe7038fU, 0x9c951592U, 0x7aebbf6dU, 0x59da9552U,
+    0x832dd4beU, 0x21d35874U, 0x692949e0U, 0xc8448ec9U,
+    0x896a75c2U, 0x7978f48eU, 0x3e6b9958U, 0x71dd27b9U,
+    0x4fb6bee1U, 0xad17f088U, 0xac66c920U, 0x3ab47dceU,
+    0x4a1863dfU, 0x3182e51aU, 0x33609751U, 0x7f456253U,
+    0x77e0b164U, 0xae84bb6bU, 0xa01cfe81U, 0x2b94f908U,
+    0x68587048U, 0xfd198f45U, 0x6c8794deU, 0xf8b7527bU,
+    0xd323ab73U, 0x02e2724bU, 0x8f57e31fU, 0xab2a6655U,
+    0x2807b2ebU, 0xc2032fb5U, 0x7b9a86c5U, 0x08a5d337U,
+    0x87f23028U, 0xa5b223bfU, 0x6aba0203U, 0x825ced16U,
+    0x1c2b8acfU, 0xb492a779U, 0xf2f0f307U, 0xe2a14e69U,
+    0xf4cd65daU, 0xbed50605U, 0x621fd134U, 0xfe8ac4a6U,
+    0x539d342eU, 0x55a0a2f3U, 0xe132058aU, 0xeb75a4f6U,
+    0xec390b83U, 0xefaa4060U, 0x9f065e71U, 0x1051bd6eU,
+
+    0x8af93e21U, 0x063d96ddU, 0x05aedd3eU, 0xbd464de6U,
+    0x8db59154U, 0x5d0571c4U, 0xd46f0406U, 0x15ff6050U,
+    0xfb241998U, 0xe997d6bdU, 0x43cc8940U, 0x9e7767d9U,
+    0x42bdb0e8U, 0x8b880789U, 0x5b38e719U, 0xeedb79c8U,
+    0x0a47a17cU, 0x0fe97c42U, 0x1ec9f884U, 0x00000000U,
+    0x86830980U, 0xed48322bU, 0x70ac1e11U, 0x724e6c5aU,
+    0xfffbfd0eU, 0x38560f85U, 0xd51e3daeU, 0x3927362dU,
+    0xd9640a0fU, 0xa621685cU, 0x54d19b5bU, 0x2e3a2436U,
+    0x67b10c0aU, 0xe70f9357U, 0x96d2b4eeU, 0x919e1b9bU,
+    0xc54f80c0U, 0x20a261dcU, 0x4b695a77U, 0x1a161c12U,
+    0xba0ae293U, 0x2ae5c0a0U, 0xe0433c22U, 0x171d121bU,
+    0x0d0b0e09U, 0xc7adf28bU, 0xa8b92db6U, 0xa9c8141eU,
+    0x198557f1U, 0x074caf75U, 0xddbbee99U, 0x60fda37fU,
+    0x269ff701U, 0xf5bc5c72U, 0x3bc54466U, 0x7e345bfbU,
+    0x29768b43U, 0xc6dccb23U, 0xfc68b6edU, 0xf163b8e4U,
+    0xdccad731U, 0x85104263U, 0x22401397U, 0x112084c6U,
+    0x247d854aU, 0x3df8d2bbU, 0x3211aef9U, 0xa16dc729U,
+    0x2f4b1d9eU, 0x30f3dcb2U, 0x52ec0d86U, 0xe3d077c1U,
+    0x166c2bb3U, 0xb999a970U, 0x48fa1194U, 0x642247e9U,
+    0x8cc4a8fcU, 0x3f1aa0f0U, 0x2cd8567dU, 0x90ef2233U,
+    0x4ec78749U, 0xd1c1d938U, 0xa2fe8ccaU, 0x0b3698d4U,
+    0x81cfa6f5U, 0xde28a57aU, 0x8e26dab7U, 0xbfa43fadU,
+    0x9de42c3aU, 0x920d5078U, 0xcc9b6a5fU, 0x4662547eU,
+    0x13c2f68dU, 0xb8e890d8U, 0xf75e2e39U, 0xaff582c3U,
+    0x80be9f5dU, 0x937c69d0U, 0x2da96fd5U, 0x12b3cf25U,
+    0x993bc8acU, 0x7da71018U, 0x636ee89cU, 0xbb7bdb3bU,
+    0x7809cd26U, 0x18f46e59U, 0xb701ec9aU, 0x9aa8834fU,
+    0x6e65e695U, 0xe67eaaffU, 0xcf0821bcU, 0xe8e6ef15U,
+    0x9bd9bae7U, 0x36ce4a6fU, 0x09d4ea9fU, 0x7cd629b0U,
+    0xb2af31a4U, 0x23312a3fU, 0x9430c6a5U, 0x66c035a2U,
+    0xbc37744eU, 0xcaa6fc82U, 0xd0b0e090U, 0xd81533a7U,
+    0x984af104U, 0xdaf741ecU, 0x500e7fcdU, 0xf62f1791U,
+    0xd68d764dU, 0xb04d43efU, 0x4d54ccaaU, 0x04dfe496U,
+    0xb5e39ed1U, 0x881b4c6aU, 0x1fb8c12cU, 0x517f4665U,
+    0xea049d5eU, 0x355d018cU, 0x7473fa87U, 0x412efb0bU,
+    0x1d5ab367U, 0xd25292dbU, 0x5633e910U, 0x47136dd6U,
+    0x618c9ad7U, 0x0c7a37a1U, 0x148e59f8U, 0x3c89eb13U,
+    0x27eecea9U, 0xc935b761U, 0xe5ede11cU, 0xb13c7a47U,
+    0xdf599cd2U, 0x733f55f2U, 0xce791814U, 0x37bf73c7U,
+    0xcdea53f7U, 0xaa5b5ffdU, 0x6f14df3dU, 0xdb867844U,
+    0xf381caafU, 0xc43eb968U, 0x342c3824U, 0x405fc2a3U,
+    0xc372161dU, 0x250cbce2U, 0x498b283cU, 0x9541ff0dU,
+    0x017139a8U, 0xb3de080cU, 0xe49cd8b4U, 0xc1906456U,
+    0x84617bcbU, 0xb670d532U, 0x5c74486cU, 0x5742d0b8U,
+};
+static const u32 Td3[256] = {
+    0xf4a75051U, 0x4165537eU, 0x17a4c31aU, 0x275e963aU,
+    0xab6bcb3bU, 0x9d45f11fU, 0xfa58abacU, 0xe303934bU,
+    0x30fa5520U, 0x766df6adU, 0xcc769188U, 0x024c25f5U,
+    0xe5d7fc4fU, 0x2acbd7c5U, 0x35448026U, 0x62a38fb5U,
+    0xb15a49deU, 0xba1b6725U, 0xea0e9845U, 0xfec0e15dU,
+    0x2f7502c3U, 0x4cf01281U, 0x4697a38dU, 0xd3f9c66bU,
+    0x8f5fe703U, 0x929c9515U, 0x6d7aebbfU, 0x5259da95U,
+    0xbe832dd4U, 0x7421d358U, 0xe0692949U, 0xc9c8448eU,
+    0xc2896a75U, 0x8e7978f4U, 0x583e6b99U, 0xb971dd27U,
+    0xe14fb6beU, 0x88ad17f0U, 0x20ac66c9U, 0xce3ab47dU,
+    0xdf4a1863U, 0x1a3182e5U, 0x51336097U, 0x537f4562U,
+    0x6477e0b1U, 0x6bae84bbU, 0x81a01cfeU, 0x082b94f9U,
+    0x48685870U, 0x45fd198fU, 0xde6c8794U, 0x7bf8b752U,
+    0x73d323abU, 0x4b02e272U, 0x1f8f57e3U, 0x55ab2a66U,
+    0xeb2807b2U, 0xb5c2032fU, 0xc57b9a86U, 0x3708a5d3U,
+    0x2887f230U, 0xbfa5b223U, 0x036aba02U, 0x16825cedU,
+    0xcf1c2b8aU, 0x79b492a7U, 0x07f2f0f3U, 0x69e2a14eU,
+    0xdaf4cd65U, 0x05bed506U, 0x34621fd1U, 0xa6fe8ac4U,
+    0x2e539d34U, 0xf355a0a2U, 0x8ae13205U, 0xf6eb75a4U,
+    0x83ec390bU, 0x60efaa40U, 0x719f065eU, 0x6e1051bdU,
+    0x218af93eU, 0xdd063d96U, 0x3e05aeddU, 0xe6bd464dU,
+    0x548db591U, 0xc45d0571U, 0x06d46f04U, 0x5015ff60U,
+    0x98fb2419U, 0xbde997d6U, 0x4043cc89U, 0xd99e7767U,
+    0xe842bdb0U, 0x898b8807U, 0x195b38e7U, 0xc8eedb79U,
+    0x7c0a47a1U, 0x420fe97cU, 0x841ec9f8U, 0x00000000U,
+    0x80868309U, 0x2bed4832U, 0x1170ac1eU, 0x5a724e6cU,
+    0x0efffbfdU, 0x8538560fU, 0xaed51e3dU, 0x2d392736U,
+    0x0fd9640aU, 0x5ca62168U, 0x5b54d19bU, 0x362e3a24U,
+    0x0a67b10cU, 0x57e70f93U, 0xee96d2b4U, 0x9b919e1bU,
+    0xc0c54f80U, 0xdc20a261U, 0x774b695aU, 0x121a161cU,
+    0x93ba0ae2U, 0xa02ae5c0U, 0x22e0433cU, 0x1b171d12U,
+    0x090d0b0eU, 0x8bc7adf2U, 0xb6a8b92dU, 0x1ea9c814U,
+    0xf1198557U, 0x75074cafU, 0x99ddbbeeU, 0x7f60fda3U,
+    0x01269ff7U, 0x72f5bc5cU, 0x663bc544U, 0xfb7e345bU,
+    0x4329768bU, 0x23c6dccbU, 0xedfc68b6U, 0xe4f163b8U,
+    0x31dccad7U, 0x63851042U, 0x97224013U, 0xc6112084U,
+    0x4a247d85U, 0xbb3df8d2U, 0xf93211aeU, 0x29a16dc7U,
+    0x9e2f4b1dU, 0xb230f3dcU, 0x8652ec0dU, 0xc1e3d077U,
+    0xb3166c2bU, 0x70b999a9U, 0x9448fa11U, 0xe9642247U,
+    0xfc8cc4a8U, 0xf03f1aa0U, 0x7d2cd856U, 0x3390ef22U,
+    0x494ec787U, 0x38d1c1d9U, 0xcaa2fe8cU, 0xd40b3698U,
+    0xf581cfa6U, 0x7ade28a5U, 0xb78e26daU, 0xadbfa43fU,
+    0x3a9de42cU, 0x78920d50U, 0x5fcc9b6aU, 0x7e466254U,
+    0x8d13c2f6U, 0xd8b8e890U, 0x39f75e2eU, 0xc3aff582U,
+    0x5d80be9fU, 0xd0937c69U, 0xd52da96fU, 0x2512b3cfU,
+    0xac993bc8U, 0x187da710U, 0x9c636ee8U, 0x3bbb7bdbU,
+    0x267809cdU, 0x5918f46eU, 0x9ab701ecU, 0x4f9aa883U,
+    0x956e65e6U, 0xffe67eaaU, 0xbccf0821U, 0x15e8e6efU,
+    0xe79bd9baU, 0x6f36ce4aU, 0x9f09d4eaU, 0xb07cd629U,
+    0xa4b2af31U, 0x3f23312aU, 0xa59430c6U, 0xa266c035U,
+    0x4ebc3774U, 0x82caa6fcU, 0x90d0b0e0U, 0xa7d81533U,
+    0x04984af1U, 0xecdaf741U, 0xcd500e7fU, 0x91f62f17U,
+    0x4dd68d76U, 0xefb04d43U, 0xaa4d54ccU, 0x9604dfe4U,
+    0xd1b5e39eU, 0x6a881b4cU, 0x2c1fb8c1U, 0x65517f46U,
+    0x5eea049dU, 0x8c355d01U, 0x877473faU, 0x0b412efbU,
+    0x671d5ab3U, 0xdbd25292U, 0x105633e9U, 0xd647136dU,
+    0xd7618c9aU, 0xa10c7a37U, 0xf8148e59U, 0x133c89ebU,
+    0xa927eeceU, 0x61c935b7U, 0x1ce5ede1U, 0x47b13c7aU,
+    0xd2df599cU, 0xf2733f55U, 0x14ce7918U, 0xc737bf73U,
+    0xf7cdea53U, 0xfdaa5b5fU, 0x3d6f14dfU, 0x44db8678U,
+    0xaff381caU, 0x68c43eb9U, 0x24342c38U, 0xa3405fc2U,
+    0x1dc37216U, 0xe2250cbcU, 0x3c498b28U, 0x0d9541ffU,
+    0xa8017139U, 0x0cb3de08U, 0xb4e49cd8U, 0x56c19064U,
+    0xcb84617bU, 0x32b670d5U, 0x6c5c7448U, 0xb85742d0U,
+};
+static const u32 Td4[256] = {
+    0x52525252U, 0x09090909U, 0x6a6a6a6aU, 0xd5d5d5d5U,
+    0x30303030U, 0x36363636U, 0xa5a5a5a5U, 0x38383838U,
+    0xbfbfbfbfU, 0x40404040U, 0xa3a3a3a3U, 0x9e9e9e9eU,
+    0x81818181U, 0xf3f3f3f3U, 0xd7d7d7d7U, 0xfbfbfbfbU,
+    0x7c7c7c7cU, 0xe3e3e3e3U, 0x39393939U, 0x82828282U,
+    0x9b9b9b9bU, 0x2f2f2f2fU, 0xffffffffU, 0x87878787U,
+    0x34343434U, 0x8e8e8e8eU, 0x43434343U, 0x44444444U,
+    0xc4c4c4c4U, 0xdedededeU, 0xe9e9e9e9U, 0xcbcbcbcbU,
+    0x54545454U, 0x7b7b7b7bU, 0x94949494U, 0x32323232U,
+    0xa6a6a6a6U, 0xc2c2c2c2U, 0x23232323U, 0x3d3d3d3dU,
+    0xeeeeeeeeU, 0x4c4c4c4cU, 0x95959595U, 0x0b0b0b0bU,
+    0x42424242U, 0xfafafafaU, 0xc3c3c3c3U, 0x4e4e4e4eU,
+    0x08080808U, 0x2e2e2e2eU, 0xa1a1a1a1U, 0x66666666U,
+    0x28282828U, 0xd9d9d9d9U, 0x24242424U, 0xb2b2b2b2U,
+    0x76767676U, 0x5b5b5b5bU, 0xa2a2a2a2U, 0x49494949U,
+    0x6d6d6d6dU, 0x8b8b8b8bU, 0xd1d1d1d1U, 0x25252525U,
+    0x72727272U, 0xf8f8f8f8U, 0xf6f6f6f6U, 0x64646464U,
+    0x86868686U, 0x68686868U, 0x98989898U, 0x16161616U,
+    0xd4d4d4d4U, 0xa4a4a4a4U, 0x5c5c5c5cU, 0xccccccccU,
+    0x5d5d5d5dU, 0x65656565U, 0xb6b6b6b6U, 0x92929292U,
+    0x6c6c6c6cU, 0x70707070U, 0x48484848U, 0x50505050U,
+    0xfdfdfdfdU, 0xededededU, 0xb9b9b9b9U, 0xdadadadaU,
+    0x5e5e5e5eU, 0x15151515U, 0x46464646U, 0x57575757U,
+    0xa7a7a7a7U, 0x8d8d8d8dU, 0x9d9d9d9dU, 0x84848484U,
+    0x90909090U, 0xd8d8d8d8U, 0xababababU, 0x00000000U,
+    0x8c8c8c8cU, 0xbcbcbcbcU, 0xd3d3d3d3U, 0x0a0a0a0aU,
+    0xf7f7f7f7U, 0xe4e4e4e4U, 0x58585858U, 0x05050505U,
+    0xb8b8b8b8U, 0xb3b3b3b3U, 0x45454545U, 0x06060606U,
+    0xd0d0d0d0U, 0x2c2c2c2cU, 0x1e1e1e1eU, 0x8f8f8f8fU,
+    0xcacacacaU, 0x3f3f3f3fU, 0x0f0f0f0fU, 0x02020202U,
+    0xc1c1c1c1U, 0xafafafafU, 0xbdbdbdbdU, 0x03030303U,
+    0x01010101U, 0x13131313U, 0x8a8a8a8aU, 0x6b6b6b6bU,
+    0x3a3a3a3aU, 0x91919191U, 0x11111111U, 0x41414141U,
+    0x4f4f4f4fU, 0x67676767U, 0xdcdcdcdcU, 0xeaeaeaeaU,
+    0x97979797U, 0xf2f2f2f2U, 0xcfcfcfcfU, 0xcecececeU,
+    0xf0f0f0f0U, 0xb4b4b4b4U, 0xe6e6e6e6U, 0x73737373U,
+    0x96969696U, 0xacacacacU, 0x74747474U, 0x22222222U,
+    0xe7e7e7e7U, 0xadadadadU, 0x35353535U, 0x85858585U,
+    0xe2e2e2e2U, 0xf9f9f9f9U, 0x37373737U, 0xe8e8e8e8U,
+    0x1c1c1c1cU, 0x75757575U, 0xdfdfdfdfU, 0x6e6e6e6eU,
+    0x47474747U, 0xf1f1f1f1U, 0x1a1a1a1aU, 0x71717171U,
+    0x1d1d1d1dU, 0x29292929U, 0xc5c5c5c5U, 0x89898989U,
+    0x6f6f6f6fU, 0xb7b7b7b7U, 0x62626262U, 0x0e0e0e0eU,
+    0xaaaaaaaaU, 0x18181818U, 0xbebebebeU, 0x1b1b1b1bU,
+    0xfcfcfcfcU, 0x56565656U, 0x3e3e3e3eU, 0x4b4b4b4bU,
+    0xc6c6c6c6U, 0xd2d2d2d2U, 0x79797979U, 0x20202020U,
+    0x9a9a9a9aU, 0xdbdbdbdbU, 0xc0c0c0c0U, 0xfefefefeU,
+    0x78787878U, 0xcdcdcdcdU, 0x5a5a5a5aU, 0xf4f4f4f4U,
+    0x1f1f1f1fU, 0xddddddddU, 0xa8a8a8a8U, 0x33333333U,
+    0x88888888U, 0x07070707U, 0xc7c7c7c7U, 0x31313131U,
+    0xb1b1b1b1U, 0x12121212U, 0x10101010U, 0x59595959U,
+    0x27272727U, 0x80808080U, 0xececececU, 0x5f5f5f5fU,
+    0x60606060U, 0x51515151U, 0x7f7f7f7fU, 0xa9a9a9a9U,
+    0x19191919U, 0xb5b5b5b5U, 0x4a4a4a4aU, 0x0d0d0d0dU,
+    0x2d2d2d2dU, 0xe5e5e5e5U, 0x7a7a7a7aU, 0x9f9f9f9fU,
+    0x93939393U, 0xc9c9c9c9U, 0x9c9c9c9cU, 0xefefefefU,
+    0xa0a0a0a0U, 0xe0e0e0e0U, 0x3b3b3b3bU, 0x4d4d4d4dU,
+    0xaeaeaeaeU, 0x2a2a2a2aU, 0xf5f5f5f5U, 0xb0b0b0b0U,
+    0xc8c8c8c8U, 0xebebebebU, 0xbbbbbbbbU, 0x3c3c3c3cU,
+    0x83838383U, 0x53535353U, 0x99999999U, 0x61616161U,
+    0x17171717U, 0x2b2b2b2bU, 0x04040404U, 0x7e7e7e7eU,
+    0xbabababaU, 0x77777777U, 0xd6d6d6d6U, 0x26262626U,
+    0xe1e1e1e1U, 0x69696969U, 0x14141414U, 0x63636363U,
+    0x55555555U, 0x21212121U, 0x0c0c0c0cU, 0x7d7d7d7dU,
+};
+static const u32 rcon[] = {
+        0x01000000, 0x02000000, 0x04000000, 0x08000000,
+        0x10000000, 0x20000000, 0x40000000, 0x80000000,
+        0x1B000000, 0x36000000, /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
+};
+
+/**
+ * Expand the cipher key into the encryption key schedule.
+ */
+int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+                        AES_KEY *key) {
+
+        u32 *rk;
+        int i = 0;
+        u32 temp;
+
+        if (!userKey || !key)
+                return -1;
+        if (bits != 128 && bits != 192 && bits != 256)
+                return -2;
+
+        rk = key->rd_key;
+
+        if (bits==128)
+                key->rounds = 10;
+        else if (bits==192)
+                key->rounds = 12;
+        else
+                key->rounds = 14;
+
+        rk[0] = GETU32(userKey     );
+        rk[1] = GETU32(userKey +  4);
+        rk[2] = GETU32(userKey +  8);
+        rk[3] = GETU32(userKey + 12);
+        if (bits == 128) {
+                for (;;) {
+                        temp  = rk[3];
+                        rk[4] = rk[0] ^
+                                (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
+                                (Te4[(temp >>  8) & 0xff] & 0x00ff0000) ^
+                                (Te4[(temp      ) & 0xff] & 0x0000ff00) ^
+                                (Te4[(temp >> 24)       ] & 0x000000ff) ^
+                                rcon[i];
+                        rk[5] = rk[1] ^ rk[4];
+                        rk[6] = rk[2] ^ rk[5];
+                        rk[7] = rk[3] ^ rk[6];
+                        if (++i == 10) {
+                                return 0;
+                        }
+                        rk += 4;
+                }
+        }
+        rk[4] = GETU32(userKey + 16);
+        rk[5] = GETU32(userKey + 20);
+        if (bits == 192) {
+                for (;;) {
+                        temp = rk[ 5];
+                        rk[ 6] = rk[ 0] ^
+                                (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
+                                (Te4[(temp >>  8) & 0xff] & 0x00ff0000) ^
+                                (Te4[(temp      ) & 0xff] & 0x0000ff00) ^
+                                (Te4[(temp >> 24)       ] & 0x000000ff) ^
+                                rcon[i];
+                        rk[ 7] = rk[ 1] ^ rk[ 6];
+                        rk[ 8] = rk[ 2] ^ rk[ 7];
+                        rk[ 9] = rk[ 3] ^ rk[ 8];
+                        if (++i == 8) {
+                                return 0;
+                        }
+                        rk[10] = rk[ 4] ^ rk[ 9];
+                        rk[11] = rk[ 5] ^ rk[10];
+                        rk += 6;
+                }
+        }
+        rk[6] = GETU32(userKey + 24);
+        rk[7] = GETU32(userKey + 28);
+        if (bits == 256) {
+                for (;;) {
+                        temp = rk[ 7];
+                        rk[ 8] = rk[ 0] ^
+                                (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
+                                (Te4[(temp >>  8) & 0xff] & 0x00ff0000) ^
+                                (Te4[(temp      ) & 0xff] & 0x0000ff00) ^
+                                (Te4[(temp >> 24)       ] & 0x000000ff) ^
+                                rcon[i];
+                        rk[ 9] = rk[ 1] ^ rk[ 8];
+                        rk[10] = rk[ 2] ^ rk[ 9];
+                        rk[11] = rk[ 3] ^ rk[10];
+                        if (++i == 7) {
+                                return 0;
+                        }
+                        temp = rk[11];
+                        rk[12] = rk[ 4] ^
+                                (Te4[(temp >> 24)       ] & 0xff000000) ^
+                                (Te4[(temp >> 16) & 0xff] & 0x00ff0000) ^
+                                (Te4[(temp >>  8) & 0xff] & 0x0000ff00) ^
+                                (Te4[(temp      ) & 0xff] & 0x000000ff);
+                        rk[13] = rk[ 5] ^ rk[12];
+                        rk[14] = rk[ 6] ^ rk[13];
+                        rk[15] = rk[ 7] ^ rk[14];
+
+                        rk += 8;
+                }
+        }
+        return 0;
+}
+
+/**
+ * Expand the cipher key into the decryption key schedule.
+ */
+int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
+                         AES_KEY *key) {
+
+        u32 *rk;
+        int i, j, status;
+        u32 temp;
+
+        /* first, start with an encryption schedule */
+        status = AES_set_encrypt_key(userKey, bits, key);
+        if (status < 0)
+                return status;
+
+        rk = key->rd_key;
+
+        /* invert the order of the round keys: */
+        for (i = 0, j = 4*(key->rounds); i < j; i += 4, j -= 4) {
+                temp = rk[i    ]; rk[i    ] = rk[j    ]; rk[j    ] = temp;
+                temp = rk[i + 1]; rk[i + 1] = rk[j + 1]; rk[j + 1] = temp;
+                temp = rk[i + 2]; rk[i + 2] = rk[j + 2]; rk[j + 2] = temp;
+                temp = rk[i + 3]; rk[i + 3] = rk[j + 3]; rk[j + 3] = temp;
+        }
+        /* apply the inverse MixColumn transform to all round keys but the first and the last: */
+        for (i = 1; i < (key->rounds); i++) {
+                rk += 4;
+                rk[0] =
+                        Td0[Te4[(rk[0] >> 24)       ] & 0xff] ^
+                        Td1[Te4[(rk[0] >> 16) & 0xff] & 0xff] ^
+                        Td2[Te4[(rk[0] >>  8) & 0xff] & 0xff] ^
+                        Td3[Te4[(rk[0]      ) & 0xff] & 0xff];
+                rk[1] =
+                        Td0[Te4[(rk[1] >> 24)       ] & 0xff] ^
+                        Td1[Te4[(rk[1] >> 16) & 0xff] & 0xff] ^
+                        Td2[Te4[(rk[1] >>  8) & 0xff] & 0xff] ^
+                        Td3[Te4[(rk[1]      ) & 0xff] & 0xff];
+                rk[2] =
+                        Td0[Te4[(rk[2] >> 24)       ] & 0xff] ^
+                        Td1[Te4[(rk[2] >> 16) & 0xff] & 0xff] ^
+                        Td2[Te4[(rk[2] >>  8) & 0xff] & 0xff] ^
+                        Td3[Te4[(rk[2]      ) & 0xff] & 0xff];
+                rk[3] =
+                        Td0[Te4[(rk[3] >> 24)       ] & 0xff] ^
+                        Td1[Te4[(rk[3] >> 16) & 0xff] & 0xff] ^
+                        Td2[Te4[(rk[3] >>  8) & 0xff] & 0xff] ^
+                        Td3[Te4[(rk[3]      ) & 0xff] & 0xff];
+        }
+        return 0;
+}
+
+/*
+ * Encrypt a single block
+ * in and out can overlap
+ */
+void AES_encrypt(const unsigned char *in, unsigned char *out,
+                 const AES_KEY *key) {
+
+        const u32 *rk;
+        u32 s0, s1, s2, s3, t0, t1, t2, t3;
+#ifndef FULL_UNROLL
+        int r;
+#endif /* ?FULL_UNROLL */
+
+        assert(in && out && key);
+        rk = key->rd_key;
+
+        /*
+         * map byte array block to cipher state
+         * and add initial round key:
+         */
+        s0 = GETU32(in     ) ^ rk[0];
+        s1 = GETU32(in +  4) ^ rk[1];
+        s2 = GETU32(in +  8) ^ rk[2];
+        s3 = GETU32(in + 12) ^ rk[3];
+#ifdef FULL_UNROLL
+        /* round 1: */
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[ 4];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[ 5];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[ 6];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[ 7];
+        /* round 2: */
+        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[ 8];
+        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[ 9];
+        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[10];
+        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[11];
+        /* round 3: */
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[12];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[13];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[14];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[15];
+        /* round 4: */
+        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[16];
+        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[17];
+        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[18];
+        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[19];
+        /* round 5: */
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[20];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[21];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[22];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[23];
+        /* round 6: */
+        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[24];
+        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[25];
+        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[26];
+        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[27];
+        /* round 7: */
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[28];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[29];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[30];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[31];
+        /* round 8: */
+        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[32];
+        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[33];
+        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[34];
+        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[35];
+        /* round 9: */
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[36];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[37];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[38];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[39];
+    if (key->rounds > 10) {
+        /* round 10: */
+        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[40];
+        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[41];
+        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[42];
+        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[43];
+        /* round 11: */
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[44];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[45];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[46];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[47];
+        if (key->rounds > 12) {
+            /* round 12: */
+            s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[48];
+            s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[49];
+            s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[50];
+            s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[51];
+            /* round 13: */
+            t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[52];
+            t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[53];
+            t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[54];
+            t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[55];
+        }
+    }
+    rk += key->rounds << 2;
+#else  /* !FULL_UNROLL */
+    /*
+     * Nr - 1 full rounds:
+     */
+    r = key->rounds >> 1;
+    for (;;) {
+        t0 =
+            Te0[(s0 >> 24)       ] ^
+            Te1[(s1 >> 16) & 0xff] ^
+            Te2[(s2 >>  8) & 0xff] ^
+            Te3[(s3      ) & 0xff] ^
+            rk[4];
+        t1 =
+            Te0[(s1 >> 24)       ] ^
+            Te1[(s2 >> 16) & 0xff] ^
+            Te2[(s3 >>  8) & 0xff] ^
+            Te3[(s0      ) & 0xff] ^
+            rk[5];
+        t2 =
+            Te0[(s2 >> 24)       ] ^
+            Te1[(s3 >> 16) & 0xff] ^
+            Te2[(s0 >>  8) & 0xff] ^
+            Te3[(s1      ) & 0xff] ^
+            rk[6];
+        t3 =
+            Te0[(s3 >> 24)       ] ^
+            Te1[(s0 >> 16) & 0xff] ^
+            Te2[(s1 >>  8) & 0xff] ^
+            Te3[(s2      ) & 0xff] ^
+            rk[7];
+
+        rk += 8;
+        if (--r == 0) {
+            break;
+        }
+
+        s0 =
+            Te0[(t0 >> 24)       ] ^
+            Te1[(t1 >> 16) & 0xff] ^
+            Te2[(t2 >>  8) & 0xff] ^
+            Te3[(t3      ) & 0xff] ^
+            rk[0];
+        s1 =
+            Te0[(t1 >> 24)       ] ^
+            Te1[(t2 >> 16) & 0xff] ^
+            Te2[(t3 >>  8) & 0xff] ^
+            Te3[(t0      ) & 0xff] ^
+            rk[1];
+        s2 =
+            Te0[(t2 >> 24)       ] ^
+            Te1[(t3 >> 16) & 0xff] ^
+            Te2[(t0 >>  8) & 0xff] ^
+            Te3[(t1      ) & 0xff] ^
+            rk[2];
+        s3 =
+            Te0[(t3 >> 24)       ] ^
+            Te1[(t0 >> 16) & 0xff] ^
+            Te2[(t1 >>  8) & 0xff] ^
+            Te3[(t2      ) & 0xff] ^
+            rk[3];
+    }
+#endif /* ?FULL_UNROLL */
+    /*
+         * apply last round and
+         * map cipher state to byte array block:
+         */
+        s0 =
+                (Te4[(t0 >> 24)       ] & 0xff000000) ^
+                (Te4[(t1 >> 16) & 0xff] & 0x00ff0000) ^
+                (Te4[(t2 >>  8) & 0xff] & 0x0000ff00) ^
+                (Te4[(t3      ) & 0xff] & 0x000000ff) ^
+                rk[0];
+        PUTU32(out     , s0);
+        s1 =
+                (Te4[(t1 >> 24)       ] & 0xff000000) ^
+                (Te4[(t2 >> 16) & 0xff] & 0x00ff0000) ^
+                (Te4[(t3 >>  8) & 0xff] & 0x0000ff00) ^
+                (Te4[(t0      ) & 0xff] & 0x000000ff) ^
+                rk[1];
+        PUTU32(out +  4, s1);
+        s2 =
+                (Te4[(t2 >> 24)       ] & 0xff000000) ^
+                (Te4[(t3 >> 16) & 0xff] & 0x00ff0000) ^
+                (Te4[(t0 >>  8) & 0xff] & 0x0000ff00) ^
+                (Te4[(t1      ) & 0xff] & 0x000000ff) ^
+                rk[2];
+        PUTU32(out +  8, s2);
+        s3 =
+                (Te4[(t3 >> 24)       ] & 0xff000000) ^
+                (Te4[(t0 >> 16) & 0xff] & 0x00ff0000) ^
+                (Te4[(t1 >>  8) & 0xff] & 0x0000ff00) ^
+                (Te4[(t2      ) & 0xff] & 0x000000ff) ^
+                rk[3];
+        PUTU32(out + 12, s3);
+}
+
+/*
+ * Decrypt a single block
+ * in and out can overlap
+ */
+void AES_decrypt(const unsigned char *in, unsigned char *out,
+                 const AES_KEY *key) {
+
+        const u32 *rk;
+        u32 s0, s1, s2, s3, t0, t1, t2, t3;
+#ifndef FULL_UNROLL
+        int r;
+#endif /* ?FULL_UNROLL */
+
+        assert(in && out && key);
+        rk = key->rd_key;
+
+        /*
+         * map byte array block to cipher state
+         * and add initial round key:
+         */
+    s0 = GETU32(in     ) ^ rk[0];
+    s1 = GETU32(in +  4) ^ rk[1];
+    s2 = GETU32(in +  8) ^ rk[2];
+    s3 = GETU32(in + 12) ^ rk[3];
+#ifdef FULL_UNROLL
+    /* round 1: */
+    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[ 4];
+    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[ 5];
+    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[ 6];
+    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[ 7];
+    /* round 2: */
+    s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[ 8];
+    s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[ 9];
+    s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[10];
+    s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[11];
+    /* round 3: */
+    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[12];
+    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[13];
+    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[14];
+    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[15];
+    /* round 4: */
+    s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[16];
+    s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[17];
+    s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[18];
+    s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[19];
+    /* round 5: */
+    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[20];
+    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[21];
+    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[22];
+    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[23];
+    /* round 6: */
+    s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[24];
+    s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[25];
+    s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[26];
+    s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[27];
+    /* round 7: */
+    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[28];
+    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[29];
+    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[30];
+    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[31];
+    /* round 8: */
+    s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[32];
+    s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[33];
+    s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[34];
+    s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[35];
+    /* round 9: */
+    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[36];
+    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[37];
+    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[38];
+    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[39];
+    if (key->rounds > 10) {
+        /* round 10: */
+        s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[40];
+        s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[41];
+        s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[42];
+        s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[43];
+        /* round 11: */
+        t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[44];
+        t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[45];
+        t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[46];
+        t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[47];
+        if (key->rounds > 12) {
+            /* round 12: */
+            s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[48];
+            s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[49];
+            s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[50];
+            s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[51];
+            /* round 13: */
+            t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[52];
+            t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[53];
+            t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[54];
+            t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[55];
+        }
+    }
+        rk += key->rounds << 2;
+#else  /* !FULL_UNROLL */
+    /*
+     * Nr - 1 full rounds:
+     */
+    r = key->rounds >> 1;
+    for (;;) {
+        t0 =
+            Td0[(s0 >> 24)       ] ^
+            Td1[(s3 >> 16) & 0xff] ^
+            Td2[(s2 >>  8) & 0xff] ^
+            Td3[(s1      ) & 0xff] ^
+            rk[4];
+        t1 =
+            Td0[(s1 >> 24)       ] ^
+            Td1[(s0 >> 16) & 0xff] ^
+            Td2[(s3 >>  8) & 0xff] ^
+            Td3[(s2      ) & 0xff] ^
+            rk[5];
+        t2 =
+            Td0[(s2 >> 24)       ] ^
+            Td1[(s1 >> 16) & 0xff] ^
+            Td2[(s0 >>  8) & 0xff] ^
+            Td3[(s3      ) & 0xff] ^
+            rk[6];
+        t3 =
+            Td0[(s3 >> 24)       ] ^
+            Td1[(s2 >> 16) & 0xff] ^
+            Td2[(s1 >>  8) & 0xff] ^
+            Td3[(s0      ) & 0xff] ^
+            rk[7];
+
+        rk += 8;
+        if (--r == 0) {
+            break;
+        }
+
+        s0 =
+            Td0[(t0 >> 24)       ] ^
+            Td1[(t3 >> 16) & 0xff] ^
+            Td2[(t2 >>  8) & 0xff] ^
+            Td3[(t1      ) & 0xff] ^
+            rk[0];
+        s1 =
+            Td0[(t1 >> 24)       ] ^
+            Td1[(t0 >> 16) & 0xff] ^
+            Td2[(t3 >>  8) & 0xff] ^
+            Td3[(t2      ) & 0xff] ^
+            rk[1];
+        s2 =
+            Td0[(t2 >> 24)       ] ^
+            Td1[(t1 >> 16) & 0xff] ^
+            Td2[(t0 >>  8) & 0xff] ^
+            Td3[(t3      ) & 0xff] ^
+            rk[2];
+        s3 =
+            Td0[(t3 >> 24)       ] ^
+            Td1[(t2 >> 16) & 0xff] ^
+            Td2[(t1 >>  8) & 0xff] ^
+            Td3[(t0      ) & 0xff] ^
+            rk[3];
+    }
+#endif /* ?FULL_UNROLL */
+    /*
+         * apply last round and
+         * map cipher state to byte array block:
+         */
+        s0 =
+                (Td4[(t0 >> 24)       ] & 0xff000000) ^
+                (Td4[(t3 >> 16) & 0xff] & 0x00ff0000) ^
+                (Td4[(t2 >>  8) & 0xff] & 0x0000ff00) ^
+                (Td4[(t1      ) & 0xff] & 0x000000ff) ^
+                rk[0];
+        PUTU32(out     , s0);
+        s1 =
+                (Td4[(t1 >> 24)       ] & 0xff000000) ^
+                (Td4[(t0 >> 16) & 0xff] & 0x00ff0000) ^
+                (Td4[(t3 >>  8) & 0xff] & 0x0000ff00) ^
+                (Td4[(t2      ) & 0xff] & 0x000000ff) ^
+                rk[1];
+        PUTU32(out +  4, s1);
+        s2 =
+                (Td4[(t2 >> 24)       ] & 0xff000000) ^
+                (Td4[(t1 >> 16) & 0xff] & 0x00ff0000) ^
+                (Td4[(t0 >>  8) & 0xff] & 0x0000ff00) ^
+                (Td4[(t3      ) & 0xff] & 0x000000ff) ^
+                rk[2];
+        PUTU32(out +  8, s2);
+        s3 =
+                (Td4[(t3 >> 24)       ] & 0xff000000) ^
+                (Td4[(t2 >> 16) & 0xff] & 0x00ff0000) ^
+                (Td4[(t1 >>  8) & 0xff] & 0x0000ff00) ^
+                (Td4[(t0      ) & 0xff] & 0x000000ff) ^
+                rk[3];
+        PUTU32(out + 12, s3);
+}
+
diff --git a/src/lib/libssl/src/crypto/aes/aes_ctr.c b/src/lib/libssl/src/crypto/aes/aes_ctr.c
new file mode 100644
index 0000000000..8e800481de
--- /dev/null
+++ b/src/lib/libssl/src/crypto/aes/aes_ctr.c
@@ -0,0 +1,117 @@
+/* crypto/aes/aes_ctr.c -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#include <assert.h>
+#include <openssl/aes.h>
+#include "aes_locl.h"
+
+/* NOTE: CTR mode is big-endian.  The rest of the AES code
+ * is endian-neutral. */
+
+/* increment counter (128-bit int) by 2^64 */
+static void AES_ctr128_inc(unsigned char *counter) {
+        unsigned long c;
+
+        /* Grab 3rd dword of counter and increment */
+#ifdef L_ENDIAN
+        c = GETU32(counter + 8);
+        c++;
+        PUTU32(counter + 8, c);
+#else
+        c = GETU32(counter + 4);
+        c++;
+        PUTU32(counter + 4, c);
+#endif
+
+        /* if no overflow, we're done */
+        if (c)
+                return;
+
+        /* Grab top dword of counter and increment */
+#ifdef L_ENDIAN
+        c = GETU32(counter + 12);
+        c++;
+        PUTU32(counter + 12, c);
+#else
+        c = GETU32(counter +  0);
+        c++;
+        PUTU32(counter +  0, c);
+#endif
+
+}
+
+/* The input encrypted as though 128bit counter mode is being
+ * used.  The extra state information to record how much of the
+ * 128bit block we have used is contained in *num;
+ */
+void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
+        const unsigned long length, const AES_KEY *key,
+        unsigned char *counter, unsigned int *num) {
+
+        unsigned int n;
+        unsigned long l=length;
+        unsigned char tmp[AES_BLOCK_SIZE];
+
+        assert(in && out && key && counter && num);
+
+        n = *num;
+
+        while (l--) {
+                if (n == 0) {
+                        AES_ctr128_inc(counter);
+                        AES_encrypt(counter, tmp, key);
+                }
+                *(out++) = *(in++) ^ tmp[n];
+                n = (n+1) % AES_BLOCK_SIZE;
+        }
+
+        *num=n;
+}
diff --git a/src/lib/libssl/src/crypto/aes/aes_ecb.c b/src/lib/libssl/src/crypto/aes/aes_ecb.c
new file mode 100644
index 0000000000..1cb2e07d3d
--- /dev/null
+++ b/src/lib/libssl/src/crypto/aes/aes_ecb.c
@@ -0,0 +1,67 @@
+/* crypto/aes/aes_ecb.c -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#include <assert.h>
+#include <openssl/aes.h>
+#include "aes_locl.h"
+
+void AES_ecb_encrypt(const unsigned char *in, unsigned char *out,
+                     const AES_KEY *key, const int enc) {
+
+        assert(in && out && key);
+        assert((AES_ENCRYPT == enc)||(AES_DECRYPT == enc));
+
+        if (AES_ENCRYPT == enc)
+                AES_encrypt(in, out, key);
+        else
+                AES_decrypt(in, out, key);
+}
+
diff --git a/src/lib/libssl/src/crypto/aes/aes_locl.h b/src/lib/libssl/src/crypto/aes/aes_locl.h
new file mode 100644
index 0000000000..541d1d6e84
--- /dev/null
+++ b/src/lib/libssl/src/crypto/aes/aes_locl.h
@@ -0,0 +1,88 @@
+/* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#ifndef HEADER_AES_LOCL_H
+#define HEADER_AES_LOCL_H
+
+#include <openssl/e_os2.h>
+
+#ifdef OPENSSL_NO_AES
+#error AES is disabled.
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#if defined(__STDC__) || defined(OPENSSL_SYS_VMS) || defined(M_XENIX) || defined(OPENSSL_SYS_MSDOS)
+#include <string.h>
+#endif
+
+#ifdef _MSC_VER
+# define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
+# define GETU32(p) SWAP(*((u32 *)(p)))
+# define PUTU32(ct, st) { *((u32 *)(ct)) = SWAP((st)); }
+#else
+# define GETU32(pt) (((u32)(pt)[0] << 24) ^ ((u32)(pt)[1] << 16) ^ ((u32)(pt)[2] <<  8) ^ ((u32)(pt)[3]))
+# define PUTU32(ct, st) { (ct)[0] = (u8)((st) >> 24); (ct)[1] = (u8)((st) >> 16); (ct)[2] = (u8)((st) >>  8); (ct)[3] = (u8)(st); }
+#endif
+
+typedef unsigned long u32;
+typedef unsigned short u16;
+typedef unsigned char u8;
+
+#define MAXKC   (256/32)
+#define MAXKB   (256/8)
+#define MAXNR   14
+
+/* This controls loop-unrolling in aes_core.c */
+#undef FULL_UNROLL
+
+#endif /* !HEADER_AES_LOCL_H */
diff --git a/src/lib/libssl/src/crypto/aes/aes_misc.c b/src/lib/libssl/src/crypto/aes/aes_misc.c
new file mode 100644
index 0000000000..090def25d5
--- /dev/null
+++ b/src/lib/libssl/src/crypto/aes/aes_misc.c
@@ -0,0 +1,64 @@
+/* crypto/aes/aes_misc.c -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#include <openssl/opensslv.h>
+#include <openssl/aes.h>
+#include "aes_locl.h"
+
+const char *AES_version="AES" OPENSSL_VERSION_PTEXT;
+
+const char *AES_options(void) {
+#ifdef FULL_UNROLL
+        return "aes(full)";
+#else   
+        return "aes(partial)";
+#endif
+}
diff --git a/src/lib/libssl/src/crypto/aes/aes_ofb.c b/src/lib/libssl/src/crypto/aes/aes_ofb.c
new file mode 100644
index 0000000000..e33bdaea28
--- /dev/null
+++ b/src/lib/libssl/src/crypto/aes/aes_ofb.c
@@ -0,0 +1,136 @@
+/* crypto/aes/aes_ofb.c -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <assert.h>
+#include <openssl/aes.h>
+#include "aes_locl.h"
+
+/* The input and output encrypted as though 128bit ofb mode is being
+ * used.  The extra state information to record how much of the
+ * 128bit block we have used is contained in *num;
+ */
+void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out,
+        const unsigned long length, const AES_KEY *key,
+        unsigned char *ivec, int *num) {
+
+        unsigned int n;
+        unsigned long l=length;
+
+        assert(in && out && key && ivec && num);
+
+        n = *num;
+
+        while (l--) {
+                if (n == 0) {
+                        AES_encrypt(ivec, ivec, key);
+                }
+                *(out++) = *(in++) ^ ivec[n];
+                n = (n+1) % AES_BLOCK_SIZE;
+        }
+
+        *num=n;
+}
diff --git a/src/lib/libssl/src/crypto/asn1/a_enum.c b/src/lib/libssl/src/crypto/asn1/a_enum.c
new file mode 100644
index 0000000000..9239ecc439
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/a_enum.c
@@ -0,0 +1,326 @@
+/* crypto/asn1/a_enum.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+
+/* 
+ * Code for ENUMERATED type: identical to INTEGER apart from a different tag.
+ * for comments on encoding see a_int.c
+ */
+
+int i2d_ASN1_ENUMERATED(ASN1_ENUMERATED *a, unsigned char **pp)
+        {
+        int pad=0,ret,r,i,t;
+        unsigned char *p,*n,pb=0;
+
+        if ((a == NULL) || (a->data == NULL)) return(0);
+        t=a->type;
+        if (a->length == 0)
+                ret=1;
+        else
+                {
+                ret=a->length;
+                i=a->data[0];
+                if ((t == V_ASN1_ENUMERATED) && (i > 127)) {
+                        pad=1;
+                        pb=0;
+                } else if(t == V_ASN1_NEG_ENUMERATED) {
+                        if(i>128) {
+                                pad=1;
+                                pb=0xFF;
+                        } else if(i == 128) {
+                                for(i = 1; i < a->length; i++) if(a->data[i]) {
+                                                pad=1;
+                                                pb=0xFF;
+                                                break;
+                                }
+                        }
+                }
+                ret+=pad;
+                }
+        r=ASN1_object_size(0,ret,V_ASN1_ENUMERATED);
+        if (pp == NULL) return(r);
+        p= *pp;
+
+        ASN1_put_object(&p,0,ret,V_ASN1_ENUMERATED,V_ASN1_UNIVERSAL);
+        if (pad) *(p++)=pb;
+        if (a->length == 0)
+                *(p++)=0;
+        else if (t == V_ASN1_ENUMERATED)
+                {
+                memcpy(p,a->data,(unsigned int)a->length);
+                p+=a->length;
+                }
+        else {
+                /* Begin at the end of the encoding */
+                n=a->data + a->length - 1;
+                p += a->length - 1;
+                i = a->length;
+                /* Copy zeros to destination as long as source is zero */
+                while(!*n) {
+                        *(p--) = 0;
+                        n--;
+                        i--;
+                }
+                /* Complement and increment next octet */
+                *(p--) = ((*(n--)) ^ 0xff) + 1;
+                i--;
+                /* Complement any octets left */
+                for(;i > 0; i--) *(p--) = *(n--) ^ 0xff;
+                p += a->length;
+        }
+
+        *pp=p;
+        return(r);
+        }
+
+ASN1_ENUMERATED *d2i_ASN1_ENUMERATED(ASN1_ENUMERATED **a, unsigned char **pp,
+             long length)
+        {
+        ASN1_ENUMERATED *ret=NULL;
+        unsigned char *p,*to,*s;
+        long len;
+        int inf,tag,xclass;
+        int i;
+
+        if ((a == NULL) || ((*a) == NULL))
+                {
+                if ((ret=ASN1_ENUMERATED_new()) == NULL) return(NULL);
+                ret->type=V_ASN1_ENUMERATED;
+                }
+        else
+                ret=(*a);
+
+        p= *pp;
+        inf=ASN1_get_object(&p,&len,&tag,&xclass,length);
+        if (inf & 0x80)
+                {
+                i=ASN1_R_BAD_OBJECT_HEADER;
+                goto err;
+                }
+
+        if (tag != V_ASN1_ENUMERATED)
+                {
+                i=ASN1_R_EXPECTING_AN_ENUMERATED;
+                goto err;
+                }
+
+        /* We must Malloc stuff, even for 0 bytes otherwise it
+         * signifies a missing NULL parameter. */
+        s=(unsigned char *)Malloc((int)len+1);
+        if (s == NULL)
+                {
+                i=ERR_R_MALLOC_FAILURE;
+                goto err;
+                }
+        to=s;
+        if (*p & 0x80) /* a negative number */
+                {
+                ret->type=V_ASN1_NEG_ENUMERATED;
+                if ((*p == 0xff) && (len != 1)) {
+                        p++;
+                        len--;
+                }
+                i = len;
+                p += i - 1;
+                to += i - 1;
+                while((!*p) && i) {
+                        *(to--) = 0;
+                        i--;
+                        p--;
+                }
+                if(!i) {
+                        *s = 1;
+                        s[len] = 0;
+                        p += len;
+                        len++;
+                } else {
+                        *(to--) = (*(p--) ^ 0xff) + 1;
+                        i--;
+                        for(;i > 0; i--) *(to--) = *(p--) ^ 0xff;
+                        p += len;
+                }
+        } else {
+                ret->type=V_ASN1_ENUMERATED;
+                if ((*p == 0) && (len != 1))
+                        {
+                        p++;
+                        len--;
+                        }
+                memcpy(s,p,(int)len);
+                p+=len;
+        }
+
+        if (ret->data != NULL) Free((char *)ret->data);
+        ret->data=s;
+        ret->length=(int)len;
+        if (a != NULL) (*a)=ret;
+        *pp=p;
+        return(ret);
+err:
+        ASN1err(ASN1_F_D2I_ASN1_ENUMERATED,i);
+        if ((ret != NULL) && ((a == NULL) || (*a != ret)))
+                ASN1_ENUMERATED_free(ret);
+        return(NULL);
+        }
+
+int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v)
+        {
+        int i,j,k;
+        unsigned char buf[sizeof(long)+1];
+        long d;
+
+        a->type=V_ASN1_ENUMERATED;
+        if (a->length < (sizeof(long)+1))
+                {
+                if (a->data != NULL)
+                        Free((char *)a->data);
+                if ((a->data=(unsigned char *)Malloc(sizeof(long)+1)) != NULL)
+                        memset((char *)a->data,0,sizeof(long)+1);
+                }
+        if (a->data == NULL)
+                {
+                ASN1err(ASN1_F_ASN1_ENUMERATED_SET,ERR_R_MALLOC_FAILURE);
+                return(0);
+                }
+        d=v;
+        if (d < 0)
+                {
+                d= -d;
+                a->type=V_ASN1_NEG_ENUMERATED;
+                }
+
+        for (i=0; i<sizeof(long); i++)
+                {
+                if (d == 0) break;
+                buf[i]=(int)d&0xff;
+                d>>=8;
+                }
+        j=0;
+        for (k=i-1; k >=0; k--)
+                a->data[j++]=buf[k];
+        a->length=j;
+        return(1);
+        }
+
+long ASN1_ENUMERATED_get(ASN1_ENUMERATED *a)
+        {
+        int neg=0,i;
+        long r=0;
+
+        if (a == NULL) return(0L);
+        i=a->type;
+        if (i == V_ASN1_NEG_ENUMERATED)
+                neg=1;
+        else if (i != V_ASN1_ENUMERATED)
+                return(0);
+        
+        if (a->length > sizeof(long))
+                {
+                /* hmm... a bit ugly */
+                return(0xffffffffL);
+                }
+        if (a->data == NULL)
+                return(0);
+
+        for (i=0; i<a->length; i++)
+                {
+                r<<=8;
+                r|=(unsigned char)a->data[i];
+                }
+        if (neg) r= -r;
+        return(r);
+        }
+
+ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
+        {
+        ASN1_ENUMERATED *ret;
+        int len,j;
+
+        if (ai == NULL)
+                ret=ASN1_ENUMERATED_new();
+        else
+                ret=ai;
+        if (ret == NULL)
+                {
+                ASN1err(ASN1_F_BN_TO_ASN1_ENUMERATED,ERR_R_NESTED_ASN1_ERROR);
+                goto err;
+                }
+        if(bn->neg) ret->type = V_ASN1_NEG_ENUMERATED;
+        else ret->type=V_ASN1_ENUMERATED;
+        j=BN_num_bits(bn);
+        len=((j == 0)?0:((j/8)+1));
+        ret->data=(unsigned char *)Malloc(len+4);
+        ret->length=BN_bn2bin(bn,ret->data);
+        return(ret);
+err:
+        if (ret != ai) ASN1_ENUMERATED_free(ret);
+        return(NULL);
+        }
+
+BIGNUM *ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai, BIGNUM *bn)
+        {
+        BIGNUM *ret;
+
+        if ((ret=BN_bin2bn(ai->data,ai->length,bn)) == NULL)
+                ASN1err(ASN1_F_ASN1_ENUMERATED_TO_BN,ASN1_R_BN_LIB);
+        if(ai->type == V_ASN1_NEG_ENUMERATED) bn->neg = 1;
+        return(ret);
+        }
diff --git a/src/lib/libssl/src/crypto/asn1/a_gentm.c b/src/lib/libssl/src/crypto/asn1/a_gentm.c
new file mode 100644
index 0000000000..226474f057
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/a_gentm.c
@@ -0,0 +1,224 @@
+/* crypto/asn1/a_gentm.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* GENERALIZEDTIME implementation, written by Steve Henson. Based on UTCTIME */
+
+#include <stdio.h>
+#include <time.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+
+int i2d_ASN1_GENERALIZEDTIME(ASN1_GENERALIZEDTIME *a, unsigned char **pp)
+        {
+#ifdef CHARSET_EBCDIC
+        /* KLUDGE! We convert to ascii before writing DER */
+        int len;
+        char tmp[24];
+        ASN1_STRING tmpstr = *(ASN1_STRING *)a;
+
+        len = tmpstr.length;
+        ebcdic2ascii(tmp, tmpstr.data, (len >= sizeof tmp) ? sizeof tmp : len);
+        tmpstr.data = tmp;
+
+        a = (ASN1_GENERALIZEDTIME *) &tmpstr;
+#endif
+        return(i2d_ASN1_bytes((ASN1_STRING *)a,pp,
+                V_ASN1_GENERALIZEDTIME,V_ASN1_UNIVERSAL));
+        }
+
+
+ASN1_GENERALIZEDTIME *d2i_ASN1_GENERALIZEDTIME(ASN1_GENERALIZEDTIME **a,
+             unsigned char **pp, long length)
+        {
+        ASN1_GENERALIZEDTIME *ret=NULL;
+
+        ret=(ASN1_GENERALIZEDTIME *)d2i_ASN1_bytes((ASN1_STRING **)a,pp,length,
+                V_ASN1_GENERALIZEDTIME,V_ASN1_UNIVERSAL);
+        if (ret == NULL)
+                {
+                ASN1err(ASN1_F_D2I_ASN1_GENERALIZEDTIME,ERR_R_NESTED_ASN1_ERROR);
+                return(NULL);
+                }
+#ifdef CHARSET_EBCDIC
+        ascii2ebcdic(ret->data, ret->data, ret->length);
+#endif
+        if (!ASN1_GENERALIZEDTIME_check(ret))
+                {
+                ASN1err(ASN1_F_D2I_ASN1_GENERALIZEDTIME,ASN1_R_INVALID_TIME_FORMAT);
+                goto err;
+                }
+
+        return(ret);
+err:
+        if ((ret != NULL) && ((a == NULL) || (*a != ret)))
+                ASN1_GENERALIZEDTIME_free(ret);
+        return(NULL);
+        }
+
+int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *d)
+        {
+        static int min[9]={ 0, 0, 1, 1, 0, 0, 0, 0, 0};
+        static int max[9]={99, 99,12,31,23,59,59,12,59};
+        char *a;
+        int n,i,l,o;
+
+        if (d->type != V_ASN1_GENERALIZEDTIME) return(0);
+        l=d->length;
+        a=(char *)d->data;
+        o=0;
+        /* GENERALIZEDTIME is similar to UTCTIME except the year is
+         * represented as YYYY. This stuff treats everything as a two digit
+         * field so make first two fields 00 to 99
+         */
+        if (l < 13) goto err;
+        for (i=0; i<7; i++)
+                {
+                if ((i == 6) && ((a[o] == 'Z') ||
+                        (a[o] == '+') || (a[o] == '-')))
+                        { i++; break; }
+                if ((a[o] < '0') || (a[o] > '9')) goto err;
+                n= a[o]-'0';
+                if (++o > l) goto err;
+
+                if ((a[o] < '0') || (a[o] > '9')) goto err;
+                n=(n*10)+ a[o]-'0';
+                if (++o > l) goto err;
+
+                if ((n < min[i]) || (n > max[i])) goto err;
+                }
+        if (a[o] == 'Z')
+                o++;
+        else if ((a[o] == '+') || (a[o] == '-'))
+                {
+                o++;
+                if (o+4 > l) goto err;
+                for (i=7; i<9; i++)
+                        {
+                        if ((a[o] < '0') || (a[o] > '9')) goto err;
+                        n= a[o]-'0';
+                        o++;
+                        if ((a[o] < '0') || (a[o] > '9')) goto err;
+                        n=(n*10)+ a[o]-'0';
+                        if ((n < min[i]) || (n > max[i])) goto err;
+                        o++;
+                        }
+                }
+        return(o == l);
+err:
+        return(0);
+        }
+
+int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, char *str)
+        {
+        ASN1_GENERALIZEDTIME t;
+
+        t.type=V_ASN1_GENERALIZEDTIME;
+        t.length=strlen(str);
+        t.data=(unsigned char *)str;
+        if (ASN1_GENERALIZEDTIME_check(&t))
+                {
+                if (s != NULL)
+                        {
+                        ASN1_STRING_set((ASN1_STRING *)s,
+                                (unsigned char *)str,t.length);
+                        }
+                return(1);
+                }
+        else
+                return(0);
+        }
+
+ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,
+             time_t t)
+        {
+        char *p;
+        struct tm *ts;
+#if defined(THREADS) && !defined(WIN32)
+        struct tm data;
+#endif
+
+        if (s == NULL)
+                s=ASN1_GENERALIZEDTIME_new();
+        if (s == NULL)
+                return(NULL);
+
+#if defined(THREADS) && !defined(WIN32)
+        gmtime_r(&t,&data); /* should return &data, but doesn't on some systems, so we don't even look at the return value */
+        ts=&data;
+#else
+        ts=gmtime(&t);
+#endif
+        p=(char *)s->data;
+        if ((p == NULL) || (s->length < 16))
+                {
+                p=Malloc(20);
+                if (p == NULL) return(NULL);
+                if (s->data != NULL)
+                        Free(s->data);
+                s->data=(unsigned char *)p;
+                }
+
+        sprintf(p,"%04d%02d%02d%02d%02d%02dZ",ts->tm_year + 1900,
+                ts->tm_mon+1,ts->tm_mday,ts->tm_hour,ts->tm_min,ts->tm_sec);
+        s->length=strlen(p);
+        s->type=V_ASN1_GENERALIZEDTIME;
+#ifdef CHARSET_EBCDIC_not
+        ebcdic2ascii(s->data, s->data, s->length);
+#endif
+        return(s);
+        }
diff --git a/src/lib/libssl/src/crypto/asn1/a_mbstr.c b/src/lib/libssl/src/crypto/asn1/a_mbstr.c
new file mode 100644
index 0000000000..7a710d5459
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/a_mbstr.c
@@ -0,0 +1,390 @@
+/* a_mbstr.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <ctype.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+
+static int traverse_string(const unsigned char *p, int len, int inform,
+                 int (*rfunc)(unsigned long value, void *in), void *arg);
+static int in_utf8(unsigned long value, void *arg);
+static int out_utf8(unsigned long value, void *arg);
+static int type_str(unsigned long value, void *arg);
+static int cpy_asc(unsigned long value, void *arg);
+static int cpy_bmp(unsigned long value, void *arg);
+static int cpy_univ(unsigned long value, void *arg);
+static int cpy_utf8(unsigned long value, void *arg);
+static int is_printable(unsigned long value);
+
+/* These functions take a string in UTF8, ASCII or multibyte form and
+ * a mask of permissible ASN1 string types. It then works out the minimal
+ * type (using the order Printable < IA5 < T61 < BMP < Universal < UTF8)
+ * and creates a string of the correct type with the supplied data.
+ * Yes this is horrible: it has to be :-(
+ * The 'ncopy' form checks minimum and maximum size limits too.
+ */
+
+int ASN1_mbstring_copy(ASN1_STRING **out, const unsigned char *in, int len,
+                                        int inform, unsigned long mask)
+{
+        return ASN1_mbstring_ncopy(out, in, len, inform, mask, 0, 0);
+}
+
+int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
+                                        int inform, unsigned long mask, 
+                                        long minsize, long maxsize)
+{
+        int str_type;
+        int ret;
+        int outform, outlen;
+        ASN1_STRING *dest;
+        unsigned char *p;
+        int nchar;
+        char strbuf[32];
+        int (*cpyfunc)(unsigned long,void *) = NULL;
+        if(len == -1) len = strlen((const char *)in);
+        if(!mask) mask = DIRSTRING_TYPE;
+
+        /* First do a string check and work out the number of characters */
+        switch(inform) {
+
+                case MBSTRING_BMP:
+                if(len & 1) {
+                        ASN1err(ASN1_F_ASN1_MBSTRING_COPY,
+                                         ASN1_R_INVALID_BMPSTRING_LENGTH);
+                        return -1;
+                }
+                nchar = len >> 1;
+                break;
+
+                case MBSTRING_UNIV:
+                if(len & 3) {
+                        ASN1err(ASN1_F_ASN1_MBSTRING_COPY,
+                                         ASN1_R_INVALID_UNIVERSALSTRING_LENGTH);
+                        return -1;
+                }
+                nchar = len >> 2;
+                break;
+
+                case MBSTRING_UTF8:
+                nchar = 0;
+                /* This counts the characters and does utf8 syntax checking */
+                ret = traverse_string(in, len, MBSTRING_UTF8, in_utf8, &nchar);
+                if(ret < 0) {
+                        ASN1err(ASN1_F_ASN1_MBSTRING_COPY,
+                                                 ASN1_R_INVALID_UTF8STRING);
+                        return -1;
+                }
+                break;
+
+                case MBSTRING_ASC:
+                nchar = len;
+                break;
+
+                default:
+                ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_UNKNOWN_FORMAT);
+                return -1;
+        }
+
+        if((minsize > 0) && (nchar < minsize)) {
+                ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_STRING_TOO_SHORT);
+                sprintf(strbuf, "%ld", minsize);
+                ERR_add_error_data(2, "minsize=", strbuf);
+                return -1;
+        }
+
+        if((maxsize > 0) && (nchar > maxsize)) {
+                ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_STRING_TOO_LONG);
+                sprintf(strbuf, "%ld", maxsize);
+                ERR_add_error_data(2, "maxsize=", strbuf);
+                return -1;
+        }
+
+        /* Now work out minimal type (if any) */
+        if(traverse_string(in, len, inform, type_str, &mask) < 0) {
+                ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_ILLEGAL_CHARACTERS);
+                return -1;
+        }
+
+
+        /* Now work out output format and string type */
+        outform = MBSTRING_ASC;
+        if(mask & B_ASN1_PRINTABLESTRING) str_type = V_ASN1_PRINTABLESTRING;
+        else if(mask & B_ASN1_IA5STRING) str_type = V_ASN1_IA5STRING;
+        else if(mask & B_ASN1_T61STRING) str_type = V_ASN1_T61STRING;
+        else if(mask & B_ASN1_BMPSTRING) {
+                str_type = V_ASN1_BMPSTRING;
+                outform = MBSTRING_BMP;
+        } else if(mask & B_ASN1_UNIVERSALSTRING) {
+                str_type = V_ASN1_UNIVERSALSTRING;
+                outform = MBSTRING_UNIV;
+        } else {
+                str_type = V_ASN1_UTF8STRING;
+                outform = MBSTRING_UTF8;
+        }
+        if(!out) return str_type;
+        if(*out) {
+                dest = *out;
+                if(dest->data) {
+                        dest->length = 0;
+                        Free(dest->data);
+                        dest->data = NULL;
+                }
+                dest->type = str_type;
+        } else {
+                dest = ASN1_STRING_type_new(str_type);
+                if(!dest) {
+                        ASN1err(ASN1_F_ASN1_MBSTRING_COPY,
+                                                        ERR_R_MALLOC_FAILURE);
+                        return -1;
+                }
+                *out = dest;
+        }
+        /* If both the same type just copy across */
+        if(inform == outform) {
+                if(!ASN1_STRING_set(dest, in, len)) {
+                        ASN1err(ASN1_F_ASN1_MBSTRING_COPY,ERR_R_MALLOC_FAILURE);
+                        return -1;
+                }
+                return str_type;
+        } 
+
+        /* Work out how much space the destination will need */
+        switch(outform) {
+                case MBSTRING_ASC:
+                outlen = nchar;
+                cpyfunc = cpy_asc;
+                break;
+
+                case MBSTRING_BMP:
+                outlen = nchar << 1;
+                cpyfunc = cpy_bmp;
+                break;
+
+                case MBSTRING_UNIV:
+                outlen = nchar << 2;
+                cpyfunc = cpy_univ;
+                break;
+
+                case MBSTRING_UTF8:
+                outlen = 0;
+                traverse_string(in, len, inform, out_utf8, &outlen);
+                cpyfunc = cpy_utf8;
+                break;
+        }
+        if(!(p = Malloc(outlen + 1))) {
+                ASN1_STRING_free(dest);
+                ASN1err(ASN1_F_ASN1_MBSTRING_COPY,ERR_R_MALLOC_FAILURE);
+                return -1;
+        }
+        dest->length = outlen;
+        dest->data = p;
+        p[outlen] = 0;
+        traverse_string(in, len, inform, cpyfunc, &p);
+        return str_type;        
+}
+
+/* This function traverses a string and passes the value of each character
+ * to an optional function along with a void * argument.
+ */
+
+static int traverse_string(const unsigned char *p, int len, int inform,
+                 int (*rfunc)(unsigned long value, void *in), void *arg)
+{
+        unsigned long value;
+        int ret;
+        while(len) {
+                if(inform == MBSTRING_ASC) {
+                        value = *p++;
+                        len--;
+                } else if(inform == MBSTRING_BMP) {
+                        value = *p++ << 8;
+                        value |= *p++;
+                        len -= 2;
+                } else if(inform == MBSTRING_UNIV) {
+                        value = *p++ << 24;
+                        value |= *p++ << 16;
+                        value |= *p++ << 8;
+                        value |= *p++;
+                        len -= 4;
+                } else {
+                        ret = UTF8_getc(p, len, &value);
+                        if(ret < 0) return -1;
+                        len -= ret;
+                        p += ret;
+                }
+                if(rfunc) {
+                        ret = rfunc(value, arg);
+                        if(ret <= 0) return ret;
+                }
+        }
+        return 1;
+}
+
+/* Various utility functions for traverse_string */
+
+/* Just count number of characters */
+
+static int in_utf8(unsigned long value, void *arg)
+{
+        int *nchar;
+        nchar = arg;
+        (*nchar)++;
+        return 1;
+}
+
+/* Determine size of output as a UTF8 String */
+
+static int out_utf8(unsigned long value, void *arg)
+{
+        long *outlen;
+        outlen = arg;
+        *outlen += UTF8_putc(NULL, -1, value);
+        return 1;
+}
+
+/* Determine the "type" of a string: check each character against a
+ * supplied "mask".
+ */
+
+static int type_str(unsigned long value, void *arg)
+{
+        unsigned long types;
+        types = *((unsigned long *)arg);
+        if((types & B_ASN1_PRINTABLESTRING) && !is_printable(value))
+                                        types &= ~B_ASN1_PRINTABLESTRING;
+        if((types & B_ASN1_IA5STRING) && (value > 127))
+                                        types &= ~B_ASN1_IA5STRING;
+        if((types & B_ASN1_T61STRING) && (value > 0xff))
+                                        types &= ~B_ASN1_T61STRING;
+        if((types & B_ASN1_BMPSTRING) && (value > 0xffff))
+                                        types &= ~B_ASN1_BMPSTRING;
+        if(!types) return -1;
+        *((unsigned long *)arg) = types;
+        return 1;
+}
+
+/* Copy one byte per character ASCII like strings */
+
+static int cpy_asc(unsigned long value, void *arg)
+{
+        unsigned char **p, *q;
+        p = arg;
+        q = *p;
+        *q = (unsigned char) value;
+        (*p)++;
+        return 1;
+}
+
+/* Copy two byte per character BMPStrings */
+
+static int cpy_bmp(unsigned long value, void *arg)
+{
+        unsigned char **p, *q;
+        p = arg;
+        q = *p;
+        *q++ = (unsigned char) ((value >> 8) & 0xff);
+        *q = (unsigned char) (value & 0xff);
+        *p += 2;
+        return 1;
+}
+
+/* Copy four byte per character UniversalStrings */
+
+static int cpy_univ(unsigned long value, void *arg)
+{
+        unsigned char **p, *q;
+        p = arg;
+        q = *p;
+        *q++ = (unsigned char) ((value >> 24) & 0xff);
+        *q++ = (unsigned char) ((value >> 16) & 0xff);
+        *q++ = (unsigned char) ((value >> 8) & 0xff);
+        *q = (unsigned char) (value & 0xff);
+        *p += 4;
+        return 1;
+}
+
+/* Copy to a UTF8String */
+
+static int cpy_utf8(unsigned long value, void *arg)
+{
+        unsigned char **p;
+        int ret;
+        p = arg;
+        /* We already know there is enough room so pass 0xff as the length */
+        ret = UTF8_putc(*p, 0xff, value);
+        *p += ret;
+        return 1;
+}
+
+/* Return 1 if the character is permitted in a PrintableString */
+static int is_printable(unsigned long value)
+{
+        int ch;
+        if(value > 0x7f) return 0;
+        ch = (int) value;
+        /* Note: we can't use 'isalnum' because certain accented 
+         * characters may count as alphanumeric in some environments.
+         */
+        if((ch >= 'a') && (ch <= 'z')) return 1;
+        if((ch >= 'A') && (ch <= 'Z')) return 1;
+        if((ch >= '0') && (ch <= '9')) return 1;
+        if ((ch == ' ') || strchr("'()+,-./:=?", ch)) return 1;
+        return 0;
+}
diff --git a/src/lib/libssl/src/crypto/asn1/a_strex.c b/src/lib/libssl/src/crypto/asn1/a_strex.c
new file mode 100644
index 0000000000..569b811998
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/a_strex.c
@@ -0,0 +1,533 @@
+/* a_strex.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/x509.h>
+#include <openssl/asn1.h>
+
+#include "charmap.h"
+
+/* ASN1_STRING_print_ex() and X509_NAME_print_ex().
+ * Enhanced string and name printing routines handling
+ * multibyte characters, RFC2253 and a host of other
+ * options.
+ */
+
+
+#define CHARTYPE_BS_ESC         (ASN1_STRFLGS_ESC_2253 | CHARTYPE_FIRST_ESC_2253 | CHARTYPE_LAST_ESC_2253)
+
+
+/* Three IO functions for sending data to memory, a BIO and
+ * and a FILE pointer.
+ */
+
+int send_mem_chars(void *arg, const void *buf, int len)
+{
+        unsigned char **out = arg;
+        if(!out) return 1;
+        memcpy(*out, buf, len);
+        *out += len;
+        return 1;
+}
+
+int send_bio_chars(void *arg, const void *buf, int len)
+{
+        if(!arg) return 1;
+        if(BIO_write(arg, buf, len) != len) return 0;
+        return 1;
+}
+
+int send_fp_chars(void *arg, const void *buf, int len)
+{
+        if(!arg) return 1;
+        if(fwrite(buf, 1, len, arg) != (unsigned int)len) return 0;
+        return 1;
+}
+
+typedef int char_io(void *arg, const void *buf, int len);
+
+/* This function handles display of
+ * strings, one character at a time.
+ * It is passed an unsigned long for each
+ * character because it could come from 2 or even
+ * 4 byte forms.
+ */
+
+static int do_esc_char(unsigned long c, unsigned char flags, char *do_quotes, char_io *io_ch, void *arg)
+{
+        unsigned char chflgs, chtmp;
+        char tmphex[11];
+        if(c > 0xffff) {
+                BIO_snprintf(tmphex, 11, "\\W%08lX", c);
+                if(!io_ch(arg, tmphex, 10)) return -1;
+                return 10;
+        }
+        if(c > 0xff) {
+                BIO_snprintf(tmphex, 11, "\\U%04lX", c);
+                if(!io_ch(arg, tmphex, 6)) return -1;
+                return 6;
+        }
+        chtmp = (unsigned char)c;
+        if(chtmp > 0x7f) chflgs = flags & ASN1_STRFLGS_ESC_MSB;
+        else chflgs = char_type[chtmp] & flags;
+        if(chflgs & CHARTYPE_BS_ESC) {
+                /* If we don't escape with quotes, signal we need quotes */
+                if(chflgs & ASN1_STRFLGS_ESC_QUOTE) {
+                        if(do_quotes) *do_quotes = 1;
+                        if(!io_ch(arg, &chtmp, 1)) return -1;
+                        return 1;
+                }
+                if(!io_ch(arg, "\\", 1)) return -1;
+                if(!io_ch(arg, &chtmp, 1)) return -1;
+                return 2;
+        }
+        if(chflgs & (ASN1_STRFLGS_ESC_CTRL|ASN1_STRFLGS_ESC_MSB)) {
+                BIO_snprintf(tmphex, 11, "\\%02X", chtmp);
+                if(!io_ch(arg, tmphex, 3)) return -1;
+                return 3;
+        }
+        if(!io_ch(arg, &chtmp, 1)) return -1;
+        return 1;
+}
+
+#define BUF_TYPE_WIDTH_MASK     0x7
+#define BUF_TYPE_CONVUTF8       0x8
+
+/* This function sends each character in a buffer to
+ * do_esc_char(). It interprets the content formats
+ * and converts to or from UTF8 as appropriate.
+ */
+
+static int do_buf(unsigned char *buf, int buflen,
+                        int type, unsigned char flags, char *quotes, char_io *io_ch, void *arg)
+{
+        int i, outlen, len;
+        unsigned char orflags, *p, *q;
+        unsigned long c;
+        p = buf;
+        q = buf + buflen;
+        outlen = 0;
+        while(p != q) {
+                if(p == buf) orflags = CHARTYPE_FIRST_ESC_2253;
+                else orflags = 0;
+                switch(type & BUF_TYPE_WIDTH_MASK) {
+                        case 4:
+                        c = ((unsigned long)*p++) << 24;
+                        c |= ((unsigned long)*p++) << 16;
+                        c |= ((unsigned long)*p++) << 8;
+                        c |= *p++;
+                        break;
+
+                        case 2:
+                        c = ((unsigned long)*p++) << 8;
+                        c |= *p++;
+                        break;
+
+                        case 1:
+                        c = *p++;
+                        break;
+                        
+                        case 0:
+                        i = UTF8_getc(p, buflen, &c);
+                        if(i < 0) return -1;    /* Invalid UTF8String */
+                        p += i;
+                        break;
+                }
+                if (p == q) orflags = CHARTYPE_LAST_ESC_2253;
+                if(type & BUF_TYPE_CONVUTF8) {
+                        unsigned char utfbuf[6];
+                        int utflen;
+                        utflen = UTF8_putc(utfbuf, 6, c);
+                        for(i = 0; i < utflen; i++) {
+                                /* We don't need to worry about setting orflags correctly
+                                 * because if utflen==1 its value will be correct anyway 
+                                 * otherwise each character will be > 0x7f and so the 
+                                 * character will never be escaped on first and last.
+                                 */
+                                len = do_esc_char(utfbuf[i], (unsigned char)(flags | orflags), quotes, io_ch, arg);
+                                if(len < 0) return -1;
+                                outlen += len;
+                        }
+                } else {
+                        len = do_esc_char(c, (unsigned char)(flags | orflags), quotes, io_ch, arg);
+                        if(len < 0) return -1;
+                        outlen += len;
+                }
+        }
+        return outlen;
+}
+
+/* This function hex dumps a buffer of characters */
+
+static int do_hex_dump(char_io *io_ch, void *arg, unsigned char *buf, int buflen)
+{
+        const static char hexdig[] = "0123456789ABCDEF";
+        unsigned char *p, *q;
+        char hextmp[2];
+        if(arg) {
+                p = buf;
+                q = buf + buflen;
+                while(p != q) {
+                        hextmp[0] = hexdig[*p >> 4];
+                        hextmp[1] = hexdig[*p & 0xf];
+                        if(!io_ch(arg, hextmp, 2)) return -1;
+                        p++;
+                }
+        }
+        return buflen << 1;
+}
+
+/* "dump" a string. This is done when the type is unknown,
+ * or the flags request it. We can either dump the content
+ * octets or the entire DER encoding. This uses the RFC2253
+ * #01234 format.
+ */
+
+int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING *str)
+{
+        /* Placing the ASN1_STRING in a temp ASN1_TYPE allows
+         * the DER encoding to readily obtained
+         */
+        ASN1_TYPE t;
+        unsigned char *der_buf, *p;
+        int outlen, der_len;
+
+        if(!io_ch(arg, "#", 1)) return -1;
+        /* If we don't dump DER encoding just dump content octets */
+        if(!(lflags & ASN1_STRFLGS_DUMP_DER)) {
+                outlen = do_hex_dump(io_ch, arg, str->data, str->length);
+                if(outlen < 0) return -1;
+                return outlen + 1;
+        }
+        t.type = str->type;
+        t.value.ptr = (char *)str;
+        der_len = i2d_ASN1_TYPE(&t, NULL);
+        der_buf = OPENSSL_malloc(der_len);
+        if(!der_buf) return -1;
+        p = der_buf;
+        i2d_ASN1_TYPE(&t, &p);
+        outlen = do_hex_dump(io_ch, arg, der_buf, der_len);
+        OPENSSL_free(der_buf);
+        if(outlen < 0) return -1;
+        return outlen + 1;
+}
+
+/* Lookup table to convert tags to character widths,
+ * 0 = UTF8 encoded, -1 is used for non string types
+ * otherwise it is the number of bytes per character
+ */
+
+const static char tag2nbyte[] = {
+        -1, -1, -1, -1, -1,     /* 0-4 */
+        -1, -1, -1, -1, -1,     /* 5-9 */
+        -1, -1, 0, -1,          /* 10-13 */
+        -1, -1, -1, -1,         /* 15-17 */
+        -1, 1, 1,               /* 18-20 */
+        -1, 1, -1,-1,           /* 21-24 */
+        -1, 1, -1,              /* 25-27 */
+        4, -1, 2                /* 28-30 */
+};
+
+#define ESC_FLAGS (ASN1_STRFLGS_ESC_2253 | \
+                  ASN1_STRFLGS_ESC_QUOTE | \
+                  ASN1_STRFLGS_ESC_CTRL | \
+                  ASN1_STRFLGS_ESC_MSB)
+
+/* This is the main function, print out an
+ * ASN1_STRING taking note of various escape
+ * and display options. Returns number of
+ * characters written or -1 if an error
+ * occurred.
+ */
+
+static int do_print_ex(char_io *io_ch, void *arg, unsigned long lflags, ASN1_STRING *str)
+{
+        int outlen, len;
+        int type;
+        char quotes;
+        unsigned char flags;
+        quotes = 0;
+        /* Keep a copy of escape flags */
+        flags = (unsigned char)(lflags & ESC_FLAGS);
+
+        type = str->type;
+
+        outlen = 0;
+
+
+        if(lflags & ASN1_STRFLGS_SHOW_TYPE) {
+                const char *tagname;
+                tagname = ASN1_tag2str(type);
+                outlen += strlen(tagname);
+                if(!io_ch(arg, tagname, outlen) || !io_ch(arg, ":", 1)) return -1; 
+                outlen++;
+        }
+
+        /* Decide what to do with type, either dump content or display it */
+
+        /* Dump everything */
+        if(lflags & ASN1_STRFLGS_DUMP_ALL) type = -1;
+        /* Ignore the string type */
+        else if(lflags & ASN1_STRFLGS_IGNORE_TYPE) type = 1;
+        else {
+                /* Else determine width based on type */
+                if((type > 0) && (type < 31)) type = tag2nbyte[type];
+                else type = -1;
+                if((type == -1) && !(lflags & ASN1_STRFLGS_DUMP_UNKNOWN)) type = 1;
+        }
+
+        if(type == -1) {
+                len = do_dump(lflags, io_ch, arg, str);
+                if(len < 0) return -1;
+                outlen += len;
+                return outlen;
+        }
+
+        if(lflags & ASN1_STRFLGS_UTF8_CONVERT) {
+                /* Note: if string is UTF8 and we want
+                 * to convert to UTF8 then we just interpret
+                 * it as 1 byte per character to avoid converting
+                 * twice.
+                 */
+                if(!type) type = 1;
+                else type |= BUF_TYPE_CONVUTF8;
+        }
+
+        len = do_buf(str->data, str->length, type, flags, &quotes, io_ch, NULL);
+        if(outlen < 0) return -1;
+        outlen += len;
+        if(quotes) outlen += 2;
+        if(!arg) return outlen;
+        if(quotes && !io_ch(arg, "\"", 1)) return -1;
+        do_buf(str->data, str->length, type, flags, NULL, io_ch, arg);
+        if(quotes && !io_ch(arg, "\"", 1)) return -1;
+        return outlen;
+}
+
+/* Used for line indenting: print 'indent' spaces */
+
+static int do_indent(char_io *io_ch, void *arg, int indent)
+{
+        int i;
+        for(i = 0; i < indent; i++)
+                        if(!io_ch(arg, " ", 1)) return 0;
+        return 1;
+}
+
+
+static int do_name_ex(char_io *io_ch, void *arg, X509_NAME *n,
+                                int indent, unsigned long flags)
+{
+        int i, prev = -1, orflags, cnt;
+        int fn_opt, fn_nid;
+        ASN1_OBJECT *fn;
+        ASN1_STRING *val;
+        X509_NAME_ENTRY *ent;
+        char objtmp[80];
+        const char *objbuf;
+        int outlen, len;
+        char *sep_dn, *sep_mv, *sep_eq;
+        int sep_dn_len, sep_mv_len, sep_eq_len;
+        if(indent < 0) indent = 0;
+        outlen = indent;
+        if(!do_indent(io_ch, arg, indent)) return -1;
+        switch (flags & XN_FLAG_SEP_MASK)
+        {
+                case XN_FLAG_SEP_MULTILINE:
+                sep_dn = "\n";
+                sep_dn_len = 1;
+                sep_mv = " + ";
+                sep_mv_len = 3;
+                break;
+
+                case XN_FLAG_SEP_COMMA_PLUS:
+                sep_dn = ",";
+                sep_dn_len = 1;
+                sep_mv = "+";
+                sep_mv_len = 1;
+                indent = 0;
+                break;
+
+                case XN_FLAG_SEP_CPLUS_SPC:
+                sep_dn = ", ";
+                sep_dn_len = 2;
+                sep_mv = " + ";
+                sep_mv_len = 3;
+                indent = 0;
+                break;
+
+                case XN_FLAG_SEP_SPLUS_SPC:
+                sep_dn = "; ";
+                sep_dn_len = 2;
+                sep_mv = " + ";
+                sep_mv_len = 3;
+                indent = 0;
+                break;
+
+                default:
+                return -1;
+        }
+
+        if(flags & XN_FLAG_SPC_EQ) {
+                sep_eq = " = ";
+                sep_eq_len = 3;
+        } else {
+                sep_eq = "=";
+                sep_eq_len = 1;
+        }
+
+        fn_opt = flags & XN_FLAG_FN_MASK;
+
+        cnt = X509_NAME_entry_count(n); 
+        for(i = 0; i < cnt; i++) {
+                if(flags & XN_FLAG_DN_REV)
+                                ent = X509_NAME_get_entry(n, cnt - i - 1);
+                else ent = X509_NAME_get_entry(n, i);
+                if(prev != -1) {
+                        if(prev == ent->set) {
+                                if(!io_ch(arg, sep_mv, sep_mv_len)) return -1;
+                                outlen += sep_mv_len;
+                        } else {
+                                if(!io_ch(arg, sep_dn, sep_dn_len)) return -1;
+                                outlen += sep_dn_len;
+                                if(!do_indent(io_ch, arg, indent)) return -1;
+                                outlen += indent;
+                        }
+                }
+                prev = ent->set;
+                fn = X509_NAME_ENTRY_get_object(ent);
+                val = X509_NAME_ENTRY_get_data(ent);
+                fn_nid = OBJ_obj2nid(fn);
+                if(fn_opt != XN_FLAG_FN_NONE) {
+                        int objlen;
+                        if((fn_opt == XN_FLAG_FN_OID) || (fn_nid==NID_undef) ) {
+                                OBJ_obj2txt(objtmp, 80, fn, 1);
+                                objbuf = objtmp;
+                        } else {
+                                if(fn_opt == XN_FLAG_FN_SN) 
+                                        objbuf = OBJ_nid2sn(fn_nid);
+                                else if(fn_opt == XN_FLAG_FN_LN)
+                                        objbuf = OBJ_nid2ln(fn_nid);
+                                else objbuf = "";
+                        }
+                        objlen = strlen(objbuf);
+                        if(!io_ch(arg, objbuf, objlen)) return -1;
+                        if(!io_ch(arg, sep_eq, sep_eq_len)) return -1;
+                        outlen += objlen + sep_eq_len;
+                }
+                /* If the field name is unknown then fix up the DER dump
+                 * flag. We might want to limit this further so it will
+                 * DER dump on anything other than a few 'standard' fields.
+                 */
+                if((fn_nid == NID_undef) && (flags & XN_FLAG_DUMP_UNKNOWN_FIELDS)) 
+                                        orflags = ASN1_STRFLGS_DUMP_ALL;
+                else orflags = 0;
+     
+                len = do_print_ex(io_ch, arg, flags | orflags, val);
+                if(len < 0) return -1;
+                outlen += len;
+        }
+        return outlen;
+}
+
+/* Wrappers round the main functions */
+
+int X509_NAME_print_ex(BIO *out, X509_NAME *nm, int indent, unsigned long flags)
+{
+        return do_name_ex(send_bio_chars, out, nm, indent, flags);
+}
+
+
+int X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long flags)
+{
+        return do_name_ex(send_fp_chars, fp, nm, indent, flags);
+}
+
+int ASN1_STRING_print_ex(BIO *out, ASN1_STRING *str, unsigned long flags)
+{
+        return do_print_ex(send_bio_chars, out, flags, str);
+}
+
+
+int ASN1_STRING_print_ex_fp(FILE *fp, ASN1_STRING *str, unsigned long flags)
+{
+        return do_print_ex(send_fp_chars, fp, flags, str);
+}
+
+/* Utility function: convert any string type to UTF8, returns number of bytes
+ * in output string or a negative error code
+ */
+
+int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
+{
+        ASN1_STRING stmp, *str = &stmp;
+        int mbflag, type, ret;
+        if(!*out || !in) return -1;
+        type = in->type;
+        if((type < 0) || (type > 30)) return -1;
+        mbflag = tag2nbyte[type];
+        if(mbflag == -1) return -1;
+        mbflag |= MBSTRING_FLAG;
+        stmp.data = NULL;
+        ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);
+        if(ret < 0) return ret;
+        if(out) *out = stmp.data;
+        return stmp.length;
+}
diff --git a/src/lib/libssl/src/crypto/asn1/a_strnid.c b/src/lib/libssl/src/crypto/asn1/a_strnid.c
new file mode 100644
index 0000000000..ab8417ffab
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/a_strnid.c
@@ -0,0 +1,247 @@
+/* a_strnid.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <ctype.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/objects.h>
+
+
+static STACK_OF(ASN1_STRING_TABLE) *stable = NULL;
+static void st_free(ASN1_STRING_TABLE *tbl);
+static int sk_table_cmp(ASN1_STRING_TABLE **a, ASN1_STRING_TABLE **b);
+static int table_cmp(ASN1_STRING_TABLE *a, ASN1_STRING_TABLE *b);
+
+
+/* This is the global mask for the mbstring functions: this is use to
+ * mask out certain types (such as BMPString and UTF8String) because
+ * certain software (e.g. Netscape) has problems with them.
+ */
+
+static unsigned long global_mask = 0xFFFFFFFFL;
+
+void ASN1_STRING_set_default_mask(unsigned long mask)
+{
+        global_mask = mask;
+}
+
+unsigned long ASN1_STRING_get_default_mask(void)
+{
+        return global_mask;
+}
+
+/* This function sets the default to various "flavours" of configuration.
+ * based on an ASCII string. Currently this is:
+ * MASK:XXXX : a numerical mask value.
+ * nobmp : Don't use BMPStrings (just Printable, T61).
+ * pkix : PKIX recommendation in RFC2459.
+ * utf8only : only use UTF8Strings (RFC2459 recommendation for 2004).
+ * default:   the default value, Printable, T61, BMP.
+ */
+
+int ASN1_STRING_set_default_mask_asc(char *p)
+{
+        unsigned long mask;
+        char *end;
+        if(!strncmp(p, "MASK:", 5)) {
+                if(!p[5]) return 0;
+                mask = strtoul(p + 5, &end, 0);
+                if(*end) return 0;
+        } else if(!strcmp(p, "nombstr"))
+                         mask = ~(B_ASN1_BMPSTRING|B_ASN1_UTF8STRING);
+        else if(!strcmp(p, "pkix"))
+                        mask = ~B_ASN1_T61STRING;
+        else if(!strcmp(p, "utf8only")) mask = B_ASN1_UTF8STRING;
+        else if(!strcmp(p, "default"))
+            mask = 0xFFFFFFFFL;
+        else return 0;
+        ASN1_STRING_set_default_mask(mask);
+        return 1;
+}
+
+/* The following function generates an ASN1_STRING based on limits in a table.
+ * Frequently the types and length of an ASN1_STRING are restricted by a 
+ * corresponding OID. For example certificates and certificate requests.
+ */
+
+ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in,
+                                        int inlen, int inform, int nid)
+{
+        ASN1_STRING_TABLE *tbl;
+        ASN1_STRING *str = NULL;
+        unsigned long mask;
+        int ret;
+        if(!out) out = &str;
+        tbl = ASN1_STRING_TABLE_get(nid);
+        if(tbl) {
+                mask = tbl->mask;
+                if(!(tbl->flags & STABLE_NO_MASK)) mask &= global_mask;
+                ret = ASN1_mbstring_ncopy(out, in, inlen, inform, tbl->mask,
+                                        tbl->minsize, tbl->maxsize);
+        } else ret = ASN1_mbstring_copy(out, in, inlen, inform, DIRSTRING_TYPE & global_mask);
+        if(ret <= 0) return NULL;
+        return *out;
+}
+
+/* Now the tables and helper functions for the string table:
+ */
+
+/* size limits: this stuff is taken straight from RFC2459 */
+
+#define ub_name                         32768
+#define ub_common_name                  64
+#define ub_locality_name                128
+#define ub_state_name                   128
+#define ub_organization_name            64
+#define ub_organization_unit_name       64
+#define ub_title                        64
+#define ub_email_address                128
+
+/* This table must be kept in NID order */
+
+static ASN1_STRING_TABLE tbl_standard[] = {
+{NID_commonName,                1, ub_common_name, DIRSTRING_TYPE, 0},
+{NID_countryName,               2, 2, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK},
+{NID_localityName,              1, ub_locality_name, DIRSTRING_TYPE, 0},
+{NID_stateOrProvinceName,       1, ub_state_name, DIRSTRING_TYPE, 0},
+{NID_organizationName,          1, ub_organization_name, DIRSTRING_TYPE, 0},
+{NID_organizationalUnitName,    1, ub_organization_unit_name, DIRSTRING_TYPE, 0},
+{NID_pkcs9_emailAddress,        1, ub_email_address, B_ASN1_IA5STRING, STABLE_NO_MASK},
+{NID_pkcs9_unstructuredName,    1, -1, PKCS9STRING_TYPE, 0},
+{NID_pkcs9_challengePassword,   1, -1, PKCS9STRING_TYPE, 0},
+{NID_pkcs9_unstructuredAddress, 1, -1, DIRSTRING_TYPE, 0},
+{NID_givenName,                 1, ub_name, DIRSTRING_TYPE, 0},
+{NID_surname,                   1, ub_name, DIRSTRING_TYPE, 0},
+{NID_initials,                  1, ub_name, DIRSTRING_TYPE, 0},
+{NID_name,                      1, ub_name, DIRSTRING_TYPE, 0},
+{NID_dnQualifier,               -1, -1, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK}
+};
+
+static int sk_table_cmp(ASN1_STRING_TABLE **a, ASN1_STRING_TABLE **b)
+{
+        return (*a)->nid - (*b)->nid;
+}
+
+static int table_cmp(ASN1_STRING_TABLE *a, ASN1_STRING_TABLE *b)
+{
+        return a->nid - b->nid;
+}
+
+ASN1_STRING_TABLE *ASN1_STRING_TABLE_get(int nid)
+{
+        int idx;
+        ASN1_STRING_TABLE *ttmp;
+        ASN1_STRING_TABLE fnd;
+        fnd.nid = nid;
+        ttmp = (ASN1_STRING_TABLE *) OBJ_bsearch((char *)&fnd,
+                                        (char *)tbl_standard, 
+                        sizeof(tbl_standard)/sizeof(ASN1_STRING_TABLE),
+                        sizeof(ASN1_STRING_TABLE), (int(*)())table_cmp);
+        if(ttmp) return ttmp;
+        if(!stable) return NULL;
+        idx = sk_ASN1_STRING_TABLE_find(stable, &fnd);
+        if(idx < 0) return NULL;
+        return sk_ASN1_STRING_TABLE_value(stable, idx);
+}
+        
+int ASN1_STRING_TABLE_add(int nid,
+                 long minsize, long maxsize, unsigned long mask,
+                                unsigned long flags)
+{
+        ASN1_STRING_TABLE *tmp;
+        char new_nid = 0;
+        flags &= ~STABLE_FLAGS_MALLOC;
+        if(!stable) stable = sk_ASN1_STRING_TABLE_new(sk_table_cmp);
+        if(!stable) {
+                ASN1err(ASN1_F_ASN1_STRING_TABLE_ADD, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        if(!(tmp = ASN1_STRING_TABLE_get(nid))) {
+                tmp = Malloc(sizeof(ASN1_STRING_TABLE));
+                if(!tmp) {
+                        ASN1err(ASN1_F_ASN1_STRING_TABLE_ADD,
+                                                        ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+                tmp->flags = flags | STABLE_FLAGS_MALLOC;
+                tmp->nid = nid;
+                new_nid = 1;
+        } else tmp->flags = (tmp->flags & STABLE_FLAGS_MALLOC) | flags;
+        if(minsize != -1) tmp->minsize = minsize;
+        if(maxsize != -1) tmp->maxsize = maxsize;
+        tmp->mask = mask;
+        if(new_nid) sk_ASN1_STRING_TABLE_push(stable, tmp);
+        return 1;
+}
+
+void ASN1_STRING_TABLE_cleanup(void)
+{
+        STACK_OF(ASN1_STRING_TABLE) *tmp;
+        tmp = stable;
+        if(!tmp) return;
+        stable = NULL;
+        sk_ASN1_STRING_TABLE_pop_free(tmp, st_free);
+}
+
+static void st_free(ASN1_STRING_TABLE *tbl)
+{
+        if(tbl->flags & STABLE_FLAGS_MALLOC) Free(tbl);
+}
+
+IMPLEMENT_STACK_OF(ASN1_STRING_TABLE)
diff --git a/src/lib/libssl/src/crypto/asn1/a_time.c b/src/lib/libssl/src/crypto/asn1/a_time.c
new file mode 100644
index 0000000000..c1690a5694
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/a_time.c
@@ -0,0 +1,123 @@
+/* crypto/asn1/a_time.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+/* This is an implementation of the ASN1 Time structure which is:
+ *    Time ::= CHOICE {
+ *      utcTime        UTCTime,
+ *      generalTime    GeneralizedTime }
+ * written by Steve Henson.
+ */
+
+#include <stdio.h>
+#include <time.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+
+int i2d_ASN1_TIME(ASN1_TIME *a, unsigned char **pp)
+        {
+#ifdef CHARSET_EBCDIC
+        /* KLUDGE! We convert to ascii before writing DER */
+        char tmp[24];
+        ASN1_STRING tmpstr;
+
+        if(a->type == V_ASN1_UTCTIME || a->type == V_ASN1_GENERALIZEDTIME) {
+            int len;
+
+            tmpstr = *(ASN1_STRING *)a;
+            len = tmpstr.length;
+            ebcdic2ascii(tmp, tmpstr.data, (len >= sizeof tmp) ? sizeof tmp : len);
+            tmpstr.data = tmp;
+            a = (ASN1_GENERALIZEDTIME *) &tmpstr;
+        }
+#endif
+        if(a->type == V_ASN1_UTCTIME || a->type == V_ASN1_GENERALIZEDTIME)
+                                return(i2d_ASN1_bytes((ASN1_STRING *)a,pp,
+                                     a->type ,V_ASN1_UNIVERSAL));
+        ASN1err(ASN1_F_I2D_ASN1_TIME,ASN1_R_EXPECTING_A_TIME);
+        return -1;
+        }
+
+
+ASN1_TIME *d2i_ASN1_TIME(ASN1_TIME **a, unsigned char **pp, long length)
+        {
+        unsigned char tag;
+        tag = **pp & ~V_ASN1_CONSTRUCTED;
+        if(tag == (V_ASN1_UTCTIME|V_ASN1_UNIVERSAL))
+                                         return d2i_ASN1_UTCTIME(a, pp, length);
+        if(tag == (V_ASN1_GENERALIZEDTIME|V_ASN1_UNIVERSAL))
+                                return d2i_ASN1_GENERALIZEDTIME(a, pp, length);
+        ASN1err(ASN1_F_D2I_ASN1_TIME,ASN1_R_EXPECTING_A_TIME);
+        return(NULL);
+        }
+
+
+ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t)
+        {
+        struct tm *ts;
+#if defined(THREADS) && !defined(WIN32)
+        struct tm data;
+#endif
+
+#if defined(THREADS) && !defined(WIN32)
+        gmtime_r(&t,&data);
+        ts=&data; /* should return &data, but doesn't on some systems, so we don't even look at the return value */
+#else
+        ts=gmtime(&t);
+#endif
+        if((ts->tm_year >= 50) && (ts->tm_year < 150))
+                                        return ASN1_UTCTIME_set(s, t);
+        return ASN1_GENERALIZEDTIME_set(s,t);
+        }
diff --git a/src/lib/libssl/src/crypto/asn1/a_utf8.c b/src/lib/libssl/src/crypto/asn1/a_utf8.c
new file mode 100644
index 0000000000..4a8a92e9e4
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/a_utf8.c
@@ -0,0 +1,83 @@
+/* crypto/asn1/a_utf8.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+
+int i2d_ASN1_UTF8STRING(ASN1_UTF8STRING *a, unsigned char **pp)
+        {
+        return(i2d_ASN1_bytes((ASN1_STRING *)a,pp,
+                V_ASN1_UTF8STRING,V_ASN1_UNIVERSAL));
+        }
+
+ASN1_UTF8STRING *d2i_ASN1_UTF8STRING(ASN1_UTF8STRING **a, unsigned char **pp,
+             long length)
+        {
+        ASN1_UTF8STRING *ret=NULL;
+
+        ret=(ASN1_UTF8STRING *)d2i_ASN1_bytes((ASN1_STRING **)a,
+                pp,length,V_ASN1_UTF8STRING,V_ASN1_UNIVERSAL);
+        if (ret == NULL)
+                {
+                ASN1err(ASN1_F_D2I_ASN1_UTF8STRING,ERR_R_NESTED_ASN1_ERROR);
+                return(NULL);
+                }
+        return(ret);
+        }
+
diff --git a/src/lib/libssl/src/crypto/asn1/asn1t.h b/src/lib/libssl/src/crypto/asn1/asn1t.h
new file mode 100644
index 0000000000..ed372f8554
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/asn1t.h
@@ -0,0 +1,846 @@
+/* asn1t.h */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#ifndef HEADER_ASN1T_H
+#define HEADER_ASN1T_H
+
+#include <stddef.h>
+#include <openssl/e_os2.h>
+#include <openssl/asn1.h>
+
+#ifdef OPENSSL_BUILD_SHLIBCRYPTO
+# undef OPENSSL_EXTERN
+# define OPENSSL_EXTERN OPENSSL_EXPORT
+#endif
+
+/* ASN1 template defines, structures and functions */
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+
+#ifndef OPENSSL_EXPORT_VAR_AS_FUNCTION
+
+/* Macro to obtain ASN1_ADB pointer from a type (only used internally) */
+#define ASN1_ADB_ptr(iptr) ((const ASN1_ADB *)(iptr))
+
+
+/* Macros for start and end of ASN1_ITEM definition */
+
+#define ASN1_ITEM_start(itname) \
+        OPENSSL_GLOBAL const ASN1_ITEM itname##_it = {
+
+#define ASN1_ITEM_end(itname) \
+                };
+
+#else
+
+/* Macro to obtain ASN1_ADB pointer from a type (only used internally) */
+#define ASN1_ADB_ptr(iptr) ((const ASN1_ADB *)(iptr()))
+
+
+/* Macros for start and end of ASN1_ITEM definition */
+
+#define ASN1_ITEM_start(itname) \
+        const ASN1_ITEM * itname##_it(void) \
+        { \
+                static const ASN1_ITEM local_it = { \
+
+#define ASN1_ITEM_end(itname) \
+                }; \
+        return &local_it; \
+        }
+
+#endif
+
+
+/* Macros to aid ASN1 template writing */
+
+#define ASN1_ITEM_TEMPLATE(tname) \
+        const static ASN1_TEMPLATE tname##_item_tt 
+
+#define ASN1_ITEM_TEMPLATE_END(tname) \
+        ;\
+        ASN1_ITEM_start(tname) \
+                ASN1_ITYPE_PRIMITIVE,\
+                -1,\
+                &tname##_item_tt,\
+                0,\
+                NULL,\
+                0,\
+                #tname \
+        ASN1_ITEM_end(tname)
+
+
+/* This is a ASN1 type which just embeds a template */
+ 
+/* This pair helps declare a SEQUENCE. We can do:
+ *
+ *      ASN1_SEQUENCE(stname) = {
+ *              ... SEQUENCE components ...
+ *      } ASN1_SEQUENCE_END(stname)
+ *
+ *      This will produce an ASN1_ITEM called stname_it
+ *      for a structure called stname.
+ *
+ *      If you want the same structure but a different
+ *      name then use:
+ *
+ *      ASN1_SEQUENCE(itname) = {
+ *              ... SEQUENCE components ...
+ *      } ASN1_SEQUENCE_END_name(stname, itname)
+ *
+ *      This will create an item called itname_it using
+ *      a structure called stname.
+ */
+
+#define ASN1_SEQUENCE(tname) \
+        const static ASN1_TEMPLATE tname##_seq_tt[] 
+
+#define ASN1_SEQUENCE_END(stname) ASN1_SEQUENCE_END_name(stname, stname)
+
+#define ASN1_SEQUENCE_END_name(stname, tname) \
+        ;\
+        ASN1_ITEM_start(tname) \
+                ASN1_ITYPE_SEQUENCE,\
+                V_ASN1_SEQUENCE,\
+                tname##_seq_tt,\
+                sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
+                NULL,\
+                sizeof(stname),\
+                #stname \
+        ASN1_ITEM_end(tname)
+
+#define ASN1_SEQUENCE_cb(tname, cb) \
+        const static ASN1_AUX tname##_aux = {NULL, 0, 0, 0, cb, 0}; \
+        ASN1_SEQUENCE(tname)
+
+#define ASN1_BROKEN_SEQUENCE(tname) \
+        const static ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_BROKEN, 0, 0, 0, 0}; \
+        ASN1_SEQUENCE(tname)
+
+#define ASN1_SEQUENCE_ref(tname, cb, lck) \
+        const static ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_REFCOUNT, offsetof(tname, references), lck, cb, 0}; \
+        ASN1_SEQUENCE(tname)
+
+#define ASN1_SEQUENCE_enc(tname, enc, cb) \
+        const static ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_ENCODING, 0, 0, cb, offsetof(tname, enc)}; \
+        ASN1_SEQUENCE(tname)
+
+#define ASN1_BROKEN_SEQUENCE_END(stname) ASN1_SEQUENCE_END_ref(stname, stname)
+
+#define ASN1_SEQUENCE_END_enc(stname, tname) ASN1_SEQUENCE_END_ref(stname, tname)
+
+#define ASN1_SEQUENCE_END_cb(stname, tname) ASN1_SEQUENCE_END_ref(stname, tname)
+
+#define ASN1_SEQUENCE_END_ref(stname, tname) \
+        ;\
+        ASN1_ITEM_start(tname) \
+                ASN1_ITYPE_SEQUENCE,\
+                V_ASN1_SEQUENCE,\
+                tname##_seq_tt,\
+                sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
+                &tname##_aux,\
+                sizeof(stname),\
+                #stname \
+        ASN1_ITEM_end(tname)
+
+
+/* This pair helps declare a CHOICE type. We can do:
+ *
+ *      ASN1_CHOICE(chname) = {
+ *              ... CHOICE options ...
+ *      ASN1_CHOICE_END(chname)
+ *
+ *      This will produce an ASN1_ITEM called chname_it
+ *      for a structure called chname. The structure
+ *      definition must look like this:
+ *      typedef struct {
+ *              int type;
+ *              union {
+ *                      ASN1_SOMETHING *opt1;
+ *                      ASN1_SOMEOTHER *opt2;
+ *              } value;
+ *      } chname;
+ *      
+ *      the name of the selector must be 'type'.
+ *      to use an alternative selector name use the
+ *      ASN1_CHOICE_END_selector() version.
+ */
+
+#define ASN1_CHOICE(tname) \
+        const static ASN1_TEMPLATE tname##_ch_tt[] 
+
+#define ASN1_CHOICE_cb(tname, cb) \
+        const static ASN1_AUX tname##_aux = {NULL, 0, 0, 0, cb, 0}; \
+        ASN1_CHOICE(tname)
+
+#define ASN1_CHOICE_END(stname) ASN1_CHOICE_END_name(stname, stname)
+
+#define ASN1_CHOICE_END_name(stname, tname) ASN1_CHOICE_END_selector(stname, tname, type)
+
+#define ASN1_CHOICE_END_selector(stname, tname, selname) \
+        ;\
+        ASN1_ITEM_start(tname) \
+                ASN1_ITYPE_CHOICE,\
+                offsetof(stname,selname) ,\
+                tname##_ch_tt,\
+                sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE),\
+                NULL,\
+                sizeof(stname),\
+                #stname \
+        ASN1_ITEM_end(tname)
+
+#define ASN1_CHOICE_END_cb(stname, tname, selname) \
+        ;\
+        ASN1_ITEM_start(tname) \
+                ASN1_ITYPE_CHOICE,\
+                offsetof(stname,selname) ,\
+                tname##_ch_tt,\
+                sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE),\
+                &tname##_aux,\
+                sizeof(stname),\
+                #stname \
+        ASN1_ITEM_end(tname)
+
+/* This helps with the template wrapper form of ASN1_ITEM */
+
+#define ASN1_EX_TEMPLATE_TYPE(flags, tag, name, type) { \
+        (flags), (tag), 0,\
+        #name, ASN1_ITEM_ref(type) }
+
+/* These help with SEQUENCE or CHOICE components */
+
+/* used to declare other types */
+
+#define ASN1_EX_TYPE(flags, tag, stname, field, type) { \
+        (flags), (tag), offsetof(stname, field),\
+        #field, ASN1_ITEM_ref(type) }
+
+/* used when the structure is combined with the parent */
+
+#define ASN1_EX_COMBINE(flags, tag, type) { \
+        (flags)|ASN1_TFLG_COMBINE, (tag), 0, NULL, ASN1_ITEM_ref(type) }
+
+/* implicit and explicit helper macros */
+
+#define ASN1_IMP_EX(stname, field, type, tag, ex) \
+                ASN1_EX_TYPE(ASN1_TFLG_IMPLICIT | ex, tag, stname, field, type)
+
+#define ASN1_EXP_EX(stname, field, type, tag, ex) \
+                ASN1_EX_TYPE(ASN1_TFLG_EXPLICIT | ex, tag, stname, field, type)
+
+/* Any defined by macros: the field used is in the table itself */
+
+#ifndef OPENSSL_EXPORT_VAR_AS_FUNCTION
+#define ASN1_ADB_OBJECT(tblname) { ASN1_TFLG_ADB_OID, -1, 0, #tblname, (const ASN1_ITEM *)&(tblname##_adb) }
+#define ASN1_ADB_INTEGER(tblname) { ASN1_TFLG_ADB_INT, -1, 0, #tblname, (const ASN1_ITEM *)&(tblname##_adb) }
+#else
+#define ASN1_ADB_OBJECT(tblname) { ASN1_TFLG_ADB_OID, -1, 0, #tblname, tblname##_adb }
+#define ASN1_ADB_INTEGER(tblname) { ASN1_TFLG_ADB_INT, -1, 0, #tblname, tblname##_adb }
+#endif
+/* Plain simple type */
+#define ASN1_SIMPLE(stname, field, type) ASN1_EX_TYPE(0,0, stname, field, type)
+
+/* OPTIONAL simple type */
+#define ASN1_OPT(stname, field, type) ASN1_EX_TYPE(ASN1_TFLG_OPTIONAL, 0, stname, field, type)
+
+/* IMPLICIT tagged simple type */
+#define ASN1_IMP(stname, field, type, tag) ASN1_IMP_EX(stname, field, type, tag, 0)
+
+/* IMPLICIT tagged OPTIONAL simple type */
+#define ASN1_IMP_OPT(stname, field, type, tag) ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL)
+
+/* Same as above but EXPLICIT */
+
+#define ASN1_EXP(stname, field, type, tag) ASN1_EXP_EX(stname, field, type, tag, 0)
+#define ASN1_EXP_OPT(stname, field, type, tag) ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL)
+
+/* SEQUENCE OF type */
+#define ASN1_SEQUENCE_OF(stname, field, type) \
+                ASN1_EX_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, stname, field, type)
+
+/* OPTIONAL SEQUENCE OF */
+#define ASN1_SEQUENCE_OF_OPT(stname, field, type) \
+                ASN1_EX_TYPE(ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL, 0, stname, field, type)
+
+/* Same as above but for SET OF */
+
+#define ASN1_SET_OF(stname, field, type) \
+                ASN1_EX_TYPE(ASN1_TFLG_SET_OF, 0, stname, field, type)
+
+#define ASN1_SET_OF_OPT(stname, field, type) \
+                ASN1_EX_TYPE(ASN1_TFLG_SET_OF|ASN1_TFLG_OPTIONAL, 0, stname, field, type)
+
+/* Finally compound types of SEQUENCE, SET, IMPLICIT, EXPLICIT and OPTIONAL */
+
+#define ASN1_IMP_SET_OF(stname, field, type, tag) \
+                        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF)
+
+#define ASN1_EXP_SET_OF(stname, field, type, tag) \
+                        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF)
+
+#define ASN1_IMP_SET_OF_OPT(stname, field, type, tag) \
+                        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF|ASN1_TFLG_OPTIONAL)
+
+#define ASN1_EXP_SET_OF_OPT(stname, field, type, tag) \
+                        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF|ASN1_TFLG_OPTIONAL)
+
+#define ASN1_IMP_SEQUENCE_OF(stname, field, type, tag) \
+                        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF)
+
+#define ASN1_IMP_SEQUENCE_OF_OPT(stname, field, type, tag) \
+                        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL)
+
+#define ASN1_EXP_SEQUENCE_OF(stname, field, type, tag) \
+                        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF)
+
+#define ASN1_EXP_SEQUENCE_OF_OPT(stname, field, type, tag) \
+                        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL)
+
+/* Macros for the ASN1_ADB structure */
+
+#define ASN1_ADB(name) \
+        const static ASN1_ADB_TABLE name##_adbtbl[] 
+
+#ifndef OPENSSL_EXPORT_VAR_AS_FUNCTION
+
+#define ASN1_ADB_END(name, flags, field, app_table, def, none) \
+        ;\
+        const static ASN1_ADB name##_adb = {\
+                flags,\
+                offsetof(name, field),\
+                app_table,\
+                name##_adbtbl,\
+                sizeof(name##_adbtbl) / sizeof(ASN1_ADB_TABLE),\
+                def,\
+                none\
+        }
+
+#else
+
+#define ASN1_ADB_END(name, flags, field, app_table, def, none) \
+        ;\
+        const static ASN1_ITEM *name##_adb(void) \
+        { \
+        const static ASN1_ADB internal_adb = \
+                {\
+                flags,\
+                offsetof(name, field),\
+                app_table,\
+                name##_adbtbl,\
+                sizeof(name##_adbtbl) / sizeof(ASN1_ADB_TABLE),\
+                def,\
+                none\
+                }; \
+                return (const ASN1_ITEM *) &internal_adb; \
+        } \
+        void dummy_function(void)
+
+#endif
+
+#define ADB_ENTRY(val, template) {val, template}
+
+#define ASN1_ADB_TEMPLATE(name) \
+        const static ASN1_TEMPLATE name##_tt 
+
+/* This is the ASN1 template structure that defines
+ * a wrapper round the actual type. It determines the
+ * actual position of the field in the value structure,
+ * various flags such as OPTIONAL and the field name.
+ */
+
+struct ASN1_TEMPLATE_st {
+unsigned long flags;            /* Various flags */
+long tag;                       /* tag, not used if no tagging */
+unsigned long offset;           /* Offset of this field in structure */
+#ifndef NO_ASN1_FIELD_NAMES
+char *field_name;               /* Field name */
+#endif
+ASN1_ITEM_EXP *item;            /* Relevant ASN1_ITEM or ASN1_ADB */
+};
+
+/* Macro to extract ASN1_ITEM and ASN1_ADB pointer from ASN1_TEMPLATE */
+
+#define ASN1_TEMPLATE_item(t) (t->item_ptr)
+#define ASN1_TEMPLATE_adb(t) (t->item_ptr)
+
+typedef struct ASN1_ADB_TABLE_st ASN1_ADB_TABLE;
+typedef struct ASN1_ADB_st ASN1_ADB;
+
+struct ASN1_ADB_st {
+        unsigned long flags;    /* Various flags */
+        unsigned long offset;   /* Offset of selector field */
+        STACK_OF(ASN1_ADB_TABLE) **app_items; /* Application defined items */
+        const ASN1_ADB_TABLE *tbl;      /* Table of possible types */
+        long tblcount;          /* Number of entries in tbl */
+        const ASN1_TEMPLATE *default_tt;  /* Type to use if no match */
+        const ASN1_TEMPLATE *null_tt;  /* Type to use if selector is NULL */
+};
+
+struct ASN1_ADB_TABLE_st {
+        long value;             /* NID for an object or value for an int */
+        const ASN1_TEMPLATE tt;         /* item for this value */
+};
+
+/* template flags */
+
+/* Field is optional */
+#define ASN1_TFLG_OPTIONAL      (0x1)
+
+/* Field is a SET OF */
+#define ASN1_TFLG_SET_OF        (0x1 << 1)
+
+/* Field is a SEQUENCE OF */
+#define ASN1_TFLG_SEQUENCE_OF   (0x2 << 1)
+
+/* Special case: this refers to a SET OF that
+ * will be sorted into DER order when encoded *and*
+ * the corresponding STACK will be modified to match
+ * the new order.
+ */
+#define ASN1_TFLG_SET_ORDER     (0x3 << 1)
+
+/* Mask for SET OF or SEQUENCE OF */
+#define ASN1_TFLG_SK_MASK       (0x3 << 1)
+
+/* These flags mean the tag should be taken from the
+ * tag field. If EXPLICIT then the underlying type
+ * is used for the inner tag.
+ */
+
+/* IMPLICIT tagging */
+#define ASN1_TFLG_IMPTAG        (0x1 << 3)
+
+
+/* EXPLICIT tagging, inner tag from underlying type */
+#define ASN1_TFLG_EXPTAG        (0x2 << 3)
+
+#define ASN1_TFLG_TAG_MASK      (0x3 << 3)
+
+/* context specific IMPLICIT */
+#define ASN1_TFLG_IMPLICIT      ASN1_TFLG_IMPTAG|ASN1_TFLG_CONTEXT
+
+/* context specific EXPLICIT */
+#define ASN1_TFLG_EXPLICIT      ASN1_TFLG_EXPTAG|ASN1_TFLG_CONTEXT
+
+/* If tagging is in force these determine the
+ * type of tag to use. Otherwise the tag is
+ * determined by the underlying type. These 
+ * values reflect the actual octet format.
+ */
+
+/* Universal tag */ 
+#define ASN1_TFLG_UNIVERSAL     (0x0<<6)
+/* Application tag */ 
+#define ASN1_TFLG_APPLICATION   (0x1<<6)
+/* Context specific tag */ 
+#define ASN1_TFLG_CONTEXT       (0x2<<6)
+/* Private tag */ 
+#define ASN1_TFLG_PRIVATE       (0x3<<6)
+
+#define ASN1_TFLG_TAG_CLASS     (0x3<<6)
+
+/* These are for ANY DEFINED BY type. In this case
+ * the 'item' field points to an ASN1_ADB structure
+ * which contains a table of values to decode the
+ * relevant type
+ */
+
+#define ASN1_TFLG_ADB_MASK      (0x3<<8)
+
+#define ASN1_TFLG_ADB_OID       (0x1<<8)
+
+#define ASN1_TFLG_ADB_INT       (0x1<<9)
+
+/* This flag means a parent structure is passed
+ * instead of the field: this is useful is a
+ * SEQUENCE is being combined with a CHOICE for
+ * example. Since this means the structure and
+ * item name will differ we need to use the
+ * ASN1_CHOICE_END_name() macro for example.
+ */
+
+#define ASN1_TFLG_COMBINE       (0x1<<10)
+
+/* This is the actual ASN1 item itself */
+
+struct ASN1_ITEM_st {
+char itype;                     /* The item type, primitive, SEQUENCE, CHOICE or extern */
+long utype;                     /* underlying type */
+const ASN1_TEMPLATE *templates; /* If SEQUENCE or CHOICE this contains the contents */
+long tcount;                    /* Number of templates if SEQUENCE or CHOICE */
+const void *funcs;              /* functions that handle this type */
+long size;                      /* Structure size (usually)*/
+#ifndef NO_ASN1_FIELD_NAMES
+const char *sname;              /* Structure name */
+#endif
+};
+
+/* These are values for the itype field and
+ * determine how the type is interpreted.
+ *
+ * For PRIMITIVE types the underlying type
+ * determines the behaviour if items is NULL.
+ *
+ * Otherwise templates must contain a single 
+ * template and the type is treated in the
+ * same way as the type specified in the template.
+ *
+ * For SEQUENCE types the templates field points
+ * to the members, the size field is the
+ * structure size.
+ *
+ * For CHOICE types the templates field points
+ * to each possible member (typically a union)
+ * and the 'size' field is the offset of the
+ * selector.
+ *
+ * The 'funcs' field is used for application
+ * specific functions. 
+ *
+ * For COMPAT types the funcs field gives a
+ * set of functions that handle this type, this
+ * supports the old d2i, i2d convention.
+ *
+ * The EXTERN type uses a new style d2i/i2d.
+ * The new style should be used where possible
+ * because it avoids things like the d2i IMPLICIT
+ * hack.
+ *
+ * MSTRING is a multiple string type, it is used
+ * for a CHOICE of character strings where the
+ * actual strings all occupy an ASN1_STRING
+ * structure. In this case the 'utype' field
+ * has a special meaning, it is used as a mask
+ * of acceptable types using the B_ASN1 constants.
+ *
+ */
+
+#define ASN1_ITYPE_PRIMITIVE    0x0
+
+#define ASN1_ITYPE_SEQUENCE     0x1
+
+#define ASN1_ITYPE_CHOICE       0x2
+
+#define ASN1_ITYPE_COMPAT       0x3
+
+#define ASN1_ITYPE_EXTERN       0x4
+
+#define ASN1_ITYPE_MSTRING      0x5
+
+/* Cache for ASN1 tag and length, so we
+ * don't keep re-reading it for things
+ * like CHOICE
+ */
+
+struct ASN1_TLC_st{
+        char valid;     /* Values below are valid */
+        int ret;        /* return value */
+        long plen;      /* length */
+        int ptag;       /* class value */
+        int pclass;     /* class value */
+        int hdrlen;     /* header length */
+};
+
+/* Typedefs for ASN1 function pointers */
+
+typedef ASN1_VALUE * ASN1_new_func(void);
+typedef void ASN1_free_func(ASN1_VALUE *a);
+typedef ASN1_VALUE * ASN1_d2i_func(ASN1_VALUE **a, unsigned char ** in, long length);
+typedef int ASN1_i2d_func(ASN1_VALUE * a, unsigned char **in);
+
+typedef int ASN1_ex_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_ITEM *it,
+                                        int tag, int aclass, char opt, ASN1_TLC *ctx);
+
+typedef int ASN1_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass);
+typedef int ASN1_ex_new_func(ASN1_VALUE **pval, const ASN1_ITEM *it);
+typedef void ASN1_ex_free_func(ASN1_VALUE **pval, const ASN1_ITEM *it);
+
+typedef int ASN1_primitive_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it);
+typedef int ASN1_primitive_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it);
+
+typedef struct ASN1_COMPAT_FUNCS_st {
+        ASN1_new_func *asn1_new;
+        ASN1_free_func *asn1_free;
+        ASN1_d2i_func *asn1_d2i;
+        ASN1_i2d_func *asn1_i2d;
+} ASN1_COMPAT_FUNCS;
+
+typedef struct ASN1_EXTERN_FUNCS_st {
+        void *app_data;
+        ASN1_ex_new_func *asn1_ex_new;
+        ASN1_ex_free_func *asn1_ex_free;
+        ASN1_ex_free_func *asn1_ex_clear;
+        ASN1_ex_d2i *asn1_ex_d2i;
+        ASN1_ex_i2d *asn1_ex_i2d;
+} ASN1_EXTERN_FUNCS;
+
+typedef struct ASN1_PRIMITIVE_FUNCS_st {
+        void *app_data;
+        unsigned long flags;
+        ASN1_ex_new_func *prim_new;
+        ASN1_ex_free_func *prim_free;
+        ASN1_ex_free_func *prim_clear;
+        ASN1_primitive_c2i *prim_c2i;
+        ASN1_primitive_i2c *prim_i2c;
+} ASN1_PRIMITIVE_FUNCS;
+
+/* This is the ASN1_AUX structure: it handles various
+ * miscellaneous requirements. For example the use of
+ * reference counts and an informational callback.
+ *
+ * The "informational callback" is called at various
+ * points during the ASN1 encoding and decoding. It can
+ * be used to provide minor customisation of the structures
+ * used. This is most useful where the supplied routines
+ * *almost* do the right thing but need some extra help
+ * at a few points. If the callback returns zero then
+ * it is assumed a fatal error has occurred and the 
+ * main operation should be abandoned.
+ *
+ * If major changes in the default behaviour are required
+ * then an external type is more appropriate.
+ */
+
+typedef int ASN1_aux_cb(int operation, ASN1_VALUE **in, const ASN1_ITEM *it);
+
+typedef struct ASN1_AUX_st {
+        void *app_data;
+        int flags;
+        int ref_offset;         /* Offset of reference value */
+        int ref_lock;           /* Lock type to use */
+        ASN1_aux_cb *asn1_cb;
+        int enc_offset;         /* Offset of ASN1_ENCODING structure */
+} ASN1_AUX;
+
+/* Flags in ASN1_AUX */
+
+/* Use a reference count */
+#define ASN1_AFLG_REFCOUNT      1
+/* Save the encoding of structure (useful for signatures) */
+#define ASN1_AFLG_ENCODING      2
+/* The Sequence length is invalid */
+#define ASN1_AFLG_BROKEN        4
+
+/* operation values for asn1_cb */
+
+#define ASN1_OP_NEW_PRE         0
+#define ASN1_OP_NEW_POST        1
+#define ASN1_OP_FREE_PRE        2
+#define ASN1_OP_FREE_POST       3
+#define ASN1_OP_D2I_PRE         4
+#define ASN1_OP_D2I_POST        5
+#define ASN1_OP_I2D_PRE         6
+#define ASN1_OP_I2D_POST        7
+
+/* Macro to implement a primitive type */
+#define IMPLEMENT_ASN1_TYPE(stname) IMPLEMENT_ASN1_TYPE_ex(stname, stname, 0)
+#define IMPLEMENT_ASN1_TYPE_ex(itname, vname, ex) \
+                                ASN1_ITEM_start(itname) \
+                                        ASN1_ITYPE_PRIMITIVE, V_##vname, NULL, 0, NULL, ex, #itname \
+                                ASN1_ITEM_end(itname)
+
+/* Macro to implement a multi string type */
+#define IMPLEMENT_ASN1_MSTRING(itname, mask) \
+                                ASN1_ITEM_start(itname) \
+                                        ASN1_ITYPE_MSTRING, mask, NULL, 0, NULL, sizeof(ASN1_STRING), #itname \
+                                ASN1_ITEM_end(itname)
+
+/* Macro to implement an ASN1_ITEM in terms of old style funcs */
+
+#define IMPLEMENT_COMPAT_ASN1(sname) IMPLEMENT_COMPAT_ASN1_type(sname, V_ASN1_SEQUENCE)
+
+#define IMPLEMENT_COMPAT_ASN1_type(sname, tag) \
+        static const ASN1_COMPAT_FUNCS sname##_ff = { \
+                (ASN1_new_func *)sname##_new, \
+                (ASN1_free_func *)sname##_free, \
+                (ASN1_d2i_func *)d2i_##sname, \
+                (ASN1_i2d_func *)i2d_##sname, \
+        }; \
+        ASN1_ITEM_start(sname) \
+                ASN1_ITYPE_COMPAT, \
+                tag, \
+                NULL, \
+                0, \
+                &sname##_ff, \
+                0, \
+                #sname \
+        ASN1_ITEM_end(sname)
+
+#define IMPLEMENT_EXTERN_ASN1(sname, tag, fptrs) \
+        ASN1_ITEM_start(sname) \
+                ASN1_ITYPE_EXTERN, \
+                tag, \
+                NULL, \
+                0, \
+                &fptrs, \
+                0, \
+                #sname \
+        ASN1_ITEM_end(sname)
+
+/* Macro to implement standard functions in terms of ASN1_ITEM structures */
+
+#define IMPLEMENT_ASN1_FUNCTIONS(stname) IMPLEMENT_ASN1_FUNCTIONS_fname(stname, stname, stname)
+
+#define IMPLEMENT_ASN1_FUNCTIONS_name(stname, itname) IMPLEMENT_ASN1_FUNCTIONS_fname(stname, itname, itname)
+
+#define IMPLEMENT_ASN1_FUNCTIONS_ENCODE_name(stname, itname) \
+                        IMPLEMENT_ASN1_FUNCTIONS_ENCODE_fname(stname, itname, itname)
+
+#define IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname) \
+        stname *fname##_new(void) \
+        { \
+                return (stname *)ASN1_item_new(ASN1_ITEM_rptr(itname)); \
+        } \
+        void fname##_free(stname *a) \
+        { \
+                ASN1_item_free((ASN1_VALUE *)a, ASN1_ITEM_rptr(itname)); \
+        }
+
+#define IMPLEMENT_ASN1_FUNCTIONS_fname(stname, itname, fname) \
+        IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(stname, itname, fname) \
+        IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname)
+
+#define IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(stname, itname, fname) \
+        stname *d2i_##fname(stname **a, unsigned char **in, long len) \
+        { \
+                return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, ASN1_ITEM_rptr(itname));\
+        } \
+        int i2d_##fname(stname *a, unsigned char **out) \
+        { \
+                return ASN1_item_i2d((ASN1_VALUE *)a, out, ASN1_ITEM_rptr(itname));\
+        } 
+
+/* This includes evil casts to remove const: they will go away when full
+ * ASN1 constification is done.
+ */
+#define IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(stname, itname, fname) \
+        stname *d2i_##fname(stname **a, const unsigned char **in, long len) \
+        { \
+                return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, (unsigned char **)in, len, ASN1_ITEM_rptr(itname));\
+        } \
+        int i2d_##fname(const stname *a, unsigned char **out) \
+        { \
+                return ASN1_item_i2d((ASN1_VALUE *)a, out, ASN1_ITEM_rptr(itname));\
+        } 
+
+#define IMPLEMENT_ASN1_DUP_FUNCTION(stname) \
+        stname * stname##_dup(stname *x) \
+        { \
+        return ASN1_item_dup(ASN1_ITEM_rptr(stname), x); \
+        }
+
+#define IMPLEMENT_ASN1_FUNCTIONS_const(name) \
+                IMPLEMENT_ASN1_FUNCTIONS_const_fname(name, name, name)
+
+#define IMPLEMENT_ASN1_FUNCTIONS_const_fname(stname, itname, fname) \
+        IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(stname, itname, fname) \
+        IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname)
+
+/* external definitions for primitive types */
+
+DECLARE_ASN1_ITEM(ASN1_BOOLEAN)
+DECLARE_ASN1_ITEM(ASN1_TBOOLEAN)
+DECLARE_ASN1_ITEM(ASN1_FBOOLEAN)
+DECLARE_ASN1_ITEM(ASN1_ANY)
+DECLARE_ASN1_ITEM(ASN1_SEQUENCE)
+DECLARE_ASN1_ITEM(CBIGNUM)
+DECLARE_ASN1_ITEM(BIGNUM)
+DECLARE_ASN1_ITEM(LONG)
+DECLARE_ASN1_ITEM(ZLONG)
+
+DECLARE_STACK_OF(ASN1_VALUE)
+
+/* Functions used internally by the ASN1 code */
+
+int ASN1_item_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
+void ASN1_item_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
+int ASN1_template_new(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt);
+int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
+
+void ASN1_template_free(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt);
+int ASN1_template_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_TEMPLATE *tt);
+int ASN1_item_ex_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_ITEM *it,
+                                int tag, int aclass, char opt, ASN1_TLC *ctx);
+
+int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass);
+int ASN1_template_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_TEMPLATE *tt);
+void ASN1_primitive_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
+
+int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it);
+int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it);
+
+int asn1_get_choice_selector(ASN1_VALUE **pval, const ASN1_ITEM *it);
+int asn1_set_choice_selector(ASN1_VALUE **pval, int value, const ASN1_ITEM *it);
+
+ASN1_VALUE ** asn1_get_field_ptr(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt);
+
+const ASN1_TEMPLATE *asn1_do_adb(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt, int nullerr);
+
+int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it);
+
+void asn1_enc_init(ASN1_VALUE **pval, const ASN1_ITEM *it);
+void asn1_enc_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
+int asn1_enc_restore(int *len, unsigned char **out, ASN1_VALUE **pval, const ASN1_ITEM *it);
+int asn1_enc_save(ASN1_VALUE **pval, unsigned char *in, int inlen, const ASN1_ITEM *it);
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libssl/src/crypto/asn1/asn_moid.c b/src/lib/libssl/src/crypto/asn1/asn_moid.c
new file mode 100644
index 0000000000..be20db4bad
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/asn_moid.c
@@ -0,0 +1,95 @@
+/* asn_moid.c */
+/* Written by Stephen Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/dso.h>
+#include <openssl/x509.h>
+
+/* Simple ASN1 OID module: add all objects in a given section */
+
+static int oid_module_init(CONF_IMODULE *md, const CONF *cnf)
+        {
+        int i;
+        const char *oid_section;
+        STACK_OF(CONF_VALUE) *sktmp;
+        CONF_VALUE *oval;
+        oid_section = CONF_imodule_get_value(md);
+        if(!(sktmp = NCONF_get_section(cnf, oid_section)))
+                {
+                ASN1err(ASN1_F_OID_MODULE_INIT, ASN1_R_ERROR_LOADING_SECTION);
+                return 0;
+                }
+        for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++)
+                {
+                oval = sk_CONF_VALUE_value(sktmp, i);
+                if(OBJ_create(oval->value, oval->name, oval->name) == NID_undef)
+                        {
+                        ASN1err(ASN1_F_OID_MODULE_INIT, ASN1_R_ADDING_OBJECT);
+                        return 0;
+                        }
+                }
+        return 1;
+}
+
+void ASN1_add_oid_module(void)
+        {
+        CONF_module_add("oid_section", oid_module_init, 0);
+        }
diff --git a/src/lib/libssl/src/crypto/asn1/asn_pack.c b/src/lib/libssl/src/crypto/asn1/asn_pack.c
new file mode 100644
index 0000000000..662a2626a1
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/asn_pack.c
@@ -0,0 +1,145 @@
+/* asn_pack.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+
+/* ASN1 packing and unpacking functions */
+
+/* Turn an ASN1 encoded SEQUENCE OF into a STACK of structures */
+
+STACK *ASN1_seq_unpack(unsigned char *buf, int len, char *(*d2i)(),
+             void (*free_func)())
+{
+    STACK *sk;
+    unsigned char *pbuf;
+    pbuf =  buf;
+    if (!(sk = d2i_ASN1_SET(NULL, &pbuf, len, d2i, free_func,
+                                        V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL)))
+                 ASN1err(ASN1_F_ASN1_SEQ_UNPACK,ASN1_R_DECODE_ERROR);
+    return sk;
+}
+
+/* Turn a STACK structures into an ASN1 encoded SEQUENCE OF structure in a
+ * Malloc'ed buffer
+ */
+
+unsigned char *ASN1_seq_pack(STACK *safes, int (*i2d)(), unsigned char **buf,
+             int *len)
+{
+        int safelen;
+        unsigned char *safe, *p;
+        if (!(safelen = i2d_ASN1_SET(safes, NULL, i2d, V_ASN1_SEQUENCE,
+                                              V_ASN1_UNIVERSAL, IS_SEQUENCE))) {
+                ASN1err(ASN1_F_ASN1_SEQ_PACK,ASN1_R_ENCODE_ERROR);
+                return NULL;
+        }
+        if (!(safe = Malloc (safelen))) {
+                ASN1err(ASN1_F_ASN1_SEQ_PACK,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        p = safe;
+        i2d_ASN1_SET(safes, &p, i2d, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL,
+                                                                 IS_SEQUENCE);
+        if (len) *len = safelen;
+        if (buf) *buf = safe;
+        return safe;
+}
+
+/* Extract an ASN1 object from an ASN1_STRING */
+
+void *ASN1_unpack_string (ASN1_STRING *oct, char *(*d2i)())
+{
+        unsigned char *p;
+        char *ret;
+
+        p = oct->data;
+        if(!(ret = d2i(NULL, &p, oct->length)))
+                ASN1err(ASN1_F_ASN1_UNPACK_STRING,ASN1_R_DECODE_ERROR);
+        return ret;
+}
+
+/* Pack an ASN1 object into an ASN1_STRING */
+
+ASN1_STRING *ASN1_pack_string (void *obj, int (*i2d)(), ASN1_STRING **oct)
+{
+        unsigned char *p;
+        ASN1_STRING *octmp;
+
+        if (!oct || !*oct) {
+                if (!(octmp = ASN1_STRING_new ())) {
+                        ASN1err(ASN1_F_ASN1_PACK_STRING,ERR_R_MALLOC_FAILURE);
+                        return NULL;
+                }
+                if (oct) *oct = octmp;
+        } else octmp = *oct;
+                
+        if (!(octmp->length = i2d(obj, NULL))) {
+                ASN1err(ASN1_F_ASN1_PACK_STRING,ASN1_R_ENCODE_ERROR);
+                return NULL;
+        }
+        if (!(p = Malloc (octmp->length))) {
+                ASN1err(ASN1_F_ASN1_PACK_STRING,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        octmp->data = p;
+        i2d (obj, &p);
+        return octmp;
+}
+
diff --git a/src/lib/libssl/src/crypto/asn1/charmap.h b/src/lib/libssl/src/crypto/asn1/charmap.h
new file mode 100644
index 0000000000..bd020a9562
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/charmap.h
@@ -0,0 +1,15 @@
+/* Auto generated with chartype.pl script.
+ * Mask of various character properties
+ */
+
+static unsigned char char_type[] = {
+ 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
+ 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
+120, 0, 1,40, 0, 0, 0,16,16,16, 0,25,25,16,16,16,
+16,16,16,16,16,16,16,16,16,16,16, 9, 9,16, 9,16,
+ 0,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,
+16,16,16,16,16,16,16,16,16,16,16, 0, 1, 0, 0, 0,
+ 0,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,
+16,16,16,16,16,16,16,16,16,16,16, 0, 0, 0, 0, 2
+};
+
diff --git a/src/lib/libssl/src/crypto/asn1/charmap.pl b/src/lib/libssl/src/crypto/asn1/charmap.pl
new file mode 100644
index 0000000000..2875c59867
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/charmap.pl
@@ -0,0 +1,80 @@
+#!/usr/local/bin/perl -w
+
+use strict;
+
+my ($i, @arr);
+
+# Set up an array with the type of ASCII characters
+# Each set bit represents a character property.
+
+# RFC2253 character properties
+my $RFC2253_ESC = 1;    # Character escaped with \
+my $ESC_CTRL    = 2;    # Escaped control character
+# These are used with RFC1779 quoting using "
+my $NOESC_QUOTE = 8;    # Not escaped if quoted
+my $PSTRING_CHAR = 0x10;        # Valid PrintableString character
+my $RFC2253_FIRST_ESC = 0x20; # Escaped with \ if first character
+my $RFC2253_LAST_ESC = 0x40;  # Escaped with \ if last character
+
+for($i = 0; $i < 128; $i++) {
+        # Set the RFC2253 escape characters (control)
+        $arr[$i] = 0;
+        if(($i < 32) || ($i > 126)) {
+                $arr[$i] |= $ESC_CTRL;
+        }
+
+        # Some PrintableString characters
+        if(                ( ( $i >= ord("a")) && ( $i <= ord("z")) )
+                        || (  ( $i >= ord("A")) && ( $i <= ord("Z")) )
+                        || (  ( $i >= ord("0")) && ( $i <= ord("9")) )  ) {
+                $arr[$i] |= $PSTRING_CHAR;
+        }
+}
+
+# Now setup the rest
+
+# Remaining RFC2253 escaped characters
+
+$arr[ord(" ")] |= $NOESC_QUOTE | $RFC2253_FIRST_ESC | $RFC2253_LAST_ESC;
+$arr[ord("#")] |= $NOESC_QUOTE | $RFC2253_FIRST_ESC;
+
+$arr[ord(",")] |= $NOESC_QUOTE | $RFC2253_ESC;
+$arr[ord("+")] |= $NOESC_QUOTE | $RFC2253_ESC;
+$arr[ord("\"")] |= $RFC2253_ESC;
+$arr[ord("\\")] |= $RFC2253_ESC;
+$arr[ord("<")] |= $NOESC_QUOTE | $RFC2253_ESC;
+$arr[ord(">")] |= $NOESC_QUOTE | $RFC2253_ESC;
+$arr[ord(";")] |= $NOESC_QUOTE | $RFC2253_ESC;
+
+# Remaining PrintableString characters
+
+$arr[ord(" ")] |= $PSTRING_CHAR;
+$arr[ord("'")] |= $PSTRING_CHAR;
+$arr[ord("(")] |= $PSTRING_CHAR;
+$arr[ord(")")] |= $PSTRING_CHAR;
+$arr[ord("+")] |= $PSTRING_CHAR;
+$arr[ord(",")] |= $PSTRING_CHAR;
+$arr[ord("-")] |= $PSTRING_CHAR;
+$arr[ord(".")] |= $PSTRING_CHAR;
+$arr[ord("/")] |= $PSTRING_CHAR;
+$arr[ord(":")] |= $PSTRING_CHAR;
+$arr[ord("=")] |= $PSTRING_CHAR;
+$arr[ord("?")] |= $PSTRING_CHAR;
+
+# Now generate the C code
+
+print <<EOF;
+/* Auto generated with chartype.pl script.
+ * Mask of various character properties
+ */
+
+static unsigned char char_type[] = {
+EOF
+
+for($i = 0; $i < 128; $i++) {
+        print("\n") if($i && (($i % 16) == 0));
+        printf("%2d", $arr[$i]);
+        print(",") if ($i != 127);
+}
+print("\n};\n\n");
+
diff --git a/src/lib/libssl/src/crypto/asn1/f_enum.c b/src/lib/libssl/src/crypto/asn1/f_enum.c
new file mode 100644
index 0000000000..3bcceecdb8
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/f_enum.c
@@ -0,0 +1,207 @@
+/* crypto/asn1/f_enum.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/asn1.h>
+
+/* Based on a_int.c: equivalent ENUMERATED functions */
+
+int i2a_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *a)
+        {
+        int i,n=0;
+        static const char *h="0123456789ABCDEF";
+        char buf[2];
+
+        if (a == NULL) return(0);
+
+        if (a->length == 0)
+                {
+                if (BIO_write(bp,"00",2) != 2) goto err;
+                n=2;
+                }
+        else
+                {
+                for (i=0; i<a->length; i++)
+                        {
+                        if ((i != 0) && (i%35 == 0))
+                                {
+                                if (BIO_write(bp,"\\\n",2) != 2) goto err;
+                                n+=2;
+                                }
+                        buf[0]=h[((unsigned char)a->data[i]>>4)&0x0f];
+                        buf[1]=h[((unsigned char)a->data[i]   )&0x0f];
+                        if (BIO_write(bp,buf,2) != 2) goto err;
+                        n+=2;
+                        }
+                }
+        return(n);
+err:
+        return(-1);
+        }
+
+int a2i_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *bs, char *buf, int size)
+        {
+        int ret=0;
+        int i,j,k,m,n,again,bufsize;
+        unsigned char *s=NULL,*sp;
+        unsigned char *bufp;
+        int num=0,slen=0,first=1;
+
+        bs->type=V_ASN1_ENUMERATED;
+
+        bufsize=BIO_gets(bp,buf,size);
+        for (;;)
+                {
+                if (bufsize < 1) goto err_sl;
+                i=bufsize;
+                if (buf[i-1] == '\n') buf[--i]='\0';
+                if (i == 0) goto err_sl;
+                if (buf[i-1] == '\r') buf[--i]='\0';
+                if (i == 0) goto err_sl;
+                again=(buf[i-1] == '\\');
+
+                for (j=0; j<i; j++)
+                        {
+                        if (!(  ((buf[j] >= '0') && (buf[j] <= '9')) ||
+                                ((buf[j] >= 'a') && (buf[j] <= 'f')) ||
+                                ((buf[j] >= 'A') && (buf[j] <= 'F'))))
+                                {
+                                i=j;
+                                break;
+                                }
+                        }
+                buf[i]='\0';
+                /* We have now cleared all the crap off the end of the
+                 * line */
+                if (i < 2) goto err_sl;
+
+                bufp=(unsigned char *)buf;
+                if (first)
+                        {
+                        first=0;
+                        if ((bufp[0] == '0') && (buf[1] == '0'))
+                                {
+                                bufp+=2;
+                                i-=2;
+                                }
+                        }
+                k=0;
+                i-=again;
+                if (i%2 != 0)
+                        {
+                        ASN1err(ASN1_F_A2I_ASN1_ENUMERATED,ASN1_R_ODD_NUMBER_OF_CHARS);
+                        goto err;
+                        }
+                i/=2;
+                if (num+i > slen)
+                        {
+                        if (s == NULL)
+                                sp=(unsigned char *)Malloc(
+                                        (unsigned int)num+i*2);
+                        else
+                                sp=(unsigned char *)Realloc(s,
+                                        (unsigned int)num+i*2);
+                        if (sp == NULL)
+                                {
+                                ASN1err(ASN1_F_A2I_ASN1_ENUMERATED,ERR_R_MALLOC_FAILURE);
+                                if (s != NULL) Free((char *)s);
+                                goto err;
+                                }
+                        s=sp;
+                        slen=num+i*2;
+                        }
+                for (j=0; j<i; j++,k+=2)
+                        {
+                        for (n=0; n<2; n++)
+                                {
+                                m=bufp[k+n];
+                                if ((m >= '0') && (m <= '9'))
+                                        m-='0';
+                                else if ((m >= 'a') && (m <= 'f'))
+                                        m=m-'a'+10;
+                                else if ((m >= 'A') && (m <= 'F'))
+                                        m=m-'A'+10;
+                                else
+                                        {
+                                        ASN1err(ASN1_F_A2I_ASN1_ENUMERATED,ASN1_R_NON_HEX_CHARACTERS);
+                                        goto err;
+                                        }
+                                s[num+j]<<=4;
+                                s[num+j]|=m;
+                                }
+                        }
+                num+=i;
+                if (again)
+                        bufsize=BIO_gets(bp,buf,size);
+                else
+                        break;
+                }
+        bs->length=num;
+        bs->data=s;
+        ret=1;
+err:
+        if (0)
+                {
+err_sl:
+                ASN1err(ASN1_F_A2I_ASN1_ENUMERATED,ASN1_R_SHORT_LINE);
+                }
+        return(ret);
+        }
+
diff --git a/src/lib/libssl/src/crypto/asn1/nsseq.c b/src/lib/libssl/src/crypto/asn1/nsseq.c
new file mode 100644
index 0000000000..417d024b81
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/nsseq.c
@@ -0,0 +1,118 @@
+/* nsseq.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/err.h>
+#include <openssl/x509.h>
+#include <openssl/objects.h>
+
+/* Netscape certificate sequence structure */
+
+int i2d_NETSCAPE_CERT_SEQUENCE(NETSCAPE_CERT_SEQUENCE *a, unsigned char **pp)
+{
+        int v = 0;
+        M_ASN1_I2D_vars(a);
+        M_ASN1_I2D_len (a->type, i2d_ASN1_OBJECT);
+        M_ASN1_I2D_len_EXP_SEQUENCE_opt_type(X509,a->certs,i2d_X509,0,
+                                             V_ASN1_SEQUENCE,v);
+
+        M_ASN1_I2D_seq_total();
+
+        M_ASN1_I2D_put (a->type, i2d_ASN1_OBJECT);
+        M_ASN1_I2D_put_EXP_SEQUENCE_opt_type(X509,a->certs,i2d_X509,0,
+                                             V_ASN1_SEQUENCE,v);
+
+        M_ASN1_I2D_finish();
+}
+
+NETSCAPE_CERT_SEQUENCE *NETSCAPE_CERT_SEQUENCE_new(void)
+{
+        NETSCAPE_CERT_SEQUENCE *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, NETSCAPE_CERT_SEQUENCE);
+        /* Note hardcoded object type */
+        ret->type = OBJ_nid2obj(NID_netscape_cert_sequence);
+        ret->certs = NULL;
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_NETSCAPE_CERT_SEQUENCE_NEW);
+}
+
+NETSCAPE_CERT_SEQUENCE *d2i_NETSCAPE_CERT_SEQUENCE(NETSCAPE_CERT_SEQUENCE **a,
+             unsigned char **pp, long length)
+{
+        M_ASN1_D2I_vars(a,NETSCAPE_CERT_SEQUENCE *,
+                                        NETSCAPE_CERT_SEQUENCE_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get (ret->type, d2i_ASN1_OBJECT);
+        M_ASN1_D2I_get_EXP_set_opt_type(X509,ret->certs,d2i_X509,X509_free,0,
+                                        V_ASN1_SEQUENCE);
+        M_ASN1_D2I_Finish(a, NETSCAPE_CERT_SEQUENCE_free,
+                          ASN1_F_D2I_NETSCAPE_CERT_SEQUENCE);
+}
+
+void NETSCAPE_CERT_SEQUENCE_free (NETSCAPE_CERT_SEQUENCE *a)
+{
+        if (a == NULL) return;
+        ASN1_OBJECT_free(a->type);
+        if(a->certs)
+            sk_X509_pop_free(a->certs, X509_free);
+        Free (a);
+}
diff --git a/src/lib/libssl/src/crypto/asn1/p5_pbe.c b/src/lib/libssl/src/crypto/asn1/p5_pbe.c
new file mode 100644
index 0000000000..b831836e7b
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/p5_pbe.c
@@ -0,0 +1,156 @@
+/* p5_pbe.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+#include <openssl/rand.h>
+
+/* PKCS#5 password based encryption structure */
+
+int i2d_PBEPARAM(PBEPARAM *a, unsigned char **pp)
+{
+        M_ASN1_I2D_vars(a);
+        M_ASN1_I2D_len (a->salt, i2d_ASN1_OCTET_STRING);
+        M_ASN1_I2D_len (a->iter, i2d_ASN1_INTEGER);
+
+        M_ASN1_I2D_seq_total ();
+
+        M_ASN1_I2D_put (a->salt, i2d_ASN1_OCTET_STRING);
+        M_ASN1_I2D_put (a->iter, i2d_ASN1_INTEGER);
+        M_ASN1_I2D_finish();
+}
+
+PBEPARAM *PBEPARAM_new(void)
+{
+        PBEPARAM *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, PBEPARAM);
+        M_ASN1_New(ret->iter,ASN1_INTEGER_new);
+        M_ASN1_New(ret->salt,ASN1_OCTET_STRING_new);
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_PBEPARAM_NEW);
+}
+
+PBEPARAM *d2i_PBEPARAM(PBEPARAM **a, unsigned char **pp, long length)
+{
+        M_ASN1_D2I_vars(a,PBEPARAM *,PBEPARAM_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get (ret->salt, d2i_ASN1_OCTET_STRING);
+        M_ASN1_D2I_get (ret->iter, d2i_ASN1_INTEGER);
+        M_ASN1_D2I_Finish(a, PBEPARAM_free, ASN1_F_D2I_PBEPARAM);
+}
+
+void PBEPARAM_free (PBEPARAM *a)
+{
+        if(a==NULL) return;
+        ASN1_OCTET_STRING_free(a->salt);
+        ASN1_INTEGER_free (a->iter);
+        Free ((char *)a);
+}
+
+/* Return an algorithm identifier for a PKCS#5 PBE algorithm */
+
+X509_ALGOR *PKCS5_pbe_set(int alg, int iter, unsigned char *salt,
+             int saltlen)
+{
+        PBEPARAM *pbe;
+        ASN1_OBJECT *al;
+        X509_ALGOR *algor;
+        ASN1_TYPE *astype;
+
+        if (!(pbe = PBEPARAM_new ())) {
+                ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        if(iter <= 0) iter = PKCS5_DEFAULT_ITER;
+        ASN1_INTEGER_set (pbe->iter, iter);
+        if (!saltlen) saltlen = PKCS5_SALT_LEN;
+        if (!(pbe->salt->data = Malloc (saltlen))) {
+                ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        pbe->salt->length = saltlen;
+        if (salt) memcpy (pbe->salt->data, salt, saltlen);
+        else RAND_bytes (pbe->salt->data, saltlen);
+
+        if (!(astype = ASN1_TYPE_new())) {
+                ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        astype->type = V_ASN1_SEQUENCE;
+        if(!ASN1_pack_string(pbe, i2d_PBEPARAM, &astype->value.sequence)) {
+                ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        PBEPARAM_free (pbe);
+        
+        al = OBJ_nid2obj(alg); /* never need to free al */
+        if (!(algor = X509_ALGOR_new())) {
+                ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        ASN1_OBJECT_free(algor->algorithm);
+        algor->algorithm = al;
+        algor->parameter = astype;
+
+        return (algor);
+}
diff --git a/src/lib/libssl/src/crypto/asn1/p5_pbev2.c b/src/lib/libssl/src/crypto/asn1/p5_pbev2.c
new file mode 100644
index 0000000000..09f4bf6112
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/p5_pbev2.c
@@ -0,0 +1,274 @@
+/* p5_pbev2.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+#include <openssl/rand.h>
+
+/* PKCS#5 v2.0 password based encryption structures */
+
+int i2d_PBE2PARAM(PBE2PARAM *a, unsigned char **pp)
+{
+        M_ASN1_I2D_vars(a);
+        M_ASN1_I2D_len (a->keyfunc, i2d_X509_ALGOR);
+        M_ASN1_I2D_len (a->encryption, i2d_X509_ALGOR);
+
+        M_ASN1_I2D_seq_total ();
+
+        M_ASN1_I2D_put (a->keyfunc, i2d_X509_ALGOR);
+        M_ASN1_I2D_put (a->encryption, i2d_X509_ALGOR);
+
+        M_ASN1_I2D_finish();
+}
+
+PBE2PARAM *PBE2PARAM_new(void)
+{
+        PBE2PARAM *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, PBE2PARAM);
+        M_ASN1_New(ret->keyfunc,X509_ALGOR_new);
+        M_ASN1_New(ret->encryption,X509_ALGOR_new);
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_PBE2PARAM_NEW);
+}
+
+PBE2PARAM *d2i_PBE2PARAM(PBE2PARAM **a, unsigned char **pp, long length)
+{
+        M_ASN1_D2I_vars(a,PBE2PARAM *,PBE2PARAM_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get (ret->keyfunc, d2i_X509_ALGOR);
+        M_ASN1_D2I_get (ret->encryption, d2i_X509_ALGOR);
+        M_ASN1_D2I_Finish(a, PBE2PARAM_free, ASN1_F_D2I_PBE2PARAM);
+}
+
+void PBE2PARAM_free (PBE2PARAM *a)
+{
+        if(a==NULL) return;
+        X509_ALGOR_free(a->keyfunc);
+        X509_ALGOR_free(a->encryption);
+        Free ((char *)a);
+}
+
+int i2d_PBKDF2PARAM(PBKDF2PARAM *a, unsigned char **pp)
+{
+        M_ASN1_I2D_vars(a);
+        M_ASN1_I2D_len (a->salt, i2d_ASN1_TYPE);
+        M_ASN1_I2D_len (a->iter, i2d_ASN1_INTEGER);
+        M_ASN1_I2D_len (a->keylength, i2d_ASN1_INTEGER);
+        M_ASN1_I2D_len (a->prf, i2d_X509_ALGOR);
+
+        M_ASN1_I2D_seq_total ();
+
+        M_ASN1_I2D_put (a->salt, i2d_ASN1_TYPE);
+        M_ASN1_I2D_put (a->iter, i2d_ASN1_INTEGER);
+        M_ASN1_I2D_put (a->keylength, i2d_ASN1_INTEGER);
+        M_ASN1_I2D_put (a->prf, i2d_X509_ALGOR);
+
+        M_ASN1_I2D_finish();
+}
+
+PBKDF2PARAM *PBKDF2PARAM_new(void)
+{
+        PBKDF2PARAM *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, PBKDF2PARAM);
+        M_ASN1_New(ret->salt, ASN1_TYPE_new);
+        M_ASN1_New(ret->iter, ASN1_INTEGER_new);
+        ret->keylength = NULL;
+        ret->prf = NULL;
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_PBKDF2PARAM_NEW);
+}
+
+PBKDF2PARAM *d2i_PBKDF2PARAM(PBKDF2PARAM **a, unsigned char **pp,
+             long length)
+{
+        M_ASN1_D2I_vars(a,PBKDF2PARAM *,PBKDF2PARAM_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get (ret->salt, d2i_ASN1_TYPE);
+        M_ASN1_D2I_get (ret->iter, d2i_ASN1_INTEGER);
+        M_ASN1_D2I_get_opt (ret->keylength, d2i_ASN1_INTEGER, V_ASN1_INTEGER);
+        M_ASN1_D2I_get_opt (ret->prf, d2i_X509_ALGOR, V_ASN1_SEQUENCE);
+        M_ASN1_D2I_Finish(a, PBKDF2PARAM_free, ASN1_F_D2I_PBKDF2PARAM);
+}
+
+void PBKDF2PARAM_free (PBKDF2PARAM *a)
+{
+        if(a==NULL) return;
+        ASN1_TYPE_free(a->salt);
+        ASN1_INTEGER_free(a->iter);
+        ASN1_INTEGER_free(a->keylength);
+        X509_ALGOR_free(a->prf);
+        Free ((char *)a);
+}
+
+/* Return an algorithm identifier for a PKCS#5 v2.0 PBE algorithm:
+ * yes I know this is horrible!
+ */
+
+X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
+                                 unsigned char *salt, int saltlen)
+{
+        X509_ALGOR *scheme = NULL, *kalg = NULL, *ret = NULL;
+        int alg_nid;
+        EVP_CIPHER_CTX ctx;
+        unsigned char iv[EVP_MAX_IV_LENGTH];
+        PBKDF2PARAM *kdf = NULL;
+        PBE2PARAM *pbe2 = NULL;
+        ASN1_OCTET_STRING *osalt = NULL;
+
+        if(!(pbe2 = PBE2PARAM_new())) goto merr;
+
+        /* Setup the AlgorithmIdentifier for the encryption scheme */
+        scheme = pbe2->encryption;
+
+        alg_nid = EVP_CIPHER_type(cipher);
+
+        scheme->algorithm = OBJ_nid2obj(alg_nid);
+        if(!(scheme->parameter = ASN1_TYPE_new())) goto merr;
+
+        /* Create random IV */
+        RAND_bytes(iv, EVP_CIPHER_iv_length(cipher));
+
+        /* Dummy cipherinit to just setup the IV */
+        EVP_CipherInit(&ctx, cipher, NULL, iv, 0);
+        if(EVP_CIPHER_param_to_asn1(&ctx, scheme->parameter) < 0) {
+                ASN1err(ASN1_F_PKCS5_PBE2_SET,
+                                        ASN1_R_ERROR_SETTING_CIPHER_PARAMS);
+                goto err;
+        }
+        EVP_CIPHER_CTX_cleanup(&ctx);
+
+        if(!(kdf = PBKDF2PARAM_new())) goto merr;
+        if(!(osalt = ASN1_OCTET_STRING_new())) goto merr;
+
+        if (!saltlen) saltlen = PKCS5_SALT_LEN;
+        if (!(osalt->data = Malloc (saltlen))) goto merr;
+        osalt->length = saltlen;
+        if (salt) memcpy (osalt->data, salt, saltlen);
+        else RAND_bytes (osalt->data, saltlen);
+
+        if(iter <= 0) iter = PKCS5_DEFAULT_ITER;
+        if(!ASN1_INTEGER_set(kdf->iter, iter)) goto merr;
+
+        /* Now include salt in kdf structure */
+        kdf->salt->value.octet_string = osalt;
+        kdf->salt->type = V_ASN1_OCTET_STRING;
+        osalt = NULL;
+
+        /* If its RC2 then we'd better setup the key length */
+
+        if(alg_nid == NID_rc2_cbc) {
+                if(!(kdf->keylength = ASN1_INTEGER_new())) goto merr;
+                if(!ASN1_INTEGER_set (kdf->keylength,
+                                 EVP_CIPHER_key_length(cipher))) goto merr;
+        }
+
+        /* prf can stay NULL because we are using hmacWithSHA1 */
+
+        /* Now setup the PBE2PARAM keyfunc structure */
+
+        pbe2->keyfunc->algorithm = OBJ_nid2obj(NID_id_pbkdf2);
+
+        /* Encode PBKDF2PARAM into parameter of pbe2 */
+
+        if(!(pbe2->keyfunc->parameter = ASN1_TYPE_new())) goto merr;
+
+        if(!ASN1_pack_string(kdf, i2d_PBKDF2PARAM,
+                         &pbe2->keyfunc->parameter->value.sequence)) goto merr;
+        pbe2->keyfunc->parameter->type = V_ASN1_SEQUENCE;
+
+        PBKDF2PARAM_free(kdf);
+        kdf = NULL;
+
+        /* Now set up top level AlgorithmIdentifier */
+
+        if(!(ret = X509_ALGOR_new())) goto merr;
+        if(!(ret->parameter = ASN1_TYPE_new())) goto merr;
+
+        ret->algorithm = OBJ_nid2obj(NID_pbes2);
+
+        /* Encode PBE2PARAM into parameter */
+
+        if(!ASN1_pack_string(pbe2, i2d_PBE2PARAM,
+                                 &ret->parameter->value.sequence)) goto merr;
+        ret->parameter->type = V_ASN1_SEQUENCE;
+
+        PBE2PARAM_free(pbe2);
+        pbe2 = NULL;
+
+        return ret;
+
+        merr:
+        ASN1err(ASN1_F_PKCS5_PBE2_SET,ERR_R_MALLOC_FAILURE);
+
+        err:
+        PBE2PARAM_free(pbe2);
+        /* Note 'scheme' is freed as part of pbe2 */
+        ASN1_OCTET_STRING_free(osalt);
+        PBKDF2PARAM_free(kdf);
+        X509_ALGOR_free(kalg);
+        X509_ALGOR_free(ret);
+
+        return NULL;
+
+}
diff --git a/src/lib/libssl/src/crypto/asn1/p8_key.c b/src/lib/libssl/src/crypto/asn1/p8_key.c
new file mode 100644
index 0000000000..0b24374627
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/p8_key.c
@@ -0,0 +1,131 @@
+/* crypto/asn1/p8_key.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/objects.h>
+
+int i2d_X509_KEY(X509 *a, unsigned char **pp)
+        {
+        M_ASN1_I2D_vars(a);
+
+        M_ASN1_I2D_len(a->cert_info,    i2d_X509_CINF);
+        M_ASN1_I2D_len(a->sig_alg,      i2d_X509_ALGOR);
+        M_ASN1_I2D_len(a->signature,    i2d_ASN1_BIT_STRING);
+
+        M_ASN1_I2D_seq_total();
+
+        M_ASN1_I2D_put(a->cert_info,    i2d_X509_CINF);
+        M_ASN1_I2D_put(a->sig_alg,      i2d_X509_ALGOR);
+        M_ASN1_I2D_put(a->signature,    i2d_ASN1_BIT_STRING);
+
+        M_ASN1_I2D_finish();
+        }
+
+X509 *d2i_X509_KEY(X509 **a, unsigned char **pp, long length)
+        {
+        M_ASN1_D2I_vars(a,X509 *,X509_new);
+
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get(ret->cert_info,d2i_X509_CINF);
+        M_ASN1_D2I_get(ret->sig_alg,d2i_X509_ALGOR);
+        M_ASN1_D2I_get(ret->signature,d2i_ASN1_BIT_STRING);
+        M_ASN1_D2I_Finish(a,X509_free,ASN1_F_D2I_X509);
+        }
+
+X509 *X509_KEY_new(void)
+        {
+        X509_KEY *ret=NULL;
+
+        M_ASN1_New_Malloc(ret,X509_KEY);
+        ret->references=1;
+        ret->type=NID
+        M_ASN1_New(ret->cert_info,X509_CINF_new);
+        M_ASN1_New(ret->sig_alg,X509_ALGOR_new);
+        M_ASN1_New(ret->signature,ASN1_BIT_STRING_new);
+        return(ret);
+        M_ASN1_New_Error(ASN1_F_X509_NEW);
+        }
+
+void X509_KEY_free(X509 *a)
+        {
+        int i;
+
+        if (a == NULL) return;
+
+        i=CRYPTO_add_lock(&a->references,-1,CRYPTO_LOCK_X509_KEY);
+#ifdef REF_PRINT
+        REF_PRINT("X509_KEY",a);
+#endif
+        if (i > 0) return;
+#ifdef REF_CHECK
+        if (i < 0)
+                {
+                fprintf(stderr,"X509_KEY_free, bad reference count\n");
+                abort();
+                }
+#endif
+
+        X509_CINF_free(a->cert_info);
+        X509_ALGOR_free(a->sig_alg);
+        ASN1_BIT_STRING_free(a->signature);
+        Free(a);
+        }
+
diff --git a/src/lib/libssl/src/crypto/asn1/p8_pkey.c b/src/lib/libssl/src/crypto/asn1/p8_pkey.c
new file mode 100644
index 0000000000..aa9a4f6c96
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/p8_pkey.c
@@ -0,0 +1,129 @@
+/* p8_pkey.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+int i2d_PKCS8_PRIV_KEY_INFO (PKCS8_PRIV_KEY_INFO *a, unsigned char **pp)
+{
+
+        M_ASN1_I2D_vars(a);
+
+        M_ASN1_I2D_len (a->version, i2d_ASN1_INTEGER);
+        M_ASN1_I2D_len (a->pkeyalg, i2d_X509_ALGOR);
+        M_ASN1_I2D_len (a->pkey, i2d_ASN1_TYPE);
+        M_ASN1_I2D_len_IMP_SET_opt_type (X509_ATTRIBUTE, a->attributes,
+                                         i2d_X509_ATTRIBUTE, 0);
+        
+        M_ASN1_I2D_seq_total ();
+
+        M_ASN1_I2D_put (a->version, i2d_ASN1_INTEGER);
+        M_ASN1_I2D_put (a->pkeyalg, i2d_X509_ALGOR);
+        M_ASN1_I2D_put (a->pkey, i2d_ASN1_TYPE);
+        M_ASN1_I2D_put_IMP_SET_opt_type (X509_ATTRIBUTE, a->attributes,
+                                         i2d_X509_ATTRIBUTE, 0);
+
+        M_ASN1_I2D_finish();
+}
+
+PKCS8_PRIV_KEY_INFO *PKCS8_PRIV_KEY_INFO_new(void)
+{
+        PKCS8_PRIV_KEY_INFO *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, PKCS8_PRIV_KEY_INFO);
+        M_ASN1_New (ret->version, ASN1_INTEGER_new);
+        M_ASN1_New (ret->pkeyalg, X509_ALGOR_new);
+        M_ASN1_New (ret->pkey, ASN1_TYPE_new);
+        ret->attributes = NULL;
+        ret->broken = PKCS8_OK;
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_PKCS8_PRIV_KEY_INFO_NEW);
+}
+
+PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO(PKCS8_PRIV_KEY_INFO **a,
+             unsigned char **pp, long length)
+{
+        M_ASN1_D2I_vars(a,PKCS8_PRIV_KEY_INFO *,PKCS8_PRIV_KEY_INFO_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get (ret->version, d2i_ASN1_INTEGER);
+        M_ASN1_D2I_get (ret->pkeyalg, d2i_X509_ALGOR);
+        M_ASN1_D2I_get (ret->pkey, d2i_ASN1_TYPE);
+        M_ASN1_D2I_get_IMP_set_opt_type(X509_ATTRIBUTE, ret->attributes,
+                                        d2i_X509_ATTRIBUTE,
+                                        X509_ATTRIBUTE_free, 0);
+        if (ASN1_TYPE_get(ret->pkey) == V_ASN1_SEQUENCE) 
+                                                ret->broken = PKCS8_NO_OCTET;
+        M_ASN1_D2I_Finish(a, PKCS8_PRIV_KEY_INFO_free, ASN1_F_D2I_PKCS8_PRIV_KEY_INFO);
+}
+
+void PKCS8_PRIV_KEY_INFO_free (PKCS8_PRIV_KEY_INFO *a)
+{
+        if (a == NULL) return;
+        ASN1_INTEGER_free (a->version);
+        X509_ALGOR_free(a->pkeyalg);
+        /* Clear sensitive data */
+        if (a->pkey->value.octet_string)
+                memset (a->pkey->value.octet_string->data,
+                                 0, a->pkey->value.octet_string->length);
+        ASN1_TYPE_free (a->pkey);
+        sk_X509_ATTRIBUTE_pop_free (a->attributes, X509_ATTRIBUTE_free);
+        Free (a);
+}
diff --git a/src/lib/libssl/src/crypto/asn1/t_bitst.c b/src/lib/libssl/src/crypto/asn1/t_bitst.c
new file mode 100644
index 0000000000..8ee789f082
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/t_bitst.c
@@ -0,0 +1,99 @@
+/* t_bitst.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+int ASN1_BIT_STRING_name_print(BIO *out, ASN1_BIT_STRING *bs,
+                                BIT_STRING_BITNAME *tbl, int indent)
+{
+        BIT_STRING_BITNAME *bnam;
+        char first = 1;
+        BIO_printf(out, "%*s", indent, "");
+        for(bnam = tbl; bnam->lname; bnam++) {
+                if(ASN1_BIT_STRING_get_bit(bs, bnam->bitnum)) {
+                        if(!first) BIO_puts(out, ", ");
+                        BIO_puts(out, bnam->lname);
+                        first = 0;
+                }
+        }
+        BIO_puts(out, "\n");
+        return 1;
+}
+
+int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value,
+                                BIT_STRING_BITNAME *tbl)
+{
+        int bitnum;
+        bitnum = ASN1_BIT_STRING_num_asc(name, tbl);
+        if(bitnum < 0) return 0;
+        if(bs) ASN1_BIT_STRING_set_bit(bs, bitnum, value);
+        return 1;
+}
+
+int ASN1_BIT_STRING_num_asc(char *name, BIT_STRING_BITNAME *tbl)
+{
+        BIT_STRING_BITNAME *bnam;
+        for(bnam = tbl; bnam->lname; bnam++) {
+                if(!strcmp(bnam->sname, name) ||
+                        !strcmp(bnam->lname, name) ) return bnam->bitnum;
+        }
+        return -1;
+}
diff --git a/src/lib/libssl/src/crypto/asn1/t_crl.c b/src/lib/libssl/src/crypto/asn1/t_crl.c
new file mode 100644
index 0000000000..c2e447ce6f
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/t_crl.c
@@ -0,0 +1,166 @@
+/* t_crl.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/bn.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+static void ext_print(BIO *out, X509_EXTENSION *ex);
+#ifndef NO_FP_API
+int X509_CRL_print_fp(FILE *fp, X509_CRL *x)
+        {
+        BIO *b;
+        int ret;
+
+        if ((b=BIO_new(BIO_s_file())) == NULL)
+                {
+                X509err(X509_F_X509_PRINT_FP,ERR_R_BUF_LIB);
+                return(0);
+                }
+        BIO_set_fp(b,fp,BIO_NOCLOSE);
+        ret=X509_CRL_print(b, x);
+        BIO_free(b);
+        return(ret);
+        }
+#endif
+
+int X509_CRL_print(BIO *out, X509_CRL *x)
+{
+        char buf[256];
+        unsigned char *s;
+        STACK_OF(X509_REVOKED) *rev;
+        X509_REVOKED *r;
+        long l;
+        int i, j, n;
+
+        BIO_printf(out, "Certificate Revocation List (CRL):\n");
+        l = X509_CRL_get_version(x);
+        BIO_printf(out, "%8sVersion %lu (0x%lx)\n", "", l+1, l);
+        i = OBJ_obj2nid(x->sig_alg->algorithm);
+        BIO_printf(out, "%8sSignature Algorithm: %s\n", "",
+                                 (i == NID_undef) ? "NONE" : OBJ_nid2ln(i));
+        X509_NAME_oneline(X509_CRL_get_issuer(x),buf,256);
+        BIO_printf(out,"%8sIssuer: %s\n","",buf);
+        BIO_printf(out,"%8sLast Update: ","");
+        ASN1_TIME_print(out,X509_CRL_get_lastUpdate(x));
+        BIO_printf(out,"\n%8sNext Update: ","");
+        if (X509_CRL_get_nextUpdate(x))
+                 ASN1_TIME_print(out,X509_CRL_get_nextUpdate(x));
+        else BIO_printf(out,"NONE");
+        BIO_printf(out,"\n");
+
+        n=X509_CRL_get_ext_count(x);
+        if (n > 0) {
+                BIO_printf(out,"%8sCRL extensions:\n","");
+                for (i=0; i<n; i++) ext_print(out, X509_CRL_get_ext(x, i));
+        }
+
+
+        rev = X509_CRL_get_REVOKED(x);
+
+        if(sk_X509_REVOKED_num(rev))
+            BIO_printf(out, "Revoked Certificates:\n");
+        else BIO_printf(out, "No Revoked Certificates.\n");
+
+        for(i = 0; i < sk_X509_REVOKED_num(rev); i++) {
+                r = sk_X509_REVOKED_value(rev, i);
+                BIO_printf(out,"    Serial Number: ");
+                i2a_ASN1_INTEGER(out,r->serialNumber);
+                BIO_printf(out,"\n        Revocation Date: ","");
+                ASN1_TIME_print(out,r->revocationDate);
+                BIO_printf(out,"\n");
+                for(j = 0; j < X509_REVOKED_get_ext_count(r); j++)
+                                ext_print(out, X509_REVOKED_get_ext(r, j));
+        }
+
+        i=OBJ_obj2nid(x->sig_alg->algorithm);
+        BIO_printf(out,"    Signature Algorithm: %s",
+                                (i == NID_undef)?"UNKNOWN":OBJ_nid2ln(i));
+
+        s = x->signature->data;
+        n = x->signature->length;
+        for (i=0; i<n; i++, s++)
+        {
+                if ((i%18) == 0) BIO_write(out,"\n        ",9);
+                BIO_printf(out,"%02x%s",*s, ((i+1) == n)?"":":");
+        }
+        BIO_write(out,"\n",1);
+
+        return 1;
+
+}
+
+static void ext_print(BIO *out, X509_EXTENSION *ex)
+{
+        ASN1_OBJECT *obj;
+        int j;
+        BIO_printf(out,"%12s","");
+        obj=X509_EXTENSION_get_object(ex);
+        i2a_ASN1_OBJECT(out,obj);
+        j=X509_EXTENSION_get_critical(ex);
+        BIO_printf(out, ": %s\n", j ? "critical":"","");
+        if(!X509V3_EXT_print(out, ex, 0, 16)) {
+                BIO_printf(out, "%16s", "");
+                ASN1_OCTET_STRING_print(out,ex->value);
+        }
+        BIO_write(out,"\n",1);
+}
diff --git a/src/lib/libssl/src/crypto/asn1/t_spki.c b/src/lib/libssl/src/crypto/asn1/t_spki.c
new file mode 100644
index 0000000000..d708434fca
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/t_spki.c
@@ -0,0 +1,116 @@
+/* t_spki.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/x509.h>
+#include <openssl/asn1_mac.h>
+
+/* Print out an SPKI */
+
+int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki)
+{
+        EVP_PKEY *pkey;
+        ASN1_IA5STRING *chal;
+        int i, n;
+        char *s;
+        BIO_printf(out, "Netscape SPKI:\n");
+        i=OBJ_obj2nid(spki->spkac->pubkey->algor->algorithm);
+        BIO_printf(out,"  Public Key Algorithm: %s\n",
+                                (i == NID_undef)?"UNKNOWN":OBJ_nid2ln(i));
+        pkey = X509_PUBKEY_get(spki->spkac->pubkey);
+        if(!pkey) BIO_printf(out, "  Unable to load public key\n");
+        else {
+#ifndef NO_RSA
+                if (pkey->type == EVP_PKEY_RSA)
+                        {
+                        BIO_printf(out,"  RSA Public Key: (%d bit)\n",
+                                BN_num_bits(pkey->pkey.rsa->n));
+                        RSA_print(out,pkey->pkey.rsa,2);
+                        }
+                else 
+#endif
+#ifndef NO_DSA
+                if (pkey->type == EVP_PKEY_DSA)
+                {
+                BIO_printf(out,"  DSA Public Key:\n");
+                DSA_print(out,pkey->pkey.dsa,2);
+                }
+                else
+#endif
+                        BIO_printf(out,"  Unknown Public Key:\n");
+                EVP_PKEY_free(pkey);
+        }
+        chal = spki->spkac->challenge;
+        if(chal->length)
+                BIO_printf(out, "  Challenge String: %s\n", chal->data);
+        i=OBJ_obj2nid(spki->sig_algor->algorithm);
+        BIO_printf(out,"  Signature Algorithm: %s",
+                                (i == NID_undef)?"UNKNOWN":OBJ_nid2ln(i));
+
+        n=spki->signature->length;
+        s=(char *)spki->signature->data;
+        for (i=0; i<n; i++)
+                {
+                if ((i%18) == 0) BIO_write(out,"\n      ",7);
+                BIO_printf(out,"%02x%s",(unsigned char)s[i],
+                                                ((i+1) == n)?"":":");
+                }
+        BIO_write(out,"\n",1);
+        return 1;
+}
diff --git a/src/lib/libssl/src/crypto/asn1/t_x509a.c b/src/lib/libssl/src/crypto/asn1/t_x509a.c
new file mode 100644
index 0000000000..a18ebb586c
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/t_x509a.c
@@ -0,0 +1,102 @@
+/* t_x509a.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+/* X509_CERT_AUX and string set routines
+ */
+
+int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent)
+{
+        char oidstr[80], first;
+        int i;
+        if(!aux) return 1;
+        if(aux->trust) {
+                first = 1;
+                BIO_printf(out, "%*sTrusted Uses:\n%*s",
+                                                indent, "", indent + 2, "");
+                for(i = 0; i < sk_ASN1_OBJECT_num(aux->trust); i++) {
+                        if(!first) BIO_puts(out, ", ");
+                        else first = 0;
+                        OBJ_obj2txt(oidstr, 80,
+                                sk_ASN1_OBJECT_value(aux->trust, i), 0);
+                        BIO_puts(out, oidstr);
+                }
+                BIO_puts(out, "\n");
+        } else BIO_printf(out, "%*sNo Trusted Uses.\n", indent, "");
+        if(aux->reject) {
+                first = 1;
+                BIO_printf(out, "%*sRejected Uses:\n%*s",
+                                                indent, "", indent + 2, "");
+                for(i = 0; i < sk_ASN1_OBJECT_num(aux->reject); i++) {
+                        if(!first) BIO_puts(out, ", ");
+                        else first = 0;
+                        OBJ_obj2txt(oidstr, 80,
+                                sk_ASN1_OBJECT_value(aux->reject, i), 0);
+                        BIO_puts(out, oidstr);
+                }
+                BIO_puts(out, "\n");
+        } else BIO_printf(out, "%*sNo Rejected Uses.\n", indent, "");
+        if(aux->alias) BIO_printf(out, "%*sAlias: %s\n", indent, "",
+                                                        aux->alias->data);
+        return 1;
+}
diff --git a/src/lib/libssl/src/crypto/asn1/tasn_dec.c b/src/lib/libssl/src/crypto/asn1/tasn_dec.c
new file mode 100644
index 0000000000..0fc1f421e2
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/tasn_dec.c
@@ -0,0 +1,958 @@
+/* tasn_dec.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stddef.h>
+#include <string.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/objects.h>
+#include <openssl/buffer.h>
+#include <openssl/err.h>
+
+static int asn1_check_eoc(unsigned char **in, long len);
+static int asn1_collect(BUF_MEM *buf, unsigned char **in, long len, char inf, int tag, int aclass);
+static int collect_data(BUF_MEM *buf, unsigned char **p, long plen);
+static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, char *inf, char *cst,
+                        unsigned char **in, long len, int exptag, int expclass, char opt, ASN1_TLC *ctx);
+static int asn1_template_ex_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx);
+static int asn1_template_noexp_d2i(ASN1_VALUE **val, unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx);
+static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, unsigned char **in, long len,
+                                        const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx);
+
+/* Table to convert tags to bit values, used for MSTRING type */
+static unsigned long tag2bit[32]={
+0,      0,      0,      B_ASN1_BIT_STRING,      /* tags  0 -  3 */
+B_ASN1_OCTET_STRING,    0,      0,              B_ASN1_UNKNOWN,/* tags  4- 7 */
+B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN,/* tags  8-11 */
+B_ASN1_UTF8STRING,B_ASN1_UNKNOWN,B_ASN1_UNKNOWN,B_ASN1_UNKNOWN,/* tags 12-15 */
+0,      0,      B_ASN1_NUMERICSTRING,B_ASN1_PRINTABLESTRING,   /* tags 16-19 */
+B_ASN1_T61STRING,B_ASN1_VIDEOTEXSTRING,B_ASN1_IA5STRING,       /* tags 20-22 */
+B_ASN1_UTCTIME, B_ASN1_GENERALIZEDTIME,                        /* tags 23-24 */ 
+B_ASN1_GRAPHICSTRING,B_ASN1_ISO64STRING,B_ASN1_GENERALSTRING,  /* tags 25-27 */
+B_ASN1_UNIVERSALSTRING,B_ASN1_UNKNOWN,B_ASN1_BMPSTRING,B_ASN1_UNKNOWN, /* tags 28-31 */
+        };
+
+unsigned long ASN1_tag2bit(int tag)
+{
+        if((tag < 0) || (tag > 30)) return 0;
+        return tag2bit[tag];
+}
+
+/* Macro to initialize and invalidate the cache */
+
+#define asn1_tlc_clear(c)       if(c) (c)->valid = 0
+
+/* Decode an ASN1 item, this currently behaves just 
+ * like a standard 'd2i' function. 'in' points to 
+ * a buffer to read the data from, in future we will
+ * have more advanced versions that can input data
+ * a piece at a time and this will simply be a special
+ * case.
+ */
+
+ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_ITEM *it)
+{
+        ASN1_TLC c;
+        ASN1_VALUE *ptmpval = NULL;
+        if(!pval) pval = &ptmpval;
+        asn1_tlc_clear(&c);
+        if(ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0) 
+                return *pval;
+        return NULL;
+}
+
+int ASN1_template_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_TEMPLATE *tt)
+{
+        ASN1_TLC c;
+        asn1_tlc_clear(&c);
+        return asn1_template_ex_d2i(pval, in, len, tt, 0, &c);
+}
+
+
+/* Decode an item, taking care of IMPLICIT tagging, if any.
+ * If 'opt' set and tag mismatch return -1 to handle OPTIONAL
+ */
+
+int ASN1_item_ex_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_ITEM *it,
+                                int tag, int aclass, char opt, ASN1_TLC *ctx)
+{
+        const ASN1_TEMPLATE *tt, *errtt = NULL;
+        const ASN1_COMPAT_FUNCS *cf;
+        const ASN1_EXTERN_FUNCS *ef;
+        const ASN1_AUX *aux = it->funcs;
+        ASN1_aux_cb *asn1_cb;
+        unsigned char *p, *q, imphack = 0, oclass;
+        char seq_eoc, seq_nolen, cst, isopt;
+        long tmplen;
+        int i;
+        int otag;
+        int ret = 0;
+        ASN1_VALUE *pchval, **pchptr, *ptmpval;
+        if(!pval) return 0;
+        if(aux && aux->asn1_cb) asn1_cb = aux->asn1_cb;
+        else asn1_cb = 0;
+
+        switch(it->itype) {
+
+                case ASN1_ITYPE_PRIMITIVE:
+                if(it->templates) {
+                        /* tagging or OPTIONAL is currently illegal on an item template
+                         * because the flags can't get passed down. In practice this isn't
+                         * a problem: we include the relevant flags from the item template
+                         * in the template itself.
+                         */
+                        if ((tag != -1) || opt) {
+                                ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
+                                goto err;
+                        }
+                        return asn1_template_ex_d2i(pval, in, len, it->templates, opt, ctx);
+                }
+                return asn1_d2i_ex_primitive(pval, in, len, it, tag, aclass, opt, ctx);
+                break;
+
+                case ASN1_ITYPE_MSTRING:
+                p = *in;
+                /* Just read in tag and class */
+                ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, &p, len, -1, 0, 1, ctx);
+                if(!ret) {
+                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                        goto err;
+                } 
+                /* Must be UNIVERSAL class */
+                if(oclass != V_ASN1_UNIVERSAL) {
+                        /* If OPTIONAL, assume this is OK */
+                        if(opt) return -1;
+                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MSTRING_NOT_UNIVERSAL);
+                        goto err;
+                } 
+                /* Check tag matches bit map */
+                if(!(ASN1_tag2bit(otag) & it->utype)) {
+                        /* If OPTIONAL, assume this is OK */
+                        if(opt) return -1;
+                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MSTRING_WRONG_TAG);
+                        goto err;
+                } 
+                return asn1_d2i_ex_primitive(pval, in, len, it, otag, 0, 0, ctx);
+
+                case ASN1_ITYPE_EXTERN:
+                /* Use new style d2i */
+                ef = it->funcs;
+                return ef->asn1_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx);
+
+                case ASN1_ITYPE_COMPAT:
+                /* we must resort to old style evil hackery */
+                cf = it->funcs;
+
+                /* If OPTIONAL see if it is there */
+                if(opt) {
+                        int exptag;
+                        p = *in;
+                        if(tag == -1) exptag = it->utype;
+                        else exptag = tag;
+                        /* Don't care about anything other than presence of expected tag */
+                        ret = asn1_check_tlen(NULL, NULL, NULL, NULL, NULL, &p, len, exptag, aclass, 1, ctx);
+                        if(!ret) {
+                                ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                                goto err;
+                        }
+                        if(ret == -1) return -1;
+                }
+                /* This is the old style evil hack IMPLICIT handling:
+                 * since the underlying code is expecting a tag and
+                 * class other than the one present we change the
+                 * buffer temporarily then change it back afterwards.
+                 * This doesn't and never did work for tags > 30.
+                 *
+                 * Yes this is *horrible* but it is only needed for
+                 * old style d2i which will hopefully not be around
+                 * for much longer.
+                 * FIXME: should copy the buffer then modify it so
+                 * the input buffer can be const: we should *always*
+                 * copy because the old style d2i might modify the
+                 * buffer.
+                 */
+
+                if(tag != -1) {
+                        p = *in;
+                        imphack = *p;
+                        *p = (unsigned char)((*p & V_ASN1_CONSTRUCTED) | it->utype);
+                }
+
+                ptmpval = cf->asn1_d2i(pval, in, len);
+
+                if(tag != -1) *p = imphack;
+
+                if(ptmpval) return 1;
+                ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                goto err;
+
+
+                case ASN1_ITYPE_CHOICE:
+                if(asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it))
+                                goto auxerr;
+
+                /* Allocate structure */
+                if(!*pval) {
+                        if(!ASN1_item_ex_new(pval, it)) {
+                                ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                                goto err;
+                        }
+                }
+                /* CHOICE type, try each possibility in turn */
+                pchval = NULL;
+                p = *in;
+                for(i = 0, tt=it->templates; i < it->tcount; i++, tt++) {
+                        pchptr = asn1_get_field_ptr(pval, tt);
+                        /* We mark field as OPTIONAL so its absence
+                         * can be recognised.
+                         */
+                        ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx);
+                        /* If field not present, try the next one */
+                        if(ret == -1) continue;
+                        /* If positive return, read OK, break loop */
+                        if(ret > 0) break;
+                        /* Otherwise must be an ASN1 parsing error */
+                        errtt = tt;
+                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                        goto err;
+                }
+                /* Did we fall off the end without reading anything? */
+                if(i == it->tcount) {
+                        /* If OPTIONAL, this is OK */
+                        if(opt) {
+                                /* Free and zero it */
+                                ASN1_item_ex_free(pval, it);
+                                return -1;
+                        }
+                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_NO_MATCHING_CHOICE_TYPE);
+                        goto err;
+                }
+                asn1_set_choice_selector(pval, i, it);
+                *in = p;
+                if(asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it))
+                                goto auxerr;
+                return 1;
+
+                case ASN1_ITYPE_SEQUENCE:
+                p = *in;
+                tmplen = len;
+
+                /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */
+                if(tag == -1) {
+                        tag = V_ASN1_SEQUENCE;
+                        aclass = V_ASN1_UNIVERSAL;
+                }
+                /* Get SEQUENCE length and update len, p */
+                ret = asn1_check_tlen(&len, NULL, NULL, &seq_eoc, &cst, &p, len, tag, aclass, opt, ctx);
+                if(!ret) {
+                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                        goto err;
+                } else if(ret == -1) return -1;
+                if(aux && (aux->flags & ASN1_AFLG_BROKEN)) {
+                        len = tmplen - (p - *in);
+                        seq_nolen = 1;
+                } else seq_nolen = seq_eoc;     /* If indefinite we don't do a length check */
+                if(!cst) {
+                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_SEQUENCE_NOT_CONSTRUCTED);
+                        goto err;
+                }
+
+                if(!*pval) {
+                        if(!ASN1_item_ex_new(pval, it)) {
+                                ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                                goto err;
+                        }
+                }
+                if(asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it))
+                                goto auxerr;
+
+                /* Get each field entry */
+                for(i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
+                        const ASN1_TEMPLATE *seqtt;
+                        ASN1_VALUE **pseqval;
+                        seqtt = asn1_do_adb(pval, tt, 1);
+                        if(!seqtt) goto err;
+                        pseqval = asn1_get_field_ptr(pval, seqtt);
+                        /* Have we ran out of data? */
+                        if(!len) break;
+                        q = p;
+                        if(asn1_check_eoc(&p, len)) {
+                                if(!seq_eoc) {
+                                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_UNEXPECTED_EOC);
+                                        goto err;
+                                }
+                                len -= p - q;
+                                seq_eoc = 0;
+                                q = p;
+                                break;
+                        }
+                        /* This determines the OPTIONAL flag value. The field cannot
+                         * be omitted if it is the last of a SEQUENCE and there is
+                         * still data to be read. This isn't strictly necessary but
+                         * it increases efficiency in some cases.
+                         */
+                        if(i == (it->tcount - 1)) isopt = 0;
+                        else isopt = (char)(seqtt->flags & ASN1_TFLG_OPTIONAL);
+                        /* attempt to read in field, allowing each to be OPTIONAL */
+                        ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx);
+                        if(!ret) {
+                                errtt = seqtt;
+                                goto err;
+                        } else if(ret == -1) {
+                                /* OPTIONAL component absent. Free and zero the field
+                                 */
+                                ASN1_template_free(pseqval, seqtt);
+                                continue;
+                        }
+                        /* Update length */
+                        len -= p - q;
+                }
+                /* Check for EOC if expecting one */
+                if(seq_eoc && !asn1_check_eoc(&p, len)) {
+                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MISSING_EOC);
+                        goto err;
+                }
+                /* Check all data read */
+                if(!seq_nolen && len) {
+                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_SEQUENCE_LENGTH_MISMATCH);
+                        goto err;
+                }
+
+                /* If we get here we've got no more data in the SEQUENCE,
+                 * however we may not have read all fields so check all
+                 * remaining are OPTIONAL and clear any that are.
+                 */
+                for(; i < it->tcount; tt++, i++) {
+                        const ASN1_TEMPLATE *seqtt;
+                        seqtt = asn1_do_adb(pval, tt, 1);
+                        if(!seqtt) goto err;
+                        if(seqtt->flags & ASN1_TFLG_OPTIONAL) {
+                                ASN1_VALUE **pseqval;
+                                pseqval = asn1_get_field_ptr(pval, seqtt);
+                                ASN1_template_free(pseqval, seqtt);
+                        } else {
+                                errtt = seqtt;
+                                ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_FIELD_MISSING);
+                                goto err;
+                        }
+                }
+                /* Save encoding */
+                if(!asn1_enc_save(pval, *in, p - *in, it)) goto auxerr;
+                *in = p;
+                if(asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it))
+                                goto auxerr;
+                return 1;
+
+                default:
+                return 0;
+        }
+        auxerr:
+        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
+        err:
+        ASN1_item_ex_free(pval, it);
+        if(errtt) ERR_add_error_data(4, "Field=", errtt->field_name, ", Type=", it->sname);
+        else ERR_add_error_data(2, "Type=", it->sname);
+        return 0;
+}
+
+/* Templates are handled with two separate functions. One handles any EXPLICIT tag and the other handles the
+ * rest.
+ */
+
+static int asn1_template_ex_d2i(ASN1_VALUE **val, unsigned char **in, long inlen, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx)
+{
+        int flags, aclass;
+        int ret;
+        long len;
+        unsigned char *p, *q;
+        char exp_eoc;
+        if(!val) return 0;
+        flags = tt->flags;
+        aclass = flags & ASN1_TFLG_TAG_CLASS;
+
+        p = *in;
+
+        /* Check if EXPLICIT tag expected */
+        if(flags & ASN1_TFLG_EXPTAG) {
+                char cst;
+                /* Need to work out amount of data available to the inner content and where it
+                 * starts: so read in EXPLICIT header to get the info.
+                 */
+                ret = asn1_check_tlen(&len, NULL, NULL, &exp_eoc, &cst, &p, inlen, tt->tag, aclass, opt, ctx);
+                q = p;
+                if(!ret) {
+                        ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                        return 0;
+                } else if(ret == -1) return -1;
+                if(!cst) {
+                        ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED);
+                        return 0;
+                }
+                /* We've found the field so it can't be OPTIONAL now */
+                ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx);
+                if(!ret) {
+                        ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                        return 0;
+                }
+                /* We read the field in OK so update length */
+                len -= p - q;
+                if(exp_eoc) {
+                        /* If NDEF we must have an EOC here */
+                        if(!asn1_check_eoc(&p, len)) {
+                                ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ASN1_R_MISSING_EOC);
+                                goto err;
+                        }
+                } else {
+                        /* Otherwise we must hit the EXPLICIT tag end or its an error */
+                        if(len) {
+                                ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ASN1_R_EXPLICIT_LENGTH_MISMATCH);
+                                goto err;
+                        }
+                }
+        } else 
+                return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx);
+
+        *in = p;
+        return 1;
+
+        err:
+        ASN1_template_free(val, tt);
+        *val = NULL;
+        return 0;
+}
+
+static int asn1_template_noexp_d2i(ASN1_VALUE **val, unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx)
+{
+        int flags, aclass;
+        int ret;
+        unsigned char *p, *q;
+        if(!val) return 0;
+        flags = tt->flags;
+        aclass = flags & ASN1_TFLG_TAG_CLASS;
+
+        p = *in;
+        q = p;
+
+        if(flags & ASN1_TFLG_SK_MASK) {
+                /* SET OF, SEQUENCE OF */
+                int sktag, skaclass;
+                char sk_eoc;
+                /* First work out expected inner tag value */
+                if(flags & ASN1_TFLG_IMPTAG) {
+                        sktag = tt->tag;
+                        skaclass = aclass;
+                } else {
+                        skaclass = V_ASN1_UNIVERSAL;
+                        if(flags & ASN1_TFLG_SET_OF) sktag = V_ASN1_SET;
+                        else sktag = V_ASN1_SEQUENCE;
+                }
+                /* Get the tag */
+                ret = asn1_check_tlen(&len, NULL, NULL, &sk_eoc, NULL, &p, len, sktag, skaclass, opt, ctx);
+                if(!ret) {
+                        ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                        return 0;
+                } else if(ret == -1) return -1;
+                if(!*val) *val = (ASN1_VALUE *)sk_new_null();
+                else {
+                        /* We've got a valid STACK: free up any items present */
+                        STACK *sktmp = (STACK *)*val;
+                        ASN1_VALUE *vtmp;
+                        while(sk_num(sktmp) > 0) {
+                                vtmp = (ASN1_VALUE *)sk_pop(sktmp);
+                                ASN1_item_ex_free(&vtmp, ASN1_ITEM_ptr(tt->item));
+                        }
+                }
+                                
+                if(!*val) {
+                        ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
+                /* Read as many items as we can */
+                while(len > 0) {
+                        ASN1_VALUE *skfield;
+                        q = p;
+                        /* See if EOC found */
+                        if(asn1_check_eoc(&p, len)) {
+                                if(!sk_eoc) {
+                                        ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ASN1_R_UNEXPECTED_EOC);
+                                        goto err;
+                                }
+                                len -= p - q;
+                                sk_eoc = 0;
+                                break;
+                        }
+                        skfield = NULL;
+                        if(!ASN1_item_ex_d2i(&skfield, &p, len, ASN1_ITEM_ptr(tt->item), -1, 0, 0, ctx)) {
+                                ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ERR_R_NESTED_ASN1_ERROR);
+                                goto err;
+                        }
+                        len -= p - q;
+                        if(!sk_push((STACK *)*val, (char *)skfield)) {
+                                ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ERR_R_MALLOC_FAILURE);
+                                goto err;
+                        }
+                }
+                if(sk_eoc) {
+                        ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ASN1_R_MISSING_EOC);
+                        goto err;
+                }
+        } else if(flags & ASN1_TFLG_IMPTAG) {
+                /* IMPLICIT tagging */
+                ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt, ctx);
+                if(!ret) {
+                        ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ERR_R_NESTED_ASN1_ERROR);
+                        goto err;
+                } else if(ret == -1) return -1;
+        } else {
+                /* Nothing special */
+                ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), -1, 0, opt, ctx);
+                if(!ret) {
+                        ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ERR_R_NESTED_ASN1_ERROR);
+                        goto err;
+                } else if(ret == -1) return -1;
+        }
+
+        *in = p;
+        return 1;
+
+        err:
+        ASN1_template_free(val, tt);
+        *val = NULL;
+        return 0;
+}
+
+static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, unsigned char **in, long inlen, 
+                                                const ASN1_ITEM *it,
+                                                int tag, int aclass, char opt, ASN1_TLC *ctx)
+{
+        int ret = 0, utype;
+        long plen;
+        char cst, inf, free_cont = 0;
+        unsigned char *p;
+        BUF_MEM buf;
+        unsigned char *cont = NULL;
+        long len; 
+        if(!pval) {
+                ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_ILLEGAL_NULL);
+                return 0; /* Should never happen */
+        }
+
+        if(it->itype == ASN1_ITYPE_MSTRING) {
+                utype = tag;
+                tag = -1;
+        } else utype = it->utype;
+
+        if(utype == V_ASN1_ANY) {
+                /* If type is ANY need to figure out type from tag */
+                unsigned char oclass;
+                if(tag >= 0) {
+                        ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_ILLEGAL_TAGGED_ANY);
+                        return 0;
+                }
+                if(opt) {
+                        ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_ILLEGAL_OPTIONAL_ANY);
+                        return 0;
+                }
+                p = *in;
+                ret = asn1_check_tlen(NULL, &utype, &oclass, NULL, NULL, &p, inlen, -1, 0, 0, ctx);
+                if(!ret) {
+                        ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_NESTED_ASN1_ERROR);
+                        return 0;
+                }
+                if(oclass != V_ASN1_UNIVERSAL) utype = V_ASN1_OTHER;
+        }
+        if(tag == -1) {
+                tag = utype;
+                aclass = V_ASN1_UNIVERSAL;
+        }
+        p = *in;
+        /* Check header */
+        ret = asn1_check_tlen(&plen, NULL, NULL, &inf, &cst, &p, inlen, tag, aclass, opt, ctx);
+        if(!ret) {
+                ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_NESTED_ASN1_ERROR);
+                return 0;
+        } else if(ret == -1) return -1;
+        /* SEQUENCE, SET and "OTHER" are left in encoded form */
+        if((utype == V_ASN1_SEQUENCE) || (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER)) {
+                /* Clear context cache for type OTHER because the auto clear when
+                 * we have a exact match wont work
+                 */
+                if(utype == V_ASN1_OTHER) {
+                        asn1_tlc_clear(ctx);
+                /* SEQUENCE and SET must be constructed */
+                } else if(!cst) {
+                        ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_TYPE_NOT_CONSTRUCTED);
+                        return 0;
+                }
+
+                cont = *in;
+                /* If indefinite length constructed find the real end */
+                if(inf) {
+                        if(!asn1_collect(NULL, &p, plen, inf, -1, -1)) goto err;
+                        len = p - cont;
+                } else {
+                        len = p - cont + plen;
+                        p += plen;
+                        buf.data = NULL;
+                }
+        } else if(cst) {
+                buf.length = 0;
+                buf.max = 0;
+                buf.data = NULL;
+                /* Should really check the internal tags are correct but
+                 * some things may get this wrong. The relevant specs
+                 * say that constructed string types should be OCTET STRINGs
+                 * internally irrespective of the type. So instead just check
+                 * for UNIVERSAL class and ignore the tag.
+                 */
+                if(!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL)) goto err;
+                len = buf.length;
+                /* Append a final null to string */
+                if(!BUF_MEM_grow(&buf, len + 1)) {
+                        ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+                buf.data[len] = 0;
+                cont = (unsigned char *)buf.data;
+                free_cont = 1;
+        } else {
+                cont = p;
+                len = plen;
+                p += plen;
+        }
+
+        /* We now have content length and type: translate into a structure */
+        if(!asn1_ex_c2i(pval, cont, len, utype, &free_cont, it)) goto err;
+
+        *in = p;
+        ret = 1;
+        err:
+        if(free_cont && buf.data) OPENSSL_free(buf.data);
+        return ret;
+}
+
+/* Translate ASN1 content octets into a structure */
+
+int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it)
+{
+        ASN1_STRING *stmp;
+        ASN1_TYPE *typ = NULL;
+        int ret = 0;
+        const ASN1_PRIMITIVE_FUNCS *pf;
+        ASN1_INTEGER **tint;
+        pf = it->funcs;
+        if(pf && pf->prim_c2i) return pf->prim_c2i(pval, cont, len, utype, free_cont, it);
+        /* If ANY type clear type and set pointer to internal value */
+        if(it->utype == V_ASN1_ANY) {
+                if(!*pval) {
+                        typ = ASN1_TYPE_new();
+                        *pval = (ASN1_VALUE *)typ;
+                } else typ = (ASN1_TYPE *)*pval;
+                if(utype != typ->type) ASN1_TYPE_set(typ, utype, NULL);
+                pval = (ASN1_VALUE **)&typ->value.ptr;
+        }
+        switch(utype) {
+                case V_ASN1_OBJECT:
+                if(!c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, len)) goto err;
+                break;
+
+                case V_ASN1_NULL:
+                if(len) {
+                        ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_NULL_IS_WRONG_LENGTH);
+                        goto err;
+                }
+                *pval = (ASN1_VALUE *)1;
+                break;
+
+                case V_ASN1_BOOLEAN:
+                if(len != 1) {
+                        ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_BOOLEAN_IS_WRONG_LENGTH);
+                        goto err;
+                } else {
+                        ASN1_BOOLEAN *tbool;
+                        tbool = (ASN1_BOOLEAN *)pval;
+                        *tbool = *cont;
+                }
+                break;
+
+                case V_ASN1_BIT_STRING:
+                if(!c2i_ASN1_BIT_STRING((ASN1_BIT_STRING **)pval, &cont, len)) goto err;
+                break;
+
+                case V_ASN1_INTEGER:
+                case V_ASN1_NEG_INTEGER:
+                case V_ASN1_ENUMERATED:
+                case V_ASN1_NEG_ENUMERATED:
+                tint = (ASN1_INTEGER **)pval;
+                if(!c2i_ASN1_INTEGER(tint, &cont, len)) goto err;
+                /* Fixup type to match the expected form */
+                (*tint)->type = utype | ((*tint)->type & V_ASN1_NEG);
+                break;
+
+                case V_ASN1_OCTET_STRING:
+                case V_ASN1_NUMERICSTRING:
+                case V_ASN1_PRINTABLESTRING:
+                case V_ASN1_T61STRING:
+                case V_ASN1_VIDEOTEXSTRING:
+                case V_ASN1_IA5STRING:
+                case V_ASN1_UTCTIME:
+                case V_ASN1_GENERALIZEDTIME:
+                case V_ASN1_GRAPHICSTRING:
+                case V_ASN1_VISIBLESTRING:
+                case V_ASN1_GENERALSTRING:
+                case V_ASN1_UNIVERSALSTRING:
+                case V_ASN1_BMPSTRING:
+                case V_ASN1_UTF8STRING:
+                case V_ASN1_OTHER:
+                case V_ASN1_SET:
+                case V_ASN1_SEQUENCE:
+                default:
+                /* All based on ASN1_STRING and handled the same */
+                if(!*pval) {
+                        stmp = ASN1_STRING_type_new(utype);
+                        if(!stmp) {
+                                ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_MALLOC_FAILURE);
+                                goto err;
+                        }
+                        *pval = (ASN1_VALUE *)stmp;
+                } else {
+                        stmp = (ASN1_STRING *)*pval;
+                        stmp->type = utype;
+                }
+                /* If we've already allocated a buffer use it */
+                if(*free_cont) {
+                        if(stmp->data) OPENSSL_free(stmp->data);
+                        stmp->data = cont;
+                        stmp->length = len;
+                        *free_cont = 0;
+                } else {
+                        if(!ASN1_STRING_set(stmp, cont, len)) {
+                                ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_MALLOC_FAILURE);
+                                ASN1_STRING_free(stmp); 
+                                *pval = NULL;
+                                goto err;
+                        }
+                }
+                break;
+        }
+        /* If ASN1_ANY and NULL type fix up value */
+        if(typ && utype==V_ASN1_NULL) typ->value.ptr = NULL;
+
+        ret = 1;
+        err:
+        if(!ret) ASN1_TYPE_free(typ);
+        return ret;
+}
+
+/* This function collects the asn1 data from a constructred string
+ * type into a buffer. The values of 'in' and 'len' should refer
+ * to the contents of the constructed type and 'inf' should be set
+ * if it is indefinite length. If 'buf' is NULL then we just want
+ * to find the end of the current structure: useful for indefinite
+ * length constructed stuff.
+ */
+
+static int asn1_collect(BUF_MEM *buf, unsigned char **in, long len, char inf, int tag, int aclass)
+{
+        unsigned char *p, *q;
+        long plen;
+        char cst, ininf;
+        p = *in;
+        inf &= 1;
+        /* If no buffer and not indefinite length constructed just pass over the encoded data */
+        if(!buf && !inf) {
+                *in += len;
+                return 1;
+        }
+        while(len > 0) {
+                q = p;
+                /* Check for EOC */
+                if(asn1_check_eoc(&p, len)) {
+                        /* EOC is illegal outside indefinite length constructed form */
+                        if(!inf) {
+                                ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_UNEXPECTED_EOC);
+                                return 0;
+                        }
+                        inf = 0;
+                        break;
+                }
+                if(!asn1_check_tlen(&plen, NULL, NULL, &ininf, &cst, &p, len, tag, aclass, 0, NULL)) {
+                        ASN1err(ASN1_F_ASN1_COLLECT, ERR_R_NESTED_ASN1_ERROR);
+                        return 0;
+                }
+                /* If indefinite length constructed update max length */
+                if(cst) {
+                        if(!asn1_collect(buf, &p, plen, ininf, tag, aclass)) return 0;
+                } else {
+                        if(!collect_data(buf, &p, plen)) return 0;
+                }
+                len -= p - q;
+        }
+        if(inf) {
+                ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_MISSING_EOC);
+                return 0;
+        }
+        *in = p;
+        return 1;
+}
+
+static int collect_data(BUF_MEM *buf, unsigned char **p, long plen)
+{
+                int len;
+                if(buf) {
+                        len = buf->length;
+                        if(!BUF_MEM_grow(buf, len + plen)) {
+                                ASN1err(ASN1_F_COLLECT_DATA, ERR_R_MALLOC_FAILURE);
+                                return 0;
+                        }
+                        memcpy(buf->data + len, *p, plen);
+                }
+                *p += plen;
+                return 1;
+}
+
+/* Check for ASN1 EOC and swallow it if found */
+
+static int asn1_check_eoc(unsigned char **in, long len)
+{
+        unsigned char *p;
+        if(len < 2) return 0;
+        p = *in;
+        if(!p[0] && !p[1]) {
+                *in += 2;
+                return 1;
+        }
+        return 0;
+}
+
+/* Check an ASN1 tag and length: a bit like ASN1_get_object
+ * but it sets the length for indefinite length constructed
+ * form, we don't know the exact length but we can set an
+ * upper bound to the amount of data available minus the
+ * header length just read.
+ */
+
+static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, char *inf, char *cst,
+                unsigned char **in, long len, int exptag, int expclass, char opt, ASN1_TLC *ctx)
+{
+        int i;
+        int ptag, pclass;
+        long plen;
+        unsigned char *p, *q;
+        p = *in;
+        q = p;
+
+        if(ctx && ctx->valid) {
+                i = ctx->ret;
+                plen = ctx->plen;
+                pclass = ctx->pclass;
+                ptag = ctx->ptag;
+                p += ctx->hdrlen;
+        } else {
+                i = ASN1_get_object(&p, &plen, &ptag, &pclass, len);
+                if(ctx) {
+                        ctx->ret = i;
+                        ctx->plen = plen;
+                        ctx->pclass = pclass;
+                        ctx->ptag = ptag;
+                        ctx->hdrlen = p - q;
+                        ctx->valid = 1;
+                        /* If definite length, length + header can't exceed total
+                         * amount of data available.
+                         */
+                        if(!(i & 1) && ((plen + ctx->hdrlen) > len)) {
+                                ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_TOO_LONG);
+                                asn1_tlc_clear(ctx);
+                                return 0;
+                        }
+                }
+        }
+
+        if(i & 0x80) {
+                ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_BAD_OBJECT_HEADER);
+                asn1_tlc_clear(ctx);
+                return 0;
+        }
+        if(exptag >= 0) {
+                if((exptag != ptag) || (expclass != pclass)) {
+                        /* If type is OPTIONAL, not an error, but indicate missing
+                         * type.
+                         */
+                        if(opt) return -1;
+                        asn1_tlc_clear(ctx);
+                        ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_WRONG_TAG);
+                        return 0;
+                }
+                /* We have a tag and class match, so assume we are going to do something with it */
+                asn1_tlc_clear(ctx);
+        }
+
+        if(i & 1) plen = len - (p - q);
+
+        if(inf) *inf = i & 1;
+
+        if(cst) *cst = i & V_ASN1_CONSTRUCTED;
+
+        if(olen) *olen = plen;
+        if(oclass) *oclass = pclass;
+        if(otag) *otag = ptag;
+
+        *in = p;
+        return 1;
+}
diff --git a/src/lib/libssl/src/crypto/asn1/tasn_enc.c b/src/lib/libssl/src/crypto/asn1/tasn_enc.c
new file mode 100644
index 0000000000..f6c8ddef0a
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/tasn_enc.c
@@ -0,0 +1,497 @@
+/* tasn_enc.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stddef.h>
+#include <string.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/objects.h>
+
+static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass);
+static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *seq, unsigned char **out, int skcontlen, const ASN1_ITEM *item, int isset);
+
+/* Encode an ASN1 item, this is compatible with the
+ * standard 'i2d' function. 'out' points to 
+ * a buffer to output the data to, in future we will
+ * have more advanced versions that can output data
+ * a piece at a time and this will simply be a special
+ * case.
+ *
+ * The new i2d has one additional feature. If the output
+ * buffer is NULL (i.e. *out == NULL) then a buffer is
+ * allocated and populated with the encoding.
+ */
+
+
+int ASN1_item_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it)
+{
+        if(out && !*out) {
+                unsigned char *p, *buf;
+                int len;
+                len = ASN1_item_ex_i2d(&val, NULL, it, -1, 0);
+                if(len <= 0) return len;
+                buf = OPENSSL_malloc(len);
+                if(!buf) return -1;
+                p = buf;
+                ASN1_item_ex_i2d(&val, &p, it, -1, 0);
+                *out = buf;
+                return len;
+        }
+                
+        return ASN1_item_ex_i2d(&val, out, it, -1, 0);
+}
+
+/* Encode an item, taking care of IMPLICIT tagging (if any).
+ * This function performs the normal item handling: it can be
+ * used in external types.
+ */
+
+int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass)
+{
+        const ASN1_TEMPLATE *tt = NULL;
+        unsigned char *p = NULL;
+        int i, seqcontlen, seqlen;
+        ASN1_STRING *strtmp;
+        const ASN1_COMPAT_FUNCS *cf;
+        const ASN1_EXTERN_FUNCS *ef;
+        const ASN1_AUX *aux = it->funcs;
+        ASN1_aux_cb *asn1_cb;
+        if((it->itype != ASN1_ITYPE_PRIMITIVE) && !*pval) return 0;
+        if(aux && aux->asn1_cb) asn1_cb = aux->asn1_cb;
+        else asn1_cb = 0;
+
+        switch(it->itype) {
+
+                case ASN1_ITYPE_PRIMITIVE:
+                if(it->templates)
+                        return ASN1_template_i2d(pval, out, it->templates);
+                return asn1_i2d_ex_primitive(pval, out, it, tag, aclass);
+                break;
+
+                case ASN1_ITYPE_MSTRING:
+                strtmp = (ASN1_STRING *)*pval;
+                return asn1_i2d_ex_primitive(pval, out, it, -1, 0);
+
+                case ASN1_ITYPE_CHOICE:
+                if(asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it))
+                                return 0;
+                i = asn1_get_choice_selector(pval, it);
+                if((i >= 0) && (i < it->tcount)) {
+                        ASN1_VALUE **pchval;
+                        const ASN1_TEMPLATE *chtt;
+                        chtt = it->templates + i;
+                        pchval = asn1_get_field_ptr(pval, chtt);
+                        return ASN1_template_i2d(pchval, out, chtt);
+                } 
+                /* Fixme: error condition if selector out of range */
+                if(asn1_cb && !asn1_cb(ASN1_OP_I2D_POST, pval, it))
+                                return 0;
+                break;
+
+                case ASN1_ITYPE_EXTERN:
+                /* If new style i2d it does all the work */
+                ef = it->funcs;
+                return ef->asn1_ex_i2d(pval, out, it, tag, aclass);
+
+                case ASN1_ITYPE_COMPAT:
+                /* old style hackery... */
+                cf = it->funcs;
+                if(out) p = *out;
+                i = cf->asn1_i2d(*pval, out);
+                /* Fixup for IMPLICIT tag: note this messes up for tags > 30,
+                 * but so did the old code. Tags > 30 are very rare anyway.
+                 */
+                if(out && (tag != -1))
+                        *p = aclass | tag | (*p & V_ASN1_CONSTRUCTED);
+                return i;
+                
+                case ASN1_ITYPE_SEQUENCE:
+                i = asn1_enc_restore(&seqcontlen, out, pval, it);
+                /* An error occurred */
+                if(i < 0) return 0;
+                /* We have a valid cached encoding... */
+                if(i > 0) return seqcontlen;
+                /* Otherwise carry on */
+                seqcontlen = 0;
+                /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */
+                if(tag == -1) {
+                        tag = V_ASN1_SEQUENCE;
+                        aclass = V_ASN1_UNIVERSAL;
+                }
+                if(asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it))
+                                return 0;
+                /* First work out sequence content length */
+                for(i = 0, tt = it->templates; i < it->tcount; tt++, i++) {
+                        const ASN1_TEMPLATE *seqtt;
+                        ASN1_VALUE **pseqval;
+                        seqtt = asn1_do_adb(pval, tt, 1);
+                        if(!seqtt) return 0;
+                        pseqval = asn1_get_field_ptr(pval, seqtt);
+                        /* FIXME: check for errors in enhanced version */
+                        /* FIXME: special handling of indefinite length encoding */
+                        seqcontlen += ASN1_template_i2d(pseqval, NULL, seqtt);
+                }
+                seqlen = ASN1_object_size(1, seqcontlen, tag);
+                if(!out) return seqlen;
+                /* Output SEQUENCE header */
+                ASN1_put_object(out, 1, seqcontlen, tag, aclass);
+                for(i = 0, tt = it->templates; i < it->tcount; tt++, i++) {
+                        const ASN1_TEMPLATE *seqtt;
+                        ASN1_VALUE **pseqval;
+                        seqtt = asn1_do_adb(pval, tt, 1);
+                        if(!seqtt) return 0;
+                        pseqval = asn1_get_field_ptr(pval, seqtt);
+                        /* FIXME: check for errors in enhanced version */
+                        ASN1_template_i2d(pseqval, out, seqtt);
+                }
+                if(asn1_cb  && !asn1_cb(ASN1_OP_I2D_POST, pval, it))
+                                return 0;
+                return seqlen;
+
+                default:
+                return 0;
+        }
+        return 0;
+}
+
+int ASN1_template_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_TEMPLATE *tt)
+{
+        int i, ret, flags, aclass;
+        flags = tt->flags;
+        aclass = flags & ASN1_TFLG_TAG_CLASS;
+        if(flags & ASN1_TFLG_SK_MASK) {
+                /* SET OF, SEQUENCE OF */
+                STACK_OF(ASN1_VALUE) *sk = (STACK_OF(ASN1_VALUE) *)*pval;
+                int isset, sktag, skaclass;
+                int skcontlen, sklen;
+                ASN1_VALUE *skitem;
+                if(!*pval) return 0;
+                if(flags & ASN1_TFLG_SET_OF) {
+                        isset = 1;
+                        /* 2 means we reorder */
+                        if(flags & ASN1_TFLG_SEQUENCE_OF) isset = 2;
+                } else isset = 0;
+                /* First work out inner tag value */
+                if(flags & ASN1_TFLG_IMPTAG) {
+                        sktag = tt->tag;
+                        skaclass = aclass;
+                } else {
+                        skaclass = V_ASN1_UNIVERSAL;
+                        if(isset) sktag = V_ASN1_SET;
+                        else sktag = V_ASN1_SEQUENCE;
+                }
+                /* Now work out length of items */
+                skcontlen = 0;
+                for(i = 0; i < sk_ASN1_VALUE_num(sk); i++) {
+                        skitem = sk_ASN1_VALUE_value(sk, i);
+                        skcontlen += ASN1_item_ex_i2d(&skitem, NULL, ASN1_ITEM_ptr(tt->item), -1, 0);
+                }
+                sklen = ASN1_object_size(1, skcontlen, sktag);
+                /* If EXPLICIT need length of surrounding tag */
+                if(flags & ASN1_TFLG_EXPTAG)
+                        ret = ASN1_object_size(1, sklen, tt->tag);
+                else ret = sklen;
+
+                if(!out) return ret;
+
+                /* Now encode this lot... */
+                /* EXPLICIT tag */
+                if(flags & ASN1_TFLG_EXPTAG)
+                        ASN1_put_object(out, 1, sklen, tt->tag, aclass);
+                /* SET or SEQUENCE and IMPLICIT tag */
+                ASN1_put_object(out, 1, skcontlen, sktag, skaclass);
+                /* And finally the stuff itself */
+                asn1_set_seq_out(sk, out, skcontlen, ASN1_ITEM_ptr(tt->item), isset);
+
+                return ret;
+        }
+                        
+        if(flags & ASN1_TFLG_EXPTAG) {
+                /* EXPLICIT tagging */
+                /* Find length of tagged item */
+                i = ASN1_item_ex_i2d(pval, NULL, ASN1_ITEM_ptr(tt->item), -1, 0);
+                if(!i) return 0;
+                /* Find length of EXPLICIT tag */
+                ret = ASN1_object_size(1, i, tt->tag);
+                if(out) {
+                        /* Output tag and item */
+                        ASN1_put_object(out, 1, i, tt->tag, aclass);
+                        ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), -1, 0);
+                }
+                return ret;
+        }
+        if(flags & ASN1_TFLG_IMPTAG) {
+                /* IMPLICIT tagging */
+                return ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), tt->tag, aclass);
+        }
+        /* Nothing special: treat as normal */
+        return ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), -1, 0);
+}
+
+/* Temporary structure used to hold DER encoding of items for SET OF */
+
+typedef struct {
+        unsigned char *data;
+        int length;
+        ASN1_VALUE *field;
+} DER_ENC;
+
+static int der_cmp(const void *a, const void *b)
+{
+        const DER_ENC *d1 = a, *d2 = b;
+        int cmplen, i;
+        cmplen = (d1->length < d2->length) ? d1->length : d2->length;
+        i = memcmp(d1->data, d2->data, cmplen);
+        if(i) return i;
+        return d1->length - d2->length;
+}
+
+/* Output the content octets of SET OF or SEQUENCE OF */
+
+static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out, int skcontlen, const ASN1_ITEM *item, int do_sort)
+{
+        int i;
+        ASN1_VALUE *skitem;
+        unsigned char *tmpdat = NULL, *p = NULL;
+        DER_ENC *derlst = NULL, *tder;
+        if(do_sort) {
+                /* Don't need to sort less than 2 items */
+                if(sk_ASN1_VALUE_num(sk) < 2) do_sort = 0;
+                else {
+                        derlst = OPENSSL_malloc(sk_ASN1_VALUE_num(sk) * sizeof(*derlst));
+                        tmpdat = OPENSSL_malloc(skcontlen);
+                        if(!derlst || !tmpdat) return 0;
+                }
+        }
+        /* If not sorting just output each item */
+        if(!do_sort) {
+                for(i = 0; i < sk_ASN1_VALUE_num(sk); i++) {
+                        skitem = sk_ASN1_VALUE_value(sk, i);
+                        ASN1_item_i2d(skitem, out, item);
+                }
+                return 1;
+        }
+        p = tmpdat;
+        /* Doing sort: build up a list of each member's DER encoding */
+        for(i = 0, tder = derlst; i < sk_ASN1_VALUE_num(sk); i++, tder++) {
+                skitem = sk_ASN1_VALUE_value(sk, i);
+                tder->data = p;
+                tder->length = ASN1_item_i2d(skitem, &p, item);
+                tder->field = skitem;
+        }
+        /* Now sort them */
+        qsort(derlst, sk_ASN1_VALUE_num(sk), sizeof(*derlst), der_cmp);
+        /* Output sorted DER encoding */        
+        p = *out;
+        for(i = 0, tder = derlst; i < sk_ASN1_VALUE_num(sk); i++, tder++) {
+                memcpy(p, tder->data, tder->length);
+                p += tder->length;
+        }
+        *out = p;
+        /* If do_sort is 2 then reorder the STACK */
+        if(do_sort == 2) {
+                for(i = 0, tder = derlst; i < sk_ASN1_VALUE_num(sk); i++, tder++)
+                        sk_ASN1_VALUE_set(sk, i, tder->field);
+        }
+        OPENSSL_free(derlst);
+        OPENSSL_free(tmpdat);
+        return 1;
+}
+
+static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass)
+{
+        int len;
+        int utype;
+        int usetag;
+
+        utype = it->utype;
+
+        /* Get length of content octets and maybe find
+         * out the underlying type.
+         */
+
+        len = asn1_ex_i2c(pval, NULL, &utype, it);
+
+        /* If SEQUENCE, SET or OTHER then header is
+         * included in pseudo content octets so don't
+         * include tag+length. We need to check here
+         * because the call to asn1_ex_i2c() could change
+         * utype.
+         */
+        if((utype == V_ASN1_SEQUENCE) || (utype == V_ASN1_SET) ||
+           (utype == V_ASN1_OTHER))
+                usetag = 0;
+        else usetag = 1;
+
+        /* -1 means omit type */
+
+        if(len == -1) return 0;
+
+        /* If not implicitly tagged get tag from underlying type */
+        if(tag == -1) tag = utype;
+
+        /* Output tag+length followed by content octets */
+        if(out) {
+                if(usetag) ASN1_put_object(out, 0, len, tag, aclass);
+                asn1_ex_i2c(pval, *out, &utype, it);
+                *out += len;
+        }
+
+        if(usetag) return ASN1_object_size(0, len, tag);
+        return len;
+}
+
+/* Produce content octets from a structure */
+
+int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype, const ASN1_ITEM *it)
+{
+        ASN1_BOOLEAN *tbool = NULL;
+        ASN1_STRING *strtmp;
+        ASN1_OBJECT *otmp;
+        int utype;
+        unsigned char *cont, c;
+        int len;
+        const ASN1_PRIMITIVE_FUNCS *pf;
+        pf = it->funcs;
+        if(pf && pf->prim_i2c) return pf->prim_i2c(pval, cout, putype, it);
+
+        /* Should type be omitted? */
+        if((it->itype != ASN1_ITYPE_PRIMITIVE) || (it->utype != V_ASN1_BOOLEAN)) {
+                if(!*pval) return -1;
+        }
+
+        if(it->itype == ASN1_ITYPE_MSTRING) {
+                /* If MSTRING type set the underlying type */
+                strtmp = (ASN1_STRING *)*pval;
+                utype = strtmp->type;
+                *putype = utype;
+        } else if(it->utype == V_ASN1_ANY) {
+                /* If ANY set type and pointer to value */
+                ASN1_TYPE *typ;
+                typ = (ASN1_TYPE *)*pval;
+                utype = typ->type;
+                *putype = utype;
+                pval = (ASN1_VALUE **)&typ->value.ptr;
+        } else utype = *putype;
+
+        switch(utype) {
+                case V_ASN1_OBJECT:
+                otmp = (ASN1_OBJECT *)*pval;
+                cont = otmp->data;
+                len = otmp->length;
+                break;
+
+                case V_ASN1_NULL:
+                cont = NULL;
+                len = 0;
+                break;
+
+                case V_ASN1_BOOLEAN:
+                tbool = (ASN1_BOOLEAN *)pval;
+                if(*tbool == -1) return -1;
+                /* Default handling if value == size field then omit */
+                if(*tbool && (it->size > 0)) return -1;
+                if(!*tbool && !it->size) return -1;
+                c = (unsigned char)*tbool;
+                cont = &c;
+                len = 1;
+                break;
+
+                case V_ASN1_BIT_STRING:
+                return i2c_ASN1_BIT_STRING((ASN1_BIT_STRING *)*pval, cout ? &cout : NULL);
+                break;
+
+                case V_ASN1_INTEGER:
+                case V_ASN1_NEG_INTEGER:
+                case V_ASN1_ENUMERATED:
+                case V_ASN1_NEG_ENUMERATED:
+                /* These are all have the same content format
+                 * as ASN1_INTEGER
+                 */
+                return i2c_ASN1_INTEGER((ASN1_INTEGER *)*pval, cout ? &cout : NULL);
+                break;
+
+                case V_ASN1_OCTET_STRING:
+                case V_ASN1_NUMERICSTRING:
+                case V_ASN1_PRINTABLESTRING:
+                case V_ASN1_T61STRING:
+                case V_ASN1_VIDEOTEXSTRING:
+                case V_ASN1_IA5STRING:
+                case V_ASN1_UTCTIME:
+                case V_ASN1_GENERALIZEDTIME:
+                case V_ASN1_GRAPHICSTRING:
+                case V_ASN1_VISIBLESTRING:
+                case V_ASN1_GENERALSTRING:
+                case V_ASN1_UNIVERSALSTRING:
+                case V_ASN1_BMPSTRING:
+                case V_ASN1_UTF8STRING:
+                case V_ASN1_SEQUENCE:
+                case V_ASN1_SET:
+                default:
+                /* All based on ASN1_STRING and handled the same */
+                strtmp = (ASN1_STRING *)*pval;
+                cont = strtmp->data;
+                len = strtmp->length;
+
+                break;
+
+        }
+        if(cout && len) memcpy(cout, cont, len);
+        return len;
+}
diff --git a/src/lib/libssl/src/crypto/asn1/tasn_fre.c b/src/lib/libssl/src/crypto/asn1/tasn_fre.c
new file mode 100644
index 0000000000..c7610776f2
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/tasn_fre.c
@@ -0,0 +1,226 @@
+/* tasn_fre.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stddef.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/objects.h>
+
+static void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine);
+
+/* Free up an ASN1 structure */
+
+void ASN1_item_free(ASN1_VALUE *val, const ASN1_ITEM *it)
+{
+        asn1_item_combine_free(&val, it, 0);
+}
+
+void ASN1_item_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        asn1_item_combine_free(pval, it, 0);
+}
+
+static void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine)
+{
+        const ASN1_TEMPLATE *tt = NULL, *seqtt;
+        const ASN1_EXTERN_FUNCS *ef;
+        const ASN1_COMPAT_FUNCS *cf;
+        const ASN1_AUX *aux = it->funcs;
+        ASN1_aux_cb *asn1_cb;
+        int i;
+        if(!pval) return;
+        if((it->itype != ASN1_ITYPE_PRIMITIVE) && !*pval) return;
+        if(aux && aux->asn1_cb) asn1_cb = aux->asn1_cb;
+        else asn1_cb = 0;
+
+        switch(it->itype) {
+
+                case ASN1_ITYPE_PRIMITIVE:
+                if(it->templates) ASN1_template_free(pval, it->templates);
+                else ASN1_primitive_free(pval, it);
+                break;
+
+                case ASN1_ITYPE_MSTRING:
+                ASN1_primitive_free(pval, it);
+                break;
+
+                case ASN1_ITYPE_CHOICE:
+                if(asn1_cb) {
+                        i = asn1_cb(ASN1_OP_FREE_PRE, pval, it);
+                        if(i == 2) return;
+                }
+                i = asn1_get_choice_selector(pval, it);
+                if(asn1_cb) asn1_cb(ASN1_OP_FREE_PRE, pval, it);
+                if((i >= 0) && (i < it->tcount)) {
+                        ASN1_VALUE **pchval;
+                        tt = it->templates + i;
+                        pchval = asn1_get_field_ptr(pval, tt);
+                        ASN1_template_free(pchval, tt);
+                }
+                if(asn1_cb) asn1_cb(ASN1_OP_FREE_POST, pval, it);
+                if(!combine) {
+                        OPENSSL_free(*pval);
+                        *pval = NULL;
+                }
+                break;
+
+                case ASN1_ITYPE_COMPAT:
+                cf = it->funcs;
+                if(cf && cf->asn1_free) cf->asn1_free(*pval);
+                break;
+
+                case ASN1_ITYPE_EXTERN:
+                ef = it->funcs;
+                if(ef && ef->asn1_ex_free) ef->asn1_ex_free(pval, it);
+                break;
+
+                case ASN1_ITYPE_SEQUENCE:
+                if(asn1_do_lock(pval, -1, it) > 0) return;
+                if(asn1_cb) {
+                        i = asn1_cb(ASN1_OP_FREE_PRE, pval, it);
+                        if(i == 2) return;
+                }               
+                asn1_enc_free(pval, it);
+                /* If we free up as normal we will invalidate any
+                 * ANY DEFINED BY field and we wont be able to 
+                 * determine the type of the field it defines. So
+                 * free up in reverse order.
+                 */
+                tt = it->templates + it->tcount - 1;
+                for(i = 0; i < it->tcount; tt--, i++) {
+                        ASN1_VALUE **pseqval;
+                        seqtt = asn1_do_adb(pval, tt, 0);
+                        if(!seqtt) continue;
+                        pseqval = asn1_get_field_ptr(pval, seqtt);
+                        ASN1_template_free(pseqval, seqtt);
+                }
+                if(asn1_cb) asn1_cb(ASN1_OP_FREE_POST, pval, it);
+                if(!combine) {
+                        OPENSSL_free(*pval);
+                        *pval = NULL;
+                }
+                break;
+        }
+}
+
+void ASN1_template_free(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
+{
+        int i;
+        if(tt->flags & ASN1_TFLG_SK_MASK) {
+                STACK_OF(ASN1_VALUE) *sk = (STACK_OF(ASN1_VALUE) *)*pval;
+                for(i = 0; i < sk_ASN1_VALUE_num(sk); i++) {
+                        ASN1_VALUE *vtmp;
+                        vtmp = sk_ASN1_VALUE_value(sk, i);
+                        asn1_item_combine_free(&vtmp, ASN1_ITEM_ptr(tt->item), 0);
+                }
+                sk_ASN1_VALUE_free(sk);
+                *pval = NULL;
+        } else asn1_item_combine_free(pval, ASN1_ITEM_ptr(tt->item),
+                                                tt->flags & ASN1_TFLG_COMBINE);
+}
+
+void ASN1_primitive_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        int utype;
+        if(it) {
+                const ASN1_PRIMITIVE_FUNCS *pf;
+                pf = it->funcs;
+                if(pf && pf->prim_free) {
+                        pf->prim_free(pval, it);
+                        return;
+                }
+        }
+        /* Special case: if 'it' is NULL free contents of ASN1_TYPE */
+        if(!it) {
+                ASN1_TYPE *typ = (ASN1_TYPE *)*pval;
+                utype = typ->type;
+                pval = (ASN1_VALUE **)&typ->value.ptr;
+                if(!*pval) return;
+        } else if(it->itype == ASN1_ITYPE_MSTRING) {
+                utype = -1;
+                if(!*pval) return;
+        } else {
+                utype = it->utype;
+                if((utype != V_ASN1_BOOLEAN) && !*pval) return;
+        }
+
+        switch(utype) {
+                case V_ASN1_OBJECT:
+                ASN1_OBJECT_free((ASN1_OBJECT *)*pval);
+                break;
+
+                case V_ASN1_BOOLEAN:
+                *(ASN1_BOOLEAN *)pval = it->size;
+                return;
+
+                case V_ASN1_NULL:
+                break;
+
+                case V_ASN1_ANY:
+                ASN1_primitive_free(pval, NULL);
+                OPENSSL_free(*pval);
+                break;
+
+                default:
+                ASN1_STRING_free((ASN1_STRING *)*pval);
+                *pval = NULL;
+                break;
+        }
+        *pval = NULL;
+}
diff --git a/src/lib/libssl/src/crypto/asn1/tasn_new.c b/src/lib/libssl/src/crypto/asn1/tasn_new.c
new file mode 100644
index 0000000000..e33861f864
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/tasn_new.c
@@ -0,0 +1,348 @@
+/* tasn_new.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stddef.h>
+#include <openssl/asn1.h>
+#include <openssl/objects.h>
+#include <openssl/err.h>
+#include <openssl/asn1t.h>
+#include <string.h>
+
+static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine);
+static void asn1_item_clear(ASN1_VALUE **pval, const ASN1_ITEM *it);
+static void asn1_template_clear(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt);
+void asn1_primitive_clear(ASN1_VALUE **pval, const ASN1_ITEM *it);
+
+ASN1_VALUE *ASN1_item_new(const ASN1_ITEM *it)
+{
+        ASN1_VALUE *ret = NULL;
+        if(ASN1_item_ex_new(&ret, it) > 0) return ret;
+        return NULL;
+}
+
+/* Allocate an ASN1 structure */
+
+int ASN1_item_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        return asn1_item_ex_combine_new(pval, it, 0);
+}
+
+static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine)
+{
+        const ASN1_TEMPLATE *tt = NULL;
+        const ASN1_COMPAT_FUNCS *cf;
+        const ASN1_EXTERN_FUNCS *ef;
+        const ASN1_AUX *aux = it->funcs;
+        ASN1_aux_cb *asn1_cb;
+        ASN1_VALUE **pseqval;
+        int i;
+        if(aux && aux->asn1_cb) asn1_cb = aux->asn1_cb;
+        else asn1_cb = 0;
+
+        if(!combine) *pval = NULL;
+
+#ifdef CRYPTO_MDEBUG
+        if(it->sname) CRYPTO_push_info(it->sname);
+#endif
+
+        switch(it->itype) {
+
+                case ASN1_ITYPE_EXTERN:
+                ef = it->funcs;
+                if(ef && ef->asn1_ex_new) {
+                        if(!ef->asn1_ex_new(pval, it))
+                                goto memerr;
+                }
+                break;
+
+                case ASN1_ITYPE_COMPAT:
+                cf = it->funcs;
+                if(cf && cf->asn1_new) {
+                        *pval = cf->asn1_new();
+                        if(!*pval) goto memerr;
+                }
+                break;
+
+                case ASN1_ITYPE_PRIMITIVE:
+                if(it->templates) {
+                        if(!ASN1_template_new(pval, it->templates))
+                                goto memerr;
+                } else {
+                        if(!ASN1_primitive_new(pval, it))
+                                goto memerr;
+                }
+                break;
+
+                case ASN1_ITYPE_MSTRING:
+                if(!ASN1_primitive_new(pval, it))
+                                goto memerr;
+                break;
+
+                case ASN1_ITYPE_CHOICE:
+                if(asn1_cb) {
+                        i = asn1_cb(ASN1_OP_NEW_PRE, pval, it);
+                        if(!i) goto auxerr;
+                        if(i==2) {
+#ifdef CRYPTO_MDEBUG
+                                if(it->sname) CRYPTO_pop_info();
+#endif
+                                return 1;
+                        }
+                }
+                if(!combine) {
+                        *pval = OPENSSL_malloc(it->size);
+                        if(!*pval) goto memerr;
+                        memset(*pval, 0, it->size);
+                }
+                asn1_set_choice_selector(pval, -1, it);
+                if(asn1_cb && !asn1_cb(ASN1_OP_NEW_POST, pval, it))
+                                goto auxerr;
+                break;
+
+                case ASN1_ITYPE_SEQUENCE:
+                if(asn1_cb) {
+                        i = asn1_cb(ASN1_OP_NEW_PRE, pval, it);
+                        if(!i) goto auxerr;
+                        if(i==2) {
+#ifdef CRYPTO_MDEBUG
+                                if(it->sname) CRYPTO_pop_info();
+#endif
+                                return 1;
+                        }
+                }
+                if(!combine) {
+                        *pval = OPENSSL_malloc(it->size);
+                        if(!*pval) goto memerr;
+                        memset(*pval, 0, it->size);
+                        asn1_do_lock(pval, 0, it);
+                        asn1_enc_init(pval, it);
+                }
+                for(i = 0, tt = it->templates; i < it->tcount; tt++, i++) {
+                        pseqval = asn1_get_field_ptr(pval, tt);
+                        if(!ASN1_template_new(pseqval, tt)) goto memerr;
+                }
+                if(asn1_cb && !asn1_cb(ASN1_OP_NEW_POST, pval, it))
+                                goto auxerr;
+                break;
+        }
+#ifdef CRYPTO_MDEBUG
+        if(it->sname) CRYPTO_pop_info();
+#endif
+        return 1;
+
+        memerr:
+        ASN1err(ASN1_F_ASN1_ITEM_NEW, ERR_R_MALLOC_FAILURE);
+#ifdef CRYPTO_MDEBUG
+        if(it->sname) CRYPTO_pop_info();
+#endif
+        return 0;
+
+        auxerr:
+        ASN1err(ASN1_F_ASN1_ITEM_NEW, ASN1_R_AUX_ERROR);
+        ASN1_item_ex_free(pval, it);
+#ifdef CRYPTO_MDEBUG
+        if(it->sname) CRYPTO_pop_info();
+#endif
+        return 0;
+
+}
+
+static void asn1_item_clear(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        const ASN1_EXTERN_FUNCS *ef;
+
+        switch(it->itype) {
+
+                case ASN1_ITYPE_EXTERN:
+                ef = it->funcs;
+                if(ef && ef->asn1_ex_clear) 
+                        ef->asn1_ex_clear(pval, it);
+                else *pval = NULL;
+                break;
+
+
+                case ASN1_ITYPE_PRIMITIVE:
+                if(it->templates) 
+                        asn1_template_clear(pval, it->templates);
+                else
+                        asn1_primitive_clear(pval, it);
+                break;
+
+                case ASN1_ITYPE_MSTRING:
+                asn1_primitive_clear(pval, it);
+                break;
+
+                case ASN1_ITYPE_COMPAT:
+                case ASN1_ITYPE_CHOICE:
+                case ASN1_ITYPE_SEQUENCE:
+                *pval = NULL;
+                break;
+        }
+}
+
+
+int ASN1_template_new(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
+{
+        const ASN1_ITEM *it = ASN1_ITEM_ptr(tt->item);
+        int ret;
+        if(tt->flags & ASN1_TFLG_OPTIONAL) {
+                asn1_template_clear(pval, tt);
+                return 1;
+        }
+        /* If ANY DEFINED BY nothing to do */
+
+        if(tt->flags & ASN1_TFLG_ADB_MASK) {
+                *pval = NULL;
+                return 1;
+        }
+#ifdef CRYPTO_MDEBUG
+        if(tt->field_name) CRYPTO_push_info(tt->field_name);
+#endif
+        /* If SET OF or SEQUENCE OF, its a STACK */
+        if(tt->flags & ASN1_TFLG_SK_MASK) {
+                STACK_OF(ASN1_VALUE) *skval;
+                skval = sk_ASN1_VALUE_new_null();
+                if(!skval) {
+                        ASN1err(ASN1_F_ASN1_TEMPLATE_NEW, ERR_R_MALLOC_FAILURE);
+                        ret = 0;
+                        goto done;
+                }
+                *pval = (ASN1_VALUE *)skval;
+                ret = 1;
+                goto done;
+        }
+        /* Otherwise pass it back to the item routine */
+        ret = asn1_item_ex_combine_new(pval, it, tt->flags & ASN1_TFLG_COMBINE);
+        done:
+#ifdef CRYPTO_MDEBUG
+        if(it->sname) CRYPTO_pop_info();
+#endif
+        return ret;
+}
+
+static void asn1_template_clear(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
+{
+        /* If ADB or STACK just NULL the field */
+        if(tt->flags & (ASN1_TFLG_ADB_MASK|ASN1_TFLG_SK_MASK)) 
+                *pval = NULL;
+        else
+                asn1_item_clear(pval, ASN1_ITEM_ptr(tt->item));
+}
+
+
+/* NB: could probably combine most of the real XXX_new() behaviour and junk all the old
+ * functions.
+ */
+
+int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        ASN1_TYPE *typ;
+        int utype;
+        const ASN1_PRIMITIVE_FUNCS *pf;
+        pf = it->funcs;
+        if(pf && pf->prim_new) return pf->prim_new(pval, it);
+        if(!it || (it->itype == ASN1_ITYPE_MSTRING)) utype = -1;
+        else utype = it->utype;
+        switch(utype) {
+                case V_ASN1_OBJECT:
+                *pval = (ASN1_VALUE *)OBJ_nid2obj(NID_undef);
+                return 1;
+
+                case V_ASN1_BOOLEAN:
+                *(ASN1_BOOLEAN *)pval = it->size;
+                return 1;
+
+                case V_ASN1_NULL:
+                *pval = (ASN1_VALUE *)1;
+                return 1;
+
+                case V_ASN1_ANY:
+                typ = OPENSSL_malloc(sizeof(ASN1_TYPE));
+                if(!typ) return 0;
+                typ->value.ptr = NULL;
+                typ->type = -1;
+                *pval = (ASN1_VALUE *)typ;
+                break;
+
+                default:
+                *pval = (ASN1_VALUE *)ASN1_STRING_type_new(utype);
+                break;
+        }
+        if(*pval) return 1;
+        return 0;
+}
+
+void asn1_primitive_clear(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        int utype;
+        const ASN1_PRIMITIVE_FUNCS *pf;
+        pf = it->funcs;
+        if(pf) {
+                if(pf->prim_clear)
+                        pf->prim_clear(pval, it);
+                else 
+                        *pval = NULL;
+                return;
+        }
+        if(!it || (it->itype == ASN1_ITYPE_MSTRING)) utype = -1;
+        else utype = it->utype;
+        if(utype == V_ASN1_BOOLEAN)
+                *(ASN1_BOOLEAN *)pval = it->size;
+        else *pval = NULL;
+}
diff --git a/src/lib/libssl/src/crypto/asn1/tasn_prn.c b/src/lib/libssl/src/crypto/asn1/tasn_prn.c
new file mode 100644
index 0000000000..fab67ae5ac
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/tasn_prn.c
@@ -0,0 +1,198 @@
+/* tasn_prn.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stddef.h>
+#include <openssl/asn1.h>
+#include <openssl/objects.h>
+#include <openssl/buffer.h>
+#include <openssl/err.h>
+#include <openssl/nasn.h>
+
+/* Print routines. Print out a whole structure from a template.
+ */
+
+static int asn1_item_print_nm(BIO *out, void *fld, int indent, const ASN1_ITEM *it, const char *name);
+
+int ASN1_item_print(BIO *out, void *fld, int indent, const ASN1_ITEM *it)
+{
+        return asn1_item_print_nm(out, fld, indent, it, it->sname);
+}
+
+static int asn1_item_print_nm(BIO *out, void *fld, int indent, const ASN1_ITEM *it, const char *name)
+{
+        ASN1_STRING *str;
+        const ASN1_TEMPLATE *tt;
+        void *tmpfld;
+        int i;
+        if(!fld) {
+                BIO_printf(out, "%*s%s ABSENT\n", indent, "", name);
+                return 1;
+        }
+        switch(it->itype) {
+
+                case ASN1_ITYPE_PRIMITIVE:
+                if(it->templates)
+                        return ASN1_template_print(out, fld, indent, it->templates);
+                return asn1_primitive_print(out, fld, it->utype, indent, name);
+                break;
+
+                case ASN1_ITYPE_MSTRING:
+                str = fld;
+                return asn1_primitive_print(out, fld, str->type, indent, name);
+
+                case ASN1_ITYPE_EXTERN:
+                BIO_printf(out, "%*s%s:EXTERNAL TYPE %s %s\n", indent, "", name, it->sname, fld ? "" : "ABSENT");
+                return 1;
+                case ASN1_ITYPE_COMPAT:
+                BIO_printf(out, "%*s%s:COMPATIBLE TYPE %s %s\n", indent, "", name, it->sname, fld ? "" : "ABSENT");
+                return 1;
+
+
+                case ASN1_ITYPE_CHOICE:
+                /* CHOICE type, get selector */
+                i = asn1_get_choice_selector(fld, it);
+                /* This should never happen... */
+                if((i < 0) || (i >= it->tcount)) {
+                        BIO_printf(out, "%s selector [%d] out of range\n", it->sname, i);
+                        return 1;
+                }
+                tt = it->templates + i;
+                tmpfld = asn1_get_field(fld, tt);
+                return ASN1_template_print(out, tmpfld, indent, tt);
+
+                case ASN1_ITYPE_SEQUENCE:
+                BIO_printf(out, "%*s%s {\n", indent, "", name);
+                /* Get each field entry */
+                for(i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
+                        tmpfld = asn1_get_field(fld, tt);
+                        ASN1_template_print(out, tmpfld, indent + 2, tt);
+                }
+                BIO_printf(out, "%*s}\n", indent, "");
+                return 1;
+
+                default:
+                return 0;
+        }
+}
+
+int ASN1_template_print(BIO *out, void *fld, int indent, const ASN1_TEMPLATE *tt)
+{
+        int i, flags;
+#if 0
+        if(!fld) return 0; 
+#endif
+        flags = tt->flags;
+        if(flags & ASN1_TFLG_SK_MASK) {
+                char *tname;
+                void *skitem;
+                /* SET OF, SEQUENCE OF */
+                if(flags & ASN1_TFLG_SET_OF) tname = "SET";
+                else tname = "SEQUENCE";
+                if(fld) {
+                        BIO_printf(out, "%*s%s OF %s {\n", indent, "", tname, tt->field_name);
+                        for(i = 0; i < sk_num(fld); i++) {
+                                skitem = sk_value(fld, i);
+                                asn1_item_print_nm(out, skitem, indent + 2, tt->item, "");
+                        }
+                        BIO_printf(out, "%*s}\n", indent, "");
+                } else 
+                        BIO_printf(out, "%*s%s OF %s ABSENT\n", indent, "", tname, tt->field_name);
+                return 1;
+        }
+        return asn1_item_print_nm(out, fld, indent, tt->item, tt->field_name);
+}
+
+static int asn1_primitive_print(BIO *out, void *fld, long utype, int indent, const char *name)
+{
+        ASN1_STRING *str = fld;
+        if(fld) {
+                if(utype == V_ASN1_BOOLEAN) {
+                        int *bool = fld;
+if(*bool == -1) printf("BOOL MISSING\n");
+                        BIO_printf(out, "%*s%s:%s", indent, "", "BOOLEAN", *bool ? "TRUE" : "FALSE");
+                } else if((utype == V_ASN1_INTEGER) 
+                          || (utype == V_ASN1_ENUMERATED)) {
+                        char *s, *nm;
+                        s = i2s_ASN1_INTEGER(NULL, fld);
+                        if(utype == V_ASN1_INTEGER) nm = "INTEGER";
+                        else nm = "ENUMERATED";
+                        BIO_printf(out, "%*s%s:%s", indent, "", nm, s);
+                        OPENSSL_free(s);
+                } else if(utype == V_ASN1_NULL) {
+                        BIO_printf(out, "%*s%s", indent, "", "NULL");
+                } else if(utype == V_ASN1_UTCTIME) {
+                        BIO_printf(out, "%*s%s:%s:", indent, "", name, "UTCTIME");
+                        ASN1_UTCTIME_print(out, str);
+                } else if(utype == V_ASN1_GENERALIZEDTIME) {
+                        BIO_printf(out, "%*s%s:%s:", indent, "", name, "GENERALIZEDTIME");
+                        ASN1_GENERALIZEDTIME_print(out, str);
+                } else if(utype == V_ASN1_OBJECT) {
+                        char objbuf[80], *ln;
+                        ln = OBJ_nid2ln(OBJ_obj2nid(fld));
+                        if(!ln) ln = "";
+                        OBJ_obj2txt(objbuf, 80, fld, 1);
+                        BIO_printf(out, "%*s%s:%s (%s)", indent, "", "OBJECT", ln, objbuf);
+                } else {
+                        BIO_printf(out, "%*s%s:", indent, "", name);
+                        ASN1_STRING_print_ex(out, str, ASN1_STRFLGS_DUMP_UNKNOWN|ASN1_STRFLGS_SHOW_TYPE);
+                }
+                BIO_printf(out, "\n");
+        } else BIO_printf(out, "%*s%s [ABSENT]\n", indent, "", name);
+        return 1;
+}
diff --git a/src/lib/libssl/src/crypto/asn1/tasn_typ.c b/src/lib/libssl/src/crypto/asn1/tasn_typ.c
new file mode 100644
index 0000000000..804d2eeba2
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/tasn_typ.c
@@ -0,0 +1,133 @@
+/* tasn_typ.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#include <stdio.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+
+/* Declarations for string types */
+
+
+IMPLEMENT_ASN1_TYPE(ASN1_INTEGER)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_INTEGER)
+
+IMPLEMENT_ASN1_TYPE(ASN1_ENUMERATED)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_ENUMERATED)
+
+IMPLEMENT_ASN1_TYPE(ASN1_BIT_STRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_BIT_STRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_OCTET_STRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_OCTET_STRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_NULL)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_NULL)
+
+IMPLEMENT_ASN1_TYPE(ASN1_OBJECT)
+
+IMPLEMENT_ASN1_TYPE(ASN1_UTF8STRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_UTF8STRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_PRINTABLESTRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_PRINTABLESTRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_T61STRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_T61STRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_IA5STRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_IA5STRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_GENERALSTRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_GENERALSTRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_UTCTIME)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_UTCTIME)
+
+IMPLEMENT_ASN1_TYPE(ASN1_GENERALIZEDTIME)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_GENERALIZEDTIME)
+
+IMPLEMENT_ASN1_TYPE(ASN1_VISIBLESTRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_VISIBLESTRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_UNIVERSALSTRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_UNIVERSALSTRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_BMPSTRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_BMPSTRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_ANY)
+
+/* Just swallow an ASN1_SEQUENCE in an ASN1_STRING */
+IMPLEMENT_ASN1_TYPE(ASN1_SEQUENCE)
+
+IMPLEMENT_ASN1_FUNCTIONS_fname(ASN1_TYPE, ASN1_ANY, ASN1_TYPE)
+
+/* Multistring types */
+
+IMPLEMENT_ASN1_MSTRING(ASN1_PRINTABLE, B_ASN1_PRINTABLE)
+IMPLEMENT_ASN1_FUNCTIONS_name(ASN1_STRING, ASN1_PRINTABLE)
+
+IMPLEMENT_ASN1_MSTRING(DISPLAYTEXT, B_ASN1_DISPLAYTEXT)
+IMPLEMENT_ASN1_FUNCTIONS_name(ASN1_STRING, DISPLAYTEXT)
+
+IMPLEMENT_ASN1_MSTRING(DIRECTORYSTRING, B_ASN1_DIRECTORYSTRING)
+IMPLEMENT_ASN1_FUNCTIONS_name(ASN1_STRING, DIRECTORYSTRING)
+
+/* Three separate BOOLEAN type: normal, DEFAULT TRUE and DEFAULT FALSE */
+IMPLEMENT_ASN1_TYPE_ex(ASN1_BOOLEAN, ASN1_BOOLEAN, -1)
+IMPLEMENT_ASN1_TYPE_ex(ASN1_TBOOLEAN, ASN1_BOOLEAN, 1)
+IMPLEMENT_ASN1_TYPE_ex(ASN1_FBOOLEAN, ASN1_BOOLEAN, 0)
diff --git a/src/lib/libssl/src/crypto/asn1/tasn_utl.c b/src/lib/libssl/src/crypto/asn1/tasn_utl.c
new file mode 100644
index 0000000000..8996ce8c13
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/tasn_utl.c
@@ -0,0 +1,253 @@
+/* tasn_utl.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stddef.h>
+#include <string.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/objects.h>
+#include <openssl/err.h>
+
+/* Utility functions for manipulating fields and offsets */
+
+/* Add 'offset' to 'addr' */
+#define offset2ptr(addr, offset) (void *)(((char *) addr) + offset)
+
+/* Given an ASN1_ITEM CHOICE type return
+ * the selector value
+ */
+
+int asn1_get_choice_selector(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        int *sel = offset2ptr(*pval, it->utype);
+        return *sel;
+}
+
+/* Given an ASN1_ITEM CHOICE type set
+ * the selector value, return old value.
+ */
+
+int asn1_set_choice_selector(ASN1_VALUE **pval, int value, const ASN1_ITEM *it)
+{       
+        int *sel, ret;
+        sel = offset2ptr(*pval, it->utype);
+        ret = *sel;
+        *sel = value;
+        return ret;
+}
+
+/* Do reference counting. The value 'op' decides what to do. 
+ * if it is +1 then the count is incremented. If op is 0 count is
+ * set to 1. If op is -1 count is decremented and the return value
+ * is the current refrence count or 0 if no reference count exists.
+ */
+
+int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it)
+{
+        const ASN1_AUX *aux;
+        int *lck, ret;
+        if(it->itype != ASN1_ITYPE_SEQUENCE) return 0;
+        aux = it->funcs;
+        if(!aux || !(aux->flags & ASN1_AFLG_REFCOUNT)) return 0;
+        lck = offset2ptr(*pval, aux->ref_offset);
+        if(op == 0) {
+                *lck = 1;
+                return 1;
+        }
+        ret = CRYPTO_add(lck, op, aux->ref_lock);
+#ifdef REF_PRINT
+        fprintf(stderr, "%s: Reference Count: %d\n", it->sname, *lck);
+#endif
+#ifdef REF_CHECK
+        if(ret < 0) 
+                fprintf(stderr, "%s, bad reference count\n", it->sname);
+#endif
+        return ret;
+}
+
+static ASN1_ENCODING *asn1_get_enc_ptr(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        const ASN1_AUX *aux;
+        if(!pval || !*pval) return NULL;
+        aux = it->funcs;
+        if(!aux || !(aux->flags & ASN1_AFLG_ENCODING)) return NULL;
+        return offset2ptr(*pval, aux->enc_offset);
+}
+
+void asn1_enc_init(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        ASN1_ENCODING *enc;
+        enc = asn1_get_enc_ptr(pval, it);
+        if(enc) {
+                enc->enc = NULL;
+                enc->len = 0;
+                enc->modified = 1;
+        }
+}
+
+void asn1_enc_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        ASN1_ENCODING *enc;
+        enc = asn1_get_enc_ptr(pval, it);
+        if(enc) {
+                if(enc->enc) OPENSSL_free(enc->enc);
+                enc->enc = NULL;
+                enc->len = 0;
+                enc->modified = 1;
+        }
+}
+
+int asn1_enc_save(ASN1_VALUE **pval, unsigned char *in, int inlen, const ASN1_ITEM *it)
+{
+        ASN1_ENCODING *enc;
+        enc = asn1_get_enc_ptr(pval, it);
+        if(!enc) return 1;
+
+        if(enc->enc) OPENSSL_free(enc->enc);
+        enc->enc = OPENSSL_malloc(inlen);
+        if(!enc->enc) return 0;
+        memcpy(enc->enc, in, inlen);
+        enc->len = inlen;
+        enc->modified = 0;
+
+        return 1;
+}
+                
+int asn1_enc_restore(int *len, unsigned char **out, ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        ASN1_ENCODING *enc;
+        enc = asn1_get_enc_ptr(pval, it);
+        if(!enc || enc->modified) return 0;
+        if(out) {
+                memcpy(*out, enc->enc, enc->len);
+                *out += enc->len;
+        }
+        if(len) *len = enc->len;
+        return 1;
+}
+
+/* Given an ASN1_TEMPLATE get a pointer to a field */
+ASN1_VALUE ** asn1_get_field_ptr(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
+{
+        ASN1_VALUE **pvaltmp;
+        if(tt->flags & ASN1_TFLG_COMBINE) return pval;
+        pvaltmp = offset2ptr(*pval, tt->offset);
+        /* NOTE for BOOLEAN types the field is just a plain
+         * int so we can't return int **, so settle for
+         * (int *).
+         */
+        return pvaltmp;
+}
+
+/* Handle ANY DEFINED BY template, find the selector, look up
+ * the relevant ASN1_TEMPLATE in the table and return it.
+ */
+
+const ASN1_TEMPLATE *asn1_do_adb(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt, int nullerr)
+{
+        const ASN1_ADB *adb;
+        const ASN1_ADB_TABLE *atbl;
+        long selector;
+        ASN1_VALUE **sfld;
+        int i;
+        if(!(tt->flags & ASN1_TFLG_ADB_MASK)) return tt;
+
+        /* Else ANY DEFINED BY ... get the table */
+        adb = ASN1_ADB_ptr(tt->item);
+
+        /* Get the selector field */
+        sfld = offset2ptr(*pval, adb->offset);
+
+        /* Check if NULL */
+        if(!sfld) {
+                if(!adb->null_tt) goto err;
+                return adb->null_tt;
+        }
+
+        /* Convert type to a long:
+         * NB: don't check for NID_undef here because it
+         * might be a legitimate value in the table
+         */
+        if(tt->flags & ASN1_TFLG_ADB_OID) 
+                selector = OBJ_obj2nid((ASN1_OBJECT *)*sfld);
+        else 
+                selector = ASN1_INTEGER_get((ASN1_INTEGER *)*sfld);
+
+        /* Try to find matching entry in table
+         * Maybe should check application types first to
+         * allow application override? Might also be useful
+         * to have a flag which indicates table is sorted and
+         * we can do a binary search. For now stick to a
+         * linear search.
+         */
+
+        for(atbl = adb->tbl, i = 0; i < adb->tblcount; i++, atbl++)
+                if(atbl->value == selector) return &atbl->tt;
+
+        /* FIXME: need to search application table too */
+
+        /* No match, return default type */
+        if(!adb->default_tt) goto err;          
+        return adb->default_tt;
+        
+        err:
+        /* FIXME: should log the value or OID of unsupported type */
+        if(nullerr) ASN1err(ASN1_F_ASN1_DO_ADB, ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE);
+        return NULL;
+}
diff --git a/src/lib/libssl/src/crypto/asn1/x_bignum.c b/src/lib/libssl/src/crypto/asn1/x_bignum.c
new file mode 100644
index 0000000000..848c7a0877
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/x_bignum.c
@@ -0,0 +1,137 @@
+/* x_bignum.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1t.h>
+
+/* Custom primitive type for BIGNUM handling. This reads in an ASN1_INTEGER as a
+ * BIGNUM directly. Currently it ignores the sign which isn't a problem since all
+ * BIGNUMs used are non negative and anything that looks negative is normally due
+ * to an encoding error.
+ */
+
+#define BN_SENSITIVE    1
+
+static int bn_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
+static void bn_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
+
+static int bn_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it);
+static int bn_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it);
+
+static ASN1_PRIMITIVE_FUNCS bignum_pf = {
+        NULL, 0,
+        bn_new,
+        bn_free,
+        0,
+        bn_c2i,
+        bn_i2c
+};
+
+ASN1_ITEM_start(BIGNUM)
+        ASN1_ITYPE_PRIMITIVE, V_ASN1_INTEGER, NULL, 0, &bignum_pf, 0, "BIGNUM"
+ASN1_ITEM_end(BIGNUM)
+
+ASN1_ITEM_start(CBIGNUM)
+        ASN1_ITYPE_PRIMITIVE, V_ASN1_INTEGER, NULL, 0, &bignum_pf, BN_SENSITIVE, "BIGNUM"
+ASN1_ITEM_end(CBIGNUM)
+
+static int bn_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        *pval = (ASN1_VALUE *)BN_new();
+        if(*pval) return 1;
+        else return 0;
+}
+
+static void bn_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        if(!*pval) return;
+        if(it->size & BN_SENSITIVE) BN_clear_free((BIGNUM *)*pval);
+        else BN_free((BIGNUM *)*pval);
+        *pval = NULL;
+}
+
+static int bn_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it)
+{
+        BIGNUM *bn;
+        int pad;
+        if(!*pval) return -1;
+        bn = (BIGNUM *)*pval;
+        /* If MSB set in an octet we need a padding byte */
+        if(BN_num_bits(bn) & 0x7) pad = 0;
+        else pad = 1;
+        if(cont) {
+                if(pad) *cont++ = 0;
+                BN_bn2bin(bn, cont);
+        }
+        return pad + BN_num_bytes(bn);
+}
+
+static int bn_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it)
+{
+        BIGNUM *bn;
+        if(!*pval) bn_new(pval, it);
+        bn  = (BIGNUM *)*pval;
+        if(!BN_bin2bn(cont, len, bn)) {
+                bn_free(pval, it);
+                return 0;
+        }
+        return 1;
+}
+
+
diff --git a/src/lib/libssl/src/crypto/asn1/x_long.c b/src/lib/libssl/src/crypto/asn1/x_long.c
new file mode 100644
index 0000000000..c5f25956cb
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/x_long.c
@@ -0,0 +1,169 @@
+/* x_long.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1t.h>
+
+/* Custom primitive type for long handling. This converts between an ASN1_INTEGER
+ * and a long directly.
+ */
+
+
+static int long_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
+static void long_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
+
+static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it);
+static int long_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it);
+
+static ASN1_PRIMITIVE_FUNCS long_pf = {
+        NULL, 0,
+        long_new,
+        long_free,
+        long_free,      /* Clear should set to initial value */
+        long_c2i,
+        long_i2c
+};
+
+ASN1_ITEM_start(LONG)
+        ASN1_ITYPE_PRIMITIVE, V_ASN1_INTEGER, NULL, 0, &long_pf, ASN1_LONG_UNDEF, "LONG"
+ASN1_ITEM_end(LONG)
+
+ASN1_ITEM_start(ZLONG)
+        ASN1_ITYPE_PRIMITIVE, V_ASN1_INTEGER, NULL, 0, &long_pf, 0, "ZLONG"
+ASN1_ITEM_end(ZLONG)
+
+static int long_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        *(long *)pval = it->size;
+        return 1;
+}
+
+static void long_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        *(long *)pval = it->size;
+}
+
+static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it)
+{
+        long ltmp;
+        unsigned long utmp;
+        int clen, pad, i;
+        /* this exists to bypass broken gcc optimization */
+        char *cp = (char *)pval;
+
+        /* use memcpy, because we may not be long aligned */
+        memcpy(&ltmp, cp, sizeof(long));
+
+        if(ltmp == it->size) return -1;
+        /* Convert the long to positive: we subtract one if negative so
+         * we can cleanly handle the padding if only the MSB of the leading
+         * octet is set. 
+         */
+        if(ltmp < 0) utmp = -ltmp - 1;
+        else utmp = ltmp;
+        clen = BN_num_bits_word(utmp);
+        /* If MSB of leading octet set we need to pad */
+        if(!(clen & 0x7)) pad = 1;
+        else pad = 0;
+
+        /* Convert number of bits to number of octets */
+        clen = (clen + 7) >> 3;
+
+        if(cont) {
+                if(pad) *cont++ = (ltmp < 0) ? 0xff : 0;
+                for(i = clen - 1; i >= 0; i--) {
+                        cont[i] = (unsigned char)(utmp & 0xff);
+                        if(ltmp < 0) cont[i] ^= 0xff;
+                        utmp >>= 8;
+                }
+        }
+        return clen + pad;
+}
+
+static int long_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it)
+{
+        int neg, i;
+        long ltmp;
+        unsigned long utmp = 0;
+        char *cp = (char *)pval;
+        if(len > sizeof(long)) {
+                ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
+                return 0;
+        }
+        /* Is it negative? */
+        if(len && (cont[0] & 0x80)) neg = 1;
+        else neg = 0;
+        utmp = 0;
+        for(i = 0; i < len; i++) {
+                utmp <<= 8;
+                if(neg) utmp |= cont[i] ^ 0xff;
+                else utmp |= cont[i];
+        }
+        ltmp = (long)utmp;
+        if(neg) {
+                ltmp++;
+                ltmp = -ltmp;
+        }
+        if(ltmp == it->size) {
+                ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
+                return 0;
+        }
+        memcpy(cp, &ltmp, sizeof(long));
+        return 1;
+}
diff --git a/src/lib/libssl/src/crypto/asn1/x_x509a.c b/src/lib/libssl/src/crypto/asn1/x_x509a.c
new file mode 100644
index 0000000000..b9987ea968
--- /dev/null
+++ b/src/lib/libssl/src/crypto/asn1/x_x509a.c
@@ -0,0 +1,200 @@
+/* a_x509a.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+
+/* X509_CERT_AUX routines. These are used to encode additional
+ * user modifiable data about a certificate. This data is
+ * appended to the X509 encoding when the *_X509_AUX routines
+ * are used. This means that the "traditional" X509 routines
+ * will simply ignore the extra data. 
+ */
+
+static X509_CERT_AUX *aux_get(X509 *x);
+
+X509_CERT_AUX *d2i_X509_CERT_AUX(X509_CERT_AUX **a, unsigned char **pp, long length)
+{
+        M_ASN1_D2I_vars(a, X509_CERT_AUX *, X509_CERT_AUX_new);
+        
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+
+        M_ASN1_D2I_get_seq_opt_type(ASN1_OBJECT, ret->trust,
+                                        d2i_ASN1_OBJECT, ASN1_OBJECT_free);
+        M_ASN1_D2I_get_IMP_set_opt_type(ASN1_OBJECT, ret->reject,
+                                        d2i_ASN1_OBJECT, ASN1_OBJECT_free, 0);
+        M_ASN1_D2I_get_opt(ret->alias, d2i_ASN1_UTF8STRING, V_ASN1_UTF8STRING);
+        M_ASN1_D2I_get_opt(ret->keyid, d2i_ASN1_OCTET_STRING, V_ASN1_OCTET_STRING);
+        M_ASN1_D2I_get_IMP_set_opt_type(X509_ALGOR, ret->other,
+                                        d2i_X509_ALGOR, X509_ALGOR_free, 1);
+
+        M_ASN1_D2I_Finish(a, X509_CERT_AUX_free, ASN1_F_D2I_X509_CERT_AUX);
+}
+
+X509_CERT_AUX *X509_CERT_AUX_new()
+{
+        X509_CERT_AUX *ret = NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, X509_CERT_AUX);
+        ret->trust = NULL;
+        ret->reject = NULL;
+        ret->alias = NULL;
+        ret->keyid = NULL;
+        ret->other = NULL;
+        return(ret);
+        M_ASN1_New_Error(ASN1_F_X509_CERT_AUX_NEW);
+}
+
+void X509_CERT_AUX_free(X509_CERT_AUX *a)
+{
+        if(a == NULL) return;
+        sk_ASN1_OBJECT_pop_free(a->trust, ASN1_OBJECT_free);
+        sk_ASN1_OBJECT_pop_free(a->reject, ASN1_OBJECT_free);
+        ASN1_UTF8STRING_free(a->alias);
+        ASN1_OCTET_STRING_free(a->keyid);
+        sk_X509_ALGOR_pop_free(a->other, X509_ALGOR_free);
+        Free(a);
+}
+
+int i2d_X509_CERT_AUX(X509_CERT_AUX *a, unsigned char **pp)
+{
+        M_ASN1_I2D_vars(a);
+
+        M_ASN1_I2D_len_SEQUENCE_opt_type(ASN1_OBJECT, a->trust, i2d_ASN1_OBJECT);
+        M_ASN1_I2D_len_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->reject, i2d_ASN1_OBJECT, 0);
+
+        M_ASN1_I2D_len(a->alias, i2d_ASN1_UTF8STRING);
+        M_ASN1_I2D_len(a->keyid, i2d_ASN1_OCTET_STRING);
+        M_ASN1_I2D_len_IMP_SEQUENCE_opt_type(X509_ALGOR, a->other, i2d_X509_ALGOR, 1);
+
+        M_ASN1_I2D_seq_total();
+
+        M_ASN1_I2D_put_SEQUENCE_opt_type(ASN1_OBJECT, a->trust, i2d_ASN1_OBJECT);
+        M_ASN1_I2D_put_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->reject, i2d_ASN1_OBJECT, 0);
+
+        M_ASN1_I2D_put(a->alias, i2d_ASN1_UTF8STRING);
+        M_ASN1_I2D_put(a->keyid, i2d_ASN1_OCTET_STRING);
+        M_ASN1_I2D_put_IMP_SEQUENCE_opt_type(X509_ALGOR, a->other, i2d_X509_ALGOR, 1);
+
+        M_ASN1_I2D_finish();
+}
+
+static X509_CERT_AUX *aux_get(X509 *x)
+{
+        if(!x) return NULL;
+        if(!x->aux && !(x->aux = X509_CERT_AUX_new())) return NULL;
+        return x->aux;
+}
+
+int X509_alias_set1(X509 *x, unsigned char *name, int len)
+{
+        X509_CERT_AUX *aux;
+        if(!(aux = aux_get(x))) return 0;
+        if(!aux->alias && !(aux->alias = ASN1_UTF8STRING_new())) return 0;
+        return ASN1_STRING_set(aux->alias, name, len);
+}
+
+unsigned char *X509_alias_get0(X509 *x, int *len)
+{
+        if(!x->aux || !x->aux->alias) return NULL;
+        if(len) *len = x->aux->alias->length;
+        return x->aux->alias->data;
+}
+
+int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj)
+{
+        X509_CERT_AUX *aux;
+        ASN1_OBJECT *objtmp;
+        if(!(objtmp = OBJ_dup(obj))) return 0;
+        if(!(aux = aux_get(x))) return 0;
+        if(!aux->trust
+                && !(aux->trust = sk_ASN1_OBJECT_new_null())) return 0;
+        return sk_ASN1_OBJECT_push(aux->trust, objtmp);
+}
+
+int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj)
+{
+        X509_CERT_AUX *aux;
+        ASN1_OBJECT *objtmp;
+        if(!(objtmp = OBJ_dup(obj))) return 0;
+        if(!(aux = aux_get(x))) return 0;
+        if(!aux->reject
+                && !(aux->reject = sk_ASN1_OBJECT_new_null())) return 0;
+        return sk_ASN1_OBJECT_push(aux->reject, objtmp);
+}
+
+void X509_trust_clear(X509 *x)
+{
+        if(x->aux && x->aux->trust) {
+                sk_ASN1_OBJECT_pop_free(x->aux->trust, ASN1_OBJECT_free);
+                x->aux->trust = NULL;
+        }
+}
+
+void X509_reject_clear(X509 *x)
+{
+        if(x->aux && x->aux->reject) {
+                sk_ASN1_OBJECT_pop_free(x->aux->reject, ASN1_OBJECT_free);
+                x->aux->reject = NULL;
+        }
+}
+
diff --git a/src/lib/libssl/src/crypto/bf/bf_locl.h b/src/lib/libssl/src/crypto/bf/bf_locl.h
new file mode 100644
index 0000000000..05756b5d3b
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bf/bf_locl.h
@@ -0,0 +1,219 @@
+/* crypto/bf/bf_locl.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_BF_LOCL_H
+#define HEADER_BF_LOCL_H
+#include <openssl/opensslconf.h> /* BF_PTR, BF_PTR2 */
+
+#undef c2l
+#define c2l(c,l)        (l =((unsigned long)(*((c)++)))    , \
+                         l|=((unsigned long)(*((c)++)))<< 8L, \
+                         l|=((unsigned long)(*((c)++)))<<16L, \
+                         l|=((unsigned long)(*((c)++)))<<24L)
+
+/* NOTE - c is not incremented as per c2l */
+#undef c2ln
+#define c2ln(c,l1,l2,n) { \
+                        c+=n; \
+                        l1=l2=0; \
+                        switch (n) { \
+                        case 8: l2 =((unsigned long)(*(--(c))))<<24L; \
+                        case 7: l2|=((unsigned long)(*(--(c))))<<16L; \
+                        case 6: l2|=((unsigned long)(*(--(c))))<< 8L; \
+                        case 5: l2|=((unsigned long)(*(--(c))));     \
+                        case 4: l1 =((unsigned long)(*(--(c))))<<24L; \
+                        case 3: l1|=((unsigned long)(*(--(c))))<<16L; \
+                        case 2: l1|=((unsigned long)(*(--(c))))<< 8L; \
+                        case 1: l1|=((unsigned long)(*(--(c))));     \
+                                } \
+                        }
+
+#undef l2c
+#define l2c(l,c)        (*((c)++)=(unsigned char)(((l)     )&0xff), \
+                         *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>>24L)&0xff))
+
+/* NOTE - c is not incremented as per l2c */
+#undef l2cn
+#define l2cn(l1,l2,c,n) { \
+                        c+=n; \
+                        switch (n) { \
+                        case 8: *(--(c))=(unsigned char)(((l2)>>24L)&0xff); \
+                        case 7: *(--(c))=(unsigned char)(((l2)>>16L)&0xff); \
+                        case 6: *(--(c))=(unsigned char)(((l2)>> 8L)&0xff); \
+                        case 5: *(--(c))=(unsigned char)(((l2)     )&0xff); \
+                        case 4: *(--(c))=(unsigned char)(((l1)>>24L)&0xff); \
+                        case 3: *(--(c))=(unsigned char)(((l1)>>16L)&0xff); \
+                        case 2: *(--(c))=(unsigned char)(((l1)>> 8L)&0xff); \
+                        case 1: *(--(c))=(unsigned char)(((l1)     )&0xff); \
+                                } \
+                        }
+
+/* NOTE - c is not incremented as per n2l */
+#define n2ln(c,l1,l2,n) { \
+                        c+=n; \
+                        l1=l2=0; \
+                        switch (n) { \
+                        case 8: l2 =((unsigned long)(*(--(c))))    ; \
+                        case 7: l2|=((unsigned long)(*(--(c))))<< 8; \
+                        case 6: l2|=((unsigned long)(*(--(c))))<<16; \
+                        case 5: l2|=((unsigned long)(*(--(c))))<<24; \
+                        case 4: l1 =((unsigned long)(*(--(c))))    ; \
+                        case 3: l1|=((unsigned long)(*(--(c))))<< 8; \
+                        case 2: l1|=((unsigned long)(*(--(c))))<<16; \
+                        case 1: l1|=((unsigned long)(*(--(c))))<<24; \
+                                } \
+                        }
+
+/* NOTE - c is not incremented as per l2n */
+#define l2nn(l1,l2,c,n) { \
+                        c+=n; \
+                        switch (n) { \
+                        case 8: *(--(c))=(unsigned char)(((l2)    )&0xff); \
+                        case 7: *(--(c))=(unsigned char)(((l2)>> 8)&0xff); \
+                        case 6: *(--(c))=(unsigned char)(((l2)>>16)&0xff); \
+                        case 5: *(--(c))=(unsigned char)(((l2)>>24)&0xff); \
+                        case 4: *(--(c))=(unsigned char)(((l1)    )&0xff); \
+                        case 3: *(--(c))=(unsigned char)(((l1)>> 8)&0xff); \
+                        case 2: *(--(c))=(unsigned char)(((l1)>>16)&0xff); \
+                        case 1: *(--(c))=(unsigned char)(((l1)>>24)&0xff); \
+                                } \
+                        }
+
+#undef n2l
+#define n2l(c,l)        (l =((unsigned long)(*((c)++)))<<24L, \
+                         l|=((unsigned long)(*((c)++)))<<16L, \
+                         l|=((unsigned long)(*((c)++)))<< 8L, \
+                         l|=((unsigned long)(*((c)++))))
+
+#undef l2n
+#define l2n(l,c)        (*((c)++)=(unsigned char)(((l)>>24L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)     )&0xff))
+
+/* This is actually a big endian algorithm, the most significate byte
+ * is used to lookup array 0 */
+
+#if defined(BF_PTR2)
+
+/*
+ * This is basically a special Intel version. Point is that Intel
+ * doesn't have many registers, but offers a reach choice of addressing
+ * modes. So we spare some registers by directly traversing BF_KEY
+ * structure and hiring the most decorated addressing mode. The code
+ * generated by EGCS is *perfectly* competitive with assembler
+ * implementation!
+ */
+#define BF_ENC(LL,R,KEY,Pi) (\
+        LL^=KEY[Pi], \
+        t=  KEY[BF_ROUNDS+2 +   0 + ((R>>24)&0xFF)], \
+        t+= KEY[BF_ROUNDS+2 + 256 + ((R>>16)&0xFF)], \
+        t^= KEY[BF_ROUNDS+2 + 512 + ((R>>8 )&0xFF)], \
+        t+= KEY[BF_ROUNDS+2 + 768 + ((R    )&0xFF)], \
+        LL^=t \
+        )
+
+#elif defined(BF_PTR)
+
+#ifndef BF_LONG_LOG2
+#define BF_LONG_LOG2  2       /* default to BF_LONG being 32 bits */
+#endif
+#define BF_M  (0xFF<<BF_LONG_LOG2)
+#define BF_0  (24-BF_LONG_LOG2)
+#define BF_1  (16-BF_LONG_LOG2)
+#define BF_2  ( 8-BF_LONG_LOG2)
+#define BF_3  BF_LONG_LOG2 /* left shift */
+
+/*
+ * This is normally very good on RISC platforms where normally you
+ * have to explicitely "multiplicate" array index by sizeof(BF_LONG)
+ * in order to caclulate the effective address. This implementation
+ * excuses CPU from this extra work. Power[PC] uses should have most
+ * fun as (R>>BF_i)&BF_M gets folded into a single instruction, namely
+ * rlwinm. So let'em double-check if their compiler does it.
+ */
+
+#define BF_ENC(LL,R,S,P) ( \
+        LL^=P, \
+        LL^= (((*(BF_LONG *)((unsigned char *)&(S[  0])+((R>>BF_0)&BF_M))+ \
+                *(BF_LONG *)((unsigned char *)&(S[256])+((R>>BF_1)&BF_M)))^ \
+                *(BF_LONG *)((unsigned char *)&(S[512])+((R>>BF_2)&BF_M)))+ \
+                *(BF_LONG *)((unsigned char *)&(S[768])+((R<<BF_3)&BF_M))) \
+        )
+#else
+
+/*
+ * This is a *generic* version. Seem to perform best on platforms that
+ * offer explicit support for extraction of 8-bit nibbles preferably
+ * complemented with "multiplying" of array index by sizeof(BF_LONG).
+ * For the moment of this writing the list comprises Alpha CPU featuring
+ * extbl and s[48]addq instructions.
+ */
+
+#define BF_ENC(LL,R,S,P) ( \
+        LL^=P, \
+        LL^=((( S[       ((int)(R>>24)&0xff)] + \
+                S[0x0100+((int)(R>>16)&0xff)])^ \
+                S[0x0200+((int)(R>> 8)&0xff)])+ \
+                S[0x0300+((int)(R    )&0xff)])&0xffffffffL \
+        )
+#endif
+
+#endif
diff --git a/src/lib/libssl/src/crypto/bio/bf_lbuf.c b/src/lib/libssl/src/crypto/bio/bf_lbuf.c
new file mode 100644
index 0000000000..7bcf8ed941
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bio/bf_lbuf.c
@@ -0,0 +1,397 @@
+/* crypto/bio/bf_buff.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <errno.h>
+#include "cryptlib.h"
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+
+static int linebuffer_write(BIO *h, const char *buf,int num);
+static int linebuffer_read(BIO *h, char *buf, int size);
+static int linebuffer_puts(BIO *h, const char *str);
+static int linebuffer_gets(BIO *h, char *str, int size);
+static long linebuffer_ctrl(BIO *h, int cmd, long arg1, void *arg2);
+static int linebuffer_new(BIO *h);
+static int linebuffer_free(BIO *data);
+static long linebuffer_callback_ctrl(BIO *h, int cmd, bio_info_cb *fp);
+
+/* A 10k maximum should be enough for most purposes */
+#define DEFAULT_LINEBUFFER_SIZE 1024*10
+
+/* #define DEBUG */
+
+static BIO_METHOD methods_linebuffer=
+        {
+        BIO_TYPE_LINEBUFFER,
+        "linebuffer",
+        linebuffer_write,
+        linebuffer_read,
+        linebuffer_puts,
+        linebuffer_gets,
+        linebuffer_ctrl,
+        linebuffer_new,
+        linebuffer_free,
+        linebuffer_callback_ctrl,
+        };
+
+BIO_METHOD *BIO_f_linebuffer(void)
+        {
+        return(&methods_linebuffer);
+        }
+
+typedef struct bio_linebuffer_ctx_struct
+        {
+        char *obuf;             /* the output char array */
+        int obuf_size;          /* how big is the output buffer */
+        int obuf_len;           /* how many bytes are in it */
+        } BIO_LINEBUFFER_CTX;
+
+static int linebuffer_new(BIO *bi)
+        {
+        BIO_LINEBUFFER_CTX *ctx;
+
+        ctx=(BIO_LINEBUFFER_CTX *)OPENSSL_malloc(sizeof(BIO_LINEBUFFER_CTX));
+        if (ctx == NULL) return(0);
+        ctx->obuf=(char *)OPENSSL_malloc(DEFAULT_LINEBUFFER_SIZE);
+        if (ctx->obuf == NULL) { OPENSSL_free(ctx); return(0); }
+        ctx->obuf_size=DEFAULT_LINEBUFFER_SIZE;
+        ctx->obuf_len=0;
+
+        bi->init=1;
+        bi->ptr=(char *)ctx;
+        bi->flags=0;
+        return(1);
+        }
+
+static int linebuffer_free(BIO *a)
+        {
+        BIO_LINEBUFFER_CTX *b;
+
+        if (a == NULL) return(0);
+        b=(BIO_LINEBUFFER_CTX *)a->ptr;
+        if (b->obuf != NULL) OPENSSL_free(b->obuf);
+        OPENSSL_free(a->ptr);
+        a->ptr=NULL;
+        a->init=0;
+        a->flags=0;
+        return(1);
+        }
+        
+static int linebuffer_read(BIO *b, char *out, int outl)
+        {
+        int ret=0;
+ 
+        if (out == NULL) return(0);
+        if (b->next_bio == NULL) return(0);
+        ret=BIO_read(b->next_bio,out,outl);
+        BIO_clear_retry_flags(b);
+        BIO_copy_next_retry(b);
+        return(ret);
+        }
+
+static int linebuffer_write(BIO *b, const char *in, int inl)
+        {
+        int i,num=0,foundnl;
+        BIO_LINEBUFFER_CTX *ctx;
+
+        if ((in == NULL) || (inl <= 0)) return(0);
+        ctx=(BIO_LINEBUFFER_CTX *)b->ptr;
+        if ((ctx == NULL) || (b->next_bio == NULL)) return(0);
+
+        BIO_clear_retry_flags(b);
+
+        do
+                {
+                const char *p;
+
+                for(p = in; p < in + inl && *p != '\n'; p++)
+                        ;
+                if (*p == '\n')
+                        {
+                        p++;
+                        foundnl = 1;
+                        }
+                else
+                        foundnl = 0;
+
+                /* If a NL was found and we already have text in the save
+                   buffer, concatenate them and write */
+                while ((foundnl || p - in > ctx->obuf_size - ctx->obuf_len)
+                        && ctx->obuf_len > 0)
+                        {
+                        int orig_olen = ctx->obuf_len;
+                        
+                        i = ctx->obuf_size - ctx->obuf_len;
+                        if (p - in > 0)
+                                {
+                                if (i >= p - in)
+                                        {
+                                        memcpy(&(ctx->obuf[ctx->obuf_len]),
+                                                in,p - in);
+                                        ctx->obuf_len += p - in;
+                                        inl -= p - in;
+                                        num += p - in;
+                                        in = p;
+                                        }
+                                else
+                                        {
+                                        memcpy(&(ctx->obuf[ctx->obuf_len]),
+                                                in,i);
+                                        ctx->obuf_len += i;
+                                        inl -= i;
+                                        in += i;
+                                        num += i;
+                                        }
+                                }
+
+#ifdef DEBUG
+BIO_write(b->next_bio, "<*<", 3);
+#endif
+                        i=BIO_write(b->next_bio,
+                                ctx->obuf, ctx->obuf_len);
+                        if (i <= 0)
+                                {
+                                ctx->obuf_len = orig_olen;
+                                BIO_copy_next_retry(b);
+
+#ifdef DEBUG
+BIO_write(b->next_bio, ">*>", 3);
+#endif
+                                if (i < 0) return((num > 0)?num:i);
+                                if (i == 0) return(num);
+                                }
+#ifdef DEBUG
+BIO_write(b->next_bio, ">*>", 3);
+#endif
+                        if (i < ctx->obuf_len)
+                                memmove(ctx->obuf, ctx->obuf + i,
+                                        ctx->obuf_len - i);
+                        ctx->obuf_len-=i;
+                        }
+
+                /* Now that the save buffer is emptied, let's write the input
+                   buffer if a NL was found and there is anything to write. */
+                if ((foundnl || p - in > ctx->obuf_size) && p - in > 0)
+                        {
+#ifdef DEBUG
+BIO_write(b->next_bio, "<*<", 3);
+#endif
+                        i=BIO_write(b->next_bio,in,p - in);
+                        if (i <= 0)
+                                {
+                                BIO_copy_next_retry(b);
+#ifdef DEBUG
+BIO_write(b->next_bio, ">*>", 3);
+#endif
+                                if (i < 0) return((num > 0)?num:i);
+                                if (i == 0) return(num);
+                                }
+#ifdef DEBUG
+BIO_write(b->next_bio, ">*>", 3);
+#endif
+                        num+=i;
+                        in+=i;
+                        inl-=i;
+                        }
+                }
+        while(foundnl && inl > 0);
+        /* We've written as much as we can.  The rest of the input buffer, if
+           any, is text that doesn't and with a NL and therefore needs to be
+           saved for the next trip. */
+        if (inl > 0)
+                {
+                memcpy(&(ctx->obuf[ctx->obuf_len]), in, inl);
+                ctx->obuf_len += inl;
+                num += inl;
+                }
+        return num;
+        }
+
+static long linebuffer_ctrl(BIO *b, int cmd, long num, void *ptr)
+        {
+        BIO *dbio;
+        BIO_LINEBUFFER_CTX *ctx;
+        long ret=1;
+        char *p;
+        int r;
+        int obs;
+
+        ctx=(BIO_LINEBUFFER_CTX *)b->ptr;
+
+        switch (cmd)
+                {
+        case BIO_CTRL_RESET:
+                ctx->obuf_len=0;
+                if (b->next_bio == NULL) return(0);
+                ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+                break;
+        case BIO_CTRL_INFO:
+                ret=(long)ctx->obuf_len;
+                break;
+        case BIO_CTRL_WPENDING:
+                ret=(long)ctx->obuf_len;
+                if (ret == 0)
+                        {
+                        if (b->next_bio == NULL) return(0);
+                        ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+                        }
+                break;
+        case BIO_C_SET_BUFF_SIZE:
+                obs=(int)num;
+                p=ctx->obuf;
+                if ((obs > DEFAULT_LINEBUFFER_SIZE) && (obs != ctx->obuf_size))
+                        {
+                        p=(char *)OPENSSL_malloc((int)num);
+                        if (p == NULL)
+                                goto malloc_error;
+                        }
+                if (ctx->obuf != p)
+                        {
+                        if (ctx->obuf_len > obs)
+                                {
+                                ctx->obuf_len = obs;
+                                }
+                        memcpy(p, ctx->obuf, ctx->obuf_len);
+                        OPENSSL_free(ctx->obuf);
+                        ctx->obuf=p;
+                        ctx->obuf_size=obs;
+                        }
+                break;
+        case BIO_C_DO_STATE_MACHINE:
+                if (b->next_bio == NULL) return(0);
+                BIO_clear_retry_flags(b);
+                ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+                BIO_copy_next_retry(b);
+                break;
+
+        case BIO_CTRL_FLUSH:
+                if (b->next_bio == NULL) return(0);
+                if (ctx->obuf_len <= 0)
+                        {
+                        ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+                        break;
+                        }
+
+                for (;;)
+                        {
+                        BIO_clear_retry_flags(b);
+                        if (ctx->obuf_len > 0)
+                                {
+                                r=BIO_write(b->next_bio,
+                                        ctx->obuf, ctx->obuf_len);
+#if 0
+fprintf(stderr,"FLUSH %3d -> %3d\n",ctx->obuf_len,r);
+#endif
+                                BIO_copy_next_retry(b);
+                                if (r <= 0) return((long)r);
+                                if (r < ctx->obuf_len)
+                                        memmove(ctx->obuf, ctx->obuf + r,
+                                                ctx->obuf_len - r);
+                                ctx->obuf_len-=r;
+                                }
+                        else
+                                {
+                                ctx->obuf_len=0;
+                                ret=1;
+                                break;
+                                }
+                        }
+                ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+                break;
+        case BIO_CTRL_DUP:
+                dbio=(BIO *)ptr;
+                if (    !BIO_set_write_buffer_size(dbio,ctx->obuf_size))
+                        ret=0;
+                break;
+        default:
+                if (b->next_bio == NULL) return(0);
+                ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+                break;
+                }
+        return(ret);
+malloc_error:
+        BIOerr(BIO_F_LINEBUFFER_CTRL,ERR_R_MALLOC_FAILURE);
+        return(0);
+        }
+
+static long linebuffer_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp)
+        {
+        long ret=1;
+
+        if (b->next_bio == NULL) return(0);
+        switch (cmd)
+                {
+        default:
+                ret=BIO_callback_ctrl(b->next_bio,cmd,fp);
+                break;
+                }
+        return(ret);
+        }
+
+static int linebuffer_gets(BIO *b, char *buf, int size)
+        {
+        if (b->next_bio == NULL) return(0);
+        return(BIO_gets(b->next_bio,buf,size));
+        }
+
+static int linebuffer_puts(BIO *b, const char *str)
+        {
+        return(linebuffer_write(b,str,strlen(str)));
+        }
+
diff --git a/src/lib/libssl/src/crypto/bio/bss_bio.c b/src/lib/libssl/src/crypto/bio/bss_bio.c
new file mode 100644
index 0000000000..562e9d8de2
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bio/bss_bio.c
@@ -0,0 +1,588 @@
+/* crypto/bio/bss_bio.c  -*- Mode: C; c-file-style: "eay" -*- */
+
+/* Special method for a BIO where the other endpoint is also a BIO
+ * of this kind, handled by the same thread (i.e. the "peer" is actually
+ * ourselves, wearing a different hat).
+ * Such "BIO pairs" are mainly for using the SSL library with I/O interfaces
+ * for which no specific BIO method is available.
+ * See ssl/ssltest.c for some hints on how this can be used. */
+
+#ifndef BIO_PAIR_DEBUG
+# undef NDEBUG /* avoid conflicting definitions */
+# define NDEBUG
+#endif
+
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/crypto.h>
+
+static int bio_new(BIO *bio);
+static int bio_free(BIO *bio);
+static int bio_read(BIO *bio, char *buf, int size);
+static int bio_write(BIO *bio, char *buf, int num);
+static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr);
+static int bio_puts(BIO *bio, char *str);
+
+static int bio_make_pair(BIO *bio1, BIO *bio2);
+static void bio_destroy_pair(BIO *bio);
+
+static BIO_METHOD methods_biop =
+{
+        BIO_TYPE_BIO,
+        "BIO pair",
+        bio_write,
+        bio_read,
+        bio_puts,
+        NULL /* no bio_gets */,
+        bio_ctrl,
+        bio_new,
+        bio_free
+};
+
+BIO_METHOD *BIO_s_bio(void)
+        {
+        return &methods_biop;
+        }
+
+struct bio_bio_st
+{
+        BIO *peer;     /* NULL if buf == NULL.
+                        * If peer != NULL, then peer->ptr is also a bio_bio_st,
+                        * and its "peer" member points back to us.
+                        * peer != NULL iff init != 0 in the BIO. */
+        
+        /* This is for what we write (i.e. reading uses peer's struct): */
+        int closed;     /* valid iff peer != NULL */
+        size_t len;     /* valid iff buf != NULL; 0 if peer == NULL */
+        size_t offset;  /* valid iff buf != NULL; 0 if len == 0 */
+        size_t size;
+        char *buf;      /* "size" elements (if != NULL) */
+
+        size_t request; /* valid iff peer != NULL; 0 if len != 0,
+                         * otherwise set by peer to number of bytes
+                         * it (unsuccesfully) tried to read,
+                         * never more than buffer space (size-len) warrants. */
+};
+
+static int bio_new(BIO *bio)
+        {
+        struct bio_bio_st *b;
+        
+        b = Malloc(sizeof *b);
+        if (b == NULL)
+                return 0;
+
+        b->peer = NULL;
+        b->size = 17*1024; /* enough for one TLS record (just a default) */
+        b->buf = NULL;
+
+        bio->ptr = b;
+        return 1;
+        }
+
+
+static int bio_free(BIO *bio)
+        {
+        struct bio_bio_st *b;
+
+        if (bio == NULL)
+                return 0;
+        b = bio->ptr;
+
+        assert(b != NULL);
+
+        if (b->peer)
+                bio_destroy_pair(bio);
+        
+        if (b->buf != NULL)
+                {
+                Free(b->buf);
+                }
+
+        Free(b);
+
+        return 1;
+        }
+
+
+
+static int bio_read(BIO *bio, char *buf, int size_)
+        {
+        size_t size = size_;
+        size_t rest;
+        struct bio_bio_st *b, *peer_b;
+
+        BIO_clear_retry_flags(bio);
+
+        if (!bio->init)
+                return 0;
+
+        b = bio->ptr;
+        assert(b != NULL);
+        assert(b->peer != NULL);
+        peer_b = b->peer->ptr;
+        assert(peer_b != NULL);
+        assert(peer_b->buf != NULL);
+
+        peer_b->request = 0; /* will be set in "retry_read" situation */
+
+        if (buf == NULL || size == 0)
+                return 0;
+
+        if (peer_b->len == 0)
+                {
+                if (peer_b->closed)
+                        return 0; /* writer has closed, and no data is left */
+                else
+                        {
+                        BIO_set_retry_read(bio); /* buffer is empty */
+                        if (size <= peer_b->size)
+                                peer_b->request = size;
+                        else
+                                /* don't ask for more than the peer can
+                                 * deliver in one write */
+                                peer_b->request = peer_b->size;
+                        return -1;
+                        }
+                }
+
+        /* we can read */
+        if (peer_b->len < size)
+                size = peer_b->len;
+
+        /* now read "size" bytes */
+        
+        rest = size;
+        
+        assert(rest > 0);
+        do /* one or two iterations */
+                {
+                size_t chunk;
+                
+                assert(rest <= peer_b->len);
+                if (peer_b->offset + rest <= peer_b->size)
+                        chunk = rest;
+                else
+                        /* wrap around ring buffer */
+                        chunk = peer_b->size - peer_b->offset;
+                assert(peer_b->offset + chunk <= peer_b->size);
+                
+                memcpy(buf, peer_b->buf + peer_b->offset, chunk);
+                
+                peer_b->len -= chunk;
+                if (peer_b->len)
+                        {
+                        peer_b->offset += chunk;
+                        assert(peer_b->offset <= peer_b->size);
+                        if (peer_b->offset == peer_b->size)
+                                peer_b->offset = 0;
+                        buf += chunk;
+                        }
+                else
+                        {
+                        /* buffer now empty, no need to advance "buf" */
+                        assert(chunk == rest);
+                        peer_b->offset = 0;
+                        }
+                rest -= chunk;
+                }
+        while (rest);
+        
+        return size;
+        }
+
+static int bio_write(BIO *bio, char *buf, int num_)
+        {
+        size_t num = num_;
+        size_t rest;
+        struct bio_bio_st *b;
+
+        BIO_clear_retry_flags(bio);
+
+        if (!bio->init || buf == NULL || num == 0)
+                return 0;
+
+        b = bio->ptr;           
+        assert(b != NULL);
+        assert(b->peer != NULL);
+        assert(b->buf != NULL);
+
+        b->request = 0;
+        if (b->closed)
+                {
+                /* we already closed */
+                BIOerr(BIO_F_BIO_WRITE, BIO_R_BROKEN_PIPE);
+                return -1;
+                }
+
+        assert(b->len <= b->size);
+
+        if (b->len == b->size)
+                {
+                BIO_set_retry_write(bio); /* buffer is full */
+                return -1;
+                }
+
+        /* we can write */
+        if (num > b->size - b->len)
+                num = b->size - b->len;
+        
+        /* now write "num" bytes */
+
+        rest = num;
+        
+        assert(rest > 0);
+        do /* one or two iterations */
+                {
+                size_t write_offset;
+                size_t chunk;
+
+                assert(b->len + rest <= b->size);
+
+                write_offset = b->offset + b->len;
+                if (write_offset >= b->size)
+                        write_offset -= b->size;
+                /* b->buf[write_offset] is the first byte we can write to. */
+
+                if (write_offset + rest <= b->size)
+                        chunk = rest;
+                else
+                        /* wrap around ring buffer */
+                        chunk = b->size - write_offset;
+                
+                memcpy(b->buf + write_offset, buf, chunk);
+                
+                b->len += chunk;
+
+                assert(b->len <= b->size);
+                
+                rest -= chunk;
+                buf += chunk;
+                }
+        while (rest);
+
+        return num;
+        }
+
+
+static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr)
+        {
+        long ret;
+        struct bio_bio_st *b = bio->ptr;
+        
+        assert(b != NULL);
+
+        switch (cmd)
+                {
+        /* specific CTRL codes */
+
+        case BIO_C_SET_WRITE_BUF_SIZE:
+                if (b->peer)
+                        {
+                        BIOerr(BIO_F_BIO_CTRL, BIO_R_IN_USE);
+                        ret = 0;
+                        }
+                else if (num == 0)
+                        {
+                        BIOerr(BIO_F_BIO_CTRL, BIO_R_INVALID_ARGUMENT);
+                        ret = 0;
+                        }
+                else
+                        {
+                        size_t new_size = num;
+
+                        if (b->size != new_size)
+                                {
+                                if (b->buf) 
+                                        {
+                                        Free(b->buf);
+                                        b->buf = NULL;
+                                        }
+                                b->size = new_size;
+                                }
+                        ret = 1;
+                        }
+                break;
+
+        case BIO_C_GET_WRITE_BUF_SIZE:
+                num = (long) b->size;
+
+        case BIO_C_MAKE_BIO_PAIR:
+                {
+                BIO *other_bio = ptr;
+                
+                if (bio_make_pair(bio, other_bio))
+                        ret = 1;
+                else
+                        ret = 0;
+                }
+                break;
+                
+        case BIO_C_DESTROY_BIO_PAIR:
+                /* Effects both BIOs in the pair -- call just once!
+                 * Or let BIO_free(bio1); BIO_free(bio2); do the job. */
+                bio_destroy_pair(bio);
+                ret = 1;
+                break;
+
+        case BIO_C_GET_WRITE_GUARANTEE:
+                /* How many bytes can the caller feed to the next write
+                 * withouth having to keep any? */
+                if (b->peer == NULL || b->closed)
+                        ret = 0;
+                else
+                        ret = (long) b->size - b->len;
+                break;
+
+        case BIO_C_GET_READ_REQUEST:
+                /* If the peer unsuccesfully tried to read, how many bytes
+                 * were requested?  (As with BIO_CTRL_PENDING, that number
+                 * can usually be treated as boolean.) */
+                ret = (long) b->request;
+                break;
+
+        case BIO_C_SHUTDOWN_WR:
+                /* similar to shutdown(..., SHUT_WR) */
+                b->closed = 1;
+                ret = 1;
+                break;
+
+
+        /* standard CTRL codes follow */
+
+        case BIO_CTRL_RESET:
+                if (b->buf != NULL)
+                        {
+                        b->len = 0;
+                        b->offset = 0;
+                        }
+                ret = 0;
+                break;          
+
+        case BIO_CTRL_GET_CLOSE:
+                ret = bio->shutdown;
+                break;
+
+        case BIO_CTRL_SET_CLOSE:
+                bio->shutdown = (int) num;
+                ret = 1;
+                break;
+
+        case BIO_CTRL_PENDING:
+                if (b->peer != NULL)
+                        {
+                        struct bio_bio_st *peer_b = b->peer->ptr;
+                        
+                        ret = (long) peer_b->len;
+                        }
+                else
+                        ret = 0;
+                break;
+
+        case BIO_CTRL_WPENDING:
+                if (b->buf != NULL)
+                        ret = (long) b->len;
+                else
+                        ret = 0;
+                break;
+
+        case BIO_CTRL_DUP:
+                /* See BIO_dup_chain for circumstances we have to expect. */
+                {
+                BIO *other_bio = ptr;
+                struct bio_bio_st *other_b;
+                
+                assert(other_bio != NULL);
+                other_b = other_bio->ptr;
+                assert(other_b != NULL);
+                
+                assert(other_b->buf == NULL); /* other_bio is always fresh */
+
+                other_b->size = b->size;
+                }
+
+                ret = 1;
+                break;
+
+        case BIO_CTRL_FLUSH:
+                ret = 1;
+                break;
+
+        case BIO_CTRL_EOF:
+                {
+                BIO *other_bio = ptr;
+                
+                if (other_bio)
+                        {
+                        struct bio_bio_st *other_b = other_bio->ptr;
+                        
+                        assert(other_b != NULL);
+                        ret = other_b->len == 0 && other_b->closed;
+                        }
+                else
+                        ret = 1;
+                }
+                break;
+
+        default:
+                ret = 0;
+                }
+        return ret;
+        }
+
+static int bio_puts(BIO *bio, char *str)
+        {
+        return bio_write(bio, str, strlen(str));
+        }
+
+
+static int bio_make_pair(BIO *bio1, BIO *bio2)
+        {
+        struct bio_bio_st *b1, *b2;
+
+        assert(bio1 != NULL);
+        assert(bio2 != NULL);
+
+        b1 = bio1->ptr;
+        b2 = bio2->ptr;
+        
+        if (b1->peer != NULL || b2->peer != NULL)
+                {
+                BIOerr(BIO_F_BIO_MAKE_PAIR, BIO_R_IN_USE);
+                return 0;
+                }
+        
+        if (b1->buf == NULL)
+                {
+                b1->buf = Malloc(b1->size);
+                if (b1->buf == NULL)
+                        {
+                        BIOerr(BIO_F_BIO_MAKE_PAIR, ERR_R_MALLOC_FAILURE);
+                        return 0;
+                        }
+                b1->len = 0;
+                b1->offset = 0;
+                }
+        
+        if (b2->buf == NULL)
+                {
+                b2->buf = Malloc(b2->size);
+                if (b2->buf == NULL)
+                        {
+                        BIOerr(BIO_F_BIO_MAKE_PAIR, ERR_R_MALLOC_FAILURE);
+                        return 0;
+                        }
+                b2->len = 0;
+                b2->offset = 0;
+                }
+        
+        b1->peer = bio2;
+        b1->closed = 0;
+        b1->request = 0;
+        b2->peer = bio1;
+        b2->closed = 0;
+        b2->request = 0;
+
+        bio1->init = 1;
+        bio2->init = 1;
+
+        return 1;
+        }
+
+static void bio_destroy_pair(BIO *bio)
+        {
+        struct bio_bio_st *b = bio->ptr;
+
+        if (b != NULL)
+                {
+                BIO *peer_bio = b->peer;
+
+                if (peer_bio != NULL)
+                        {
+                        struct bio_bio_st *peer_b = peer_bio->ptr;
+
+                        assert(peer_b != NULL);
+                        assert(peer_b->peer == bio);
+
+                        peer_b->peer = NULL;
+                        peer_bio->init = 0;
+                        assert(peer_b->buf != NULL);
+                        peer_b->len = 0;
+                        peer_b->offset = 0;
+                        
+                        b->peer = NULL;
+                        bio->init = 0;
+                        assert(b->buf != NULL);
+                        b->len = 0;
+                        b->offset = 0;
+                        }
+                }
+        }
+ 
+
+/* Exported convenience functions */
+int BIO_new_bio_pair(BIO **bio1_p, size_t writebuf1,
+        BIO **bio2_p, size_t writebuf2)
+         {
+         BIO *bio1 = NULL, *bio2 = NULL;
+         long r;
+         int ret = 0;
+
+         bio1 = BIO_new(BIO_s_bio());
+         if (bio1 == NULL)
+                 goto err;
+         bio2 = BIO_new(BIO_s_bio());
+         if (bio2 == NULL)
+                 goto err;
+
+         if (writebuf1)
+                 {
+                 r = BIO_set_write_buf_size(bio1, writebuf1);
+                 if (!r)
+                         goto err;
+                 }
+         if (writebuf2)
+                 {
+                 r = BIO_set_write_buf_size(bio2, writebuf2);
+                 if (!r)
+                         goto err;
+                 }
+
+         r = BIO_make_bio_pair(bio1, bio2);
+         if (!r)
+                 goto err;
+         ret = 1;
+
+ err:
+         if (ret == 0)
+                 {
+                 if (bio1)
+                         {
+                         BIO_free(bio1);
+                         bio1 = NULL;
+                         }
+                 if (bio2)
+                         {
+                         BIO_free(bio2);
+                         bio2 = NULL;
+                         }
+                 }
+
+         *bio1_p = bio1;
+         *bio2_p = bio2;
+         return ret;
+         }
+
+size_t BIO_ctrl_get_write_guarantee(BIO *bio)
+        {
+        return BIO_ctrl(bio, BIO_C_GET_WRITE_GUARANTEE, 0, NULL);
+        }
+
+size_t BIO_ctrl_get_read_request(BIO *bio)
+        {
+        return BIO_ctrl(bio, BIO_C_GET_READ_REQUEST, 0, NULL);
+        }
diff --git a/src/lib/libssl/src/crypto/bio/bss_log.c b/src/lib/libssl/src/crypto/bio/bss_log.c
new file mode 100644
index 0000000000..db82e757e7
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bio/bss_log.c
@@ -0,0 +1,232 @@
+/* crypto/bio/bss_log.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+        Why BIO_s_log?
+
+        BIO_s_log is useful for system daemons (or services under NT).
+        It is one-way BIO, it sends all stuff to syslogd (or event log
+        under NT).
+
+*/
+
+
+#include <stdio.h>
+#include <errno.h>
+
+#ifndef WIN32
+#ifdef __ultrix
+#include <sys/syslog.h>
+#else
+#include <syslog.h>
+#endif
+#endif
+
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/err.h>
+#ifndef NO_SYSLOG
+
+
+static int MS_CALLBACK slg_write(BIO *h,char *buf,int num);
+static int MS_CALLBACK slg_puts(BIO *h,char *str);
+static long MS_CALLBACK slg_ctrl(BIO *h,int cmd,long arg1,char *arg2);
+static int MS_CALLBACK slg_new(BIO *h);
+static int MS_CALLBACK slg_free(BIO *data);
+static int xopenlog(BIO* bp, const char* name, int level);
+static int xcloselog(BIO* bp);
+
+static BIO_METHOD methods_slg=
+        {
+        BIO_TYPE_MEM,"syslog",
+        slg_write,
+        NULL,
+        slg_puts,
+        NULL,
+        slg_ctrl,
+        slg_new,
+        slg_free,
+        };
+
+BIO_METHOD *BIO_s_log(void)
+        {
+        return(&methods_slg);
+        }
+
+static int MS_CALLBACK slg_new(BIO *bi)
+        {
+        bi->init=1;
+        bi->num=0;
+        bi->ptr=NULL;
+#ifndef WIN32
+        xopenlog(bi, "application", LOG_DAEMON);
+#else
+        xopenlog(bi, "application", 0);
+#endif
+        return(1);
+        }
+
+static int MS_CALLBACK slg_free(BIO *a)
+        {
+        if (a == NULL) return(0);
+        xcloselog(a);
+        return(1);
+        }
+        
+static int MS_CALLBACK slg_write(BIO *b, char *in, int inl)
+        {
+        int ret= inl;
+        char* buf= in;
+        char* pp;
+#if defined(WIN32)
+        LPTSTR lpszStrings[1];
+        WORD evtype= EVENTLOG_ERROR_TYPE;
+#else
+        int priority;
+#endif
+
+        if((buf= (char *)Malloc(inl+ 1)) == NULL){
+                return(0);
+        }
+        strncpy(buf, in, inl);
+        buf[inl]= '\0';
+#if defined(WIN32)
+        if(strncmp(buf, "ERR ", 4) == 0){
+                evtype= EVENTLOG_ERROR_TYPE;
+                pp= buf+ 4;
+        }else if(strncmp(buf, "WAR ", 4) == 0){
+                evtype= EVENTLOG_WARNING_TYPE;
+                pp= buf+ 4;
+        }else if(strncmp(buf, "INF ", 4) == 0){
+                evtype= EVENTLOG_INFORMATION_TYPE;
+                pp= buf+ 4;
+        }else{
+                evtype= EVENTLOG_ERROR_TYPE;
+                pp= buf;
+        }
+        lpszStrings[0]= pp;
+
+        if(b->ptr)
+                ReportEvent(b->ptr, evtype, 0, 1024, NULL, 1, 0,
+                                lpszStrings, NULL);
+#else
+        if(strncmp(buf, "ERR ", 4) == 0){
+                priority= LOG_ERR;
+                pp= buf+ 4;
+        }else if(strncmp(buf, "WAR ", 4) == 0){
+                priority= LOG_WARNING;
+                pp= buf+ 4;
+        }else if(strncmp(buf, "INF ", 4) == 0){
+                priority= LOG_INFO;
+                pp= buf+ 4;
+        }else{
+                priority= LOG_ERR;
+                pp= buf;
+        }
+
+        syslog(priority, "%s", pp);
+#endif
+        Free(buf);
+        return(ret);
+        }
+
+static long MS_CALLBACK slg_ctrl(BIO *b, int cmd, long num, char *ptr)
+        {
+        switch (cmd)
+                {
+        case BIO_CTRL_SET:
+                xcloselog(b);
+                xopenlog(b, ptr, num);
+                break;
+        default:
+                break;
+                }
+        return(0);
+        }
+
+static int MS_CALLBACK slg_puts(BIO *bp, char *str)
+        {
+        int n,ret;
+
+        n=strlen(str);
+        ret=slg_write(bp,str,n);
+        return(ret);
+        }
+
+static int xopenlog(BIO* bp, const char* name, int level)
+{
+#if defined(WIN32)
+        if((bp->ptr= (char *)RegisterEventSource(NULL, name)) == NULL){
+                return(0);
+        }
+#else
+        openlog(name, LOG_PID|LOG_CONS, level);
+#endif
+        return(1);
+}
+
+static int xcloselog(BIO* bp)
+{
+#if defined(WIN32)
+        if(bp->ptr)
+                DeregisterEventSource((HANDLE)(bp->ptr));
+        bp->ptr= NULL;
+#else
+        closelog();
+#endif
+        return(1);
+}
+
+#endif
diff --git a/src/lib/libssl/src/crypto/bn/asm/alpha.s.works b/src/lib/libssl/src/crypto/bn/asm/alpha.s.works
new file mode 100644
index 0000000000..ee6c587809
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/alpha.s.works
@@ -0,0 +1,533 @@
+
+ # DEC Alpha assember
+ # The bn_div64 is actually gcc output but the other parts are hand done.
+ # Thanks to tzeruch@ceddec.com for sending me the gcc output for
+ # bn_div64.
+ # I've gone back and re-done most of routines.
+ # The key thing to remeber for the 164 CPU is that while a
+ # multiply operation takes 8 cycles, another one can only be issued
+ # after 4 cycles have elapsed.  I've done modification to help
+ # improve this.  Also, normally, a ld instruction will not be available
+ # for about 3 cycles.
+        .file   1 "bn_asm.c"
+        .set noat
+gcc2_compiled.:
+__gnu_compiled_c:
+        .text
+        .align 3
+        .globl bn_mul_add_words
+        .ent bn_mul_add_words
+bn_mul_add_words:
+bn_mul_add_words..ng:
+        .frame $30,0,$26,0
+        .prologue 0
+        .align 5
+        subq    $18,4,$18
+        bis     $31,$31,$0
+        blt     $18,$43         # if we are -1, -2, -3 or -4 goto tail code
+        ldq     $20,0($17)      # 1 1
+        ldq     $1,0($16)       # 1 1
+        .align 3
+$42:
+        mulq    $20,$19,$5      # 1 2 1 ######
+        ldq     $21,8($17)      # 2 1
+        ldq     $2,8($16)       # 2 1
+        umulh   $20,$19,$20     # 1 2   ######
+        ldq     $27,16($17)     # 3 1
+        ldq     $3,16($16)      # 3 1
+        mulq    $21,$19,$6      # 2 2 1 ######
+         ldq    $28,24($17)     # 4 1
+        addq    $1,$5,$1        # 1 2 2
+         ldq    $4,24($16)      # 4 1
+        umulh   $21,$19,$21     # 2 2   ######
+         cmpult $1,$5,$22       # 1 2 3 1
+        addq    $20,$22,$20     # 1 3 1
+         addq   $1,$0,$1        # 1 2 3 1
+        mulq    $27,$19,$7      # 3 2 1 ######
+         cmpult $1,$0,$0        # 1 2 3 2
+        addq    $2,$6,$2        # 2 2 2
+         addq   $20,$0,$0       # 1 3 2 
+        cmpult  $2,$6,$23       # 2 2 3 1
+         addq   $21,$23,$21     # 2 3 1
+        umulh   $27,$19,$27     # 3 2   ######
+         addq   $2,$0,$2        # 2 2 3 1
+        cmpult  $2,$0,$0        # 2 2 3 2
+         subq   $18,4,$18
+        mulq    $28,$19,$8      # 4 2 1 ######
+         addq   $21,$0,$0       # 2 3 2 
+        addq    $3,$7,$3        # 3 2 2
+         addq   $16,32,$16
+        cmpult  $3,$7,$24       # 3 2 3 1
+         stq    $1,-32($16)     # 1 2 4
+        umulh   $28,$19,$28     # 4 2   ######
+         addq   $27,$24,$27     # 3 3 1
+        addq    $3,$0,$3        # 3 2 3 1
+         stq    $2,-24($16)     # 2 2 4
+        cmpult  $3,$0,$0        # 3 2 3 2
+         stq    $3,-16($16)     # 3 2 4
+        addq    $4,$8,$4        # 4 2 2
+         addq   $27,$0,$0       # 3 3 2 
+        cmpult  $4,$8,$25       # 4 2 3 1
+         addq   $17,32,$17
+        addq    $28,$25,$28     # 4 3 1
+         addq   $4,$0,$4        # 4 2 3 1
+        cmpult  $4,$0,$0        # 4 2 3 2
+         stq    $4,-8($16)      # 4 2 4
+        addq    $28,$0,$0       # 4 3 2 
+         blt    $18,$43
+
+        ldq     $20,0($17)      # 1 1
+        ldq     $1,0($16)       # 1 1
+
+        br      $42
+
+        .align 4
+$45:
+        ldq     $20,0($17)      # 4 1
+        ldq     $1,0($16)       # 4 1
+        mulq    $20,$19,$5      # 4 2 1
+        subq    $18,1,$18
+        addq    $16,8,$16
+        addq    $17,8,$17
+        umulh   $20,$19,$20     # 4 2
+        addq    $1,$5,$1        # 4 2 2
+        cmpult  $1,$5,$22       # 4 2 3 1
+        addq    $20,$22,$20     # 4 3 1
+        addq    $1,$0,$1        # 4 2 3 1
+        cmpult  $1,$0,$0        # 4 2 3 2
+        addq    $20,$0,$0       # 4 3 2 
+        stq     $1,-8($16)      # 4 2 4
+        bgt     $18,$45
+        ret     $31,($26),1     # else exit
+
+        .align 4
+$43:
+        addq    $18,4,$18
+        bgt     $18,$45         # goto tail code
+        ret     $31,($26),1     # else exit
+
+        .end bn_mul_add_words
+        .align 3
+        .globl bn_mul_words
+        .ent bn_mul_words
+bn_mul_words:
+bn_mul_words..ng:
+        .frame $30,0,$26,0
+        .prologue 0
+        .align 5
+        subq    $18,4,$18
+        bis     $31,$31,$0
+        blt     $18,$143        # if we are -1, -2, -3 or -4 goto tail code
+        ldq     $20,0($17)      # 1 1
+        .align 3
+$142:
+
+        mulq    $20,$19,$5      # 1 2 1 #####
+         ldq    $21,8($17)      # 2 1
+         ldq    $27,16($17)     # 3 1
+        umulh   $20,$19,$20     # 1 2   #####
+         ldq    $28,24($17)     # 4 1
+        mulq    $21,$19,$6      # 2 2 1 #####
+         addq   $5,$0,$5        # 1 2 3 1
+        subq    $18,4,$18
+         cmpult $5,$0,$0        # 1 2 3 2
+        umulh   $21,$19,$21     # 2 2   #####
+         addq   $20,$0,$0       # 1 3 2 
+        addq    $17,32,$17
+         addq   $6,$0,$6        # 2 2 3 1
+        mulq    $27,$19,$7      # 3 2 1 #####
+         cmpult $6,$0,$0        # 2 2 3 2
+        addq    $21,$0,$0       # 2 3 2 
+         addq   $16,32,$16
+        umulh   $27,$19,$27     # 3 2   #####
+         stq    $5,-32($16)     # 1 2 4
+        mulq    $28,$19,$8      # 4 2 1 #####
+         addq   $7,$0,$7        # 3 2 3 1
+        stq     $6,-24($16)     # 2 2 4
+         cmpult $7,$0,$0        # 3 2 3 2
+        umulh   $28,$19,$28     # 4 2   #####
+         addq   $27,$0,$0       # 3 3 2 
+        stq     $7,-16($16)     # 3 2 4
+         addq   $8,$0,$8        # 4 2 3 1
+        cmpult  $8,$0,$0        # 4 2 3 2
+
+        addq    $28,$0,$0       # 4 3 2 
+
+        stq     $8,-8($16)      # 4 2 4
+
+        blt     $18,$143
+
+        ldq     $20,0($17)      # 1 1
+
+        br      $142
+
+        .align 4
+$145:
+        ldq     $20,0($17)      # 4 1
+        mulq    $20,$19,$5      # 4 2 1
+        subq    $18,1,$18
+        umulh   $20,$19,$20     # 4 2
+        addq    $5,$0,$5        # 4 2 3 1
+         addq   $16,8,$16
+        cmpult  $5,$0,$0        # 4 2 3 2
+         addq   $17,8,$17
+        addq    $20,$0,$0       # 4 3 2 
+        stq     $5,-8($16)      # 4 2 4
+
+        bgt     $18,$145
+        ret     $31,($26),1     # else exit
+
+        .align 4
+$143:
+        addq    $18,4,$18
+        bgt     $18,$145        # goto tail code
+        ret     $31,($26),1     # else exit
+
+        .end bn_mul_words
+        .align 3
+        .globl bn_sqr_words
+        .ent bn_sqr_words
+bn_sqr_words:
+bn_sqr_words..ng:
+        .frame $30,0,$26,0
+        .prologue 0
+
+        subq    $18,4,$18
+        blt     $18,$543        # if we are -1, -2, -3 or -4 goto tail code
+        ldq     $20,0($17)      # 1 1
+        .align 3
+$542:
+        mulq    $20,$20,$5              ######
+         ldq    $21,8($17)      # 1 1
+        subq    $18,4
+        umulh   $20,$20,$1              ######
+        ldq     $27,16($17)     # 1 1
+        mulq    $21,$21,$6              ######
+        ldq     $28,24($17)     # 1 1
+        stq     $5,0($16)       # r[0]
+        umulh   $21,$21,$2              ######
+        stq     $1,8($16)       # r[1]
+        mulq    $27,$27,$7              ######
+        stq     $6,16($16)      # r[0]
+        umulh   $27,$27,$3              ######
+        stq     $2,24($16)      # r[1]
+        mulq    $28,$28,$8              ######
+        stq     $7,32($16)      # r[0]
+        umulh   $28,$28,$4              ######
+        stq     $3,40($16)      # r[1]
+
+        addq    $16,64,$16
+        addq    $17,32,$17
+        stq     $8,-16($16)     # r[0]
+        stq     $4,-8($16)      # r[1]
+
+        blt     $18,$543
+        ldq     $20,0($17)      # 1 1
+        br      $542
+
+$442:
+        ldq     $20,0($17)   # a[0]
+        mulq    $20,$20,$5  # a[0]*w low part       r2
+        addq    $16,16,$16
+        addq    $17,8,$17
+        subq    $18,1,$18
+        umulh   $20,$20,$1  # a[0]*w high part       r3
+        stq     $5,-16($16)   # r[0]
+        stq     $1,-8($16)   # r[1]
+
+        bgt     $18,$442
+        ret     $31,($26),1     # else exit
+
+        .align 4
+$543:
+        addq    $18,4,$18
+        bgt     $18,$442        # goto tail code
+        ret     $31,($26),1     # else exit
+        .end bn_sqr_words
+
+        .align 3
+        .globl bn_add_words
+        .ent bn_add_words
+bn_add_words:
+bn_add_words..ng:
+        .frame $30,0,$26,0
+        .prologue 0
+
+        subq    $19,4,$19
+        bis     $31,$31,$0      # carry = 0
+        blt     $19,$900
+        ldq     $5,0($17)       # a[0]
+        ldq     $1,0($18)       # b[1]
+        .align 3
+$901:
+        addq    $1,$5,$1        # r=a+b;
+         ldq    $6,8($17)       # a[1]
+        cmpult  $1,$5,$22       # did we overflow?
+         ldq    $2,8($18)       # b[1]
+        addq    $1,$0,$1        # c+= overflow
+         ldq    $7,16($17)      # a[2]
+        cmpult  $1,$0,$0        # overflow?
+         ldq    $3,16($18)      # b[2]
+        addq    $0,$22,$0
+         ldq    $8,24($17)      # a[3]
+        addq    $2,$6,$2        # r=a+b;
+         ldq    $4,24($18)      # b[3]
+        cmpult  $2,$6,$23       # did we overflow?
+         addq   $3,$7,$3        # r=a+b;
+        addq    $2,$0,$2        # c+= overflow
+         cmpult $3,$7,$24       # did we overflow?
+        cmpult  $2,$0,$0        # overflow?
+         addq   $4,$8,$4        # r=a+b;
+        addq    $0,$23,$0
+         cmpult $4,$8,$25       # did we overflow?
+        addq    $3,$0,$3        # c+= overflow
+         stq    $1,0($16)       # r[0]=c
+        cmpult  $3,$0,$0        # overflow?
+         stq    $2,8($16)       # r[1]=c
+        addq    $0,$24,$0
+         stq    $3,16($16)      # r[2]=c
+        addq    $4,$0,$4        # c+= overflow
+         subq   $19,4,$19       # loop--
+        cmpult  $4,$0,$0        # overflow?
+         addq   $17,32,$17      # a++
+        addq    $0,$25,$0
+         stq    $4,24($16)      # r[3]=c
+        addq    $18,32,$18      # b++
+         addq   $16,32,$16      # r++
+
+        blt     $19,$900
+         ldq    $5,0($17)       # a[0]
+        ldq     $1,0($18)       # b[1]
+         br     $901
+        .align 4
+$945:
+        ldq     $5,0($17)       # a[0]
+         ldq    $1,0($18)       # b[1]
+        addq    $1,$5,$1        # r=a+b;
+         subq   $19,1,$19       # loop--
+        addq    $1,$0,$1        # c+= overflow
+         addq   $17,8,$17       # a++
+        cmpult  $1,$5,$22       # did we overflow?
+         cmpult $1,$0,$0        # overflow?
+        addq    $18,8,$18       # b++
+         stq    $1,0($16)       # r[0]=c
+        addq    $0,$22,$0
+         addq   $16,8,$16       # r++
+
+        bgt     $19,$945
+        ret     $31,($26),1     # else exit
+
+$900:
+        addq    $19,4,$19
+        bgt     $19,$945        # goto tail code
+        ret     $31,($26),1     # else exit
+        .end bn_add_words
+
+ #
+ # What follows was taken directly from the C compiler with a few
+ # hacks to redo the lables.
+ #
+.text
+        .align 3
+        .globl bn_div64
+        .ent bn_div64
+bn_div64:
+        ldgp $29,0($27)
+bn_div64..ng:
+        lda $30,-48($30)
+        .frame $30,48,$26,0
+        stq $26,0($30)
+        stq $9,8($30)
+        stq $10,16($30)
+        stq $11,24($30)
+        stq $12,32($30)
+        stq $13,40($30)
+        .mask 0x4003e00,-48
+        .prologue 1
+        bis $16,$16,$9
+        bis $17,$17,$10
+        bis $18,$18,$11
+        bis $31,$31,$13
+        bis $31,2,$12
+        bne $11,$119
+        lda $0,-1
+        br $31,$136
+        .align 4
+$119:
+        bis $11,$11,$16
+        jsr $26,BN_num_bits_word
+        ldgp $29,0($26)
+        subq $0,64,$1
+        beq $1,$120
+        bis $31,1,$1
+        sll $1,$0,$1
+        cmpule $9,$1,$1
+        bne $1,$120
+ #      lda $16,_IO_stderr_
+ #      lda $17,$C32
+ #      bis $0,$0,$18
+ #      jsr $26,fprintf
+ #      ldgp $29,0($26)
+        jsr $26,abort
+        ldgp $29,0($26)
+        .align 4
+$120:
+        bis $31,64,$3
+        cmpult $9,$11,$2
+        subq $3,$0,$1
+        addl $1,$31,$0
+        subq $9,$11,$1
+        cmoveq $2,$1,$9
+        beq $0,$122
+        zapnot $0,15,$2
+        subq $3,$0,$1
+        sll $11,$2,$11
+        sll $9,$2,$3
+        srl $10,$1,$1
+        sll $10,$2,$10
+        bis $3,$1,$9
+$122:
+        srl $11,32,$5
+        zapnot $11,15,$6
+        lda $7,-1
+        .align 5
+$123:
+        srl $9,32,$1
+        subq $1,$5,$1
+        bne $1,$126
+        zapnot $7,15,$27
+        br $31,$127
+        .align 4
+$126:
+        bis $9,$9,$24
+        bis $5,$5,$25
+        divqu $24,$25,$27
+$127:
+        srl $10,32,$4
+        .align 5
+$128:
+        mulq $27,$5,$1
+        subq $9,$1,$3
+        zapnot $3,240,$1
+        bne $1,$129
+        mulq $6,$27,$2
+        sll $3,32,$1
+        addq $1,$4,$1
+        cmpule $2,$1,$2
+        bne $2,$129
+        subq $27,1,$27
+        br $31,$128
+        .align 4
+$129:
+        mulq $27,$6,$1
+        mulq $27,$5,$4
+        srl $1,32,$3
+        sll $1,32,$1
+        addq $4,$3,$4
+        cmpult $10,$1,$2
+        subq $10,$1,$10
+        addq $2,$4,$2
+        cmpult $9,$2,$1
+        bis $2,$2,$4
+        beq $1,$134
+        addq $9,$11,$9
+        subq $27,1,$27
+$134:
+        subl $12,1,$12
+        subq $9,$4,$9
+        beq $12,$124
+        sll $27,32,$13
+        sll $9,32,$2
+        srl $10,32,$1
+        sll $10,32,$10
+        bis $2,$1,$9
+        br $31,$123
+        .align 4
+$124:
+        bis $13,$27,$0
+$136:
+        ldq $26,0($30)
+        ldq $9,8($30)
+        ldq $10,16($30)
+        ldq $11,24($30)
+        ldq $12,32($30)
+        ldq $13,40($30)
+        addq $30,48,$30
+        ret $31,($26),1
+        .end bn_div64
+
+        .set noat
+        .text
+        .align 3
+        .globl bn_sub_words
+        .ent bn_sub_words
+bn_sub_words:
+bn_sub_words..ng:
+        .frame $30,0,$26,0
+        .prologue 0
+
+        subq    $19,    4,      $19
+        bis     $31,    $31,    $0
+        blt     $19,    $100
+        ldq     $1,     0($17)
+        ldq     $2,     0($18)
+$101:
+        ldq     $3,     8($17)
+        cmpult  $1,     $2,     $4
+        ldq     $5,     8($18)
+        subq    $1,     $2,     $1
+        ldq     $6,     16($17)
+        cmpult  $1,     $0,     $2
+        ldq     $7,     16($18)
+        subq    $1,     $0,     $23
+        ldq     $8,     24($17)
+        addq    $2,     $4,     $0
+        cmpult  $3,     $5,     $24
+        subq    $3,     $5,     $3
+        ldq     $22,    24($18)
+        cmpult  $3,     $0,     $5
+        subq    $3,     $0,     $25
+        addq    $5,     $24,    $0
+        cmpult  $6,     $7,     $27
+        subq    $6,     $7,     $6
+        stq     $23,    0($16)
+        cmpult  $6,     $0,     $7
+        subq    $6,     $0,     $28
+        addq    $7,     $27,    $0
+        cmpult  $8,     $22,    $21
+        subq    $8,     $22,    $8
+        stq     $25,    8($16)
+        cmpult  $8,     $0,     $22
+        subq    $8,     $0,     $20
+        addq    $22,    $21,    $0
+        stq     $28,    16($16)
+        subq    $19,    4,      $19
+        stq     $20,    24($16)
+        addq    $17,    32,     $17
+        addq    $18,    32,     $18
+        addq    $16,    32,     $16
+        blt     $19,    $100
+        ldq     $1,     0($17)
+        ldq     $2,     0($18)
+        br      $101
+$102:
+        ldq     $1,     0($17)
+        ldq     $2,     0($18)
+        cmpult  $1,     $2,     $27
+        subq    $1,     $2,     $1
+        cmpult  $1,     $0,     $2
+        subq    $1,     $0,     $1
+        stq     $1,     0($16)
+        addq    $2,     $27,    $0
+        addq    $17,    8,      $17
+        addq    $18,    8,      $18
+        addq    $16,    8,      $16
+        subq    $19,    1,      $19
+        bgt     $19,    $102
+        ret     $31,($26),1
+$100:
+        addq    $19,    4,      $19
+        bgt     $19,    $102
+$103:
+        ret     $31,($26),1
+        .end bn_sub_words
diff --git a/src/lib/libssl/src/crypto/bn/asm/alpha.works/add.pl b/src/lib/libssl/src/crypto/bn/asm/alpha.works/add.pl
new file mode 100644
index 0000000000..4dc76e6b69
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/alpha.works/add.pl
@@ -0,0 +1,119 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub bn_add_words
+        {
+        local($name)=@_;
+        local($cc,$a,$b,$r);
+
+        &init_pool(4);
+        ($cc)=GR("r0");
+
+        $rp=&wparam(0);
+        $ap=&wparam(1);
+        $bp=&wparam(2);
+        $count=&wparam(3);
+
+        &function_begin($name,"");
+
+        &comment("");
+        &sub($count,4,$count);
+        &mov("zero",$cc);
+        &br(&label("finish"));
+        &blt($count,&label("finish"));
+
+        ($a0,$b0)=&NR(2);
+        &ld($a0,&QWPw(0,$ap));
+        &ld($b0,&QWPw(0,$bp));
+
+##########################################################
+        &set_label("loop");
+
+        ($a1)=&NR(1); &ld($a1,&QWPw(1,$ap));
+        ($b1)=&NR(1); &ld($b1,&QWPw(1,$bp));
+        ($a2)=&NR(1); &ld($a2,&QWPw(2,$ap));
+        ($b2)=&NR(1); &ld($b2,&QWPw(2,$bp));
+        ($a3)=&NR(1); &ld($a3,&QWPw(3,$ap));
+        ($b3)=&NR(1); &ld($b3,&QWPw(3,$bp));
+
+        ($o0,$t0)=&NR(2);
+        &add($a0,$b0,$o0); 
+        &cmpult($o0,$b0,$t0);
+        &add($o0,$cc,$o0);
+        &cmpult($o0,$cc,$cc);
+        &add($cc,$t0,$cc);      &FR($t0);
+
+        ($t1,$o1)=&NR(2);
+
+        &add($a1,$b1,$o1);      &FR($a1);
+        &cmpult($o1,$b1,$t1);   &FR($b1);
+        &add($o1,$cc,$o1);
+        &cmpult($o1,$cc,$cc);
+        &add($cc,$t1,$cc);      &FR($t1);
+
+        ($t2,$o2)=&NR(2);
+
+        &add($a2,$b2,$o2);      &FR($a2);
+        &cmpult($o2,$b2,$t2);   &FR($b2);
+        &add($o2,$cc,$o2);
+        &cmpult($o2,$cc,$cc);
+        &add($cc,$t2,$cc);      &FR($t2);
+
+        ($t3,$o3)=&NR(2);
+
+        &add($a3,$b3,$o3);      &FR($a3);
+        &cmpult($o3,$b3,$t3);   &FR($b3);
+        &add($o3,$cc,$o3);
+        &cmpult($o3,$cc,$cc);
+        &add($cc,$t3,$cc);      &FR($t3);
+
+        &st($o0,&QWPw(0,$rp)); &FR($o0);
+        &st($o1,&QWPw(0,$rp)); &FR($o1);
+        &st($o2,&QWPw(0,$rp)); &FR($o2);
+        &st($o3,&QWPw(0,$rp)); &FR($o3);
+
+        &sub($count,4,$count);  # count-=4
+        &add($ap,4*$QWS,$ap);   # count+=4
+        &add($bp,4*$QWS,$bp);   # count+=4
+        &add($rp,4*$QWS,$rp);   # count+=4
+
+        &blt($count,&label("finish"));
+        &ld($a0,&QWPw(0,$ap));
+         &ld($b0,&QWPw(0,$bp));
+        &br(&label("loop"));
+##################################################
+        # Do the last 0..3 words
+
+        ($t0,$o0)=&NR(2);
+        &set_label("last_loop");
+
+        &ld($a0,&QWPw(0,$ap));  # get a
+        &ld($b0,&QWPw(0,$bp));  # get b
+
+        &add($a0,$b0,$o0); 
+        &cmpult($o0,$b0,$t0);   # will we borrow?
+        &add($o0,$cc,$o0);      # will we borrow?
+        &cmpult($o0,$cc,$cc);   # will we borrow?
+        &add($cc,$t0,$cc);      # add the borrows
+        &st($o0,&QWPw(0,$rp));  # save
+
+        &add($ap,$QWS,$ap);
+        &add($bp,$QWS,$bp);
+        &add($rp,$QWS,$rp);
+        &sub($count,1,$count);
+        &bgt($count,&label("last_loop"));
+        &function_end_A($name);
+
+######################################################
+        &set_label("finish");
+        &add($count,4,$count);
+        &bgt($count,&label("last_loop"));
+
+        &FR($o0,$t0,$a0,$b0);
+        &set_label("end");
+        &function_end($name);
+
+        &fin_pool;
+        }
+
+1;
diff --git a/src/lib/libssl/src/crypto/bn/asm/alpha.works/div.pl b/src/lib/libssl/src/crypto/bn/asm/alpha.works/div.pl
new file mode 100644
index 0000000000..7ec144377f
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/alpha.works/div.pl
@@ -0,0 +1,144 @@
+#!/usr/local/bin/perl
+
+sub bn_div64
+        {
+        local($data)=<<'EOF';
+ #
+ # What follows was taken directly from the C compiler with a few
+ # hacks to redo the lables.
+ #
+.text
+        .set noreorder
+        .set volatile
+        .align 3
+        .globl bn_div64
+        .ent bn_div64
+bn_div64:
+        ldgp $29,0($27)
+bn_div64..ng:
+        lda $30,-48($30)
+        .frame $30,48,$26,0
+        stq $26,0($30)
+        stq $9,8($30)
+        stq $10,16($30)
+        stq $11,24($30)
+        stq $12,32($30)
+        stq $13,40($30)
+        .mask 0x4003e00,-48
+        .prologue 1
+        bis $16,$16,$9
+        bis $17,$17,$10
+        bis $18,$18,$11
+        bis $31,$31,$13
+        bis $31,2,$12
+        bne $11,$9119
+        lda $0,-1
+        br $31,$9136
+        .align 4
+$9119:
+        bis $11,$11,$16
+        jsr $26,BN_num_bits_word
+        ldgp $29,0($26)
+        subq $0,64,$1
+        beq $1,$9120
+        bis $31,1,$1
+        sll $1,$0,$1
+        cmpule $9,$1,$1
+        bne $1,$9120
+ #      lda $16,_IO_stderr_
+ #      lda $17,$C32
+ #      bis $0,$0,$18
+ #      jsr $26,fprintf
+ #      ldgp $29,0($26)
+        jsr $26,abort
+        ldgp $29,0($26)
+        .align 4
+$9120:
+        bis $31,64,$3
+        cmpult $9,$11,$2
+        subq $3,$0,$1
+        addl $1,$31,$0
+        subq $9,$11,$1
+        cmoveq $2,$1,$9
+        beq $0,$9122
+        zapnot $0,15,$2
+        subq $3,$0,$1
+        sll $11,$2,$11
+        sll $9,$2,$3
+        srl $10,$1,$1
+        sll $10,$2,$10
+        bis $3,$1,$9
+$9122:
+        srl $11,32,$5
+        zapnot $11,15,$6
+        lda $7,-1
+        .align 5
+$9123:
+        srl $9,32,$1
+        subq $1,$5,$1
+        bne $1,$9126
+        zapnot $7,15,$27
+        br $31,$9127
+        .align 4
+$9126:
+        bis $9,$9,$24
+        bis $5,$5,$25
+        divqu $24,$25,$27
+$9127:
+        srl $10,32,$4
+        .align 5
+$9128:
+        mulq $27,$5,$1
+        subq $9,$1,$3
+        zapnot $3,240,$1
+        bne $1,$9129
+        mulq $6,$27,$2
+        sll $3,32,$1
+        addq $1,$4,$1
+        cmpule $2,$1,$2
+        bne $2,$9129
+        subq $27,1,$27
+        br $31,$9128
+        .align 4
+$9129:
+        mulq $27,$6,$1
+        mulq $27,$5,$4
+        srl $1,32,$3
+        sll $1,32,$1
+        addq $4,$3,$4
+        cmpult $10,$1,$2
+        subq $10,$1,$10
+        addq $2,$4,$2
+        cmpult $9,$2,$1
+        bis $2,$2,$4
+        beq $1,$9134
+        addq $9,$11,$9
+        subq $27,1,$27
+$9134:
+        subl $12,1,$12
+        subq $9,$4,$9
+        beq $12,$9124
+        sll $27,32,$13
+        sll $9,32,$2
+        srl $10,32,$1
+        sll $10,32,$10
+        bis $2,$1,$9
+        br $31,$9123
+        .align 4
+$9124:
+        bis $13,$27,$0
+$9136:
+        ldq $26,0($30)
+        ldq $9,8($30)
+        ldq $10,16($30)
+        ldq $11,24($30)
+        ldq $12,32($30)
+        ldq $13,40($30)
+        addq $30,48,$30
+        ret $31,($26),1
+        .end bn_div64
+EOF
+        &asm_add($data);
+        }
+
+1;
diff --git a/src/lib/libssl/src/crypto/bn/asm/alpha.works/mul.pl b/src/lib/libssl/src/crypto/bn/asm/alpha.works/mul.pl
new file mode 100644
index 0000000000..b182bae452
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/alpha.works/mul.pl
@@ -0,0 +1,116 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub bn_mul_words
+        {
+        local($name)=@_;
+        local($cc,$a,$b,$r,$couny);
+
+        &init_pool(4);
+        ($cc)=GR("r0");
+
+        $rp=&wparam(0);
+        $ap=&wparam(1);
+        $count=&wparam(2);
+        $word=&wparam(3);
+
+        &function_begin($name,"");
+
+        &comment("");
+        &sub($count,4,$count);
+        &mov("zero",$cc);
+        &br(&label("finish"));
+        &blt($count,&label("finish"));
+
+        ($a0,$r0)=&NR(2);
+        &ld($a0,&QWPw(0,$ap));
+        &ld($r0,&QWPw(0,$rp));
+
+$a=<<'EOF';
+##########################################################
+        &set_label("loop");
+
+        ($a1)=&NR(1); &ld($a1,&QWPw(1,$ap));
+        ($b1)=&NR(1); &ld($b1,&QWPw(1,$bp));
+        ($a2)=&NR(1); &ld($a2,&QWPw(2,$ap));
+        ($b2)=&NR(1); &ld($b2,&QWPw(2,$bp));
+        ($a3)=&NR(1); &ld($a3,&QWPw(3,$ap));
+        ($b3)=&NR(1); &ld($b3,&QWPw(3,$bp));
+
+        ($o0,$t0)=&NR(2);
+        &add($a0,$b0,$o0); 
+        &cmpult($o0,$b0,$t0);
+        &add($o0,$cc,$o0);
+        &cmpult($o0,$cc,$cc);
+        &add($cc,$t0,$cc);      &FR($t0);
+
+        ($t1,$o1)=&NR(2);
+
+        &add($a1,$b1,$o1);      &FR($a1);
+        &cmpult($o1,$b1,$t1);   &FR($b1);
+        &add($o1,$cc,$o1);
+        &cmpult($o1,$cc,$cc);
+        &add($cc,$t1,$cc);      &FR($t1);
+
+        ($t2,$o2)=&NR(2);
+
+        &add($a2,$b2,$o2);      &FR($a2);
+        &cmpult($o2,$b2,$t2);   &FR($b2);
+        &add($o2,$cc,$o2);
+        &cmpult($o2,$cc,$cc);
+        &add($cc,$t2,$cc);      &FR($t2);
+
+        ($t3,$o3)=&NR(2);
+
+        &add($a3,$b3,$o3);      &FR($a3);
+        &cmpult($o3,$b3,$t3);   &FR($b3);
+        &add($o3,$cc,$o3);
+        &cmpult($o3,$cc,$cc);
+        &add($cc,$t3,$cc);      &FR($t3);
+
+        &st($o0,&QWPw(0,$rp)); &FR($o0);
+        &st($o1,&QWPw(0,$rp)); &FR($o1);
+        &st($o2,&QWPw(0,$rp)); &FR($o2);
+        &st($o3,&QWPw(0,$rp)); &FR($o3);
+
+        &sub($count,4,$count);  # count-=4
+        &add($ap,4*$QWS,$ap);   # count+=4
+        &add($bp,4*$QWS,$bp);   # count+=4
+        &add($rp,4*$QWS,$rp);   # count+=4
+
+        &blt($count,&label("finish"));
+        &ld($a0,&QWPw(0,$ap));
+         &ld($b0,&QWPw(0,$bp));
+        &br(&label("loop"));
+EOF
+##################################################
+        # Do the last 0..3 words
+
+        &set_label("last_loop");
+
+        &ld(($a0)=&NR(1),&QWPw(0,$ap)); # get a
+        &mul($a0,$word,($l0)=&NR(1));
+         &add($ap,$QWS,$ap);
+        &muh($a0,$word,($h0)=&NR(1));   &FR($a0);
+        &add($l0,$cc,$l0);
+         &add($rp,$QWS,$rp);
+         &sub($count,1,$count);
+        &cmpult($l0,$cc,$cc);
+        &st($l0,&QWPw(-1,$rp));         &FR($l0);
+        &add($h0,$cc,$cc);              &FR($h0);
+
+        &bgt($count,&label("last_loop"));
+        &function_end_A($name);
+
+######################################################
+        &set_label("finish");
+        &add($count,4,$count);
+        &bgt($count,&label("last_loop"));
+
+        &set_label("end");
+        &function_end($name);
+
+        &fin_pool;
+        }
+
+1;
diff --git a/src/lib/libssl/src/crypto/bn/asm/alpha.works/mul_add.pl b/src/lib/libssl/src/crypto/bn/asm/alpha.works/mul_add.pl
new file mode 100644
index 0000000000..e37f6315fb
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/alpha.works/mul_add.pl
@@ -0,0 +1,120 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub bn_mul_add_words
+        {
+        local($name)=@_;
+        local($cc,$a,$b,$r,$couny);
+
+        &init_pool(4);
+        ($cc)=GR("r0");
+
+        $rp=&wparam(0);
+        $ap=&wparam(1);
+        $count=&wparam(2);
+        $word=&wparam(3);
+
+        &function_begin($name,"");
+
+        &comment("");
+        &sub($count,4,$count);
+        &mov("zero",$cc);
+        &br(&label("finish"));
+        &blt($count,&label("finish"));
+
+        ($a0,$r0)=&NR(2);
+        &ld($a0,&QWPw(0,$ap));
+        &ld($r0,&QWPw(0,$rp));
+
+$a=<<'EOF';
+##########################################################
+        &set_label("loop");
+
+        ($a1)=&NR(1); &ld($a1,&QWPw(1,$ap));
+        ($b1)=&NR(1); &ld($b1,&QWPw(1,$bp));
+        ($a2)=&NR(1); &ld($a2,&QWPw(2,$ap));
+        ($b2)=&NR(1); &ld($b2,&QWPw(2,$bp));
+        ($a3)=&NR(1); &ld($a3,&QWPw(3,$ap));
+        ($b3)=&NR(1); &ld($b3,&QWPw(3,$bp));
+
+        ($o0,$t0)=&NR(2);
+        &add($a0,$b0,$o0); 
+        &cmpult($o0,$b0,$t0);
+        &add($o0,$cc,$o0);
+        &cmpult($o0,$cc,$cc);
+        &add($cc,$t0,$cc);      &FR($t0);
+
+        ($t1,$o1)=&NR(2);
+
+        &add($a1,$b1,$o1);      &FR($a1);
+        &cmpult($o1,$b1,$t1);   &FR($b1);
+        &add($o1,$cc,$o1);
+        &cmpult($o1,$cc,$cc);
+        &add($cc,$t1,$cc);      &FR($t1);
+
+        ($t2,$o2)=&NR(2);
+
+        &add($a2,$b2,$o2);      &FR($a2);
+        &cmpult($o2,$b2,$t2);   &FR($b2);
+        &add($o2,$cc,$o2);
+        &cmpult($o2,$cc,$cc);
+        &add($cc,$t2,$cc);      &FR($t2);
+
+        ($t3,$o3)=&NR(2);
+
+        &add($a3,$b3,$o3);      &FR($a3);
+        &cmpult($o3,$b3,$t3);   &FR($b3);
+        &add($o3,$cc,$o3);
+        &cmpult($o3,$cc,$cc);
+        &add($cc,$t3,$cc);      &FR($t3);
+
+        &st($o0,&QWPw(0,$rp)); &FR($o0);
+        &st($o1,&QWPw(0,$rp)); &FR($o1);
+        &st($o2,&QWPw(0,$rp)); &FR($o2);
+        &st($o3,&QWPw(0,$rp)); &FR($o3);
+
+        &sub($count,4,$count);  # count-=4
+        &add($ap,4*$QWS,$ap);   # count+=4
+        &add($bp,4*$QWS,$bp);   # count+=4
+        &add($rp,4*$QWS,$rp);   # count+=4
+
+        &blt($count,&label("finish"));
+        &ld($a0,&QWPw(0,$ap));
+         &ld($b0,&QWPw(0,$bp));
+        &br(&label("loop"));
+EOF
+##################################################
+        # Do the last 0..3 words
+
+        &set_label("last_loop");
+
+        &ld(($a0)=&NR(1),&QWPw(0,$ap)); # get a
+        &ld(($r0)=&NR(1),&QWPw(0,$rp)); # get b
+        &mul($a0,$word,($l0)=&NR(1));
+         &sub($count,1,$count);
+         &add($ap,$QWS,$ap);
+        &muh($a0,$word,($h0)=&NR(1));   &FR($a0);
+        &add($r0,$l0,$r0);
+         &add($rp,$QWS,$rp);
+        &cmpult($r0,$l0,($t0)=&NR(1));  &FR($l0);
+         &add($r0,$cc,$r0);
+        &add($h0,$t0,$h0);              &FR($t0);
+         &cmpult($r0,$cc,$cc);
+        &st($r0,&QWPw(-1,$rp));         &FR($r0);
+         &add($h0,$cc,$cc);             &FR($h0);
+
+        &bgt($count,&label("last_loop"));
+        &function_end_A($name);
+
+######################################################
+        &set_label("finish");
+        &add($count,4,$count);
+        &bgt($count,&label("last_loop"));
+
+        &set_label("end");
+        &function_end($name);
+
+        &fin_pool;
+        }
+
+1;
diff --git a/src/lib/libssl/src/crypto/bn/asm/alpha.works/mul_c4.pl b/src/lib/libssl/src/crypto/bn/asm/alpha.works/mul_c4.pl
new file mode 100644
index 0000000000..5efd201281
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/alpha.works/mul_c4.pl
@@ -0,0 +1,213 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub mul_add_c
+        {
+        local($a,$b,$c0,$c1,$c2)=@_;
+        local($l1,$h1,$t1,$t2);
+
+        &mul($a,$b,($l1)=&NR(1));
+        &muh($a,$b,($h1)=&NR(1));
+        &add($c0,$l1,$c0);
+        &cmpult($c0,$l1,($t1)=&NR(1));  &FR($l1);
+        &add($t1,$h1,$h1);              &FR($t1);
+        &add($c1,$h1,$c1);
+        &cmpult($c1,$h1,($t2)=&NR(1));  &FR($h1);
+        &add($c2,$t2,$c2);              &FR($t2);
+        }
+
+sub bn_mul_comba4
+        {
+        local($name)=@_;
+        local(@a,@b,$r,$c0,$c1,$c2);
+
+        $cnt=1;
+        &init_pool(3);
+
+        $rp=&wparam(0);
+        $ap=&wparam(1);
+        $bp=&wparam(2);
+
+        &function_begin($name,"");
+
+        &comment("");
+
+        &ld(($a[0])=&NR(1),&QWPw(0,$ap));
+        &ld(($b[0])=&NR(1),&QWPw(0,$bp));
+        &ld(($a[1])=&NR(1),&QWPw(1,$ap));
+        &ld(($b[1])=&NR(1),&QWPw(1,$bp));
+        &mul($a[0],$b[0],($r00)=&NR(1));
+        &ld(($a[2])=&NR(1),&QWPw(2,$ap));
+        &ld(($b[2])=&NR(1),&QWPw(2,$bp));
+        &muh($a[0],$b[0],($r01)=&NR(1));
+        &FR($ap); &ld(($a[3])=&NR(1),&QWPw(3,$ap));
+        &FR($bp); &ld(($b[3])=&NR(1),&QWPw(3,$bp));
+        &mul($a[0],$b[1],($r02)=&NR(1));
+
+        ($R,$H1,$H2)=&NR(3);
+
+        &st($r00,&QWPw(0,$rp)); &FR($r00);
+
+        &mov("zero",$R);
+        &mul($a[1],$b[0],($r03)=&NR(1));
+
+        &mov("zero",$H1);
+        &mov("zero",$H0);
+         &add($R,$r01,$R);
+        &muh($a[0],$b[1],($r04)=&NR(1));
+         &cmpult($R,$r01,($t01)=&NR(1));        &FR($r01);
+         &add($R,$r02,$R);
+         &add($H1,$t01,$H1)                     &FR($t01);
+        &muh($a[1],$b[0],($r05)=&NR(1));
+         &cmpult($R,$r02,($t02)=&NR(1));        &FR($r02);
+         &add($R,$r03,$R);
+         &add($H2,$t02,$H2)                     &FR($t02);
+        &mul($a[0],$b[2],($r06)=&NR(1));
+         &cmpult($R,$r03,($t03)=&NR(1));        &FR($r03);
+         &add($H1,$t03,$H1)                     &FR($t03);
+        &st($R,&QWPw(1,$rp));
+        &add($H1,$H2,$R);
+
+        &mov("zero",$H1);
+         &add($R,$r04,$R);
+        &mov("zero",$H2);
+        &mul($a[1],$b[1],($r07)=&NR(1));
+         &cmpult($R,$r04,($t04)=&NR(1));        &FR($r04);
+         &add($R,$r05,$R);
+         &add($H1,$t04,$H1)                     &FR($t04);
+        &mul($a[2],$b[0],($r08)=&NR(1));
+         &cmpult($R,$r05,($t05)=&NR(1));        &FR($r05);
+         &add($R,$r01,$R);
+         &add($H2,$t05,$H2)                     &FR($t05);
+        &muh($a[0],$b[2],($r09)=&NR(1));
+         &cmpult($R,$r06,($t06)=&NR(1));        &FR($r06);
+         &add($R,$r07,$R);
+         &add($H1,$t06,$H1)                     &FR($t06);
+        &muh($a[1],$b[1],($r10)=&NR(1));
+         &cmpult($R,$r07,($t07)=&NR(1));        &FR($r07);
+         &add($R,$r08,$R);
+         &add($H2,$t07,$H2)                     &FR($t07);
+        &muh($a[2],$b[0],($r11)=&NR(1));
+         &cmpult($R,$r08,($t08)=&NR(1));        &FR($r08);
+         &add($H1,$t08,$H1)                     &FR($t08);
+        &st($R,&QWPw(2,$rp));
+        &add($H1,$H2,$R);
+
+        &mov("zero",$H1);
+         &add($R,$r09,$R);
+        &mov("zero",$H2);
+        &mul($a[0],$b[3],($r12)=&NR(1));
+         &cmpult($R,$r09,($t09)=&NR(1));        &FR($r09);
+         &add($R,$r10,$R);
+         &add($H1,$t09,$H1)                     &FR($t09);
+        &mul($a[1],$b[2],($r13)=&NR(1));
+         &cmpult($R,$r10,($t10)=&NR(1));        &FR($r10);
+         &add($R,$r11,$R);
+         &add($H1,$t10,$H1)                     &FR($t10);
+        &mul($a[2],$b[1],($r14)=&NR(1));
+         &cmpult($R,$r11,($t11)=&NR(1));        &FR($r11);
+         &add($R,$r12,$R);
+         &add($H1,$t11,$H1)                     &FR($t11);
+        &mul($a[3],$b[0],($r15)=&NR(1));
+         &cmpult($R,$r12,($t12)=&NR(1));        &FR($r12);
+         &add($R,$r13,$R);
+         &add($H1,$t12,$H1)                     &FR($t12);
+        &muh($a[0],$b[3],($r16)=&NR(1));
+         &cmpult($R,$r13,($t13)=&NR(1));        &FR($r13);
+         &add($R,$r14,$R);
+         &add($H1,$t13,$H1)                     &FR($t13);
+        &muh($a[1],$b[2],($r17)=&NR(1));
+         &cmpult($R,$r14,($t14)=&NR(1));        &FR($r14);
+         &add($R,$r15,$R);
+         &add($H1,$t14,$H1)                     &FR($t14);
+        &muh($a[2],$b[1],($r18)=&NR(1));
+         &cmpult($R,$r15,($t15)=&NR(1));        &FR($r15);
+         &add($H1,$t15,$H1)                     &FR($t15);
+        &st($R,&QWPw(3,$rp));
+        &add($H1,$H2,$R);
+
+        &mov("zero",$H1);
+         &add($R,$r16,$R);
+        &mov("zero",$H2);
+        &muh($a[3],$b[0],($r19)=&NR(1));
+         &cmpult($R,$r16,($t16)=&NR(1));        &FR($r16);
+         &add($R,$r17,$R);
+         &add($H1,$t16,$H1)                     &FR($t16);
+        &mul($a[1],$b[3],($r20)=&NR(1));
+         &cmpult($R,$r17,($t17)=&NR(1));        &FR($r17);
+         &add($R,$r18,$R);
+         &add($H1,$t17,$H1)                     &FR($t17);
+        &mul($a[2],$b[2],($r21)=&NR(1));
+         &cmpult($R,$r18,($t18)=&NR(1));        &FR($r18);
+         &add($R,$r19,$R);
+         &add($H1,$t18,$H1)                     &FR($t18);
+        &mul($a[3],$b[1],($r22)=&NR(1));
+         &cmpult($R,$r19,($t19)=&NR(1));        &FR($r19);
+         &add($R,$r20,$R);
+         &add($H1,$t19,$H1)                     &FR($t19);
+        &muh($a[1],$b[3],($r23)=&NR(1));
+         &cmpult($R,$r20,($t20)=&NR(1));        &FR($r20);
+         &add($R,$r21,$R);
+         &add($H1,$t20,$H1)                     &FR($t20);
+        &muh($a[2],$b[2],($r24)=&NR(1));
+         &cmpult($R,$r21,($t21)=&NR(1));        &FR($r21);
+         &add($R,$r22,$R);
+         &add($H1,$t21,$H1)                     &FR($t21);
+        &muh($a[3],$b[1],($r25)=&NR(1));
+         &cmpult($R,$r22,($t22)=&NR(1));        &FR($r22);
+         &add($H1,$t22,$H1)                     &FR($t22);
+        &st($R,&QWPw(4,$rp));
+        &add($H1,$H2,$R);
+
+        &mov("zero",$H1);
+         &add($R,$r23,$R);
+        &mov("zero",$H2);
+        &mul($a[2],$b[3],($r26)=&NR(1));
+         &cmpult($R,$r23,($t23)=&NR(1));        &FR($r23);
+         &add($R,$r24,$R);
+         &add($H1,$t23,$H1)                     &FR($t23);
+        &mul($a[3],$b[2],($r27)=&NR(1));
+         &cmpult($R,$r24,($t24)=&NR(1));        &FR($r24);
+         &add($R,$r25,$R);
+         &add($H1,$t24,$H1)                     &FR($t24);
+        &muh($a[2],$b[3],($r28)=&NR(1));
+         &cmpult($R,$r25,($t25)=&NR(1));        &FR($r25);
+         &add($R,$r26,$R);
+         &add($H1,$t25,$H1)                     &FR($t25);
+        &muh($a[3],$b[2],($r29)=&NR(1));
+         &cmpult($R,$r26,($t26)=&NR(1));        &FR($r26);
+         &add($R,$r27,$R);
+         &add($H1,$t26,$H1)                     &FR($t26);
+        &mul($a[3],$b[3],($r30)=&NR(1));
+         &cmpult($R,$r27,($t27)=&NR(1));        &FR($r27);
+         &add($H1,$t27,$H1)                     &FR($t27);
+        &st($R,&QWPw(5,$rp));
+        &add($H1,$H2,$R);
+
+        &mov("zero",$H1);
+         &add($R,$r28,$R);
+        &mov("zero",$H2);
+        &muh($a[3],$b[3],($r31)=&NR(1));
+         &cmpult($R,$r28,($t28)=&NR(1));        &FR($r28);
+         &add($R,$r29,$R);
+         &add($H1,$t28,$H1)                     &FR($t28);
+        ############
+         &cmpult($R,$r29,($t29)=&NR(1));        &FR($r29);
+         &add($R,$r30,$R);
+         &add($H1,$t29,$H1)                     &FR($t29);
+        ############
+         &cmpult($R,$r30,($t30)=&NR(1));        &FR($r30);
+         &add($H1,$t30,$H1)                     &FR($t30);
+        &st($R,&QWPw(6,$rp));
+        &add($H1,$H2,$R);
+
+         &add($R,$r31,$R);                      &FR($r31);
+        &st($R,&QWPw(7,$rp));
+
+        &FR($R,$H1,$H2);
+        &function_end($name);
+
+        &fin_pool;
+        }
+
+1;
diff --git a/src/lib/libssl/src/crypto/bn/asm/alpha.works/mul_c4.works.pl b/src/lib/libssl/src/crypto/bn/asm/alpha.works/mul_c4.works.pl
new file mode 100644
index 0000000000..79d86dd25c
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/alpha.works/mul_c4.works.pl
@@ -0,0 +1,98 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub mul_add_c
+        {
+        local($a,$b,$c0,$c1,$c2)=@_;
+        local($l1,$h1,$t1,$t2);
+
+print STDERR "count=$cnt\n"; $cnt++;
+        &mul($a,$b,($l1)=&NR(1));
+        &muh($a,$b,($h1)=&NR(1));
+        &add($c0,$l1,$c0);
+        &cmpult($c0,$l1,($t1)=&NR(1));  &FR($l1);
+        &add($t1,$h1,$h1);              &FR($t1);
+        &add($c1,$h1,$c1);
+        &cmpult($c1,$h1,($t2)=&NR(1));  &FR($h1);
+        &add($c2,$t2,$c2);              &FR($t2);
+        }
+
+sub bn_mul_comba4
+        {
+        local($name)=@_;
+        local(@a,@b,$r,$c0,$c1,$c2);
+
+        $cnt=1;
+        &init_pool(3);
+
+        $rp=&wparam(0);
+        $ap=&wparam(1);
+        $bp=&wparam(2);
+
+        &function_begin($name,"");
+
+        &comment("");
+
+        &ld(($a[0])=&NR(1),&QWPw(0,$ap));
+        &ld(($b[0])=&NR(1),&QWPw(0,$bp));
+        &ld(($a[1])=&NR(1),&QWPw(1,$ap));
+        &ld(($b[1])=&NR(1),&QWPw(1,$bp));
+        &ld(($a[2])=&NR(1),&QWPw(2,$ap));
+        &ld(($b[2])=&NR(1),&QWPw(2,$bp));
+        &ld(($a[3])=&NR(1),&QWPw(3,$ap));       &FR($ap);
+        &ld(($b[3])=&NR(1),&QWPw(3,$bp));       &FR($bp);
+
+        ($c0,$c1,$c2)=&NR(3);
+        &mov("zero",$c2);
+        &mul($a[0],$b[0],$c0);
+        &muh($a[0],$b[0],$c1);
+        &st($c0,&QWPw(0,$rp));                  &FR($c0); ($c0)=&NR($c0);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[0],$b[1],$c0,$c1,$c2);
+        &mul_add_c($a[1],$b[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(1,$rp));                  &FR($c0); ($c0)=&NR($c0);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[1],$b[1],$c0,$c1,$c2);
+        &mul_add_c($a[0],$b[2],$c0,$c1,$c2);
+        &mul_add_c($a[2],$b[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(2,$rp));                  &FR($c0); ($c0)=&NR($c0);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[0],$b[3],$c0,$c1,$c2);    &FR($a[0]);
+        &mul_add_c($a[1],$b[2],$c0,$c1,$c2);
+        &mul_add_c($a[2],$b[1],$c0,$c1,$c2);
+        &mul_add_c($a[3],$b[0],$c0,$c1,$c2);    &FR($b[0]);
+        &st($c0,&QWPw(3,$rp));                  &FR($c0); ($c0)=&NR($c0);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[1],$b[3],$c0,$c1,$c2);    &FR($a[1]);
+        &mul_add_c($a[2],$b[2],$c0,$c1,$c2);
+        &mul_add_c($a[3],$b[1],$c0,$c1,$c2);    &FR($b[1]);
+        &st($c0,&QWPw(4,$rp));                  &FR($c0); ($c0)=&NR($c0);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[2],$b[3],$c0,$c1,$c2);    &FR($a[2]);
+        &mul_add_c($a[3],$b[2],$c0,$c1,$c2);    &FR($b[2]);
+        &st($c0,&QWPw(5,$rp));                  &FR($c0); ($c0)=&NR($c0);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[3],$b[3],$c0,$c1,$c2);    &FR($a[3],$b[3]);
+        &st($c0,&QWPw(6,$rp));
+        &st($c1,&QWPw(7,$rp));
+
+        &FR($c0,$c1,$c2);
+
+        &function_end($name);
+
+        &fin_pool;
+        }
+
+1;
diff --git a/src/lib/libssl/src/crypto/bn/asm/alpha.works/mul_c8.pl b/src/lib/libssl/src/crypto/bn/asm/alpha.works/mul_c8.pl
new file mode 100644
index 0000000000..525ca7494b
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/alpha.works/mul_c8.pl
@@ -0,0 +1,177 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub bn_mul_comba8
+        {
+        local($name)=@_;
+        local(@a,@b,$r,$c0,$c1,$c2);
+
+        $cnt=1;
+        &init_pool(3);
+
+        $rp=&wparam(0);
+        $ap=&wparam(1);
+        $bp=&wparam(2);
+
+        &function_begin($name,"");
+
+        &comment("");
+
+        &stack_push(2);
+        &ld(($a[0])=&NR(1),&QWPw(0,$ap));
+        &ld(($b[0])=&NR(1),&QWPw(0,$bp));
+        &st($reg_s0,&swtmp(0)); &FR($reg_s0);
+        &st($reg_s1,&swtmp(1)); &FR($reg_s1);
+        &ld(($a[1])=&NR(1),&QWPw(1,$ap));
+        &ld(($b[1])=&NR(1),&QWPw(1,$bp));
+        &ld(($a[2])=&NR(1),&QWPw(2,$ap));
+        &ld(($b[2])=&NR(1),&QWPw(2,$bp));
+        &ld(($a[3])=&NR(1),&QWPw(3,$ap));
+        &ld(($b[3])=&NR(1),&QWPw(3,$bp));
+        &ld(($a[4])=&NR(1),&QWPw(1,$ap));
+        &ld(($b[4])=&NR(1),&QWPw(1,$bp));
+        &ld(($a[5])=&NR(1),&QWPw(1,$ap));
+        &ld(($b[5])=&NR(1),&QWPw(1,$bp));
+        &ld(($a[6])=&NR(1),&QWPw(1,$ap));
+        &ld(($b[6])=&NR(1),&QWPw(1,$bp));
+        &ld(($a[7])=&NR(1),&QWPw(1,$ap));       &FR($ap);
+        &ld(($b[7])=&NR(1),&QWPw(1,$bp));       &FR($bp);
+
+        ($c0,$c1,$c2)=&NR(3);
+        &mov("zero",$c2);
+        &mul($a[0],$b[0],$c0);
+        &muh($a[0],$b[0],$c1);
+        &st($c0,&QWPw(0,$rp));                  &FR($c0); ($c0)=&NR(1);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[0],$b[1],$c0,$c1,$c2);
+        &mul_add_c($a[1],$b[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(1,$rp));                  &FR($c0); ($c0)=&NR(1);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[0],$b[2],$c0,$c1,$c2);
+        &mul_add_c($a[1],$b[1],$c0,$c1,$c2);
+        &mul_add_c($a[2],$b[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(2,$rp));                  &FR($c0); ($c0)=&NR(1);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[0],$b[3],$c0,$c1,$c2);
+        &mul_add_c($a[1],$b[2],$c0,$c1,$c2);
+        &mul_add_c($a[2],$b[1],$c0,$c1,$c2);
+        &mul_add_c($a[3],$b[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(3,$rp));                  &FR($c0); ($c0)=&NR(1);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[0],$b[4],$c0,$c1,$c2);
+        &mul_add_c($a[1],$b[3],$c0,$c1,$c2);
+        &mul_add_c($a[2],$b[2],$c0,$c1,$c2);
+        &mul_add_c($a[3],$b[1],$c0,$c1,$c2);
+        &mul_add_c($a[4],$b[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(4,$rp));                  &FR($c0); ($c0)=&NR(1);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[0],$b[5],$c0,$c1,$c2);
+        &mul_add_c($a[1],$b[4],$c0,$c1,$c2);
+        &mul_add_c($a[2],$b[3],$c0,$c1,$c2);
+        &mul_add_c($a[3],$b[2],$c0,$c1,$c2);
+        &mul_add_c($a[4],$b[1],$c0,$c1,$c2);
+        &mul_add_c($a[5],$b[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(5,$rp));                  &FR($c0); ($c0)=&NR(1);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[0],$b[6],$c0,$c1,$c2);
+        &mul_add_c($a[1],$b[5],$c0,$c1,$c2);
+        &mul_add_c($a[2],$b[4],$c0,$c1,$c2);
+        &mul_add_c($a[3],$b[3],$c0,$c1,$c2);
+        &mul_add_c($a[4],$b[2],$c0,$c1,$c2);
+        &mul_add_c($a[5],$b[1],$c0,$c1,$c2);
+        &mul_add_c($a[6],$b[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(6,$rp));                  &FR($c0); ($c0)=&NR(1);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[0],$b[7],$c0,$c1,$c2);    &FR($a[0]);
+        &mul_add_c($a[1],$b[6],$c0,$c1,$c2);
+        &mul_add_c($a[2],$b[5],$c0,$c1,$c2);
+        &mul_add_c($a[3],$b[4],$c0,$c1,$c2);
+        &mul_add_c($a[4],$b[3],$c0,$c1,$c2);
+        &mul_add_c($a[5],$b[2],$c0,$c1,$c2);
+        &mul_add_c($a[6],$b[1],$c0,$c1,$c2);
+        &mul_add_c($a[7],$b[0],$c0,$c1,$c2);    &FR($b[0]);
+        &st($c0,&QWPw(7,$rp));                  &FR($c0); ($c0)=&NR(1);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[1],$b[7],$c0,$c1,$c2);    &FR($a[1]);
+        &mul_add_c($a[2],$b[6],$c0,$c1,$c2);
+        &mul_add_c($a[3],$b[5],$c0,$c1,$c2);
+        &mul_add_c($a[4],$b[4],$c0,$c1,$c2);
+        &mul_add_c($a[5],$b[3],$c0,$c1,$c2);
+        &mul_add_c($a[6],$b[2],$c0,$c1,$c2);
+        &mul_add_c($a[7],$b[1],$c0,$c1,$c2);    &FR($b[1]);
+        &st($c0,&QWPw(8,$rp));                  &FR($c0); ($c0)=&NR(1);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[2],$b[7],$c0,$c1,$c2);    &FR($a[2]);
+        &mul_add_c($a[3],$b[6],$c0,$c1,$c2);
+        &mul_add_c($a[4],$b[5],$c0,$c1,$c2);
+        &mul_add_c($a[5],$b[4],$c0,$c1,$c2);
+        &mul_add_c($a[6],$b[3],$c0,$c1,$c2);
+        &mul_add_c($a[7],$b[2],$c0,$c1,$c2);    &FR($b[2]);
+        &st($c0,&QWPw(9,$rp));                  &FR($c0); ($c0)=&NR(1);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[3],$b[7],$c0,$c1,$c2);    &FR($a[3]);
+        &mul_add_c($a[4],$b[6],$c0,$c1,$c2);
+        &mul_add_c($a[5],$b[5],$c0,$c1,$c2);
+        &mul_add_c($a[6],$b[4],$c0,$c1,$c2);
+        &mul_add_c($a[7],$b[3],$c0,$c1,$c2);    &FR($b[3]);
+        &st($c0,&QWPw(10,$rp));                 &FR($c0); ($c0)=&NR(1);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[4],$b[7],$c0,$c1,$c2);    &FR($a[4]);
+        &mul_add_c($a[5],$b[6],$c0,$c1,$c2);
+        &mul_add_c($a[6],$b[5],$c0,$c1,$c2);
+        &mul_add_c($a[7],$b[4],$c0,$c1,$c2);    &FR($b[4]);
+        &st($c0,&QWPw(11,$rp));                 &FR($c0); ($c0)=&NR(1);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[5],$b[7],$c0,$c1,$c2);    &FR($a[5]);
+        &mul_add_c($a[6],$b[6],$c0,$c1,$c2);
+        &mul_add_c($a[7],$b[5],$c0,$c1,$c2);    &FR($b[5]);
+        &st($c0,&QWPw(12,$rp));                 &FR($c0); ($c0)=&NR(1);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[6],$b[7],$c0,$c1,$c2);    &FR($a[6]);
+        &mul_add_c($a[7],$b[6],$c0,$c1,$c2);    &FR($b[6]);
+        &st($c0,&QWPw(13,$rp));                 &FR($c0); ($c0)=&NR(1);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[7],$b[7],$c0,$c1,$c2);    &FR($a[7],$b[7]);
+        &st($c0,&QWPw(14,$rp));
+        &st($c1,&QWPw(15,$rp));
+
+        &FR($c0,$c1,$c2);
+
+        &ld($reg_s0,&swtmp(0));
+        &ld($reg_s1,&swtmp(1));
+        &stack_pop(2);
+
+        &function_end($name);
+
+        &fin_pool;
+        }
+
+1;
diff --git a/src/lib/libssl/src/crypto/bn/asm/alpha.works/sqr.pl b/src/lib/libssl/src/crypto/bn/asm/alpha.works/sqr.pl
new file mode 100644
index 0000000000..a55b696906
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/alpha.works/sqr.pl
@@ -0,0 +1,113 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub bn_sqr_words
+        {
+        local($name)=@_;
+        local($cc,$a,$b,$r,$couny);
+
+        &init_pool(3);
+        ($cc)=GR("r0");
+
+        $rp=&wparam(0);
+        $ap=&wparam(1);
+        $count=&wparam(2);
+
+        &function_begin($name,"");
+
+        &comment("");
+        &sub($count,4,$count);
+        &mov("zero",$cc);
+        &br(&label("finish"));
+        &blt($count,&label("finish"));
+
+        ($a0,$r0)=&NR(2);
+        &ld($a0,&QWPw(0,$ap));
+        &ld($r0,&QWPw(0,$rp));
+
+$a=<<'EOF';
+##########################################################
+        &set_label("loop");
+
+        ($a1)=&NR(1); &ld($a1,&QWPw(1,$ap));
+        ($b1)=&NR(1); &ld($b1,&QWPw(1,$bp));
+        ($a2)=&NR(1); &ld($a2,&QWPw(2,$ap));
+        ($b2)=&NR(1); &ld($b2,&QWPw(2,$bp));
+        ($a3)=&NR(1); &ld($a3,&QWPw(3,$ap));
+        ($b3)=&NR(1); &ld($b3,&QWPw(3,$bp));
+
+        ($o0,$t0)=&NR(2);
+        &add($a0,$b0,$o0); 
+        &cmpult($o0,$b0,$t0);
+        &add($o0,$cc,$o0);
+        &cmpult($o0,$cc,$cc);
+        &add($cc,$t0,$cc);      &FR($t0);
+
+        ($t1,$o1)=&NR(2);
+
+        &add($a1,$b1,$o1);      &FR($a1);
+        &cmpult($o1,$b1,$t1);   &FR($b1);
+        &add($o1,$cc,$o1);
+        &cmpult($o1,$cc,$cc);
+        &add($cc,$t1,$cc);      &FR($t1);
+
+        ($t2,$o2)=&NR(2);
+
+        &add($a2,$b2,$o2);      &FR($a2);
+        &cmpult($o2,$b2,$t2);   &FR($b2);
+        &add($o2,$cc,$o2);
+        &cmpult($o2,$cc,$cc);
+        &add($cc,$t2,$cc);      &FR($t2);
+
+        ($t3,$o3)=&NR(2);
+
+        &add($a3,$b3,$o3);      &FR($a3);
+        &cmpult($o3,$b3,$t3);   &FR($b3);
+        &add($o3,$cc,$o3);
+        &cmpult($o3,$cc,$cc);
+        &add($cc,$t3,$cc);      &FR($t3);
+
+        &st($o0,&QWPw(0,$rp)); &FR($o0);
+        &st($o1,&QWPw(0,$rp)); &FR($o1);
+        &st($o2,&QWPw(0,$rp)); &FR($o2);
+        &st($o3,&QWPw(0,$rp)); &FR($o3);
+
+        &sub($count,4,$count);  # count-=4
+        &add($ap,4*$QWS,$ap);   # count+=4
+        &add($bp,4*$QWS,$bp);   # count+=4
+        &add($rp,4*$QWS,$rp);   # count+=4
+
+        &blt($count,&label("finish"));
+        &ld($a0,&QWPw(0,$ap));
+         &ld($b0,&QWPw(0,$bp));
+        &br(&label("loop"));
+EOF
+##################################################
+        # Do the last 0..3 words
+
+        &set_label("last_loop");
+
+        &ld(($a0)=&NR(1),&QWPw(0,$ap)); # get a
+        &mul($a0,$a0,($l0)=&NR(1));
+         &add($ap,$QWS,$ap);
+         &add($rp,2*$QWS,$rp);
+         &sub($count,1,$count);
+        &muh($a0,$a0,($h0)=&NR(1));     &FR($a0);
+        &st($l0,&QWPw(-2,$rp));         &FR($l0);
+        &st($h0,&QWPw(-1,$rp));         &FR($h0);
+
+        &bgt($count,&label("last_loop"));
+        &function_end_A($name);
+
+######################################################
+        &set_label("finish");
+        &add($count,4,$count);
+        &bgt($count,&label("last_loop"));
+
+        &set_label("end");
+        &function_end($name);
+
+        &fin_pool;
+        }
+
+1;
diff --git a/src/lib/libssl/src/crypto/bn/asm/alpha.works/sqr_c4.pl b/src/lib/libssl/src/crypto/bn/asm/alpha.works/sqr_c4.pl
new file mode 100644
index 0000000000..bf33f5b503
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/alpha.works/sqr_c4.pl
@@ -0,0 +1,109 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub sqr_add_c
+        {
+        local($a,$c0,$c1,$c2)=@_;
+        local($l1,$h1,$t1,$t2);
+
+        &mul($a,$a,($l1)=&NR(1));
+        &muh($a,$a,($h1)=&NR(1));
+        &add($c0,$l1,$c0);
+        &add($c1,$h1,$c1);
+        &cmpult($c0,$l1,($t1)=&NR(1));  &FR($l1);
+        &cmpult($c1,$h1,($t2)=&NR(1));  &FR($h1);
+        &add($c1,$t1,$c1);              &FR($t1);
+        &add($c2,$t2,$c2);              &FR($t2);
+        }
+
+sub sqr_add_c2
+        {
+        local($a,$b,$c0,$c1,$c2)=@_;
+        local($l1,$h1,$t1,$t2);
+
+        &mul($a,$b,($l1)=&NR(1));
+        &muh($a,$b,($h1)=&NR(1));
+        &cmplt($l1,"zero",($lc1)=&NR(1));
+        &cmplt($h1,"zero",($hc1)=&NR(1));
+        &add($l1,$l1,$l1);
+        &add($h1,$h1,$h1);
+        &add($h1,$lc1,$h1);             &FR($lc1);
+        &add($c2,$hc1,$c2);             &FR($hc1);
+
+        &add($c0,$l1,$c0);
+        &add($c1,$h1,$c1);
+        &cmpult($c0,$l1,($lc1)=&NR(1)); &FR($l1);
+        &cmpult($c1,$h1,($hc1)=&NR(1)); &FR($h1);
+
+        &add($c1,$lc1,$c1);             &FR($lc1);
+        &add($c2,$hc1,$c2);             &FR($hc1);
+        }
+
+
+sub bn_sqr_comba4
+        {
+        local($name)=@_;
+        local(@a,@b,$r,$c0,$c1,$c2);
+
+        $cnt=1;
+        &init_pool(2);
+
+        $rp=&wparam(0);
+        $ap=&wparam(1);
+
+        &function_begin($name,"");
+
+        &comment("");
+
+        &ld(($a[0])=&NR(1),&QWPw(0,$ap));
+        &ld(($a[1])=&NR(1),&QWPw(1,$ap));
+        &ld(($a[2])=&NR(1),&QWPw(2,$ap));
+        &ld(($a[3])=&NR(1),&QWPw(3,$ap)); &FR($ap);
+
+        ($c0,$c1,$c2)=&NR(3);
+
+        &mov("zero",$c2);
+        &mul($a[0],$a[0],$c0);
+        &muh($a[0],$a[0],$c1);
+        &st($c0,&QWPw(0,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c2($a[0],$a[1],$c0,$c1,$c2);
+        &st($c0,&QWPw(1,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c($a[1],$c0,$c1,$c2);
+        &sqr_add_c2($a[2],$a[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(2,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c2($a[3],$a[0],$c0,$c1,$c2);
+        &sqr_add_c2($a[2],$a[1],$c0,$c1,$c2);
+        &st($c0,&QWPw(3,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c($a[2],$c0,$c1,$c2);
+        &sqr_add_c2($a[3],$a[1],$c0,$c1,$c2);
+        &st($c0,&QWPw(4,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c2($a[3],$a[2],$c0,$c1,$c2);
+        &st($c0,&QWPw(5,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c($a[3],$c0,$c1,$c2);
+        &st($c0,&QWPw(6,$rp));
+        &st($c1,&QWPw(7,$rp));
+
+        &function_end($name);
+
+        &fin_pool;
+        }
+
+1;
diff --git a/src/lib/libssl/src/crypto/bn/asm/alpha.works/sqr_c8.pl b/src/lib/libssl/src/crypto/bn/asm/alpha.works/sqr_c8.pl
new file mode 100644
index 0000000000..b4afe085f1
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/alpha.works/sqr_c8.pl
@@ -0,0 +1,132 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub bn_sqr_comba8
+        {
+        local($name)=@_;
+        local(@a,@b,$r,$c0,$c1,$c2);
+
+        $cnt=1;
+        &init_pool(2);
+
+        $rp=&wparam(0);
+        $ap=&wparam(1);
+
+        &function_begin($name,"");
+
+        &comment("");
+
+        &ld(($a[0])=&NR(1),&QWPw(0,$ap));
+        &ld(($a[1])=&NR(1),&QWPw(1,$ap));
+        &ld(($a[2])=&NR(1),&QWPw(2,$ap));
+        &ld(($a[3])=&NR(1),&QWPw(3,$ap));
+        &ld(($a[4])=&NR(1),&QWPw(4,$ap));
+        &ld(($a[5])=&NR(1),&QWPw(5,$ap));
+        &ld(($a[6])=&NR(1),&QWPw(6,$ap));
+        &ld(($a[7])=&NR(1),&QWPw(7,$ap)); &FR($ap);
+
+        ($c0,$c1,$c2)=&NR(3);
+
+        &mov("zero",$c2);
+        &mul($a[0],$a[0],$c0);
+        &muh($a[0],$a[0],$c1);
+        &st($c0,&QWPw(0,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c2($a[1],$a[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(1,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c($a[1],$c0,$c1,$c2);
+        &sqr_add_c2($a[2],$a[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(2,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c2($a[2],$a[1],$c0,$c1,$c2);
+        &sqr_add_c2($a[3],$a[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(3,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c($a[2],$c0,$c1,$c2);
+        &sqr_add_c2($a[3],$a[1],$c0,$c1,$c2);
+        &sqr_add_c2($a[4],$a[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(4,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c2($a[3],$a[2],$c0,$c1,$c2);
+        &sqr_add_c2($a[4],$a[1],$c0,$c1,$c2);
+        &sqr_add_c2($a[5],$a[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(5,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c($a[3],$c0,$c1,$c2);
+        &sqr_add_c2($a[4],$a[2],$c0,$c1,$c2);
+        &sqr_add_c2($a[5],$a[1],$c0,$c1,$c2);
+        &sqr_add_c2($a[6],$a[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(6,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c2($a[4],$a[3],$c0,$c1,$c2);
+        &sqr_add_c2($a[5],$a[2],$c0,$c1,$c2);
+        &sqr_add_c2($a[6],$a[1],$c0,$c1,$c2);
+        &sqr_add_c2($a[7],$a[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(7,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c($a[4],$c0,$c1,$c2);
+        &sqr_add_c2($a[5],$a[3],$c0,$c1,$c2);
+        &sqr_add_c2($a[6],$a[2],$c0,$c1,$c2);
+        &sqr_add_c2($a[7],$a[1],$c0,$c1,$c2);
+        &st($c0,&QWPw(8,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c2($a[5],$a[4],$c0,$c1,$c2);
+        &sqr_add_c2($a[6],$a[3],$c0,$c1,$c2);
+        &sqr_add_c2($a[7],$a[2],$c0,$c1,$c2);
+        &st($c0,&QWPw(9,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c($a[5],$c0,$c1,$c2);
+        &sqr_add_c2($a[6],$a[4],$c0,$c1,$c2);
+        &sqr_add_c2($a[7],$a[3],$c0,$c1,$c2);
+        &st($c0,&QWPw(10,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c2($a[6],$a[5],$c0,$c1,$c2);
+        &sqr_add_c2($a[7],$a[4],$c0,$c1,$c2);
+        &st($c0,&QWPw(11,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c($a[6],$c0,$c1,$c2);
+        &sqr_add_c2($a[7],$a[5],$c0,$c1,$c2);
+        &st($c0,&QWPw(12,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c2($a[7],$a[6],$c0,$c1,$c2);
+        &st($c0,&QWPw(13,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c($a[7],$c0,$c1,$c2);
+        &st($c0,&QWPw(14,$rp));
+        &st($c1,&QWPw(15,$rp));
+
+        &function_end($name);
+
+        &fin_pool;
+        }
+
+1;
diff --git a/src/lib/libssl/src/crypto/bn/asm/alpha.works/sub.pl b/src/lib/libssl/src/crypto/bn/asm/alpha.works/sub.pl
new file mode 100644
index 0000000000..d998da5c21
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/alpha.works/sub.pl
@@ -0,0 +1,108 @@
+#!/usr/local/bin/perl
+# alpha assember
+
+sub bn_sub_words
+        {
+        local($name)=@_;
+        local($cc,$a,$b,$r);
+
+        &init_pool(4);
+        ($cc)=GR("r0");
+
+        $rp=&wparam(0);
+        $ap=&wparam(1);
+        $bp=&wparam(2);
+        $count=&wparam(3);
+
+        &function_begin($name,"");
+
+        &comment("");
+        &sub($count,4,$count);
+        &mov("zero",$cc);
+        &blt($count,&label("finish"));
+
+        ($a0,$b0)=&NR(2);
+        &ld($a0,&QWPw(0,$ap));
+        &ld($b0,&QWPw(0,$bp));
+
+##########################################################
+        &set_label("loop");
+
+        ($a1,$tmp,$b1,$a2,$b2,$a3,$b3,$o0)=&NR(8);
+        &ld($a1,&QWPw(1,$ap));
+         &cmpult($a0,$b0,$tmp); # will we borrow?
+        &ld($b1,&QWPw(1,$bp));
+         &sub($a0,$b0,$a0);             # do the subtract
+        &ld($a2,&QWPw(2,$ap));
+         &cmpult($a0,$cc,$b0);  # will we borrow?
+        &ld($b2,&QWPw(2,$bp));
+         &sub($a0,$cc,$o0);     # will we borrow?
+        &ld($a3,&QWPw(3,$ap));
+         &add($b0,$tmp,$cc); ($t1,$o1)=&NR(2); &FR($tmp);
+
+        &cmpult($a1,$b1,$t1);   # will we borrow?
+         &sub($a1,$b1,$a1);     # do the subtract
+        &ld($b3,&QWPw(3,$bp));
+         &cmpult($a1,$cc,$b1);  # will we borrow?
+        &sub($a1,$cc,$o1);      # will we borrow?
+         &add($b1,$t1,$cc); ($tmp,$o2)=&NR(2); &FR($t1,$a1,$b1);
+        
+        &cmpult($a2,$b2,$tmp);  # will we borrow?
+         &sub($a2,$b2,$a2);             # do the subtract
+        &st($o0,&QWPw(0,$rp));  &FR($o0); # save
+         &cmpult($a2,$cc,$b2);  # will we borrow?
+        &sub($a2,$cc,$o2);      # will we borrow?
+         &add($b2,$tmp,$cc); ($t3,$o3)=&NR(2); &FR($tmp,$a2,$b2);
+
+        &cmpult($a3,$b3,$t3);   # will we borrow?
+         &sub($a3,$b3,$a3);     # do the subtract
+        &st($o1,&QWPw(1,$rp)); &FR($o1);
+         &cmpult($a3,$cc,$b3);  # will we borrow?
+        &sub($a3,$cc,$o3);      # will we borrow?
+         &add($b3,$t3,$cc); &FR($t3,$a3,$b3);
+
+        &st($o2,&QWPw(2,$rp));  &FR($o2);
+         &sub($count,4,$count); # count-=4
+        &st($o3,&QWPw(3,$rp));  &FR($o3);
+         &add($ap,4*$QWS,$ap);  # count+=4
+        &add($bp,4*$QWS,$bp);   # count+=4
+         &add($rp,4*$QWS,$rp);  # count+=4
+
+        &blt($count,&label("finish"));
+        &ld($a0,&QWPw(0,$ap));
+         &ld($b0,&QWPw(0,$bp));
+        &br(&label("loop"));
+##################################################
+        # Do the last 0..3 words
+
+        &set_label("last_loop");
+
+        &ld($a0,&QWPw(0,$ap));  # get a
+         &ld($b0,&QWPw(0,$bp)); # get b
+        &cmpult($a0,$b0,$tmp);  # will we borrow?
+        &sub($a0,$b0,$a0);      # do the subtract
+        &cmpult($a0,$cc,$b0);   # will we borrow?
+        &sub($a0,$cc,$a0);      # will we borrow?
+        &st($a0,&QWPw(0,$rp));  # save
+        &add($b0,$tmp,$cc);     # add the borrows
+
+        &add($ap,$QWS,$ap);
+        &add($bp,$QWS,$bp);
+        &add($rp,$QWS,$rp);
+        &sub($count,1,$count);
+        &bgt($count,&label("last_loop"));
+        &function_end_A($name);
+
+######################################################
+        &set_label("finish");
+        &add($count,4,$count);
+        &bgt($count,&label("last_loop"));
+
+        &FR($a0,$b0);
+        &set_label("end");
+        &function_end($name);
+
+        &fin_pool;
+        }
+
+1;
diff --git a/src/lib/libssl/src/crypto/bn/asm/alpha/add.pl b/src/lib/libssl/src/crypto/bn/asm/alpha/add.pl
new file mode 100644
index 0000000000..13bf516428
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/alpha/add.pl
@@ -0,0 +1,118 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub bn_add_words
+        {
+        local($name)=@_;
+        local($cc,$a,$b,$r);
+
+        &init_pool(4);
+        ($cc)=GR("r0");
+
+        $rp=&wparam(0);
+        $ap=&wparam(1);
+        $bp=&wparam(2);
+        $count=&wparam(3);
+
+        &function_begin($name,"");
+
+        &comment("");
+        &sub($count,4,$count);
+         &mov("zero",$cc);
+        &blt($count,&label("finish"));
+
+        ($a0,$b0)=&NR(2);
+
+##########################################################
+        &set_label("loop");
+
+        &ld(($a0)=&NR(1),&QWPw(0,$ap));
+         &ld(($b0)=&NR(1),&QWPw(0,$bp));
+        &ld(($a1)=&NR(1),&QWPw(1,$ap));
+         &ld(($b1)=&NR(1),&QWPw(1,$bp));
+
+        ($o0,$t0)=&NR(2);
+        &add($a0,$b0,$o0); 
+         &ld(($a2)=&NR(1),&QWPw(2,$ap));
+        &cmpult($o0,$b0,$t0);
+         &add($o0,$cc,$o0);
+        &cmpult($o0,$cc,$cc);
+         &ld(($b2)=&NR(1),&QWPw(2,$bp));
+        &add($cc,$t0,$cc);      &FR($t0);
+
+        ($t1,$o1)=&NR(2);
+
+         &add($a1,$b1,$o1);     &FR($a1);
+        &cmpult($o1,$b1,$t1);   &FR($b1);
+         &add($o1,$cc,$o1);
+        &cmpult($o1,$cc,$cc);
+         &ld(($a3)=&NR(1),&QWPw(3,$ap));
+        &add($cc,$t1,$cc);      &FR($t1);
+
+        ($t2,$o2)=&NR(2);
+
+         &add($a2,$b2,$o2);     &FR($a2);
+        &cmpult($o2,$b2,$t2);   &FR($b2);
+         &add($o2,$cc,$o2);
+        &cmpult($o2,$cc,$cc);
+         &ld(($b3)=&NR(1),&QWPw(3,$bp));
+        &st($o0,&QWPw(0,$rp)); &FR($o0);
+         &add($cc,$t2,$cc);     &FR($t2);
+
+        ($t3,$o3)=&NR(2);
+
+        &st($o1,&QWPw(0,$rp)); &FR($o1);
+         &add($a3,$b3,$o3);     &FR($a3);
+        &cmpult($o3,$b3,$t3);   &FR($b3);
+         &add($o3,$cc,$o3);
+        &st($o2,&QWPw(0,$rp)); &FR($o2);
+         &cmpult($o3,$cc,$cc);
+        &st($o3,&QWPw(0,$rp)); &FR($o3);
+         &add($cc,$t3,$cc);     &FR($t3);
+
+
+        &sub($count,4,$count);  # count-=4
+         &add($ap,4*$QWS,$ap);  # count+=4
+        &add($bp,4*$QWS,$bp);   # count+=4
+         &add($rp,4*$QWS,$rp);  # count+=4
+
+        ###
+         &bge($count,&label("loop"));
+        ###
+        &br(&label("finish"));
+##################################################
+        # Do the last 0..3 words
+
+        ($t0,$o0)=&NR(2);
+        &set_label("last_loop");
+
+        &ld($a0,&QWPw(0,$ap));  # get a
+         &ld($b0,&QWPw(0,$bp)); # get b
+        &add($ap,$QWS,$ap);
+         &add($bp,$QWS,$bp);
+        &add($a0,$b0,$o0); 
+         &sub($count,1,$count);
+        &cmpult($o0,$b0,$t0);   # will we borrow?
+         &add($o0,$cc,$o0);     # will we borrow?
+        &cmpult($o0,$cc,$cc);   # will we borrow?
+         &add($rp,$QWS,$rp);
+        &st($o0,&QWPw(-1,$rp)); # save
+         &add($cc,$t0,$cc);     # add the borrows
+
+        ###
+         &bgt($count,&label("last_loop"));
+        &function_end_A($name);
+
+######################################################
+        &set_label("finish");
+        &add($count,4,$count);
+         &bgt($count,&label("last_loop"));
+
+        &FR($o0,$t0,$a0,$b0);
+        &set_label("end");
+        &function_end($name);
+
+        &fin_pool;
+        }
+
+1;
diff --git a/src/lib/libssl/src/crypto/bn/asm/alpha/div.pl b/src/lib/libssl/src/crypto/bn/asm/alpha/div.pl
new file mode 100644
index 0000000000..e9e680897a
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/alpha/div.pl
@@ -0,0 +1,144 @@
+#!/usr/local/bin/perl
+
+sub bn_div_words
+        {
+        local($data)=<<'EOF';
+ #
+ # What follows was taken directly from the C compiler with a few
+ # hacks to redo the lables.
+ #
+.text
+        .set noreorder
+        .set volatile
+        .align 3
+        .globl bn_div_words
+        .ent bn_div_words
+bn_div_words
+        ldgp $29,0($27)
+bn_div_words.ng:
+        lda $30,-48($30)
+        .frame $30,48,$26,0
+        stq $26,0($30)
+        stq $9,8($30)
+        stq $10,16($30)
+        stq $11,24($30)
+        stq $12,32($30)
+        stq $13,40($30)
+        .mask 0x4003e00,-48
+        .prologue 1
+        bis $16,$16,$9
+        bis $17,$17,$10
+        bis $18,$18,$11
+        bis $31,$31,$13
+        bis $31,2,$12
+        bne $11,$9119
+        lda $0,-1
+        br $31,$9136
+        .align 4
+$9119:
+        bis $11,$11,$16
+        jsr $26,BN_num_bits_word
+        ldgp $29,0($26)
+        subq $0,64,$1
+        beq $1,$9120
+        bis $31,1,$1
+        sll $1,$0,$1
+        cmpule $9,$1,$1
+        bne $1,$9120
+ #      lda $16,_IO_stderr_
+ #      lda $17,$C32
+ #      bis $0,$0,$18
+ #      jsr $26,fprintf
+ #      ldgp $29,0($26)
+        jsr $26,abort
+        ldgp $29,0($26)
+        .align 4
+$9120:
+        bis $31,64,$3
+        cmpult $9,$11,$2
+        subq $3,$0,$1
+        addl $1,$31,$0
+        subq $9,$11,$1
+        cmoveq $2,$1,$9
+        beq $0,$9122
+        zapnot $0,15,$2
+        subq $3,$0,$1
+        sll $11,$2,$11
+        sll $9,$2,$3
+        srl $10,$1,$1
+        sll $10,$2,$10
+        bis $3,$1,$9
+$9122:
+        srl $11,32,$5
+        zapnot $11,15,$6
+        lda $7,-1
+        .align 5
+$9123:
+        srl $9,32,$1
+        subq $1,$5,$1
+        bne $1,$9126
+        zapnot $7,15,$27
+        br $31,$9127
+        .align 4
+$9126:
+        bis $9,$9,$24
+        bis $5,$5,$25
+        divqu $24,$25,$27
+$9127:
+        srl $10,32,$4
+        .align 5
+$9128:
+        mulq $27,$5,$1
+        subq $9,$1,$3
+        zapnot $3,240,$1
+        bne $1,$9129
+        mulq $6,$27,$2
+        sll $3,32,$1
+        addq $1,$4,$1
+        cmpule $2,$1,$2
+        bne $2,$9129
+        subq $27,1,$27
+        br $31,$9128
+        .align 4
+$9129:
+        mulq $27,$6,$1
+        mulq $27,$5,$4
+        srl $1,32,$3
+        sll $1,32,$1
+        addq $4,$3,$4
+        cmpult $10,$1,$2
+        subq $10,$1,$10
+        addq $2,$4,$2
+        cmpult $9,$2,$1
+        bis $2,$2,$4
+        beq $1,$9134
+        addq $9,$11,$9
+        subq $27,1,$27
+$9134:
+        subl $12,1,$12
+        subq $9,$4,$9
+        beq $12,$9124
+        sll $27,32,$13
+        sll $9,32,$2
+        srl $10,32,$1
+        sll $10,32,$10
+        bis $2,$1,$9
+        br $31,$9123
+        .align 4
+$9124:
+        bis $13,$27,$0
+$9136:
+        ldq $26,0($30)
+        ldq $9,8($30)
+        ldq $10,16($30)
+        ldq $11,24($30)
+        ldq $12,32($30)
+        ldq $13,40($30)
+        addq $30,48,$30
+        ret $31,($26),1
+        .end bn_div_words
+EOF
+        &asm_add($data);
+        }
+
+1;
diff --git a/src/lib/libssl/src/crypto/bn/asm/alpha/mul.pl b/src/lib/libssl/src/crypto/bn/asm/alpha/mul.pl
new file mode 100644
index 0000000000..76c926566c
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/alpha/mul.pl
@@ -0,0 +1,104 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub bn_mul_words
+        {
+        local($name)=@_;
+        local($cc,$a,$b,$r,$couny);
+
+        &init_pool(4);
+        ($cc)=GR("r0");
+
+        $rp=&wparam(0);
+        $ap=&wparam(1);
+        $count=&wparam(2);
+        $word=&wparam(3);
+
+        &function_begin($name,"");
+
+        &comment("");
+        &sub($count,4,$count);
+         &mov("zero",$cc);
+        ###
+         &blt($count,&label("finish"));
+
+        ($a0)=&NR(1); &ld($a0,&QWPw(0,$ap));
+
+        &set_label("loop");
+
+        ($a1)=&NR(1); &ld($a1,&QWPw(1,$ap));
+         ($a2)=&NR(1); &ld($a2,&QWPw(2,$ap));
+
+        &muh($a0,$word,($h0)=&NR(1));   &FR($a0);
+         ($a3)=&NR(1); &ld($a3,&QWPw(3,$ap));
+                                                        ### wait 8
+        &mul($a0,$word,($l0)=&NR(1));   &FR($a0);
+                                                        ### wait 8
+        &muh($a1,$word,($h1)=&NR(1));   &FR($a1);
+         &add($l0,$cc,$l0);                             ### wait 8
+        &mul($a1,$word,($l1)=&NR(1));   &FR($a1);
+         &cmpult($l0,$cc,$cc);                          ### wait 8
+        &muh($a2,$word,($h2)=&NR(1));   &FR($a2);
+         &add($h0,$cc,$cc);     &FR($h0);               ### wait 8
+        &mul($a2,$word,($l2)=&NR(1));   &FR($a2);
+         &add($l1,$cc,$l1);                             ### wait 8
+        &st($l0,&QWPw(0,$rp));          &FR($l0);
+         &cmpult($l1,$cc,$cc);                          ### wait 8
+        &muh($a3,$word,($h3)=&NR(1));   &FR($a3);
+         &add($h1,$cc,$cc);             &FR($h1);
+        &mul($a3,$word,($l3)=&NR(1));   &FR($a3);
+         &add($l2,$cc,$l2);
+        &st($l1,&QWPw(1,$rp));          &FR($l1);
+         &cmpult($l2,$cc,$cc);
+        &add($h2,$cc,$cc);              &FR($h2);
+         &sub($count,4,$count); # count-=4
+        &st($l2,&QWPw(2,$rp));          &FR($l2);
+         &add($l3,$cc,$l3);
+        &cmpult($l3,$cc,$cc);
+         &add($bp,4*$QWS,$bp);  # count+=4
+        &add($h3,$cc,$cc);              &FR($h3);
+         &add($ap,4*$QWS,$ap);  # count+=4
+        &st($l3,&QWPw(3,$rp));          &FR($l3);
+         &add($rp,4*$QWS,$rp);  # count+=4
+        ###
+         &blt($count,&label("finish"));
+         ($a0)=&NR(1); &ld($a0,&QWPw(0,$ap));
+        &br(&label("finish"));
+##################################################
+
+##################################################
+        # Do the last 0..3 words
+
+        &set_label("last_loop");
+
+        &ld(($a0)=&NR(1),&QWPw(0,$ap)); # get a
+         ###
+        ###
+         ###
+        &muh($a0,$word,($h0)=&NR(1));
+         ### Wait 8 for next mul issue
+        &mul($a0,$word,($l0)=&NR(1)); &FR($a0)
+         &add($ap,$QWS,$ap);
+        ### Loose 12 until result is available
+        &add($rp,$QWS,$rp);
+         &sub($count,1,$count);
+        &add($l0,$cc,$l0);
+         ###
+        &st($l0,&QWPw(-1,$rp));         &FR($l0);
+         &cmpult($l0,$cc,$cc);
+        &add($h0,$cc,$cc);              &FR($h0);
+         &bgt($count,&label("last_loop"));
+        &function_end_A($name);
+
+######################################################
+        &set_label("finish");
+        &add($count,4,$count);
+        &bgt($count,&label("last_loop"));
+
+        &set_label("end");
+        &function_end($name);
+
+        &fin_pool;
+        }
+
+1;
diff --git a/src/lib/libssl/src/crypto/bn/asm/alpha/mul_add.pl b/src/lib/libssl/src/crypto/bn/asm/alpha/mul_add.pl
new file mode 100644
index 0000000000..0d6df69bc4
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/alpha/mul_add.pl
@@ -0,0 +1,123 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub bn_mul_add_words
+        {
+        local($name)=@_;
+        local($cc,$a,$b,$r,$couny);
+
+        &init_pool(4);
+        ($cc)=GR("r0");
+
+        $rp=&wparam(0);
+        $ap=&wparam(1);
+        $count=&wparam(2);
+        $word=&wparam(3);
+
+        &function_begin($name,"");
+
+        &comment("");
+        &sub($count,4,$count);
+         &mov("zero",$cc);
+        ###
+         &blt($count,&label("finish"));
+
+        &ld(($a0)=&NR(1),&QWPw(0,$ap));
+
+$a=<<'EOF';
+##########################################################
+        &set_label("loop");
+
+        &ld(($r0)=&NR(1),&QWPw(0,$rp));
+         &ld(($a1)=&NR(1),&QWPw(1,$ap));
+        &muh($a0,$word,($h0)=&NR(1));
+         &ld(($r1)=&NR(1),&QWPw(1,$rp));
+        &ld(($a2)=&NR(1),&QWPw(2,$ap));
+         ###
+        &mul($a0,$word,($l0)=&NR(1));   &FR($a0);
+         &ld(($r2)=&NR(1),&QWPw(2,$rp));
+        &muh($a1,$word,($h1)=&NR(1));
+         &ld(($a3)=&NR(1),&QWPw(3,$ap));
+        &mul($a1,$word,($l1)=&NR(1));   &FR($a1);
+         &ld(($r3)=&NR(1),&QWPw(3,$rp));
+        &add($r0,$l0,$r0);
+         &add($r1,$l1,$r1);
+        &cmpult($r0,$l0,($t0)=&NR(1));  &FR($l0);
+         &cmpult($r1,$l1,($t1)=&NR(1)); &FR($l1);
+        &muh($a2,$word,($h2)=&NR(1));
+         &add($r0,$cc,$r0);
+        &add($h0,$t0,$h0);              &FR($t0);
+         &cmpult($r0,$cc,$cc);
+        &add($h1,$t1,$h1);              &FR($t1);
+         &add($h0,$cc,$cc);             &FR($h0);
+        &mul($a2,$word,($l2)=&NR(1));   &FR($a2);
+         &add($r1,$cc,$r1);
+        &cmpult($r1,$cc,$cc);
+         &add($r2,$l2,$r2);
+        &add($h1,$cc,$cc);              &FR($h1);
+         &cmpult($r2,$l2,($t2)=&NR(1)); &FR($l2);
+        &muh($a3,$word,($h3)=&NR(1));
+         &add($r2,$cc,$r2);
+        &st($r0,&QWPw(0,$rp)); &FR($r0);
+         &add($h2,$t2,$h2);             &FR($t2);
+        &st($r1,&QWPw(1,$rp)); &FR($r1);
+         &cmpult($r2,$cc,$cc);
+        &mul($a3,$word,($l3)=&NR(1));   &FR($a3);
+         &add($h2,$cc,$cc);             &FR($h2);
+        &st($r2,&QWPw(2,$rp)); &FR($r2);
+         &sub($count,4,$count); # count-=4
+         &add($rp,4*$QWS,$rp);  # count+=4
+        &add($r3,$l3,$r3);
+         &add($ap,4*$QWS,$ap);  # count+=4
+        &cmpult($r3,$l3,($t3)=&NR(1));  &FR($l3);
+         &add($r3,$cc,$r3);
+        &add($h3,$t3,$h3);              &FR($t3);
+         &cmpult($r3,$cc,$cc);
+        &st($r3,&QWPw(-1,$rp)); &FR($r3);
+         &add($h3,$cc,$cc);             &FR($h3);
+
+        ###
+         &blt($count,&label("finish"));
+        &ld(($a0)=&NR(1),&QWPw(0,$ap));
+         &br(&label("loop"));
+EOF
+##################################################
+        # Do the last 0..3 words
+
+        &set_label("last_loop");
+
+        &ld(($a0)=&NR(1),&QWPw(0,$ap)); # get a
+         &ld(($r0)=&NR(1),&QWPw(0,$rp));        # get b
+        ###
+         ###
+        &muh($a0,$word,($h0)=&NR(1));   &FR($a0);
+         ### wait 8
+        &mul($a0,$word,($l0)=&NR(1));   &FR($a0);
+         &add($rp,$QWS,$rp);
+        &add($ap,$QWS,$ap);
+         &sub($count,1,$count);
+        ### wait 3 until l0 is available
+        &add($r0,$l0,$r0);
+         ###
+        &cmpult($r0,$l0,($t0)=&NR(1));  &FR($l0);
+         &add($r0,$cc,$r0);
+        &add($h0,$t0,$h0);              &FR($t0);
+         &cmpult($r0,$cc,$cc);
+        &add($h0,$cc,$cc);              &FR($h0);
+
+        &st($r0,&QWPw(-1,$rp));         &FR($r0);
+         &bgt($count,&label("last_loop"));
+        &function_end_A($name);
+
+######################################################
+        &set_label("finish");
+        &add($count,4,$count);
+         &bgt($count,&label("last_loop"));
+
+        &set_label("end");
+        &function_end($name);
+
+        &fin_pool;
+        }
+
+1;
diff --git a/src/lib/libssl/src/crypto/bn/asm/alpha/mul_c4.pl b/src/lib/libssl/src/crypto/bn/asm/alpha/mul_c4.pl
new file mode 100644
index 0000000000..9cc876ded4
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/alpha/mul_c4.pl
@@ -0,0 +1,215 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+# upto
+
+sub mul_add_c
+        {
+        local($a,$b,$c0,$c1,$c2)=@_;
+        local($l1,$h1,$t1,$t2);
+
+        &mul($a,$b,($l1)=&NR(1));
+        &muh($a,$b,($h1)=&NR(1));
+        &add($c0,$l1,$c0);
+        &cmpult($c0,$l1,($t1)=&NR(1));  &FR($l1);
+        &add($t1,$h1,$h1);              &FR($t1);
+        &add($c1,$h1,$c1);
+        &cmpult($c1,$h1,($t2)=&NR(1));  &FR($h1);
+        &add($c2,$t2,$c2);              &FR($t2);
+        }
+
+sub bn_mul_comba4
+        {
+        local($name)=@_;
+        local(@a,@b,$r,$c0,$c1,$c2);
+
+        $cnt=1;
+        &init_pool(3);
+
+        $rp=&wparam(0);
+        $ap=&wparam(1);
+        $bp=&wparam(2);
+
+        &function_begin($name,"");
+
+        &comment("");
+
+        &ld(($a[0])=&NR(1),&QWPw(0,$ap));
+        &ld(($b[0])=&NR(1),&QWPw(0,$bp));
+        &ld(($a[1])=&NR(1),&QWPw(1,$ap));
+        &ld(($b[1])=&NR(1),&QWPw(1,$bp));
+        &mul($a[0],$b[0],($r00)=&NR(1));
+        &ld(($a[2])=&NR(1),&QWPw(2,$ap));
+        &ld(($b[2])=&NR(1),&QWPw(2,$bp));
+        &muh($a[0],$b[0],($r01)=&NR(1));
+        &FR($ap); &ld(($a[3])=&NR(1),&QWPw(3,$ap));
+        &FR($bp); &ld(($b[3])=&NR(1),&QWPw(3,$bp));
+        &mul($a[0],$b[1],($r02)=&NR(1));
+
+        ($R,$H1,$H2)=&NR(3);
+
+        &st($r00,&QWPw(0,$rp)); &FR($r00);
+
+        &mov("zero",$R);
+        &mul($a[1],$b[0],($r03)=&NR(1));
+
+        &mov("zero",$H1);
+        &mov("zero",$H0);
+         &add($R,$r01,$R);
+        &muh($a[0],$b[1],($r04)=&NR(1));
+         &cmpult($R,$r01,($t01)=&NR(1));        &FR($r01);
+         &add($R,$r02,$R);
+         &add($H1,$t01,$H1)                     &FR($t01);
+        &muh($a[1],$b[0],($r05)=&NR(1));
+         &cmpult($R,$r02,($t02)=&NR(1));        &FR($r02);
+         &add($R,$r03,$R);
+         &add($H2,$t02,$H2)                     &FR($t02);
+        &mul($a[0],$b[2],($r06)=&NR(1));
+         &cmpult($R,$r03,($t03)=&NR(1));        &FR($r03);
+         &add($H1,$t03,$H1)                     &FR($t03);
+        &st($R,&QWPw(1,$rp));
+        &add($H1,$H2,$R);
+
+        &mov("zero",$H1);
+         &add($R,$r04,$R);
+        &mov("zero",$H2);
+        &mul($a[1],$b[1],($r07)=&NR(1));
+         &cmpult($R,$r04,($t04)=&NR(1));        &FR($r04);
+         &add($R,$r05,$R);
+         &add($H1,$t04,$H1)                     &FR($t04);
+        &mul($a[2],$b[0],($r08)=&NR(1));
+         &cmpult($R,$r05,($t05)=&NR(1));        &FR($r05);
+         &add($R,$r01,$R);
+         &add($H2,$t05,$H2)                     &FR($t05);
+        &muh($a[0],$b[2],($r09)=&NR(1));
+         &cmpult($R,$r06,($t06)=&NR(1));        &FR($r06);
+         &add($R,$r07,$R);
+         &add($H1,$t06,$H1)                     &FR($t06);
+        &muh($a[1],$b[1],($r10)=&NR(1));
+         &cmpult($R,$r07,($t07)=&NR(1));        &FR($r07);
+         &add($R,$r08,$R);
+         &add($H2,$t07,$H2)                     &FR($t07);
+        &muh($a[2],$b[0],($r11)=&NR(1));
+         &cmpult($R,$r08,($t08)=&NR(1));        &FR($r08);
+         &add($H1,$t08,$H1)                     &FR($t08);
+        &st($R,&QWPw(2,$rp));
+        &add($H1,$H2,$R);
+
+        &mov("zero",$H1);
+         &add($R,$r09,$R);
+        &mov("zero",$H2);
+        &mul($a[0],$b[3],($r12)=&NR(1));
+         &cmpult($R,$r09,($t09)=&NR(1));        &FR($r09);
+         &add($R,$r10,$R);
+         &add($H1,$t09,$H1)                     &FR($t09);
+        &mul($a[1],$b[2],($r13)=&NR(1));
+         &cmpult($R,$r10,($t10)=&NR(1));        &FR($r10);
+         &add($R,$r11,$R);
+         &add($H1,$t10,$H1)                     &FR($t10);
+        &mul($a[2],$b[1],($r14)=&NR(1));
+         &cmpult($R,$r11,($t11)=&NR(1));        &FR($r11);
+         &add($R,$r12,$R);
+         &add($H1,$t11,$H1)                     &FR($t11);
+        &mul($a[3],$b[0],($r15)=&NR(1));
+         &cmpult($R,$r12,($t12)=&NR(1));        &FR($r12);
+         &add($R,$r13,$R);
+         &add($H1,$t12,$H1)                     &FR($t12);
+        &muh($a[0],$b[3],($r16)=&NR(1));
+         &cmpult($R,$r13,($t13)=&NR(1));        &FR($r13);
+         &add($R,$r14,$R);
+         &add($H1,$t13,$H1)                     &FR($t13);
+        &muh($a[1],$b[2],($r17)=&NR(1));
+         &cmpult($R,$r14,($t14)=&NR(1));        &FR($r14);
+         &add($R,$r15,$R);
+         &add($H1,$t14,$H1)                     &FR($t14);
+        &muh($a[2],$b[1],($r18)=&NR(1));
+         &cmpult($R,$r15,($t15)=&NR(1));        &FR($r15);
+         &add($H1,$t15,$H1)                     &FR($t15);
+        &st($R,&QWPw(3,$rp));
+        &add($H1,$H2,$R);
+
+        &mov("zero",$H1);
+         &add($R,$r16,$R);
+        &mov("zero",$H2);
+        &muh($a[3],$b[0],($r19)=&NR(1));
+         &cmpult($R,$r16,($t16)=&NR(1));        &FR($r16);
+         &add($R,$r17,$R);
+         &add($H1,$t16,$H1)                     &FR($t16);
+        &mul($a[1],$b[3],($r20)=&NR(1));
+         &cmpult($R,$r17,($t17)=&NR(1));        &FR($r17);
+         &add($R,$r18,$R);
+         &add($H1,$t17,$H1)                     &FR($t17);
+        &mul($a[2],$b[2],($r21)=&NR(1));
+         &cmpult($R,$r18,($t18)=&NR(1));        &FR($r18);
+         &add($R,$r19,$R);
+         &add($H1,$t18,$H1)                     &FR($t18);
+        &mul($a[3],$b[1],($r22)=&NR(1));
+         &cmpult($R,$r19,($t19)=&NR(1));        &FR($r19);
+         &add($R,$r20,$R);
+         &add($H1,$t19,$H1)                     &FR($t19);
+        &muh($a[1],$b[3],($r23)=&NR(1));
+         &cmpult($R,$r20,($t20)=&NR(1));        &FR($r20);
+         &add($R,$r21,$R);
+         &add($H1,$t20,$H1)                     &FR($t20);
+        &muh($a[2],$b[2],($r24)=&NR(1));
+         &cmpult($R,$r21,($t21)=&NR(1));        &FR($r21);
+         &add($R,$r22,$R);
+         &add($H1,$t21,$H1)                     &FR($t21);
+        &muh($a[3],$b[1],($r25)=&NR(1));
+         &cmpult($R,$r22,($t22)=&NR(1));        &FR($r22);
+         &add($H1,$t22,$H1)                     &FR($t22);
+        &st($R,&QWPw(4,$rp));
+        &add($H1,$H2,$R);
+
+        &mov("zero",$H1);
+         &add($R,$r23,$R);
+        &mov("zero",$H2);
+        &mul($a[2],$b[3],($r26)=&NR(1));
+         &cmpult($R,$r23,($t23)=&NR(1));        &FR($r23);
+         &add($R,$r24,$R);
+         &add($H1,$t23,$H1)                     &FR($t23);
+        &mul($a[3],$b[2],($r27)=&NR(1));
+         &cmpult($R,$r24,($t24)=&NR(1));        &FR($r24);
+         &add($R,$r25,$R);
+         &add($H1,$t24,$H1)                     &FR($t24);
+        &muh($a[2],$b[3],($r28)=&NR(1));
+         &cmpult($R,$r25,($t25)=&NR(1));        &FR($r25);
+         &add($R,$r26,$R);
+         &add($H1,$t25,$H1)                     &FR($t25);
+        &muh($a[3],$b[2],($r29)=&NR(1));
+         &cmpult($R,$r26,($t26)=&NR(1));        &FR($r26);
+         &add($R,$r27,$R);
+         &add($H1,$t26,$H1)                     &FR($t26);
+        &mul($a[3],$b[3],($r30)=&NR(1));
+         &cmpult($R,$r27,($t27)=&NR(1));        &FR($r27);
+         &add($H1,$t27,$H1)                     &FR($t27);
+        &st($R,&QWPw(5,$rp));
+        &add($H1,$H2,$R);
+
+        &mov("zero",$H1);
+         &add($R,$r28,$R);
+        &mov("zero",$H2);
+        &muh($a[3],$b[3],($r31)=&NR(1));
+         &cmpult($R,$r28,($t28)=&NR(1));        &FR($r28);
+         &add($R,$r29,$R);
+         &add($H1,$t28,$H1)                     &FR($t28);
+        ############
+         &cmpult($R,$r29,($t29)=&NR(1));        &FR($r29);
+         &add($R,$r30,$R);
+         &add($H1,$t29,$H1)                     &FR($t29);
+        ############
+         &cmpult($R,$r30,($t30)=&NR(1));        &FR($r30);
+         &add($H1,$t30,$H1)                     &FR($t30);
+        &st($R,&QWPw(6,$rp));
+        &add($H1,$H2,$R);
+
+         &add($R,$r31,$R);                      &FR($r31);
+        &st($R,&QWPw(7,$rp));
+
+        &FR($R,$H1,$H2);
+        &function_end($name);
+
+        &fin_pool;
+        }
+
+1;
diff --git a/src/lib/libssl/src/crypto/bn/asm/alpha/mul_c4.works.pl b/src/lib/libssl/src/crypto/bn/asm/alpha/mul_c4.works.pl
new file mode 100644
index 0000000000..79d86dd25c
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/alpha/mul_c4.works.pl
@@ -0,0 +1,98 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub mul_add_c
+        {
+        local($a,$b,$c0,$c1,$c2)=@_;
+        local($l1,$h1,$t1,$t2);
+
+print STDERR "count=$cnt\n"; $cnt++;
+        &mul($a,$b,($l1)=&NR(1));
+        &muh($a,$b,($h1)=&NR(1));
+        &add($c0,$l1,$c0);
+        &cmpult($c0,$l1,($t1)=&NR(1));  &FR($l1);
+        &add($t1,$h1,$h1);              &FR($t1);
+        &add($c1,$h1,$c1);
+        &cmpult($c1,$h1,($t2)=&NR(1));  &FR($h1);
+        &add($c2,$t2,$c2);              &FR($t2);
+        }
+
+sub bn_mul_comba4
+        {
+        local($name)=@_;
+        local(@a,@b,$r,$c0,$c1,$c2);
+
+        $cnt=1;
+        &init_pool(3);
+
+        $rp=&wparam(0);
+        $ap=&wparam(1);
+        $bp=&wparam(2);
+
+        &function_begin($name,"");
+
+        &comment("");
+
+        &ld(($a[0])=&NR(1),&QWPw(0,$ap));
+        &ld(($b[0])=&NR(1),&QWPw(0,$bp));
+        &ld(($a[1])=&NR(1),&QWPw(1,$ap));
+        &ld(($b[1])=&NR(1),&QWPw(1,$bp));
+        &ld(($a[2])=&NR(1),&QWPw(2,$ap));
+        &ld(($b[2])=&NR(1),&QWPw(2,$bp));
+        &ld(($a[3])=&NR(1),&QWPw(3,$ap));       &FR($ap);
+        &ld(($b[3])=&NR(1),&QWPw(3,$bp));       &FR($bp);
+
+        ($c0,$c1,$c2)=&NR(3);
+        &mov("zero",$c2);
+        &mul($a[0],$b[0],$c0);
+        &muh($a[0],$b[0],$c1);
+        &st($c0,&QWPw(0,$rp));                  &FR($c0); ($c0)=&NR($c0);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[0],$b[1],$c0,$c1,$c2);
+        &mul_add_c($a[1],$b[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(1,$rp));                  &FR($c0); ($c0)=&NR($c0);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[1],$b[1],$c0,$c1,$c2);
+        &mul_add_c($a[0],$b[2],$c0,$c1,$c2);
+        &mul_add_c($a[2],$b[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(2,$rp));                  &FR($c0); ($c0)=&NR($c0);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[0],$b[3],$c0,$c1,$c2);    &FR($a[0]);
+        &mul_add_c($a[1],$b[2],$c0,$c1,$c2);
+        &mul_add_c($a[2],$b[1],$c0,$c1,$c2);
+        &mul_add_c($a[3],$b[0],$c0,$c1,$c2);    &FR($b[0]);
+        &st($c0,&QWPw(3,$rp));                  &FR($c0); ($c0)=&NR($c0);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[1],$b[3],$c0,$c1,$c2);    &FR($a[1]);
+        &mul_add_c($a[2],$b[2],$c0,$c1,$c2);
+        &mul_add_c($a[3],$b[1],$c0,$c1,$c2);    &FR($b[1]);
+        &st($c0,&QWPw(4,$rp));                  &FR($c0); ($c0)=&NR($c0);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[2],$b[3],$c0,$c1,$c2);    &FR($a[2]);
+        &mul_add_c($a[3],$b[2],$c0,$c1,$c2);    &FR($b[2]);
+        &st($c0,&QWPw(5,$rp));                  &FR($c0); ($c0)=&NR($c0);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[3],$b[3],$c0,$c1,$c2);    &FR($a[3],$b[3]);
+        &st($c0,&QWPw(6,$rp));
+        &st($c1,&QWPw(7,$rp));
+
+        &FR($c0,$c1,$c2);
+
+        &function_end($name);
+
+        &fin_pool;
+        }
+
+1;
diff --git a/src/lib/libssl/src/crypto/bn/asm/alpha/mul_c8.pl b/src/lib/libssl/src/crypto/bn/asm/alpha/mul_c8.pl
new file mode 100644
index 0000000000..525ca7494b
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/alpha/mul_c8.pl
@@ -0,0 +1,177 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub bn_mul_comba8
+        {
+        local($name)=@_;
+        local(@a,@b,$r,$c0,$c1,$c2);
+
+        $cnt=1;
+        &init_pool(3);
+
+        $rp=&wparam(0);
+        $ap=&wparam(1);
+        $bp=&wparam(2);
+
+        &function_begin($name,"");
+
+        &comment("");
+
+        &stack_push(2);
+        &ld(($a[0])=&NR(1),&QWPw(0,$ap));
+        &ld(($b[0])=&NR(1),&QWPw(0,$bp));
+        &st($reg_s0,&swtmp(0)); &FR($reg_s0);
+        &st($reg_s1,&swtmp(1)); &FR($reg_s1);
+        &ld(($a[1])=&NR(1),&QWPw(1,$ap));
+        &ld(($b[1])=&NR(1),&QWPw(1,$bp));
+        &ld(($a[2])=&NR(1),&QWPw(2,$ap));
+        &ld(($b[2])=&NR(1),&QWPw(2,$bp));
+        &ld(($a[3])=&NR(1),&QWPw(3,$ap));
+        &ld(($b[3])=&NR(1),&QWPw(3,$bp));
+        &ld(($a[4])=&NR(1),&QWPw(1,$ap));
+        &ld(($b[4])=&NR(1),&QWPw(1,$bp));
+        &ld(($a[5])=&NR(1),&QWPw(1,$ap));
+        &ld(($b[5])=&NR(1),&QWPw(1,$bp));
+        &ld(($a[6])=&NR(1),&QWPw(1,$ap));
+        &ld(($b[6])=&NR(1),&QWPw(1,$bp));
+        &ld(($a[7])=&NR(1),&QWPw(1,$ap));       &FR($ap);
+        &ld(($b[7])=&NR(1),&QWPw(1,$bp));       &FR($bp);
+
+        ($c0,$c1,$c2)=&NR(3);
+        &mov("zero",$c2);
+        &mul($a[0],$b[0],$c0);
+        &muh($a[0],$b[0],$c1);
+        &st($c0,&QWPw(0,$rp));                  &FR($c0); ($c0)=&NR(1);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[0],$b[1],$c0,$c1,$c2);
+        &mul_add_c($a[1],$b[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(1,$rp));                  &FR($c0); ($c0)=&NR(1);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[0],$b[2],$c0,$c1,$c2);
+        &mul_add_c($a[1],$b[1],$c0,$c1,$c2);
+        &mul_add_c($a[2],$b[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(2,$rp));                  &FR($c0); ($c0)=&NR(1);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[0],$b[3],$c0,$c1,$c2);
+        &mul_add_c($a[1],$b[2],$c0,$c1,$c2);
+        &mul_add_c($a[2],$b[1],$c0,$c1,$c2);
+        &mul_add_c($a[3],$b[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(3,$rp));                  &FR($c0); ($c0)=&NR(1);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[0],$b[4],$c0,$c1,$c2);
+        &mul_add_c($a[1],$b[3],$c0,$c1,$c2);
+        &mul_add_c($a[2],$b[2],$c0,$c1,$c2);
+        &mul_add_c($a[3],$b[1],$c0,$c1,$c2);
+        &mul_add_c($a[4],$b[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(4,$rp));                  &FR($c0); ($c0)=&NR(1);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[0],$b[5],$c0,$c1,$c2);
+        &mul_add_c($a[1],$b[4],$c0,$c1,$c2);
+        &mul_add_c($a[2],$b[3],$c0,$c1,$c2);
+        &mul_add_c($a[3],$b[2],$c0,$c1,$c2);
+        &mul_add_c($a[4],$b[1],$c0,$c1,$c2);
+        &mul_add_c($a[5],$b[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(5,$rp));                  &FR($c0); ($c0)=&NR(1);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[0],$b[6],$c0,$c1,$c2);
+        &mul_add_c($a[1],$b[5],$c0,$c1,$c2);
+        &mul_add_c($a[2],$b[4],$c0,$c1,$c2);
+        &mul_add_c($a[3],$b[3],$c0,$c1,$c2);
+        &mul_add_c($a[4],$b[2],$c0,$c1,$c2);
+        &mul_add_c($a[5],$b[1],$c0,$c1,$c2);
+        &mul_add_c($a[6],$b[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(6,$rp));                  &FR($c0); ($c0)=&NR(1);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[0],$b[7],$c0,$c1,$c2);    &FR($a[0]);
+        &mul_add_c($a[1],$b[6],$c0,$c1,$c2);
+        &mul_add_c($a[2],$b[5],$c0,$c1,$c2);
+        &mul_add_c($a[3],$b[4],$c0,$c1,$c2);
+        &mul_add_c($a[4],$b[3],$c0,$c1,$c2);
+        &mul_add_c($a[5],$b[2],$c0,$c1,$c2);
+        &mul_add_c($a[6],$b[1],$c0,$c1,$c2);
+        &mul_add_c($a[7],$b[0],$c0,$c1,$c2);    &FR($b[0]);
+        &st($c0,&QWPw(7,$rp));                  &FR($c0); ($c0)=&NR(1);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[1],$b[7],$c0,$c1,$c2);    &FR($a[1]);
+        &mul_add_c($a[2],$b[6],$c0,$c1,$c2);
+        &mul_add_c($a[3],$b[5],$c0,$c1,$c2);
+        &mul_add_c($a[4],$b[4],$c0,$c1,$c2);
+        &mul_add_c($a[5],$b[3],$c0,$c1,$c2);
+        &mul_add_c($a[6],$b[2],$c0,$c1,$c2);
+        &mul_add_c($a[7],$b[1],$c0,$c1,$c2);    &FR($b[1]);
+        &st($c0,&QWPw(8,$rp));                  &FR($c0); ($c0)=&NR(1);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[2],$b[7],$c0,$c1,$c2);    &FR($a[2]);
+        &mul_add_c($a[3],$b[6],$c0,$c1,$c2);
+        &mul_add_c($a[4],$b[5],$c0,$c1,$c2);
+        &mul_add_c($a[5],$b[4],$c0,$c1,$c2);
+        &mul_add_c($a[6],$b[3],$c0,$c1,$c2);
+        &mul_add_c($a[7],$b[2],$c0,$c1,$c2);    &FR($b[2]);
+        &st($c0,&QWPw(9,$rp));                  &FR($c0); ($c0)=&NR(1);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[3],$b[7],$c0,$c1,$c2);    &FR($a[3]);
+        &mul_add_c($a[4],$b[6],$c0,$c1,$c2);
+        &mul_add_c($a[5],$b[5],$c0,$c1,$c2);
+        &mul_add_c($a[6],$b[4],$c0,$c1,$c2);
+        &mul_add_c($a[7],$b[3],$c0,$c1,$c2);    &FR($b[3]);
+        &st($c0,&QWPw(10,$rp));                 &FR($c0); ($c0)=&NR(1);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[4],$b[7],$c0,$c1,$c2);    &FR($a[4]);
+        &mul_add_c($a[5],$b[6],$c0,$c1,$c2);
+        &mul_add_c($a[6],$b[5],$c0,$c1,$c2);
+        &mul_add_c($a[7],$b[4],$c0,$c1,$c2);    &FR($b[4]);
+        &st($c0,&QWPw(11,$rp));                 &FR($c0); ($c0)=&NR(1);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[5],$b[7],$c0,$c1,$c2);    &FR($a[5]);
+        &mul_add_c($a[6],$b[6],$c0,$c1,$c2);
+        &mul_add_c($a[7],$b[5],$c0,$c1,$c2);    &FR($b[5]);
+        &st($c0,&QWPw(12,$rp));                 &FR($c0); ($c0)=&NR(1);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[6],$b[7],$c0,$c1,$c2);    &FR($a[6]);
+        &mul_add_c($a[7],$b[6],$c0,$c1,$c2);    &FR($b[6]);
+        &st($c0,&QWPw(13,$rp));                 &FR($c0); ($c0)=&NR(1);
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &mul_add_c($a[7],$b[7],$c0,$c1,$c2);    &FR($a[7],$b[7]);
+        &st($c0,&QWPw(14,$rp));
+        &st($c1,&QWPw(15,$rp));
+
+        &FR($c0,$c1,$c2);
+
+        &ld($reg_s0,&swtmp(0));
+        &ld($reg_s1,&swtmp(1));
+        &stack_pop(2);
+
+        &function_end($name);
+
+        &fin_pool;
+        }
+
+1;
diff --git a/src/lib/libssl/src/crypto/bn/asm/alpha/sqr.pl b/src/lib/libssl/src/crypto/bn/asm/alpha/sqr.pl
new file mode 100644
index 0000000000..a55b696906
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/alpha/sqr.pl
@@ -0,0 +1,113 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub bn_sqr_words
+        {
+        local($name)=@_;
+        local($cc,$a,$b,$r,$couny);
+
+        &init_pool(3);
+        ($cc)=GR("r0");
+
+        $rp=&wparam(0);
+        $ap=&wparam(1);
+        $count=&wparam(2);
+
+        &function_begin($name,"");
+
+        &comment("");
+        &sub($count,4,$count);
+        &mov("zero",$cc);
+        &br(&label("finish"));
+        &blt($count,&label("finish"));
+
+        ($a0,$r0)=&NR(2);
+        &ld($a0,&QWPw(0,$ap));
+        &ld($r0,&QWPw(0,$rp));
+
+$a=<<'EOF';
+##########################################################
+        &set_label("loop");
+
+        ($a1)=&NR(1); &ld($a1,&QWPw(1,$ap));
+        ($b1)=&NR(1); &ld($b1,&QWPw(1,$bp));
+        ($a2)=&NR(1); &ld($a2,&QWPw(2,$ap));
+        ($b2)=&NR(1); &ld($b2,&QWPw(2,$bp));
+        ($a3)=&NR(1); &ld($a3,&QWPw(3,$ap));
+        ($b3)=&NR(1); &ld($b3,&QWPw(3,$bp));
+
+        ($o0,$t0)=&NR(2);
+        &add($a0,$b0,$o0); 
+        &cmpult($o0,$b0,$t0);
+        &add($o0,$cc,$o0);
+        &cmpult($o0,$cc,$cc);
+        &add($cc,$t0,$cc);      &FR($t0);
+
+        ($t1,$o1)=&NR(2);
+
+        &add($a1,$b1,$o1);      &FR($a1);
+        &cmpult($o1,$b1,$t1);   &FR($b1);
+        &add($o1,$cc,$o1);
+        &cmpult($o1,$cc,$cc);
+        &add($cc,$t1,$cc);      &FR($t1);
+
+        ($t2,$o2)=&NR(2);
+
+        &add($a2,$b2,$o2);      &FR($a2);
+        &cmpult($o2,$b2,$t2);   &FR($b2);
+        &add($o2,$cc,$o2);
+        &cmpult($o2,$cc,$cc);
+        &add($cc,$t2,$cc);      &FR($t2);
+
+        ($t3,$o3)=&NR(2);
+
+        &add($a3,$b3,$o3);      &FR($a3);
+        &cmpult($o3,$b3,$t3);   &FR($b3);
+        &add($o3,$cc,$o3);
+        &cmpult($o3,$cc,$cc);
+        &add($cc,$t3,$cc);      &FR($t3);
+
+        &st($o0,&QWPw(0,$rp)); &FR($o0);
+        &st($o1,&QWPw(0,$rp)); &FR($o1);
+        &st($o2,&QWPw(0,$rp)); &FR($o2);
+        &st($o3,&QWPw(0,$rp)); &FR($o3);
+
+        &sub($count,4,$count);  # count-=4
+        &add($ap,4*$QWS,$ap);   # count+=4
+        &add($bp,4*$QWS,$bp);   # count+=4
+        &add($rp,4*$QWS,$rp);   # count+=4
+
+        &blt($count,&label("finish"));
+        &ld($a0,&QWPw(0,$ap));
+         &ld($b0,&QWPw(0,$bp));
+        &br(&label("loop"));
+EOF
+##################################################
+        # Do the last 0..3 words
+
+        &set_label("last_loop");
+
+        &ld(($a0)=&NR(1),&QWPw(0,$ap)); # get a
+        &mul($a0,$a0,($l0)=&NR(1));
+         &add($ap,$QWS,$ap);
+         &add($rp,2*$QWS,$rp);
+         &sub($count,1,$count);
+        &muh($a0,$a0,($h0)=&NR(1));     &FR($a0);
+        &st($l0,&QWPw(-2,$rp));         &FR($l0);
+        &st($h0,&QWPw(-1,$rp));         &FR($h0);
+
+        &bgt($count,&label("last_loop"));
+        &function_end_A($name);
+
+######################################################
+        &set_label("finish");
+        &add($count,4,$count);
+        &bgt($count,&label("last_loop"));
+
+        &set_label("end");
+        &function_end($name);
+
+        &fin_pool;
+        }
+
+1;
diff --git a/src/lib/libssl/src/crypto/bn/asm/alpha/sqr_c4.pl b/src/lib/libssl/src/crypto/bn/asm/alpha/sqr_c4.pl
new file mode 100644
index 0000000000..bf33f5b503
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/alpha/sqr_c4.pl
@@ -0,0 +1,109 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub sqr_add_c
+        {
+        local($a,$c0,$c1,$c2)=@_;
+        local($l1,$h1,$t1,$t2);
+
+        &mul($a,$a,($l1)=&NR(1));
+        &muh($a,$a,($h1)=&NR(1));
+        &add($c0,$l1,$c0);
+        &add($c1,$h1,$c1);
+        &cmpult($c0,$l1,($t1)=&NR(1));  &FR($l1);
+        &cmpult($c1,$h1,($t2)=&NR(1));  &FR($h1);
+        &add($c1,$t1,$c1);              &FR($t1);
+        &add($c2,$t2,$c2);              &FR($t2);
+        }
+
+sub sqr_add_c2
+        {
+        local($a,$b,$c0,$c1,$c2)=@_;
+        local($l1,$h1,$t1,$t2);
+
+        &mul($a,$b,($l1)=&NR(1));
+        &muh($a,$b,($h1)=&NR(1));
+        &cmplt($l1,"zero",($lc1)=&NR(1));
+        &cmplt($h1,"zero",($hc1)=&NR(1));
+        &add($l1,$l1,$l1);
+        &add($h1,$h1,$h1);
+        &add($h1,$lc1,$h1);             &FR($lc1);
+        &add($c2,$hc1,$c2);             &FR($hc1);
+
+        &add($c0,$l1,$c0);
+        &add($c1,$h1,$c1);
+        &cmpult($c0,$l1,($lc1)=&NR(1)); &FR($l1);
+        &cmpult($c1,$h1,($hc1)=&NR(1)); &FR($h1);
+
+        &add($c1,$lc1,$c1);             &FR($lc1);
+        &add($c2,$hc1,$c2);             &FR($hc1);
+        }
+
+
+sub bn_sqr_comba4
+        {
+        local($name)=@_;
+        local(@a,@b,$r,$c0,$c1,$c2);
+
+        $cnt=1;
+        &init_pool(2);
+
+        $rp=&wparam(0);
+        $ap=&wparam(1);
+
+        &function_begin($name,"");
+
+        &comment("");
+
+        &ld(($a[0])=&NR(1),&QWPw(0,$ap));
+        &ld(($a[1])=&NR(1),&QWPw(1,$ap));
+        &ld(($a[2])=&NR(1),&QWPw(2,$ap));
+        &ld(($a[3])=&NR(1),&QWPw(3,$ap)); &FR($ap);
+
+        ($c0,$c1,$c2)=&NR(3);
+
+        &mov("zero",$c2);
+        &mul($a[0],$a[0],$c0);
+        &muh($a[0],$a[0],$c1);
+        &st($c0,&QWPw(0,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c2($a[0],$a[1],$c0,$c1,$c2);
+        &st($c0,&QWPw(1,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c($a[1],$c0,$c1,$c2);
+        &sqr_add_c2($a[2],$a[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(2,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c2($a[3],$a[0],$c0,$c1,$c2);
+        &sqr_add_c2($a[2],$a[1],$c0,$c1,$c2);
+        &st($c0,&QWPw(3,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c($a[2],$c0,$c1,$c2);
+        &sqr_add_c2($a[3],$a[1],$c0,$c1,$c2);
+        &st($c0,&QWPw(4,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c2($a[3],$a[2],$c0,$c1,$c2);
+        &st($c0,&QWPw(5,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c($a[3],$c0,$c1,$c2);
+        &st($c0,&QWPw(6,$rp));
+        &st($c1,&QWPw(7,$rp));
+
+        &function_end($name);
+
+        &fin_pool;
+        }
+
+1;
diff --git a/src/lib/libssl/src/crypto/bn/asm/alpha/sqr_c8.pl b/src/lib/libssl/src/crypto/bn/asm/alpha/sqr_c8.pl
new file mode 100644
index 0000000000..b4afe085f1
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/alpha/sqr_c8.pl
@@ -0,0 +1,132 @@
+#!/usr/local/bin/perl
+# alpha assember 
+
+sub bn_sqr_comba8
+        {
+        local($name)=@_;
+        local(@a,@b,$r,$c0,$c1,$c2);
+
+        $cnt=1;
+        &init_pool(2);
+
+        $rp=&wparam(0);
+        $ap=&wparam(1);
+
+        &function_begin($name,"");
+
+        &comment("");
+
+        &ld(($a[0])=&NR(1),&QWPw(0,$ap));
+        &ld(($a[1])=&NR(1),&QWPw(1,$ap));
+        &ld(($a[2])=&NR(1),&QWPw(2,$ap));
+        &ld(($a[3])=&NR(1),&QWPw(3,$ap));
+        &ld(($a[4])=&NR(1),&QWPw(4,$ap));
+        &ld(($a[5])=&NR(1),&QWPw(5,$ap));
+        &ld(($a[6])=&NR(1),&QWPw(6,$ap));
+        &ld(($a[7])=&NR(1),&QWPw(7,$ap)); &FR($ap);
+
+        ($c0,$c1,$c2)=&NR(3);
+
+        &mov("zero",$c2);
+        &mul($a[0],$a[0],$c0);
+        &muh($a[0],$a[0],$c1);
+        &st($c0,&QWPw(0,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c2($a[1],$a[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(1,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c($a[1],$c0,$c1,$c2);
+        &sqr_add_c2($a[2],$a[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(2,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c2($a[2],$a[1],$c0,$c1,$c2);
+        &sqr_add_c2($a[3],$a[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(3,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c($a[2],$c0,$c1,$c2);
+        &sqr_add_c2($a[3],$a[1],$c0,$c1,$c2);
+        &sqr_add_c2($a[4],$a[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(4,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c2($a[3],$a[2],$c0,$c1,$c2);
+        &sqr_add_c2($a[4],$a[1],$c0,$c1,$c2);
+        &sqr_add_c2($a[5],$a[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(5,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c($a[3],$c0,$c1,$c2);
+        &sqr_add_c2($a[4],$a[2],$c0,$c1,$c2);
+        &sqr_add_c2($a[5],$a[1],$c0,$c1,$c2);
+        &sqr_add_c2($a[6],$a[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(6,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c2($a[4],$a[3],$c0,$c1,$c2);
+        &sqr_add_c2($a[5],$a[2],$c0,$c1,$c2);
+        &sqr_add_c2($a[6],$a[1],$c0,$c1,$c2);
+        &sqr_add_c2($a[7],$a[0],$c0,$c1,$c2);
+        &st($c0,&QWPw(7,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c($a[4],$c0,$c1,$c2);
+        &sqr_add_c2($a[5],$a[3],$c0,$c1,$c2);
+        &sqr_add_c2($a[6],$a[2],$c0,$c1,$c2);
+        &sqr_add_c2($a[7],$a[1],$c0,$c1,$c2);
+        &st($c0,&QWPw(8,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c2($a[5],$a[4],$c0,$c1,$c2);
+        &sqr_add_c2($a[6],$a[3],$c0,$c1,$c2);
+        &sqr_add_c2($a[7],$a[2],$c0,$c1,$c2);
+        &st($c0,&QWPw(9,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c($a[5],$c0,$c1,$c2);
+        &sqr_add_c2($a[6],$a[4],$c0,$c1,$c2);
+        &sqr_add_c2($a[7],$a[3],$c0,$c1,$c2);
+        &st($c0,&QWPw(10,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c2($a[6],$a[5],$c0,$c1,$c2);
+        &sqr_add_c2($a[7],$a[4],$c0,$c1,$c2);
+        &st($c0,&QWPw(11,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c($a[6],$c0,$c1,$c2);
+        &sqr_add_c2($a[7],$a[5],$c0,$c1,$c2);
+        &st($c0,&QWPw(12,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c2($a[7],$a[6],$c0,$c1,$c2);
+        &st($c0,&QWPw(13,$rp));
+        ($c0,$c1,$c2)=($c1,$c2,$c0);
+        &mov("zero",$c2);
+
+        &sqr_add_c($a[7],$c0,$c1,$c2);
+        &st($c0,&QWPw(14,$rp));
+        &st($c1,&QWPw(15,$rp));
+
+        &function_end($name);
+
+        &fin_pool;
+        }
+
+1;
diff --git a/src/lib/libssl/src/crypto/bn/asm/alpha/sub.pl b/src/lib/libssl/src/crypto/bn/asm/alpha/sub.pl
new file mode 100644
index 0000000000..d998da5c21
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/alpha/sub.pl
@@ -0,0 +1,108 @@
+#!/usr/local/bin/perl
+# alpha assember
+
+sub bn_sub_words
+        {
+        local($name)=@_;
+        local($cc,$a,$b,$r);
+
+        &init_pool(4);
+        ($cc)=GR("r0");
+
+        $rp=&wparam(0);
+        $ap=&wparam(1);
+        $bp=&wparam(2);
+        $count=&wparam(3);
+
+        &function_begin($name,"");
+
+        &comment("");
+        &sub($count,4,$count);
+        &mov("zero",$cc);
+        &blt($count,&label("finish"));
+
+        ($a0,$b0)=&NR(2);
+        &ld($a0,&QWPw(0,$ap));
+        &ld($b0,&QWPw(0,$bp));
+
+##########################################################
+        &set_label("loop");
+
+        ($a1,$tmp,$b1,$a2,$b2,$a3,$b3,$o0)=&NR(8);
+        &ld($a1,&QWPw(1,$ap));
+         &cmpult($a0,$b0,$tmp); # will we borrow?
+        &ld($b1,&QWPw(1,$bp));
+         &sub($a0,$b0,$a0);             # do the subtract
+        &ld($a2,&QWPw(2,$ap));
+         &cmpult($a0,$cc,$b0);  # will we borrow?
+        &ld($b2,&QWPw(2,$bp));
+         &sub($a0,$cc,$o0);     # will we borrow?
+        &ld($a3,&QWPw(3,$ap));
+         &add($b0,$tmp,$cc); ($t1,$o1)=&NR(2); &FR($tmp);
+
+        &cmpult($a1,$b1,$t1);   # will we borrow?
+         &sub($a1,$b1,$a1);     # do the subtract
+        &ld($b3,&QWPw(3,$bp));
+         &cmpult($a1,$cc,$b1);  # will we borrow?
+        &sub($a1,$cc,$o1);      # will we borrow?
+         &add($b1,$t1,$cc); ($tmp,$o2)=&NR(2); &FR($t1,$a1,$b1);
+        
+        &cmpult($a2,$b2,$tmp);  # will we borrow?
+         &sub($a2,$b2,$a2);             # do the subtract
+        &st($o0,&QWPw(0,$rp));  &FR($o0); # save
+         &cmpult($a2,$cc,$b2);  # will we borrow?
+        &sub($a2,$cc,$o2);      # will we borrow?
+         &add($b2,$tmp,$cc); ($t3,$o3)=&NR(2); &FR($tmp,$a2,$b2);
+
+        &cmpult($a3,$b3,$t3);   # will we borrow?
+         &sub($a3,$b3,$a3);     # do the subtract
+        &st($o1,&QWPw(1,$rp)); &FR($o1);
+         &cmpult($a3,$cc,$b3);  # will we borrow?
+        &sub($a3,$cc,$o3);      # will we borrow?
+         &add($b3,$t3,$cc); &FR($t3,$a3,$b3);
+
+        &st($o2,&QWPw(2,$rp));  &FR($o2);
+         &sub($count,4,$count); # count-=4
+        &st($o3,&QWPw(3,$rp));  &FR($o3);
+         &add($ap,4*$QWS,$ap);  # count+=4
+        &add($bp,4*$QWS,$bp);   # count+=4
+         &add($rp,4*$QWS,$rp);  # count+=4
+
+        &blt($count,&label("finish"));
+        &ld($a0,&QWPw(0,$ap));
+         &ld($b0,&QWPw(0,$bp));
+        &br(&label("loop"));
+##################################################
+        # Do the last 0..3 words
+
+        &set_label("last_loop");
+
+        &ld($a0,&QWPw(0,$ap));  # get a
+         &ld($b0,&QWPw(0,$bp)); # get b
+        &cmpult($a0,$b0,$tmp);  # will we borrow?
+        &sub($a0,$b0,$a0);      # do the subtract
+        &cmpult($a0,$cc,$b0);   # will we borrow?
+        &sub($a0,$cc,$a0);      # will we borrow?
+        &st($a0,&QWPw(0,$rp));  # save
+        &add($b0,$tmp,$cc);     # add the borrows
+
+        &add($ap,$QWS,$ap);
+        &add($bp,$QWS,$bp);
+        &add($rp,$QWS,$rp);
+        &sub($count,1,$count);
+        &bgt($count,&label("last_loop"));
+        &function_end_A($name);
+
+######################################################
+        &set_label("finish");
+        &add($count,4,$count);
+        &bgt($count,&label("last_loop"));
+
+        &FR($a0,$b0);
+        &set_label("end");
+        &function_end($name);
+
+        &fin_pool;
+        }
+
+1;
diff --git a/src/lib/libssl/src/crypto/bn/asm/bn-alpha.pl b/src/lib/libssl/src/crypto/bn/asm/bn-alpha.pl
new file mode 100644
index 0000000000..302edf2376
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/bn-alpha.pl
@@ -0,0 +1,571 @@
+#!/usr/local/bin/perl
+# I have this in perl so I can use more usefull register names and then convert
+# them into alpha registers.
+#
+
+$d=&data();
+$d =~ s/CC/0/g;
+$d =~ s/R1/1/g;
+$d =~ s/R2/2/g;
+$d =~ s/R3/3/g;
+$d =~ s/R4/4/g;
+$d =~ s/L1/5/g;
+$d =~ s/L2/6/g;
+$d =~ s/L3/7/g;
+$d =~ s/L4/8/g;
+$d =~ s/O1/22/g;
+$d =~ s/O2/23/g;
+$d =~ s/O3/24/g;
+$d =~ s/O4/25/g;
+$d =~ s/A1/20/g;
+$d =~ s/A2/21/g;
+$d =~ s/A3/27/g;
+$d =~ s/A4/28/g;
+if (0){
+}
+
+print $d;
+
+sub data
+        {
+        local($data)=<<'EOF';
+
+ # DEC Alpha assember
+ # The bn_div_words is actually gcc output but the other parts are hand done.
+ # Thanks to tzeruch@ceddec.com for sending me the gcc output for
+ # bn_div_words.
+ # I've gone back and re-done most of routines.
+ # The key thing to remeber for the 164 CPU is that while a
+ # multiply operation takes 8 cycles, another one can only be issued
+ # after 4 cycles have elapsed.  I've done modification to help
+ # improve this.  Also, normally, a ld instruction will not be available
+ # for about 3 cycles.
+        .file   1 "bn_asm.c"
+        .set noat
+gcc2_compiled.:
+__gnu_compiled_c:
+        .text
+        .align 3
+        .globl bn_mul_add_words
+        .ent bn_mul_add_words
+bn_mul_add_words:
+bn_mul_add_words..ng:
+        .frame $30,0,$26,0
+        .prologue 0
+        .align 5
+        subq    $18,4,$18
+        bis     $31,$31,$CC
+        blt     $18,$43         # if we are -1, -2, -3 or -4 goto tail code
+        ldq     $A1,0($17)      # 1 1
+        ldq     $R1,0($16)      # 1 1
+        .align 3
+$42:
+        mulq    $A1,$19,$L1     # 1 2 1 ######
+        ldq     $A2,8($17)      # 2 1
+        ldq     $R2,8($16)      # 2 1
+        umulh   $A1,$19,$A1     # 1 2   ######
+        ldq     $A3,16($17)     # 3 1
+        ldq     $R3,16($16)     # 3 1
+        mulq    $A2,$19,$L2     # 2 2 1 ######
+         ldq    $A4,24($17)     # 4 1
+        addq    $R1,$L1,$R1     # 1 2 2
+         ldq    $R4,24($16)     # 4 1
+        umulh   $A2,$19,$A2     # 2 2   ######
+         cmpult $R1,$L1,$O1     # 1 2 3 1
+        addq    $A1,$O1,$A1     # 1 3 1
+         addq   $R1,$CC,$R1     # 1 2 3 1
+        mulq    $A3,$19,$L3     # 3 2 1 ######
+         cmpult $R1,$CC,$CC     # 1 2 3 2
+        addq    $R2,$L2,$R2     # 2 2 2
+         addq   $A1,$CC,$CC     # 1 3 2 
+        cmpult  $R2,$L2,$O2     # 2 2 3 1
+         addq   $A2,$O2,$A2     # 2 3 1
+        umulh   $A3,$19,$A3     # 3 2   ######
+         addq   $R2,$CC,$R2     # 2 2 3 1
+        cmpult  $R2,$CC,$CC     # 2 2 3 2
+         subq   $18,4,$18
+        mulq    $A4,$19,$L4     # 4 2 1 ######
+         addq   $A2,$CC,$CC     # 2 3 2 
+        addq    $R3,$L3,$R3     # 3 2 2
+         addq   $16,32,$16
+        cmpult  $R3,$L3,$O3     # 3 2 3 1
+         stq    $R1,-32($16)    # 1 2 4
+        umulh   $A4,$19,$A4     # 4 2   ######
+         addq   $A3,$O3,$A3     # 3 3 1
+        addq    $R3,$CC,$R3     # 3 2 3 1
+         stq    $R2,-24($16)    # 2 2 4
+        cmpult  $R3,$CC,$CC     # 3 2 3 2
+         stq    $R3,-16($16)    # 3 2 4
+        addq    $R4,$L4,$R4     # 4 2 2
+         addq   $A3,$CC,$CC     # 3 3 2 
+        cmpult  $R4,$L4,$O4     # 4 2 3 1
+         addq   $17,32,$17
+        addq    $A4,$O4,$A4     # 4 3 1
+         addq   $R4,$CC,$R4     # 4 2 3 1
+        cmpult  $R4,$CC,$CC     # 4 2 3 2
+         stq    $R4,-8($16)     # 4 2 4
+        addq    $A4,$CC,$CC     # 4 3 2 
+         blt    $18,$43
+
+        ldq     $A1,0($17)      # 1 1
+        ldq     $R1,0($16)      # 1 1
+
+        br      $42
+
+        .align 4
+$45:
+        ldq     $A1,0($17)      # 4 1
+        ldq     $R1,0($16)      # 4 1
+        mulq    $A1,$19,$L1     # 4 2 1
+        subq    $18,1,$18
+        addq    $16,8,$16
+        addq    $17,8,$17
+        umulh   $A1,$19,$A1     # 4 2
+        addq    $R1,$L1,$R1     # 4 2 2
+        cmpult  $R1,$L1,$O1     # 4 2 3 1
+        addq    $A1,$O1,$A1     # 4 3 1
+        addq    $R1,$CC,$R1     # 4 2 3 1
+        cmpult  $R1,$CC,$CC     # 4 2 3 2
+        addq    $A1,$CC,$CC     # 4 3 2 
+        stq     $R1,-8($16)     # 4 2 4
+        bgt     $18,$45
+        ret     $31,($26),1     # else exit
+
+        .align 4
+$43:
+        addq    $18,4,$18
+        bgt     $18,$45         # goto tail code
+        ret     $31,($26),1     # else exit
+
+        .end bn_mul_add_words
+        .align 3
+        .globl bn_mul_words
+        .ent bn_mul_words
+bn_mul_words:
+bn_mul_words..ng:
+        .frame $30,0,$26,0
+        .prologue 0
+        .align 5
+        subq    $18,4,$18
+        bis     $31,$31,$CC
+        blt     $18,$143        # if we are -1, -2, -3 or -4 goto tail code
+        ldq     $A1,0($17)      # 1 1
+        .align 3
+$142:
+
+        mulq    $A1,$19,$L1     # 1 2 1 #####
+         ldq    $A2,8($17)      # 2 1
+         ldq    $A3,16($17)     # 3 1
+        umulh   $A1,$19,$A1     # 1 2   #####
+         ldq    $A4,24($17)     # 4 1
+        mulq    $A2,$19,$L2     # 2 2 1 #####
+         addq   $L1,$CC,$L1     # 1 2 3 1
+        subq    $18,4,$18
+         cmpult $L1,$CC,$CC     # 1 2 3 2
+        umulh   $A2,$19,$A2     # 2 2   #####
+         addq   $A1,$CC,$CC     # 1 3 2 
+        addq    $17,32,$17
+         addq   $L2,$CC,$L2     # 2 2 3 1
+        mulq    $A3,$19,$L3     # 3 2 1 #####
+         cmpult $L2,$CC,$CC     # 2 2 3 2
+        addq    $A2,$CC,$CC     # 2 3 2 
+         addq   $16,32,$16
+        umulh   $A3,$19,$A3     # 3 2   #####
+         stq    $L1,-32($16)    # 1 2 4
+        mulq    $A4,$19,$L4     # 4 2 1 #####
+         addq   $L3,$CC,$L3     # 3 2 3 1
+        stq     $L2,-24($16)    # 2 2 4
+         cmpult $L3,$CC,$CC     # 3 2 3 2
+        umulh   $A4,$19,$A4     # 4 2   #####
+         addq   $A3,$CC,$CC     # 3 3 2 
+        stq     $L3,-16($16)    # 3 2 4
+         addq   $L4,$CC,$L4     # 4 2 3 1
+        cmpult  $L4,$CC,$CC     # 4 2 3 2
+
+        addq    $A4,$CC,$CC     # 4 3 2 
+
+        stq     $L4,-8($16)     # 4 2 4
+
+        blt     $18,$143
+
+        ldq     $A1,0($17)      # 1 1
+
+        br      $142
+
+        .align 4
+$145:
+        ldq     $A1,0($17)      # 4 1
+        mulq    $A1,$19,$L1     # 4 2 1
+        subq    $18,1,$18
+        umulh   $A1,$19,$A1     # 4 2
+        addq    $L1,$CC,$L1     # 4 2 3 1
+         addq   $16,8,$16
+        cmpult  $L1,$CC,$CC     # 4 2 3 2
+         addq   $17,8,$17
+        addq    $A1,$CC,$CC     # 4 3 2 
+        stq     $L1,-8($16)     # 4 2 4
+
+        bgt     $18,$145
+        ret     $31,($26),1     # else exit
+
+        .align 4
+$143:
+        addq    $18,4,$18
+        bgt     $18,$145        # goto tail code
+        ret     $31,($26),1     # else exit
+
+        .end bn_mul_words
+        .align 3
+        .globl bn_sqr_words
+        .ent bn_sqr_words
+bn_sqr_words:
+bn_sqr_words..ng:
+        .frame $30,0,$26,0
+        .prologue 0
+
+        subq    $18,4,$18
+        blt     $18,$543        # if we are -1, -2, -3 or -4 goto tail code
+        ldq     $A1,0($17)      # 1 1
+        .align 3
+$542:
+        mulq    $A1,$A1,$L1             ######
+         ldq    $A2,8($17)      # 1 1
+        subq    $18,4
+        umulh   $A1,$A1,$R1             ######
+        ldq     $A3,16($17)     # 1 1
+        mulq    $A2,$A2,$L2             ######
+        ldq     $A4,24($17)     # 1 1
+        stq     $L1,0($16)      # r[0]
+        umulh   $A2,$A2,$R2             ######
+        stq     $R1,8($16)      # r[1]
+        mulq    $A3,$A3,$L3             ######
+        stq     $L2,16($16)     # r[0]
+        umulh   $A3,$A3,$R3             ######
+        stq     $R2,24($16)     # r[1]
+        mulq    $A4,$A4,$L4             ######
+        stq     $L3,32($16)     # r[0]
+        umulh   $A4,$A4,$R4             ######
+        stq     $R3,40($16)     # r[1]
+
+        addq    $16,64,$16
+        addq    $17,32,$17
+        stq     $L4,-16($16)    # r[0]
+        stq     $R4,-8($16)     # r[1]
+
+        blt     $18,$543
+        ldq     $A1,0($17)      # 1 1
+        br      $542
+
+$442:
+        ldq     $A1,0($17)   # a[0]
+        mulq    $A1,$A1,$L1  # a[0]*w low part       r2
+        addq    $16,16,$16
+        addq    $17,8,$17
+        subq    $18,1,$18
+        umulh   $A1,$A1,$R1  # a[0]*w high part       r3
+        stq     $L1,-16($16)   # r[0]
+        stq     $R1,-8($16)   # r[1]
+
+        bgt     $18,$442
+        ret     $31,($26),1     # else exit
+
+        .align 4
+$543:
+        addq    $18,4,$18
+        bgt     $18,$442        # goto tail code
+        ret     $31,($26),1     # else exit
+        .end bn_sqr_words
+
+        .align 3
+        .globl bn_add_words
+        .ent bn_add_words
+bn_add_words:
+bn_add_words..ng:
+        .frame $30,0,$26,0
+        .prologue 0
+
+        subq    $19,4,$19
+        bis     $31,$31,$CC     # carry = 0
+        blt     $19,$900
+        ldq     $L1,0($17)      # a[0]
+        ldq     $R1,0($18)      # b[1]
+        .align 3
+$901:
+        addq    $R1,$L1,$R1     # r=a+b;
+         ldq    $L2,8($17)      # a[1]
+        cmpult  $R1,$L1,$O1     # did we overflow?
+         ldq    $R2,8($18)      # b[1]
+        addq    $R1,$CC,$R1     # c+= overflow
+         ldq    $L3,16($17)     # a[2]
+        cmpult  $R1,$CC,$CC     # overflow?
+         ldq    $R3,16($18)     # b[2]
+        addq    $CC,$O1,$CC
+         ldq    $L4,24($17)     # a[3]
+        addq    $R2,$L2,$R2     # r=a+b;
+         ldq    $R4,24($18)     # b[3]
+        cmpult  $R2,$L2,$O2     # did we overflow?
+         addq   $R3,$L3,$R3     # r=a+b;
+        addq    $R2,$CC,$R2     # c+= overflow
+         cmpult $R3,$L3,$O3     # did we overflow?
+        cmpult  $R2,$CC,$CC     # overflow?
+         addq   $R4,$L4,$R4     # r=a+b;
+        addq    $CC,$O2,$CC
+         cmpult $R4,$L4,$O4     # did we overflow?
+        addq    $R3,$CC,$R3     # c+= overflow
+         stq    $R1,0($16)      # r[0]=c
+        cmpult  $R3,$CC,$CC     # overflow?
+         stq    $R2,8($16)      # r[1]=c
+        addq    $CC,$O3,$CC
+         stq    $R3,16($16)     # r[2]=c
+        addq    $R4,$CC,$R4     # c+= overflow
+         subq   $19,4,$19       # loop--
+        cmpult  $R4,$CC,$CC     # overflow?
+         addq   $17,32,$17      # a++
+        addq    $CC,$O4,$CC
+         stq    $R4,24($16)     # r[3]=c
+        addq    $18,32,$18      # b++
+         addq   $16,32,$16      # r++
+
+        blt     $19,$900
+         ldq    $L1,0($17)      # a[0]
+        ldq     $R1,0($18)      # b[1]
+         br     $901
+        .align 4
+$945:
+        ldq     $L1,0($17)      # a[0]
+         ldq    $R1,0($18)      # b[1]
+        addq    $R1,$L1,$R1     # r=a+b;
+         subq   $19,1,$19       # loop--
+        addq    $R1,$CC,$R1     # c+= overflow
+         addq   $17,8,$17       # a++
+        cmpult  $R1,$L1,$O1     # did we overflow?
+         cmpult $R1,$CC,$CC     # overflow?
+        addq    $18,8,$18       # b++
+         stq    $R1,0($16)      # r[0]=c
+        addq    $CC,$O1,$CC
+         addq   $16,8,$16       # r++
+
+        bgt     $19,$945
+        ret     $31,($26),1     # else exit
+
+$900:
+        addq    $19,4,$19
+        bgt     $19,$945        # goto tail code
+        ret     $31,($26),1     # else exit
+        .end bn_add_words
+
+        .align 3
+        .globl bn_sub_words
+        .ent bn_sub_words
+bn_sub_words:
+bn_sub_words..ng:
+        .frame $30,0,$26,0
+        .prologue 0
+
+        subq    $19,4,$19
+        bis     $31,$31,$CC     # carry = 0
+ br     $800
+        blt     $19,$800
+        ldq     $L1,0($17)      # a[0]
+        ldq     $R1,0($18)      # b[1]
+        .align 3
+$801:
+        addq    $R1,$L1,$R1     # r=a+b;
+         ldq    $L2,8($17)      # a[1]
+        cmpult  $R1,$L1,$O1     # did we overflow?
+         ldq    $R2,8($18)      # b[1]
+        addq    $R1,$CC,$R1     # c+= overflow
+         ldq    $L3,16($17)     # a[2]
+        cmpult  $R1,$CC,$CC     # overflow?
+         ldq    $R3,16($18)     # b[2]
+        addq    $CC,$O1,$CC
+         ldq    $L4,24($17)     # a[3]
+        addq    $R2,$L2,$R2     # r=a+b;
+         ldq    $R4,24($18)     # b[3]
+        cmpult  $R2,$L2,$O2     # did we overflow?
+         addq   $R3,$L3,$R3     # r=a+b;
+        addq    $R2,$CC,$R2     # c+= overflow
+         cmpult $R3,$L3,$O3     # did we overflow?
+        cmpult  $R2,$CC,$CC     # overflow?
+         addq   $R4,$L4,$R4     # r=a+b;
+        addq    $CC,$O2,$CC
+         cmpult $R4,$L4,$O4     # did we overflow?
+        addq    $R3,$CC,$R3     # c+= overflow
+         stq    $R1,0($16)      # r[0]=c
+        cmpult  $R3,$CC,$CC     # overflow?
+         stq    $R2,8($16)      # r[1]=c
+        addq    $CC,$O3,$CC
+         stq    $R3,16($16)     # r[2]=c
+        addq    $R4,$CC,$R4     # c+= overflow
+         subq   $19,4,$19       # loop--
+        cmpult  $R4,$CC,$CC     # overflow?
+         addq   $17,32,$17      # a++
+        addq    $CC,$O4,$CC
+         stq    $R4,24($16)     # r[3]=c
+        addq    $18,32,$18      # b++
+         addq   $16,32,$16      # r++
+
+        blt     $19,$800
+         ldq    $L1,0($17)      # a[0]
+        ldq     $R1,0($18)      # b[1]
+         br     $801
+        .align 4
+$845:
+        ldq     $L1,0($17)      # a[0]
+         ldq    $R1,0($18)      # b[1]
+        cmpult  $L1,$R1,$O1     # will we borrow?
+         subq   $L1,$R1,$R1     # r=a-b;
+        subq    $19,1,$19       # loop--
+         cmpult  $R1,$CC,$O2    # will we borrow?
+        subq    $R1,$CC,$R1     # c+= overflow
+         addq   $17,8,$17       # a++
+        addq    $18,8,$18       # b++
+         stq    $R1,0($16)      # r[0]=c
+        addq    $O2,$O1,$CC
+         addq   $16,8,$16       # r++
+
+        bgt     $19,$845
+        ret     $31,($26),1     # else exit
+
+$800:
+        addq    $19,4,$19
+        bgt     $19,$845        # goto tail code
+        ret     $31,($26),1     # else exit
+        .end bn_sub_words
+
+ #
+ # What follows was taken directly from the C compiler with a few
+ # hacks to redo the lables.
+ #
+.text
+        .align 3
+        .globl bn_div_words
+        .ent bn_div_words
+bn_div_words:
+        ldgp $29,0($27)
+bn_div_words..ng:
+        lda $30,-48($30)
+        .frame $30,48,$26,0
+        stq $26,0($30)
+        stq $9,8($30)
+        stq $10,16($30)
+        stq $11,24($30)
+        stq $12,32($30)
+        stq $13,40($30)
+        .mask 0x4003e00,-48
+        .prologue 1
+        bis $16,$16,$9
+        bis $17,$17,$10
+        bis $18,$18,$11
+        bis $31,$31,$13
+        bis $31,2,$12
+        bne $11,$119
+        lda $0,-1
+        br $31,$136
+        .align 4
+$119:
+        bis $11,$11,$16
+        jsr $26,BN_num_bits_word
+        ldgp $29,0($26)
+        subq $0,64,$1
+        beq $1,$120
+        bis $31,1,$1
+        sll $1,$0,$1
+        cmpule $9,$1,$1
+        bne $1,$120
+ #      lda $16,_IO_stderr_
+ #      lda $17,$C32
+ #      bis $0,$0,$18
+ #      jsr $26,fprintf
+ #      ldgp $29,0($26)
+        jsr $26,abort
+        ldgp $29,0($26)
+        .align 4
+$120:
+        bis $31,64,$3
+        cmpult $9,$11,$2
+        subq $3,$0,$1
+        addl $1,$31,$0
+        subq $9,$11,$1
+        cmoveq $2,$1,$9
+        beq $0,$122
+        zapnot $0,15,$2
+        subq $3,$0,$1
+        sll $11,$2,$11
+        sll $9,$2,$3
+        srl $10,$1,$1
+        sll $10,$2,$10
+        bis $3,$1,$9
+$122:
+        srl $11,32,$5
+        zapnot $11,15,$6
+        lda $7,-1
+        .align 5
+$123:
+        srl $9,32,$1
+        subq $1,$5,$1
+        bne $1,$126
+        zapnot $7,15,$27
+        br $31,$127
+        .align 4
+$126:
+        bis $9,$9,$24
+        bis $5,$5,$25
+        divqu $24,$25,$27
+$127:
+        srl $10,32,$4
+        .align 5
+$128:
+        mulq $27,$5,$1
+        subq $9,$1,$3
+        zapnot $3,240,$1
+        bne $1,$129
+        mulq $6,$27,$2
+        sll $3,32,$1
+        addq $1,$4,$1
+        cmpule $2,$1,$2
+        bne $2,$129
+        subq $27,1,$27
+        br $31,$128
+        .align 4
+$129:
+        mulq $27,$6,$1
+        mulq $27,$5,$4
+        srl $1,32,$3
+        sll $1,32,$1
+        addq $4,$3,$4
+        cmpult $10,$1,$2
+        subq $10,$1,$10
+        addq $2,$4,$2
+        cmpult $9,$2,$1
+        bis $2,$2,$4
+        beq $1,$134
+        addq $9,$11,$9
+        subq $27,1,$27
+$134:
+        subl $12,1,$12
+        subq $9,$4,$9
+        beq $12,$124
+        sll $27,32,$13
+        sll $9,32,$2
+        srl $10,32,$1
+        sll $10,32,$10
+        bis $2,$1,$9
+        br $31,$123
+        .align 4
+$124:
+        bis $13,$27,$0
+$136:
+        ldq $26,0($30)
+        ldq $9,8($30)
+        ldq $10,16($30)
+        ldq $11,24($30)
+        ldq $12,32($30)
+        ldq $13,40($30)
+        addq $30,48,$30
+        ret $31,($26),1
+        .end bn_div_words
+EOF
+        return($data);
+        }
+
diff --git a/src/lib/libssl/src/crypto/bn/asm/ca.pl b/src/lib/libssl/src/crypto/bn/asm/ca.pl
new file mode 100644
index 0000000000..c1ce67a6b4
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/ca.pl
@@ -0,0 +1,33 @@
+#!/usr/local/bin/perl
+# I have this in perl so I can use more usefull register names and then convert
+# them into alpha registers.
+#
+
+push(@INC,"perlasm","../../perlasm");
+require "alpha.pl";
+require "alpha/mul_add.pl";
+require "alpha/mul.pl";
+require "alpha/sqr.pl";
+require "alpha/add.pl";
+require "alpha/sub.pl";
+require "alpha/mul_c8.pl";
+require "alpha/mul_c4.pl";
+require "alpha/sqr_c4.pl";
+require "alpha/sqr_c8.pl";
+require "alpha/div.pl";
+
+&asm_init($ARGV[0],$0);
+
+&bn_mul_words("bn_mul_words");
+&bn_sqr_words("bn_sqr_words");
+&bn_mul_add_words("bn_mul_add_words");
+&bn_add_words("bn_add_words");
+&bn_sub_words("bn_sub_words");
+&bn_div_words("bn_div_words");
+&bn_mul_comba8("bn_mul_comba8");
+&bn_mul_comba4("bn_mul_comba4");
+&bn_sqr_comba4("bn_sqr_comba4");
+&bn_sqr_comba8("bn_sqr_comba8");
+
+&asm_finish();
+
diff --git a/src/lib/libssl/src/crypto/bn/asm/co-586.pl b/src/lib/libssl/src/crypto/bn/asm/co-586.pl
new file mode 100644
index 0000000000..5d962cb957
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/co-586.pl
@@ -0,0 +1,286 @@
+#!/usr/local/bin/perl
+
+push(@INC,"perlasm","../../perlasm");
+require "x86asm.pl";
+
+&asm_init($ARGV[0],$0);
+
+&bn_mul_comba("bn_mul_comba8",8);
+&bn_mul_comba("bn_mul_comba4",4);
+&bn_sqr_comba("bn_sqr_comba8",8);
+&bn_sqr_comba("bn_sqr_comba4",4);
+
+&asm_finish();
+
+sub mul_add_c
+        {
+        local($a,$ai,$b,$bi,$c0,$c1,$c2,$pos,$i,$na,$nb)=@_;
+
+        # pos == -1 if eax and edx are pre-loaded, 0 to load from next
+        # words, and 1 if load return value
+
+        &comment("mul a[$ai]*b[$bi]");
+
+        # "eax" and "edx" will always be pre-loaded.
+        # &mov("eax",&DWP($ai*4,$a,"",0)) ;
+        # &mov("edx",&DWP($bi*4,$b,"",0));
+
+        &mul("edx");
+        &add($c0,"eax");
+         &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 0;        # laod next a
+         &mov("eax",&wparam(0)) if $pos > 0;                    # load r[]
+         ###
+        &adc($c1,"edx");
+         &mov("edx",&DWP(($nb)*4,$b,"",0)) if $pos == 0;        # laod next b
+         &mov("edx",&DWP(($nb)*4,$b,"",0)) if $pos == 1;        # laod next b
+         ###
+        &adc($c2,0);
+         # is pos > 1, it means it is the last loop 
+         &mov(&DWP($i*4,"eax","",0),$c0) if $pos > 0;           # save r[];
+        &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 1;         # laod next a
+        }
+
+sub sqr_add_c
+        {
+        local($r,$a,$ai,$bi,$c0,$c1,$c2,$pos,$i,$na,$nb)=@_;
+
+        # pos == -1 if eax and edx are pre-loaded, 0 to load from next
+        # words, and 1 if load return value
+
+        &comment("sqr a[$ai]*a[$bi]");
+
+        # "eax" and "edx" will always be pre-loaded.
+        # &mov("eax",&DWP($ai*4,$a,"",0)) ;
+        # &mov("edx",&DWP($bi*4,$b,"",0));
+
+        if ($ai == $bi)
+                { &mul("eax");}
+        else
+                { &mul("edx");}
+        &add($c0,"eax");
+         &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 0;        # load next a
+         ###
+        &adc($c1,"edx");
+         &mov("edx",&DWP(($nb)*4,$a,"",0)) if ($pos == 1) && ($na != $nb);
+         ###
+        &adc($c2,0);
+         # is pos > 1, it means it is the last loop 
+         &mov(&DWP($i*4,$r,"",0),$c0) if $pos > 0;              # save r[];
+        &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 1;         # load next b
+        }
+
+sub sqr_add_c2
+        {
+        local($r,$a,$ai,$bi,$c0,$c1,$c2,$pos,$i,$na,$nb)=@_;
+
+        # pos == -1 if eax and edx are pre-loaded, 0 to load from next
+        # words, and 1 if load return value
+
+        &comment("sqr a[$ai]*a[$bi]");
+
+        # "eax" and "edx" will always be pre-loaded.
+        # &mov("eax",&DWP($ai*4,$a,"",0)) ;
+        # &mov("edx",&DWP($bi*4,$a,"",0));
+
+        if ($ai == $bi)
+                { &mul("eax");}
+        else
+                { &mul("edx");}
+        &add("eax","eax");
+         ###
+        &adc("edx","edx");
+         ###
+        &adc($c2,0);
+         &add($c0,"eax");
+        &adc($c1,"edx");
+         &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 0;        # load next a
+         &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 1;        # load next b
+        &adc($c2,0);
+        &mov(&DWP($i*4,$r,"",0),$c0) if $pos > 0;               # save r[];
+         &mov("edx",&DWP(($nb)*4,$a,"",0)) if ($pos <= 1) && ($na != $nb);
+         ###
+        }
+
+sub bn_mul_comba
+        {
+        local($name,$num)=@_;
+        local($a,$b,$c0,$c1,$c2);
+        local($i,$as,$ae,$bs,$be,$ai,$bi);
+        local($tot,$end);
+
+        &function_begin_B($name,"");
+
+        $c0="ebx";
+        $c1="ecx";
+        $c2="ebp";
+        $a="esi";
+        $b="edi";
+        
+        $as=0;
+        $ae=0;
+        $bs=0;
+        $be=0;
+        $tot=$num+$num-1;
+
+        &push("esi");
+         &mov($a,&wparam(1));
+        &push("edi");
+         &mov($b,&wparam(2));
+        &push("ebp");
+         &push("ebx");
+
+        &xor($c0,$c0);
+         &mov("eax",&DWP(0,$a,"",0));   # load the first word 
+        &xor($c1,$c1);
+         &mov("edx",&DWP(0,$b,"",0));   # load the first second 
+
+        for ($i=0; $i<$tot; $i++)
+                {
+                $ai=$as;
+                $bi=$bs;
+                $end=$be+1;
+
+                &comment("################## Calculate word $i"); 
+
+                for ($j=$bs; $j<$end; $j++)
+                        {
+                        &xor($c2,$c2) if ($j == $bs);
+                        if (($j+1) == $end)
+                                {
+                                $v=1;
+                                $v=2 if (($i+1) == $tot);
+                                }
+                        else
+                                { $v=0; }
+                        if (($j+1) != $end)
+                                {
+                                $na=($ai-1);
+                                $nb=($bi+1);
+                                }
+                        else
+                                {
+                                $na=$as+($i < ($num-1));
+                                $nb=$bs+($i >= ($num-1));
+                                }
+#printf STDERR "[$ai,$bi] -> [$na,$nb]\n";
+                        &mul_add_c($a,$ai,$b,$bi,$c0,$c1,$c2,$v,$i,$na,$nb);
+                        if ($v)
+                                {
+                                &comment("saved r[$i]");
+                                # &mov("eax",&wparam(0));
+                                # &mov(&DWP($i*4,"eax","",0),$c0);
+                                ($c0,$c1,$c2)=($c1,$c2,$c0);
+                                }
+                        $ai--;
+                        $bi++;
+                        }
+                $as++ if ($i < ($num-1));
+                $ae++ if ($i >= ($num-1));
+
+                $bs++ if ($i >= ($num-1));
+                $be++ if ($i < ($num-1));
+                }
+        &comment("save r[$i]");
+        # &mov("eax",&wparam(0));
+        &mov(&DWP($i*4,"eax","",0),$c0);
+
+        &pop("ebx");
+        &pop("ebp");
+        &pop("edi");
+        &pop("esi");
+        &ret();
+        &function_end_B($name);
+        }
+
+sub bn_sqr_comba
+        {
+        local($name,$num)=@_;
+        local($r,$a,$c0,$c1,$c2)=@_;
+        local($i,$as,$ae,$bs,$be,$ai,$bi);
+        local($b,$tot,$end,$half);
+
+        &function_begin_B($name,"");
+
+        $c0="ebx";
+        $c1="ecx";
+        $c2="ebp";
+        $a="esi";
+        $r="edi";
+
+        &push("esi");
+         &push("edi");
+        &push("ebp");
+         &push("ebx");
+        &mov($r,&wparam(0));
+         &mov($a,&wparam(1));
+        &xor($c0,$c0);
+         &xor($c1,$c1);
+        &mov("eax",&DWP(0,$a,"",0)); # load the first word
+
+        $as=0;
+        $ae=0;
+        $bs=0;
+        $be=0;
+        $tot=$num+$num-1;
+
+        for ($i=0; $i<$tot; $i++)
+                {
+                $ai=$as;
+                $bi=$bs;
+                $end=$be+1;
+
+                &comment("############### Calculate word $i");
+                for ($j=$bs; $j<$end; $j++)
+                        {
+                        &xor($c2,$c2) if ($j == $bs);
+                        if (($ai-1) < ($bi+1))
+                                {
+                                $v=1;
+                                $v=2 if ($i+1) == $tot;
+                                }
+                        else
+                                { $v=0; }
+                        if (!$v)
+                                {
+                                $na=$ai-1;
+                                $nb=$bi+1;
+                                }
+                        else
+                                {
+                                $na=$as+($i < ($num-1));
+                                $nb=$bs+($i >= ($num-1));
+                                }
+                        if ($ai == $bi)
+                                {
+                                &sqr_add_c($r,$a,$ai,$bi,
+                                        $c0,$c1,$c2,$v,$i,$na,$nb);
+                                }
+                        else
+                                {
+                                &sqr_add_c2($r,$a,$ai,$bi,
+                                        $c0,$c1,$c2,$v,$i,$na,$nb);
+                                }
+                        if ($v)
+                                {
+                                &comment("saved r[$i]");
+                                #&mov(&DWP($i*4,$r,"",0),$c0);
+                                ($c0,$c1,$c2)=($c1,$c2,$c0);
+                                last;
+                                }
+                        $ai--;
+                        $bi++;
+                        }
+                $as++ if ($i < ($num-1));
+                $ae++ if ($i >= ($num-1));
+
+                $bs++ if ($i >= ($num-1));
+                $be++ if ($i < ($num-1));
+                }
+        &mov(&DWP($i*4,$r,"",0),$c0);
+        &pop("ebx");
+        &pop("ebp");
+        &pop("edi");
+        &pop("esi");
+        &ret();
+        &function_end_B($name);
+        }
diff --git a/src/lib/libssl/src/crypto/bn/asm/co-alpha.pl b/src/lib/libssl/src/crypto/bn/asm/co-alpha.pl
new file mode 100644
index 0000000000..67dad3e3d5
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/co-alpha.pl
@@ -0,0 +1,116 @@
+#!/usr/local/bin/perl
+# I have this in perl so I can use more usefull register names and then convert
+# them into alpha registers.
+#
+
+push(@INC,"perlasm","../../perlasm");
+require "alpha.pl";
+
+&asm_init($ARGV[0],$0);
+
+print &bn_sub_words("bn_sub_words");
+
+&asm_finish();
+
+sub bn_sub_words
+        {
+        local($name)=@_;
+        local($cc,$a,$b,$r);
+
+        $cc="r0";
+        $a0="r1"; $b0="r5"; $r0="r9";  $tmp="r13";
+        $a1="r2"; $b1="r6"; $r1="r10"; $t1="r14";
+        $a2="r3"; $b2="r7"; $r2="r11";
+        $a3="r4"; $b3="r8"; $r3="r12"; $t3="r15";
+
+        $rp=&wparam(0);
+        $ap=&wparam(1);
+        $bp=&wparam(2);
+        $count=&wparam(3);
+
+        &function_begin($name,"");
+
+        &comment("");
+        &sub($count,4,$count);
+        &mov("zero",$cc);
+        &blt($count,&label("finish"));
+
+        &ld($a0,&QWPw(0,$ap));
+        &ld($b0,&QWPw(0,$bp));
+
+##########################################################
+        &set_label("loop");
+
+        &ld($a1,&QWPw(1,$ap));
+         &cmpult($a0,$b0,$tmp); # will we borrow?
+        &ld($b1,&QWPw(1,$bp));
+         &sub($a0,$b0,$a0);             # do the subtract
+        &ld($a2,&QWPw(2,$ap));
+         &cmpult($a0,$cc,$b0);  # will we borrow?
+        &ld($b2,&QWPw(2,$bp));
+         &sub($a0,$cc,$a0);     # will we borrow?
+        &ld($a3,&QWPw(3,$ap));
+         &add($b0,$tmp,$cc);    # add the borrows
+
+        &cmpult($a1,$b1,$t1);   # will we borrow?
+         &sub($a1,$b1,$a1);     # do the subtract
+        &ld($b3,&QWPw(3,$bp));
+         &cmpult($a1,$cc,$b1);  # will we borrow?
+        &sub($a1,$cc,$a1);      # will we borrow?
+         &add($b1,$t1,$cc);     # add the borrows
+
+        &cmpult($a2,$b2,$tmp);  # will we borrow?
+         &sub($a2,$b2,$a2);             # do the subtract
+        &st($a0,&QWPw(0,$rp));  # save
+         &cmpult($a2,$cc,$b2);  # will we borrow?
+        &sub($a2,$cc,$a2);      # will we borrow?
+         &add($b2,$tmp,$cc);    # add the borrows
+
+        &cmpult($a3,$b3,$t3);   # will we borrow?
+         &sub($a3,$b3,$a3);             # do the subtract
+        &st($a1,&QWPw(1,$rp));  # save
+         &cmpult($a3,$cc,$b3);  # will we borrow?
+        &sub($a3,$cc,$a3);      # will we borrow?
+         &add($b3,$t3,$cc);     # add the borrows
+
+        &st($a2,&QWPw(2,$rp));  # save
+         &sub($count,4,$count); # count-=4
+        &st($a3,&QWPw(3,$rp));  # save
+         &add($ap,4*$QWS,$ap);  # count+=4
+        &add($bp,4*$QWS,$bp);   # count+=4
+         &add($rp,4*$QWS,$rp);  # count+=4
+
+        &blt($count,&label("finish"));
+        &ld($a0,&QWPw(0,$ap));
+         &ld($b0,&QWPw(0,$bp));
+        &br(&label("loop"));
+##################################################
+        # Do the last 0..3 words
+
+        &set_label("last_loop");
+
+        &ld($a0,&QWPw(0,$ap));  # get a
+         &ld($b0,&QWPw(0,$bp)); # get b
+        &cmpult($a0,$b0,$tmp);  # will we borrow?
+        &sub($a0,$b0,$a0);      # do the subtract
+        &cmpult($a0,$cc,$b0);   # will we borrow?
+        &sub($a0,$cc,$a0);      # will we borrow?
+        &st($a0,&QWPw(0,$rp));  # save
+        &add($b0,$tmp,$cc);     # add the borrows
+
+        &add($ap,$QWS,$ap);
+        &add($bp,$QWS,$bp);
+        &add($rp,$QWS,$rp);
+        &sub($count,1,$count);
+        &bgt($count,&label("last_loop"));
+        &function_end_A($name);
+
+######################################################
+        &set_label("finish");
+        &add($count,4,$count);
+        &bgt($count,&label("last_loop"));
+
+        &set_label("end");
+        &function_end($name);
+        }
+
diff --git a/src/lib/libssl/src/crypto/bn/asm/ia64.S b/src/lib/libssl/src/crypto/bn/asm/ia64.S
new file mode 100644
index 0000000000..ae56066310
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/ia64.S
@@ -0,0 +1,1498 @@
+.explicit
+.text
+.ident  "ia64.S, Version 1.1"
+.ident  "IA-64 ISA artwork by Andy Polyakov <appro@fy.chalmers.se>"
+
+//
+// ====================================================================
+// Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+// project.
+//
+// Rights for redistribution and usage in source and binary forms are
+// granted according to the OpenSSL license. Warranty of any kind is
+// disclaimed.
+// ====================================================================
+//
+
+// Q.   How much faster does it get?
+// A.   Here is the output from 'openssl speed rsa dsa' for vanilla
+//      0.9.6a compiled with gcc version 2.96 20000731 (Red Hat
+//      Linux 7.1 2.96-81):
+//
+//                        sign    verify    sign/s verify/s
+//      rsa  512 bits   0.0036s   0.0003s    275.3   2999.2
+//      rsa 1024 bits   0.0203s   0.0011s     49.3    894.1
+//      rsa 2048 bits   0.1331s   0.0040s      7.5    250.9
+//      rsa 4096 bits   0.9270s   0.0147s      1.1     68.1
+//                        sign    verify    sign/s verify/s
+//      dsa  512 bits   0.0035s   0.0043s    288.3    234.8
+//      dsa 1024 bits   0.0111s   0.0135s     90.0     74.2
+//
+//      And here is similar output but for this assembler
+//      implementation:-)
+//
+//                        sign    verify    sign/s verify/s
+//      rsa  512 bits   0.0021s   0.0001s    549.4   9638.5
+//      rsa 1024 bits   0.0055s   0.0002s    183.8   4481.1
+//      rsa 2048 bits   0.0244s   0.0006s     41.4   1726.3
+//      rsa 4096 bits   0.1295s   0.0018s      7.7    561.5
+//                        sign    verify    sign/s verify/s
+//      dsa  512 bits   0.0012s   0.0013s    891.9    756.6
+//      dsa 1024 bits   0.0023s   0.0028s    440.4    376.2
+//      
+//      Yes, you may argue that it's not fair comparison as it's
+//      possible to craft the C implementation with BN_UMULT_HIGH
+//      inline assembler macro. But of course! Here is the output
+//      with the macro:
+//
+//                        sign    verify    sign/s verify/s
+//      rsa  512 bits   0.0020s   0.0002s    495.0   6561.0
+//      rsa 1024 bits   0.0086s   0.0004s    116.2   2235.7
+//      rsa 2048 bits   0.0519s   0.0015s     19.3    667.3
+//      rsa 4096 bits   0.3464s   0.0053s      2.9    187.7
+//                        sign    verify    sign/s verify/s
+//      dsa  512 bits   0.0016s   0.0020s    613.1    510.5
+//      dsa 1024 bits   0.0045s   0.0054s    221.0    183.9
+//
+//      My code is still way faster, huh:-) And I believe that even
+//      higher performance can be achieved. Note that as keys get
+//      longer, performance gain is larger. Why? According to the
+//      profiler there is another player in the field, namely
+//      BN_from_montgomery consuming larger and larger portion of CPU
+//      time as keysize decreases. I therefore consider putting effort
+//      to assembler implementation of the following routine:
+//
+//      void bn_mul_add_mont (BN_ULONG *rp,BN_ULONG *np,int nl,BN_ULONG n0)
+//      {
+//      int      i,j;
+//      BN_ULONG v;
+//
+//      for (i=0; i<nl; i++)
+//              {
+//              v=bn_mul_add_words(rp,np,nl,(rp[0]*n0)&BN_MASK2);
+//              nrp++;
+//              rp++;
+//              if (((nrp[-1]+=v)&BN_MASK2) < v)
+//                      for (j=0; ((++nrp[j])&BN_MASK2) == 0; j++) ;
+//              }
+//      }
+//
+//      It might as well be beneficial to implement even combaX
+//      variants, as it appears as it can literally unleash the
+//      performance (see comment section to bn_mul_comba8 below).
+//
+//      And finally for your reference the output for 0.9.6a compiled
+//      with SGIcc version 0.01.0-12 (keep in mind that for the moment
+//      of this writing it's not possible to convince SGIcc to use
+//      BN_UMULT_HIGH inline assembler macro, yet the code is fast,
+//      i.e. for a compiler generated one:-):
+//
+//                        sign    verify    sign/s verify/s
+//      rsa  512 bits   0.0022s   0.0002s    452.7   5894.3
+//      rsa 1024 bits   0.0097s   0.0005s    102.7   2002.9
+//      rsa 2048 bits   0.0578s   0.0017s     17.3    600.2
+//      rsa 4096 bits   0.3838s   0.0061s      2.6    164.5
+//                        sign    verify    sign/s verify/s
+//      dsa  512 bits   0.0018s   0.0022s    547.3    459.6
+//      dsa 1024 bits   0.0051s   0.0062s    196.6    161.3
+//
+//      Oh! Benchmarks were performed on 733MHz Lion-class Itanium
+//      system running Redhat Linux 7.1 (very special thanks to Ray
+//      McCaffity of Williams Communications for providing an account).
+//
+// Q.   What's the heck with 'rum 1<<5' at the end of every function?
+// A.   Well, by clearing the "upper FP registers written" bit of the
+//      User Mask I want to excuse the kernel from preserving upper
+//      (f32-f128) FP register bank over process context switch, thus
+//      minimizing bus bandwidth consumption during the switch (i.e.
+//      after PKI opration completes and the program is off doing
+//      something else like bulk symmetric encryption). Having said
+//      this, I also want to point out that it might be good idea
+//      to compile the whole toolkit (as well as majority of the
+//      programs for that matter) with -mfixed-range=f32-f127 command
+//      line option. No, it doesn't prevent the compiler from writing
+//      to upper bank, but at least discourages to do so. If you don't
+//      like the idea you have the option to compile the module with
+//      -Drum=nop.m in command line.
+//
+
+#if 1
+//
+// bn_[add|sub]_words routines.
+//
+// Loops are spinning in 2*(n+5) ticks on Itanuim (provided that the
+// data reside in L1 cache, i.e. 2 ticks away). It's possible to
+// compress the epilogue and get down to 2*n+6, but at the cost of
+// scalability (the neat feature of this implementation is that it
+// shall automagically spin in n+5 on "wider" IA-64 implementations:-)
+// I consider that the epilogue is short enough as it is to trade tiny
+// performance loss on Itanium for scalability.
+//
+// BN_ULONG bn_add_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num)
+//
+.global bn_add_words#
+.proc   bn_add_words#
+.align  64
+.skip   32      // makes the loop body aligned at 64-byte boundary
+bn_add_words:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+{ .mii; alloc           r2=ar.pfs,4,12,0,16
+        cmp4.le         p6,p0=r35,r0    };;
+{ .mfb; mov             r8=r0                   // return value
+(p6)    br.ret.spnt.many        b0      };;
+
+        .save   ar.lc,r3
+{ .mib; sub             r10=r35,r0,1
+        mov             r3=ar.lc
+        brp.loop.imp    .L_bn_add_words_ctop,.L_bn_add_words_cend-16
+                                        }
+        .body
+{ .mib; mov             r14=r32                 // rp
+        mov             r9=pr           };;
+{ .mii; mov             r15=r33                 // ap
+        mov             ar.lc=r10
+        mov             ar.ec=6         }
+{ .mib; mov             r16=r34                 // bp
+        mov             pr.rot=1<<16    };;
+
+.L_bn_add_words_ctop:
+{ .mii; (p16)   ld8             r32=[r16],8       // b=*(bp++)
+        (p18)   add             r39=r37,r34
+        (p19)   cmp.ltu.unc     p56,p0=r40,r38  }
+{ .mfb; (p0)    nop.m           0x0
+        (p0)    nop.f           0x0
+        (p0)    nop.b           0x0             }
+{ .mii; (p16)   ld8             r35=[r15],8       // a=*(ap++)
+        (p58)   cmp.eq.or       p57,p0=-1,r41     // (p20)
+        (p58)   add             r41=1,r41       } // (p20)
+{ .mfb; (p21)   st8             [r14]=r42,8       // *(rp++)=r
+        (p0)    nop.f           0x0
+        br.ctop.sptk    .L_bn_add_words_ctop    };;
+.L_bn_add_words_cend:
+
+{ .mii;
+(p59)   add             r8=1,r8         // return value
+        mov             pr=r9,-1
+        mov             ar.lc=r3        }
+{ .mbb; nop.b           0x0
+        br.ret.sptk.many        b0      };;
+.endp   bn_add_words#
+
+//
+// BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num)
+//
+.global bn_sub_words#
+.proc   bn_sub_words#
+.align  64
+.skip   32      // makes the loop body aligned at 64-byte boundary
+bn_sub_words:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+{ .mii; alloc           r2=ar.pfs,4,12,0,16
+        cmp4.le         p6,p0=r35,r0    };;
+{ .mfb; mov             r8=r0                   // return value
+(p6)    br.ret.spnt.many        b0      };;
+
+        .save   ar.lc,r3
+{ .mib; sub             r10=r35,r0,1
+        mov             r3=ar.lc
+        brp.loop.imp    .L_bn_sub_words_ctop,.L_bn_sub_words_cend-16
+                                        }
+        .body
+{ .mib; mov             r14=r32                 // rp
+        mov             r9=pr           };;
+{ .mii; mov             r15=r33                 // ap
+        mov             ar.lc=r10
+        mov             ar.ec=6         }
+{ .mib; mov             r16=r34                 // bp
+        mov             pr.rot=1<<16    };;
+
+.L_bn_sub_words_ctop:
+{ .mii; (p16)   ld8             r32=[r16],8       // b=*(bp++)
+        (p18)   sub             r39=r37,r34
+        (p19)   cmp.gtu.unc     p56,p0=r40,r38  }
+{ .mfb; (p0)    nop.m           0x0
+        (p0)    nop.f           0x0
+        (p0)    nop.b           0x0             }
+{ .mii; (p16)   ld8             r35=[r15],8       // a=*(ap++)
+        (p58)   cmp.eq.or       p57,p0=0,r41      // (p20)
+        (p58)   add             r41=-1,r41      } // (p20)
+{ .mbb; (p21)   st8             [r14]=r42,8       // *(rp++)=r
+        (p0)    nop.b           0x0
+        br.ctop.sptk    .L_bn_sub_words_ctop    };;
+.L_bn_sub_words_cend:
+
+{ .mii;
+(p59)   add             r8=1,r8         // return value
+        mov             pr=r9,-1
+        mov             ar.lc=r3        }
+{ .mbb; nop.b           0x0
+        br.ret.sptk.many        b0      };;
+.endp   bn_sub_words#
+#endif
+
+#if 0
+#define XMA_TEMPTATION
+#endif
+
+#if 1
+//
+// BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
+//
+.global bn_mul_words#
+.proc   bn_mul_words#
+.align  64
+.skip   32      // makes the loop body aligned at 64-byte boundary
+bn_mul_words:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+#ifdef XMA_TEMPTATION
+{ .mfi; alloc           r2=ar.pfs,4,0,0,0       };;
+#else
+{ .mfi; alloc           r2=ar.pfs,4,4,0,8       };;
+#endif
+{ .mib; mov             r8=r0                   // return value
+        cmp4.le         p6,p0=r34,r0
+(p6)    br.ret.spnt.many        b0              };;
+
+        .save   ar.lc,r3
+{ .mii; sub     r10=r34,r0,1
+        mov     r3=ar.lc
+        mov     r9=pr                   };;
+
+        .body
+{ .mib; setf.sig        f8=r35  // w
+        mov             pr.rot=0x400001<<16
+                        // ------^----- serves as (p48) at first (p26)
+        brp.loop.imp    .L_bn_mul_words_ctop,.L_bn_mul_words_cend-16
+                                        }
+
+#ifndef XMA_TEMPTATION
+
+{ .mii; mov             r14=r32 // rp
+        mov             r15=r33 // ap
+        mov             ar.lc=r10       }
+{ .mii; mov             r39=0   // serves as r33 at first (p26)
+        mov             ar.ec=12        };;
+
+// This loop spins in 2*(n+11) ticks. It's scheduled for data in L2
+// cache (i.e. 9 ticks away) as floating point load/store instructions
+// bypass L1 cache and L2 latency is actually best-case scenario for
+// ldf8. The loop is not scalable and shall run in 2*(n+11) even on
+// "wider" IA-64 implementations. It's a trade-off here. n+22 loop
+// would give us ~5% in *overall* performance improvement on "wider"
+// IA-64, but would hurt Itanium for about same because of longer
+// epilogue. As it's a matter of few percents in either case I've
+// chosen to trade the scalability for development time (you can see
+// this very instruction sequence in bn_mul_add_words loop which in
+// turn is scalable).
+.L_bn_mul_words_ctop:
+{ .mfi; (p25)   getf.sig        r36=f49                 // low
+        (p21)   xmpy.lu         f45=f37,f8
+        (p27)   cmp.ltu         p52,p48=r39,r38 }
+{ .mfi; (p16)   ldf8            f32=[r15],8
+        (p21)   xmpy.hu         f38=f37,f8
+        (p0)    nop.i           0x0             };;
+{ .mii; (p26)   getf.sig        r32=f43                 // high
+        .pred.rel       "mutex",p48,p52
+        (p48)   add             r38=r37,r33             // (p26)
+        (p52)   add             r38=r37,r33,1   }       // (p26)
+{ .mfb; (p27)   st8             [r14]=r39,8
+        (p0)    nop.f           0x0
+        br.ctop.sptk    .L_bn_mul_words_ctop    };;
+.L_bn_mul_words_cend:
+
+{ .mii; nop.m           0x0
+.pred.rel       "mutex",p49,p53
+(p49)   add             r8=r34,r0
+(p53)   add             r8=r34,r0,1     }
+{ .mfb; nop.m   0x0
+        nop.f   0x0
+        nop.b   0x0                     }
+
+#else   // XMA_TEMPTATION
+
+        setf.sig        f37=r0  // serves as carry at (p18) tick
+        mov             ar.lc=r10
+        mov             ar.ec=5;;
+
+// Most of you examining this code very likely wonder why in the name
+// of Intel the following loop is commented out? Indeed, it looks so
+// neat that you find it hard to believe that it's something wrong
+// with it, right? The catch is that every iteration depends on the
+// result from previous one and the latter isn't available instantly.
+// The loop therefore spins at the latency of xma minus 1, or in other
+// words at 6*(n+4) ticks:-( Compare to the "production" loop above
+// that runs in 2*(n+11) where the low latency problem is worked around
+// by moving the dependency to one-tick latent interger ALU. Note that
+// "distance" between ldf8 and xma is not latency of ldf8, but the
+// *difference* between xma and ldf8 latencies.
+.L_bn_mul_words_ctop:
+{ .mfi; (p16)   ldf8            f32=[r33],8
+        (p18)   xma.hu          f38=f34,f8,f39  }
+{ .mfb; (p20)   stf8            [r32]=f37,8
+        (p18)   xma.lu          f35=f34,f8,f39
+        br.ctop.sptk    .L_bn_mul_words_ctop    };;
+.L_bn_mul_words_cend:
+
+        getf.sig        r8=f41          // the return value
+
+#endif  // XMA_TEMPTATION
+
+{ .mii; nop.m           0x0
+        mov             pr=r9,-1
+        mov             ar.lc=r3        }
+{ .mfb; rum             1<<5            // clear um.mfh
+        nop.f           0x0
+        br.ret.sptk.many        b0      };;
+.endp   bn_mul_words#
+#endif
+
+#if 1
+//
+// BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
+//
+.global bn_mul_add_words#
+.proc   bn_mul_add_words#
+.align  64
+//.skip 0       // makes the loop split at 64-byte boundary
+bn_mul_add_words:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+{ .mii; alloc           r2=ar.pfs,4,12,0,16
+        cmp4.le         p6,p0=r34,r0    };;
+{ .mfb; mov             r8=r0                   // return value
+(p6)    br.ret.spnt.many        b0      };;
+
+        .save   ar.lc,r3
+{ .mii; sub     r10=r34,r0,1
+        mov     r3=ar.lc
+        mov     r9=pr                   };;
+
+        .body
+{ .mib; setf.sig        f8=r35  // w
+        mov             pr.rot=0x400001<<16
+                        // ------^----- serves as (p48) at first (p26)
+        brp.loop.imp    .L_bn_mul_add_words_ctop,.L_bn_mul_add_words_cend-16
+                                        }
+{ .mii; mov             r14=r32 // rp
+        mov             r15=r33 // ap
+        mov             ar.lc=r10       }
+{ .mii; mov             r39=0   // serves as r33 at first (p26)
+        mov             r18=r32 // rp copy
+        mov             ar.ec=14        };;
+
+// This loop spins in 3*(n+13) ticks on Itanium and should spin in
+// 2*(n+13) on "wider" IA-64 implementations (to be verified with new
+// µ-architecture manuals as they become available). As usual it's
+// possible to compress the epilogue, down to 10 in this case, at the
+// cost of scalability. Compressed (and therefore non-scalable) loop
+// running at 3*(n+10) would buy you ~10% on Itanium but take ~35%
+// from "wider" IA-64 so let it be scalable! Special attention was
+// paid for having the loop body split at 64-byte boundary. ld8 is
+// scheduled for L1 cache as the data is more than likely there.
+// Indeed, bn_mul_words has put it there a moment ago:-)
+.L_bn_mul_add_words_ctop:
+{ .mfi; (p25)   getf.sig        r36=f49                 // low
+        (p21)   xmpy.lu         f45=f37,f8
+        (p27)   cmp.ltu         p52,p48=r39,r38 }
+{ .mfi; (p16)   ldf8            f32=[r15],8
+        (p21)   xmpy.hu         f38=f37,f8
+        (p27)   add             r43=r43,r39     };;
+{ .mii; (p26)   getf.sig        r32=f43                 // high
+        .pred.rel       "mutex",p48,p52
+        (p48)   add             r38=r37,r33             // (p26)
+        (p52)   add             r38=r37,r33,1   }       // (p26)
+{ .mfb; (p27)   cmp.ltu.unc     p56,p0=r43,r39
+        (p0)    nop.f           0x0
+        (p0)    nop.b           0x0             }
+{ .mii; (p26)   ld8             r42=[r18],8
+        (p58)   cmp.eq.or       p57,p0=-1,r44
+        (p58)   add             r44=1,r44       }
+{ .mfb; (p29)   st8             [r14]=r45,8
+        (p0)    nop.f           0x0
+        br.ctop.sptk    .L_bn_mul_add_words_ctop};;
+.L_bn_mul_add_words_cend:
+
+{ .mii; nop.m           0x0
+.pred.rel       "mutex",p51,p55
+(p51)   add             r8=r36,r0
+(p55)   add             r8=r36,r0,1     }
+{ .mfb; nop.m   0x0
+        nop.f   0x0
+        nop.b   0x0                     };;
+{ .mii;
+(p59)   add             r8=1,r8
+        mov             pr=r9,-1
+        mov             ar.lc=r3        }
+{ .mfb; rum             1<<5            // clear um.mfh
+        nop.f           0x0
+        br.ret.sptk.many        b0      };;
+.endp   bn_mul_add_words#
+#endif
+
+#if 1
+//
+// void bn_sqr_words(BN_ULONG *rp, BN_ULONG *ap, int num)
+//
+.global bn_sqr_words#
+.proc   bn_sqr_words#
+.align  64
+.skip   32      // makes the loop body aligned at 64-byte boundary 
+bn_sqr_words:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+{ .mii; alloc           r2=ar.pfs,3,0,0,0
+        sxt4            r34=r34         };;
+{ .mii; cmp.le          p6,p0=r34,r0
+        mov             r8=r0           }       // return value
+{ .mfb; nop.f           0x0
+(p6)    br.ret.spnt.many        b0      };;
+
+        .save   ar.lc,r3
+{ .mii; sub     r10=r34,r0,1
+        mov     r3=ar.lc
+        mov     r9=pr                   };;
+
+        .body
+{ .mib;
+        mov             pr.rot=1<<16
+        brp.loop.imp    .L_bn_sqr_words_ctop,.L_bn_sqr_words_cend-16
+                                        }
+{ .mii; add             r34=8,r32
+        mov             ar.lc=r10
+        mov             ar.ec=18        };;
+
+// 2*(n+17) on Itanium, (n+17) on "wider" IA-64 implementations. It's
+// possible to compress the epilogue (I'm getting tired to write this
+// comment over and over) and get down to 2*n+16 at the cost of
+// scalability. The decision will very likely be reconsidered after the
+// benchmark program is profiled. I.e. if perfomance gain on Itanium
+// will appear larger than loss on "wider" IA-64, then the loop should
+// be explicitely split and the epilogue compressed.
+.L_bn_sqr_words_ctop:
+{ .mfi; (p16)   ldf8            f32=[r33],8
+        (p25)   xmpy.lu         f42=f41,f41
+        (p0)    nop.i           0x0             }
+{ .mib; (p33)   stf8            [r32]=f50,16
+        (p0)    nop.i           0x0
+        (p0)    nop.b           0x0             }
+{ .mfi; (p0)    nop.m           0x0
+        (p25)   xmpy.hu         f52=f41,f41
+        (p0)    nop.i           0x0             }
+{ .mib; (p33)   stf8            [r34]=f60,16
+        (p0)    nop.i           0x0
+        br.ctop.sptk    .L_bn_sqr_words_ctop    };;
+.L_bn_sqr_words_cend:
+
+{ .mii; nop.m           0x0
+        mov             pr=r9,-1
+        mov             ar.lc=r3        }
+{ .mfb; rum             1<<5            // clear um.mfh
+        nop.f           0x0
+        br.ret.sptk.many        b0      };;
+.endp   bn_sqr_words#
+#endif
+
+#if 1
+// Apparently we win nothing by implementing special bn_sqr_comba8.
+// Yes, it is possible to reduce the number of multiplications by
+// almost factor of two, but then the amount of additions would
+// increase by factor of two (as we would have to perform those
+// otherwise performed by xma ourselves). Normally we would trade
+// anyway as multiplications are way more expensive, but not this
+// time... Multiplication kernel is fully pipelined and as we drain
+// one 128-bit multiplication result per clock cycle multiplications
+// are effectively as inexpensive as additions. Special implementation
+// might become of interest for "wider" IA-64 implementation as you'll
+// be able to get through the multiplication phase faster (there won't
+// be any stall issues as discussed in the commentary section below and
+// you therefore will be able to employ all 4 FP units)... But these
+// Itanium days it's simply too hard to justify the effort so I just
+// drop down to bn_mul_comba8 code:-)
+//
+// void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a)
+//
+.global bn_sqr_comba8#
+.proc   bn_sqr_comba8#
+.align  64
+bn_sqr_comba8:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+{ .mii; alloc   r2=ar.pfs,2,1,0,0
+        mov     r34=r33
+        add     r14=8,r33               };;
+        .body
+{ .mii; add     r17=8,r34
+        add     r15=16,r33
+        add     r18=16,r34              }
+{ .mfb; add     r16=24,r33
+        br      .L_cheat_entry_point8   };;
+.endp   bn_sqr_comba8#
+#endif
+
+#if 1
+// I've estimated this routine to run in ~120 ticks, but in reality
+// (i.e. according to ar.itc) it takes ~160 ticks. Are those extra
+// cycles consumed for instructions fetch? Or did I misinterpret some
+// clause in Itanium µ-architecture manual? Comments are welcomed and
+// highly appreciated.
+//
+// However! It should be noted that even 160 ticks is darn good result
+// as it's over 10 (yes, ten, spelled as t-e-n) times faster than the
+// C version (compiled with gcc with inline assembler). I really
+// kicked compiler's butt here, didn't I? Yeah! This brings us to the
+// following statement. It's damn shame that this routine isn't called
+// very often nowadays! According to the profiler most CPU time is
+// consumed by bn_mul_add_words called from BN_from_montgomery. In
+// order to estimate what we're missing, I've compared the performance
+// of this routine against "traditional" implementation, i.e. against
+// following routine:
+//
+// void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+// {    r[ 8]=bn_mul_words(    &(r[0]),a,8,b[0]);
+//      r[ 9]=bn_mul_add_words(&(r[1]),a,8,b[1]);
+//      r[10]=bn_mul_add_words(&(r[2]),a,8,b[2]);
+//      r[11]=bn_mul_add_words(&(r[3]),a,8,b[3]);
+//      r[12]=bn_mul_add_words(&(r[4]),a,8,b[4]);
+//      r[13]=bn_mul_add_words(&(r[5]),a,8,b[5]);
+//      r[14]=bn_mul_add_words(&(r[6]),a,8,b[6]);
+//      r[15]=bn_mul_add_words(&(r[7]),a,8,b[7]);
+// }
+//
+// The one below is over 8 times faster than the one above:-( Even
+// more reasons to "combafy" bn_mul_add_mont...
+//
+// And yes, this routine really made me wish there were an optimizing
+// assembler! It also feels like it deserves a dedication.
+//
+//      To my wife for being there and to my kids...
+//
+// void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+//
+#define carry1  r14
+#define carry2  r15
+#define carry3  r34
+.global bn_mul_comba8#
+.proc   bn_mul_comba8#
+.align  64
+bn_mul_comba8:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+{ .mii; alloc   r2=ar.pfs,3,0,0,0
+        add     r14=8,r33
+        add     r17=8,r34               }
+        .body
+{ .mii; add     r15=16,r33
+        add     r18=16,r34
+        add     r16=24,r33              }
+.L_cheat_entry_point8:
+{ .mmi; add     r19=24,r34
+
+        ldf8    f32=[r33],32            };;
+
+{ .mmi; ldf8    f120=[r34],32
+        ldf8    f121=[r17],32           }
+{ .mmi; ldf8    f122=[r18],32
+        ldf8    f123=[r19],32           };;
+{ .mmi; ldf8    f124=[r34]
+        ldf8    f125=[r17]              }
+{ .mmi; ldf8    f126=[r18]
+        ldf8    f127=[r19]              }
+
+{ .mmi; ldf8    f33=[r14],32
+        ldf8    f34=[r15],32            }
+{ .mmi; ldf8    f35=[r16],32;;
+        ldf8    f36=[r33]               }
+{ .mmi; ldf8    f37=[r14]
+        ldf8    f38=[r15]               }
+{ .mfi; ldf8    f39=[r16]
+// -------\ Entering multiplier's heaven /-------
+// ------------\                    /------------
+// -----------------\          /-----------------
+// ----------------------\/----------------------
+                xma.hu  f41=f32,f120,f0         }
+{ .mfi;         xma.lu  f40=f32,f120,f0         };; // (*)
+{ .mfi;         xma.hu  f51=f32,f121,f0         }
+{ .mfi;         xma.lu  f50=f32,f121,f0         };;
+{ .mfi;         xma.hu  f61=f32,f122,f0         }
+{ .mfi;         xma.lu  f60=f32,f122,f0         };;
+{ .mfi;         xma.hu  f71=f32,f123,f0         }
+{ .mfi;         xma.lu  f70=f32,f123,f0         };;
+{ .mfi;         xma.hu  f81=f32,f124,f0         }
+{ .mfi;         xma.lu  f80=f32,f124,f0         };;
+{ .mfi;         xma.hu  f91=f32,f125,f0         }
+{ .mfi;         xma.lu  f90=f32,f125,f0         };;
+{ .mfi;         xma.hu  f101=f32,f126,f0        }
+{ .mfi;         xma.lu  f100=f32,f126,f0        };;
+{ .mfi;         xma.hu  f111=f32,f127,f0        }
+{ .mfi;         xma.lu  f110=f32,f127,f0        };;//
+// (*)  You can argue that splitting at every second bundle would
+//      prevent "wider" IA-64 implementations from achieving the peak
+//      performance. Well, not really... The catch is that if you
+//      intend to keep 4 FP units busy by splitting at every fourth
+//      bundle and thus perform these 16 multiplications in 4 ticks,
+//      the first bundle *below* would stall because the result from
+//      the first xma bundle *above* won't be available for another 3
+//      ticks (if not more, being an optimist, I assume that "wider"
+//      implementation will have same latency:-). This stall will hold
+//      you back and the performance would be as if every second bundle
+//      were split *anyway*...
+{ .mfi; getf.sig        r16=f40
+                xma.hu  f42=f33,f120,f41
+        add             r33=8,r32               }
+{ .mfi;         xma.lu  f41=f33,f120,f41        };;
+{ .mfi; getf.sig        r24=f50
+                xma.hu  f52=f33,f121,f51        }
+{ .mfi;         xma.lu  f51=f33,f121,f51        };;
+{ .mfi; st8             [r32]=r16,16
+                xma.hu  f62=f33,f122,f61        }
+{ .mfi;         xma.lu  f61=f33,f122,f61        };;
+{ .mfi;         xma.hu  f72=f33,f123,f71        }
+{ .mfi;         xma.lu  f71=f33,f123,f71        };;
+{ .mfi;         xma.hu  f82=f33,f124,f81        }
+{ .mfi;         xma.lu  f81=f33,f124,f81        };;
+{ .mfi;         xma.hu  f92=f33,f125,f91        }
+{ .mfi;         xma.lu  f91=f33,f125,f91        };;
+{ .mfi;         xma.hu  f102=f33,f126,f101      }
+{ .mfi;         xma.lu  f101=f33,f126,f101      };;
+{ .mfi;         xma.hu  f112=f33,f127,f111      }
+{ .mfi;         xma.lu  f111=f33,f127,f111      };;//
+//-------------------------------------------------//
+{ .mfi; getf.sig        r25=f41
+                xma.hu  f43=f34,f120,f42        }
+{ .mfi;         xma.lu  f42=f34,f120,f42        };;
+{ .mfi; getf.sig        r16=f60
+                xma.hu  f53=f34,f121,f52        }
+{ .mfi;         xma.lu  f52=f34,f121,f52        };;
+{ .mfi; getf.sig        r17=f51
+                xma.hu  f63=f34,f122,f62
+        add             r25=r25,r24             }
+{ .mfi;         xma.lu  f62=f34,f122,f62
+        mov             carry1=0                };;
+{ .mfi; cmp.ltu         p6,p0=r25,r24
+                xma.hu  f73=f34,f123,f72        }
+{ .mfi;         xma.lu  f72=f34,f123,f72        };;
+{ .mfi; st8             [r33]=r25,16
+                xma.hu  f83=f34,f124,f82
+(p6)    add             carry1=1,carry1         }
+{ .mfi;         xma.lu  f82=f34,f124,f82        };;
+{ .mfi;         xma.hu  f93=f34,f125,f92        }
+{ .mfi;         xma.lu  f92=f34,f125,f92        };;
+{ .mfi;         xma.hu  f103=f34,f126,f102      }
+{ .mfi;         xma.lu  f102=f34,f126,f102      };;
+{ .mfi;         xma.hu  f113=f34,f127,f112      }
+{ .mfi;         xma.lu  f112=f34,f127,f112      };;//
+//-------------------------------------------------//
+{ .mfi; getf.sig        r18=f42
+                xma.hu  f44=f35,f120,f43
+        add             r17=r17,r16             }
+{ .mfi;         xma.lu  f43=f35,f120,f43        };;
+{ .mfi; getf.sig        r24=f70
+                xma.hu  f54=f35,f121,f53        }
+{ .mfi; mov             carry2=0
+                xma.lu  f53=f35,f121,f53        };;
+{ .mfi; getf.sig        r25=f61
+                xma.hu  f64=f35,f122,f63
+        cmp.ltu         p7,p0=r17,r16           }
+{ .mfi; add             r18=r18,r17
+                xma.lu  f63=f35,f122,f63        };;
+{ .mfi; getf.sig        r26=f52
+                xma.hu  f74=f35,f123,f73
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r18,r17
+                xma.lu  f73=f35,f123,f73
+        add             r18=r18,carry1          };;
+{ .mfi;
+                xma.hu  f84=f35,f124,f83
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r18,carry1
+                xma.lu  f83=f35,f124,f83        };;
+{ .mfi; st8             [r32]=r18,16
+                xma.hu  f94=f35,f125,f93
+(p7)    add             carry2=1,carry2         }
+{ .mfi;         xma.lu  f93=f35,f125,f93        };;
+{ .mfi;         xma.hu  f104=f35,f126,f103      }
+{ .mfi;         xma.lu  f103=f35,f126,f103      };;
+{ .mfi;         xma.hu  f114=f35,f127,f113      }
+{ .mfi; mov             carry1=0
+                xma.lu  f113=f35,f127,f113
+        add             r25=r25,r24             };;//
+//-------------------------------------------------//
+{ .mfi; getf.sig        r27=f43
+                xma.hu  f45=f36,f120,f44
+        cmp.ltu         p6,p0=r25,r24           }
+{ .mfi;         xma.lu  f44=f36,f120,f44        
+        add             r26=r26,r25             };;
+{ .mfi; getf.sig        r16=f80
+                xma.hu  f55=f36,f121,f54
+(p6)    add             carry1=1,carry1         }
+{ .mfi;         xma.lu  f54=f36,f121,f54        };;
+{ .mfi; getf.sig        r17=f71
+                xma.hu  f65=f36,f122,f64
+        cmp.ltu         p6,p0=r26,r25           }
+{ .mfi;         xma.lu  f64=f36,f122,f64
+        add             r27=r27,r26             };;
+{ .mfi; getf.sig        r18=f62
+                xma.hu  f75=f36,f123,f74
+(p6)    add             carry1=1,carry1         }
+{ .mfi; cmp.ltu         p6,p0=r27,r26
+                xma.lu  f74=f36,f123,f74
+        add             r27=r27,carry2          };;
+{ .mfi; getf.sig        r19=f53
+                xma.hu  f85=f36,f124,f84
+(p6)    add             carry1=1,carry1         }
+{ .mfi;         xma.lu  f84=f36,f124,f84
+        cmp.ltu         p6,p0=r27,carry2        };;
+{ .mfi; st8             [r33]=r27,16
+                xma.hu  f95=f36,f125,f94
+(p6)    add             carry1=1,carry1         }
+{ .mfi;         xma.lu  f94=f36,f125,f94        };;
+{ .mfi;         xma.hu  f105=f36,f126,f104      }
+{ .mfi; mov             carry2=0
+                xma.lu  f104=f36,f126,f104
+        add             r17=r17,r16             };;
+{ .mfi;         xma.hu  f115=f36,f127,f114
+        cmp.ltu         p7,p0=r17,r16           }
+{ .mfi;         xma.lu  f114=f36,f127,f114
+        add             r18=r18,r17             };;//
+//-------------------------------------------------//
+{ .mfi; getf.sig        r20=f44
+                xma.hu  f46=f37,f120,f45
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r18,r17
+                xma.lu  f45=f37,f120,f45
+        add             r19=r19,r18             };;
+{ .mfi; getf.sig        r24=f90
+                xma.hu  f56=f37,f121,f55        }
+{ .mfi;         xma.lu  f55=f37,f121,f55        };;
+{ .mfi; getf.sig        r25=f81
+                xma.hu  f66=f37,f122,f65
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r19,r18
+                xma.lu  f65=f37,f122,f65
+        add             r20=r20,r19             };;
+{ .mfi; getf.sig        r26=f72
+                xma.hu  f76=f37,f123,f75
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r20,r19
+                xma.lu  f75=f37,f123,f75
+        add             r20=r20,carry1          };;
+{ .mfi; getf.sig        r27=f63
+                xma.hu  f86=f37,f124,f85
+(p7)    add             carry2=1,carry2         }
+{ .mfi;         xma.lu  f85=f37,f124,f85
+        cmp.ltu         p7,p0=r20,carry1        };;
+{ .mfi; getf.sig        r28=f54
+                xma.hu  f96=f37,f125,f95
+(p7)    add             carry2=1,carry2         }
+{ .mfi; st8             [r32]=r20,16
+                xma.lu  f95=f37,f125,f95        };;
+{ .mfi;         xma.hu  f106=f37,f126,f105      }
+{ .mfi; mov             carry1=0
+                xma.lu  f105=f37,f126,f105
+        add             r25=r25,r24             };;
+{ .mfi;         xma.hu  f116=f37,f127,f115
+        cmp.ltu         p6,p0=r25,r24           }
+{ .mfi;         xma.lu  f115=f37,f127,f115
+        add             r26=r26,r25             };;//
+//-------------------------------------------------//
+{ .mfi; getf.sig        r29=f45
+                xma.hu  f47=f38,f120,f46
+(p6)    add             carry1=1,carry1         }
+{ .mfi; cmp.ltu         p6,p0=r26,r25
+                xma.lu  f46=f38,f120,f46
+        add             r27=r27,r26             };;
+{ .mfi; getf.sig        r16=f100
+                xma.hu  f57=f38,f121,f56
+(p6)    add             carry1=1,carry1         }
+{ .mfi; cmp.ltu         p6,p0=r27,r26
+                xma.lu  f56=f38,f121,f56
+        add             r28=r28,r27             };;
+{ .mfi; getf.sig        r17=f91
+                xma.hu  f67=f38,f122,f66
+(p6)    add             carry1=1,carry1         }
+{ .mfi; cmp.ltu         p6,p0=r28,r27
+                xma.lu  f66=f38,f122,f66
+        add             r29=r29,r28             };;
+{ .mfi; getf.sig        r18=f82
+                xma.hu  f77=f38,f123,f76
+(p6)    add             carry1=1,carry1         }
+{ .mfi; cmp.ltu         p6,p0=r29,r28
+                xma.lu  f76=f38,f123,f76
+        add             r29=r29,carry2          };;
+{ .mfi; getf.sig        r19=f73
+                xma.hu  f87=f38,f124,f86
+(p6)    add             carry1=1,carry1         }
+{ .mfi;         xma.lu  f86=f38,f124,f86
+        cmp.ltu         p6,p0=r29,carry2        };;
+{ .mfi; getf.sig        r20=f64
+                xma.hu  f97=f38,f125,f96
+(p6)    add             carry1=1,carry1         }
+{ .mfi; st8             [r33]=r29,16
+                xma.lu  f96=f38,f125,f96        };;
+{ .mfi; getf.sig        r21=f55
+                xma.hu  f107=f38,f126,f106      }
+{ .mfi; mov             carry2=0
+                xma.lu  f106=f38,f126,f106
+        add             r17=r17,r16             };;
+{ .mfi;         xma.hu  f117=f38,f127,f116
+        cmp.ltu         p7,p0=r17,r16           }
+{ .mfi;         xma.lu  f116=f38,f127,f116
+        add             r18=r18,r17             };;//
+//-------------------------------------------------//
+{ .mfi; getf.sig        r22=f46
+                xma.hu  f48=f39,f120,f47
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r18,r17
+                xma.lu  f47=f39,f120,f47
+        add             r19=r19,r18             };;
+{ .mfi; getf.sig        r24=f110
+                xma.hu  f58=f39,f121,f57
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r19,r18
+                xma.lu  f57=f39,f121,f57
+        add             r20=r20,r19             };;
+{ .mfi; getf.sig        r25=f101
+                xma.hu  f68=f39,f122,f67
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r20,r19
+                xma.lu  f67=f39,f122,f67
+        add             r21=r21,r20             };;
+{ .mfi; getf.sig        r26=f92
+                xma.hu  f78=f39,f123,f77
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r21,r20
+                xma.lu  f77=f39,f123,f77
+        add             r22=r22,r21             };;
+{ .mfi; getf.sig        r27=f83
+                xma.hu  f88=f39,f124,f87
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r22,r21
+                xma.lu  f87=f39,f124,f87
+        add             r22=r22,carry1          };;
+{ .mfi; getf.sig        r28=f74
+                xma.hu  f98=f39,f125,f97
+(p7)    add             carry2=1,carry2         }
+{ .mfi;         xma.lu  f97=f39,f125,f97
+        cmp.ltu         p7,p0=r22,carry1        };;
+{ .mfi; getf.sig        r29=f65
+                xma.hu  f108=f39,f126,f107
+(p7)    add             carry2=1,carry2         }
+{ .mfi; st8             [r32]=r22,16
+                xma.lu  f107=f39,f126,f107      };;
+{ .mfi; getf.sig        r30=f56
+                xma.hu  f118=f39,f127,f117      }
+{ .mfi;         xma.lu  f117=f39,f127,f117      };;//
+//-------------------------------------------------//
+// Leaving muliplier's heaven... Quite a ride, huh?
+
+{ .mii; getf.sig        r31=f47
+        add             r25=r25,r24
+        mov             carry1=0                };;
+{ .mii;         getf.sig        r16=f111
+        cmp.ltu         p6,p0=r25,r24
+        add             r26=r26,r25             };;
+{ .mfb;         getf.sig        r17=f102        }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r26,r25
+        add             r27=r27,r26             };;
+{ .mfb; nop.m   0x0                             }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r27,r26
+        add             r28=r28,r27             };;
+{ .mii;         getf.sig        r18=f93
+                add             r17=r17,r16
+                mov             carry3=0        }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r28,r27
+        add             r29=r29,r28             };;
+{ .mii;         getf.sig        r19=f84
+                cmp.ltu         p7,p0=r17,r16   }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r29,r28
+        add             r30=r30,r29             };;
+{ .mii;         getf.sig        r20=f75
+                add             r18=r18,r17     }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r30,r29
+        add             r31=r31,r30             };;
+{ .mfb;         getf.sig        r21=f66         }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r18,r17
+                add             r19=r19,r18     }
+{ .mfb; nop.m   0x0                             }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r31,r30
+        add             r31=r31,carry2          };;
+{ .mfb;         getf.sig        r22=f57         }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r19,r18
+                add             r20=r20,r19     }
+{ .mfb; nop.m   0x0                             }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r31,carry2        };;
+{ .mfb;         getf.sig        r23=f48         }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r20,r19
+                add             r21=r21,r20     }
+{ .mii;
+(p6)    add             carry1=1,carry1         }
+{ .mfb; st8             [r33]=r31,16            };;
+
+{ .mfb; getf.sig        r24=f112                }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r21,r20
+                add             r22=r22,r21     };;
+{ .mfb; getf.sig        r25=f103                }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r22,r21
+                add             r23=r23,r22     };;
+{ .mfb; getf.sig        r26=f94                 }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r23,r22
+                add             r23=r23,carry1  };;
+{ .mfb; getf.sig        r27=f85                 }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p8=r23,carry1};;
+{ .mii; getf.sig        r28=f76
+        add             r25=r25,r24
+        mov             carry1=0                }
+{ .mii;         st8             [r32]=r23,16
+        (p7)    add             carry2=1,carry3
+        (p8)    add             carry2=0,carry3 };;
+
+{ .mfb; nop.m   0x0                             }
+{ .mii; getf.sig        r29=f67
+        cmp.ltu         p6,p0=r25,r24
+        add             r26=r26,r25             };;
+{ .mfb; getf.sig        r30=f58                 }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r26,r25
+        add             r27=r27,r26             };;
+{ .mfb;         getf.sig        r16=f113        }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r27,r26
+        add             r28=r28,r27             };;
+{ .mfb;         getf.sig        r17=f104        }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r28,r27
+        add             r29=r29,r28             };;
+{ .mfb;         getf.sig        r18=f95         }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r29,r28
+        add             r30=r30,r29             };;
+{ .mii;         getf.sig        r19=f86
+                add             r17=r17,r16
+                mov             carry3=0        }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r30,r29
+        add             r30=r30,carry2          };;
+{ .mii;         getf.sig        r20=f77
+                cmp.ltu         p7,p0=r17,r16
+                add             r18=r18,r17     }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r30,carry2        };;
+{ .mfb;         getf.sig        r21=f68         }
+{ .mii; st8             [r33]=r30,16
+(p6)    add             carry1=1,carry1         };;
+
+{ .mfb; getf.sig        r24=f114                }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r18,r17
+                add             r19=r19,r18     };;
+{ .mfb; getf.sig        r25=f105                }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r19,r18
+                add             r20=r20,r19     };;
+{ .mfb; getf.sig        r26=f96                 }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r20,r19
+                add             r21=r21,r20     };;
+{ .mfb; getf.sig        r27=f87                 }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r21,r20
+                add             r21=r21,carry1  };;
+{ .mib; getf.sig        r28=f78                 
+        add             r25=r25,r24             }
+{ .mib; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p8=r21,carry1};;
+{ .mii;         st8             [r32]=r21,16
+        (p7)    add             carry2=1,carry3
+        (p8)    add             carry2=0,carry3 }
+
+{ .mii; mov             carry1=0
+        cmp.ltu         p6,p0=r25,r24
+        add             r26=r26,r25             };;
+{ .mfb;         getf.sig        r16=f115        }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r26,r25
+        add             r27=r27,r26             };;
+{ .mfb;         getf.sig        r17=f106        }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r27,r26
+        add             r28=r28,r27             };;
+{ .mfb;         getf.sig        r18=f97         }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r28,r27
+        add             r28=r28,carry2          };;
+{ .mib;         getf.sig        r19=f88
+                add             r17=r17,r16     }
+{ .mib;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r28,carry2        };;
+{ .mii; st8             [r33]=r28,16
+(p6)    add             carry1=1,carry1         }
+
+{ .mii;         mov             carry2=0
+                cmp.ltu         p7,p0=r17,r16
+                add             r18=r18,r17     };;
+{ .mfb; getf.sig        r24=f116                }
+{ .mii; (p7)    add             carry2=1,carry2
+                cmp.ltu         p7,p0=r18,r17
+                add             r19=r19,r18     };;
+{ .mfb; getf.sig        r25=f107                }
+{ .mii; (p7)    add             carry2=1,carry2
+                cmp.ltu         p7,p0=r19,r18
+                add             r19=r19,carry1  };;
+{ .mfb; getf.sig        r26=f98                 }
+{ .mii; (p7)    add             carry2=1,carry2
+                cmp.ltu         p7,p0=r19,carry1};;
+{ .mii;         st8             [r32]=r19,16
+        (p7)    add             carry2=1,carry2 }
+
+{ .mfb; add             r25=r25,r24             };;
+
+{ .mfb;         getf.sig        r16=f117        }
+{ .mii; mov             carry1=0
+        cmp.ltu         p6,p0=r25,r24
+        add             r26=r26,r25             };;
+{ .mfb;         getf.sig        r17=f108        }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r26,r25
+        add             r26=r26,carry2          };;
+{ .mfb; nop.m   0x0                             }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r26,carry2        };;
+{ .mii; st8             [r33]=r26,16
+(p6)    add             carry1=1,carry1         }
+
+{ .mfb;         add             r17=r17,r16     };;
+{ .mfb; getf.sig        r24=f118                }
+{ .mii;         mov             carry2=0
+                cmp.ltu         p7,p0=r17,r16
+                add             r17=r17,carry1  };;
+{ .mii; (p7)    add             carry2=1,carry2
+                cmp.ltu         p7,p0=r17,carry1};;
+{ .mii;         st8             [r32]=r17
+        (p7)    add             carry2=1,carry2 };;
+{ .mfb; add             r24=r24,carry2          };;
+{ .mib; st8             [r33]=r24               }
+
+{ .mib; rum             1<<5            // clear um.mfh
+        br.ret.sptk.many        b0      };;
+.endp   bn_mul_comba8#
+#undef  carry3
+#undef  carry2
+#undef  carry1
+#endif
+
+#if 1
+// It's possible to make it faster (see comment to bn_sqr_comba8), but
+// I reckon it doesn't worth the effort. Basically because the routine
+// (actually both of them) practically never called... So I just play
+// same trick as with bn_sqr_comba8.
+//
+// void bn_sqr_comba4(BN_ULONG *r, BN_ULONG *a)
+//
+.global bn_sqr_comba4#
+.proc   bn_sqr_comba4#
+.align  64
+bn_sqr_comba4:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+{ .mii; alloc   r2=ar.pfs,2,1,0,0
+        mov     r34=r33
+        add     r14=8,r33               };;
+        .body
+{ .mii; add     r17=8,r34
+        add     r15=16,r33
+        add     r18=16,r34              }
+{ .mfb; add     r16=24,r33
+        br      .L_cheat_entry_point4   };;
+.endp   bn_sqr_comba4#
+#endif
+
+#if 1
+// Runs in ~115 cycles and ~4.5 times faster than C. Well, whatever...
+//
+// void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+//
+#define carry1  r14
+#define carry2  r15
+.global bn_mul_comba4#
+.proc   bn_mul_comba4#
+.align  64
+bn_mul_comba4:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+{ .mii; alloc   r2=ar.pfs,3,0,0,0
+        add     r14=8,r33
+        add     r17=8,r34               }
+        .body
+{ .mii; add     r15=16,r33
+        add     r18=16,r34
+        add     r16=24,r33              };;
+.L_cheat_entry_point4:
+{ .mmi; add     r19=24,r34
+
+        ldf8    f32=[r33]               }
+
+{ .mmi; ldf8    f120=[r34]
+        ldf8    f121=[r17]              };;
+{ .mmi; ldf8    f122=[r18]
+        ldf8    f123=[r19]              }
+
+{ .mmi; ldf8    f33=[r14]
+        ldf8    f34=[r15]               }
+{ .mfi; ldf8    f35=[r16]
+
+                xma.hu  f41=f32,f120,f0         }
+{ .mfi;         xma.lu  f40=f32,f120,f0         };;
+{ .mfi;         xma.hu  f51=f32,f121,f0         }
+{ .mfi;         xma.lu  f50=f32,f121,f0         };;
+{ .mfi;         xma.hu  f61=f32,f122,f0         }
+{ .mfi;         xma.lu  f60=f32,f122,f0         };;
+{ .mfi;         xma.hu  f71=f32,f123,f0         }
+{ .mfi;         xma.lu  f70=f32,f123,f0         };;//
+// Major stall takes place here, and 3 more places below. Result from
+// first xma is not available for another 3 ticks.
+{ .mfi; getf.sig        r16=f40
+                xma.hu  f42=f33,f120,f41
+        add             r33=8,r32               }
+{ .mfi;         xma.lu  f41=f33,f120,f41        };;
+{ .mfi; getf.sig        r24=f50
+                xma.hu  f52=f33,f121,f51        }
+{ .mfi;         xma.lu  f51=f33,f121,f51        };;
+{ .mfi; st8             [r32]=r16,16
+                xma.hu  f62=f33,f122,f61        }
+{ .mfi;         xma.lu  f61=f33,f122,f61        };;
+{ .mfi;         xma.hu  f72=f33,f123,f71        }
+{ .mfi;         xma.lu  f71=f33,f123,f71        };;//
+//-------------------------------------------------//
+{ .mfi; getf.sig        r25=f41
+                xma.hu  f43=f34,f120,f42        }
+{ .mfi;         xma.lu  f42=f34,f120,f42        };;
+{ .mfi; getf.sig        r16=f60
+                xma.hu  f53=f34,f121,f52        }
+{ .mfi;         xma.lu  f52=f34,f121,f52        };;
+{ .mfi; getf.sig        r17=f51
+                xma.hu  f63=f34,f122,f62
+        add             r25=r25,r24             }
+{ .mfi; mov             carry1=0
+                xma.lu  f62=f34,f122,f62        };;
+{ .mfi; st8             [r33]=r25,16
+                xma.hu  f73=f34,f123,f72
+        cmp.ltu         p6,p0=r25,r24           }
+{ .mfi;         xma.lu  f72=f34,f123,f72        };;//
+//-------------------------------------------------//
+{ .mfi; getf.sig        r18=f42
+                xma.hu  f44=f35,f120,f43
+(p6)    add             carry1=1,carry1         }
+{ .mfi; add             r17=r17,r16
+                xma.lu  f43=f35,f120,f43
+        mov             carry2=0                };;
+{ .mfi; getf.sig        r24=f70
+                xma.hu  f54=f35,f121,f53
+        cmp.ltu         p7,p0=r17,r16           }
+{ .mfi;         xma.lu  f53=f35,f121,f53        };;
+{ .mfi; getf.sig        r25=f61
+                xma.hu  f64=f35,f122,f63
+        add             r18=r18,r17             }
+{ .mfi;         xma.lu  f63=f35,f122,f63
+(p7)    add             carry2=1,carry2         };;
+{ .mfi; getf.sig        r26=f52
+                xma.hu  f74=f35,f123,f73
+        cmp.ltu         p7,p0=r18,r17           }
+{ .mfi;         xma.lu  f73=f35,f123,f73
+        add             r18=r18,carry1          };;
+//-------------------------------------------------//
+{ .mii; st8             [r32]=r18,16
+(p7)    add             carry2=1,carry2
+        cmp.ltu         p7,p0=r18,carry1        };;
+
+{ .mfi; getf.sig        r27=f43 // last major stall
+(p7)    add             carry2=1,carry2         };;
+{ .mii;         getf.sig        r16=f71
+        add             r25=r25,r24
+        mov             carry1=0                };;
+{ .mii;         getf.sig        r17=f62 
+        cmp.ltu         p6,p0=r25,r24
+        add             r26=r26,r25             };;
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r26,r25
+        add             r27=r27,r26             };;
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r27,r26
+        add             r27=r27,carry2          };;
+{ .mii;         getf.sig        r18=f53
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r27,carry2        };;
+{ .mfi; st8             [r33]=r27,16
+(p6)    add             carry1=1,carry1         }
+
+{ .mii;         getf.sig        r19=f44
+                add             r17=r17,r16
+                mov             carry2=0        };;
+{ .mii; getf.sig        r24=f72
+                cmp.ltu         p7,p0=r17,r16
+                add             r18=r18,r17     };;
+{ .mii; (p7)    add             carry2=1,carry2
+                cmp.ltu         p7,p0=r18,r17
+                add             r19=r19,r18     };;
+{ .mii; (p7)    add             carry2=1,carry2
+                cmp.ltu         p7,p0=r19,r18
+                add             r19=r19,carry1  };;
+{ .mii; getf.sig        r25=f63
+        (p7)    add             carry2=1,carry2
+                cmp.ltu         p7,p0=r19,carry1};;
+{ .mii;         st8             [r32]=r19,16
+        (p7)    add             carry2=1,carry2 }
+
+{ .mii; getf.sig        r26=f54
+        add             r25=r25,r24
+        mov             carry1=0                };;
+{ .mii;         getf.sig        r16=f73
+        cmp.ltu         p6,p0=r25,r24
+        add             r26=r26,r25             };;
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r26,r25
+        add             r26=r26,carry2          };;
+{ .mii;         getf.sig        r17=f64
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r26,carry2        };;
+{ .mii; st8             [r33]=r26,16
+(p6)    add             carry1=1,carry1         }
+
+{ .mii; getf.sig        r24=f74
+                add             r17=r17,r16     
+                mov             carry2=0        };;
+{ .mii;         cmp.ltu         p7,p0=r17,r16
+                add             r17=r17,carry1  };;
+
+{ .mii; (p7)    add             carry2=1,carry2
+                cmp.ltu         p7,p0=r17,carry1};;
+{ .mii;         st8             [r32]=r17,16
+        (p7)    add             carry2=1,carry2 };;
+
+{ .mii; add             r24=r24,carry2          };;
+{ .mii; st8             [r33]=r24               }
+
+{ .mib; rum             1<<5            // clear um.mfh
+        br.ret.sptk.many        b0      };;
+.endp   bn_mul_comba4#
+#undef  carry2
+#undef  carry1
+#endif
+
+#if 1
+//
+// BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d)
+//
+// In the nutshell it's a port of my MIPS III/IV implementation.
+//
+#define AT      r14
+#define H       r16
+#define HH      r20
+#define L       r17
+#define D       r18
+#define DH      r22
+#define I       r21
+
+#if 0
+// Some preprocessors (most notably HP-UX) apper to be allergic to
+// macros enclosed to parenthesis as these three will be.
+#define cont    p16
+#define break   p0      // p20
+#define equ     p24
+#else
+cont=p16
+break=p0
+equ=p24
+#endif
+
+.global abort#
+.global bn_div_words#
+.proc   bn_div_words#
+.align  64
+bn_div_words:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+        .save   b0,r3
+{ .mii; alloc           r2=ar.pfs,3,5,0,8
+        mov             r3=b0
+        mov             r10=pr          };;
+{ .mmb; cmp.eq          p6,p0=r34,r0
+        mov             r8=-1
+(p6)    br.ret.spnt.many        b0      };;
+
+        .body
+{ .mii; mov             H=r32           // save h
+        mov             ar.ec=0         // don't rotate at exit
+        mov             pr.rot=0        }
+{ .mii; mov             L=r33           // save l
+        mov             r36=r0          };;
+
+.L_divw_shift:  // -vv- note signed comparison
+{ .mfi; (p0)    cmp.lt          p16,p0=r0,r34   // d
+        (p0)    shladd          r33=r34,1,r0    }
+{ .mfb; (p0)    add             r35=1,r36
+        (p0)    nop.f           0x0
+(p16)   br.wtop.dpnt            .L_divw_shift   };;
+
+{ .mii; mov             D=r34
+        shr.u           DH=r34,32
+        sub             r35=64,r36              };;
+{ .mii; setf.sig        f7=DH
+        shr.u           AT=H,r35
+        mov             I=r36                   };;
+{ .mib; cmp.ne          p6,p0=r0,AT
+        shl             H=H,r36
+(p6)    br.call.spnt.clr        b0=abort        };;     // overflow, die...
+
+{ .mfi; fcvt.xuf.s1     f7=f7
+        shr.u           AT=L,r35                };;
+{ .mii; shl             L=L,r36
+        or              H=H,AT                  };;
+
+{ .mii; nop.m           0x0
+        cmp.leu         p6,p0=D,H;;
+(p6)    sub             H=H,D                   }
+
+{ .mlx; setf.sig        f14=D
+        movl            AT=0xffffffff           };;
+///////////////////////////////////////////////////////////
+{ .mii; setf.sig        f6=H
+        shr.u           HH=H,32;;
+        cmp.eq          p6,p7=HH,DH             };;
+{ .mfb;
+(p6)    setf.sig        f8=AT
+(p7)    fcvt.xuf.s1     f6=f6
+(p7)    br.call.sptk    b6=.L_udiv64_32_b6      };;
+
+{ .mfi; getf.sig        r33=f8                          // q
+        xmpy.lu         f9=f8,f14               }
+{ .mfi; xmpy.hu         f10=f8,f14
+        shrp            H=H,L,32                };;
+
+{ .mmi; getf.sig        r35=f9                          // tl
+        getf.sig        r31=f10                 };;     // th
+
+.L_divw_1st_iter:
+{ .mii; (p0)    add             r32=-1,r33
+        (p0)    cmp.eq          equ,cont=HH,r31         };;
+{ .mii; (p0)    cmp.ltu         p8,p0=r35,D
+        (p0)    sub             r34=r35,D
+        (equ)   cmp.leu         break,cont=r35,H        };;
+{ .mib; (cont)  cmp.leu         cont,break=HH,r31
+        (p8)    add             r31=-1,r31
+(cont)  br.wtop.spnt            .L_divw_1st_iter        };;
+///////////////////////////////////////////////////////////
+{ .mii; sub             H=H,r35
+        shl             r8=r33,32
+        shl             L=L,32                  };;
+///////////////////////////////////////////////////////////
+{ .mii; setf.sig        f6=H
+        shr.u           HH=H,32;;
+        cmp.eq          p6,p7=HH,DH             };;
+{ .mfb;
+(p6)    setf.sig        f8=AT
+(p7)    fcvt.xuf.s1     f6=f6
+(p7)    br.call.sptk    b6=.L_udiv64_32_b6      };;
+
+{ .mfi; getf.sig        r33=f8                          // q
+        xmpy.lu         f9=f8,f14               }
+{ .mfi; xmpy.hu         f10=f8,f14
+        shrp            H=H,L,32                };;
+
+{ .mmi; getf.sig        r35=f9                          // tl
+        getf.sig        r31=f10                 };;     // th
+
+.L_divw_2nd_iter:
+{ .mii; (p0)    add             r32=-1,r33
+        (p0)    cmp.eq          equ,cont=HH,r31         };;
+{ .mii; (p0)    cmp.ltu         p8,p0=r35,D
+        (p0)    sub             r34=r35,D
+        (equ)   cmp.leu         break,cont=r35,H        };;
+{ .mib; (cont)  cmp.leu         cont,break=HH,r31
+        (p8)    add             r31=-1,r31
+(cont)  br.wtop.spnt            .L_divw_2nd_iter        };;
+///////////////////////////////////////////////////////////
+{ .mii; sub     H=H,r35
+        or      r8=r8,r33
+        mov     ar.pfs=r2               };;
+{ .mii; shr.u   r9=H,I                  // remainder if anybody wants it
+        mov     pr=r10,-1               }
+{ .mfb; br.ret.sptk.many        b0      };;
+
+// Unsigned 64 by 32 (well, by 64 for the moment) bit integer division
+// procedure.
+//
+// inputs:      f6 = (double)a, f7 = (double)b
+// output:      f8 = (int)(a/b)
+// clobbered:   f8,f9,f10,f11,pred
+pred=p15
+// This procedure is essentially Intel code and therefore is
+// copyrighted to Intel Corporation (I suppose...). It's sligtly
+// modified for specific needs.
+.align  32
+.skip   16
+.L_udiv64_32_b6:
+        frcpa.s1        f8,pred=f6,f7;;         // [0]  y0 = 1 / b
+
+(pred)  fnma.s1         f9=f7,f8,f1             // [5]  e0 = 1 - b * y0
+(pred)  fmpy.s1         f10=f6,f8;;             // [5]  q0 = a * y0
+(pred)  fmpy.s1         f11=f9,f9               // [10] e1 = e0 * e0
+(pred)  fma.s1          f10=f9,f10,f10;;        // [10] q1 = q0 + e0 * q0
+(pred)  fma.s1          f8=f9,f8,f8     //;;    // [15] y1 = y0 + e0 * y0
+(pred)  fma.s1          f9=f11,f10,f10;;        // [15] q2 = q1 + e1 * q1
+(pred)  fma.s1          f8=f11,f8,f8    //;;    // [20] y2 = y1 + e1 * y1
+(pred)  fnma.s1         f10=f7,f9,f6;;          // [20] r2 = a - b * q2
+(pred)  fma.s1          f8=f10,f8,f9;;          // [25] q3 = q2 + r2 * y2
+
+        fcvt.fxu.trunc.s1       f8=f8           // [30] q = trunc(q3)
+        br.ret.sptk.many        b6;;
+.endp   bn_div_words#
+#endif
diff --git a/src/lib/libssl/src/crypto/bn/asm/mips1.s b/src/lib/libssl/src/crypto/bn/asm/mips1.s
new file mode 100644
index 0000000000..44fa1254c7
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/mips1.s
@@ -0,0 +1,539 @@
+/* This assember is for R2000/R3000 machines, or higher ones that do
+ * no want to do any 64 bit arithmatic.
+ * Make sure that the SSLeay bignum library is compiled with 
+ * THIRTY_TWO_BIT set.
+ * This must either be compiled with the system CC, or, if you use GNU gas,
+ * cc -E mips1.s|gas -o mips1.o
+ */
+        .set    reorder
+        .set    noat
+
+#define R1      $1
+#define CC      $2
+#define R2      $3
+#define R3      $8
+#define R4      $9
+#define L1      $10
+#define L2      $11
+#define L3      $12
+#define L4      $13
+#define H1      $14
+#define H2      $15
+#define H3      $24
+#define H4      $25
+
+#define P1      $4
+#define P2      $5
+#define P3      $6
+#define P4      $7
+
+        .align  2
+        .ent    bn_mul_add_words
+        .globl  bn_mul_add_words
+.text
+bn_mul_add_words:
+        .frame  $sp,0,$31
+        .mask   0x00000000,0
+        .fmask  0x00000000,0
+
+        #blt    P3,4,$lab34
+        
+        subu    R1,P3,4
+        move    CC,$0
+        bltz    R1,$lab34
+$lab2:  
+        lw      R1,0(P1)
+         lw     L1,0(P2)
+        lw      R2,4(P1)
+         lw     L2,4(P2)
+        lw      R3,8(P1)
+         lw     L3,8(P2)
+        lw      R4,12(P1)
+         lw     L4,12(P2)
+        multu   L1,P4
+         addu   R1,R1,CC
+        mflo    L1
+         sltu   CC,R1,CC
+        addu    R1,R1,L1
+         mfhi   H1
+        sltu    L1,R1,L1
+         sw     R1,0(P1)
+        addu    CC,CC,L1
+         multu  L2,P4
+        addu    CC,H1,CC
+        mflo    L2
+         addu   R2,R2,CC
+        sltu    CC,R2,CC
+         mfhi   H2
+        addu    R2,R2,L2
+         addu   P2,P2,16
+        sltu    L2,R2,L2
+         sw     R2,4(P1)
+        addu    CC,CC,L2
+         multu  L3,P4
+        addu    CC,H2,CC
+        mflo    L3
+         addu   R3,R3,CC
+        sltu    CC,R3,CC
+         mfhi   H3
+        addu    R3,R3,L3
+         addu   P1,P1,16
+        sltu    L3,R3,L3
+         sw     R3,-8(P1)
+        addu    CC,CC,L3
+         multu  L4,P4
+        addu    CC,H3,CC
+        mflo    L4
+         addu   R4,R4,CC
+        sltu    CC,R4,CC
+         mfhi   H4
+        addu    R4,R4,L4
+         subu   P3,P3,4
+        sltu    L4,R4,L4
+        addu    CC,CC,L4
+        addu    CC,H4,CC
+
+        subu    R1,P3,4
+        sw      R4,-4(P1)       # delay slot
+        bgez    R1,$lab2
+
+        bleu    P3,0,$lab3
+        .align  2
+$lab33: 
+        lw      L1,0(P2)
+         lw     R1,0(P1)
+        multu   L1,P4
+         addu   R1,R1,CC
+        sltu    CC,R1,CC
+         addu   P1,P1,4
+        mflo    L1
+         mfhi   H1
+        addu    R1,R1,L1
+         addu   P2,P2,4
+        sltu    L1,R1,L1
+         subu   P3,P3,1
+        addu    CC,CC,L1
+         sw     R1,-4(P1)
+        addu    CC,H1,CC
+         bgtz   P3,$lab33
+        j       $31
+        .align  2
+$lab3:
+        j       $31
+        .align  2
+$lab34:
+        bgt     P3,0,$lab33
+        j       $31
+        .end    bn_mul_add_words
+
+        .align  2
+        # Program Unit: bn_mul_words
+        .ent    bn_mul_words
+        .globl  bn_mul_words
+.text
+bn_mul_words:
+        .frame  $sp,0,$31
+        .mask   0x00000000,0
+        .fmask  0x00000000,0
+        
+        subu    P3,P3,4
+        move    CC,$0
+        bltz    P3,$lab45
+$lab44: 
+        lw      L1,0(P2)
+         lw     L2,4(P2)
+        lw      L3,8(P2)
+         lw     L4,12(P2)
+        multu   L1,P4
+         subu   P3,P3,4
+        mflo    L1
+         mfhi   H1
+        addu    L1,L1,CC
+         multu  L2,P4
+        sltu    CC,L1,CC
+         sw     L1,0(P1)
+        addu    CC,H1,CC
+         mflo   L2
+        mfhi    H2
+         addu   L2,L2,CC
+        multu   L3,P4
+         sltu   CC,L2,CC
+        sw      L2,4(P1)
+         addu   CC,H2,CC
+        mflo    L3
+         mfhi   H3
+        addu    L3,L3,CC
+         multu  L4,P4
+        sltu    CC,L3,CC
+         sw     L3,8(P1)
+        addu    CC,H3,CC
+         mflo   L4
+        mfhi    H4
+         addu   L4,L4,CC
+        addu    P1,P1,16
+         sltu   CC,L4,CC
+        addu    P2,P2,16
+         addu   CC,H4,CC
+        sw      L4,-4(P1)
+
+        bgez    P3,$lab44
+        b       $lab45
+$lab46:
+        lw      L1,0(P2)
+         addu   P1,P1,4
+        multu   L1,P4
+         addu   P2,P2,4
+        mflo    L1
+         mfhi   H1
+        addu    L1,L1,CC
+         subu   P3,P3,1
+        sltu    CC,L1,CC
+         sw     L1,-4(P1)
+        addu    CC,H1,CC
+         bgtz   P3,$lab46
+        j       $31
+$lab45:
+        addu    P3,P3,4
+        bgtz    P3,$lab46
+        j       $31
+        .align  2
+        .end    bn_mul_words
+
+        # Program Unit: bn_sqr_words
+        .ent    bn_sqr_words
+        .globl  bn_sqr_words
+.text
+bn_sqr_words:
+        .frame  $sp,0,$31
+        .mask   0x00000000,0
+        .fmask  0x00000000,0
+        
+        subu    P3,P3,4
+        bltz    P3,$lab55
+$lab54:
+        lw      L1,0(P2)
+         lw     L2,4(P2)
+        lw      L3,8(P2)
+         lw     L4,12(P2)
+
+        multu   L1,L1
+         subu   P3,P3,4
+        mflo    L1
+         mfhi   H1
+        sw      L1,0(P1)
+         sw     H1,4(P1)
+
+        multu   L2,L2
+         addu   P1,P1,32
+        mflo    L2
+         mfhi   H2
+        sw      L2,-24(P1)
+         sw     H2,-20(P1)
+
+        multu   L3,L3
+         addu   P2,P2,16
+        mflo    L3
+         mfhi   H3
+        sw      L3,-16(P1)
+         sw     H3,-12(P1)
+
+        multu   L4,L4
+
+        mflo    L4
+         mfhi   H4
+        sw      L4,-8(P1)
+         sw     H4,-4(P1)
+
+        bgtz    P3,$lab54
+        b       $lab55
+$lab56: 
+        lw      L1,0(P2)
+        addu    P1,P1,8
+        multu   L1,L1
+        addu    P2,P2,4
+        subu    P3,P3,1
+        mflo    L1
+        mfhi    H1
+        sw      L1,-8(P1)
+        sw      H1,-4(P1)
+
+        bgtz    P3,$lab56
+        j       $31
+$lab55:
+        addu    P3,P3,4
+        bgtz    P3,$lab56
+        j       $31
+        .align  2
+        .end    bn_sqr_words
+
+        # Program Unit: bn_add_words
+        .ent    bn_add_words
+        .globl  bn_add_words
+.text
+bn_add_words:    # 0x590
+        .frame  $sp,0,$31
+        .mask   0x00000000,0
+        .fmask  0x00000000,0
+        
+        subu    P4,P4,4
+        move    CC,$0
+        bltz    P4,$lab65
+$lab64: 
+        lw      L1,0(P2)
+        lw      R1,0(P3)
+        lw      L2,4(P2)
+        lw      R2,4(P3)
+
+        addu    L1,L1,CC
+         lw     L3,8(P2)
+        sltu    CC,L1,CC
+         addu   L1,L1,R1
+        sltu    R1,L1,R1
+         lw     R3,8(P3)
+        addu    CC,CC,R1
+         lw     L4,12(P2)
+
+        addu    L2,L2,CC
+         lw     R4,12(P3)
+        sltu    CC,L2,CC
+         addu   L2,L2,R2
+        sltu    R2,L2,R2
+         sw     L1,0(P1)
+        addu    CC,CC,R2
+         addu   P1,P1,16
+        addu    L3,L3,CC
+         sw     L2,-12(P1)
+ 
+        sltu    CC,L3,CC
+         addu   L3,L3,R3
+        sltu    R3,L3,R3
+         addu   P2,P2,16
+        addu    CC,CC,R3
+
+        addu    L4,L4,CC
+         addu   P3,P3,16
+        sltu    CC,L4,CC
+         addu   L4,L4,R4
+        subu    P4,P4,4
+         sltu   R4,L4,R4
+        sw      L3,-8(P1)
+         addu   CC,CC,R4
+        sw      L4,-4(P1)
+
+        bgtz    P4,$lab64
+        b       $lab65
+$lab66:
+        lw      L1,0(P2)
+         lw     R1,0(P3)
+        addu    L1,L1,CC
+         addu   P1,P1,4
+        sltu    CC,L1,CC
+         addu   P2,P2,4
+        addu    P3,P3,4
+         addu   L1,L1,R1
+        subu    P4,P4,1
+         sltu   R1,L1,R1
+        sw      L1,-4(P1)
+         addu   CC,CC,R1
+
+        bgtz    P4,$lab66
+        j       $31
+$lab65:
+        addu    P4,P4,4
+        bgtz    P4,$lab66
+        j       $31
+        .end    bn_add_words
+
+        # Program Unit: bn_div64
+        .set    at
+        .set    reorder
+        .text   
+        .align  2
+        .globl  bn_div64
+ # 321          {
+        .ent    bn_div64 2
+bn_div64:
+        subu    $sp, 64
+        sw      $31, 56($sp)
+        sw      $16, 48($sp)
+        .mask   0x80010000, -56
+        .frame  $sp, 64, $31
+        move    $9, $4
+        move    $12, $5
+        move    $16, $6
+ # 322          BN_ULONG dh,dl,q,ret=0,th,tl,t;
+        move    $31, $0
+ # 323          int i,count=2;
+        li      $13, 2
+ # 324  
+ # 325          if (d == 0) return(BN_MASK2);
+        bne     $16, 0, $80
+        li      $2, -1
+        b       $93
+$80:
+ # 326  
+ # 327          i=BN_num_bits_word(d);
+        move    $4, $16
+        sw      $31, 16($sp)
+        sw      $9, 24($sp)
+        sw      $12, 32($sp)
+        sw      $13, 40($sp)
+        .livereg        0x800ff0e,0xfff
+        jal     BN_num_bits_word
+        li      $4, 32
+        lw      $31, 16($sp)
+        lw      $9, 24($sp)
+        lw      $12, 32($sp)
+        lw      $13, 40($sp)
+        move    $3, $2
+ # 328          if ((i != BN_BITS2) && (h > (BN_ULONG)1<<i))
+        beq     $2, $4, $81
+        li      $14, 1
+        sll     $15, $14, $2
+        bleu    $9, $15, $81
+ # 329                  {
+ # 330  #if !defined(NO_STDIO) && !defined(WIN16)
+ # 331                  fprintf(stderr,"Division would overflow (%d)\n",i);
+ # 332  #endif
+ # 333                  abort();
+        sw      $3, 8($sp)
+        sw      $9, 24($sp)
+        sw      $12, 32($sp)
+        sw      $13, 40($sp)
+        sw      $31, 26($sp)
+        .livereg        0xff0e,0xfff
+        jal     abort
+        lw      $3, 8($sp)
+        li      $4, 32
+        lw      $9, 24($sp)
+        lw      $12, 32($sp)
+        lw      $13, 40($sp)
+        lw      $31, 26($sp)
+ # 334                  }
+$81:
+ # 335          i=BN_BITS2-i;
+        subu    $3, $4, $3
+ # 336          if (h >= d) h-=d;
+        bltu    $9, $16, $82
+        subu    $9, $9, $16
+$82:
+ # 337  
+ # 338          if (i)
+        beq     $3, 0, $83
+ # 339                  {
+ # 340                  d<<=i;
+        sll     $16, $16, $3
+ # 341                  h=(h<<i)|(l>>(BN_BITS2-i));
+        sll     $24, $9, $3
+        subu    $25, $4, $3
+        srl     $14, $12, $25
+        or      $9, $24, $14
+ # 342                  l<<=i;
+        sll     $12, $12, $3
+ # 343                  }
+$83:
+ # 344          dh=(d&BN_MASK2h)>>BN_BITS4;
+ # 345          dl=(d&BN_MASK2l);
+        and     $8, $16, -65536
+        srl     $8, $8, 16
+        and     $10, $16, 65535
+        li      $6, -65536
+$84:
+ # 346          for (;;)
+ # 347                  {
+ # 348                  if ((h>>BN_BITS4) == dh)
+        srl     $15, $9, 16
+        bne     $8, $15, $85
+ # 349                          q=BN_MASK2l;
+        li      $5, 65535
+        b       $86
+$85:
+ # 350                  else
+ # 351                          q=h/dh;
+        divu    $5, $9, $8
+$86:
+ # 352  
+ # 353                  for (;;)
+ # 354                          {
+ # 355                          t=(h-q*dh);
+        mul     $4, $5, $8
+        subu    $2, $9, $4
+        move    $3, $2
+ # 356                          if ((t&BN_MASK2h) ||
+ # 357                                  ((dl*q) <= (
+ # 358                                          (t<<BN_BITS4)+
+ # 359                                          ((l&BN_MASK2h)>>BN_BITS4))))
+        and     $25, $2, $6
+        bne     $25, $0, $87
+        mul     $24, $10, $5
+        sll     $14, $3, 16
+        and     $15, $12, $6
+        srl     $25, $15, 16
+        addu    $15, $14, $25
+        bgtu    $24, $15, $88
+$87:
+ # 360                                  break;
+        mul     $3, $10, $5
+        b       $89
+$88:
+ # 361                          q--;
+        addu    $5, $5, -1
+ # 362                          }
+        b       $86
+$89:
+ # 363                  th=q*dh;
+ # 364                  tl=q*dl;
+ # 365                  t=(tl>>BN_BITS4);
+ # 366                  tl=(tl<<BN_BITS4)&BN_MASK2h;
+        sll     $14, $3, 16
+        and     $2, $14, $6
+        move    $11, $2
+ # 367                  th+=t;
+        srl     $25, $3, 16
+        addu    $7, $4, $25
+ # 368  
+ # 369                  if (l < tl) th++;
+        bgeu    $12, $2, $90
+        addu    $7, $7, 1
+$90:
+ # 370                  l-=tl;
+        subu    $12, $12, $11
+ # 371                  if (h < th)
+        bgeu    $9, $7, $91
+ # 372                          {
+ # 373                          h+=d;
+        addu    $9, $9, $16
+ # 374                          q--;
+        addu    $5, $5, -1
+ # 375                          }
+$91:
+ # 376                  h-=th;
+        subu    $9, $9, $7
+ # 377  
+ # 378                  if (--count == 0) break;
+        addu    $13, $13, -1
+        beq     $13, 0, $92
+ # 379  
+ # 380                  ret=q<<BN_BITS4;
+        sll     $31, $5, 16
+ # 381                  h=((h<<BN_BITS4)|(l>>BN_BITS4))&BN_MASK2;
+        sll     $24, $9, 16
+        srl     $15, $12, 16
+        or      $9, $24, $15
+ # 382                  l=(l&BN_MASK2l)<<BN_BITS4;
+        and     $12, $12, 65535
+        sll     $12, $12, 16
+ # 383                  }
+        b       $84
+$92:
+ # 384          ret|=q;
+        or      $31, $31, $5
+ # 385          return(ret);
+        move    $2, $31
+$93:
+        lw      $16, 48($sp)
+        lw      $31, 56($sp)
+        addu    $sp, 64
+        j       $31
+        .end    bn_div64
+
diff --git a/src/lib/libssl/src/crypto/bn/asm/mips3.s b/src/lib/libssl/src/crypto/bn/asm/mips3.s
new file mode 100644
index 0000000000..191345d920
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/mips3.s
@@ -0,0 +1,2138 @@
+.rdata
+.asciiz "mips3.s, Version 1.0"
+.asciiz "MIPS III/IV ISA artwork by Andy Polyakov <appro@fy.chalmers.se>"
+
+/*
+ * ====================================================================
+ * Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+ * project.
+ *
+ * Rights for redistribution and usage in source and binary forms are
+ * granted according to the OpenSSL license. Warranty of any kind is
+ * disclaimed.
+ * ====================================================================
+ */
+
+/*
+ * This is my modest contributon to the OpenSSL project (see
+ * http://www.openssl.org/ for more information about it) and is
+ * a drop-in MIPS III/IV ISA replacement for crypto/bn/bn_asm.c
+ * module. For updates see http://fy.chalmers.se/~appro/hpe/.
+ *
+ * The module is designed to work with either of the "new" MIPS ABI(5),
+ * namely N32 or N64, offered by IRIX 6.x. It's not ment to work under
+ * IRIX 5.x not only because it doesn't support new ABIs but also
+ * because 5.x kernels put R4x00 CPU into 32-bit mode and all those
+ * 64-bit instructions (daddu, dmultu, etc.) found below gonna only
+ * cause illegal instruction exception:-(
+ *
+ * In addition the code depends on preprocessor flags set up by MIPSpro
+ * compiler driver (either as or cc) and therefore (probably?) can't be
+ * compiled by the GNU assembler. GNU C driver manages fine though...
+ * I mean as long as -mmips-as is specified or is the default option,
+ * because then it simply invokes /usr/bin/as which in turn takes
+ * perfect care of the preprocessor definitions. Another neat feature
+ * offered by the MIPSpro assembler is an optimization pass. This gave
+ * me the opportunity to have the code looking more regular as all those
+ * architecture dependent instruction rescheduling details were left to
+ * the assembler. Cool, huh?
+ *
+ * Performance improvement is astonishing! 'apps/openssl speed rsa dsa'
+ * goes way over 3 times faster!
+ *
+ *                                      <appro@fy.chalmers.se>
+ */
+#include <asm.h>
+#include <regdef.h>
+
+#if _MIPS_ISA>=4
+#define MOVNZ(cond,dst,src)     \
+        movn    dst,src,cond
+#else
+#define MOVNZ(cond,dst,src)     \
+        .set    noreorder;      \
+        bnezl   cond,.+8;       \
+        move    dst,src;        \
+        .set    reorder
+#endif
+
+.text
+
+.set    noat
+.set    reorder
+
+#define MINUS4  v1
+
+.align  5
+LEAF(bn_mul_add_words)
+        .set    noreorder
+        bgtzl   a2,.L_bn_mul_add_words_proceed
+        ld      t0,0(a1)
+        jr      ra
+        move    v0,zero
+        .set    reorder
+
+.L_bn_mul_add_words_proceed:
+        li      MINUS4,-4
+        and     ta0,a2,MINUS4
+        move    v0,zero
+        beqz    ta0,.L_bn_mul_add_words_tail
+
+.L_bn_mul_add_words_loop:
+        dmultu  t0,a3
+        ld      t1,0(a0)
+        ld      t2,8(a1)
+        ld      t3,8(a0)
+        ld      ta0,16(a1)
+        ld      ta1,16(a0)
+        daddu   t1,v0
+        sltu    v0,t1,v0        /* All manuals say it "compares 32-bit
+                                 * values", but it seems to work fine
+                                 * even on 64-bit registers. */
+        mflo    AT
+        mfhi    t0
+        daddu   t1,AT
+        daddu   v0,t0
+        sltu    AT,t1,AT
+        sd      t1,0(a0)
+        daddu   v0,AT
+
+        dmultu  t2,a3
+        ld      ta2,24(a1)
+        ld      ta3,24(a0)
+        daddu   t3,v0
+        sltu    v0,t3,v0
+        mflo    AT
+        mfhi    t2
+        daddu   t3,AT
+        daddu   v0,t2
+        sltu    AT,t3,AT
+        sd      t3,8(a0)
+        daddu   v0,AT
+
+        dmultu  ta0,a3
+        subu    a2,4
+        PTR_ADD a0,32
+        PTR_ADD a1,32
+        daddu   ta1,v0
+        sltu    v0,ta1,v0
+        mflo    AT
+        mfhi    ta0
+        daddu   ta1,AT
+        daddu   v0,ta0
+        sltu    AT,ta1,AT
+        sd      ta1,-16(a0)
+        daddu   v0,AT
+
+
+        dmultu  ta2,a3
+        and     ta0,a2,MINUS4
+        daddu   ta3,v0
+        sltu    v0,ta3,v0
+        mflo    AT
+        mfhi    ta2
+        daddu   ta3,AT
+        daddu   v0,ta2
+        sltu    AT,ta3,AT
+        sd      ta3,-8(a0)
+        daddu   v0,AT
+        .set    noreorder
+        bgtzl   ta0,.L_bn_mul_add_words_loop
+        ld      t0,0(a1)
+
+        bnezl   a2,.L_bn_mul_add_words_tail
+        ld      t0,0(a1)
+        .set    reorder
+
+.L_bn_mul_add_words_return:
+        jr      ra
+
+.L_bn_mul_add_words_tail:
+        dmultu  t0,a3
+        ld      t1,0(a0)
+        subu    a2,1
+        daddu   t1,v0
+        sltu    v0,t1,v0
+        mflo    AT
+        mfhi    t0
+        daddu   t1,AT
+        daddu   v0,t0
+        sltu    AT,t1,AT
+        sd      t1,0(a0)
+        daddu   v0,AT
+        beqz    a2,.L_bn_mul_add_words_return
+
+        ld      t0,8(a1)
+        dmultu  t0,a3
+        ld      t1,8(a0)
+        subu    a2,1
+        daddu   t1,v0
+        sltu    v0,t1,v0
+        mflo    AT
+        mfhi    t0
+        daddu   t1,AT
+        daddu   v0,t0
+        sltu    AT,t1,AT
+        sd      t1,8(a0)
+        daddu   v0,AT
+        beqz    a2,.L_bn_mul_add_words_return
+
+        ld      t0,16(a1)
+        dmultu  t0,a3
+        ld      t1,16(a0)
+        daddu   t1,v0
+        sltu    v0,t1,v0
+        mflo    AT
+        mfhi    t0
+        daddu   t1,AT
+        daddu   v0,t0
+        sltu    AT,t1,AT
+        sd      t1,16(a0)
+        daddu   v0,AT
+        jr      ra
+END(bn_mul_add_words)
+
+.align  5
+LEAF(bn_mul_words)
+        .set    noreorder
+        bgtzl   a2,.L_bn_mul_words_proceed
+        ld      t0,0(a1)
+        jr      ra
+        move    v0,zero
+        .set    reorder
+
+.L_bn_mul_words_proceed:
+        li      MINUS4,-4
+        and     ta0,a2,MINUS4
+        move    v0,zero
+        beqz    ta0,.L_bn_mul_words_tail
+
+.L_bn_mul_words_loop:
+        dmultu  t0,a3
+        ld      t2,8(a1)
+        ld      ta0,16(a1)
+        ld      ta2,24(a1)
+        mflo    AT
+        mfhi    t0
+        daddu   v0,AT
+        sltu    t1,v0,AT
+        sd      v0,0(a0)
+        daddu   v0,t1,t0
+
+        dmultu  t2,a3
+        subu    a2,4
+        PTR_ADD a0,32
+        PTR_ADD a1,32
+        mflo    AT
+        mfhi    t2
+        daddu   v0,AT
+        sltu    t3,v0,AT
+        sd      v0,-24(a0)
+        daddu   v0,t3,t2
+
+        dmultu  ta0,a3
+        mflo    AT
+        mfhi    ta0
+        daddu   v0,AT
+        sltu    ta1,v0,AT
+        sd      v0,-16(a0)
+        daddu   v0,ta1,ta0
+
+
+        dmultu  ta2,a3
+        and     ta0,a2,MINUS4
+        mflo    AT
+        mfhi    ta2
+        daddu   v0,AT
+        sltu    ta3,v0,AT
+        sd      v0,-8(a0)
+        daddu   v0,ta3,ta2
+        .set    noreorder
+        bgtzl   ta0,.L_bn_mul_words_loop
+        ld      t0,0(a1)
+
+        bnezl   a2,.L_bn_mul_words_tail
+        ld      t0,0(a1)
+        .set    reorder
+
+.L_bn_mul_words_return:
+        jr      ra
+
+.L_bn_mul_words_tail:
+        dmultu  t0,a3
+        subu    a2,1
+        mflo    AT
+        mfhi    t0
+        daddu   v0,AT
+        sltu    t1,v0,AT
+        sd      v0,0(a0)
+        daddu   v0,t1,t0
+        beqz    a2,.L_bn_mul_words_return
+
+        ld      t0,8(a1)
+        dmultu  t0,a3
+        subu    a2,1
+        mflo    AT
+        mfhi    t0
+        daddu   v0,AT
+        sltu    t1,v0,AT
+        sd      v0,8(a0)
+        daddu   v0,t1,t0
+        beqz    a2,.L_bn_mul_words_return
+
+        ld      t0,16(a1)
+        dmultu  t0,a3
+        mflo    AT
+        mfhi    t0
+        daddu   v0,AT
+        sltu    t1,v0,AT
+        sd      v0,16(a0)
+        daddu   v0,t1,t0
+        jr      ra
+END(bn_mul_words)
+
+.align  5
+LEAF(bn_sqr_words)
+        .set    noreorder
+        bgtzl   a2,.L_bn_sqr_words_proceed
+        ld      t0,0(a1)
+        jr      ra
+        move    v0,zero
+        .set    reorder
+
+.L_bn_sqr_words_proceed:
+        li      MINUS4,-4
+        and     ta0,a2,MINUS4
+        move    v0,zero
+        beqz    ta0,.L_bn_sqr_words_tail
+
+.L_bn_sqr_words_loop:
+        dmultu  t0,t0
+        ld      t2,8(a1)
+        ld      ta0,16(a1)
+        ld      ta2,24(a1)
+        mflo    t1
+        mfhi    t0
+        sd      t1,0(a0)
+        sd      t0,8(a0)
+
+        dmultu  t2,t2
+        subu    a2,4
+        PTR_ADD a0,64
+        PTR_ADD a1,32
+        mflo    t3
+        mfhi    t2
+        sd      t3,-48(a0)
+        sd      t2,-40(a0)
+
+        dmultu  ta0,ta0
+        mflo    ta1
+        mfhi    ta0
+        sd      ta1,-32(a0)
+        sd      ta0,-24(a0)
+
+
+        dmultu  ta2,ta2
+        and     ta0,a2,MINUS4
+        mflo    ta3
+        mfhi    ta2
+        sd      ta3,-16(a0)
+        sd      ta2,-8(a0)
+
+        .set    noreorder
+        bgtzl   ta0,.L_bn_sqr_words_loop
+        ld      t0,0(a1)
+
+        bnezl   a2,.L_bn_sqr_words_tail
+        ld      t0,0(a1)
+        .set    reorder
+
+.L_bn_sqr_words_return:
+        move    v0,zero
+        jr      ra
+
+.L_bn_sqr_words_tail:
+        dmultu  t0,t0
+        subu    a2,1
+        mflo    t1
+        mfhi    t0
+        sd      t1,0(a0)
+        sd      t0,8(a0)
+        beqz    a2,.L_bn_sqr_words_return
+
+        ld      t0,8(a1)
+        dmultu  t0,t0
+        subu    a2,1
+        mflo    t1
+        mfhi    t0
+        sd      t1,16(a0)
+        sd      t0,24(a0)
+        beqz    a2,.L_bn_sqr_words_return
+
+        ld      t0,16(a1)
+        dmultu  t0,t0
+        mflo    t1
+        mfhi    t0
+        sd      t1,32(a0)
+        sd      t0,40(a0)
+        jr      ra
+END(bn_sqr_words)
+
+.align  5
+LEAF(bn_add_words)
+        .set    noreorder
+        bgtzl   a3,.L_bn_add_words_proceed
+        ld      t0,0(a1)
+        jr      ra
+        move    v0,zero
+        .set    reorder
+
+.L_bn_add_words_proceed:
+        li      MINUS4,-4
+        and     AT,a3,MINUS4
+        move    v0,zero
+        beqz    AT,.L_bn_add_words_tail
+
+.L_bn_add_words_loop:
+        ld      ta0,0(a2)
+        ld      t1,8(a1)
+        ld      ta1,8(a2)
+        ld      t2,16(a1)
+        ld      ta2,16(a2)
+        ld      t3,24(a1)
+        ld      ta3,24(a2)
+        daddu   ta0,t0
+        subu    a3,4
+        sltu    t8,ta0,t0
+        daddu   t0,ta0,v0
+        PTR_ADD a0,32
+        sltu    v0,t0,ta0
+        sd      t0,-32(a0)
+        daddu   v0,t8
+
+        daddu   ta1,t1
+        PTR_ADD a1,32
+        sltu    t9,ta1,t1
+        daddu   t1,ta1,v0
+        PTR_ADD a2,32
+        sltu    v0,t1,ta1
+        sd      t1,-24(a0)
+        daddu   v0,t9
+
+        daddu   ta2,t2
+        and     AT,a3,MINUS4
+        sltu    t8,ta2,t2
+        daddu   t2,ta2,v0
+        sltu    v0,t2,ta2
+        sd      t2,-16(a0)
+        daddu   v0,t8
+        
+        daddu   ta3,t3
+        sltu    t9,ta3,t3
+        daddu   t3,ta3,v0
+        sltu    v0,t3,ta3
+        sd      t3,-8(a0)
+        daddu   v0,t9
+        
+        .set    noreorder
+        bgtzl   AT,.L_bn_add_words_loop
+        ld      t0,0(a1)
+
+        bnezl   a3,.L_bn_add_words_tail
+        ld      t0,0(a1)
+        .set    reorder
+
+.L_bn_add_words_return:
+        jr      ra
+
+.L_bn_add_words_tail:
+        ld      ta0,0(a2)
+        daddu   ta0,t0
+        subu    a3,1
+        sltu    t8,ta0,t0
+        daddu   t0,ta0,v0
+        sltu    v0,t0,ta0
+        sd      t0,0(a0)
+        daddu   v0,t8
+        beqz    a3,.L_bn_add_words_return
+
+        ld      t1,8(a1)
+        ld      ta1,8(a2)
+        daddu   ta1,t1
+        subu    a3,1
+        sltu    t9,ta1,t1
+        daddu   t1,ta1,v0
+        sltu    v0,t1,ta1
+        sd      t1,8(a0)
+        daddu   v0,t9
+        beqz    a3,.L_bn_add_words_return
+
+        ld      t2,16(a1)
+        ld      ta2,16(a2)
+        daddu   ta2,t2
+        sltu    t8,ta2,t2
+        daddu   t2,ta2,v0
+        sltu    v0,t2,ta2
+        sd      t2,16(a0)
+        daddu   v0,t8
+        jr      ra
+END(bn_add_words)
+
+.align  5
+LEAF(bn_sub_words)
+        .set    noreorder
+        bgtzl   a3,.L_bn_sub_words_proceed
+        ld      t0,0(a1)
+        jr      ra
+        move    v0,zero
+        .set    reorder
+
+.L_bn_sub_words_proceed:
+        li      MINUS4,-4
+        and     AT,a3,MINUS4
+        move    v0,zero
+        beqz    AT,.L_bn_sub_words_tail
+
+.L_bn_sub_words_loop:
+        ld      ta0,0(a2)
+        ld      t1,8(a1)
+        ld      ta1,8(a2)
+        ld      t2,16(a1)
+        ld      ta2,16(a2)
+        ld      t3,24(a1)
+        ld      ta3,24(a2)
+        sltu    t8,t0,ta0
+        dsubu   t0,ta0
+        subu    a3,4
+        dsubu   ta0,t0,v0
+        and     AT,a3,MINUS4
+        sd      ta0,0(a0)
+        MOVNZ   (t0,v0,t8)
+
+        sltu    t9,t1,ta1
+        dsubu   t1,ta1
+        PTR_ADD a0,32
+        dsubu   ta1,t1,v0
+        PTR_ADD a1,32
+        sd      ta1,-24(a0)
+        MOVNZ   (t1,v0,t9)
+
+
+        sltu    t8,t2,ta2
+        dsubu   t2,ta2
+        dsubu   ta2,t2,v0
+        PTR_ADD a2,32
+        sd      ta2,-16(a0)
+        MOVNZ   (t2,v0,t8)
+
+        sltu    t9,t3,ta3
+        dsubu   t3,ta3
+        dsubu   ta3,t3,v0
+        sd      ta3,-8(a0)
+        MOVNZ   (t3,v0,t9)
+
+        .set    noreorder
+        bgtzl   AT,.L_bn_sub_words_loop
+        ld      t0,0(a1)
+
+        bnezl   a3,.L_bn_sub_words_tail
+        ld      t0,0(a1)
+        .set    reorder
+
+.L_bn_sub_words_return:
+        jr      ra
+
+.L_bn_sub_words_tail:
+        ld      ta0,0(a2)
+        subu    a3,1
+        sltu    t8,t0,ta0
+        dsubu   t0,ta0
+        dsubu   ta0,t0,v0
+        MOVNZ   (t0,v0,t8)
+        sd      ta0,0(a0)
+        beqz    a3,.L_bn_sub_words_return
+
+        ld      t1,8(a1)
+        subu    a3,1
+        ld      ta1,8(a2)
+        sltu    t9,t1,ta1
+        dsubu   t1,ta1
+        dsubu   ta1,t1,v0
+        MOVNZ   (t1,v0,t9)
+        sd      ta1,8(a0)
+        beqz    a3,.L_bn_sub_words_return
+
+        ld      t2,16(a1)
+        ld      ta2,16(a2)
+        sltu    t8,t2,ta2
+        dsubu   t2,ta2
+        dsubu   ta2,t2,v0
+        MOVNZ   (t2,v0,t8)
+        sd      ta2,16(a0)
+        jr      ra
+END(bn_sub_words)
+
+#undef  MINUS4
+
+.align  5
+LEAF(bn_div_words)
+        .set    noreorder
+        bnezl   a2,.L_bn_div_words_proceed
+        move    v1,zero
+        jr      ra
+        li      v0,-1           /* I'd rather signal div-by-zero
+                                 * which can be done with 'break 7' */
+
+.L_bn_div_words_proceed:
+        bltz    a2,.L_bn_div_words_body
+        move    t9,v1
+        dsll    a2,1
+        bgtz    a2,.-4
+        addu    t9,1
+
+        .set    reorder
+        negu    t1,t9
+        li      t2,-1
+        dsll    t2,t1
+        and     t2,a0
+        dsrl    AT,a1,t1
+        .set    noreorder
+        bnezl   t2,.+8
+        break   6               /* signal overflow */
+        .set    reorder
+        dsll    a0,t9
+        dsll    a1,t9
+        or      a0,AT
+
+#define QT      ta0
+#define HH      ta1
+#define DH      v1
+.L_bn_div_words_body:
+        dsrl    DH,a2,32
+        sgeu    AT,a0,a2
+        .set    noreorder
+        bnezl   AT,.+8
+        dsubu   a0,a2
+        .set    reorder
+
+        li      QT,-1
+        dsrl    HH,a0,32
+        dsrl    QT,32   /* q=0xffffffff */
+        beq     DH,HH,.L_bn_div_words_skip_div1
+        ddivu   zero,a0,DH
+        mflo    QT
+.L_bn_div_words_skip_div1:
+        dmultu  a2,QT
+        dsll    t3,a0,32
+        dsrl    AT,a1,32
+        or      t3,AT
+        mflo    t0
+        mfhi    t1
+.L_bn_div_words_inner_loop1:
+        sltu    t2,t3,t0
+        seq     t8,HH,t1
+        sltu    AT,HH,t1
+        and     t2,t8
+        or      AT,t2
+        .set    noreorder
+        beqz    AT,.L_bn_div_words_inner_loop1_done
+        sltu    t2,t0,a2
+        .set    reorder
+        dsubu   QT,1
+        dsubu   t0,a2
+        dsubu   t1,t2
+        b       .L_bn_div_words_inner_loop1
+.L_bn_div_words_inner_loop1_done:       
+
+        dsll    a1,32
+        dsubu   a0,t3,t0
+        dsll    v0,QT,32
+
+        li      QT,-1
+        dsrl    HH,a0,32
+        dsrl    QT,32   /* q=0xffffffff */
+        beq     DH,HH,.L_bn_div_words_skip_div2
+        ddivu   zero,a0,DH
+        mflo    QT
+.L_bn_div_words_skip_div2:
+        dmultu  a2,QT
+        dsll    t3,a0,32
+        dsrl    AT,a1,32
+        or      t3,AT
+        mflo    t0
+        mfhi    t1
+.L_bn_div_words_inner_loop2:
+        sltu    t2,t3,t0
+        seq     t8,HH,t1
+        sltu    AT,HH,t1
+        and     t2,t8
+        or      AT,t2
+        .set    noreorder
+        beqz    AT,.L_bn_div_words_inner_loop2_done
+        sltu    t2,t0,a2
+        .set    reorder
+        dsubu   QT,1
+        dsubu   t0,a2
+        dsubu   t1,t2
+        b       .L_bn_div_words_inner_loop2
+.L_bn_div_words_inner_loop2_done:       
+
+        dsubu   a0,t3,t0
+        or      v0,QT
+        dsrl    v1,a0,t9        /* v1 contains remainder if anybody wants it */
+        dsrl    a2,t9           /* restore a2 */
+        jr      ra
+#undef  HH
+#undef  DH
+#undef  QT
+END(bn_div_words)
+
+.align 5
+LEAF(bn_div_3_words)
+        .set    reorder
+        move    a3,a0           /* we know that bn_div_words doesn't
+                                 * touch a3, ta2, ta3 and preserves a2
+                                 * so that we can save two arguments
+                                 * and return address in registers
+                                 * instead of stack:-)
+                                 */
+        ld      a0,(a3)
+        move    ta2,a2
+        move    a2,a1
+        ld      a1,-8(a3)
+        move    ta3,ra
+        move    v1,zero
+        li      v0,-1
+        beq     a0,a2,.L_bn_div_3_words_skip_div
+        jal     bn_div_words
+        move    ra,ta3
+.L_bn_div_3_words_skip_div:
+        dmultu  ta2,v0
+        ld      t2,-16(a3)
+        mflo    t0
+        mfhi    t1
+.L_bn_div_3_words_inner_loop:
+        sgeu    AT,t2,t0
+        seq     t9,t1,v1
+        sltu    t8,t1,v1
+        and     AT,t9
+        or      AT,t8
+        bnez    AT,.L_bn_div_3_words_inner_loop_done
+        daddu   v1,a2
+        sltu    t3,t0,ta2
+        sltu    AT,v1,a2
+        dsubu   v0,1
+        dsubu   t0,ta2
+        dsubu   t1,t3
+        beqz    AT,.L_bn_div_3_words_inner_loop
+.L_bn_div_3_words_inner_loop_done:
+        jr      ra
+END(bn_div_3_words)
+
+#define a_0     t0
+#define a_1     t1
+#define a_2     t2
+#define a_3     t3
+#define b_0     ta0
+#define b_1     ta1
+#define b_2     ta2
+#define b_3     ta3
+
+#define a_4     s0
+#define a_5     s2
+#define a_6     s4
+#define a_7     a1      /* once we load a[7] we don't need a anymore */
+#define b_4     s1
+#define b_5     s3
+#define b_6     s5
+#define b_7     a2      /* once we load b[7] we don't need b anymore */
+
+#define t_1     t8
+#define t_2     t9
+
+#define c_1     v0
+#define c_2     v1
+#define c_3     a3
+
+#define FRAME_SIZE      48
+
+.align  5
+LEAF(bn_mul_comba8)
+        .set    noreorder
+        PTR_SUB sp,FRAME_SIZE
+        .frame  sp,64,ra
+        .set    reorder
+        ld      a_0,0(a1)       /* If compiled with -mips3 option on
+                                 * R5000 box assembler barks on this
+                                 * line with "shouldn't have mult/div
+                                 * as last instruction in bb (R10K
+                                 * bug)" warning. If anybody out there
+                                 * has a clue about how to circumvent
+                                 * this do send me a note.
+                                 *              <appro@fy.chalmers.se>
+                                 */
+        ld      b_0,0(a2)
+        ld      a_1,8(a1)
+        ld      a_2,16(a1)
+        ld      a_3,24(a1)
+        ld      b_1,8(a2)
+        ld      b_2,16(a2)
+        ld      b_3,24(a2)
+        dmultu  a_0,b_0         /* mul_add_c(a[0],b[0],c1,c2,c3); */
+        sd      s0,0(sp)
+        sd      s1,8(sp)
+        sd      s2,16(sp)
+        sd      s3,24(sp)
+        sd      s4,32(sp)
+        sd      s5,40(sp)
+        mflo    c_1
+        mfhi    c_2
+
+        dmultu  a_0,b_1         /* mul_add_c(a[0],b[1],c2,c3,c1); */
+        ld      a_4,32(a1)
+        ld      a_5,40(a1)
+        ld      a_6,48(a1)
+        ld      a_7,56(a1)
+        ld      b_4,32(a2)
+        ld      b_5,40(a2)
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   c_3,t_2,AT
+        dmultu  a_1,b_0         /* mul_add_c(a[1],b[0],c2,c3,c1); */
+        ld      b_6,48(a2)
+        ld      b_7,56(a2)
+        sd      c_1,0(a0)       /* r[0]=c1; */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    c_1,c_3,t_2
+        sd      c_2,8(a0)       /* r[1]=c2; */
+
+        dmultu  a_2,b_0         /* mul_add_c(a[2],b[0],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        dmultu  a_1,b_1         /* mul_add_c(a[1],b[1],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    c_2,c_1,t_2
+        dmultu  a_0,b_2         /* mul_add_c(a[0],b[2],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    AT,c_1,t_2
+        daddu   c_2,AT
+        sd      c_3,16(a0)      /* r[2]=c3; */
+
+        dmultu  a_0,b_3         /* mul_add_c(a[0],b[3],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        dmultu  a_1,b_2         /* mul_add_c(a[1],b[2],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    c_3,c_2,t_2
+        dmultu  a_2,b_1         /* mul_add_c(a[2],b[1],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    AT,c_2,t_2
+        daddu   c_3,AT
+        dmultu  a_3,b_0         /* mul_add_c(a[3],b[0],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    AT,c_2,t_2
+        daddu   c_3,AT
+        sd      c_1,24(a0)      /* r[3]=c1; */
+
+        dmultu  a_4,b_0         /* mul_add_c(a[4],b[0],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        dmultu  a_3,b_1         /* mul_add_c(a[3],b[1],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    c_1,c_3,t_2
+        dmultu  a_2,b_2         /* mul_add_c(a[2],b[2],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    AT,c_3,t_2
+        daddu   c_1,AT
+        dmultu  a_1,b_3         /* mul_add_c(a[1],b[3],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    AT,c_3,t_2
+        daddu   c_1,AT
+        dmultu  a_0,b_4         /* mul_add_c(a[0],b[4],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    AT,c_3,t_2
+        daddu   c_1,AT
+        sd      c_2,32(a0)      /* r[4]=c2; */
+
+        dmultu  a_0,b_5         /* mul_add_c(a[0],b[5],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        dmultu  a_1,b_4         /* mul_add_c(a[1],b[4],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    c_2,c_1,t_2
+        dmultu  a_2,b_3         /* mul_add_c(a[2],b[3],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    AT,c_1,t_2
+        daddu   c_2,AT
+        dmultu  a_3,b_2         /* mul_add_c(a[3],b[2],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    AT,c_1,t_2
+        daddu   c_2,AT
+        dmultu  a_4,b_1         /* mul_add_c(a[4],b[1],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    AT,c_1,t_2
+        daddu   c_2,AT
+        dmultu  a_5,b_0         /* mul_add_c(a[5],b[0],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    AT,c_1,t_2
+        daddu   c_2,AT
+        sd      c_3,40(a0)      /* r[5]=c3; */
+
+        dmultu  a_6,b_0         /* mul_add_c(a[6],b[0],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        dmultu  a_5,b_1         /* mul_add_c(a[5],b[1],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    c_3,c_2,t_2
+        dmultu  a_4,b_2         /* mul_add_c(a[4],b[2],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    AT,c_2,t_2
+        daddu   c_3,AT
+        dmultu  a_3,b_3         /* mul_add_c(a[3],b[3],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    AT,c_2,t_2
+        daddu   c_3,AT
+        dmultu  a_2,b_4         /* mul_add_c(a[2],b[4],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    AT,c_2,t_2
+        daddu   c_3,AT
+        dmultu  a_1,b_5         /* mul_add_c(a[1],b[5],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    AT,c_2,t_2
+        daddu   c_3,AT
+        dmultu  a_0,b_6         /* mul_add_c(a[0],b[6],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    AT,c_2,t_2
+        daddu   c_3,AT
+        sd      c_1,48(a0)      /* r[6]=c1; */
+
+        dmultu  a_0,b_7         /* mul_add_c(a[0],b[7],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        dmultu  a_1,b_6         /* mul_add_c(a[1],b[6],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    c_1,c_3,t_2
+        dmultu  a_2,b_5         /* mul_add_c(a[2],b[5],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    AT,c_3,t_2
+        daddu   c_1,AT
+        dmultu  a_3,b_4         /* mul_add_c(a[3],b[4],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    AT,c_3,t_2
+        daddu   c_1,AT
+        dmultu  a_4,b_3         /* mul_add_c(a[4],b[3],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    AT,c_3,t_2
+        daddu   c_1,AT
+        dmultu  a_5,b_2         /* mul_add_c(a[5],b[2],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    AT,c_3,t_2
+        daddu   c_1,AT
+        dmultu  a_6,b_1         /* mul_add_c(a[6],b[1],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    AT,c_3,t_2
+        daddu   c_1,AT
+        dmultu  a_7,b_0         /* mul_add_c(a[7],b[0],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    AT,c_3,t_2
+        daddu   c_1,AT
+        sd      c_2,56(a0)      /* r[7]=c2; */
+
+        dmultu  a_7,b_1         /* mul_add_c(a[7],b[1],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        dmultu  a_6,b_2         /* mul_add_c(a[6],b[2],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    c_2,c_1,t_2
+        dmultu  a_5,b_3         /* mul_add_c(a[5],b[3],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    AT,c_1,t_2
+        daddu   c_2,AT
+        dmultu  a_4,b_4         /* mul_add_c(a[4],b[4],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    AT,c_1,t_2
+        daddu   c_2,AT
+        dmultu  a_3,b_5         /* mul_add_c(a[3],b[5],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    AT,c_1,t_2
+        daddu   c_2,AT
+        dmultu  a_2,b_6         /* mul_add_c(a[2],b[6],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    AT,c_1,t_2
+        daddu   c_2,AT
+        dmultu  a_1,b_7         /* mul_add_c(a[1],b[7],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    AT,c_1,t_2
+        daddu   c_2,AT
+        sd      c_3,64(a0)      /* r[8]=c3; */
+
+        dmultu  a_2,b_7         /* mul_add_c(a[2],b[7],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        dmultu  a_3,b_6         /* mul_add_c(a[3],b[6],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    c_3,c_2,t_2
+        dmultu  a_4,b_5         /* mul_add_c(a[4],b[5],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    AT,c_2,t_2
+        daddu   c_3,AT
+        dmultu  a_5,b_4         /* mul_add_c(a[5],b[4],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    AT,c_2,t_2
+        daddu   c_3,AT
+        dmultu  a_6,b_3         /* mul_add_c(a[6],b[3],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    AT,c_2,t_2
+        daddu   c_3,AT
+        dmultu  a_7,b_2         /* mul_add_c(a[7],b[2],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    AT,c_2,t_2
+        daddu   c_3,AT
+        sd      c_1,72(a0)      /* r[9]=c1; */
+
+        dmultu  a_7,b_3         /* mul_add_c(a[7],b[3],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        dmultu  a_6,b_4         /* mul_add_c(a[6],b[4],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    c_1,c_3,t_2
+        dmultu  a_5,b_5         /* mul_add_c(a[5],b[5],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    AT,c_3,t_2
+        daddu   c_1,AT
+        dmultu  a_4,b_6         /* mul_add_c(a[4],b[6],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    AT,c_3,t_2
+        daddu   c_1,AT
+        dmultu  a_3,b_7         /* mul_add_c(a[3],b[7],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    AT,c_3,t_2
+        daddu   c_1,AT
+        sd      c_2,80(a0)      /* r[10]=c2; */
+
+        dmultu  a_4,b_7         /* mul_add_c(a[4],b[7],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        dmultu  a_5,b_6         /* mul_add_c(a[5],b[6],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    c_2,c_1,t_2
+        dmultu  a_6,b_5         /* mul_add_c(a[6],b[5],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    AT,c_1,t_2
+        daddu   c_2,AT
+        dmultu  a_7,b_4         /* mul_add_c(a[7],b[4],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    AT,c_1,t_2
+        daddu   c_2,AT
+        sd      c_3,88(a0)      /* r[11]=c3; */
+
+        dmultu  a_7,b_5         /* mul_add_c(a[7],b[5],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        dmultu  a_6,b_6         /* mul_add_c(a[6],b[6],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    c_3,c_2,t_2
+        dmultu  a_5,b_7         /* mul_add_c(a[5],b[7],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    AT,c_2,t_2
+        daddu   c_3,AT
+        sd      c_1,96(a0)      /* r[12]=c1; */
+
+        dmultu  a_6,b_7         /* mul_add_c(a[6],b[7],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        dmultu  a_7,b_6         /* mul_add_c(a[7],b[6],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    c_1,c_3,t_2
+        sd      c_2,104(a0)     /* r[13]=c2; */
+
+        dmultu  a_7,b_7         /* mul_add_c(a[7],b[7],c3,c1,c2); */
+        ld      s0,0(sp)
+        ld      s1,8(sp)
+        ld      s2,16(sp)
+        ld      s3,24(sp)
+        ld      s4,32(sp)
+        ld      s5,40(sp)
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sd      c_3,112(a0)     /* r[14]=c3; */
+        sd      c_1,120(a0)     /* r[15]=c1; */
+
+        PTR_ADD sp,FRAME_SIZE
+
+        jr      ra
+END(bn_mul_comba8)
+
+.align  5
+LEAF(bn_mul_comba4)
+        .set    reorder
+        ld      a_0,0(a1)
+        ld      b_0,0(a2)
+        ld      a_1,8(a1)
+        ld      a_2,16(a1)
+        dmultu  a_0,b_0         /* mul_add_c(a[0],b[0],c1,c2,c3); */
+        ld      a_3,24(a1)
+        ld      b_1,8(a2)
+        ld      b_2,16(a2)
+        ld      b_3,24(a2)
+        mflo    c_1
+        mfhi    c_2
+        sd      c_1,0(a0)
+
+        dmultu  a_0,b_1         /* mul_add_c(a[0],b[1],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   c_3,t_2,AT
+        dmultu  a_1,b_0         /* mul_add_c(a[1],b[0],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    c_1,c_3,t_2
+        sd      c_2,8(a0)
+
+        dmultu  a_2,b_0         /* mul_add_c(a[2],b[0],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        dmultu  a_1,b_1         /* mul_add_c(a[1],b[1],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    c_2,c_1,t_2
+        dmultu  a_0,b_2         /* mul_add_c(a[0],b[2],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    AT,c_1,t_2
+        daddu   c_2,AT
+        sd      c_3,16(a0)
+
+        dmultu  a_0,b_3         /* mul_add_c(a[0],b[3],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        dmultu  a_1,b_2         /* mul_add_c(a[1],b[2],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    c_3,c_2,t_2
+        dmultu  a_2,b_1         /* mul_add_c(a[2],b[1],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    AT,c_2,t_2
+        daddu   c_3,AT
+        dmultu  a_3,b_0         /* mul_add_c(a[3],b[0],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    AT,c_2,t_2
+        daddu   c_3,AT
+        sd      c_1,24(a0)
+
+        dmultu  a_3,b_1         /* mul_add_c(a[3],b[1],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        dmultu  a_2,b_2         /* mul_add_c(a[2],b[2],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    c_1,c_3,t_2
+        dmultu  a_1,b_3         /* mul_add_c(a[1],b[3],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    AT,c_3,t_2
+        daddu   c_1,AT
+        sd      c_2,32(a0)
+
+        dmultu  a_2,b_3         /* mul_add_c(a[2],b[3],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        dmultu  a_3,b_2         /* mul_add_c(a[3],b[2],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    c_2,c_1,t_2
+        sd      c_3,40(a0)
+
+        dmultu  a_3,b_3         /* mul_add_c(a[3],b[3],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sd      c_1,48(a0)
+        sd      c_2,56(a0)
+
+        jr      ra
+END(bn_mul_comba4)
+
+#undef  a_4
+#undef  a_5
+#undef  a_6
+#undef  a_7
+#define a_4     b_0
+#define a_5     b_1
+#define a_6     b_2
+#define a_7     b_3
+
+.align  5
+LEAF(bn_sqr_comba8)
+        .set    reorder
+        ld      a_0,0(a1)
+        ld      a_1,8(a1)
+        ld      a_2,16(a1)
+        ld      a_3,24(a1)
+
+        dmultu  a_0,a_0         /* mul_add_c(a[0],b[0],c1,c2,c3); */
+        ld      a_4,32(a1)
+        ld      a_5,40(a1)
+        ld      a_6,48(a1)
+        ld      a_7,56(a1)
+        mflo    c_1
+        mfhi    c_2
+        sd      c_1,0(a0)
+
+        dmultu  a_0,a_1         /* mul_add_c2(a[0],b[1],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   c_3,t_2,AT
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    c_1,c_3,t_2
+        sd      c_2,8(a0)
+
+        dmultu  a_2,a_0         /* mul_add_c2(a[2],b[0],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   a2,t_2,AT
+        daddu   c_1,a2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    c_2,c_1,t_2
+        dmultu  a_1,a_1         /* mul_add_c(a[1],b[1],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    AT,c_1,t_2
+        daddu   c_2,AT
+        sd      c_3,16(a0)
+
+        dmultu  a_0,a_3         /* mul_add_c2(a[0],b[3],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   a2,t_2,AT
+        daddu   c_2,a2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    c_3,c_2,t_2
+        dmultu  a_1,a_2         /* mul_add_c2(a[1],b[2],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   a2,t_2,AT
+        daddu   c_2,a2
+        sltu    AT,c_2,a2
+        daddu   c_3,AT
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    AT,c_2,t_2
+        daddu   c_3,AT
+        sd      c_1,24(a0)
+
+        dmultu  a_4,a_0         /* mul_add_c2(a[4],b[0],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   a2,t_2,AT
+        daddu   c_3,a2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    c_1,c_3,t_2
+        dmultu  a_3,a_1         /* mul_add_c2(a[3],b[1],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   a2,t_2,AT
+        daddu   c_3,a2
+        sltu    AT,c_3,a2
+        daddu   c_1,AT
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    AT,c_3,t_2
+        daddu   c_1,AT
+        dmultu  a_2,a_2         /* mul_add_c(a[2],b[2],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    AT,c_3,t_2
+        daddu   c_1,AT
+        sd      c_2,32(a0)
+
+        dmultu  a_0,a_5         /* mul_add_c2(a[0],b[5],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   a2,t_2,AT
+        daddu   c_1,a2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    c_2,c_1,t_2
+        dmultu  a_1,a_4         /* mul_add_c2(a[1],b[4],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   a2,t_2,AT
+        daddu   c_1,a2
+        sltu    AT,c_1,a2
+        daddu   c_2,AT
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    AT,c_1,t_2
+        daddu   c_2,AT
+        dmultu  a_2,a_3         /* mul_add_c2(a[2],b[3],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   a2,t_2,AT
+        daddu   c_1,a2
+        sltu    AT,c_1,a2
+        daddu   c_2,AT
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    AT,c_1,t_2
+        daddu   c_2,AT
+        sd      c_3,40(a0)
+
+        dmultu  a_6,a_0         /* mul_add_c2(a[6],b[0],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   a2,t_2,AT
+        daddu   c_2,a2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    c_3,c_2,t_2
+        dmultu  a_5,a_1         /* mul_add_c2(a[5],b[1],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   a2,t_2,AT
+        daddu   c_2,a2
+        sltu    AT,c_2,a2
+        daddu   c_3,AT
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    AT,c_2,t_2
+        daddu   c_3,AT
+        dmultu  a_4,a_2         /* mul_add_c2(a[4],b[2],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   a2,t_2,AT
+        daddu   c_2,a2
+        sltu    AT,c_2,a2
+        daddu   c_3,AT
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    AT,c_2,t_2
+        daddu   c_3,AT
+        dmultu  a_3,a_3         /* mul_add_c(a[3],b[3],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    AT,c_2,t_2
+        daddu   c_3,AT
+        sd      c_1,48(a0)
+
+        dmultu  a_0,a_7         /* mul_add_c2(a[0],b[7],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   a2,t_2,AT
+        daddu   c_3,a2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    c_1,c_3,t_2
+        dmultu  a_1,a_6         /* mul_add_c2(a[1],b[6],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   a2,t_2,AT
+        daddu   c_3,a2
+        sltu    AT,c_3,a2
+        daddu   c_1,AT
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    AT,c_3,t_2
+        daddu   c_1,AT
+        dmultu  a_2,a_5         /* mul_add_c2(a[2],b[5],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   a2,t_2,AT
+        daddu   c_3,a2
+        sltu    AT,c_3,a2
+        daddu   c_1,AT
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    AT,c_3,t_2
+        daddu   c_1,AT
+        dmultu  a_3,a_4         /* mul_add_c2(a[3],b[4],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   a2,t_2,AT
+        daddu   c_3,a2
+        sltu    AT,c_3,a2
+        daddu   c_1,AT
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    AT,c_3,t_2
+        daddu   c_1,AT
+        sd      c_2,56(a0)
+
+        dmultu  a_7,a_1         /* mul_add_c2(a[7],b[1],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   a2,t_2,AT
+        daddu   c_1,a2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    c_2,c_1,t_2
+        dmultu  a_6,a_2         /* mul_add_c2(a[6],b[2],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   a2,t_2,AT
+        daddu   c_1,a2
+        sltu    AT,c_1,a2
+        daddu   c_2,AT
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    AT,c_1,t_2
+        daddu   c_2,AT
+        dmultu  a_5,a_3         /* mul_add_c2(a[5],b[3],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   a2,t_2,AT
+        daddu   c_1,a2
+        sltu    AT,c_1,a2
+        daddu   c_2,AT
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    AT,c_1,t_2
+        daddu   c_2,AT
+        dmultu  a_4,a_4         /* mul_add_c(a[4],b[4],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    AT,c_1,t_2
+        daddu   c_2,AT
+        sd      c_3,64(a0)
+
+        dmultu  a_2,a_7         /* mul_add_c2(a[2],b[7],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   a2,t_2,AT
+        daddu   c_2,a2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    c_3,c_2,t_2
+        dmultu  a_3,a_6         /* mul_add_c2(a[3],b[6],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   a2,t_2,AT
+        daddu   c_2,a2
+        sltu    AT,c_2,a2
+        daddu   c_3,AT
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    AT,c_2,t_2
+        daddu   c_3,AT
+        dmultu  a_4,a_5         /* mul_add_c2(a[4],b[5],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   a2,t_2,AT
+        daddu   c_2,a2
+        sltu    AT,c_2,a2
+        daddu   c_3,AT
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    AT,c_2,t_2
+        daddu   c_3,AT
+        sd      c_1,72(a0)
+
+        dmultu  a_7,a_3         /* mul_add_c2(a[7],b[3],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   a2,t_2,AT
+        daddu   c_3,a2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    c_1,c_3,t_2
+        dmultu  a_6,a_4         /* mul_add_c2(a[6],b[4],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   a2,t_2,AT
+        daddu   c_3,a2
+        sltu    AT,c_3,a2
+        daddu   c_1,AT
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    AT,c_3,t_2
+        daddu   c_1,AT
+        dmultu  a_5,a_5         /* mul_add_c(a[5],b[5],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    AT,c_3,t_2
+        daddu   c_1,AT
+        sd      c_2,80(a0)
+
+        dmultu  a_4,a_7         /* mul_add_c2(a[4],b[7],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   a2,t_2,AT
+        daddu   c_1,a2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    c_2,c_1,t_2
+        dmultu  a_5,a_6         /* mul_add_c2(a[5],b[6],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   a2,t_2,AT
+        daddu   c_1,a2
+        sltu    AT,c_1,a2
+        daddu   c_2,AT
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    AT,c_1,t_2
+        daddu   c_2,AT
+        sd      c_3,88(a0)
+
+        dmultu  a_7,a_5         /* mul_add_c2(a[7],b[5],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   a2,t_2,AT
+        daddu   c_2,a2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    c_3,c_2,t_2
+        dmultu  a_6,a_6         /* mul_add_c(a[6],b[6],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    AT,c_2,t_2
+        daddu   c_3,AT
+        sd      c_1,96(a0)
+
+        dmultu  a_6,a_7         /* mul_add_c2(a[6],b[7],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   a2,t_2,AT
+        daddu   c_3,a2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    c_1,c_3,t_2
+        sd      c_2,104(a0)
+
+        dmultu  a_7,a_7         /* mul_add_c(a[7],b[7],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sd      c_3,112(a0)
+        sd      c_1,120(a0)
+
+        jr      ra
+END(bn_sqr_comba8)
+
+.align  5
+LEAF(bn_sqr_comba4)
+        .set    reorder
+        ld      a_0,0(a1)
+        ld      a_1,8(a1)
+        ld      a_2,16(a1)
+        ld      a_3,24(a1)
+        dmultu  a_0,a_0         /* mul_add_c(a[0],b[0],c1,c2,c3); */
+        mflo    c_1
+        mfhi    c_2
+        sd      c_1,0(a0)
+
+        dmultu  a_0,a_1         /* mul_add_c2(a[0],b[1],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   c_3,t_2,AT
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    c_1,c_3,t_2
+        sd      c_2,8(a0)
+
+        dmultu  a_2,a_0         /* mul_add_c2(a[2],b[0],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   a2,t_2,AT
+        daddu   c_1,a2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    c_2,c_1,t_2
+        dmultu  a_1,a_1         /* mul_add_c(a[1],b[1],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    AT,c_1,t_2
+        daddu   c_2,AT
+        sd      c_3,16(a0)
+
+        dmultu  a_0,a_3         /* mul_add_c2(a[0],b[3],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   a2,t_2,AT
+        daddu   c_2,a2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    c_3,c_2,t_2
+        dmultu  a_1,a_2         /* mul_add_c(a2[1],b[2],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   a2,t_2,AT
+        daddu   c_2,a2
+        sltu    AT,c_2,a2
+        daddu   c_3,AT
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sltu    AT,c_2,t_2
+        daddu   c_3,AT
+        sd      c_1,24(a0)
+
+        dmultu  a_3,a_1         /* mul_add_c2(a[3],b[1],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   a2,t_2,AT
+        daddu   c_3,a2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    c_1,c_3,t_2
+        dmultu  a_2,a_2         /* mul_add_c(a[2],b[2],c2,c3,c1); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_2,t_1
+        sltu    AT,c_2,t_1
+        daddu   t_2,AT
+        daddu   c_3,t_2
+        sltu    AT,c_3,t_2
+        daddu   c_1,AT
+        sd      c_2,32(a0)
+
+        dmultu  a_2,a_3         /* mul_add_c2(a[2],b[3],c3,c1,c2); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   a2,t_2,AT
+        daddu   c_1,a2
+        daddu   c_3,t_1
+        sltu    AT,c_3,t_1
+        daddu   t_2,AT
+        daddu   c_1,t_2
+        sltu    c_2,c_1,t_2
+        sd      c_3,40(a0)
+
+        dmultu  a_3,a_3         /* mul_add_c(a[3],b[3],c1,c2,c3); */
+        mflo    t_1
+        mfhi    t_2
+        daddu   c_1,t_1
+        sltu    AT,c_1,t_1
+        daddu   t_2,AT
+        daddu   c_2,t_2
+        sd      c_1,48(a0)
+        sd      c_2,56(a0)
+
+        jr      ra
+END(bn_sqr_comba4)
diff --git a/src/lib/libssl/src/crypto/bn/asm/pa-risc2W.s b/src/lib/libssl/src/crypto/bn/asm/pa-risc2W.s
new file mode 100644
index 0000000000..54b6606252
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/pa-risc2W.s
@@ -0,0 +1,1605 @@
+;
+; PA-RISC 64-bit implementation of bn_asm code
+;
+; This code is approximately 2x faster than the C version
+; for RSA/DSA.
+;
+; See http://devresource.hp.com/  for more details on the PA-RISC
+; architecture.  Also see the book "PA-RISC 2.0 Architecture"
+; by Gerry Kane for information on the instruction set architecture.
+;
+; Code written by Chris Ruemmler (with some help from the HP C
+; compiler).
+;
+; The code compiles with HP's assembler
+;
+
+        .level  2.0W
+        .space  $TEXT$
+        .subspa $CODE$,QUAD=0,ALIGN=8,ACCESS=0x2c,CODE_ONLY
+
+;
+; Global Register definitions used for the routines.
+;
+; Some information about HP's runtime architecture for 64-bits.
+;
+; "Caller save" means the calling function must save the register
+; if it wants the register to be preserved.
+; "Callee save" means if a function uses the register, it must save
+; the value before using it.
+;
+; For the floating point registers 
+;
+;    "caller save" registers: fr4-fr11, fr22-fr31
+;    "callee save" registers: fr12-fr21
+;    "special" registers: fr0-fr3 (status and exception registers)
+;
+; For the integer registers
+;     value zero             :  r0
+;     "caller save" registers: r1,r19-r26
+;     "callee save" registers: r3-r18
+;     return register        :  r2  (rp)
+;     return values          ; r28  (ret0,ret1)
+;     Stack pointer          ; r30  (sp) 
+;     global data pointer    ; r27  (dp)
+;     argument pointer       ; r29  (ap)
+;     millicode return ptr   ; r31  (also a caller save register)
+
+
+;
+; Arguments to the routines
+;
+r_ptr       .reg %r26
+a_ptr       .reg %r25
+b_ptr       .reg %r24
+num         .reg %r24
+w           .reg %r23
+n           .reg %r23
+
+
+;
+; Globals used in some routines
+;
+
+top_overflow .reg %r29
+high_mask    .reg %r22    ; value 0xffffffff80000000L
+
+
+;------------------------------------------------------------------------------
+;
+; bn_mul_add_words
+;
+;BN_ULONG bn_mul_add_words(BN_ULONG *r_ptr, BN_ULONG *a_ptr, 
+;                                                               int num, BN_ULONG w)
+;
+; arg0 = r_ptr
+; arg1 = a_ptr
+; arg2 = num
+; arg3 = w
+;
+; Local register definitions
+;
+
+fm1          .reg %fr22
+fm           .reg %fr23
+ht_temp      .reg %fr24
+ht_temp_1    .reg %fr25
+lt_temp      .reg %fr26
+lt_temp_1    .reg %fr27
+fm1_1        .reg %fr28
+fm_1         .reg %fr29
+
+fw_h         .reg %fr7L
+fw_l         .reg %fr7R
+fw           .reg %fr7
+
+fht_0        .reg %fr8L
+flt_0        .reg %fr8R
+t_float_0    .reg %fr8
+
+fht_1        .reg %fr9L
+flt_1        .reg %fr9R
+t_float_1    .reg %fr9
+
+tmp_0        .reg %r31
+tmp_1        .reg %r21
+m_0          .reg %r20 
+m_1          .reg %r19 
+ht_0         .reg %r1  
+ht_1         .reg %r3
+lt_0         .reg %r4
+lt_1         .reg %r5
+m1_0         .reg %r6 
+m1_1         .reg %r7 
+rp_val       .reg %r8
+rp_val_1     .reg %r9
+
+bn_mul_add_words
+        .export bn_mul_add_words,entry,NO_RELOCATION,LONG_RETURN
+        .proc
+        .callinfo frame=128
+    .entry
+        .align 64
+
+    STD     %r3,0(%sp)          ; save r3  
+    STD     %r4,8(%sp)          ; save r4  
+        NOP                         ; Needed to make the loop 16-byte aligned
+        NOP                         ; Needed to make the loop 16-byte aligned
+
+    STD     %r5,16(%sp)         ; save r5  
+    STD     %r6,24(%sp)         ; save r6  
+    STD     %r7,32(%sp)         ; save r7  
+    STD     %r8,40(%sp)         ; save r8  
+
+    STD     %r9,48(%sp)         ; save r9  
+    COPY    %r0,%ret0           ; return 0 by default
+    DEPDI,Z 1,31,1,top_overflow ; top_overflow = 1 << 32    
+        STD     w,56(%sp)           ; store w on stack
+
+    CMPIB,>= 0,num,bn_mul_add_words_exit  ; if (num <= 0) then exit
+        LDO     128(%sp),%sp       ; bump stack
+
+        ;
+        ; The loop is unrolled twice, so if there is only 1 number
+    ; then go straight to the cleanup code.
+        ;
+        CMPIB,= 1,num,bn_mul_add_words_single_top
+        FLDD    -72(%sp),fw     ; load up w into fp register fw (fw_h/fw_l)
+
+        ;
+        ; This loop is unrolled 2 times (64-byte aligned as well)
+        ;
+        ; PA-RISC 2.0 chips have two fully pipelined multipliers, thus
+    ; two 32-bit mutiplies can be issued per cycle.
+    ; 
+bn_mul_add_words_unroll2
+
+    FLDD    0(a_ptr),t_float_0       ; load up 64-bit value (fr8L) ht(L)/lt(R)
+    FLDD    8(a_ptr),t_float_1       ; load up 64-bit value (fr8L) ht(L)/lt(R)
+    LDD     0(r_ptr),rp_val          ; rp[0]
+    LDD     8(r_ptr),rp_val_1        ; rp[1]
+
+    XMPYU   fht_0,fw_l,fm1           ; m1[0] = fht_0*fw_l
+    XMPYU   fht_1,fw_l,fm1_1         ; m1[1] = fht_1*fw_l
+    FSTD    fm1,-16(%sp)             ; -16(sp) = m1[0]
+    FSTD    fm1_1,-48(%sp)           ; -48(sp) = m1[1]
+
+    XMPYU   flt_0,fw_h,fm            ; m[0] = flt_0*fw_h
+    XMPYU   flt_1,fw_h,fm_1          ; m[1] = flt_1*fw_h
+    FSTD    fm,-8(%sp)               ; -8(sp) = m[0]
+    FSTD    fm_1,-40(%sp)            ; -40(sp) = m[1]
+
+    XMPYU   fht_0,fw_h,ht_temp       ; ht_temp   = fht_0*fw_h
+    XMPYU   fht_1,fw_h,ht_temp_1     ; ht_temp_1 = fht_1*fw_h
+    FSTD    ht_temp,-24(%sp)         ; -24(sp)   = ht_temp
+    FSTD    ht_temp_1,-56(%sp)       ; -56(sp)   = ht_temp_1
+
+    XMPYU   flt_0,fw_l,lt_temp       ; lt_temp = lt*fw_l
+    XMPYU   flt_1,fw_l,lt_temp_1     ; lt_temp = lt*fw_l
+    FSTD    lt_temp,-32(%sp)         ; -32(sp) = lt_temp 
+    FSTD    lt_temp_1,-64(%sp)       ; -64(sp) = lt_temp_1 
+
+    LDD     -8(%sp),m_0              ; m[0] 
+    LDD     -40(%sp),m_1             ; m[1]
+    LDD     -16(%sp),m1_0            ; m1[0]
+    LDD     -48(%sp),m1_1            ; m1[1]
+
+    LDD     -24(%sp),ht_0            ; ht[0]
+    LDD     -56(%sp),ht_1            ; ht[1]
+    ADD,L   m1_0,m_0,tmp_0           ; tmp_0 = m[0] + m1[0]; 
+    ADD,L   m1_1,m_1,tmp_1           ; tmp_1 = m[1] + m1[1]; 
+
+    LDD     -32(%sp),lt_0            
+    LDD     -64(%sp),lt_1            
+    CMPCLR,*>>= tmp_0,m1_0, %r0      ; if (m[0] < m1[0])
+    ADD,L   ht_0,top_overflow,ht_0   ; ht[0] += (1<<32)
+
+    CMPCLR,*>>= tmp_1,m1_1,%r0       ; if (m[1] < m1[1])
+    ADD,L   ht_1,top_overflow,ht_1   ; ht[1] += (1<<32)
+    EXTRD,U tmp_0,31,32,m_0          ; m[0]>>32  
+    DEPD,Z  tmp_0,31,32,m1_0         ; m1[0] = m[0]<<32 
+
+    EXTRD,U tmp_1,31,32,m_1          ; m[1]>>32  
+    DEPD,Z  tmp_1,31,32,m1_1         ; m1[1] = m[1]<<32 
+    ADD,L   ht_0,m_0,ht_0            ; ht[0]+= (m[0]>>32)
+    ADD,L   ht_1,m_1,ht_1            ; ht[1]+= (m[1]>>32)
+
+    ADD     lt_0,m1_0,lt_0           ; lt[0] = lt[0]+m1[0];
+        ADD,DC  ht_0,%r0,ht_0            ; ht[0]++
+    ADD     lt_1,m1_1,lt_1           ; lt[1] = lt[1]+m1[1];
+    ADD,DC  ht_1,%r0,ht_1            ; ht[1]++
+
+    ADD    %ret0,lt_0,lt_0           ; lt[0] = lt[0] + c;
+        ADD,DC  ht_0,%r0,ht_0            ; ht[0]++
+    ADD     lt_0,rp_val,lt_0         ; lt[0] = lt[0]+rp[0]
+    ADD,DC  ht_0,%r0,ht_0            ; ht[0]++
+
+        LDO    -2(num),num               ; num = num - 2;
+    ADD     ht_0,lt_1,lt_1           ; lt[1] = lt[1] + ht_0 (c);
+    ADD,DC  ht_1,%r0,ht_1            ; ht[1]++
+    STD     lt_0,0(r_ptr)            ; rp[0] = lt[0]
+
+    ADD     lt_1,rp_val_1,lt_1       ; lt[1] = lt[1]+rp[1]
+    ADD,DC  ht_1,%r0,%ret0           ; ht[1]++
+    LDO     16(a_ptr),a_ptr          ; a_ptr += 2
+
+    STD     lt_1,8(r_ptr)            ; rp[1] = lt[1]
+        CMPIB,<= 2,num,bn_mul_add_words_unroll2 ; go again if more to do
+    LDO     16(r_ptr),r_ptr          ; r_ptr += 2
+
+    CMPIB,=,N 0,num,bn_mul_add_words_exit ; are we done, or cleanup last one
+
+        ;
+        ; Top of loop aligned on 64-byte boundary
+        ;
+bn_mul_add_words_single_top
+    FLDD    0(a_ptr),t_float_0        ; load up 64-bit value (fr8L) ht(L)/lt(R)
+    LDD     0(r_ptr),rp_val           ; rp[0]
+    LDO     8(a_ptr),a_ptr            ; a_ptr++
+    XMPYU   fht_0,fw_l,fm1            ; m1 = ht*fw_l
+    FSTD    fm1,-16(%sp)              ; -16(sp) = m1
+    XMPYU   flt_0,fw_h,fm             ; m = lt*fw_h
+    FSTD    fm,-8(%sp)                ; -8(sp) = m
+    XMPYU   fht_0,fw_h,ht_temp        ; ht_temp = ht*fw_h
+    FSTD    ht_temp,-24(%sp)          ; -24(sp) = ht
+    XMPYU   flt_0,fw_l,lt_temp        ; lt_temp = lt*fw_l
+    FSTD    lt_temp,-32(%sp)          ; -32(sp) = lt 
+
+    LDD     -8(%sp),m_0               
+    LDD    -16(%sp),m1_0              ; m1 = temp1 
+    ADD,L   m_0,m1_0,tmp_0            ; tmp_0 = m + m1; 
+    LDD     -24(%sp),ht_0             
+    LDD     -32(%sp),lt_0             
+
+    CMPCLR,*>>= tmp_0,m1_0,%r0        ; if (m < m1)
+    ADD,L   ht_0,top_overflow,ht_0    ; ht += (1<<32)
+
+    EXTRD,U tmp_0,31,32,m_0           ; m>>32  
+    DEPD,Z  tmp_0,31,32,m1_0          ; m1 = m<<32 
+
+    ADD,L   ht_0,m_0,ht_0             ; ht+= (m>>32)
+    ADD     lt_0,m1_0,tmp_0           ; tmp_0 = lt+m1;
+    ADD,DC  ht_0,%r0,ht_0             ; ht++
+    ADD     %ret0,tmp_0,lt_0          ; lt = lt + c;
+    ADD,DC  ht_0,%r0,ht_0             ; ht++
+    ADD     lt_0,rp_val,lt_0          ; lt = lt+rp[0]
+    ADD,DC  ht_0,%r0,%ret0            ; ht++
+    STD     lt_0,0(r_ptr)             ; rp[0] = lt
+
+bn_mul_add_words_exit
+    .EXIT
+    LDD     -80(%sp),%r9              ; restore r9  
+    LDD     -88(%sp),%r8              ; restore r8  
+    LDD     -96(%sp),%r7              ; restore r7  
+    LDD     -104(%sp),%r6             ; restore r6  
+    LDD     -112(%sp),%r5             ; restore r5  
+    LDD     -120(%sp),%r4             ; restore r4  
+    BVE     (%rp)
+    LDD,MB  -128(%sp),%r3             ; restore r3
+        .PROCEND        ;in=23,24,25,26,29;out=28;
+
+;----------------------------------------------------------------------------
+;
+;BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
+;
+; arg0 = rp
+; arg1 = ap
+; arg2 = num
+; arg3 = w
+
+bn_mul_words
+        .proc
+        .callinfo frame=128
+    .entry
+        .EXPORT bn_mul_words,ENTRY,PRIV_LEV=3,NO_RELOCATION,LONG_RETURN
+        .align 64
+
+    STD     %r3,0(%sp)          ; save r3  
+    STD     %r4,8(%sp)          ; save r4  
+    STD     %r5,16(%sp)         ; save r5  
+    STD     %r6,24(%sp)         ; save r6  
+
+    STD     %r7,32(%sp)         ; save r7  
+    COPY    %r0,%ret0           ; return 0 by default
+    DEPDI,Z 1,31,1,top_overflow ; top_overflow = 1 << 32    
+        STD     w,56(%sp)           ; w on stack
+
+    CMPIB,>= 0,num,bn_mul_words_exit
+        LDO     128(%sp),%sp       ; bump stack
+
+        ;
+        ; See if only 1 word to do, thus just do cleanup
+        ;
+        CMPIB,= 1,num,bn_mul_words_single_top
+        FLDD    -72(%sp),fw     ; load up w into fp register fw (fw_h/fw_l)
+
+        ;
+        ; This loop is unrolled 2 times (64-byte aligned as well)
+        ;
+        ; PA-RISC 2.0 chips have two fully pipelined multipliers, thus
+    ; two 32-bit mutiplies can be issued per cycle.
+    ; 
+bn_mul_words_unroll2
+
+    FLDD    0(a_ptr),t_float_0        ; load up 64-bit value (fr8L) ht(L)/lt(R)
+    FLDD    8(a_ptr),t_float_1        ; load up 64-bit value (fr8L) ht(L)/lt(R)
+    XMPYU   fht_0,fw_l,fm1            ; m1[0] = fht_0*fw_l
+    XMPYU   fht_1,fw_l,fm1_1          ; m1[1] = ht*fw_l
+
+    FSTD    fm1,-16(%sp)              ; -16(sp) = m1
+    FSTD    fm1_1,-48(%sp)            ; -48(sp) = m1
+    XMPYU   flt_0,fw_h,fm             ; m = lt*fw_h
+    XMPYU   flt_1,fw_h,fm_1           ; m = lt*fw_h
+
+    FSTD    fm,-8(%sp)                ; -8(sp) = m
+    FSTD    fm_1,-40(%sp)             ; -40(sp) = m
+    XMPYU   fht_0,fw_h,ht_temp        ; ht_temp = fht_0*fw_h
+    XMPYU   fht_1,fw_h,ht_temp_1      ; ht_temp = ht*fw_h
+
+    FSTD    ht_temp,-24(%sp)          ; -24(sp) = ht
+    FSTD    ht_temp_1,-56(%sp)        ; -56(sp) = ht
+    XMPYU   flt_0,fw_l,lt_temp        ; lt_temp = lt*fw_l
+    XMPYU   flt_1,fw_l,lt_temp_1      ; lt_temp = lt*fw_l
+
+    FSTD    lt_temp,-32(%sp)          ; -32(sp) = lt 
+    FSTD    lt_temp_1,-64(%sp)        ; -64(sp) = lt 
+    LDD     -8(%sp),m_0               
+    LDD     -40(%sp),m_1              
+
+    LDD    -16(%sp),m1_0              
+    LDD    -48(%sp),m1_1              
+    LDD     -24(%sp),ht_0             
+    LDD     -56(%sp),ht_1             
+
+    ADD,L   m1_0,m_0,tmp_0            ; tmp_0 = m + m1; 
+    ADD,L   m1_1,m_1,tmp_1            ; tmp_1 = m + m1; 
+    LDD     -32(%sp),lt_0             
+    LDD     -64(%sp),lt_1             
+
+    CMPCLR,*>>= tmp_0,m1_0, %r0       ; if (m < m1)
+    ADD,L   ht_0,top_overflow,ht_0    ; ht += (1<<32)
+    CMPCLR,*>>= tmp_1,m1_1,%r0        ; if (m < m1)
+    ADD,L   ht_1,top_overflow,ht_1    ; ht += (1<<32)
+
+    EXTRD,U tmp_0,31,32,m_0           ; m>>32  
+    DEPD,Z  tmp_0,31,32,m1_0          ; m1 = m<<32 
+    EXTRD,U tmp_1,31,32,m_1           ; m>>32  
+    DEPD,Z  tmp_1,31,32,m1_1          ; m1 = m<<32 
+
+    ADD,L   ht_0,m_0,ht_0             ; ht+= (m>>32)
+    ADD,L   ht_1,m_1,ht_1             ; ht+= (m>>32)
+    ADD     lt_0,m1_0,lt_0            ; lt = lt+m1;
+        ADD,DC  ht_0,%r0,ht_0             ; ht++
+
+    ADD     lt_1,m1_1,lt_1            ; lt = lt+m1;
+    ADD,DC  ht_1,%r0,ht_1             ; ht++
+    ADD    %ret0,lt_0,lt_0            ; lt = lt + c (ret0);
+        ADD,DC  ht_0,%r0,ht_0             ; ht++
+
+    ADD     ht_0,lt_1,lt_1            ; lt = lt + c (ht_0)
+    ADD,DC  ht_1,%r0,ht_1             ; ht++
+    STD     lt_0,0(r_ptr)             ; rp[0] = lt
+    STD     lt_1,8(r_ptr)             ; rp[1] = lt
+
+        COPY    ht_1,%ret0                ; carry = ht
+        LDO    -2(num),num                ; num = num - 2;
+    LDO     16(a_ptr),a_ptr           ; ap += 2
+        CMPIB,<= 2,num,bn_mul_words_unroll2
+    LDO     16(r_ptr),r_ptr           ; rp++
+
+    CMPIB,=,N 0,num,bn_mul_words_exit ; are we done?
+
+        ;
+        ; Top of loop aligned on 64-byte boundary
+        ;
+bn_mul_words_single_top
+    FLDD    0(a_ptr),t_float_0        ; load up 64-bit value (fr8L) ht(L)/lt(R)
+
+    XMPYU   fht_0,fw_l,fm1            ; m1 = ht*fw_l
+    FSTD    fm1,-16(%sp)              ; -16(sp) = m1
+    XMPYU   flt_0,fw_h,fm             ; m = lt*fw_h
+    FSTD    fm,-8(%sp)                ; -8(sp) = m
+    XMPYU   fht_0,fw_h,ht_temp        ; ht_temp = ht*fw_h
+    FSTD    ht_temp,-24(%sp)          ; -24(sp) = ht
+    XMPYU   flt_0,fw_l,lt_temp        ; lt_temp = lt*fw_l
+    FSTD    lt_temp,-32(%sp)          ; -32(sp) = lt 
+
+    LDD     -8(%sp),m_0               
+    LDD    -16(%sp),m1_0              
+    ADD,L   m_0,m1_0,tmp_0            ; tmp_0 = m + m1; 
+    LDD     -24(%sp),ht_0             
+    LDD     -32(%sp),lt_0             
+
+    CMPCLR,*>>= tmp_0,m1_0,%r0        ; if (m < m1)
+    ADD,L   ht_0,top_overflow,ht_0    ; ht += (1<<32)
+
+    EXTRD,U tmp_0,31,32,m_0           ; m>>32  
+    DEPD,Z  tmp_0,31,32,m1_0          ; m1 = m<<32 
+
+    ADD,L   ht_0,m_0,ht_0             ; ht+= (m>>32)
+    ADD     lt_0,m1_0,lt_0            ; lt= lt+m1;
+    ADD,DC  ht_0,%r0,ht_0             ; ht++
+
+    ADD     %ret0,lt_0,lt_0           ; lt = lt + c;
+    ADD,DC  ht_0,%r0,ht_0             ; ht++
+
+    COPY    ht_0,%ret0                ; copy carry
+    STD     lt_0,0(r_ptr)             ; rp[0] = lt
+
+bn_mul_words_exit
+    .EXIT
+    LDD     -96(%sp),%r7              ; restore r7  
+    LDD     -104(%sp),%r6             ; restore r6  
+    LDD     -112(%sp),%r5             ; restore r5  
+    LDD     -120(%sp),%r4             ; restore r4  
+    BVE     (%rp)
+    LDD,MB  -128(%sp),%r3             ; restore r3
+        .PROCEND        ;in=23,24,25,26,29;out=28;
+
+;----------------------------------------------------------------------------
+;
+;void bn_sqr_words(BN_ULONG *rp, BN_ULONG *ap, int num)
+;
+; arg0 = rp
+; arg1 = ap
+; arg2 = num
+;
+
+bn_sqr_words
+        .proc
+        .callinfo FRAME=128,ENTRY_GR=%r3,ARGS_SAVED,ORDERING_AWARE
+        .EXPORT bn_sqr_words,ENTRY,PRIV_LEV=3,NO_RELOCATION,LONG_RETURN
+    .entry
+        .align 64
+
+    STD     %r3,0(%sp)          ; save r3  
+    STD     %r4,8(%sp)          ; save r4  
+        NOP
+    STD     %r5,16(%sp)         ; save r5  
+
+    CMPIB,>= 0,num,bn_sqr_words_exit
+        LDO     128(%sp),%sp       ; bump stack
+
+        ;
+        ; If only 1, the goto straight to cleanup
+        ;
+        CMPIB,= 1,num,bn_sqr_words_single_top
+    DEPDI,Z -1,32,33,high_mask   ; Create Mask 0xffffffff80000000L
+
+        ;
+        ; This loop is unrolled 2 times (64-byte aligned as well)
+        ;
+
+bn_sqr_words_unroll2
+    FLDD    0(a_ptr),t_float_0        ; a[0]
+    FLDD    8(a_ptr),t_float_1        ; a[1]
+    XMPYU   fht_0,flt_0,fm            ; m[0]
+    XMPYU   fht_1,flt_1,fm_1          ; m[1]
+
+    FSTD    fm,-24(%sp)               ; store m[0]
+    FSTD    fm_1,-56(%sp)             ; store m[1]
+    XMPYU   flt_0,flt_0,lt_temp       ; lt[0]
+    XMPYU   flt_1,flt_1,lt_temp_1     ; lt[1]
+
+    FSTD    lt_temp,-16(%sp)          ; store lt[0]
+    FSTD    lt_temp_1,-48(%sp)        ; store lt[1]
+    XMPYU   fht_0,fht_0,ht_temp       ; ht[0]
+    XMPYU   fht_1,fht_1,ht_temp_1     ; ht[1]
+
+    FSTD    ht_temp,-8(%sp)           ; store ht[0]
+    FSTD    ht_temp_1,-40(%sp)        ; store ht[1]
+    LDD     -24(%sp),m_0             
+    LDD     -56(%sp),m_1              
+
+    AND     m_0,high_mask,tmp_0       ; m[0] & Mask
+    AND     m_1,high_mask,tmp_1       ; m[1] & Mask
+    DEPD,Z  m_0,30,31,m_0             ; m[0] << 32+1
+    DEPD,Z  m_1,30,31,m_1             ; m[1] << 32+1
+
+    LDD     -16(%sp),lt_0        
+    LDD     -48(%sp),lt_1        
+    EXTRD,U tmp_0,32,33,tmp_0         ; tmp_0 = m[0]&Mask >> 32-1
+    EXTRD,U tmp_1,32,33,tmp_1         ; tmp_1 = m[1]&Mask >> 32-1
+
+    LDD     -8(%sp),ht_0            
+    LDD     -40(%sp),ht_1           
+    ADD,L   ht_0,tmp_0,ht_0           ; ht[0] += tmp_0
+    ADD,L   ht_1,tmp_1,ht_1           ; ht[1] += tmp_1
+
+    ADD     lt_0,m_0,lt_0             ; lt = lt+m
+    ADD,DC  ht_0,%r0,ht_0             ; ht[0]++
+    STD     lt_0,0(r_ptr)             ; rp[0] = lt[0]
+    STD     ht_0,8(r_ptr)             ; rp[1] = ht[1]
+
+    ADD     lt_1,m_1,lt_1             ; lt = lt+m
+    ADD,DC  ht_1,%r0,ht_1             ; ht[1]++
+    STD     lt_1,16(r_ptr)            ; rp[2] = lt[1]
+    STD     ht_1,24(r_ptr)            ; rp[3] = ht[1]
+
+        LDO    -2(num),num                ; num = num - 2;
+    LDO     16(a_ptr),a_ptr           ; ap += 2
+        CMPIB,<= 2,num,bn_sqr_words_unroll2
+    LDO     32(r_ptr),r_ptr           ; rp += 4
+
+    CMPIB,=,N 0,num,bn_sqr_words_exit ; are we done?
+
+        ;
+        ; Top of loop aligned on 64-byte boundary
+        ;
+bn_sqr_words_single_top
+    FLDD    0(a_ptr),t_float_0        ; load up 64-bit value (fr8L) ht(L)/lt(R)
+
+    XMPYU   fht_0,flt_0,fm            ; m
+    FSTD    fm,-24(%sp)               ; store m
+
+    XMPYU   flt_0,flt_0,lt_temp       ; lt
+    FSTD    lt_temp,-16(%sp)          ; store lt
+
+    XMPYU   fht_0,fht_0,ht_temp       ; ht
+    FSTD    ht_temp,-8(%sp)           ; store ht
+
+    LDD     -24(%sp),m_0              ; load m
+    AND     m_0,high_mask,tmp_0       ; m & Mask
+    DEPD,Z  m_0,30,31,m_0             ; m << 32+1
+    LDD     -16(%sp),lt_0             ; lt
+
+    LDD     -8(%sp),ht_0              ; ht
+    EXTRD,U tmp_0,32,33,tmp_0         ; tmp_0 = m&Mask >> 32-1
+    ADD     m_0,lt_0,lt_0             ; lt = lt+m
+    ADD,L   ht_0,tmp_0,ht_0           ; ht += tmp_0
+    ADD,DC  ht_0,%r0,ht_0             ; ht++
+
+    STD     lt_0,0(r_ptr)             ; rp[0] = lt
+    STD     ht_0,8(r_ptr)             ; rp[1] = ht
+
+bn_sqr_words_exit
+    .EXIT
+    LDD     -112(%sp),%r5       ; restore r5  
+    LDD     -120(%sp),%r4       ; restore r4  
+    BVE     (%rp)
+    LDD,MB  -128(%sp),%r3 
+        .PROCEND        ;in=23,24,25,26,29;out=28;
+
+
+;----------------------------------------------------------------------------
+;
+;BN_ULONG bn_add_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
+;
+; arg0 = rp 
+; arg1 = ap
+; arg2 = bp 
+; arg3 = n
+
+t  .reg %r22
+b  .reg %r21
+l  .reg %r20
+
+bn_add_words
+        .proc
+    .entry
+        .callinfo
+        .EXPORT bn_add_words,ENTRY,PRIV_LEV=3,NO_RELOCATION,LONG_RETURN
+        .align 64
+
+    CMPIB,>= 0,n,bn_add_words_exit
+    COPY    %r0,%ret0           ; return 0 by default
+
+        ;
+        ; If 2 or more numbers do the loop
+        ;
+        CMPIB,= 1,n,bn_add_words_single_top
+        NOP
+
+        ;
+        ; This loop is unrolled 2 times (64-byte aligned as well)
+        ;
+bn_add_words_unroll2
+        LDD     0(a_ptr),t
+        LDD     0(b_ptr),b
+        ADD     t,%ret0,t                    ; t = t+c;
+        ADD,DC  %r0,%r0,%ret0                ; set c to carry
+        ADD     t,b,l                        ; l = t + b[0]
+        ADD,DC  %ret0,%r0,%ret0              ; c+= carry
+        STD     l,0(r_ptr)
+
+        LDD     8(a_ptr),t
+        LDD     8(b_ptr),b
+        ADD     t,%ret0,t                     ; t = t+c;
+        ADD,DC  %r0,%r0,%ret0                 ; set c to carry
+        ADD     t,b,l                         ; l = t + b[0]
+        ADD,DC  %ret0,%r0,%ret0               ; c+= carry
+        STD     l,8(r_ptr)
+
+        LDO     -2(n),n
+        LDO     16(a_ptr),a_ptr
+        LDO     16(b_ptr),b_ptr
+
+        CMPIB,<= 2,n,bn_add_words_unroll2
+        LDO     16(r_ptr),r_ptr
+
+    CMPIB,=,N 0,n,bn_add_words_exit ; are we done?
+
+bn_add_words_single_top
+        LDD     0(a_ptr),t
+        LDD     0(b_ptr),b
+
+        ADD     t,%ret0,t                 ; t = t+c;
+        ADD,DC  %r0,%r0,%ret0             ; set c to carry (could use CMPCLR??)
+        ADD     t,b,l                     ; l = t + b[0]
+        ADD,DC  %ret0,%r0,%ret0           ; c+= carry
+        STD     l,0(r_ptr)
+
+bn_add_words_exit
+    .EXIT
+    BVE     (%rp)
+        NOP
+        .PROCEND        ;in=23,24,25,26,29;out=28;
+
+;----------------------------------------------------------------------------
+;
+;BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
+;
+; arg0 = rp 
+; arg1 = ap
+; arg2 = bp 
+; arg3 = n
+
+t1       .reg %r22
+t2       .reg %r21
+sub_tmp1 .reg %r20
+sub_tmp2 .reg %r19
+
+
+bn_sub_words
+        .proc
+        .callinfo 
+        .EXPORT bn_sub_words,ENTRY,PRIV_LEV=3,NO_RELOCATION,LONG_RETURN
+    .entry
+        .align 64
+
+    CMPIB,>=  0,n,bn_sub_words_exit
+    COPY    %r0,%ret0           ; return 0 by default
+
+        ;
+        ; If 2 or more numbers do the loop
+        ;
+        CMPIB,= 1,n,bn_sub_words_single_top
+        NOP
+
+        ;
+        ; This loop is unrolled 2 times (64-byte aligned as well)
+        ;
+bn_sub_words_unroll2
+        LDD     0(a_ptr),t1
+        LDD     0(b_ptr),t2
+        SUB     t1,t2,sub_tmp1           ; t3 = t1-t2; 
+        SUB     sub_tmp1,%ret0,sub_tmp1  ; t3 = t3- c; 
+
+        CMPCLR,*>> t1,t2,sub_tmp2        ; clear if t1 > t2
+        LDO      1(%r0),sub_tmp2
+        
+        CMPCLR,*= t1,t2,%r0
+        COPY    sub_tmp2,%ret0
+        STD     sub_tmp1,0(r_ptr)
+
+        LDD     8(a_ptr),t1
+        LDD     8(b_ptr),t2
+        SUB     t1,t2,sub_tmp1            ; t3 = t1-t2; 
+        SUB     sub_tmp1,%ret0,sub_tmp1   ; t3 = t3- c; 
+        CMPCLR,*>> t1,t2,sub_tmp2         ; clear if t1 > t2
+        LDO      1(%r0),sub_tmp2
+        
+        CMPCLR,*= t1,t2,%r0
+        COPY    sub_tmp2,%ret0
+        STD     sub_tmp1,8(r_ptr)
+
+        LDO     -2(n),n
+        LDO     16(a_ptr),a_ptr
+        LDO     16(b_ptr),b_ptr
+
+        CMPIB,<= 2,n,bn_sub_words_unroll2
+        LDO     16(r_ptr),r_ptr
+
+    CMPIB,=,N 0,n,bn_sub_words_exit ; are we done?
+
+bn_sub_words_single_top
+        LDD     0(a_ptr),t1
+        LDD     0(b_ptr),t2
+        SUB     t1,t2,sub_tmp1            ; t3 = t1-t2; 
+        SUB     sub_tmp1,%ret0,sub_tmp1   ; t3 = t3- c; 
+        CMPCLR,*>> t1,t2,sub_tmp2         ; clear if t1 > t2
+        LDO      1(%r0),sub_tmp2
+        
+        CMPCLR,*= t1,t2,%r0
+        COPY    sub_tmp2,%ret0
+
+        STD     sub_tmp1,0(r_ptr)
+
+bn_sub_words_exit
+    .EXIT
+    BVE     (%rp)
+        NOP
+        .PROCEND        ;in=23,24,25,26,29;out=28;
+
+;------------------------------------------------------------------------------
+;
+; unsigned long bn_div_words(unsigned long h, unsigned long l, unsigned long d)
+;
+; arg0 = h
+; arg1 = l
+; arg2 = d
+;
+; This is mainly just modified assembly from the compiler, thus the
+; lack of variable names.
+;
+;------------------------------------------------------------------------------
+bn_div_words
+        .proc
+        .callinfo CALLER,FRAME=272,ENTRY_GR=%r10,SAVE_RP,ARGS_SAVED,ORDERING_AWARE
+        .EXPORT bn_div_words,ENTRY,PRIV_LEV=3,NO_RELOCATION,LONG_RETURN
+        .IMPORT BN_num_bits_word,CODE,NO_RELOCATION
+        .IMPORT __iob,DATA
+        .IMPORT fprintf,CODE,NO_RELOCATION
+        .IMPORT abort,CODE,NO_RELOCATION
+        .IMPORT $$div2U,MILLICODE
+    .entry
+    STD     %r2,-16(%r30)   
+    STD,MA  %r3,352(%r30)   
+    STD     %r4,-344(%r30)  
+    STD     %r5,-336(%r30)  
+    STD     %r6,-328(%r30)  
+    STD     %r7,-320(%r30)  
+    STD     %r8,-312(%r30)  
+    STD     %r9,-304(%r30)  
+    STD     %r10,-296(%r30)
+
+    STD     %r27,-288(%r30)             ; save gp
+
+    COPY    %r24,%r3           ; save d 
+    COPY    %r26,%r4           ; save h (high 64-bits)
+    LDO      -1(%r0),%ret0     ; return -1 by default   
+
+    CMPB,*=  %r0,%arg2,$D3     ; if (d == 0)
+    COPY    %r25,%r5           ; save l (low 64-bits)
+
+    LDO     -48(%r30),%r29     ; create ap 
+    .CALL   ;in=26,29;out=28;
+    B,L     BN_num_bits_word,%r2 
+    COPY    %r3,%r26        
+    LDD     -288(%r30),%r27    ; restore gp 
+    LDI     64,%r21 
+
+    CMPB,=  %r21,%ret0,$00000012   ;if (i == 64) (forward) 
+    COPY    %ret0,%r24             ; i   
+    MTSARCM %r24    
+    DEPDI,Z -1,%sar,1,%r29  
+    CMPB,*<<,N %r29,%r4,bn_div_err_case ; if (h > 1<<i) (forward) 
+
+$00000012
+    SUBI    64,%r24,%r31                       ; i = 64 - i;
+    CMPCLR,*<< %r4,%r3,%r0                     ; if (h >= d)
+    SUB     %r4,%r3,%r4                        ; h -= d
+    CMPB,=  %r31,%r0,$0000001A                 ; if (i)
+    COPY    %r0,%r10                           ; ret = 0
+    MTSARCM %r31                               ; i to shift
+    DEPD,Z  %r3,%sar,64,%r3                    ; d <<= i;
+    SUBI    64,%r31,%r19                       ; 64 - i; redundent
+    MTSAR   %r19                               ; (64 -i) to shift
+    SHRPD   %r4,%r5,%sar,%r4                   ; l>> (64-i)
+    MTSARCM %r31                               ; i to shift
+    DEPD,Z  %r5,%sar,64,%r5                    ; l <<= i;
+
+$0000001A
+    DEPDI,Z -1,31,32,%r19                      
+    EXTRD,U %r3,31,32,%r6                      ; dh=(d&0xfff)>>32
+    EXTRD,U %r3,63,32,%r8                      ; dl = d&0xffffff
+    LDO     2(%r0),%r9
+    STD    %r3,-280(%r30)                      ; "d" to stack
+
+$0000001C
+    DEPDI,Z -1,63,32,%r29                      ; 
+    EXTRD,U %r4,31,32,%r31                     ; h >> 32
+    CMPB,*=,N  %r31,%r6,$D2                    ; if ((h>>32) != dh)(forward) div
+    COPY    %r4,%r26       
+    EXTRD,U %r4,31,32,%r25 
+    COPY    %r6,%r24      
+    .CALL   ;in=23,24,25,26;out=20,21,22,28,29; (MILLICALL)
+    B,L     $$div2U,%r2     
+    EXTRD,U %r6,31,32,%r23  
+    DEPD    %r28,31,32,%r29 
+$D2
+    STD     %r29,-272(%r30)                   ; q
+    AND     %r5,%r19,%r24                   ; t & 0xffffffff00000000;
+    EXTRD,U %r24,31,32,%r24                 ; ??? 
+    FLDD    -272(%r30),%fr7                 ; q
+    FLDD    -280(%r30),%fr8                 ; d
+    XMPYU   %fr8L,%fr7L,%fr10  
+    FSTD    %fr10,-256(%r30)   
+    XMPYU   %fr8L,%fr7R,%fr22  
+    FSTD    %fr22,-264(%r30)   
+    XMPYU   %fr8R,%fr7L,%fr11 
+    XMPYU   %fr8R,%fr7R,%fr23
+    FSTD    %fr11,-232(%r30)
+    FSTD    %fr23,-240(%r30)
+    LDD     -256(%r30),%r28
+    DEPD,Z  %r28,31,32,%r2 
+    LDD     -264(%r30),%r20
+    ADD,L   %r20,%r2,%r31   
+    LDD     -232(%r30),%r22 
+    DEPD,Z  %r22,31,32,%r22 
+    LDD     -240(%r30),%r21 
+    B       $00000024       ; enter loop  
+    ADD,L   %r21,%r22,%r23 
+
+$0000002A
+    LDO     -1(%r29),%r29   
+    SUB     %r23,%r8,%r23   
+$00000024
+    SUB     %r4,%r31,%r25   
+    AND     %r25,%r19,%r26  
+    CMPB,*<>,N      %r0,%r26,$00000046  ; (forward)
+    DEPD,Z  %r25,31,32,%r20 
+    OR      %r20,%r24,%r21  
+    CMPB,*<<,N  %r21,%r23,$0000002A ;(backward) 
+    SUB     %r31,%r6,%r31   
+;-------------Break path---------------------
+
+$00000046
+    DEPD,Z  %r23,31,32,%r25              ;tl
+    EXTRD,U %r23,31,32,%r26              ;t
+    AND     %r25,%r19,%r24               ;tl = (tl<<32)&0xfffffff0000000L
+    ADD,L   %r31,%r26,%r31               ;th += t; 
+    CMPCLR,*>>=     %r5,%r24,%r0         ;if (l<tl)
+    LDO     1(%r31),%r31                 ; th++;
+    CMPB,*<<=,N     %r31,%r4,$00000036   ;if (n < th) (forward)
+    LDO     -1(%r29),%r29                ;q--; 
+    ADD,L   %r4,%r3,%r4                  ;h += d;
+$00000036
+    ADDIB,=,N       -1,%r9,$D1 ;if (--count == 0) break (forward) 
+    SUB     %r5,%r24,%r28                ; l -= tl;
+    SUB     %r4,%r31,%r24                ; h -= th;
+    SHRPD   %r24,%r28,32,%r4             ; h = ((h<<32)|(l>>32));
+    DEPD,Z  %r29,31,32,%r10              ; ret = q<<32
+    b      $0000001C
+    DEPD,Z  %r28,31,32,%r5               ; l = l << 32 
+
+$D1
+    OR      %r10,%r29,%r28           ; ret |= q
+$D3
+    LDD     -368(%r30),%r2  
+$D0
+    LDD     -296(%r30),%r10 
+    LDD     -304(%r30),%r9  
+    LDD     -312(%r30),%r8  
+    LDD     -320(%r30),%r7  
+    LDD     -328(%r30),%r6  
+    LDD     -336(%r30),%r5  
+    LDD     -344(%r30),%r4  
+    BVE     (%r2)   
+        .EXIT
+    LDD,MB  -352(%r30),%r3 
+
+bn_div_err_case
+    MFIA    %r6     
+    ADDIL   L'bn_div_words-bn_div_err_case,%r6,%r1 
+    LDO     R'bn_div_words-bn_div_err_case(%r1),%r6  
+    ADDIL   LT'__iob,%r27,%r1       
+    LDD     RT'__iob(%r1),%r26      
+    ADDIL   L'C$4-bn_div_words,%r6,%r1    
+    LDO     R'C$4-bn_div_words(%r1),%r25  
+    LDO     64(%r26),%r26   
+    .CALL           ;in=24,25,26,29;out=28;
+    B,L     fprintf,%r2    
+    LDO     -48(%r30),%r29 
+    LDD     -288(%r30),%r27
+    .CALL           ;in=29;
+    B,L     abort,%r2      
+    LDO     -48(%r30),%r29 
+    LDD     -288(%r30),%r27
+    B       $D0         
+    LDD     -368(%r30),%r2  
+        .PROCEND        ;in=24,25,26,29;out=28;
+
+;----------------------------------------------------------------------------
+;
+; Registers to hold 64-bit values to manipulate.  The "L" part
+; of the register corresponds to the upper 32-bits, while the "R"
+; part corresponds to the lower 32-bits
+; 
+; Note, that when using b6 and b7, the code must save these before
+; using them because they are callee save registers 
+; 
+;
+; Floating point registers to use to save values that
+; are manipulated.  These don't collide with ftemp1-6 and
+; are all caller save registers
+;
+a0        .reg %fr22
+a0L       .reg %fr22L
+a0R       .reg %fr22R
+
+a1        .reg %fr23
+a1L       .reg %fr23L
+a1R       .reg %fr23R
+
+a2        .reg %fr24
+a2L       .reg %fr24L
+a2R       .reg %fr24R
+
+a3        .reg %fr25
+a3L       .reg %fr25L
+a3R       .reg %fr25R
+
+a4        .reg %fr26
+a4L       .reg %fr26L
+a4R       .reg %fr26R
+
+a5        .reg %fr27
+a5L       .reg %fr27L
+a5R       .reg %fr27R
+
+a6        .reg %fr28
+a6L       .reg %fr28L
+a6R       .reg %fr28R
+
+a7        .reg %fr29
+a7L       .reg %fr29L
+a7R       .reg %fr29R
+
+b0        .reg %fr30
+b0L       .reg %fr30L
+b0R       .reg %fr30R
+
+b1        .reg %fr31
+b1L       .reg %fr31L
+b1R       .reg %fr31R
+
+;
+; Temporary floating point variables, these are all caller save
+; registers
+;
+ftemp1    .reg %fr4
+ftemp2    .reg %fr5
+ftemp3    .reg %fr6
+ftemp4    .reg %fr7
+
+;
+; The B set of registers when used.
+;
+
+b2        .reg %fr8
+b2L       .reg %fr8L
+b2R       .reg %fr8R
+
+b3        .reg %fr9
+b3L       .reg %fr9L
+b3R       .reg %fr9R
+
+b4        .reg %fr10
+b4L       .reg %fr10L
+b4R       .reg %fr10R
+
+b5        .reg %fr11
+b5L       .reg %fr11L
+b5R       .reg %fr11R
+
+b6        .reg %fr12
+b6L       .reg %fr12L
+b6R       .reg %fr12R
+
+b7        .reg %fr13
+b7L       .reg %fr13L
+b7R       .reg %fr13R
+
+c1           .reg %r21   ; only reg
+temp1        .reg %r20   ; only reg
+temp2        .reg %r19   ; only reg
+temp3        .reg %r31   ; only reg
+
+m1           .reg %r28   
+c2           .reg %r23   
+high_one     .reg %r1
+ht           .reg %r6
+lt           .reg %r5
+m            .reg %r4
+c3           .reg %r3
+
+SQR_ADD_C  .macro  A0L,A0R,C1,C2,C3
+    XMPYU   A0L,A0R,ftemp1       ; m
+    FSTD    ftemp1,-24(%sp)      ; store m
+
+    XMPYU   A0R,A0R,ftemp2       ; lt
+    FSTD    ftemp2,-16(%sp)      ; store lt
+
+    XMPYU   A0L,A0L,ftemp3       ; ht
+    FSTD    ftemp3,-8(%sp)       ; store ht
+
+    LDD     -24(%sp),m           ; load m
+    AND     m,high_mask,temp2    ; m & Mask
+    DEPD,Z  m,30,31,temp3        ; m << 32+1
+    LDD     -16(%sp),lt          ; lt
+
+    LDD     -8(%sp),ht           ; ht
+    EXTRD,U temp2,32,33,temp1    ; temp1 = m&Mask >> 32-1
+    ADD     temp3,lt,lt          ; lt = lt+m
+    ADD,L   ht,temp1,ht          ; ht += temp1
+    ADD,DC  ht,%r0,ht            ; ht++
+
+    ADD     C1,lt,C1             ; c1=c1+lt
+    ADD,DC  ht,%r0,ht            ; ht++
+
+    ADD     C2,ht,C2             ; c2=c2+ht
+    ADD,DC  C3,%r0,C3            ; c3++
+.endm
+
+SQR_ADD_C2 .macro  A0L,A0R,A1L,A1R,C1,C2,C3
+    XMPYU   A0L,A1R,ftemp1          ; m1 = bl*ht
+    FSTD    ftemp1,-16(%sp)         ;
+    XMPYU   A0R,A1L,ftemp2          ; m = bh*lt
+    FSTD    ftemp2,-8(%sp)          ;
+    XMPYU   A0R,A1R,ftemp3          ; lt = bl*lt
+    FSTD    ftemp3,-32(%sp)
+    XMPYU   A0L,A1L,ftemp4          ; ht = bh*ht
+    FSTD    ftemp4,-24(%sp)         ;
+
+    LDD     -8(%sp),m               ; r21 = m
+    LDD     -16(%sp),m1             ; r19 = m1
+    ADD,L   m,m1,m                  ; m+m1
+
+    DEPD,Z  m,31,32,temp3           ; (m+m1<<32)
+    LDD     -24(%sp),ht             ; r24 = ht
+
+    CMPCLR,*>>= m,m1,%r0            ; if (m < m1)
+    ADD,L   ht,high_one,ht          ; ht+=high_one
+
+    EXTRD,U m,31,32,temp1           ; m >> 32
+    LDD     -32(%sp),lt             ; lt
+    ADD,L   ht,temp1,ht             ; ht+= m>>32
+    ADD     lt,temp3,lt             ; lt = lt+m1
+    ADD,DC  ht,%r0,ht               ; ht++
+
+    ADD     ht,ht,ht                ; ht=ht+ht;
+    ADD,DC  C3,%r0,C3               ; add in carry (c3++)
+
+    ADD     lt,lt,lt                ; lt=lt+lt;
+    ADD,DC  ht,%r0,ht               ; add in carry (ht++)
+
+    ADD     C1,lt,C1                ; c1=c1+lt
+    ADD,DC,*NUV ht,%r0,ht           ; add in carry (ht++)
+    LDO     1(C3),C3              ; bump c3 if overflow,nullify otherwise
+
+    ADD     C2,ht,C2                ; c2 = c2 + ht
+    ADD,DC  C3,%r0,C3             ; add in carry (c3++)
+.endm
+
+;
+;void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a)
+; arg0 = r_ptr
+; arg1 = a_ptr
+;
+
+bn_sqr_comba8
+        .PROC
+        .CALLINFO FRAME=128,ENTRY_GR=%r3,ARGS_SAVED,ORDERING_AWARE
+        .EXPORT bn_sqr_comba8,ENTRY,PRIV_LEV=3,NO_RELOCATION,LONG_RETURN
+    .ENTRY
+        .align 64
+
+    STD     %r3,0(%sp)          ; save r3
+    STD     %r4,8(%sp)          ; save r4
+    STD     %r5,16(%sp)         ; save r5
+    STD     %r6,24(%sp)         ; save r6
+
+        ;
+        ; Zero out carries
+        ;
+        COPY     %r0,c1
+        COPY     %r0,c2
+        COPY     %r0,c3
+
+        LDO      128(%sp),%sp       ; bump stack
+    DEPDI,Z -1,32,33,high_mask   ; Create Mask 0xffffffff80000000L
+    DEPDI,Z  1,31,1,high_one     ; Create Value  1 << 32
+
+        ;
+        ; Load up all of the values we are going to use
+        ;
+    FLDD     0(a_ptr),a0       
+    FLDD     8(a_ptr),a1       
+    FLDD    16(a_ptr),a2       
+    FLDD    24(a_ptr),a3       
+    FLDD    32(a_ptr),a4       
+    FLDD    40(a_ptr),a5       
+    FLDD    48(a_ptr),a6       
+    FLDD    56(a_ptr),a7       
+
+        SQR_ADD_C a0L,a0R,c1,c2,c3
+        STD     c1,0(r_ptr)          ; r[0] = c1;
+        COPY    %r0,c1
+
+        SQR_ADD_C2 a1L,a1R,a0L,a0R,c2,c3,c1
+        STD     c2,8(r_ptr)          ; r[1] = c2;
+        COPY    %r0,c2
+
+        SQR_ADD_C a1L,a1R,c3,c1,c2
+        SQR_ADD_C2 a2L,a2R,a0L,a0R,c3,c1,c2
+        STD     c3,16(r_ptr)            ; r[2] = c3;
+        COPY    %r0,c3
+
+        SQR_ADD_C2 a3L,a3R,a0L,a0R,c1,c2,c3
+        SQR_ADD_C2 a2L,a2R,a1L,a1R,c1,c2,c3
+        STD     c1,24(r_ptr)           ; r[3] = c1;
+        COPY    %r0,c1
+
+        SQR_ADD_C a2L,a2R,c2,c3,c1
+        SQR_ADD_C2 a3L,a3R,a1L,a1R,c2,c3,c1
+        SQR_ADD_C2 a4L,a4R,a0L,a0R,c2,c3,c1
+        STD     c2,32(r_ptr)          ; r[4] = c2;
+        COPY    %r0,c2
+
+        SQR_ADD_C2 a5L,a5R,a0L,a0R,c3,c1,c2
+        SQR_ADD_C2 a4L,a4R,a1L,a1R,c3,c1,c2
+        SQR_ADD_C2 a3L,a3R,a2L,a2R,c3,c1,c2
+        STD     c3,40(r_ptr)          ; r[5] = c3;
+        COPY    %r0,c3
+
+        SQR_ADD_C a3L,a3R,c1,c2,c3
+        SQR_ADD_C2 a4L,a4R,a2L,a2R,c1,c2,c3
+        SQR_ADD_C2 a5L,a5R,a1L,a1R,c1,c2,c3
+        SQR_ADD_C2 a6L,a6R,a0L,a0R,c1,c2,c3
+        STD     c1,48(r_ptr)          ; r[6] = c1;
+        COPY    %r0,c1
+
+        SQR_ADD_C2 a7L,a7R,a0L,a0R,c2,c3,c1
+        SQR_ADD_C2 a6L,a6R,a1L,a1R,c2,c3,c1
+        SQR_ADD_C2 a5L,a5R,a2L,a2R,c2,c3,c1
+        SQR_ADD_C2 a4L,a4R,a3L,a3R,c2,c3,c1
+        STD     c2,56(r_ptr)          ; r[7] = c2;
+        COPY    %r0,c2
+
+        SQR_ADD_C a4L,a4R,c3,c1,c2
+        SQR_ADD_C2 a5L,a5R,a3L,a3R,c3,c1,c2
+        SQR_ADD_C2 a6L,a6R,a2L,a2R,c3,c1,c2
+        SQR_ADD_C2 a7L,a7R,a1L,a1R,c3,c1,c2
+        STD     c3,64(r_ptr)          ; r[8] = c3;
+        COPY    %r0,c3
+
+        SQR_ADD_C2 a7L,a7R,a2L,a2R,c1,c2,c3
+        SQR_ADD_C2 a6L,a6R,a3L,a3R,c1,c2,c3
+        SQR_ADD_C2 a5L,a5R,a4L,a4R,c1,c2,c3
+        STD     c1,72(r_ptr)          ; r[9] = c1;
+        COPY    %r0,c1
+
+        SQR_ADD_C a5L,a5R,c2,c3,c1
+        SQR_ADD_C2 a6L,a6R,a4L,a4R,c2,c3,c1
+        SQR_ADD_C2 a7L,a7R,a3L,a3R,c2,c3,c1
+        STD     c2,80(r_ptr)          ; r[10] = c2;
+        COPY    %r0,c2
+
+        SQR_ADD_C2 a7L,a7R,a4L,a4R,c3,c1,c2
+        SQR_ADD_C2 a6L,a6R,a5L,a5R,c3,c1,c2
+        STD     c3,88(r_ptr)          ; r[11] = c3;
+        COPY    %r0,c3
+        
+        SQR_ADD_C a6L,a6R,c1,c2,c3
+        SQR_ADD_C2 a7L,a7R,a5L,a5R,c1,c2,c3
+        STD     c1,96(r_ptr)          ; r[12] = c1;
+        COPY    %r0,c1
+
+        SQR_ADD_C2 a7L,a7R,a6L,a6R,c2,c3,c1
+        STD     c2,104(r_ptr)         ; r[13] = c2;
+        COPY    %r0,c2
+
+        SQR_ADD_C a7L,a7R,c3,c1,c2
+        STD     c3, 112(r_ptr)       ; r[14] = c3
+        STD     c1, 120(r_ptr)       ; r[15] = c1
+
+    .EXIT
+    LDD     -104(%sp),%r6        ; restore r6
+    LDD     -112(%sp),%r5        ; restore r5
+    LDD     -120(%sp),%r4        ; restore r4
+    BVE     (%rp)
+    LDD,MB  -128(%sp),%r3
+
+        .PROCEND        
+
+;-----------------------------------------------------------------------------
+;
+;void bn_sqr_comba4(BN_ULONG *r, BN_ULONG *a)
+; arg0 = r_ptr
+; arg1 = a_ptr
+;
+
+bn_sqr_comba4
+        .proc
+        .callinfo FRAME=128,ENTRY_GR=%r3,ARGS_SAVED,ORDERING_AWARE
+        .EXPORT bn_sqr_comba4,ENTRY,PRIV_LEV=3,NO_RELOCATION,LONG_RETURN
+    .entry
+        .align 64
+    STD     %r3,0(%sp)          ; save r3
+    STD     %r4,8(%sp)          ; save r4
+    STD     %r5,16(%sp)         ; save r5
+    STD     %r6,24(%sp)         ; save r6
+
+        ;
+        ; Zero out carries
+        ;
+        COPY     %r0,c1
+        COPY     %r0,c2
+        COPY     %r0,c3
+
+        LDO      128(%sp),%sp       ; bump stack
+    DEPDI,Z -1,32,33,high_mask   ; Create Mask 0xffffffff80000000L
+    DEPDI,Z  1,31,1,high_one     ; Create Value  1 << 32
+
+        ;
+        ; Load up all of the values we are going to use
+        ;
+    FLDD     0(a_ptr),a0       
+    FLDD     8(a_ptr),a1       
+    FLDD    16(a_ptr),a2       
+    FLDD    24(a_ptr),a3       
+    FLDD    32(a_ptr),a4       
+    FLDD    40(a_ptr),a5       
+    FLDD    48(a_ptr),a6       
+    FLDD    56(a_ptr),a7       
+
+        SQR_ADD_C a0L,a0R,c1,c2,c3
+
+        STD     c1,0(r_ptr)          ; r[0] = c1;
+        COPY    %r0,c1
+
+        SQR_ADD_C2 a1L,a1R,a0L,a0R,c2,c3,c1
+
+        STD     c2,8(r_ptr)          ; r[1] = c2;
+        COPY    %r0,c2
+
+        SQR_ADD_C a1L,a1R,c3,c1,c2
+        SQR_ADD_C2 a2L,a2R,a0L,a0R,c3,c1,c2
+
+        STD     c3,16(r_ptr)            ; r[2] = c3;
+        COPY    %r0,c3
+
+        SQR_ADD_C2 a3L,a3R,a0L,a0R,c1,c2,c3
+        SQR_ADD_C2 a2L,a2R,a1L,a1R,c1,c2,c3
+
+        STD     c1,24(r_ptr)           ; r[3] = c1;
+        COPY    %r0,c1
+
+        SQR_ADD_C a2L,a2R,c2,c3,c1
+        SQR_ADD_C2 a3L,a3R,a1L,a1R,c2,c3,c1
+
+        STD     c2,32(r_ptr)           ; r[4] = c2;
+        COPY    %r0,c2
+
+        SQR_ADD_C2 a3L,a3R,a2L,a2R,c3,c1,c2
+        STD     c3,40(r_ptr)           ; r[5] = c3;
+        COPY    %r0,c3
+
+        SQR_ADD_C a3L,a3R,c1,c2,c3
+        STD     c1,48(r_ptr)           ; r[6] = c1;
+        STD     c2,56(r_ptr)           ; r[7] = c2;
+
+    .EXIT
+    LDD     -104(%sp),%r6        ; restore r6
+    LDD     -112(%sp),%r5        ; restore r5
+    LDD     -120(%sp),%r4        ; restore r4
+    BVE     (%rp)
+    LDD,MB  -128(%sp),%r3
+
+        .PROCEND        
+
+
+;---------------------------------------------------------------------------
+
+MUL_ADD_C  .macro  A0L,A0R,B0L,B0R,C1,C2,C3
+    XMPYU   A0L,B0R,ftemp1        ; m1 = bl*ht
+    FSTD    ftemp1,-16(%sp)       ;
+    XMPYU   A0R,B0L,ftemp2        ; m = bh*lt
+    FSTD    ftemp2,-8(%sp)        ;
+    XMPYU   A0R,B0R,ftemp3        ; lt = bl*lt
+    FSTD    ftemp3,-32(%sp)
+    XMPYU   A0L,B0L,ftemp4        ; ht = bh*ht
+    FSTD    ftemp4,-24(%sp)       ;
+
+    LDD     -8(%sp),m             ; r21 = m
+    LDD     -16(%sp),m1           ; r19 = m1
+    ADD,L   m,m1,m                ; m+m1
+
+    DEPD,Z  m,31,32,temp3         ; (m+m1<<32)
+    LDD     -24(%sp),ht           ; r24 = ht
+
+    CMPCLR,*>>= m,m1,%r0          ; if (m < m1)
+    ADD,L   ht,high_one,ht        ; ht+=high_one
+
+    EXTRD,U m,31,32,temp1         ; m >> 32
+    LDD     -32(%sp),lt           ; lt
+    ADD,L   ht,temp1,ht           ; ht+= m>>32
+    ADD     lt,temp3,lt           ; lt = lt+m1
+    ADD,DC  ht,%r0,ht             ; ht++
+
+    ADD     C1,lt,C1              ; c1=c1+lt
+    ADD,DC  ht,%r0,ht             ; bump c3 if overflow,nullify otherwise
+
+    ADD     C2,ht,C2              ; c2 = c2 + ht
+    ADD,DC  C3,%r0,C3             ; add in carry (c3++)
+.endm
+
+
+;
+;void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+; arg0 = r_ptr
+; arg1 = a_ptr
+; arg2 = b_ptr
+;
+
+bn_mul_comba8
+        .proc
+        .callinfo FRAME=128,ENTRY_GR=%r3,ARGS_SAVED,ORDERING_AWARE
+        .EXPORT bn_mul_comba8,ENTRY,PRIV_LEV=3,NO_RELOCATION,LONG_RETURN
+    .entry
+        .align 64
+
+    STD     %r3,0(%sp)          ; save r3
+    STD     %r4,8(%sp)          ; save r4
+    STD     %r5,16(%sp)         ; save r5
+    STD     %r6,24(%sp)         ; save r6
+    FSTD    %fr12,32(%sp)       ; save r6
+    FSTD    %fr13,40(%sp)       ; save r7
+
+        ;
+        ; Zero out carries
+        ;
+        COPY     %r0,c1
+        COPY     %r0,c2
+        COPY     %r0,c3
+
+        LDO      128(%sp),%sp       ; bump stack
+    DEPDI,Z  1,31,1,high_one     ; Create Value  1 << 32
+
+        ;
+        ; Load up all of the values we are going to use
+        ;
+    FLDD      0(a_ptr),a0       
+    FLDD      8(a_ptr),a1       
+    FLDD     16(a_ptr),a2       
+    FLDD     24(a_ptr),a3       
+    FLDD     32(a_ptr),a4       
+    FLDD     40(a_ptr),a5       
+    FLDD     48(a_ptr),a6       
+    FLDD     56(a_ptr),a7       
+
+    FLDD      0(b_ptr),b0       
+    FLDD      8(b_ptr),b1       
+    FLDD     16(b_ptr),b2       
+    FLDD     24(b_ptr),b3       
+    FLDD     32(b_ptr),b4       
+    FLDD     40(b_ptr),b5       
+    FLDD     48(b_ptr),b6       
+    FLDD     56(b_ptr),b7       
+
+        MUL_ADD_C a0L,a0R,b0L,b0R,c1,c2,c3
+        STD       c1,0(r_ptr)
+        COPY      %r0,c1
+
+        MUL_ADD_C a0L,a0R,b1L,b1R,c2,c3,c1
+        MUL_ADD_C a1L,a1R,b0L,b0R,c2,c3,c1
+        STD       c2,8(r_ptr)
+        COPY      %r0,c2
+
+        MUL_ADD_C a2L,a2R,b0L,b0R,c3,c1,c2
+        MUL_ADD_C a1L,a1R,b1L,b1R,c3,c1,c2
+        MUL_ADD_C a0L,a0R,b2L,b2R,c3,c1,c2
+        STD       c3,16(r_ptr)
+        COPY      %r0,c3
+
+        MUL_ADD_C a0L,a0R,b3L,b3R,c1,c2,c3
+        MUL_ADD_C a1L,a1R,b2L,b2R,c1,c2,c3
+        MUL_ADD_C a2L,a2R,b1L,b1R,c1,c2,c3
+        MUL_ADD_C a3L,a3R,b0L,b0R,c1,c2,c3
+        STD       c1,24(r_ptr)
+        COPY      %r0,c1
+
+        MUL_ADD_C a4L,a4R,b0L,b0R,c2,c3,c1
+        MUL_ADD_C a3L,a3R,b1L,b1R,c2,c3,c1
+        MUL_ADD_C a2L,a2R,b2L,b2R,c2,c3,c1
+        MUL_ADD_C a1L,a1R,b3L,b3R,c2,c3,c1
+        MUL_ADD_C a0L,a0R,b4L,b4R,c2,c3,c1
+        STD       c2,32(r_ptr)
+        COPY      %r0,c2
+
+        MUL_ADD_C a0L,a0R,b5L,b5R,c3,c1,c2
+        MUL_ADD_C a1L,a1R,b4L,b4R,c3,c1,c2
+        MUL_ADD_C a2L,a2R,b3L,b3R,c3,c1,c2
+        MUL_ADD_C a3L,a3R,b2L,b2R,c3,c1,c2
+        MUL_ADD_C a4L,a4R,b1L,b1R,c3,c1,c2
+        MUL_ADD_C a5L,a5R,b0L,b0R,c3,c1,c2
+        STD       c3,40(r_ptr)
+        COPY      %r0,c3
+
+        MUL_ADD_C a6L,a6R,b0L,b0R,c1,c2,c3
+        MUL_ADD_C a5L,a5R,b1L,b1R,c1,c2,c3
+        MUL_ADD_C a4L,a4R,b2L,b2R,c1,c2,c3
+        MUL_ADD_C a3L,a3R,b3L,b3R,c1,c2,c3
+        MUL_ADD_C a2L,a2R,b4L,b4R,c1,c2,c3
+        MUL_ADD_C a1L,a1R,b5L,b5R,c1,c2,c3
+        MUL_ADD_C a0L,a0R,b6L,b6R,c1,c2,c3
+        STD       c1,48(r_ptr)
+        COPY      %r0,c1
+        
+        MUL_ADD_C a0L,a0R,b7L,b7R,c2,c3,c1
+        MUL_ADD_C a1L,a1R,b6L,b6R,c2,c3,c1
+        MUL_ADD_C a2L,a2R,b5L,b5R,c2,c3,c1
+        MUL_ADD_C a3L,a3R,b4L,b4R,c2,c3,c1
+        MUL_ADD_C a4L,a4R,b3L,b3R,c2,c3,c1
+        MUL_ADD_C a5L,a5R,b2L,b2R,c2,c3,c1
+        MUL_ADD_C a6L,a6R,b1L,b1R,c2,c3,c1
+        MUL_ADD_C a7L,a7R,b0L,b0R,c2,c3,c1
+        STD       c2,56(r_ptr)
+        COPY      %r0,c2
+
+        MUL_ADD_C a7L,a7R,b1L,b1R,c3,c1,c2
+        MUL_ADD_C a6L,a6R,b2L,b2R,c3,c1,c2
+        MUL_ADD_C a5L,a5R,b3L,b3R,c3,c1,c2
+        MUL_ADD_C a4L,a4R,b4L,b4R,c3,c1,c2
+        MUL_ADD_C a3L,a3R,b5L,b5R,c3,c1,c2
+        MUL_ADD_C a2L,a2R,b6L,b6R,c3,c1,c2
+        MUL_ADD_C a1L,a1R,b7L,b7R,c3,c1,c2
+        STD       c3,64(r_ptr)
+        COPY      %r0,c3
+
+        MUL_ADD_C a2L,a2R,b7L,b7R,c1,c2,c3
+        MUL_ADD_C a3L,a3R,b6L,b6R,c1,c2,c3
+        MUL_ADD_C a4L,a4R,b5L,b5R,c1,c2,c3
+        MUL_ADD_C a5L,a5R,b4L,b4R,c1,c2,c3
+        MUL_ADD_C a6L,a6R,b3L,b3R,c1,c2,c3
+        MUL_ADD_C a7L,a7R,b2L,b2R,c1,c2,c3
+        STD       c1,72(r_ptr)
+        COPY      %r0,c1
+
+        MUL_ADD_C a7L,a7R,b3L,b3R,c2,c3,c1
+        MUL_ADD_C a6L,a6R,b4L,b4R,c2,c3,c1
+        MUL_ADD_C a5L,a5R,b5L,b5R,c2,c3,c1
+        MUL_ADD_C a4L,a4R,b6L,b6R,c2,c3,c1
+        MUL_ADD_C a3L,a3R,b7L,b7R,c2,c3,c1
+        STD       c2,80(r_ptr)
+        COPY      %r0,c2
+
+        MUL_ADD_C a4L,a4R,b7L,b7R,c3,c1,c2
+        MUL_ADD_C a5L,a5R,b6L,b6R,c3,c1,c2
+        MUL_ADD_C a6L,a6R,b5L,b5R,c3,c1,c2
+        MUL_ADD_C a7L,a7R,b4L,b4R,c3,c1,c2
+        STD       c3,88(r_ptr)
+        COPY      %r0,c3
+
+        MUL_ADD_C a7L,a7R,b5L,b5R,c1,c2,c3
+        MUL_ADD_C a6L,a6R,b6L,b6R,c1,c2,c3
+        MUL_ADD_C a5L,a5R,b7L,b7R,c1,c2,c3
+        STD       c1,96(r_ptr)
+        COPY      %r0,c1
+
+        MUL_ADD_C a6L,a6R,b7L,b7R,c2,c3,c1
+        MUL_ADD_C a7L,a7R,b6L,b6R,c2,c3,c1
+        STD       c2,104(r_ptr)
+        COPY      %r0,c2
+
+        MUL_ADD_C a7L,a7R,b7L,b7R,c3,c1,c2
+        STD       c3,112(r_ptr)
+        STD       c1,120(r_ptr)
+
+    .EXIT
+    FLDD    -88(%sp),%fr13 
+    FLDD    -96(%sp),%fr12 
+    LDD     -104(%sp),%r6        ; restore r6
+    LDD     -112(%sp),%r5        ; restore r5
+    LDD     -120(%sp),%r4        ; restore r4
+    BVE     (%rp)
+    LDD,MB  -128(%sp),%r3
+
+        .PROCEND        
+
+;-----------------------------------------------------------------------------
+;
+;void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+; arg0 = r_ptr
+; arg1 = a_ptr
+; arg2 = b_ptr
+;
+
+bn_mul_comba4
+        .proc
+        .callinfo FRAME=128,ENTRY_GR=%r3,ARGS_SAVED,ORDERING_AWARE
+        .EXPORT bn_mul_comba4,ENTRY,PRIV_LEV=3,NO_RELOCATION,LONG_RETURN
+    .entry
+        .align 64
+
+    STD     %r3,0(%sp)          ; save r3
+    STD     %r4,8(%sp)          ; save r4
+    STD     %r5,16(%sp)         ; save r5
+    STD     %r6,24(%sp)         ; save r6
+    FSTD    %fr12,32(%sp)       ; save r6
+    FSTD    %fr13,40(%sp)       ; save r7
+
+        ;
+        ; Zero out carries
+        ;
+        COPY     %r0,c1
+        COPY     %r0,c2
+        COPY     %r0,c3
+
+        LDO      128(%sp),%sp       ; bump stack
+    DEPDI,Z  1,31,1,high_one     ; Create Value  1 << 32
+
+        ;
+        ; Load up all of the values we are going to use
+        ;
+    FLDD      0(a_ptr),a0       
+    FLDD      8(a_ptr),a1       
+    FLDD     16(a_ptr),a2       
+    FLDD     24(a_ptr),a3       
+
+    FLDD      0(b_ptr),b0       
+    FLDD      8(b_ptr),b1       
+    FLDD     16(b_ptr),b2       
+    FLDD     24(b_ptr),b3       
+
+        MUL_ADD_C a0L,a0R,b0L,b0R,c1,c2,c3
+        STD       c1,0(r_ptr)
+        COPY      %r0,c1
+
+        MUL_ADD_C a0L,a0R,b1L,b1R,c2,c3,c1
+        MUL_ADD_C a1L,a1R,b0L,b0R,c2,c3,c1
+        STD       c2,8(r_ptr)
+        COPY      %r0,c2
+
+        MUL_ADD_C a2L,a2R,b0L,b0R,c3,c1,c2
+        MUL_ADD_C a1L,a1R,b1L,b1R,c3,c1,c2
+        MUL_ADD_C a0L,a0R,b2L,b2R,c3,c1,c2
+        STD       c3,16(r_ptr)
+        COPY      %r0,c3
+
+        MUL_ADD_C a0L,a0R,b3L,b3R,c1,c2,c3
+        MUL_ADD_C a1L,a1R,b2L,b2R,c1,c2,c3
+        MUL_ADD_C a2L,a2R,b1L,b1R,c1,c2,c3
+        MUL_ADD_C a3L,a3R,b0L,b0R,c1,c2,c3
+        STD       c1,24(r_ptr)
+        COPY      %r0,c1
+
+        MUL_ADD_C a3L,a3R,b1L,b1R,c2,c3,c1
+        MUL_ADD_C a2L,a2R,b2L,b2R,c2,c3,c1
+        MUL_ADD_C a1L,a1R,b3L,b3R,c2,c3,c1
+        STD       c2,32(r_ptr)
+        COPY      %r0,c2
+
+        MUL_ADD_C a2L,a2R,b3L,b3R,c3,c1,c2
+        MUL_ADD_C a3L,a3R,b2L,b2R,c3,c1,c2
+        STD       c3,40(r_ptr)
+        COPY      %r0,c3
+
+        MUL_ADD_C a3L,a3R,b3L,b3R,c1,c2,c3
+        STD       c1,48(r_ptr)
+        STD       c2,56(r_ptr)
+
+    .EXIT
+    FLDD    -88(%sp),%fr13 
+    FLDD    -96(%sp),%fr12 
+    LDD     -104(%sp),%r6        ; restore r6
+    LDD     -112(%sp),%r5        ; restore r5
+    LDD     -120(%sp),%r4        ; restore r4
+    BVE     (%rp)
+    LDD,MB  -128(%sp),%r3
+
+        .PROCEND        
+
+
+        .SPACE  $TEXT$
+        .SUBSPA $CODE$
+        .SPACE  $PRIVATE$,SORT=16
+        .IMPORT $global$,DATA
+        .SPACE  $TEXT$
+        .SUBSPA $CODE$
+        .SUBSPA $LIT$,QUAD=0,ALIGN=8,ACCESS=0x2c,SORT=16
+C$4
+        .ALIGN  8
+        .STRINGZ        "Division would overflow (%d)\n"
+        .END
diff --git a/src/lib/libssl/src/crypto/bn/asm/sparcv8.S b/src/lib/libssl/src/crypto/bn/asm/sparcv8.S
new file mode 100644
index 0000000000..88c5dc480a
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/sparcv8.S
@@ -0,0 +1,1458 @@
+.ident  "sparcv8.s, Version 1.4"
+.ident  "SPARC v8 ISA artwork by Andy Polyakov <appro@fy.chalmers.se>"
+
+/*
+ * ====================================================================
+ * Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+ * project.
+ *
+ * Rights for redistribution and usage in source and binary forms are
+ * granted according to the OpenSSL license. Warranty of any kind is
+ * disclaimed.
+ * ====================================================================
+ */
+
+/*
+ * This is my modest contributon to OpenSSL project (see
+ * http://www.openssl.org/ for more information about it) and is
+ * a drop-in SuperSPARC ISA replacement for crypto/bn/bn_asm.c
+ * module. For updates see http://fy.chalmers.se/~appro/hpe/.
+ *
+ * See bn_asm.sparc.v8plus.S for more details.
+ */
+
+/*
+ * Revision history.
+ *
+ * 1.1  - new loop unrolling model(*);
+ * 1.2  - made gas friendly;
+ * 1.3  - fixed problem with /usr/ccs/lib/cpp;
+ * 1.4  - some retunes;
+ *
+ * (*)  see bn_asm.sparc.v8plus.S for details
+ */
+
+.section        ".text",#alloc,#execinstr
+.file           "bn_asm.sparc.v8.S"
+
+.align  32
+
+.global bn_mul_add_words
+/*
+ * BN_ULONG bn_mul_add_words(rp,ap,num,w)
+ * BN_ULONG *rp,*ap;
+ * int num;
+ * BN_ULONG w;
+ */
+bn_mul_add_words:
+        cmp     %o2,0
+        bg,a    .L_bn_mul_add_words_proceed
+        ld      [%o1],%g2
+        retl
+        clr     %o0
+
+.L_bn_mul_add_words_proceed:
+        andcc   %o2,-4,%g0
+        bz      .L_bn_mul_add_words_tail
+        clr     %o5
+
+.L_bn_mul_add_words_loop:
+        ld      [%o0],%o4
+        ld      [%o1+4],%g3
+        umul    %o3,%g2,%g2
+        rd      %y,%g1
+        addcc   %o4,%o5,%o4
+        addx    %g1,0,%g1
+        addcc   %o4,%g2,%o4
+        st      %o4,[%o0]
+        addx    %g1,0,%o5
+
+        ld      [%o0+4],%o4
+        ld      [%o1+8],%g2
+        umul    %o3,%g3,%g3
+        dec     4,%o2
+        rd      %y,%g1
+        addcc   %o4,%o5,%o4
+        addx    %g1,0,%g1
+        addcc   %o4,%g3,%o4
+        st      %o4,[%o0+4]
+        addx    %g1,0,%o5
+
+        ld      [%o0+8],%o4
+        ld      [%o1+12],%g3
+        umul    %o3,%g2,%g2
+        inc     16,%o1
+        rd      %y,%g1
+        addcc   %o4,%o5,%o4
+        addx    %g1,0,%g1
+        addcc   %o4,%g2,%o4
+        st      %o4,[%o0+8]
+        addx    %g1,0,%o5
+
+        ld      [%o0+12],%o4
+        umul    %o3,%g3,%g3
+        inc     16,%o0
+        rd      %y,%g1
+        addcc   %o4,%o5,%o4
+        addx    %g1,0,%g1
+        addcc   %o4,%g3,%o4
+        st      %o4,[%o0-4]
+        addx    %g1,0,%o5
+        andcc   %o2,-4,%g0
+        bnz,a   .L_bn_mul_add_words_loop
+        ld      [%o1],%g2
+
+        tst     %o2
+        bnz,a   .L_bn_mul_add_words_tail
+        ld      [%o1],%g2
+.L_bn_mul_add_words_return:
+        retl
+        mov     %o5,%o0
+        nop
+
+.L_bn_mul_add_words_tail:
+        ld      [%o0],%o4
+        umul    %o3,%g2,%g2
+        addcc   %o4,%o5,%o4
+        rd      %y,%g1
+        addx    %g1,0,%g1
+        addcc   %o4,%g2,%o4
+        addx    %g1,0,%o5
+        deccc   %o2
+        bz      .L_bn_mul_add_words_return
+        st      %o4,[%o0]
+
+        ld      [%o1+4],%g2
+        ld      [%o0+4],%o4
+        umul    %o3,%g2,%g2
+        rd      %y,%g1
+        addcc   %o4,%o5,%o4
+        addx    %g1,0,%g1
+        addcc   %o4,%g2,%o4
+        addx    %g1,0,%o5
+        deccc   %o2
+        bz      .L_bn_mul_add_words_return
+        st      %o4,[%o0+4]
+
+        ld      [%o1+8],%g2
+        ld      [%o0+8],%o4
+        umul    %o3,%g2,%g2
+        rd      %y,%g1
+        addcc   %o4,%o5,%o4
+        addx    %g1,0,%g1
+        addcc   %o4,%g2,%o4
+        st      %o4,[%o0+8]
+        retl
+        addx    %g1,0,%o0
+
+.type   bn_mul_add_words,#function
+.size   bn_mul_add_words,(.-bn_mul_add_words)
+
+.align  32
+
+.global bn_mul_words
+/*
+ * BN_ULONG bn_mul_words(rp,ap,num,w)
+ * BN_ULONG *rp,*ap;
+ * int num;
+ * BN_ULONG w;
+ */
+bn_mul_words:
+        cmp     %o2,0
+        bg,a    .L_bn_mul_words_proceeed
+        ld      [%o1],%g2
+        retl
+        clr     %o0
+
+.L_bn_mul_words_proceeed:
+        andcc   %o2,-4,%g0
+        bz      .L_bn_mul_words_tail
+        clr     %o5
+
+.L_bn_mul_words_loop:
+        ld      [%o1+4],%g3
+        umul    %o3,%g2,%g2
+        addcc   %g2,%o5,%g2
+        rd      %y,%g1
+        addx    %g1,0,%o5
+        st      %g2,[%o0]
+
+        ld      [%o1+8],%g2
+        umul    %o3,%g3,%g3
+        addcc   %g3,%o5,%g3
+        rd      %y,%g1
+        dec     4,%o2
+        addx    %g1,0,%o5
+        st      %g3,[%o0+4]
+
+        ld      [%o1+12],%g3
+        umul    %o3,%g2,%g2
+        addcc   %g2,%o5,%g2
+        rd      %y,%g1
+        inc     16,%o1
+        st      %g2,[%o0+8]
+        addx    %g1,0,%o5
+
+        umul    %o3,%g3,%g3
+        addcc   %g3,%o5,%g3
+        rd      %y,%g1
+        inc     16,%o0
+        addx    %g1,0,%o5
+        st      %g3,[%o0-4]
+        andcc   %o2,-4,%g0
+        nop
+        bnz,a   .L_bn_mul_words_loop
+        ld      [%o1],%g2
+
+        tst     %o2
+        bnz,a   .L_bn_mul_words_tail
+        ld      [%o1],%g2
+.L_bn_mul_words_return:
+        retl
+        mov     %o5,%o0
+        nop
+
+.L_bn_mul_words_tail:
+        umul    %o3,%g2,%g2
+        addcc   %g2,%o5,%g2
+        rd      %y,%g1
+        addx    %g1,0,%o5
+        deccc   %o2
+        bz      .L_bn_mul_words_return
+        st      %g2,[%o0]
+        nop
+
+        ld      [%o1+4],%g2
+        umul    %o3,%g2,%g2
+        addcc   %g2,%o5,%g2
+        rd      %y,%g1
+        addx    %g1,0,%o5
+        deccc   %o2
+        bz      .L_bn_mul_words_return
+        st      %g2,[%o0+4]
+
+        ld      [%o1+8],%g2
+        umul    %o3,%g2,%g2
+        addcc   %g2,%o5,%g2
+        rd      %y,%g1
+        st      %g2,[%o0+8]
+        retl
+        addx    %g1,0,%o0
+
+.type   bn_mul_words,#function
+.size   bn_mul_words,(.-bn_mul_words)
+
+.align  32
+.global bn_sqr_words
+/*
+ * void bn_sqr_words(r,a,n)
+ * BN_ULONG *r,*a;
+ * int n;
+ */
+bn_sqr_words:
+        cmp     %o2,0
+        bg,a    .L_bn_sqr_words_proceeed
+        ld      [%o1],%g2
+        retl
+        clr     %o0
+
+.L_bn_sqr_words_proceeed:
+        andcc   %o2,-4,%g0
+        bz      .L_bn_sqr_words_tail
+        clr     %o5
+
+.L_bn_sqr_words_loop:
+        ld      [%o1+4],%g3
+        umul    %g2,%g2,%o4
+        st      %o4,[%o0]
+        rd      %y,%o5
+        st      %o5,[%o0+4]
+
+        ld      [%o1+8],%g2
+        umul    %g3,%g3,%o4
+        dec     4,%o2
+        st      %o4,[%o0+8]
+        rd      %y,%o5
+        st      %o5,[%o0+12]
+        nop
+
+        ld      [%o1+12],%g3
+        umul    %g2,%g2,%o4
+        st      %o4,[%o0+16]
+        rd      %y,%o5
+        inc     16,%o1
+        st      %o5,[%o0+20]
+
+        umul    %g3,%g3,%o4
+        inc     32,%o0
+        st      %o4,[%o0-8]
+        rd      %y,%o5
+        st      %o5,[%o0-4]
+        andcc   %o2,-4,%g2
+        bnz,a   .L_bn_sqr_words_loop
+        ld      [%o1],%g2
+
+        tst     %o2
+        nop
+        bnz,a   .L_bn_sqr_words_tail
+        ld      [%o1],%g2
+.L_bn_sqr_words_return:
+        retl
+        clr     %o0
+
+.L_bn_sqr_words_tail:
+        umul    %g2,%g2,%o4
+        st      %o4,[%o0]
+        deccc   %o2
+        rd      %y,%o5
+        bz      .L_bn_sqr_words_return
+        st      %o5,[%o0+4]
+
+        ld      [%o1+4],%g2
+        umul    %g2,%g2,%o4
+        st      %o4,[%o0+8]
+        deccc   %o2
+        rd      %y,%o5
+        nop
+        bz      .L_bn_sqr_words_return
+        st      %o5,[%o0+12]
+
+        ld      [%o1+8],%g2
+        umul    %g2,%g2,%o4
+        st      %o4,[%o0+16]
+        rd      %y,%o5
+        st      %o5,[%o0+20]
+        retl
+        clr     %o0
+
+.type   bn_sqr_words,#function
+.size   bn_sqr_words,(.-bn_sqr_words)
+
+.align  32
+
+.global bn_div_words
+/*
+ * BN_ULONG bn_div_words(h,l,d)
+ * BN_ULONG h,l,d;
+ */
+bn_div_words:
+        wr      %o0,%y
+        udiv    %o1,%o2,%o0
+        retl
+        nop
+
+.type   bn_div_words,#function
+.size   bn_div_words,(.-bn_div_words)
+
+.align  32
+
+.global bn_add_words
+/*
+ * BN_ULONG bn_add_words(rp,ap,bp,n)
+ * BN_ULONG *rp,*ap,*bp;
+ * int n;
+ */
+bn_add_words:
+        cmp     %o3,0
+        bg,a    .L_bn_add_words_proceed
+        ld      [%o1],%o4
+        retl
+        clr     %o0
+
+.L_bn_add_words_proceed:
+        andcc   %o3,-4,%g0
+        bz      .L_bn_add_words_tail
+        clr     %g1
+        ba      .L_bn_add_words_warn_loop
+        addcc   %g0,0,%g0       ! clear carry flag
+
+.L_bn_add_words_loop:
+        ld      [%o1],%o4
+.L_bn_add_words_warn_loop:
+        ld      [%o2],%o5
+        ld      [%o1+4],%g3
+        ld      [%o2+4],%g4
+        dec     4,%o3
+        addxcc  %o5,%o4,%o5
+        st      %o5,[%o0]
+
+        ld      [%o1+8],%o4
+        ld      [%o2+8],%o5
+        inc     16,%o1
+        addxcc  %g3,%g4,%g3
+        st      %g3,[%o0+4]
+        
+        ld      [%o1-4],%g3
+        ld      [%o2+12],%g4
+        inc     16,%o2
+        addxcc  %o5,%o4,%o5
+        st      %o5,[%o0+8]
+
+        inc     16,%o0
+        addxcc  %g3,%g4,%g3
+        st      %g3,[%o0-4]
+        addx    %g0,0,%g1
+        andcc   %o3,-4,%g0
+        bnz,a   .L_bn_add_words_loop
+        addcc   %g1,-1,%g0
+
+        tst     %o3
+        bnz,a   .L_bn_add_words_tail
+        ld      [%o1],%o4
+.L_bn_add_words_return:
+        retl
+        mov     %g1,%o0
+
+.L_bn_add_words_tail:
+        addcc   %g1,-1,%g0
+        ld      [%o2],%o5
+        addxcc  %o5,%o4,%o5
+        addx    %g0,0,%g1
+        deccc   %o3
+        bz      .L_bn_add_words_return
+        st      %o5,[%o0]
+
+        ld      [%o1+4],%o4
+        addcc   %g1,-1,%g0
+        ld      [%o2+4],%o5
+        addxcc  %o5,%o4,%o5
+        addx    %g0,0,%g1
+        deccc   %o3
+        bz      .L_bn_add_words_return
+        st      %o5,[%o0+4]
+
+        ld      [%o1+8],%o4
+        addcc   %g1,-1,%g0
+        ld      [%o2+8],%o5
+        addxcc  %o5,%o4,%o5
+        st      %o5,[%o0+8]
+        retl
+        addx    %g0,0,%o0
+
+.type   bn_add_words,#function
+.size   bn_add_words,(.-bn_add_words)
+
+.align  32
+
+.global bn_sub_words
+/*
+ * BN_ULONG bn_sub_words(rp,ap,bp,n)
+ * BN_ULONG *rp,*ap,*bp;
+ * int n;
+ */
+bn_sub_words:
+        cmp     %o3,0
+        bg,a    .L_bn_sub_words_proceed
+        ld      [%o1],%o4
+        retl
+        clr     %o0
+
+.L_bn_sub_words_proceed:
+        andcc   %o3,-4,%g0
+        bz      .L_bn_sub_words_tail
+        clr     %g1
+        ba      .L_bn_sub_words_warm_loop
+        addcc   %g0,0,%g0       ! clear carry flag
+
+.L_bn_sub_words_loop:
+        ld      [%o1],%o4
+.L_bn_sub_words_warm_loop:
+        ld      [%o2],%o5
+        ld      [%o1+4],%g3
+        ld      [%o2+4],%g4
+        dec     4,%o3
+        subxcc  %o4,%o5,%o5
+        st      %o5,[%o0]
+
+        ld      [%o1+8],%o4
+        ld      [%o2+8],%o5
+        inc     16,%o1
+        subxcc  %g3,%g4,%g4
+        st      %g4,[%o0+4]
+        
+        ld      [%o1-4],%g3
+        ld      [%o2+12],%g4
+        inc     16,%o2
+        subxcc  %o4,%o5,%o5
+        st      %o5,[%o0+8]
+
+        inc     16,%o0
+        subxcc  %g3,%g4,%g4
+        st      %g4,[%o0-4]
+        addx    %g0,0,%g1
+        andcc   %o3,-4,%g0
+        bnz,a   .L_bn_sub_words_loop
+        addcc   %g1,-1,%g0
+
+        tst     %o3
+        nop
+        bnz,a   .L_bn_sub_words_tail
+        ld      [%o1],%o4
+.L_bn_sub_words_return:
+        retl
+        mov     %g1,%o0
+
+.L_bn_sub_words_tail:
+        addcc   %g1,-1,%g0
+        ld      [%o2],%o5
+        subxcc  %o4,%o5,%o5
+        addx    %g0,0,%g1
+        deccc   %o3
+        bz      .L_bn_sub_words_return
+        st      %o5,[%o0]
+        nop
+
+        ld      [%o1+4],%o4
+        addcc   %g1,-1,%g0
+        ld      [%o2+4],%o5
+        subxcc  %o4,%o5,%o5
+        addx    %g0,0,%g1
+        deccc   %o3
+        bz      .L_bn_sub_words_return
+        st      %o5,[%o0+4]
+
+        ld      [%o1+8],%o4
+        addcc   %g1,-1,%g0
+        ld      [%o2+8],%o5
+        subxcc  %o4,%o5,%o5
+        st      %o5,[%o0+8]
+        retl
+        addx    %g0,0,%o0
+
+.type   bn_sub_words,#function
+.size   bn_sub_words,(.-bn_sub_words)
+
+#define FRAME_SIZE      -96
+
+/*
+ * Here is register usage map for *all* routines below.
+ */
+#define t_1     %o0
+#define t_2     %o1
+#define c_1     %o2
+#define c_2     %o3
+#define c_3     %o4
+
+#define ap(I)   [%i1+4*I]
+#define bp(I)   [%i2+4*I]
+#define rp(I)   [%i0+4*I]
+
+#define a_0     %l0
+#define a_1     %l1
+#define a_2     %l2
+#define a_3     %l3
+#define a_4     %l4
+#define a_5     %l5
+#define a_6     %l6
+#define a_7     %l7
+
+#define b_0     %i3
+#define b_1     %i4
+#define b_2     %i5
+#define b_3     %o5
+#define b_4     %g1
+#define b_5     %g2
+#define b_6     %g3
+#define b_7     %g4
+
+.align  32
+.global bn_mul_comba8
+/*
+ * void bn_mul_comba8(r,a,b)
+ * BN_ULONG *r,*a,*b;
+ */
+bn_mul_comba8:
+        save    %sp,FRAME_SIZE,%sp
+        ld      ap(0),a_0
+        ld      bp(0),b_0
+        umul    a_0,b_0,c_1     !=!mul_add_c(a[0],b[0],c1,c2,c3);
+        ld      bp(1),b_1
+        rd      %y,c_2
+        st      c_1,rp(0)       !r[0]=c1;
+
+        umul    a_0,b_1,t_1     !=!mul_add_c(a[0],b[1],c2,c3,c1);
+        ld      ap(1),a_1
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  %g0,t_2,c_3     !=
+        addx    %g0,%g0,c_1
+        ld      ap(2),a_2
+        umul    a_1,b_0,t_1     !mul_add_c(a[1],b[0],c2,c3,c1);
+        addcc   c_2,t_1,c_2     !=
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3
+        st      c_2,rp(1)       !r[1]=c2;
+        addx    c_1,%g0,c_1     !=
+
+        umul    a_2,b_0,t_1     !mul_add_c(a[2],b[0],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1     !=
+        addx    %g0,%g0,c_2
+        ld      bp(2),b_2
+        umul    a_1,b_1,t_1     !mul_add_c(a[1],b[1],c3,c1,c2);
+        addcc   c_3,t_1,c_3     !=
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        ld      bp(3),b_3
+        addx    c_2,%g0,c_2     !=
+        umul    a_0,b_2,t_1     !mul_add_c(a[0],b[2],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1     !=
+        addx    c_2,%g0,c_2
+        st      c_3,rp(2)       !r[2]=c3;
+
+        umul    a_0,b_3,t_1     !mul_add_c(a[0],b[3],c1,c2,c3);
+        addcc   c_1,t_1,c_1     !=
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    %g0,%g0,c_3
+        umul    a_1,b_2,t_1     !=!mul_add_c(a[1],b[2],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3     !=
+        ld      ap(3),a_3
+        umul    a_2,b_1,t_1     !mul_add_c(a[2],b[1],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2          !=
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3
+        ld      ap(4),a_4
+        umul    a_3,b_0,t_1     !mul_add_c(a[3],b[0],c1,c2,c3);!=
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3     !=
+        st      c_1,rp(3)       !r[3]=c1;
+
+        umul    a_4,b_0,t_1     !mul_add_c(a[4],b[0],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    %g0,%g0,c_1
+        umul    a_3,b_1,t_1     !mul_add_c(a[3],b[1],c2,c3,c1);
+        addcc   c_2,t_1,c_2     !=
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        umul    a_2,b_2,t_1     !=!mul_add_c(a[2],b[2],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1     !=
+        ld      bp(4),b_4
+        umul    a_1,b_3,t_1     !mul_add_c(a[1],b[3],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        ld      bp(5),b_5
+        umul    a_0,b_4,t_1     !=!mul_add_c(a[0],b[4],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1     !=
+        st      c_2,rp(4)       !r[4]=c2;
+
+        umul    a_0,b_5,t_1     !mul_add_c(a[0],b[5],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2          !=
+        addxcc  c_1,t_2,c_1
+        addx    %g0,%g0,c_2
+        umul    a_1,b_4,t_1     !mul_add_c(a[1],b[4],c3,c1,c2);
+        addcc   c_3,t_1,c_3     !=
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2
+        umul    a_2,b_3,t_1     !=!mul_add_c(a[2],b[3],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2     !=
+        umul    a_3,b_2,t_1     !mul_add_c(a[3],b[2],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1     !=
+        addx    c_2,%g0,c_2
+        ld      ap(5),a_5
+        umul    a_4,b_1,t_1     !mul_add_c(a[4],b[1],c3,c1,c2);
+        addcc   c_3,t_1,c_3     !=
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        ld      ap(6),a_6
+        addx    c_2,%g0,c_2     !=
+        umul    a_5,b_0,t_1     !mul_add_c(a[5],b[0],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1     !=
+        addx    c_2,%g0,c_2
+        st      c_3,rp(5)       !r[5]=c3;
+
+        umul    a_6,b_0,t_1     !mul_add_c(a[6],b[0],c1,c2,c3);
+        addcc   c_1,t_1,c_1     !=
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    %g0,%g0,c_3
+        umul    a_5,b_1,t_1     !=!mul_add_c(a[5],b[1],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3     !=
+        umul    a_4,b_2,t_1     !mul_add_c(a[4],b[2],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        addx    c_3,%g0,c_3
+        umul    a_3,b_3,t_1     !mul_add_c(a[3],b[3],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2          !=
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3
+        umul    a_2,b_4,t_1     !mul_add_c(a[2],b[4],c1,c2,c3);
+        addcc   c_1,t_1,c_1     !=
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        ld      bp(6),b_6
+        addx    c_3,%g0,c_3     !=
+        umul    a_1,b_5,t_1     !mul_add_c(a[1],b[5],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        addx    c_3,%g0,c_3
+        ld      bp(7),b_7
+        umul    a_0,b_6,t_1     !mul_add_c(a[0],b[6],c1,c2,c3);
+        addcc   c_1,t_1,c_1     !=
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        st      c_1,rp(6)       !r[6]=c1;
+        addx    c_3,%g0,c_3     !=
+
+        umul    a_0,b_7,t_1     !mul_add_c(a[0],b[7],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3     !=
+        addx    %g0,%g0,c_1
+        umul    a_1,b_6,t_1     !mul_add_c(a[1],b[6],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        umul    a_2,b_5,t_1     !mul_add_c(a[2],b[5],c2,c3,c1);
+        addcc   c_2,t_1,c_2     !=
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        umul    a_3,b_4,t_1     !=!mul_add_c(a[3],b[4],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1     !=
+        umul    a_4,b_3,t_1     !mul_add_c(a[4],b[3],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3     !=
+        addx    c_1,%g0,c_1
+        umul    a_5,b_2,t_1     !mul_add_c(a[5],b[2],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        ld      ap(7),a_7
+        umul    a_6,b_1,t_1     !=!mul_add_c(a[6],b[1],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1     !=
+        umul    a_7,b_0,t_1     !mul_add_c(a[7],b[0],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3     !=
+        addx    c_1,%g0,c_1
+        st      c_2,rp(7)       !r[7]=c2;
+
+        umul    a_7,b_1,t_1     !mul_add_c(a[7],b[1],c3,c1,c2);
+        addcc   c_3,t_1,c_3     !=
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        addx    %g0,%g0,c_2
+        umul    a_6,b_2,t_1     !=!mul_add_c(a[6],b[2],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2     !=
+        umul    a_5,b_3,t_1     !mul_add_c(a[5],b[3],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1     !=
+        addx    c_2,%g0,c_2
+        umul    a_4,b_4,t_1     !mul_add_c(a[4],b[4],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2          !=
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2
+        umul    a_3,b_5,t_1     !mul_add_c(a[3],b[5],c3,c1,c2);
+        addcc   c_3,t_1,c_3     !=
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2
+        umul    a_2,b_6,t_1     !=!mul_add_c(a[2],b[6],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2     !=
+        umul    a_1,b_7,t_1     !mul_add_c(a[1],b[7],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1     !
+        addx    c_2,%g0,c_2
+        st      c_3,rp(8)       !r[8]=c3;
+
+        umul    a_2,b_7,t_1     !mul_add_c(a[2],b[7],c1,c2,c3);
+        addcc   c_1,t_1,c_1     !=
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    %g0,%g0,c_3
+        umul    a_3,b_6,t_1     !=!mul_add_c(a[3],b[6],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3     !=
+        umul    a_4,b_5,t_1     !mul_add_c(a[4],b[5],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        addx    c_3,%g0,c_3
+        umul    a_5,b_4,t_1     !mul_add_c(a[5],b[4],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2          !=
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3
+        umul    a_6,b_3,t_1     !mul_add_c(a[6],b[3],c1,c2,c3);
+        addcc   c_1,t_1,c_1     !=
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3
+        umul    a_7,b_2,t_1     !=!mul_add_c(a[7],b[2],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3     !=
+        st      c_1,rp(9)       !r[9]=c1;
+
+        umul    a_7,b_3,t_1     !mul_add_c(a[7],b[3],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    %g0,%g0,c_1
+        umul    a_6,b_4,t_1     !mul_add_c(a[6],b[4],c2,c3,c1);
+        addcc   c_2,t_1,c_2     !=
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        umul    a_5,b_5,t_1     !=!mul_add_c(a[5],b[5],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1     !=
+        umul    a_4,b_6,t_1     !mul_add_c(a[4],b[6],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3     !=
+        addx    c_1,%g0,c_1
+        umul    a_3,b_7,t_1     !mul_add_c(a[3],b[7],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        st      c_2,rp(10)      !r[10]=c2;
+
+        umul    a_4,b_7,t_1     !=!mul_add_c(a[4],b[7],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        addx    %g0,%g0,c_2     !=
+        umul    a_5,b_6,t_1     !mul_add_c(a[5],b[6],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1     !=
+        addx    c_2,%g0,c_2
+        umul    a_6,b_5,t_1     !mul_add_c(a[6],b[5],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2          !=
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2
+        umul    a_7,b_4,t_1     !mul_add_c(a[7],b[4],c3,c1,c2);
+        addcc   c_3,t_1,c_3     !=
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        st      c_3,rp(11)      !r[11]=c3;
+        addx    c_2,%g0,c_2     !=
+
+        umul    a_7,b_5,t_1     !mul_add_c(a[7],b[5],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        addx    %g0,%g0,c_3
+        umul    a_6,b_6,t_1     !mul_add_c(a[6],b[6],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2          !=
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3
+        umul    a_5,b_7,t_1     !mul_add_c(a[5],b[7],c1,c2,c3);
+        addcc   c_1,t_1,c_1     !=
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        st      c_1,rp(12)      !r[12]=c1;
+        addx    c_3,%g0,c_3     !=
+
+        umul    a_6,b_7,t_1     !mul_add_c(a[6],b[7],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3     !=
+        addx    %g0,%g0,c_1
+        umul    a_7,b_6,t_1     !mul_add_c(a[7],b[6],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        st      c_2,rp(13)      !r[13]=c2;
+
+        umul    a_7,b_7,t_1     !=!mul_add_c(a[7],b[7],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        nop                     !=
+        st      c_3,rp(14)      !r[14]=c3;
+        st      c_1,rp(15)      !r[15]=c1;
+
+        ret
+        restore %g0,%g0,%o0
+
+.type   bn_mul_comba8,#function
+.size   bn_mul_comba8,(.-bn_mul_comba8)
+
+.align  32
+
+.global bn_mul_comba4
+/*
+ * void bn_mul_comba4(r,a,b)
+ * BN_ULONG *r,*a,*b;
+ */
+bn_mul_comba4:
+        save    %sp,FRAME_SIZE,%sp
+        ld      ap(0),a_0
+        ld      bp(0),b_0
+        umul    a_0,b_0,c_1     !=!mul_add_c(a[0],b[0],c1,c2,c3);
+        ld      bp(1),b_1
+        rd      %y,c_2
+        st      c_1,rp(0)       !r[0]=c1;
+
+        umul    a_0,b_1,t_1     !=!mul_add_c(a[0],b[1],c2,c3,c1);
+        ld      ap(1),a_1
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  %g0,t_2,c_3
+        addx    %g0,%g0,c_1
+        ld      ap(2),a_2
+        umul    a_1,b_0,t_1     !=!mul_add_c(a[1],b[0],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1     !=
+        st      c_2,rp(1)       !r[1]=c2;
+
+        umul    a_2,b_0,t_1     !mul_add_c(a[2],b[0],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2          !=
+        addxcc  c_1,t_2,c_1
+        addx    %g0,%g0,c_2
+        ld      bp(2),b_2
+        umul    a_1,b_1,t_1     !=!mul_add_c(a[1],b[1],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2     !=
+        ld      bp(3),b_3
+        umul    a_0,b_2,t_1     !mul_add_c(a[0],b[2],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2          !=
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2
+        st      c_3,rp(2)       !r[2]=c3;
+
+        umul    a_0,b_3,t_1     !=!mul_add_c(a[0],b[3],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    %g0,%g0,c_3     !=
+        umul    a_1,b_2,t_1     !mul_add_c(a[1],b[2],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        addx    c_3,%g0,c_3
+        ld      ap(3),a_3
+        umul    a_2,b_1,t_1     !mul_add_c(a[2],b[1],c1,c2,c3);
+        addcc   c_1,t_1,c_1     !=
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3
+        umul    a_3,b_0,t_1     !=!mul_add_c(a[3],b[0],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3     !=
+        st      c_1,rp(3)       !r[3]=c1;
+
+        umul    a_3,b_1,t_1     !mul_add_c(a[3],b[1],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    %g0,%g0,c_1
+        umul    a_2,b_2,t_1     !mul_add_c(a[2],b[2],c2,c3,c1);
+        addcc   c_2,t_1,c_2     !=
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        umul    a_1,b_3,t_1     !=!mul_add_c(a[1],b[3],c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1     !=
+        st      c_2,rp(4)       !r[4]=c2;
+
+        umul    a_2,b_3,t_1     !mul_add_c(a[2],b[3],c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2          !=
+        addxcc  c_1,t_2,c_1
+        addx    %g0,%g0,c_2
+        umul    a_3,b_2,t_1     !mul_add_c(a[3],b[2],c3,c1,c2);
+        addcc   c_3,t_1,c_3     !=
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        st      c_3,rp(5)       !r[5]=c3;
+        addx    c_2,%g0,c_2     !=
+
+        umul    a_3,b_3,t_1     !mul_add_c(a[3],b[3],c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        st      c_1,rp(6)       !r[6]=c1;
+        st      c_2,rp(7)       !r[7]=c2;
+        
+        ret
+        restore %g0,%g0,%o0
+
+.type   bn_mul_comba4,#function
+.size   bn_mul_comba4,(.-bn_mul_comba4)
+
+.align  32
+
+.global bn_sqr_comba8
+bn_sqr_comba8:
+        save    %sp,FRAME_SIZE,%sp
+        ld      ap(0),a_0
+        ld      ap(1),a_1
+        umul    a_0,a_0,c_1     !=!sqr_add_c(a,0,c1,c2,c3);
+        rd      %y,c_2
+        st      c_1,rp(0)       !r[0]=c1;
+
+        ld      ap(2),a_2
+        umul    a_0,a_1,t_1     !=!sqr_add_c2(a,1,0,c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  %g0,t_2,c_3
+        addx    %g0,%g0,c_1     !=
+        addcc   c_2,t_1,c_2
+        addxcc  c_3,t_2,c_3
+        st      c_2,rp(1)       !r[1]=c2;
+        addx    c_1,%g0,c_1     !=
+
+        umul    a_2,a_0,t_1     !sqr_add_c2(a,2,0,c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1     !=
+        addx    %g0,%g0,c_2
+        addcc   c_3,t_1,c_3
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2     !=
+        ld      ap(3),a_3
+        umul    a_1,a_1,t_1     !sqr_add_c(a,1,c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2          !=
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2
+        st      c_3,rp(2)       !r[2]=c3;
+
+        umul    a_0,a_3,t_1     !=!sqr_add_c2(a,3,0,c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    %g0,%g0,c_3     !=
+        addcc   c_1,t_1,c_1
+        addxcc  c_2,t_2,c_2
+        ld      ap(4),a_4
+        addx    c_3,%g0,c_3     !=
+        umul    a_1,a_2,t_1     !sqr_add_c2(a,2,1,c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        addx    c_3,%g0,c_3
+        addcc   c_1,t_1,c_1
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3     !=
+        st      c_1,rp(3)       !r[3]=c1;
+
+        umul    a_4,a_0,t_1     !sqr_add_c2(a,4,0,c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    %g0,%g0,c_1
+        addcc   c_2,t_1,c_2
+        addxcc  c_3,t_2,c_3     !=
+        addx    c_1,%g0,c_1
+        umul    a_3,a_1,t_1     !sqr_add_c2(a,3,1,c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        addcc   c_2,t_1,c_2
+        addxcc  c_3,t_2,c_3     !=
+        addx    c_1,%g0,c_1
+        ld      ap(5),a_5
+        umul    a_2,a_2,t_1     !sqr_add_c(a,2,c2,c3,c1);
+        addcc   c_2,t_1,c_2     !=
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3
+        st      c_2,rp(4)       !r[4]=c2;
+        addx    c_1,%g0,c_1     !=
+
+        umul    a_0,a_5,t_1     !sqr_add_c2(a,5,0,c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1     !=
+        addx    %g0,%g0,c_2
+        addcc   c_3,t_1,c_3
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2     !=
+        umul    a_1,a_4,t_1     !sqr_add_c2(a,4,1,c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1     !=
+        addx    c_2,%g0,c_2
+        addcc   c_3,t_1,c_3
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2     !=
+        ld      ap(6),a_6
+        umul    a_2,a_3,t_1     !sqr_add_c2(a,3,2,c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2          !=
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2
+        addcc   c_3,t_1,c_3
+        addxcc  c_1,t_2,c_1     !=
+        addx    c_2,%g0,c_2
+        st      c_3,rp(5)       !r[5]=c3;
+
+        umul    a_6,a_0,t_1     !sqr_add_c2(a,6,0,c1,c2,c3);
+        addcc   c_1,t_1,c_1     !=
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    %g0,%g0,c_3
+        addcc   c_1,t_1,c_1     !=
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3
+        umul    a_5,a_1,t_1     !sqr_add_c2(a,5,1,c1,c2,c3);
+        addcc   c_1,t_1,c_1     !=
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3
+        addcc   c_1,t_1,c_1     !=
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3
+        umul    a_4,a_2,t_1     !sqr_add_c2(a,4,2,c1,c2,c3);
+        addcc   c_1,t_1,c_1     !=
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3
+        addcc   c_1,t_1,c_1     !=
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3
+        ld      ap(7),a_7
+        umul    a_3,a_3,t_1     !=!sqr_add_c(a,3,c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3     !=
+        st      c_1,rp(6)       !r[6]=c1;
+
+        umul    a_0,a_7,t_1     !sqr_add_c2(a,7,0,c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    %g0,%g0,c_1
+        addcc   c_2,t_1,c_2
+        addxcc  c_3,t_2,c_3     !=
+        addx    c_1,%g0,c_1
+        umul    a_1,a_6,t_1     !sqr_add_c2(a,6,1,c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        addcc   c_2,t_1,c_2
+        addxcc  c_3,t_2,c_3     !=
+        addx    c_1,%g0,c_1
+        umul    a_2,a_5,t_1     !sqr_add_c2(a,5,2,c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        addcc   c_2,t_1,c_2
+        addxcc  c_3,t_2,c_3     !=
+        addx    c_1,%g0,c_1
+        umul    a_3,a_4,t_1     !sqr_add_c2(a,4,3,c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        addcc   c_2,t_1,c_2
+        addxcc  c_3,t_2,c_3     !=
+        addx    c_1,%g0,c_1
+        st      c_2,rp(7)       !r[7]=c2;
+
+        umul    a_7,a_1,t_1     !sqr_add_c2(a,7,1,c3,c1,c2);
+        addcc   c_3,t_1,c_3     !=
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        addx    %g0,%g0,c_2
+        addcc   c_3,t_1,c_3     !=
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2
+        umul    a_6,a_2,t_1     !sqr_add_c2(a,6,2,c3,c1,c2);
+        addcc   c_3,t_1,c_3     !=
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2
+        addcc   c_3,t_1,c_3     !=
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2
+        umul    a_5,a_3,t_1     !sqr_add_c2(a,5,3,c3,c1,c2);
+        addcc   c_3,t_1,c_3     !=
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2
+        addcc   c_3,t_1,c_3     !=
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2
+        umul    a_4,a_4,t_1     !sqr_add_c(a,4,c3,c1,c2);
+        addcc   c_3,t_1,c_3     !=
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        st      c_3,rp(8)       !r[8]=c3;
+        addx    c_2,%g0,c_2     !=
+
+        umul    a_2,a_7,t_1     !sqr_add_c2(a,7,2,c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        addx    %g0,%g0,c_3
+        addcc   c_1,t_1,c_1
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3     !=
+        umul    a_3,a_6,t_1     !sqr_add_c2(a,6,3,c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        addx    c_3,%g0,c_3
+        addcc   c_1,t_1,c_1
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3     !=
+        umul    a_4,a_5,t_1     !sqr_add_c2(a,5,4,c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        addx    c_3,%g0,c_3
+        addcc   c_1,t_1,c_1
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3     !=
+        st      c_1,rp(9)       !r[9]=c1;
+
+        umul    a_7,a_3,t_1     !sqr_add_c2(a,7,3,c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    %g0,%g0,c_1
+        addcc   c_2,t_1,c_2
+        addxcc  c_3,t_2,c_3     !=
+        addx    c_1,%g0,c_1
+        umul    a_6,a_4,t_1     !sqr_add_c2(a,6,4,c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        addcc   c_2,t_1,c_2
+        addxcc  c_3,t_2,c_3     !=
+        addx    c_1,%g0,c_1
+        umul    a_5,a_5,t_1     !sqr_add_c(a,5,c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        st      c_2,rp(10)      !r[10]=c2;
+
+        umul    a_4,a_7,t_1     !=!sqr_add_c2(a,7,4,c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        addx    %g0,%g0,c_2     !=
+        addcc   c_3,t_1,c_3
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2
+        umul    a_5,a_6,t_1     !=!sqr_add_c2(a,6,5,c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        addx    c_2,%g0,c_2     !=
+        addcc   c_3,t_1,c_3
+        addxcc  c_1,t_2,c_1
+        st      c_3,rp(11)      !r[11]=c3;
+        addx    c_2,%g0,c_2     !=
+
+        umul    a_7,a_5,t_1     !sqr_add_c2(a,7,5,c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        addx    %g0,%g0,c_3
+        addcc   c_1,t_1,c_1
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3     !=
+        umul    a_6,a_6,t_1     !sqr_add_c(a,6,c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        addx    c_3,%g0,c_3
+        st      c_1,rp(12)      !r[12]=c1;
+
+        umul    a_6,a_7,t_1     !sqr_add_c2(a,7,6,c2,c3,c1);
+        addcc   c_2,t_1,c_2     !=
+        rd      %y,t_2
+        addxcc  c_3,t_2,c_3
+        addx    %g0,%g0,c_1
+        addcc   c_2,t_1,c_2     !=
+        addxcc  c_3,t_2,c_3
+        st      c_2,rp(13)      !r[13]=c2;
+        addx    c_1,%g0,c_1     !=
+
+        umul    a_7,a_7,t_1     !sqr_add_c(a,7,c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1     !=
+        st      c_3,rp(14)      !r[14]=c3;
+        st      c_1,rp(15)      !r[15]=c1;
+
+        ret
+        restore %g0,%g0,%o0
+
+.type   bn_sqr_comba8,#function
+.size   bn_sqr_comba8,(.-bn_sqr_comba8)
+
+.align  32
+
+.global bn_sqr_comba4
+/*
+ * void bn_sqr_comba4(r,a)
+ * BN_ULONG *r,*a;
+ */
+bn_sqr_comba4:
+        save    %sp,FRAME_SIZE,%sp
+        ld      ap(0),a_0
+        umul    a_0,a_0,c_1     !sqr_add_c(a,0,c1,c2,c3);
+        ld      ap(1),a_1       !=
+        rd      %y,c_2
+        st      c_1,rp(0)       !r[0]=c1;
+
+        ld      ap(2),a_2
+        umul    a_0,a_1,t_1     !=!sqr_add_c2(a,1,0,c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2
+        addxcc  %g0,t_2,c_3
+        addx    %g0,%g0,c_1     !=
+        addcc   c_2,t_1,c_2
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1     !=
+        st      c_2,rp(1)       !r[1]=c2;
+
+        umul    a_2,a_0,t_1     !sqr_add_c2(a,2,0,c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2          !=
+        addxcc  c_1,t_2,c_1
+        addx    %g0,%g0,c_2
+        addcc   c_3,t_1,c_3
+        addxcc  c_1,t_2,c_1     !=
+        addx    c_2,%g0,c_2
+        ld      ap(3),a_3
+        umul    a_1,a_1,t_1     !sqr_add_c(a,1,c3,c1,c2);
+        addcc   c_3,t_1,c_3     !=
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        st      c_3,rp(2)       !r[2]=c3;
+        addx    c_2,%g0,c_2     !=
+
+        umul    a_0,a_3,t_1     !sqr_add_c2(a,3,0,c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        addx    %g0,%g0,c_3
+        addcc   c_1,t_1,c_1
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3     !=
+        umul    a_1,a_2,t_1     !sqr_add_c2(a,2,1,c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        addx    c_3,%g0,c_3
+        addcc   c_1,t_1,c_1
+        addxcc  c_2,t_2,c_2
+        addx    c_3,%g0,c_3     !=
+        st      c_1,rp(3)       !r[3]=c1;
+
+        umul    a_3,a_1,t_1     !sqr_add_c2(a,3,1,c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    %g0,%g0,c_1
+        addcc   c_2,t_1,c_2
+        addxcc  c_3,t_2,c_3     !=
+        addx    c_1,%g0,c_1
+        umul    a_2,a_2,t_1     !sqr_add_c(a,2,c2,c3,c1);
+        addcc   c_2,t_1,c_2
+        rd      %y,t_2          !=
+        addxcc  c_3,t_2,c_3
+        addx    c_1,%g0,c_1
+        st      c_2,rp(4)       !r[4]=c2;
+
+        umul    a_2,a_3,t_1     !=!sqr_add_c2(a,3,2,c3,c1,c2);
+        addcc   c_3,t_1,c_3
+        rd      %y,t_2
+        addxcc  c_1,t_2,c_1
+        addx    %g0,%g0,c_2     !=
+        addcc   c_3,t_1,c_3
+        addxcc  c_1,t_2,c_1
+        st      c_3,rp(5)       !r[5]=c3;
+        addx    c_2,%g0,c_2     !=
+
+        umul    a_3,a_3,t_1     !sqr_add_c(a,3,c1,c2,c3);
+        addcc   c_1,t_1,c_1
+        rd      %y,t_2
+        addxcc  c_2,t_2,c_2     !=
+        st      c_1,rp(6)       !r[6]=c1;
+        st      c_2,rp(7)       !r[7]=c2;
+        
+        ret
+        restore %g0,%g0,%o0
+
+.type   bn_sqr_comba4,#function
+.size   bn_sqr_comba4,(.-bn_sqr_comba4)
+
+.align  32
diff --git a/src/lib/libssl/src/crypto/bn/asm/sparcv8plus.S b/src/lib/libssl/src/crypto/bn/asm/sparcv8plus.S
new file mode 100644
index 0000000000..0074dfdb75
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/sparcv8plus.S
@@ -0,0 +1,1535 @@
+.ident  "sparcv8plus.s, Version 1.4"
+.ident  "SPARC v9 ISA artwork by Andy Polyakov <appro@fy.chalmers.se>"
+
+/*
+ * ====================================================================
+ * Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+ * project.
+ *
+ * Rights for redistribution and usage in source and binary forms are
+ * granted according to the OpenSSL license. Warranty of any kind is
+ * disclaimed.
+ * ====================================================================
+ */
+
+/*
+ * This is my modest contributon to OpenSSL project (see
+ * http://www.openssl.org/ for more information about it) and is
+ * a drop-in UltraSPARC ISA replacement for crypto/bn/bn_asm.c
+ * module. For updates see http://fy.chalmers.se/~appro/hpe/.
+ *
+ * Questions-n-answers.
+ *
+ * Q. How to compile?
+ * A. With SC4.x/SC5.x:
+ *
+ *      cc -xarch=v8plus -c bn_asm.sparc.v8plus.S -o bn_asm.o
+ *
+ *    and with gcc:
+ *
+ *      gcc -mcpu=ultrasparc -c bn_asm.sparc.v8plus.S -o bn_asm.o
+ *
+ *    or if above fails (it does if you have gas installed):
+ *
+ *      gcc -E bn_asm.sparc.v8plus.S | as -xarch=v8plus /dev/fd/0 -o bn_asm.o
+ *
+ *    Quick-n-dirty way to fuse the module into the library.
+ *    Provided that the library is already configured and built
+ *    (in 0.9.2 case with no-asm option):
+ *
+ *      # cd crypto/bn
+ *      # cp /some/place/bn_asm.sparc.v8plus.S .
+ *      # cc -xarch=v8plus -c bn_asm.sparc.v8plus.S -o bn_asm.o
+ *      # make
+ *      # cd ../..
+ *      # make; make test
+ *
+ *    Quick-n-dirty way to get rid of it:
+ *
+ *      # cd crypto/bn
+ *      # touch bn_asm.c
+ *      # make
+ *      # cd ../..
+ *      # make; make test
+ *
+ * Q. V8plus achitecture? What kind of beast is that?
+ * A. Well, it's rather a programming model than an architecture...
+ *    It's actually v9-compliant, i.e. *any* UltraSPARC, CPU under
+ *    special conditions, namely when kernel doesn't preserve upper
+ *    32 bits of otherwise 64-bit registers during a context switch.
+ *
+ * Q. Why just UltraSPARC? What about SuperSPARC?
+ * A. Original release did target UltraSPARC only. Now SuperSPARC
+ *    version is provided along. Both version share bn_*comba[48]
+ *    implementations (see comment later in code for explanation).
+ *    But what's so special about this UltraSPARC implementation?
+ *    Why didn't I let compiler do the job? Trouble is that most of
+ *    available compilers (well, SC5.0 is the only exception) don't
+ *    attempt to take advantage of UltraSPARC's 64-bitness under
+ *    32-bit kernels even though it's perfectly possible (see next
+ *    question).
+ *
+ * Q. 64-bit registers under 32-bit kernels? Didn't you just say it
+ *    doesn't work?
+ * A. You can't adress *all* registers as 64-bit wide:-( The catch is
+ *    that you actually may rely upon %o0-%o5 and %g1-%g4 being fully
+ *    preserved if you're in a leaf function, i.e. such never calling
+ *    any other functions. All functions in this module are leaf and
+ *    10 registers is a handful. And as a matter of fact none-"comba"
+ *    routines don't require even that much and I could even afford to
+ *    not allocate own stack frame for 'em:-)
+ *
+ * Q. What about 64-bit kernels?
+ * A. What about 'em? Just kidding:-) Pure 64-bit version is currently
+ *    under evaluation and development...
+ *
+ * Q. What about shared libraries?
+ * A. What about 'em? Kidding again:-) Code does *not* contain any
+ *    code position dependencies and it's safe to include it into
+ *    shared library as is.
+ *
+ * Q. How much faster does it go?
+ * A. Do you have a good benchmark? In either case below is what I
+ *    experience with crypto/bn/expspeed.c test program:
+ *
+ *      v8plus module on U10/300MHz against bn_asm.c compiled with:
+ *
+ *      cc-5.0 -xarch=v8plus -xO5 -xdepend      +7-12%
+ *      cc-4.2 -xarch=v8plus -xO5 -xdepend      +25-35%
+ *      egcs-1.1.2 -mcpu=ultrasparc -O3         +35-45%
+ *
+ *      v8 module on SS10/60MHz against bn_asm.c compiled with:
+ *
+ *      cc-5.0 -xarch=v8 -xO5 -xdepend          +7-10%
+ *      cc-4.2 -xarch=v8 -xO5 -xdepend          +10%
+ *      egcs-1.1.2 -mv8 -O3                     +35-45%
+ *
+ *    As you can see it's damn hard to beat the new Sun C compiler
+ *    and it's in first place GNU C users who will appreciate this
+ *    assembler implementation:-)       
+ */
+
+/*
+ * Revision history.
+ *
+ * 1.0  - initial release;
+ * 1.1  - new loop unrolling model(*);
+ *      - some more fine tuning;
+ * 1.2  - made gas friendly;
+ *      - updates to documentation concerning v9;
+ *      - new performance comparison matrix;
+ * 1.3  - fixed problem with /usr/ccs/lib/cpp;
+ * 1.4  - native V9 bn_*_comba[48] implementation (15% more efficient)
+ *        resulting in slight overall performance kick;
+ *      - some retunes;
+ *      - support for GNU as added;
+ *
+ * (*)  Originally unrolled loop looked like this:
+ *          for (;;) {
+ *              op(p+0); if (--n==0) break;
+ *              op(p+1); if (--n==0) break;
+ *              op(p+2); if (--n==0) break;
+ *              op(p+3); if (--n==0) break;
+ *              p+=4;
+ *          }
+ *      I unroll according to following:
+ *          while (n&~3) {
+ *              op(p+0); op(p+1); op(p+2); op(p+3);
+ *              p+=4; n=-4;
+ *          }
+ *          if (n) {
+ *              op(p+0); if (--n==0) return;
+ *              op(p+2); if (--n==0) return;
+ *              op(p+3); return;
+ *          }
+ */
+
+/*
+ * GNU assembler can't stand stuw:-(
+ */
+#define stuw st
+
+.section        ".text",#alloc,#execinstr
+.file           "bn_asm.sparc.v8plus.S"
+
+.align  32
+
+.global bn_mul_add_words
+/*
+ * BN_ULONG bn_mul_add_words(rp,ap,num,w)
+ * BN_ULONG *rp,*ap;
+ * int num;
+ * BN_ULONG w;
+ */
+bn_mul_add_words:
+        brgz,a  %o2,.L_bn_mul_add_words_proceed
+        lduw    [%o1],%g2
+        retl
+        clr     %o0
+
+.L_bn_mul_add_words_proceed:
+        srl     %o3,%g0,%o3     ! clruw %o3
+        andcc   %o2,-4,%g0
+        bz,pn   %icc,.L_bn_mul_add_words_tail
+        clr     %o5
+
+.L_bn_mul_add_words_loop:       ! wow! 32 aligned!
+        lduw    [%o0],%g1
+        lduw    [%o1+4],%g3
+        mulx    %o3,%g2,%g2
+        add     %g1,%o5,%o4
+        nop
+        add     %o4,%g2,%o4
+        stuw    %o4,[%o0]
+        srlx    %o4,32,%o5
+
+        lduw    [%o0+4],%g1
+        lduw    [%o1+8],%g2
+        mulx    %o3,%g3,%g3
+        add     %g1,%o5,%o4
+        dec     4,%o2
+        add     %o4,%g3,%o4
+        stuw    %o4,[%o0+4]
+        srlx    %o4,32,%o5
+
+        lduw    [%o0+8],%g1
+        lduw    [%o1+12],%g3
+        mulx    %o3,%g2,%g2
+        add     %g1,%o5,%o4
+        inc     16,%o1
+        add     %o4,%g2,%o4
+        stuw    %o4,[%o0+8]
+        srlx    %o4,32,%o5
+
+        lduw    [%o0+12],%g1
+        mulx    %o3,%g3,%g3
+        add     %g1,%o5,%o4
+        inc     16,%o0
+        add     %o4,%g3,%o4
+        andcc   %o2,-4,%g0
+        stuw    %o4,[%o0-4]
+        srlx    %o4,32,%o5
+        bnz,a,pt        %icc,.L_bn_mul_add_words_loop
+        lduw    [%o1],%g2
+
+        brnz,a,pn       %o2,.L_bn_mul_add_words_tail
+        lduw    [%o1],%g2
+.L_bn_mul_add_words_return:
+        retl
+        mov     %o5,%o0
+
+.L_bn_mul_add_words_tail:
+        lduw    [%o0],%g1
+        mulx    %o3,%g2,%g2
+        add     %g1,%o5,%o4
+        dec     %o2
+        add     %o4,%g2,%o4
+        srlx    %o4,32,%o5
+        brz,pt  %o2,.L_bn_mul_add_words_return
+        stuw    %o4,[%o0]
+
+        lduw    [%o1+4],%g2
+        lduw    [%o0+4],%g1
+        mulx    %o3,%g2,%g2
+        add     %g1,%o5,%o4
+        dec     %o2
+        add     %o4,%g2,%o4
+        srlx    %o4,32,%o5
+        brz,pt  %o2,.L_bn_mul_add_words_return
+        stuw    %o4,[%o0+4]
+
+        lduw    [%o1+8],%g2
+        lduw    [%o0+8],%g1
+        mulx    %o3,%g2,%g2
+        add     %g1,%o5,%o4
+        add     %o4,%g2,%o4
+        stuw    %o4,[%o0+8]
+        retl
+        srlx    %o4,32,%o0
+
+.type   bn_mul_add_words,#function
+.size   bn_mul_add_words,(.-bn_mul_add_words)
+
+.align  32
+
+.global bn_mul_words
+/*
+ * BN_ULONG bn_mul_words(rp,ap,num,w)
+ * BN_ULONG *rp,*ap;
+ * int num;
+ * BN_ULONG w;
+ */
+bn_mul_words:
+        brgz,a  %o2,.L_bn_mul_words_proceeed
+        lduw    [%o1],%g2
+        retl
+        clr     %o0
+
+.L_bn_mul_words_proceeed:
+        srl     %o3,%g0,%o3     ! clruw %o3
+        andcc   %o2,-4,%g0
+        bz,pn   %icc,.L_bn_mul_words_tail
+        clr     %o5
+
+.L_bn_mul_words_loop:           ! wow! 32 aligned!
+        lduw    [%o1+4],%g3
+        mulx    %o3,%g2,%g2
+        add     %g2,%o5,%o4
+        nop
+        stuw    %o4,[%o0]
+        srlx    %o4,32,%o5
+
+        lduw    [%o1+8],%g2
+        mulx    %o3,%g3,%g3
+        add     %g3,%o5,%o4
+        dec     4,%o2
+        stuw    %o4,[%o0+4]
+        srlx    %o4,32,%o5
+
+        lduw    [%o1+12],%g3
+        mulx    %o3,%g2,%g2
+        add     %g2,%o5,%o4
+        inc     16,%o1
+        stuw    %o4,[%o0+8]
+        srlx    %o4,32,%o5
+
+        mulx    %o3,%g3,%g3
+        add     %g3,%o5,%o4
+        inc     16,%o0
+        stuw    %o4,[%o0-4]
+        srlx    %o4,32,%o5
+        andcc   %o2,-4,%g0
+        bnz,a,pt        %icc,.L_bn_mul_words_loop
+        lduw    [%o1],%g2
+        nop
+        nop
+
+        brnz,a,pn       %o2,.L_bn_mul_words_tail
+        lduw    [%o1],%g2
+.L_bn_mul_words_return:
+        retl
+        mov     %o5,%o0
+
+.L_bn_mul_words_tail:
+        mulx    %o3,%g2,%g2
+        add     %g2,%o5,%o4
+        dec     %o2
+        srlx    %o4,32,%o5
+        brz,pt  %o2,.L_bn_mul_words_return
+        stuw    %o4,[%o0]
+
+        lduw    [%o1+4],%g2
+        mulx    %o3,%g2,%g2
+        add     %g2,%o5,%o4
+        dec     %o2
+        srlx    %o4,32,%o5
+        brz,pt  %o2,.L_bn_mul_words_return
+        stuw    %o4,[%o0+4]
+
+        lduw    [%o1+8],%g2
+        mulx    %o3,%g2,%g2
+        add     %g2,%o5,%o4
+        stuw    %o4,[%o0+8]
+        retl
+        srlx    %o4,32,%o0
+
+.type   bn_mul_words,#function
+.size   bn_mul_words,(.-bn_mul_words)
+
+.align  32
+.global bn_sqr_words
+/*
+ * void bn_sqr_words(r,a,n)
+ * BN_ULONG *r,*a;
+ * int n;
+ */
+bn_sqr_words:
+        brgz,a  %o2,.L_bn_sqr_words_proceeed
+        lduw    [%o1],%g2
+        retl
+        clr     %o0
+
+.L_bn_sqr_words_proceeed:
+        andcc   %o2,-4,%g0
+        nop
+        bz,pn   %icc,.L_bn_sqr_words_tail
+        nop
+
+.L_bn_sqr_words_loop:           ! wow! 32 aligned!
+        lduw    [%o1+4],%g3
+        mulx    %g2,%g2,%o4
+        stuw    %o4,[%o0]
+        srlx    %o4,32,%o5
+        stuw    %o5,[%o0+4]
+        nop
+
+        lduw    [%o1+8],%g2
+        mulx    %g3,%g3,%o4
+        dec     4,%o2
+        stuw    %o4,[%o0+8]
+        srlx    %o4,32,%o5
+        stuw    %o5,[%o0+12]
+
+        lduw    [%o1+12],%g3
+        mulx    %g2,%g2,%o4
+        srlx    %o4,32,%o5
+        stuw    %o4,[%o0+16]
+        inc     16,%o1
+        stuw    %o5,[%o0+20]
+
+        mulx    %g3,%g3,%o4
+        inc     32,%o0
+        stuw    %o4,[%o0-8]
+        srlx    %o4,32,%o5
+        andcc   %o2,-4,%g2
+        stuw    %o5,[%o0-4]
+        bnz,a,pt        %icc,.L_bn_sqr_words_loop
+        lduw    [%o1],%g2
+        nop
+
+        brnz,a,pn       %o2,.L_bn_sqr_words_tail
+        lduw    [%o1],%g2
+.L_bn_sqr_words_return:
+        retl
+        clr     %o0
+
+.L_bn_sqr_words_tail:
+        mulx    %g2,%g2,%o4
+        dec     %o2
+        stuw    %o4,[%o0]
+        srlx    %o4,32,%o5
+        brz,pt  %o2,.L_bn_sqr_words_return
+        stuw    %o5,[%o0+4]
+
+        lduw    [%o1+4],%g2
+        mulx    %g2,%g2,%o4
+        dec     %o2
+        stuw    %o4,[%o0+8]
+        srlx    %o4,32,%o5
+        brz,pt  %o2,.L_bn_sqr_words_return
+        stuw    %o5,[%o0+12]
+
+        lduw    [%o1+8],%g2
+        mulx    %g2,%g2,%o4
+        srlx    %o4,32,%o5
+        stuw    %o4,[%o0+16]
+        stuw    %o5,[%o0+20]
+        retl
+        clr     %o0
+
+.type   bn_sqr_words,#function
+.size   bn_sqr_words,(.-bn_sqr_words)
+
+.align  32
+.global bn_div_words
+/*
+ * BN_ULONG bn_div_words(h,l,d)
+ * BN_ULONG h,l,d;
+ */
+bn_div_words:
+        sllx    %o0,32,%o0
+        or      %o0,%o1,%o0
+        udivx   %o0,%o2,%o0
+        retl
+        srl     %o0,%g0,%o0     ! clruw %o0
+
+.type   bn_div_words,#function
+.size   bn_div_words,(.-bn_div_words)
+
+.align  32
+
+.global bn_add_words
+/*
+ * BN_ULONG bn_add_words(rp,ap,bp,n)
+ * BN_ULONG *rp,*ap,*bp;
+ * int n;
+ */
+bn_add_words:
+        brgz,a  %o3,.L_bn_add_words_proceed
+        lduw    [%o1],%o4
+        retl
+        clr     %o0
+
+.L_bn_add_words_proceed:
+        andcc   %o3,-4,%g0
+        bz,pn   %icc,.L_bn_add_words_tail
+        addcc   %g0,0,%g0       ! clear carry flag
+        nop
+
+.L_bn_add_words_loop:           ! wow! 32 aligned!
+        dec     4,%o3
+        lduw    [%o2],%o5
+        lduw    [%o1+4],%g1
+        lduw    [%o2+4],%g2
+        lduw    [%o1+8],%g3
+        lduw    [%o2+8],%g4
+        addccc  %o5,%o4,%o5
+        stuw    %o5,[%o0]
+
+        lduw    [%o1+12],%o4
+        lduw    [%o2+12],%o5
+        inc     16,%o1
+        addccc  %g1,%g2,%g1
+        stuw    %g1,[%o0+4]
+        
+        inc     16,%o2
+        addccc  %g3,%g4,%g3
+        stuw    %g3,[%o0+8]
+
+        inc     16,%o0
+        addccc  %o5,%o4,%o5
+        stuw    %o5,[%o0-4]
+        and     %o3,-4,%g1
+        brnz,a,pt       %g1,.L_bn_add_words_loop
+        lduw    [%o1],%o4
+
+        brnz,a,pn       %o3,.L_bn_add_words_tail
+        lduw    [%o1],%o4
+.L_bn_add_words_return:
+        clr     %o0
+        retl
+        movcs   %icc,1,%o0
+        nop
+
+.L_bn_add_words_tail:
+        lduw    [%o2],%o5
+        dec     %o3
+        addccc  %o5,%o4,%o5
+        brz,pt  %o3,.L_bn_add_words_return
+        stuw    %o5,[%o0]
+
+        lduw    [%o1+4],%o4
+        lduw    [%o2+4],%o5
+        dec     %o3
+        addccc  %o5,%o4,%o5
+        brz,pt  %o3,.L_bn_add_words_return
+        stuw    %o5,[%o0+4]
+
+        lduw    [%o1+8],%o4
+        lduw    [%o2+8],%o5
+        addccc  %o5,%o4,%o5
+        stuw    %o5,[%o0+8]
+        clr     %o0
+        retl
+        movcs   %icc,1,%o0
+
+.type   bn_add_words,#function
+.size   bn_add_words,(.-bn_add_words)
+
+.global bn_sub_words
+/*
+ * BN_ULONG bn_sub_words(rp,ap,bp,n)
+ * BN_ULONG *rp,*ap,*bp;
+ * int n;
+ */
+bn_sub_words:
+        brgz,a  %o3,.L_bn_sub_words_proceed
+        lduw    [%o1],%o4
+        retl
+        clr     %o0
+
+.L_bn_sub_words_proceed:
+        andcc   %o3,-4,%g0
+        bz,pn   %icc,.L_bn_sub_words_tail
+        addcc   %g0,0,%g0       ! clear carry flag
+        nop
+
+.L_bn_sub_words_loop:           ! wow! 32 aligned!
+        dec     4,%o3
+        lduw    [%o2],%o5
+        lduw    [%o1+4],%g1
+        lduw    [%o2+4],%g2
+        lduw    [%o1+8],%g3
+        lduw    [%o2+8],%g4
+        subccc  %o4,%o5,%o5
+        stuw    %o5,[%o0]
+
+        lduw    [%o1+12],%o4
+        lduw    [%o2+12],%o5
+        inc     16,%o1
+        subccc  %g1,%g2,%g2
+        stuw    %g2,[%o0+4]
+
+        inc     16,%o2
+        subccc  %g3,%g4,%g4
+        stuw    %g4,[%o0+8]
+
+        inc     16,%o0
+        subccc  %o4,%o5,%o5
+        stuw    %o5,[%o0-4]
+        and     %o3,-4,%g1
+        brnz,a,pt       %g1,.L_bn_sub_words_loop
+        lduw    [%o1],%o4
+
+        brnz,a,pn       %o3,.L_bn_sub_words_tail
+        lduw    [%o1],%o4
+.L_bn_sub_words_return:
+        clr     %o0
+        retl
+        movcs   %icc,1,%o0
+        nop
+
+.L_bn_sub_words_tail:           ! wow! 32 aligned!
+        lduw    [%o2],%o5
+        dec     %o3
+        subccc  %o4,%o5,%o5
+        brz,pt  %o3,.L_bn_sub_words_return
+        stuw    %o5,[%o0]
+
+        lduw    [%o1+4],%o4
+        lduw    [%o2+4],%o5
+        dec     %o3
+        subccc  %o4,%o5,%o5
+        brz,pt  %o3,.L_bn_sub_words_return
+        stuw    %o5,[%o0+4]
+
+        lduw    [%o1+8],%o4
+        lduw    [%o2+8],%o5
+        subccc  %o4,%o5,%o5
+        stuw    %o5,[%o0+8]
+        clr     %o0
+        retl
+        movcs   %icc,1,%o0
+
+.type   bn_sub_words,#function
+.size   bn_sub_words,(.-bn_sub_words)
+
+/*
+ * Code below depends on the fact that upper parts of the %l0-%l7
+ * and %i0-%i7 are zeroed by kernel after context switch. In
+ * previous versions this comment stated that "the trouble is that
+ * it's not feasible to implement the mumbo-jumbo in less V9
+ * instructions:-(" which apparently isn't true thanks to
+ * 'bcs,a %xcc,.+8; inc %rd' pair. But the performance improvement
+ * results not from the shorter code, but from elimination of
+ * multicycle none-pairable 'rd %y,%rd' instructions.
+ *
+ *                                                      Andy.
+ */
+
+#define FRAME_SIZE      -96
+
+/*
+ * Here is register usage map for *all* routines below.
+ */
+#define t_1     %o0
+#define t_2     %o1
+#define c_12    %o2
+#define c_3     %o3
+
+#define ap(I)   [%i1+4*I]
+#define bp(I)   [%i2+4*I]
+#define rp(I)   [%i0+4*I]
+
+#define a_0     %l0
+#define a_1     %l1
+#define a_2     %l2
+#define a_3     %l3
+#define a_4     %l4
+#define a_5     %l5
+#define a_6     %l6
+#define a_7     %l7
+
+#define b_0     %i3
+#define b_1     %i4
+#define b_2     %i5
+#define b_3     %o4
+#define b_4     %o5
+#define b_5     %o7
+#define b_6     %g1
+#define b_7     %g4
+
+.align  32
+.global bn_mul_comba8
+/*
+ * void bn_mul_comba8(r,a,b)
+ * BN_ULONG *r,*a,*b;
+ */
+bn_mul_comba8:
+        save    %sp,FRAME_SIZE,%sp
+        mov     1,t_2
+        lduw    ap(0),a_0
+        sllx    t_2,32,t_2
+        lduw    bp(0),b_0       !=
+        lduw    bp(1),b_1
+        mulx    a_0,b_0,t_1     !mul_add_c(a[0],b[0],c1,c2,c3);
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(0)       !=!r[0]=c1;
+
+        lduw    ap(1),a_1
+        mulx    a_0,b_1,t_1     !mul_add_c(a[0],b[1],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        clr     c_3             !=
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        lduw    ap(2),a_2
+        mulx    a_1,b_0,t_1     !=!mul_add_c(a[1],b[0],c2,c3,c1);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12     !=
+        stuw    t_1,rp(1)       !r[1]=c2;
+        or      c_12,c_3,c_12
+
+        mulx    a_2,b_0,t_1     !mul_add_c(a[2],b[0],c3,c1,c2);
+        addcc   c_12,t_1,c_12   !=
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        lduw    bp(2),b_2       !=
+        mulx    a_1,b_1,t_1     !mul_add_c(a[1],b[1],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3     !=
+        lduw    bp(3),b_3
+        mulx    a_0,b_2,t_1     !mul_add_c(a[0],b[2],c3,c1,c2);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(2)       !r[2]=c3;
+        or      c_12,c_3,c_12   !=
+
+        mulx    a_0,b_3,t_1     !mul_add_c(a[0],b[3],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_1,b_2,t_1     !=!mul_add_c(a[1],b[2],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        lduw    ap(3),a_3
+        mulx    a_2,b_1,t_1     !mul_add_c(a[2],b[1],c1,c2,c3);
+        addcc   c_12,t_1,c_12   !=
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        lduw    ap(4),a_4
+        mulx    a_3,b_0,t_1     !=!mul_add_c(a[3],b[0],c1,c2,c3);!=
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12     !=
+        stuw    t_1,rp(3)       !r[3]=c1;
+        or      c_12,c_3,c_12
+
+        mulx    a_4,b_0,t_1     !mul_add_c(a[4],b[0],c2,c3,c1);
+        addcc   c_12,t_1,c_12   !=
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_3,b_1,t_1     !=!mul_add_c(a[3],b[1],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_2,b_2,t_1     !=!mul_add_c(a[2],b[2],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        lduw    bp(4),b_4       !=
+        mulx    a_1,b_3,t_1     !mul_add_c(a[1],b[3],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3     !=
+        lduw    bp(5),b_5
+        mulx    a_0,b_4,t_1     !mul_add_c(a[0],b[4],c2,c3,c1);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(4)       !r[4]=c2;
+        or      c_12,c_3,c_12   !=
+
+        mulx    a_0,b_5,t_1     !mul_add_c(a[0],b[5],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_1,b_4,t_1     !mul_add_c(a[1],b[4],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_2,b_3,t_1     !mul_add_c(a[2],b[3],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_3,b_2,t_1     !mul_add_c(a[3],b[2],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        lduw    ap(5),a_5
+        mulx    a_4,b_1,t_1     !mul_add_c(a[4],b[1],c3,c1,c2);
+        addcc   c_12,t_1,c_12   !=
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        lduw    ap(6),a_6
+        mulx    a_5,b_0,t_1     !=!mul_add_c(a[5],b[0],c3,c1,c2);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12     !=
+        stuw    t_1,rp(5)       !r[5]=c3;
+        or      c_12,c_3,c_12
+
+        mulx    a_6,b_0,t_1     !mul_add_c(a[6],b[0],c1,c2,c3);
+        addcc   c_12,t_1,c_12   !=
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_5,b_1,t_1     !=!mul_add_c(a[5],b[1],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_4,b_2,t_1     !=!mul_add_c(a[4],b[2],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_3,b_3,t_1     !=!mul_add_c(a[3],b[3],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_2,b_4,t_1     !=!mul_add_c(a[2],b[4],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        lduw    bp(6),b_6       !=
+        mulx    a_1,b_5,t_1     !mul_add_c(a[1],b[5],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3     !=
+        lduw    bp(7),b_7
+        mulx    a_0,b_6,t_1     !mul_add_c(a[0],b[6],c1,c2,c3);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(6)       !r[6]=c1;
+        or      c_12,c_3,c_12   !=
+
+        mulx    a_0,b_7,t_1     !mul_add_c(a[0],b[7],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_1,b_6,t_1     !mul_add_c(a[1],b[6],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_2,b_5,t_1     !mul_add_c(a[2],b[5],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_3,b_4,t_1     !mul_add_c(a[3],b[4],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_4,b_3,t_1     !mul_add_c(a[4],b[3],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_5,b_2,t_1     !mul_add_c(a[5],b[2],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        lduw    ap(7),a_7
+        mulx    a_6,b_1,t_1     !=!mul_add_c(a[6],b[1],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_7,b_0,t_1     !=!mul_add_c(a[7],b[0],c2,c3,c1);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12     !=
+        stuw    t_1,rp(7)       !r[7]=c2;
+        or      c_12,c_3,c_12
+
+        mulx    a_7,b_1,t_1     !=!mul_add_c(a[7],b[1],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3     !=
+        mulx    a_6,b_2,t_1     !mul_add_c(a[6],b[2],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3     !=
+        mulx    a_5,b_3,t_1     !mul_add_c(a[5],b[3],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3     !=
+        mulx    a_4,b_4,t_1     !mul_add_c(a[4],b[4],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3     !=
+        mulx    a_3,b_5,t_1     !mul_add_c(a[3],b[5],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3     !=
+        mulx    a_2,b_6,t_1     !mul_add_c(a[2],b[6],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3     !=
+        mulx    a_1,b_7,t_1     !mul_add_c(a[1],b[7],c3,c1,c2);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3     !=
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(8)       !r[8]=c3;
+        or      c_12,c_3,c_12
+
+        mulx    a_2,b_7,t_1     !=!mul_add_c(a[2],b[7],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3     !=
+        mulx    a_3,b_6,t_1     !mul_add_c(a[3],b[6],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_4,b_5,t_1     !mul_add_c(a[4],b[5],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_5,b_4,t_1     !mul_add_c(a[5],b[4],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_6,b_3,t_1     !mul_add_c(a[6],b[3],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_7,b_2,t_1     !mul_add_c(a[7],b[2],c1,c2,c3);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(9)       !r[9]=c1;
+        or      c_12,c_3,c_12   !=
+
+        mulx    a_7,b_3,t_1     !mul_add_c(a[7],b[3],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_6,b_4,t_1     !mul_add_c(a[6],b[4],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_5,b_5,t_1     !mul_add_c(a[5],b[5],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_4,b_6,t_1     !mul_add_c(a[4],b[6],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_3,b_7,t_1     !mul_add_c(a[3],b[7],c2,c3,c1);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(10)      !r[10]=c2;
+        or      c_12,c_3,c_12   !=
+
+        mulx    a_4,b_7,t_1     !mul_add_c(a[4],b[7],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_5,b_6,t_1     !mul_add_c(a[5],b[6],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_6,b_5,t_1     !mul_add_c(a[6],b[5],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_7,b_4,t_1     !mul_add_c(a[7],b[4],c3,c1,c2);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(11)      !r[11]=c3;
+        or      c_12,c_3,c_12   !=
+
+        mulx    a_7,b_5,t_1     !mul_add_c(a[7],b[5],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_6,b_6,t_1     !mul_add_c(a[6],b[6],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_5,b_7,t_1     !mul_add_c(a[5],b[7],c1,c2,c3);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(12)      !r[12]=c1;
+        or      c_12,c_3,c_12   !=
+
+        mulx    a_6,b_7,t_1     !mul_add_c(a[6],b[7],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_7,b_6,t_1     !mul_add_c(a[7],b[6],c2,c3,c1);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        st      t_1,rp(13)      !r[13]=c2;
+        or      c_12,c_3,c_12   !=
+
+        mulx    a_7,b_7,t_1     !mul_add_c(a[7],b[7],c3,c1,c2);
+        addcc   c_12,t_1,t_1
+        srlx    t_1,32,c_12     !=
+        stuw    t_1,rp(14)      !r[14]=c3;
+        stuw    c_12,rp(15)     !r[15]=c1;
+
+        ret
+        restore %g0,%g0,%o0     !=
+
+.type   bn_mul_comba8,#function
+.size   bn_mul_comba8,(.-bn_mul_comba8)
+
+.align  32
+
+.global bn_mul_comba4
+/*
+ * void bn_mul_comba4(r,a,b)
+ * BN_ULONG *r,*a,*b;
+ */
+bn_mul_comba4:
+        save    %sp,FRAME_SIZE,%sp
+        lduw    ap(0),a_0
+        mov     1,t_2
+        lduw    bp(0),b_0
+        sllx    t_2,32,t_2      !=
+        lduw    bp(1),b_1
+        mulx    a_0,b_0,t_1     !mul_add_c(a[0],b[0],c1,c2,c3);
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(0)       !=!r[0]=c1;
+
+        lduw    ap(1),a_1
+        mulx    a_0,b_1,t_1     !mul_add_c(a[0],b[1],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        clr     c_3             !=
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        lduw    ap(2),a_2
+        mulx    a_1,b_0,t_1     !=!mul_add_c(a[1],b[0],c2,c3,c1);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12     !=
+        stuw    t_1,rp(1)       !r[1]=c2;
+        or      c_12,c_3,c_12
+
+        mulx    a_2,b_0,t_1     !mul_add_c(a[2],b[0],c3,c1,c2);
+        addcc   c_12,t_1,c_12   !=
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        lduw    bp(2),b_2       !=
+        mulx    a_1,b_1,t_1     !mul_add_c(a[1],b[1],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3     !=
+        lduw    bp(3),b_3
+        mulx    a_0,b_2,t_1     !mul_add_c(a[0],b[2],c3,c1,c2);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(2)       !r[2]=c3;
+        or      c_12,c_3,c_12   !=
+
+        mulx    a_0,b_3,t_1     !mul_add_c(a[0],b[3],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        mulx    a_1,b_2,t_1     !mul_add_c(a[1],b[2],c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8        !=
+        add     c_3,t_2,c_3
+        lduw    ap(3),a_3
+        mulx    a_2,b_1,t_1     !mul_add_c(a[2],b[1],c1,c2,c3);
+        addcc   c_12,t_1,c_12   !=
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_3,b_0,t_1     !mul_add_c(a[3],b[0],c1,c2,c3);!=
+        addcc   c_12,t_1,t_1    !=
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(3)       !=!r[3]=c1;
+        or      c_12,c_3,c_12
+
+        mulx    a_3,b_1,t_1     !mul_add_c(a[3],b[1],c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        clr     c_3             !=
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_2,b_2,t_1     !mul_add_c(a[2],b[2],c2,c3,c1);
+        addcc   c_12,t_1,c_12   !=
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_1,b_3,t_1     !mul_add_c(a[1],b[3],c2,c3,c1);
+        addcc   c_12,t_1,t_1    !=
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(4)       !=!r[4]=c2;
+        or      c_12,c_3,c_12
+
+        mulx    a_2,b_3,t_1     !mul_add_c(a[2],b[3],c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        clr     c_3             !=
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_3,b_2,t_1     !mul_add_c(a[3],b[2],c3,c1,c2);
+        addcc   c_12,t_1,t_1    !=
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(5)       !=!r[5]=c3;
+        or      c_12,c_3,c_12
+
+        mulx    a_3,b_3,t_1     !mul_add_c(a[3],b[3],c1,c2,c3);
+        addcc   c_12,t_1,t_1
+        srlx    t_1,32,c_12     !=
+        stuw    t_1,rp(6)       !r[6]=c1;
+        stuw    c_12,rp(7)      !r[7]=c2;
+        
+        ret
+        restore %g0,%g0,%o0
+
+.type   bn_mul_comba4,#function
+.size   bn_mul_comba4,(.-bn_mul_comba4)
+
+.align  32
+
+.global bn_sqr_comba8
+bn_sqr_comba8:
+        save    %sp,FRAME_SIZE,%sp
+        mov     1,t_2
+        lduw    ap(0),a_0
+        sllx    t_2,32,t_2
+        lduw    ap(1),a_1
+        mulx    a_0,a_0,t_1     !sqr_add_c(a,0,c1,c2,c3);
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(0)       !r[0]=c1;
+
+        lduw    ap(2),a_2
+        mulx    a_0,a_1,t_1     !=!sqr_add_c2(a,1,0,c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(1)       !r[1]=c2;
+        or      c_12,c_3,c_12
+
+        mulx    a_2,a_0,t_1     !sqr_add_c2(a,2,0,c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        lduw    ap(3),a_3
+        mulx    a_1,a_1,t_1     !sqr_add_c(a,1,c3,c1,c2);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(2)       !r[2]=c3;
+        or      c_12,c_3,c_12
+
+        mulx    a_0,a_3,t_1     !sqr_add_c2(a,3,0,c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        lduw    ap(4),a_4
+        mulx    a_1,a_2,t_1     !sqr_add_c2(a,2,1,c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        st      t_1,rp(3)       !r[3]=c1;
+        or      c_12,c_3,c_12
+
+        mulx    a_4,a_0,t_1     !sqr_add_c2(a,4,0,c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_3,a_1,t_1     !sqr_add_c2(a,3,1,c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        lduw    ap(5),a_5
+        mulx    a_2,a_2,t_1     !sqr_add_c(a,2,c2,c3,c1);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(4)       !r[4]=c2;
+        or      c_12,c_3,c_12
+
+        mulx    a_0,a_5,t_1     !sqr_add_c2(a,5,0,c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_1,a_4,t_1     !sqr_add_c2(a,4,1,c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        lduw    ap(6),a_6
+        mulx    a_2,a_3,t_1     !sqr_add_c2(a,3,2,c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(5)       !r[5]=c3;
+        or      c_12,c_3,c_12
+
+        mulx    a_6,a_0,t_1     !sqr_add_c2(a,6,0,c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_5,a_1,t_1     !sqr_add_c2(a,5,1,c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_4,a_2,t_1     !sqr_add_c2(a,4,2,c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        lduw    ap(7),a_7
+        mulx    a_3,a_3,t_1     !=!sqr_add_c(a,3,c1,c2,c3);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(6)       !r[6]=c1;
+        or      c_12,c_3,c_12
+
+        mulx    a_0,a_7,t_1     !sqr_add_c2(a,7,0,c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_1,a_6,t_1     !sqr_add_c2(a,6,1,c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_2,a_5,t_1     !sqr_add_c2(a,5,2,c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_3,a_4,t_1     !sqr_add_c2(a,4,3,c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(7)       !r[7]=c2;
+        or      c_12,c_3,c_12
+
+        mulx    a_7,a_1,t_1     !sqr_add_c2(a,7,1,c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_6,a_2,t_1     !sqr_add_c2(a,6,2,c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_5,a_3,t_1     !sqr_add_c2(a,5,3,c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_4,a_4,t_1     !sqr_add_c(a,4,c3,c1,c2);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(8)       !r[8]=c3;
+        or      c_12,c_3,c_12
+
+        mulx    a_2,a_7,t_1     !sqr_add_c2(a,7,2,c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_3,a_6,t_1     !sqr_add_c2(a,6,3,c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_4,a_5,t_1     !sqr_add_c2(a,5,4,c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(9)       !r[9]=c1;
+        or      c_12,c_3,c_12
+
+        mulx    a_7,a_3,t_1     !sqr_add_c2(a,7,3,c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_6,a_4,t_1     !sqr_add_c2(a,6,4,c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_5,a_5,t_1     !sqr_add_c(a,5,c2,c3,c1);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(10)      !r[10]=c2;
+        or      c_12,c_3,c_12
+
+        mulx    a_4,a_7,t_1     !sqr_add_c2(a,7,4,c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_5,a_6,t_1     !sqr_add_c2(a,6,5,c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(11)      !r[11]=c3;
+        or      c_12,c_3,c_12
+
+        mulx    a_7,a_5,t_1     !sqr_add_c2(a,7,5,c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_6,a_6,t_1     !sqr_add_c(a,6,c1,c2,c3);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(12)      !r[12]=c1;
+        or      c_12,c_3,c_12
+
+        mulx    a_6,a_7,t_1     !sqr_add_c2(a,7,6,c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(13)      !r[13]=c2;
+        or      c_12,c_3,c_12
+
+        mulx    a_7,a_7,t_1     !sqr_add_c(a,7,c3,c1,c2);
+        addcc   c_12,t_1,t_1
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(14)      !r[14]=c3;
+        stuw    c_12,rp(15)     !r[15]=c1;
+
+        ret
+        restore %g0,%g0,%o0
+
+.type   bn_sqr_comba8,#function
+.size   bn_sqr_comba8,(.-bn_sqr_comba8)
+
+.align  32
+
+.global bn_sqr_comba4
+/*
+ * void bn_sqr_comba4(r,a)
+ * BN_ULONG *r,*a;
+ */
+bn_sqr_comba4:
+        save    %sp,FRAME_SIZE,%sp
+        mov     1,t_2
+        lduw    ap(0),a_0
+        sllx    t_2,32,t_2
+        lduw    ap(1),a_1
+        mulx    a_0,a_0,t_1     !sqr_add_c(a,0,c1,c2,c3);
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(0)       !r[0]=c1;
+
+        lduw    ap(2),a_2
+        mulx    a_0,a_1,t_1     !sqr_add_c2(a,1,0,c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(1)       !r[1]=c2;
+        or      c_12,c_3,c_12
+
+        mulx    a_2,a_0,t_1     !sqr_add_c2(a,2,0,c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        lduw    ap(3),a_3
+        mulx    a_1,a_1,t_1     !sqr_add_c(a,1,c3,c1,c2);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(2)       !r[2]=c3;
+        or      c_12,c_3,c_12
+
+        mulx    a_0,a_3,t_1     !sqr_add_c2(a,3,0,c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_1,a_2,t_1     !sqr_add_c2(a,2,1,c1,c2,c3);
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(3)       !r[3]=c1;
+        or      c_12,c_3,c_12
+
+        mulx    a_3,a_1,t_1     !sqr_add_c2(a,3,1,c2,c3,c1);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,c_12
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        mulx    a_2,a_2,t_1     !sqr_add_c(a,2,c2,c3,c1);
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(4)       !r[4]=c2;
+        or      c_12,c_3,c_12
+
+        mulx    a_2,a_3,t_1     !sqr_add_c2(a,3,2,c3,c1,c2);
+        addcc   c_12,t_1,c_12
+        clr     c_3
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        addcc   c_12,t_1,t_1
+        bcs,a   %xcc,.+8
+        add     c_3,t_2,c_3
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(5)       !r[5]=c3;
+        or      c_12,c_3,c_12
+
+        mulx    a_3,a_3,t_1     !sqr_add_c(a,3,c1,c2,c3);
+        addcc   c_12,t_1,t_1
+        srlx    t_1,32,c_12
+        stuw    t_1,rp(6)       !r[6]=c1;
+        stuw    c_12,rp(7)      !r[7]=c2;
+        
+        ret
+        restore %g0,%g0,%o0
+
+.type   bn_sqr_comba4,#function
+.size   bn_sqr_comba4,(.-bn_sqr_comba4)
+
+.align  32
diff --git a/src/lib/libssl/src/crypto/bn/asm/vms.mar b/src/lib/libssl/src/crypto/bn/asm/vms.mar
new file mode 100644
index 0000000000..ac9d57d7b0
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/vms.mar
@@ -0,0 +1,6695 @@
+        .title  vax_bn_mul_add_word  unsigned multiply & add, 32*32+32+32=>64
+;
+; w.j.m. 15-jan-1999
+;
+; it's magic ...
+;
+; ULONG bn_mul_add_words(ULONG r[],ULONG a[],int n,ULONG w) {
+;       ULONG c = 0;
+;       int i;
+;       for(i = 0; i < n; i++) <c,r[i]> := r[i] + c + a[i] * w ;
+;       return c;
+; }
+
+r=4 ;(AP)
+a=8 ;(AP)
+n=12 ;(AP)      n       by value (input)
+w=16 ;(AP)      w       by value (input)
+
+
+        .psect  code,nowrt
+
+.entry  bn_mul_add_words,^m<r2,r3,r4,r5,r6>
+
+        moval   @r(ap),r2
+        moval   @a(ap),r3
+        movl    n(ap),r4        ; assumed >0 by C code
+        movl    w(ap),r5
+        clrl    r6              ; c
+
+0$:
+        emul    r5,(r3),(r2),r0         ; w, a[], r[] considered signed
+
+        ; fixup for "negative" r[]
+        tstl    (r2)
+        bgeq    10$
+        incl    r1
+10$:
+
+        ; add in c
+        addl2   r6,r0
+        adwc    #0,r1
+
+        ; combined fixup for "negative" w, a[]
+        tstl    r5
+        bgeq    20$
+        addl2   (r3),r1
+20$:
+        tstl    (r3)
+        bgeq    30$
+        addl2   r5,r1
+30$:
+
+        movl    r0,(r2)+                ; store lo result in r[] & advance
+        addl    #4,r3                   ; advance a[]
+        movl    r1,r6                   ; store hi result => c
+
+        sobgtr  r4,0$
+
+        movl    r6,r0                   ; return c
+        ret
+
+        .title  vax_bn_mul_word  unsigned multiply & add, 32*32+32=>64
+;
+; w.j.m. 15-jan-1999
+;
+; it's magic ...
+;
+; ULONG bn_mul_words(ULONG r[],ULONG a[],int n,ULONG w) {
+;       ULONG c = 0;
+;       int i;
+;       for(i = 0; i < num; i++) <c,r[i]> := a[i] * w + c ;
+;       return(c);
+; }
+
+r=4 ;(AP)
+a=8 ;(AP)
+n=12 ;(AP)      n       by value (input)
+w=16 ;(AP)      w       by value (input)
+
+
+        .psect  code,nowrt
+
+.entry  bn_mul_words,^m<r2,r3,r4,r5,r6>
+
+        moval   @r(ap),r2       ; r2 -> r[]
+        moval   @a(ap),r3       ; r3 -> a[]
+        movl    n(ap),r4        ; r4 = loop count (assumed >0 by C code)
+        movl    w(ap),r5        ; r5 = w
+        clrl    r6              ; r6 = c
+
+0$:
+        ; <r1,r0> := w * a[] + c
+        emul    r5,(r3),r6,r0           ; w, a[], c considered signed
+
+        ; fixup for "negative" c
+        tstl    r6                      ; c
+        bgeq    10$
+        incl    r1
+10$:
+
+        ; combined fixup for "negative" w, a[]
+        tstl    r5                      ; w
+        bgeq    20$
+        addl2   (r3),r1                 ; a[]
+20$:
+        tstl    (r3)                    ; a[]
+        bgeq    30$
+        addl2   r5,r1                   ; w
+30$:
+
+        movl    r0,(r2)+                ; store lo result in r[] & advance
+        addl    #4,r3                   ; advance a[]
+        movl    r1,r6                   ; store hi result => c
+
+        sobgtr  r4,0$
+
+        movl    r6,r0                   ; return c
+        ret
+
+        .title  vax_bn_sqr_words  unsigned square, 32*32=>64
+;
+; w.j.m. 15-jan-1999
+;
+; it's magic ...
+;
+; void bn_sqr_words(ULONG r[],ULONG a[],int n) {
+;       int i;
+;       for(i = 0; i < n; i++) <r[2*i+1],r[2*i]> := a[i] * a[i] ;
+; }
+
+r=4 ;(AP)
+a=8 ;(AP)
+n=12 ;(AP)      n       by value (input)
+
+
+        .psect  code,nowrt
+
+.entry  bn_sqr_words,^m<r2,r3,r4,r5>
+
+        moval   @r(ap),r2       ; r2 -> r[]
+        moval   @a(ap),r3       ; r3 -> a[]
+        movl    n(ap),r4        ; r4 = n (assumed >0 by C code)
+
+0$:
+        movl    (r3)+,r5                ; r5 = a[] & advance
+
+        ; <r1,r0> := a[] * a[]
+        emul    r5,r5,#0,r0             ; a[] considered signed
+
+        ; fixup for "negative" a[]
+        tstl    r5                      ; a[]
+        bgeq    30$
+        addl2   r5,r1                   ; a[]
+        addl2   r5,r1                   ; a[]
+30$:
+
+        movl    r0,(r2)+                ; store lo result in r[] & advance
+        movl    r1,(r2)+                ; store hi result in r[] & advance
+
+        sobgtr  r4,0$
+
+        movl    #1,r0                   ; return SS$_NORMAL
+        ret
+
+        .title  (generated)
+
+        .psect  code,nowrt
+
+.entry  BN_DIV_WORDS,^m<r2,r3,r4,r5,r6,r7,r8,r9,r10>
+        subl2   #4,sp
+
+        clrl    r9
+        movl    #2,r8
+
+        tstl    12(ap)
+        bneq    noname.2
+        mnegl   #1,r10
+        brw     noname.3
+        tstl    r0
+        nop     
+noname.2:
+
+        pushl   12(ap)
+        calls   #1,BN_NUM_BITS_WORD
+        movl    r0,r7
+
+        cmpl    r7,#32
+        beql    noname.4
+        ashl    r7,#1,r2
+        cmpl    4(ap),r2
+        blequ   noname.4
+
+        pushl   r7
+        calls   #1,BN_DIV_WORDS_ABORT
+noname.4:
+
+        subl3   r7,#32,r7
+
+        movl    12(ap),r2
+        cmpl    4(ap),r2
+        blssu   noname.5
+        subl2   r2,4(ap)
+noname.5:
+
+        tstl    r7
+        beql    noname.6
+
+        ashl    r7,r2,12(ap)
+
+        ashl    r7,4(ap),r4
+        subl3   r7,#32,r3
+        subl3   r3,#32,r2
+        extzv   r3,r2,8(ap),r2
+        bisl3   r4,r2,4(ap)
+
+        ashl    r7,8(ap),8(ap)
+noname.6:
+
+        bicl3   #65535,12(ap),r2
+        extzv   #16,#16,r2,r5
+
+        bicl3   #-65536,12(ap),r6
+
+noname.7:
+
+        moval   4(ap),r2
+        movzwl  2(r2),r0
+        cmpl    r0,r5
+        bneq    noname.8
+
+        movzwl  #65535,r4
+        brb     noname.9
+noname.8:
+
+        clrl    r1
+        movl    (r2),r0
+        movl    r5,r2
+        bgeq    vcg.1
+        cmpl    r2,r0
+        bgtru   vcg.2
+        incl    r1
+        brb     vcg.2
+        nop     
+vcg.1:
+        ediv    r2,r0,r1,r0
+vcg.2:
+        movl    r1,r4
+noname.9:
+
+noname.10:
+
+        mull3   r5,r4,r0
+        subl3   r0,4(ap),r3
+
+        bicl3   #65535,r3,r0
+        bneq    noname.13
+        mull3   r6,r4,r2
+        ashl    #16,r3,r1
+        bicl3   #65535,8(ap),r0
+        extzv   #16,#16,r0,r0
+        addl2   r0,r1
+        cmpl    r2,r1
+        bgtru   noname.12
+noname.11:
+
+        brb     noname.13
+        nop     
+noname.12:
+
+        decl    r4
+        brb     noname.10
+noname.13:
+
+        mull3   r5,r4,r1
+
+        mull3   r6,r4,r0
+
+        extzv   #16,#16,r0,r3
+
+        ashl    #16,r0,r2
+        bicl3   #65535,r2,r0
+
+        addl2   r3,r1
+
+        moval   8(ap),r3
+        cmpl    (r3),r0
+        bgequ   noname.15
+        incl    r1
+noname.15:
+
+        subl2   r0,(r3)
+
+        cmpl    4(ap),r1
+        bgequ   noname.16
+
+        addl2   12(ap),4(ap)
+
+        decl    r4
+noname.16:
+
+        subl2   r1,4(ap)
+
+        decl    r8
+        beql    noname.18
+noname.17:
+
+        ashl    #16,r4,r9
+
+        ashl    #16,4(ap),r2
+        movzwl  2(r3),r0
+        bisl2   r0,r2
+        bicl3   #0,r2,4(ap)
+
+        bicl3   #-65536,(r3),r0
+        ashl    #16,r0,(r3)
+        brw     noname.7
+        nop     
+noname.18:
+
+        bisl2   r4,r9
+
+        movl    r9,r10
+
+noname.3:
+        movl    r10,r0
+        ret     
+        tstl    r0
+
+
+        .psect  code,nowrt
+
+.entry  BN_ADD_WORDS,^m<r2,r3,r4,r5,r6,r7>
+
+        tstl    16(ap)
+        bgtr    noname.21
+        clrl    r7
+        brw     noname.22
+noname.21:
+
+        clrl    r4
+
+        tstl    r0
+noname.23:
+
+        movl    8(ap),r6
+        addl3   r4,(r6),r2
+
+        bicl2   #0,r2
+
+        clrl    r0
+        cmpl    r2,r4
+        bgequ   vcg.3
+        incl    r0
+vcg.3:
+        movl    r0,r4
+
+        movl    12(ap),r5
+        addl3   (r5),r2,r1
+        bicl2   #0,r1
+
+        clrl    r0
+        cmpl    r1,r2
+        bgequ   vcg.4
+        incl    r0
+vcg.4:
+        addl2   r0,r4
+
+        movl    4(ap),r3
+        movl    r1,(r3)
+
+        decl    16(ap)
+        bgtr    gen.1
+        brw     noname.25
+gen.1:
+noname.24:
+
+        addl3   r4,4(r6),r2
+
+        bicl2   #0,r2
+
+        clrl    r0
+        cmpl    r2,r4
+        bgequ   vcg.5
+        incl    r0
+vcg.5:
+        movl    r0,r4
+
+        addl3   4(r5),r2,r1
+        bicl2   #0,r1
+
+        clrl    r0
+        cmpl    r1,r2
+        bgequ   vcg.6
+        incl    r0
+vcg.6:
+        addl2   r0,r4
+
+        movl    r1,4(r3)
+
+        decl    16(ap)
+        bleq    noname.25
+noname.26:
+
+        addl3   r4,8(r6),r2
+
+        bicl2   #0,r2
+
+        clrl    r0
+        cmpl    r2,r4
+        bgequ   vcg.7
+        incl    r0
+vcg.7:
+        movl    r0,r4
+
+        addl3   8(r5),r2,r1
+        bicl2   #0,r1
+
+        clrl    r0
+        cmpl    r1,r2
+        bgequ   vcg.8
+        incl    r0
+vcg.8:
+        addl2   r0,r4
+
+        movl    r1,8(r3)
+
+        decl    16(ap)
+        bleq    noname.25
+noname.27:
+
+        addl3   r4,12(r6),r2
+
+        bicl2   #0,r2
+
+        clrl    r0
+        cmpl    r2,r4
+        bgequ   vcg.9
+        incl    r0
+vcg.9:
+        movl    r0,r4
+
+        addl3   12(r5),r2,r1
+        bicl2   #0,r1
+
+        clrl    r0
+        cmpl    r1,r2
+        bgequ   vcg.10
+        incl    r0
+vcg.10:
+        addl2   r0,r4
+
+        movl    r1,12(r3)
+
+        decl    16(ap)
+        bleq    noname.25
+noname.28:
+
+        addl3   #16,r6,8(ap)
+
+        addl3   #16,r5,12(ap)
+
+        addl3   #16,r3,4(ap)
+        brw     noname.23
+        tstl    r0
+noname.25:
+
+        movl    r4,r7
+
+noname.22:
+        movl    r7,r0
+        ret     
+        nop     
+
+
+
+;r=4 ;(AP)
+;a=8 ;(AP)
+;b=12 ;(AP)
+;n=16 ;(AP)     n       by value (input)
+
+        .psect  code,nowrt
+
+.entry  BN_SUB_WORDS,^m<r2,r3,r4,r5,r6,r7>
+
+        clrl    r6
+
+        tstl    16(ap)
+        bgtr    noname.31
+        clrl    r7
+        brw     noname.32
+        tstl    r0
+noname.31:
+
+noname.33:
+
+        movl    8(ap),r5
+        movl    (r5),r1
+        movl    12(ap),r4
+        movl    (r4),r2
+
+        movl    4(ap),r3
+        subl3   r2,r1,r0
+        subl2   r6,r0
+        bicl3   #0,r0,(r3)
+
+        cmpl    r1,r2
+        beql    noname.34
+        clrl    r0
+        cmpl    r1,r2
+        bgequ   vcg.11
+        incl    r0
+vcg.11:
+        movl    r0,r6
+noname.34:
+
+        decl    16(ap)
+        bgtr    gen.2
+        brw     noname.36
+gen.2:
+noname.35:
+
+        movl    4(r5),r2
+        movl    4(r4),r1
+
+        subl3   r1,r2,r0
+        subl2   r6,r0
+        bicl3   #0,r0,4(r3)
+
+        cmpl    r2,r1
+        beql    noname.37
+        clrl    r0
+        cmpl    r2,r1
+        bgequ   vcg.12
+        incl    r0
+vcg.12:
+        movl    r0,r6
+noname.37:
+
+        decl    16(ap)
+        bleq    noname.36
+noname.38:
+
+        movl    8(r5),r1
+        movl    8(r4),r2
+
+        subl3   r2,r1,r0
+        subl2   r6,r0
+        bicl3   #0,r0,8(r3)
+
+        cmpl    r1,r2
+        beql    noname.39
+        clrl    r0
+        cmpl    r1,r2
+        bgequ   vcg.13
+        incl    r0
+vcg.13:
+        movl    r0,r6
+noname.39:
+
+        decl    16(ap)
+        bleq    noname.36
+noname.40:
+
+        movl    12(r5),r1
+        movl    12(r4),r2
+
+        subl3   r2,r1,r0
+        subl2   r6,r0
+        bicl3   #0,r0,12(r3)
+
+        cmpl    r1,r2
+        beql    noname.41
+        clrl    r0
+        cmpl    r1,r2
+        bgequ   vcg.14
+        incl    r0
+vcg.14:
+        movl    r0,r6
+noname.41:
+
+        decl    16(ap)
+        bleq    noname.36
+noname.42:
+
+        addl3   #16,r5,8(ap)
+
+        addl3   #16,r4,12(ap)
+
+        addl3   #16,r3,4(ap)
+        brw     noname.33
+        tstl    r0
+noname.36:
+
+        movl    r6,r7
+
+noname.32:
+        movl    r7,r0
+        ret     
+        nop     
+
+
+
+;r=4 ;(AP)
+;a=8 ;(AP)
+;b=12 ;(AP)
+;n=16 ;(AP)     n       by value (input)
+
+        .psect  code,nowrt
+
+.entry  BN_MUL_COMBA8,^m<r2,r3,r4,r5,r6,r7,r8,r9,r10,r11>
+        movab   -924(sp),sp
+        clrq    r8
+
+        clrl    r10
+
+        movl    8(ap),r6
+        movzwl  2(r6),r3
+        movl    12(ap),r7
+        bicl3   #-65536,(r7),r2
+        movzwl  2(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,(r6),-12(fp)
+        bicl3   #-65536,r3,-16(fp)
+        mull3   r0,-12(fp),-4(fp)
+        mull2   r2,-12(fp)
+        mull3   r2,-16(fp),-8(fp)
+        mull2   r0,-16(fp)
+        addl3   -4(fp),-8(fp),r0
+        bicl3   #0,r0,-4(fp)
+        cmpl    -4(fp),-8(fp)
+        bgequ   noname.45
+        addl2   #65536,-16(fp)
+noname.45:
+        movzwl  -2(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-16(fp)
+        bicl3   #-65536,-4(fp),r0
+        ashl    #16,r0,-8(fp)
+        addl3   -8(fp),-12(fp),r0
+        bicl3   #0,r0,-12(fp)
+        cmpl    -12(fp),-8(fp)
+        bgequ   noname.46
+        incl    -16(fp)
+noname.46:
+        movl    -12(fp),r1
+        movl    -16(fp),r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.47
+        incl    r2
+noname.47:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.48
+        incl    r10
+noname.48:
+
+        movl    4(ap),r11
+        movl    r9,(r11)
+
+        clrl    r9
+
+        movzwl  2(r6),r2
+        bicl3   #-65536,4(r7),r3
+        movzwl  6(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,(r6),-28(fp)
+        bicl3   #-65536,r2,-32(fp)
+        mull3   r0,-28(fp),-20(fp)
+        mull2   r3,-28(fp)
+        mull3   r3,-32(fp),-24(fp)
+        mull2   r0,-32(fp)
+        addl3   -20(fp),-24(fp),r0
+        bicl3   #0,r0,-20(fp)
+        cmpl    -20(fp),-24(fp)
+        bgequ   noname.49
+        addl2   #65536,-32(fp)
+noname.49:
+        movzwl  -18(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-32(fp)
+        bicl3   #-65536,-20(fp),r0
+        ashl    #16,r0,-24(fp)
+        addl3   -24(fp),-28(fp),r0
+        bicl3   #0,r0,-28(fp)
+        cmpl    -28(fp),-24(fp)
+        bgequ   noname.50
+        incl    -32(fp)
+noname.50:
+        movl    -28(fp),r1
+        movl    -32(fp),r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.51
+        incl    r2
+noname.51:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.52
+        incl    r9
+noname.52:
+
+        movzwl  6(r6),r2
+        bicl3   #-65536,(r7),r3
+        movzwl  2(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,4(r6),-44(fp)
+        bicl3   #-65536,r2,-48(fp)
+        mull3   r0,-44(fp),-36(fp)
+        mull2   r3,-44(fp)
+        mull3   r3,-48(fp),-40(fp)
+        mull2   r0,-48(fp)
+        addl3   -36(fp),-40(fp),r0
+        bicl3   #0,r0,-36(fp)
+        cmpl    -36(fp),-40(fp)
+        bgequ   noname.53
+        addl2   #65536,-48(fp)
+noname.53:
+        movzwl  -34(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-48(fp)
+        bicl3   #-65536,-36(fp),r0
+        ashl    #16,r0,-40(fp)
+        addl3   -40(fp),-44(fp),r0
+        bicl3   #0,r0,-44(fp)
+        cmpl    -44(fp),-40(fp)
+        bgequ   noname.54
+        incl    -48(fp)
+noname.54:
+        movl    -44(fp),r1
+        movl    -48(fp),r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.55
+        incl    r2
+noname.55:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.56
+        incl    r9
+noname.56:
+
+        movl    r8,4(r11)
+
+        clrl    r8
+
+        movzwl  10(r6),r2
+        bicl3   #-65536,(r7),r3
+        movzwl  2(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,8(r6),-60(fp)
+        bicl3   #-65536,r2,-64(fp)
+        mull3   r0,-60(fp),-52(fp)
+        mull2   r3,-60(fp)
+        mull3   r3,-64(fp),-56(fp)
+        mull2   r0,-64(fp)
+        addl3   -52(fp),-56(fp),r0
+        bicl3   #0,r0,-52(fp)
+        cmpl    -52(fp),-56(fp)
+        bgequ   noname.57
+        addl2   #65536,-64(fp)
+noname.57:
+        movzwl  -50(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-64(fp)
+        bicl3   #-65536,-52(fp),r0
+        ashl    #16,r0,-56(fp)
+        addl3   -56(fp),-60(fp),r0
+        bicl3   #0,r0,-60(fp)
+        cmpl    -60(fp),-56(fp)
+        bgequ   noname.58
+        incl    -64(fp)
+noname.58:
+        movl    -60(fp),r1
+        movl    -64(fp),r2
+        addl2   r1,r10
+        bicl2   #0,r10
+        cmpl    r10,r1
+        bgequ   noname.59
+        incl    r2
+noname.59:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.60
+        incl    r8
+noname.60:
+
+        movzwl  6(r6),r2
+        bicl3   #-65536,4(r7),r3
+        movzwl  6(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,4(r6),-76(fp)
+        bicl3   #-65536,r2,-80(fp)
+        mull3   r0,-76(fp),-68(fp)
+        mull2   r3,-76(fp)
+        mull3   r3,-80(fp),-72(fp)
+        mull2   r0,-80(fp)
+        addl3   -68(fp),-72(fp),r0
+        bicl3   #0,r0,-68(fp)
+        cmpl    -68(fp),-72(fp)
+        bgequ   noname.61
+        addl2   #65536,-80(fp)
+noname.61:
+        movzwl  -66(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-80(fp)
+        bicl3   #-65536,-68(fp),r0
+        ashl    #16,r0,-72(fp)
+        addl3   -72(fp),-76(fp),r0
+        bicl3   #0,r0,-76(fp)
+        cmpl    -76(fp),-72(fp)
+        bgequ   noname.62
+        incl    -80(fp)
+noname.62:
+        movl    -76(fp),r1
+        movl    -80(fp),r2
+        addl2   r1,r10
+        bicl2   #0,r10
+        cmpl    r10,r1
+        bgequ   noname.63
+        incl    r2
+noname.63:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.64
+        incl    r8
+noname.64:
+
+        movzwl  2(r6),r2
+        bicl3   #-65536,8(r7),r3
+        movzwl  10(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,(r6),-92(fp)
+        bicl3   #-65536,r2,-96(fp)
+        mull3   r0,-92(fp),-84(fp)
+        mull2   r3,-92(fp)
+        mull3   r3,-96(fp),-88(fp)
+        mull2   r0,-96(fp)
+        addl3   -84(fp),-88(fp),r0
+        bicl3   #0,r0,-84(fp)
+        cmpl    -84(fp),-88(fp)
+        bgequ   noname.65
+        addl2   #65536,-96(fp)
+noname.65:
+        movzwl  -82(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-96(fp)
+        bicl3   #-65536,-84(fp),r0
+        ashl    #16,r0,-88(fp)
+        addl3   -88(fp),-92(fp),r0
+        bicl3   #0,r0,-92(fp)
+        cmpl    -92(fp),-88(fp)
+        bgequ   noname.66
+        incl    -96(fp)
+noname.66:
+        movl    -92(fp),r1
+        movl    -96(fp),r2
+        addl2   r1,r10
+        bicl2   #0,r10
+        cmpl    r10,r1
+        bgequ   noname.67
+        incl    r2
+noname.67:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.68
+        incl    r8
+noname.68:
+
+        movl    r10,8(r11)
+
+        clrl    r10
+
+        movzwl  2(r6),r2
+        bicl3   #-65536,12(r7),r3
+        movzwl  14(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,(r6),-108(fp)
+        bicl3   #-65536,r2,-112(fp)
+        mull3   r0,-108(fp),-100(fp)
+        mull2   r3,-108(fp)
+        mull3   r3,-112(fp),-104(fp)
+        mull2   r0,-112(fp)
+        addl3   -100(fp),-104(fp),r0
+        bicl3   #0,r0,-100(fp)
+        cmpl    -100(fp),-104(fp)
+        bgequ   noname.69
+        addl2   #65536,-112(fp)
+noname.69:
+        movzwl  -98(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-112(fp)
+        bicl3   #-65536,-100(fp),r0
+        ashl    #16,r0,-104(fp)
+        addl3   -104(fp),-108(fp),r0
+        bicl3   #0,r0,-108(fp)
+        cmpl    -108(fp),-104(fp)
+        bgequ   noname.70
+        incl    -112(fp)
+noname.70:
+        movl    -108(fp),r1
+        movl    -112(fp),r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.71
+        incl    r2
+noname.71:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.72
+        incl    r10
+noname.72:
+
+        movzwl  6(r6),r2
+        bicl3   #-65536,8(r7),r3
+        movzwl  10(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,4(r6),-124(fp)
+        bicl3   #-65536,r2,-128(fp)
+        mull3   r0,-124(fp),-116(fp)
+        mull2   r3,-124(fp)
+        mull3   r3,-128(fp),-120(fp)
+        mull2   r0,-128(fp)
+        addl3   -116(fp),-120(fp),r0
+        bicl3   #0,r0,-116(fp)
+        cmpl    -116(fp),-120(fp)
+        bgequ   noname.73
+        addl2   #65536,-128(fp)
+noname.73:
+        movzwl  -114(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-128(fp)
+        bicl3   #-65536,-116(fp),r0
+        ashl    #16,r0,-120(fp)
+        addl3   -120(fp),-124(fp),r0
+        bicl3   #0,r0,-124(fp)
+        cmpl    -124(fp),-120(fp)
+        bgequ   noname.74
+        incl    -128(fp)
+noname.74:
+        movl    -124(fp),r1
+        movl    -128(fp),r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.75
+        incl    r2
+noname.75:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.76
+        incl    r10
+noname.76:
+
+        movzwl  10(r6),r2
+        bicl3   #-65536,4(r7),r3
+        movzwl  6(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,8(r6),-140(fp)
+        bicl3   #-65536,r2,-144(fp)
+        mull3   r0,-140(fp),-132(fp)
+        mull2   r3,-140(fp)
+        mull3   r3,-144(fp),-136(fp)
+        mull2   r0,-144(fp)
+        addl3   -132(fp),-136(fp),r0
+        bicl3   #0,r0,-132(fp)
+        cmpl    -132(fp),-136(fp)
+        bgequ   noname.77
+        addl2   #65536,-144(fp)
+noname.77:
+        movzwl  -130(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-144(fp)
+        bicl3   #-65536,-132(fp),r0
+        ashl    #16,r0,-136(fp)
+        addl3   -136(fp),-140(fp),r0
+        bicl3   #0,r0,-140(fp)
+        cmpl    -140(fp),-136(fp)
+        bgequ   noname.78
+        incl    -144(fp)
+noname.78:
+        movl    -140(fp),r1
+        movl    -144(fp),r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.79
+        incl    r2
+noname.79:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.80
+        incl    r10
+noname.80:
+
+        movzwl  14(r6),r2
+        bicl3   #-65536,(r7),r3
+        movzwl  2(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,12(r6),-156(fp)
+        bicl3   #-65536,r2,-160(fp)
+        mull3   r0,-156(fp),-148(fp)
+        mull2   r3,-156(fp)
+        mull3   r3,-160(fp),-152(fp)
+        mull2   r0,-160(fp)
+        addl3   -148(fp),-152(fp),r0
+        bicl3   #0,r0,-148(fp)
+        cmpl    -148(fp),-152(fp)
+        bgequ   noname.81
+        addl2   #65536,-160(fp)
+noname.81:
+        movzwl  -146(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-160(fp)
+        bicl3   #-65536,-148(fp),r0
+        ashl    #16,r0,-152(fp)
+        addl3   -152(fp),-156(fp),r0
+        bicl3   #0,r0,-156(fp)
+        cmpl    -156(fp),-152(fp)
+        bgequ   noname.82
+        incl    -160(fp)
+noname.82:
+        movl    -156(fp),r1
+        movl    -160(fp),r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.83
+        incl    r2
+noname.83:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.84
+        incl    r10
+noname.84:
+
+        movl    r9,12(r11)
+
+        clrl    r9
+
+        movzwl  18(r6),r2
+        bicl3   #-65536,(r7),r3
+        movzwl  2(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,16(r6),-172(fp)
+        bicl3   #-65536,r2,-176(fp)
+        mull3   r0,-172(fp),-164(fp)
+        mull2   r3,-172(fp)
+        mull3   r3,-176(fp),-168(fp)
+        mull2   r0,-176(fp)
+        addl3   -164(fp),-168(fp),r0
+        bicl3   #0,r0,-164(fp)
+        cmpl    -164(fp),-168(fp)
+        bgequ   noname.85
+        addl2   #65536,-176(fp)
+noname.85:
+        movzwl  -162(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-176(fp)
+        bicl3   #-65536,-164(fp),r0
+        ashl    #16,r0,-168(fp)
+        addl3   -168(fp),-172(fp),r0
+        bicl3   #0,r0,-172(fp)
+        cmpl    -172(fp),-168(fp)
+        bgequ   noname.86
+        incl    -176(fp)
+noname.86:
+        movl    -172(fp),r1
+        movl    -176(fp),r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.87
+        incl    r2
+noname.87:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.88
+        incl    r9
+noname.88:
+
+        movzwl  14(r6),r2
+        bicl3   #-65536,4(r7),r3
+        movzwl  6(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,12(r6),-188(fp)
+        bicl3   #-65536,r2,-192(fp)
+        mull3   r0,-188(fp),-180(fp)
+        mull2   r3,-188(fp)
+        mull3   r3,-192(fp),-184(fp)
+        mull2   r0,-192(fp)
+        addl3   -180(fp),-184(fp),r0
+        bicl3   #0,r0,-180(fp)
+        cmpl    -180(fp),-184(fp)
+        bgequ   noname.89
+        addl2   #65536,-192(fp)
+noname.89:
+        movzwl  -178(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-192(fp)
+        bicl3   #-65536,-180(fp),r0
+        ashl    #16,r0,-184(fp)
+        addl3   -184(fp),-188(fp),r0
+        bicl3   #0,r0,-188(fp)
+        cmpl    -188(fp),-184(fp)
+        bgequ   noname.90
+        incl    -192(fp)
+noname.90:
+        movl    -188(fp),r1
+        movl    -192(fp),r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.91
+        incl    r2
+noname.91:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.92
+        incl    r9
+noname.92:
+
+        movzwl  10(r6),r2
+        bicl3   #-65536,8(r7),r3
+        movzwl  10(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,8(r6),-204(fp)
+        bicl3   #-65536,r2,-208(fp)
+        mull3   r0,-204(fp),-196(fp)
+        mull2   r3,-204(fp)
+        mull3   r3,-208(fp),-200(fp)
+        mull2   r0,-208(fp)
+        addl3   -196(fp),-200(fp),r0
+        bicl3   #0,r0,-196(fp)
+        cmpl    -196(fp),-200(fp)
+        bgequ   noname.93
+        addl2   #65536,-208(fp)
+noname.93:
+        movzwl  -194(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-208(fp)
+        bicl3   #-65536,-196(fp),r0
+        ashl    #16,r0,-200(fp)
+        addl3   -200(fp),-204(fp),r0
+        bicl3   #0,r0,-204(fp)
+        cmpl    -204(fp),-200(fp)
+        bgequ   noname.94
+        incl    -208(fp)
+noname.94:
+        movl    -204(fp),r1
+        movl    -208(fp),r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.95
+        incl    r2
+noname.95:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.96
+        incl    r9
+noname.96:
+
+        movzwl  6(r6),r2
+        bicl3   #-65536,12(r7),r3
+        movzwl  14(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,4(r6),-220(fp)
+        bicl3   #-65536,r2,-224(fp)
+        mull3   r0,-220(fp),-212(fp)
+        mull2   r3,-220(fp)
+        mull3   r3,-224(fp),-216(fp)
+        mull2   r0,-224(fp)
+        addl3   -212(fp),-216(fp),r0
+        bicl3   #0,r0,-212(fp)
+        cmpl    -212(fp),-216(fp)
+        bgequ   noname.97
+        addl2   #65536,-224(fp)
+noname.97:
+        movzwl  -210(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-224(fp)
+        bicl3   #-65536,-212(fp),r0
+        ashl    #16,r0,-216(fp)
+        addl3   -216(fp),-220(fp),r0
+        bicl3   #0,r0,-220(fp)
+        cmpl    -220(fp),-216(fp)
+        bgequ   noname.98
+        incl    -224(fp)
+noname.98:
+        movl    -220(fp),r1
+        movl    -224(fp),r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.99
+        incl    r2
+noname.99:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.100
+        incl    r9
+noname.100:
+
+        movzwl  2(r6),r2
+        bicl3   #-65536,16(r7),r3
+        movzwl  18(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,(r6),-236(fp)
+        bicl3   #-65536,r2,-240(fp)
+        mull3   r0,-236(fp),-228(fp)
+        mull2   r3,-236(fp)
+        mull3   r3,-240(fp),-232(fp)
+        mull2   r0,-240(fp)
+        addl3   -228(fp),-232(fp),r0
+        bicl3   #0,r0,-228(fp)
+        cmpl    -228(fp),-232(fp)
+        bgequ   noname.101
+        addl2   #65536,-240(fp)
+noname.101:
+        movzwl  -226(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-240(fp)
+        bicl3   #-65536,-228(fp),r0
+        ashl    #16,r0,-232(fp)
+        addl3   -232(fp),-236(fp),r0
+        bicl3   #0,r0,-236(fp)
+        cmpl    -236(fp),-232(fp)
+        bgequ   noname.102
+        incl    -240(fp)
+noname.102:
+        movl    -236(fp),r1
+        movl    -240(fp),r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.103
+        incl    r2
+noname.103:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.104
+        incl    r9
+noname.104:
+
+        movl    r8,16(r11)
+
+        clrl    r8
+
+        movzwl  2(r6),r2
+        bicl3   #-65536,20(r7),r3
+        movzwl  22(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,(r6),-252(fp)
+        bicl3   #-65536,r2,-256(fp)
+        mull3   r0,-252(fp),-244(fp)
+        mull2   r3,-252(fp)
+        mull3   r3,-256(fp),-248(fp)
+        mull2   r0,-256(fp)
+        addl3   -244(fp),-248(fp),r0
+        bicl3   #0,r0,-244(fp)
+        cmpl    -244(fp),-248(fp)
+        bgequ   noname.105
+        addl2   #65536,-256(fp)
+noname.105:
+        movzwl  -242(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-256(fp)
+        bicl3   #-65536,-244(fp),r0
+        ashl    #16,r0,-248(fp)
+        addl3   -248(fp),-252(fp),r0
+        bicl3   #0,r0,-252(fp)
+        cmpl    -252(fp),-248(fp)
+        bgequ   noname.106
+        incl    -256(fp)
+noname.106:
+        movl    -252(fp),r1
+        movl    -256(fp),r2
+        addl2   r1,r10
+        bicl2   #0,r10
+        cmpl    r10,r1
+        bgequ   noname.107
+        incl    r2
+noname.107:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.108
+        incl    r8
+noname.108:
+
+        movzwl  6(r6),r2
+        bicl3   #-65536,16(r7),r3
+        movzwl  18(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,4(r6),-268(fp)
+        bicl3   #-65536,r2,-272(fp)
+        mull3   r0,-268(fp),-260(fp)
+        mull2   r3,-268(fp)
+        mull3   r3,-272(fp),-264(fp)
+        mull2   r0,-272(fp)
+        addl3   -260(fp),-264(fp),r0
+        bicl3   #0,r0,-260(fp)
+        cmpl    -260(fp),-264(fp)
+        bgequ   noname.109
+        addl2   #65536,-272(fp)
+noname.109:
+        movzwl  -258(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-272(fp)
+        bicl3   #-65536,-260(fp),r0
+        ashl    #16,r0,-264(fp)
+        addl3   -264(fp),-268(fp),r0
+        bicl3   #0,r0,-268(fp)
+        cmpl    -268(fp),-264(fp)
+        bgequ   noname.110
+        incl    -272(fp)
+noname.110:
+        movl    -268(fp),r1
+        movl    -272(fp),r2
+        addl2   r1,r10
+        bicl2   #0,r10
+        cmpl    r10,r1
+        bgequ   noname.111
+        incl    r2
+noname.111:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.112
+        incl    r8
+noname.112:
+
+        movzwl  10(r6),r2
+        bicl3   #-65536,12(r7),r3
+        movzwl  14(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,8(r6),-284(fp)
+        bicl3   #-65536,r2,-288(fp)
+        mull3   r0,-284(fp),-276(fp)
+        mull2   r3,-284(fp)
+        mull3   r3,-288(fp),-280(fp)
+        mull2   r0,-288(fp)
+        addl3   -276(fp),-280(fp),r0
+        bicl3   #0,r0,-276(fp)
+        cmpl    -276(fp),-280(fp)
+        bgequ   noname.113
+        addl2   #65536,-288(fp)
+noname.113:
+        movzwl  -274(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-288(fp)
+        bicl3   #-65536,-276(fp),r0
+        ashl    #16,r0,-280(fp)
+        addl3   -280(fp),-284(fp),r0
+        bicl3   #0,r0,-284(fp)
+        cmpl    -284(fp),-280(fp)
+        bgequ   noname.114
+        incl    -288(fp)
+noname.114:
+        movl    -284(fp),r1
+        movl    -288(fp),r2
+        addl2   r1,r10
+        bicl2   #0,r10
+        cmpl    r10,r1
+        bgequ   noname.115
+        incl    r2
+noname.115:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.116
+        incl    r8
+noname.116:
+
+        movzwl  14(r6),r2
+        bicl3   #-65536,8(r7),r3
+        movzwl  10(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,12(r6),-300(fp)
+        bicl3   #-65536,r2,-304(fp)
+        mull3   r0,-300(fp),-292(fp)
+        mull2   r3,-300(fp)
+        mull3   r3,-304(fp),-296(fp)
+        mull2   r0,-304(fp)
+        addl3   -292(fp),-296(fp),r0
+        bicl3   #0,r0,-292(fp)
+        cmpl    -292(fp),-296(fp)
+        bgequ   noname.117
+        addl2   #65536,-304(fp)
+noname.117:
+        movzwl  -290(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-304(fp)
+        bicl3   #-65536,-292(fp),r0
+        ashl    #16,r0,-296(fp)
+        addl3   -296(fp),-300(fp),r0
+        bicl3   #0,r0,-300(fp)
+        cmpl    -300(fp),-296(fp)
+        bgequ   noname.118
+        incl    -304(fp)
+noname.118:
+        movl    -300(fp),r1
+        movl    -304(fp),r2
+        addl2   r1,r10
+        bicl2   #0,r10
+        cmpl    r10,r1
+        bgequ   noname.119
+        incl    r2
+noname.119:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.120
+        incl    r8
+noname.120:
+
+        movzwl  18(r6),r2
+        bicl3   #-65536,4(r7),r3
+        movzwl  6(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,16(r6),-316(fp)
+        bicl3   #-65536,r2,-320(fp)
+        mull3   r0,-316(fp),-308(fp)
+        mull2   r3,-316(fp)
+        mull3   r3,-320(fp),-312(fp)
+        mull2   r0,-320(fp)
+        addl3   -308(fp),-312(fp),r0
+        bicl3   #0,r0,-308(fp)
+        cmpl    -308(fp),-312(fp)
+        bgequ   noname.121
+        addl2   #65536,-320(fp)
+noname.121:
+        movzwl  -306(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-320(fp)
+        bicl3   #-65536,-308(fp),r0
+        ashl    #16,r0,-312(fp)
+        addl3   -312(fp),-316(fp),r0
+        bicl3   #0,r0,-316(fp)
+        cmpl    -316(fp),-312(fp)
+        bgequ   noname.122
+        incl    -320(fp)
+noname.122:
+        movl    -316(fp),r1
+        movl    -320(fp),r2
+        addl2   r1,r10
+        bicl2   #0,r10
+        cmpl    r10,r1
+        bgequ   noname.123
+        incl    r2
+
+noname.123:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.124
+        incl    r8
+noname.124:
+
+        movzwl  22(r6),r2
+        bicl3   #-65536,(r7),r3
+        movzwl  2(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,20(r6),-332(fp)
+        bicl3   #-65536,r2,-336(fp)
+        mull3   r0,-332(fp),-324(fp)
+        mull2   r3,-332(fp)
+        mull3   r3,-336(fp),-328(fp)
+        mull2   r0,-336(fp)
+        addl3   -324(fp),-328(fp),r0
+        bicl3   #0,r0,-324(fp)
+        cmpl    -324(fp),-328(fp)
+        bgequ   noname.125
+        addl2   #65536,-336(fp)
+noname.125:
+        movzwl  -322(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-336(fp)
+        bicl3   #-65536,-324(fp),r0
+        ashl    #16,r0,-328(fp)
+        addl3   -328(fp),-332(fp),r0
+        bicl3   #0,r0,-332(fp)
+        cmpl    -332(fp),-328(fp)
+        bgequ   noname.126
+        incl    -336(fp)
+noname.126:
+        movl    -332(fp),r1
+        movl    -336(fp),r2
+        addl2   r1,r10
+        bicl2   #0,r10
+        cmpl    r10,r1
+        bgequ   noname.127
+        incl    r2
+noname.127:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.128
+        incl    r8
+noname.128:
+
+        movl    r10,20(r11)
+
+        clrl    r10
+
+        movzwl  26(r6),r2
+        bicl3   #-65536,(r7),r3
+        movzwl  2(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,24(r6),-348(fp)
+        bicl3   #-65536,r2,-352(fp)
+        mull3   r0,-348(fp),-340(fp)
+        mull2   r3,-348(fp)
+        mull3   r3,-352(fp),-344(fp)
+        mull2   r0,-352(fp)
+        addl3   -340(fp),-344(fp),r0
+        bicl3   #0,r0,-340(fp)
+        cmpl    -340(fp),-344(fp)
+        bgequ   noname.129
+        addl2   #65536,-352(fp)
+noname.129:
+        movzwl  -338(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-352(fp)
+        bicl3   #-65536,-340(fp),r0
+        ashl    #16,r0,-344(fp)
+        addl3   -344(fp),-348(fp),r0
+        bicl3   #0,r0,-348(fp)
+        cmpl    -348(fp),-344(fp)
+        bgequ   noname.130
+        incl    -352(fp)
+noname.130:
+        movl    -348(fp),r1
+        movl    -352(fp),r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.131
+        incl    r2
+noname.131:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.132
+        incl    r10
+noname.132:
+
+        movzwl  22(r6),r2
+        bicl3   #-65536,4(r7),r3
+        movzwl  6(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,20(r6),-364(fp)
+        bicl3   #-65536,r2,-368(fp)
+        mull3   r0,-364(fp),-356(fp)
+        mull2   r3,-364(fp)
+        mull3   r3,-368(fp),-360(fp)
+        mull2   r0,-368(fp)
+        addl3   -356(fp),-360(fp),r0
+        bicl3   #0,r0,-356(fp)
+        cmpl    -356(fp),-360(fp)
+        bgequ   noname.133
+        addl2   #65536,-368(fp)
+noname.133:
+        movzwl  -354(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-368(fp)
+        bicl3   #-65536,-356(fp),r0
+        ashl    #16,r0,-360(fp)
+        addl3   -360(fp),-364(fp),r0
+        bicl3   #0,r0,-364(fp)
+        cmpl    -364(fp),-360(fp)
+        bgequ   noname.134
+        incl    -368(fp)
+noname.134:
+        movl    -364(fp),r1
+        movl    -368(fp),r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.135
+        incl    r2
+noname.135:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.136
+        incl    r10
+noname.136:
+
+        movzwl  18(r6),r2
+        bicl3   #-65536,8(r7),r3
+        movzwl  10(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,16(r6),-380(fp)
+        bicl3   #-65536,r2,-384(fp)
+        mull3   r0,-380(fp),-372(fp)
+        mull2   r3,-380(fp)
+        mull3   r3,-384(fp),-376(fp)
+        mull2   r0,-384(fp)
+        addl3   -372(fp),-376(fp),r0
+        bicl3   #0,r0,-372(fp)
+        cmpl    -372(fp),-376(fp)
+        bgequ   noname.137
+        addl2   #65536,-384(fp)
+noname.137:
+        movzwl  -370(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-384(fp)
+        bicl3   #-65536,-372(fp),r0
+        ashl    #16,r0,-376(fp)
+        addl3   -376(fp),-380(fp),r0
+        bicl3   #0,r0,-380(fp)
+        cmpl    -380(fp),-376(fp)
+        bgequ   noname.138
+        incl    -384(fp)
+noname.138:
+        movl    -380(fp),r1
+        movl    -384(fp),r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.139
+        incl    r2
+noname.139:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.140
+        incl    r10
+noname.140:
+
+        movzwl  14(r6),r2
+        bicl3   #-65536,12(r7),r3
+        movzwl  14(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,12(r6),-396(fp)
+        bicl3   #-65536,r2,-400(fp)
+        mull3   r0,-396(fp),-388(fp)
+        mull2   r3,-396(fp)
+        mull3   r3,-400(fp),-392(fp)
+        mull2   r0,-400(fp)
+        addl3   -388(fp),-392(fp),r0
+        bicl3   #0,r0,-388(fp)
+        cmpl    -388(fp),-392(fp)
+        bgequ   noname.141
+        addl2   #65536,-400(fp)
+noname.141:
+        movzwl  -386(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-400(fp)
+        bicl3   #-65536,-388(fp),r0
+        ashl    #16,r0,-392(fp)
+        addl3   -392(fp),-396(fp),r0
+        bicl3   #0,r0,-396(fp)
+        cmpl    -396(fp),-392(fp)
+        bgequ   noname.142
+        incl    -400(fp)
+noname.142:
+        movl    -396(fp),r1
+        movl    -400(fp),r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.143
+        incl    r2
+noname.143:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.144
+        incl    r10
+noname.144:
+
+        movzwl  10(r6),r2
+        bicl3   #-65536,16(r7),r3
+        movzwl  18(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,8(r6),-412(fp)
+        bicl3   #-65536,r2,-416(fp)
+        mull3   r0,-412(fp),-404(fp)
+        mull2   r3,-412(fp)
+        mull3   r3,-416(fp),-408(fp)
+        mull2   r0,-416(fp)
+        addl3   -404(fp),-408(fp),r0
+        bicl3   #0,r0,-404(fp)
+        cmpl    -404(fp),-408(fp)
+        bgequ   noname.145
+        addl2   #65536,-416(fp)
+noname.145:
+        movzwl  -402(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-416(fp)
+        bicl3   #-65536,-404(fp),r0
+        ashl    #16,r0,-408(fp)
+        addl3   -408(fp),-412(fp),r0
+        bicl3   #0,r0,-412(fp)
+        cmpl    -412(fp),-408(fp)
+        bgequ   noname.146
+        incl    -416(fp)
+noname.146:
+        movl    -412(fp),r1
+        movl    -416(fp),r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.147
+        incl    r2
+noname.147:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.148
+        incl    r10
+noname.148:
+
+        movzwl  6(r6),r2
+        bicl3   #-65536,20(r7),r3
+        movzwl  22(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,4(r6),-428(fp)
+        bicl3   #-65536,r2,-432(fp)
+        mull3   r0,-428(fp),-420(fp)
+        mull2   r3,-428(fp)
+        mull3   r3,-432(fp),-424(fp)
+        mull2   r0,-432(fp)
+        addl3   -420(fp),-424(fp),r0
+        bicl3   #0,r0,-420(fp)
+        cmpl    -420(fp),-424(fp)
+        bgequ   noname.149
+        addl2   #65536,-432(fp)
+noname.149:
+        movzwl  -418(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-432(fp)
+        bicl3   #-65536,-420(fp),r0
+        ashl    #16,r0,-424(fp)
+        addl3   -424(fp),-428(fp),r0
+        bicl3   #0,r0,-428(fp)
+        cmpl    -428(fp),-424(fp)
+        bgequ   noname.150
+        incl    -432(fp)
+noname.150:
+        movl    -428(fp),r1
+        movl    -432(fp),r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.151
+        incl    r2
+noname.151:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.152
+        incl    r10
+noname.152:
+
+        movzwl  2(r6),r2
+        bicl3   #-65536,24(r7),r3
+        movzwl  26(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,(r6),-444(fp)
+        bicl3   #-65536,r2,-448(fp)
+        mull3   r0,-444(fp),-436(fp)
+        mull2   r3,-444(fp)
+        mull3   r3,-448(fp),-440(fp)
+        mull2   r0,-448(fp)
+        addl3   -436(fp),-440(fp),r0
+        bicl3   #0,r0,-436(fp)
+        cmpl    -436(fp),-440(fp)
+        bgequ   noname.153
+        addl2   #65536,-448(fp)
+noname.153:
+        movzwl  -434(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-448(fp)
+        bicl3   #-65536,-436(fp),r0
+        ashl    #16,r0,-440(fp)
+        addl3   -440(fp),-444(fp),r0
+        bicl3   #0,r0,-444(fp)
+        cmpl    -444(fp),-440(fp)
+        bgequ   noname.154
+        incl    -448(fp)
+noname.154:
+        movl    -444(fp),r1
+        movl    -448(fp),r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.155
+        incl    r2
+noname.155:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.156
+        incl    r10
+noname.156:
+
+        movl    r9,24(r11)
+
+        clrl    r9
+
+        movzwl  2(r6),r2
+        bicl3   #-65536,28(r7),r3
+        movzwl  30(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,(r6),-460(fp)
+        bicl3   #-65536,r2,-464(fp)
+        mull3   r0,-460(fp),-452(fp)
+        mull2   r3,-460(fp)
+        mull3   r3,-464(fp),-456(fp)
+        mull2   r0,-464(fp)
+        addl3   -452(fp),-456(fp),r0
+        bicl3   #0,r0,-452(fp)
+        cmpl    -452(fp),-456(fp)
+        bgequ   noname.157
+        addl2   #65536,-464(fp)
+noname.157:
+        movzwl  -450(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-464(fp)
+        bicl3   #-65536,-452(fp),r0
+        ashl    #16,r0,-456(fp)
+        addl3   -456(fp),-460(fp),r0
+        bicl3   #0,r0,-460(fp)
+        cmpl    -460(fp),-456(fp)
+        bgequ   noname.158
+        incl    -464(fp)
+noname.158:
+        movl    -460(fp),r1
+        movl    -464(fp),r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.159
+        incl    r2
+noname.159:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.160
+        incl    r9
+noname.160:
+
+        movzwl  6(r6),r2
+        bicl3   #-65536,24(r7),r3
+        movzwl  26(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,4(r6),-476(fp)
+        bicl3   #-65536,r2,-480(fp)
+        mull3   r0,-476(fp),-468(fp)
+        mull2   r3,-476(fp)
+        mull3   r3,-480(fp),-472(fp)
+        mull2   r0,-480(fp)
+        addl3   -468(fp),-472(fp),r0
+        bicl3   #0,r0,-468(fp)
+        cmpl    -468(fp),-472(fp)
+        bgequ   noname.161
+        addl2   #65536,-480(fp)
+noname.161:
+        movzwl  -466(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-480(fp)
+        bicl3   #-65536,-468(fp),r0
+        ashl    #16,r0,-472(fp)
+        addl3   -472(fp),-476(fp),r0
+        bicl3   #0,r0,-476(fp)
+        cmpl    -476(fp),-472(fp)
+        bgequ   noname.162
+        incl    -480(fp)
+noname.162:
+        movl    -476(fp),r1
+        movl    -480(fp),r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.163
+        incl    r2
+noname.163:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.164
+        incl    r9
+noname.164:
+
+        movzwl  10(r6),r2
+        bicl3   #-65536,20(r7),r3
+        movzwl  22(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,8(r6),-492(fp)
+        bicl3   #-65536,r2,-496(fp)
+        mull3   r0,-492(fp),-484(fp)
+        mull2   r3,-492(fp)
+        mull3   r3,-496(fp),-488(fp)
+        mull2   r0,-496(fp)
+        addl3   -484(fp),-488(fp),r0
+        bicl3   #0,r0,-484(fp)
+        cmpl    -484(fp),-488(fp)
+        bgequ   noname.165
+        addl2   #65536,-496(fp)
+noname.165:
+        movzwl  -482(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-496(fp)
+        bicl3   #-65536,-484(fp),r0
+        ashl    #16,r0,-488(fp)
+        addl3   -488(fp),-492(fp),r0
+        bicl3   #0,r0,-492(fp)
+        cmpl    -492(fp),-488(fp)
+        bgequ   noname.166
+        incl    -496(fp)
+noname.166:
+        movl    -492(fp),r1
+        movl    -496(fp),r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.167
+        incl    r2
+noname.167:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.168
+        incl    r9
+noname.168:
+
+        movzwl  14(r6),r2
+        bicl3   #-65536,16(r7),r3
+        movzwl  18(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,12(r6),-508(fp)
+        bicl3   #-65536,r2,-512(fp)
+        mull3   r0,-508(fp),-500(fp)
+        mull2   r3,-508(fp)
+        mull3   r3,-512(fp),-504(fp)
+        mull2   r0,-512(fp)
+        addl3   -500(fp),-504(fp),r0
+        bicl3   #0,r0,-500(fp)
+        cmpl    -500(fp),-504(fp)
+        bgequ   noname.169
+        addl2   #65536,-512(fp)
+noname.169:
+        movzwl  -498(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-512(fp)
+        bicl3   #-65536,-500(fp),r0
+        ashl    #16,r0,-504(fp)
+        addl3   -504(fp),-508(fp),r0
+        bicl3   #0,r0,-508(fp)
+        cmpl    -508(fp),-504(fp)
+        bgequ   noname.170
+        incl    -512(fp)
+noname.170:
+        movl    -508(fp),r1
+        movl    -512(fp),r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.171
+        incl    r2
+noname.171:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.172
+        incl    r9
+noname.172:
+
+        movzwl  18(r6),r2
+        bicl3   #-65536,12(r7),r3
+        movzwl  14(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,16(r6),-524(fp)
+        bicl3   #-65536,r2,-528(fp)
+        mull3   r0,-524(fp),-516(fp)
+        mull2   r3,-524(fp)
+        mull3   r3,-528(fp),-520(fp)
+        mull2   r0,-528(fp)
+        addl3   -516(fp),-520(fp),r0
+        bicl3   #0,r0,-516(fp)
+        cmpl    -516(fp),-520(fp)
+        bgequ   noname.173
+        addl2   #65536,-528(fp)
+noname.173:
+        movzwl  -514(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-528(fp)
+        bicl3   #-65536,-516(fp),r0
+        ashl    #16,r0,-520(fp)
+        addl3   -520(fp),-524(fp),r0
+        bicl3   #0,r0,-524(fp)
+        cmpl    -524(fp),-520(fp)
+        bgequ   noname.174
+        incl    -528(fp)
+noname.174:
+        movl    -524(fp),r1
+        movl    -528(fp),r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.175
+        incl    r2
+noname.175:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.176
+        incl    r9
+noname.176:
+
+        movzwl  22(r6),r2
+        bicl3   #-65536,8(r7),r3
+        movzwl  10(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,20(r6),-540(fp)
+        bicl3   #-65536,r2,-544(fp)
+        mull3   r0,-540(fp),-532(fp)
+        mull2   r3,-540(fp)
+        mull3   r3,-544(fp),-536(fp)
+        mull2   r0,-544(fp)
+        addl3   -532(fp),-536(fp),r0
+        bicl3   #0,r0,-532(fp)
+        cmpl    -532(fp),-536(fp)
+        bgequ   noname.177
+        addl2   #65536,-544(fp)
+noname.177:
+        movzwl  -530(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-544(fp)
+        bicl3   #-65536,-532(fp),r0
+        ashl    #16,r0,-536(fp)
+        addl3   -536(fp),-540(fp),r0
+        bicl3   #0,r0,-540(fp)
+        cmpl    -540(fp),-536(fp)
+        bgequ   noname.178
+        incl    -544(fp)
+noname.178:
+        movl    -540(fp),r1
+        movl    -544(fp),r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.179
+        incl    r2
+noname.179:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.180
+        incl    r9
+noname.180:
+
+        movzwl  26(r6),r2
+        bicl3   #-65536,4(r7),r3
+        movzwl  6(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,24(r6),-556(fp)
+        bicl3   #-65536,r2,-560(fp)
+        mull3   r0,-556(fp),-548(fp)
+        mull2   r3,-556(fp)
+        mull3   r3,-560(fp),-552(fp)
+        mull2   r0,-560(fp)
+        addl3   -548(fp),-552(fp),r0
+        bicl3   #0,r0,-548(fp)
+        cmpl    -548(fp),-552(fp)
+        bgequ   noname.181
+        addl2   #65536,-560(fp)
+noname.181:
+        movzwl  -546(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-560(fp)
+        bicl3   #-65536,-548(fp),r0
+        ashl    #16,r0,-552(fp)
+        addl3   -552(fp),-556(fp),r0
+        bicl3   #0,r0,-556(fp)
+        cmpl    -556(fp),-552(fp)
+        bgequ   noname.182
+        incl    -560(fp)
+noname.182:
+        movl    -556(fp),r1
+        movl    -560(fp),r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.183
+        incl    r2
+noname.183:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.184
+        incl    r9
+noname.184:
+
+        movzwl  30(r6),r2
+        bicl3   #-65536,(r7),r3
+        movzwl  2(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,28(r6),-572(fp)
+        bicl3   #-65536,r2,-576(fp)
+        mull3   r0,-572(fp),-564(fp)
+        mull2   r3,-572(fp)
+        mull3   r3,-576(fp),-568(fp)
+        mull2   r0,-576(fp)
+        addl3   -564(fp),-568(fp),r0
+        bicl3   #0,r0,-564(fp)
+        cmpl    -564(fp),-568(fp)
+        bgequ   noname.185
+        addl2   #65536,-576(fp)
+noname.185:
+        movzwl  -562(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-576(fp)
+        bicl3   #-65536,-564(fp),r0
+        ashl    #16,r0,-568(fp)
+        addl3   -568(fp),-572(fp),r0
+        bicl3   #0,r0,-572(fp)
+        cmpl    -572(fp),-568(fp)
+        bgequ   noname.186
+        incl    -576(fp)
+noname.186:
+        movl    -572(fp),r1
+        movl    -576(fp),r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.187
+        incl    r2
+noname.187:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.188
+        incl    r9
+noname.188:
+
+        movl    r8,28(r11)
+
+        clrl    r8
+
+        movzwl  30(r6),r2
+        bicl3   #-65536,4(r7),r3
+        movzwl  6(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,28(r6),-588(fp)
+        bicl3   #-65536,r2,-592(fp)
+        mull3   r0,-588(fp),-580(fp)
+        mull2   r3,-588(fp)
+        mull3   r3,-592(fp),-584(fp)
+        mull2   r0,-592(fp)
+        addl3   -580(fp),-584(fp),r0
+        bicl3   #0,r0,-580(fp)
+        cmpl    -580(fp),-584(fp)
+        bgequ   noname.189
+        addl2   #65536,-592(fp)
+noname.189:
+        movzwl  -578(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-592(fp)
+        bicl3   #-65536,-580(fp),r0
+        ashl    #16,r0,-584(fp)
+        addl3   -584(fp),-588(fp),r0
+        bicl3   #0,r0,-588(fp)
+        cmpl    -588(fp),-584(fp)
+        bgequ   noname.190
+        incl    -592(fp)
+noname.190:
+        movl    -588(fp),r1
+        movl    -592(fp),r2
+        addl2   r1,r10
+        bicl2   #0,r10
+        cmpl    r10,r1
+        bgequ   noname.191
+        incl    r2
+noname.191:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.192
+        incl    r8
+noname.192:
+
+        movzwl  26(r6),r2
+        bicl3   #-65536,8(r7),r3
+        movzwl  10(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,24(r6),-604(fp)
+        bicl3   #-65536,r2,-608(fp)
+        mull3   r0,-604(fp),-596(fp)
+        mull2   r3,-604(fp)
+        mull3   r3,-608(fp),-600(fp)
+        mull2   r0,-608(fp)
+        addl3   -596(fp),-600(fp),r0
+        bicl3   #0,r0,-596(fp)
+        cmpl    -596(fp),-600(fp)
+        bgequ   noname.193
+        addl2   #65536,-608(fp)
+noname.193:
+        movzwl  -594(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-608(fp)
+        bicl3   #-65536,-596(fp),r0
+        ashl    #16,r0,-600(fp)
+        addl3   -600(fp),-604(fp),r0
+        bicl3   #0,r0,-604(fp)
+        cmpl    -604(fp),-600(fp)
+        bgequ   noname.194
+        incl    -608(fp)
+noname.194:
+        movl    -604(fp),r1
+        movl    -608(fp),r2
+        addl2   r1,r10
+        bicl2   #0,r10
+        cmpl    r10,r1
+        bgequ   noname.195
+        incl    r2
+noname.195:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.196
+        incl    r8
+noname.196:
+
+        movzwl  22(r6),r2
+        bicl3   #-65536,12(r7),r3
+        movzwl  14(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,20(r6),-620(fp)
+        bicl3   #-65536,r2,-624(fp)
+        mull3   r0,-620(fp),-612(fp)
+        mull2   r3,-620(fp)
+        mull3   r3,-624(fp),-616(fp)
+        mull2   r0,-624(fp)
+        addl3   -612(fp),-616(fp),r0
+        bicl3   #0,r0,-612(fp)
+        cmpl    -612(fp),-616(fp)
+        bgequ   noname.197
+        addl2   #65536,-624(fp)
+noname.197:
+        movzwl  -610(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-624(fp)
+        bicl3   #-65536,-612(fp),r0
+        ashl    #16,r0,-616(fp)
+        addl3   -616(fp),-620(fp),r0
+        bicl3   #0,r0,-620(fp)
+        cmpl    -620(fp),-616(fp)
+        bgequ   noname.198
+        incl    -624(fp)
+noname.198:
+        movl    -620(fp),r1
+        movl    -624(fp),r2
+        addl2   r1,r10
+        bicl2   #0,r10
+        cmpl    r10,r1
+        bgequ   noname.199
+        incl    r2
+noname.199:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.200
+        incl    r8
+noname.200:
+
+        movzwl  18(r6),r2
+        bicl3   #-65536,16(r7),r3
+        movzwl  18(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,16(r6),-636(fp)
+        bicl3   #-65536,r2,-640(fp)
+        mull3   r0,-636(fp),-628(fp)
+        mull2   r3,-636(fp)
+        mull3   r3,-640(fp),-632(fp)
+        mull2   r0,-640(fp)
+        addl3   -628(fp),-632(fp),r0
+        bicl3   #0,r0,-628(fp)
+        cmpl    -628(fp),-632(fp)
+        bgequ   noname.201
+        addl2   #65536,-640(fp)
+noname.201:
+        movzwl  -626(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-640(fp)
+        bicl3   #-65536,-628(fp),r0
+        ashl    #16,r0,-632(fp)
+        addl3   -632(fp),-636(fp),r0
+        bicl3   #0,r0,-636(fp)
+        cmpl    -636(fp),-632(fp)
+        bgequ   noname.202
+        incl    -640(fp)
+noname.202:
+        movl    -636(fp),r1
+        movl    -640(fp),r2
+        addl2   r1,r10
+        bicl2   #0,r10
+        cmpl    r10,r1
+        bgequ   noname.203
+        incl    r2
+noname.203:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.204
+        incl    r8
+noname.204:
+
+        movzwl  14(r6),r2
+        bicl3   #-65536,20(r7),r3
+        movzwl  22(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,12(r6),-652(fp)
+        bicl3   #-65536,r2,-656(fp)
+        mull3   r0,-652(fp),-644(fp)
+        mull2   r3,-652(fp)
+        mull3   r3,-656(fp),-648(fp)
+        mull2   r0,-656(fp)
+        addl3   -644(fp),-648(fp),r0
+        bicl3   #0,r0,-644(fp)
+        cmpl    -644(fp),-648(fp)
+        bgequ   noname.205
+        addl2   #65536,-656(fp)
+noname.205:
+        movzwl  -642(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-656(fp)
+        bicl3   #-65536,-644(fp),r0
+        ashl    #16,r0,-648(fp)
+        addl3   -648(fp),-652(fp),r0
+        bicl3   #0,r0,-652(fp)
+        cmpl    -652(fp),-648(fp)
+        bgequ   noname.206
+        incl    -656(fp)
+noname.206:
+        movl    -652(fp),r1
+        movl    -656(fp),r2
+        addl2   r1,r10
+        bicl2   #0,r10
+        cmpl    r10,r1
+        bgequ   noname.207
+        incl    r2
+noname.207:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.208
+        incl    r8
+noname.208:
+
+        movzwl  10(r6),r2
+        bicl3   #-65536,24(r7),r3
+        movzwl  26(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,8(r6),-668(fp)
+        bicl3   #-65536,r2,-672(fp)
+        mull3   r0,-668(fp),-660(fp)
+        mull2   r3,-668(fp)
+        mull3   r3,-672(fp),-664(fp)
+        mull2   r0,-672(fp)
+        addl3   -660(fp),-664(fp),r0
+        bicl3   #0,r0,-660(fp)
+        cmpl    -660(fp),-664(fp)
+        bgequ   noname.209
+        addl2   #65536,-672(fp)
+noname.209:
+        movzwl  -658(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-672(fp)
+        bicl3   #-65536,-660(fp),r0
+        ashl    #16,r0,-664(fp)
+        addl3   -664(fp),-668(fp),r0
+        bicl3   #0,r0,-668(fp)
+        cmpl    -668(fp),-664(fp)
+        bgequ   noname.210
+        incl    -672(fp)
+noname.210:
+        movl    -668(fp),r1
+        movl    -672(fp),r2
+        addl2   r1,r10
+        bicl2   #0,r10
+        cmpl    r10,r1
+        bgequ   noname.211
+        incl    r2
+noname.211:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.212
+        incl    r8
+noname.212:
+
+        movzwl  6(r6),r2
+        bicl3   #-65536,28(r7),r3
+        movzwl  30(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,4(r6),-684(fp)
+        bicl3   #-65536,r2,-688(fp)
+        mull3   r0,-684(fp),-676(fp)
+        mull2   r3,-684(fp)
+        mull3   r3,-688(fp),-680(fp)
+        mull2   r0,-688(fp)
+        addl3   -676(fp),-680(fp),r0
+        bicl3   #0,r0,-676(fp)
+        cmpl    -676(fp),-680(fp)
+        bgequ   noname.213
+        addl2   #65536,-688(fp)
+noname.213:
+        movzwl  -674(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-688(fp)
+        bicl3   #-65536,-676(fp),r0
+        ashl    #16,r0,-680(fp)
+        addl3   -680(fp),-684(fp),r0
+        bicl3   #0,r0,-684(fp)
+        cmpl    -684(fp),-680(fp)
+        bgequ   noname.214
+        incl    -688(fp)
+noname.214:
+        movl    -684(fp),r1
+        movl    -688(fp),r2
+        addl2   r1,r10
+        bicl2   #0,r10
+        cmpl    r10,r1
+        bgequ   noname.215
+        incl    r2
+noname.215:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.216
+        incl    r8
+noname.216:
+
+        movl    r10,32(r11)
+
+        clrl    r10
+
+        movzwl  10(r6),r2
+        bicl3   #-65536,28(r7),r3
+        movzwl  30(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,8(r6),-700(fp)
+        bicl3   #-65536,r2,-704(fp)
+        mull3   r0,-700(fp),-692(fp)
+        mull2   r3,-700(fp)
+        mull3   r3,-704(fp),-696(fp)
+        mull2   r0,-704(fp)
+        addl3   -692(fp),-696(fp),r0
+        bicl3   #0,r0,-692(fp)
+        cmpl    -692(fp),-696(fp)
+        bgequ   noname.217
+        addl2   #65536,-704(fp)
+noname.217:
+        movzwl  -690(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-704(fp)
+        bicl3   #-65536,-692(fp),r0
+        ashl    #16,r0,-696(fp)
+        addl3   -696(fp),-700(fp),r0
+        bicl3   #0,r0,-700(fp)
+        cmpl    -700(fp),-696(fp)
+        bgequ   noname.218
+        incl    -704(fp)
+noname.218:
+        movl    -700(fp),r1
+        movl    -704(fp),r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.219
+        incl    r2
+noname.219:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.220
+        incl    r10
+noname.220:
+
+        movzwl  14(r6),r2
+        bicl3   #-65536,24(r7),r3
+        movzwl  26(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,12(r6),-716(fp)
+        bicl3   #-65536,r2,-720(fp)
+        mull3   r0,-716(fp),-708(fp)
+        mull2   r3,-716(fp)
+        mull3   r3,-720(fp),-712(fp)
+        mull2   r0,-720(fp)
+        addl3   -708(fp),-712(fp),r0
+        bicl3   #0,r0,-708(fp)
+        cmpl    -708(fp),-712(fp)
+        bgequ   noname.221
+        addl2   #65536,-720(fp)
+noname.221:
+        movzwl  -706(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-720(fp)
+        bicl3   #-65536,-708(fp),r0
+        ashl    #16,r0,-712(fp)
+        addl3   -712(fp),-716(fp),r0
+        bicl3   #0,r0,-716(fp)
+        cmpl    -716(fp),-712(fp)
+        bgequ   noname.222
+        incl    -720(fp)
+noname.222:
+        movl    -716(fp),r1
+        movl    -720(fp),r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.223
+        incl    r2
+noname.223:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.224
+        incl    r10
+noname.224:
+
+        movzwl  18(r6),r2
+        bicl3   #-65536,20(r7),r3
+        movzwl  22(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,16(r6),-732(fp)
+        bicl3   #-65536,r2,-736(fp)
+        mull3   r0,-732(fp),-724(fp)
+        mull2   r3,-732(fp)
+        mull3   r3,-736(fp),-728(fp)
+        mull2   r0,-736(fp)
+        addl3   -724(fp),-728(fp),r0
+        bicl3   #0,r0,-724(fp)
+        cmpl    -724(fp),-728(fp)
+        bgequ   noname.225
+        addl2   #65536,-736(fp)
+noname.225:
+        movzwl  -722(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-736(fp)
+        bicl3   #-65536,-724(fp),r0
+        ashl    #16,r0,-728(fp)
+        addl3   -728(fp),-732(fp),r0
+        bicl3   #0,r0,-732(fp)
+        cmpl    -732(fp),-728(fp)
+        bgequ   noname.226
+        incl    -736(fp)
+noname.226:
+        movl    -732(fp),r1
+        movl    -736(fp),r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.227
+        incl    r2
+noname.227:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.228
+        incl    r10
+noname.228:
+
+        movzwl  22(r6),r2
+        bicl3   #-65536,16(r7),r3
+        movzwl  18(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,20(r6),-748(fp)
+        bicl3   #-65536,r2,-752(fp)
+        mull3   r0,-748(fp),-740(fp)
+        mull2   r3,-748(fp)
+        mull3   r3,-752(fp),-744(fp)
+        mull2   r0,-752(fp)
+        addl3   -740(fp),-744(fp),r0
+        bicl3   #0,r0,-740(fp)
+        cmpl    -740(fp),-744(fp)
+        bgequ   noname.229
+        addl2   #65536,-752(fp)
+noname.229:
+        movzwl  -738(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-752(fp)
+        bicl3   #-65536,-740(fp),r0
+        ashl    #16,r0,-744(fp)
+        addl3   -744(fp),-748(fp),r0
+        bicl3   #0,r0,-748(fp)
+        cmpl    -748(fp),-744(fp)
+        bgequ   noname.230
+        incl    -752(fp)
+noname.230:
+        movl    -748(fp),r1
+        movl    -752(fp),r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.231
+        incl    r2
+noname.231:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.232
+        incl    r10
+noname.232:
+
+        movzwl  26(r6),r2
+        bicl3   #-65536,12(r7),r3
+        movzwl  14(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,24(r6),-764(fp)
+        bicl3   #-65536,r2,-768(fp)
+        mull3   r0,-764(fp),-756(fp)
+        mull2   r3,-764(fp)
+        mull3   r3,-768(fp),-760(fp)
+        mull2   r0,-768(fp)
+        addl3   -756(fp),-760(fp),r0
+        bicl3   #0,r0,-756(fp)
+        cmpl    -756(fp),-760(fp)
+        bgequ   noname.233
+        addl2   #65536,-768(fp)
+noname.233:
+        movzwl  -754(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-768(fp)
+        bicl3   #-65536,-756(fp),r0
+        ashl    #16,r0,-760(fp)
+        addl3   -760(fp),-764(fp),r0
+        bicl3   #0,r0,-764(fp)
+        cmpl    -764(fp),-760(fp)
+        bgequ   noname.234
+        incl    -768(fp)
+noname.234:
+        movl    -764(fp),r1
+        movl    -768(fp),r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.235
+        incl    r2
+noname.235:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.236
+        incl    r10
+noname.236:
+
+        bicl3   #-65536,28(r6),r3
+        movzwl  30(r6),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,8(r7),r2
+        movzwl  10(r7),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-772(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-776(fp)
+        mull2   r0,r4
+        addl3   -772(fp),-776(fp),r0
+        bicl3   #0,r0,-772(fp)
+        cmpl    -772(fp),-776(fp)
+        bgequ   noname.237
+        addl2   #65536,r4
+noname.237:
+        movzwl  -770(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-772(fp),r0
+        ashl    #16,r0,-776(fp)
+        addl2   -776(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-776(fp)
+        bgequ   noname.238
+        incl    r4
+noname.238:
+        movl    r5,r1
+        movl    r4,r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.239
+        incl    r2
+noname.239:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.240
+        incl    r10
+noname.240:
+
+        movl    r9,36(r11)
+
+        clrl    r9
+
+        bicl3   #-65536,28(r6),r3
+        movzwl  30(r6),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,12(r7),r2
+        movzwl  14(r7),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-780(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-784(fp)
+        mull2   r0,r4
+        addl3   -780(fp),-784(fp),r0
+        bicl3   #0,r0,-780(fp)
+        cmpl    -780(fp),-784(fp)
+        bgequ   noname.241
+        addl2   #65536,r4
+noname.241:
+        movzwl  -778(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-780(fp),r0
+        ashl    #16,r0,-784(fp)
+        addl2   -784(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-784(fp)
+        bgequ   noname.242
+        incl    r4
+noname.242:
+        movl    r5,r1
+        movl    r4,r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.243
+        incl    r2
+noname.243:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.244
+        incl    r9
+noname.244:
+
+        bicl3   #-65536,24(r6),r3
+        movzwl  26(r6),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,16(r7),r2
+        movzwl  18(r7),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-788(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-792(fp)
+        mull2   r0,r4
+        addl3   -788(fp),-792(fp),r0
+        bicl3   #0,r0,-788(fp)
+        cmpl    -788(fp),-792(fp)
+        bgequ   noname.245
+        addl2   #65536,r4
+noname.245:
+        movzwl  -786(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-788(fp),r0
+        ashl    #16,r0,-792(fp)
+        addl2   -792(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-792(fp)
+        bgequ   noname.246
+        incl    r4
+noname.246:
+        movl    r5,r1
+        movl    r4,r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.247
+        incl    r2
+noname.247:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.248
+        incl    r9
+noname.248:
+
+        bicl3   #-65536,20(r6),r3
+        movzwl  22(r6),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,20(r7),r2
+        movzwl  22(r7),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-796(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-800(fp)
+        mull2   r0,r4
+        addl3   -796(fp),-800(fp),r0
+        bicl3   #0,r0,-796(fp)
+        cmpl    -796(fp),-800(fp)
+        bgequ   noname.249
+        addl2   #65536,r4
+noname.249:
+        movzwl  -794(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-796(fp),r0
+        ashl    #16,r0,-800(fp)
+        addl2   -800(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-800(fp)
+        bgequ   noname.250
+        incl    r4
+noname.250:
+        movl    r5,r1
+        movl    r4,r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.251
+        incl    r2
+noname.251:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.252
+        incl    r9
+noname.252:
+
+        bicl3   #-65536,16(r6),r3
+        movzwl  18(r6),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,24(r7),r2
+        movzwl  26(r7),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-804(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-808(fp)
+        mull2   r0,r4
+        addl3   -804(fp),-808(fp),r0
+        bicl3   #0,r0,-804(fp)
+        cmpl    -804(fp),-808(fp)
+        bgequ   noname.253
+        addl2   #65536,r4
+noname.253:
+        movzwl  -802(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-804(fp),r0
+        ashl    #16,r0,-808(fp)
+        addl2   -808(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-808(fp)
+        bgequ   noname.254
+        incl    r4
+noname.254:
+        movl    r5,r1
+        movl    r4,r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.255
+        incl    r2
+noname.255:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.256
+        incl    r9
+noname.256:
+
+        bicl3   #-65536,12(r6),r3
+        movzwl  14(r6),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,28(r7),r2
+        movzwl  30(r7),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-812(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-816(fp)
+        mull2   r0,r4
+        addl3   -812(fp),-816(fp),r0
+        bicl3   #0,r0,-812(fp)
+        cmpl    -812(fp),-816(fp)
+        bgequ   noname.257
+        addl2   #65536,r4
+noname.257:
+        movzwl  -810(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-812(fp),r0
+        ashl    #16,r0,-816(fp)
+        addl2   -816(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-816(fp)
+        bgequ   noname.258
+        incl    r4
+noname.258:
+        movl    r5,r1
+        movl    r4,r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.259
+        incl    r2
+noname.259:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.260
+        incl    r9
+noname.260:
+
+        movl    r8,40(r11)
+
+        clrl    r8
+
+        bicl3   #-65536,16(r6),r3
+        movzwl  18(r6),r2
+        bicl3   #-65536,28(r7),r1
+        movzwl  30(r7),r0
+        bicl2   #-65536,r0
+        movl    r3,r4
+        bicl3   #-65536,r2,-828(fp)
+        mull3   r0,r4,-820(fp)
+        mull2   r1,r4
+        mull3   r1,-828(fp),-824(fp)
+        mull2   r0,-828(fp)
+        addl3   -820(fp),-824(fp),r0
+        bicl3   #0,r0,-820(fp)
+        cmpl    -820(fp),-824(fp)
+        bgequ   noname.261
+        addl2   #65536,-828(fp)
+noname.261:
+        movzwl  -818(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-828(fp)
+        bicl3   #-65536,-820(fp),r0
+        ashl    #16,r0,-824(fp)
+        addl2   -824(fp),r4
+        bicl2   #0,r4
+        cmpl    r4,-824(fp)
+        bgequ   noname.262
+        incl    -828(fp)
+noname.262:
+        movl    r4,r1
+        movl    -828(fp),r2
+        addl2   r1,r10
+        bicl2   #0,r10
+        cmpl    r10,r1
+        bgequ   noname.263
+        incl    r2
+noname.263:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.264
+        incl    r8
+noname.264:
+
+        movzwl  22(r6),r2
+        bicl3   #-65536,24(r7),r3
+        movzwl  26(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,20(r6),-840(fp)
+        bicl3   #-65536,r2,-844(fp)
+        mull3   r0,-840(fp),-832(fp)
+        mull2   r3,-840(fp)
+        mull3   r3,-844(fp),-836(fp)
+        mull2   r0,-844(fp)
+        addl3   -832(fp),-836(fp),r0
+        bicl3   #0,r0,-832(fp)
+        cmpl    -832(fp),-836(fp)
+        bgequ   noname.265
+        addl2   #65536,-844(fp)
+noname.265:
+        movzwl  -830(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-844(fp)
+        bicl3   #-65536,-832(fp),r0
+        ashl    #16,r0,-836(fp)
+        addl3   -836(fp),-840(fp),r0
+        bicl3   #0,r0,-840(fp)
+        cmpl    -840(fp),-836(fp)
+        bgequ   noname.266
+        incl    -844(fp)
+noname.266:
+        movl    -840(fp),r1
+        movl    -844(fp),r2
+        addl2   r1,r10
+        bicl2   #0,r10
+        cmpl    r10,r1
+        bgequ   noname.267
+        incl    r2
+noname.267:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.268
+        incl    r8
+noname.268:
+
+        bicl3   #-65536,24(r6),r3
+        movzwl  26(r6),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,20(r7),r2
+        movzwl  22(r7),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-848(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-852(fp)
+        mull2   r0,r4
+        addl3   -848(fp),-852(fp),r0
+        bicl3   #0,r0,-848(fp)
+        cmpl    -848(fp),-852(fp)
+        bgequ   noname.269
+        addl2   #65536,r4
+noname.269:
+        movzwl  -846(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-848(fp),r0
+        ashl    #16,r0,-852(fp)
+        addl2   -852(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-852(fp)
+        bgequ   noname.270
+        incl    r4
+noname.270:
+        movl    r5,r1
+        movl    r4,r2
+        addl2   r1,r10
+        bicl2   #0,r10
+        cmpl    r10,r1
+        bgequ   noname.271
+        incl    r2
+noname.271:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.272
+        incl    r8
+noname.272:
+
+        bicl3   #-65536,28(r6),r3
+        movzwl  30(r6),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,16(r7),r2
+        movzwl  18(r7),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-856(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-860(fp)
+        mull2   r0,r4
+        addl3   -856(fp),-860(fp),r0
+        bicl3   #0,r0,-856(fp)
+        cmpl    -856(fp),-860(fp)
+        bgequ   noname.273
+        addl2   #65536,r4
+noname.273:
+        movzwl  -854(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-856(fp),r0
+        ashl    #16,r0,-860(fp)
+        addl2   -860(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-860(fp)
+        bgequ   noname.274
+        incl    r4
+noname.274:
+        movl    r5,r1
+        movl    r4,r2
+        addl2   r1,r10
+        bicl2   #0,r10
+        cmpl    r10,r1
+        bgequ   noname.275
+        incl    r2
+noname.275:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.276
+        incl    r8
+noname.276:
+
+        movl    r10,44(r11)
+
+        clrl    r10
+
+        bicl3   #-65536,28(r6),r3
+        movzwl  30(r6),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,20(r7),r2
+        movzwl  22(r7),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-864(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-868(fp)
+        mull2   r0,r4
+        addl3   -864(fp),-868(fp),r0
+        bicl3   #0,r0,-864(fp)
+        cmpl    -864(fp),-868(fp)
+        bgequ   noname.277
+        addl2   #65536,r4
+noname.277:
+        movzwl  -862(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-864(fp),r0
+        ashl    #16,r0,-868(fp)
+        addl2   -868(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-868(fp)
+        bgequ   noname.278
+        incl    r4
+noname.278:
+        movl    r5,r1
+        movl    r4,r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.279
+        incl    r2
+noname.279:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.280
+        incl    r10
+noname.280:
+
+        bicl3   #-65536,24(r6),r3
+        movzwl  26(r6),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,24(r7),r2
+        movzwl  26(r7),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-872(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-876(fp)
+        mull2   r0,r4
+        addl3   -872(fp),-876(fp),r0
+        bicl3   #0,r0,-872(fp)
+        cmpl    -872(fp),-876(fp)
+        bgequ   noname.281
+        addl2   #65536,r4
+noname.281:
+        movzwl  -870(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-872(fp),r0
+        ashl    #16,r0,-876(fp)
+        addl2   -876(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-876(fp)
+        bgequ   noname.282
+        incl    r4
+noname.282:
+        movl    r5,r1
+        movl    r4,r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.283
+        incl    r2
+noname.283:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.284
+        incl    r10
+noname.284:
+
+        bicl3   #-65536,20(r6),r3
+        movzwl  22(r6),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,28(r7),r2
+        movzwl  30(r7),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-880(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-884(fp)
+        mull2   r0,r4
+        addl3   -880(fp),-884(fp),r0
+        bicl3   #0,r0,-880(fp)
+        cmpl    -880(fp),-884(fp)
+        bgequ   noname.285
+        addl2   #65536,r4
+noname.285:
+        movzwl  -878(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-880(fp),r0
+        ashl    #16,r0,-884(fp)
+        addl2   -884(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-884(fp)
+        bgequ   noname.286
+        incl    r4
+noname.286:
+        movl    r5,r1
+        movl    r4,r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.287
+        incl    r2
+noname.287:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.288
+        incl    r10
+noname.288:
+
+        movl    r9,48(r11)
+
+        clrl    r9
+
+        bicl3   #-65536,24(r6),r3
+        movzwl  26(r6),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,28(r7),r2
+        movzwl  30(r7),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-888(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-892(fp)
+        mull2   r0,r4
+        addl3   -888(fp),-892(fp),r0
+        bicl3   #0,r0,-888(fp)
+        cmpl    -888(fp),-892(fp)
+        bgequ   noname.289
+        addl2   #65536,r4
+noname.289:
+        movzwl  -886(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-888(fp),r0
+        ashl    #16,r0,-892(fp)
+        addl2   -892(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-892(fp)
+        bgequ   noname.290
+        incl    r4
+noname.290:
+        movl    r5,r1
+        movl    r4,r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.291
+        incl    r2
+noname.291:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.292
+        incl    r9
+noname.292:
+
+        movzwl  30(r6),r2
+        bicl3   #-65536,24(r7),r3
+        movzwl  26(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,28(r6),-904(fp)
+        bicl3   #-65536,r2,-908(fp)
+        mull3   r0,-904(fp),-896(fp)
+        mull2   r3,-904(fp)
+        mull3   r3,-908(fp),-900(fp)
+        mull2   r0,-908(fp)
+        addl3   -896(fp),-900(fp),r0
+        bicl3   #0,r0,-896(fp)
+        cmpl    -896(fp),-900(fp)
+        bgequ   noname.293
+        addl2   #65536,-908(fp)
+noname.293:
+        movzwl  -894(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-908(fp)
+        bicl3   #-65536,-896(fp),r0
+        ashl    #16,r0,-900(fp)
+        addl3   -900(fp),-904(fp),r0
+        bicl3   #0,r0,-904(fp)
+        cmpl    -904(fp),-900(fp)
+        bgequ   noname.294
+        incl    -908(fp)
+noname.294:
+        movl    -904(fp),r1
+        movl    -908(fp),r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.295
+        incl    r2
+noname.295:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.296
+        incl    r9
+noname.296:
+
+        movl    r8,52(r11)
+
+        clrl    r8
+
+        movzwl  30(r6),r2
+        bicl3   #-65536,28(r7),r3
+        movzwl  30(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,28(r6),-920(fp)
+        bicl3   #-65536,r2,-924(fp)
+        mull3   r0,-920(fp),-912(fp)
+        mull2   r3,-920(fp)
+        mull3   r3,-924(fp),-916(fp)
+        mull2   r0,-924(fp)
+        addl3   -912(fp),-916(fp),r0
+        bicl3   #0,r0,-912(fp)
+        cmpl    -912(fp),-916(fp)
+        bgequ   noname.297
+        addl2   #65536,-924(fp)
+noname.297:
+        movzwl  -910(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-924(fp)
+        bicl3   #-65536,-912(fp),r0
+        ashl    #16,r0,-916(fp)
+        addl3   -916(fp),-920(fp),r0
+        bicl3   #0,r0,-920(fp)
+        cmpl    -920(fp),-916(fp)
+        bgequ   noname.298
+        incl    -924(fp)
+noname.298:
+        movl    -920(fp),r1
+        movl    -924(fp),r2
+        addl2   r1,r10
+        bicl2   #0,r10
+        cmpl    r10,r1
+        bgequ   noname.299
+        incl    r2
+noname.299:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.300
+        incl    r8
+noname.300:
+
+        movl    r10,56(r11)
+
+        movl    r9,60(r11)
+
+        ret     
+
+
+
+;r=4 ;(AP)
+;a=8 ;(AP)
+;b=12 ;(AP)
+;n=16 ;(AP)     n       by value (input)
+
+        .psect  code,nowrt
+
+.entry  BN_MUL_COMBA4,^m<r2,r3,r4,r5,r6,r7,r8,r9,r10,r11>
+        movab   -156(sp),sp
+
+        clrq    r9
+
+        clrl    r8
+
+        movl    8(ap),r6
+        bicl3   #-65536,(r6),r3
+        movzwl  2(r6),r2
+        bicl2   #-65536,r2
+        movl    12(ap),r7
+        bicl3   #-65536,(r7),r1
+        movzwl  2(r7),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r2,r4
+        mull3   r0,r5,-4(fp)
+        mull2   r1,r5
+        mull3   r1,r4,-8(fp)
+        mull2   r0,r4
+        addl3   -4(fp),-8(fp),r0
+        bicl3   #0,r0,-4(fp)
+        cmpl    -4(fp),-8(fp)
+        bgequ   noname.303
+        addl2   #65536,r4
+noname.303:
+        movzwl  -2(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-4(fp),r0
+        ashl    #16,r0,-8(fp)
+        addl2   -8(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-8(fp)
+        bgequ   noname.304
+        incl    r4
+noname.304:
+        movl    r5,r1
+        movl    r4,r2
+        addl2   r1,r10
+        bicl2   #0,r10
+        cmpl    r10,r1
+        bgequ   noname.305
+        incl    r2
+noname.305:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.306
+        incl    r8
+noname.306:
+
+        movl    4(ap),r11
+        movl    r10,(r11)
+
+        clrl    r10
+
+        bicl3   #-65536,(r6),r3
+        movzwl  2(r6),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,4(r7),r2
+        movzwl  6(r7),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-12(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-16(fp)
+        mull2   r0,r4
+        addl3   -12(fp),-16(fp),r0
+        bicl3   #0,r0,-12(fp)
+        cmpl    -12(fp),-16(fp)
+        bgequ   noname.307
+        addl2   #65536,r4
+noname.307:
+        movzwl  -10(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-12(fp),r0
+        ashl    #16,r0,-16(fp)
+        addl2   -16(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-16(fp)
+        bgequ   noname.308
+        incl    r4
+noname.308:
+        movl    r5,r1
+        movl    r4,r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.309
+        incl    r2
+noname.309:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.310
+        incl    r10
+noname.310:
+
+        bicl3   #-65536,4(r6),r3
+        movzwl  6(r6),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,(r7),r2
+        movzwl  2(r7),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-20(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-24(fp)
+        mull2   r0,r4
+        addl3   -20(fp),-24(fp),r0
+        bicl3   #0,r0,-20(fp)
+        cmpl    -20(fp),-24(fp)
+        bgequ   noname.311
+        addl2   #65536,r4
+noname.311:
+        movzwl  -18(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-20(fp),r0
+        ashl    #16,r0,-24(fp)
+        addl2   -24(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-24(fp)
+        bgequ   noname.312
+        incl    r4
+noname.312:
+        movl    r5,r1
+        movl    r4,r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.313
+        incl    r2
+noname.313:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.314
+        incl    r10
+noname.314:
+
+        movl    r9,4(r11)
+
+        clrl    r9
+
+        bicl3   #-65536,8(r6),r3
+        movzwl  10(r6),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,(r7),r2
+        movzwl  2(r7),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-28(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-32(fp)
+        mull2   r0,r4
+        addl3   -28(fp),-32(fp),r0
+        bicl3   #0,r0,-28(fp)
+        cmpl    -28(fp),-32(fp)
+        bgequ   noname.315
+        addl2   #65536,r4
+noname.315:
+        movzwl  -26(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-28(fp),r0
+        ashl    #16,r0,-32(fp)
+        addl2   -32(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-32(fp)
+        bgequ   noname.316
+        incl    r4
+noname.316:
+        movl    r5,r1
+        movl    r4,r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.317
+        incl    r2
+noname.317:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.318
+        incl    r9
+noname.318:
+
+        bicl3   #-65536,4(r6),r3
+        movzwl  6(r6),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,4(r7),r2
+        movzwl  6(r7),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-36(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-40(fp)
+        mull2   r0,r4
+        addl3   -36(fp),-40(fp),r0
+        bicl3   #0,r0,-36(fp)
+        cmpl    -36(fp),-40(fp)
+        bgequ   noname.319
+        addl2   #65536,r4
+noname.319:
+        movzwl  -34(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-36(fp),r0
+        ashl    #16,r0,-40(fp)
+        addl2   -40(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-40(fp)
+        bgequ   noname.320
+        incl    r4
+noname.320:
+        movl    r5,r1
+        movl    r4,r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.321
+        incl    r2
+noname.321:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.322
+        incl    r9
+noname.322:
+
+        bicl3   #-65536,(r6),r3
+        movzwl  2(r6),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,8(r7),r2
+        movzwl  10(r7),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-44(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-48(fp)
+        mull2   r0,r4
+        addl3   -44(fp),-48(fp),r0
+        bicl3   #0,r0,-44(fp)
+        cmpl    -44(fp),-48(fp)
+        bgequ   noname.323
+        addl2   #65536,r4
+noname.323:
+        movzwl  -42(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-44(fp),r0
+        ashl    #16,r0,-48(fp)
+        addl2   -48(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-48(fp)
+        bgequ   noname.324
+        incl    r4
+noname.324:
+        movl    r5,r1
+        movl    r4,r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.325
+        incl    r2
+noname.325:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.326
+        incl    r9
+noname.326:
+
+        movl    r8,8(r11)
+
+        clrl    r8
+
+        bicl3   #-65536,(r6),r3
+        movzwl  2(r6),r2
+        bicl3   #-65536,12(r7),r1
+        movzwl  14(r7),r0
+        bicl2   #-65536,r0
+        movl    r3,r4
+        bicl3   #-65536,r2,-60(fp)
+        mull3   r0,r4,-52(fp)
+        mull2   r1,r4
+        mull3   r1,-60(fp),-56(fp)
+        mull2   r0,-60(fp)
+        addl3   -52(fp),-56(fp),r0
+        bicl3   #0,r0,-52(fp)
+        cmpl    -52(fp),-56(fp)
+        bgequ   noname.327
+        addl2   #65536,-60(fp)
+noname.327:
+        movzwl  -50(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-60(fp)
+        bicl3   #-65536,-52(fp),r0
+        ashl    #16,r0,-56(fp)
+        addl2   -56(fp),r4
+        bicl2   #0,r4
+        cmpl    r4,-56(fp)
+        bgequ   noname.328
+        incl    -60(fp)
+noname.328:
+        movl    r4,r1
+        movl    -60(fp),r2
+        addl2   r1,r10
+        bicl2   #0,r10
+        cmpl    r10,r1
+        bgequ   noname.329
+        incl    r2
+noname.329:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.330
+        incl    r8
+noname.330:
+
+        movzwl  6(r6),r2
+        bicl3   #-65536,8(r7),r3
+        movzwl  10(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,4(r6),-72(fp)
+        bicl3   #-65536,r2,-76(fp)
+        mull3   r0,-72(fp),-64(fp)
+        mull2   r3,-72(fp)
+        mull3   r3,-76(fp),-68(fp)
+        mull2   r0,-76(fp)
+        addl3   -64(fp),-68(fp),r0
+        bicl3   #0,r0,-64(fp)
+        cmpl    -64(fp),-68(fp)
+        bgequ   noname.331
+        addl2   #65536,-76(fp)
+noname.331:
+        movzwl  -62(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-76(fp)
+        bicl3   #-65536,-64(fp),r0
+        ashl    #16,r0,-68(fp)
+        addl3   -68(fp),-72(fp),r0
+        bicl3   #0,r0,-72(fp)
+        cmpl    -72(fp),-68(fp)
+        bgequ   noname.332
+        incl    -76(fp)
+noname.332:
+        movl    -72(fp),r1
+        movl    -76(fp),r2
+        addl2   r1,r10
+        bicl2   #0,r10
+        cmpl    r10,r1
+        bgequ   noname.333
+        incl    r2
+noname.333:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.334
+        incl    r8
+noname.334:
+
+        bicl3   #-65536,8(r6),r3
+        movzwl  10(r6),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,4(r7),r2
+        movzwl  6(r7),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-80(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-84(fp)
+        mull2   r0,r4
+        addl3   -80(fp),-84(fp),r0
+        bicl3   #0,r0,-80(fp)
+        cmpl    -80(fp),-84(fp)
+        bgequ   noname.335
+        addl2   #65536,r4
+noname.335:
+        movzwl  -78(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-80(fp),r0
+        ashl    #16,r0,-84(fp)
+        addl2   -84(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-84(fp)
+        bgequ   noname.336
+        incl    r4
+noname.336:
+        movl    r5,r1
+        movl    r4,r2
+        addl2   r1,r10
+        bicl2   #0,r10
+        cmpl    r10,r1
+        bgequ   noname.337
+        incl    r2
+noname.337:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.338
+        incl    r8
+noname.338:
+
+        bicl3   #-65536,12(r6),r3
+        movzwl  14(r6),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,(r7),r2
+        movzwl  2(r7),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-88(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-92(fp)
+        mull2   r0,r4
+        addl3   -88(fp),-92(fp),r0
+        bicl3   #0,r0,-88(fp)
+        cmpl    -88(fp),-92(fp)
+        bgequ   noname.339
+        addl2   #65536,r4
+noname.339:
+        movzwl  -86(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-88(fp),r0
+        ashl    #16,r0,-92(fp)
+        addl2   -92(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-92(fp)
+        bgequ   noname.340
+        incl    r4
+noname.340:
+        movl    r5,r1
+        movl    r4,r2
+        addl2   r1,r10
+        bicl2   #0,r10
+        cmpl    r10,r1
+        bgequ   noname.341
+        incl    r2
+noname.341:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.342
+        incl    r8
+noname.342:
+
+        movl    r10,12(r11)
+
+        clrl    r10
+
+        bicl3   #-65536,12(r6),r3
+        movzwl  14(r6),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,4(r7),r2
+        movzwl  6(r7),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-96(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-100(fp)
+        mull2   r0,r4
+        addl3   -96(fp),-100(fp),r0
+        bicl3   #0,r0,-96(fp)
+        cmpl    -96(fp),-100(fp)
+        bgequ   noname.343
+        addl2   #65536,r4
+noname.343:
+        movzwl  -94(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-96(fp),r0
+        ashl    #16,r0,-100(fp)
+        addl2   -100(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-100(fp)
+        bgequ   noname.344
+        incl    r4
+noname.344:
+        movl    r5,r1
+        movl    r4,r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.345
+        incl    r2
+noname.345:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.346
+        incl    r10
+noname.346:
+
+        bicl3   #-65536,8(r6),r3
+        movzwl  10(r6),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,8(r7),r2
+        movzwl  10(r7),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-104(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-108(fp)
+        mull2   r0,r4
+        addl3   -104(fp),-108(fp),r0
+        bicl3   #0,r0,-104(fp)
+        cmpl    -104(fp),-108(fp)
+        bgequ   noname.347
+        addl2   #65536,r4
+noname.347:
+        movzwl  -102(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-104(fp),r0
+        ashl    #16,r0,-108(fp)
+        addl2   -108(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-108(fp)
+        bgequ   noname.348
+        incl    r4
+noname.348:
+        movl    r5,r1
+        movl    r4,r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.349
+        incl    r2
+noname.349:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.350
+        incl    r10
+noname.350:
+
+        bicl3   #-65536,4(r6),r3
+        movzwl  6(r6),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,12(r7),r2
+        movzwl  14(r7),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-112(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-116(fp)
+        mull2   r0,r4
+        addl3   -112(fp),-116(fp),r0
+        bicl3   #0,r0,-112(fp)
+        cmpl    -112(fp),-116(fp)
+        bgequ   noname.351
+        addl2   #65536,r4
+noname.351:
+        movzwl  -110(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-112(fp),r0
+        ashl    #16,r0,-116(fp)
+        addl2   -116(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-116(fp)
+        bgequ   noname.352
+        incl    r4
+noname.352:
+        movl    r5,r1
+        movl    r4,r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.353
+        incl    r2
+noname.353:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.354
+        incl    r10
+noname.354:
+
+        movl    r9,16(r11)
+
+        clrl    r9
+
+        bicl3   #-65536,8(r6),r3
+        movzwl  10(r6),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,12(r7),r2
+        movzwl  14(r7),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-120(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-124(fp)
+        mull2   r0,r4
+        addl3   -120(fp),-124(fp),r0
+        bicl3   #0,r0,-120(fp)
+        cmpl    -120(fp),-124(fp)
+        bgequ   noname.355
+        addl2   #65536,r4
+noname.355:
+        movzwl  -118(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-120(fp),r0
+        ashl    #16,r0,-124(fp)
+        addl2   -124(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-124(fp)
+        bgequ   noname.356
+        incl    r4
+noname.356:
+        movl    r5,r1
+        movl    r4,r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.357
+        incl    r2
+noname.357:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.358
+        incl    r9
+noname.358:
+
+        movzwl  14(r6),r2
+        bicl3   #-65536,8(r7),r3
+        movzwl  10(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,12(r6),-136(fp)
+        bicl3   #-65536,r2,-140(fp)
+        mull3   r0,-136(fp),-128(fp)
+        mull2   r3,-136(fp)
+        mull3   r3,-140(fp),-132(fp)
+        mull2   r0,-140(fp)
+        addl3   -128(fp),-132(fp),r0
+        bicl3   #0,r0,-128(fp)
+        cmpl    -128(fp),-132(fp)
+        bgequ   noname.359
+        addl2   #65536,-140(fp)
+noname.359:
+        movzwl  -126(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-140(fp)
+        bicl3   #-65536,-128(fp),r0
+        ashl    #16,r0,-132(fp)
+        addl3   -132(fp),-136(fp),r0
+        bicl3   #0,r0,-136(fp)
+        cmpl    -136(fp),-132(fp)
+        bgequ   noname.360
+        incl    -140(fp)
+noname.360:
+        movl    -136(fp),r1
+        movl    -140(fp),r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.361
+        incl    r2
+noname.361:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.362
+        incl    r9
+noname.362:
+
+        movl    r8,20(r11)
+
+        clrl    r8
+
+        movzwl  14(r6),r2
+        bicl3   #-65536,12(r7),r3
+        movzwl  14(r7),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,12(r6),-152(fp)
+        bicl3   #-65536,r2,-156(fp)
+        mull3   r0,-152(fp),-144(fp)
+        mull2   r3,-152(fp)
+        mull3   r3,-156(fp),-148(fp)
+        mull2   r0,-156(fp)
+        addl3   -144(fp),-148(fp),r0
+        bicl3   #0,r0,-144(fp)
+        cmpl    -144(fp),-148(fp)
+        bgequ   noname.363
+        addl2   #65536,-156(fp)
+noname.363:
+        movzwl  -142(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-156(fp)
+        bicl3   #-65536,-144(fp),r0
+        ashl    #16,r0,-148(fp)
+        addl3   -148(fp),-152(fp),r0
+        bicl3   #0,r0,-152(fp)
+        cmpl    -152(fp),-148(fp)
+        bgequ   noname.364
+        incl    -156(fp)
+noname.364:
+        movl    -152(fp),r1
+        movl    -156(fp),r2
+        addl2   r1,r10
+        bicl2   #0,r10
+        cmpl    r10,r1
+        bgequ   noname.365
+        incl    r2
+noname.365:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.366
+        incl    r8
+noname.366:
+
+        movl    r10,24(r11)
+
+        movl    r9,28(r11)
+
+        ret     
+
+
+
+;r=4 ;(AP)
+;a=8 ;(AP)
+;b=12 ;(AP)
+;n=16 ;(AP)     n       by value (input)
+
+        .psect  code,nowrt
+
+.entry  BN_SQR_COMBA8,^m<r2,r3,r4,r5,r6,r7,r8,r9>
+        movab   -444(sp),sp
+
+        clrq    r8
+
+        clrl    r7
+
+        movl    8(ap),r4
+        movl    (r4),r3
+        bicl3   #-65536,r3,-4(fp)
+        extzv   #16,#16,r3,r0
+        bicl3   #-65536,r0,r3
+        movl    -4(fp),r0
+        mull3   r0,r3,-8(fp)
+        mull3   r0,r0,-4(fp)
+        mull2   r3,r3
+        bicl3   #32767,-8(fp),r0
+        extzv   #15,#17,r0,r0
+        addl2   r0,r3
+        bicl3   #-65536,-8(fp),r0
+        ashl    #17,r0,-8(fp)
+        addl3   -4(fp),-8(fp),r0
+        bicl3   #0,r0,-4(fp)
+        cmpl    -4(fp),-8(fp)
+        bgequ   noname.369
+        incl    r3
+noname.369:
+        movl    -4(fp),r1
+        movl    r3,r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.370
+        incl    r2
+noname.370:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.371
+        incl    r7
+noname.371:
+
+        movl    r9,@4(ap)
+
+        clrl    r9
+
+        movzwl  6(r4),r2
+        bicl3   #-65536,(r4),r3
+        movzwl  2(r4),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,4(r4),-20(fp)
+        bicl3   #-65536,r2,-24(fp)
+        mull3   r0,-20(fp),-12(fp)
+        mull2   r3,-20(fp)
+        mull3   r3,-24(fp),-16(fp)
+        mull2   r0,-24(fp)
+        addl3   -12(fp),-16(fp),r0
+        bicl3   #0,r0,-12(fp)
+        cmpl    -12(fp),-16(fp)
+        bgequ   noname.372
+        addl2   #65536,-24(fp)
+noname.372:
+        movzwl  -10(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-24(fp)
+        bicl3   #-65536,-12(fp),r0
+        ashl    #16,r0,-16(fp)
+        addl3   -16(fp),-20(fp),r0
+        bicl3   #0,r0,-20(fp)
+        cmpl    -20(fp),-16(fp)
+        bgequ   noname.373
+        incl    -24(fp)
+noname.373:
+        movl    -20(fp),r3
+        movl    -24(fp),r2
+        bbc     #31,r2,noname.374
+        incl    r9
+noname.374:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.375
+        incl    r2
+noname.375:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r8
+        bicl2   #0,r8
+        cmpl    r8,r3
+        bgequ   noname.376
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.376
+        incl    r9
+noname.376:
+        addl2   r2,r7
+        bicl2   #0,r7
+        cmpl    r7,r2
+        bgequ   noname.377
+        incl    r9
+noname.377:
+
+        movl    4(ap),r0
+        movl    r8,4(r0)
+
+        clrl    r8
+
+        movl    8(ap),r4
+        movl    4(r4),r3
+        bicl3   #-65536,r3,-28(fp)
+        extzv   #16,#16,r3,r0
+        bicl3   #-65536,r0,r3
+        movl    -28(fp),r0
+        mull3   r0,r3,-32(fp)
+        mull3   r0,r0,-28(fp)
+        mull2   r3,r3
+        bicl3   #32767,-32(fp),r0
+        extzv   #15,#17,r0,r0
+        addl2   r0,r3
+        bicl3   #-65536,-32(fp),r0
+        ashl    #17,r0,-32(fp)
+        addl3   -28(fp),-32(fp),r0
+        bicl3   #0,r0,-28(fp)
+        cmpl    -28(fp),-32(fp)
+        bgequ   noname.378
+        incl    r3
+noname.378:
+        movl    -28(fp),r1
+        movl    r3,r2
+        addl2   r1,r7
+        bicl2   #0,r7
+        cmpl    r7,r1
+        bgequ   noname.379
+        incl    r2
+noname.379:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.380
+        incl    r8
+noname.380:
+
+        movzwl  10(r4),r2
+        bicl3   #-65536,(r4),r3
+        movzwl  2(r4),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,8(r4),-44(fp)
+        bicl3   #-65536,r2,-48(fp)
+        mull3   r0,-44(fp),-36(fp)
+        mull2   r3,-44(fp)
+        mull3   r3,-48(fp),-40(fp)
+        mull2   r0,-48(fp)
+        addl3   -36(fp),-40(fp),r0
+        bicl3   #0,r0,-36(fp)
+        cmpl    -36(fp),-40(fp)
+        bgequ   noname.381
+        addl2   #65536,-48(fp)
+noname.381:
+        movzwl  -34(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-48(fp)
+        bicl3   #-65536,-36(fp),r0
+        ashl    #16,r0,-40(fp)
+        addl3   -40(fp),-44(fp),r0
+        bicl3   #0,r0,-44(fp)
+        cmpl    -44(fp),-40(fp)
+        bgequ   noname.382
+        incl    -48(fp)
+noname.382:
+        movl    -44(fp),r3
+        movl    -48(fp),r2
+        bbc     #31,r2,noname.383
+        incl    r8
+noname.383:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.384
+        incl    r2
+noname.384:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r7
+        bicl2   #0,r7
+        cmpl    r7,r3
+        bgequ   noname.385
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.385
+        incl    r8
+noname.385:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.386
+        incl    r8
+noname.386:
+
+        movl    4(ap),r0
+        movl    r7,8(r0)
+
+        clrl    r7
+
+        movl    8(ap),r0
+        movzwl  14(r0),r2
+        bicl3   #-65536,(r0),r3
+        movzwl  2(r0),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,12(r0),-60(fp)
+        bicl3   #-65536,r2,-64(fp)
+        mull3   r1,-60(fp),-52(fp)
+        mull2   r3,-60(fp)
+        mull3   r3,-64(fp),-56(fp)
+        mull2   r1,-64(fp)
+        addl3   -52(fp),-56(fp),r0
+        bicl3   #0,r0,-52(fp)
+        cmpl    -52(fp),-56(fp)
+        bgequ   noname.387
+        addl2   #65536,-64(fp)
+noname.387:
+        movzwl  -50(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-64(fp)
+        bicl3   #-65536,-52(fp),r0
+        ashl    #16,r0,-56(fp)
+        addl3   -56(fp),-60(fp),r0
+        bicl3   #0,r0,-60(fp)
+        cmpl    -60(fp),-56(fp)
+        bgequ   noname.388
+        incl    -64(fp)
+noname.388:
+        movl    -60(fp),r3
+        movl    -64(fp),r2
+        bbc     #31,r2,noname.389
+        incl    r7
+noname.389:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.390
+        incl    r2
+noname.390:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r9
+        bicl2   #0,r9
+        cmpl    r9,r3
+        bgequ   noname.391
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.391
+        incl    r7
+noname.391:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.392
+        incl    r7
+noname.392:
+
+        movl    8(ap),r0
+        movzwl  10(r0),r2
+        bicl3   #-65536,4(r0),r3
+        movzwl  6(r0),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,8(r0),-76(fp)
+        bicl3   #-65536,r2,-80(fp)
+        mull3   r1,-76(fp),-68(fp)
+        mull2   r3,-76(fp)
+        mull3   r3,-80(fp),-72(fp)
+        mull2   r1,-80(fp)
+        addl3   -68(fp),-72(fp),r0
+        bicl3   #0,r0,-68(fp)
+        cmpl    -68(fp),-72(fp)
+        bgequ   noname.393
+        addl2   #65536,-80(fp)
+noname.393:
+        movzwl  -66(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-80(fp)
+        bicl3   #-65536,-68(fp),r0
+        ashl    #16,r0,-72(fp)
+        addl3   -72(fp),-76(fp),r0
+        bicl3   #0,r0,-76(fp)
+        cmpl    -76(fp),-72(fp)
+        bgequ   noname.394
+        incl    -80(fp)
+noname.394:
+        movl    -76(fp),r3
+        movl    -80(fp),r2
+        bbc     #31,r2,noname.395
+        incl    r7
+noname.395:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.396
+        incl    r2
+noname.396:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r9
+        bicl2   #0,r9
+        cmpl    r9,r3
+        bgequ   noname.397
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.397
+        incl    r7
+noname.397:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.398
+        incl    r7
+noname.398:
+
+        movl    4(ap),r0
+        movl    r9,12(r0)
+
+        clrl    r9
+
+        movl    8(ap),r2
+        movl    8(r2),r4
+        bicl3   #-65536,r4,-84(fp)
+        extzv   #16,#16,r4,r0
+        bicl3   #-65536,r0,r4
+        movl    -84(fp),r0
+        mull3   r0,r4,-88(fp)
+        mull3   r0,r0,-84(fp)
+        mull2   r4,r4
+        bicl3   #32767,-88(fp),r0
+        extzv   #15,#17,r0,r0
+        addl2   r0,r4
+        bicl3   #-65536,-88(fp),r0
+        ashl    #17,r0,-88(fp)
+        addl3   -84(fp),-88(fp),r0
+        bicl3   #0,r0,-84(fp)
+        cmpl    -84(fp),-88(fp)
+        bgequ   noname.399
+        incl    r4
+noname.399:
+        movl    -84(fp),r1
+        movl    r4,r3
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.400
+        incl    r3
+noname.400:
+        addl2   r3,r7
+        bicl2   #0,r7
+        cmpl    r7,r3
+        bgequ   noname.401
+        incl    r9
+noname.401:
+
+        movzwl  14(r2),r3
+        bicl3   #-65536,4(r2),r1
+        movzwl  6(r2),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,12(r2),-100(fp)
+        bicl3   #-65536,r3,-104(fp)
+        mull3   r0,-100(fp),-92(fp)
+        mull2   r1,-100(fp)
+        mull3   r1,-104(fp),-96(fp)
+        mull2   r0,-104(fp)
+        addl3   -92(fp),-96(fp),r0
+        bicl3   #0,r0,-92(fp)
+        cmpl    -92(fp),-96(fp)
+        bgequ   noname.402
+        addl2   #65536,-104(fp)
+noname.402:
+        movzwl  -90(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-104(fp)
+        bicl3   #-65536,-92(fp),r0
+        ashl    #16,r0,-96(fp)
+        addl3   -96(fp),-100(fp),r0
+        bicl3   #0,r0,-100(fp)
+        cmpl    -100(fp),-96(fp)
+        bgequ   noname.403
+        incl    -104(fp)
+noname.403:
+        movl    -100(fp),r3
+        movl    -104(fp),r2
+        bbc     #31,r2,noname.404
+        incl    r9
+noname.404:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.405
+        incl    r2
+noname.405:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r8
+        bicl2   #0,r8
+        cmpl    r8,r3
+        bgequ   noname.406
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.406
+        incl    r9
+noname.406:
+        addl2   r2,r7
+        bicl2   #0,r7
+        cmpl    r7,r2
+        bgequ   noname.407
+        incl    r9
+noname.407:
+
+        movl    8(ap),r0
+        movzwl  18(r0),r2
+        bicl3   #-65536,(r0),r3
+        movzwl  2(r0),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,16(r0),-116(fp)
+        bicl3   #-65536,r2,-120(fp)
+        mull3   r1,-116(fp),-108(fp)
+        mull2   r3,-116(fp)
+        mull3   r3,-120(fp),-112(fp)
+        mull2   r1,-120(fp)
+        addl3   -108(fp),-112(fp),r0
+        bicl3   #0,r0,-108(fp)
+        cmpl    -108(fp),-112(fp)
+        bgequ   noname.408
+        addl2   #65536,-120(fp)
+noname.408:
+        movzwl  -106(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-120(fp)
+        bicl3   #-65536,-108(fp),r0
+        ashl    #16,r0,-112(fp)
+        addl3   -112(fp),-116(fp),r0
+        bicl3   #0,r0,-116(fp)
+        cmpl    -116(fp),-112(fp)
+        bgequ   noname.409
+        incl    -120(fp)
+noname.409:
+        movl    -116(fp),r3
+        movl    -120(fp),r2
+        bbc     #31,r2,noname.410
+        incl    r9
+noname.410:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.411
+        incl    r2
+noname.411:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r8
+        bicl2   #0,r8
+        cmpl    r8,r3
+        bgequ   noname.412
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.412
+        incl    r9
+noname.412:
+        addl2   r2,r7
+        bicl2   #0,r7
+        cmpl    r7,r2
+        bgequ   noname.413
+        incl    r9
+noname.413:
+
+        movl    4(ap),r0
+        movl    r8,16(r0)
+
+        clrl    r8
+
+        movl    8(ap),r0
+        movzwl  22(r0),r2
+        bicl3   #-65536,(r0),r3
+        movzwl  2(r0),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,20(r0),-132(fp)
+        bicl3   #-65536,r2,-136(fp)
+        mull3   r1,-132(fp),-124(fp)
+        mull2   r3,-132(fp)
+        mull3   r3,-136(fp),-128(fp)
+        mull2   r1,-136(fp)
+        addl3   -124(fp),-128(fp),r0
+        bicl3   #0,r0,-124(fp)
+        cmpl    -124(fp),-128(fp)
+        bgequ   noname.414
+        addl2   #65536,-136(fp)
+noname.414:
+        movzwl  -122(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-136(fp)
+        bicl3   #-65536,-124(fp),r0
+        ashl    #16,r0,-128(fp)
+        addl3   -128(fp),-132(fp),r0
+        bicl3   #0,r0,-132(fp)
+        cmpl    -132(fp),-128(fp)
+        bgequ   noname.415
+        incl    -136(fp)
+noname.415:
+        movl    -132(fp),r3
+        movl    -136(fp),r2
+        bbc     #31,r2,noname.416
+        incl    r8
+noname.416:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.417
+        incl    r2
+noname.417:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r7
+        bicl2   #0,r7
+        cmpl    r7,r3
+        bgequ   noname.418
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.418
+        incl    r8
+noname.418:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.419
+        incl    r8
+noname.419:
+
+        movl    8(ap),r0
+        movzwl  18(r0),r2
+        bicl3   #-65536,4(r0),r3
+        movzwl  6(r0),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,16(r0),-148(fp)
+        bicl3   #-65536,r2,-152(fp)
+        mull3   r1,-148(fp),-140(fp)
+        mull2   r3,-148(fp)
+        mull3   r3,-152(fp),-144(fp)
+        mull2   r1,-152(fp)
+        addl3   -140(fp),-144(fp),r0
+        bicl3   #0,r0,-140(fp)
+        cmpl    -140(fp),-144(fp)
+        bgequ   noname.420
+        addl2   #65536,-152(fp)
+noname.420:
+        movzwl  -138(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-152(fp)
+        bicl3   #-65536,-140(fp),r0
+        ashl    #16,r0,-144(fp)
+        addl3   -144(fp),-148(fp),r0
+        bicl3   #0,r0,-148(fp)
+        cmpl    -148(fp),-144(fp)
+        bgequ   noname.421
+        incl    -152(fp)
+noname.421:
+        movl    -148(fp),r3
+        movl    -152(fp),r2
+        bbc     #31,r2,noname.422
+        incl    r8
+noname.422:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.423
+        incl    r2
+noname.423:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r7
+        bicl2   #0,r7
+        cmpl    r7,r3
+        bgequ   noname.424
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.424
+        incl    r8
+noname.424:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.425
+        incl    r8
+noname.425:
+
+        movl    8(ap),r0
+        movzwl  14(r0),r2
+        bicl3   #-65536,8(r0),r3
+        movzwl  10(r0),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,12(r0),-164(fp)
+        bicl3   #-65536,r2,-168(fp)
+        mull3   r1,-164(fp),-156(fp)
+        mull2   r3,-164(fp)
+        mull3   r3,-168(fp),-160(fp)
+        mull2   r1,-168(fp)
+        addl3   -156(fp),-160(fp),r0
+        bicl3   #0,r0,-156(fp)
+        cmpl    -156(fp),-160(fp)
+        bgequ   noname.426
+        addl2   #65536,-168(fp)
+noname.426:
+        movzwl  -154(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-168(fp)
+        bicl3   #-65536,-156(fp),r0
+        ashl    #16,r0,-160(fp)
+        addl3   -160(fp),-164(fp),r0
+        bicl3   #0,r0,-164(fp)
+        cmpl    -164(fp),-160(fp)
+        bgequ   noname.427
+        incl    -168(fp)
+noname.427:
+        movl    -164(fp),r3
+        movl    -168(fp),r2
+        bbc     #31,r2,noname.428
+        incl    r8
+noname.428:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.429
+        incl    r2
+noname.429:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r7
+        bicl2   #0,r7
+        cmpl    r7,r3
+        bgequ   noname.430
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.430
+        incl    r8
+noname.430:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.431
+        incl    r8
+noname.431:
+
+        movl    4(ap),r0
+        movl    r7,20(r0)
+
+        clrl    r7
+
+        movl    8(ap),r2
+        movl    12(r2),r4
+        bicl3   #-65536,r4,-172(fp)
+        extzv   #16,#16,r4,r0
+        bicl3   #-65536,r0,r4
+        movl    -172(fp),r0
+        mull3   r0,r4,-176(fp)
+        mull3   r0,r0,-172(fp)
+        mull2   r4,r4
+        bicl3   #32767,-176(fp),r0
+        extzv   #15,#17,r0,r0
+        addl2   r0,r4
+        bicl3   #-65536,-176(fp),r0
+        ashl    #17,r0,-176(fp)
+        addl3   -172(fp),-176(fp),r0
+        bicl3   #0,r0,-172(fp)
+        cmpl    -172(fp),-176(fp)
+        bgequ   noname.432
+        incl    r4
+noname.432:
+        movl    -172(fp),r1
+        movl    r4,r3
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.433
+        incl    r3
+noname.433:
+        addl2   r3,r8
+        bicl2   #0,r8
+        cmpl    r8,r3
+        bgequ   noname.434
+        incl    r7
+noname.434:
+
+        movzwl  18(r2),r3
+        bicl3   #-65536,8(r2),r1
+        movzwl  10(r2),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,16(r2),-188(fp)
+        bicl3   #-65536,r3,-192(fp)
+        mull3   r0,-188(fp),-180(fp)
+        mull2   r1,-188(fp)
+        mull3   r1,-192(fp),-184(fp)
+        mull2   r0,-192(fp)
+        addl3   -180(fp),-184(fp),r0
+        bicl3   #0,r0,-180(fp)
+        cmpl    -180(fp),-184(fp)
+        bgequ   noname.435
+        addl2   #65536,-192(fp)
+noname.435:
+        movzwl  -178(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-192(fp)
+        bicl3   #-65536,-180(fp),r0
+        ashl    #16,r0,-184(fp)
+        addl3   -184(fp),-188(fp),r0
+        bicl3   #0,r0,-188(fp)
+        cmpl    -188(fp),-184(fp)
+        bgequ   noname.436
+        incl    -192(fp)
+noname.436:
+        movl    -188(fp),r3
+        movl    -192(fp),r2
+        bbc     #31,r2,noname.437
+        incl    r7
+noname.437:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.438
+        incl    r2
+noname.438:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r9
+        bicl2   #0,r9
+        cmpl    r9,r3
+        bgequ   noname.439
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.439
+        incl    r7
+noname.439:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.440
+        incl    r7
+noname.440:
+
+        movl    8(ap),r0
+        movzwl  22(r0),r2
+        bicl3   #-65536,4(r0),r3
+        movzwl  6(r0),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,20(r0),-204(fp)
+        bicl3   #-65536,r2,-208(fp)
+        mull3   r1,-204(fp),-196(fp)
+        mull2   r3,-204(fp)
+        mull3   r3,-208(fp),-200(fp)
+        mull2   r1,-208(fp)
+        addl3   -196(fp),-200(fp),r0
+        bicl3   #0,r0,-196(fp)
+        cmpl    -196(fp),-200(fp)
+        bgequ   noname.441
+        addl2   #65536,-208(fp)
+noname.441:
+        movzwl  -194(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-208(fp)
+        bicl3   #-65536,-196(fp),r0
+        ashl    #16,r0,-200(fp)
+        addl3   -200(fp),-204(fp),r0
+        bicl3   #0,r0,-204(fp)
+        cmpl    -204(fp),-200(fp)
+        bgequ   noname.442
+        incl    -208(fp)
+noname.442:
+        movl    -204(fp),r3
+        movl    -208(fp),r2
+        bbc     #31,r2,noname.443
+        incl    r7
+noname.443:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.444
+        incl    r2
+noname.444:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r9
+        bicl2   #0,r9
+        cmpl    r9,r3
+        bgequ   noname.445
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.445
+        incl    r7
+noname.445:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.446
+        incl    r7
+noname.446:
+
+        movl    8(ap),r0
+        movzwl  26(r0),r2
+        bicl3   #-65536,(r0),r3
+        movzwl  2(r0),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,24(r0),-220(fp)
+        bicl3   #-65536,r2,-224(fp)
+        mull3   r1,-220(fp),-212(fp)
+        mull2   r3,-220(fp)
+        mull3   r3,-224(fp),-216(fp)
+        mull2   r1,-224(fp)
+        addl3   -212(fp),-216(fp),r0
+        bicl3   #0,r0,-212(fp)
+        cmpl    -212(fp),-216(fp)
+        bgequ   noname.447
+        addl2   #65536,-224(fp)
+noname.447:
+        movzwl  -210(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-224(fp)
+        bicl3   #-65536,-212(fp),r0
+        ashl    #16,r0,-216(fp)
+        addl3   -216(fp),-220(fp),r0
+        bicl3   #0,r0,-220(fp)
+        cmpl    -220(fp),-216(fp)
+        bgequ   noname.448
+        incl    -224(fp)
+noname.448:
+        movl    -220(fp),r3
+        movl    -224(fp),r2
+        bbc     #31,r2,noname.449
+        incl    r7
+noname.449:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.450
+        incl    r2
+noname.450:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r9
+        bicl2   #0,r9
+        cmpl    r9,r3
+        bgequ   noname.451
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.451
+        incl    r7
+noname.451:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.452
+        incl    r7
+noname.452:
+
+        movl    4(ap),r0
+        movl    r9,24(r0)
+
+        clrl    r9
+
+        movl    8(ap),r0
+        movzwl  30(r0),r2
+        bicl3   #-65536,(r0),r3
+        movzwl  2(r0),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,28(r0),-236(fp)
+        bicl3   #-65536,r2,-240(fp)
+        mull3   r1,-236(fp),-228(fp)
+        mull2   r3,-236(fp)
+        mull3   r3,-240(fp),-232(fp)
+        mull2   r1,-240(fp)
+        addl3   -228(fp),-232(fp),r0
+        bicl3   #0,r0,-228(fp)
+        cmpl    -228(fp),-232(fp)
+        bgequ   noname.453
+        addl2   #65536,-240(fp)
+noname.453:
+        movzwl  -226(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-240(fp)
+        bicl3   #-65536,-228(fp),r0
+        ashl    #16,r0,-232(fp)
+        addl3   -232(fp),-236(fp),r0
+        bicl3   #0,r0,-236(fp)
+        cmpl    -236(fp),-232(fp)
+        bgequ   noname.454
+        incl    -240(fp)
+noname.454:
+        movl    -236(fp),r3
+        movl    -240(fp),r2
+        bbc     #31,r2,noname.455
+        incl    r9
+noname.455:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.456
+        incl    r2
+noname.456:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r8
+        bicl2   #0,r8
+        cmpl    r8,r3
+        bgequ   noname.457
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.457
+        incl    r9
+noname.457:
+        addl2   r2,r7
+        bicl2   #0,r7
+        cmpl    r7,r2
+        bgequ   noname.458
+        incl    r9
+noname.458:
+
+        movl    8(ap),r0
+        movzwl  26(r0),r2
+        bicl3   #-65536,4(r0),r3
+        movzwl  6(r0),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,24(r0),-252(fp)
+        bicl3   #-65536,r2,-256(fp)
+        mull3   r1,-252(fp),-244(fp)
+        mull2   r3,-252(fp)
+        mull3   r3,-256(fp),-248(fp)
+        mull2   r1,-256(fp)
+        addl3   -244(fp),-248(fp),r0
+        bicl3   #0,r0,-244(fp)
+        cmpl    -244(fp),-248(fp)
+        bgequ   noname.459
+        addl2   #65536,-256(fp)
+noname.459:
+        movzwl  -242(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-256(fp)
+        bicl3   #-65536,-244(fp),r0
+        ashl    #16,r0,-248(fp)
+        addl3   -248(fp),-252(fp),r0
+        bicl3   #0,r0,-252(fp)
+        cmpl    -252(fp),-248(fp)
+        bgequ   noname.460
+        incl    -256(fp)
+noname.460:
+        movl    -252(fp),r3
+        movl    -256(fp),r2
+        bbc     #31,r2,noname.461
+        incl    r9
+noname.461:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.462
+        incl    r2
+noname.462:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r8
+        bicl2   #0,r8
+        cmpl    r8,r3
+        bgequ   noname.463
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.463
+        incl    r9
+noname.463:
+        addl2   r2,r7
+        bicl2   #0,r7
+        cmpl    r7,r2
+        bgequ   noname.464
+        incl    r9
+noname.464:
+
+        movl    8(ap),r0
+        movzwl  22(r0),r2
+        bicl3   #-65536,8(r0),r3
+        movzwl  10(r0),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,20(r0),-268(fp)
+        bicl3   #-65536,r2,-272(fp)
+        mull3   r1,-268(fp),-260(fp)
+        mull2   r3,-268(fp)
+        mull3   r3,-272(fp),-264(fp)
+        mull2   r1,-272(fp)
+        addl3   -260(fp),-264(fp),r0
+        bicl3   #0,r0,-260(fp)
+        cmpl    -260(fp),-264(fp)
+        bgequ   noname.465
+        addl2   #65536,-272(fp)
+noname.465:
+        movzwl  -258(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-272(fp)
+        bicl3   #-65536,-260(fp),r0
+        ashl    #16,r0,-264(fp)
+        addl3   -264(fp),-268(fp),r0
+        bicl3   #0,r0,-268(fp)
+        cmpl    -268(fp),-264(fp)
+        bgequ   noname.466
+        incl    -272(fp)
+noname.466:
+        movl    -268(fp),r3
+        movl    -272(fp),r2
+        bbc     #31,r2,noname.467
+        incl    r9
+noname.467:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.468
+        incl    r2
+noname.468:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r8
+        bicl2   #0,r8
+        cmpl    r8,r3
+        bgequ   noname.469
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.469
+        incl    r9
+noname.469:
+        addl2   r2,r7
+        bicl2   #0,r7
+        cmpl    r7,r2
+        bgequ   noname.470
+        incl    r9
+noname.470:
+
+        movl    8(ap),r0
+        movzwl  18(r0),r2
+        bicl3   #-65536,12(r0),r3
+        movzwl  14(r0),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,16(r0),-284(fp)
+        bicl3   #-65536,r2,-288(fp)
+        mull3   r1,-284(fp),-276(fp)
+        mull2   r3,-284(fp)
+        mull3   r3,-288(fp),-280(fp)
+        mull2   r1,-288(fp)
+        addl3   -276(fp),-280(fp),r0
+        bicl3   #0,r0,-276(fp)
+        cmpl    -276(fp),-280(fp)
+        bgequ   noname.471
+        addl2   #65536,-288(fp)
+noname.471:
+        movzwl  -274(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-288(fp)
+        bicl3   #-65536,-276(fp),r0
+        ashl    #16,r0,-280(fp)
+        addl3   -280(fp),-284(fp),r0
+        bicl3   #0,r0,-284(fp)
+        cmpl    -284(fp),-280(fp)
+        bgequ   noname.472
+        incl    -288(fp)
+noname.472:
+        movl    -284(fp),r3
+        movl    -288(fp),r2
+        bbc     #31,r2,noname.473
+        incl    r9
+noname.473:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.474
+        incl    r2
+noname.474:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r8
+        bicl2   #0,r8
+        cmpl    r8,r3
+        bgequ   noname.475
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.475
+        incl    r9
+noname.475:
+        addl2   r2,r7
+        bicl2   #0,r7
+        cmpl    r7,r2
+        bgequ   noname.476
+        incl    r9
+noname.476:
+
+        movl    4(ap),r0
+        movl    r8,28(r0)
+
+        clrl    r8
+
+        movl    8(ap),r3
+        movl    16(r3),r4
+        bicl3   #-65536,r4,r5
+        extzv   #16,#16,r4,r0
+        bicl3   #-65536,r0,r4
+        mull3   r5,r4,-292(fp)
+        mull2   r5,r5
+        mull2   r4,r4
+        bicl3   #32767,-292(fp),r0
+        extzv   #15,#17,r0,r0
+        addl2   r0,r4
+        bicl3   #-65536,-292(fp),r0
+        ashl    #17,r0,-292(fp)
+        addl2   -292(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-292(fp)
+        bgequ   noname.477
+        incl    r4
+noname.477:
+        movl    r5,r1
+        movl    r4,r2
+        addl2   r1,r7
+        bicl2   #0,r7
+        cmpl    r7,r1
+        bgequ   noname.478
+        incl    r2
+noname.478:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.479
+        incl    r8
+noname.479:
+
+        bicl3   #-65536,20(r3),r4
+        movzwl  22(r3),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,12(r3),r2
+        movzwl  14(r3),r0
+        bicl2   #-65536,r0
+        movl    r4,r6
+        movl    r1,r5
+        mull3   r0,r6,-296(fp)
+        mull2   r2,r6
+        mull3   r2,r5,-300(fp)
+        mull2   r0,r5
+        addl3   -296(fp),-300(fp),r0
+        bicl3   #0,r0,-296(fp)
+        cmpl    -296(fp),-300(fp)
+        bgequ   noname.480
+        addl2   #65536,r5
+noname.480:
+        movzwl  -294(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r5
+        bicl3   #-65536,-296(fp),r0
+        ashl    #16,r0,-300(fp)
+        addl2   -300(fp),r6
+        bicl2   #0,r6
+        cmpl    r6,-300(fp)
+        bgequ   noname.481
+        incl    r5
+noname.481:
+        movl    r6,r3
+        movl    r5,r2
+        bbc     #31,r2,noname.482
+        incl    r8
+noname.482:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.483
+        incl    r2
+noname.483:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r7
+        bicl2   #0,r7
+        cmpl    r7,r3
+        bgequ   noname.484
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.484
+        incl    r8
+noname.484:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.485
+        incl    r8
+noname.485:
+
+        movl    8(ap),r0
+        bicl3   #-65536,24(r0),r3
+        movzwl  26(r0),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,8(r0),r2
+        movzwl  10(r0),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-304(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-308(fp)
+        mull2   r0,r4
+        addl3   -304(fp),-308(fp),r0
+        bicl3   #0,r0,-304(fp)
+        cmpl    -304(fp),-308(fp)
+        bgequ   noname.486
+        addl2   #65536,r4
+noname.486:
+        movzwl  -302(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-304(fp),r0
+        ashl    #16,r0,-308(fp)
+        addl2   -308(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-308(fp)
+        bgequ   noname.487
+        incl    r4
+noname.487:
+        movl    r5,r3
+        movl    r4,r2
+        bbc     #31,r2,noname.488
+        incl    r8
+noname.488:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.489
+        incl    r2
+noname.489:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r7
+        bicl2   #0,r7
+        cmpl    r7,r3
+        bgequ   noname.490
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.490
+        incl    r8
+noname.490:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.491
+        incl    r8
+noname.491:
+
+        movl    8(ap),r0
+        bicl3   #-65536,28(r0),r3
+        movzwl  30(r0),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,4(r0),r2
+        movzwl  6(r0),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-312(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-316(fp)
+        mull2   r0,r4
+        addl3   -312(fp),-316(fp),r0
+        bicl3   #0,r0,-312(fp)
+        cmpl    -312(fp),-316(fp)
+        bgequ   noname.492
+        addl2   #65536,r4
+noname.492:
+        movzwl  -310(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-312(fp),r0
+        ashl    #16,r0,-316(fp)
+        addl2   -316(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-316(fp)
+        bgequ   noname.493
+        incl    r4
+noname.493:
+        movl    r5,r3
+        movl    r4,r2
+        bbc     #31,r2,noname.494
+        incl    r8
+noname.494:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.495
+        incl    r2
+noname.495:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r7
+        bicl2   #0,r7
+        cmpl    r7,r3
+        bgequ   noname.496
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.496
+        incl    r8
+noname.496:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.497
+        incl    r8
+noname.497:
+
+        movl    4(ap),r0
+        movl    r7,32(r0)
+
+        clrl    r7
+
+        movl    8(ap),r0
+        bicl3   #-65536,28(r0),r3
+        movzwl  30(r0),r2
+        bicl3   #-65536,8(r0),r1
+        movzwl  10(r0),r0
+        bicl2   #-65536,r0
+        movl    r3,r4
+        bicl3   #-65536,r2,-328(fp)
+        mull3   r0,r4,-320(fp)
+        mull2   r1,r4
+        mull3   r1,-328(fp),-324(fp)
+        mull2   r0,-328(fp)
+        addl3   -320(fp),-324(fp),r0
+        bicl3   #0,r0,-320(fp)
+        cmpl    -320(fp),-324(fp)
+        bgequ   noname.498
+        addl2   #65536,-328(fp)
+noname.498:
+        movzwl  -318(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-328(fp)
+        bicl3   #-65536,-320(fp),r0
+        ashl    #16,r0,-324(fp)
+        addl2   -324(fp),r4
+        bicl2   #0,r4
+        cmpl    r4,-324(fp)
+        bgequ   noname.499
+        incl    -328(fp)
+noname.499:
+        movl    r4,r3
+        movl    -328(fp),r2
+        bbc     #31,r2,noname.500
+        incl    r7
+noname.500:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.501
+        incl    r2
+noname.501:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r9
+        bicl2   #0,r9
+        cmpl    r9,r3
+        bgequ   noname.502
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.502
+        incl    r7
+noname.502:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.503
+        incl    r7
+noname.503:
+
+        movl    8(ap),r0
+        movzwl  26(r0),r2
+        bicl3   #-65536,12(r0),r3
+        movzwl  14(r0),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,24(r0),-340(fp)
+        bicl3   #-65536,r2,-344(fp)
+        mull3   r1,-340(fp),-332(fp)
+        mull2   r3,-340(fp)
+        mull3   r3,-344(fp),-336(fp)
+        mull2   r1,-344(fp)
+        addl3   -332(fp),-336(fp),r0
+        bicl3   #0,r0,-332(fp)
+        cmpl    -332(fp),-336(fp)
+        bgequ   noname.504
+        addl2   #65536,-344(fp)
+noname.504:
+        movzwl  -330(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-344(fp)
+        bicl3   #-65536,-332(fp),r0
+        ashl    #16,r0,-336(fp)
+        addl3   -336(fp),-340(fp),r0
+        bicl3   #0,r0,-340(fp)
+        cmpl    -340(fp),-336(fp)
+        bgequ   noname.505
+        incl    -344(fp)
+noname.505:
+        movl    -340(fp),r3
+        movl    -344(fp),r2
+        bbc     #31,r2,noname.506
+        incl    r7
+noname.506:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.507
+        incl    r2
+noname.507:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r9
+        bicl2   #0,r9
+        cmpl    r9,r3
+        bgequ   noname.508
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.508
+        incl    r7
+noname.508:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.509
+        incl    r7
+noname.509:
+
+        movl    8(ap),r0
+        movzwl  22(r0),r2
+        bicl3   #-65536,16(r0),r3
+        movzwl  18(r0),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,20(r0),-356(fp)
+        bicl3   #-65536,r2,-360(fp)
+        mull3   r1,-356(fp),-348(fp)
+        mull2   r3,-356(fp)
+        mull3   r3,-360(fp),-352(fp)
+        mull2   r1,-360(fp)
+        addl3   -348(fp),-352(fp),r0
+        bicl3   #0,r0,-348(fp)
+        cmpl    -348(fp),-352(fp)
+        bgequ   noname.510
+        addl2   #65536,-360(fp)
+noname.510:
+        movzwl  -346(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-360(fp)
+        bicl3   #-65536,-348(fp),r0
+        ashl    #16,r0,-352(fp)
+        addl3   -352(fp),-356(fp),r0
+        bicl3   #0,r0,-356(fp)
+        cmpl    -356(fp),-352(fp)
+        bgequ   noname.511
+        incl    -360(fp)
+noname.511:
+        movl    -356(fp),r3
+        movl    -360(fp),r2
+        bbc     #31,r2,noname.512
+        incl    r7
+noname.512:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.513
+        incl    r2
+noname.513:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r9
+        bicl2   #0,r9
+        cmpl    r9,r3
+        bgequ   noname.514
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.514
+        incl    r7
+noname.514:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.515
+        incl    r7
+noname.515:
+
+        movl    4(ap),r0
+        movl    r9,36(r0)
+
+        clrl    r9
+
+        movl    8(ap),r3
+        movl    20(r3),r4
+        bicl3   #-65536,r4,-364(fp)
+        extzv   #16,#16,r4,r0
+        bicl3   #-65536,r0,r4
+        movl    -364(fp),r0
+        mull3   r0,r4,-368(fp)
+        mull3   r0,r0,-364(fp)
+        mull2   r4,r4
+        bicl3   #32767,-368(fp),r0
+        extzv   #15,#17,r0,r0
+        addl2   r0,r4
+        bicl3   #-65536,-368(fp),r0
+        ashl    #17,r0,-368(fp)
+        addl3   -364(fp),-368(fp),r0
+        bicl3   #0,r0,-364(fp)
+        cmpl    -364(fp),-368(fp)
+        bgequ   noname.516
+        incl    r4
+noname.516:
+        movl    -364(fp),r1
+        movl    r4,r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.517
+        incl    r2
+noname.517:
+        addl2   r2,r7
+        bicl2   #0,r7
+        cmpl    r7,r2
+        bgequ   noname.518
+        incl    r9
+noname.518:
+
+        bicl3   #-65536,24(r3),r4
+        movzwl  26(r3),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,16(r3),r2
+        movzwl  18(r3),r0
+        bicl2   #-65536,r0
+        movl    r4,r6
+        movl    r1,r5
+        mull3   r0,r6,-372(fp)
+        mull2   r2,r6
+        mull3   r2,r5,-376(fp)
+        mull2   r0,r5
+        addl3   -372(fp),-376(fp),r0
+        bicl3   #0,r0,-372(fp)
+        cmpl    -372(fp),-376(fp)
+        bgequ   noname.519
+        addl2   #65536,r5
+noname.519:
+        movzwl  -370(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r5
+        bicl3   #-65536,-372(fp),r0
+        ashl    #16,r0,-376(fp)
+        addl2   -376(fp),r6
+        bicl2   #0,r6
+        cmpl    r6,-376(fp)
+        bgequ   noname.520
+        incl    r5
+noname.520:
+        movl    r6,r3
+        movl    r5,r2
+        bbc     #31,r2,noname.521
+        incl    r9
+noname.521:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.522
+        incl    r2
+noname.522:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r8
+        bicl2   #0,r8
+        cmpl    r8,r3
+        bgequ   noname.523
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.523
+        incl    r9
+noname.523:
+        addl2   r2,r7
+        bicl2   #0,r7
+        cmpl    r7,r2
+        bgequ   noname.524
+        incl    r9
+noname.524:
+
+        movl    8(ap),r0
+        bicl3   #-65536,28(r0),r3
+        movzwl  30(r0),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,12(r0),r2
+        movzwl  14(r0),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-380(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-384(fp)
+        mull2   r0,r4
+        addl3   -380(fp),-384(fp),r0
+        bicl3   #0,r0,-380(fp)
+        cmpl    -380(fp),-384(fp)
+        bgequ   noname.525
+        addl2   #65536,r4
+noname.525:
+        movzwl  -378(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-380(fp),r0
+        ashl    #16,r0,-384(fp)
+        addl2   -384(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-384(fp)
+        bgequ   noname.526
+        incl    r4
+noname.526:
+        movl    r5,r3
+        movl    r4,r2
+        bbc     #31,r2,noname.527
+        incl    r9
+noname.527:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.528
+        incl    r2
+noname.528:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r8
+        bicl2   #0,r8
+        cmpl    r8,r3
+        bgequ   noname.529
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.529
+        incl    r9
+noname.529:
+        addl2   r2,r7
+        bicl2   #0,r7
+        cmpl    r7,r2
+        bgequ   noname.530
+        incl    r9
+noname.530:
+        movl    4(ap),r0
+        movl    r8,40(r0)
+
+        clrl    r8
+
+        movl    8(ap),r0
+        bicl3   #-65536,28(r0),r3
+        movzwl  30(r0),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,16(r0),r2
+        movzwl  18(r0),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-388(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-392(fp)
+        mull2   r0,r4
+        addl3   -388(fp),-392(fp),r0
+        bicl3   #0,r0,-388(fp)
+        cmpl    -388(fp),-392(fp)
+        bgequ   noname.531
+        addl2   #65536,r4
+noname.531:
+        movzwl  -386(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-388(fp),r0
+        ashl    #16,r0,-392(fp)
+        addl2   -392(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-392(fp)
+        bgequ   noname.532
+        incl    r4
+noname.532:
+        movl    r5,r3
+        movl    r4,r2
+        bbc     #31,r2,noname.533
+        incl    r8
+noname.533:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.534
+        incl    r2
+noname.534:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r7
+        bicl2   #0,r7
+        cmpl    r7,r3
+        bgequ   noname.535
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.535
+        incl    r8
+noname.535:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.536
+        incl    r8
+noname.536:
+
+        movl    8(ap),r0
+        bicl3   #-65536,24(r0),r3
+        movzwl  26(r0),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,20(r0),r2
+        movzwl  22(r0),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-396(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-400(fp)
+        mull2   r0,r4
+        addl3   -396(fp),-400(fp),r0
+        bicl3   #0,r0,-396(fp)
+        cmpl    -396(fp),-400(fp)
+        bgequ   noname.537
+        addl2   #65536,r4
+noname.537:
+        movzwl  -394(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-396(fp),r0
+        ashl    #16,r0,-400(fp)
+        addl2   -400(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-400(fp)
+        bgequ   noname.538
+        incl    r4
+noname.538:
+        movl    r5,r3
+        movl    r4,r2
+        bbc     #31,r2,noname.539
+        incl    r8
+noname.539:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.540
+        incl    r2
+noname.540:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r7
+        bicl2   #0,r7
+        cmpl    r7,r3
+        bgequ   noname.541
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.541
+        incl    r8
+noname.541:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.542
+        incl    r8
+noname.542:
+
+        movl    4(ap),r0
+        movl    r7,44(r0)
+
+        clrl    r7
+
+        movl    8(ap),r3
+        movl    24(r3),r4
+        bicl3   #-65536,r4,r5
+        extzv   #16,#16,r4,r0
+        bicl3   #-65536,r0,r4
+        mull3   r5,r4,-404(fp)
+        mull2   r5,r5
+        mull2   r4,r4
+        bicl3   #32767,-404(fp),r0
+        extzv   #15,#17,r0,r0
+        addl2   r0,r4
+        bicl3   #-65536,-404(fp),r0
+        ashl    #17,r0,-404(fp)
+        addl2   -404(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-404(fp)
+        bgequ   noname.543
+        incl    r4
+noname.543:
+        movl    r5,r1
+        movl    r4,r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.544
+        incl    r2
+noname.544:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.545
+        incl    r7
+noname.545:
+
+        movzwl  30(r3),r2
+        bicl3   #-65536,20(r3),r1
+        movzwl  22(r3),r0
+        bicl2   #-65536,r0
+        bicl3   #-65536,28(r3),-416(fp)
+        bicl3   #-65536,r2,-420(fp)
+        mull3   r0,-416(fp),-408(fp)
+        mull2   r1,-416(fp)
+        mull3   r1,-420(fp),-412(fp)
+        mull2   r0,-420(fp)
+        addl3   -408(fp),-412(fp),r0
+        bicl3   #0,r0,-408(fp)
+        cmpl    -408(fp),-412(fp)
+        bgequ   noname.546
+        addl2   #65536,-420(fp)
+noname.546:
+        movzwl  -406(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-420(fp)
+        bicl3   #-65536,-408(fp),r0
+        ashl    #16,r0,-412(fp)
+        addl3   -412(fp),-416(fp),r0
+        bicl3   #0,r0,-416(fp)
+        cmpl    -416(fp),-412(fp)
+        bgequ   noname.547
+        incl    -420(fp)
+noname.547:
+        movl    -416(fp),r3
+        movl    -420(fp),r2
+        bbc     #31,r2,noname.548
+        incl    r7
+noname.548:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.549
+        incl    r2
+noname.549:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r9
+        bicl2   #0,r9
+        cmpl    r9,r3
+        bgequ   noname.550
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.550
+        incl    r7
+noname.550:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.551
+        incl    r7
+noname.551:
+
+        movl    4(ap),r0
+        movl    r9,48(r0)
+
+        clrl    r9
+
+        movl    8(ap),r0
+        movzwl  30(r0),r2
+        bicl3   #-65536,24(r0),r3
+        movzwl  26(r0),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,28(r0),-432(fp)
+        bicl3   #-65536,r2,-436(fp)
+        mull3   r1,-432(fp),-424(fp)
+        mull2   r3,-432(fp)
+        mull3   r3,-436(fp),-428(fp)
+        mull2   r1,-436(fp)
+        addl3   -424(fp),-428(fp),r0
+        bicl3   #0,r0,-424(fp)
+        cmpl    -424(fp),-428(fp)
+        bgequ   noname.552
+        addl2   #65536,-436(fp)
+noname.552:
+        movzwl  -422(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,-436(fp)
+        bicl3   #-65536,-424(fp),r0
+        ashl    #16,r0,-428(fp)
+        addl3   -428(fp),-432(fp),r0
+        bicl3   #0,r0,-432(fp)
+        cmpl    -432(fp),-428(fp)
+        bgequ   noname.553
+        incl    -436(fp)
+noname.553:
+        movl    -432(fp),r3
+        movl    -436(fp),r2
+        bbc     #31,r2,noname.554
+        incl    r9
+noname.554:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.555
+        incl    r2
+noname.555:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r8
+        bicl2   #0,r8
+        cmpl    r8,r3
+        bgequ   noname.556
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.556
+        incl    r9
+noname.556:
+        addl2   r2,r7
+        bicl2   #0,r7
+        cmpl    r7,r2
+        bgequ   noname.557
+        incl    r9
+noname.557:
+
+        movl    4(ap),r4
+        movl    r8,52(r4)
+
+        clrl    r8
+
+        movl    8(ap),r0
+        movl    28(r0),r3
+        bicl3   #-65536,r3,-440(fp)
+        extzv   #16,#16,r3,r0
+        bicl3   #-65536,r0,r3
+        movl    -440(fp),r0
+        mull3   r0,r3,-444(fp)
+        mull3   r0,r0,-440(fp)
+        mull2   r3,r3
+        bicl3   #32767,-444(fp),r0
+        extzv   #15,#17,r0,r0
+        addl2   r0,r3
+        bicl3   #-65536,-444(fp),r0
+        ashl    #17,r0,-444(fp)
+        addl3   -440(fp),-444(fp),r0
+        bicl3   #0,r0,-440(fp)
+        cmpl    -440(fp),-444(fp)
+        bgequ   noname.558
+        incl    r3
+noname.558:
+        movl    -440(fp),r1
+        movl    r3,r2
+        addl2   r1,r7
+        bicl2   #0,r7
+        cmpl    r7,r1
+        bgequ   noname.559
+        incl    r2
+noname.559:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.560
+        incl    r8
+noname.560:
+
+        movl    r7,56(r4)
+
+        movl    r9,60(r4)
+
+        ret     
+
+
+
+;r=4 ;(AP)
+;a=8 ;(AP)
+;b=12 ;(AP)
+;n=16 ;(AP)     n       by value (input)
+
+        .psect  code,nowrt
+
+.entry  BN_SQR_COMBA4,^m<r2,r3,r4,r5,r6,r7,r8,r9,r10>
+        subl2   #44,sp
+
+        clrq    r8
+
+        clrl    r10
+
+        movl    8(ap),r5
+        movl    (r5),r3
+        bicl3   #-65536,r3,r4
+        extzv   #16,#16,r3,r0
+        bicl3   #-65536,r0,r3
+        mull3   r4,r3,-4(fp)
+        mull2   r4,r4
+        mull2   r3,r3
+        bicl3   #32767,-4(fp),r0
+        extzv   #15,#17,r0,r0
+        addl2   r0,r3
+        bicl3   #-65536,-4(fp),r0
+        ashl    #17,r0,-4(fp)
+        addl2   -4(fp),r4
+        bicl2   #0,r4
+        cmpl    r4,-4(fp)
+        bgequ   noname.563
+        incl    r3
+noname.563:
+        movl    r4,r1
+        movl    r3,r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.564
+        incl    r2
+noname.564:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.565
+        incl    r10
+noname.565:
+
+        movl    r9,@4(ap)
+
+        clrl    r9
+
+        bicl3   #-65536,4(r5),r3
+        movzwl  6(r5),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,(r5),r2
+        movzwl  2(r5),r0
+        bicl2   #-65536,r0
+        movl    r3,r6
+        movl    r1,r4
+        mull3   r0,r6,-8(fp)
+        mull2   r2,r6
+        mull2   r4,r2
+        mull2   r0,r4
+        addl3   -8(fp),r2,r0
+        bicl3   #0,r0,-8(fp)
+        cmpl    -8(fp),r2
+        bgequ   noname.566
+        addl2   #65536,r4
+noname.566:
+        movzwl  -6(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-8(fp),r0
+        ashl    #16,r0,r1
+        addl2   r1,r6
+        bicl2   #0,r6
+        cmpl    r6,r1
+        bgequ   noname.567
+        incl    r4
+noname.567:
+        movl    r6,r3
+        movl    r4,r2
+        bbc     #31,r2,noname.568
+        incl    r9
+noname.568:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.569
+        incl    r2
+noname.569:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r8
+        bicl2   #0,r8
+        cmpl    r8,r3
+        bgequ   noname.570
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.570
+        incl    r9
+noname.570:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.571
+        incl    r9
+noname.571:
+
+        movl    4(ap),r0
+        movl    r8,4(r0)
+
+        clrl    r8
+
+        movl    8(ap),r4
+        movl    4(r4),r3
+        bicl3   #-65536,r3,r5
+        extzv   #16,#16,r3,r0
+        bicl3   #-65536,r0,r3
+        mull3   r5,r3,r1
+        mull2   r5,r5
+        mull2   r3,r3
+        bicl3   #32767,r1,r0
+        extzv   #15,#17,r0,r0
+        addl2   r0,r3
+        bicl2   #-65536,r1
+        ashl    #17,r1,r1
+        addl2   r1,r5
+        bicl2   #0,r5
+        cmpl    r5,r1
+        bgequ   noname.572
+        incl    r3
+noname.572:
+        movl    r5,r1
+        movl    r3,r2
+        addl2   r1,r10
+        bicl2   #0,r10
+        cmpl    r10,r1
+        bgequ   noname.573
+        incl    r2
+noname.573:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.574
+        incl    r8
+noname.574:
+
+        bicl3   #-65536,8(r4),r3
+        movzwl  10(r4),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,(r4),r2
+        movzwl  2(r4),r0
+        bicl2   #-65536,r0
+        movl    r3,r6
+        movl    r1,r5
+        mull3   r0,r6,r7
+        mull2   r2,r6
+        mull2   r5,r2
+        mull2   r0,r5
+        addl2   r2,r7
+        bicl2   #0,r7
+        cmpl    r7,r2
+        bgequ   noname.575
+        addl2   #65536,r5
+noname.575:
+        extzv   #16,#16,r7,r0
+        bicl2   #-65536,r0
+        addl2   r0,r5
+        bicl3   #-65536,r7,r0
+        ashl    #16,r0,r1
+        addl2   r1,r6
+        bicl2   #0,r6
+        cmpl    r6,r1
+        bgequ   noname.576
+        incl    r5
+noname.576:
+        movl    r6,r3
+        movl    r5,r2
+        bbc     #31,r2,noname.577
+        incl    r8
+noname.577:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.578
+        incl    r2
+noname.578:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r10
+        bicl2   #0,r10
+        cmpl    r10,r3
+        bgequ   noname.579
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.579
+        incl    r8
+noname.579:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.580
+        incl    r8
+noname.580:
+
+        movl    4(ap),r0
+        movl    r10,8(r0)
+
+        clrl    r10
+
+        movl    8(ap),r0
+        bicl3   #-65536,12(r0),r3
+        movzwl  14(r0),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,(r0),r2
+        movzwl  2(r0),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,r6
+        mull2   r2,r5
+        mull3   r2,r4,-12(fp)
+        mull2   r0,r4
+        addl2   -12(fp),r6
+        bicl2   #0,r6
+        cmpl    r6,-12(fp)
+        bgequ   noname.581
+        addl2   #65536,r4
+noname.581:
+        extzv   #16,#16,r6,r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,r6,r0
+        ashl    #16,r0,-12(fp)
+        addl2   -12(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-12(fp)
+        bgequ   noname.582
+        incl    r4
+noname.582:
+        movl    r5,r3
+        movl    r4,r2
+        bbc     #31,r2,noname.583
+        incl    r10
+noname.583:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.584
+        incl    r2
+noname.584:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r9
+        bicl2   #0,r9
+        cmpl    r9,r3
+        bgequ   noname.585
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.585
+        incl    r10
+noname.585:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.586
+        incl    r10
+noname.586:
+
+        movl    8(ap),r0
+        bicl3   #-65536,8(r0),r3
+        movzwl  10(r0),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,4(r0),r2
+        movzwl  6(r0),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-16(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-20(fp)
+        mull2   r0,r4
+        addl3   -16(fp),-20(fp),r0
+        bicl3   #0,r0,-16(fp)
+        cmpl    -16(fp),-20(fp)
+        bgequ   noname.587
+        addl2   #65536,r4
+noname.587:
+        movzwl  -14(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-16(fp),r0
+        ashl    #16,r0,-20(fp)
+        addl2   -20(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-20(fp)
+        bgequ   noname.588
+        incl    r4
+noname.588:
+        movl    r5,r3
+        movl    r4,r2
+        bbc     #31,r2,noname.589
+        incl    r10
+noname.589:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.590
+        incl    r2
+noname.590:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r9
+        bicl2   #0,r9
+        cmpl    r9,r3
+        bgequ   noname.591
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.591
+        incl    r10
+noname.591:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.592
+        incl    r10
+noname.592:
+        movl    4(ap),r0
+        movl    r9,12(r0)
+
+        clrl    r9
+
+        movl    8(ap),r3
+        movl    8(r3),r4
+        bicl3   #-65536,r4,r5
+        extzv   #16,#16,r4,r0
+        bicl3   #-65536,r0,r4
+        mull3   r5,r4,-24(fp)
+        mull2   r5,r5
+        mull2   r4,r4
+        bicl3   #32767,-24(fp),r0
+        extzv   #15,#17,r0,r0
+        addl2   r0,r4
+        bicl3   #-65536,-24(fp),r0
+        ashl    #17,r0,-24(fp)
+        addl2   -24(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-24(fp)
+        bgequ   noname.593
+        incl    r4
+noname.593:
+        movl    r5,r1
+        movl    r4,r2
+        addl2   r1,r8
+        bicl2   #0,r8
+        cmpl    r8,r1
+        bgequ   noname.594
+        incl    r2
+noname.594:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.595
+        incl    r9
+noname.595:
+
+        bicl3   #-65536,12(r3),r4
+        movzwl  14(r3),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,4(r3),r2
+        movzwl  6(r3),r0
+        bicl2   #-65536,r0
+        movl    r4,r6
+        movl    r1,r5
+        mull3   r0,r6,-28(fp)
+        mull2   r2,r6
+        mull3   r2,r5,-32(fp)
+        mull2   r0,r5
+        addl3   -28(fp),-32(fp),r0
+        bicl3   #0,r0,-28(fp)
+        cmpl    -28(fp),-32(fp)
+        bgequ   noname.596
+        addl2   #65536,r5
+noname.596:
+        movzwl  -26(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r5
+        bicl3   #-65536,-28(fp),r0
+        ashl    #16,r0,-32(fp)
+        addl2   -32(fp),r6
+        bicl2   #0,r6
+        cmpl    r6,-32(fp)
+        bgequ   noname.597
+        incl    r5
+noname.597:
+        movl    r6,r3
+        movl    r5,r2
+        bbc     #31,r2,noname.598
+        incl    r9
+noname.598:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.599
+        incl    r2
+noname.599:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r8
+        bicl2   #0,r8
+        cmpl    r8,r3
+        bgequ   noname.600
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.600
+        incl    r9
+noname.600:
+        addl2   r2,r10
+        bicl2   #0,r10
+        cmpl    r10,r2
+        bgequ   noname.601
+        incl    r9
+noname.601:
+
+        movl    4(ap),r0
+        movl    r8,16(r0)
+
+        clrl    r8
+
+        movl    8(ap),r0
+        bicl3   #-65536,12(r0),r3
+        movzwl  14(r0),r1
+        bicl2   #-65536,r1
+        bicl3   #-65536,8(r0),r2
+        movzwl  10(r0),r0
+        bicl2   #-65536,r0
+        movl    r3,r5
+        movl    r1,r4
+        mull3   r0,r5,-36(fp)
+        mull2   r2,r5
+        mull3   r2,r4,-40(fp)
+        mull2   r0,r4
+        addl3   -36(fp),-40(fp),r0
+        bicl3   #0,r0,-36(fp)
+        cmpl    -36(fp),-40(fp)
+        bgequ   noname.602
+        addl2   #65536,r4
+noname.602:
+        movzwl  -34(fp),r0
+        bicl2   #-65536,r0
+        addl2   r0,r4
+        bicl3   #-65536,-36(fp),r0
+        ashl    #16,r0,-40(fp)
+        addl2   -40(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-40(fp)
+        bgequ   noname.603
+        incl    r4
+noname.603:
+        movl    r5,r3
+        movl    r4,r2
+        bbc     #31,r2,noname.604
+        incl    r8
+noname.604:
+        addl2   r2,r2
+        bicl2   #0,r2
+        bbc     #31,r3,noname.605
+        incl    r2
+noname.605:
+        addl2   r3,r3
+        bicl2   #0,r3
+        addl2   r3,r10
+        bicl2   #0,r10
+        cmpl    r10,r3
+        bgequ   noname.606
+        incl    r2
+        bicl3   #0,r2,r0
+        bneq    noname.606
+        incl    r8
+noname.606:
+        addl2   r2,r9
+        bicl2   #0,r9
+        cmpl    r9,r2
+        bgequ   noname.607
+        incl    r8
+noname.607:
+
+        movl    4(ap),r4
+        movl    r10,20(r4)
+
+        clrl    r10
+
+        movl    8(ap),r0
+        movl    12(r0),r3
+        bicl3   #-65536,r3,r5
+        extzv   #16,#16,r3,r0
+        bicl3   #-65536,r0,r3
+        mull3   r5,r3,-44(fp)
+        mull2   r5,r5
+        mull2   r3,r3
+        bicl3   #32767,-44(fp),r0
+        extzv   #15,#17,r0,r0
+        addl2   r0,r3
+        bicl3   #-65536,-44(fp),r0
+        ashl    #17,r0,-44(fp)
+        addl2   -44(fp),r5
+        bicl2   #0,r5
+        cmpl    r5,-44(fp)
+        bgequ   noname.608
+        incl    r3
+noname.608:
+        movl    r5,r1
+        movl    r3,r2
+        addl2   r1,r9
+        bicl2   #0,r9
+        cmpl    r9,r1
+        bgequ   noname.609
+        incl    r2
+noname.609:
+        addl2   r2,r8
+        bicl2   #0,r8
+        cmpl    r8,r2
+        bgequ   noname.610
+        incl    r10
+noname.610:
+
+        movl    r9,24(r4)
+
+        movl    r8,28(r4)
+
+        ret     
+
+; For now, the code below doesn't work, so I end this prematurely.
+.end
+
+        .title  vax_bn_div64    division 64/32=>32
+; 
+; r.l. 16-jan-1998
+;
+; unsigned int bn_div64(unsigned long h, unsigned long l, unsigned long d)
+;       return <h,l>/d;
+;
+
+        .psect  code,nowrt
+
+h=4 ;(AP)       by value (input)
+l=8 ;(AP)       by value (input)
+d=12 ;(AP)      by value (input)
+
+.entry  bn_div64,^m<r2,r3,r4,r5,r6,r7,r8,r9>
+
+        movl    l(ap),r2        ; l
+        movl    h(ap),r3        ; h
+        movl    d(ap),r4        ; d
+        clrl    r5              ; q
+        clrl    r6              ; r
+
+        ; Treat "negative" specially
+        tstl    r3
+        blss    30$
+
+        tstl    r4
+        beql    90$
+
+        ediv    r4,r2,r5,r6
+        bvs     666$
+
+        movl    r5,r0
+        ret
+
+30$:
+        ; The theory here is to do some harmless shifting and a little
+        ; bit of rounding (brackets are to designate when decimals are
+        ; cut off):
+        ;
+        ;       result = 2 * [ ([<h,0>/2] + [d/2]) / d ] + [ l / d ]
+
+        movl    #0,r7
+        movl    r3,r8           ; copy h
+        ashq    #-1,r7,r7       ; [<h,0>/2] => <r8,r7>
+        bicl2   #^X80000000,r8  ; Remove "sign"
+
+        movl    r4,r9           ; copy d
+        ashl    #-1,r9,r9       ; [d/2] => r9
+        bicl2   #^X80000000,r9  ; Remove "sign"
+
+        addl2   r9,r7
+        adwc    #0,r8           ; [<h,0>/2] + [d/2] => <r8,r7>
+
+        ediv    r4,r7,r5,r6     ; [ ([<h,0>/2] + [d/2]) / d ] => <r5,r6>
+        bvs     666$
+
+        movl    #0,r6
+        ashq    #1,r5,r5        ; 2 * [ ([<h,0>/2] + [d/2]) / d ] => r5
+
+        movl    #0,r3
+        ediv    r4,r2,r8,r9     ; [ l / d ] => <r8,r9>
+
+        addl2   r8,r5           ;
+        bcs     666$
+
+        movl    r5,r0
+        ret
+                
+90$:
+        movl    #-1,r0
+        ret
+
+666$:
+
+        
+.end
diff --git a/src/lib/libssl/src/crypto/bn/asm/x86.pl b/src/lib/libssl/src/crypto/bn/asm/x86.pl
new file mode 100644
index 0000000000..1bc4f1bb27
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/x86.pl
@@ -0,0 +1,28 @@
+#!/usr/local/bin/perl
+
+push(@INC,"perlasm","../../perlasm");
+require "x86asm.pl";
+
+require("x86/mul_add.pl");
+require("x86/mul.pl");
+require("x86/sqr.pl");
+require("x86/div.pl");
+require("x86/add.pl");
+require("x86/sub.pl");
+require("x86/comba.pl");
+
+&asm_init($ARGV[0],$0);
+
+&bn_mul_add_words("bn_mul_add_words");
+&bn_mul_words("bn_mul_words");
+&bn_sqr_words("bn_sqr_words");
+&bn_div_words("bn_div_words");
+&bn_add_words("bn_add_words");
+&bn_sub_words("bn_sub_words");
+&bn_mul_comba("bn_mul_comba8",8);
+&bn_mul_comba("bn_mul_comba4",4);
+&bn_sqr_comba("bn_sqr_comba8",8);
+&bn_sqr_comba("bn_sqr_comba4",4);
+
+&asm_finish();
+
diff --git a/src/lib/libssl/src/crypto/bn/asm/x86/add.pl b/src/lib/libssl/src/crypto/bn/asm/x86/add.pl
new file mode 100644
index 0000000000..0b5cf583e3
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/x86/add.pl
@@ -0,0 +1,76 @@
+#!/usr/local/bin/perl
+# x86 assember
+
+sub bn_add_words
+        {
+        local($name)=@_;
+
+        &function_begin($name,"");
+
+        &comment("");
+        $a="esi";
+        $b="edi";
+        $c="eax";
+        $r="ebx";
+        $tmp1="ecx";
+        $tmp2="edx";
+        $num="ebp";
+
+        &mov($r,&wparam(0));    # get r
+         &mov($a,&wparam(1));   # get a
+        &mov($b,&wparam(2));    # get b
+         &mov($num,&wparam(3)); # get num
+        &xor($c,$c);            # clear carry
+         &and($num,0xfffffff8); # num / 8
+
+        &jz(&label("aw_finish"));
+
+        &set_label("aw_loop",0);
+        for ($i=0; $i<8; $i++)
+                {
+                &comment("Round $i");
+
+                &mov($tmp1,&DWP($i*4,$a,"",0));         # *a
+                 &mov($tmp2,&DWP($i*4,$b,"",0));        # *b
+                &add($tmp1,$c);
+                 &mov($c,0);
+                &adc($c,$c);
+                 &add($tmp1,$tmp2);
+                &adc($c,0);
+                 &mov(&DWP($i*4,$r,"",0),$tmp1);        # *r
+                }
+
+        &comment("");
+        &add($a,32);
+         &add($b,32);
+        &add($r,32);
+         &sub($num,8);
+        &jnz(&label("aw_loop"));
+
+        &set_label("aw_finish",0);
+        &mov($num,&wparam(3));  # get num
+        &and($num,7);
+         &jz(&label("aw_end"));
+
+        for ($i=0; $i<7; $i++)
+                {
+                &comment("Tail Round $i");
+                &mov($tmp1,&DWP($i*4,$a,"",0)); # *a
+                 &mov($tmp2,&DWP($i*4,$b,"",0));# *b
+                &add($tmp1,$c);
+                 &mov($c,0);
+                &adc($c,$c);
+                 &add($tmp1,$tmp2);
+                &adc($c,0);
+                 &dec($num) if ($i != 6);
+                &mov(&DWP($i*4,$r,"",0),$tmp1); # *a
+                 &jz(&label("aw_end")) if ($i != 6);
+                }
+        &set_label("aw_end",0);
+
+#       &mov("eax",$c);         # $c is "eax"
+
+        &function_end($name);
+        }
+
+1;
diff --git a/src/lib/libssl/src/crypto/bn/asm/x86/comba.pl b/src/lib/libssl/src/crypto/bn/asm/x86/comba.pl
new file mode 100644
index 0000000000..2291253629
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/x86/comba.pl
@@ -0,0 +1,277 @@
+#!/usr/local/bin/perl
+# x86 assember
+
+sub mul_add_c
+        {
+        local($a,$ai,$b,$bi,$c0,$c1,$c2,$pos,$i,$na,$nb)=@_;
+
+        # pos == -1 if eax and edx are pre-loaded, 0 to load from next
+        # words, and 1 if load return value
+
+        &comment("mul a[$ai]*b[$bi]");
+
+        # "eax" and "edx" will always be pre-loaded.
+        # &mov("eax",&DWP($ai*4,$a,"",0)) ;
+        # &mov("edx",&DWP($bi*4,$b,"",0));
+
+        &mul("edx");
+        &add($c0,"eax");
+         &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 0;        # laod next a
+         &mov("eax",&wparam(0)) if $pos > 0;                    # load r[]
+         ###
+        &adc($c1,"edx");
+         &mov("edx",&DWP(($nb)*4,$b,"",0)) if $pos == 0;        # laod next b
+         &mov("edx",&DWP(($nb)*4,$b,"",0)) if $pos == 1;        # laod next b
+         ###
+        &adc($c2,0);
+         # is pos > 1, it means it is the last loop 
+         &mov(&DWP($i*4,"eax","",0),$c0) if $pos > 0;           # save r[];
+        &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 1;         # laod next a
+        }
+
+sub sqr_add_c
+        {
+        local($r,$a,$ai,$bi,$c0,$c1,$c2,$pos,$i,$na,$nb)=@_;
+
+        # pos == -1 if eax and edx are pre-loaded, 0 to load from next
+        # words, and 1 if load return value
+
+        &comment("sqr a[$ai]*a[$bi]");
+
+        # "eax" and "edx" will always be pre-loaded.
+        # &mov("eax",&DWP($ai*4,$a,"",0)) ;
+        # &mov("edx",&DWP($bi*4,$b,"",0));
+
+        if ($ai == $bi)
+                { &mul("eax");}
+        else
+                { &mul("edx");}
+        &add($c0,"eax");
+         &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 0;        # load next a
+         ###
+        &adc($c1,"edx");
+         &mov("edx",&DWP(($nb)*4,$a,"",0)) if ($pos == 1) && ($na != $nb);
+         ###
+        &adc($c2,0);
+         # is pos > 1, it means it is the last loop 
+         &mov(&DWP($i*4,$r,"",0),$c0) if $pos > 0;              # save r[];
+        &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 1;         # load next b
+        }
+
+sub sqr_add_c2
+        {
+        local($r,$a,$ai,$bi,$c0,$c1,$c2,$pos,$i,$na,$nb)=@_;
+
+        # pos == -1 if eax and edx are pre-loaded, 0 to load from next
+        # words, and 1 if load return value
+
+        &comment("sqr a[$ai]*a[$bi]");
+
+        # "eax" and "edx" will always be pre-loaded.
+        # &mov("eax",&DWP($ai*4,$a,"",0)) ;
+        # &mov("edx",&DWP($bi*4,$a,"",0));
+
+        if ($ai == $bi)
+                { &mul("eax");}
+        else
+                { &mul("edx");}
+        &add("eax","eax");
+         ###
+        &adc("edx","edx");
+         ###
+        &adc($c2,0);
+         &add($c0,"eax");
+        &adc($c1,"edx");
+         &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 0;        # load next a
+         &mov("eax",&DWP(($na)*4,$a,"",0)) if $pos == 1;        # load next b
+        &adc($c2,0);
+        &mov(&DWP($i*4,$r,"",0),$c0) if $pos > 0;               # save r[];
+         &mov("edx",&DWP(($nb)*4,$a,"",0)) if ($pos <= 1) && ($na != $nb);
+         ###
+        }
+
+sub bn_mul_comba
+        {
+        local($name,$num)=@_;
+        local($a,$b,$c0,$c1,$c2);
+        local($i,$as,$ae,$bs,$be,$ai,$bi);
+        local($tot,$end);
+
+        &function_begin_B($name,"");
+
+        $c0="ebx";
+        $c1="ecx";
+        $c2="ebp";
+        $a="esi";
+        $b="edi";
+        
+        $as=0;
+        $ae=0;
+        $bs=0;
+        $be=0;
+        $tot=$num+$num-1;
+
+        &push("esi");
+         &mov($a,&wparam(1));
+        &push("edi");
+         &mov($b,&wparam(2));
+        &push("ebp");
+         &push("ebx");
+
+        &xor($c0,$c0);
+         &mov("eax",&DWP(0,$a,"",0));   # load the first word 
+        &xor($c1,$c1);
+         &mov("edx",&DWP(0,$b,"",0));   # load the first second 
+
+        for ($i=0; $i<$tot; $i++)
+                {
+                $ai=$as;
+                $bi=$bs;
+                $end=$be+1;
+
+                &comment("################## Calculate word $i"); 
+
+                for ($j=$bs; $j<$end; $j++)
+                        {
+                        &xor($c2,$c2) if ($j == $bs);
+                        if (($j+1) == $end)
+                                {
+                                $v=1;
+                                $v=2 if (($i+1) == $tot);
+                                }
+                        else
+                                { $v=0; }
+                        if (($j+1) != $end)
+                                {
+                                $na=($ai-1);
+                                $nb=($bi+1);
+                                }
+                        else
+                                {
+                                $na=$as+($i < ($num-1));
+                                $nb=$bs+($i >= ($num-1));
+                                }
+#printf STDERR "[$ai,$bi] -> [$na,$nb]\n";
+                        &mul_add_c($a,$ai,$b,$bi,$c0,$c1,$c2,$v,$i,$na,$nb);
+                        if ($v)
+                                {
+                                &comment("saved r[$i]");
+                                # &mov("eax",&wparam(0));
+                                # &mov(&DWP($i*4,"eax","",0),$c0);
+                                ($c0,$c1,$c2)=($c1,$c2,$c0);
+                                }
+                        $ai--;
+                        $bi++;
+                        }
+                $as++ if ($i < ($num-1));
+                $ae++ if ($i >= ($num-1));
+
+                $bs++ if ($i >= ($num-1));
+                $be++ if ($i < ($num-1));
+                }
+        &comment("save r[$i]");
+        # &mov("eax",&wparam(0));
+        &mov(&DWP($i*4,"eax","",0),$c0);
+
+        &pop("ebx");
+        &pop("ebp");
+        &pop("edi");
+        &pop("esi");
+        &ret();
+        &function_end_B($name);
+        }
+
+sub bn_sqr_comba
+        {
+        local($name,$num)=@_;
+        local($r,$a,$c0,$c1,$c2)=@_;
+        local($i,$as,$ae,$bs,$be,$ai,$bi);
+        local($b,$tot,$end,$half);
+
+        &function_begin_B($name,"");
+
+        $c0="ebx";
+        $c1="ecx";
+        $c2="ebp";
+        $a="esi";
+        $r="edi";
+
+        &push("esi");
+         &push("edi");
+        &push("ebp");
+         &push("ebx");
+        &mov($r,&wparam(0));
+         &mov($a,&wparam(1));
+        &xor($c0,$c0);
+         &xor($c1,$c1);
+        &mov("eax",&DWP(0,$a,"",0)); # load the first word
+
+        $as=0;
+        $ae=0;
+        $bs=0;
+        $be=0;
+        $tot=$num+$num-1;
+
+        for ($i=0; $i<$tot; $i++)
+                {
+                $ai=$as;
+                $bi=$bs;
+                $end=$be+1;
+
+                &comment("############### Calculate word $i");
+                for ($j=$bs; $j<$end; $j++)
+                        {
+                        &xor($c2,$c2) if ($j == $bs);
+                        if (($ai-1) < ($bi+1))
+                                {
+                                $v=1;
+                                $v=2 if ($i+1) == $tot;
+                                }
+                        else
+                                { $v=0; }
+                        if (!$v)
+                                {
+                                $na=$ai-1;
+                                $nb=$bi+1;
+                                }
+                        else
+                                {
+                                $na=$as+($i < ($num-1));
+                                $nb=$bs+($i >= ($num-1));
+                                }
+                        if ($ai == $bi)
+                                {
+                                &sqr_add_c($r,$a,$ai,$bi,
+                                        $c0,$c1,$c2,$v,$i,$na,$nb);
+                                }
+                        else
+                                {
+                                &sqr_add_c2($r,$a,$ai,$bi,
+                                        $c0,$c1,$c2,$v,$i,$na,$nb);
+                                }
+                        if ($v)
+                                {
+                                &comment("saved r[$i]");
+                                #&mov(&DWP($i*4,$r,"",0),$c0);
+                                ($c0,$c1,$c2)=($c1,$c2,$c0);
+                                last;
+                                }
+                        $ai--;
+                        $bi++;
+                        }
+                $as++ if ($i < ($num-1));
+                $ae++ if ($i >= ($num-1));
+
+                $bs++ if ($i >= ($num-1));
+                $be++ if ($i < ($num-1));
+                }
+        &mov(&DWP($i*4,$r,"",0),$c0);
+        &pop("ebx");
+        &pop("ebp");
+        &pop("edi");
+        &pop("esi");
+        &ret();
+        &function_end_B($name);
+        }
+
+1;
diff --git a/src/lib/libssl/src/crypto/bn/asm/x86/div.pl b/src/lib/libssl/src/crypto/bn/asm/x86/div.pl
new file mode 100644
index 0000000000..0e90152caa
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/x86/div.pl
@@ -0,0 +1,15 @@
+#!/usr/local/bin/perl
+# x86 assember
+
+sub bn_div_words
+        {
+        local($name)=@_;
+
+        &function_begin($name,"");
+        &mov("edx",&wparam(0)); #
+        &mov("eax",&wparam(1)); #
+        &mov("ebx",&wparam(2)); #
+        &div("ebx");
+        &function_end($name);
+        }
+1;
diff --git a/src/lib/libssl/src/crypto/bn/asm/x86/f b/src/lib/libssl/src/crypto/bn/asm/x86/f
new file mode 100644
index 0000000000..22e4112224
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/x86/f
@@ -0,0 +1,3 @@
+#!/usr/local/bin/perl
+# x86 assember
+
diff --git a/src/lib/libssl/src/crypto/bn/asm/x86/mul.pl b/src/lib/libssl/src/crypto/bn/asm/x86/mul.pl
new file mode 100644
index 0000000000..674cb9b055
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/x86/mul.pl
@@ -0,0 +1,77 @@
+#!/usr/local/bin/perl
+# x86 assember
+
+sub bn_mul_words
+        {
+        local($name)=@_;
+
+        &function_begin($name,"");
+
+        &comment("");
+        $Low="eax";
+        $High="edx";
+        $a="ebx";
+        $w="ecx";
+        $r="edi";
+        $c="esi";
+        $num="ebp";
+
+        &xor($c,$c);            # clear carry
+        &mov($r,&wparam(0));    #
+        &mov($a,&wparam(1));    #
+        &mov($num,&wparam(2));  #
+        &mov($w,&wparam(3));    #
+
+        &and($num,0xfffffff8);  # num / 8
+        &jz(&label("mw_finish"));
+
+        &set_label("mw_loop",0);
+        for ($i=0; $i<32; $i+=4)
+                {
+                &comment("Round $i");
+
+                 &mov("eax",&DWP($i,$a,"",0));  # *a
+                &mul($w);                       # *a * w
+                &add("eax",$c);                 # L(t)+=c
+                 # XXX
+
+                &adc("edx",0);                  # H(t)+=carry
+                 &mov(&DWP($i,$r,"",0),"eax");  # *r= L(t);
+
+                &mov($c,"edx");                 # c=  H(t);
+                }
+
+        &comment("");
+        &add($a,32);
+        &add($r,32);
+        &sub($num,8);
+        &jz(&label("mw_finish"));
+        &jmp(&label("mw_loop"));
+
+        &set_label("mw_finish",0);
+        &mov($num,&wparam(2));  # get num
+        &and($num,7);
+        &jnz(&label("mw_finish2"));
+        &jmp(&label("mw_end"));
+
+        &set_label("mw_finish2",1);
+        for ($i=0; $i<7; $i++)
+                {
+                &comment("Tail Round $i");
+                 &mov("eax",&DWP($i*4,$a,"",0));# *a
+                &mul($w);                       # *a * w
+                &add("eax",$c);                 # L(t)+=c
+                 # XXX
+                &adc("edx",0);                  # H(t)+=carry
+                 &mov(&DWP($i*4,$r,"",0),"eax");# *r= L(t);
+                &mov($c,"edx");                 # c=  H(t);
+                 &dec($num) if ($i != 7-1);
+                &jz(&label("mw_end")) if ($i != 7-1);
+                }
+        &set_label("mw_end",0);
+        &mov("eax",$c);
+
+        &function_end($name);
+        }
+
+1;
diff --git a/src/lib/libssl/src/crypto/bn/asm/x86/mul_add.pl b/src/lib/libssl/src/crypto/bn/asm/x86/mul_add.pl
new file mode 100644
index 0000000000..61830d3a90
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/x86/mul_add.pl
@@ -0,0 +1,87 @@
+#!/usr/local/bin/perl
+# x86 assember
+
+sub bn_mul_add_words
+        {
+        local($name)=@_;
+
+        &function_begin($name,"");
+
+        &comment("");
+        $Low="eax";
+        $High="edx";
+        $a="ebx";
+        $w="ebp";
+        $r="edi";
+        $c="esi";
+
+        &xor($c,$c);            # clear carry
+        &mov($r,&wparam(0));    #
+
+        &mov("ecx",&wparam(2)); #
+        &mov($a,&wparam(1));    #
+
+        &and("ecx",0xfffffff8); # num / 8
+        &mov($w,&wparam(3));    #
+
+        &push("ecx");           # Up the stack for a tmp variable
+
+        &jz(&label("maw_finish"));
+
+        &set_label("maw_loop",0);
+
+        &mov(&swtmp(0),"ecx");  #
+
+        for ($i=0; $i<32; $i+=4)
+                {
+                &comment("Round $i");
+
+                 &mov("eax",&DWP($i,$a,"",0));  # *a
+                &mul($w);                       # *a * w
+                &add("eax",$c);         # L(t)+= *r
+                 &mov($c,&DWP($i,$r,"",0));     # L(t)+= *r
+                &adc("edx",0);                  # H(t)+=carry
+                 &add("eax",$c);                # L(t)+=c
+                &adc("edx",0);                  # H(t)+=carry
+                 &mov(&DWP($i,$r,"",0),"eax");  # *r= L(t);
+                &mov($c,"edx");                 # c=  H(t);
+                }
+
+        &comment("");
+        &mov("ecx",&swtmp(0));  #
+        &add($a,32);
+        &add($r,32);
+        &sub("ecx",8);
+        &jnz(&label("maw_loop"));
+
+        &set_label("maw_finish",0);
+        &mov("ecx",&wparam(2)); # get num
+        &and("ecx",7);
+        &jnz(&label("maw_finish2"));    # helps branch prediction
+        &jmp(&label("maw_end"));
+
+        &set_label("maw_finish2",1);
+        for ($i=0; $i<7; $i++)
+                {
+                &comment("Tail Round $i");
+                 &mov("eax",&DWP($i*4,$a,"",0));# *a
+                &mul($w);                       # *a * w
+                &add("eax",$c);                 # L(t)+=c
+                 &mov($c,&DWP($i*4,$r,"",0));   # L(t)+= *r
+                &adc("edx",0);                  # H(t)+=carry
+                 &add("eax",$c);
+                &adc("edx",0);                  # H(t)+=carry
+                 &dec("ecx") if ($i != 7-1);
+                &mov(&DWP($i*4,$r,"",0),"eax"); # *r= L(t);
+                 &mov($c,"edx");                        # c=  H(t);
+                &jz(&label("maw_end")) if ($i != 7-1);
+                }
+        &set_label("maw_end",0);
+        &mov("eax",$c);
+
+        &pop("ecx");    # clear variable from
+
+        &function_end($name);
+        }
+
+1;
diff --git a/src/lib/libssl/src/crypto/bn/asm/x86/sqr.pl b/src/lib/libssl/src/crypto/bn/asm/x86/sqr.pl
new file mode 100644
index 0000000000..1f90993cf6
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/x86/sqr.pl
@@ -0,0 +1,60 @@
+#!/usr/local/bin/perl
+# x86 assember
+
+sub bn_sqr_words
+        {
+        local($name)=@_;
+
+        &function_begin($name,"");
+
+        &comment("");
+        $r="esi";
+        $a="edi";
+        $num="ebx";
+
+        &mov($r,&wparam(0));    #
+        &mov($a,&wparam(1));    #
+        &mov($num,&wparam(2));  #
+
+        &and($num,0xfffffff8);  # num / 8
+        &jz(&label("sw_finish"));
+
+        &set_label("sw_loop",0);
+        for ($i=0; $i<32; $i+=4)
+                {
+                &comment("Round $i");
+                &mov("eax",&DWP($i,$a,"",0));   # *a
+                 # XXX
+                &mul("eax");                    # *a * *a
+                &mov(&DWP($i*2,$r,"",0),"eax"); #
+                 &mov(&DWP($i*2+4,$r,"",0),"edx");#
+                }
+
+        &comment("");
+        &add($a,32);
+        &add($r,64);
+        &sub($num,8);
+        &jnz(&label("sw_loop"));
+
+        &set_label("sw_finish",0);
+        &mov($num,&wparam(2));  # get num
+        &and($num,7);
+        &jz(&label("sw_end"));
+
+        for ($i=0; $i<7; $i++)
+                {
+                &comment("Tail Round $i");
+                &mov("eax",&DWP($i*4,$a,"",0)); # *a
+                 # XXX
+                &mul("eax");                    # *a * *a
+                &mov(&DWP($i*8,$r,"",0),"eax"); #
+                 &dec($num) if ($i != 7-1);
+                &mov(&DWP($i*8+4,$r,"",0),"edx");
+                 &jz(&label("sw_end")) if ($i != 7-1);
+                }
+        &set_label("sw_end",0);
+
+        &function_end($name);
+        }
+
+1;
diff --git a/src/lib/libssl/src/crypto/bn/asm/x86/sub.pl b/src/lib/libssl/src/crypto/bn/asm/x86/sub.pl
new file mode 100644
index 0000000000..837b0e1b07
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/asm/x86/sub.pl
@@ -0,0 +1,76 @@
+#!/usr/local/bin/perl
+# x86 assember
+
+sub bn_sub_words
+        {
+        local($name)=@_;
+
+        &function_begin($name,"");
+
+        &comment("");
+        $a="esi";
+        $b="edi";
+        $c="eax";
+        $r="ebx";
+        $tmp1="ecx";
+        $tmp2="edx";
+        $num="ebp";
+
+        &mov($r,&wparam(0));    # get r
+         &mov($a,&wparam(1));   # get a
+        &mov($b,&wparam(2));    # get b
+         &mov($num,&wparam(3)); # get num
+        &xor($c,$c);            # clear carry
+         &and($num,0xfffffff8); # num / 8
+
+        &jz(&label("aw_finish"));
+
+        &set_label("aw_loop",0);
+        for ($i=0; $i<8; $i++)
+                {
+                &comment("Round $i");
+
+                &mov($tmp1,&DWP($i*4,$a,"",0));         # *a
+                 &mov($tmp2,&DWP($i*4,$b,"",0));        # *b
+                &sub($tmp1,$c);
+                 &mov($c,0);
+                &adc($c,$c);
+                 &sub($tmp1,$tmp2);
+                &adc($c,0);
+                 &mov(&DWP($i*4,$r,"",0),$tmp1);        # *r
+                }
+
+        &comment("");
+        &add($a,32);
+         &add($b,32);
+        &add($r,32);
+         &sub($num,8);
+        &jnz(&label("aw_loop"));
+
+        &set_label("aw_finish",0);
+        &mov($num,&wparam(3));  # get num
+        &and($num,7);
+         &jz(&label("aw_end"));
+
+        for ($i=0; $i<7; $i++)
+                {
+                &comment("Tail Round $i");
+                &mov($tmp1,&DWP($i*4,$a,"",0)); # *a
+                 &mov($tmp2,&DWP($i*4,$b,"",0));# *b
+                &sub($tmp1,$c);
+                 &mov($c,0);
+                &adc($c,$c);
+                 &sub($tmp1,$tmp2);
+                &adc($c,0);
+                 &dec($num) if ($i != 6);
+                &mov(&DWP($i*4,$r,"",0),$tmp1); # *a
+                 &jz(&label("aw_end")) if ($i != 6);
+                }
+        &set_label("aw_end",0);
+
+#       &mov("eax",$c);         # $c is "eax"
+
+        &function_end($name);
+        }
+
+1;
diff --git a/src/lib/libssl/src/crypto/bn/bn.h b/src/lib/libssl/src/crypto/bn/bn.h
new file mode 100644
index 0000000000..f935e1ca79
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/bn.h
@@ -0,0 +1,467 @@
+/* crypto/bn/bn.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_BN_H
+#define HEADER_BN_H
+
+#ifndef WIN16
+#include <stdio.h> /* FILE */
+#endif
+#include <openssl/opensslconf.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef VMS
+#undef BN_LLONG /* experimental, so far... */
+#endif
+
+#define BN_MUL_COMBA
+#define BN_SQR_COMBA
+#define BN_RECURSION
+#define RECP_MUL_MOD
+#define MONT_MUL_MOD
+
+/* This next option uses the C libraries (2 word)/(1 word) function.
+ * If it is not defined, I use my C version (which is slower).
+ * The reason for this flag is that when the particular C compiler
+ * library routine is used, and the library is linked with a different
+ * compiler, the library is missing.  This mostly happens when the
+ * library is built with gcc and then linked using nornal cc.  This would
+ * be a common occurance because gcc normally produces code that is
+ * 2 times faster than system compilers for the big number stuff.
+ * For machines with only one compiler (or shared libraries), this should
+ * be on.  Again this in only really a problem on machines
+ * using "long long's", are 32bit, and are not using my assember code. */
+#if defined(MSDOS) || defined(WINDOWS) || defined(linux)
+#define BN_DIV2W
+#endif
+
+/* assuming long is 64bit - this is the DEC Alpha
+ * unsigned long long is only 64 bits :-(, don't define
+ * BN_LLONG for the DEC Alpha */
+#ifdef SIXTY_FOUR_BIT_LONG
+#define BN_ULLONG       unsigned long long
+#define BN_ULONG        unsigned long
+#define BN_LONG         long
+#define BN_BITS         128
+#define BN_BYTES        8
+#define BN_BITS2        64
+#define BN_BITS4        32
+#define BN_MASK         (0xffffffffffffffffffffffffffffffffLL)
+#define BN_MASK2        (0xffffffffffffffffL)
+#define BN_MASK2l       (0xffffffffL)
+#define BN_MASK2h       (0xffffffff00000000L)
+#define BN_MASK2h1      (0xffffffff80000000L)
+#define BN_TBIT         (0x8000000000000000L)
+#define BN_DEC_CONV     (10000000000000000000UL)
+#define BN_DEC_FMT1     "%lu"
+#define BN_DEC_FMT2     "%019lu"
+#define BN_DEC_NUM      19
+#endif
+
+/* This is where the long long data type is 64 bits, but long is 32.
+ * For machines where there are 64bit registers, this is the mode to use.
+ * IRIX, on R4000 and above should use this mode, along with the relevent
+ * assember code :-).  Do NOT define BN_LLONG.
+ */
+#ifdef SIXTY_FOUR_BIT
+#undef BN_LLONG
+#undef BN_ULLONG
+#define BN_ULONG        unsigned long long
+#define BN_LONG         long long
+#define BN_BITS         128
+#define BN_BYTES        8
+#define BN_BITS2        64
+#define BN_BITS4        32
+#define BN_MASK2        (0xffffffffffffffffLL)
+#define BN_MASK2l       (0xffffffffL)
+#define BN_MASK2h       (0xffffffff00000000LL)
+#define BN_MASK2h1      (0xffffffff80000000LL)
+#define BN_TBIT         (0x8000000000000000LL)
+#define BN_DEC_CONV     (10000000000000000000LL)
+#define BN_DEC_FMT1     "%llu"
+#define BN_DEC_FMT2     "%019llu"
+#define BN_DEC_NUM      19
+#endif
+
+#ifdef THIRTY_TWO_BIT
+#if defined(WIN32) && !defined(__GNUC__)
+#define BN_ULLONG       unsigned _int64
+#else
+#define BN_ULLONG       unsigned long long
+#endif
+#define BN_ULONG        unsigned long
+#define BN_LONG         long
+#define BN_BITS         64
+#define BN_BYTES        4
+#define BN_BITS2        32
+#define BN_BITS4        16
+#ifdef WIN32
+/* VC++ doesn't like the LL suffix */
+#define BN_MASK         (0xffffffffffffffffL)
+#else
+#define BN_MASK         (0xffffffffffffffffLL)
+#endif
+#define BN_MASK2        (0xffffffffL)
+#define BN_MASK2l       (0xffff)
+#define BN_MASK2h1      (0xffff8000L)
+#define BN_MASK2h       (0xffff0000L)
+#define BN_TBIT         (0x80000000L)
+#define BN_DEC_CONV     (1000000000L)
+#define BN_DEC_FMT1     "%lu"
+#define BN_DEC_FMT2     "%09lu"
+#define BN_DEC_NUM      9
+#endif
+
+#ifdef SIXTEEN_BIT
+#ifndef BN_DIV2W
+#define BN_DIV2W
+#endif
+#define BN_ULLONG       unsigned long
+#define BN_ULONG        unsigned short
+#define BN_LONG         short
+#define BN_BITS         32
+#define BN_BYTES        2
+#define BN_BITS2        16
+#define BN_BITS4        8
+#define BN_MASK         (0xffffffff)
+#define BN_MASK2        (0xffff)
+#define BN_MASK2l       (0xff)
+#define BN_MASK2h1      (0xff80)
+#define BN_MASK2h       (0xff00)
+#define BN_TBIT         (0x8000)
+#define BN_DEC_CONV     (100000)
+#define BN_DEC_FMT1     "%u"
+#define BN_DEC_FMT2     "%05u"
+#define BN_DEC_NUM      5
+#endif
+
+#ifdef EIGHT_BIT
+#ifndef BN_DIV2W
+#define BN_DIV2W
+#endif
+#define BN_ULLONG       unsigned short
+#define BN_ULONG        unsigned char
+#define BN_LONG         char
+#define BN_BITS         16
+#define BN_BYTES        1
+#define BN_BITS2        8
+#define BN_BITS4        4
+#define BN_MASK         (0xffff)
+#define BN_MASK2        (0xff)
+#define BN_MASK2l       (0xf)
+#define BN_MASK2h1      (0xf8)
+#define BN_MASK2h       (0xf0)
+#define BN_TBIT         (0x80)
+#define BN_DEC_CONV     (100)
+#define BN_DEC_FMT1     "%u"
+#define BN_DEC_FMT2     "%02u"
+#define BN_DEC_NUM      2
+#endif
+
+#define BN_DEFAULT_BITS 1280
+
+#ifdef BIGNUM
+#undef BIGNUM
+#endif
+
+#define BN_FLG_MALLOCED         0x01
+#define BN_FLG_STATIC_DATA      0x02
+#define BN_FLG_FREE             0x8000  /* used for debuging */
+#define BN_set_flags(b,n)       ((b)->flags|=(n))
+#define BN_get_flags(b,n)       ((b)->flags&(n))
+
+typedef struct bignum_st
+        {
+        BN_ULONG *d;    /* Pointer to an array of 'BN_BITS2' bit chunks. */
+        int top;        /* Index of last used d +1. */
+        /* The next are internal book keeping for bn_expand. */
+        int max;        /* Size of the d array. */
+        int neg;        /* one if the number is negative */
+        int flags;
+        } BIGNUM;
+
+/* Used for temp variables */
+#define BN_CTX_NUM      12
+typedef struct bignum_ctx
+        {
+        int tos;
+        BIGNUM bn[BN_CTX_NUM+1];
+        int flags;
+        } BN_CTX;
+
+typedef struct bn_blinding_st
+        {
+        int init;
+        BIGNUM *A;
+        BIGNUM *Ai;
+        BIGNUM *mod; /* just a reference */
+        } BN_BLINDING;
+
+/* Used for montgomery multiplication */
+typedef struct bn_mont_ctx_st
+        {
+        int use_word;   /* 0 for word form, 1 for long form */
+        int ri;         /* number of bits in R */
+        BIGNUM RR;     /* used to convert to montgomery form */
+        BIGNUM N;      /* The modulus */
+        BIGNUM Ni;     /* The inverse of N */
+        BN_ULONG n0;    /* word form of inverse, normally only one of
+                         * Ni or n0 is defined */
+        int flags;
+        } BN_MONT_CTX;
+
+/* Used for reciprocal division/mod functions
+ * It cannot be shared between threads
+ */
+typedef struct bn_recp_ctx_st
+        {
+        BIGNUM N;       /* the divisor */
+        BIGNUM Nr;      /* the reciprocal */
+        int num_bits;
+        int shift;
+        int flags;
+        } BN_RECP_CTX;
+
+#define BN_to_montgomery(r,a,mont,ctx)  BN_mod_mul_montgomery(\
+        r,a,&((mont)->RR),(mont),ctx)
+
+#define BN_prime_checks         (5)
+
+#define BN_num_bytes(a) ((BN_num_bits(a)+7)/8)
+#define BN_is_word(a,w) (((a)->top == 1) && ((a)->d[0] == (BN_ULONG)(w)))
+#define BN_is_zero(a)   (((a)->top == 0) || BN_is_word(a,0))
+#define BN_is_one(a)    (BN_is_word((a),1))
+#define BN_is_odd(a)    (((a)->top > 0) && ((a)->d[0] & 1))
+#define BN_one(a)       (BN_set_word((a),1))
+#define BN_zero(a)      (BN_set_word((a),0))
+
+/*#define BN_ascii2bn(a)        BN_hex2bn(a) */
+/*#define BN_bn2ascii(a)        BN_bn2hex(a) */
+
+#define bn_expand(n,b) ((((((b+BN_BITS2-1))/BN_BITS2)) <= (n)->max)?\
+        (n):bn_expand2((n),(b)/BN_BITS2+1))
+#define bn_wexpand(n,b) (((b) <= (n)->max)?(n):bn_expand2((n),(b)))
+
+#define bn_fix_top(a) \
+        { \
+        BN_ULONG *ftl; \
+        if ((a)->top > 0) \
+                { \
+                for (ftl= &((a)->d[(a)->top-1]); (a)->top > 0; (a)->top--) \
+                if (*(ftl--)) break; \
+                } \
+        }
+
+BIGNUM *BN_value_one(void);
+char *  BN_options(void);
+BN_CTX *BN_CTX_new(void);
+void    BN_CTX_init(BN_CTX *c);
+void    BN_CTX_free(BN_CTX *c);
+int     BN_rand(BIGNUM *rnd, int bits, int top,int bottom);
+int     BN_num_bits(const BIGNUM *a);
+int     BN_num_bits_word(BN_ULONG);
+BIGNUM *BN_new(void);
+void    BN_init(BIGNUM *);
+void    BN_clear_free(BIGNUM *a);
+BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b);
+BIGNUM *BN_bin2bn(const unsigned char *s,int len,BIGNUM *ret);
+int     BN_bn2bin(const BIGNUM *a, unsigned char *to);
+BIGNUM *BN_mpi2bn(unsigned char *s,int len,BIGNUM *ret);
+int     BN_bn2mpi(const BIGNUM *a, unsigned char *to);
+int     BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
+int     BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
+int     BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
+int     BN_add(BIGNUM *r, BIGNUM *a, BIGNUM *b);
+int     BN_mod(BIGNUM *rem, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx);
+int     BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
+               BN_CTX *ctx);
+int     BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b,BN_CTX *ctx);
+int     BN_sqr(BIGNUM *r, BIGNUM *a,BN_CTX *ctx);
+BN_ULONG BN_mod_word(BIGNUM *a, BN_ULONG w);
+BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w);
+int     BN_mul_word(BIGNUM *a, BN_ULONG w);
+int     BN_add_word(BIGNUM *a, BN_ULONG w);
+int     BN_sub_word(BIGNUM *a, BN_ULONG w);
+int     BN_set_word(BIGNUM *a, BN_ULONG w);
+BN_ULONG BN_get_word(BIGNUM *a);
+int     BN_cmp(const BIGNUM *a, const BIGNUM *b);
+void    BN_free(BIGNUM *a);
+int     BN_is_bit_set(const BIGNUM *a, int n);
+int     BN_lshift(BIGNUM *r, const BIGNUM *a, int n);
+int     BN_lshift1(BIGNUM *r, BIGNUM *a);
+int     BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p,BN_CTX *ctx);
+int     BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                   const BIGNUM *m,BN_CTX *ctx);
+int     BN_mod_exp_mont(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                        const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int     BN_mod_exp2_mont(BIGNUM *r, BIGNUM *a1, BIGNUM *p1,BIGNUM *a2,
+                BIGNUM *p2,BIGNUM *m,BN_CTX *ctx,BN_MONT_CTX *m_ctx);
+int     BN_mod_exp_simple(BIGNUM *r, BIGNUM *a, BIGNUM *p,
+        BIGNUM *m,BN_CTX *ctx);
+int     BN_mask_bits(BIGNUM *a,int n);
+int     BN_mod_mul(BIGNUM *ret, BIGNUM *a, BIGNUM *b, const BIGNUM *m, BN_CTX *ctx);
+#ifndef WIN16
+int     BN_print_fp(FILE *fp, BIGNUM *a);
+#endif
+#ifdef HEADER_BIO_H
+int     BN_print(BIO *fp, const BIGNUM *a);
+#else
+int     BN_print(char *fp, const BIGNUM *a);
+#endif
+int     BN_reciprocal(BIGNUM *r, BIGNUM *m, int len, BN_CTX *ctx);
+int     BN_rshift(BIGNUM *r, BIGNUM *a, int n);
+int     BN_rshift1(BIGNUM *r, BIGNUM *a);
+void    BN_clear(BIGNUM *a);
+BIGNUM *bn_expand2(BIGNUM *b, int bits);
+BIGNUM *BN_dup(const BIGNUM *a);
+int     BN_ucmp(const BIGNUM *a, const BIGNUM *b);
+int     BN_set_bit(BIGNUM *a, int n);
+int     BN_clear_bit(BIGNUM *a, int n);
+char *  BN_bn2hex(const BIGNUM *a);
+char *  BN_bn2dec(const BIGNUM *a);
+int     BN_hex2bn(BIGNUM **a, const char *str);
+int     BN_dec2bn(BIGNUM **a, const char *str);
+int     BN_gcd(BIGNUM *r,BIGNUM *in_a,BIGNUM *in_b,BN_CTX *ctx);
+BIGNUM *BN_mod_inverse(BIGNUM *ret,BIGNUM *a, const BIGNUM *n,BN_CTX *ctx);
+BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int strong,BIGNUM *add,
+                BIGNUM *rem,void (*callback)(int,int,void *),void *cb_arg);
+int     BN_is_prime(BIGNUM *p,int nchecks,void (*callback)(int,int,void *),
+                BN_CTX *ctx,void *cb_arg);
+void    ERR_load_BN_strings(void );
+
+BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w);
+BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w);
+void     bn_sqr_words(BN_ULONG *rp, BN_ULONG *ap, int num);
+BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d);
+BN_ULONG bn_add_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num);
+BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num);
+
+BN_MONT_CTX *BN_MONT_CTX_new(void );
+void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
+int BN_mod_mul_montgomery(BIGNUM *r,BIGNUM *a,BIGNUM *b,BN_MONT_CTX *mont,
+                          BN_CTX *ctx);
+int BN_from_montgomery(BIGNUM *r,BIGNUM *a,BN_MONT_CTX *mont,BN_CTX *ctx);
+void BN_MONT_CTX_free(BN_MONT_CTX *mont);
+int BN_MONT_CTX_set(BN_MONT_CTX *mont,const BIGNUM *modulus,BN_CTX *ctx);
+BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to,BN_MONT_CTX *from);
+
+BN_BLINDING *BN_BLINDING_new(BIGNUM *A,BIGNUM *Ai,BIGNUM *mod);
+void BN_BLINDING_free(BN_BLINDING *b);
+int BN_BLINDING_update(BN_BLINDING *b,BN_CTX *ctx);
+int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *r, BN_CTX *ctx);
+int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
+
+void BN_set_params(int mul,int high,int low,int mont);
+int BN_get_params(int which); /* 0, mul, 1 high, 2 low, 3 mont */
+
+void    BN_RECP_CTX_init(BN_RECP_CTX *recp);
+BN_RECP_CTX *BN_RECP_CTX_new(void);
+void    BN_RECP_CTX_free(BN_RECP_CTX *recp);
+int     BN_RECP_CTX_set(BN_RECP_CTX *recp,const BIGNUM *rdiv,BN_CTX *ctx);
+int     BN_mod_mul_reciprocal(BIGNUM *r, BIGNUM *x, BIGNUM *y,
+                BN_RECP_CTX *recp,BN_CTX *ctx);
+int     BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+                        const BIGNUM *m, BN_CTX *ctx);
+int     BN_div_recp(BIGNUM *dv, BIGNUM *rem, BIGNUM *m,
+                BN_RECP_CTX *recp, BN_CTX *ctx);
+
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the BN functions. */
+
+/* Function codes. */
+#define BN_F_BN_BLINDING_CONVERT                         100
+#define BN_F_BN_BLINDING_INVERT                          101
+#define BN_F_BN_BLINDING_NEW                             102
+#define BN_F_BN_BLINDING_UPDATE                          103
+#define BN_F_BN_BN2DEC                                   104
+#define BN_F_BN_BN2HEX                                   105
+#define BN_F_BN_CTX_NEW                                  106
+#define BN_F_BN_DIV                                      107
+#define BN_F_BN_EXPAND2                                  108
+#define BN_F_BN_MOD_EXP_MONT                             109
+#define BN_F_BN_MOD_INVERSE                              110
+#define BN_F_BN_MOD_MUL_RECIPROCAL                       111
+#define BN_F_BN_MPI2BN                                   112
+#define BN_F_BN_NEW                                      113
+#define BN_F_BN_RAND                                     114
+#define BN_F_BN_USUB                                     115
+
+/* Reason codes. */
+#define BN_R_ARG2_LT_ARG3                                100
+#define BN_R_BAD_RECIPROCAL                              101
+#define BN_R_CALLED_WITH_EVEN_MODULUS                    102
+#define BN_R_DIV_BY_ZERO                                 103
+#define BN_R_ENCODING_ERROR                              104
+#define BN_R_EXPAND_ON_STATIC_BIGNUM_DATA                105
+#define BN_R_INVALID_LENGTH                              106
+#define BN_R_NOT_INITIALIZED                             107
+#define BN_R_NO_INVERSE                                  108
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/src/lib/libssl/src/crypto/bn/bn.mul b/src/lib/libssl/src/crypto/bn/bn.mul
new file mode 100644
index 0000000000..9728870d38
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/bn.mul
@@ -0,0 +1,19 @@
+We need
+
+* bn_mul_comba8
+* bn_mul_comba4
+* bn_mul_normal
+* bn_mul_recursive
+
+* bn_sqr_comba8
+* bn_sqr_comba4
+bn_sqr_normal -> BN_sqr
+* bn_sqr_recursive
+
+* bn_mul_low_recursive
+* bn_mul_low_normal
+* bn_mul_high
+
+* bn_mul_part_recursive # symetric but not power of 2
+
+bn_mul_asymetric_recursive # uneven, but do the chop up.
diff --git a/src/lib/libssl/src/crypto/bn/bn_asm.c b/src/lib/libssl/src/crypto/bn/bn_asm.c
new file mode 100644
index 0000000000..4d3da16a0c
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/bn_asm.c
@@ -0,0 +1,802 @@
+/* crypto/bn/bn_asm.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+#ifdef BN_LLONG 
+
+BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
+        {
+        BN_ULONG c1=0;
+
+        bn_check_num(num);
+        if (num <= 0) return(c1);
+
+        for (;;)
+                {
+                mul_add(rp[0],ap[0],w,c1);
+                if (--num == 0) break;
+                mul_add(rp[1],ap[1],w,c1);
+                if (--num == 0) break;
+                mul_add(rp[2],ap[2],w,c1);
+                if (--num == 0) break;
+                mul_add(rp[3],ap[3],w,c1);
+                if (--num == 0) break;
+                ap+=4;
+                rp+=4;
+                }
+        
+        return(c1);
+        } 
+
+BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
+        {
+        BN_ULONG c1=0;
+
+        bn_check_num(num);
+        if (num <= 0) return(c1);
+
+        /* for (;;) */
+        while (1) /* circumvent egcs-1.1.2 bug */
+                {
+                mul(rp[0],ap[0],w,c1);
+                if (--num == 0) break;
+                mul(rp[1],ap[1],w,c1);
+                if (--num == 0) break;
+                mul(rp[2],ap[2],w,c1);
+                if (--num == 0) break;
+                mul(rp[3],ap[3],w,c1);
+                if (--num == 0) break;
+                ap+=4;
+                rp+=4;
+                }
+        return(c1);
+        } 
+
+void bn_sqr_words(BN_ULONG *r, BN_ULONG *a, int n)
+        {
+        bn_check_num(n);
+        if (n <= 0) return;
+        for (;;)
+                {
+                BN_ULLONG t;
+
+                t=(BN_ULLONG)(a[0])*(a[0]);
+                r[0]=Lw(t); r[1]=Hw(t);
+                if (--n == 0) break;
+
+                t=(BN_ULLONG)(a[1])*(a[1]);
+                r[2]=Lw(t); r[3]=Hw(t);
+                if (--n == 0) break;
+
+                t=(BN_ULLONG)(a[2])*(a[2]);
+                r[4]=Lw(t); r[5]=Hw(t);
+                if (--n == 0) break;
+
+                t=(BN_ULLONG)(a[3])*(a[3]);
+                r[6]=Lw(t); r[7]=Hw(t);
+                if (--n == 0) break;
+
+                a+=4;
+                r+=8;
+                }
+        }
+
+#else
+
+BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
+        {
+        BN_ULONG c=0;
+        BN_ULONG bl,bh;
+
+        bn_check_num(num);
+        if (num <= 0) return((BN_ULONG)0);
+
+        bl=LBITS(w);
+        bh=HBITS(w);
+
+        for (;;)
+                {
+                mul_add(rp[0],ap[0],bl,bh,c);
+                if (--num == 0) break;
+                mul_add(rp[1],ap[1],bl,bh,c);
+                if (--num == 0) break;
+                mul_add(rp[2],ap[2],bl,bh,c);
+                if (--num == 0) break;
+                mul_add(rp[3],ap[3],bl,bh,c);
+                if (--num == 0) break;
+                ap+=4;
+                rp+=4;
+                }
+        return(c);
+        } 
+
+BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
+        {
+        BN_ULONG carry=0;
+        BN_ULONG bl,bh;
+
+        bn_check_num(num);
+        if (num <= 0) return((BN_ULONG)0);
+
+        bl=LBITS(w);
+        bh=HBITS(w);
+
+        for (;;)
+                {
+                mul(rp[0],ap[0],bl,bh,carry);
+                if (--num == 0) break;
+                mul(rp[1],ap[1],bl,bh,carry);
+                if (--num == 0) break;
+                mul(rp[2],ap[2],bl,bh,carry);
+                if (--num == 0) break;
+                mul(rp[3],ap[3],bl,bh,carry);
+                if (--num == 0) break;
+                ap+=4;
+                rp+=4;
+                }
+        return(carry);
+        } 
+
+void bn_sqr_words(BN_ULONG *r, BN_ULONG *a, int n)
+        {
+        bn_check_num(n);
+        if (n <= 0) return;
+        for (;;)
+                {
+                sqr64(r[0],r[1],a[0]);
+                if (--n == 0) break;
+
+                sqr64(r[2],r[3],a[1]);
+                if (--n == 0) break;
+
+                sqr64(r[4],r[5],a[2]);
+                if (--n == 0) break;
+
+                sqr64(r[6],r[7],a[3]);
+                if (--n == 0) break;
+
+                a+=4;
+                r+=8;
+                }
+        }
+
+#endif
+
+#if defined(BN_LLONG) && defined(BN_DIV2W)
+
+BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d)
+        {
+        return((BN_ULONG)(((((BN_ULLONG)h)<<BN_BITS2)|l)/(BN_ULLONG)d));
+        }
+
+#else
+
+/* Divide h-l by d and return the result. */
+/* I need to test this some more :-( */
+BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d)
+        {
+        BN_ULONG dh,dl,q,ret=0,th,tl,t;
+        int i,count=2;
+
+        if (d == 0) return(BN_MASK2);
+
+        i=BN_num_bits_word(d);
+        if ((i != BN_BITS2) && (h > (BN_ULONG)1<<i))
+                {
+#if !defined(NO_STDIO) && !defined(WIN16)
+                fprintf(stderr,"Division would overflow (%d)\n",i);
+#endif
+                abort();
+                }
+        i=BN_BITS2-i;
+        if (h >= d) h-=d;
+
+        if (i)
+                {
+                d<<=i;
+                h=(h<<i)|(l>>(BN_BITS2-i));
+                l<<=i;
+                }
+        dh=(d&BN_MASK2h)>>BN_BITS4;
+        dl=(d&BN_MASK2l);
+        for (;;)
+                {
+                if ((h>>BN_BITS4) == dh)
+                        q=BN_MASK2l;
+                else
+                        q=h/dh;
+
+                th=q*dh;
+                tl=dl*q;
+                for (;;)
+                        {
+                        t=h-th;
+                        if ((t&BN_MASK2h) ||
+                                ((tl) <= (
+                                        (t<<BN_BITS4)|
+                                        ((l&BN_MASK2h)>>BN_BITS4))))
+                                break;
+                        q--;
+                        th-=dh;
+                        tl-=dl;
+                        }
+                t=(tl>>BN_BITS4);
+                tl=(tl<<BN_BITS4)&BN_MASK2h;
+                th+=t;
+
+                if (l < tl) th++;
+                l-=tl;
+                if (h < th)
+                        {
+                        h+=d;
+                        q--;
+                        }
+                h-=th;
+
+                if (--count == 0) break;
+
+                ret=q<<BN_BITS4;
+                h=((h<<BN_BITS4)|(l>>BN_BITS4))&BN_MASK2;
+                l=(l&BN_MASK2l)<<BN_BITS4;
+                }
+        ret|=q;
+        return(ret);
+        }
+#endif
+
+#ifdef BN_LLONG
+BN_ULONG bn_add_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
+        {
+        BN_ULLONG ll=0;
+
+        bn_check_num(n);
+        if (n <= 0) return((BN_ULONG)0);
+
+        for (;;)
+                {
+                ll+=(BN_ULLONG)a[0]+b[0];
+                r[0]=(BN_ULONG)ll&BN_MASK2;
+                ll>>=BN_BITS2;
+                if (--n <= 0) break;
+
+                ll+=(BN_ULLONG)a[1]+b[1];
+                r[1]=(BN_ULONG)ll&BN_MASK2;
+                ll>>=BN_BITS2;
+                if (--n <= 0) break;
+
+                ll+=(BN_ULLONG)a[2]+b[2];
+                r[2]=(BN_ULONG)ll&BN_MASK2;
+                ll>>=BN_BITS2;
+                if (--n <= 0) break;
+
+                ll+=(BN_ULLONG)a[3]+b[3];
+                r[3]=(BN_ULONG)ll&BN_MASK2;
+                ll>>=BN_BITS2;
+                if (--n <= 0) break;
+
+                a+=4;
+                b+=4;
+                r+=4;
+                }
+        return((BN_ULONG)ll);
+        }
+#else
+BN_ULONG bn_add_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
+        {
+        BN_ULONG c,l,t;
+
+        bn_check_num(n);
+        if (n <= 0) return((BN_ULONG)0);
+
+        c=0;
+        for (;;)
+                {
+                t=a[0];
+                t=(t+c)&BN_MASK2;
+                c=(t < c);
+                l=(t+b[0])&BN_MASK2;
+                c+=(l < t);
+                r[0]=l;
+                if (--n <= 0) break;
+
+                t=a[1];
+                t=(t+c)&BN_MASK2;
+                c=(t < c);
+                l=(t+b[1])&BN_MASK2;
+                c+=(l < t);
+                r[1]=l;
+                if (--n <= 0) break;
+
+                t=a[2];
+                t=(t+c)&BN_MASK2;
+                c=(t < c);
+                l=(t+b[2])&BN_MASK2;
+                c+=(l < t);
+                r[2]=l;
+                if (--n <= 0) break;
+
+                t=a[3];
+                t=(t+c)&BN_MASK2;
+                c=(t < c);
+                l=(t+b[3])&BN_MASK2;
+                c+=(l < t);
+                r[3]=l;
+                if (--n <= 0) break;
+
+                a+=4;
+                b+=4;
+                r+=4;
+                }
+        return((BN_ULONG)c);
+        }
+#endif
+
+BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
+        {
+        BN_ULONG t1,t2;
+        int c=0;
+
+        bn_check_num(n);
+        if (n <= 0) return((BN_ULONG)0);
+
+        for (;;)
+                {
+                t1=a[0]; t2=b[0];
+                r[0]=(t1-t2-c)&BN_MASK2;
+                if (t1 != t2) c=(t1 < t2);
+                if (--n <= 0) break;
+
+                t1=a[1]; t2=b[1];
+                r[1]=(t1-t2-c)&BN_MASK2;
+                if (t1 != t2) c=(t1 < t2);
+                if (--n <= 0) break;
+
+                t1=a[2]; t2=b[2];
+                r[2]=(t1-t2-c)&BN_MASK2;
+                if (t1 != t2) c=(t1 < t2);
+                if (--n <= 0) break;
+
+                t1=a[3]; t2=b[3];
+                r[3]=(t1-t2-c)&BN_MASK2;
+                if (t1 != t2) c=(t1 < t2);
+                if (--n <= 0) break;
+
+                a+=4;
+                b+=4;
+                r+=4;
+                }
+        return(c);
+        }
+
+#ifdef BN_MUL_COMBA
+
+#undef bn_mul_comba8
+#undef bn_mul_comba4
+#undef bn_sqr_comba8
+#undef bn_sqr_comba4
+
+#ifdef BN_LLONG
+#define mul_add_c(a,b,c0,c1,c2) \
+        t=(BN_ULLONG)a*b; \
+        t1=(BN_ULONG)Lw(t); \
+        t2=(BN_ULONG)Hw(t); \
+        c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \
+        c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define mul_add_c2(a,b,c0,c1,c2) \
+        t=(BN_ULLONG)a*b; \
+        tt=(t+t)&BN_MASK; \
+        if (tt < t) c2++; \
+        t1=(BN_ULONG)Lw(tt); \
+        t2=(BN_ULONG)Hw(tt); \
+        c0=(c0+t1)&BN_MASK2;  \
+        if ((c0 < t1) && (((++t2)&BN_MASK2) == 0)) c2++; \
+        c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define sqr_add_c(a,i,c0,c1,c2) \
+        t=(BN_ULLONG)a[i]*a[i]; \
+        t1=(BN_ULONG)Lw(t); \
+        t2=(BN_ULONG)Hw(t); \
+        c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \
+        c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define sqr_add_c2(a,i,j,c0,c1,c2) \
+        mul_add_c2((a)[i],(a)[j],c0,c1,c2)
+#else
+#define mul_add_c(a,b,c0,c1,c2) \
+        t1=LBITS(a); t2=HBITS(a); \
+        bl=LBITS(b); bh=HBITS(b); \
+        mul64(t1,t2,bl,bh); \
+        c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \
+        c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define mul_add_c2(a,b,c0,c1,c2) \
+        t1=LBITS(a); t2=HBITS(a); \
+        bl=LBITS(b); bh=HBITS(b); \
+        mul64(t1,t2,bl,bh); \
+        if (t2 & BN_TBIT) c2++; \
+        t2=(t2+t2)&BN_MASK2; \
+        if (t1 & BN_TBIT) t2++; \
+        t1=(t1+t1)&BN_MASK2; \
+        c0=(c0+t1)&BN_MASK2;  \
+        if ((c0 < t1) && (((++t2)&BN_MASK2) == 0)) c2++; \
+        c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define sqr_add_c(a,i,c0,c1,c2) \
+        sqr64(t1,t2,(a)[i]); \
+        c0=(c0+t1)&BN_MASK2; if ((c0) < t1) t2++; \
+        c1=(c1+t2)&BN_MASK2; if ((c1) < t2) c2++;
+
+#define sqr_add_c2(a,i,j,c0,c1,c2) \
+        mul_add_c2((a)[i],(a)[j],c0,c1,c2)
+#endif
+
+void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+        {
+#ifdef BN_LLONG
+        BN_ULLONG t;
+#else
+        BN_ULONG bl,bh;
+#endif
+        BN_ULONG t1,t2;
+        BN_ULONG c1,c2,c3;
+
+        c1=0;
+        c2=0;
+        c3=0;
+        mul_add_c(a[0],b[0],c1,c2,c3);
+        r[0]=c1;
+        c1=0;
+        mul_add_c(a[0],b[1],c2,c3,c1);
+        mul_add_c(a[1],b[0],c2,c3,c1);
+        r[1]=c2;
+        c2=0;
+        mul_add_c(a[2],b[0],c3,c1,c2);
+        mul_add_c(a[1],b[1],c3,c1,c2);
+        mul_add_c(a[0],b[2],c3,c1,c2);
+        r[2]=c3;
+        c3=0;
+        mul_add_c(a[0],b[3],c1,c2,c3);
+        mul_add_c(a[1],b[2],c1,c2,c3);
+        mul_add_c(a[2],b[1],c1,c2,c3);
+        mul_add_c(a[3],b[0],c1,c2,c3);
+        r[3]=c1;
+        c1=0;
+        mul_add_c(a[4],b[0],c2,c3,c1);
+        mul_add_c(a[3],b[1],c2,c3,c1);
+        mul_add_c(a[2],b[2],c2,c3,c1);
+        mul_add_c(a[1],b[3],c2,c3,c1);
+        mul_add_c(a[0],b[4],c2,c3,c1);
+        r[4]=c2;
+        c2=0;
+        mul_add_c(a[0],b[5],c3,c1,c2);
+        mul_add_c(a[1],b[4],c3,c1,c2);
+        mul_add_c(a[2],b[3],c3,c1,c2);
+        mul_add_c(a[3],b[2],c3,c1,c2);
+        mul_add_c(a[4],b[1],c3,c1,c2);
+        mul_add_c(a[5],b[0],c3,c1,c2);
+        r[5]=c3;
+        c3=0;
+        mul_add_c(a[6],b[0],c1,c2,c3);
+        mul_add_c(a[5],b[1],c1,c2,c3);
+        mul_add_c(a[4],b[2],c1,c2,c3);
+        mul_add_c(a[3],b[3],c1,c2,c3);
+        mul_add_c(a[2],b[4],c1,c2,c3);
+        mul_add_c(a[1],b[5],c1,c2,c3);
+        mul_add_c(a[0],b[6],c1,c2,c3);
+        r[6]=c1;
+        c1=0;
+        mul_add_c(a[0],b[7],c2,c3,c1);
+        mul_add_c(a[1],b[6],c2,c3,c1);
+        mul_add_c(a[2],b[5],c2,c3,c1);
+        mul_add_c(a[3],b[4],c2,c3,c1);
+        mul_add_c(a[4],b[3],c2,c3,c1);
+        mul_add_c(a[5],b[2],c2,c3,c1);
+        mul_add_c(a[6],b[1],c2,c3,c1);
+        mul_add_c(a[7],b[0],c2,c3,c1);
+        r[7]=c2;
+        c2=0;
+        mul_add_c(a[7],b[1],c3,c1,c2);
+        mul_add_c(a[6],b[2],c3,c1,c2);
+        mul_add_c(a[5],b[3],c3,c1,c2);
+        mul_add_c(a[4],b[4],c3,c1,c2);
+        mul_add_c(a[3],b[5],c3,c1,c2);
+        mul_add_c(a[2],b[6],c3,c1,c2);
+        mul_add_c(a[1],b[7],c3,c1,c2);
+        r[8]=c3;
+        c3=0;
+        mul_add_c(a[2],b[7],c1,c2,c3);
+        mul_add_c(a[3],b[6],c1,c2,c3);
+        mul_add_c(a[4],b[5],c1,c2,c3);
+        mul_add_c(a[5],b[4],c1,c2,c3);
+        mul_add_c(a[6],b[3],c1,c2,c3);
+        mul_add_c(a[7],b[2],c1,c2,c3);
+        r[9]=c1;
+        c1=0;
+        mul_add_c(a[7],b[3],c2,c3,c1);
+        mul_add_c(a[6],b[4],c2,c3,c1);
+        mul_add_c(a[5],b[5],c2,c3,c1);
+        mul_add_c(a[4],b[6],c2,c3,c1);
+        mul_add_c(a[3],b[7],c2,c3,c1);
+        r[10]=c2;
+        c2=0;
+        mul_add_c(a[4],b[7],c3,c1,c2);
+        mul_add_c(a[5],b[6],c3,c1,c2);
+        mul_add_c(a[6],b[5],c3,c1,c2);
+        mul_add_c(a[7],b[4],c3,c1,c2);
+        r[11]=c3;
+        c3=0;
+        mul_add_c(a[7],b[5],c1,c2,c3);
+        mul_add_c(a[6],b[6],c1,c2,c3);
+        mul_add_c(a[5],b[7],c1,c2,c3);
+        r[12]=c1;
+        c1=0;
+        mul_add_c(a[6],b[7],c2,c3,c1);
+        mul_add_c(a[7],b[6],c2,c3,c1);
+        r[13]=c2;
+        c2=0;
+        mul_add_c(a[7],b[7],c3,c1,c2);
+        r[14]=c3;
+        r[15]=c1;
+        }
+
+void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+        {
+#ifdef BN_LLONG
+        BN_ULLONG t;
+#else
+        BN_ULONG bl,bh;
+#endif
+        BN_ULONG t1,t2;
+        BN_ULONG c1,c2,c3;
+
+        c1=0;
+        c2=0;
+        c3=0;
+        mul_add_c(a[0],b[0],c1,c2,c3);
+        r[0]=c1;
+        c1=0;
+        mul_add_c(a[0],b[1],c2,c3,c1);
+        mul_add_c(a[1],b[0],c2,c3,c1);
+        r[1]=c2;
+        c2=0;
+        mul_add_c(a[2],b[0],c3,c1,c2);
+        mul_add_c(a[1],b[1],c3,c1,c2);
+        mul_add_c(a[0],b[2],c3,c1,c2);
+        r[2]=c3;
+        c3=0;
+        mul_add_c(a[0],b[3],c1,c2,c3);
+        mul_add_c(a[1],b[2],c1,c2,c3);
+        mul_add_c(a[2],b[1],c1,c2,c3);
+        mul_add_c(a[3],b[0],c1,c2,c3);
+        r[3]=c1;
+        c1=0;
+        mul_add_c(a[3],b[1],c2,c3,c1);
+        mul_add_c(a[2],b[2],c2,c3,c1);
+        mul_add_c(a[1],b[3],c2,c3,c1);
+        r[4]=c2;
+        c2=0;
+        mul_add_c(a[2],b[3],c3,c1,c2);
+        mul_add_c(a[3],b[2],c3,c1,c2);
+        r[5]=c3;
+        c3=0;
+        mul_add_c(a[3],b[3],c1,c2,c3);
+        r[6]=c1;
+        r[7]=c2;
+        }
+
+void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a)
+        {
+#ifdef BN_LLONG
+        BN_ULLONG t,tt;
+#else
+        BN_ULONG bl,bh;
+#endif
+        BN_ULONG t1,t2;
+        BN_ULONG c1,c2,c3;
+
+        c1=0;
+        c2=0;
+        c3=0;
+        sqr_add_c(a,0,c1,c2,c3);
+        r[0]=c1;
+        c1=0;
+        sqr_add_c2(a,1,0,c2,c3,c1);
+        r[1]=c2;
+        c2=0;
+        sqr_add_c(a,1,c3,c1,c2);
+        sqr_add_c2(a,2,0,c3,c1,c2);
+        r[2]=c3;
+        c3=0;
+        sqr_add_c2(a,3,0,c1,c2,c3);
+        sqr_add_c2(a,2,1,c1,c2,c3);
+        r[3]=c1;
+        c1=0;
+        sqr_add_c(a,2,c2,c3,c1);
+        sqr_add_c2(a,3,1,c2,c3,c1);
+        sqr_add_c2(a,4,0,c2,c3,c1);
+        r[4]=c2;
+        c2=0;
+        sqr_add_c2(a,5,0,c3,c1,c2);
+        sqr_add_c2(a,4,1,c3,c1,c2);
+        sqr_add_c2(a,3,2,c3,c1,c2);
+        r[5]=c3;
+        c3=0;
+        sqr_add_c(a,3,c1,c2,c3);
+        sqr_add_c2(a,4,2,c1,c2,c3);
+        sqr_add_c2(a,5,1,c1,c2,c3);
+        sqr_add_c2(a,6,0,c1,c2,c3);
+        r[6]=c1;
+        c1=0;
+        sqr_add_c2(a,7,0,c2,c3,c1);
+        sqr_add_c2(a,6,1,c2,c3,c1);
+        sqr_add_c2(a,5,2,c2,c3,c1);
+        sqr_add_c2(a,4,3,c2,c3,c1);
+        r[7]=c2;
+        c2=0;
+        sqr_add_c(a,4,c3,c1,c2);
+        sqr_add_c2(a,5,3,c3,c1,c2);
+        sqr_add_c2(a,6,2,c3,c1,c2);
+        sqr_add_c2(a,7,1,c3,c1,c2);
+        r[8]=c3;
+        c3=0;
+        sqr_add_c2(a,7,2,c1,c2,c3);
+        sqr_add_c2(a,6,3,c1,c2,c3);
+        sqr_add_c2(a,5,4,c1,c2,c3);
+        r[9]=c1;
+        c1=0;
+        sqr_add_c(a,5,c2,c3,c1);
+        sqr_add_c2(a,6,4,c2,c3,c1);
+        sqr_add_c2(a,7,3,c2,c3,c1);
+        r[10]=c2;
+        c2=0;
+        sqr_add_c2(a,7,4,c3,c1,c2);
+        sqr_add_c2(a,6,5,c3,c1,c2);
+        r[11]=c3;
+        c3=0;
+        sqr_add_c(a,6,c1,c2,c3);
+        sqr_add_c2(a,7,5,c1,c2,c3);
+        r[12]=c1;
+        c1=0;
+        sqr_add_c2(a,7,6,c2,c3,c1);
+        r[13]=c2;
+        c2=0;
+        sqr_add_c(a,7,c3,c1,c2);
+        r[14]=c3;
+        r[15]=c1;
+        }
+
+void bn_sqr_comba4(BN_ULONG *r, BN_ULONG *a)
+        {
+#ifdef BN_LLONG
+        BN_ULLONG t,tt;
+#else
+        BN_ULONG bl,bh;
+#endif
+        BN_ULONG t1,t2;
+        BN_ULONG c1,c2,c3;
+
+        c1=0;
+        c2=0;
+        c3=0;
+        sqr_add_c(a,0,c1,c2,c3);
+        r[0]=c1;
+        c1=0;
+        sqr_add_c2(a,1,0,c2,c3,c1);
+        r[1]=c2;
+        c2=0;
+        sqr_add_c(a,1,c3,c1,c2);
+        sqr_add_c2(a,2,0,c3,c1,c2);
+        r[2]=c3;
+        c3=0;
+        sqr_add_c2(a,3,0,c1,c2,c3);
+        sqr_add_c2(a,2,1,c1,c2,c3);
+        r[3]=c1;
+        c1=0;
+        sqr_add_c(a,2,c2,c3,c1);
+        sqr_add_c2(a,3,1,c2,c3,c1);
+        r[4]=c2;
+        c2=0;
+        sqr_add_c2(a,3,2,c3,c1,c2);
+        r[5]=c3;
+        c3=0;
+        sqr_add_c(a,3,c1,c2,c3);
+        r[6]=c1;
+        r[7]=c2;
+        }
+#else
+
+/* hmm... is it faster just to do a multiply? */
+#undef bn_sqr_comba4
+void bn_sqr_comba4(BN_ULONG *r, BN_ULONG *a)
+        {
+        BN_ULONG t[8];
+        bn_sqr_normal(r,a,4,t);
+        }
+
+#undef bn_sqr_comba8
+void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a)
+        {
+        BN_ULONG t[16];
+        bn_sqr_normal(r,a,8,t);
+        }
+
+void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+        {
+        r[4]=bn_mul_words(    &(r[0]),a,4,b[0]);
+        r[5]=bn_mul_add_words(&(r[1]),a,4,b[1]);
+        r[6]=bn_mul_add_words(&(r[2]),a,4,b[2]);
+        r[7]=bn_mul_add_words(&(r[3]),a,4,b[3]);
+        }
+
+void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+        {
+        r[ 8]=bn_mul_words(    &(r[0]),a,8,b[0]);
+        r[ 9]=bn_mul_add_words(&(r[1]),a,8,b[1]);
+        r[10]=bn_mul_add_words(&(r[2]),a,8,b[2]);
+        r[11]=bn_mul_add_words(&(r[3]),a,8,b[3]);
+        r[12]=bn_mul_add_words(&(r[4]),a,8,b[4]);
+        r[13]=bn_mul_add_words(&(r[5]),a,8,b[5]);
+        r[14]=bn_mul_add_words(&(r[6]),a,8,b[6]);
+        r[15]=bn_mul_add_words(&(r[7]),a,8,b[7]);
+        }
+
+#endif /* BN_COMBA */
diff --git a/src/lib/libssl/src/crypto/bn/bn_ctx.c b/src/lib/libssl/src/crypto/bn/bn_ctx.c
new file mode 100644
index 0000000000..46132fd180
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/bn_ctx.c
@@ -0,0 +1,144 @@
+/* crypto/bn/bn_ctx.c */
+/* Written by Ulf Moeller for the OpenSSL project. */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef BN_CTX_DEBUG
+# undef NDEBUG /* avoid conflicting definitions */
+# define NDEBUG
+#endif
+
+#include <stdio.h>
+#include <assert.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+
+
+BN_CTX *BN_CTX_new(void)
+        {
+        BN_CTX *ret;
+
+        ret=(BN_CTX *)Malloc(sizeof(BN_CTX));
+        if (ret == NULL)
+                {
+                BNerr(BN_F_BN_CTX_NEW,ERR_R_MALLOC_FAILURE);
+                return(NULL);
+                }
+
+        BN_CTX_init(ret);
+        ret->flags=BN_FLG_MALLOCED;
+        return(ret);
+        }
+
+void BN_CTX_init(BN_CTX *ctx)
+        {
+        int i;
+        ctx->tos = 0;
+        ctx->flags = 0;
+        ctx->depth = 0;
+        ctx->too_many = 0;
+        for (i = 0; i < BN_CTX_NUM; i++)
+                BN_init(&(ctx->bn[i]));
+        }
+
+void BN_CTX_free(BN_CTX *ctx)
+        {
+        int i;
+
+        if (ctx == NULL) return;
+        assert(ctx->depth == 0);
+
+        for (i=0; i < BN_CTX_NUM; i++)
+                BN_clear_free(&(ctx->bn[i]));
+        if (ctx->flags & BN_FLG_MALLOCED)
+                Free(ctx);
+        }
+
+void BN_CTX_start(BN_CTX *ctx)
+        {
+        if (ctx->depth < BN_CTX_NUM_POS)
+                ctx->pos[ctx->depth] = ctx->tos;
+        ctx->depth++;
+        }
+
+BIGNUM *BN_CTX_get(BN_CTX *ctx)
+        {
+        if (ctx->depth > BN_CTX_NUM_POS || ctx->tos >= BN_CTX_NUM)
+                {
+                if (!ctx->too_many)
+                        {
+                        BNerr(BN_F_BN_CTX_GET,BN_R_TOO_MANY_TEMPORARY_VARIABLES);
+                        /* disable error code until BN_CTX_end is called: */
+                        ctx->too_many = 1;
+                        }
+                return NULL;
+                }
+        return (&(ctx->bn[ctx->tos++]));
+        }
+
+void BN_CTX_end(BN_CTX *ctx)
+        {
+        if (ctx == NULL) return;
+        assert(ctx->depth > 0);
+        if (ctx->depth == 0)
+                /* should never happen, but we can tolerate it if not in
+                 * debug mode (could be a 'goto err' in the calling function
+                 * before BN_CTX_start was reached) */
+                BN_CTX_start(ctx);
+
+        ctx->too_many = 0;
+        ctx->depth--;
+        if (ctx->depth < BN_CTX_NUM_POS)
+                ctx->tos = ctx->pos[ctx->depth];
+        }
diff --git a/src/lib/libssl/src/crypto/bn/bn_exp2.c b/src/lib/libssl/src/crypto/bn/bn_exp2.c
new file mode 100644
index 0000000000..1132d53365
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/bn_exp2.c
@@ -0,0 +1,195 @@
+#include <stdio.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+/* I've done some timing with different table sizes.
+ * The main hassle is that even with bits set at 3, this requires
+ * 63 BIGNUMs to store the pre-calculated values.
+ *          512   1024 
+ * bits=1  75.4%  79.4%
+ * bits=2  61.2%  62.4%
+ * bits=3  61.3%  59.3%
+ * The lack of speed improvment is also a function of the pre-calculation
+ * which could be removed.
+ */
+#define EXP2_TABLE_BITS 2 /* 1  2  3  4  5  */
+#define EXP2_TABLE_SIZE 4 /* 2  4  8 16 32  */
+
+int BN_mod_exp2_mont(BIGNUM *rr, BIGNUM *a1, BIGNUM *p1, BIGNUM *a2,
+             BIGNUM *p2, BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
+        {
+        int i,j,k,bits,bits1,bits2,ret=0,wstart,wend,window,xvalue,yvalue;
+        int start=1,ts=0,x,y;
+        BIGNUM *d,*aa1,*aa2,*r;
+        BIGNUM val[EXP2_TABLE_SIZE][EXP2_TABLE_SIZE];
+        BN_MONT_CTX *mont=NULL;
+
+        bn_check_top(a1);
+        bn_check_top(p1);
+        bn_check_top(a2);
+        bn_check_top(p2);
+        bn_check_top(m);
+
+        if (!(m->d[0] & 1))
+                {
+                BNerr(BN_F_BN_MOD_EXP_MONT,BN_R_CALLED_WITH_EVEN_MODULUS);
+                return(0);
+                }
+        d= &(ctx->bn[ctx->tos++]);
+        r= &(ctx->bn[ctx->tos++]);
+        bits1=BN_num_bits(p1);
+        bits2=BN_num_bits(p2);
+        if ((bits1 == 0) && (bits2 == 0))
+                {
+                BN_one(r);
+                return(1);
+                }
+        bits=(bits1 > bits2)?bits1:bits2;
+
+        /* If this is not done, things will break in the montgomery
+         * part */
+
+        if (in_mont != NULL)
+                mont=in_mont;
+        else
+                {
+                if ((mont=BN_MONT_CTX_new()) == NULL) goto err;
+                if (!BN_MONT_CTX_set(mont,m,ctx)) goto err;
+                }
+
+        BN_init(&(val[0][0]));
+        BN_init(&(val[1][1]));
+        BN_init(&(val[0][1]));
+        BN_init(&(val[1][0]));
+        ts=1;
+        if (BN_ucmp(a1,m) >= 0)
+                {
+                BN_mod(&(val[1][0]),a1,m,ctx);
+                aa1= &(val[1][0]);
+                }
+        else
+                aa1=a1;
+        if (BN_ucmp(a2,m) >= 0)
+                {
+                BN_mod(&(val[0][1]),a2,m,ctx);
+                aa2= &(val[0][1]);
+                }
+        else
+                aa2=a2;
+        if (!BN_to_montgomery(&(val[1][0]),aa1,mont,ctx)) goto err;
+        if (!BN_to_montgomery(&(val[0][1]),aa2,mont,ctx)) goto err;
+        if (!BN_mod_mul_montgomery(&(val[1][1]),
+                &(val[1][0]),&(val[0][1]),mont,ctx))
+                goto err;
+
+#if 0
+        if (bits <= 20) /* This is probably 3 or 0x10001, so just do singles */
+                window=1;
+        else if (bits > 250)
+                window=5;       /* max size of window */
+        else if (bits >= 120)
+                window=4;
+        else
+                window=3;
+#else
+        window=EXP2_TABLE_BITS;
+#endif
+
+        k=1<<window;
+        for (x=0; x<k; x++)
+                {
+                if (x >= 2)
+                        {
+                        BN_init(&(val[x][0]));
+                        BN_init(&(val[x][1]));
+                        if (!BN_mod_mul_montgomery(&(val[x][0]),
+                                &(val[1][0]),&(val[x-1][0]),mont,ctx)) goto err;
+                        if (!BN_mod_mul_montgomery(&(val[x][1]),
+                                &(val[1][0]),&(val[x-1][1]),mont,ctx)) goto err;
+                        }
+                for (y=2; y<k; y++)
+                        {
+                        BN_init(&(val[x][y]));
+                        if (!BN_mod_mul_montgomery(&(val[x][y]),
+                                &(val[x][y-1]),&(val[0][1]),mont,ctx))
+                                goto err;
+                        }
+                }
+        ts=k;
+
+        start=1;        /* This is used to avoid multiplication etc
+                         * when there is only the value '1' in the
+                         * buffer. */
+        xvalue=0;       /* The 'x value' of the window */
+        yvalue=0;       /* The 'y value' of the window */
+        wstart=bits-1;  /* The top bit of the window */
+        wend=0;         /* The bottom bit of the window */
+
+        if (!BN_to_montgomery(r,BN_value_one(),mont,ctx)) goto err;
+        for (;;)
+                {
+                xvalue=BN_is_bit_set(p1,wstart);
+                yvalue=BN_is_bit_set(p2,wstart);
+                if (!(xvalue || yvalue))
+                        {
+                        if (!start)
+                                {
+                                if (!BN_mod_mul_montgomery(r,r,r,mont,ctx))
+                                        goto err;
+                                }
+                        wstart--;
+                        if (wstart < 0) break;
+                        continue;
+                        }
+                /* We now have wstart on a 'set' bit, we now need to work out
+                 * how bit a window to do.  To do this we need to scan
+                 * forward until the last set bit before the end of the
+                 * window */
+                j=wstart;
+                /* xvalue=BN_is_bit_set(p1,wstart); already set */
+                /* yvalue=BN_is_bit_set(p1,wstart); already set */
+                wend=0;
+                for (i=1; i<window; i++)
+                        {
+                        if (wstart-i < 0) break;
+                        xvalue+=xvalue;
+                        xvalue|=BN_is_bit_set(p1,wstart-i);
+                        yvalue+=yvalue;
+                        yvalue|=BN_is_bit_set(p2,wstart-i);
+                        }
+
+                /* i is the size of the current window */
+                /* add the 'bytes above' */
+                if (!start)
+                        for (j=0; j<i; j++)
+                                {
+                                if (!BN_mod_mul_montgomery(r,r,r,mont,ctx))
+                                        goto err;
+                                }
+                
+                /* wvalue will be an odd number < 2^window */
+                if (xvalue || yvalue)
+                        {
+                        if (!BN_mod_mul_montgomery(r,r,&(val[xvalue][yvalue]),
+                                mont,ctx)) goto err;
+                        }
+
+                /* move the 'window' down further */
+                wstart-=i;
+                start=0;
+                if (wstart < 0) break;
+                }
+        BN_from_montgomery(rr,r,mont,ctx);
+        ret=1;
+err:
+        if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
+        ctx->tos-=2;
+        for (i=0; i<ts; i++)
+                {
+                for (j=0; j<ts; j++)
+                        {
+                        BN_clear_free(&(val[i][j]));
+                        }
+                }
+        return(ret);
+        }
diff --git a/src/lib/libssl/src/crypto/bn/bn_kron.c b/src/lib/libssl/src/crypto/bn/bn_kron.c
new file mode 100644
index 0000000000..49f75594ae
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/bn_kron.c
@@ -0,0 +1,182 @@
+/* crypto/bn/bn_kron.c */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "bn_lcl.h"
+
+
+/* least significant word */
+#define BN_lsw(n) (((n)->top == 0) ? (BN_ULONG) 0 : (n)->d[0])
+
+/* Returns -2 for errors because both -1 and 0 are valid results. */
+int BN_kronecker(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+        {
+        int i;
+        int ret = -2; /* avoid 'uninitialized' warning */
+        int err = 0;
+        BIGNUM *A, *B, *tmp;
+        /* In 'tab', only odd-indexed entries are relevant:
+         * For any odd BIGNUM n,
+         *     tab[BN_lsw(n) & 7]
+         * is $(-1)^{(n^2-1)/8}$ (using TeX notation).
+         * Note that the sign of n does not matter.
+         */
+        static const int tab[8] = {0, 1, 0, -1, 0, -1, 0, 1};
+
+        BN_CTX_start(ctx);
+        A = BN_CTX_get(ctx);
+        B = BN_CTX_get(ctx);
+        if (B == NULL) goto end;
+        
+        err = !BN_copy(A, a);
+        if (err) goto end;
+        err = !BN_copy(B, b);
+        if (err) goto end;
+
+        /*
+         * Kronecker symbol, imlemented according to Henri Cohen,
+         * "A Course in Computational Algebraic Number Theory"
+         * (algorithm 1.4.10).
+         */
+
+        /* Cohen's step 1: */
+
+        if (BN_is_zero(B))
+                {
+                ret = BN_abs_is_word(A, 1);
+                goto end;
+                }
+        
+        /* Cohen's step 2: */
+
+        if (!BN_is_odd(A) && !BN_is_odd(B))
+                {
+                ret = 0;
+                goto end;
+                }
+
+        /* now  B  is non-zero */
+        i = 0;
+        while (!BN_is_bit_set(B, i))
+                i++;
+        err = !BN_rshift(B, B, i);
+        if (err) goto end;
+        if (i & 1)
+                {
+                /* i is odd */
+                /* (thus  B  was even, thus  A  must be odd!)  */
+
+                /* set 'ret' to $(-1)^{(A^2-1)/8}$ */
+                ret = tab[BN_lsw(A) & 7];
+                }
+        else
+                {
+                /* i is even */
+                ret = 1;
+                }
+        
+        if (B->neg)
+                {
+                B->neg = 0;
+                if (A->neg)
+                        ret = -ret;
+                }
+
+        /* now  B  is positive and odd, so what remains to be done is
+         * to compute the Jacobi symbol  (A/B)  and multiply it by 'ret' */
+
+        while (1)
+                {
+                /* Cohen's step 3: */
+
+                /*  B  is positive and odd */
+
+                if (BN_is_zero(A))
+                        {
+                        ret = BN_is_one(B) ? ret : 0;
+                        goto end;
+                        }
+
+                /* now  A  is non-zero */
+                i = 0;
+                while (!BN_is_bit_set(A, i))
+                        i++;
+                err = !BN_rshift(A, A, i);
+                if (err) goto end;
+                if (i & 1)
+                        {
+                        /* i is odd */
+                        /* multiply 'ret' by  $(-1)^{(B^2-1)/8}$ */
+                        ret = ret * tab[BN_lsw(B) & 7];
+                        }
+        
+                /* Cohen's step 4: */
+                /* multiply 'ret' by  $(-1)^{(A-1)(B-1)/4}$ */
+                if ((A->neg ? ~BN_lsw(A) : BN_lsw(A)) & BN_lsw(B) & 2)
+                        ret = -ret;
+                
+                /* (A, B) := (B mod |A|, |A|) */
+                err = !BN_nnmod(B, B, A, ctx);
+                if (err) goto end;
+                tmp = A; A = B; B = tmp;
+                tmp->neg = 0;
+                }
+        
+ end:
+        BN_CTX_end(ctx);
+        if (err)
+                return -2;
+        else
+                return ret;
+        }
diff --git a/src/lib/libssl/src/crypto/bn/bn_sqrt.c b/src/lib/libssl/src/crypto/bn/bn_sqrt.c
new file mode 100644
index 0000000000..e2a1105dc8
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/bn_sqrt.c
@@ -0,0 +1,387 @@
+/* crypto/bn/bn_mod.c */
+/* Written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
+ * and Bodo Moeller for the OpenSSL project. */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+
+BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) 
+/* Returns 'ret' such that
+ *      ret^2 == a (mod p),
+ * using the Tonelli/Shanks algorithm (cf. Henri Cohen, "A Course
+ * in Algebraic Computational Number Theory", algorithm 1.5.1).
+ * 'p' must be prime!
+ * If 'a' is not a square, this is not necessarily detected by
+ * the algorithms; a bogus result must be expected in this case.
+ */
+        {
+        BIGNUM *ret = in;
+        int err = 1;
+        int r;
+        BIGNUM *b, *q, *t, *x, *y;
+        int e, i, j;
+        
+        if (!BN_is_odd(p) || BN_abs_is_word(p, 1))
+                {
+                if (BN_abs_is_word(p, 2))
+                        {
+                        if (ret == NULL)
+                                ret = BN_new();
+                        if (ret == NULL)
+                                goto end;
+                        if (!BN_set_word(ret, BN_is_bit_set(a, 0)))
+                                {
+                                BN_free(ret);
+                                return NULL;
+                                }
+                        return ret;
+                        }
+
+                BNerr(BN_F_BN_MOD_SQRT, BN_R_P_IS_NOT_PRIME);
+                return(NULL);
+                }
+
+        if (BN_is_zero(a) || BN_is_one(a))
+                {
+                if (ret == NULL)
+                        ret = BN_new();
+                if (ret == NULL)
+                        goto end;
+                if (!BN_set_word(ret, BN_is_one(a)))
+                        {
+                        BN_free(ret);
+                        return NULL;
+                        }
+                return ret;
+                }
+
+#if 0 /* if BN_mod_sqrt is used with correct input, this just wastes time */
+        r = BN_kronecker(a, p, ctx);
+        if (r < -1) return NULL;
+        if (r == -1)
+                {
+                BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
+                return(NULL);
+                }
+#endif
+
+        BN_CTX_start(ctx);
+        b = BN_CTX_get(ctx);
+        q = BN_CTX_get(ctx);
+        t = BN_CTX_get(ctx);
+        x = BN_CTX_get(ctx);
+        y = BN_CTX_get(ctx);
+        if (y == NULL) goto end;
+        
+        if (ret == NULL)
+                ret = BN_new();
+        if (ret == NULL) goto end;
+
+        /* now write  |p| - 1  as  2^e*q  where  q  is odd */
+        e = 1;
+        while (!BN_is_bit_set(p, e))
+                e++;
+        /* we'll set  q  later (if needed) */
+
+        if (e == 1)
+                {
+                /* The easy case:  (|p|-1)/2  is odd, so 2 has an inverse
+                 * modulo  (|p|-1)/2,  and square roots can be computed
+                 * directly by modular exponentiation.
+                 * We have
+                 *     2 * (|p|+1)/4 == 1   (mod (|p|-1)/2),
+                 * so we can use exponent  (|p|+1)/4,  i.e.  (|p|-3)/4 + 1.
+                 */
+                if (!BN_rshift(q, p, 2)) goto end;
+                q->neg = 0;
+                if (!BN_add_word(q, 1)) goto end;
+                if (!BN_mod_exp(ret, a, q, p, ctx)) goto end;
+                err = 0;
+                goto end;
+                }
+        
+        if (e == 2)
+                {
+                /* |p| == 5  (mod 8)
+                 *
+                 * In this case  2  is always a non-square since
+                 * Legendre(2,p) = (-1)^((p^2-1)/8)  for any odd prime.
+                 * So if  a  really is a square, then  2*a  is a non-square.
+                 * Thus for
+                 *      b := (2*a)^((|p|-5)/8),
+                 *      i := (2*a)*b^2
+                 * we have
+                 *     i^2 = (2*a)^((1 + (|p|-5)/4)*2)
+                 *         = (2*a)^((p-1)/2)
+                 *         = -1;
+                 * so if we set
+                 *      x := a*b*(i-1),
+                 * then
+                 *     x^2 = a^2 * b^2 * (i^2 - 2*i + 1)
+                 *         = a^2 * b^2 * (-2*i)
+                 *         = a*(-i)*(2*a*b^2)
+                 *         = a*(-i)*i
+                 *         = a.
+                 *
+                 * (This is due to A.O.L. Atkin, 
+                 * <URL: http://listserv.nodak.edu/scripts/wa.exe?A2=ind9211&L=nmbrthry&O=T&P=562>,
+                 * November 1992.)
+                 */
+
+                /* make sure that  a  is reduced modulo p */
+                if (a->neg || BN_ucmp(a, p) >= 0)
+                        {
+                        if (!BN_nnmod(x, a, p, ctx)) goto end;
+                        a = x; /* use x as temporary variable */
+                        }
+
+                /* t := 2*a */
+                if (!BN_mod_lshift1_quick(t, a, p)) goto end;
+
+                /* b := (2*a)^((|p|-5)/8) */
+                if (!BN_rshift(q, p, 3)) goto end;
+                q->neg = 0;
+                if (!BN_mod_exp(b, t, q, p, ctx)) goto end;
+
+                /* y := b^2 */
+                if (!BN_mod_sqr(y, b, p, ctx)) goto end;
+
+                /* t := (2*a)*b^2 - 1*/
+                if (!BN_mod_mul(t, t, y, p, ctx)) goto end;
+                if (!BN_sub_word(t, 1)) goto end;
+
+                /* x = a*b*t */
+                if (!BN_mod_mul(x, a, b, p, ctx)) goto end;
+                if (!BN_mod_mul(x, x, t, p, ctx)) goto end;
+
+                if (!BN_copy(ret, x)) goto end;
+                err = 0;
+                goto end;
+                }
+        
+        /* e > 2, so we really have to use the Tonelli/Shanks algorithm.
+         * First, find some  y  that is not a square. */
+        if (!BN_copy(q, p)) goto end; /* use 'q' as temp */
+        q->neg = 0;
+        i = 2;
+        do
+                {
+                /* For efficiency, try small numbers first;
+                 * if this fails, try random numbers.
+                 */
+                if (i < 22)
+                        {
+                        if (!BN_set_word(y, i)) goto end;
+                        }
+                else
+                        {
+                        if (!BN_pseudo_rand(y, BN_num_bits(p), 0, 0)) goto end;
+                        if (BN_ucmp(y, p) >= 0)
+                                {
+                                if (!(p->neg ? BN_add : BN_sub)(y, y, p)) goto end;
+                                }
+                        /* now 0 <= y < |p| */
+                        if (BN_is_zero(y))
+                                if (!BN_set_word(y, i)) goto end;
+                        }
+                
+                r = BN_kronecker(y, q, ctx); /* here 'q' is |p| */
+                if (r < -1) goto end;
+                if (r == 0)
+                        {
+                        /* m divides p */
+                        BNerr(BN_F_BN_MOD_SQRT, BN_R_P_IS_NOT_PRIME);
+                        goto end;
+                        }
+                }
+        while (r == 1 && ++i < 82);
+        
+        if (r != -1)
+                {
+                /* Many rounds and still no non-square -- this is more likely
+                 * a bug than just bad luck.
+                 * Even if  p  is not prime, we should have found some  y
+                 * such that r == -1.
+                 */
+                BNerr(BN_F_BN_MOD_SQRT, BN_R_TOO_MANY_ITERATIONS);
+                goto end;
+                }
+
+        /* Here's our actual 'q': */
+        if (!BN_rshift(q, q, e)) goto end;
+
+        /* Now that we have some non-square, we can find an element
+         * of order  2^e  by computing its q'th power. */
+        if (!BN_mod_exp(y, y, q, p, ctx)) goto end;
+        if (BN_is_one(y))
+                {
+                BNerr(BN_F_BN_MOD_SQRT, BN_R_P_IS_NOT_PRIME);
+                goto end;
+                }
+
+        /* Now we know that (if  p  is indeed prime) there is an integer
+         * k,  0 <= k < 2^e,  such that
+         *
+         *      a^q * y^k == 1   (mod p).
+         *
+         * As  a^q  is a square and  y  is not,  k  must be even.
+         * q+1  is even, too, so there is an element
+         *
+         *     X := a^((q+1)/2) * y^(k/2),
+         *
+         * and it satisfies
+         *
+         *     X^2 = a^q * a     * y^k
+         *         = a,
+         *
+         * so it is the square root that we are looking for.
+         */
+        
+        /* t := (q-1)/2  (note that  q  is odd) */
+        if (!BN_rshift1(t, q)) goto end;
+        
+        /* x := a^((q-1)/2) */
+        if (BN_is_zero(t)) /* special case: p = 2^e + 1 */
+                {
+                if (!BN_nnmod(t, a, p, ctx)) goto end;
+                if (BN_is_zero(t))
+                        {
+                        /* special case: a == 0  (mod p) */
+                        if (!BN_zero(ret)) goto end;
+                        err = 0;
+                        goto end;
+                        }
+                else
+                        if (!BN_one(x)) goto end;
+                }
+        else
+                {
+                if (!BN_mod_exp(x, a, t, p, ctx)) goto end;
+                if (BN_is_zero(x))
+                        {
+                        /* special case: a == 0  (mod p) */
+                        if (!BN_zero(ret)) goto end;
+                        err = 0;
+                        goto end;
+                        }
+                }
+
+        /* b := a*x^2  (= a^q) */
+        if (!BN_mod_sqr(b, x, p, ctx)) goto end;
+        if (!BN_mod_mul(b, b, a, p, ctx)) goto end;
+        
+        /* x := a*x    (= a^((q+1)/2)) */
+        if (!BN_mod_mul(x, x, a, p, ctx)) goto end;
+
+        while (1)
+                {
+                /* Now  b  is  a^q * y^k  for some even  k  (0 <= k < 2^E
+                 * where  E  refers to the original value of  e,  which we
+                 * don't keep in a variable),  and  x  is  a^((q+1)/2) * y^(k/2).
+                 *
+                 * We have  a*b = x^2,
+                 *    y^2^(e-1) = -1,
+                 *    b^2^(e-1) = 1.
+                 */
+
+                if (BN_is_one(b))
+                        {
+                        if (!BN_copy(ret, x)) goto end;
+                        err = 0;
+                        goto end;
+                        }
+
+
+                /* find smallest  i  such that  b^(2^i) = 1 */
+                i = 1;
+                if (!BN_mod_sqr(t, b, p, ctx)) goto end;
+                while (!BN_is_one(t))
+                        {
+                        i++;
+                        if (i == e)
+                                {
+                                BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
+                                goto end;
+                                }
+                        if (!BN_mod_mul(t, t, t, p, ctx)) goto end;
+                        }
+                
+
+                /* t := y^2^(e - i - 1) */
+                if (!BN_copy(t, y)) goto end;
+                for (j = e - i - 1; j > 0; j--)
+                        {
+                        if (!BN_mod_sqr(t, t, p, ctx)) goto end;
+                        }
+                if (!BN_mod_mul(y, t, t, p, ctx)) goto end;
+                if (!BN_mod_mul(x, x, t, p, ctx)) goto end;
+                if (!BN_mod_mul(b, b, y, p, ctx)) goto end;
+                e = i;
+                }
+
+ end:
+        if (err)
+                {
+                if (ret != NULL && ret != in)
+                        {
+                        BN_clear_free(ret);
+                        }
+                ret = NULL;
+                }
+        BN_CTX_end(ctx);
+        return ret;
+        }
diff --git a/src/lib/libssl/src/crypto/bn/divtest.c b/src/lib/libssl/src/crypto/bn/divtest.c
new file mode 100644
index 0000000000..13ba86e3c4
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/divtest.c
@@ -0,0 +1,41 @@
+#include <openssl/bn.h>
+#include <openssl/rand.h>
+
+static int rand(n)
+{
+    unsigned char x[2];
+    RAND_pseudo_bytes(x,2);
+    return (x[0] + 2*x[1]);
+}
+
+static void bug(char *m, BIGNUM *a, BIGNUM *b)
+{
+    printf("%s!\na=",m);
+    BN_print_fp(stdout, a);
+    printf("\nb=");
+    BN_print_fp(stdout, b);
+    printf("\n");
+    fflush(stdout);
+}
+
+main()
+{
+    BIGNUM *a=BN_new(), *b=BN_new(), *c=BN_new(), *d=BN_new(),
+        *C=BN_new(), *D=BN_new();
+    BN_RECP_CTX *recp=BN_RECP_CTX_new();
+    BN_CTX *ctx=BN_CTX_new();
+
+    for(;;) {
+        BN_pseudo_rand(a,rand(),0,0);
+        BN_pseudo_rand(b,rand(),0,0);
+        if (BN_is_zero(b)) continue;
+
+        BN_RECP_CTX_set(recp,b,ctx);
+        if (BN_div(C,D,a,b,ctx) != 1)
+            bug("BN_div failed",a,b);
+        if (BN_div_recp(c,d,a,recp,ctx) != 1)
+            bug("BN_div_recp failed",a,b);
+        else if (BN_cmp(c,C) != 0 || BN_cmp(c,C) != 0)
+            bug("mismatch",a,b);
+    }
+}
diff --git a/src/lib/libssl/src/crypto/bn/exp.c b/src/lib/libssl/src/crypto/bn/exp.c
new file mode 100644
index 0000000000..ec443459d8
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/exp.c
@@ -0,0 +1,60 @@
+#include <stdio.h>
+#include <openssl/tmdiff.h>
+#include "bn_lcl.h"
+
+#define SIZE    256
+#define NUM     (8*8*8)
+#define MOD     (8*8*8*8*8)
+
+main(argc,argv)
+int argc;
+char *argv[];
+        {
+        BN_CTX ctx;
+        BIGNUM a,b,c,r,rr,t,l;
+        int j,i,size=SIZE,num=NUM,mod=MOD;
+        char *start,*end;
+        BN_MONT_CTX mont;
+        double d,md;
+
+        BN_MONT_CTX_init(&mont);
+        BN_CTX_init(&ctx);
+        BN_init(&a);
+        BN_init(&b);
+        BN_init(&c);
+        BN_init(&r);
+
+        start=ms_time_new();
+        end=ms_time_new();
+        while (size <= 1024*8)
+                {
+                BN_rand(&a,size,0,0);
+                BN_rand(&b,size,1,0);
+                BN_rand(&c,size,0,1);
+
+                BN_mod(&a,&a,&c,&ctx);
+
+                ms_time_get(start);
+                for (i=0; i<10; i++)
+                        BN_MONT_CTX_set(&mont,&c,&ctx);
+                ms_time_get(end);
+                md=ms_time_diff(start,end);
+
+                ms_time_get(start);
+                for (i=0; i<num; i++)
+                        {
+                        /* bn_mull(&r,&a,&b,&ctx); */
+                        /* BN_sqr(&r,&a,&ctx); */
+                        BN_mod_exp_mont(&r,&a,&b,&c,&ctx,&mont);
+                        }
+                ms_time_get(end);
+                d=ms_time_diff(start,end)/* *50/33 */;
+                printf("%5d bit:%6.2f %6d %6.4f %4d m_set(%5.4f)\n",size,
+                        d,num,d/num,(int)((d/num)*mod),md/10.0);
+                num/=8;
+                mod/=8;
+                if (num <= 0) num=1;
+                size*=2;
+                }
+
+        }
diff --git a/src/lib/libssl/src/crypto/bn/todo b/src/lib/libssl/src/crypto/bn/todo
new file mode 100644
index 0000000000..e47e381aea
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/todo
@@ -0,0 +1,3 @@
+Cache RECP_CTX values
+make the result argument independant of the inputs.
+split up the _exp_ functions
diff --git a/src/lib/libssl/src/crypto/bn/vms-helper.c b/src/lib/libssl/src/crypto/bn/vms-helper.c
new file mode 100644
index 0000000000..73af337069
--- /dev/null
+++ b/src/lib/libssl/src/crypto/bn/vms-helper.c
@@ -0,0 +1,66 @@
+/* vms-helper.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+bn_div_words_abort(int i)
+{
+#if !defined(NO_STDIO) && !defined(WIN16)
+        fprintf(stderr,"Division would overflow (%d)\n",i);
+#endif
+        abort();
+}
diff --git a/src/lib/libssl/src/crypto/comp/c_rle.c b/src/lib/libssl/src/crypto/comp/c_rle.c
new file mode 100644
index 0000000000..1a819e3737
--- /dev/null
+++ b/src/lib/libssl/src/crypto/comp/c_rle.c
@@ -0,0 +1,61 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/objects.h>
+#include <openssl/comp.h>
+
+static int rle_compress_block(COMP_CTX *ctx, unsigned char *out,
+        unsigned int olen, unsigned char *in, unsigned int ilen);
+static int rle_expand_block(COMP_CTX *ctx, unsigned char *out,
+        unsigned int olen, unsigned char *in, unsigned int ilen);
+
+static COMP_METHOD rle_method={
+        NID_rle_compression,
+        LN_rle_compression,
+        NULL,
+        NULL,
+        rle_compress_block,
+        rle_expand_block,
+        NULL,
+        };
+
+COMP_METHOD *COMP_rle(void)
+        {
+        return(&rle_method);
+        }
+
+static int rle_compress_block(COMP_CTX *ctx, unsigned char *out,
+             unsigned int olen, unsigned char *in, unsigned int ilen)
+        {
+        /* int i; */
+
+        if (olen < (ilen+1))
+                {
+                /* ZZZZZZZZZZZZZZZZZZZZZZ */
+                return(-1);
+                }
+
+        *(out++)=0;
+        memcpy(out,in,ilen);
+        return(ilen+1);
+        }
+
+static int rle_expand_block(COMP_CTX *ctx, unsigned char *out,
+             unsigned int olen, unsigned char *in, unsigned int ilen)
+        {
+        int i;
+
+        if (olen < (ilen-1))
+                {
+                /* ZZZZZZZZZZZZZZZZZZZZZZ */
+                return(-1);
+                }
+
+        i= *(in++);
+        if (i == 0)
+                {
+                memcpy(out,in,ilen-1);
+                }
+        return(ilen-1);
+        }
+
diff --git a/src/lib/libssl/src/crypto/comp/c_zlib.c b/src/lib/libssl/src/crypto/comp/c_zlib.c
new file mode 100644
index 0000000000..6684ab4841
--- /dev/null
+++ b/src/lib/libssl/src/crypto/comp/c_zlib.c
@@ -0,0 +1,133 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/objects.h>
+#include <openssl/comp.h>
+
+COMP_METHOD *COMP_zlib(void );
+
+#ifndef ZLIB
+
+static COMP_METHOD zlib_method={
+        NID_undef,
+        "(null)",
+        NULL,
+        NULL,
+        NULL,
+        NULL,
+        NULL,
+        };
+
+#else
+
+#include <zlib.h>
+
+static int zlib_compress_block(COMP_CTX *ctx, unsigned char *out,
+        unsigned int olen, unsigned char *in, unsigned int ilen);
+static int zlib_expand_block(COMP_CTX *ctx, unsigned char *out,
+        unsigned int olen, unsigned char *in, unsigned int ilen);
+
+static int zz_uncompress(Bytef *dest, uLongf *destLen, const Bytef *source,
+        uLong sourceLen);
+
+static COMP_METHOD zlib_method={
+        NID_zlib_compression,
+        LN_zlib_compression,
+        NULL,
+        NULL,
+        zlib_compress_block,
+        zlib_expand_block,
+        NULL,
+        };
+
+static int zlib_compress_block(COMP_CTX *ctx, unsigned char *out,
+             unsigned int olen, unsigned char *in, unsigned int ilen)
+        {
+        unsigned long l;
+        int i;
+        int clear=1;
+
+        if (ilen > 128)
+                {
+                out[0]=1;
+                l=olen-1;
+                i=compress(&(out[1]),&l,in,(unsigned long)ilen);
+                if (i != Z_OK)
+                        return(-1);
+                if (ilen > l)
+                        {
+                        clear=0;
+                        l++;
+                        }
+                }
+        if (clear)
+                {
+                out[0]=0;
+                memcpy(&(out[1]),in,ilen);
+                l=ilen+1;
+                }
+fprintf(stderr,"compress(%4d)->%4d %s\n",ilen,(int)l,(clear)?"clear":"zlib");
+        return((int)l);
+        }
+
+static int zlib_expand_block(COMP_CTX *ctx, unsigned char *out,
+             unsigned int olen, unsigned char *in, unsigned int ilen)
+        {
+        unsigned long l;
+        int i;
+
+        if (in[0])
+                {
+                l=olen;
+                i=zz_uncompress(out,&l,&(in[1]),(unsigned long)ilen-1);
+                if (i != Z_OK)
+                        return(-1);
+                }
+        else
+                {
+                memcpy(out,&(in[1]),ilen-1);
+                l=ilen-1;
+                }
+        fprintf(stderr,"expand  (%4d)->%4d %s\n",ilen,(int)l,in[0]?"zlib":"clear");
+        return((int)l);
+        }
+
+static int zz_uncompress (Bytef *dest, uLongf *destLen, const Bytef *source,
+             uLong sourceLen)
+{
+    z_stream stream;
+    int err;
+
+    stream.next_in = (Bytef*)source;
+    stream.avail_in = (uInt)sourceLen;
+    /* Check for source > 64K on 16-bit machine: */
+    if ((uLong)stream.avail_in != sourceLen) return Z_BUF_ERROR;
+
+    stream.next_out = dest;
+    stream.avail_out = (uInt)*destLen;
+    if ((uLong)stream.avail_out != *destLen) return Z_BUF_ERROR;
+
+    stream.zalloc = (alloc_func)0;
+    stream.zfree = (free_func)0;
+
+    err = inflateInit(&stream);
+    if (err != Z_OK) return err;
+
+    err = inflate(&stream, Z_FINISH);
+    if (err != Z_STREAM_END) {
+        inflateEnd(&stream);
+        return err;
+    }
+    *destLen = stream.total_out;
+
+    err = inflateEnd(&stream);
+    return err;
+}
+
+#endif
+
+COMP_METHOD *COMP_zlib(void)
+        {
+        return(&zlib_method);
+        }
+
diff --git a/src/lib/libssl/src/crypto/comp/comp.h b/src/lib/libssl/src/crypto/comp/comp.h
new file mode 100644
index 0000000000..93bd9c34c8
--- /dev/null
+++ b/src/lib/libssl/src/crypto/comp/comp.h
@@ -0,0 +1,60 @@
+
+#ifndef HEADER_COMP_H
+#define HEADER_COMP_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#include <openssl/crypto.h>
+
+typedef struct comp_method_st
+        {
+        int type;               /* NID for compression library */
+        const char *name;       /* A text string to identify the library */
+        int (*init)();
+        void (*finish)();
+        int (*compress)();
+        int (*expand)();
+        long (*ctrl)();
+        } COMP_METHOD;
+
+typedef struct comp_ctx_st
+        {
+        COMP_METHOD *meth;
+        unsigned long compress_in;
+        unsigned long compress_out;
+        unsigned long expand_in;
+        unsigned long expand_out;
+
+        CRYPTO_EX_DATA  ex_data;
+        } COMP_CTX;
+
+
+COMP_CTX *COMP_CTX_new(COMP_METHOD *meth);
+void COMP_CTX_free(COMP_CTX *ctx);
+int COMP_compress_block(COMP_CTX *ctx, unsigned char *out, int olen,
+        unsigned char *in, int ilen);
+int COMP_expand_block(COMP_CTX *ctx, unsigned char *out, int olen,
+        unsigned char *in, int ilen);
+COMP_METHOD *COMP_rle(void );
+#ifdef ZLIB
+COMP_METHOD *COMP_zlib(void );
+#endif
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the COMP functions. */
+
+/* Function codes. */
+
+/* Reason codes. */
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/src/lib/libssl/src/crypto/comp/comp_err.c b/src/lib/libssl/src/crypto/comp/comp_err.c
new file mode 100644
index 0000000000..77a3f7070c
--- /dev/null
+++ b/src/lib/libssl/src/crypto/comp/comp_err.c
@@ -0,0 +1,91 @@
+/* crypto/comp/comp_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/comp.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA COMP_str_functs[]=
+        {
+{0,NULL}
+        };
+
+static ERR_STRING_DATA COMP_str_reasons[]=
+        {
+{0,NULL}
+        };
+
+#endif
+
+void ERR_load_COMP_strings(void)
+        {
+        static int init=1;
+
+        if (init)
+                {
+                init=0;
+#ifndef NO_ERR
+                ERR_load_strings(ERR_LIB_COMP,COMP_str_functs);
+                ERR_load_strings(ERR_LIB_COMP,COMP_str_reasons);
+#endif
+
+                }
+        }
diff --git a/src/lib/libssl/src/crypto/comp/comp_lib.c b/src/lib/libssl/src/crypto/comp/comp_lib.c
new file mode 100644
index 0000000000..a67ef23bc0
--- /dev/null
+++ b/src/lib/libssl/src/crypto/comp/comp_lib.c
@@ -0,0 +1,78 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/objects.h>
+#include <openssl/comp.h>
+
+COMP_CTX *COMP_CTX_new(COMP_METHOD *meth)
+        {
+        COMP_CTX *ret;
+
+        if ((ret=(COMP_CTX *)Malloc(sizeof(COMP_CTX))) == NULL)
+                {
+                /* ZZZZZZZZZZZZZZZZ */
+                return(NULL);
+                }
+        memset(ret,0,sizeof(COMP_CTX));
+        ret->meth=meth;
+        if ((ret->meth->init != NULL) && !ret->meth->init(ret))
+                {
+                Free(ret);
+                ret=NULL;
+                }
+#if 0
+        else
+                CRYPTO_new_ex_data(rsa_meth,(char *)ret,&ret->ex_data);
+#endif
+        return(ret);
+        }
+
+void COMP_CTX_free(COMP_CTX *ctx)
+        {
+        /* CRYPTO_free_ex_data(rsa_meth,(char *)ctx,&ctx->ex_data); */
+
+        if(ctx == NULL)
+            return;
+
+        if (ctx->meth->finish != NULL)
+                ctx->meth->finish(ctx);
+
+        Free(ctx);
+        }
+
+int COMP_compress_block(COMP_CTX *ctx, unsigned char *out, int olen,
+             unsigned char *in, int ilen)
+        {
+        int ret;
+        if (ctx->meth->compress == NULL)
+                {
+                /* ZZZZZZZZZZZZZZZZZ */
+                return(-1);
+                }
+        ret=ctx->meth->compress(ctx,out,olen,in,ilen);
+        if (ret > 0)
+                {
+                ctx->compress_in+=ilen;
+                ctx->compress_out+=ret;
+                }
+        return(ret);
+        }
+
+int COMP_expand_block(COMP_CTX *ctx, unsigned char *out, int olen,
+             unsigned char *in, int ilen)
+        {
+        int ret;
+
+        if (ctx->meth->expand == NULL)
+                {
+                /* ZZZZZZZZZZZZZZZZZ */
+                return(-1);
+                }
+        ret=ctx->meth->expand(ctx,out,olen,in,ilen);
+        if (ret > 0)
+                {
+                ctx->expand_in+=ilen;
+                ctx->expand_out+=ret;
+                }
+        return(ret);
+        }
diff --git a/src/lib/libssl/src/crypto/conf/README b/src/lib/libssl/src/crypto/conf/README
new file mode 100644
index 0000000000..ca58d0240f
--- /dev/null
+++ b/src/lib/libssl/src/crypto/conf/README
@@ -0,0 +1,78 @@
+WARNING WARNING WARNING!!!
+
+This stuff is experimental, may change radically or be deleted altogether
+before OpenSSL 0.9.7 release. You have been warned!
+
+Configuration modules. These are a set of modules which can perform
+various configuration functions.
+
+Currently the routines should be called at most once when an application
+starts up: that is before it starts any threads.
+
+The routines read a configuration file set up like this:
+
+-----
+#default section
+openssl_init=init_section
+
+[init_section]
+
+module1=value1
+#Second instance of module1
+module1.1=valueX
+module2=value2
+module3=dso_literal
+module4=dso_section
+
+[dso_section]
+
+path=/some/path/to/some/dso.so
+other_stuff=other_value
+----
+
+When this file is loaded a configuration module with the specified
+string (module* in the above example) is looked up and its init
+function called as:
+
+int conf_init_func(CONF_IMODULE *md, CONF *cnf);
+
+The function can then take whatever action is appropriate, for example
+further lookups based on the value. Multiple instances of the same 
+config module can be loaded.
+
+When the application closes down the modules are cleaned up by calling
+an optional finish function:
+
+void conf_finish_func(CONF_IMODULE *md);
+
+The finish functions are called in reverse order: that is the last module
+loaded is the first one cleaned up.
+
+If no module exists with a given name then an attempt is made to load
+a DSO with the supplied name. This might mean that "module3" attempts
+to load a DSO called libmodule3.so or module3.dll for example. An explicit
+DSO name can be given by including a separate section as in the module4 example
+above.
+
+The DSO is expected to at least contain an initialization function:
+
+int OPENSSL_init(CONF_IMODULE *md, CONF *cnf);
+
+and may also include a finish function:
+
+void OPENSSL_finish(CONF_IMODULE *md);
+
+Static modules can also be added using,
+
+int CONF_module_add(char *name, dso_mod_init_func *ifunc, dso_mod_finish_func *ffunc);
+
+where "name" is the name in the configuration file this function corresponds to.
+
+A set of builtin modules (currently only an ASN1 non functional test module) can be 
+added by calling OPENSSL_load_builtin_modules(). 
+
+The function OPENSSL_config() is intended as a simple configuration function that
+any application can call to perform various default configuration tasks. It uses the
+file openssl.cnf in the usual locations.
+
+
diff --git a/src/lib/libssl/src/crypto/conf/conf_api.c b/src/lib/libssl/src/crypto/conf/conf_api.c
new file mode 100644
index 0000000000..d05a778ff6
--- /dev/null
+++ b/src/lib/libssl/src/crypto/conf/conf_api.c
@@ -0,0 +1,289 @@
+/* conf_api.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* Part of the code in here was originally in conf.c, which is now removed */
+
+#ifndef CONF_DEBUG
+# undef NDEBUG /* avoid conflicting definitions */
+# define NDEBUG
+#endif
+
+#include <assert.h>
+#include <string.h>
+#include <openssl/conf.h>
+#include <openssl/conf_api.h>
+
+static void value_free_hash(CONF_VALUE *a, LHASH *conf);
+static void value_free_stack(CONF_VALUE *a,LHASH *conf);
+static unsigned long hash(CONF_VALUE *v);
+static int cmp_conf(CONF_VALUE *a,CONF_VALUE *b);
+
+/* Up until OpenSSL 0.9.5a, this was get_section */
+CONF_VALUE *_CONF_get_section(CONF *conf, char *section)
+        {
+        CONF_VALUE *v,vv;
+
+        if ((conf == NULL) || (section == NULL)) return(NULL);
+        vv.name=NULL;
+        vv.section=section;
+        v=(CONF_VALUE *)lh_retrieve(conf->data,&vv);
+        return(v);
+        }
+
+/* Up until OpenSSL 0.9.5a, this was CONF_get_section */
+STACK_OF(CONF_VALUE) *_CONF_get_section_values(CONF *conf, char *section)
+        {
+        CONF_VALUE *v;
+
+        v=_CONF_get_section(conf,section);
+        if (v != NULL)
+                return((STACK_OF(CONF_VALUE) *)v->value);
+        else
+                return(NULL);
+        }
+
+int _CONF_add_string(CONF *conf, CONF_VALUE *section, CONF_VALUE *value)
+        {
+        CONF_VALUE *v = NULL;
+        STACK_OF(CONF_VALUE) *ts;
+
+        ts = (STACK_OF(CONF_VALUE) *)section->value;
+
+        value->section=section->section;        
+        if (!sk_CONF_VALUE_push(ts,value))
+                {
+                return 0;
+                }
+
+        v = (CONF_VALUE *)lh_insert(conf->data, value);
+        if (v != NULL)
+                {
+                sk_CONF_VALUE_delete_ptr(ts,v);
+                OPENSSL_free(v->name);
+                OPENSSL_free(v->value);
+                OPENSSL_free(v);
+                }
+        return 1;
+        }
+
+char *_CONF_get_string(CONF *conf, char *section, char *name)
+        {
+        CONF_VALUE *v,vv;
+        char *p;
+
+        if (name == NULL) return(NULL);
+        if (conf != NULL)
+                {
+                if (section != NULL)
+                        {
+                        vv.name=name;
+                        vv.section=section;
+                        v=(CONF_VALUE *)lh_retrieve(conf->data,&vv);
+                        if (v != NULL) return(v->value);
+                        if (strcmp(section,"ENV") == 0)
+                                {
+                                p=Getenv(name);
+                                if (p != NULL) return(p);
+                                }
+                        }
+                vv.section="default";
+                vv.name=name;
+                v=(CONF_VALUE *)lh_retrieve(conf->data,&vv);
+                if (v != NULL)
+                        return(v->value);
+                else
+                        return(NULL);
+                }
+        else
+                return(Getenv(name));
+        }
+
+long _CONF_get_number(CONF *conf, char *section, char *name)
+        {
+        char *str;
+        long ret=0;
+
+        str=_CONF_get_string(conf,section,name);
+        if (str == NULL) return(0);
+        for (;;)
+                {
+                if (conf->meth->is_number(conf, *str))
+                        ret=ret*10+conf->meth->to_int(conf, *str);
+                else
+                        return(ret);
+                str++;
+                }
+        }
+
+int _CONF_new_data(CONF *conf)
+        {
+        if (conf == NULL)
+                {
+                return 0;
+                }
+        if (conf->data == NULL)
+                if ((conf->data = lh_new(hash,cmp_conf)) == NULL)
+                        {
+                        return 0;
+                        }
+        return 1;
+        }
+
+void _CONF_free_data(CONF *conf)
+        {
+        if (conf == NULL || conf->data == NULL) return;
+
+        conf->data->down_load=0; /* evil thing to make sure the 'OPENSSL_free()'
+                                  * works as expected */
+        lh_doall_arg(conf->data,(void (*)())value_free_hash,conf->data);
+
+        /* We now have only 'section' entries in the hash table.
+         * Due to problems with */
+
+        lh_doall_arg(conf->data,(void (*)())value_free_stack,conf->data);
+        lh_free(conf->data);
+        }
+
+static void value_free_hash(CONF_VALUE *a, LHASH *conf)
+        {
+        if (a->name != NULL)
+                {
+                a=(CONF_VALUE *)lh_delete(conf,a);
+                }
+        }
+
+static void value_free_stack(CONF_VALUE *a, LHASH *conf)
+        {
+        CONF_VALUE *vv;
+        STACK *sk;
+        int i;
+
+        if (a->name != NULL) return;
+
+        sk=(STACK *)a->value;
+        for (i=sk_num(sk)-1; i>=0; i--)
+                {
+                vv=(CONF_VALUE *)sk_value(sk,i);
+                OPENSSL_free(vv->value);
+                OPENSSL_free(vv->name);
+                OPENSSL_free(vv);
+                }
+        if (sk != NULL) sk_free(sk);
+        OPENSSL_free(a->section);
+        OPENSSL_free(a);
+        }
+
+static unsigned long hash(CONF_VALUE *v)
+        {
+        return((lh_strhash(v->section)<<2)^lh_strhash(v->name));
+        }
+
+static int cmp_conf(CONF_VALUE *a, CONF_VALUE *b)
+        {
+        int i;
+
+        if (a->section != b->section)
+                {
+                i=strcmp(a->section,b->section);
+                if (i) return(i);
+                }
+
+        if ((a->name != NULL) && (b->name != NULL))
+                {
+                i=strcmp(a->name,b->name);
+                return(i);
+                }
+        else if (a->name == b->name)
+                return(0);
+        else
+                return((a->name == NULL)?-1:1);
+        }
+
+/* Up until OpenSSL 0.9.5a, this was new_section */
+CONF_VALUE *_CONF_new_section(CONF *conf, char *section)
+        {
+        STACK *sk=NULL;
+        int ok=0,i;
+        CONF_VALUE *v=NULL,*vv;
+
+        if ((sk=sk_new_null()) == NULL)
+                goto err;
+        if ((v=(CONF_VALUE *)OPENSSL_malloc(sizeof(CONF_VALUE))) == NULL)
+                goto err;
+        i=strlen(section)+1;
+        if ((v->section=(char *)OPENSSL_malloc(i)) == NULL)
+                goto err;
+
+        memcpy(v->section,section,i);
+        v->name=NULL;
+        v->value=(char *)sk;
+        
+        vv=(CONF_VALUE *)lh_insert(conf->data,v);
+        assert(vv == NULL);
+        ok=1;
+err:
+        if (!ok)
+                {
+                if (sk != NULL) sk_free(sk);
+                if (v != NULL) OPENSSL_free(v);
+                v=NULL;
+                }
+        return(v);
+        }
+
+IMPLEMENT_STACK_OF(CONF_VALUE)
diff --git a/src/lib/libssl/src/crypto/conf/conf_api.h b/src/lib/libssl/src/crypto/conf/conf_api.h
new file mode 100644
index 0000000000..a5cc17b233
--- /dev/null
+++ b/src/lib/libssl/src/crypto/conf/conf_api.h
@@ -0,0 +1,87 @@
+/* conf_api.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef  HEADER_CONF_API_H
+#define HEADER_CONF_API_H
+
+#include <openssl/lhash.h>
+#include <openssl/conf.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/* Up until OpenSSL 0.9.5a, this was new_section */
+CONF_VALUE *_CONF_new_section(CONF *conf, char *section);
+/* Up until OpenSSL 0.9.5a, this was get_section */
+CONF_VALUE *_CONF_get_section(CONF *conf, char *section);
+/* Up until OpenSSL 0.9.5a, this was CONF_get_section */
+STACK_OF(CONF_VALUE) *_CONF_get_section_values(CONF *conf, char *section);
+
+int _CONF_add_string(CONF *conf, CONF_VALUE *section, CONF_VALUE *value);
+char *_CONF_get_string(CONF *conf, char *section, char *name);
+long _CONF_get_number(CONF *conf, char *section, char *name);
+
+int _CONF_new_data(CONF *conf);
+void _CONF_free_data(CONF *conf);
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/src/lib/libssl/src/crypto/conf/conf_def.c b/src/lib/libssl/src/crypto/conf/conf_def.c
new file mode 100644
index 0000000000..773df32c68
--- /dev/null
+++ b/src/lib/libssl/src/crypto/conf/conf_def.c
@@ -0,0 +1,703 @@
+/* crypto/conf/conf.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* Part of the code in here was originally in conf.c, which is now removed */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/stack.h>
+#include <openssl/lhash.h>
+#include <openssl/conf.h>
+#include <openssl/conf_api.h>
+#include "conf_def.h"
+#include <openssl/buffer.h>
+#include <openssl/err.h>
+
+static char *eat_ws(CONF *conf, char *p);
+static char *eat_alpha_numeric(CONF *conf, char *p);
+static void clear_comments(CONF *conf, char *p);
+static int str_copy(CONF *conf,char *section,char **to, char *from);
+static char *scan_quote(CONF *conf, char *p);
+static char *scan_dquote(CONF *conf, char *p);
+#define scan_esc(conf,p)        (((IS_EOF((conf),(p)[1]))?((p)+1):((p)+2)))
+
+static CONF *def_create(CONF_METHOD *meth);
+static int def_init_default(CONF *conf);
+static int def_init_WIN32(CONF *conf);
+static int def_destroy(CONF *conf);
+static int def_destroy_data(CONF *conf);
+static int def_load(CONF *conf, BIO *bp, long *eline);
+static int def_dump(CONF *conf, BIO *bp);
+static int def_is_number(CONF *conf, char c);
+static int def_to_int(CONF *conf, char c);
+
+const char *CONF_def_version="CONF_def" OPENSSL_VERSION_PTEXT;
+
+static CONF_METHOD default_method = {
+        "OpenSSL default",
+        def_create,
+        def_init_default,
+        def_destroy,
+        def_destroy_data,
+        def_load,
+        def_dump,
+        def_is_number,
+        def_to_int
+        };
+
+static CONF_METHOD WIN32_method = {
+        "WIN32",
+        def_create,
+        def_init_WIN32,
+        def_destroy,
+        def_destroy_data,
+        def_load,
+        def_dump,
+        def_is_number,
+        def_to_int
+        };
+
+CONF_METHOD *NCONF_default()
+        {
+        return &default_method;
+        }
+CONF_METHOD *NCONF_WIN32()
+        {
+        return &WIN32_method;
+        }
+
+static CONF *def_create(CONF_METHOD *meth)
+        {
+        CONF *ret;
+
+        ret = (CONF *)OPENSSL_malloc(sizeof(CONF) + sizeof(unsigned short *));
+        if (ret)
+                if (meth->init(ret) == 0)
+                        {
+                        OPENSSL_free(ret);
+                        ret = NULL;
+                        }
+        return ret;
+        }
+        
+static int def_init_default(CONF *conf)
+        {
+        if (conf == NULL)
+                return 0;
+
+        conf->meth = &default_method;
+        conf->meth_data = (void *)CONF_type_default;
+        conf->data = NULL;
+
+        return 1;
+        }
+
+static int def_init_WIN32(CONF *conf)
+        {
+        if (conf == NULL)
+                return 0;
+
+        conf->meth = &WIN32_method;
+        conf->meth_data = (void *)CONF_type_win32;
+        conf->data = NULL;
+
+        return 1;
+        }
+
+static int def_destroy(CONF *conf)
+        {
+        if (def_destroy_data(conf))
+                {
+                OPENSSL_free(conf);
+                return 1;
+                }
+        return 0;
+        }
+
+static int def_destroy_data(CONF *conf)
+        {
+        if (conf == NULL)
+                return 0;
+        _CONF_free_data(conf);
+        return 1;
+        }
+
+static int def_load(CONF *conf, BIO *in, long *line)
+        {
+#define BUFSIZE 512
+        char btmp[16];
+        int bufnum=0,i,ii;
+        BUF_MEM *buff=NULL;
+        char *s,*p,*end;
+        int again,n;
+        long eline=0;
+        CONF_VALUE *v=NULL,*tv;
+        CONF_VALUE *sv=NULL;
+        char *section=NULL,*buf;
+        STACK_OF(CONF_VALUE) *section_sk=NULL,*ts;
+        char *start,*psection,*pname;
+        void *h = (void *)(conf->data);
+
+        if ((buff=BUF_MEM_new()) == NULL)
+                {
+                CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_BUF_LIB);
+                goto err;
+                }
+
+        section=(char *)OPENSSL_malloc(10);
+        if (section == NULL)
+                {
+                CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
+        strcpy(section,"default");
+
+        if (_CONF_new_data(conf) == 0)
+                {
+                CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
+
+        sv=_CONF_new_section(conf,section);
+        if (sv == NULL)
+                {
+                CONFerr(CONF_F_CONF_LOAD_BIO,
+                                        CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
+                goto err;
+                }
+        section_sk=(STACK_OF(CONF_VALUE) *)sv->value;
+
+        bufnum=0;
+        for (;;)
+                {
+                again=0;
+                if (!BUF_MEM_grow(buff,bufnum+BUFSIZE))
+                        {
+                        CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_BUF_LIB);
+                        goto err;
+                        }
+                p= &(buff->data[bufnum]);
+                *p='\0';
+                BIO_gets(in, p, BUFSIZE-1);
+                p[BUFSIZE-1]='\0';
+                ii=i=strlen(p);
+                if (i == 0) break;
+                while (i > 0)
+                        {
+                        if ((p[i-1] != '\r') && (p[i-1] != '\n'))
+                                break;
+                        else
+                                i--;
+                        }
+                /* we removed some trailing stuff so there is a new
+                 * line on the end. */
+                if (i == ii)
+                        again=1; /* long line */
+                else
+                        {
+                        p[i]='\0';
+                        eline++; /* another input line */
+                        }
+
+                /* we now have a line with trailing \r\n removed */
+
+                /* i is the number of bytes */
+                bufnum+=i;
+
+                v=NULL;
+                /* check for line continuation */
+                if (bufnum >= 1)
+                        {
+                        /* If we have bytes and the last char '\\' and
+                         * second last char is not '\\' */
+                        p= &(buff->data[bufnum-1]);
+                        if (IS_ESC(conf,p[0]) &&
+                                ((bufnum <= 1) || !IS_ESC(conf,p[-1])))
+                                {
+                                bufnum--;
+                                again=1;
+                                }
+                        }
+                if (again) continue;
+                bufnum=0;
+                buf=buff->data;
+
+                clear_comments(conf, buf);
+                n=strlen(buf);
+                s=eat_ws(conf, buf);
+                if (IS_EOF(conf,*s)) continue; /* blank line */
+                if (*s == '[')
+                        {
+                        char *ss;
+
+                        s++;
+                        start=eat_ws(conf, s);
+                        ss=start;
+again:
+                        end=eat_alpha_numeric(conf, ss);
+                        p=eat_ws(conf, end);
+                        if (*p != ']')
+                                {
+                                if (*p != '\0')
+                                        {
+                                        ss=p;
+                                        goto again;
+                                        }
+                                CONFerr(CONF_F_CONF_LOAD_BIO,
+                                        CONF_R_MISSING_CLOSE_SQUARE_BRACKET);
+                                goto err;
+                                }
+                        *end='\0';
+                        if (!str_copy(conf,NULL,&section,start)) goto err;
+                        if ((sv=_CONF_get_section(conf,section)) == NULL)
+                                sv=_CONF_new_section(conf,section);
+                        if (sv == NULL)
+                                {
+                                CONFerr(CONF_F_CONF_LOAD_BIO,
+                                        CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
+                                goto err;
+                                }
+                        section_sk=(STACK_OF(CONF_VALUE) *)sv->value;
+                        continue;
+                        }
+                else
+                        {
+                        pname=s;
+                        psection=NULL;
+                        end=eat_alpha_numeric(conf, s);
+                        if ((end[0] == ':') && (end[1] == ':'))
+                                {
+                                *end='\0';
+                                end+=2;
+                                psection=pname;
+                                pname=end;
+                                end=eat_alpha_numeric(conf, end);
+                                }
+                        p=eat_ws(conf, end);
+                        if (*p != '=')
+                                {
+                                CONFerr(CONF_F_CONF_LOAD_BIO,
+                                                CONF_R_MISSING_EQUAL_SIGN);
+                                goto err;
+                                }
+                        *end='\0';
+                        p++;
+                        start=eat_ws(conf, p);
+                        while (!IS_EOF(conf,*p))
+                                p++;
+                        p--;
+                        while ((p != start) && (IS_WS(conf,*p)))
+                                p--;
+                        p++;
+                        *p='\0';
+
+                        if (!(v=(CONF_VALUE *)OPENSSL_malloc(sizeof(CONF_VALUE))))
+                                {
+                                CONFerr(CONF_F_CONF_LOAD_BIO,
+                                                        ERR_R_MALLOC_FAILURE);
+                                goto err;
+                                }
+                        if (psection == NULL) psection=section;
+                        v->name=(char *)OPENSSL_malloc(strlen(pname)+1);
+                        v->value=NULL;
+                        if (v->name == NULL)
+                                {
+                                CONFerr(CONF_F_CONF_LOAD_BIO,
+                                                        ERR_R_MALLOC_FAILURE);
+                                goto err;
+                                }
+                        strcpy(v->name,pname);
+                        if (!str_copy(conf,psection,&(v->value),start)) goto err;
+
+                        if (strcmp(psection,section) != 0)
+                                {
+                                if ((tv=_CONF_get_section(conf,psection))
+                                        == NULL)
+                                        tv=_CONF_new_section(conf,psection);
+                                if (tv == NULL)
+                                        {
+                                        CONFerr(CONF_F_CONF_LOAD_BIO,
+                                           CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
+                                        goto err;
+                                        }
+                                ts=(STACK_OF(CONF_VALUE) *)tv->value;
+                                }
+                        else
+                                {
+                                tv=sv;
+                                ts=section_sk;
+                                }
+#if 1
+                        if (_CONF_add_string(conf, tv, v) == 0)
+                                {
+                                CONFerr(CONF_F_CONF_LOAD_BIO,
+                                                        ERR_R_MALLOC_FAILURE);
+                                goto err;
+                                }
+#else
+                        v->section=tv->section; 
+                        if (!sk_CONF_VALUE_push(ts,v))
+                                {
+                                CONFerr(CONF_F_CONF_LOAD_BIO,
+                                                        ERR_R_MALLOC_FAILURE);
+                                goto err;
+                                }
+                        vv=(CONF_VALUE *)lh_insert(conf->data,v);
+                        if (vv != NULL)
+                                {
+                                sk_CONF_VALUE_delete_ptr(ts,vv);
+                                OPENSSL_free(vv->name);
+                                OPENSSL_free(vv->value);
+                                OPENSSL_free(vv);
+                                }
+#endif
+                        v=NULL;
+                        }
+                }
+        if (buff != NULL) BUF_MEM_free(buff);
+        if (section != NULL) OPENSSL_free(section);
+        return(1);
+err:
+        if (buff != NULL) BUF_MEM_free(buff);
+        if (section != NULL) OPENSSL_free(section);
+        if (line != NULL) *line=eline;
+        sprintf(btmp,"%ld",eline);
+        ERR_add_error_data(2,"line ",btmp);
+        if ((h != conf->data) && (conf->data != NULL)) CONF_free(conf->data);
+        if (v != NULL)
+                {
+                if (v->name != NULL) OPENSSL_free(v->name);
+                if (v->value != NULL) OPENSSL_free(v->value);
+                if (v != NULL) OPENSSL_free(v);
+                }
+        return(0);
+        }
+
+static void clear_comments(CONF *conf, char *p)
+        {
+        char *to;
+
+        to=p;
+        for (;;)
+                {
+                if (IS_FCOMMENT(conf,*p))
+                        {
+                        *p='\0';
+                        return;
+                        }
+                if (!IS_WS(conf,*p))
+                        {
+                        break;
+                        }
+                p++;
+                }
+
+        for (;;)
+                {
+                if (IS_COMMENT(conf,*p))
+                        {
+                        *p='\0';
+                        return;
+                        }
+                if (IS_DQUOTE(conf,*p))
+                        {
+                        p=scan_dquote(conf, p);
+                        continue;
+                        }
+                if (IS_QUOTE(conf,*p))
+                        {
+                        p=scan_quote(conf, p);
+                        continue;
+                        }
+                if (IS_ESC(conf,*p))
+                        {
+                        p=scan_esc(conf,p);
+                        continue;
+                        }
+                if (IS_EOF(conf,*p))
+                        return;
+                else
+                        p++;
+                }
+        }
+
+static int str_copy(CONF *conf, char *section, char **pto, char *from)
+        {
+        int q,r,rr=0,to=0,len=0;
+        char *s,*e,*rp,*p,*rrp,*np,*cp,v;
+        BUF_MEM *buf;
+
+        if ((buf=BUF_MEM_new()) == NULL) return(0);
+
+        len=strlen(from)+1;
+        if (!BUF_MEM_grow(buf,len)) goto err;
+
+        for (;;)
+                {
+                if (IS_QUOTE(conf,*from))
+                        {
+                        q= *from;
+                        from++;
+                        while (!IS_EOF(conf,*from) && (*from != q))
+                                {
+                                if (IS_ESC(conf,*from))
+                                        {
+                                        from++;
+                                        if (IS_EOF(conf,*from)) break;
+                                        }
+                                buf->data[to++]= *(from++);
+                                }
+                        if (*from == q) from++;
+                        }
+                else if (IS_DQUOTE(conf,*from))
+                        {
+                        q= *from;
+                        from++;
+                        while (!IS_EOF(conf,*from))
+                                {
+                                if (*from == q)
+                                        {
+                                        if (*(from+1) == q)
+                                                {
+                                                from++;
+                                                }
+                                        else
+                                                {
+                                                break;
+                                                }
+                                        }
+                                buf->data[to++]= *(from++);
+                                }
+                        if (*from == q) from++;
+                        }
+                else if (IS_ESC(conf,*from))
+                        {
+                        from++;
+                        v= *(from++);
+                        if (IS_EOF(conf,v)) break;
+                        else if (v == 'r') v='\r';
+                        else if (v == 'n') v='\n';
+                        else if (v == 'b') v='\b';
+                        else if (v == 't') v='\t';
+                        buf->data[to++]= v;
+                        }
+                else if (IS_EOF(conf,*from))
+                        break;
+                else if (*from == '$')
+                        {
+                        /* try to expand it */
+                        rrp=NULL;
+                        s= &(from[1]);
+                        if (*s == '{')
+                                q='}';
+                        else if (*s == '(')
+                                q=')';
+                        else q=0;
+
+                        if (q) s++;
+                        cp=section;
+                        e=np=s;
+                        while (IS_ALPHA_NUMERIC(conf,*e))
+                                e++;
+                        if ((e[0] == ':') && (e[1] == ':'))
+                                {
+                                cp=np;
+                                rrp=e;
+                                rr= *e;
+                                *rrp='\0';
+                                e+=2;
+                                np=e;
+                                while (IS_ALPHA_NUMERIC(conf,*e))
+                                        e++;
+                                }
+                        r= *e;
+                        *e='\0';
+                        rp=e;
+                        if (q)
+                                {
+                                if (r != q)
+                                        {
+                                        CONFerr(CONF_F_STR_COPY,CONF_R_NO_CLOSE_BRACE);
+                                        goto err;
+                                        }
+                                e++;
+                                }
+                        /* So at this point we have
+                         * ns which is the start of the name string which is
+                         *   '\0' terminated. 
+                         * cs which is the start of the section string which is
+                         *   '\0' terminated.
+                         * e is the 'next point after'.
+                         * r and s are the chars replaced by the '\0'
+                         * rp and sp is where 'r' and 's' came from.
+                         */
+                        p=_CONF_get_string(conf,cp,np);
+                        if (rrp != NULL) *rrp=rr;
+                        *rp=r;
+                        if (p == NULL)
+                                {
+                                CONFerr(CONF_F_STR_COPY,CONF_R_VARIABLE_HAS_NO_VALUE);
+                                goto err;
+                                }
+                        BUF_MEM_grow(buf,(strlen(p)+len-(e-from)));
+                        while (*p)
+                                buf->data[to++]= *(p++);
+                        from=e;
+                        }
+                else
+                        buf->data[to++]= *(from++);
+                }
+        buf->data[to]='\0';
+        if (*pto != NULL) OPENSSL_free(*pto);
+        *pto=buf->data;
+        OPENSSL_free(buf);
+        return(1);
+err:
+        if (buf != NULL) BUF_MEM_free(buf);
+        return(0);
+        }
+
+static char *eat_ws(CONF *conf, char *p)
+        {
+        while (IS_WS(conf,*p) && (!IS_EOF(conf,*p)))
+                p++;
+        return(p);
+        }
+
+static char *eat_alpha_numeric(CONF *conf, char *p)
+        {
+        for (;;)
+                {
+                if (IS_ESC(conf,*p))
+                        {
+                        p=scan_esc(conf,p);
+                        continue;
+                        }
+                if (!IS_ALPHA_NUMERIC_PUNCT(conf,*p))
+                        return(p);
+                p++;
+                }
+        }
+
+static char *scan_quote(CONF *conf, char *p)
+        {
+        int q= *p;
+
+        p++;
+        while (!(IS_EOF(conf,*p)) && (*p != q))
+                {
+                if (IS_ESC(conf,*p))
+                        {
+                        p++;
+                        if (IS_EOF(conf,*p)) return(p);
+                        }
+                p++;
+                }
+        if (*p == q) p++;
+        return(p);
+        }
+
+
+static char *scan_dquote(CONF *conf, char *p)
+        {
+        int q= *p;
+
+        p++;
+        while (!(IS_EOF(conf,*p)))
+                {
+                if (*p == q)
+                        {
+                        if (*(p+1) == q)
+                                {
+                                p++;
+                                }
+                        else
+                                {
+                                break;
+                                }
+                        }
+                p++;
+                }
+        if (*p == q) p++;
+        return(p);
+        }
+
+static void dump_value(CONF_VALUE *a, BIO *out)
+        {
+        if (a->name)
+                BIO_printf(out, "[%s] %s=%s\n", a->section, a->name, a->value);
+        else
+                BIO_printf(out, "[[%s]]\n", a->section);
+        }
+
+static int def_dump(CONF *conf, BIO *out)
+        {
+        lh_doall_arg(conf->data, (void (*)())dump_value, out);
+        return 1;
+        }
+
+static int def_is_number(CONF *conf, char c)
+        {
+        return IS_NUMBER(conf,c);
+        }
+
+static int def_to_int(CONF *conf, char c)
+        {
+        return c - '0';
+        }
+
diff --git a/src/lib/libssl/src/crypto/conf/conf_def.h b/src/lib/libssl/src/crypto/conf/conf_def.h
new file mode 100644
index 0000000000..3244d9a331
--- /dev/null
+++ b/src/lib/libssl/src/crypto/conf/conf_def.h
@@ -0,0 +1,145 @@
+/* crypto/conf/conf_def.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* THIS FILE WAS AUTOMAGICALLY GENERATED!
+   Please modify and use keysets.pl to regenerate it. */
+
+#define CONF_NUMBER             1
+#define CONF_UPPER              2
+#define CONF_LOWER              4
+#define CONF_UNDER              256
+#define CONF_PUNCTUATION        512
+#define CONF_WS                 16
+#define CONF_ESC                32
+#define CONF_QUOTE              64
+#define CONF_DQUOTE             1024
+#define CONF_COMMENT            128
+#define CONF_FCOMMENT           2048
+#define CONF_EOF                8
+#define CONF_ALPHA              (CONF_UPPER|CONF_LOWER)
+#define CONF_ALPHA_NUMERIC      (CONF_ALPHA|CONF_NUMBER|CONF_UNDER)
+#define CONF_ALPHA_NUMERIC_PUNCT (CONF_ALPHA|CONF_NUMBER|CONF_UNDER| \
+                                        CONF_PUNCTUATION)
+
+#define KEYTYPES(c)             ((unsigned short *)((c)->meth_data))
+#ifndef CHARSET_EBCDIC
+#define IS_COMMENT(c,a)         (KEYTYPES(c)[(a)&0x7f]&CONF_COMMENT)
+#define IS_FCOMMENT(c,a)        (KEYTYPES(c)[(a)&0x7f]&CONF_FCOMMENT)
+#define IS_EOF(c,a)             (KEYTYPES(c)[(a)&0x7f]&CONF_EOF)
+#define IS_ESC(c,a)             (KEYTYPES(c)[(a)&0x7f]&CONF_ESC)
+#define IS_NUMBER(c,a)          (KEYTYPES(c)[(a)&0x7f]&CONF_NUMBER)
+#define IS_WS(c,a)              (KEYTYPES(c)[(a)&0x7f]&CONF_WS)
+#define IS_ALPHA_NUMERIC(c,a)   (KEYTYPES(c)[(a)&0x7f]&CONF_ALPHA_NUMERIC)
+#define IS_ALPHA_NUMERIC_PUNCT(c,a) \
+                                (KEYTYPES(c)[(a)&0x7f]&CONF_ALPHA_NUMERIC_PUNCT)
+#define IS_QUOTE(c,a)           (KEYTYPES(c)[(a)&0x7f]&CONF_QUOTE)
+#define IS_DQUOTE(c,a)          (KEYTYPES(c)[(a)&0x7f]&CONF_DQUOTE)
+
+#else /*CHARSET_EBCDIC*/
+
+#define IS_COMMENT(c,a)         (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_COMMENT)
+#define IS_FCOMMENT(c,a)        (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_FCOMMENT)
+#define IS_EOF(c,a)             (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_EOF)
+#define IS_ESC(c,a)             (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_ESC)
+#define IS_NUMBER(c,a)          (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_NUMBER)
+#define IS_WS(c,a)              (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_WS)
+#define IS_ALPHA_NUMERIC(c,a)   (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_ALPHA_NUMERIC)
+#define IS_ALPHA_NUMERIC_PUNCT(c,a) \
+                                (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_ALPHA_NUMERIC_PUNCT)
+#define IS_QUOTE(c,a)           (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_QUOTE)
+#define IS_DQUOTE(c,a)          (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_DQUOTE)
+#endif /*CHARSET_EBCDIC*/
+
+static unsigned short CONF_type_default[128]={
+        0x008,0x000,0x000,0x000,0x000,0x000,0x000,0x000,
+        0x000,0x010,0x010,0x000,0x000,0x010,0x000,0x000,
+        0x000,0x000,0x000,0x000,0x000,0x000,0x000,0x000,
+        0x000,0x000,0x000,0x000,0x000,0x000,0x000,0x000,
+        0x010,0x200,0x040,0x080,0x000,0x200,0x200,0x040,
+        0x000,0x000,0x200,0x200,0x200,0x200,0x200,0x200,
+        0x001,0x001,0x001,0x001,0x001,0x001,0x001,0x001,
+        0x001,0x001,0x000,0x200,0x000,0x000,0x000,0x200,
+        0x200,0x002,0x002,0x002,0x002,0x002,0x002,0x002,
+        0x002,0x002,0x002,0x002,0x002,0x002,0x002,0x002,
+        0x002,0x002,0x002,0x002,0x002,0x002,0x002,0x002,
+        0x002,0x002,0x002,0x000,0x020,0x000,0x200,0x100,
+        0x040,0x004,0x004,0x004,0x004,0x004,0x004,0x004,
+        0x004,0x004,0x004,0x004,0x004,0x004,0x004,0x004,
+        0x004,0x004,0x004,0x004,0x004,0x004,0x004,0x004,
+        0x004,0x004,0x004,0x000,0x200,0x000,0x200,0x000,
+        };
+
+static unsigned short CONF_type_win32[128]={
+        0x008,0x000,0x000,0x000,0x000,0x000,0x000,0x000,
+        0x000,0x010,0x010,0x000,0x000,0x010,0x000,0x000,
+        0x000,0x000,0x000,0x000,0x000,0x000,0x000,0x000,
+        0x000,0x000,0x000,0x000,0x000,0x000,0x000,0x000,
+        0x010,0x200,0x400,0x000,0x000,0x200,0x200,0x000,
+        0x000,0x000,0x200,0x200,0x200,0x200,0x200,0x200,
+        0x001,0x001,0x001,0x001,0x001,0x001,0x001,0x001,
+        0x001,0x001,0x000,0xA00,0x000,0x000,0x000,0x200,
+        0x200,0x002,0x002,0x002,0x002,0x002,0x002,0x002,
+        0x002,0x002,0x002,0x002,0x002,0x002,0x002,0x002,
+        0x002,0x002,0x002,0x002,0x002,0x002,0x002,0x002,
+        0x002,0x002,0x002,0x000,0x000,0x000,0x200,0x100,
+        0x000,0x004,0x004,0x004,0x004,0x004,0x004,0x004,
+        0x004,0x004,0x004,0x004,0x004,0x004,0x004,0x004,
+        0x004,0x004,0x004,0x004,0x004,0x004,0x004,0x004,
+        0x004,0x004,0x004,0x000,0x200,0x000,0x200,0x000,
+        };
+
diff --git a/src/lib/libssl/src/crypto/conf/conf_lib.c b/src/lib/libssl/src/crypto/conf/conf_lib.c
new file mode 100644
index 0000000000..4c8ca9e9ae
--- /dev/null
+++ b/src/lib/libssl/src/crypto/conf/conf_lib.c
@@ -0,0 +1,352 @@
+/* conf_lib.c */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/conf.h>
+#include <openssl/conf_api.h>
+#include <openssl/lhash.h>
+
+const char *CONF_version="CONF" OPENSSL_VERSION_PTEXT;
+
+static CONF_METHOD *default_CONF_method=NULL;
+
+/* The following section contains the "CONF classic" functions,
+   rewritten in terms of the new CONF interface. */
+
+int CONF_set_default_method(CONF_METHOD *meth)
+        {
+        default_CONF_method = meth;
+        return 1;
+        }
+
+LHASH *CONF_load(LHASH *conf, const char *file, long *eline)
+        {
+        LHASH *ltmp;
+        BIO *in=NULL;
+
+#ifdef VMS
+        in=BIO_new_file(file, "r");
+#else
+        in=BIO_new_file(file, "rb");
+#endif
+        if (in == NULL)
+                {
+                CONFerr(CONF_F_CONF_LOAD,ERR_R_SYS_LIB);
+                return NULL;
+                }
+
+        ltmp = CONF_load_bio(conf, in, eline);
+        BIO_free(in);
+
+        return ltmp;
+        }
+
+#ifndef NO_FP_API
+LHASH *CONF_load_fp(LHASH *conf, FILE *fp,long *eline)
+        {
+        BIO *btmp;
+        LHASH *ltmp;
+        if(!(btmp = BIO_new_fp(fp, BIO_NOCLOSE))) {
+                CONFerr(CONF_F_CONF_LOAD_FP,ERR_R_BUF_LIB);
+                return NULL;
+        }
+        ltmp = CONF_load_bio(conf, btmp, eline);
+        BIO_free(btmp);
+        return ltmp;
+        }
+#endif
+
+LHASH *CONF_load_bio(LHASH *conf, BIO *bp,long *eline)
+        {
+        CONF ctmp;
+        int ret;
+
+        if (default_CONF_method == NULL)
+                default_CONF_method = NCONF_default();
+
+        default_CONF_method->init(&ctmp);
+        ctmp.data = conf;
+        ret = NCONF_load_bio(&ctmp, bp, eline);
+        if (ret)
+                return ctmp.data;
+        return NULL;
+        }
+
+STACK_OF(CONF_VALUE) *CONF_get_section(LHASH *conf,char *section)
+        {
+        CONF ctmp;
+
+        if (default_CONF_method == NULL)
+                default_CONF_method = NCONF_default();
+
+        default_CONF_method->init(&ctmp);
+        ctmp.data = conf;
+        return NCONF_get_section(&ctmp, section);
+        }
+
+char *CONF_get_string(LHASH *conf,char *group,char *name)
+        {
+        CONF ctmp;
+
+        if (default_CONF_method == NULL)
+                default_CONF_method = NCONF_default();
+
+        default_CONF_method->init(&ctmp);
+        ctmp.data = conf;
+        return NCONF_get_string(&ctmp, group, name);
+        }
+
+long CONF_get_number(LHASH *conf,char *group,char *name)
+        {
+        CONF ctmp;
+
+        if (default_CONF_method == NULL)
+                default_CONF_method = NCONF_default();
+
+        default_CONF_method->init(&ctmp);
+        ctmp.data = conf;
+        return NCONF_get_number(&ctmp, group, name);
+        }
+
+void CONF_free(LHASH *conf)
+        {
+        CONF ctmp;
+
+        if (default_CONF_method == NULL)
+                default_CONF_method = NCONF_default();
+
+        default_CONF_method->init(&ctmp);
+        ctmp.data = conf;
+        NCONF_free_data(&ctmp);
+        }
+
+#ifndef NO_FP_API
+int CONF_dump_fp(LHASH *conf, FILE *out)
+        {
+        BIO *btmp;
+        int ret;
+
+        if(!(btmp = BIO_new_fp(out, BIO_NOCLOSE))) {
+                CONFerr(CONF_F_CONF_DUMP_FP,ERR_R_BUF_LIB);
+                return 0;
+        }
+        ret = CONF_dump_bio(conf, btmp);
+        BIO_free(btmp);
+        return ret;
+        }
+#endif
+
+int CONF_dump_bio(LHASH *conf, BIO *out)
+        {
+        CONF ctmp;
+
+        if (default_CONF_method == NULL)
+                default_CONF_method = NCONF_default();
+
+        default_CONF_method->init(&ctmp);
+        ctmp.data = conf;
+        return NCONF_dump_bio(&ctmp, out);
+        }
+
+/* The following section contains the "New CONF" functions.  They are
+   completely centralised around a new CONF structure that may contain
+   basically anything, but at least a method pointer and a table of data.
+   These functions are also written in terms of the bridge functions used
+   by the "CONF classic" functions, for consistency.  */
+
+CONF *NCONF_new(CONF_METHOD *meth)
+        {
+        CONF *ret;
+
+        if (meth == NULL)
+                meth = NCONF_default();
+
+        ret = meth->create(meth);
+        if (ret == NULL)
+                {
+                CONFerr(CONF_F_NCONF_NEW,ERR_R_MALLOC_FAILURE);
+                return(NULL);
+                }
+
+        return ret;
+        }
+
+void NCONF_free(CONF *conf)
+        {
+        if (conf == NULL)
+                return;
+        conf->meth->destroy(conf);
+        }
+
+void NCONF_free_data(CONF *conf)
+        {
+        if (conf == NULL)
+                return;
+        conf->meth->destroy_data(conf);
+        }
+
+int NCONF_load(CONF *conf, const char *file, long *eline)
+        {
+        int ret;
+        BIO *in=NULL;
+
+#ifdef VMS
+        in=BIO_new_file(file, "r");
+#else
+        in=BIO_new_file(file, "rb");
+#endif
+        if (in == NULL)
+                {
+                CONFerr(CONF_F_CONF_LOAD,ERR_R_SYS_LIB);
+                return 0;
+                }
+
+        ret = NCONF_load_bio(conf, in, eline);
+        BIO_free(in);
+
+        return ret;
+        }
+
+#ifndef NO_FP_API
+int NCONF_load_fp(CONF *conf, FILE *fp,long *eline)
+        {
+        BIO *btmp;
+        int ret;
+        if(!(btmp = BIO_new_fp(fp, BIO_NOCLOSE)))
+                {
+                CONFerr(CONF_F_CONF_LOAD_FP,ERR_R_BUF_LIB);
+                return 0;
+                }
+        ret = NCONF_load_bio(conf, btmp, eline);
+        BIO_free(btmp);
+        return ret;
+        }
+#endif
+
+int NCONF_load_bio(CONF *conf, BIO *bp,long *eline)
+        {
+        if (conf == NULL)
+                {
+                CONFerr(CONF_F_NCONF_LOAD_BIO,CONF_R_NO_CONF);
+                return 0;
+                }
+
+        return conf->meth->load(conf, bp, eline);
+        }
+
+STACK_OF(CONF_VALUE) *NCONF_get_section(CONF *conf,char *section)
+        {
+        if (conf == NULL)
+                {
+                CONFerr(CONF_F_NCONF_GET_SECTION,CONF_R_NO_CONF);
+                return NULL;
+                }
+
+        return _CONF_get_section_values(conf, section);
+        }
+
+char *NCONF_get_string(CONF *conf,char *group,char *name)
+        {
+        if (conf == NULL)
+                {
+                CONFerr(CONF_F_NCONF_GET_STRING,CONF_R_NO_CONF);
+                return NULL;
+                }
+
+        return _CONF_get_string(conf, group, name);
+        }
+
+long NCONF_get_number(CONF *conf,char *group,char *name)
+        {
+        if (conf == NULL)
+                {
+                CONFerr(CONF_F_NCONF_GET_NUMBER,CONF_R_NO_CONF);
+                return 0;
+                }
+        
+        return _CONF_get_number(conf, group, name);
+        }
+
+#ifndef NO_FP_API
+int NCONF_dump_fp(CONF *conf, FILE *out)
+        {
+        BIO *btmp;
+        int ret;
+        if(!(btmp = BIO_new_fp(out, BIO_NOCLOSE))) {
+                CONFerr(CONF_F_NCONF_DUMP_FP,ERR_R_BUF_LIB);
+                return 0;
+        }
+        ret = NCONF_dump_bio(conf, btmp);
+        BIO_free(btmp);
+        return ret;
+        }
+#endif
+
+int NCONF_dump_bio(CONF *conf, BIO *out)
+        {
+        if (conf == NULL)
+                {
+                CONFerr(CONF_F_NCONF_DUMP_BIO,CONF_R_NO_CONF);
+                return 0;
+                }
+
+        return conf->meth->dump(conf, out);
+        }
+
diff --git a/src/lib/libssl/src/crypto/conf/conf_mall.c b/src/lib/libssl/src/crypto/conf/conf_mall.c
new file mode 100644
index 0000000000..d702af689b
--- /dev/null
+++ b/src/lib/libssl/src/crypto/conf/conf_mall.c
@@ -0,0 +1,76 @@
+/* conf_mall.c */
+/* Written by Stephen Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/dso.h>
+#include <openssl/x509.h>
+#include <openssl/asn1.h>
+#include <openssl/engine.h>
+
+/* Load all OpenSSL builtin modules */
+
+void OPENSSL_load_builtin_modules(void)
+        {
+        /* Add builtin modules here */
+        ASN1_add_oid_module();
+        ENGINE_add_conf_module();
+        }
+
diff --git a/src/lib/libssl/src/crypto/conf/conf_mod.c b/src/lib/libssl/src/crypto/conf/conf_mod.c
new file mode 100644
index 0000000000..f92babc2e2
--- /dev/null
+++ b/src/lib/libssl/src/crypto/conf/conf_mod.c
@@ -0,0 +1,616 @@
+/* conf_mod.c */
+/* Written by Stephen Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <ctype.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/dso.h>
+#include <openssl/x509.h>
+
+
+#define DSO_mod_init_name "OPENSSL_init"
+#define DSO_mod_finish_name "OPENSSL_finish"
+
+
+/* This structure contains a data about supported modules.
+ * entries in this table correspond to either dynamic or
+ * static modules.
+ */
+
+struct conf_module_st
+        {
+        /* DSO of this module or NULL if static */
+        DSO *dso;
+        /* Name of the module */
+        char *name;
+        /* Init function */
+        conf_init_func *init; 
+        /* Finish function */
+        conf_finish_func *finish;
+        /* Number of successfully initialized modules */
+        int links;
+        void *usr_data;
+        };
+
+
+/* This structure contains information about modules that have been
+ * successfully initialized. There may be more than one entry for a
+ * given module.
+ */
+
+struct conf_imodule_st
+        {
+        CONF_MODULE *pmod;
+        char *name;
+        char *value;
+        unsigned long flags;
+        void *usr_data;
+        };
+
+static STACK_OF(CONF_MODULE) *supported_modules = NULL;
+static STACK_OF(CONF_IMODULE) *initialized_modules = NULL;
+
+static void module_free(CONF_MODULE *md);
+static void module_finish(CONF_IMODULE *imod);
+static int module_run(const CONF *cnf, char *name, char *value,
+                                          unsigned long flags);
+static CONF_MODULE *module_add(DSO *dso, const char *name,
+                        conf_init_func *ifunc, conf_finish_func *ffunc);
+static CONF_MODULE *module_find(char *name);
+static int module_init(CONF_MODULE *pmod, char *name, char *value,
+                                           const CONF *cnf);
+static CONF_MODULE *module_load_dso(const CONF *cnf, char *name, char *value,
+                                                                        unsigned long flags);
+
+/* Main function: load modules from a CONF structure */
+
+int CONF_modules_load(const CONF *cnf, const char *appname,
+                      unsigned long flags)
+        {
+        STACK_OF(CONF_VALUE) *values;
+        CONF_VALUE *vl;
+        char *vsection;
+
+        int ret, i;
+
+        if (!cnf)
+                return 1;
+
+        if (appname == NULL)
+                appname = "openssl_conf";
+
+        vsection = NCONF_get_string(cnf, NULL, appname); 
+
+        if (!vsection)
+                {
+                ERR_clear_error();
+                return 1;
+                }
+
+        values = NCONF_get_section(cnf, vsection);
+
+        if (!values)
+                return 0;
+
+        for (i = 0; i < sk_CONF_VALUE_num(values); i++)
+                {
+                vl = sk_CONF_VALUE_value(values, i);
+                ret = module_run(cnf, vl->name, vl->value, flags);
+                if (ret <= 0)
+                        if(!(flags & CONF_MFLAGS_IGNORE_ERRORS))
+                                return ret;
+                }
+
+        return 1;
+
+        }
+
+int CONF_modules_load_file(const char *filename, const char *appname,
+                           unsigned long flags)
+        {
+        char *file = NULL;
+        CONF *conf = NULL;
+        int ret = 0;
+        conf = NCONF_new(NULL);
+        if (!conf)
+                goto err;
+
+        if (filename == NULL)
+                {
+                file = CONF_get1_default_config_file();
+                if (!file)
+                        goto err;
+                }
+        else
+                file = (char *)filename;
+
+        if (NCONF_load(conf, file, NULL) <= 0)
+                {
+                if ((flags & CONF_MFLAGS_IGNORE_MISSING_FILE) &&
+                  (ERR_GET_REASON(ERR_peek_last_error()) == CONF_R_NO_SUCH_FILE))
+                        {
+                        ERR_clear_error();
+                        ret = 1;
+                        }
+                goto err;
+                }
+
+        ret = CONF_modules_load(conf, appname, flags);
+
+        err:
+        if (filename == NULL)
+                OPENSSL_free(file);
+        NCONF_free(conf);
+
+        return ret;
+        }
+
+static int module_run(const CONF *cnf, char *name, char *value,
+                      unsigned long flags)
+        {
+        CONF_MODULE *md;
+        int ret;
+
+        md = module_find(name);
+
+        /* Module not found: try to load DSO */
+        if (!md && !(flags & CONF_MFLAGS_NO_DSO))
+                md = module_load_dso(cnf, name, value, flags);
+
+        if (!md)
+                {
+                if (!(flags & CONF_MFLAGS_SILENT))
+                        {
+                        CONFerr(CONF_F_MODULE_RUN, CONF_R_UNKNOWN_MODULE_NAME);
+                        ERR_add_error_data(2, "module=", name);
+                        }
+                return -1;
+                }
+
+        ret = module_init(md, name, value, cnf);
+
+        if (ret <= 0)
+                {
+                if (!(flags & CONF_MFLAGS_SILENT))
+                        {
+                        char rcode[10];
+                        CONFerr(CONF_F_CONF_MODULES_LOAD, CONF_R_MODULE_INITIALIZATION_ERROR);
+                        sprintf(rcode, "%-8d", ret);
+                        ERR_add_error_data(6, "module=", name, ", value=", value, ", retcode=", rcode);
+                        }
+                }
+
+        return ret;
+        }
+
+/* Load a module from a DSO */
+static CONF_MODULE *module_load_dso(const CONF *cnf, char *name, char *value,
+                                    unsigned long flags)
+        {
+        DSO *dso = NULL;
+        conf_init_func *ifunc;
+        conf_finish_func *ffunc;
+        char *path = NULL;
+        int errcode = 0;
+        CONF_MODULE *md;
+        /* Look for alternative path in module section */
+        path = NCONF_get_string(cnf, value, "path");
+        if (!path)
+                {
+                ERR_get_error();
+                path = name;
+                }
+        dso = DSO_load(NULL, path, NULL, 0);
+        if (!dso)
+                {
+                errcode = CONF_R_ERROR_LOADING_DSO;
+                goto err;
+                }
+        ifunc = (conf_init_func *)DSO_bind_func(dso, DSO_mod_init_name);
+        if (!ifunc)
+                {
+                errcode = CONF_R_MISSING_INIT_FUNCTION;
+                goto err;
+                }
+        ffunc = (conf_finish_func *)DSO_bind_func(dso, DSO_mod_finish_name);
+        /* All OK, add module */
+        md = module_add(dso, name, ifunc, ffunc);
+
+        if (!md)
+                goto err;
+
+        return md;
+
+        err:
+        if (dso)
+                DSO_free(dso);
+        CONFerr(CONF_F_MODULE_LOAD_DSO, errcode);
+        ERR_add_error_data(4, "module=", name, ", path=", path);
+        return NULL;
+        }
+
+/* add module to list */
+static CONF_MODULE *module_add(DSO *dso, const char *name,
+                               conf_init_func *ifunc, conf_finish_func *ffunc)
+        {
+        CONF_MODULE *tmod = NULL;
+        if (supported_modules == NULL)
+                supported_modules = sk_CONF_MODULE_new_null();
+        if (supported_modules == NULL)
+                return NULL;
+        tmod = OPENSSL_malloc(sizeof(CONF_MODULE));
+        if (tmod == NULL)
+                return NULL;
+
+        tmod->dso = dso;
+        tmod->name = BUF_strdup(name);
+        tmod->init = ifunc;
+        tmod->finish = ffunc;
+        tmod->links = 0;
+
+        if (!sk_CONF_MODULE_push(supported_modules, tmod))
+                {
+                OPENSSL_free(tmod);
+                return NULL;
+                }
+
+        return tmod;
+        }
+
+/* Find a module from the list. We allow module names of the
+ * form modname.XXXX to just search for modname to allow the
+ * same module to be initialized more than once.
+ */
+
+static CONF_MODULE *module_find(char *name)
+        {
+        CONF_MODULE *tmod;
+        int i, nchar;
+        char *p;
+        p = strrchr(name, '.');
+
+        if (p)
+                nchar = p - name;
+        else 
+                nchar = strlen(name);
+
+        for (i = 0; i < sk_CONF_MODULE_num(supported_modules); i++)
+                {
+                tmod = sk_CONF_MODULE_value(supported_modules, i);
+                if (!strncmp(tmod->name, name, nchar))
+                        return tmod;
+                }
+
+        return NULL;
+
+        }
+
+/* initialize a module */
+static int module_init(CONF_MODULE *pmod, char *name, char *value,
+                       const CONF *cnf)
+        {
+        int ret = 1;
+        int init_called = 0;
+        CONF_IMODULE *imod = NULL;
+
+        /* Otherwise add initialized module to list */
+        imod = OPENSSL_malloc(sizeof(CONF_IMODULE));
+        if (!imod)
+                goto err;
+
+        imod->pmod = pmod;
+        imod->name = BUF_strdup(name);
+        imod->value = BUF_strdup(value);
+        imod->usr_data = NULL;
+
+        if (!imod->name || !imod->value)
+                goto memerr;
+
+        /* Try to initialize module */
+        if(pmod->init)
+                {
+                ret = pmod->init(imod, cnf);
+                init_called = 1;
+                /* Error occurred, exit */
+                if (ret <= 0)
+                        goto err;
+                }
+
+        if (initialized_modules == NULL)
+                {
+                initialized_modules = sk_CONF_IMODULE_new_null();
+                if (!initialized_modules)
+                        {
+                        CONFerr(CONF_F_MODULE_INIT, ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
+                }
+
+        if (!sk_CONF_IMODULE_push(initialized_modules, imod))
+                {
+                CONFerr(CONF_F_MODULE_INIT, ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
+
+        pmod->links++;
+
+        return ret;
+
+        err:
+
+        /* We've started the module so we'd better finish it */
+        if (pmod->finish && init_called)
+                pmod->finish(imod);
+
+        memerr:
+        if (imod)
+                {
+                if (imod->name)
+                        OPENSSL_free(imod->name);
+                if (imod->value)
+                        OPENSSL_free(imod->value);
+                OPENSSL_free(imod);
+                }
+
+        return -1;
+
+        }
+
+/* Unload any dynamic modules that have a link count of zero:
+ * i.e. have no active initialized modules. If 'all' is set
+ * then all modules are unloaded including static ones.
+ */
+
+void CONF_modules_unload(int all)
+        {
+        int i;
+        CONF_MODULE *md;
+        CONF_modules_finish();
+        /* unload modules in reverse order */
+        for (i = sk_CONF_MODULE_num(supported_modules) - 1; i >= 0; i--)
+                {
+                md = sk_CONF_MODULE_value(supported_modules, i);
+                /* If static or in use and 'all' not set ignore it */
+                if (((md->links > 0) || !md->dso) && !all)
+                        continue;
+                /* Since we're working in reverse this is OK */
+                sk_CONF_MODULE_delete(supported_modules, i);
+                module_free(md);
+                }
+        if (sk_CONF_MODULE_num(supported_modules) == 0)
+                {
+                sk_CONF_MODULE_free(supported_modules);
+                supported_modules = NULL;
+                }
+        }
+
+/* unload a single module */
+static void module_free(CONF_MODULE *md)
+        {
+        if (md->dso)
+                DSO_free(md->dso);
+        OPENSSL_free(md->name);
+        OPENSSL_free(md);
+        }
+
+/* finish and free up all modules instances */
+
+void CONF_modules_finish(void)
+        {
+        CONF_IMODULE *imod;
+        while (sk_CONF_IMODULE_num(initialized_modules) > 0)
+                {
+                imod = sk_CONF_IMODULE_pop(initialized_modules);
+                module_finish(imod);
+                }
+        sk_CONF_IMODULE_free(initialized_modules);
+        initialized_modules = NULL;
+        }
+
+/* finish a module instance */
+
+static void module_finish(CONF_IMODULE *imod)
+        {
+        if (imod->pmod->finish)
+                imod->pmod->finish(imod);
+        imod->pmod->links--;
+        OPENSSL_free(imod->name);
+        OPENSSL_free(imod->value);
+        OPENSSL_free(imod);
+        }
+
+/* Add a static module to OpenSSL */
+
+int CONF_module_add(const char *name, conf_init_func *ifunc, 
+                    conf_finish_func *ffunc)
+        {
+        if (module_add(NULL, name, ifunc, ffunc))
+                return 1;
+        else
+                return 0;
+        }
+
+void CONF_modules_free(void)
+        {
+        CONF_modules_finish();
+        CONF_modules_unload(1);
+        }
+
+/* Utility functions */
+
+const char *CONF_imodule_get_name(const CONF_IMODULE *md)
+        {
+        return md->name;
+        }
+
+const char *CONF_imodule_get_value(const CONF_IMODULE *md)
+        {
+        return md->value;
+        }
+
+void *CONF_imodule_get_usr_data(const CONF_IMODULE *md)
+        {
+        return md->usr_data;
+        }
+
+void CONF_imodule_set_usr_data(CONF_IMODULE *md, void *usr_data)
+        {
+        md->usr_data = usr_data;
+        }
+
+CONF_MODULE *CONF_imodule_get_module(const CONF_IMODULE *md)
+        {
+        return md->pmod;
+        }
+
+unsigned long CONF_imodule_get_flags(const CONF_IMODULE *md)
+        {
+        return md->flags;
+        }
+
+void CONF_imodule_set_flags(CONF_IMODULE *md, unsigned long flags)
+        {
+        md->flags = flags;
+        }
+
+void *CONF_module_get_usr_data(CONF_MODULE *pmod)
+        {
+        return pmod->usr_data;
+        }
+
+void CONF_module_set_usr_data(CONF_MODULE *pmod, void *usr_data)
+        {
+        pmod->usr_data = usr_data;
+        }
+
+/* Return default config file name */
+
+char *CONF_get1_default_config_file(void)
+        {
+        char *file;
+        int len;
+
+        file = getenv("OPENSSL_CONF");
+        if (file) 
+                return BUF_strdup(file);
+
+        len = strlen(X509_get_default_cert_area());
+#ifndef OPENSSL_SYS_VMS
+        len++;
+#endif
+        len += strlen(OPENSSL_CONF);
+
+        file = OPENSSL_malloc(len + 1);
+
+        if (!file)
+                return NULL;
+        strcpy(file,X509_get_default_cert_area());
+#ifndef OPENSSL_SYS_VMS
+        strcat(file,"/");
+#endif
+        strcat(file,OPENSSL_CONF);
+
+        return file;
+        }
+
+/* This function takes a list separated by 'sep' and calls the
+ * callback function giving the start and length of each member
+ * optionally stripping leading and trailing whitespace. This can
+ * be used to parse comma separated lists for example.
+ */
+
+int CONF_parse_list(const char *list, int sep, int nospc,
+        int (*list_cb)(const char *elem, int len, void *usr), void *arg)
+        {
+        int ret;
+        const char *lstart, *tmpend, *p;
+        lstart = list;
+
+        for(;;)
+                {
+                if (nospc)
+                        {
+                        while(*lstart && isspace((unsigned char)*lstart))
+                                lstart++;
+                        }
+                p = strchr(lstart, sep);
+                if (p == lstart || !*lstart)
+                        ret = list_cb(NULL, 0, arg);
+                else
+                        {
+                        if (p)
+                                tmpend = p - 1;
+                        else 
+                                tmpend = lstart + strlen(lstart) - 1;
+                        if (nospc)
+                                {
+                                while(isspace((unsigned char)*tmpend))
+                                        tmpend--;
+                                }
+                        ret = list_cb(lstart, tmpend - lstart + 1, arg);
+                        }
+                if (ret <= 0)
+                        return ret;
+                if (p == NULL)
+                        return 1;
+                lstart = p + 1;
+                }
+        }
+
diff --git a/src/lib/libssl/src/crypto/conf/conf_sap.c b/src/lib/libssl/src/crypto/conf/conf_sap.c
new file mode 100644
index 0000000000..97fb174303
--- /dev/null
+++ b/src/lib/libssl/src/crypto/conf/conf_sap.c
@@ -0,0 +1,107 @@
+/* conf_sap.c */
+/* Written by Stephen Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/dso.h>
+#include <openssl/x509.h>
+#include <openssl/asn1.h>
+#include <openssl/engine.h>
+
+/* This is the automatic configuration loader: it is called automatically by
+ * OpenSSL when any of a number of standard initialisation functions are called,
+ * unless this is overridden by calling OPENSSL_no_config()
+ */
+
+static int openssl_configured = 0;
+
+void OPENSSL_config(const char *config_name)
+        {
+        if (openssl_configured)
+                return;
+
+        OPENSSL_load_builtin_modules();
+        /* Need to load ENGINEs */
+        ENGINE_load_builtin_engines();
+        /* Add others here? */
+
+
+        ERR_clear_error();
+        if (CONF_modules_load_file(NULL, NULL,
+                                        CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0)
+                {
+                BIO *bio_err;
+                ERR_load_crypto_strings();
+                if ((bio_err=BIO_new_fp(stderr, BIO_NOCLOSE)) != NULL)
+                        {
+                        BIO_printf(bio_err,"Auto configuration failed\n");
+                        ERR_print_errors(bio_err);
+                        BIO_free(bio_err);
+                        }
+                exit(1);
+                }
+
+        return;
+        }
+
+void OPENSSL_no_config()
+        {
+        openssl_configured = 1;
+        }
diff --git a/src/lib/libssl/src/crypto/crypto-lib.com b/src/lib/libssl/src/crypto/crypto-lib.com
new file mode 100644
index 0000000000..bf916528eb
--- /dev/null
+++ b/src/lib/libssl/src/crypto/crypto-lib.com
@@ -0,0 +1,1218 @@
+$!
+$!  CRYPTO-LIB.COM
+$!  Written By:  Robert Byer
+$!               Vice-President
+$!               A-Com Computing, Inc.
+$!               byer@mail.all-net.net
+$!
+$!  Changes by Richard Levitte <richard@levitte.org>
+$!
+$!  This command files compiles and creates the "[.xxx.EXE.CRYPTO]LIBCRYPTO.OLB" 
+$!  library for OpenSSL.  The "xxx" denotes the machine architecture of AXP
+$!  or VAX.
+$!
+$!  It was re-written so it would try to determine what "C" compiler to use 
+$!  or you can specify which "C" compiler to use.
+$!
+$!  Specify RSAREF as P1 to compile with the RSAREF library instead of
+$!  the regular one.  If you specify NORSAREF it will compile with the
+$!  regular RSAREF routines.  (Note: If you are in the United States
+$!  you MUST compile with RSAREF unless you have a license from RSA).
+$!
+$!  Note: The RSAREF libraries are NOT INCLUDED and you have to
+$!        download it from "ftp://ftp.rsa.com/rsaref".  You have to
+$!        get the ".tar-Z" file as the ".zip" file dosen't have the
+$!        directory structure stored.  You have to extract the file
+$!        into the [.RSAREF] directory under the root directory as that
+$!        is where the scripts will look for the files.
+$!
+$!  Specify DEBUG or NODEBUG as P2 to compile with or without debugger
+$!  information.
+$!
+$!  Specify which compiler at P3 to try to compile under.
+$!
+$!         VAXC  For VAX C.
+$!         DECC  For DEC C.
+$!         GNUC  For GNU C.
+$!
+$!  If you don't speficy a compiler, it will try to determine which
+$!  "C" compiler to use.
+$!
+$!  P4, if defined, sets a TCP/IP library to use, through one of the following
+$!  keywords:
+$!
+$!      UCX             for UCX
+$!      SOCKETSHR       for SOCKETSHR+NETLIB
+$!
+$!  P5, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
+$!
+$!  P6, if defined, sets a choice of crypto methods to compile.
+$!  WARNING: this should only be done to recompile some part of an already
+$!  fully compiled library.
+$!
+$!
+$! Define A TCP/IP Library That We Will Need To Link To.
+$! (That Is, If We Need To Link To One.)
+$!
+$ TCPIP_LIB = ""
+$!
+$! Check Which Architecture We Are Using.
+$!
+$ IF (F$GETSYI("CPU").GE.128)
+$ THEN
+$!
+$!  The Architecture Is AXP
+$!
+$   ARCH := AXP
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$!  The Architecture Is VAX.
+$!
+$   ARCH := VAX
+$!
+$! End The Architecture Check.
+$!
+$ ENDIF
+$!
+$! Define The Different Encryption Types.
+$!
+$ ENCRYPT_TYPES = ",MD2,MD5,SHA,MDC2,HMAC,RIPEMD,"+ -
+                  "DES,RC2,RC4,RC5,IDEA,BF,CAST,"+ -
+                  "BN,RSA,DSA,DH,"+ -
+                  "BUFFER,BIO,STACK,LHASH,RAND,ERR,OBJECTS,"+ -
+                  "EVP,EVP_2,ASN1,ASN1_2,PEM,X509,X509V3,"+ -
+                  "CONF,TXT_DB,PKCS7,PKCS12,COMP"
+$!
+$! Check To Make Sure We Have Valid Command Line Parameters.
+$!
+$ GOSUB CHECK_OPTIONS
+$!
+$! Initialise logical names and such
+$!
+$ GOSUB INITIALISE
+$!
+$! Tell The User What Kind of Machine We Run On.
+$!
+$ WRITE SYS$OUTPUT "Compiling On A ",ARCH," Machine."
+$!
+$! Define The OBJ Directory.
+$!
+$ OBJ_DIR := SYS$DISK:[-.'ARCH'.OBJ.CRYPTO]
+$!
+$! Check To See If The Architecture Specific OBJ Directory Exists.
+$!
+$ IF (F$PARSE(OBJ_DIR).EQS."")
+$ THEN
+$!
+$!  It Dosen't Exist, So Create It.
+$!
+$   CREATE/DIR 'OBJ_DIR'
+$!
+$! End The Architecture Specific OBJ Directory Check.
+$!
+$ ENDIF
+$!
+$! Define The EXE Directory.
+$!
+$ EXE_DIR := SYS$DISK:[-.'ARCH'.EXE.CRYPTO]
+$!
+$! Check To See If The Architecture Specific Directory Exists.
+$!
+$ IF (F$PARSE(EXE_DIR).EQS."")
+$ THEN
+$!
+$!  It Dosen't Exist, So Create It.
+$!
+$   CREATE/DIRECTORY 'EXE_DIR'
+$!
+$! End The Architecture Specific Directory Check.
+$!
+$ ENDIF
+$!
+$! Define The Library Name.
+$!
+$ LIB_NAME := 'EXE_DIR'LIBCRYPTO.OLB
+$!
+$! Check To See If We Already Have A "[.xxx.EXE.CRYPTO]LIBCRYPTO.OLB" Library...
+$!
+$ IF (F$SEARCH(LIB_NAME).EQS."")
+$ THEN
+$!
+$! Guess Not, Create The Library.
+$!
+$   LIBRARY/CREATE/OBJECT 'LIB_NAME'
+$!
+$! End The Library Check.
+$!
+$ ENDIF
+$!
+$! Define The Different Encryption "library" Strings.
+$!
+$ LIB_ = "cryptlib,mem,cversion,ex_data,tmdiff,cpt_err"
+$ LIB_MD2 = "md2_dgst,md2_one"
+$ LIB_MD5 = "md5_dgst,md5_one"
+$ LIB_SHA = "sha_dgst,sha1dgst,sha_one,sha1_one"
+$ LIB_MDC2 = "mdc2dgst,mdc2_one"
+$ LIB_HMAC = "hmac"
+$ LIB_RIPEMD = "rmd_dgst,rmd_one"
+$ LIB_DES = "set_key,ecb_enc,cbc_enc,"+ -
+        "ecb3_enc,cfb64enc,cfb64ede,cfb_enc,ofb64ede,"+ -
+        "enc_read,enc_writ,ofb64enc,"+ -
+        "ofb_enc,str2key,pcbc_enc,qud_cksm,rand_key,"+ -
+        "des_enc,fcrypt_b,read2pwd,"+ -
+        "fcrypt,xcbc_enc,read_pwd,rpc_enc,cbc_cksm,supp,ede_cbcm_enc"
+$ LIB_RC2 = "rc2_ecb,rc2_skey,rc2_cbc,rc2cfb64,rc2ofb64"
+$ LIB_RC4 = "rc4_skey,rc4_enc"
+$ LIB_RC5 = "rc5_skey,rc5_ecb,rc5_enc,rc5cfb64,rc5ofb64"
+$ LIB_IDEA = "i_cbc,i_cfb64,i_ofb64,i_ecb,i_skey"
+$ LIB_BF = "bf_skey,bf_ecb,bf_enc,bf_cfb64,bf_ofb64"
+$ LIB_CAST = "c_skey,c_ecb,c_enc,c_cfb64,c_ofb64"
+$ LIB_BN_ASM = "[.asm]vms.mar,vms-helper"
+$ IF F$TRNLNM("OPENSSL_NO_ASM") .NES. "" THEN LIB_BN_ASM = "bn_asm"
+$ LIB_BN = "bn_add,bn_div,bn_exp,bn_lib,bn_mul,"+ -
+        "bn_print,bn_rand,bn_shift,bn_word,bn_blind,"+ -
+        "bn_gcd,bn_prime,bn_err,bn_sqr,"+LIB_BN_ASM+",bn_recp,bn_mont,"+ -
+        "bn_mpi,bn_exp2"
+$ LIB_RSA = "rsa_eay,rsa_gen,rsa_lib,rsa_sign,rsa_saos,rsa_err,"+ -
+        "rsa_pk1,rsa_ssl,rsa_none,rsa_oaep,rsa_chk"
+$ LIB_DSA = "dsa_gen,dsa_key,dsa_lib,dsa_asn1,dsa_vrf,dsa_sign,dsa_err"
+$ LIB_DH = "dh_gen,dh_key,dh_lib,dh_check,dh_err"
+$ LIB_BUFFER = "buffer,buf_err"
+$ LIB_BIO = "bio_lib,bio_cb,bio_err,"+ -
+        "bss_mem,bss_null,bss_fd,"+ -
+        "bss_file,bss_sock,bss_conn,"+ -
+        "bf_null,bf_buff,b_print,b_dump,"+ -
+        "b_sock,bss_acpt,bf_nbio,bss_rtcp,bss_bio" ! + ",bss_log" for syslog
+$ LIB_STACK = "stack"
+$ LIB_LHASH = "lhash,lh_stats"
+$ LIB_RAND = "md_rand,randfile,rand_lib"
+$ LIB_ERR = "err,err_all,err_prn"
+$ LIB_OBJECTS = "o_names,obj_dat,obj_lib,obj_err"
+$ LIB_EVP = "encode,digest,evp_enc,evp_key,"+ -
+        "e_ecb_d,e_cbc_d,e_cfb_d,e_ofb_d,"+ -
+        "e_ecb_i,e_cbc_i,e_cfb_i,e_ofb_i,"+ -
+        "e_ecb_3d,e_cbc_3d,e_rc4,names,"+ -
+        "e_cfb_3d,e_ofb_3d,e_xcbc_d,"+ -
+        "e_ecb_r2,e_cbc_r2,e_cfb_r2,e_ofb_r2,"+ -
+        "e_ecb_bf,e_cbc_bf,e_cfb_bf,e_ofb_bf"
+$ LIB_EVP_2 = "e_ecb_c,e_cbc_c,e_cfb_c,e_ofb_c,"+ -
+        "e_ecb_r5,e_cbc_r5,e_cfb_r5,e_ofb_r5,"+ -
+        "m_null,m_md2,m_md5,m_sha,m_sha1,m_dss,m_dss1,m_mdc2,"+ -
+        "m_ripemd,"+ -
+        "p_open,p_seal,p_sign,p_verify,p_lib,p_enc,p_dec,"+ -
+        "bio_md,bio_b64,bio_enc,evp_err,e_null,"+ -
+        "c_all,evp_lib,bio_ok,evp_pkey,evp_pbe,p5_crpt,p5_crpt2"
+$ LIB_ASN1 = "a_object,a_bitstr,a_utctm,a_gentm,a_time,a_int,a_octet,"+ -
+        "a_print,a_type,a_set,a_dup,a_d2i_fp,a_i2d_fp,a_bmp,"+ -
+        "a_enum,a_vis,a_utf8,a_sign,a_digest,a_verify,"+ -
+        "x_algor,x_val,x_pubkey,x_sig,x_req,x_attrib,"+ -
+        "x_name,x_cinf,x_x509,x_crl,x_info,x_spki,nsseq,"+ -
+        "d2i_r_pr,i2d_r_pr,d2i_r_pu,i2d_r_pu,"+ -
+        "d2i_s_pr,i2d_s_pr,d2i_s_pu,i2d_s_pu,"+ -
+        "d2i_pu,d2i_pr,i2d_pu,i2d_pr"
+$ LIB_ASN1_2 = "t_req,t_x509,t_crl,t_pkey,"+ -
+        "p7_i_s,p7_signi,p7_signd,p7_recip,p7_enc_c,p7_evp,"+ -
+        "p7_dgst,p7_s_e,p7_enc,p7_lib,"+ -
+        "f_int,f_string,i2d_dhp,i2d_dsap,d2i_dhp,d2i_dsap,n_pkey,"+ -
+        "f_enum,a_hdr,x_pkey,a_bool,x_exten,"+ -
+        "asn1_par,asn1_lib,asn1_err,a_meth,a_bytes,"+ -
+        "evp_asn1,asn_pack,p5_pbe,p5_pbev2,p8_pkey"
+$ LIB_PEM = "pem_sign,pem_seal,pem_info,pem_lib,pem_all,pem_err"
+$ LIB_X509 = "x509_def,x509_d2,x509_r2x,x509_cmp,"+ -
+        "x509_obj,x509_req,x509_vfy,"+ -
+        "x509_set,x509rset,x509_err,"+ -
+        "x509name,x509_v3,x509_ext,"+ -
+        "x509type,x509_lu,x_all,x509_txt,"+ -
+        "by_file,by_dir"
+$ LIB_X509V3 = "v3_bcons,v3_bitst,v3_conf,v3_extku,v3_ia5,v3_lib,"+ -
+        "v3_prn,v3_utl,v3err,v3_genn,v3_alt,v3_skey,v3_akey,v3_pku,"+ -
+        "v3_int,v3_enum,v3_sxnet,v3_cpols,v3_crld"
+$ LIB_CONF = "conf,conf_err"
+$ LIB_TXT_DB = "txt_db"
+$ LIB_PKCS7 = "pk7_lib,pkcs7err,pk7_doit"
+$ LIB_PKCS12 = "p12_add,p12_attr,p12_bags,p12_crpt,p12_crt,p12_decr,"+ -
+        "p12_init,p12_key,p12_kiss,p12_lib,p12_mac,p12_mutl,"+ -
+        "p12_sbag,p12_utl,pk12err"
+$ LIB_COMP = "comp_lib,"+ -
+        "c_rle,c_zlib"
+$!
+$! Setup exceptional compilations
+$!
+$ COMPILEWITH_CC3 = ",bss_rtcp,"
+$ COMPILEWITH_CC4 = ",a_utctm,"
+$ COMPILEWITH_CC5 = ",md2_dgst,md5_dgst,mdc2dgst,sha_dgst,sha1dgst," + -
+                    "rmd_dgst,bf_enc,"
+$!
+$! Check To See If We Are Going To Use RSAREF.
+$!
+$ IF (RSAREF.EQS."TRUE" .AND. ENCRYPT_TYPES - "RSA".NES.ENCRYPT_TYPES)
+$ THEN
+$!
+$!  Check To See If The File [-.RSAREF]RSAREF.C Is Actually There.
+$!
+$   IF (F$SEARCH("SYS$DISK:[-.RSAREF]RSAREF.C").EQS."")
+$   THEN
+$!
+$!    Tell The User That The File Dosen't Exist.
+$!
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "The File [-.RSAREF]RSAREF.C Dosen't Exist."
+$     WRITE SYS$OUTPUT ""
+$!
+$!    Exit The Build.
+$!
+$     GOTO EXIT
+$!
+$!  End The [-.RSAREF]RSAREF.C Check.
+$!
+$   ENDIF
+$!
+$!  Tell The User We Are Compiling The [-.RSAREF]RSAREF File.
+$!
+$   WRITE SYS$OUTPUT "Compiling The [-.RSAREF]RSAREF File."
+$!
+$!  Compile [-.RSAREF]RSAREF.C
+$!
+$   CC/OBJECT='OBJ_DIR'RSAREF.OBJ SYS$DISK:[-.RSAREF]RSAREF.C
+$!
+$!  Add It To The Library.
+$!
+$   LIBRARY/REPLACE 'LIB_NAME' 'OBJ_DIR'RSAREF.OBJ
+$!
+$!  Delete The Object File.
+$!
+$   DELETE 'OBJ_DIR'RSAREF.OBJ;*
+$!
+$!  Check To See If The File [-.RSAREF]RSAR_ERR.C Is Actually There.
+$!
+$   IF (F$SEARCH("SYS$DISK:[-.RSAREF]RSAR_ERR.C").EQS."")
+$   THEN
+$!
+$!    Tell The User That The File Dosen't Exist.
+$!
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "The File [-.RSAREF]RSAR_ERR.C Dosen't Exist."
+$     WRITE SYS$OUTPUT ""
+$!
+$!    Exit The Build.
+$!
+$     GOTO EXIT
+$!
+$!  End The [-.RSAREF]RSAR_ERR.C File Check.
+$!
+$   ENDIF
+$!
+$!  Tell The User We Are Compiling The [-.RSAREF]RSAR_ERR File.
+$!
+$   WRITE SYS$OUTPUT "Compiling The [-.RSAREF]RSAR_ERR File."
+$!
+$!  Compile [-.RSAREF]RSAR_ERR.C
+$!
+$   CC/OBJECT='OBJ_DIR'RSAR_ERR.OBJ SYS$DISK:[-.RSAREF]RSAR_ERR.C
+$!
+$!  Add It To The Library.
+$!
+$   LIBRARY/REPLACE 'LIB_NAME' 'OBJ_DIR'RSAR_ERR.OBJ
+$!
+$!  Delete The Object File.
+$!
+$   DELETE 'OBJ_DIR'RSAR_ERR.OBJ;*
+$!
+$! End The RSAREF Check.
+$!
+$ ENDIF
+$!
+$! Figure Out What Other Modules We Are To Build.
+$!
+$ BUILD_SET:
+$!
+$! Define A Module Counter.
+$!
+$ MODULE_COUNTER = 0
+$!
+$! Top Of The Loop.
+$!
+$ MODULE_NEXT:
+$!
+$! Extract The Module Name From The Encryption List.
+$!
+$ MODULE_NAME = F$ELEMENT(MODULE_COUNTER,",",ENCRYPT_TYPES)
+$!
+$! Check To See If We Are At The End Of The Module List.
+$!
+$ IF (MODULE_NAME.EQS.",") 
+$ THEN 
+$!
+$!  We Are At The End Of The Module List, Go To MODULE_DONE.
+$!
+$   GOTO MODULE_DONE
+$!
+$! End The Module List Check.
+$!
+$ ENDIF
+$!
+$! Increment The Moudle Counter.
+$!
+$ MODULE_COUNTER = MODULE_COUNTER + 1
+$!
+$! Tell The User What Module We Are Building.
+$!
+$ IF (MODULE_NAME.NES."") 
+$ THEN
+$   WRITE SYS$OUTPUT "Compiling The ",MODULE_NAME," Files."
+$ ENDIF
+$!
+$!  Define A File Counter And Set It To "0".
+$!
+$ FILE_COUNTER = 0
+$!
+$! Create The Library Module Name.
+$!
+$ LIB_MODULE = "LIB_" + MODULE_NAME
+$ IF (MODULE_NAME.EQS."ASN1_2")
+$ THEN
+$   MODULE_NAME = "ASN1"
+$ ENDIF
+$ IF (MODULE_NAME.EQS."EVP_2")
+$ THEN
+$   MODULE_NAME = "EVP"
+$ ENDIF
+$!
+$! Check if the library module name actually is defined
+$!
+$ IF F$TYPE('LIB_MODULE') .EQS. ""
+$ THEN
+$   WRITE SYS$ERROR ""
+$   WRITE SYS$ERROR "The module ",MODULE_NAME," does not exist.  Continuing..."
+$   WRITE SYS$ERROR ""
+$   GOTO MODULE_NEXT
+$ ENDIF
+$!
+$! Top Of The File Loop.
+$!
+$ NEXT_FILE:
+$!
+$! O.K, Extract The File Name From The File List.
+$!
+$ FILE_NAME = F$ELEMENT(FILE_COUNTER,",",'LIB_MODULE')
+$!
+$! Check To See If We Are At The End Of The File List.
+$!
+$ IF (FILE_NAME.EQS.",") 
+$ THEN 
+$!
+$!  We Are At The End Of The File List, Goto FILE_DONE.
+$!
+$   GOTO FILE_DONE
+$!
+$! End The File List Check.
+$!
+$ ENDIF
+$!
+$! Increment The Counter.
+$!
+$ FILE_COUNTER = FILE_COUNTER + 1
+$!
+$! Create The Source File Name.
+$!
+$ TMP_FILE_NAME = F$ELEMENT(1,"]",FILE_NAME)
+$ IF TMP_FILE_NAME .EQS. "]" THEN TMP_FILE_NAME = FILE_NAME
+$ IF F$ELEMENT(0,".",TMP_FILE_NAME) .EQS. TMP_FILE_NAME THEN -
+        FILE_NAME = FILE_NAME + ".c"
+$ IF (MODULE_NAME.NES."")
+$ THEN
+$   SOURCE_FILE = "SYS$DISK:[." + MODULE_NAME+ "]" + FILE_NAME
+$ ELSE
+$   SOURCE_FILE = "SYS$DISK:[]" + FILE_NAME
+$ ENDIF
+$ SOURCE_FILE = SOURCE_FILE - "]["
+$!
+$! Create The Object File Name.
+$!
+$ OBJECT_FILE = OBJ_DIR + F$PARSE(FILE_NAME,,,"NAME","SYNTAX_ONLY") + ".OBJ"
+$ ON WARNING THEN GOTO NEXT_FILE
+$!
+$! Check To See If The File We Want To Compile Is Actually There.
+$!
+$ IF (F$SEARCH(SOURCE_FILE).EQS."")
+$ THEN
+$!
+$!  Tell The User That The File Dosen't Exist.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "The File ",SOURCE_FILE," Dosen't Exist."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Exit The Build.
+$!
+$   GOTO EXIT
+$!
+$! End The File Exist Check.
+$!
+$ ENDIF
+$!
+$! Tell The User We Are Compiling The File.
+$!
+$ IF (MODULE_NAME.EQS."")
+$ THEN
+     WRITE SYS$OUTPUT "Compiling The ",FILE_NAME," File."
+$ ENDIF
+$ IF (MODULE_NAME.NES."")
+$ THEN 
+$   WRITE SYS$OUTPUT "  ",FILE_NAME,""
+$ ENDIF
+$!
+$! Compile The File.
+$!
+$ ON ERROR THEN GOTO NEXT_FILE
+$ FILE_NAME0 = F$ELEMENT(0,".",FILE_NAME)
+$ IF FILE_NAME - ".mar" .NES. FILE_NAME
+$ THEN
+$   MACRO/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
+$ ELSE
+$   IF COMPILEWITH_CC3 - FILE_NAME0 .NES. COMPILEWITH_CC3
+$   THEN
+$     CC3/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
+$   ELSE
+$     IF COMPILEWITH_CC4 - FILE_NAME0 .NES. COMPILEWITH_CC4
+$     THEN
+$       CC4/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
+$     ELSE
+$       IF COMPILEWITH_CC5 - FILE_NAME0 .NES. COMPILEWITH_CC5
+$       THEN
+$         CC5/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
+$       ELSE
+$         CC/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
+$       ENDIF
+$     ENDIF
+$   ENDIF
+$ ENDIF
+$!
+$! Add It To The Library.
+$!
+$ LIBRARY/REPLACE 'LIB_NAME' 'OBJECT_FILE'
+$!
+$! Time To Clean Up The Object File.
+$!
+$ DELETE 'OBJECT_FILE';*
+$!
+$! Go Back And Do It Again.
+$!
+$ GOTO NEXT_FILE
+$!
+$! All Done With This Library Part.
+$!
+$ FILE_DONE:
+$!
+$! Go Back And Get The Next Module.
+$!
+$ GOTO MODULE_NEXT
+$!
+$! All Done With This Module.
+$!
+$ MODULE_DONE:
+$!
+$! Tell The User That We Are All Done.
+$!
+$ WRITE SYS$OUTPUT "All Done..."
+$ EXIT:
+$ GOSUB CLEANUP
+$ EXIT
+$!
+$! Check For The Link Option FIle.
+$!
+$ CHECK_OPT_FILE:
+$!
+$! Check To See If We Need To Make A VAX C Option File.
+$!
+$ IF (COMPILER.EQS."VAXC")
+$ THEN
+$!
+$!  Check To See If We Already Have A VAX C Linker Option File.
+$!
+$   IF (F$SEARCH(OPT_FILE).EQS."")
+$   THEN
+$!
+$!    We Need A VAX C Linker Option File.
+$!
+$     CREATE 'OPT_FILE'
+$DECK
+!
+! Default System Options File To Link Agianst 
+! The Sharable VAX C Runtime Library.
+!
+SYS$SHARE:VAXCRTL.EXE/SHARE
+$EOD
+$!
+$!  End The Option File Check.
+$!
+$   ENDIF
+$!
+$! End The VAXC Check.
+$!
+$ ENDIF
+$!
+$! Check To See If We Need A GNU C Option File.
+$!
+$ IF (COMPILER.EQS."GNUC")
+$ THEN
+$!
+$!  Check To See If We Already Have A GNU C Linker Option File.
+$!
+$   IF (F$SEARCH(OPT_FILE).EQS."")
+$   THEN
+$!
+$!    We Need A GNU C Linker Option File.
+$!
+$     CREATE 'OPT_FILE'
+$DECK
+!
+! Default System Options File To Link Agianst 
+! The Sharable C Runtime Library.
+!
+GNU_CC:[000000]GCCLIB/LIBRARY
+SYS$SHARE:VAXCRTL/SHARE
+$EOD
+$!
+$!  End The Option File Check.
+$!
+$   ENDIF
+$!
+$! End The GNU C Check.
+$!
+$ ENDIF
+$!
+$! Check To See If We Need A DEC C Option File.
+$!
+$ IF (COMPILER.EQS."DECC")
+$ THEN
+$!
+$!  Check To See If We Already Have A DEC C Linker Option File.
+$!
+$   IF (F$SEARCH(OPT_FILE).EQS."")
+$   THEN
+$!
+$!    Figure Out If We Need An AXP Or A VAX Linker Option File.
+$!
+$     IF ARCH .EQS. "VAX"
+$     THEN
+$!
+$!      We Need A DEC C Linker Option File For VAX.
+$!
+$       CREATE 'OPT_FILE'
+$DECK
+!
+! Default System Options File To Link Agianst 
+! The Sharable DEC C Runtime Library.
+!
+SYS$SHARE:DECC$SHR.EXE/SHARE
+$EOD
+$!
+$!    Else...
+$!
+$     ELSE
+$!
+$!      Create The AXP Linker Option File.
+$!
+$       CREATE 'OPT_FILE'
+$DECK
+!
+! Default System Options File For AXP To Link Agianst 
+! The Sharable C Runtime Library.
+!
+SYS$SHARE:CMA$OPEN_LIB_SHR/SHARE
+SYS$SHARE:CMA$OPEN_RTL/SHARE
+$EOD
+$!
+$!    End The VAX/AXP DEC C Option File Check.
+$!
+$     ENDIF
+$!
+$!  End The Option File Search.
+$!
+$   ENDIF
+$!
+$! End The DEC C Check.
+$!
+$ ENDIF
+$!
+$!  Tell The User What Linker Option File We Are Using.
+$!
+$ WRITE SYS$OUTPUT "Using Linker Option File ",OPT_FILE,"."     
+$!
+$! Time To RETURN.
+$!
+$ RETURN
+$!
+$! Check The User's Options.
+$!
+$ CHECK_OPTIONS:
+$!
+$! Check To See If P1 Is Blank.
+$!
+$ IF (P1.EQS."NORSAREF")
+$ THEN
+$!
+$!   P1 Is NORSAREF, So Compile With The Regular RSA Libraries.
+$!
+$    RSAREF = "FALSE"
+$ ELSE
+$!
+$!  Check To See If We Are To Use The RSAREF Library.
+$!
+$   IF (P1.EQS."RSAREF")
+$   THEN
+$!
+$!    Check To Make Sure We Have The RSAREF Source Code Directory.
+$!
+$     IF (F$SEARCH("SYS$DISK:[-.RSAREF]SOURCE.DIR").EQS."")
+$     THEN
+$!
+$!      We Don't Have The RSAREF Souce Code Directory, So Tell The
+$!      User This.
+$!
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "It appears that you don't have the RSAREF Souce Code."
+$       WRITE SYS$OUTPUT "You need to go to 'ftp://ftp.rsa.com/rsaref'.  You have to"
+$       WRITE SYS$OUTPUT "get the '.tar-Z' file as the '.zip' file dosen't have the"
+$       WRITE SYS$OUTPUT "directory structure stored.  You have to extract the file"
+$       WRITE SYS$OUTPUT "into the [.RSAREF] directory under the root directory"
+$       WRITE SYS$OUTPUT "as that is where the scripts will look for the files."
+$       WRITE SYS$OUTPUT ""
+$!
+$!      Time To Exit.
+$!
+$       EXIT
+$!
+$!    Else, Compile Using The RSAREF Library.
+$!
+$     ELSE
+$       RSAREF = "TRUE"
+$     ENDIF
+$   ELSE 
+$!
+$!    They Entered An Invalid Option..
+$!
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "The Option ",P1," Is Invalid.  The Valid Options Are:"
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "     RSAREF   :  Compile With The RSAREF Library."
+$     WRITE SYS$OUTPUT "     NORSAREF :  Compile With The Regular RSA Library."
+$     WRITE SYS$OUTPUT ""
+$!
+$!    Time To EXIT.
+$!
+$     EXIT
+$!
+$!  End The Valid Arguement Check.
+$!
+$   ENDIF
+$!
+$! End The P1 Check.
+$!
+$ ENDIF
+$!
+$! Check To See If P2 Is Blank.
+$!
+$ IF (P2.EQS."NODEBUG")
+$ THEN
+$!
+$!   P2 Is NODEBUG, So Compile Without The Debugger Information.
+$!
+$    DEBUGGER = "NODEBUG"
+$    TRACEBACK = "NOTRACEBACK" 
+$    GCC_OPTIMIZE = "OPTIMIZE"
+$    CC_OPTIMIZE = "OPTIMIZE"
+$    MACRO_OPTIMIZE = "OPTIMIZE"
+$    WRITE SYS$OUTPUT "No Debugger Information Will Be Produced During Compile."
+$    WRITE SYS$OUTPUT "Compiling With Compiler Optimization."
+$ ELSE
+$!
+$!  Check To See If We Are To Compile With Debugger Information.
+$!
+$   IF (P2.EQS."DEBUG")
+$   THEN
+$!
+$!    Compile With Debugger Information.
+$!
+$     DEBUGGER = "DEBUG"
+$     TRACEBACK = "TRACEBACK"
+$     GCC_OPTIMIZE = "NOOPTIMIZE"
+$     CC_OPTIMIZE = "NOOPTIMIZE"
+$     MACRO_OPTIMIZE = "NOOPTIMIZE"
+$     WRITE SYS$OUTPUT "Debugger Information Will Be Produced During Compile."
+$     WRITE SYS$OUTPUT "Compiling Without Compiler Optimization."
+$   ELSE 
+$!
+$!    They Entered An Invalid Option..
+$!
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "     DEBUG   :  Compile With The Debugger Information."
+$     WRITE SYS$OUTPUT "     NODEBUG :  Compile Without The Debugger Information."
+$     WRITE SYS$OUTPUT ""
+$!
+$!    Time To EXIT.
+$!
+$     EXIT
+$!
+$!  End The Valid Arguement Check.
+$!
+$   ENDIF
+$!
+$! End The P2 Check.
+$!
+$ ENDIF
+$!
+$! Special Threads For OpenVMS v7.1 Or Later
+$!
+$! Written By:  Richard Levitte
+$!              richard@levitte.org
+$!
+$!
+$! Check To See If We Have A Option For P5.
+$!
+$ IF (P5.EQS."")
+$ THEN
+$!
+$!  Get The Version Of VMS We Are Using.
+$!
+$   ISSEVEN :=
+$   TMP = F$ELEMENT(0,"-",F$EXTRACT(1,4,F$GETSYI("VERSION")))
+$   TMP = F$INTEGER(F$ELEMENT(0,".",TMP)+F$ELEMENT(1,".",TMP))
+$!
+$!  Check To See If The VMS Version Is v7.1 Or Later.
+$!
+$   IF (TMP.GE.71)
+$   THEN
+$!
+$!    We Have OpenVMS v7.1 Or Later, So Use The Special Threads.
+$!
+$     ISSEVEN := ,PTHREAD_USE_D4
+$!
+$!  End The VMS Version Check.
+$!
+$   ENDIF
+$!
+$! End The P5 Check.
+$!
+$ ENDIF
+$!
+$! Check To See If P3 Is Blank.
+$!
+$ IF (P3.EQS."")
+$ THEN
+$!
+$!  O.K., The User Didn't Specify A Compiler, Let's Try To
+$!  Find Out Which One To Use.
+$!
+$!  Check To See If We Have GNU C.
+$!
+$   IF (F$TRNLNM("GNU_CC").NES."")
+$   THEN
+$!
+$!    Looks Like GNUC, Set To Use GNUC.
+$!
+$     P3 = "GNUC"
+$!
+$!  Else...
+$!
+$   ELSE
+$!
+$!    Check To See If We Have VAXC Or DECC.
+$!
+$     IF (ARCH.EQS."AXP").OR.(F$TRNLNM("DECC$CC_DEFAULT").NES."")
+$     THEN 
+$!
+$!      Looks Like DECC, Set To Use DECC.
+$!
+$       P3 = "DECC"
+$!
+$!    Else...
+$!
+$     ELSE
+$!
+$!      Looks Like VAXC, Set To Use VAXC.
+$!
+$       P3 = "VAXC"
+$!
+$!    End The VAXC Compiler Check.
+$!
+$     ENDIF
+$!
+$!  End The DECC & VAXC Compiler Check.
+$!
+$   ENDIF
+$!
+$!  End The Compiler Check.
+$!
+$ ENDIF
+$!
+$! Check To See If We Have A Option For P4.
+$!
+$ IF (P4.EQS."")
+$ THEN
+$!
+$!  Find out what socket library we have available
+$!
+$   IF F$PARSE("SOCKETSHR:") .NES. ""
+$   THEN
+$!
+$!    We have SOCKETSHR, and it is my opinion that it's the best to use.
+$!
+$     P4 = "SOCKETSHR"
+$!
+$!    Tell the user
+$!
+$     WRITE SYS$OUTPUT "Using SOCKETSHR for TCP/IP"
+$!
+$!    Else, let's look for something else
+$!
+$   ELSE
+$!
+$!    Like UCX (the reason to do this before Multinet is that the UCX
+$!    emulation is easier to use...)
+$!
+$     IF F$TRNLNM("UCX$IPC_SHR") .NES. "" -
+         .OR. F$PARSE("SYS$SHARE:UCX$IPC_SHR.EXE") .NES. "" -
+         .OR. F$PARSE("SYS$LIBRARY:UCX$IPC.OLB") .NES. ""
+$     THEN
+$!
+$!      Last resort: a UCX or UCX-compatible library
+$!
+$       P4 = "UCX"
+$!
+$!      Tell the user
+$!
+$       WRITE SYS$OUTPUT "Using UCX or an emulation thereof for TCP/IP"
+$!
+$!      That was all...
+$!
+$     ENDIF
+$   ENDIF
+$ ENDIF
+$!
+$! Set Up Initial CC Definitions, Possibly With User Ones
+$!
+$ CCDEFS = "VMS=1,TCPIP_TYPE_''P4'"
+$ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
+$ CCEXTRAFLAGS = ""
+$ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
+$ CCDISABLEWARNINGS = ""
+$ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
+        CCDISABLEWARNINGS = USER_CCDISABLEWARNINGS
+$!
+$!  Check To See If The User Entered A Valid Paramter.
+$!
+$ IF (P3.EQS."VAXC").OR.(P3.EQS."DECC").OR.(P3.EQS."GNUC")
+$ THEN
+$!
+$!    Check To See If The User Wanted DECC.
+$!
+$   IF (P3.EQS."DECC")
+$   THEN
+$!
+$!    Looks Like DECC, Set To Use DECC.
+$!
+$     COMPILER = "DECC"
+$!
+$!    Tell The User We Are Using DECC.
+$!
+$     WRITE SYS$OUTPUT "Using DECC 'C' Compiler."
+$!
+$!    Use DECC...
+$!
+$     CC = "CC"
+$     IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" -
+         THEN CC = "CC/DECC"
+$     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + -
+           "/NOLIST/PREFIX=ALL/INCLUDE=SYS$DISK:[]" + CCEXTRAFLAGS
+$!
+$!    Define The Linker Options File Name.
+$!
+$     OPT_FILE = "SYS$DISK:[]VAX_DECC_OPTIONS.OPT"
+$!
+$!  End DECC Check.
+$!
+$   ENDIF
+$!
+$!  Check To See If We Are To Use VAXC.
+$!
+$   IF (P3.EQS."VAXC")
+$   THEN
+$!
+$!    Looks Like VAXC, Set To Use VAXC.
+$!
+$     COMPILER = "VAXC"
+$!
+$!    Tell The User We Are Using VAX C.
+$!
+$     WRITE SYS$OUTPUT "Using VAXC 'C' Compiler."
+$!
+$!    Compile Using VAXC.
+$!
+$     CC = "CC"
+$     IF ARCH.EQS."AXP"
+$     THEN
+$       WRITE SYS$OUTPUT "There is no VAX C on Alpha!"
+$       EXIT
+$     ENDIF
+$     IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC"
+$     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST/INCLUDE=SYS$DISK:[]" + -
+           CCEXTRAFLAGS
+$     CCDEFS = """VAXC""," + CCDEFS
+$!
+$!    Define <sys> As SYS$COMMON:[SYSLIB]
+$!
+$     DEFINE/NOLOG SYS SYS$COMMON:[SYSLIB]
+$!
+$!    Define The Linker Options File Name.
+$!
+$     OPT_FILE = "SYS$DISK:[]VAX_VAXC_OPTIONS.OPT"
+$!
+$!  End VAXC Check
+$!
+$   ENDIF
+$!
+$!  Check To See If We Are To Use GNU C.
+$!
+$   IF (P3.EQS."GNUC")
+$   THEN
+$!
+$!    Looks Like GNUC, Set To Use GNUC.
+$!
+$     COMPILER = "GNUC"
+$!
+$!    Tell The User We Are Using GNUC.
+$!
+$     WRITE SYS$OUTPUT "Using GNU 'C' Compiler."
+$!
+$!    Use GNU C...
+$!
+$     CC = "GCC/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
+           "/INCLUDE=SYS$DISK:[]" + CCEXTRAFLAGS
+$!
+$!    Define The Linker Options File Name.
+$!
+$     OPT_FILE = "SYS$DISK:[]VAX_GNUC_OPTIONS.OPT"
+$!
+$!  End The GNU C Check.
+$!
+$   ENDIF
+$!
+$!  Set up default defines
+$!
+$   CCDEFS = """FLAT_INC=1""," + CCDEFS
+$!
+$!  Check To See If We Are To Compile With RSAREF Routines.
+$!
+$   IF (RSAREF.EQS."TRUE")
+$   THEN
+$!
+$!    Compile With RSAREF.
+$!
+$     CCDEFS = CCDEFS + ",""RSAref=1"""
+$!
+$!    Tell The User This.
+$!
+$     WRITE SYS$OUTPUT "Compiling With RSAREF Routines."
+$!
+$!    Else, We Don't Care.  Compile Without The RSAREF Library.
+$!
+$   ELSE
+$!
+$!    Tell The User We Are Compile Without The RSAREF Routines.
+$!
+$     WRITE SYS$OUTPUT "Compiling Without The RSAREF Routines.
+$!
+$!  End The RSAREF Check.
+$!
+$   ENDIF
+$!
+$!  Finish up the definition of CC.
+$!
+$   IF COMPILER .EQS. "DECC"
+$   THEN
+$     IF CCDISABLEWARNINGS .EQS. ""
+$     THEN
+$       CC4DISABLEWARNINGS = "DOLLARID"
+$     ELSE
+$       CC4DISABLEWARNINGS = CCDISABLEWARNINGS + ",DOLLARID"
+$       CCDISABLEWARNINGS = "/WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))"
+$     ENDIF
+$     CC4DISABLEWARNINGS = "/WARNING=(DISABLE=(" + CC4DISABLEWARNINGS + "))"
+$   ELSE
+$     CCDISABLEWARNINGS = ""
+$     CC4DISABLEWARNINGS = ""
+$   ENDIF
+$   CC3 = CC + "/DEFINE=(" + CCDEFS + ISSEVEN + ")" + CCDISABLEWARNINGS
+$   CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
+$   IF ARCH .EQS. "VAX" .AND. COMPILER .EQS. "DECC" .AND. P2 .NES. "DEBUG"
+$   THEN
+$     CC5 = CC + "/OPTIMIZE=NODISJOINT"
+$   ELSE
+$     CC5 = CC + "/NOOPTIMIZE"
+$   ENDIF
+$   CC4 = CC - CCDISABLEWARNINGS + CC4DISABLEWARNINGS
+$!
+$!  Show user the result
+$!
+$   WRITE SYS$OUTPUT "Main C Compiling Command: ",CC
+$!
+$!  Else The User Entered An Invalid Arguement.
+$!
+$ ELSE
+$!
+$!  Tell The User We Don't Know What They Want.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "The Option ",P3," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "    VAXC  :  To Compile With VAX C."
+$   WRITE SYS$OUTPUT "    DECC  :  To Compile With DEC C."
+$   WRITE SYS$OUTPUT "    GNUC  :  To Compile With GNU C."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Time To EXIT.
+$!
+$   EXIT
+$!
+$! End The Valid Arguement Check.
+$!
+$ ENDIF
+$!
+$! Build a MACRO command for the architecture at hand
+$!
+$ IF ARCH .EQS. "VAX" THEN MACRO = "MACRO/''DEBUGGER'"
+$ IF ARCH .EQS. "AXP" THEN MACRO = "MACRO/MIGRATION/''DEBUGGER'/''MACRO_OPTIMIZE'"
+$!
+$!  Show user the result
+$!
+$   WRITE SYS$OUTPUT "Main MACRO Compiling Command: ",MACRO
+$!
+$! Time to check the contents, and to make sure we get the correct library.
+$!
+$ IF P4.EQS."SOCKETSHR" .OR. P4.EQS."MULTINET" .OR. P4.EQS."UCX"
+$ THEN
+$!
+$!  Check to see if SOCKETSHR was chosen
+$!
+$   IF P4.EQS."SOCKETSHR"
+$   THEN
+$!
+$!    Set the library to use SOCKETSHR
+$!
+$     TCPIP_LIB = "[-.VMS]SOCKETSHR_SHR.OPT/OPT"
+$!
+$!    Done with SOCKETSHR
+$!
+$   ENDIF
+$!
+$!  Check to see if MULTINET was chosen
+$!
+$   IF P4.EQS."MULTINET"
+$   THEN
+$!
+$!    Set the library to use UCX emulation.
+$!
+$     P4 = "UCX"
+$!
+$!    Done with MULTINET
+$!
+$   ENDIF
+$!
+$!  Check to see if UCX was chosen
+$!
+$   IF P4.EQS."UCX"
+$   THEN
+$!
+$!    Set the library to use UCX.
+$!
+$     TCPIP_LIB = "[-.VMS]UCX_SHR_DECC.OPT/OPT"
+$     IF F$TRNLNM("UCX$IPC_SHR") .NES. ""
+$     THEN
+$       TCPIP_LIB = "[-.VMS]UCX_SHR_DECC_LOG.OPT/OPT"
+$     ELSE
+$       IF COMPILER .NES. "DECC" .AND. ARCH .EQS. "VAX" THEN -
+          TCPIP_LIB = "[-.VMS]UCX_SHR_VAXC.OPT/OPT"
+$     ENDIF
+$!
+$!    Done with UCX
+$!
+$   ENDIF
+$!
+$!  Print info
+$!
+$   WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB
+$!
+$!  Else The User Entered An Invalid Arguement.
+$!
+$ ELSE
+$!
+$!  Tell The User We Don't Know What They Want.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "The Option ",P4," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "    SOCKETSHR  :  To link with SOCKETSHR TCP/IP library."
+$   WRITE SYS$OUTPUT "    UCX        :  To link with UCX TCP/IP library."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Time To EXIT.
+$!
+$   EXIT
+$!
+$!  Done with TCP/IP libraries
+$!
+$ ENDIF
+$!
+$! Check if the user wanted to compile just a subset of all the encryption
+$! methods.
+$!
+$ IF P6 .NES. ""
+$ THEN
+$   ENCRYPT_TYPES = P6
+$ ENDIF
+$!
+$!  Time To RETURN...
+$!
+$ RETURN
+$!
+$ INITIALISE:
+$!
+$! Save old value of the logical name OPENSSL
+$!
+$ __SAVE_OPENSSL = F$TRNLNM("OPENSSL","LNM$PROCESS_TABLE")
+$!
+$! Save directory information
+$!
+$ __HERE = F$PARSE(F$PARSE("A.;",F$ENVIRONMENT("PROCEDURE"))-"A.;","[]A.;") - "A.;"
+$ __TOP = __HERE - "CRYPTO]"
+$ __INCLUDE = __TOP + "INCLUDE.OPENSSL]"
+$!
+$! Set up the logical name OPENSSL to point at the include directory
+$!
+$ DEFINE OPENSSL/NOLOG '__INCLUDE'
+$!
+$! Done
+$!
+$ RETURN
+$!
+$ CLEANUP:
+$!
+$! Restore the logical name OPENSSL if it had a value
+$!
+$ IF __SAVE_OPENSSL .EQS. ""
+$ THEN
+$   DEASSIGN OPENSSL
+$ ELSE
+$   DEFINE/NOLOG OPENSSL '__SAVE_OPENSSL'
+$ ENDIF
+$!
+$! Done
+$!
+$ RETURN
diff --git a/src/lib/libssl/src/crypto/des/des-lib.com b/src/lib/libssl/src/crypto/des/des-lib.com
new file mode 100644
index 0000000000..2aea7a0dea
--- /dev/null
+++ b/src/lib/libssl/src/crypto/des/des-lib.com
@@ -0,0 +1,1003 @@
+$!
+$!  DES-LIB.COM
+$!  Written By:  Robert Byer
+$!               Vice-President
+$!               A-Com Computing, Inc.
+$!               byer@mail.all-net.net
+$!
+$!  Changes by Richard Levitte <richard@levitte.org>
+$!
+$!  This command files compiles and creates the 
+$!  "[.xxx.EXE.CRYPTO.DES]LIBDES.OLB" library.  The "xxx" denotes the machine 
+$!  architecture of AXP or VAX.
+$!
+$!  It was re-written to try to determine which "C" compiler to try to use
+$!  or the user can specify a compiler in P3.
+$!
+$!  Specify one of the following to build just that part, specify "ALL" to
+$!  just build everything.
+$!
+$!         ALL       To Just Build "Everything".
+$!         LIBRARY   To Just Build The [.xxx.EXE.CRYPTO.DES]LIBDES.OLB Library.
+$!         DESTEST   To Just Build The [.xxx.EXE.CRYPTO.DES]DESTEST.EXE Program.
+$!         SPEED     To Just Build The [.xxx.EXE.CRYPTO.DES]SPEED.EXE Program.
+$!         RPW       To Just Build The [.xxx.EXE.CRYPTO.DES]RPW.EXE Program.
+$!         DES       To Just Build The [.xxx.EXE.CRYPTO.DES]DES.EXE Program.
+$!         DES_OPTS  To Just Build The [.xxx.EXE.CRYPTO.DES]DES_OPTS.EXE Program.
+$!
+$!  Specify either DEBUG or NODEBUG as P2 to compile with or without
+$!  debugging information.
+$!
+$!  Specify which compiler at P3 to try to compile under.
+$!
+$!         VAXC  For VAX C.
+$!         DECC  For DEC C.
+$!         GNUC  For GNU C.
+$!
+$!  If you don't speficy a compiler, it will try to determine which
+$!  "C" compiler to try to use.
+$!
+$!  P4, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
+$!
+$!
+$! Make sure we know what architecture we run on.
+$!
+$!
+$! Check Which Architecture We Are Using.
+$!
+$ IF (F$GETSYI("CPU").GE.128)
+$ THEN
+$!
+$!  The Architecture Is AXP.
+$!
+$   ARCH := AXP
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$!  The Architecture Is VAX.
+$!
+$   ARCH := VAX
+$!
+$! End The Architecture Check.
+$!
+$ ENDIF
+$!
+$! Check To Make Sure We Have Valid Command Line Parameters.
+$!
+$ GOSUB CHECK_OPTIONS
+$!
+$! Tell The User What Kind of Machine We Run On.
+$!
+$ WRITE SYS$OUTPUT "Compiling On A ",ARCH," Machine."
+$!
+$! Define The OBJ Directory Name.
+$!
+$ OBJ_DIR := SYS$DISK:[--.'ARCH'.OBJ.CRYPTO.DES]
+$!
+$! Check To See If The Architecture Specific OBJ Directory Exists.
+$!
+$ IF (F$PARSE(OBJ_DIR).EQS."")
+$ THEN
+$!
+$!  It Dosen't Exist, So Create It.
+$!
+$   CREATE/DIR 'OBJ_DIR'
+$!
+$! End The Architecture Specific OBJ Directory Check.
+$!
+$ ENDIF
+$!
+$! Define The EXE Directory Name.
+$!
+$ EXE_DIR :== SYS$DISK:[--.'ARCH'.EXE.CRYPTO.DES]
+$!
+$! Check To See If The Architecture Specific Directory Exists.
+$!
+$ IF (F$PARSE(EXE_DIR).EQS."")
+$ THEN
+$!
+$!  It Dosen't Exist, So Create It.
+$!
+$   CREATE/DIR 'EXE_DIR'
+$!
+$! End The Architecture Specific Directory Check.
+$!
+$ ENDIF
+$!
+$! Define The Library Name.
+$!
+$ LIB_NAME := 'EXE_DIR'LIBDES.OLB
+$!
+$! Check To See What We Are To Do.
+$!
+$ IF (BUILDALL.EQS."TRUE")
+$ THEN
+$!
+$!  Since Nothing Special Was Specified, Do Everything.
+$!
+$   GOSUB LIBRARY
+$   GOSUB DESTEST
+$   GOSUB SPEED
+$   GOSUB RPW
+$   GOSUB DES
+$   GOSUB DES_OPTS
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$!    Build Just What The User Wants Us To Build.
+$!
+$     GOSUB 'BUILDALL'
+$!
+$! End The BUILDALL Check.
+$!
+$ ENDIF
+$!
+$! Time To EXIT.
+$!
+$ EXIT
+$ LIBRARY:
+$!
+$! Tell The User That We Are Compiling.
+$!
+$ WRITE SYS$OUTPUT "Compiling The ",LIB_NAME," Files."
+$!
+$! Check To See If We Already Have A "[.xxx.EXE.CRYPTO.DES]LIBDES.OLB" Library...
+$!
+$ IF (F$SEARCH(LIB_NAME).EQS."")
+$ THEN
+$!
+$! Guess Not, Create The Library.
+$!
+$   LIBRARY/CREATE/OBJECT 'LIB_NAME'
+$!
+$! End The Library Exist Check.
+$!
+$ ENDIF
+$!
+$! Define The DES Library Files.
+$!
+$ LIB_DES = "set_key,ecb_enc,cbc_enc,"+ -
+                "ecb3_enc,cfb64enc,cfb64ede,cfb_enc,ofb64ede,"+ -
+                "enc_read,enc_writ,ofb64enc,"+ -
+                "ofb_enc,str2key,pcbc_enc,qud_cksm,rand_key,"+ -
+                "des_enc,fcrypt_b,read2pwd,"+ -
+                "fcrypt,xcbc_enc,read_pwd,rpc_enc,cbc_cksm,supp"
+$!
+$!  Define A File Counter And Set It To "0".
+$!
+$ FILE_COUNTER = 0
+$!
+$! Top Of The File Loop.
+$!
+$ NEXT_FILE:
+$!
+$! O.K, Extract The File Name From The File List.
+$!
+$ FILE_NAME = F$ELEMENT(FILE_COUNTER,",",LIB_DES)
+$!
+$! Check To See If We Are At The End Of The File List.
+$!
+$ IF (FILE_NAME.EQS.",") THEN GOTO FILE_DONE
+$!
+$! Increment The Counter.
+$!
+$ FILE_COUNTER = FILE_COUNTER + 1
+$!
+$! Create The Source File Name.
+$!
+$ SOURCE_FILE = "SYS$DISK:[]" + FILE_NAME + ".C"
+$!
+$!  Tell The User We Are Compiling The Source File.
+$!
+$ WRITE SYS$OUTPUT "    ",FILE_NAME,".C"
+$!
+$! Create The Object File Name.
+$!
+$ OBJECT_FILE = OBJ_DIR + FILE_NAME + "." + ARCH + "OBJ"
+$ ON WARNING THEN GOTO NEXT_FILE
+$!
+$! Check To See If The File We Want To Compile Actually Exists.
+$!
+$ IF (F$SEARCH(SOURCE_FILE).EQS."")
+$ THEN
+$!
+$!  Tell The User That The File Dosen't Exist.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "The File ",SOURCE_FILE," Dosen't Exist."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Exit The Build.
+$!
+$   EXIT
+$!
+$! End The File Exists Check.
+$!
+$ ENDIF
+$!
+$! Compile The File.
+$!
+$ ON ERROR THEN GOTO NEXT_FILE
+$ CC/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
+$!
+$! Add It To The Library.
+$!
+$ LIBRARY/REPLACE/OBJECT 'LIB_NAME' 'OBJECT_FILE'
+$!
+$! Time To Clean Up The Object File.
+$!
+$ DELETE 'OBJECT_FILE';*
+$!
+$! Go Back And Do It Again.
+$!
+$ GOTO NEXT_FILE
+$!
+$! All Done With This Library Part.
+$!
+$ FILE_DONE:
+$!
+$! Tell The User That We Are All Done.
+$!
+$ WRITE SYS$OUTPUT "Library ",LIB_NAME," Built."
+$!
+$! All Done, Time To Return.
+$!
+$ RETURN
+$!
+$!  Compile The DESTEST Program.
+$!
+$ DESTEST:
+$!
+$! Check To See If We Have The Proper Libraries.
+$!
+$ GOSUB LIB_CHECK
+$!
+$! Check To See If We Have A Linker Option File.
+$!
+$ GOSUB CHECK_OPT_FILE
+$!
+$! Check To See If The File We Want To Compile Actually Exists.
+$!
+$ IF (F$SEARCH("SYS$DISK:[]DESTEST.C").EQS."")
+$ THEN
+$!
+$!  Tell The User That The File Dosen't Exist.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "The File DESTEST.C Dosen't Exist."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Exit The Build.
+$!
+$   EXIT
+$!
+$! End The DESTEST.C File Check.
+$!
+$ ENDIF
+$!
+$! Tell The User What We Are Building.
+$!
+$ WRITE SYS$OUTPUT "Building ",EXE_DIR,"DESTEST.EXE"
+$!
+$! Compile The DESTEST Program.
+$!
+$ CC/OBJECT='OBJ_DIR'DESTEST.OBJ SYS$DISK:[]DESTEST.C
+$!
+$! Link The DESTEST Program.
+$!
+$ LINK/'DEBUGGER'/'TRACEBACK'/CONTIGUOUS/EXE='EXE_DIR'DESTEST.EXE -
+      'OBJ_DIR'DESTEST.OBJ,'LIB_NAME'/LIBRARY,'OPT_FILE'/OPTION
+$!
+$! All Done, Time To Return.
+$!
+$ RETURN
+$!
+$!  Compile The SPEED Program.
+$!
+$ SPEED:
+$!
+$! Check To See If We Have The Proper Libraries.
+$!
+$ GOSUB LIB_CHECK
+$!
+$! Check To See If We Have A Linker Option File.
+$!
+$ GOSUB CHECK_OPT_FILE
+$!
+$! Check To See If The File We Want To Compile Actually Exists.
+$!
+$ IF (F$SEARCH("SYS$DISK:[]SPEED.C").EQS."")
+$ THEN
+$!
+$!  Tell The User That The File Dosen't Exist.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "The File SPEED.C Dosen't Exist."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Exit The Build.
+$!
+$   EXIT
+$!
+$! End The SPEED.C File Check.
+$!
+$ ENDIF
+$!
+$! Tell The User What We Are Building.
+$!
+$ WRITE SYS$OUTPUT "Building ",EXE_DIR,"SPEED.EXE"
+$!
+$! Compile The SPEED Program.
+$!
+$ CC/OBJECT='OBJ_DIR'SPEED.OBJ SYS$DISK:[]SPEED.C
+$!
+$! Link The SPEED Program.
+$!
+$ LINK/'DEBUGGER'/'TRACEBACK'/CONTIGUOUS/EXE='EXE_DIR'SPEED.EXE -
+      'OBJ_DIR'SPEED.OBJ,'LIB_NAME'/LIBRARY,'OPT_FILE'/OPTION
+$!
+$! All Done, Time To Return.
+$!
+$ RETURN
+$!
+$!  Compile The RPW Program.
+$!
+$ RPW:
+$!
+$! Check To See If We Have The Proper Libraries.
+$!
+$ GOSUB LIB_CHECK
+$!
+$! Check To See If We Have A Linker Option File.
+$!
+$ GOSUB CHECK_OPT_FILE
+$!
+$! Check To See If The File We Want To Compile Actually Exists.
+$!
+$ IF (F$SEARCH("SYS$DISK:[]RPW.C").EQS."")
+$ THEN
+$!
+$!  Tell The User That The File Dosen't Exist.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "The File RPW.C Dosen't Exist."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Exit The Build.
+$!
+$   EXIT
+$!
+$! End The RPW.C File Check.
+$!
+$ ENDIF
+$!
+$! Tell The User What We Are Building.
+$!
+$ WRITE SYS$OUTPUT "Building ",EXE_DIR,"RPW.EXE"
+$!
+$! Compile The RPW Program.
+$!
+$ CC/OBJECT='OBJ_DIR'RPW.OBJ SYS$DISK:[]RPW.C
+$!
+$! Link The RPW Program.
+$!
+$ LINK/'DEBUGGER'/'TRACEBACK'/CONTIGUOUS/EXE='EXE_DIR'RPW.EXE -
+      'OBJ_DIR'RPW.OBJ,'LIB_NAME'/LIBRARY,'OPT_FILE'/OPTION
+$!
+$! All Done, Time To Return.
+$!
+$ RETURN
+$!
+$!  Compile The DES Program.
+$!
+$ DES:
+$!
+$! Check To See If We Have The Proper Libraries.
+$!
+$ GOSUB LIB_CHECK
+$!
+$! Check To See If We Have A Linker Option File.
+$!
+$ GOSUB CHECK_OPT_FILE
+$!
+$! Check To See If The File We Want To Compile Actually Exists.
+$!
+$ IF (F$SEARCH("SYS$DISK:[]DES.C").EQS."")
+$ THEN
+$!
+$!  Tell The User That The File Dosen't Exist.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "The File DES.C Dosen't Exist."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Exit The Build.
+$!
+$   EXIT
+$!
+$! End The DES.C File Check.
+$!
+$ ENDIF
+$!
+$! Tell The User What We Are Building.
+$!
+$ WRITE SYS$OUTPUT "Building ",EXE_DIR,"DES.EXE"
+$!
+$! Compile The DES Program.
+$!
+$ CC/OBJECT='OBJ_DIR'DES.OBJ SYS$DISK:[]DES.C
+$ CC/OBJECT='OBJ_DIR'DES.OBJ SYS$DISK:[]CBC3_ENC.C
+$!
+$! Link The DES Program.
+$!
+$ LINK/'DEBUGGER'/'TRACEBACK'/CONTIGUOUS/EXE='EXE_DIR'DES.EXE -
+      'OBJ_DIR'DES.OBJ,'OBJ_DIR'CBC3_ENC.OBJ,-
+      'LIB_NAME'/LIBRARY,'OPT_FILE'/OPTION
+$!
+$! All Done, Time To Return.
+$!
+$ RETURN
+$!
+$!  Compile The DES_OPTS Program.
+$!
+$ DES_OPTS:
+$!
+$! Check To See If We Have The Proper Libraries.
+$!
+$ GOSUB LIB_CHECK
+$!
+$! Check To See If We Have A Linker Option File.
+$!
+$ GOSUB CHECK_OPT_FILE
+$!
+$! Check To See If The File We Want To Compile Actually Exists.
+$!
+$ IF (F$SEARCH("SYS$DISK:[]DES_OPTS.C").EQS."")
+$ THEN
+$!
+$!  Tell The User That The File Dosen't Exist.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "The File DES_OPTS.C Dosen't Exist."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Exit The Build.
+$!
+$   EXIT
+$!
+$! End The DES_OPTS.C File Check.
+$!
+$ ENDIF
+$!
+$! Tell The User What We Are Building.
+$!
+$ WRITE SYS$OUTPUT "Building ",EXE_DIR,"DES_OPTS.EXE"
+$!
+$! Compile The DES_OPTS Program.
+$!
+$ CC/OBJECT='OBJ_DIR'DES_OPTS.OBJ SYS$DISK:[]DES_OPTS.C
+$!
+$! Link The DES_OPTS Program.
+$!
+$ LINK/'DEBUGGER'/'TRACEBACK'/CONTIGUOUS/EXE='EXE_DIR'DES_OPTS.EXE -
+      'OBJ_DIR'DES_OPTS.OBJ,'LIB_NAME'/LIBRARY,'OPT_FILE'/OPTION
+$!
+$! All Done, Time To Return.
+$!
+$ RETURN
+$ EXIT
+$!
+$! Check For The Link Option FIle.
+$!
+$ CHECK_OPT_FILE:
+$!
+$! Check To See If We Need To Make A VAX C Option File.
+$!
+$ IF (COMPILER.EQS."VAXC")
+$ THEN
+$!
+$!  Check To See If We Already Have A VAX C Linker Option File.
+$!
+$   IF (F$SEARCH(OPT_FILE).EQS."")
+$   THEN
+$!
+$!    We Need A VAX C Linker Option File.
+$!
+$     CREATE 'OPT_FILE'
+$DECK
+!
+! Default System Options File To Link Agianst 
+! The Sharable VAX C Runtime Library.
+!
+SYS$SHARE:VAXCRTL.EXE/SHARE
+$EOD
+$!
+$!  End The Option File Check.
+$!
+$   ENDIF
+$!
+$! End The VAXC Check.
+$!
+$ ENDIF
+$!
+$! Check To See If We Need A GNU C Option File.
+$!
+$ IF (COMPILER.EQS."GNUC")
+$ THEN
+$!
+$!  Check To See If We Already Have A GNU C Linker Option File.
+$!
+$   IF (F$SEARCH(OPT_FILE).EQS."")
+$   THEN
+$!
+$!    We Need A GNU C Linker Option File.
+$!
+$     CREATE 'OPT_FILE'
+$DECK
+!
+! Default System Options File To Link Agianst 
+! The Sharable C Runtime Library.
+!
+GNU_CC:[000000]GCCLIB/LIBRARY
+SYS$SHARE:VAXCRTL/SHARE
+$EOD
+$!
+$!  End The Option File Check.
+$!
+$   ENDIF
+$!
+$! End The GNU C Check.
+$!
+$ ENDIF
+$!
+$! Check To See If We Need A DEC C Option File.
+$!
+$ IF (COMPILER.EQS."DECC")
+$ THEN
+$!
+$!  Check To See If We Already Have A DEC C Linker Option File.
+$!
+$   IF (F$SEARCH(OPT_FILE).EQS."")
+$   THEN
+$!
+$!    Figure Out If We Need An AXP Or A VAX Linker Option File.
+$!
+$     IF (F$GETSYI("CPU").LT.128)
+$     THEN
+$!
+$!      We Need A DEC C Linker Option File For VAX.
+$!
+$       CREATE 'OPT_FILE'
+$DECK
+!
+! Default System Options File To Link Agianst 
+! The Sharable DEC C Runtime Library.
+!
+SYS$SHARE:DECC$SHR.EXE/SHARE
+$EOD
+$!
+$!    Else...
+$!
+$     ELSE
+$!
+$!      Create The AXP Linker Option File.
+$!
+$       CREATE 'OPT_FILE'
+$DECK
+!
+! Default System Options File For AXP To Link Agianst 
+! The Sharable C Runtime Library.
+!
+SYS$SHARE:CMA$OPEN_LIB_SHR/SHARE
+SYS$SHARE:CMA$OPEN_RTL/SHARE
+$EOD
+$!
+$!    End The VAX/AXP DEC C Option File Check.
+$!
+$     ENDIF
+$!
+$!  End The Option File Search.
+$!
+$   ENDIF
+$!
+$! End The DEC C Check.
+$!
+$ ENDIF
+$!
+$!  Tell The User What Linker Option File We Are Using.
+$!
+$ WRITE SYS$OUTPUT "Using Linker Option File ",OPT_FILE,"."     
+$!
+$! Time To RETURN.
+$!
+$ RETURN
+$!
+$! Library Check.
+$!
+$ LIB_CHECK:
+$!
+$!  Look For The Library LIBDES.OLB.
+$!
+$ IF (F$SEARCH(LIB_NAME).EQS."")
+$ THEN
+$!
+$!    Tell The User We Can't Find The [.xxx.CRYPTO.DES]LIBDES.OLB Library.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "Can't Find The Library ",LIB_NAME,"."
+$   WRITE SYS$OUTPUT "We Can't Link Without It."
+$   WRITE SYS$OUTPUT ""
+$!
+$!    Since We Can't Link Without It, Exit.
+$!
+$   EXIT
+$ ENDIF
+$!
+$! Time To Return.
+$!
+$ RETURN
+$!
+$! Check The User's Options.
+$!
+$ CHECK_OPTIONS:
+$!
+$! Check To See If We Are To "Just Build Everything".
+$!
+$ IF (P1.EQS."ALL")
+$ THEN
+$!
+$!   P1 Is "ALL", So Build Everything.
+$!
+$    BUILDALL = "TRUE"
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$!  Else, Check To See If P1 Has A Valid Arguement.
+$!
+$   IF (P1.EQS."LIBRARY").OR.(P1.EQS."DESTEST").OR.(P1.EQS."SPEED") -
+       .OR.(P1.EQS."RPW").OR.(P1.EQS."DES").OR.(P1.EQS."DES_OPTS")
+$   THEN
+$!
+$!    A Valid Arguement.
+$!
+$     BUILDALL = P1
+$!
+$!  Else...
+$!
+$   ELSE
+$!
+$!    Tell The User We Don't Know What They Want.
+$!
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "The Option ",P1," Is Invalid.  The Valid Options Are:"
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "    ALL      :  Just Build Everything.
+$     WRITE SYS$OUTPUT "    LIBRARY  :  To Compile Just The [.xxx.EXE.CRYPTO.DES]LIBDES.OLB Library."
+$     WRITE SYS$OUTPUT "    DESTEST  :  To Compile Just The [.xxx.EXE.CRYPTO.DES]DESTEST.EXE Program."
+$     WRITE SYS$OUTPUT "    SPEED    :  To Compile Just The [.xxx.EXE.CRYPTO.DES]SPEED.EXE Program."
+$     WRITE SYS$OUTPUT "    RPW      :  To Compile Just The [.xxx.EXE.CRYPTO.DES]RPW.EXE Program."
+$     WRITE SYS$OUTPUT "    DES      :  To Compile Just The [.xxx.EXE.CRYPTO.DES]DES.EXE Program."
+$     WRITE SYS$OUTPUT "    DES_OPTS :  To Compile Just The [.xxx.EXE.CRYTPO.DES]DES_OPTS.EXE Program."
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT " Where 'xxx' Stands For: "
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "        AXP  :  Alpha Architecture."
+$     WRITE SYS$OUTPUT "        VAX  :  VAX Architecture."
+$     WRITE SYS$OUTPUT ""
+$!
+$!    Time To EXIT.
+$!
+$     EXIT
+$!
+$!  End The Valid Arguement Check.
+$!
+$   ENDIF
+$!
+$! End The P1 Check.
+$!
+$ ENDIF
+$!
+$! Check To See If We Are To Compile Without Debugger Information.
+$!
+$ IF (P2.EQS."NODEBUG")
+$ THEN
+$!
+$!   P2 Is Blank, So Compile Without Debugger Information.
+$!
+$    DEBUGGER  = "NODEBUG"
+$    TRACEBACK = "NOTRACEBACK" 
+$    GCC_OPTIMIZE = "OPTIMIZE"
+$    CC_OPTIMIZE = "OPTIMIZE"
+$    WRITE SYS$OUTPUT "No Debugger Information Will Be Produced During Compile."
+$    WRITE SYS$OUTPUT "Compiling With Compiler Optimization."
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$!  Check To See If We Are To Compile With Debugger Information.
+$!
+$   IF (P2.EQS."DEBUG")
+$   THEN
+$!
+$!    Compile With Debugger Information.
+$!
+$     DEBUGGER  = "DEBUG"
+$     TRACEBACK = "TRACEBACK"
+$     GCC_OPTIMIZE = "NOOPTIMIZE"
+$     CC_OPTIMIZE = "NOOPTIMIZE"
+$     WRITE SYS$OUTPUT "Debugger Information Will Be Produced During Compile."
+$     WRITE SYS$OUTPUT "Compiling Without Compiler Optimization."
+$!
+$!  Else...
+$!
+$   ELSE
+$!
+$!    Tell The User Entered An Invalid Option..
+$!
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "    DEBUG    :  Compile With The Debugger Information."
+$     WRITE SYS$OUTPUT "    NODEBUG  :  Compile Without The Debugger Information."
+$     WRITE SYS$OUTPUT ""
+$!
+$!    Time To EXIT.
+$!
+$     EXIT
+$!
+$!  End The Valid Arguement Check.
+$!
+$   ENDIF
+$!
+$! End The P2 Check.
+$!
+$ ENDIF
+$!
+$! Special Threads For OpenVMS v7.1 Or Later.
+$!
+$! Written By:  Richard Levitte
+$!              richard@levitte.org
+$!
+$!
+$! Check To See If We Have A Option For P4.
+$!
+$ IF (P4.EQS."")
+$ THEN
+$!
+$!  Get The Version Of VMS We Are Using.
+$!
+$   ISSEVEN := ""
+$   TMP = F$ELEMENT(0,"-",F$EXTRACT(1,4,F$GETSYI("VERSION")))
+$   TMP = F$INTEGER(F$ELEMENT(0,".",TMP)+F$ELEMENT(1,".",TMP))
+$!
+$!  Check To See If The VMS Version Is v7.1 Or Later.
+$!
+$   IF (TMP.GE.71)
+$   THEN
+$!
+$!    We Have OpenVMS v7.1 Or Later, So Use The Special Threads.
+$!
+$     ISSEVEN := ,PTHREAD_USE_D4
+$!
+$!  End The VMS Version Check.
+$!
+$   ENDIF
+$!
+$! End The P4 Check.
+$!
+$ ENDIF
+$!
+$! Check To See If P3 Is Blank.
+$!
+$ IF (P3.EQS."")
+$ THEN
+$!
+$!  O.K., The User Didn't Specify A Compiler, Let's Try To
+$!  Find Out Which One To Use.
+$!
+$!  Check To See If We Have GNU C.
+$!
+$   IF (F$TRNLNM("GNU_CC").NES."")
+$   THEN
+$!
+$!    Looks Like GNUC, Set To Use GNUC.
+$!
+$     P3 = "GNUC"
+$!
+$!  Else...
+$!
+$   ELSE
+$!
+$!    Check To See If We Have VAXC Or DECC.
+$!
+$     IF (ARCH.EQS."AXP").OR.(F$TRNLNM("DECC$CC_DEFAULT").NES."")
+$     THEN 
+$!
+$!      Looks Like DECC, Set To Use DECC.
+$!
+$       P3 = "DECC"
+$!
+$!    Else...
+$!
+$     ELSE
+$!
+$!      Looks Like VAXC, Set To Use VAXC.
+$!
+$       P3 = "VAXC"
+$!
+$!    End The VAXC Compiler Check.
+$!
+$     ENDIF
+$!
+$!  End The DECC & VAXC Compiler Check.
+$!
+$   ENDIF
+$!
+$!  End The Compiler Check.
+$!
+$ ENDIF
+$!
+$! Set Up Initial CC Definitions, Possibly With User Ones
+$!
+$ CCDEFS = "VMS=1"
+$ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
+$ CCEXTRAFLAGS = ""
+$ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
+$ CCDISABLEWARNINGS = ""
+$ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
+        CCDISABLEWARNINGS = USER_CCDISABLEWARNINGS
+$!
+$!  Check To See If The User Entered A Valid Paramter.
+$!
+$ IF (P3.EQS."VAXC").OR.(P3.EQS."DECC").OR.(P3.EQS."GNUC")
+$ THEN
+$!
+$!    Check To See If The User Wanted DECC.
+$!
+$   IF (P3.EQS."DECC")
+$   THEN
+$!
+$!    Looks Like DECC, Set To Use DECC.
+$!
+$     COMPILER = "DECC"
+$!
+$!    Tell The User We Are Using DECC.
+$!
+$     WRITE SYS$OUTPUT "Using DECC 'C' Compiler."
+$!
+$!    Use DECC...
+$!
+$     CC = "CC"
+$     IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" -
+         THEN CC = "CC/DECC"
+$     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + -
+           "/NOLIST/PREFIX=ALL" + CCEXTRAFLAGS
+$!
+$!    Define The Linker Options File Name.
+$!
+$     OPT_FILE = "SYS$DISK:[]VAX_DECC_OPTIONS.OPT"
+$!
+$!  End DECC Check.
+$!
+$   ENDIF
+$!
+$!  Check To See If We Are To Use VAXC.
+$!
+$   IF (P3.EQS."VAXC")
+$   THEN
+$!
+$!    Looks Like VAXC, Set To Use VAXC.
+$!
+$     COMPILER = "VAXC"
+$!
+$!    Tell The User We Are Using VAX C.
+$!
+$     WRITE SYS$OUTPUT "Using VAXC 'C' Compiler."
+$!
+$!    Compile Using VAXC.
+$!
+$     CC = "CC"
+$     IF ARCH.EQS."AXP"
+$     THEN
+$       WRITE SYS$OUTPUT "There is no VAX C on Alpha!"
+$       EXIT
+$     ENDIF
+$     IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC"
+$     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST" + CCEXTRAFLAGS
+$     CCDEFS = """VAXC""," + CCDEFS
+$!
+$!    Define <sys> As SYS$COMMON:[SYSLIB]
+$!
+$     DEFINE/NOLOG SYS SYS$COMMON:[SYSLIB]
+$!
+$!    Define The Linker Options File Name.
+$!
+$     OPT_FILE = "SYS$DISK:[]VAX_VAXC_OPTIONS.OPT"
+$!
+$!  End VAXC Check
+$!
+$   ENDIF
+$!
+$!  Check To See If We Are To Use GNU C.
+$!
+$   IF (P3.EQS."GNUC")
+$   THEN
+$!
+$!    Looks Like GNUC, Set To Use GNUC.
+$!
+$     COMPILER = "GNUC"
+$!
+$!    Tell The User We Are Using GNUC.
+$!
+$     WRITE SYS$OUTPUT "Using GNU 'C' Compiler."
+$!
+$!    Use GNU C...
+$!
+$     CC = "GCC/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + CCEXTRAFLAGS
+$!
+$!    Define The Linker Options File Name.
+$!
+$     OPT_FILE = "SYS$DISK:[]VAX_GNUC_OPTIONS.OPT"
+$!
+$!  End The GNU C Check.
+$!
+$   ENDIF
+$!
+$!  Set up default defines
+$!
+$   CCDEFS = """FLAT_INC=1""," + CCDEFS
+$!
+$!  Finish up the definition of CC.
+$!
+$   IF COMPILER .EQS. "DECC"
+$   THEN
+$     IF CCDISABLEWARNINGS .EQS. ""
+$     THEN
+$       CC4DISABLEWARNINGS = "DOLLARID"
+$     ELSE
+$       CC4DISABLEWARNINGS = CCDISABLEWARNINGS + ",DOLLARID"
+$       CCDISABLEWARNINGS = "/WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))"
+$     ENDIF
+$     CC4DISABLEWARNINGS = "/WARNING=(DISABLE=(" + CC4DISABLEWARNINGS + "))"
+$   ELSE
+$     CCDISABLEWARNINGS = ""
+$     CC4DISABLEWARNINGS = ""
+$   ENDIF
+$   CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
+$!
+$!  Show user the result
+$!
+$   WRITE SYS$OUTPUT "Main Compiling Command: ",CC
+$!
+$!  Else The User Entered An Invalid Arguement.
+$!
+$ ELSE
+$!
+$!  Tell The User We Don't Know What They Want.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "The Option ",P3," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "    VAXC  :  To Compile With VAX C."
+$   WRITE SYS$OUTPUT "    DECC  :  To Compile With DEC C."
+$   WRITE SYS$OUTPUT "    GNUC  :  To Compile With GNU C."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Time To EXIT.
+$!
+$   EXIT
+$!
+$! End The P3 Check.
+$!
+$ ENDIF
+$!
+$!  Time To RETURN...
+$!
+$ RETURN
diff --git a/src/lib/libssl/src/crypto/des/des.h b/src/lib/libssl/src/crypto/des/des.h
new file mode 100644
index 0000000000..67f90aaf17
--- /dev/null
+++ b/src/lib/libssl/src/crypto/des/des.h
@@ -0,0 +1,249 @@
+/* crypto/des/des.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_DES_H
+#define HEADER_DES_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef NO_DES
+#error DES is disabled.
+#endif
+
+#ifdef _KERBEROS_DES_H
+#error <openssl/des.h> replaces <kerberos/des.h>.
+#endif
+
+#include <stdio.h>
+#include <openssl/opensslconf.h> /* DES_LONG */
+#include <openssl/e_os2.h>      /* OPENSSL_EXTERN */
+
+typedef unsigned char des_cblock[8];
+typedef /* const */ unsigned char const_des_cblock[8];
+/* With "const", gcc 2.8.1 on Solaris thinks that des_cblock *
+ * and const_des_cblock * are incompatible pointer types.
+ * I haven't seen that warning on other systems ... I'll look
+ * what the standard says. */
+
+
+typedef struct des_ks_struct
+        {
+        union   {
+                des_cblock cblock;
+                /* make sure things are correct size on machines with
+                 * 8 byte longs */
+                DES_LONG deslong[2];
+                } ks;
+        int weak_key;
+        } des_key_schedule[16];
+
+#define DES_KEY_SZ      (sizeof(des_cblock))
+#define DES_SCHEDULE_SZ (sizeof(des_key_schedule))
+
+#define DES_ENCRYPT     1
+#define DES_DECRYPT     0
+
+#define DES_CBC_MODE    0
+#define DES_PCBC_MODE   1
+
+#define des_ecb2_encrypt(i,o,k1,k2,e) \
+        des_ecb3_encrypt((i),(o),(k1),(k2),(k1),(e))
+
+#define des_ede2_cbc_encrypt(i,o,l,k1,k2,iv,e) \
+        des_ede3_cbc_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(e))
+
+#define des_ede2_cfb64_encrypt(i,o,l,k1,k2,iv,n,e) \
+        des_ede3_cfb64_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(n),(e))
+
+#define des_ede2_ofb64_encrypt(i,o,l,k1,k2,iv,n) \
+        des_ede3_ofb64_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(n))
+
+OPENSSL_EXTERN int des_check_key;       /* defaults to false */
+OPENSSL_EXTERN int des_rw_mode;         /* defaults to DES_PCBC_MODE */
+OPENSSL_EXTERN int des_set_weak_key_flag; /* set the weak key flag */
+
+const char *des_options(void);
+void des_ecb3_encrypt(const_des_cblock *input, des_cblock *output,
+                      des_key_schedule ks1,des_key_schedule ks2,
+                      des_key_schedule ks3, int enc);
+DES_LONG des_cbc_cksum(const unsigned char *input,des_cblock *output,
+                       long length,des_key_schedule schedule,
+                       const_des_cblock *ivec);
+/* des_cbc_encrypt does not update the IV!  Use des_ncbc_encrypt instead. */
+void des_cbc_encrypt(const unsigned char *input,unsigned char *output,
+                     long length,des_key_schedule schedule,des_cblock *ivec,
+                     int enc);
+void des_ncbc_encrypt(const unsigned char *input,unsigned char *output,
+                      long length,des_key_schedule schedule,des_cblock *ivec,
+                      int enc);
+void des_xcbc_encrypt(const unsigned char *input,unsigned char *output,
+                      long length,des_key_schedule schedule,des_cblock *ivec,
+                      const_des_cblock *inw,const_des_cblock *outw,int enc);
+void des_cfb_encrypt(const unsigned char *in,unsigned char *out,int numbits,
+                     long length,des_key_schedule schedule,des_cblock *ivec,
+                     int enc);
+void des_ecb_encrypt(const_des_cblock *input,des_cblock *output,
+                     des_key_schedule ks,int enc);
+void des_encrypt(DES_LONG *data,des_key_schedule ks, int enc);
+void des_encrypt2(DES_LONG *data,des_key_schedule ks, int enc);
+void des_encrypt3(DES_LONG *data, des_key_schedule ks1,
+        des_key_schedule ks2, des_key_schedule ks3);
+void des_decrypt3(DES_LONG *data, des_key_schedule ks1,
+        des_key_schedule ks2, des_key_schedule ks3);
+void des_ede3_cbc_encrypt(const unsigned char *input,unsigned char *output, 
+                          long length,
+                          des_key_schedule ks1,des_key_schedule ks2,
+                          des_key_schedule ks3,des_cblock *ivec,int enc);
+void des_ede3_cbcm_encrypt(const unsigned char *in,unsigned char *out,
+                           long length,
+                           des_key_schedule ks1,des_key_schedule ks2,
+                           des_key_schedule ks3,
+                           des_cblock *ivec1,des_cblock *ivec2,
+                           int enc);
+void des_ede3_cfb64_encrypt(const unsigned char *in,unsigned char *out,
+                            long length,des_key_schedule ks1,
+                            des_key_schedule ks2,des_key_schedule ks3,
+                            des_cblock *ivec,int *num,int enc);
+void des_ede3_ofb64_encrypt(const unsigned char *in,unsigned char *out,
+                            long length,des_key_schedule ks1,
+                            des_key_schedule ks2,des_key_schedule ks3,
+                            des_cblock *ivec,int *num);
+
+void des_xwhite_in2out(const_des_cblock *des_key,const_des_cblock *in_white,
+                       des_cblock *out_white);
+
+int des_enc_read(int fd,void *buf,int len,des_key_schedule sched,
+                 des_cblock *iv);
+int des_enc_write(int fd,const void *buf,int len,des_key_schedule sched,
+                  des_cblock *iv);
+char *des_fcrypt(const char *buf,const char *salt, char *ret);
+char *des_crypt(const char *buf,const char *salt);
+#if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT)
+char *crypt(const char *buf,const char *salt);
+#endif
+void des_ofb_encrypt(const unsigned char *in,unsigned char *out,int numbits,
+                     long length,des_key_schedule schedule,des_cblock *ivec);
+void des_pcbc_encrypt(const unsigned char *input,unsigned char *output,
+                      long length,des_key_schedule schedule,des_cblock *ivec,
+                      int enc);
+DES_LONG des_quad_cksum(const unsigned char *input,des_cblock output[],
+                        long length,int out_count,des_cblock *seed);
+void des_random_seed(des_cblock *key);
+void des_random_key(des_cblock *ret);
+int des_read_password(des_cblock *key,const char *prompt,int verify);
+int des_read_2passwords(des_cblock *key1,des_cblock *key2,
+                        const char *prompt,int verify);
+int des_read_pw_string(char *buf,int length,const char *prompt,int verify);
+void des_set_odd_parity(des_cblock *key);
+int des_is_weak_key(const_des_cblock *key);
+int des_set_key(const_des_cblock *key,des_key_schedule schedule);
+int des_key_sched(const_des_cblock *key,des_key_schedule schedule);
+void des_string_to_key(const char *str,des_cblock *key);
+void des_string_to_2keys(const char *str,des_cblock *key1,des_cblock *key2);
+void des_cfb64_encrypt(const unsigned char *in,unsigned char *out,long length,
+                       des_key_schedule schedule,des_cblock *ivec,int *num,
+                       int enc);
+void des_ofb64_encrypt(const unsigned char *in,unsigned char *out,long length,
+                       des_key_schedule schedule,des_cblock *ivec,int *num);
+int des_read_pw(char *buf,char *buff,int size,const char *prompt,int verify);
+
+/* Extra functions from Mark Murray <mark@grondar.za> */
+void des_cblock_print_file(const_des_cblock *cb, FILE *fp);
+
+/* The following definitions provide compatibility with the MIT Kerberos
+ * library. The des_key_schedule structure is not binary compatible. */
+
+#define _KERBEROS_DES_H
+
+#define KRBDES_ENCRYPT DES_ENCRYPT
+#define KRBDES_DECRYPT DES_DECRYPT
+
+#ifdef KERBEROS
+#  define ENCRYPT DES_ENCRYPT
+#  define DECRYPT DES_DECRYPT
+#endif
+
+#ifndef NCOMPAT
+#  define C_Block des_cblock
+#  define Key_schedule des_key_schedule
+#  define KEY_SZ DES_KEY_SZ
+#  define string_to_key des_string_to_key
+#  define read_pw_string des_read_pw_string
+#  define random_key des_random_key
+#  define pcbc_encrypt des_pcbc_encrypt
+#  define set_key des_set_key
+#  define key_sched des_key_sched
+#  define ecb_encrypt des_ecb_encrypt
+#  define cbc_encrypt des_cbc_encrypt
+#  define ncbc_encrypt des_ncbc_encrypt
+#  define xcbc_encrypt des_xcbc_encrypt
+#  define cbc_cksum des_cbc_cksum
+#  define quad_cksum des_quad_cksum
+#endif
+
+typedef des_key_schedule bit_64;
+#define des_fixup_key_parity des_set_odd_parity
+#define des_check_key_parity check_parity
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/src/lib/libssl/src/crypto/des/des.pod b/src/lib/libssl/src/crypto/des/des.pod
new file mode 100644
index 0000000000..bf479e83d2
--- /dev/null
+++ b/src/lib/libssl/src/crypto/des/des.pod
@@ -0,0 +1,217 @@
+=pod
+
+=head1 NAME
+
+des - encrypt or decrypt data using Data Encryption Standard
+
+=head1 SYNOPSIS
+
+B<des>
+(
+B<-e>
+|
+B<-E>
+) | (
+B<-d>
+|
+B<-D>
+) | (
+B<->[B<cC>][B<ckname>]
+) |
+[
+B<-b3hfs>
+] [
+B<-k>
+I<key>
+]
+] [
+B<-u>[I<uuname>]
+[
+I<input-file>
+[
+I<output-file>
+] ]
+
+=head1 NOTE
+
+This page describes the B<des> stand-alone program, not the B<openssl des>
+command.
+
+=head1 DESCRIPTION
+
+B<des>
+encrypts and decrypts data using the
+Data Encryption Standard algorithm.
+One of
+B<-e>, B<-E>
+(for encrypt) or
+B<-d>, B<-D>
+(for decrypt) must be specified.
+It is also possible to use
+B<-c>
+or
+B<-C>
+in conjunction or instead of the a encrypt/decrypt option to generate
+a 16 character hexadecimal checksum, generated via the
+I<des_cbc_cksum>.
+
+Two standard encryption modes are supported by the
+B<des>
+program, Cipher Block Chaining (the default) and Electronic Code Book
+(specified with
+B<-b>).
+
+The key used for the DES
+algorithm is obtained by prompting the user unless the
+B<-k>
+I<key>
+option is given.
+If the key is an argument to the
+B<des>
+command, it is potentially visible to users executing
+ps(1)
+or a derivative.  To minimise this possibility,
+B<des>
+takes care to destroy the key argument immediately upon entry.
+If your shell keeps a history file be careful to make sure it is not
+world readable.
+
+Since this program attempts to maintain compatibility with sunOS's
+des(1) command, there are 2 different methods used to convert the user
+supplied key to a des key.
+Whenever and one or more of
+B<-E>, B<-D>, B<-C>
+or
+B<-3>
+options are used, the key conversion procedure will not be compatible
+with the sunOS des(1) version but will use all the user supplied
+character to generate the des key.
+B<des>
+command reads from standard input unless
+I<input-file>
+is specified and writes to standard output unless
+I<output-file>
+is given.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-b>
+
+Select ECB
+(eight bytes at a time) encryption mode.
+
+=item B<-3>
+
+Encrypt using triple encryption.
+By default triple cbc encryption is used but if the
+B<-b>
+option is used then triple ECB encryption is performed.
+If the key is less than 8 characters long, the flag has no effect.
+
+=item B<-e>
+
+Encrypt data using an 8 byte key in a manner compatible with sunOS
+des(1).
+
+=item B<-E>
+
+Encrypt data using a key of nearly unlimited length (1024 bytes).
+This will product a more secure encryption.
+
+=item B<-d>
+
+Decrypt data that was encrypted with the B<-e> option.
+
+=item B<-D>
+
+Decrypt data that was encrypted with the B<-E> option.
+
+=item B<-c>
+
+Generate a 16 character hexadecimal cbc checksum and output this to
+stderr.
+If a filename was specified after the
+B<-c>
+option, the checksum is output to that file.
+The checksum is generated using a key generated in a sunOS compatible
+manner.
+
+=item B<-C>
+
+A cbc checksum is generated in the same manner as described for the
+B<-c>
+option but the DES key is generated in the same manner as used for the
+B<-E>
+and
+B<-D>
+options
+
+=item B<-f>
+
+Does nothing - allowed for compatibility with sunOS des(1) command.
+
+=item B<-s>
+
+Does nothing - allowed for compatibility with sunOS des(1) command.
+
+=item B<-k> I<key>
+
+Use the encryption 
+I<key>
+specified.
+
+=item B<-h>
+
+The
+I<key>
+is assumed to be a 16 character hexadecimal number.
+If the
+B<-3>
+option is used the key is assumed to be a 32 character hexadecimal
+number.
+
+=item B<-u>
+
+This flag is used to read and write uuencoded files.  If decrypting,
+the input file is assumed to contain uuencoded, DES encrypted data.
+If encrypting, the characters following the B<-u> are used as the name of
+the uuencoded file to embed in the begin line of the uuencoded
+output.  If there is no name specified after the B<-u>, the name text.des
+will be embedded in the header.
+
+=head1 SEE ALSO
+
+ps(1),
+L<des_crypt(3)|des_crypt(3)>
+
+=head1 BUGS
+
+The problem with using the
+B<-e>
+option is the short key length.
+It would be better to use a real 56-bit key rather than an
+ASCII-based 56-bit pattern.  Knowing that the key was derived from ASCII
+radically reduces the time necessary for a brute-force cryptographic attack.
+My attempt to remove this problem is to add an alternative text-key to
+DES-key function.  This alternative function (accessed via
+B<-E>, B<-D>, B<-S>
+and
+B<-3>)
+uses DES to help generate the key.
+
+Be carefully when using the B<-u> option.  Doing B<des -ud> I<filename> will
+not decrypt filename (the B<-u> option will gobble the B<-d> option).
+
+The VMS operating system operates in a world where files are always a
+multiple of 512 bytes.  This causes problems when encrypted data is
+send from Unix to VMS since a 88 byte file will suddenly be padded
+with 424 null bytes.  To get around this problem, use the B<-u> option
+to uuencode the data before it is send to the VMS system.
+
+=head1 AUTHOR
+
+Eric Young (eay@cryptsoft.com)
+
+=cut
diff --git a/src/lib/libssl/src/crypto/des/des_locl.h b/src/lib/libssl/src/crypto/des/des_locl.h
new file mode 100644
index 0000000000..d6ea17cb68
--- /dev/null
+++ b/src/lib/libssl/src/crypto/des/des_locl.h
@@ -0,0 +1,408 @@
+/* crypto/des/des_locl.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_DES_LOCL_H
+#define HEADER_DES_LOCL_H
+
+#if defined(WIN32) || defined(WIN16)
+#ifndef MSDOS
+#define MSDOS
+#endif
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <openssl/opensslconf.h>
+
+#ifndef MSDOS
+#if !defined(VMS) || defined(__DECC)
+#include OPENSSL_UNISTD
+#include <math.h>
+#endif
+#endif
+#include <openssl/des.h>
+
+#ifdef MSDOS            /* Visual C++ 2.1 (Windows NT/95) */
+#include <stdlib.h>
+#include <errno.h>
+#include <time.h>
+#include <io.h>
+#endif
+
+#if defined(__STDC__) || defined(VMS) || defined(M_XENIX) || defined(MSDOS)
+#include <string.h>
+#endif
+
+#define ITERATIONS 16
+#define HALF_ITERATIONS 8
+
+/* used in des_read and des_write */
+#define MAXWRITE        (1024*16)
+#define BSIZE           (MAXWRITE+4)
+
+#define c2l(c,l)        (l =((DES_LONG)(*((c)++)))    , \
+                         l|=((DES_LONG)(*((c)++)))<< 8L, \
+                         l|=((DES_LONG)(*((c)++)))<<16L, \
+                         l|=((DES_LONG)(*((c)++)))<<24L)
+
+/* NOTE - c is not incremented as per c2l */
+#define c2ln(c,l1,l2,n) { \
+                        c+=n; \
+                        l1=l2=0; \
+                        switch (n) { \
+                        case 8: l2 =((DES_LONG)(*(--(c))))<<24L; \
+                        case 7: l2|=((DES_LONG)(*(--(c))))<<16L; \
+                        case 6: l2|=((DES_LONG)(*(--(c))))<< 8L; \
+                        case 5: l2|=((DES_LONG)(*(--(c))));     \
+                        case 4: l1 =((DES_LONG)(*(--(c))))<<24L; \
+                        case 3: l1|=((DES_LONG)(*(--(c))))<<16L; \
+                        case 2: l1|=((DES_LONG)(*(--(c))))<< 8L; \
+                        case 1: l1|=((DES_LONG)(*(--(c))));     \
+                                } \
+                        }
+
+#define l2c(l,c)        (*((c)++)=(unsigned char)(((l)     )&0xff), \
+                         *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>>24L)&0xff))
+
+/* replacements for htonl and ntohl since I have no idea what to do
+ * when faced with machines with 8 byte longs. */
+#define HDRSIZE 4
+
+#define n2l(c,l)        (l =((DES_LONG)(*((c)++)))<<24L, \
+                         l|=((DES_LONG)(*((c)++)))<<16L, \
+                         l|=((DES_LONG)(*((c)++)))<< 8L, \
+                         l|=((DES_LONG)(*((c)++))))
+
+#define l2n(l,c)        (*((c)++)=(unsigned char)(((l)>>24L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+                         *((c)++)=(unsigned char)(((l)     )&0xff))
+
+/* NOTE - c is not incremented as per l2c */
+#define l2cn(l1,l2,c,n) { \
+                        c+=n; \
+                        switch (n) { \
+                        case 8: *(--(c))=(unsigned char)(((l2)>>24L)&0xff); \
+                        case 7: *(--(c))=(unsigned char)(((l2)>>16L)&0xff); \
+                        case 6: *(--(c))=(unsigned char)(((l2)>> 8L)&0xff); \
+                        case 5: *(--(c))=(unsigned char)(((l2)     )&0xff); \
+                        case 4: *(--(c))=(unsigned char)(((l1)>>24L)&0xff); \
+                        case 3: *(--(c))=(unsigned char)(((l1)>>16L)&0xff); \
+                        case 2: *(--(c))=(unsigned char)(((l1)>> 8L)&0xff); \
+                        case 1: *(--(c))=(unsigned char)(((l1)     )&0xff); \
+                                } \
+                        }
+
+#if defined(WIN32)
+#define ROTATE(a,n)     (_lrotr(a,n))
+#else
+#define ROTATE(a,n)     (((a)>>(n))+((a)<<(32-(n))))
+#endif
+
+/* Don't worry about the LOAD_DATA() stuff, that is used by
+ * fcrypt() to add it's little bit to the front */
+
+#ifdef DES_FCRYPT
+
+#define LOAD_DATA_tmp(R,S,u,t,E0,E1) \
+        { DES_LONG tmp; LOAD_DATA(R,S,u,t,E0,E1,tmp); }
+
+#define LOAD_DATA(R,S,u,t,E0,E1,tmp) \
+        t=R^(R>>16L); \
+        u=t&E0; t&=E1; \
+        tmp=(u<<16); u^=R^s[S  ]; u^=tmp; \
+        tmp=(t<<16); t^=R^s[S+1]; t^=tmp
+#else
+#define LOAD_DATA_tmp(a,b,c,d,e,f) LOAD_DATA(a,b,c,d,e,f,g)
+#define LOAD_DATA(R,S,u,t,E0,E1,tmp) \
+        u=R^s[S  ]; \
+        t=R^s[S+1]
+#endif
+
+/* The changes to this macro may help or hinder, depending on the
+ * compiler and the achitecture.  gcc2 always seems to do well :-).
+ * Inspired by Dana How <how@isl.stanford.edu>
+ * DO NOT use the alternative version on machines with 8 byte longs.
+ * It does not seem to work on the Alpha, even when DES_LONG is 4
+ * bytes, probably an issue of accessing non-word aligned objects :-( */
+#ifdef DES_PTR
+
+/* It recently occured to me that 0^0^0^0^0^0^0 == 0, so there
+ * is no reason to not xor all the sub items together.  This potentially
+ * saves a register since things can be xored directly into L */
+
+#if defined(DES_RISC1) || defined(DES_RISC2)
+#ifdef DES_RISC1
+#define D_ENCRYPT(LL,R,S) { \
+        unsigned int u1,u2,u3; \
+        LOAD_DATA(R,S,u,t,E0,E1,u1); \
+        u2=(int)u>>8L; \
+        u1=(int)u&0xfc; \
+        u2&=0xfc; \
+        t=ROTATE(t,4); \
+        u>>=16L; \
+        LL^= *(const DES_LONG *)(des_SP      +u1); \
+        LL^= *(const DES_LONG *)(des_SP+0x200+u2); \
+        u3=(int)(u>>8L); \
+        u1=(int)u&0xfc; \
+        u3&=0xfc; \
+        LL^= *(const DES_LONG *)(des_SP+0x400+u1); \
+        LL^= *(const DES_LONG *)(des_SP+0x600+u3); \
+        u2=(int)t>>8L; \
+        u1=(int)t&0xfc; \
+        u2&=0xfc; \
+        t>>=16L; \
+        LL^= *(const DES_LONG *)(des_SP+0x100+u1); \
+        LL^= *(const DES_LONG *)(des_SP+0x300+u2); \
+        u3=(int)t>>8L; \
+        u1=(int)t&0xfc; \
+        u3&=0xfc; \
+        LL^= *(const DES_LONG *)(des_SP+0x500+u1); \
+        LL^= *(const DES_LONG *)(des_SP+0x700+u3); }
+#endif
+#ifdef DES_RISC2
+#define D_ENCRYPT(LL,R,S) { \
+        unsigned int u1,u2,s1,s2; \
+        LOAD_DATA(R,S,u,t,E0,E1,u1); \
+        u2=(int)u>>8L; \
+        u1=(int)u&0xfc; \
+        u2&=0xfc; \
+        t=ROTATE(t,4); \
+        LL^= *(const DES_LONG *)(des_SP      +u1); \
+        LL^= *(const DES_LONG *)(des_SP+0x200+u2); \
+        s1=(int)(u>>16L); \
+        s2=(int)(u>>24L); \
+        s1&=0xfc; \
+        s2&=0xfc; \
+        LL^= *(const DES_LONG *)(des_SP+0x400+s1); \
+        LL^= *(const DES_LONG *)(des_SP+0x600+s2); \
+        u2=(int)t>>8L; \
+        u1=(int)t&0xfc; \
+        u2&=0xfc; \
+        LL^= *(const DES_LONG *)(des_SP+0x100+u1); \
+        LL^= *(const DES_LONG *)(des_SP+0x300+u2); \
+        s1=(int)(t>>16L); \
+        s2=(int)(t>>24L); \
+        s1&=0xfc; \
+        s2&=0xfc; \
+        LL^= *(const DES_LONG *)(des_SP+0x500+s1); \
+        LL^= *(const DES_LONG *)(des_SP+0x700+s2); }
+#endif
+#else
+#define D_ENCRYPT(LL,R,S) { \
+        LOAD_DATA_tmp(R,S,u,t,E0,E1); \
+        t=ROTATE(t,4); \
+        LL^= \
+        *(const DES_LONG *)(des_SP      +((u     )&0xfc))^ \
+        *(const DES_LONG *)(des_SP+0x200+((u>> 8L)&0xfc))^ \
+        *(const DES_LONG *)(des_SP+0x400+((u>>16L)&0xfc))^ \
+        *(const DES_LONG *)(des_SP+0x600+((u>>24L)&0xfc))^ \
+        *(const DES_LONG *)(des_SP+0x100+((t     )&0xfc))^ \
+        *(const DES_LONG *)(des_SP+0x300+((t>> 8L)&0xfc))^ \
+        *(const DES_LONG *)(des_SP+0x500+((t>>16L)&0xfc))^ \
+        *(const DES_LONG *)(des_SP+0x700+((t>>24L)&0xfc)); }
+#endif
+
+#else /* original version */
+
+#if defined(DES_RISC1) || defined(DES_RISC2)
+#ifdef DES_RISC1
+#define D_ENCRYPT(LL,R,S) {\
+        unsigned int u1,u2,u3; \
+        LOAD_DATA(R,S,u,t,E0,E1,u1); \
+        u>>=2L; \
+        t=ROTATE(t,6); \
+        u2=(int)u>>8L; \
+        u1=(int)u&0x3f; \
+        u2&=0x3f; \
+        u>>=16L; \
+        LL^=des_SPtrans[0][u1]; \
+        LL^=des_SPtrans[2][u2]; \
+        u3=(int)u>>8L; \
+        u1=(int)u&0x3f; \
+        u3&=0x3f; \
+        LL^=des_SPtrans[4][u1]; \
+        LL^=des_SPtrans[6][u3]; \
+        u2=(int)t>>8L; \
+        u1=(int)t&0x3f; \
+        u2&=0x3f; \
+        t>>=16L; \
+        LL^=des_SPtrans[1][u1]; \
+        LL^=des_SPtrans[3][u2]; \
+        u3=(int)t>>8L; \
+        u1=(int)t&0x3f; \
+        u3&=0x3f; \
+        LL^=des_SPtrans[5][u1]; \
+        LL^=des_SPtrans[7][u3]; }
+#endif
+#ifdef DES_RISC2
+#define D_ENCRYPT(LL,R,S) {\
+        unsigned int u1,u2,s1,s2; \
+        LOAD_DATA(R,S,u,t,E0,E1,u1); \
+        u>>=2L; \
+        t=ROTATE(t,6); \
+        u2=(int)u>>8L; \
+        u1=(int)u&0x3f; \
+        u2&=0x3f; \
+        LL^=des_SPtrans[0][u1]; \
+        LL^=des_SPtrans[2][u2]; \
+        s1=(int)u>>16L; \
+        s2=(int)u>>24L; \
+        s1&=0x3f; \
+        s2&=0x3f; \
+        LL^=des_SPtrans[4][s1]; \
+        LL^=des_SPtrans[6][s2]; \
+        u2=(int)t>>8L; \
+        u1=(int)t&0x3f; \
+        u2&=0x3f; \
+        LL^=des_SPtrans[1][u1]; \
+        LL^=des_SPtrans[3][u2]; \
+        s1=(int)t>>16; \
+        s2=(int)t>>24L; \
+        s1&=0x3f; \
+        s2&=0x3f; \
+        LL^=des_SPtrans[5][s1]; \
+        LL^=des_SPtrans[7][s2]; }
+#endif
+
+#else
+
+#define D_ENCRYPT(LL,R,S) {\
+        LOAD_DATA_tmp(R,S,u,t,E0,E1); \
+        t=ROTATE(t,4); \
+        LL^=\
+                des_SPtrans[0][(u>> 2L)&0x3f]^ \
+                des_SPtrans[2][(u>>10L)&0x3f]^ \
+                des_SPtrans[4][(u>>18L)&0x3f]^ \
+                des_SPtrans[6][(u>>26L)&0x3f]^ \
+                des_SPtrans[1][(t>> 2L)&0x3f]^ \
+                des_SPtrans[3][(t>>10L)&0x3f]^ \
+                des_SPtrans[5][(t>>18L)&0x3f]^ \
+                des_SPtrans[7][(t>>26L)&0x3f]; }
+#endif
+#endif
+
+        /* IP and FP
+         * The problem is more of a geometric problem that random bit fiddling.
+         0  1  2  3  4  5  6  7      62 54 46 38 30 22 14  6
+         8  9 10 11 12 13 14 15      60 52 44 36 28 20 12  4
+        16 17 18 19 20 21 22 23      58 50 42 34 26 18 10  2
+        24 25 26 27 28 29 30 31  to  56 48 40 32 24 16  8  0
+
+        32 33 34 35 36 37 38 39      63 55 47 39 31 23 15  7
+        40 41 42 43 44 45 46 47      61 53 45 37 29 21 13  5
+        48 49 50 51 52 53 54 55      59 51 43 35 27 19 11  3
+        56 57 58 59 60 61 62 63      57 49 41 33 25 17  9  1
+
+        The output has been subject to swaps of the form
+        0 1 -> 3 1 but the odd and even bits have been put into
+        2 3    2 0
+        different words.  The main trick is to remember that
+        t=((l>>size)^r)&(mask);
+        r^=t;
+        l^=(t<<size);
+        can be used to swap and move bits between words.
+
+        So l =  0  1  2  3  r = 16 17 18 19
+                4  5  6  7      20 21 22 23
+                8  9 10 11      24 25 26 27
+               12 13 14 15      28 29 30 31
+        becomes (for size == 2 and mask == 0x3333)
+           t =   2^16  3^17 -- --   l =  0  1 16 17  r =  2  3 18 19
+                 6^20  7^21 -- --        4  5 20 21       6  7 22 23
+                10^24 11^25 -- --        8  9 24 25      10 11 24 25
+                14^28 15^29 -- --       12 13 28 29      14 15 28 29
+
+        Thanks for hints from Richard Outerbridge - he told me IP&FP
+        could be done in 15 xor, 10 shifts and 5 ands.
+        When I finally started to think of the problem in 2D
+        I first got ~42 operations without xors.  When I remembered
+        how to use xors :-) I got it to its final state.
+        */
+#define PERM_OP(a,b,t,n,m) ((t)=((((a)>>(n))^(b))&(m)),\
+        (b)^=(t),\
+        (a)^=((t)<<(n)))
+
+#define IP(l,r) \
+        { \
+        register DES_LONG tt; \
+        PERM_OP(r,l,tt, 4,0x0f0f0f0fL); \
+        PERM_OP(l,r,tt,16,0x0000ffffL); \
+        PERM_OP(r,l,tt, 2,0x33333333L); \
+        PERM_OP(l,r,tt, 8,0x00ff00ffL); \
+        PERM_OP(r,l,tt, 1,0x55555555L); \
+        }
+
+#define FP(l,r) \
+        { \
+        register DES_LONG tt; \
+        PERM_OP(l,r,tt, 1,0x55555555L); \
+        PERM_OP(r,l,tt, 8,0x00ff00ffL); \
+        PERM_OP(l,r,tt, 2,0x33333333L); \
+        PERM_OP(r,l,tt,16,0x0000ffffL); \
+        PERM_OP(l,r,tt, 4,0x0f0f0f0fL); \
+        }
+
+OPENSSL_EXTERN const DES_LONG des_SPtrans[8][64];
+
+void fcrypt_body(DES_LONG *out,des_key_schedule ks,
+        DES_LONG Eswap0, DES_LONG Eswap1);
+#endif
diff --git a/src/lib/libssl/src/crypto/des/des_old.c b/src/lib/libssl/src/crypto/des/des_old.c
new file mode 100644
index 0000000000..7e4cd7180d
--- /dev/null
+++ b/src/lib/libssl/src/crypto/des/des_old.c
@@ -0,0 +1,271 @@
+/* crypto/des/des_old.c -*- mode:C; c-file-style: "eay" -*- */
+
+/* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+ *
+ * The function names in here are deprecated and are only present to
+ * provide an interface compatible with libdes.  OpenSSL now provides
+ * functions where "des_" has been replaced with "DES_" in the names,
+ * to make it possible to make incompatible changes that are needed
+ * for C type security and other stuff.
+ *
+ * Please consider starting to use the DES_ functions rather than the
+ * des_ ones.  The des_ functions will dissapear completely before
+ * OpenSSL 1.0!
+ *
+ * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+ */
+
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#define OPENSSL_DES_LIBDES_COMPATIBILITY
+#include <openssl/des.h>
+#include <openssl/rand.h>
+
+const char *_ossl_old_des_options(void)
+        {
+        return DES_options();
+        }
+void _ossl_old_des_ecb3_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,
+        des_key_schedule ks1,des_key_schedule ks2,
+        des_key_schedule ks3, int enc)
+        {
+        DES_ecb3_encrypt((const_DES_cblock *)input, output,
+                (DES_key_schedule *)ks1, (DES_key_schedule *)ks2,
+                (DES_key_schedule *)ks3, enc);
+        }
+DES_LONG _ossl_old_des_cbc_cksum(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,
+        long length,des_key_schedule schedule,_ossl_old_des_cblock *ivec)
+        {
+        return DES_cbc_cksum((unsigned char *)input, output, length,
+                (DES_key_schedule *)schedule, ivec);
+        }
+void _ossl_old_des_cbc_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,long length,
+        des_key_schedule schedule,_ossl_old_des_cblock *ivec,int enc)
+        {
+        DES_cbc_encrypt((unsigned char *)input, (unsigned char *)output,
+                length, (DES_key_schedule *)schedule, ivec, enc);
+        }
+void _ossl_old_des_ncbc_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,long length,
+        des_key_schedule schedule,_ossl_old_des_cblock *ivec,int enc)
+        {
+        DES_ncbc_encrypt((unsigned char *)input, (unsigned char *)output,
+                length, (DES_key_schedule *)schedule, ivec, enc);
+        }
+void _ossl_old_des_xcbc_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,long length,
+        des_key_schedule schedule,_ossl_old_des_cblock *ivec,
+        _ossl_old_des_cblock *inw,_ossl_old_des_cblock *outw,int enc)
+        {
+        DES_xcbc_encrypt((unsigned char *)input, (unsigned char *)output,
+                length, (DES_key_schedule *)schedule, ivec, inw, outw, enc);
+        }
+void _ossl_old_des_cfb_encrypt(unsigned char *in,unsigned char *out,int numbits,
+        long length,des_key_schedule schedule,_ossl_old_des_cblock *ivec,int enc)
+        {
+        DES_cfb_encrypt(in, out, numbits, length,
+                (DES_key_schedule *)schedule, ivec, enc);
+        }
+void _ossl_old_des_ecb_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,
+        des_key_schedule ks,int enc)
+        {
+        DES_ecb_encrypt(input, output, (DES_key_schedule *)ks, enc);
+        }
+void _ossl_old_des_encrypt(DES_LONG *data,des_key_schedule ks, int enc)
+        {
+        DES_encrypt1(data, (DES_key_schedule *)ks, enc);
+        }
+void _ossl_old_des_encrypt2(DES_LONG *data,des_key_schedule ks, int enc)
+        {
+        DES_encrypt2(data, (DES_key_schedule *)ks, enc);
+        }
+void _ossl_old_des_encrypt3(DES_LONG *data, des_key_schedule ks1,
+        des_key_schedule ks2, des_key_schedule ks3)
+        {
+        DES_encrypt3(data, (DES_key_schedule *)ks1, (DES_key_schedule *)ks2,
+                (DES_key_schedule *)ks3);
+        }
+void _ossl_old_des_decrypt3(DES_LONG *data, des_key_schedule ks1,
+        des_key_schedule ks2, des_key_schedule ks3)
+        {
+        DES_decrypt3(data, (DES_key_schedule *)ks1, (DES_key_schedule *)ks2,
+                (DES_key_schedule *)ks3);
+        }
+void _ossl_old_des_ede3_cbc_encrypt(_ossl_old_des_cblock *input, _ossl_old_des_cblock *output, 
+        long length, des_key_schedule ks1, des_key_schedule ks2, 
+        des_key_schedule ks3, _ossl_old_des_cblock *ivec, int enc)
+        {
+        DES_ede3_cbc_encrypt((unsigned char *)input, (unsigned char *)output,
+                length, (DES_key_schedule *)ks1, (DES_key_schedule *)ks2,
+                (DES_key_schedule *)ks3, ivec, enc);
+        }
+void _ossl_old_des_ede3_cfb64_encrypt(unsigned char *in, unsigned char *out,
+        long length, des_key_schedule ks1, des_key_schedule ks2,
+        des_key_schedule ks3, _ossl_old_des_cblock *ivec, int *num, int enc)
+        {
+        DES_ede3_cfb64_encrypt(in, out, length,
+                (DES_key_schedule *)ks1, (DES_key_schedule *)ks2,
+                (DES_key_schedule *)ks3, ivec, num, enc);
+        }
+void _ossl_old_des_ede3_ofb64_encrypt(unsigned char *in, unsigned char *out,
+        long length, des_key_schedule ks1, des_key_schedule ks2,
+        des_key_schedule ks3, _ossl_old_des_cblock *ivec, int *num)
+        {
+        DES_ede3_ofb64_encrypt(in, out, length,
+                (DES_key_schedule *)ks1, (DES_key_schedule *)ks2,
+                (DES_key_schedule *)ks3, ivec, num);
+        }
+
+void _ossl_old_des_xwhite_in2out(_ossl_old_des_cblock (*des_key), _ossl_old_des_cblock (*in_white),
+        _ossl_old_des_cblock (*out_white))
+        {
+        DES_xwhite_in2out(des_key, in_white, out_white);
+        }
+
+int _ossl_old_des_enc_read(int fd,char *buf,int len,des_key_schedule sched,
+        _ossl_old_des_cblock *iv)
+        {
+        return DES_enc_read(fd, buf, len, (DES_key_schedule *)sched, iv);
+        }
+int _ossl_old_des_enc_write(int fd,char *buf,int len,des_key_schedule sched,
+        _ossl_old_des_cblock *iv)
+        {
+        return DES_enc_write(fd, buf, len, (DES_key_schedule *)sched, iv);
+        }
+char *_ossl_old_des_fcrypt(const char *buf,const char *salt, char *ret)
+        {
+        return DES_fcrypt(buf, salt, ret);
+        }
+char *_ossl_old_des_crypt(const char *buf,const char *salt)
+        {
+        return DES_crypt(buf, salt);
+        }
+char *_ossl_old_crypt(const char *buf,const char *salt)
+        {
+        return DES_crypt(buf, salt);
+        }
+void _ossl_old_des_ofb_encrypt(unsigned char *in,unsigned char *out,
+        int numbits,long length,des_key_schedule schedule,_ossl_old_des_cblock *ivec)
+        {
+        DES_ofb_encrypt(in, out, numbits, length, (DES_key_schedule *)schedule,
+                ivec);
+        }
+void _ossl_old_des_pcbc_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,long length,
+        des_key_schedule schedule,_ossl_old_des_cblock *ivec,int enc)
+        {
+        DES_pcbc_encrypt((unsigned char *)input, (unsigned char *)output,
+                length, (DES_key_schedule *)schedule, ivec, enc);
+        }
+DES_LONG _ossl_old_des_quad_cksum(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,
+        long length,int out_count,_ossl_old_des_cblock *seed)
+        {
+        return DES_quad_cksum((unsigned char *)input, output, length,
+                out_count, seed);
+        }
+void _ossl_old_des_random_seed(_ossl_old_des_cblock key)
+        {
+        RAND_seed(key, sizeof(_ossl_old_des_cblock));
+        }
+void _ossl_old_des_random_key(_ossl_old_des_cblock ret)
+        {
+        DES_random_key((DES_cblock *)ret);
+        }
+int _ossl_old_des_read_password(_ossl_old_des_cblock *key, const char *prompt,
+                                int verify)
+        {
+        return DES_read_password(key, prompt, verify);
+        }
+int _ossl_old_des_read_2passwords(_ossl_old_des_cblock *key1, _ossl_old_des_cblock *key2,
+        const char *prompt, int verify)
+        {
+        return DES_read_2passwords(key1, key2, prompt, verify);
+        }
+void _ossl_old_des_set_odd_parity(_ossl_old_des_cblock *key)
+        {
+        DES_set_odd_parity(key);
+        }
+int _ossl_old_des_is_weak_key(_ossl_old_des_cblock *key)
+        {
+        return DES_is_weak_key(key);
+        }
+int _ossl_old_des_set_key(_ossl_old_des_cblock *key,des_key_schedule schedule)
+        {
+        return DES_set_key(key, (DES_key_schedule *)schedule);
+        }
+int _ossl_old_des_key_sched(_ossl_old_des_cblock *key,des_key_schedule schedule)
+        {
+        return DES_key_sched(key, (DES_key_schedule *)schedule);
+        }
+void _ossl_old_des_string_to_key(char *str,_ossl_old_des_cblock *key)
+        {
+        DES_string_to_key(str, key);
+        }
+void _ossl_old_des_string_to_2keys(char *str,_ossl_old_des_cblock *key1,_ossl_old_des_cblock *key2)
+        {
+        DES_string_to_2keys(str, key1, key2);
+        }
+void _ossl_old_des_cfb64_encrypt(unsigned char *in, unsigned char *out, long length,
+        des_key_schedule schedule, _ossl_old_des_cblock *ivec, int *num, int enc)
+        {
+        DES_cfb64_encrypt(in, out, length, (DES_key_schedule *)schedule,
+                ivec, num, enc);
+        }
+void _ossl_old_des_ofb64_encrypt(unsigned char *in, unsigned char *out, long length,
+        des_key_schedule schedule, _ossl_old_des_cblock *ivec, int *num)
+        {
+        DES_ofb64_encrypt(in, out, length, (DES_key_schedule *)schedule,
+                ivec, num);
+        }
diff --git a/src/lib/libssl/src/crypto/des/des_old.h b/src/lib/libssl/src/crypto/des/des_old.h
new file mode 100644
index 0000000000..3778f93c15
--- /dev/null
+++ b/src/lib/libssl/src/crypto/des/des_old.h
@@ -0,0 +1,437 @@
+/* crypto/des/des_old.h -*- mode:C; c-file-style: "eay" -*- */
+
+/* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+ *
+ * The function names in here are deprecated and are only present to
+ * provide an interface compatible with openssl 0.9.6 and older as
+ * well as libdes.  OpenSSL now provides functions where "des_" has
+ * been replaced with "DES_" in the names, to make it possible to
+ * make incompatible changes that are needed for C type security and
+ * other stuff.
+ *
+ * This include files has two compatibility modes:
+ *
+ *   - If OPENSSL_DES_LIBDES_COMPATIBILITY is defined, you get an API
+ *     that is compatible with libdes and SSLeay.
+ *   - If OPENSSL_DES_LIBDES_COMPATIBILITY isn't defined, you get an
+ *     API that is compatible with OpenSSL 0.9.5x to 0.9.6x.
+ *
+ * Note that these modes break earlier snapshots of OpenSSL, where
+ * libdes compatibility was the only available mode or (later on) the
+ * prefered compatibility mode.  However, after much consideration
+ * (and more or less violent discussions with external parties), it
+ * was concluded that OpenSSL should be compatible with earlier versions
+ * of itself before anything else.  Also, in all honesty, libdes is
+ * an old beast that shouldn't really be used any more.
+ *
+ * Please consider starting to use the DES_ functions rather than the
+ * des_ ones.  The des_ functions will disappear completely before
+ * OpenSSL 1.0!
+ *
+ * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+ */
+
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_DES_OLD_H
+#define HEADER_DES_OLD_H
+
+#ifdef OPENSSL_NO_DES
+#error DES is disabled.
+#endif
+
+#ifndef HEADER_DES_H
+#error You must include des.h, not des_old.h directly.
+#endif
+
+#ifdef _KERBEROS_DES_H
+#error <openssl/des_old.h> replaces <kerberos/des.h>.
+#endif
+
+#include <openssl/opensslconf.h> /* DES_LONG */
+#include <openssl/e_os2.h>      /* OPENSSL_EXTERN */
+#include <openssl/symhacks.h>
+
+#ifdef OPENSSL_BUILD_SHLIBCRYPTO
+# undef OPENSSL_EXTERN
+# define OPENSSL_EXTERN OPENSSL_EXPORT
+#endif
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+typedef unsigned char _ossl_old_des_cblock[8];
+typedef struct _ossl_old_des_ks_struct
+        {
+        union   {
+                _ossl_old_des_cblock _;
+                /* make sure things are correct size on machines with
+                 * 8 byte longs */
+                DES_LONG pad[2];
+                } ks;
+        } _ossl_old_des_key_schedule[16];
+
+#ifndef OPENSSL_DES_LIBDES_COMPATIBILITY
+#define des_cblock DES_cblock
+#define const_des_cblock const_DES_cblock
+#define des_key_schedule DES_key_schedule
+#define des_ecb3_encrypt(i,o,k1,k2,k3,e)\
+        DES_ecb3_encrypt((i),(o),&(k1),&(k2),&(k3),(e))
+#define des_ede3_cbc_encrypt(i,o,l,k1,k2,k3,iv,e)\
+        DES_ede3_cbc_encrypt((i),(o),(l),&(k1),&(k2),&(k3),(iv),(e))
+#define des_ede3_cbcm_encrypt(i,o,l,k1,k2,k3,iv1,iv2,e)\
+        DES_ede3_cbcm_encrypt((i),(o),(l),&(k1),&(k2),&(k3),(iv1),(iv2),(e))
+#define des_ede3_cfb64_encrypt(i,o,l,k1,k2,k3,iv,n,e)\
+        DES_ede3_cfb64_encrypt((i),(o),(l),&(k1),&(k2),&(k3),(iv),(n),(e))
+#define des_ede3_ofb64_encrypt(i,o,l,k1,k2,k3,iv,n)\
+        DES_ede3_ofb64_encrypt((i),(o),(l),&(k1),&(k2),&(k3),(iv),(n))
+#define des_options()\
+        DES_options()
+#define des_cbc_cksum(i,o,l,k,iv)\
+        DES_cbc_cksum((i),(o),(l),&(k),(iv))
+#define des_cbc_encrypt(i,o,l,k,iv,e)\
+        DES_cbc_encrypt((i),(o),(l),&(k),(iv),(e))
+#define des_ncbc_encrypt(i,o,l,k,iv,e)\
+        DES_ncbc_encrypt((i),(o),(l),&(k),(iv),(e))
+#define des_xcbc_encrypt(i,o,l,k,iv,inw,outw,e)\
+        DES_xcbc_encrypt((i),(o),(l),&(k),(iv),(inw),(outw),(e))
+#define des_cfb_encrypt(i,o,n,l,k,iv,e)\
+        DES_cfb_encrypt((i),(o),(n),(l),&(k),(iv),(e))
+#define des_ecb_encrypt(i,o,k,e)\
+        DES_ecb_encrypt((i),(o),&(k),(e))
+#define des_encrypt1(d,k,e)\
+        DES_encrypt1((d),&(k),(e))
+#define des_encrypt2(d,k,e)\
+        DES_encrypt2((d),&(k),(e))
+#define des_encrypt3(d,k1,k2,k3)\
+        DES_encrypt3((d),&(k1),&(k2),&(k3))
+#define des_decrypt3(d,k1,k2,k3)\
+        DES_decrypt3((d),&(k1),&(k2),&(k3))
+#define des_xwhite_in2out(k,i,o)\
+        DES_xwhite_in2out((k),(i),(o))
+#define des_enc_read(f,b,l,k,iv)\
+        DES_enc_read((f),(b),(l),&(k),(iv))
+#define des_enc_write(f,b,l,k,iv)\
+        DES_enc_write((f),(b),(l),&(k),(iv))
+#define des_fcrypt(b,s,r)\
+        DES_fcrypt((b),(s),(r))
+#define des_crypt(b,s)\
+        DES_crypt((b),(s))
+#if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT)
+#define crypt(b,s)\
+        DES_crypt((b),(s))
+#endif
+#define des_ofb_encrypt(i,o,n,l,k,iv)\
+        DES_ofb_encrypt((i),(o),(n),(l),&(k),(iv))
+#define des_pcbc_encrypt(i,o,l,k,iv,e)\
+        DES_pcbc_encrypt((i),(o),(l),&(k),(iv),(e))
+#define des_quad_cksum(i,o,l,c,s)\
+        DES_quad_cksum((i),(o),(l),(c),(s))
+#define des_random_seed(k)\
+        _ossl_096_des_random_seed((k))
+#define des_random_key(r)\
+        DES_random_key((r))
+#define des_read_password(k,p,v) \
+        DES_read_password((k),(p),(v))
+#define des_read_2passwords(k1,k2,p,v) \
+        DES_read_2passwords((k1),(k2),(p),(v))
+#define des_set_odd_parity(k)\
+        DES_set_odd_parity((k))
+#define des_check_key_parity(k)\
+        DES_check_key_parity((k))
+#define des_is_weak_key(k)\
+        DES_is_weak_key((k))
+#define des_set_key(k,ks)\
+        DES_set_key((k),&(ks))
+#define des_key_sched(k,ks)\
+        DES_key_sched((k),&(ks))
+#define des_set_key_checked(k,ks)\
+        DES_set_key_checked((k),&(ks))
+#define des_set_key_unchecked(k,ks)\
+        DES_set_key_unchecked((k),&(ks))
+#define des_string_to_key(s,k)\
+        DES_string_to_key((s),(k))
+#define des_string_to_2keys(s,k1,k2)\
+        DES_string_to_2keys((s),(k1),(k2))
+#define des_cfb64_encrypt(i,o,l,ks,iv,n,e)\
+        DES_cfb64_encrypt((i),(o),(l),&(ks),(iv),(n),(e))
+#define des_ofb64_encrypt(i,o,l,ks,iv,n)\
+        DES_ofb64_encrypt((i),(o),(l),&(ks),(iv),(n))
+                
+
+#define des_ecb2_encrypt(i,o,k1,k2,e) \
+        des_ecb3_encrypt((i),(o),(k1),(k2),(k1),(e))
+
+#define des_ede2_cbc_encrypt(i,o,l,k1,k2,iv,e) \
+        des_ede3_cbc_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(e))
+
+#define des_ede2_cfb64_encrypt(i,o,l,k1,k2,iv,n,e) \
+        des_ede3_cfb64_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(n),(e))
+
+#define des_ede2_ofb64_encrypt(i,o,l,k1,k2,iv,n) \
+        des_ede3_ofb64_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(n))
+
+#define des_check_key DES_check_key
+#define des_rw_mode DES_rw_mode
+#else /* libdes compatibility */
+/* Map all symbol names to _ossl_old_des_* form, so we avoid all
+   clashes with libdes */
+#define des_cblock _ossl_old_des_cblock
+#define des_key_schedule _ossl_old_des_key_schedule
+#define des_ecb3_encrypt(i,o,k1,k2,k3,e)\
+        _ossl_old_des_ecb3_encrypt((i),(o),(k1),(k2),(k3),(e))
+#define des_ede3_cbc_encrypt(i,o,l,k1,k2,k3,iv,e)\
+        _ossl_old_des_ede3_cbc_encrypt((i),(o),(l),(k1),(k2),(k3),(iv),(e))
+#define des_ede3_cfb64_encrypt(i,o,l,k1,k2,k3,iv,n,e)\
+        _ossl_old_des_ede3_cfb64_encrypt((i),(o),(l),(k1),(k2),(k3),(iv),(n),(e))
+#define des_ede3_ofb64_encrypt(i,o,l,k1,k2,k3,iv,n)\
+        _ossl_old_des_ede3_ofb64_encrypt((i),(o),(l),(k1),(k2),(k3),(iv),(n))
+#define des_options()\
+        _ossl_old_des_options()
+#define des_cbc_cksum(i,o,l,k,iv)\
+        _ossl_old_des_cbc_cksum((i),(o),(l),(k),(iv))
+#define des_cbc_encrypt(i,o,l,k,iv,e)\
+        _ossl_old_des_cbc_encrypt((i),(o),(l),(k),(iv),(e))
+#define des_ncbc_encrypt(i,o,l,k,iv,e)\
+        _ossl_old_des_ncbc_encrypt((i),(o),(l),(k),(iv),(e))
+#define des_xcbc_encrypt(i,o,l,k,iv,inw,outw,e)\
+        _ossl_old_des_xcbc_encrypt((i),(o),(l),(k),(iv),(inw),(outw),(e))
+#define des_cfb_encrypt(i,o,n,l,k,iv,e)\
+        _ossl_old_des_cfb_encrypt((i),(o),(n),(l),(k),(iv),(e))
+#define des_ecb_encrypt(i,o,k,e)\
+        _ossl_old_des_ecb_encrypt((i),(o),(k),(e))
+#define des_encrypt(d,k,e)\
+        _ossl_old_des_encrypt((d),(k),(e))
+#define des_encrypt2(d,k,e)\
+        _ossl_old_des_encrypt2((d),(k),(e))
+#define des_encrypt3(d,k1,k2,k3)\
+        _ossl_old_des_encrypt3((d),(k1),(k2),(k3))
+#define des_decrypt3(d,k1,k2,k3)\
+        _ossl_old_des_decrypt3((d),(k1),(k2),(k3))
+#define des_xwhite_in2out(k,i,o)\
+        _ossl_old_des_xwhite_in2out((k),(i),(o))
+#define des_enc_read(f,b,l,k,iv)\
+        _ossl_old_des_enc_read((f),(b),(l),(k),(iv))
+#define des_enc_write(f,b,l,k,iv)\
+        _ossl_old_des_enc_write((f),(b),(l),(k),(iv))
+#define des_fcrypt(b,s,r)\
+        _ossl_old_des_fcrypt((b),(s),(r))
+#define des_crypt(b,s)\
+        _ossl_old_des_crypt((b),(s))
+#define crypt(b,s)\
+        _ossl_old_crypt((b),(s))
+#define des_ofb_encrypt(i,o,n,l,k,iv)\
+        _ossl_old_des_ofb_encrypt((i),(o),(n),(l),(k),(iv))
+#define des_pcbc_encrypt(i,o,l,k,iv,e)\
+        _ossl_old_des_pcbc_encrypt((i),(o),(l),(k),(iv),(e))
+#define des_quad_cksum(i,o,l,c,s)\
+        _ossl_old_des_quad_cksum((i),(o),(l),(c),(s))
+#define des_random_seed(k)\
+        _ossl_old_des_random_seed((k))
+#define des_random_key(r)\
+        _ossl_old_des_random_key((r))
+#define des_read_password(k,p,v) \
+        _ossl_old_des_read_password((k),(p),(v))
+#define des_read_2passwords(k1,k2,p,v) \
+        _ossl_old_des_read_2passwords((k1),(k2),(p),(v))
+#define des_set_odd_parity(k)\
+        _ossl_old_des_set_odd_parity((k))
+#define des_is_weak_key(k)\
+        _ossl_old_des_is_weak_key((k))
+#define des_set_key(k,ks)\
+        _ossl_old_des_set_key((k),(ks))
+#define des_key_sched(k,ks)\
+        _ossl_old_des_key_sched((k),(ks))
+#define des_string_to_key(s,k)\
+        _ossl_old_des_string_to_key((s),(k))
+#define des_string_to_2keys(s,k1,k2)\
+        _ossl_old_des_string_to_2keys((s),(k1),(k2))
+#define des_cfb64_encrypt(i,o,l,ks,iv,n,e)\
+        _ossl_old_des_cfb64_encrypt((i),(o),(l),(ks),(iv),(n),(e))
+#define des_ofb64_encrypt(i,o,l,ks,iv,n)\
+        _ossl_old_des_ofb64_encrypt((i),(o),(l),(ks),(iv),(n))
+                
+
+#define des_ecb2_encrypt(i,o,k1,k2,e) \
+        des_ecb3_encrypt((i),(o),(k1),(k2),(k1),(e))
+
+#define des_ede2_cbc_encrypt(i,o,l,k1,k2,iv,e) \
+        des_ede3_cbc_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(e))
+
+#define des_ede2_cfb64_encrypt(i,o,l,k1,k2,iv,n,e) \
+        des_ede3_cfb64_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(n),(e))
+
+#define des_ede2_ofb64_encrypt(i,o,l,k1,k2,iv,n) \
+        des_ede3_ofb64_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(n))
+
+#define des_check_key DES_check_key
+#define des_rw_mode DES_rw_mode
+#endif
+
+const char *_ossl_old_des_options(void);
+void _ossl_old_des_ecb3_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,
+        _ossl_old_des_key_schedule ks1,_ossl_old_des_key_schedule ks2,
+        _ossl_old_des_key_schedule ks3, int enc);
+DES_LONG _ossl_old_des_cbc_cksum(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,
+        long length,_ossl_old_des_key_schedule schedule,_ossl_old_des_cblock *ivec);
+void _ossl_old_des_cbc_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,long length,
+        _ossl_old_des_key_schedule schedule,_ossl_old_des_cblock *ivec,int enc);
+void _ossl_old_des_ncbc_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,long length,
+        _ossl_old_des_key_schedule schedule,_ossl_old_des_cblock *ivec,int enc);
+void _ossl_old_des_xcbc_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,long length,
+        _ossl_old_des_key_schedule schedule,_ossl_old_des_cblock *ivec,
+        _ossl_old_des_cblock *inw,_ossl_old_des_cblock *outw,int enc);
+void _ossl_old_des_cfb_encrypt(unsigned char *in,unsigned char *out,int numbits,
+        long length,_ossl_old_des_key_schedule schedule,_ossl_old_des_cblock *ivec,int enc);
+void _ossl_old_des_ecb_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,
+        _ossl_old_des_key_schedule ks,int enc);
+void _ossl_old_des_encrypt(DES_LONG *data,_ossl_old_des_key_schedule ks, int enc);
+void _ossl_old_des_encrypt2(DES_LONG *data,_ossl_old_des_key_schedule ks, int enc);
+void _ossl_old_des_encrypt3(DES_LONG *data, _ossl_old_des_key_schedule ks1,
+        _ossl_old_des_key_schedule ks2, _ossl_old_des_key_schedule ks3);
+void _ossl_old_des_decrypt3(DES_LONG *data, _ossl_old_des_key_schedule ks1,
+        _ossl_old_des_key_schedule ks2, _ossl_old_des_key_schedule ks3);
+void _ossl_old_des_ede3_cbc_encrypt(_ossl_old_des_cblock *input, _ossl_old_des_cblock *output, 
+        long length, _ossl_old_des_key_schedule ks1, _ossl_old_des_key_schedule ks2, 
+        _ossl_old_des_key_schedule ks3, _ossl_old_des_cblock *ivec, int enc);
+void _ossl_old_des_ede3_cfb64_encrypt(unsigned char *in, unsigned char *out,
+        long length, _ossl_old_des_key_schedule ks1, _ossl_old_des_key_schedule ks2,
+        _ossl_old_des_key_schedule ks3, _ossl_old_des_cblock *ivec, int *num, int enc);
+void _ossl_old_des_ede3_ofb64_encrypt(unsigned char *in, unsigned char *out,
+        long length, _ossl_old_des_key_schedule ks1, _ossl_old_des_key_schedule ks2,
+        _ossl_old_des_key_schedule ks3, _ossl_old_des_cblock *ivec, int *num);
+
+void _ossl_old_des_xwhite_in2out(_ossl_old_des_cblock (*des_key), _ossl_old_des_cblock (*in_white),
+        _ossl_old_des_cblock (*out_white));
+
+int _ossl_old_des_enc_read(int fd,char *buf,int len,_ossl_old_des_key_schedule sched,
+        _ossl_old_des_cblock *iv);
+int _ossl_old_des_enc_write(int fd,char *buf,int len,_ossl_old_des_key_schedule sched,
+        _ossl_old_des_cblock *iv);
+char *_ossl_old_des_fcrypt(const char *buf,const char *salt, char *ret);
+char *_ossl_old_des_crypt(const char *buf,const char *salt);
+#if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT)
+char *_ossl_old_crypt(const char *buf,const char *salt);
+#endif
+void _ossl_old_des_ofb_encrypt(unsigned char *in,unsigned char *out,
+        int numbits,long length,_ossl_old_des_key_schedule schedule,_ossl_old_des_cblock *ivec);
+void _ossl_old_des_pcbc_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,long length,
+        _ossl_old_des_key_schedule schedule,_ossl_old_des_cblock *ivec,int enc);
+DES_LONG _ossl_old_des_quad_cksum(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,
+        long length,int out_count,_ossl_old_des_cblock *seed);
+void _ossl_old_des_random_seed(_ossl_old_des_cblock key);
+void _ossl_old_des_random_key(_ossl_old_des_cblock ret);
+int _ossl_old_des_read_password(_ossl_old_des_cblock *key,const char *prompt,int verify);
+int _ossl_old_des_read_2passwords(_ossl_old_des_cblock *key1,_ossl_old_des_cblock *key2,
+        const char *prompt,int verify);
+void _ossl_old_des_set_odd_parity(_ossl_old_des_cblock *key);
+int _ossl_old_des_is_weak_key(_ossl_old_des_cblock *key);
+int _ossl_old_des_set_key(_ossl_old_des_cblock *key,_ossl_old_des_key_schedule schedule);
+int _ossl_old_des_key_sched(_ossl_old_des_cblock *key,_ossl_old_des_key_schedule schedule);
+void _ossl_old_des_string_to_key(char *str,_ossl_old_des_cblock *key);
+void _ossl_old_des_string_to_2keys(char *str,_ossl_old_des_cblock *key1,_ossl_old_des_cblock *key2);
+void _ossl_old_des_cfb64_encrypt(unsigned char *in, unsigned char *out, long length,
+        _ossl_old_des_key_schedule schedule, _ossl_old_des_cblock *ivec, int *num, int enc);
+void _ossl_old_des_ofb64_encrypt(unsigned char *in, unsigned char *out, long length,
+        _ossl_old_des_key_schedule schedule, _ossl_old_des_cblock *ivec, int *num);
+
+void _ossl_096_des_random_seed(des_cblock *key);
+
+/* The following definitions provide compatibility with the MIT Kerberos
+ * library. The _ossl_old_des_key_schedule structure is not binary compatible. */
+
+#define _KERBEROS_DES_H
+
+#define KRBDES_ENCRYPT DES_ENCRYPT
+#define KRBDES_DECRYPT DES_DECRYPT
+
+#ifdef KERBEROS
+#  define ENCRYPT DES_ENCRYPT
+#  define DECRYPT DES_DECRYPT
+#endif
+
+#ifndef NCOMPAT
+#  define C_Block des_cblock
+#  define Key_schedule des_key_schedule
+#  define KEY_SZ DES_KEY_SZ
+#  define string_to_key des_string_to_key
+#  define read_pw_string des_read_pw_string
+#  define random_key des_random_key
+#  define pcbc_encrypt des_pcbc_encrypt
+#  define set_key des_set_key
+#  define key_sched des_key_sched
+#  define ecb_encrypt des_ecb_encrypt
+#  define cbc_encrypt des_cbc_encrypt
+#  define ncbc_encrypt des_ncbc_encrypt
+#  define xcbc_encrypt des_xcbc_encrypt
+#  define cbc_cksum des_cbc_cksum
+#  define quad_cksum des_quad_cksum
+#  define check_parity des_check_key_parity
+#endif
+
+#define des_fixup_key_parity DES_fixup_key_parity
+
+#ifdef  __cplusplus
+}
+#endif
+
+/* for DES_read_pw_string et al */
+#include <openssl/ui_compat.h>
+
+#endif
diff --git a/src/lib/libssl/src/crypto/des/des_old2.c b/src/lib/libssl/src/crypto/des/des_old2.c
new file mode 100644
index 0000000000..c8fa3ee135
--- /dev/null
+++ b/src/lib/libssl/src/crypto/des/des_old2.c
@@ -0,0 +1,82 @@
+/* crypto/des/des_old.c -*- mode:C; c-file-style: "eay" -*- */
+
+/* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+ *
+ * The function names in here are deprecated and are only present to
+ * provide an interface compatible with OpenSSL 0.9.6c.  OpenSSL now
+ * provides functions where "des_" has been replaced with "DES_" in
+ * the names, to make it possible to make incompatible changes that
+ * are needed for C type security and other stuff.
+ *
+ * Please consider starting to use the DES_ functions rather than the
+ * des_ ones.  The des_ functions will dissapear completely before
+ * OpenSSL 1.0!
+ *
+ * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+ */
+
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#undef OPENSSL_DES_LIBDES_COMPATIBILITY
+#include <openssl/des.h>
+#include <openssl/rand.h>
+
+void _ossl_096_des_random_seed(DES_cblock *key)
+        {
+        RAND_seed(key, sizeof(DES_cblock));
+        }
diff --git a/src/lib/libssl/src/crypto/des/ede_cbcm_enc.c b/src/lib/libssl/src/crypto/des/ede_cbcm_enc.c
new file mode 100644
index 0000000000..c53062481d
--- /dev/null
+++ b/src/lib/libssl/src/crypto/des/ede_cbcm_enc.c
@@ -0,0 +1,197 @@
+/* ede_cbcm_enc.c */
+/* Written by Ben Laurie <ben@algroup.co.uk> for the OpenSSL
+ * project 13 Feb 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+
+This is an implementation of Triple DES Cipher Block Chaining with Output
+Feedback Masking, by Coppersmith, Johnson and Matyas, (IBM and Certicom).
+
+Note that there is a known attack on this by Biham and Knudsen but it takes
+a lot of work:
+
+http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/1998/CS/CS0928.ps.gz
+
+*/
+
+#ifndef NO_DESCBCM
+#include "des_locl.h"
+
+void des_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out,
+             long length, des_key_schedule ks1, des_key_schedule ks2,
+             des_key_schedule ks3, des_cblock *ivec1, des_cblock *ivec2,
+             int enc)
+    {
+    register DES_LONG tin0,tin1;
+    register DES_LONG tout0,tout1,xor0,xor1,m0,m1;
+    register long l=length;
+    DES_LONG tin[2];
+    unsigned char *iv1,*iv2;
+
+    iv1 = &(*ivec1)[0];
+    iv2 = &(*ivec2)[0];
+
+    if (enc)
+        {
+        c2l(iv1,m0);
+        c2l(iv1,m1);
+        c2l(iv2,tout0);
+        c2l(iv2,tout1);
+        for (l-=8; l>=-7; l-=8)
+            {
+            tin[0]=m0;
+            tin[1]=m1;
+            des_encrypt(tin,ks3,1);
+            m0=tin[0];
+            m1=tin[1];
+
+            if(l < 0)
+                {
+                c2ln(in,tin0,tin1,l+8);
+                }
+            else
+                {
+                c2l(in,tin0);
+                c2l(in,tin1);
+                }
+            tin0^=tout0;
+            tin1^=tout1;
+
+            tin[0]=tin0;
+            tin[1]=tin1;
+            des_encrypt(tin,ks1,1);
+            tin[0]^=m0;
+            tin[1]^=m1;
+            des_encrypt(tin,ks2,0);
+            tin[0]^=m0;
+            tin[1]^=m1;
+            des_encrypt(tin,ks1,1);
+            tout0=tin[0];
+            tout1=tin[1];
+
+            l2c(tout0,out);
+            l2c(tout1,out);
+            }
+        iv1=&(*ivec1)[0];
+        l2c(m0,iv1);
+        l2c(m1,iv1);
+
+        iv2=&(*ivec2)[0];
+        l2c(tout0,iv2);
+        l2c(tout1,iv2);
+        }
+    else
+        {
+        register DES_LONG t0,t1;
+
+        c2l(iv1,m0);
+        c2l(iv1,m1);
+        c2l(iv2,xor0);
+        c2l(iv2,xor1);
+        for (l-=8; l>=-7; l-=8)
+            {
+            tin[0]=m0;
+            tin[1]=m1;
+            des_encrypt(tin,ks3,1);
+            m0=tin[0];
+            m1=tin[1];
+
+            c2l(in,tin0);
+            c2l(in,tin1);
+
+            t0=tin0;
+            t1=tin1;
+
+            tin[0]=tin0;
+            tin[1]=tin1;
+            des_encrypt(tin,ks1,0);
+            tin[0]^=m0;
+            tin[1]^=m1;
+            des_encrypt(tin,ks2,1);
+            tin[0]^=m0;
+            tin[1]^=m1;
+            des_encrypt(tin,ks1,0);
+            tout0=tin[0];
+            tout1=tin[1];
+
+            tout0^=xor0;
+            tout1^=xor1;
+            if(l < 0)
+                {
+                l2cn(tout0,tout1,out,l+8);
+                }
+            else
+                {
+                l2c(tout0,out);
+                l2c(tout1,out);
+                }
+            xor0=t0;
+            xor1=t1;
+            }
+
+        iv1=&(*ivec1)[0];
+        l2c(m0,iv1);
+        l2c(m1,iv1);
+
+        iv2=&(*ivec2)[0];
+        l2c(xor0,iv2);
+        l2c(xor1,iv2);
+        }
+    tin0=tin1=tout0=tout1=xor0=xor1=0;
+    tin[0]=tin[1]=0;
+    }
+#endif
diff --git a/src/lib/libssl/src/crypto/dh/dh_asn1.c b/src/lib/libssl/src/crypto/dh/dh_asn1.c
new file mode 100644
index 0000000000..769b5b68c5
--- /dev/null
+++ b/src/lib/libssl/src/crypto/dh/dh_asn1.c
@@ -0,0 +1,87 @@
+/* dh_asn1.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/dh.h>
+#include <openssl/objects.h>
+#include <openssl/asn1t.h>
+
+/* Override the default free and new methods */
+static int dh_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        if(operation == ASN1_OP_NEW_PRE) {
+                *pval = (ASN1_VALUE *)DH_new();
+                if(*pval) return 2;
+                return 0;
+        } else if(operation == ASN1_OP_FREE_PRE) {
+                DH_free((DH *)*pval);
+                *pval = NULL;
+                return 2;
+        }
+        return 1;
+}
+
+ASN1_SEQUENCE_cb(DHparams, dh_cb) = {
+        ASN1_SIMPLE(DH, p, BIGNUM),
+        ASN1_SIMPLE(DH, g, BIGNUM),
+        ASN1_OPT(DH, length, ZLONG),
+} ASN1_SEQUENCE_END_cb(DH, DHparams)
+
+IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(DH, DHparams, DHparams)
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_asn1.c b/src/lib/libssl/src/crypto/dsa/dsa_asn1.c
new file mode 100644
index 0000000000..7523b21654
--- /dev/null
+++ b/src/lib/libssl/src/crypto/dsa/dsa_asn1.c
@@ -0,0 +1,96 @@
+/* crypto/dsa/dsa_asn1.c */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/dsa.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+
+DSA_SIG *DSA_SIG_new(void)
+{
+        DSA_SIG *ret;
+
+        ret = Malloc(sizeof(DSA_SIG));
+        if (ret == NULL)
+                {
+                DSAerr(DSA_F_DSA_SIG_NEW,ERR_R_MALLOC_FAILURE);
+                return(NULL);
+                }
+        ret->r = NULL;
+        ret->s = NULL;
+        return(ret);
+}
+
+void DSA_SIG_free(DSA_SIG *r)
+{
+        if (r == NULL) return;
+        if (r->r) BN_clear_free(r->r);
+        if (r->s) BN_clear_free(r->s);
+        Free(r);
+}
+
+int i2d_DSA_SIG(DSA_SIG *v, unsigned char **pp)
+{
+        int t=0,len;
+        ASN1_INTEGER rbs,sbs;
+        unsigned char *p;
+
+        rbs.data=Malloc(BN_num_bits(v->r)/8+1);
+        if (rbs.data == NULL)
+                {
+                DSAerr(DSA_F_I2D_DSA_SIG, ERR_R_MALLOC_FAILURE);
+                return(0);
+                }
+        rbs.type=V_ASN1_INTEGER;
+        rbs.length=BN_bn2bin(v->r,rbs.data);
+        sbs.data=Malloc(BN_num_bits(v->s)/8+1);
+        if (sbs.data == NULL)
+                {
+                Free(rbs.data);
+                DSAerr(DSA_F_I2D_DSA_SIG, ERR_R_MALLOC_FAILURE);
+                return(0);
+                }
+        sbs.type=V_ASN1_INTEGER;
+        sbs.length=BN_bn2bin(v->s,sbs.data);
+
+        len=i2d_ASN1_INTEGER(&rbs,NULL);
+        len+=i2d_ASN1_INTEGER(&sbs,NULL);
+
+        if (pp)
+                {
+                p=*pp;
+                ASN1_put_object(&p,1,len,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);
+                i2d_ASN1_INTEGER(&rbs,&p);
+                i2d_ASN1_INTEGER(&sbs,&p);
+                }
+        t=ASN1_object_size(1,len,V_ASN1_SEQUENCE);
+        Free(rbs.data);
+        Free(sbs.data);
+        return(t);
+}
+
+DSA_SIG *d2i_DSA_SIG(DSA_SIG **a, unsigned char **pp, long length)
+{
+        int i=ERR_R_NESTED_ASN1_ERROR;
+        ASN1_INTEGER *bs=NULL;
+        M_ASN1_D2I_vars(a,DSA_SIG *,DSA_SIG_new);
+
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+        if ((ret->r=BN_bin2bn(bs->data,bs->length,ret->r)) == NULL)
+                goto err_bn;
+        M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
+        if ((ret->s=BN_bin2bn(bs->data,bs->length,ret->s)) == NULL)
+                goto err_bn;
+        ASN1_BIT_STRING_free(bs);
+        M_ASN1_D2I_Finish_2(a);
+
+err_bn:
+        i=ERR_R_BN_LIB;
+err:
+        DSAerr(DSA_F_D2I_DSA_SIG,i);
+        if ((ret != NULL) && ((a == NULL) || (*a != ret))) DSA_SIG_free(ret);
+        if (bs != NULL) ASN1_BIT_STRING_free(bs);
+        return(NULL);
+}
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_ossl.c b/src/lib/libssl/src/crypto/dsa/dsa_ossl.c
new file mode 100644
index 0000000000..b51cf6ad8d
--- /dev/null
+++ b/src/lib/libssl/src/crypto/dsa/dsa_ossl.c
@@ -0,0 +1,321 @@
+/* crypto/dsa/dsa_ossl.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/dsa.h>
+#include <openssl/rand.h>
+#include <openssl/asn1.h>
+
+static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
+static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
+static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
+                  DSA *dsa);
+static int dsa_init(DSA *dsa);
+static int dsa_finish(DSA *dsa);
+static int dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1,
+                BIGNUM *a2, BIGNUM *p2, BIGNUM *m, BN_CTX *ctx,
+                BN_MONT_CTX *in_mont);
+static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                                const BIGNUM *m, BN_CTX *ctx,
+                                BN_MONT_CTX *m_ctx);
+
+static DSA_METHOD openssl_dsa_meth = {
+"OpenSSL DSA method",
+dsa_do_sign,
+dsa_sign_setup,
+dsa_do_verify,
+dsa_mod_exp,
+dsa_bn_mod_exp,
+dsa_init,
+dsa_finish,
+0,
+NULL
+};
+
+DSA_METHOD *DSA_OpenSSL(void)
+{
+        return &openssl_dsa_meth;
+}
+
+static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
+        {
+        BIGNUM *kinv=NULL,*r=NULL,*s=NULL;
+        BIGNUM m;
+        BIGNUM xr;
+        BN_CTX *ctx=NULL;
+        int i,reason=ERR_R_BN_LIB;
+        DSA_SIG *ret=NULL;
+
+        BN_init(&m);
+        BN_init(&xr);
+        s=BN_new();
+        if (s == NULL) goto err;
+
+        i=BN_num_bytes(dsa->q); /* should be 20 */
+        if ((dlen > i) || (dlen > 50))
+                {
+                reason=DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE;
+                goto err;
+                }
+
+        ctx=BN_CTX_new();
+        if (ctx == NULL) goto err;
+
+        if ((dsa->kinv == NULL) || (dsa->r == NULL))
+                {
+                if (!DSA_sign_setup(dsa,ctx,&kinv,&r)) goto err;
+                }
+        else
+                {
+                kinv=dsa->kinv;
+                dsa->kinv=NULL;
+                r=dsa->r;
+                dsa->r=NULL;
+                }
+
+        if (BN_bin2bn(dgst,dlen,&m) == NULL) goto err;
+
+        /* Compute  s = inv(k) (m + xr) mod q */
+        if (!BN_mod_mul(&xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */
+        if (!BN_add(s, &xr, &m)) goto err;              /* s = m + xr */
+        if (BN_cmp(s,dsa->q) > 0)
+                BN_sub(s,s,dsa->q);
+        if (!BN_mod_mul(s,s,kinv,dsa->q,ctx)) goto err;
+
+        ret=DSA_SIG_new();
+        if (ret == NULL) goto err;
+        ret->r = r;
+        ret->s = s;
+        
+err:
+        if (!ret)
+                {
+                DSAerr(DSA_F_DSA_DO_SIGN,reason);
+                BN_free(r);
+                BN_free(s);
+                }
+        if (ctx != NULL) BN_CTX_free(ctx);
+        BN_clear_free(&m);
+        BN_clear_free(&xr);
+        if (kinv != NULL) /* dsa->kinv is NULL now if we used it */
+            BN_clear_free(kinv);
+        return(ret);
+        }
+
+static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
+        {
+        BN_CTX *ctx;
+        BIGNUM k,*kinv=NULL,*r=NULL;
+        int ret=0;
+
+        if (ctx_in == NULL)
+                {
+                if ((ctx=BN_CTX_new()) == NULL) goto err;
+                }
+        else
+                ctx=ctx_in;
+
+        BN_init(&k);
+        if ((r=BN_new()) == NULL) goto err;
+        kinv=NULL;
+
+        /* Get random k */
+        for (;;)
+                {
+                if (!BN_rand(&k, BN_num_bits(dsa->q), 1, 0)) goto err;
+                if (BN_cmp(&k,dsa->q) >= 0)
+                        BN_sub(&k,&k,dsa->q);
+                if (!BN_is_zero(&k)) break;
+                }
+
+        if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
+                {
+                if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
+                        if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p,
+                                dsa->p,ctx)) goto err;
+                }
+
+        /* Compute r = (g^k mod p) mod q */
+        if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
+                (BN_MONT_CTX *)dsa->method_mont_p)) goto err;
+        if (!BN_mod(r,r,dsa->q,ctx)) goto err;
+
+        /* Compute  part of 's = inv(k) (m + xr) mod q' */
+        if ((kinv=BN_mod_inverse(NULL,&k,dsa->q,ctx)) == NULL) goto err;
+
+        if (*kinvp != NULL) BN_clear_free(*kinvp);
+        *kinvp=kinv;
+        kinv=NULL;
+        if (*rp != NULL) BN_clear_free(*rp);
+        *rp=r;
+        ret=1;
+err:
+        if (!ret)
+                {
+                DSAerr(DSA_F_DSA_SIGN_SETUP,ERR_R_BN_LIB);
+                if (kinv != NULL) BN_clear_free(kinv);
+                if (r != NULL) BN_clear_free(r);
+                }
+        if (ctx_in == NULL) BN_CTX_free(ctx);
+        if (kinv != NULL) BN_clear_free(kinv);
+        BN_clear_free(&k);
+        return(ret);
+        }
+
+static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
+                  DSA *dsa)
+        {
+        BN_CTX *ctx;
+        BIGNUM u1,u2,t1;
+        BN_MONT_CTX *mont=NULL;
+        int ret = -1;
+
+        if ((ctx=BN_CTX_new()) == NULL) goto err;
+        BN_init(&u1);
+        BN_init(&u2);
+        BN_init(&t1);
+
+        /* Calculate W = inv(S) mod Q
+         * save W in u2 */
+        if ((BN_mod_inverse(&u2,sig->s,dsa->q,ctx)) == NULL) goto err;
+
+        /* save M in u1 */
+        if (BN_bin2bn(dgst,dgst_len,&u1) == NULL) goto err;
+
+        /* u1 = M * w mod q */
+        if (!BN_mod_mul(&u1,&u1,&u2,dsa->q,ctx)) goto err;
+
+        /* u2 = r * w mod q */
+        if (!BN_mod_mul(&u2,sig->r,&u2,dsa->q,ctx)) goto err;
+
+        if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
+                {
+                if ((dsa->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
+                        if (!BN_MONT_CTX_set((BN_MONT_CTX *)dsa->method_mont_p,
+                                dsa->p,ctx)) goto err;
+                }
+        mont=(BN_MONT_CTX *)dsa->method_mont_p;
+
+#if 0
+        {
+        BIGNUM t2;
+
+        BN_init(&t2);
+        /* v = ( g^u1 * y^u2 mod p ) mod q */
+        /* let t1 = g ^ u1 mod p */
+        if (!BN_mod_exp_mont(&t1,dsa->g,&u1,dsa->p,ctx,mont)) goto err;
+        /* let t2 = y ^ u2 mod p */
+        if (!BN_mod_exp_mont(&t2,dsa->pub_key,&u2,dsa->p,ctx,mont)) goto err;
+        /* let u1 = t1 * t2 mod p */
+        if (!BN_mod_mul(&u1,&t1,&t2,dsa->p,ctx)) goto err_bn;
+        BN_free(&t2);
+        }
+        /* let u1 = u1 mod q */
+        if (!BN_mod(&u1,&u1,dsa->q,ctx)) goto err;
+#else
+        {
+        if (!dsa->meth->dsa_mod_exp(dsa, &t1,dsa->g,&u1,dsa->pub_key,&u2,
+                                                dsa->p,ctx,mont)) goto err;
+        /* BN_copy(&u1,&t1); */
+        /* let u1 = u1 mod q */
+        if (!BN_mod(&u1,&t1,dsa->q,ctx)) goto err;
+        }
+#endif
+        /* V is now in u1.  If the signature is correct, it will be
+         * equal to R. */
+        ret=(BN_ucmp(&u1, sig->r) == 0);
+
+        err:
+        if (ret != 1) DSAerr(DSA_F_DSA_DO_VERIFY,ERR_R_BN_LIB);
+        if (ctx != NULL) BN_CTX_free(ctx);
+        BN_free(&u1);
+        BN_free(&u2);
+        BN_free(&t1);
+        return(ret);
+        }
+
+static int dsa_init(DSA *dsa)
+{
+        dsa->flags|=DSA_FLAG_CACHE_MONT_P;
+        return(1);
+}
+
+static int dsa_finish(DSA *dsa)
+{
+        if(dsa->method_mont_p)
+                BN_MONT_CTX_free((BN_MONT_CTX *)dsa->method_mont_p);
+        return(1);
+}
+
+static int dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1,
+                BIGNUM *a2, BIGNUM *p2, BIGNUM *m, BN_CTX *ctx,
+                BN_MONT_CTX *in_mont)
+{
+        return BN_mod_exp2_mont(rr, a1, p1, a2, p2, m, ctx, in_mont);
+}
+        
+static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                                const BIGNUM *m, BN_CTX *ctx,
+                                BN_MONT_CTX *m_ctx)
+{
+        return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
+}
diff --git a/src/lib/libssl/src/crypto/dso/README b/src/lib/libssl/src/crypto/dso/README
new file mode 100644
index 0000000000..6ba03c5631
--- /dev/null
+++ b/src/lib/libssl/src/crypto/dso/README
@@ -0,0 +1,24 @@
+TODO
+----
+
+Find a way where name-translation can be done in a way that is
+sensitive to particular methods (ie. generic code could still do
+different path/filename substitutions on win32 to what it does on
+*nix) but doesn't assume some canonical form. Already one case
+exists where the "blah -> (libblah.so,blah.dll)" mapping doesn't
+suffice. I suspect a callback with an enumerated (or string?)
+parameter could be the way to go here ... DSO_ctrl the callback
+into place and it can be invoked to handle name translation with
+some clue to the calling code as to what kind of system it is.
+
+NOTES
+-----
+
+I've checked out HPUX (well, version 11 at least) and shl_t is
+a pointer type so it's safe to use in the way it has been in
+dso_dl.c. On the other hand, HPUX11 support dlfcn too and
+according to their man page, prefer developers to move to that.
+I'll leave Richard's changes there as I guess dso_dl is needed
+for HPUX10.20.
+
+
diff --git a/src/lib/libssl/src/crypto/dso/dso.h b/src/lib/libssl/src/crypto/dso/dso.h
new file mode 100644
index 0000000000..bed7c464a6
--- /dev/null
+++ b/src/lib/libssl/src/crypto/dso/dso.h
@@ -0,0 +1,250 @@
+/* dso.h */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_DSO_H
+#define HEADER_DSO_H
+
+#include <openssl/crypto.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* These values are used as commands to DSO_ctrl() */
+#define DSO_CTRL_GET_FLAGS      1
+#define DSO_CTRL_SET_FLAGS      2
+#define DSO_CTRL_OR_FLAGS       3
+
+/* These flags control the translation of file-names from canonical to
+ * native. Eg. in the CryptoSwift support, the "dl" and "dlfcn"
+ * methods will translate "swift" -> "libswift.so" whereas the "win32"
+ * method will translate "swift" -> "swift.dll". NB: Until I can figure
+ * out how to be more "conventional" with this, the methods will only
+ * honour this flag if it looks like it was passed a file without any
+ * path and if the filename is small enough.
+ */
+#define DSO_FLAG_NAME_TRANSLATION 0x01
+
+/* The following flag controls the translation of symbol names to upper
+ * case.  This is currently only being implemented for OpenVMS.
+ */
+#define DSO_FLAG_UPCASE_SYMBOL    0x02
+
+
+typedef void (*DSO_FUNC_TYPE)(void);
+
+typedef struct dso_st DSO;
+
+typedef struct dso_meth_st
+        {
+        const char *name;
+        /* Loads a shared library */
+        int (*dso_load)(DSO *dso, const char *filename);
+        /* Unloads a shared library */
+        int (*dso_unload)(DSO *dso);
+        /* Binds a variable */
+        void *(*dso_bind_var)(DSO *dso, const char *symname);
+        /* Binds a function - assumes a return type of DSO_FUNC_TYPE.
+         * This should be cast to the real function prototype by the
+         * caller. Platforms that don't have compatible representations
+         * for different prototypes (this is possible within ANSI C)
+         * are highly unlikely to have shared libraries at all, let
+         * alone a DSO_METHOD implemented for them. */
+        DSO_FUNC_TYPE (*dso_bind_func)(DSO *dso, const char *symname);
+
+/* I don't think this would actually be used in any circumstances. */
+#if 0
+        /* Unbinds a variable */
+        int (*dso_unbind_var)(DSO *dso, char *symname, void *symptr);
+        /* Unbinds a function */
+        int (*dso_unbind_func)(DSO *dso, char *symname, DSO_FUNC_TYPE symptr);
+#endif
+        /* The generic (yuck) "ctrl()" function. NB: Negative return
+         * values (rather than zero) indicate errors. */
+        long (*dso_ctrl)(DSO *dso, int cmd, long larg, void *parg);
+
+        /* [De]Initialisation handlers. */
+        int (*init)(DSO *dso);
+        int (*finish)(DSO *dso);
+        } DSO_METHOD;
+
+/**********************************************************************/
+/* The low-level handle type used to refer to a loaded shared library */
+
+struct dso_st
+        {
+        DSO_METHOD *meth;
+        /* Standard dlopen uses a (void *). Win32 uses a HANDLE. VMS
+         * doesn't use anything but will need to cache the filename
+         * for use in the dso_bind handler. All in all, let each
+         * method control its own destiny. "Handles" and such go in
+         * a STACK. */
+        STACK *meth_data;
+        int references;
+        int flags;
+        /* For use by applications etc ... use this for your bits'n'pieces,
+         * don't touch meth_data! */
+        CRYPTO_EX_DATA ex_data;
+        };
+
+
+DSO *   DSO_new(void);
+DSO *   DSO_new_method(DSO_METHOD *method);
+int     DSO_free(DSO *dso);
+int     DSO_flags(DSO *dso);
+int     DSO_up(DSO *dso);
+long    DSO_ctrl(DSO *dso, int cmd, long larg, void *parg);
+
+void DSO_set_default_method(DSO_METHOD *meth);
+DSO_METHOD *DSO_get_default_method(void);
+DSO_METHOD *DSO_get_method(DSO *dso);
+DSO_METHOD *DSO_set_method(DSO *dso, DSO_METHOD *meth);
+
+/* The all-singing all-dancing load function, you normally pass NULL
+ * for the first and third parameters. Use DSO_up and DSO_free for
+ * subsequent reference count handling. Any flags passed in will be set
+ * in the constructed DSO after its init() function but before the
+ * load operation. This will be done with;
+ *    DSO_ctrl(dso, DSO_CTRL_SET_FLAGS, flags, NULL); */
+DSO *DSO_load(DSO *dso, const char *filename, DSO_METHOD *meth, int flags);
+
+/* This function binds to a variable inside a shared library. */
+void *DSO_bind_var(DSO *dso, const char *symname);
+
+/* This function binds to a function inside a shared library. */
+DSO_FUNC_TYPE DSO_bind_func(DSO *dso, const char *symname);
+
+/* This method is the default, but will beg, borrow, or steal whatever
+ * method should be the default on any particular platform (including
+ * DSO_METH_null() if necessary). */
+DSO_METHOD *DSO_METHOD_openssl(void);
+
+/* This method is defined for all platforms - if a platform has no
+ * DSO support then this will be the only method! */
+DSO_METHOD *DSO_METHOD_null(void);
+
+/* If DSO_DLFCN is defined, the standard dlfcn.h-style functions
+ * (dlopen, dlclose, dlsym, etc) will be used and incorporated into
+ * this method. If not, this method will return NULL. */
+DSO_METHOD *DSO_METHOD_dlfcn(void);
+
+/* If DSO_DL is defined, the standard dl.h-style functions (shl_load, 
+ * shl_unload, shl_findsym, etc) will be used and incorporated into
+ * this method. If not, this method will return NULL. */
+DSO_METHOD *DSO_METHOD_dl(void);
+
+/* If WIN32 is defined, use DLLs. If not, return NULL. */
+DSO_METHOD *DSO_METHOD_win32(void);
+
+/* If VMS is defined, use shared images. If not, return NULL. */
+DSO_METHOD *DSO_METHOD_vms(void);
+
+void ERR_load_DSO_strings(void);
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the DSO functions. */
+
+/* Function codes. */
+#define DSO_F_DLFCN_BIND_FUNC                            100
+#define DSO_F_DLFCN_BIND_VAR                             101
+#define DSO_F_DLFCN_CTRL                                 102
+#define DSO_F_DLFCN_LOAD                                 103
+#define DSO_F_DLFCN_UNLOAD                               104
+#define DSO_F_DL_BIND_FUNC                               105
+#define DSO_F_DL_BIND_VAR                                106
+#define DSO_F_DL_CTRL                                    107
+#define DSO_F_DL_LOAD                                    108
+#define DSO_F_DL_UNLOAD                                  109
+#define DSO_F_DSO_BIND_FUNC                              110
+#define DSO_F_DSO_BIND_VAR                               111
+#define DSO_F_DSO_CTRL                                   112
+#define DSO_F_DSO_FREE                                   113
+#define DSO_F_DSO_LOAD                                   114
+#define DSO_F_DSO_NEW_METHOD                             115
+#define DSO_F_DSO_UP                                     116
+#define DSO_F_VMS_BIND_VAR                               122
+#define DSO_F_VMS_CTRL                                   123
+#define DSO_F_VMS_LOAD                                   124
+#define DSO_F_VMS_UNLOAD                                 125
+#define DSO_F_WIN32_BIND_FUNC                            117
+#define DSO_F_WIN32_BIND_VAR                             118
+#define DSO_F_WIN32_CTRL                                 119
+#define DSO_F_WIN32_LOAD                                 120
+#define DSO_F_WIN32_UNLOAD                               121
+
+/* Reason codes. */
+#define DSO_R_CTRL_FAILED                                100
+#define DSO_R_FILENAME_TOO_BIG                           109
+#define DSO_R_FINISH_FAILED                              101
+#define DSO_R_LOAD_FAILED                                102
+#define DSO_R_NULL_HANDLE                                103
+#define DSO_R_STACK_ERROR                                104
+#define DSO_R_SYM_FAILURE                                105
+#define DSO_R_UNKNOWN_COMMAND                            106
+#define DSO_R_UNLOAD_FAILED                              107
+#define DSO_R_UNSUPPORTED                                108
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/src/lib/libssl/src/crypto/dso/dso_dl.c b/src/lib/libssl/src/crypto/dso/dso_dl.c
new file mode 100644
index 0000000000..69810fc3bb
--- /dev/null
+++ b/src/lib/libssl/src/crypto/dso/dso_dl.c
@@ -0,0 +1,251 @@
+/* dso_dl.c */
+/* Written by Richard Levitte (levitte@openssl.org) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/dso.h>
+
+#ifndef DSO_DL
+DSO_METHOD *DSO_METHOD_dl(void)
+       {
+       return NULL;
+       }
+#else
+
+#include <dl.h>
+
+/* Part of the hack in "dl_load" ... */
+#define DSO_MAX_TRANSLATED_SIZE 256
+
+static int dl_load(DSO *dso, const char *filename);
+static int dl_unload(DSO *dso);
+static void *dl_bind_var(DSO *dso, const char *symname);
+static DSO_FUNC_TYPE dl_bind_func(DSO *dso, const char *symname);
+#if 0
+static int dl_unbind_var(DSO *dso, char *symname, void *symptr);
+static int dl_unbind_func(DSO *dso, char *symname, DSO_FUNC_TYPE symptr);
+static int dl_init(DSO *dso);
+static int dl_finish(DSO *dso);
+#endif
+static int dl_ctrl(DSO *dso, int cmd, long larg, void *parg);
+
+static DSO_METHOD dso_meth_dl = {
+        "OpenSSL 'dl' shared library method",
+        dl_load,
+        dl_unload,
+        dl_bind_var,
+        dl_bind_func,
+/* For now, "unbind" doesn't exist */
+#if 0
+        NULL, /* unbind_var */
+        NULL, /* unbind_func */
+#endif
+        dl_ctrl,
+        NULL, /* init */
+        NULL  /* finish */
+        };
+
+DSO_METHOD *DSO_METHOD_dl(void)
+        {
+        return(&dso_meth_dl);
+        }
+
+/* For this DSO_METHOD, our meth_data STACK will contain;
+ * (i) the handle (shl_t) returned from shl_load().
+ * NB: I checked on HPUX11 and shl_t is itself a pointer
+ * type so the cast is safe.
+ */
+
+static int dl_load(DSO *dso, const char *filename)
+        {
+        shl_t ptr;
+        char translated[DSO_MAX_TRANSLATED_SIZE];
+        int len;
+
+        /* The same comment as in dlfcn_load applies here. bleurgh. */
+        len = strlen(filename);
+        if((dso->flags & DSO_FLAG_NAME_TRANSLATION) &&
+                        (len + 6 < DSO_MAX_TRANSLATED_SIZE) &&
+                        (strstr(filename, "/") == NULL))
+                {
+                sprintf(translated, "lib%s.so", filename);
+                ptr = shl_load(translated, BIND_IMMEDIATE, NULL);
+                }
+        else
+                ptr = shl_load(filename, BIND_IMMEDIATE, NULL);
+        if(ptr == NULL)
+                {
+                DSOerr(DSO_F_DL_LOAD,DSO_R_LOAD_FAILED);
+                return(0);
+                }
+        if(!sk_push(dso->meth_data, (char *)ptr))
+                {
+                DSOerr(DSO_F_DL_LOAD,DSO_R_STACK_ERROR);
+                shl_unload(ptr);
+                return(0);
+                }
+        return(1);
+        }
+
+static int dl_unload(DSO *dso)
+        {
+        shl_t ptr;
+        if(dso == NULL)
+                {
+                DSOerr(DSO_F_DL_UNLOAD,ERR_R_PASSED_NULL_PARAMETER);
+                return(0);
+                }
+        if(sk_num(dso->meth_data) < 1)
+                return(1);
+        /* Is this statement legal? */
+        ptr = (shl_t)sk_pop(dso->meth_data);
+        if(ptr == NULL)
+                {
+                DSOerr(DSO_F_DL_UNLOAD,DSO_R_NULL_HANDLE);
+                /* Should push the value back onto the stack in
+                 * case of a retry. */
+                sk_push(dso->meth_data, (char *)ptr);
+                return(0);
+                }
+        shl_unload(ptr);
+        return(1);
+        }
+
+static void *dl_bind_var(DSO *dso, const char *symname)
+        {
+        shl_t ptr;
+        void *sym;
+
+        if((dso == NULL) || (symname == NULL))
+                {
+                DSOerr(DSO_F_DL_BIND_VAR,ERR_R_PASSED_NULL_PARAMETER);
+                return(NULL);
+                }
+        if(sk_num(dso->meth_data) < 1)
+                {
+                DSOerr(DSO_F_DL_BIND_VAR,DSO_R_STACK_ERROR);
+                return(NULL);
+                }
+        ptr = (shl_t)sk_value(dso->meth_data, sk_num(dso->meth_data) - 1);
+        if(ptr == NULL)
+                {
+                DSOerr(DSO_F_DL_BIND_VAR,DSO_R_NULL_HANDLE);
+                return(NULL);
+                }
+        if (shl_findsym(ptr, symname, TYPE_UNDEFINED, &sym) < 0)
+                {
+                DSOerr(DSO_F_DL_BIND_VAR,DSO_R_SYM_FAILURE);
+                return(NULL);
+                }
+        return(sym);
+        }
+
+static DSO_FUNC_TYPE dl_bind_func(DSO *dso, const char *symname)
+        {
+        shl_t ptr;
+        void *sym;
+
+        if((dso == NULL) || (symname == NULL))
+                {
+                DSOerr(DSO_F_DL_BIND_FUNC,ERR_R_PASSED_NULL_PARAMETER);
+                return(NULL);
+                }
+        if(sk_num(dso->meth_data) < 1)
+                {
+                DSOerr(DSO_F_DL_BIND_FUNC,DSO_R_STACK_ERROR);
+                return(NULL);
+                }
+        ptr = (shl_t)sk_value(dso->meth_data, sk_num(dso->meth_data) - 1);
+        if(ptr == NULL)
+                {
+                DSOerr(DSO_F_DL_BIND_FUNC,DSO_R_NULL_HANDLE);
+                return(NULL);
+                }
+        if (shl_findsym(ptr, symname, TYPE_UNDEFINED, &sym) < 0)
+                {
+                DSOerr(DSO_F_DL_BIND_FUNC,DSO_R_SYM_FAILURE);
+                return(NULL);
+                }
+        return((DSO_FUNC_TYPE)sym);
+        }
+
+static int dl_ctrl(DSO *dso, int cmd, long larg, void *parg)
+        {
+        if(dso == NULL)
+                {
+                DSOerr(DSO_F_DL_CTRL,ERR_R_PASSED_NULL_PARAMETER);
+                return(-1);
+                }
+        switch(cmd)
+                {
+        case DSO_CTRL_GET_FLAGS:
+                return dso->flags;
+        case DSO_CTRL_SET_FLAGS:
+                dso->flags = (int)larg;
+                return(0);
+        case DSO_CTRL_OR_FLAGS:
+                dso->flags |= (int)larg;
+                return(0);
+        default:
+                break;
+                }
+        DSOerr(DSO_F_DL_CTRL,DSO_R_UNKNOWN_COMMAND);
+        return(-1);
+        }
+
+#endif /* DSO_DL */
diff --git a/src/lib/libssl/src/crypto/dso/dso_dlfcn.c b/src/lib/libssl/src/crypto/dso/dso_dlfcn.c
new file mode 100644
index 0000000000..e709c721cc
--- /dev/null
+++ b/src/lib/libssl/src/crypto/dso/dso_dlfcn.c
@@ -0,0 +1,276 @@
+/* dso_dlfcn.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/dso.h>
+
+#ifndef DSO_DLFCN
+DSO_METHOD *DSO_METHOD_dlfcn(void)
+        {
+        return NULL;
+        }
+#else
+
+#ifdef HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+/* Part of the hack in "dlfcn_load" ... */
+#define DSO_MAX_TRANSLATED_SIZE 256
+
+static int dlfcn_load(DSO *dso, const char *filename);
+static int dlfcn_unload(DSO *dso);
+static void *dlfcn_bind_var(DSO *dso, const char *symname);
+static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname);
+#if 0
+static int dlfcn_unbind(DSO *dso, char *symname, void *symptr);
+static int dlfcn_init(DSO *dso);
+static int dlfcn_finish(DSO *dso);
+#endif
+static long dlfcn_ctrl(DSO *dso, int cmd, long larg, void *parg);
+
+static DSO_METHOD dso_meth_dlfcn = {
+        "OpenSSL 'dlfcn' shared library method",
+        dlfcn_load,
+        dlfcn_unload,
+        dlfcn_bind_var,
+        dlfcn_bind_func,
+/* For now, "unbind" doesn't exist */
+#if 0
+        NULL, /* unbind_var */
+        NULL, /* unbind_func */
+#endif
+        dlfcn_ctrl,
+        NULL, /* init */
+        NULL  /* finish */
+        };
+
+DSO_METHOD *DSO_METHOD_dlfcn(void)
+        {
+        return(&dso_meth_dlfcn);
+        }
+
+/* Prior to using the dlopen() function, we should decide on the flag
+ * we send. There's a few different ways of doing this and it's a
+ * messy venn-diagram to match up which platforms support what. So
+ * as we don't have autoconf yet, I'm implementing a hack that could
+ * be hacked further relatively easily to deal with cases as we find
+ * them. Initially this is to cope with OpenBSD. */
+#ifdef __OpenBSD__
+#       ifdef DL_LAZY
+#               define DLOPEN_FLAG DL_LAZY
+#       else
+#               ifdef RTLD_NOW
+#                       define DLOPEN_FLAG RTLD_NOW
+#               else
+#                       define DLOPEN_FLAG 0
+#               endif
+#       endif
+#else
+#       define DLOPEN_FLAG RTLD_NOW /* Hope this works everywhere else */
+#endif
+
+/* For this DSO_METHOD, our meth_data STACK will contain;
+ * (i) the handle (void*) returned from dlopen().
+ */
+
+static int dlfcn_load(DSO *dso, const char *filename)
+        {
+        void *ptr;
+        char translated[DSO_MAX_TRANSLATED_SIZE];
+        int len;
+
+        /* NB: This is a hideous hack, but I'm not yet sure what
+         * to replace it with. This attempts to convert any filename,
+         * that looks like it has no path information, into a
+         * translated form, e. "blah" -> "libblah.so" */
+        len = strlen(filename);
+        if((dso->flags & DSO_FLAG_NAME_TRANSLATION) &&
+                        (len + 6 < DSO_MAX_TRANSLATED_SIZE) &&
+                        (strstr(filename, "/") == NULL))
+                {
+                sprintf(translated, "lib%s.so", filename);
+                ptr = dlopen(translated, DLOPEN_FLAG);
+                }
+        else
+                {
+                ptr = dlopen(filename, DLOPEN_FLAG);
+                }
+        if(ptr == NULL)
+                {
+                DSOerr(DSO_F_DLFCN_LOAD,DSO_R_LOAD_FAILED);
+                return(0);
+                }
+        if(!sk_push(dso->meth_data, (char *)ptr))
+                {
+                DSOerr(DSO_F_DLFCN_LOAD,DSO_R_STACK_ERROR);
+                dlclose(ptr);
+                return(0);
+                }
+        return(1);
+        }
+
+static int dlfcn_unload(DSO *dso)
+        {
+        void *ptr;
+        if(dso == NULL)
+                {
+                DSOerr(DSO_F_DLFCN_UNLOAD,ERR_R_PASSED_NULL_PARAMETER);
+                return(0);
+                }
+        if(sk_num(dso->meth_data) < 1)
+                return(1);
+        ptr = (void *)sk_pop(dso->meth_data);
+        if(ptr == NULL)
+                {
+                DSOerr(DSO_F_DLFCN_UNLOAD,DSO_R_NULL_HANDLE);
+                /* Should push the value back onto the stack in
+                 * case of a retry. */
+                sk_push(dso->meth_data, (char *)ptr);
+                return(0);
+                }
+        /* For now I'm not aware of any errors associated with dlclose() */
+        dlclose(ptr);
+        return(1);
+        }
+
+static void *dlfcn_bind_var(DSO *dso, const char *symname)
+        {
+        void *ptr, *sym;
+
+        if((dso == NULL) || (symname == NULL))
+                {
+                DSOerr(DSO_F_DLFCN_BIND_VAR,ERR_R_PASSED_NULL_PARAMETER);
+                return(NULL);
+                }
+        if(sk_num(dso->meth_data) < 1)
+                {
+                DSOerr(DSO_F_DLFCN_BIND_VAR,DSO_R_STACK_ERROR);
+                return(NULL);
+                }
+        ptr = (void *)sk_value(dso->meth_data, sk_num(dso->meth_data) - 1);
+        if(ptr == NULL)
+                {
+                DSOerr(DSO_F_DLFCN_BIND_VAR,DSO_R_NULL_HANDLE);
+                return(NULL);
+                }
+        sym = dlsym(ptr, symname);
+        if(sym == NULL)
+                {
+                DSOerr(DSO_F_DLFCN_BIND_VAR,DSO_R_SYM_FAILURE);
+                return(NULL);
+                }
+        return(sym);
+        }
+
+static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname)
+        {
+        void *ptr;
+        DSO_FUNC_TYPE sym;
+
+        if((dso == NULL) || (symname == NULL))
+                {
+                DSOerr(DSO_F_DLFCN_BIND_FUNC,ERR_R_PASSED_NULL_PARAMETER);
+                return(NULL);
+                }
+        if(sk_num(dso->meth_data) < 1)
+                {
+                DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_STACK_ERROR);
+                return(NULL);
+                }
+        ptr = (void *)sk_value(dso->meth_data, sk_num(dso->meth_data) - 1);
+        if(ptr == NULL)
+                {
+                DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_NULL_HANDLE);
+                return(NULL);
+                }
+        sym = (DSO_FUNC_TYPE)dlsym(ptr, symname);
+        if(sym == NULL)
+                {
+                DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_SYM_FAILURE);
+                return(NULL);
+                }
+        return(sym);
+        }
+
+static long dlfcn_ctrl(DSO *dso, int cmd, long larg, void *parg)
+        {
+        if(dso == NULL)
+                {
+                DSOerr(DSO_F_DLFCN_CTRL,ERR_R_PASSED_NULL_PARAMETER);
+                return(-1);
+                }
+        switch(cmd)
+                {
+        case DSO_CTRL_GET_FLAGS:
+                return dso->flags;
+        case DSO_CTRL_SET_FLAGS:
+                dso->flags = (int)larg;
+                return(0);
+        case DSO_CTRL_OR_FLAGS:
+                dso->flags |= (int)larg;
+                return(0);
+        default:
+                break;
+                }
+        DSOerr(DSO_F_DLFCN_CTRL,DSO_R_UNKNOWN_COMMAND);
+        return(-1);
+        }
+
+#endif /* DSO_DLFCN */
diff --git a/src/lib/libssl/src/crypto/dso/dso_err.c b/src/lib/libssl/src/crypto/dso/dso_err.c
new file mode 100644
index 0000000000..a3d7321c9b
--- /dev/null
+++ b/src/lib/libssl/src/crypto/dso/dso_err.c
@@ -0,0 +1,128 @@
+/* crypto/dso/dso_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/dso.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA DSO_str_functs[]=
+        {
+{ERR_PACK(0,DSO_F_DLFCN_BIND_FUNC,0),   "DLFCN_BIND_FUNC"},
+{ERR_PACK(0,DSO_F_DLFCN_BIND_VAR,0),    "DLFCN_BIND_VAR"},
+{ERR_PACK(0,DSO_F_DLFCN_CTRL,0),        "DLFCN_CTRL"},
+{ERR_PACK(0,DSO_F_DLFCN_LOAD,0),        "DLFCN_LOAD"},
+{ERR_PACK(0,DSO_F_DLFCN_UNLOAD,0),      "DLFCN_UNLOAD"},
+{ERR_PACK(0,DSO_F_DL_BIND_FUNC,0),      "DL_BIND_FUNC"},
+{ERR_PACK(0,DSO_F_DL_BIND_VAR,0),       "DL_BIND_VAR"},
+{ERR_PACK(0,DSO_F_DL_CTRL,0),   "DL_CTRL"},
+{ERR_PACK(0,DSO_F_DL_LOAD,0),   "DL_LOAD"},
+{ERR_PACK(0,DSO_F_DL_UNLOAD,0), "DL_UNLOAD"},
+{ERR_PACK(0,DSO_F_DSO_BIND_FUNC,0),     "DSO_bind_func"},
+{ERR_PACK(0,DSO_F_DSO_BIND_VAR,0),      "DSO_bind_var"},
+{ERR_PACK(0,DSO_F_DSO_CTRL,0),  "DSO_ctrl"},
+{ERR_PACK(0,DSO_F_DSO_FREE,0),  "DSO_free"},
+{ERR_PACK(0,DSO_F_DSO_LOAD,0),  "DSO_load"},
+{ERR_PACK(0,DSO_F_DSO_NEW_METHOD,0),    "DSO_new_method"},
+{ERR_PACK(0,DSO_F_DSO_UP,0),    "DSO_up"},
+{ERR_PACK(0,DSO_F_VMS_BIND_VAR,0),      "VMS_BIND_VAR"},
+{ERR_PACK(0,DSO_F_VMS_CTRL,0),  "VMS_CTRL"},
+{ERR_PACK(0,DSO_F_VMS_LOAD,0),  "VMS_LOAD"},
+{ERR_PACK(0,DSO_F_VMS_UNLOAD,0),        "VMS_UNLOAD"},
+{ERR_PACK(0,DSO_F_WIN32_BIND_FUNC,0),   "WIN32_BIND_FUNC"},
+{ERR_PACK(0,DSO_F_WIN32_BIND_VAR,0),    "WIN32_BIND_VAR"},
+{ERR_PACK(0,DSO_F_WIN32_CTRL,0),        "WIN32_CTRL"},
+{ERR_PACK(0,DSO_F_WIN32_LOAD,0),        "WIN32_LOAD"},
+{ERR_PACK(0,DSO_F_WIN32_UNLOAD,0),      "WIN32_UNLOAD"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA DSO_str_reasons[]=
+        {
+{DSO_R_CTRL_FAILED                       ,"control command failed"},
+{DSO_R_FILENAME_TOO_BIG                  ,"filename too big"},
+{DSO_R_FINISH_FAILED                     ,"cleanup method function failed"},
+{DSO_R_LOAD_FAILED                       ,"could not load the shared library"},
+{DSO_R_NULL_HANDLE                       ,"a null shared library handle was used"},
+{DSO_R_STACK_ERROR                       ,"the meth_data stack is corrupt"},
+{DSO_R_SYM_FAILURE                       ,"could not bind to the requested symbol name"},
+{DSO_R_UNKNOWN_COMMAND                   ,"unknown control command"},
+{DSO_R_UNLOAD_FAILED                     ,"could not unload the shared library"},
+{DSO_R_UNSUPPORTED                       ,"functionality not supported"},
+{0,NULL}
+        };
+
+#endif
+
+void ERR_load_DSO_strings(void)
+        {
+        static int init=1;
+
+        if (init)
+                {
+                init=0;
+#ifndef NO_ERR
+                ERR_load_strings(ERR_LIB_DSO,DSO_str_functs);
+                ERR_load_strings(ERR_LIB_DSO,DSO_str_reasons);
+#endif
+
+                }
+        }
diff --git a/src/lib/libssl/src/crypto/dso/dso_lib.c b/src/lib/libssl/src/crypto/dso/dso_lib.c
new file mode 100644
index 0000000000..acd166697e
--- /dev/null
+++ b/src/lib/libssl/src/crypto/dso/dso_lib.c
@@ -0,0 +1,306 @@
+/* dso_lib.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/dso.h>
+
+static DSO_METHOD *default_DSO_meth = NULL;
+
+DSO *DSO_new(void)
+        {
+        return(DSO_new_method(NULL));
+        }
+
+void DSO_set_default_method(DSO_METHOD *meth)
+        {
+        default_DSO_meth = meth;
+        }
+
+DSO_METHOD *DSO_get_default_method(void)
+        {
+        return(default_DSO_meth);
+        }
+
+DSO_METHOD *DSO_get_method(DSO *dso)
+        {
+        return(dso->meth);
+        }
+
+DSO_METHOD *DSO_set_method(DSO *dso, DSO_METHOD *meth)
+        {
+        DSO_METHOD *mtmp;
+        mtmp = dso->meth;
+        dso->meth = meth;
+        return(mtmp);
+        }
+
+DSO *DSO_new_method(DSO_METHOD *meth)
+        {
+        DSO *ret;
+
+        if(default_DSO_meth == NULL)
+                /* We default to DSO_METH_openssl() which in turn defaults
+                 * to stealing the "best available" method. Will fallback
+                 * to DSO_METH_null() in the worst case. */
+                default_DSO_meth = DSO_METHOD_openssl();
+        ret = (DSO *)OPENSSL_malloc(sizeof(DSO));
+        if(ret == NULL)
+                {
+                DSOerr(DSO_F_DSO_NEW_METHOD,ERR_R_MALLOC_FAILURE);
+                return(NULL);
+                }
+        memset(ret, 0, sizeof(DSO));
+        ret->meth_data = sk_new_null();
+        if((ret->meth_data = sk_new_null()) == NULL)
+                {
+                /* sk_new doesn't generate any errors so we do */
+                DSOerr(DSO_F_DSO_NEW_METHOD,ERR_R_MALLOC_FAILURE);
+                OPENSSL_free(ret);
+                return(NULL);
+                }
+        if(meth == NULL)
+                ret->meth = default_DSO_meth;
+        else
+                ret->meth = meth;
+        ret->references = 1;
+        if((ret->meth->init != NULL) && !ret->meth->init(ret))
+                {
+                OPENSSL_free(ret);
+                ret=NULL;
+                }
+        return(ret);
+        }
+
+int DSO_free(DSO *dso)
+        {
+        int i;
+ 
+        if(dso == NULL)
+                {
+                DSOerr(DSO_F_DSO_FREE,ERR_R_PASSED_NULL_PARAMETER);
+                return(0);
+                }
+ 
+        i=CRYPTO_add(&dso->references,-1,CRYPTO_LOCK_DSO);
+#ifdef REF_PRINT
+        REF_PRINT("DSO",dso);
+#endif
+        if(i > 0) return(1);
+#ifdef REF_CHECK
+        if(i < 0)
+                {
+                fprintf(stderr,"DSO_free, bad reference count\n");
+                abort();
+                }
+#endif
+
+        if((dso->meth->dso_unload != NULL) && !dso->meth->dso_unload(dso))
+                {
+                DSOerr(DSO_F_DSO_FREE,DSO_R_UNLOAD_FAILED);
+                return(0);
+                }
+ 
+        if((dso->meth->finish != NULL) && !dso->meth->finish(dso))
+                {
+                DSOerr(DSO_F_DSO_FREE,DSO_R_FINISH_FAILED);
+                return(0);
+                }
+        
+        sk_free(dso->meth_data);
+ 
+        OPENSSL_free(dso);
+        return(1);
+        }
+
+int DSO_flags(DSO *dso)
+        {
+        return((dso == NULL) ? 0 : dso->flags);
+        }
+
+
+int DSO_up(DSO *dso)
+        {
+        if (dso == NULL)
+                {
+                DSOerr(DSO_F_DSO_UP,ERR_R_PASSED_NULL_PARAMETER);
+                return(0);
+                }
+
+        CRYPTO_add(&dso->references,1,CRYPTO_LOCK_DSO);
+        return(1);
+        }
+
+DSO *DSO_load(DSO *dso, const char *filename, DSO_METHOD *meth, int flags)
+        {
+        DSO *ret;
+        int allocated = 0;
+
+        if(filename == NULL)
+                {
+                DSOerr(DSO_F_DSO_LOAD,ERR_R_PASSED_NULL_PARAMETER);
+                return(NULL);
+                }
+        if(dso == NULL)
+                {
+                ret = DSO_new_method(meth);
+                if(ret == NULL)
+                        {
+                        DSOerr(DSO_F_DSO_LOAD,ERR_R_MALLOC_FAILURE);
+                        return(NULL);
+                        }
+                allocated = 1;
+                }
+        else
+                ret = dso;
+        /* Bleurgh ... have to check for negative return values for
+         * errors. <grimace> */
+        if(DSO_ctrl(ret, DSO_CTRL_SET_FLAGS, flags, NULL) < 0)
+                {
+                DSOerr(DSO_F_DSO_LOAD,DSO_R_CTRL_FAILED);
+                if(allocated)
+                        DSO_free(ret);
+                return(NULL);
+                }
+        if(ret->meth->dso_load == NULL)
+                {
+                DSOerr(DSO_F_DSO_LOAD,DSO_R_UNSUPPORTED);
+                if(allocated)
+                        DSO_free(ret);
+                return(NULL);
+                }
+        if(!ret->meth->dso_load(ret, filename))
+                {
+                DSOerr(DSO_F_DSO_LOAD,DSO_R_LOAD_FAILED);
+                if(allocated)
+                        DSO_free(ret);
+                return(NULL);
+                }
+        /* Load succeeded */
+        return(ret);
+        }
+
+void *DSO_bind_var(DSO *dso, const char *symname)
+        {
+        void *ret = NULL;
+
+        if((dso == NULL) || (symname == NULL))
+                {
+                DSOerr(DSO_F_DSO_BIND_VAR,ERR_R_PASSED_NULL_PARAMETER);
+                return(NULL);
+                }
+        if(dso->meth->dso_bind_var == NULL)
+                {
+                DSOerr(DSO_F_DSO_BIND_VAR,DSO_R_UNSUPPORTED);
+                return(NULL);
+                }
+        if((ret = dso->meth->dso_bind_var(dso, symname)) == NULL)
+                {
+                DSOerr(DSO_F_DSO_BIND_VAR,DSO_R_SYM_FAILURE);
+                return(NULL);
+                }
+        /* Success */
+        return(ret);
+        }
+
+DSO_FUNC_TYPE DSO_bind_func(DSO *dso, const char *symname)
+        {
+        DSO_FUNC_TYPE ret = NULL;
+
+        if((dso == NULL) || (symname == NULL))
+                {
+                DSOerr(DSO_F_DSO_BIND_FUNC,ERR_R_PASSED_NULL_PARAMETER);
+                return(NULL);
+                }
+        if(dso->meth->dso_bind_func == NULL)
+                {
+                DSOerr(DSO_F_DSO_BIND_FUNC,DSO_R_UNSUPPORTED);
+                return(NULL);
+                }
+        if((ret = dso->meth->dso_bind_func(dso, symname)) == NULL)
+                {
+                DSOerr(DSO_F_DSO_BIND_FUNC,DSO_R_SYM_FAILURE);
+                return(NULL);
+                }
+        /* Success */
+        return(ret);
+        }
+
+/* I don't really like these *_ctrl functions very much to be perfectly
+ * honest. For one thing, I think I have to return a negative value for
+ * any error because possible DSO_ctrl() commands may return values
+ * such as "size"s that can legitimately be zero (making the standard
+ * "if(DSO_cmd(...))" form that works almost everywhere else fail at
+ * odd times. I'd prefer "output" values to be passed by reference and
+ * the return value as success/failure like usual ... but we conform
+ * when we must... :-) */
+long DSO_ctrl(DSO *dso, int cmd, long larg, void *parg)
+        {
+        if(dso == NULL)
+                {
+                DSOerr(DSO_F_DSO_CTRL,ERR_R_PASSED_NULL_PARAMETER);
+                return(-1);
+                }
+        if((dso->meth == NULL) || (dso->meth->dso_ctrl == NULL))
+                {
+                DSOerr(DSO_F_DSO_CTRL,DSO_R_UNSUPPORTED);
+                return(-1);
+                }
+        return(dso->meth->dso_ctrl(dso,cmd,larg,parg));
+        }
diff --git a/src/lib/libssl/src/crypto/dso/dso_null.c b/src/lib/libssl/src/crypto/dso/dso_null.c
new file mode 100644
index 0000000000..fa13a7cb0f
--- /dev/null
+++ b/src/lib/libssl/src/crypto/dso/dso_null.c
@@ -0,0 +1,86 @@
+/* dso_null.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* This "NULL" method is provided as the fallback for systems that have
+ * no appropriate support for "shared-libraries". */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/dso.h>
+
+static DSO_METHOD dso_meth_null = {
+        "NULL shared library method",
+        NULL, /* load */
+        NULL, /* unload */
+        NULL, /* bind_var */
+        NULL, /* bind_func */
+/* For now, "unbind" doesn't exist */
+#if 0
+        NULL, /* unbind_var */
+        NULL, /* unbind_func */
+#endif
+        NULL, /* ctrl */
+        NULL, /* init */
+        NULL  /* finish */
+        };
+
+DSO_METHOD *DSO_METHOD_null(void)
+        {
+        return(&dso_meth_null);
+        }
+
diff --git a/src/lib/libssl/src/crypto/dso/dso_openssl.c b/src/lib/libssl/src/crypto/dso/dso_openssl.c
new file mode 100644
index 0000000000..a4395ebffe
--- /dev/null
+++ b/src/lib/libssl/src/crypto/dso/dso_openssl.c
@@ -0,0 +1,81 @@
+/* dso_openssl.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/dso.h>
+
+/* We just pinch the method from an appropriate "default" method. */
+
+DSO_METHOD *DSO_METHOD_openssl(void)
+        {
+#ifdef DEF_DSO_METHOD
+        return(DEF_DSO_METHOD());
+#elif defined(DSO_DLFCN)
+        return(DSO_METHOD_dlfcn());
+#elif defined(DSO_DL)
+        return(DSO_METHOD_dl());
+#elif defined(DSO_WIN32)
+        return(DSO_METHOD_win32());
+#elif defined(DSO_VMS)
+        return(DSO_METHOD_vms());
+#else
+        return(DSO_METHOD_null());
+#endif
+        }
+
diff --git a/src/lib/libssl/src/crypto/dso/dso_vms.c b/src/lib/libssl/src/crypto/dso/dso_vms.c
new file mode 100644
index 0000000000..8ff7090129
--- /dev/null
+++ b/src/lib/libssl/src/crypto/dso/dso_vms.c
@@ -0,0 +1,371 @@
+/* dso_vms.c */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#ifdef VMS
+#pragma message disable DOLLARID
+#include <lib$routines.h>
+#include <libfisdef.h>
+#include <stsdef.h>
+#include <descrip.h>
+#include <starlet.h>
+#endif
+#include "cryptlib.h"
+#include <openssl/dso.h>
+
+#ifndef VMS
+DSO_METHOD *DSO_METHOD_vms(void)
+        {
+        return NULL;
+        }
+#else
+#pragma message disable DOLLARID
+
+static int vms_load(DSO *dso, const char *filename);
+static int vms_unload(DSO *dso);
+static void *vms_bind_var(DSO *dso, const char *symname);
+static DSO_FUNC_TYPE vms_bind_func(DSO *dso, const char *symname);
+#if 0
+static int vms_unbind_var(DSO *dso, char *symname, void *symptr);
+static int vms_unbind_func(DSO *dso, char *symname, DSO_FUNC_TYPE symptr);
+static int vms_init(DSO *dso);
+static int vms_finish(DSO *dso);
+#endif
+static long vms_ctrl(DSO *dso, int cmd, long larg, void *parg);
+
+static DSO_METHOD dso_meth_vms = {
+        "OpenSSL 'VMS' shared library method",
+        vms_load,
+        NULL, /* unload */
+        vms_bind_var,
+        vms_bind_func,
+/* For now, "unbind" doesn't exist */
+#if 0
+        NULL, /* unbind_var */
+        NULL, /* unbind_func */
+#endif
+        vms_ctrl,
+        NULL, /* init */
+        NULL  /* finish */
+        };
+
+/* On VMS, the only "handle" is the file name.  LIB$FIND_IMAGE_SYMBOL depends
+ * on the reference to the file name being the same for all calls regarding
+ * one shared image, so we'll just store it in an instance of the following
+ * structure and put a pointer to that instance in the meth_data stack.
+ */
+typedef struct dso_internal_st
+        {
+        /* This should contain the name only, no directory,
+         * no extension, nothing but a name. */
+        struct dsc$descriptor_s filename_dsc;
+        char filename[FILENAME_MAX+1];
+        /* This contains whatever is not in filename, if needed.
+         * Normally not defined. */
+        struct dsc$descriptor_s imagename_dsc;
+        char imagename[FILENAME_MAX+1];
+        } DSO_VMS_INTERNAL;
+
+
+DSO_METHOD *DSO_METHOD_vms(void)
+        {
+        return(&dso_meth_vms);
+        }
+
+static int vms_load(DSO *dso, const char *filename)
+        {
+        DSO_VMS_INTERNAL *p;
+        const char *sp1, *sp2;  /* Search result */
+
+        /* A file specification may look like this:
+         *
+         *      node::dev:[dir-spec]name.type;ver
+         *
+         * or (for compatibility with TOPS-20):
+         *
+         *      node::dev:<dir-spec>name.type;ver
+         *
+         * and the dir-spec uses '.' as separator.  Also, a dir-spec
+         * may consist of several parts, with mixed use of [] and <>:
+         *
+         *      [dir1.]<dir2>
+         *
+         * We need to split the file specification into the name and
+         * the rest (both before and after the name itself).
+         */
+        /* Start with trying to find the end of a dir-spec, and save the
+           position of the byte after in sp1 */
+        sp1 = strrchr(filename, ']');
+        sp2 = strrchr(filename, '>');
+        if (sp1 == NULL) sp1 = sp2;
+        if (sp2 != NULL && sp2 > sp1) sp1 = sp2;
+        if (sp1 == NULL) sp1 = strrchr(filename, ':');
+        if (sp1 == NULL)
+                sp1 = filename;
+        else
+                sp1++;          /* The byte after the found character */
+        /* Now, let's see if there's a type, and save the position in sp2 */
+        sp2 = strchr(sp1, '.');
+        /* If we found it, that's where we'll cut.  Otherwise, look for a
+           version number and save the position in sp2 */
+        if (sp2 == NULL) sp2 = strchr(sp1, ';');
+        /* If there was still nothing to find, set sp2 to point at the end of
+           the string */
+        if (sp2 == NULL) sp2 = sp1 + strlen(sp1);
+
+        /* Check that we won't get buffer overflows */
+        if (sp2 - sp1 > FILENAME_MAX
+                || (sp1 - filename) + strlen(sp2) > FILENAME_MAX)
+                {
+                DSOerr(DSO_F_VMS_LOAD,DSO_R_FILENAME_TOO_BIG);
+                return(0);
+                }
+
+        p = (DSO_VMS_INTERNAL *)OPENSSL_malloc(sizeof(DSO_VMS_INTERNAL));
+        if(p == NULL)
+                {
+                DSOerr(DSO_F_VMS_LOAD,ERR_R_MALLOC_FAILURE);
+                return(0);
+                }
+
+        strncpy(p->filename, sp1, sp2-sp1);
+        p->filename[sp2-sp1] = '\0';
+
+        strncpy(p->imagename, filename, sp1-filename);
+        p->imagename[sp1-filename] = '\0';
+        strcat(p->imagename, sp2);
+
+        p->filename_dsc.dsc$w_length = strlen(p->filename);
+        p->filename_dsc.dsc$b_dtype = DSC$K_DTYPE_T;
+        p->filename_dsc.dsc$b_class = DSC$K_CLASS_S;
+        p->filename_dsc.dsc$a_pointer = p->filename;
+        p->imagename_dsc.dsc$w_length = strlen(p->imagename);
+        p->imagename_dsc.dsc$b_dtype = DSC$K_DTYPE_T;
+        p->imagename_dsc.dsc$b_class = DSC$K_CLASS_S;
+        p->imagename_dsc.dsc$a_pointer = p->imagename;
+
+        if(!sk_push(dso->meth_data, (char *)p))
+                {
+                DSOerr(DSO_F_VMS_LOAD,DSO_R_STACK_ERROR);
+                OPENSSL_free(p);
+                return(0);
+                }
+        return(1);
+        }
+
+/* Note that this doesn't actually unload the shared image, as there is no
+ * such thing in VMS.  Next time it get loaded again, a new copy will
+ * actually be loaded.
+ */
+static int vms_unload(DSO *dso)
+        {
+        DSO_VMS_INTERNAL *p;
+        if(dso == NULL)
+                {
+                DSOerr(DSO_F_VMS_UNLOAD,ERR_R_PASSED_NULL_PARAMETER);
+                return(0);
+                }
+        if(sk_num(dso->meth_data) < 1)
+                return(1);
+        p = (DSO_VMS_INTERNAL *)sk_pop(dso->meth_data);
+        if(p == NULL)
+                {
+                DSOerr(DSO_F_VMS_UNLOAD,DSO_R_NULL_HANDLE);
+                return(0);
+                }
+        /* Cleanup */
+        OPENSSL_free(p);
+        return(1);
+        }
+
+/* We must do this in a separate function because of the way the exception
+   handler works (it makes this function return */
+static int do_find_symbol(DSO_VMS_INTERNAL *ptr,
+        struct dsc$descriptor_s *symname_dsc, void **sym,
+        unsigned long flags)
+        {
+        /* Make sure that signals are caught and returned instead of
+           aborting the program.  The exception handler gets unestablished
+           automatically on return from this function.  */
+        lib$establish(lib$sig_to_ret);
+
+        if(ptr->imagename_dsc.dsc$w_length)
+                return lib$find_image_symbol(&ptr->filename_dsc,
+                        symname_dsc, sym,
+                        &ptr->imagename_dsc, flags);
+        else
+                return lib$find_image_symbol(&ptr->filename_dsc,
+                        symname_dsc, sym,
+                        0, flags);
+        }
+
+void vms_bind_sym(DSO *dso, const char *symname, void **sym)
+        {
+        DSO_VMS_INTERNAL *ptr;
+        int status;
+        int flags = LIB$M_FIS_MIXEDCASE;
+        struct dsc$descriptor_s symname_dsc;
+        *sym = NULL;
+
+        symname_dsc.dsc$w_length = strlen(symname);
+        symname_dsc.dsc$b_dtype = DSC$K_DTYPE_T;
+        symname_dsc.dsc$b_class = DSC$K_CLASS_S;
+        symname_dsc.dsc$a_pointer = (char *)symname; /* The cast is needed */
+
+        if((dso == NULL) || (symname == NULL))
+                {
+                DSOerr(DSO_F_VMS_BIND_VAR,ERR_R_PASSED_NULL_PARAMETER);
+                return;
+                }
+        if(sk_num(dso->meth_data) < 1)
+                {
+                DSOerr(DSO_F_VMS_BIND_VAR,DSO_R_STACK_ERROR);
+                return;
+                }
+        ptr = (DSO_VMS_INTERNAL *)sk_value(dso->meth_data,
+                sk_num(dso->meth_data) - 1);
+        if(ptr == NULL)
+                {
+                DSOerr(DSO_F_VMS_BIND_VAR,DSO_R_NULL_HANDLE);
+                return;
+                }
+
+        if(dso->flags & DSO_FLAG_UPCASE_SYMBOL) flags = 0;
+
+        status = do_find_symbol(ptr, &symname_dsc, sym, flags);
+
+        if(!$VMS_STATUS_SUCCESS(status))
+                {
+                unsigned short length;
+                char errstring[257];
+                struct dsc$descriptor_s errstring_dsc;
+
+                errstring_dsc.dsc$w_length = sizeof(errstring);
+                errstring_dsc.dsc$b_dtype = DSC$K_DTYPE_T;
+                errstring_dsc.dsc$b_class = DSC$K_CLASS_S;
+                errstring_dsc.dsc$a_pointer = errstring;
+
+                *sym = NULL;
+
+                status = sys$getmsg(status, &length, &errstring_dsc, 1, 0);
+
+                if (!$VMS_STATUS_SUCCESS(status))
+                        lib$signal(status); /* This is really bad.  Abort!  */
+                else
+                        {
+                        errstring[length] = '\0';
+
+                        DSOerr(DSO_F_VMS_BIND_VAR,DSO_R_SYM_FAILURE);
+                        if (ptr->imagename_dsc.dsc$w_length)
+                                ERR_add_error_data(9,
+                                        "Symbol ", symname,
+                                        " in ", ptr->filename,
+                                        " (", ptr->imagename, ")",
+                                        ": ", errstring);
+                        else
+                                ERR_add_error_data(6,
+                                        "Symbol ", symname,
+                                        " in ", ptr->filename,
+                                        ": ", errstring);
+                        }
+                return;
+                }
+        return;
+        }
+
+static void *vms_bind_var(DSO *dso, const char *symname)
+        {
+        void *sym = 0;
+        vms_bind_sym(dso, symname, &sym);
+        return sym;
+        }
+
+static DSO_FUNC_TYPE vms_bind_func(DSO *dso, const char *symname)
+        {
+        DSO_FUNC_TYPE sym = 0;
+        vms_bind_sym(dso, symname, (void **)&sym);
+        return sym;
+        }
+
+static long vms_ctrl(DSO *dso, int cmd, long larg, void *parg)
+        {
+        if(dso == NULL)
+                {
+                DSOerr(DSO_F_VMS_CTRL,ERR_R_PASSED_NULL_PARAMETER);
+                return(-1);
+                }
+        switch(cmd)
+                {
+        case DSO_CTRL_GET_FLAGS:
+                return dso->flags;
+        case DSO_CTRL_SET_FLAGS:
+                dso->flags = (int)larg;
+                return(0);
+        case DSO_CTRL_OR_FLAGS:
+                dso->flags |= (int)larg;
+                return(0);
+        default:
+                break;
+                }
+        DSOerr(DSO_F_VMS_CTRL,DSO_R_UNKNOWN_COMMAND);
+        return(-1);
+        }
+
+#endif /* VMS */
diff --git a/src/lib/libssl/src/crypto/dso/dso_win32.c b/src/lib/libssl/src/crypto/dso/dso_win32.c
new file mode 100644
index 0000000000..7f1d904806
--- /dev/null
+++ b/src/lib/libssl/src/crypto/dso/dso_win32.c
@@ -0,0 +1,273 @@
+/* dso_win32.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include "cryptlib.h"
+#include <openssl/dso.h>
+
+#ifndef WIN32
+DSO_METHOD *DSO_METHOD_win32(void)
+        {
+        return NULL;
+        }
+#else
+
+/* Part of the hack in "win32_load" ... */
+#define DSO_MAX_TRANSLATED_SIZE 256
+
+static int win32_load(DSO *dso, const char *filename);
+static int win32_unload(DSO *dso);
+static void *win32_bind_var(DSO *dso, const char *symname);
+static DSO_FUNC_TYPE win32_bind_func(DSO *dso, const char *symname);
+#if 0
+static int win32_unbind_var(DSO *dso, char *symname, void *symptr);
+static int win32_unbind_func(DSO *dso, char *symname, DSO_FUNC_TYPE symptr);
+static int win32_init(DSO *dso);
+static int win32_finish(DSO *dso);
+#endif
+static long win32_ctrl(DSO *dso, int cmd, long larg, void *parg);
+
+static DSO_METHOD dso_meth_win32 = {
+        "OpenSSL 'win32' shared library method",
+        win32_load,
+        win32_unload,
+        win32_bind_var,
+        win32_bind_func,
+/* For now, "unbind" doesn't exist */
+#if 0
+        NULL, /* unbind_var */
+        NULL, /* unbind_func */
+#endif
+        win32_ctrl,
+        NULL, /* init */
+        NULL  /* finish */
+        };
+
+DSO_METHOD *DSO_METHOD_win32(void)
+        {
+        return(&dso_meth_win32);
+        }
+
+/* For this DSO_METHOD, our meth_data STACK will contain;
+ * (i) a pointer to the handle (HINSTANCE) returned from
+ *     LoadLibrary(), and copied.
+ */
+
+static int win32_load(DSO *dso, const char *filename)
+        {
+        HINSTANCE h, *p;
+        char translated[DSO_MAX_TRANSLATED_SIZE];
+        int len;
+
+        /* NB: This is a hideous hack, but I'm not yet sure what
+         * to replace it with. This attempts to convert any filename,
+         * that looks like it has no path information, into a
+         * translated form, e. "blah" -> "blah.dll" ... I'm more
+         * comfortable putting hacks into win32 code though ;-) */
+        len = strlen(filename);
+        if((dso->flags & DSO_FLAG_NAME_TRANSLATION) &&
+                        (len + 4 < DSO_MAX_TRANSLATED_SIZE) &&
+                        (strstr(filename, "/") == NULL) &&
+                        (strstr(filename, "\\") == NULL) &&
+                        (strstr(filename, ":") == NULL))
+                {
+                sprintf(translated, "%s.dll", filename);
+                h = LoadLibrary(translated);
+                }
+        else
+                h = LoadLibrary(filename);
+        if(h == NULL)
+                {
+                DSOerr(DSO_F_WIN32_LOAD,DSO_R_LOAD_FAILED);
+                return(0);
+                }
+        p = (HINSTANCE *)OPENSSL_malloc(sizeof(HINSTANCE));
+        if(p == NULL)
+                {
+                DSOerr(DSO_F_WIN32_LOAD,ERR_R_MALLOC_FAILURE);
+                FreeLibrary(h);
+                return(0);
+                }
+        *p = h;
+        if(!sk_push(dso->meth_data, (char *)p))
+                {
+                DSOerr(DSO_F_WIN32_LOAD,DSO_R_STACK_ERROR);
+                FreeLibrary(h);
+                OPENSSL_free(p);
+                return(0);
+                }
+        return(1);
+        }
+
+static int win32_unload(DSO *dso)
+        {
+        HINSTANCE *p;
+        if(dso == NULL)
+                {
+                DSOerr(DSO_F_WIN32_UNLOAD,ERR_R_PASSED_NULL_PARAMETER);
+                return(0);
+                }
+        if(sk_num(dso->meth_data) < 1)
+                return(1);
+        p = (HINSTANCE *)sk_pop(dso->meth_data);
+        if(p == NULL)
+                {
+                DSOerr(DSO_F_WIN32_UNLOAD,DSO_R_NULL_HANDLE);
+                return(0);
+                }
+        if(!FreeLibrary(*p))
+                {
+                DSOerr(DSO_F_WIN32_UNLOAD,DSO_R_UNLOAD_FAILED);
+                /* We should push the value back onto the stack in
+                 * case of a retry. */
+                sk_push(dso->meth_data, (char *)p);
+                return(0);
+                }
+        /* Cleanup */
+        OPENSSL_free(p);
+        return(1);
+        }
+
+/* Using GetProcAddress for variables? TODO: Check this out in
+ * the Win32 API docs, there's probably a variant for variables. */
+static void *win32_bind_var(DSO *dso, const char *symname)
+        {
+        HINSTANCE *ptr;
+        void *sym;
+
+        if((dso == NULL) || (symname == NULL))
+                {
+                DSOerr(DSO_F_WIN32_BIND_VAR,ERR_R_PASSED_NULL_PARAMETER);
+                return(NULL);
+                }
+        if(sk_num(dso->meth_data) < 1)
+                {
+                DSOerr(DSO_F_WIN32_BIND_VAR,DSO_R_STACK_ERROR);
+                return(NULL);
+                }
+        ptr = (HINSTANCE *)sk_value(dso->meth_data, sk_num(dso->meth_data) - 1);
+        if(ptr == NULL)
+                {
+                DSOerr(DSO_F_WIN32_BIND_VAR,DSO_R_NULL_HANDLE);
+                return(NULL);
+                }
+        sym = GetProcAddress(*ptr, symname);
+        if(sym == NULL)
+                {
+                DSOerr(DSO_F_WIN32_BIND_VAR,DSO_R_SYM_FAILURE);
+                return(NULL);
+                }
+        return(sym);
+        }
+
+static DSO_FUNC_TYPE win32_bind_func(DSO *dso, const char *symname)
+        {
+        HINSTANCE *ptr;
+        void *sym;
+
+        if((dso == NULL) || (symname == NULL))
+                {
+                DSOerr(DSO_F_WIN32_BIND_FUNC,ERR_R_PASSED_NULL_PARAMETER);
+                return(NULL);
+                }
+        if(sk_num(dso->meth_data) < 1)
+                {
+                DSOerr(DSO_F_WIN32_BIND_FUNC,DSO_R_STACK_ERROR);
+                return(NULL);
+                }
+        ptr = (HINSTANCE *)sk_value(dso->meth_data, sk_num(dso->meth_data) - 1);
+        if(ptr == NULL)
+                {
+                DSOerr(DSO_F_WIN32_BIND_FUNC,DSO_R_NULL_HANDLE);
+                return(NULL);
+                }
+        sym = GetProcAddress(*ptr, symname);
+        if(sym == NULL)
+                {
+                DSOerr(DSO_F_WIN32_BIND_FUNC,DSO_R_SYM_FAILURE);
+                return(NULL);
+                }
+        return((DSO_FUNC_TYPE)sym);
+        }
+
+static long win32_ctrl(DSO *dso, int cmd, long larg, void *parg)
+        {
+        if(dso == NULL)
+                {
+                DSOerr(DSO_F_WIN32_CTRL,ERR_R_PASSED_NULL_PARAMETER);
+                return(-1);
+                }
+        switch(cmd)
+                {
+        case DSO_CTRL_GET_FLAGS:
+                return dso->flags;
+        case DSO_CTRL_SET_FLAGS:
+                dso->flags = (int)larg;
+                return(0);
+        case DSO_CTRL_OR_FLAGS:
+                dso->flags |= (int)larg;
+                return(0);
+        default:
+                break;
+                }
+        DSOerr(DSO_F_WIN32_CTRL,DSO_R_UNKNOWN_COMMAND);
+        return(-1);
+        }
+
+#endif /* WIN32 */
diff --git a/src/lib/libssl/src/crypto/ebcdic.c b/src/lib/libssl/src/crypto/ebcdic.c
new file mode 100644
index 0000000000..31397b2add
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ebcdic.c
@@ -0,0 +1,217 @@
+/* crypto/ebcdic.c */
+
+#ifdef CHARSET_EBCDIC
+#include "ebcdic.h"
+/*      Initial Port for  Apache-1.3     by <Martin.Kraemer@Mch.SNI.De>
+ *      Adapted for       OpenSSL-0.9.4  by <Martin.Kraemer@Mch.SNI.De>
+ */
+
+#ifdef _OSD_POSIX
+/*
+    "BS2000 OSD" is a POSIX subsystem on a main frame.
+    It is made by Siemens AG, Germany, for their BS2000 mainframe machines.
+    Within the POSIX subsystem, the same character set was chosen as in
+    "native BS2000", namely EBCDIC. (EDF04)
+
+    The name "ASCII" in these routines is misleading: actually, conversion
+    is not between EBCDIC and ASCII, but EBCDIC(EDF04) and ISO-8859.1;
+    that means that (western european) national characters are preserved.
+
+    This table is identical to the one used by rsh/rcp/ftp and other POSIX tools.
+*/
+
+/* Here's the bijective ebcdic-to-ascii table: */
+const unsigned char os_toascii[256] = {
+/*00*/ 0x00, 0x01, 0x02, 0x03, 0x85, 0x09, 0x86, 0x7f,
+       0x87, 0x8d, 0x8e, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /*................*/
+/*10*/ 0x10, 0x11, 0x12, 0x13, 0x8f, 0x0a, 0x08, 0x97,
+       0x18, 0x19, 0x9c, 0x9d, 0x1c, 0x1d, 0x1e, 0x1f, /*................*/
+/*20*/ 0x80, 0x81, 0x82, 0x83, 0x84, 0x92, 0x17, 0x1b,
+       0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x05, 0x06, 0x07, /*................*/
+/*30*/ 0x90, 0x91, 0x16, 0x93, 0x94, 0x95, 0x96, 0x04,
+       0x98, 0x99, 0x9a, 0x9b, 0x14, 0x15, 0x9e, 0x1a, /*................*/
+/*40*/ 0x20, 0xa0, 0xe2, 0xe4, 0xe0, 0xe1, 0xe3, 0xe5,
+       0xe7, 0xf1, 0x60, 0x2e, 0x3c, 0x28, 0x2b, 0x7c, /* .........`.<(+|*/
+/*50*/ 0x26, 0xe9, 0xea, 0xeb, 0xe8, 0xed, 0xee, 0xef,
+       0xec, 0xdf, 0x21, 0x24, 0x2a, 0x29, 0x3b, 0x9f, /*&.........!$*);.*/
+/*60*/ 0x2d, 0x2f, 0xc2, 0xc4, 0xc0, 0xc1, 0xc3, 0xc5,
+       0xc7, 0xd1, 0x5e, 0x2c, 0x25, 0x5f, 0x3e, 0x3f, /*-/........^,%_>?*/
+/*70*/ 0xf8, 0xc9, 0xca, 0xcb, 0xc8, 0xcd, 0xce, 0xcf,
+       0xcc, 0xa8, 0x3a, 0x23, 0x40, 0x27, 0x3d, 0x22, /*..........:#@'="*/
+/*80*/ 0xd8, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
+       0x68, 0x69, 0xab, 0xbb, 0xf0, 0xfd, 0xfe, 0xb1, /*.abcdefghi......*/
+/*90*/ 0xb0, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
+       0x71, 0x72, 0xaa, 0xba, 0xe6, 0xb8, 0xc6, 0xa4, /*.jklmnopqr......*/
+/*a0*/ 0xb5, 0xaf, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
+       0x79, 0x7a, 0xa1, 0xbf, 0xd0, 0xdd, 0xde, 0xae, /*..stuvwxyz......*/
+/*b0*/ 0xa2, 0xa3, 0xa5, 0xb7, 0xa9, 0xa7, 0xb6, 0xbc,
+       0xbd, 0xbe, 0xac, 0x5b, 0x5c, 0x5d, 0xb4, 0xd7, /*...........[\]..*/
+/*c0*/ 0xf9, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
+       0x48, 0x49, 0xad, 0xf4, 0xf6, 0xf2, 0xf3, 0xf5, /*.ABCDEFGHI......*/
+/*d0*/ 0xa6, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50,
+       0x51, 0x52, 0xb9, 0xfb, 0xfc, 0xdb, 0xfa, 0xff, /*.JKLMNOPQR......*/
+/*e0*/ 0xd9, 0xf7, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58,
+       0x59, 0x5a, 0xb2, 0xd4, 0xd6, 0xd2, 0xd3, 0xd5, /*..STUVWXYZ......*/
+/*f0*/ 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+       0x38, 0x39, 0xb3, 0x7b, 0xdc, 0x7d, 0xda, 0x7e  /*0123456789.{.}.~*/
+};
+
+
+/* The ascii-to-ebcdic table: */
+const unsigned char os_toebcdic[256] = {
+/*00*/  0x00, 0x01, 0x02, 0x03, 0x37, 0x2d, 0x2e, 0x2f,
+        0x16, 0x05, 0x15, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,  /*................*/
+/*10*/  0x10, 0x11, 0x12, 0x13, 0x3c, 0x3d, 0x32, 0x26,
+        0x18, 0x19, 0x3f, 0x27, 0x1c, 0x1d, 0x1e, 0x1f,  /*................*/
+/*20*/  0x40, 0x5a, 0x7f, 0x7b, 0x5b, 0x6c, 0x50, 0x7d,
+        0x4d, 0x5d, 0x5c, 0x4e, 0x6b, 0x60, 0x4b, 0x61,  /* !"#$%&'()*+,-./ */
+/*30*/  0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
+        0xf8, 0xf9, 0x7a, 0x5e, 0x4c, 0x7e, 0x6e, 0x6f,  /*0123456789:;<=>?*/
+/*40*/  0x7c, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
+        0xc8, 0xc9, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6,  /*@ABCDEFGHIJKLMNO*/
+/*50*/  0xd7, 0xd8, 0xd9, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6,
+        0xe7, 0xe8, 0xe9, 0xbb, 0xbc, 0xbd, 0x6a, 0x6d,  /*PQRSTUVWXYZ[\]^_*/
+/*60*/  0x4a, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
+        0x88, 0x89, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96,  /*`abcdefghijklmno*/
+/*70*/  0x97, 0x98, 0x99, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6,
+        0xa7, 0xa8, 0xa9, 0xfb, 0x4f, 0xfd, 0xff, 0x07,  /*pqrstuvwxyz{|}~.*/
+/*80*/  0x20, 0x21, 0x22, 0x23, 0x24, 0x04, 0x06, 0x08,
+        0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x09, 0x0a, 0x14,  /*................*/
+/*90*/  0x30, 0x31, 0x25, 0x33, 0x34, 0x35, 0x36, 0x17,
+        0x38, 0x39, 0x3a, 0x3b, 0x1a, 0x1b, 0x3e, 0x5f,  /*................*/
+/*a0*/  0x41, 0xaa, 0xb0, 0xb1, 0x9f, 0xb2, 0xd0, 0xb5,
+        0x79, 0xb4, 0x9a, 0x8a, 0xba, 0xca, 0xaf, 0xa1,  /*................*/
+/*b0*/  0x90, 0x8f, 0xea, 0xfa, 0xbe, 0xa0, 0xb6, 0xb3,
+        0x9d, 0xda, 0x9b, 0x8b, 0xb7, 0xb8, 0xb9, 0xab,  /*................*/
+/*c0*/  0x64, 0x65, 0x62, 0x66, 0x63, 0x67, 0x9e, 0x68,
+        0x74, 0x71, 0x72, 0x73, 0x78, 0x75, 0x76, 0x77,  /*................*/
+/*d0*/  0xac, 0x69, 0xed, 0xee, 0xeb, 0xef, 0xec, 0xbf,
+        0x80, 0xe0, 0xfe, 0xdd, 0xfc, 0xad, 0xae, 0x59,  /*................*/
+/*e0*/  0x44, 0x45, 0x42, 0x46, 0x43, 0x47, 0x9c, 0x48,
+        0x54, 0x51, 0x52, 0x53, 0x58, 0x55, 0x56, 0x57,  /*................*/
+/*f0*/  0x8c, 0x49, 0xcd, 0xce, 0xcb, 0xcf, 0xcc, 0xe1,
+        0x70, 0xc0, 0xde, 0xdb, 0xdc, 0x8d, 0x8e, 0xdf   /*................*/
+};
+
+#else  /*_OSD_POSIX*/
+
+/*
+This code does basic character mapping for IBM's TPF and OS/390 operating systems.
+It is a modified version of the BS2000 table.
+
+Bijective EBCDIC (character set IBM-1047) to US-ASCII table:
+This table is bijective - there are no ambigous or duplicate characters.
+*/
+const unsigned char os_toascii[256] = {
+    0x00, 0x01, 0x02, 0x03, 0x85, 0x09, 0x86, 0x7f, /* 00-0f:           */
+    0x87, 0x8d, 0x8e, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /* ................ */
+    0x10, 0x11, 0x12, 0x13, 0x8f, 0x0a, 0x08, 0x97, /* 10-1f:           */
+    0x18, 0x19, 0x9c, 0x9d, 0x1c, 0x1d, 0x1e, 0x1f, /* ................ */
+    0x80, 0x81, 0x82, 0x83, 0x84, 0x92, 0x17, 0x1b, /* 20-2f:           */
+    0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x05, 0x06, 0x07, /* ................ */
+    0x90, 0x91, 0x16, 0x93, 0x94, 0x95, 0x96, 0x04, /* 30-3f:           */
+    0x98, 0x99, 0x9a, 0x9b, 0x14, 0x15, 0x9e, 0x1a, /* ................ */
+    0x20, 0xa0, 0xe2, 0xe4, 0xe0, 0xe1, 0xe3, 0xe5, /* 40-4f:           */
+    0xe7, 0xf1, 0xa2, 0x2e, 0x3c, 0x28, 0x2b, 0x7c, /*  ...........<(+| */
+    0x26, 0xe9, 0xea, 0xeb, 0xe8, 0xed, 0xee, 0xef, /* 50-5f:           */
+    0xec, 0xdf, 0x21, 0x24, 0x2a, 0x29, 0x3b, 0x5e, /* &.........!$*);^ */
+    0x2d, 0x2f, 0xc2, 0xc4, 0xc0, 0xc1, 0xc3, 0xc5, /* 60-6f:           */
+    0xc7, 0xd1, 0xa6, 0x2c, 0x25, 0x5f, 0x3e, 0x3f, /* -/.........,%_>? */
+    0xf8, 0xc9, 0xca, 0xcb, 0xc8, 0xcd, 0xce, 0xcf, /* 70-7f:           */
+    0xcc, 0x60, 0x3a, 0x23, 0x40, 0x27, 0x3d, 0x22, /* .........`:#@'=" */
+    0xd8, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, /* 80-8f:           */
+    0x68, 0x69, 0xab, 0xbb, 0xf0, 0xfd, 0xfe, 0xb1, /* .abcdefghi...... */
+    0xb0, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, /* 90-9f:           */
+    0x71, 0x72, 0xaa, 0xba, 0xe6, 0xb8, 0xc6, 0xa4, /* .jklmnopqr...... */
+    0xb5, 0x7e, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, /* a0-af:           */
+    0x79, 0x7a, 0xa1, 0xbf, 0xd0, 0x5b, 0xde, 0xae, /* .~stuvwxyz...[.. */
+    0xac, 0xa3, 0xa5, 0xb7, 0xa9, 0xa7, 0xb6, 0xbc, /* b0-bf:           */
+    0xbd, 0xbe, 0xdd, 0xa8, 0xaf, 0x5d, 0xb4, 0xd7, /* .............].. */
+    0x7b, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, /* c0-cf:           */
+    0x48, 0x49, 0xad, 0xf4, 0xf6, 0xf2, 0xf3, 0xf5, /* {ABCDEFGHI...... */
+    0x7d, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, /* d0-df:           */
+    0x51, 0x52, 0xb9, 0xfb, 0xfc, 0xf9, 0xfa, 0xff, /* }JKLMNOPQR...... */
+    0x5c, 0xf7, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, /* e0-ef:           */
+    0x59, 0x5a, 0xb2, 0xd4, 0xd6, 0xd2, 0xd3, 0xd5, /* \.STUVWXYZ...... */
+    0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, /* f0-ff:           */
+    0x38, 0x39, 0xb3, 0xdb, 0xdc, 0xd9, 0xda, 0x9f  /* 0123456789...... */
+};
+
+
+/*
+The US-ASCII to EBCDIC (character set IBM-1047) table:
+This table is bijective (no ambiguous or duplicate characters)
+*/
+const unsigned char os_toebcdic[256] = {
+    0x00, 0x01, 0x02, 0x03, 0x37, 0x2d, 0x2e, 0x2f, /* 00-0f:           */
+    0x16, 0x05, 0x15, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /* ................ */
+    0x10, 0x11, 0x12, 0x13, 0x3c, 0x3d, 0x32, 0x26, /* 10-1f:           */
+    0x18, 0x19, 0x3f, 0x27, 0x1c, 0x1d, 0x1e, 0x1f, /* ................ */
+    0x40, 0x5a, 0x7f, 0x7b, 0x5b, 0x6c, 0x50, 0x7d, /* 20-2f:           */
+    0x4d, 0x5d, 0x5c, 0x4e, 0x6b, 0x60, 0x4b, 0x61, /*  !"#$%&'()*+,-./ */
+    0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, /* 30-3f:           */
+    0xf8, 0xf9, 0x7a, 0x5e, 0x4c, 0x7e, 0x6e, 0x6f, /* 0123456789:;<=>? */
+    0x7c, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, /* 40-4f:           */
+    0xc8, 0xc9, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, /* @ABCDEFGHIJKLMNO */
+    0xd7, 0xd8, 0xd9, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, /* 50-5f:           */
+    0xe7, 0xe8, 0xe9, 0xad, 0xe0, 0xbd, 0x5f, 0x6d, /* PQRSTUVWXYZ[\]^_ */
+    0x79, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, /* 60-6f:           */
+    0x88, 0x89, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, /* `abcdefghijklmno */
+    0x97, 0x98, 0x99, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, /* 70-7f:           */
+    0xa7, 0xa8, 0xa9, 0xc0, 0x4f, 0xd0, 0xa1, 0x07, /* pqrstuvwxyz{|}~. */
+    0x20, 0x21, 0x22, 0x23, 0x24, 0x04, 0x06, 0x08, /* 80-8f:           */
+    0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x09, 0x0a, 0x14, /* ................ */
+    0x30, 0x31, 0x25, 0x33, 0x34, 0x35, 0x36, 0x17, /* 90-9f:           */
+    0x38, 0x39, 0x3a, 0x3b, 0x1a, 0x1b, 0x3e, 0xff, /* ................ */
+    0x41, 0xaa, 0x4a, 0xb1, 0x9f, 0xb2, 0x6a, 0xb5, /* a0-af:           */
+    0xbb, 0xb4, 0x9a, 0x8a, 0xb0, 0xca, 0xaf, 0xbc, /* ................ */
+    0x90, 0x8f, 0xea, 0xfa, 0xbe, 0xa0, 0xb6, 0xb3, /* b0-bf:           */
+    0x9d, 0xda, 0x9b, 0x8b, 0xb7, 0xb8, 0xb9, 0xab, /* ................ */
+    0x64, 0x65, 0x62, 0x66, 0x63, 0x67, 0x9e, 0x68, /* c0-cf:           */
+    0x74, 0x71, 0x72, 0x73, 0x78, 0x75, 0x76, 0x77, /* ................ */
+    0xac, 0x69, 0xed, 0xee, 0xeb, 0xef, 0xec, 0xbf, /* d0-df:           */
+    0x80, 0xfd, 0xfe, 0xfb, 0xfc, 0xba, 0xae, 0x59, /* ................ */
+    0x44, 0x45, 0x42, 0x46, 0x43, 0x47, 0x9c, 0x48, /* e0-ef:           */
+    0x54, 0x51, 0x52, 0x53, 0x58, 0x55, 0x56, 0x57, /* ................ */
+    0x8c, 0x49, 0xcd, 0xce, 0xcb, 0xcf, 0xcc, 0xe1, /* f0-ff:           */
+    0x70, 0xdd, 0xde, 0xdb, 0xdc, 0x8d, 0x8e, 0xdf  /* ................ */
+};
+#endif /*_OSD_POSIX*/
+
+/* Translate a memory block from EBCDIC (host charset) to ASCII (net charset)
+ * dest and srce may be identical, or separate memory blocks, but
+ * should not overlap. These functions intentionally have an interface
+ * compatible to memcpy(3).
+ */
+
+void *
+ebcdic2ascii(void *dest, const void *srce, size_t count)
+{
+    unsigned char *udest = dest;
+    const unsigned char *usrce = srce;
+
+    while (count-- != 0) {
+        *udest++ = os_toascii[*usrce++];
+    }
+
+    return dest;
+}
+
+void *
+ascii2ebcdic(void *dest, const void *srce, size_t count)
+{
+    unsigned char *udest = dest;
+    const unsigned char *usrce = srce;
+
+    while (count-- != 0) {
+        *udest++ = os_toebcdic[*usrce++];
+    }
+
+    return dest;
+}
+
+#else /*CHARSET_EBCDIC*/
+#ifdef PEDANTIC
+static void *dummy=&dummy;
+#endif
+#endif
diff --git a/src/lib/libssl/src/crypto/ebcdic.h b/src/lib/libssl/src/crypto/ebcdic.h
new file mode 100644
index 0000000000..d3b4e98b12
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ebcdic.h
@@ -0,0 +1,17 @@
+#ifndef HEADER_EBCDIC_H
+#define HEADER_EBCDIC_H
+
+#include <sys/types.h>
+
+/* Avoid name clashes with other applications */
+#define os_toascii   _eay2000_os_toascii
+#define os_toebcdic  _eay2000_os_toebcdic
+#define ebcdic2ascii _eay2000_ebcdic2ascii
+#define ascii2ebcdic _eay2000_ascii2ebcdic
+
+extern const unsigned char os_toascii[256];
+extern const unsigned char os_toebcdic[256];
+void ebcdic2ascii(unsigned char *dest, const unsigned char *srce, size_t count);
+void ascii2ebcdic(unsigned char *dest, const unsigned char *srce, size_t count);
+
+#endif
diff --git a/src/lib/libssl/src/crypto/ec/ec.h b/src/lib/libssl/src/crypto/ec/ec.h
new file mode 100644
index 0000000000..a52d4edf14
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ec/ec.h
@@ -0,0 +1,245 @@
+/* crypto/ec/ec.h */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_EC_H
+#define HEADER_EC_H
+
+#ifdef OPENSSL_NO_EC
+#error EC is disabled.
+#endif
+
+#include <openssl/bn.h>
+#include <openssl/symhacks.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+
+typedef enum {
+        /* values as defined in X9.62 (ECDSA) and elsewhere */
+        POINT_CONVERSION_COMPRESSED = 2,
+        POINT_CONVERSION_UNCOMPRESSED = 4,
+        POINT_CONVERSION_HYBRID = 6
+} point_conversion_form_t;
+
+
+typedef struct ec_method_st EC_METHOD;
+
+typedef struct ec_group_st
+        /*
+         EC_METHOD *meth;
+         -- field definition
+         -- curve coefficients
+         -- optional generator with associated information (order, cofactor)
+         -- optional extra data (TODO: precomputed table for fast computation of multiples of generator)
+        */
+        EC_GROUP;
+
+typedef struct ec_point_st EC_POINT;
+
+
+/* EC_METHODs for curves over GF(p).
+ * EC_GFp_simple_method provides the basis for the optimized methods.
+ */
+const EC_METHOD *EC_GFp_simple_method(void);
+const EC_METHOD *EC_GFp_mont_method(void);
+#if 0
+const EC_METHOD *EC_GFp_recp_method(void); /* TODO */
+const EC_METHOD *EC_GFp_nist_method(void); /* TODO */
+#endif
+
+
+EC_GROUP *EC_GROUP_new(const EC_METHOD *);
+void EC_GROUP_free(EC_GROUP *);
+void EC_GROUP_clear_free(EC_GROUP *);
+int EC_GROUP_copy(EC_GROUP *, const EC_GROUP *);
+
+const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *);
+        
+
+/* We don't have types for field specifications and field elements in general.
+ * Otherwise we could declare
+ *     int EC_GROUP_set_curve(EC_GROUP *, .....);
+ */
+int EC_GROUP_set_curve_GFp(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+int EC_GROUP_get_curve_GFp(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *);
+
+/* EC_GROUP_new_GFp() calls EC_GROUP_new() and EC_GROUP_set_GFp()
+ * after choosing an appropriate EC_METHOD */
+EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+
+int EC_GROUP_set_generator(EC_GROUP *, const EC_POINT *generator, const BIGNUM *order, const BIGNUM *cofactor);
+EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *);
+int EC_GROUP_get_order(const EC_GROUP *, BIGNUM *order, BN_CTX *);
+int EC_GROUP_get_cofactor(const EC_GROUP *, BIGNUM *cofactor, BN_CTX *);
+
+EC_POINT *EC_POINT_new(const EC_GROUP *);
+void EC_POINT_free(EC_POINT *);
+void EC_POINT_clear_free(EC_POINT *);
+int EC_POINT_copy(EC_POINT *, const EC_POINT *);
+ 
+const EC_METHOD *EC_POINT_method_of(const EC_POINT *);
+
+int EC_POINT_set_to_infinity(const EC_GROUP *, EC_POINT *);
+int EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *, EC_POINT *,
+        const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *);
+int EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *, const EC_POINT *,
+        BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *);
+int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *, EC_POINT *,
+        const BIGNUM *x, const BIGNUM *y, BN_CTX *);
+int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *, const EC_POINT *,
+        BIGNUM *x, BIGNUM *y, BN_CTX *);
+int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *, EC_POINT *,
+        const BIGNUM *x, int y_bit, BN_CTX *);
+
+size_t EC_POINT_point2oct(const EC_GROUP *, const EC_POINT *, point_conversion_form_t form,
+        unsigned char *buf, size_t len, BN_CTX *);
+int EC_POINT_oct2point(const EC_GROUP *, EC_POINT *,
+        const unsigned char *buf, size_t len, BN_CTX *);
+
+int EC_POINT_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *);
+int EC_POINT_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *);
+int EC_POINT_invert(const EC_GROUP *, EC_POINT *, BN_CTX *);
+
+int EC_POINT_is_at_infinity(const EC_GROUP *, const EC_POINT *);
+int EC_POINT_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *);
+int EC_POINT_cmp(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b, BN_CTX *);
+
+int EC_POINT_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);
+int EC_POINTs_make_affine(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *);
+
+
+int EC_POINTs_mul(const EC_GROUP *, EC_POINT *r, const BIGNUM *, size_t num, const EC_POINT *[], const BIGNUM *[], BN_CTX *);
+int EC_POINT_mul(const EC_GROUP *, EC_POINT *r, const BIGNUM *, const EC_POINT *, const BIGNUM *, BN_CTX *);
+int EC_GROUP_precompute_mult(EC_GROUP *, BN_CTX *);
+
+
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+void ERR_load_EC_strings(void);
+
+/* Error codes for the EC functions. */
+
+/* Function codes. */
+#define EC_F_COMPUTE_WNAF                                143
+#define EC_F_EC_GFP_MONT_FIELD_DECODE                    133
+#define EC_F_EC_GFP_MONT_FIELD_ENCODE                    134
+#define EC_F_EC_GFP_MONT_FIELD_MUL                       131
+#define EC_F_EC_GFP_MONT_FIELD_SQR                       132
+#define EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP           100
+#define EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR           101
+#define EC_F_EC_GFP_SIMPLE_MAKE_AFFINE                   102
+#define EC_F_EC_GFP_SIMPLE_OCT2POINT                     103
+#define EC_F_EC_GFP_SIMPLE_POINT2OCT                     104
+#define EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE            137
+#define EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP 105
+#define EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP 128
+#define EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP 129
+#define EC_F_EC_GROUP_COPY                               106
+#define EC_F_EC_GROUP_GET0_GENERATOR                     139
+#define EC_F_EC_GROUP_GET_COFACTOR                       140
+#define EC_F_EC_GROUP_GET_CURVE_GFP                      130
+#define EC_F_EC_GROUP_GET_EXTRA_DATA                     107
+#define EC_F_EC_GROUP_GET_ORDER                          141
+#define EC_F_EC_GROUP_NEW                                108
+#define EC_F_EC_GROUP_PRECOMPUTE_MULT                    142
+#define EC_F_EC_GROUP_SET_CURVE_GFP                      109
+#define EC_F_EC_GROUP_SET_EXTRA_DATA                     110
+#define EC_F_EC_GROUP_SET_GENERATOR                      111
+#define EC_F_EC_POINTS_MAKE_AFFINE                       136
+#define EC_F_EC_POINTS_MUL                               138
+#define EC_F_EC_POINT_ADD                                112
+#define EC_F_EC_POINT_CMP                                113
+#define EC_F_EC_POINT_COPY                               114
+#define EC_F_EC_POINT_DBL                                115
+#define EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP         116
+#define EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP    117
+#define EC_F_EC_POINT_IS_AT_INFINITY                     118
+#define EC_F_EC_POINT_IS_ON_CURVE                        119
+#define EC_F_EC_POINT_MAKE_AFFINE                        120
+#define EC_F_EC_POINT_NEW                                121
+#define EC_F_EC_POINT_OCT2POINT                          122
+#define EC_F_EC_POINT_POINT2OCT                          123
+#define EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP         124
+#define EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP     125
+#define EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP    126
+#define EC_F_EC_POINT_SET_TO_INFINITY                    127
+#define EC_F_GFP_MONT_GROUP_SET_CURVE_GFP                135
+
+/* Reason codes. */
+#define EC_R_BUFFER_TOO_SMALL                            100
+#define EC_R_INCOMPATIBLE_OBJECTS                        101
+#define EC_R_INVALID_ARGUMENT                            112
+#define EC_R_INVALID_COMPRESSED_POINT                    110
+#define EC_R_INVALID_COMPRESSION_BIT                     109
+#define EC_R_INVALID_ENCODING                            102
+#define EC_R_INVALID_FIELD                               103
+#define EC_R_INVALID_FORM                                104
+#define EC_R_NOT_INITIALIZED                             111
+#define EC_R_NO_SUCH_EXTRA_DATA                          105
+#define EC_R_POINT_AT_INFINITY                           106
+#define EC_R_POINT_IS_NOT_ON_CURVE                       107
+#define EC_R_SLOT_FULL                                   108
+#define EC_R_UNDEFINED_GENERATOR                         113
+#define EC_R_UNKNOWN_ORDER                               114
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libssl/src/crypto/ec/ec_cvt.c b/src/lib/libssl/src/crypto/ec/ec_cvt.c
new file mode 100644
index 0000000000..45b0ec33a0
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ec/ec_cvt.c
@@ -0,0 +1,80 @@
+/* crypto/ec/ec_cvt.c */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "ec_lcl.h"
+
+
+EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+        {
+        const EC_METHOD *meth;
+        EC_GROUP *ret;
+        
+        /* Finally, this will use EC_GFp_nist_method if 'p' is a special
+         * prime with optimized modular arithmetics (for NIST curves)
+         */
+        meth = EC_GFp_mont_method();
+        
+        ret = EC_GROUP_new(meth);
+        if (ret == NULL)
+                return NULL;
+
+        if (!EC_GROUP_set_curve_GFp(ret, p, a, b, ctx))
+                {
+                EC_GROUP_clear_free(ret);
+                return NULL;
+                }
+
+        return ret;
+        }
diff --git a/src/lib/libssl/src/crypto/ec/ec_err.c b/src/lib/libssl/src/crypto/ec/ec_err.c
new file mode 100644
index 0000000000..394cdc021f
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ec/ec_err.c
@@ -0,0 +1,151 @@
+/* crypto/ec/ec_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/ec.h>
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA EC_str_functs[]=
+        {
+{ERR_PACK(0,EC_F_COMPUTE_WNAF,0),       "COMPUTE_WNAF"},
+{ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_DECODE,0),   "ec_GFp_mont_field_decode"},
+{ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_ENCODE,0),   "ec_GFp_mont_field_encode"},
+{ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_MUL,0),      "ec_GFp_mont_field_mul"},
+{ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_SQR,0),      "ec_GFp_mont_field_sqr"},
+{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP,0),  "ec_GFp_simple_group_set_curve_GFp"},
+{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR,0),  "ec_GFp_simple_group_set_generator"},
+{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_MAKE_AFFINE,0),  "ec_GFp_simple_make_affine"},
+{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_OCT2POINT,0),    "ec_GFp_simple_oct2point"},
+{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_POINT2OCT,0),    "ec_GFp_simple_point2oct"},
+{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE,0),   "ec_GFp_simple_points_make_affine"},
+{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP,0),     "ec_GFp_simple_point_get_affine_coordinates_GFp"},
+{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP,0),     "ec_GFp_simple_point_set_affine_coordinates_GFp"},
+{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP,0),       "ec_GFp_simple_set_compressed_coordinates_GFp"},
+{ERR_PACK(0,EC_F_EC_GROUP_COPY,0),      "EC_GROUP_copy"},
+{ERR_PACK(0,EC_F_EC_GROUP_GET0_GENERATOR,0),    "EC_GROUP_get0_generator"},
+{ERR_PACK(0,EC_F_EC_GROUP_GET_COFACTOR,0),      "EC_GROUP_get_cofactor"},
+{ERR_PACK(0,EC_F_EC_GROUP_GET_CURVE_GFP,0),     "EC_GROUP_get_curve_GFp"},
+{ERR_PACK(0,EC_F_EC_GROUP_GET_EXTRA_DATA,0),    "EC_GROUP_get_extra_data"},
+{ERR_PACK(0,EC_F_EC_GROUP_GET_ORDER,0), "EC_GROUP_get_order"},
+{ERR_PACK(0,EC_F_EC_GROUP_NEW,0),       "EC_GROUP_new"},
+{ERR_PACK(0,EC_F_EC_GROUP_PRECOMPUTE_MULT,0),   "EC_GROUP_precompute_mult"},
+{ERR_PACK(0,EC_F_EC_GROUP_SET_CURVE_GFP,0),     "EC_GROUP_set_curve_GFp"},
+{ERR_PACK(0,EC_F_EC_GROUP_SET_EXTRA_DATA,0),    "EC_GROUP_set_extra_data"},
+{ERR_PACK(0,EC_F_EC_GROUP_SET_GENERATOR,0),     "EC_GROUP_set_generator"},
+{ERR_PACK(0,EC_F_EC_POINTS_MAKE_AFFINE,0),      "EC_POINTs_make_affine"},
+{ERR_PACK(0,EC_F_EC_POINTS_MUL,0),      "EC_POINTs_mul"},
+{ERR_PACK(0,EC_F_EC_POINT_ADD,0),       "EC_POINT_add"},
+{ERR_PACK(0,EC_F_EC_POINT_CMP,0),       "EC_POINT_cmp"},
+{ERR_PACK(0,EC_F_EC_POINT_COPY,0),      "EC_POINT_copy"},
+{ERR_PACK(0,EC_F_EC_POINT_DBL,0),       "EC_POINT_dbl"},
+{ERR_PACK(0,EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP,0),        "EC_POINT_get_affine_coordinates_GFp"},
+{ERR_PACK(0,EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP,0),   "EC_POINT_get_Jprojective_coordinates_GFp"},
+{ERR_PACK(0,EC_F_EC_POINT_IS_AT_INFINITY,0),    "EC_POINT_is_at_infinity"},
+{ERR_PACK(0,EC_F_EC_POINT_IS_ON_CURVE,0),       "EC_POINT_is_on_curve"},
+{ERR_PACK(0,EC_F_EC_POINT_MAKE_AFFINE,0),       "EC_POINT_make_affine"},
+{ERR_PACK(0,EC_F_EC_POINT_NEW,0),       "EC_POINT_new"},
+{ERR_PACK(0,EC_F_EC_POINT_OCT2POINT,0), "EC_POINT_oct2point"},
+{ERR_PACK(0,EC_F_EC_POINT_POINT2OCT,0), "EC_POINT_point2oct"},
+{ERR_PACK(0,EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP,0),        "EC_POINT_set_affine_coordinates_GFp"},
+{ERR_PACK(0,EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP,0),    "EC_POINT_set_compressed_coordinates_GFp"},
+{ERR_PACK(0,EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP,0),   "EC_POINT_set_Jprojective_coordinates_GFp"},
+{ERR_PACK(0,EC_F_EC_POINT_SET_TO_INFINITY,0),   "EC_POINT_set_to_infinity"},
+{ERR_PACK(0,EC_F_GFP_MONT_GROUP_SET_CURVE_GFP,0),       "GFP_MONT_GROUP_SET_CURVE_GFP"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA EC_str_reasons[]=
+        {
+{EC_R_BUFFER_TOO_SMALL                   ,"buffer too small"},
+{EC_R_INCOMPATIBLE_OBJECTS               ,"incompatible objects"},
+{EC_R_INVALID_ARGUMENT                   ,"invalid argument"},
+{EC_R_INVALID_COMPRESSED_POINT           ,"invalid compressed point"},
+{EC_R_INVALID_COMPRESSION_BIT            ,"invalid compression bit"},
+{EC_R_INVALID_ENCODING                   ,"invalid encoding"},
+{EC_R_INVALID_FIELD                      ,"invalid field"},
+{EC_R_INVALID_FORM                       ,"invalid form"},
+{EC_R_NOT_INITIALIZED                    ,"not initialized"},
+{EC_R_NO_SUCH_EXTRA_DATA                 ,"no such extra data"},
+{EC_R_POINT_AT_INFINITY                  ,"point at infinity"},
+{EC_R_POINT_IS_NOT_ON_CURVE              ,"point is not on curve"},
+{EC_R_SLOT_FULL                          ,"slot full"},
+{EC_R_UNDEFINED_GENERATOR                ,"undefined generator"},
+{EC_R_UNKNOWN_ORDER                      ,"unknown order"},
+{0,NULL}
+        };
+
+#endif
+
+void ERR_load_EC_strings(void)
+        {
+        static int init=1;
+
+        if (init)
+                {
+                init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(ERR_LIB_EC,EC_str_functs);
+                ERR_load_strings(ERR_LIB_EC,EC_str_reasons);
+#endif
+
+                }
+        }
diff --git a/src/lib/libssl/src/crypto/ec/ec_lcl.h b/src/lib/libssl/src/crypto/ec/ec_lcl.h
new file mode 100644
index 0000000000..cc4cf27755
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ec/ec_lcl.h
@@ -0,0 +1,277 @@
+/* crypto/ec/ec_lcl.h */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdlib.h>
+
+#include <openssl/ec.h>
+
+
+/* Structure details are not part of the exported interface,
+ * so all this may change in future versions. */
+
+struct ec_method_st {
+        /* used by EC_GROUP_new, EC_GROUP_free, EC_GROUP_clear_free, EC_GROUP_copy: */
+        int (*group_init)(EC_GROUP *);
+        void (*group_finish)(EC_GROUP *);
+        void (*group_clear_finish)(EC_GROUP *);
+        int (*group_copy)(EC_GROUP *, const EC_GROUP *);
+
+        /* used by EC_GROUP_set_curve_GFp and EC_GROUP_get_curve_GFp: */
+        int (*group_set_curve_GFp)(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+        int (*group_get_curve_GFp)(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *);
+
+        /* used by EC_GROUP_set_generator, EC_GROUP_get0_generator,
+         * EC_GROUP_get_order, EC_GROUP_get_cofactor:
+         */
+        int (*group_set_generator)(EC_GROUP *, const EC_POINT *generator,
+                const BIGNUM *order, const BIGNUM *cofactor);
+        EC_POINT *(*group_get0_generator)(const EC_GROUP *);
+        int (*group_get_order)(const EC_GROUP *, BIGNUM *order, BN_CTX *);
+        int (*group_get_cofactor)(const EC_GROUP *, BIGNUM *cofactor, BN_CTX *);
+
+        /* used by EC_POINT_new, EC_POINT_free, EC_POINT_clear_free, EC_POINT_copy: */
+        int (*point_init)(EC_POINT *);
+        void (*point_finish)(EC_POINT *);
+        void (*point_clear_finish)(EC_POINT *);
+        int (*point_copy)(EC_POINT *, const EC_POINT *);
+
+        /* used by EC_POINT_set_to_infinity,
+         * EC_POINT_set_Jprojective_coordinates_GFp, EC_POINT_get_Jprojective_coordinates_GFp,
+         * EC_POINT_set_affine_coordinates_GFp, EC_POINT_get_affine_coordinates_GFp,
+         * EC_POINT_set_compressed_coordinates_GFp:
+         */
+        int (*point_set_to_infinity)(const EC_GROUP *, EC_POINT *);
+        int (*point_set_Jprojective_coordinates_GFp)(const EC_GROUP *, EC_POINT *,
+                const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *);
+        int (*point_get_Jprojective_coordinates_GFp)(const EC_GROUP *, const EC_POINT *,
+                BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *);
+        int (*point_set_affine_coordinates_GFp)(const EC_GROUP *, EC_POINT *,
+                const BIGNUM *x, const BIGNUM *y, BN_CTX *);
+        int (*point_get_affine_coordinates_GFp)(const EC_GROUP *, const EC_POINT *,
+                BIGNUM *x, BIGNUM *y, BN_CTX *);
+        int (*point_set_compressed_coordinates_GFp)(const EC_GROUP *, EC_POINT *,
+                const BIGNUM *x, int y_bit, BN_CTX *);
+
+        /* used by EC_POINT_point2oct, EC_POINT_oct2point: */
+        size_t (*point2oct)(const EC_GROUP *, const EC_POINT *, point_conversion_form_t form,
+                unsigned char *buf, size_t len, BN_CTX *);
+        int (*oct2point)(const EC_GROUP *, EC_POINT *,
+                const unsigned char *buf, size_t len, BN_CTX *);
+
+        /* used by EC_POINT_add, EC_POINT_dbl, ECP_POINT_invert: */
+        int (*add)(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *);
+        int (*dbl)(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *);
+        int (*invert)(const EC_GROUP *, EC_POINT *, BN_CTX *);
+
+        /* used by EC_POINT_is_at_infinity, EC_POINT_is_on_curve, EC_POINT_cmp: */
+        int (*is_at_infinity)(const EC_GROUP *, const EC_POINT *);
+        int (*is_on_curve)(const EC_GROUP *, const EC_POINT *, BN_CTX *);
+        int (*point_cmp)(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b, BN_CTX *);
+
+        /* used by EC_POINT_make_affine, EC_POINTs_make_affine: */
+        int (*make_affine)(const EC_GROUP *, EC_POINT *, BN_CTX *);
+        int (*points_make_affine)(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *);
+
+
+        /* internal functions */
+
+        /* 'field_mul' and 'field_sqr' can be used by 'add' and 'dbl' so that
+         * the same implementations of point operations can be used with different
+         * optimized implementations of expensive field operations: */
+        int (*field_mul)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+        int (*field_sqr)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
+
+        int (*field_encode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); /* e.g. to Montgomery */
+        int (*field_decode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); /* e.g. from Montgomery */
+        int (*field_set_to_one)(const EC_GROUP *, BIGNUM *r, BN_CTX *);
+} /* EC_METHOD */;
+
+
+struct ec_group_st {
+        const EC_METHOD *meth;
+
+        void *extra_data;
+        void *(*extra_data_dup_func)(void *);
+        void (*extra_data_free_func)(void *);
+        void (*extra_data_clear_free_func)(void *);
+
+        /* All members except 'meth' and 'extra_data...' are handled by
+         * the method functions, even if they appear generic */
+        
+        BIGNUM field; /* Field specification.
+                       * For curves over GF(p), this is the modulus. */
+
+        BIGNUM a, b; /* Curve coefficients.
+                      * (Here the assumption is that BIGNUMs can be used
+                      * or abused for all kinds of fields, not just GF(p).)
+                      * For characteristic  > 3,  the curve is defined
+                      * by a Weierstrass equation of the form
+                      *     y^2 = x^3 + a*x + b.
+                      */
+        int a_is_minus3; /* enable optimized point arithmetics for special case */
+
+        EC_POINT *generator; /* optional */
+        BIGNUM order, cofactor;
+
+        void *field_data1; /* method-specific (e.g., Montgomery structure) */
+        void *field_data2; /* method-specific */
+} /* EC_GROUP */;
+
+
+/* Basically a 'mixin' for extra data, but available for EC_GROUPs only
+ * (with visibility limited to 'package' level for now).
+ * We use the function pointers as index for retrieval; this obviates
+ * global ex_data-style index tables.
+ * (Currently, we have one slot only, but is is possible to extend this
+ * if necessary.) */
+int EC_GROUP_set_extra_data(EC_GROUP *, void *extra_data, void *(*extra_data_dup_func)(void *),
+        void (*extra_data_free_func)(void *), void (*extra_data_clear_free_func)(void *));
+void *EC_GROUP_get_extra_data(const EC_GROUP *, void *(*extra_data_dup_func)(void *),
+        void (*extra_data_free_func)(void *), void (*extra_data_clear_free_func)(void *));
+void EC_GROUP_free_extra_data(EC_GROUP *);
+void EC_GROUP_clear_free_extra_data(EC_GROUP *);
+
+
+
+struct ec_point_st {
+        const EC_METHOD *meth;
+
+        /* All members except 'meth' are handled by the method functions,
+         * even if they appear generic */
+
+        BIGNUM X;
+        BIGNUM Y;
+        BIGNUM Z; /* Jacobian projective coordinates:
+                   * (X, Y, Z)  represents  (X/Z^2, Y/Z^3)  if  Z != 0 */
+        int Z_is_one; /* enable optimized point arithmetics for special case */
+} /* EC_POINT */;
+
+
+
+/* method functions in ecp_smpl.c */
+int ec_GFp_simple_group_init(EC_GROUP *);
+void ec_GFp_simple_group_finish(EC_GROUP *);
+void ec_GFp_simple_group_clear_finish(EC_GROUP *);
+int ec_GFp_simple_group_copy(EC_GROUP *, const EC_GROUP *);
+int ec_GFp_simple_group_set_curve_GFp(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+int ec_GFp_simple_group_get_curve_GFp(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *);
+int ec_GFp_simple_group_set_generator(EC_GROUP *, const EC_POINT *generator,
+        const BIGNUM *order, const BIGNUM *cofactor);
+EC_POINT *ec_GFp_simple_group_get0_generator(const EC_GROUP *);
+int ec_GFp_simple_group_get_order(const EC_GROUP *, BIGNUM *order, BN_CTX *);
+int ec_GFp_simple_group_get_cofactor(const EC_GROUP *, BIGNUM *cofactor, BN_CTX *);
+int ec_GFp_simple_point_init(EC_POINT *);
+void ec_GFp_simple_point_finish(EC_POINT *);
+void ec_GFp_simple_point_clear_finish(EC_POINT *);
+int ec_GFp_simple_point_copy(EC_POINT *, const EC_POINT *);
+int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *);
+int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *, EC_POINT *,
+        const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *);
+int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *, const EC_POINT *,
+        BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *);
+int ec_GFp_simple_point_set_affine_coordinates_GFp(const EC_GROUP *, EC_POINT *,
+        const BIGNUM *x, const BIGNUM *y, BN_CTX *);
+int ec_GFp_simple_point_get_affine_coordinates_GFp(const EC_GROUP *, const EC_POINT *,
+        BIGNUM *x, BIGNUM *y, BN_CTX *);
+int ec_GFp_simple_set_compressed_coordinates_GFp(const EC_GROUP *, EC_POINT *,
+        const BIGNUM *x, int y_bit, BN_CTX *);
+size_t ec_GFp_simple_point2oct(const EC_GROUP *, const EC_POINT *, point_conversion_form_t form,
+        unsigned char *buf, size_t len, BN_CTX *);
+int ec_GFp_simple_oct2point(const EC_GROUP *, EC_POINT *,
+        const unsigned char *buf, size_t len, BN_CTX *);
+int ec_GFp_simple_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *);
+int ec_GFp_simple_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *);
+int ec_GFp_simple_invert(const EC_GROUP *, EC_POINT *, BN_CTX *);
+int ec_GFp_simple_is_at_infinity(const EC_GROUP *, const EC_POINT *);
+int ec_GFp_simple_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *);
+int ec_GFp_simple_cmp(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b, BN_CTX *);
+int ec_GFp_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);
+int ec_GFp_simple_points_make_affine(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *);
+int ec_GFp_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
+
+
+/* method functions in ecp_mont.c */
+int ec_GFp_mont_group_init(EC_GROUP *);
+int ec_GFp_mont_group_set_curve_GFp(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+void ec_GFp_mont_group_finish(EC_GROUP *);
+void ec_GFp_mont_group_clear_finish(EC_GROUP *);
+int ec_GFp_mont_group_copy(EC_GROUP *, const EC_GROUP *);
+int ec_GFp_mont_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+int ec_GFp_mont_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
+int ec_GFp_mont_field_encode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
+int ec_GFp_mont_field_decode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
+int ec_GFp_mont_field_set_to_one(const EC_GROUP *, BIGNUM *r, BN_CTX *);
+
+
+/* method functions in ecp_recp.c */
+int ec_GFp_recp_group_init(EC_GROUP *);
+int ec_GFp_recp_group_set_curve_GFp(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+void ec_GFp_recp_group_finish(EC_GROUP *);
+void ec_GFp_recp_group_clear_finish(EC_GROUP *);
+int ec_GFp_recp_group_copy(EC_GROUP *, const EC_GROUP *);
+int ec_GFp_recp_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+int ec_GFp_recp_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
+
+
+/* method functions in ecp_nist.c */
+int ec_GFp_nist_group_init(EC_GROUP *);
+int ec_GFp_nist_group_set_curve_GFp(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+void ec_GFp_nist_group_finish(EC_GROUP *);
+void ec_GFp_nist_group_clear_finish(EC_GROUP *);
+int ec_GFp_nist_group_copy(EC_GROUP *, const EC_GROUP *);
+int ec_GFp_nist_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+int ec_GFp_nist_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
diff --git a/src/lib/libssl/src/crypto/ec/ec_lib.c b/src/lib/libssl/src/crypto/ec/ec_lib.c
new file mode 100644
index 0000000000..e0d78d67fb
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ec/ec_lib.c
@@ -0,0 +1,646 @@
+/* crypto/ec/ec_lib.c */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <string.h>
+
+#include <openssl/err.h>
+#include <openssl/opensslv.h>
+
+#include "ec_lcl.h"
+
+static const char EC_version[] = "EC" OPENSSL_VERSION_PTEXT;
+
+
+/* functions for EC_GROUP objects */
+
+EC_GROUP *EC_GROUP_new(const EC_METHOD *meth)
+        {
+        EC_GROUP *ret;
+
+        if (meth == NULL)
+                {
+                ECerr(EC_F_EC_GROUP_NEW, ERR_R_PASSED_NULL_PARAMETER);
+                return NULL;
+                }
+        if (meth->group_init == 0)
+                {
+                ECerr(EC_F_EC_GROUP_NEW, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return NULL;
+                }
+
+        ret = OPENSSL_malloc(sizeof *ret);
+        if (ret == NULL)
+                {
+                ECerr(EC_F_EC_GROUP_NEW, ERR_R_MALLOC_FAILURE);
+                return NULL;
+                }
+
+        ret->meth = meth;
+
+        ret->extra_data = NULL;
+        ret->extra_data_dup_func = 0;
+        ret->extra_data_free_func = 0;
+        ret->extra_data_clear_free_func = 0;
+        
+        if (!meth->group_init(ret))
+                {
+                OPENSSL_free(ret);
+                return NULL;
+                }
+        
+        return ret;
+        }
+
+
+void EC_GROUP_free(EC_GROUP *group)
+        {
+        if (group->meth->group_finish != 0)
+                group->meth->group_finish(group);
+
+        EC_GROUP_free_extra_data(group);
+
+        OPENSSL_free(group);
+        }
+ 
+
+void EC_GROUP_clear_free(EC_GROUP *group)
+        {
+        if (group->meth->group_clear_finish != 0)
+                group->meth->group_clear_finish(group);
+        else if (group->meth != NULL && group->meth->group_finish != 0)
+                group->meth->group_finish(group);
+
+        EC_GROUP_clear_free_extra_data(group);
+
+        memset(group, 0, sizeof *group);
+        OPENSSL_free(group);
+        }
+
+
+int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src)
+        {
+        if (dest->meth->group_copy == 0)
+                {
+                ECerr(EC_F_EC_GROUP_COPY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (dest->meth != src->meth)
+                {
+                ECerr(EC_F_EC_GROUP_COPY, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        if (dest == src)
+                return 1;
+        
+        EC_GROUP_clear_free_extra_data(dest);
+        if (src->extra_data_dup_func)
+                {
+                if (src->extra_data != NULL)
+                        {
+                        dest->extra_data = src->extra_data_dup_func(src->extra_data);
+                        if (dest->extra_data == NULL)
+                                return 0;
+                        }
+
+                dest->extra_data_dup_func = src->extra_data_dup_func;
+                dest->extra_data_free_func = src->extra_data_free_func;
+                dest->extra_data_clear_free_func = src->extra_data_clear_free_func;
+                }
+
+        return dest->meth->group_copy(dest, src);
+        }
+
+
+const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group)
+        {
+        return group->meth;
+        }
+
+
+int EC_GROUP_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+        {
+        if (group->meth->group_set_curve_GFp == 0)
+                {
+                ECerr(EC_F_EC_GROUP_SET_CURVE_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        return group->meth->group_set_curve_GFp(group, p, a, b, ctx);
+        }
+
+
+int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
+        {
+        if (group->meth->group_get_curve_GFp == 0)
+                {
+                ECerr(EC_F_EC_GROUP_GET_CURVE_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        return group->meth->group_get_curve_GFp(group, p, a, b, ctx);
+        }
+
+
+int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, const BIGNUM *order, const BIGNUM *cofactor)
+        {
+        if (group->meth->group_set_generator == 0)
+                {
+                ECerr(EC_F_EC_GROUP_SET_GENERATOR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        return group->meth->group_set_generator(group, generator, order, cofactor);
+        }
+
+
+EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group)
+        {
+        if (group->meth->group_get0_generator == 0)
+                {
+                ECerr(EC_F_EC_GROUP_GET0_GENERATOR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        return group->meth->group_get0_generator(group);
+        }
+
+
+int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx)
+        {
+        if (group->meth->group_get_order == 0)
+                {
+                ECerr(EC_F_EC_GROUP_GET_ORDER, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        return group->meth->group_get_order(group, order, ctx);
+        }
+
+
+int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx)
+        {
+        if (group->meth->group_get_cofactor == 0)
+                {
+                ECerr(EC_F_EC_GROUP_GET_COFACTOR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        return group->meth->group_get_cofactor(group, cofactor, ctx);
+        }
+
+
+/* this has 'package' visibility */
+int EC_GROUP_set_extra_data(EC_GROUP *group, void *extra_data, void *(*extra_data_dup_func)(void *),
+        void (*extra_data_free_func)(void *), void (*extra_data_clear_free_func)(void *))
+        {
+        if ((group->extra_data != NULL)
+                || (group->extra_data_dup_func != 0)
+                || (group->extra_data_free_func != 0)
+                || (group->extra_data_clear_free_func != 0))
+                {
+                ECerr(EC_F_EC_GROUP_SET_EXTRA_DATA, EC_R_SLOT_FULL);
+                return 0;
+                }
+
+        group->extra_data = extra_data;
+        group->extra_data_dup_func = extra_data_dup_func;
+        group->extra_data_free_func = extra_data_free_func;
+        group->extra_data_clear_free_func = extra_data_clear_free_func;
+        return 1;
+        }
+
+
+/* this has 'package' visibility */
+void *EC_GROUP_get_extra_data(const EC_GROUP *group, void *(*extra_data_dup_func)(void *),
+        void (*extra_data_free_func)(void *), void (*extra_data_clear_free_func)(void *))
+        {
+        if ((group->extra_data_dup_func != extra_data_dup_func)
+                || (group->extra_data_free_func != extra_data_free_func)
+                || (group->extra_data_clear_free_func != extra_data_clear_free_func))
+                {
+                ECerr(EC_F_EC_GROUP_GET_EXTRA_DATA, EC_R_NO_SUCH_EXTRA_DATA);
+                return NULL;
+                }
+
+        return group->extra_data;
+        }
+
+
+/* this has 'package' visibility */
+void EC_GROUP_free_extra_data(EC_GROUP *group)
+        {
+        if (group->extra_data_free_func)
+                group->extra_data_free_func(group->extra_data);
+        group->extra_data = NULL;
+        group->extra_data_dup_func = 0;
+        group->extra_data_free_func = 0;
+        group->extra_data_clear_free_func = 0;
+        }
+
+
+/* this has 'package' visibility */
+void EC_GROUP_clear_free_extra_data(EC_GROUP *group)
+        {
+        if (group->extra_data_clear_free_func)
+                group->extra_data_clear_free_func(group->extra_data);
+        else if (group->extra_data_free_func)
+                group->extra_data_free_func(group->extra_data);
+        group->extra_data = NULL;
+        group->extra_data_dup_func = 0;
+        group->extra_data_free_func = 0;
+        group->extra_data_clear_free_func = 0;
+        }
+
+
+
+/* functions for EC_POINT objects */
+
+EC_POINT *EC_POINT_new(const EC_GROUP *group)
+        {
+        EC_POINT *ret;
+
+        if (group == NULL)
+                {
+                ECerr(EC_F_EC_POINT_NEW, ERR_R_PASSED_NULL_PARAMETER);
+                return NULL;
+                }
+        if (group->meth->point_init == 0)
+                {
+                ECerr(EC_F_EC_POINT_NEW, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return NULL;
+                }
+
+        ret = OPENSSL_malloc(sizeof *ret);
+        if (ret == NULL)
+                {
+                ECerr(EC_F_EC_POINT_NEW, ERR_R_MALLOC_FAILURE);
+                return NULL;
+                }
+
+        ret->meth = group->meth;
+        
+        if (!ret->meth->point_init(ret))
+                {
+                OPENSSL_free(ret);
+                return NULL;
+                }
+        
+        return ret;
+        }
+
+
+void EC_POINT_free(EC_POINT *point)
+        {
+        if (point->meth->point_finish != 0)
+                point->meth->point_finish(point);
+        OPENSSL_free(point);
+        }
+ 
+
+void EC_POINT_clear_free(EC_POINT *point)
+        {
+        if (point->meth->point_clear_finish != 0)
+                point->meth->point_clear_finish(point);
+        else if (point->meth != NULL && point->meth->point_finish != 0)
+                point->meth->point_finish(point);
+        memset(point, 0, sizeof *point);
+        OPENSSL_free(point);
+        }
+
+
+int EC_POINT_copy(EC_POINT *dest, const EC_POINT *src)
+        {
+        if (dest->meth->point_copy == 0)
+                {
+                ECerr(EC_F_EC_POINT_COPY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (dest->meth != src->meth)
+                {
+                ECerr(EC_F_EC_POINT_COPY, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        if (dest == src)
+                return 1;
+        return dest->meth->point_copy(dest, src);
+        }
+
+
+const EC_METHOD *EC_POINT_method_of(const EC_POINT *point)
+        {
+        return point->meth;
+        }
+
+
+int EC_POINT_set_to_infinity(const EC_GROUP *group, EC_POINT *point)
+        {
+        if (group->meth->point_set_to_infinity == 0)
+                {
+                ECerr(EC_F_EC_POINT_SET_TO_INFINITY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_SET_TO_INFINITY, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->point_set_to_infinity(group, point);
+        }
+
+
+int EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
+        const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx)
+        {
+        if (group->meth->point_set_Jprojective_coordinates_GFp == 0)
+                {
+                ECerr(EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->point_set_Jprojective_coordinates_GFp(group, point, x, y, z, ctx);
+        }
+
+
+int EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
+        BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx)
+        {
+        if (group->meth->point_get_Jprojective_coordinates_GFp == 0)
+                {
+                ECerr(EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->point_get_Jprojective_coordinates_GFp(group, point, x, y, z, ctx);
+        }
+
+
+int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
+        const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
+        {
+        if (group->meth->point_set_affine_coordinates_GFp == 0)
+                {
+                ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->point_set_affine_coordinates_GFp(group, point, x, y, ctx);
+        }
+
+
+int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
+        BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
+        {
+        if (group->meth->point_get_affine_coordinates_GFp == 0)
+                {
+                ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->point_get_affine_coordinates_GFp(group, point, x, y, ctx);
+        }
+
+
+int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
+        const BIGNUM *x, int y_bit, BN_CTX *ctx)
+        {
+        if (group->meth->point_set_compressed_coordinates_GFp == 0)
+                {
+                ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->point_set_compressed_coordinates_GFp(group, point, x, y_bit, ctx);
+        }
+
+
+size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point, point_conversion_form_t form,
+        unsigned char *buf, size_t len, BN_CTX *ctx)
+        {
+        if (group->meth->point2oct == 0)
+                {
+                ECerr(EC_F_EC_POINT_POINT2OCT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_POINT2OCT, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->point2oct(group, point, form, buf, len, ctx);
+        }
+
+
+int EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *point,
+        const unsigned char *buf, size_t len, BN_CTX *ctx)
+        {
+        if (group->meth->oct2point == 0)
+                {
+                ECerr(EC_F_EC_POINT_OCT2POINT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_OCT2POINT, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->oct2point(group, point, buf, len, ctx);
+        }
+
+
+int EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
+        {
+        if (group->meth->add == 0)
+                {
+                ECerr(EC_F_EC_POINT_ADD, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if ((group->meth != r->meth) || (r->meth != a->meth) || (a->meth != b->meth))
+                {
+                ECerr(EC_F_EC_POINT_ADD, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->add(group, r, a, b, ctx);
+        }
+
+
+int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx)
+        {
+        if (group->meth->dbl == 0)
+                {
+                ECerr(EC_F_EC_POINT_DBL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if ((group->meth != r->meth) || (r->meth != a->meth))
+                {
+                ECerr(EC_F_EC_POINT_DBL, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->dbl(group, r, a, ctx);
+        }
+
+
+int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx)
+        {
+        if (group->meth->dbl == 0)
+                {
+                ECerr(EC_F_EC_POINT_DBL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != a->meth)
+                {
+                ECerr(EC_F_EC_POINT_DBL, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->invert(group, a, ctx);
+        }
+
+
+int EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
+        {
+        if (group->meth->is_at_infinity == 0)
+                {
+                ECerr(EC_F_EC_POINT_IS_AT_INFINITY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_IS_AT_INFINITY, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->is_at_infinity(group, point);
+        }
+
+
+int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx)
+        {
+        if (group->meth->is_on_curve == 0)
+                {
+                ECerr(EC_F_EC_POINT_IS_ON_CURVE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_IS_ON_CURVE, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->is_on_curve(group, point, ctx);
+        }
+
+
+int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
+        {
+        if (group->meth->point_cmp == 0)
+                {
+                ECerr(EC_F_EC_POINT_CMP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if ((group->meth != a->meth) || (a->meth != b->meth))
+                {
+                ECerr(EC_F_EC_POINT_CMP, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->point_cmp(group, a, b, ctx);
+        }
+
+
+int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
+        {
+        if (group->meth->make_affine == 0)
+                {
+                ECerr(EC_F_EC_POINT_MAKE_AFFINE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_MAKE_AFFINE, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->make_affine(group, point, ctx);
+        }
+
+
+int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx)
+        {
+        size_t i;
+
+        if (group->meth->points_make_affine == 0)
+                {
+                ECerr(EC_F_EC_POINTS_MAKE_AFFINE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        for (i = 0; i < num; i++)
+                {
+                if (group->meth != points[i]->meth)
+                        {
+                        ECerr(EC_F_EC_POINTS_MAKE_AFFINE, EC_R_INCOMPATIBLE_OBJECTS);
+                        return 0;
+                        }
+                }
+        return group->meth->points_make_affine(group, num, points, ctx);
+        }
diff --git a/src/lib/libssl/src/crypto/ec/ec_mult.c b/src/lib/libssl/src/crypto/ec/ec_mult.c
new file mode 100644
index 0000000000..603ba31b81
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ec/ec_mult.c
@@ -0,0 +1,473 @@
+/* crypto/ec/ec_mult.c */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/err.h>
+
+#include "ec_lcl.h"
+
+
+/* TODO: optional precomputation of multiples of the generator */
+
+
+
+/*
+ * wNAF-based interleaving multi-exponentation method
+ * (<URL:http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller.html#multiexp>)
+ */
+
+
+/* Determine the width-(w+1) Non-Adjacent Form (wNAF) of 'scalar'.
+ * This is an array  r[]  of values that are either zero or odd with an
+ * absolute value less than  2^w  satisfying
+ *     scalar = \sum_j r[j]*2^j
+ * where at most one of any  w+1  consecutive digits is non-zero.
+ */
+static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len, BN_CTX *ctx)
+        {
+        BIGNUM *c;
+        int ok = 0;
+        signed char *r = NULL;
+        int sign = 1;
+        int bit, next_bit, mask;
+        size_t len = 0, j;
+        
+        BN_CTX_start(ctx);
+        c = BN_CTX_get(ctx);
+        if (c == NULL) goto err;
+        
+        if (w <= 0 || w > 7) /* 'signed char' can represent integers with absolute values less than 2^7 */
+                {
+                ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
+                goto err;
+                }
+        bit = 1 << w; /* at most 128 */
+        next_bit = bit << 1; /* at most 256 */
+        mask = next_bit - 1; /* at most 255 */
+
+        if (!BN_copy(c, scalar)) goto err;
+        if (c->neg)
+                {
+                sign = -1;
+                c->neg = 0;
+                }
+
+        len = BN_num_bits(c) + 1; /* wNAF may be one digit longer than binary representation */
+        r = OPENSSL_malloc(len);
+        if (r == NULL) goto err;
+
+        j = 0;
+        while (!BN_is_zero(c))
+                {
+                int u = 0;
+
+                if (BN_is_odd(c)) 
+                        {
+                        if (c->d == NULL || c->top == 0)
+                                {
+                                ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
+                                goto err;
+                                }
+                        u = c->d[0] & mask;
+                        if (u & bit)
+                                {
+                                u -= next_bit;
+                                /* u < 0 */
+                                if (!BN_add_word(c, -u)) goto err;
+                                }
+                        else
+                                {
+                                /* u > 0 */
+                                if (!BN_sub_word(c, u)) goto err;
+                                }
+
+                        if (u <= -bit || u >= bit || !(u & 1) || c->neg)
+                                {
+                                ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
+                                goto err;
+                                }
+                        }
+
+                r[j++] = sign * u;
+                
+                if (BN_is_odd(c))
+                        {
+                        ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
+                        goto err;
+                        }
+                if (!BN_rshift1(c, c)) goto err;
+                }
+
+        if (j > len)
+                {
+                ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
+                goto err;
+                }
+        len = j;
+        ok = 1;
+
+ err:
+        BN_CTX_end(ctx);
+        if (!ok)
+                {
+                OPENSSL_free(r);
+                r = NULL;
+                }
+        if (ok)
+                *ret_len = len;
+        return r;
+        }
+
+
+/* TODO: table should be optimised for the wNAF-based implementation,
+ *       sometimes smaller windows will give better performance
+ *       (thus the boundaries should be increased)
+ */
+#define EC_window_bits_for_scalar_size(b) \
+                ((b) >= 2000 ? 6 : \
+                 (b) >=  800 ? 5 : \
+                 (b) >=  300 ? 4 : \
+                 (b) >=   70 ? 3 : \
+                 (b) >=   20 ? 2 : \
+                  1)
+
+/* Compute
+ *      \sum scalars[i]*points[i],
+ * also including
+ *      scalar*generator
+ * in the addition if scalar != NULL
+ */
+int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
+        size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx)
+        {
+        BN_CTX *new_ctx = NULL;
+        EC_POINT *generator = NULL;
+        EC_POINT *tmp = NULL;
+        size_t totalnum;
+        size_t i, j;
+        int k;
+        int r_is_inverted = 0;
+        int r_is_at_infinity = 1;
+        size_t *wsize = NULL; /* individual window sizes */
+        signed char **wNAF = NULL; /* individual wNAFs */
+        size_t *wNAF_len = NULL;
+        size_t max_len = 0;
+        size_t num_val;
+        EC_POINT **val = NULL; /* precomputation */
+        EC_POINT **v;
+        EC_POINT ***val_sub = NULL; /* pointers to sub-arrays of 'val' */
+        int ret = 0;
+        
+        if (scalar != NULL)
+                {
+                generator = EC_GROUP_get0_generator(group);
+                if (generator == NULL)
+                        {
+                        ECerr(EC_F_EC_POINTS_MUL, EC_R_UNDEFINED_GENERATOR);
+                        return 0;
+                        }
+                }
+        
+        for (i = 0; i < num; i++)
+                {
+                if (group->meth != points[i]->meth)
+                        {
+                        ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);
+                        return 0;
+                        }
+                }
+
+        totalnum = num + (scalar != NULL);
+
+        wsize = OPENSSL_malloc(totalnum * sizeof wsize[0]);
+        wNAF_len = OPENSSL_malloc(totalnum * sizeof wNAF_len[0]);
+        wNAF = OPENSSL_malloc((totalnum + 1) * sizeof wNAF[0]);
+        if (wNAF != NULL)
+                {
+                wNAF[0] = NULL; /* preliminary pivot */
+                }
+        if (wsize == NULL || wNAF_len == NULL || wNAF == NULL) goto err;
+
+        /* num_val := total number of points to precompute */
+        num_val = 0;
+        for (i = 0; i < totalnum; i++)
+                {
+                size_t bits;
+
+                bits = i < num ? BN_num_bits(scalars[i]) : BN_num_bits(scalar);
+                wsize[i] = EC_window_bits_for_scalar_size(bits);
+                num_val += 1u << (wsize[i] - 1);
+                }
+
+        /* all precomputed points go into a single array 'val',
+         * 'val_sub[i]' is a pointer to the subarray for the i-th point */
+        val = OPENSSL_malloc((num_val + 1) * sizeof val[0]);
+        if (val == NULL) goto err;
+        val[num_val] = NULL; /* pivot element */
+
+        val_sub = OPENSSL_malloc(totalnum * sizeof val_sub[0]);
+        if (val_sub == NULL) goto err;
+
+        /* allocate points for precomputation */
+        v = val;
+        for (i = 0; i < totalnum; i++)
+                {
+                val_sub[i] = v;
+                for (j = 0; j < (1u << (wsize[i] - 1)); j++)
+                        {
+                        *v = EC_POINT_new(group);
+                        if (*v == NULL) goto err;
+                        v++;
+                        }
+                }
+        if (!(v == val + num_val))
+                {
+                ECerr(EC_F_EC_POINTS_MUL, ERR_R_INTERNAL_ERROR);
+                goto err;
+                }
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        goto err;
+                }
+        
+        tmp = EC_POINT_new(group);
+        if (tmp == NULL) goto err;
+
+        /* prepare precomputed values:
+         *    val_sub[i][0] :=     points[i]
+         *    val_sub[i][1] := 3 * points[i]
+         *    val_sub[i][2] := 5 * points[i]
+         *    ...
+         */
+        for (i = 0; i < totalnum; i++)
+                {
+                if (i < num)
+                        {
+                        if (!EC_POINT_copy(val_sub[i][0], points[i])) goto err;
+                        }
+                else
+                        {
+                        if (!EC_POINT_copy(val_sub[i][0], generator)) goto err;
+                        }
+
+                if (wsize[i] > 1)
+                        {
+                        if (!EC_POINT_dbl(group, tmp, val_sub[i][0], ctx)) goto err;
+                        for (j = 1; j < (1u << (wsize[i] - 1)); j++)
+                                {
+                                if (!EC_POINT_add(group, val_sub[i][j], val_sub[i][j - 1], tmp, ctx)) goto err;
+                                }
+                        }
+
+                wNAF[i + 1] = NULL; /* make sure we always have a pivot */
+                wNAF[i] = compute_wNAF((i < num ? scalars[i] : scalar), wsize[i], &wNAF_len[i], ctx);
+                if (wNAF[i] == NULL) goto err;
+                if (wNAF_len[i] > max_len)
+                        max_len = wNAF_len[i];
+                }
+
+#if 1 /* optional; EC_window_bits_for_scalar_size assumes we do this step */
+        if (!EC_POINTs_make_affine(group, num_val, val, ctx)) goto err;
+#endif
+
+        r_is_at_infinity = 1;
+
+        for (k = max_len - 1; k >= 0; k--)
+                {
+                if (!r_is_at_infinity)
+                        {
+                        if (!EC_POINT_dbl(group, r, r, ctx)) goto err;
+                        }
+                
+                for (i = 0; i < totalnum; i++)
+                        {
+                        if (wNAF_len[i] > (size_t)k)
+                                {
+                                int digit = wNAF[i][k];
+                                int is_neg;
+
+                                if (digit) 
+                                        {
+                                        is_neg = digit < 0;
+
+                                        if (is_neg)
+                                                digit = -digit;
+
+                                        if (is_neg != r_is_inverted)
+                                                {
+                                                if (!r_is_at_infinity)
+                                                        {
+                                                        if (!EC_POINT_invert(group, r, ctx)) goto err;
+                                                        }
+                                                r_is_inverted = !r_is_inverted;
+                                                }
+
+                                        /* digit > 0 */
+
+                                        if (r_is_at_infinity)
+                                                {
+                                                if (!EC_POINT_copy(r, val_sub[i][digit >> 1])) goto err;
+                                                r_is_at_infinity = 0;
+                                                }
+                                        else
+                                                {
+                                                if (!EC_POINT_add(group, r, r, val_sub[i][digit >> 1], ctx)) goto err;
+                                                }
+                                        }
+                                }
+                        }
+                }
+
+        if (r_is_at_infinity)
+                {
+                if (!EC_POINT_set_to_infinity(group, r)) goto err;
+                }
+        else
+                {
+                if (r_is_inverted)
+                        if (!EC_POINT_invert(group, r, ctx)) goto err;
+                }
+        
+        ret = 1;
+
+ err:
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        if (tmp != NULL)
+                EC_POINT_free(tmp);
+        if (wsize != NULL)
+                OPENSSL_free(wsize);
+        if (wNAF_len != NULL)
+                OPENSSL_free(wNAF_len);
+        if (wNAF != NULL)
+                {
+                signed char **w;
+                
+                for (w = wNAF; *w != NULL; w++)
+                        OPENSSL_free(*w);
+                
+                OPENSSL_free(wNAF);
+                }
+        if (val != NULL)
+                {
+                for (v = val; *v != NULL; v++)
+                        EC_POINT_clear_free(*v);
+
+                OPENSSL_free(val);
+                }
+        if (val_sub != NULL)
+                {
+                OPENSSL_free(val_sub);
+                }
+        return ret;
+        }
+
+
+int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, const EC_POINT *point, const BIGNUM *p_scalar, BN_CTX *ctx)
+        {
+        const EC_POINT *points[1];
+        const BIGNUM *scalars[1];
+
+        points[0] = point;
+        scalars[0] = p_scalar;
+
+        return EC_POINTs_mul(group, r, g_scalar, (point != NULL && p_scalar != NULL), points, scalars, ctx);
+        }
+
+
+int EC_GROUP_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
+        {
+        const EC_POINT *generator;
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *order;
+        int ret = 0;
+
+        generator = EC_GROUP_get0_generator(group);
+        if (generator == NULL)
+                {
+                ECerr(EC_F_EC_GROUP_PRECOMPUTE_MULT, EC_R_UNDEFINED_GENERATOR);
+                return 0;
+                }
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+        
+        BN_CTX_start(ctx);
+        order = BN_CTX_get(ctx);
+        if (order == NULL) goto err;
+        
+        if (!EC_GROUP_get_order(group, order, ctx)) return 0;
+        if (BN_is_zero(order))
+                {
+                ECerr(EC_F_EC_GROUP_PRECOMPUTE_MULT, EC_R_UNKNOWN_ORDER);
+                goto err;
+                }
+
+        /* TODO */
+
+        ret = 1;
+        
+ err:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
diff --git a/src/lib/libssl/src/crypto/ec/ecp_mont.c b/src/lib/libssl/src/crypto/ec/ecp_mont.c
new file mode 100644
index 0000000000..7b30d4c38a
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ec/ecp_mont.c
@@ -0,0 +1,304 @@
+/* crypto/ec/ecp_mont.c */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/err.h>
+
+#include "ec_lcl.h"
+
+
+const EC_METHOD *EC_GFp_mont_method(void)
+        {
+        static const EC_METHOD ret = {
+                ec_GFp_mont_group_init,
+                ec_GFp_mont_group_finish,
+                ec_GFp_mont_group_clear_finish,
+                ec_GFp_mont_group_copy,
+                ec_GFp_mont_group_set_curve_GFp,
+                ec_GFp_simple_group_get_curve_GFp,
+                ec_GFp_simple_group_set_generator,
+                ec_GFp_simple_group_get0_generator,
+                ec_GFp_simple_group_get_order,
+                ec_GFp_simple_group_get_cofactor,
+                ec_GFp_simple_point_init,
+                ec_GFp_simple_point_finish,
+                ec_GFp_simple_point_clear_finish,
+                ec_GFp_simple_point_copy,
+                ec_GFp_simple_point_set_to_infinity,
+                ec_GFp_simple_set_Jprojective_coordinates_GFp,
+                ec_GFp_simple_get_Jprojective_coordinates_GFp,
+                ec_GFp_simple_point_set_affine_coordinates_GFp,
+                ec_GFp_simple_point_get_affine_coordinates_GFp,
+                ec_GFp_simple_set_compressed_coordinates_GFp,
+                ec_GFp_simple_point2oct,
+                ec_GFp_simple_oct2point,
+                ec_GFp_simple_add,
+                ec_GFp_simple_dbl,
+                ec_GFp_simple_invert,
+                ec_GFp_simple_is_at_infinity,
+                ec_GFp_simple_is_on_curve,
+                ec_GFp_simple_cmp,
+                ec_GFp_simple_make_affine,
+                ec_GFp_simple_points_make_affine,
+                ec_GFp_mont_field_mul,
+                ec_GFp_mont_field_sqr,
+                ec_GFp_mont_field_encode,
+                ec_GFp_mont_field_decode,
+                ec_GFp_mont_field_set_to_one };
+
+        return &ret;
+        }
+
+
+int ec_GFp_mont_group_init(EC_GROUP *group)
+        {
+        int ok;
+
+        ok = ec_GFp_simple_group_init(group);
+        group->field_data1 = NULL;
+        group->field_data2 = NULL;
+        return ok;
+        }
+
+
+int ec_GFp_mont_group_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+        {
+        BN_CTX *new_ctx = NULL;
+        BN_MONT_CTX *mont = NULL;
+        BIGNUM *one = NULL;
+        int ret = 0;
+
+        if (group->field_data1 != NULL)
+                {
+                BN_MONT_CTX_free(group->field_data1);
+                group->field_data1 = NULL;
+                }
+        if (group->field_data2 != NULL)
+                {
+                BN_free(group->field_data2);
+                group->field_data2 = NULL;
+                }
+        
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        mont = BN_MONT_CTX_new();
+        if (mont == NULL) goto err;
+        if (!BN_MONT_CTX_set(mont, p, ctx))
+                {
+                ECerr(EC_F_GFP_MONT_GROUP_SET_CURVE_GFP, ERR_R_BN_LIB);
+                goto err;
+                }
+        one = BN_new();
+        if (one == NULL) goto err;
+        if (!BN_to_montgomery(one, BN_value_one(), mont, ctx)) goto err;
+
+        group->field_data1 = mont;
+        mont = NULL;
+        group->field_data2 = one;
+        one = NULL;
+
+        ret = ec_GFp_simple_group_set_curve_GFp(group, p, a, b, ctx);
+
+        if (!ret)
+                {
+                BN_MONT_CTX_free(group->field_data1);
+                group->field_data1 = NULL;
+                BN_free(group->field_data2);
+                group->field_data2 = NULL;
+                }
+
+ err:
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        if (mont != NULL)
+                BN_MONT_CTX_free(mont);
+        return ret;
+        }
+
+
+void ec_GFp_mont_group_finish(EC_GROUP *group)
+        {
+        if (group->field_data1 != NULL)
+                {
+                BN_MONT_CTX_free(group->field_data1);
+                group->field_data1 = NULL;
+                }
+        if (group->field_data2 != NULL)
+                {
+                BN_free(group->field_data2);
+                group->field_data2 = NULL;
+                }
+        ec_GFp_simple_group_finish(group);
+        }
+
+
+void ec_GFp_mont_group_clear_finish(EC_GROUP *group)
+        {
+        if (group->field_data1 != NULL)
+                {
+                BN_MONT_CTX_free(group->field_data1);
+                group->field_data1 = NULL;
+                }
+        if (group->field_data2 != NULL)
+                {
+                BN_clear_free(group->field_data2);
+                group->field_data2 = NULL;
+                }
+        ec_GFp_simple_group_clear_finish(group);
+        }
+
+
+int ec_GFp_mont_group_copy(EC_GROUP *dest, const EC_GROUP *src)
+        {
+        if (dest->field_data1 != NULL)
+                {
+                BN_MONT_CTX_free(dest->field_data1);
+                dest->field_data1 = NULL;
+                }
+        if (dest->field_data2 != NULL)
+                {
+                BN_clear_free(dest->field_data2);
+                dest->field_data2 = NULL;
+                }
+
+        if (!ec_GFp_simple_group_copy(dest, src)) return 0;
+
+        if (src->field_data1 != NULL)
+                {
+                dest->field_data1 = BN_MONT_CTX_new();
+                if (dest->field_data1 == NULL) return 0;
+                if (!BN_MONT_CTX_copy(dest->field_data1, src->field_data1)) goto err;
+                }
+        if (src->field_data2 != NULL)
+                {
+                dest->field_data2 = BN_dup(src->field_data2);
+                if (dest->field_data2 == NULL) goto err;
+                }
+
+        return 1;
+
+ err:
+        if (dest->field_data1 != NULL)
+                {
+                BN_MONT_CTX_free(dest->field_data1);
+                dest->field_data1 = NULL;
+                }
+        return 0;       
+        }
+
+
+int ec_GFp_mont_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+        {
+        if (group->field_data1 == NULL)
+                {
+                ECerr(EC_F_EC_GFP_MONT_FIELD_MUL, EC_R_NOT_INITIALIZED);
+                return 0;
+                }
+
+        return BN_mod_mul_montgomery(r, a, b, group->field_data1, ctx);
+        }
+
+
+int ec_GFp_mont_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
+        {
+        if (group->field_data1 == NULL)
+                {
+                ECerr(EC_F_EC_GFP_MONT_FIELD_SQR, EC_R_NOT_INITIALIZED);
+                return 0;
+                }
+
+        return BN_mod_mul_montgomery(r, a, a, group->field_data1, ctx);
+        }
+
+
+int ec_GFp_mont_field_encode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
+        {
+        if (group->field_data1 == NULL)
+                {
+                ECerr(EC_F_EC_GFP_MONT_FIELD_ENCODE, EC_R_NOT_INITIALIZED);
+                return 0;
+                }
+
+        return BN_to_montgomery(r, a, (BN_MONT_CTX *)group->field_data1, ctx);
+        }
+
+
+int ec_GFp_mont_field_decode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
+        {
+        if (group->field_data1 == NULL)
+                {
+                ECerr(EC_F_EC_GFP_MONT_FIELD_DECODE, EC_R_NOT_INITIALIZED);
+                return 0;
+                }
+
+        return BN_from_montgomery(r, a, group->field_data1, ctx);
+        }
+
+
+int ec_GFp_mont_field_set_to_one(const EC_GROUP *group, BIGNUM *r, BN_CTX *ctx)
+        {
+        if (group->field_data2 == NULL)
+                {
+                ECerr(EC_F_EC_GFP_MONT_FIELD_DECODE, EC_R_NOT_INITIALIZED);
+                return 0;
+                }
+
+        if (!BN_copy(r, group->field_data2)) return 0;
+        return 1;
+        }
diff --git a/src/lib/libssl/src/crypto/ec/ecp_nist.c b/src/lib/libssl/src/crypto/ec/ecp_nist.c
new file mode 100644
index 0000000000..ed07748675
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ec/ecp_nist.c
@@ -0,0 +1,134 @@
+/* crypto/ec/ecp_nist.c */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "ec_lcl.h"
+
+#if 0
+const EC_METHOD *EC_GFp_nist_method(void)
+        {
+        static const EC_METHOD ret = {
+                ec_GFp_nist_group_init,
+                ec_GFp_nist_group_finish,
+                ec_GFp_nist_group_clear_finish,
+                ec_GFp_nist_group_copy,
+                ec_GFp_nist_group_set_curve_GFp,
+                ec_GFp_simple_group_get_curve_GFp,
+                ec_GFp_simple_group_set_generator,
+                ec_GFp_simple_group_get0_generator,
+                ec_GFp_simple_group_get_order,
+                ec_GFp_simple_group_get_cofactor,
+                ec_GFp_simple_point_init,
+                ec_GFp_simple_point_finish,
+                ec_GFp_simple_point_clear_finish,
+                ec_GFp_simple_point_copy,
+                ec_GFp_simple_point_set_to_infinity,
+                ec_GFp_simple_set_Jprojective_coordinates_GFp,
+                ec_GFp_simple_get_Jprojective_coordinates_GFp,
+                ec_GFp_simple_point_set_affine_coordinates_GFp,
+                ec_GFp_simple_point_get_affine_coordinates_GFp,
+                ec_GFp_simple_set_compressed_coordinates_GFp,
+                ec_GFp_simple_point2oct,
+                ec_GFp_simple_oct2point,
+                ec_GFp_simple_add,
+                ec_GFp_simple_dbl,
+                ec_GFp_simple_invert,
+                ec_GFp_simple_is_at_infinity,
+                ec_GFp_simple_is_on_curve,
+                ec_GFp_simple_cmp,
+                ec_GFp_simple_make_affine,
+                ec_GFp_simple_points_make_affine,
+                ec_GFp_nist_field_mul,
+                ec_GFp_nist_field_sqr,
+                0 /* field_encode */,
+                0 /* field_decode */,
+                0 /* field_set_to_one */ };
+
+        return &ret;
+        }
+#endif
+
+
+int ec_GFp_nist_group_init(EC_GROUP *group)
+        {
+        int ok;
+
+        ok = ec_GFp_simple_group_init(group);
+        group->field_data1 = NULL;
+        return ok;
+        }
+
+
+int ec_GFp_nist_group_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
+/* TODO */
+
+
+void ec_GFp_nist_group_finish(EC_GROUP *group);
+/* TODO */
+
+
+void ec_GFp_nist_group_clear_finish(EC_GROUP *group);
+/* TODO */
+
+
+int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src);
+/* TODO */
+
+
+int ec_GFp_nist_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
+/* TODO */
+
+
+int ec_GFp_nist_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);
+/* TODO */
diff --git a/src/lib/libssl/src/crypto/ec/ecp_recp.c b/src/lib/libssl/src/crypto/ec/ecp_recp.c
new file mode 100644
index 0000000000..fec843b5c8
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ec/ecp_recp.c
@@ -0,0 +1,133 @@
+/* crypto/ec/ecp_recp.c */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "ec_lcl.h"
+
+#if 0
+const EC_METHOD *EC_GFp_recp_method(void)
+        {
+        static const EC_METHOD ret = {
+                ec_GFp_recp_group_init,
+                ec_GFp_recp_group_finish,
+                ec_GFp_recp_group_clear_finish,
+                ec_GFp_recp_group_copy,
+                ec_GFp_recp_group_set_curve_GFp,
+                ec_GFp_simple_group_get_curve_GFp,
+                ec_GFp_simple_group_set_generator,
+                ec_GFp_simple_group_get0_generator,
+                ec_GFp_simple_group_get_order,
+                ec_GFp_simple_group_get_cofactor,
+                ec_GFp_simple_point_init,
+                ec_GFp_simple_point_finish,
+                ec_GFp_simple_point_clear_finish,
+                ec_GFp_simple_point_copy,
+                ec_GFp_simple_point_set_to_infinity,
+                ec_GFp_simple_set_Jprojective_coordinates_GFp,
+                ec_GFp_simple_get_Jprojective_coordinates_GFp,
+                ec_GFp_simple_point_set_affine_coordinates_GFp,
+                ec_GFp_simple_point_get_affine_coordinates_GFp,
+                ec_GFp_simple_set_compressed_coordinates_GFp,
+                ec_GFp_simple_point2oct,
+                ec_GFp_simple_oct2point,
+                ec_GFp_simple_add,
+                ec_GFp_simple_dbl,
+                ec_GFp_simple_invert,
+                ec_GFp_simple_is_at_infinity,
+                ec_GFp_simple_is_on_curve,
+                ec_GFp_simple_cmp,
+                ec_GFp_simple_make_affine,
+                ec_GFp_simple_points_make_affine,
+                ec_GFp_recp_field_mul,
+                ec_GFp_recp_field_sqr,
+                0 /* field_encode */,
+                0 /* field_decode */,
+                0 /* field_set_to_one */ };
+
+        return &ret;
+        }
+#endif
+
+int ec_GFp_recp_group_init(EC_GROUP *group)
+        {
+        int ok;
+
+        ok = ec_GFp_simple_group_init(group);
+        group->field_data1 = NULL;
+        return ok;
+        }
+
+
+int ec_GFp_recp_group_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
+/* TODO */
+
+
+void ec_GFp_recp_group_finish(EC_GROUP *group);
+/* TODO */
+
+
+void ec_GFp_recp_group_clear_finish(EC_GROUP *group);
+/* TODO */
+
+
+int ec_GFp_recp_group_copy(EC_GROUP *dest, const EC_GROUP *src);
+/* TODO */
+
+
+int ec_GFp_recp_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
+/* TODO */
+
+
+int ec_GFp_recp_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);
+/* TODO */
diff --git a/src/lib/libssl/src/crypto/ec/ecp_smpl.c b/src/lib/libssl/src/crypto/ec/ecp_smpl.c
new file mode 100644
index 0000000000..4666a052bf
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ec/ecp_smpl.c
@@ -0,0 +1,1717 @@
+/* crypto/ec/ecp_smpl.c */
+/* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
+ * for the OpenSSL project. */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/err.h>
+
+#include "ec_lcl.h"
+
+
+const EC_METHOD *EC_GFp_simple_method(void)
+        {
+        static const EC_METHOD ret = {
+                ec_GFp_simple_group_init,
+                ec_GFp_simple_group_finish,
+                ec_GFp_simple_group_clear_finish,
+                ec_GFp_simple_group_copy,
+                ec_GFp_simple_group_set_curve_GFp,
+                ec_GFp_simple_group_get_curve_GFp,
+                ec_GFp_simple_group_set_generator,
+                ec_GFp_simple_group_get0_generator,
+                ec_GFp_simple_group_get_order,
+                ec_GFp_simple_group_get_cofactor,
+                ec_GFp_simple_point_init,
+                ec_GFp_simple_point_finish,
+                ec_GFp_simple_point_clear_finish,
+                ec_GFp_simple_point_copy,
+                ec_GFp_simple_point_set_to_infinity,
+                ec_GFp_simple_set_Jprojective_coordinates_GFp,
+                ec_GFp_simple_get_Jprojective_coordinates_GFp,
+                ec_GFp_simple_point_set_affine_coordinates_GFp,
+                ec_GFp_simple_point_get_affine_coordinates_GFp,
+                ec_GFp_simple_set_compressed_coordinates_GFp,
+                ec_GFp_simple_point2oct,
+                ec_GFp_simple_oct2point,
+                ec_GFp_simple_add,
+                ec_GFp_simple_dbl,
+                ec_GFp_simple_invert,
+                ec_GFp_simple_is_at_infinity,
+                ec_GFp_simple_is_on_curve,
+                ec_GFp_simple_cmp,
+                ec_GFp_simple_make_affine,
+                ec_GFp_simple_points_make_affine,
+                ec_GFp_simple_field_mul,
+                ec_GFp_simple_field_sqr,
+                0 /* field_encode */,
+                0 /* field_decode */,
+                0 /* field_set_to_one */ };
+
+        return &ret;
+        }
+
+
+int ec_GFp_simple_group_init(EC_GROUP *group)
+        {
+        BN_init(&group->field);
+        BN_init(&group->a);
+        BN_init(&group->b);
+        group->a_is_minus3 = 0;
+        group->generator = NULL;
+        BN_init(&group->order);
+        BN_init(&group->cofactor);
+        return 1;
+        }
+
+
+void ec_GFp_simple_group_finish(EC_GROUP *group)
+        {
+        BN_free(&group->field);
+        BN_free(&group->a);
+        BN_free(&group->b);
+        if (group->generator != NULL)
+                EC_POINT_free(group->generator);
+        BN_free(&group->order);
+        BN_free(&group->cofactor);
+        }
+
+
+void ec_GFp_simple_group_clear_finish(EC_GROUP *group)
+        {
+        BN_clear_free(&group->field);
+        BN_clear_free(&group->a);
+        BN_clear_free(&group->b);
+        if (group->generator != NULL)
+                {
+                EC_POINT_clear_free(group->generator);
+                group->generator = NULL;
+                }
+        BN_clear_free(&group->order);
+        BN_clear_free(&group->cofactor);
+        }
+
+
+int ec_GFp_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src)
+        {
+        if (!BN_copy(&dest->field, &src->field)) return 0;
+        if (!BN_copy(&dest->a, &src->a)) return 0;
+        if (!BN_copy(&dest->b, &src->b)) return 0;
+
+        dest->a_is_minus3 = src->a_is_minus3;
+
+        if (src->generator != NULL)
+                {
+                if (dest->generator == NULL)
+                        {
+                        dest->generator = EC_POINT_new(dest);
+                        if (dest->generator == NULL) return 0;
+                        }
+                if (!EC_POINT_copy(dest->generator, src->generator)) return 0;
+                }
+        else
+                {
+                /* src->generator == NULL */
+                if (dest->generator != NULL)
+                        {
+                        EC_POINT_clear_free(dest->generator);
+                        dest->generator = NULL;
+                        }
+                }
+
+        if (!BN_copy(&dest->order, &src->order)) return 0;
+        if (!BN_copy(&dest->cofactor, &src->cofactor)) return 0;
+
+        return 1;
+        }
+
+
+int ec_GFp_simple_group_set_curve_GFp(EC_GROUP *group,
+        const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+        {
+        int ret = 0;
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *tmp_a;
+        
+        /* p must be a prime > 3 */
+        if (BN_num_bits(p) <= 2 || !BN_is_odd(p))
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP, EC_R_INVALID_FIELD);
+                return 0;
+                }
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        BN_CTX_start(ctx);
+        tmp_a = BN_CTX_get(ctx);
+        if (tmp_a == NULL) goto err;
+
+        /* group->field */
+        if (!BN_copy(&group->field, p)) goto err;
+        group->field.neg = 0;
+
+        /* group->a */
+        if (!BN_nnmod(tmp_a, a, p, ctx)) goto err;
+        if (group->meth->field_encode)
+                { if (!group->meth->field_encode(group, &group->a, tmp_a, ctx)) goto err; }     
+        else
+                if (!BN_copy(&group->a, tmp_a)) goto err;
+        
+        /* group->b */
+        if (!BN_nnmod(&group->b, b, p, ctx)) goto err;
+        if (group->meth->field_encode)
+                if (!group->meth->field_encode(group, &group->b, &group->b, ctx)) goto err;
+        
+        /* group->a_is_minus3 */
+        if (!BN_add_word(tmp_a, 3)) goto err;
+        group->a_is_minus3 = (0 == BN_cmp(tmp_a, &group->field));
+
+        ret = 1;
+
+ err:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_group_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
+        {
+        int ret = 0;
+        BN_CTX *new_ctx = NULL;
+        
+        if (p != NULL)
+                {
+                if (!BN_copy(p, &group->field)) return 0;
+                }
+
+        if (a != NULL || b != NULL)
+                {
+                if (group->meth->field_decode)
+                        {
+                        if (ctx == NULL)
+                                {
+                                ctx = new_ctx = BN_CTX_new();
+                                if (ctx == NULL)
+                                        return 0;
+                                }
+                        if (a != NULL)
+                                {
+                                if (!group->meth->field_decode(group, a, &group->a, ctx)) goto err;
+                                }
+                        if (b != NULL)
+                                {
+                                if (!group->meth->field_decode(group, b, &group->b, ctx)) goto err;
+                                }
+                        }
+                else
+                        {
+                        if (a != NULL)
+                                {
+                                if (!BN_copy(a, &group->a)) goto err;
+                                }
+                        if (b != NULL)
+                                {
+                                if (!BN_copy(b, &group->b)) goto err;
+                                }
+                        }
+                }
+        
+        ret = 1;
+        
+ err:
+        if (new_ctx)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+
+int ec_GFp_simple_group_set_generator(EC_GROUP *group, const EC_POINT *generator,
+        const BIGNUM *order, const BIGNUM *cofactor)
+        {
+        if (generator == NULL)
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR, ERR_R_PASSED_NULL_PARAMETER);
+                return 0   ;
+                }
+
+        if (group->generator == NULL)
+                {
+                group->generator = EC_POINT_new(group);
+                if (group->generator == NULL) return 0;
+                }
+        if (!EC_POINT_copy(group->generator, generator)) return 0;
+
+        if (order != NULL)
+                { if (!BN_copy(&group->order, order)) return 0; }       
+        else
+                { if (!BN_zero(&group->order)) return 0; }      
+
+        if (cofactor != NULL)
+                { if (!BN_copy(&group->cofactor, cofactor)) return 0; } 
+        else
+                { if (!BN_zero(&group->cofactor)) return 0; }   
+
+        return 1;
+        }
+
+
+EC_POINT *ec_GFp_simple_group_get0_generator(const EC_GROUP *group)
+        {
+        return group->generator;
+        }
+
+
+int ec_GFp_simple_group_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx)
+        {
+        if (!BN_copy(order, &group->order))
+                return 0;
+
+        return !BN_is_zero(&group->order);
+        }
+
+
+int ec_GFp_simple_group_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx)
+        {
+        if (!BN_copy(cofactor, &group->cofactor))
+                return 0;
+
+        return !BN_is_zero(&group->cofactor);
+        }
+
+
+int ec_GFp_simple_point_init(EC_POINT *point)
+        {
+        BN_init(&point->X);
+        BN_init(&point->Y);
+        BN_init(&point->Z);
+        point->Z_is_one = 0;
+
+        return 1;
+        }
+
+
+void ec_GFp_simple_point_finish(EC_POINT *point)
+        {
+        BN_free(&point->X);
+        BN_free(&point->Y);
+        BN_free(&point->Z);
+        }
+
+
+void ec_GFp_simple_point_clear_finish(EC_POINT *point)
+        {
+        BN_clear_free(&point->X);
+        BN_clear_free(&point->Y);
+        BN_clear_free(&point->Z);
+        point->Z_is_one = 0;
+        }
+
+
+int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src)
+        {
+        if (!BN_copy(&dest->X, &src->X)) return 0;
+        if (!BN_copy(&dest->Y, &src->Y)) return 0;
+        if (!BN_copy(&dest->Z, &src->Z)) return 0;
+        dest->Z_is_one = src->Z_is_one;
+
+        return 1;
+        }
+
+
+int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group, EC_POINT *point)
+        {
+        point->Z_is_one = 0;
+        return (BN_zero(&point->Z));
+        }
+
+
+int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
+        const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx)
+        {
+        BN_CTX *new_ctx = NULL;
+        int ret = 0;
+        
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        if (x != NULL)
+                {
+                if (!BN_nnmod(&point->X, x, &group->field, ctx)) goto err;
+                if (group->meth->field_encode)
+                        {
+                        if (!group->meth->field_encode(group, &point->X, &point->X, ctx)) goto err;
+                        }
+                }
+        
+        if (y != NULL)
+                {
+                if (!BN_nnmod(&point->Y, y, &group->field, ctx)) goto err;
+                if (group->meth->field_encode)
+                        {
+                        if (!group->meth->field_encode(group, &point->Y, &point->Y, ctx)) goto err;
+                        }
+                }
+        
+        if (z != NULL)
+                {
+                int Z_is_one;
+
+                if (!BN_nnmod(&point->Z, z, &group->field, ctx)) goto err;
+                Z_is_one = BN_is_one(&point->Z);
+                if (group->meth->field_encode)
+                        {
+                        if (Z_is_one && (group->meth->field_set_to_one != 0))
+                                {
+                                if (!group->meth->field_set_to_one(group, &point->Z, ctx)) goto err;
+                                }
+                        else
+                                {
+                                if (!group->meth->field_encode(group, &point->Z, &point->Z, ctx)) goto err;
+                                }
+                        }
+                point->Z_is_one = Z_is_one;
+                }
+        
+        ret = 1;
+        
+ err:
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
+        BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx)
+        {
+        BN_CTX *new_ctx = NULL;
+        int ret = 0;
+        
+        if (group->meth->field_decode != 0)
+                {
+                if (ctx == NULL)
+                        {
+                        ctx = new_ctx = BN_CTX_new();
+                        if (ctx == NULL)
+                                return 0;
+                        }
+
+                if (x != NULL)
+                        {
+                        if (!group->meth->field_decode(group, x, &point->X, ctx)) goto err;
+                        }
+                if (y != NULL)
+                        {
+                        if (!group->meth->field_decode(group, y, &point->Y, ctx)) goto err;
+                        }
+                if (z != NULL)
+                        {
+                        if (!group->meth->field_decode(group, z, &point->Z, ctx)) goto err;
+                        }
+                }
+        else    
+                {
+                if (x != NULL)
+                        {
+                        if (!BN_copy(x, &point->X)) goto err;
+                        }
+                if (y != NULL)
+                        {
+                        if (!BN_copy(y, &point->Y)) goto err;
+                        }
+                if (z != NULL)
+                        {
+                        if (!BN_copy(z, &point->Z)) goto err;
+                        }
+                }
+        
+        ret = 1;
+
+ err:
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_point_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
+        const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
+        {
+        if (x == NULL || y == NULL)
+                {
+                /* unlike for projective coordinates, we do not tolerate this */
+                ECerr(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP, ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+
+        return EC_POINT_set_Jprojective_coordinates_GFp(group, point, x, y, BN_value_one(), ctx);
+        }
+
+
+int ec_GFp_simple_point_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
+        BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
+        {
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *X, *Y, *Z, *Z_1, *Z_2, *Z_3;
+        const BIGNUM *X_, *Y_, *Z_;
+        int ret = 0;
+
+        if (EC_POINT_is_at_infinity(group, point))
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP, EC_R_POINT_AT_INFINITY);
+                return 0;
+                }
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        BN_CTX_start(ctx);
+        X = BN_CTX_get(ctx);
+        Y = BN_CTX_get(ctx);
+        Z = BN_CTX_get(ctx);
+        Z_1 = BN_CTX_get(ctx);
+        Z_2 = BN_CTX_get(ctx);
+        Z_3 = BN_CTX_get(ctx);
+        if (Z_3 == NULL) goto err;
+
+        /* transform  (X, Y, Z)  into  (x, y) := (X/Z^2, Y/Z^3) */
+        
+        if (group->meth->field_decode)
+                {
+                if (!group->meth->field_decode(group, X, &point->X, ctx)) goto err;
+                if (!group->meth->field_decode(group, Y, &point->Y, ctx)) goto err;
+                if (!group->meth->field_decode(group, Z, &point->Z, ctx)) goto err;
+                X_ = X; Y_ = Y; Z_ = Z;
+                }
+        else
+                {
+                X_ = &point->X;
+                Y_ = &point->Y;
+                Z_ = &point->Z;
+                }
+        
+        if (BN_is_one(Z_))
+                {
+                if (x != NULL)
+                        {
+                        if (!BN_copy(x, X_)) goto err;
+                        }
+                if (y != NULL)
+                        {
+                        if (!BN_copy(y, Y_)) goto err;
+                        }
+                }
+        else
+                {
+                if (!BN_mod_inverse(Z_1, Z_, &group->field, ctx))
+                        {
+                        ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP, ERR_R_BN_LIB);
+                        goto err;
+                        }
+                
+                if (group->meth->field_encode == 0)
+                        {
+                        /* field_sqr works on standard representation */
+                        if (!group->meth->field_sqr(group, Z_2, Z_1, ctx)) goto err;
+                        }
+                else
+                        {
+                        if (!BN_mod_sqr(Z_2, Z_1, &group->field, ctx)) goto err;
+                        }
+        
+                if (x != NULL)
+                        {
+                        if (group->meth->field_encode == 0)
+                                {
+                                /* field_mul works on standard representation */
+                                if (!group->meth->field_mul(group, x, X_, Z_2, ctx)) goto err;
+                                }
+                        else
+                                {
+                                if (!BN_mod_mul(x, X_, Z_2, &group->field, ctx)) goto err;
+                                }
+                        }
+
+                if (y != NULL)
+                        {
+                        if (group->meth->field_encode == 0)
+                                {
+                                /* field_mul works on standard representation */
+                                if (!group->meth->field_mul(group, Z_3, Z_2, Z_1, ctx)) goto err;
+                                if (!group->meth->field_mul(group, y, Y_, Z_3, ctx)) goto err;
+                                
+                                }
+                        else
+                                {
+                                if (!BN_mod_mul(Z_3, Z_2, Z_1, &group->field, ctx)) goto err;
+                                if (!BN_mod_mul(y, Y_, Z_3, &group->field, ctx)) goto err;
+                                }
+                        }
+                }
+
+        ret = 1;
+
+ err:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
+        const BIGNUM *x_, int y_bit, BN_CTX *ctx)
+        {
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *tmp1, *tmp2, *x, *y;
+        int ret = 0;
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        y_bit = (y_bit != 0);
+
+        BN_CTX_start(ctx);
+        tmp1 = BN_CTX_get(ctx);
+        tmp2 = BN_CTX_get(ctx);
+        x = BN_CTX_get(ctx);
+        y = BN_CTX_get(ctx);
+        if (y == NULL) goto err;
+
+        /* Recover y.  We have a Weierstrass equation
+         *     y^2 = x^3 + a*x + b,
+         * so  y  is one of the square roots of  x^3 + a*x + b.
+         */
+
+        /* tmp1 := x^3 */
+        if (!BN_nnmod(x, x_, &group->field,ctx)) goto err;
+        if (group->meth->field_decode == 0)
+                {
+                /* field_{sqr,mul} work on standard representation */
+                if (!group->meth->field_sqr(group, tmp2, x_, ctx)) goto err;
+                if (!group->meth->field_mul(group, tmp1, tmp2, x_, ctx)) goto err;
+                }
+        else
+                {
+                if (!BN_mod_sqr(tmp2, x_, &group->field, ctx)) goto err;
+                if (!BN_mod_mul(tmp1, tmp2, x_, &group->field, ctx)) goto err;
+                }
+        
+        /* tmp1 := tmp1 + a*x */
+        if (group->a_is_minus3)
+                {
+                if (!BN_mod_lshift1_quick(tmp2, x, &group->field)) goto err;
+                if (!BN_mod_add_quick(tmp2, tmp2, x, &group->field)) goto err;
+                if (!BN_mod_sub_quick(tmp1, tmp1, tmp2, &group->field)) goto err;
+                }
+        else
+                {
+                if (group->meth->field_decode)
+                        {
+                        if (!group->meth->field_decode(group, tmp2, &group->a, ctx)) goto err;
+                        if (!BN_mod_mul(tmp2, tmp2, x, &group->field, ctx)) goto err;
+                        }
+                else
+                        {
+                        /* field_mul works on standard representation */
+                        if (!group->meth->field_mul(group, tmp2, &group->a, x, ctx)) goto err;
+                        }
+                
+                if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field)) goto err;
+                }
+        
+        /* tmp1 := tmp1 + b */
+        if (group->meth->field_decode)
+                {
+                if (!group->meth->field_decode(group, tmp2, &group->b, ctx)) goto err;
+                if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field)) goto err;
+                }
+        else
+                {
+                if (!BN_mod_add_quick(tmp1, tmp1, &group->b, &group->field)) goto err;
+                }
+        
+        if (!BN_mod_sqrt(y, tmp1, &group->field, ctx))
+                {
+                unsigned long err = ERR_peek_error();
+                
+                if (ERR_GET_LIB(err) == ERR_LIB_BN && ERR_GET_REASON(err) == BN_R_NOT_A_SQUARE)
+                        {
+                        (void)ERR_get_error();
+                        ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, EC_R_INVALID_COMPRESSED_POINT);
+                        }
+                else
+                        ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, ERR_R_BN_LIB);
+                goto err;
+                }
+        /* If tmp1 is not a square (i.e. there is no point on the curve with
+         * our x), then y now is a nonsense value too */
+
+        if (y_bit != BN_is_odd(y))
+                {
+                if (BN_is_zero(y))
+                        {
+                        int kron;
+
+                        kron = BN_kronecker(x, &group->field, ctx);
+                        if (kron == -2) goto err;
+
+                        if (kron == 1)
+                                ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, EC_R_INVALID_COMPRESSION_BIT);
+                        else
+                                ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, EC_R_INVALID_COMPRESSED_POINT);
+                        goto err;
+                        }
+                if (!BN_usub(y, &group->field, y)) goto err;
+                }
+        if (y_bit != BN_is_odd(y))
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, ERR_R_INTERNAL_ERROR);
+                goto err;
+                }
+
+        if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
+
+        ret = 1;
+
+ err:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+size_t ec_GFp_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, point_conversion_form_t form,
+        unsigned char *buf, size_t len, BN_CTX *ctx)
+        {
+        size_t ret;
+        BN_CTX *new_ctx = NULL;
+        int used_ctx = 0;
+        BIGNUM *x, *y;
+        size_t field_len, i, skip;
+
+        if ((form != POINT_CONVERSION_COMPRESSED)
+                && (form != POINT_CONVERSION_UNCOMPRESSED)
+                && (form != POINT_CONVERSION_HYBRID))
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_INVALID_FORM);
+                goto err;
+                }
+
+        if (EC_POINT_is_at_infinity(group, point))
+                {
+                /* encodes to a single 0 octet */
+                if (buf != NULL)
+                        {
+                        if (len < 1)
+                                {
+                                ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
+                                return 0;
+                                }
+                        buf[0] = 0;
+                        }
+                return 1;
+                }
+
+
+        /* ret := required output buffer length */
+        field_len = BN_num_bytes(&group->field);
+        ret = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len;
+
+        /* if 'buf' is NULL, just return required length */
+        if (buf != NULL)
+                {
+                if (len < ret)
+                        {
+                        ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
+                        goto err;
+                        }
+
+                if (ctx == NULL)
+                        {
+                        ctx = new_ctx = BN_CTX_new();
+                        if (ctx == NULL)
+                                return 0;
+                        }
+
+                BN_CTX_start(ctx);
+                used_ctx = 1;
+                x = BN_CTX_get(ctx);
+                y = BN_CTX_get(ctx);
+                if (y == NULL) goto err;
+
+                if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
+
+                if ((form == POINT_CONVERSION_COMPRESSED || form == POINT_CONVERSION_HYBRID) && BN_is_odd(y))
+                        buf[0] = form + 1;
+                else
+                        buf[0] = form;
+        
+                i = 1;
+                
+                skip = field_len - BN_num_bytes(x);
+                if (skip > field_len)
+                        {
+                        ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
+                        goto err;
+                        }
+                while (skip > 0)
+                        {
+                        buf[i++] = 0;
+                        skip--;
+                        }
+                skip = BN_bn2bin(x, buf + i);
+                i += skip;
+                if (i != 1 + field_len)
+                        {
+                        ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
+                        goto err;
+                        }
+
+                if (form == POINT_CONVERSION_UNCOMPRESSED || form == POINT_CONVERSION_HYBRID)
+                        {
+                        skip = field_len - BN_num_bytes(y);
+                        if (skip > field_len)
+                                {
+                                ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
+                                goto err;
+                                }
+                        while (skip > 0)
+                                {
+                                buf[i++] = 0;
+                                skip--;
+                                }
+                        skip = BN_bn2bin(y, buf + i);
+                        i += skip;
+                        }
+
+                if (i != ret)
+                        {
+                        ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
+                        goto err;
+                        }
+                }
+        
+        if (used_ctx)
+                BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+
+ err:
+        if (used_ctx)
+                BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return 0;
+        }
+
+
+int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
+        const unsigned char *buf, size_t len, BN_CTX *ctx)
+        {
+        point_conversion_form_t form;
+        int y_bit;
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *x, *y;
+        size_t field_len, enc_len;
+        int ret = 0;
+
+        if (len == 0)
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_BUFFER_TOO_SMALL);
+                return 0;
+                }
+        form = buf[0];
+        y_bit = form & 1;
+        form = form & ~1;
+        if ((form != 0) && (form != POINT_CONVERSION_COMPRESSED)
+                && (form != POINT_CONVERSION_UNCOMPRESSED)
+                && (form != POINT_CONVERSION_HYBRID))
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
+                return 0;
+                }
+        if ((form == 0 || form == POINT_CONVERSION_UNCOMPRESSED) && y_bit)
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
+                return 0;
+                }
+
+        if (form == 0)
+                {
+                if (len != 1)
+                        {
+                        ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
+                        return 0;
+                        }
+
+                return EC_POINT_set_to_infinity(group, point);
+                }
+        
+        field_len = BN_num_bytes(&group->field);
+        enc_len = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len;
+
+        if (len != enc_len)
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
+                return 0;
+                }
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        BN_CTX_start(ctx);
+        x = BN_CTX_get(ctx);
+        y = BN_CTX_get(ctx);
+        if (y == NULL) goto err;
+
+        if (!BN_bin2bn(buf + 1, field_len, x)) goto err;
+        if (BN_ucmp(x, &group->field) >= 0)
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
+                goto err;
+                }
+
+        if (form == POINT_CONVERSION_COMPRESSED)
+                {
+                if (!EC_POINT_set_compressed_coordinates_GFp(group, point, x, y_bit, ctx)) goto err;
+                }
+        else
+                {
+                if (!BN_bin2bn(buf + 1 + field_len, field_len, y)) goto err;
+                if (BN_ucmp(y, &group->field) >= 0)
+                        {
+                        ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
+                        goto err;
+                        }
+                if (form == POINT_CONVERSION_HYBRID)
+                        {
+                        if (y_bit != BN_is_odd(y))
+                                {
+                                ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
+                                goto err;
+                                }
+                        }
+
+                if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
+                }
+        
+        if (!EC_POINT_is_on_curve(group, point, ctx)) /* test required by X9.62 */
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE);
+                goto err;
+                }
+
+        ret = 1;
+        
+ err:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
+        {
+        int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
+        int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
+        const BIGNUM *p;
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6;
+        int ret = 0;
+        
+        if (a == b)
+                return EC_POINT_dbl(group, r, a, ctx);
+        if (EC_POINT_is_at_infinity(group, a))
+                return EC_POINT_copy(r, b);
+        if (EC_POINT_is_at_infinity(group, b))
+                return EC_POINT_copy(r, a);
+        
+        field_mul = group->meth->field_mul;
+        field_sqr = group->meth->field_sqr;
+        p = &group->field;
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        BN_CTX_start(ctx);
+        n0 = BN_CTX_get(ctx);
+        n1 = BN_CTX_get(ctx);
+        n2 = BN_CTX_get(ctx);
+        n3 = BN_CTX_get(ctx);
+        n4 = BN_CTX_get(ctx);
+        n5 = BN_CTX_get(ctx);
+        n6 = BN_CTX_get(ctx);
+        if (n6 == NULL) goto end;
+
+        /* Note that in this function we must not read components of 'a' or 'b'
+         * once we have written the corresponding components of 'r'.
+         * ('r' might be one of 'a' or 'b'.)
+         */
+
+        /* n1, n2 */
+        if (b->Z_is_one)
+                {
+                if (!BN_copy(n1, &a->X)) goto end;
+                if (!BN_copy(n2, &a->Y)) goto end;
+                /* n1 = X_a */
+                /* n2 = Y_a */
+                }
+        else
+                {
+                if (!field_sqr(group, n0, &b->Z, ctx)) goto end;
+                if (!field_mul(group, n1, &a->X, n0, ctx)) goto end;
+                /* n1 = X_a * Z_b^2 */
+
+                if (!field_mul(group, n0, n0, &b->Z, ctx)) goto end;
+                if (!field_mul(group, n2, &a->Y, n0, ctx)) goto end;
+                /* n2 = Y_a * Z_b^3 */
+                }
+
+        /* n3, n4 */
+        if (a->Z_is_one)
+                {
+                if (!BN_copy(n3, &b->X)) goto end;
+                if (!BN_copy(n4, &b->Y)) goto end;
+                /* n3 = X_b */
+                /* n4 = Y_b */
+                }
+        else
+                {
+                if (!field_sqr(group, n0, &a->Z, ctx)) goto end;
+                if (!field_mul(group, n3, &b->X, n0, ctx)) goto end;
+                /* n3 = X_b * Z_a^2 */
+
+                if (!field_mul(group, n0, n0, &a->Z, ctx)) goto end;
+                if (!field_mul(group, n4, &b->Y, n0, ctx)) goto end;
+                /* n4 = Y_b * Z_a^3 */
+                }
+
+        /* n5, n6 */
+        if (!BN_mod_sub_quick(n5, n1, n3, p)) goto end;
+        if (!BN_mod_sub_quick(n6, n2, n4, p)) goto end;
+        /* n5 = n1 - n3 */
+        /* n6 = n2 - n4 */
+
+        if (BN_is_zero(n5))
+                {
+                if (BN_is_zero(n6))
+                        {
+                        /* a is the same point as b */
+                        BN_CTX_end(ctx);
+                        ret = EC_POINT_dbl(group, r, a, ctx);
+                        ctx = NULL;
+                        goto end;
+                        }
+                else
+                        {
+                        /* a is the inverse of b */
+                        if (!BN_zero(&r->Z)) goto end;
+                        r->Z_is_one = 0;
+                        ret = 1;
+                        goto end;
+                        }
+                }
+
+        /* 'n7', 'n8' */
+        if (!BN_mod_add_quick(n1, n1, n3, p)) goto end;
+        if (!BN_mod_add_quick(n2, n2, n4, p)) goto end;
+        /* 'n7' = n1 + n3 */
+        /* 'n8' = n2 + n4 */
+
+        /* Z_r */
+        if (a->Z_is_one && b->Z_is_one)
+                {
+                if (!BN_copy(&r->Z, n5)) goto end;
+                }
+        else
+                {
+                if (a->Z_is_one)
+                        { if (!BN_copy(n0, &b->Z)) goto end; }
+                else if (b->Z_is_one)
+                        { if (!BN_copy(n0, &a->Z)) goto end; }
+                else
+                        { if (!field_mul(group, n0, &a->Z, &b->Z, ctx)) goto end; }
+                if (!field_mul(group, &r->Z, n0, n5, ctx)) goto end;
+                }
+        r->Z_is_one = 0;
+        /* Z_r = Z_a * Z_b * n5 */
+
+        /* X_r */
+        if (!field_sqr(group, n0, n6, ctx)) goto end;
+        if (!field_sqr(group, n4, n5, ctx)) goto end;
+        if (!field_mul(group, n3, n1, n4, ctx)) goto end;
+        if (!BN_mod_sub_quick(&r->X, n0, n3, p)) goto end;
+        /* X_r = n6^2 - n5^2 * 'n7' */
+        
+        /* 'n9' */
+        if (!BN_mod_lshift1_quick(n0, &r->X, p)) goto end;
+        if (!BN_mod_sub_quick(n0, n3, n0, p)) goto end;
+        /* n9 = n5^2 * 'n7' - 2 * X_r */
+
+        /* Y_r */
+        if (!field_mul(group, n0, n0, n6, ctx)) goto end;
+        if (!field_mul(group, n5, n4, n5, ctx)) goto end; /* now n5 is n5^3 */
+        if (!field_mul(group, n1, n2, n5, ctx)) goto end;
+        if (!BN_mod_sub_quick(n0, n0, n1, p)) goto end;
+        if (BN_is_odd(n0))
+                if (!BN_add(n0, n0, p)) goto end;
+        /* now  0 <= n0 < 2*p,  and n0 is even */
+        if (!BN_rshift1(&r->Y, n0)) goto end;
+        /* Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2 */
+
+        ret = 1;
+
+ end:
+        if (ctx) /* otherwise we already called BN_CTX_end */
+                BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx)
+        {
+        int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
+        int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
+        const BIGNUM *p;
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *n0, *n1, *n2, *n3;
+        int ret = 0;
+        
+        if (EC_POINT_is_at_infinity(group, a))
+                {
+                if (!BN_zero(&r->Z)) return 0;
+                r->Z_is_one = 0;
+                return 1;
+                }
+
+        field_mul = group->meth->field_mul;
+        field_sqr = group->meth->field_sqr;
+        p = &group->field;
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        BN_CTX_start(ctx);
+        n0 = BN_CTX_get(ctx);
+        n1 = BN_CTX_get(ctx);
+        n2 = BN_CTX_get(ctx);
+        n3 = BN_CTX_get(ctx);
+        if (n3 == NULL) goto err;
+
+        /* Note that in this function we must not read components of 'a'
+         * once we have written the corresponding components of 'r'.
+         * ('r' might the same as 'a'.)
+         */
+
+        /* n1 */
+        if (a->Z_is_one)
+                {
+                if (!field_sqr(group, n0, &a->X, ctx)) goto err;
+                if (!BN_mod_lshift1_quick(n1, n0, p)) goto err;
+                if (!BN_mod_add_quick(n0, n0, n1, p)) goto err;
+                if (!BN_mod_add_quick(n1, n0, &group->a, p)) goto err;
+                /* n1 = 3 * X_a^2 + a_curve */
+                }
+        else if (group->a_is_minus3)
+                {
+                if (!field_sqr(group, n1, &a->Z, ctx)) goto err;
+                if (!BN_mod_add_quick(n0, &a->X, n1, p)) goto err;
+                if (!BN_mod_sub_quick(n2, &a->X, n1, p)) goto err;
+                if (!field_mul(group, n1, n0, n2, ctx)) goto err;
+                if (!BN_mod_lshift1_quick(n0, n1, p)) goto err;
+                if (!BN_mod_add_quick(n1, n0, n1, p)) goto err;
+                /* n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
+                 *    = 3 * X_a^2 - 3 * Z_a^4 */
+                }
+        else
+                {
+                if (!field_sqr(group, n0, &a->X, ctx)) goto err;
+                if (!BN_mod_lshift1_quick(n1, n0, p)) goto err;
+                if (!BN_mod_add_quick(n0, n0, n1, p)) goto err;
+                if (!field_sqr(group, n1, &a->Z, ctx)) goto err;
+                if (!field_sqr(group, n1, n1, ctx)) goto err;
+                if (!field_mul(group, n1, n1, &group->a, ctx)) goto err;
+                if (!BN_mod_add_quick(n1, n1, n0, p)) goto err;
+                /* n1 = 3 * X_a^2 + a_curve * Z_a^4 */
+                }
+
+        /* Z_r */
+        if (a->Z_is_one)
+                {
+                if (!BN_copy(n0, &a->Y)) goto err;
+                }
+        else
+                {
+                if (!field_mul(group, n0, &a->Y, &a->Z, ctx)) goto err;
+                }
+        if (!BN_mod_lshift1_quick(&r->Z, n0, p)) goto err;
+        r->Z_is_one = 0;
+        /* Z_r = 2 * Y_a * Z_a */
+
+        /* n2 */
+        if (!field_sqr(group, n3, &a->Y, ctx)) goto err;
+        if (!field_mul(group, n2, &a->X, n3, ctx)) goto err;
+        if (!BN_mod_lshift_quick(n2, n2, 2, p)) goto err;
+        /* n2 = 4 * X_a * Y_a^2 */
+
+        /* X_r */
+        if (!BN_mod_lshift1_quick(n0, n2, p)) goto err;
+        if (!field_sqr(group, &r->X, n1, ctx)) goto err;
+        if (!BN_mod_sub_quick(&r->X, &r->X, n0, p)) goto err;
+        /* X_r = n1^2 - 2 * n2 */
+        
+        /* n3 */
+        if (!field_sqr(group, n0, n3, ctx)) goto err;
+        if (!BN_mod_lshift_quick(n3, n0, 3, p)) goto err;
+        /* n3 = 8 * Y_a^4 */
+        
+        /* Y_r */
+        if (!BN_mod_sub_quick(n0, n2, &r->X, p)) goto err;
+        if (!field_mul(group, n0, n1, n0, ctx)) goto err;
+        if (!BN_mod_sub_quick(&r->Y, n0, n3, p)) goto err;
+        /* Y_r = n1 * (n2 - X_r) - n3 */
+
+        ret = 1;
+
+ err:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
+        {
+        if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(&point->Y))
+                /* point is its own inverse */
+                return 1;
+        
+        return BN_usub(&point->Y, &group->field, &point->Y);
+        }
+
+
+int ec_GFp_simple_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
+        {
+        return BN_is_zero(&point->Z);
+        }
+
+
+int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx)
+        {
+        int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
+        int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
+        const BIGNUM *p;
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *rh, *tmp1, *tmp2, *Z4, *Z6;
+        int ret = -1;
+
+        if (EC_POINT_is_at_infinity(group, point))
+                return 1;
+        
+        field_mul = group->meth->field_mul;
+        field_sqr = group->meth->field_sqr;
+        p = &group->field;
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return -1;
+                }
+
+        BN_CTX_start(ctx);
+        rh = BN_CTX_get(ctx);
+        tmp1 = BN_CTX_get(ctx);
+        tmp2 = BN_CTX_get(ctx);
+        Z4 = BN_CTX_get(ctx);
+        Z6 = BN_CTX_get(ctx);
+        if (Z6 == NULL) goto err;
+
+        /* We have a curve defined by a Weierstrass equation
+         *      y^2 = x^3 + a*x + b.
+         * The point to consider is given in Jacobian projective coordinates
+         * where  (X, Y, Z)  represents  (x, y) = (X/Z^2, Y/Z^3).
+         * Substituting this and multiplying by  Z^6  transforms the above equation into
+         *      Y^2 = X^3 + a*X*Z^4 + b*Z^6.
+         * To test this, we add up the right-hand side in 'rh'.
+         */
+
+        /* rh := X^3 */
+        if (!field_sqr(group, rh, &point->X, ctx)) goto err;
+        if (!field_mul(group, rh, rh, &point->X, ctx)) goto err;
+
+        if (!point->Z_is_one)
+                {
+                if (!field_sqr(group, tmp1, &point->Z, ctx)) goto err;
+                if (!field_sqr(group, Z4, tmp1, ctx)) goto err;
+                if (!field_mul(group, Z6, Z4, tmp1, ctx)) goto err;
+
+                /* rh := rh + a*X*Z^4 */
+                if (!field_mul(group, tmp1, &point->X, Z4, ctx)) goto err;
+                if (group->a_is_minus3)
+                        {
+                        if (!BN_mod_lshift1_quick(tmp2, tmp1, p)) goto err;
+                        if (!BN_mod_add_quick(tmp2, tmp2, tmp1, p)) goto err;
+                        if (!BN_mod_sub_quick(rh, rh, tmp2, p)) goto err;
+                        }
+                else
+                        {
+                        if (!field_mul(group, tmp2, tmp1, &group->a, ctx)) goto err;
+                        if (!BN_mod_add_quick(rh, rh, tmp2, p)) goto err;
+                        }
+
+                /* rh := rh + b*Z^6 */
+                if (!field_mul(group, tmp1, &group->b, Z6, ctx)) goto err;
+                if (!BN_mod_add_quick(rh, rh, tmp1, p)) goto err;
+                }
+        else
+                {
+                /* point->Z_is_one */
+
+                /* rh := rh + a*X */
+                if (group->a_is_minus3)
+                        {
+                        if (!BN_mod_lshift1_quick(tmp2, &point->X, p)) goto err;
+                        if (!BN_mod_add_quick(tmp2, tmp2, &point->X, p)) goto err;
+                        if (!BN_mod_sub_quick(rh, rh, tmp2, p)) goto err;
+                        }
+                else
+                        {
+                        if (!field_mul(group, tmp2, &point->X, &group->a, ctx)) goto err;
+                        if (!BN_mod_add_quick(rh, rh, tmp2, p)) goto err;
+                        }
+
+                /* rh := rh + b */
+                if (!BN_mod_add_quick(rh, rh, &group->b, p)) goto err;
+                }
+
+        /* 'lh' := Y^2 */
+        if (!field_sqr(group, tmp1, &point->Y, ctx)) goto err;
+
+        ret = (0 == BN_cmp(tmp1, rh));
+
+ err:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
+        {
+        /* return values:
+         *  -1   error
+         *   0   equal (in affine coordinates)
+         *   1   not equal
+         */
+
+        int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
+        int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *tmp1, *tmp2, *Za23, *Zb23;
+        const BIGNUM *tmp1_, *tmp2_;
+        int ret = -1;
+        
+        if (EC_POINT_is_at_infinity(group, a))
+                {
+                return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
+                }
+        
+        if (a->Z_is_one && b->Z_is_one)
+                {
+                return ((BN_cmp(&a->X, &b->X) == 0) && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1;
+                }
+
+        field_mul = group->meth->field_mul;
+        field_sqr = group->meth->field_sqr;
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return -1;
+                }
+
+        BN_CTX_start(ctx);
+        tmp1 = BN_CTX_get(ctx);
+        tmp2 = BN_CTX_get(ctx);
+        Za23 = BN_CTX_get(ctx);
+        Zb23 = BN_CTX_get(ctx);
+        if (Zb23 == NULL) goto end;
+
+        /* We have to decide whether
+         *     (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
+         * or equivalently, whether
+         *     (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).
+         */
+
+        if (!b->Z_is_one)
+                {
+                if (!field_sqr(group, Zb23, &b->Z, ctx)) goto end;
+                if (!field_mul(group, tmp1, &a->X, Zb23, ctx)) goto end;
+                tmp1_ = tmp1;
+                }
+        else
+                tmp1_ = &a->X;
+        if (!a->Z_is_one)
+                {
+                if (!field_sqr(group, Za23, &a->Z, ctx)) goto end;
+                if (!field_mul(group, tmp2, &b->X, Za23, ctx)) goto end;
+                tmp2_ = tmp2;
+                }
+        else
+                tmp2_ = &b->X;
+        
+        /* compare  X_a*Z_b^2  with  X_b*Z_a^2 */
+        if (BN_cmp(tmp1_, tmp2_) != 0)
+                {
+                ret = 1; /* points differ */
+                goto end;
+                }
+
+
+        if (!b->Z_is_one)
+                {
+                if (!field_mul(group, Zb23, Zb23, &b->Z, ctx)) goto end;
+                if (!field_mul(group, tmp1, &a->Y, Zb23, ctx)) goto end;
+                /* tmp1_ = tmp1 */
+                }
+        else
+                tmp1_ = &a->Y;
+        if (!a->Z_is_one)
+                {
+                if (!field_mul(group, Za23, Za23, &a->Z, ctx)) goto end;
+                if (!field_mul(group, tmp2, &b->Y, Za23, ctx)) goto end;
+                /* tmp2_ = tmp2 */
+                }
+        else
+                tmp2_ = &b->Y;
+
+        /* compare  Y_a*Z_b^3  with  Y_b*Z_a^3 */
+        if (BN_cmp(tmp1_, tmp2_) != 0)
+                {
+                ret = 1; /* points differ */
+                goto end;
+                }
+
+        /* points are equal */
+        ret = 0;
+
+ end:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
+        {
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *x, *y;
+        int ret = 0;
+
+        if (point->Z_is_one || EC_POINT_is_at_infinity(group, point))
+                return 1;
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        BN_CTX_start(ctx);
+        x = BN_CTX_get(ctx);
+        y = BN_CTX_get(ctx);
+        if (y == NULL) goto err;
+
+        if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
+        if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
+        if (!point->Z_is_one)
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_MAKE_AFFINE, ERR_R_INTERNAL_ERROR);
+                goto err;
+                }
+        
+        ret = 1;
+
+ err:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx)
+        {
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *tmp0, *tmp1;
+        size_t pow2 = 0;
+        BIGNUM **heap = NULL;
+        size_t i;
+        int ret = 0;
+
+        if (num == 0)
+                return 1;
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        BN_CTX_start(ctx);
+        tmp0 = BN_CTX_get(ctx);
+        tmp1 = BN_CTX_get(ctx);
+        if (tmp0  == NULL || tmp1 == NULL) goto err;
+
+        /* Before converting the individual points, compute inverses of all Z values.
+         * Modular inversion is rather slow, but luckily we can do with a single
+         * explicit inversion, plus about 3 multiplications per input value.
+         */
+
+        pow2 = 1;
+        while (num > pow2)
+                pow2 <<= 1;
+        /* Now pow2 is the smallest power of 2 satifsying pow2 >= num.
+         * We need twice that. */
+        pow2 <<= 1;
+
+        heap = OPENSSL_malloc(pow2 * sizeof heap[0]);
+        if (heap == NULL) goto err;
+        
+        /* The array is used as a binary tree, exactly as in heapsort:
+         *
+         *                               heap[1]
+         *                 heap[2]                     heap[3]
+         *          heap[4]       heap[5]       heap[6]       heap[7]
+         *   heap[8]heap[9] heap[10]heap[11] heap[12]heap[13] heap[14] heap[15]
+         *
+         * We put the Z's in the last line;
+         * then we set each other node to the product of its two child-nodes (where
+         * empty or 0 entries are treated as ones);
+         * then we invert heap[1];
+         * then we invert each other node by replacing it by the product of its
+         * parent (after inversion) and its sibling (before inversion).
+         */
+        heap[0] = NULL;
+        for (i = pow2/2 - 1; i > 0; i--)
+                heap[i] = NULL;
+        for (i = 0; i < num; i++)
+                heap[pow2/2 + i] = &points[i]->Z;
+        for (i = pow2/2 + num; i < pow2; i++)
+                heap[i] = NULL;
+        
+        /* set each node to the product of its children */
+        for (i = pow2/2 - 1; i > 0; i--)
+                {
+                heap[i] = BN_new();
+                if (heap[i] == NULL) goto err;
+                
+                if (heap[2*i] != NULL)
+                        {
+                        if ((heap[2*i + 1] == NULL) || BN_is_zero(heap[2*i + 1]))
+                                {
+                                if (!BN_copy(heap[i], heap[2*i])) goto err;
+                                }
+                        else
+                                {
+                                if (BN_is_zero(heap[2*i]))
+                                        {
+                                        if (!BN_copy(heap[i], heap[2*i + 1])) goto err;
+                                        }
+                                else
+                                        {
+                                        if (!group->meth->field_mul(group, heap[i],
+                                                heap[2*i], heap[2*i + 1], ctx)) goto err;
+                                        }
+                                }
+                        }
+                }
+
+        /* invert heap[1] */
+        if (!BN_is_zero(heap[1]))
+                {
+                if (!BN_mod_inverse(heap[1], heap[1], &group->field, ctx))
+                        {
+                        ECerr(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE, ERR_R_BN_LIB);
+                        goto err;
+                        }
+                }
+        if (group->meth->field_encode != 0)
+                {
+                /* in the Montgomery case, we just turned  R*H  (representing H)
+                 * into  1/(R*H),  but we need  R*(1/H)  (representing 1/H);
+                 * i.e. we have need to multiply by the Montgomery factor twice */
+                if (!group->meth->field_encode(group, heap[1], heap[1], ctx)) goto err;
+                if (!group->meth->field_encode(group, heap[1], heap[1], ctx)) goto err;
+                }
+
+        /* set other heap[i]'s to their inverses */
+        for (i = 2; i < pow2/2 + num; i += 2)
+                {
+                /* i is even */
+                if ((heap[i + 1] != NULL) && !BN_is_zero(heap[i + 1]))
+                        {
+                        if (!group->meth->field_mul(group, tmp0, heap[i/2], heap[i + 1], ctx)) goto err;
+                        if (!group->meth->field_mul(group, tmp1, heap[i/2], heap[i], ctx)) goto err;
+                        if (!BN_copy(heap[i], tmp0)) goto err;
+                        if (!BN_copy(heap[i + 1], tmp1)) goto err;
+                        }
+                else
+                        {
+                        if (!BN_copy(heap[i], heap[i/2])) goto err;
+                        }
+                }
+
+        /* we have replaced all non-zero Z's by their inverses, now fix up all the points */
+        for (i = 0; i < num; i++)
+                {
+                EC_POINT *p = points[i];
+                
+                if (!BN_is_zero(&p->Z))
+                        {
+                        /* turn  (X, Y, 1/Z)  into  (X/Z^2, Y/Z^3, 1) */
+
+                        if (!group->meth->field_sqr(group, tmp1, &p->Z, ctx)) goto err;
+                        if (!group->meth->field_mul(group, &p->X, &p->X, tmp1, ctx)) goto err;
+
+                        if (!group->meth->field_mul(group, tmp1, tmp1, &p->Z, ctx)) goto err;
+                        if (!group->meth->field_mul(group, &p->Y, &p->Y, tmp1, ctx)) goto err;
+                
+                        if (group->meth->field_set_to_one != 0)
+                                {
+                                if (!group->meth->field_set_to_one(group, &p->Z, ctx)) goto err;
+                                }
+                        else
+                                {
+                                if (!BN_one(&p->Z)) goto err;
+                                }
+                        p->Z_is_one = 1;
+                        }
+                }
+
+        ret = 1;
+                
+ err:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        if (heap != NULL)
+                {
+                /* heap[pow2/2] .. heap[pow2-1] have not been allocated locally! */
+                for (i = pow2/2 - 1; i > 0; i--)
+                        {
+                        if (heap[i] != NULL)
+                                BN_clear_free(heap[i]);
+                        }
+                OPENSSL_free(heap);
+                }
+        return ret;
+        }
+
+
+int ec_GFp_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+        {
+        return BN_mod_mul(r, a, b, &group->field, ctx);
+        }
+
+
+int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
+        {
+        return BN_mod_sqr(r, a, &group->field, ctx);
+        }
diff --git a/src/lib/libssl/src/crypto/ec/ectest.c b/src/lib/libssl/src/crypto/ec/ectest.c
new file mode 100644
index 0000000000..243cd83fb5
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ec/ectest.c
@@ -0,0 +1,634 @@
+/* crypto/ec/ectest.c */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+
+
+#ifdef OPENSSL_NO_EC
+int main(int argc, char * argv[]) { puts("Elliptic curves are disabled."); return 0; }
+#else
+
+
+#include <openssl/ec.h>
+#include <openssl/engine.h>
+#include <openssl/err.h>
+
+#define ABORT do { \
+        fflush(stdout); \
+        fprintf(stderr, "%s:%d: ABORT\n", __FILE__, __LINE__); \
+        ERR_print_errors_fp(stderr); \
+        exit(1); \
+} while (0)
+
+
+void timings(EC_GROUP *group, int multi, BN_CTX *ctx)
+        {
+        clock_t clck;
+        int i, j;
+        BIGNUM *s, *s0;
+        EC_POINT *P;
+                
+        s = BN_new();
+        s0 = BN_new();
+        if (s == NULL || s0 == NULL) ABORT;
+
+        if (!EC_GROUP_get_curve_GFp(group, s, NULL, NULL, ctx)) ABORT;
+        fprintf(stdout, "Timings for %d bit prime, ", (int)BN_num_bits(s));
+        if (!EC_GROUP_get_order(group, s, ctx)) ABORT;
+        fprintf(stdout, "%d bit scalars ", (int)BN_num_bits(s));
+        fflush(stdout);
+
+        P = EC_POINT_new(group);
+        if (P == NULL) ABORT;
+        EC_POINT_copy(P, EC_GROUP_get0_generator(group));
+
+        clck = clock();
+        for (i = 0; i < 10; i++)
+                {
+                if (!BN_pseudo_rand(s, BN_num_bits(s), 0, 0)) ABORT;
+                if (multi)
+                        {
+                        if (!BN_pseudo_rand(s0, BN_num_bits(s), 0, 0)) ABORT;
+                        }
+                for (j = 0; j < 10; j++)
+                        {
+                        if (!EC_POINT_mul(group, P, s, multi ? P : NULL, multi ? s0 : NULL, ctx)) ABORT;
+                        }
+                fprintf(stdout, ".");
+                fflush(stdout);
+                }
+        fprintf(stdout, "\n");
+        
+        clck = clock() - clck;
+
+#ifdef CLOCKS_PER_SEC
+        /* "To determine the time in seconds, the value returned
+         * by the clock function should be divided by the value
+         * of the macro CLOCKS_PER_SEC."
+         *                                       -- ISO/IEC 9899 */
+#       define UNIT "s"
+#else
+        /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
+         *                            -- cc on NeXTstep/OpenStep */
+#       define UNIT "units"
+#       define CLOCKS_PER_SEC 1
+#endif
+
+        fprintf(stdout, "%i %s in %.2f " UNIT "\n", i*j,
+                multi ? "s*P+t*Q operations" : "point multiplications",
+                (double)clck/CLOCKS_PER_SEC);
+        fprintf(stdout, "average: %.4f " UNIT "\n", (double)clck/(CLOCKS_PER_SEC*i*j));
+
+        EC_POINT_free(P);
+        BN_free(s);
+        BN_free(s0);
+        }
+
+
+int main(int argc, char *argv[])
+        {       
+        BN_CTX *ctx = NULL;
+        BIGNUM *p, *a, *b;
+        EC_GROUP *group;
+        EC_GROUP *P_192 = NULL, *P_224 = NULL, *P_256 = NULL, *P_384 = NULL, *P_521 = NULL;
+        EC_POINT *P, *Q, *R;
+        BIGNUM *x, *y, *z;
+        unsigned char buf[100];
+        size_t i, len;
+        int k;
+        
+        /* enable memory leak checking unless explicitly disabled */
+        if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
+                {
+                CRYPTO_malloc_debug_init();
+                CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
+                }
+        else
+                {
+                /* OPENSSL_DEBUG_MEMORY=off */
+                CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
+                }
+        CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+        ERR_load_crypto_strings();
+
+#if 1 /* optional */
+        ctx = BN_CTX_new();
+        if (!ctx) ABORT;
+#endif
+
+        p = BN_new();
+        a = BN_new();
+        b = BN_new();
+        if (!p || !a || !b) ABORT;
+
+        if (!BN_hex2bn(&p, "17")) ABORT;
+        if (!BN_hex2bn(&a, "1")) ABORT;
+        if (!BN_hex2bn(&b, "1")) ABORT;
+        
+        group = EC_GROUP_new(EC_GFp_mont_method()); /* applications should use EC_GROUP_new_curve_GFp
+                                                     * so that the library gets to choose the EC_METHOD */
+        if (!group) ABORT;
+
+        if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
+
+        {
+                EC_GROUP *tmp;
+                tmp = EC_GROUP_new(EC_GROUP_method_of(group));
+                if (!tmp) ABORT;
+                if (!EC_GROUP_copy(tmp, group));
+                EC_GROUP_free(group);
+                group = tmp;
+        }
+        
+        if (!EC_GROUP_get_curve_GFp(group, p, a, b, ctx)) ABORT;
+
+        fprintf(stdout, "Curve defined by Weierstrass equation\n     y^2 = x^3 + a*x + b  (mod 0x");
+        BN_print_fp(stdout, p);
+        fprintf(stdout, ")\n     a = 0x");
+        BN_print_fp(stdout, a);
+        fprintf(stdout, "\n     b = 0x");
+        BN_print_fp(stdout, b);
+        fprintf(stdout, "\n");
+
+        P = EC_POINT_new(group);
+        Q = EC_POINT_new(group);
+        R = EC_POINT_new(group);
+        if (!P || !Q || !R) ABORT;
+        
+        if (!EC_POINT_set_to_infinity(group, P)) ABORT;
+        if (!EC_POINT_is_at_infinity(group, P)) ABORT;
+
+        buf[0] = 0;
+        if (!EC_POINT_oct2point(group, Q, buf, 1, ctx)) ABORT;
+
+        if (!EC_POINT_add(group, P, P, Q, ctx)) ABORT;
+        if (!EC_POINT_is_at_infinity(group, P)) ABORT;
+
+        x = BN_new();
+        y = BN_new();
+        z = BN_new();
+        if (!x || !y || !z) ABORT;
+
+        if (!BN_hex2bn(&x, "D")) ABORT;
+        if (!EC_POINT_set_compressed_coordinates_GFp(group, Q, x, 1, ctx)) ABORT;
+        if (!EC_POINT_is_on_curve(group, Q, ctx))
+                {
+                if (!EC_POINT_get_affine_coordinates_GFp(group, Q, x, y, ctx)) ABORT;
+                fprintf(stderr, "Point is not on curve: x = 0x");
+                BN_print_fp(stderr, x);
+                fprintf(stderr, ", y = 0x");
+                BN_print_fp(stderr, y);
+                fprintf(stderr, "\n");
+                ABORT;
+                }
+
+        fprintf(stdout, "A cyclic subgroup:\n");
+        k = 100;
+        do
+                {
+                if (k-- == 0) ABORT;
+
+                if (EC_POINT_is_at_infinity(group, P))
+                        fprintf(stdout, "     point at infinity\n");
+                else
+                        {
+                        if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
+
+                        fprintf(stdout, "     x = 0x");
+                        BN_print_fp(stdout, x);
+                        fprintf(stdout, ", y = 0x");
+                        BN_print_fp(stdout, y);
+                        fprintf(stdout, "\n");
+                        }
+                
+                if (!EC_POINT_copy(R, P)) ABORT;
+                if (!EC_POINT_add(group, P, P, Q, ctx)) ABORT;
+
+#if 0 /* optional */
+                {
+                        EC_POINT *points[3];
+                
+                        points[0] = R;
+                        points[1] = Q;
+                        points[2] = P;
+                        if (!EC_POINTs_make_affine(group, 2, points, ctx)) ABORT;
+                }
+#endif
+
+                }
+        while (!EC_POINT_is_at_infinity(group, P));
+
+        if (!EC_POINT_add(group, P, Q, R, ctx)) ABORT;
+        if (!EC_POINT_is_at_infinity(group, P)) ABORT;
+
+        len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED, buf, sizeof buf, ctx);
+        if (len == 0) ABORT;
+        if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT;
+        if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT;
+        fprintf(stdout, "Generator as octect string, compressed form:\n     ");
+        for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]);
+        
+        len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED, buf, sizeof buf, ctx);
+        if (len == 0) ABORT;
+        if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT;
+        if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT;
+        fprintf(stdout, "\nGenerator as octect string, uncompressed form:\n     ");
+        for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]);
+        
+        len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID, buf, sizeof buf, ctx);
+        if (len == 0) ABORT;
+        if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT;
+        if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT;
+        fprintf(stdout, "\nGenerator as octect string, hybrid form:\n     ");
+        for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]);
+        
+        if (!EC_POINT_get_Jprojective_coordinates_GFp(group, R, x, y, z, ctx)) ABORT;
+        fprintf(stdout, "\nA representation of the inverse of that generator in\nJacobian projective coordinates:\n     X = 0x");
+        BN_print_fp(stdout, x);
+        fprintf(stdout, ", Y = 0x");
+        BN_print_fp(stdout, y);
+        fprintf(stdout, ", Z = 0x");
+        BN_print_fp(stdout, z);
+        fprintf(stdout, "\n");
+
+        if (!EC_POINT_invert(group, P, ctx)) ABORT;
+        if (0 != EC_POINT_cmp(group, P, R, ctx)) ABORT;
+
+
+        /* Curve P-192 (FIPS PUB 186-2, App. 6) */
+        
+        if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF")) ABORT;
+        if (1 != BN_is_prime(p, BN_prime_checks, 0, ctx, NULL)) ABORT;
+        if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC")) ABORT;
+        if (!BN_hex2bn(&b, "64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1")) ABORT;
+        if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
+
+        if (!BN_hex2bn(&x, "188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012")) ABORT;
+        if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) ABORT;
+        if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
+        if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831")) ABORT;
+        if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
+
+        if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
+        fprintf(stdout, "\nNIST curve P-192 -- Generator:\n     x = 0x");
+        BN_print_fp(stdout, x);
+        fprintf(stdout, "\n     y = 0x");
+        BN_print_fp(stdout, y);
+        fprintf(stdout, "\n");
+        /* G_y value taken from the standard: */
+        if (!BN_hex2bn(&z, "07192B95FFC8DA78631011ED6B24CDD573F977A11E794811")) ABORT;
+        if (0 != BN_cmp(y, z)) ABORT;
+        
+        fprintf(stdout, "verify group order ...");
+        fflush(stdout);
+        if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
+        if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
+        if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
+        fprintf(stdout, ".");
+        fflush(stdout);
+        if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
+        if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
+        if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
+        fprintf(stdout, " ok\n");
+
+        if (!(P_192 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
+        if (!EC_GROUP_copy(P_192, group)) ABORT;
+
+
+        /* Curve P-224 (FIPS PUB 186-2, App. 6) */
+        
+        if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001")) ABORT;
+        if (1 != BN_is_prime(p, BN_prime_checks, 0, ctx, NULL)) ABORT;
+        if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE")) ABORT;
+        if (!BN_hex2bn(&b, "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4")) ABORT;
+        if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
+
+        if (!BN_hex2bn(&x, "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21")) ABORT;
+        if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx)) ABORT;
+        if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
+        if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D")) ABORT;
+        if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
+
+        if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
+        fprintf(stdout, "\nNIST curve P-224 -- Generator:\n     x = 0x");
+        BN_print_fp(stdout, x);
+        fprintf(stdout, "\n     y = 0x");
+        BN_print_fp(stdout, y);
+        fprintf(stdout, "\n");
+        /* G_y value taken from the standard: */
+        if (!BN_hex2bn(&z, "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34")) ABORT;
+        if (0 != BN_cmp(y, z)) ABORT;
+        
+        fprintf(stdout, "verify group order ...");
+        fflush(stdout);
+        if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
+        if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
+        if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
+        fprintf(stdout, ".");
+        fflush(stdout);
+        if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
+        if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
+        if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
+        fprintf(stdout, " ok\n");
+
+        if (!(P_224 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
+        if (!EC_GROUP_copy(P_224, group)) ABORT;
+
+
+        /* Curve P-256 (FIPS PUB 186-2, App. 6) */
+        
+        if (!BN_hex2bn(&p, "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF")) ABORT;
+        if (1 != BN_is_prime(p, BN_prime_checks, 0, ctx, NULL)) ABORT;
+        if (!BN_hex2bn(&a, "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC")) ABORT;
+        if (!BN_hex2bn(&b, "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B")) ABORT;
+        if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
+
+        if (!BN_hex2bn(&x, "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296")) ABORT;
+        if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) ABORT;
+        if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
+        if (!BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E"
+                "84F3B9CAC2FC632551")) ABORT;
+        if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
+
+        if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
+        fprintf(stdout, "\nNIST curve P-256 -- Generator:\n     x = 0x");
+        BN_print_fp(stdout, x);
+        fprintf(stdout, "\n     y = 0x");
+        BN_print_fp(stdout, y);
+        fprintf(stdout, "\n");
+        /* G_y value taken from the standard: */
+        if (!BN_hex2bn(&z, "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5")) ABORT;
+        if (0 != BN_cmp(y, z)) ABORT;
+        
+        fprintf(stdout, "verify group order ...");
+        fflush(stdout);
+        if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
+        if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
+        if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
+        fprintf(stdout, ".");
+        fflush(stdout);
+        if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
+        if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
+        if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
+        fprintf(stdout, " ok\n");
+
+        if (!(P_256 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
+        if (!EC_GROUP_copy(P_256, group)) ABORT;
+
+
+        /* Curve P-384 (FIPS PUB 186-2, App. 6) */
+        
+        if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+                "FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF")) ABORT;
+        if (1 != BN_is_prime(p, BN_prime_checks, 0, ctx, NULL)) ABORT;
+        if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+                "FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC")) ABORT;
+        if (!BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141"
+                "120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF")) ABORT;
+        if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
+
+        if (!BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B"
+                "9859F741E082542A385502F25DBF55296C3A545E3872760AB7")) ABORT;
+        if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) ABORT;
+        if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
+        if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+                "FFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973")) ABORT;
+        if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
+
+        if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
+        fprintf(stdout, "\nNIST curve P-384 -- Generator:\n     x = 0x");
+        BN_print_fp(stdout, x);
+        fprintf(stdout, "\n     y = 0x");
+        BN_print_fp(stdout, y);
+        fprintf(stdout, "\n");
+        /* G_y value taken from the standard: */
+        if (!BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A14"
+                "7CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F")) ABORT;
+        if (0 != BN_cmp(y, z)) ABORT;
+        
+        fprintf(stdout, "verify group order ...");
+        fflush(stdout);
+        if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
+        if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
+        if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
+        fprintf(stdout, ".");
+        fflush(stdout);
+        if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
+        if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
+        if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
+        fprintf(stdout, " ok\n");
+
+        if (!(P_384 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
+        if (!EC_GROUP_copy(P_384, group)) ABORT;
+
+
+        /* Curve P-521 (FIPS PUB 186-2, App. 6) */
+        
+        if (!BN_hex2bn(&p, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+                "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+                "FFFFFFFFFFFFFFFFFFFFFFFFFFFF")) ABORT;
+        if (1 != BN_is_prime(p, BN_prime_checks, 0, ctx, NULL)) ABORT;
+        if (!BN_hex2bn(&a, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+                "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+                "FFFFFFFFFFFFFFFFFFFFFFFFFFFC")) ABORT;
+        if (!BN_hex2bn(&b, "051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B"
+                "315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573"
+                "DF883D2C34F1EF451FD46B503F00")) ABORT;
+        if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
+
+        if (!BN_hex2bn(&x, "C6858E06B70404E9CD9E3ECB662395B4429C648139053F"
+                "B521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B"
+                "3C1856A429BF97E7E31C2E5BD66")) ABORT;
+        if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx)) ABORT;
+        if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
+        if (!BN_hex2bn(&z, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+                "FFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5"
+                "C9B8899C47AEBB6FB71E91386409")) ABORT;
+        if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
+
+        if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
+        fprintf(stdout, "\nNIST curve P-521 -- Generator:\n     x = 0x");
+        BN_print_fp(stdout, x);
+        fprintf(stdout, "\n     y = 0x");
+        BN_print_fp(stdout, y);
+        fprintf(stdout, "\n");
+        /* G_y value taken from the standard: */
+        if (!BN_hex2bn(&z, "11839296A789A3BC0045C8A5FB42C7D1BD998F54449579"
+                "B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C"
+                "7086A272C24088BE94769FD16650")) ABORT;
+        if (0 != BN_cmp(y, z)) ABORT;
+        
+        fprintf(stdout, "verify group order ...");
+        fflush(stdout);
+        if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
+        if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
+        if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
+        fprintf(stdout, ".");
+        fflush(stdout);
+        if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
+        if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
+        if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
+        fprintf(stdout, " ok\n");
+
+        if (!(P_521 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
+        if (!EC_GROUP_copy(P_521, group)) ABORT;
+
+
+        /* more tests using the last curve */
+
+        if (!EC_POINT_copy(Q, P)) ABORT;
+        if (EC_POINT_is_at_infinity(group, Q)) ABORT;
+        if (!EC_POINT_dbl(group, P, P, ctx)) ABORT;
+        if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
+        if (!EC_POINT_invert(group, Q, ctx)) ABORT; /* P = -2Q */
+
+        if (!EC_POINT_add(group, R, P, Q, ctx)) ABORT;
+        if (!EC_POINT_add(group, R, R, Q, ctx)) ABORT;
+        if (!EC_POINT_is_at_infinity(group, R)) ABORT; /* R = P + 2Q */
+
+        {
+                const EC_POINT *points[3];
+                const BIGNUM *scalars[3];
+        
+                if (EC_POINT_is_at_infinity(group, Q)) ABORT;
+                points[0] = Q;
+                points[1] = Q;
+                points[2] = Q;
+
+                if (!BN_add(y, z, BN_value_one())) ABORT;
+                if (BN_is_odd(y)) ABORT;
+                if (!BN_rshift1(y, y)) ABORT;
+                scalars[0] = y; /* (group order + 1)/2,  so  y*Q + y*Q = Q */
+                scalars[1] = y;
+
+                fprintf(stdout, "combined multiplication ...");
+                fflush(stdout);
+
+                /* z is still the group order */
+                if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) ABORT;
+                if (!EC_POINTs_mul(group, R, z, 2, points, scalars, ctx)) ABORT;
+                if (0 != EC_POINT_cmp(group, P, R, ctx)) ABORT;
+                if (0 != EC_POINT_cmp(group, R, Q, ctx)) ABORT;
+
+                fprintf(stdout, ".");
+                fflush(stdout);
+
+                if (!BN_pseudo_rand(y, BN_num_bits(y), 0, 0)) ABORT;
+                if (!BN_add(z, z, y)) ABORT;
+                z->neg = 1;
+                scalars[0] = y;
+                scalars[1] = z; /* z = -(order + y) */
+
+                if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) ABORT;
+                if (!EC_POINT_is_at_infinity(group, P)) ABORT;
+
+                fprintf(stdout, ".");
+                fflush(stdout);
+
+                if (!BN_pseudo_rand(x, BN_num_bits(y) - 1, 0, 0)) ABORT;
+                if (!BN_add(z, x, y)) ABORT;
+                z->neg = 1;
+                scalars[0] = x;
+                scalars[1] = y;
+                scalars[2] = z; /* z = -(x+y) */
+
+                if (!EC_POINTs_mul(group, P, NULL, 3, points, scalars, ctx)) ABORT;
+                if (!EC_POINT_is_at_infinity(group, P)) ABORT;
+
+                fprintf(stdout, " ok\n\n");
+        }
+
+
+#if 0
+        timings(P_192, 0, ctx);
+        timings(P_192, 1, ctx);
+        timings(P_224, 0, ctx);
+        timings(P_224, 1, ctx);
+        timings(P_256, 0, ctx);
+        timings(P_256, 1, ctx);
+        timings(P_384, 0, ctx);
+        timings(P_384, 1, ctx);
+        timings(P_521, 0, ctx);
+        timings(P_521, 1, ctx);
+#endif
+
+
+        if (ctx)
+                BN_CTX_free(ctx);
+        BN_free(p); BN_free(a); BN_free(b);
+        EC_GROUP_free(group);
+        EC_POINT_free(P);
+        EC_POINT_free(Q);
+        EC_POINT_free(R);
+        BN_free(x); BN_free(y); BN_free(z);
+
+        if (P_192) EC_GROUP_free(P_192);
+        if (P_224) EC_GROUP_free(P_224);
+        if (P_256) EC_GROUP_free(P_256);
+        if (P_384) EC_GROUP_free(P_384);
+        if (P_521) EC_GROUP_free(P_521);
+
+        ENGINE_cleanup();
+        CRYPTO_cleanup_all_ex_data();
+        ERR_free_strings();
+        ERR_remove_state(0);
+        CRYPTO_mem_leaks_fp(stderr);
+        
+        return 0;
+        }
+#endif
diff --git a/src/lib/libssl/src/crypto/engine/README b/src/lib/libssl/src/crypto/engine/README
new file mode 100644
index 0000000000..96595e6f35
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/README
@@ -0,0 +1,278 @@
+NOTES, THOUGHTS, and EVERYTHING
+-------------------------------
+
+(1) Concurrency and locking ... I made a change to the ENGINE_free code
+    because I spotted a potential hold-up in proceedings (doing too
+    much inside a lock including calling a callback), there may be
+    other bits like this. What do the speed/optimisation freaks think
+    of this aspect of the code and design? There's lots of locking for
+    manipulation functions and I need that to keep things nice and
+    solid, but this manipulation is mostly (de)initialisation, I would
+    think that most run-time locking is purely in the ENGINE_init and
+    ENGINE_finish calls that might be made when getting handles for
+    RSA (and friends') structures. These would be mostly reference
+    count operations as the functional references should always be 1
+    or greater at run-time to prevent init/deinit thrashing.
+
+(2) nCipher support, via the HWCryptoHook API, is now in the code.
+    Apparently this hasn't been tested too much yet, but it looks
+    good. :-) Atalla support has been added too, but shares a lot in
+    common with Ben's original hooks in bn_exp.c (although it has been
+    ENGINE-ified, and error handling wrapped around it) and it's also
+    had some low-volume testing, so it should be usable.
+
+(3) Of more concern, we need to work out (a) how to put together usable
+    RAND_METHODs for units that just have one "get n or less random
+    bytes" function, (b) we also need to determine how to hook the code
+    in crypto/rand/ to use the ENGINE defaults in a way similar to what
+    has been done in crypto/rsa/, crypto/dsa/, etc.
+
+(4) ENGINE should really grow to encompass more than 3 public key
+    algorithms and randomness gathering. The structure/data level of
+    the engine code is hidden from code outside the crypto/engine/
+    directory so change shouldn't be too viral. More important though
+    is how things should evolve ... this needs thought and discussion.
+
+
+-----------------------------------==*==-----------------------------------
+
+More notes 2000-08-01
+---------------------
+
+Geoff Thorpe, who designed the engine part, wrote a pretty good description
+of the thoughts he had when he built it, good enough to include verbatim here
+(with his permission)                                   -- Richard Levitte
+
+
+Date: Tue, 1 Aug 2000 16:54:08 +0100 (BST)
+From: Geoff Thorpe
+Subject: Re: The thoughts to merge BRANCH_engine into the main trunk are
+ emerging
+
+Hi there,
+
+I'm going to try and do some justice to this, but I'm a little short on
+time and the there is an endless amount that could be discussed on this
+subject. sigh ... please bear with me :-)
+
+> The changes in BRANCH_engine dig deep into the core of OpenSSL, for example
+> into the RSA and RAND routines, adding a level of indirection which is needed
+> to keep the abstraction, as far as I understand.  It would be a good thing if
+> those who do play with those things took a look at the changes that have been
+> done in the branch and say out loud how much (or hopefully little) we've made
+> fools of ourselves.
+
+The point here is that the code that has emerged in the BRANCH_engine
+branch was based on some initial requirements of mine that I went in and
+addressed, and Richard has picked up the ball and run with it too. It
+would be really useful to get some review of the approach we've taken, but
+first I think I need to describe as best I can the reasons behind what has
+been done so far, in particular what issues we have tried to address when
+doing this, and what issues we have intentionally (or necessarily) tried
+to avoid.
+
+methods, engines, and evps
+--------------------------
+
+There has been some dicussion, particularly with Steve, about where this
+ENGINE stuff might fit into the conceptual picture as/when we start to
+abstract algorithms a little bit to make the library more extensible. In
+particular, it would desirable to have algorithms (symmetric, hash, pkc,
+etc) abstracted in some way that allows them to be just objects sitting in
+a list (or database) ... it'll just happen that the "DSA" object doesn't
+support encryption whereas the "RSA" object does. This requires a lot of
+consideration to begin to know how to tackle it; in particular how
+encapsulated should these things be? If the objects also understand their
+own ASN1 encodings and what-not, then it would for example be possible to
+add support for elliptic-curve DSA in as a new algorithm and automatically
+have ECC-DSA certificates supported in SSL applications. Possible, but not
+easy. :-)
+
+Whatever, it seems that the way to go (if I've grok'd Steve's comments on
+this in the past) is to amalgamate these things in EVP as is already done
+(I think) for ciphers or hashes (Steve, please correct/elaborate). I
+certainly think something should be done in this direction because right
+now we have different source directories, types, functions, and methods
+for each algorithm - even when conceptually they are very much different
+feathers of the same bird. (This is certainly all true for the public-key
+stuff, and may be partially true for the other parts.)
+
+ENGINE was *not* conceived as a way of solving this, far from it. Nor was
+it conceived as a way of replacing the various "***_METHOD"s. It was
+conceived as an abstraction of a sort of "virtual crypto device". If we
+lived in a world where "EVP_ALGO"s (or something like them) encapsulated
+particular algorithms like RSA,DSA,MD5,RC4,etc, and "***_METHOD"s
+encapsulated interfaces to algorithms (eg. some algo's might support a
+PKC_METHOD, a HASH_METHOD, or a CIPHER_METHOD, who knows?), then I would
+think that ENGINE would encapsulate an implementation of arbitrarily many
+of those algorithms - perhaps as alternatives to existing algorithms
+and/or perhaps as new previously unimplemented algorithms. An ENGINE could
+be used to contain an alternative software implementation, a wrapper for a
+hardware acceleration and/or key-management unit, a comms-wrapper for
+distributing cryptographic operations to remote machines, or any other
+"devices" your imagination can dream up.
+
+However, what has been done in the ENGINE branch so far is nothing more
+than starting to get our toes wet. I had a couple of self-imposed
+requirements when putting the initial abstraction together, and I may have
+already posed these in one form or another on the list, but briefly;
+
+   (i) only bother with public key algorithms for now, and maybe RAND too
+       (motivated by the need to get hardware support going and the fact
+       this was a comparitively easy subset to address to begin with).
+
+  (ii) don't change (if at all possible) the existing crypto code, ie. the
+       implementations, the way the ***_METHODs work, etc.
+
+ (iii) ensure that if no function from the ENGINE code is ever called then
+       things work the way they always did, and there is no memory
+       allocation (otherwise the failure to cleanup would be a problem -
+       this is part of the reason no STACKs were used, the other part of
+       the reason being I found them inappropriate).
+
+  (iv) ensure that all the built-in crypto was encapsulated by one of
+       these "ENGINE"s and that this engine was automatically selected as
+       the default.
+
+   (v) provide the minimum hooking possible in the existing crypto code
+       so that global functions (eg. RSA_public_encrypt) do not need any
+       extra parameter, yet will use whatever the current default ENGINE
+       for that RSA key is, and that the default can be set "per-key"
+       and globally (new keys will assume the global default, and keys
+       without their own default will be operated on using the global
+       default). NB: Try and make (v) conflict as little as possible with
+       (ii). :-)
+
+  (vi) wrap the ENGINE code up in duct tape so you can't even see the
+       corners. Ie. expose no structures at all, just black-box pointers.
+
+   (v) maintain internally a list of ENGINEs on which a calling
+       application can iterate, interrogate, etc. Allow a calling
+       application to hook in new ENGINEs, remove ENGINEs from the list,
+       and enforce uniqueness within the global list of each ENGINE's
+       "unique id".
+
+  (vi) keep reference counts for everything - eg. this includes storing a
+       reference inside each RSA structure to the ENGINE that it uses.
+       This is freed when the RSA structure is destroyed, or has its
+       ENGINE explicitly changed. The net effect needs to be that at any
+       time, it is deterministic to know whether an ENGINE is in use or
+       can be safely removed (or unloaded in the case of the other type
+       of reference) without invalidating function pointers that may or
+       may not be used indavertently in the future. This was actually
+       one of the biggest problems to overcome in the existing OpenSSL
+       code - implementations had always been assumed to be ever-present,
+       so there was no trivial way to get round this.
+
+ (vii) distinguish between structural references and functional
+       references.
+
+A *little* detail
+-----------------
+
+While my mind is on it; I'll illustrate the bit in item (vii). This idea
+turned out to be very handy - the ENGINEs themselves need to be operated
+on and manipulated simply as objects without necessarily trying to
+"enable" them for use. Eg. most host machines will not have the necessary
+hardware or software to support all the engines one might compile into
+OpenSSL, yet it needs to be possible to iterate across the ENGINEs,
+querying their names, properties, etc - all happening in a thread-safe
+manner that uses reference counts (if you imagine two threads iterating
+through a list and one thread removing the ENGINE the other is currently
+looking at - you can see the gotcha waiting to happen). For all of this,
+*structural references* are used and operate much like the other reference
+counts in OpenSSL.
+
+The other kind of reference count is for *functional* references - these
+indicate a reference on which the caller can actually assume the
+particular ENGINE to be initialised and usable to perform the operations
+it implements. Any increment or decrement of the functional reference
+count automatically invokes a corresponding change in the structural
+reference count, as it is fairly obvious that a functional reference is a
+restricted case of a structural reference. So struct_ref >= funct_ref at
+all times. NB: functional references are usually obtained by a call to
+ENGINE_init(), but can also be created implicitly by calls that require a
+new functional reference to be created, eg. ENGINE_set_default(). Either
+way the only time the underlying ENGINE's "init" function is really called
+is when the (functional) reference count increases to 1, similarly the
+underlying "finish" handler is only called as the count goes down to 0.
+The effect of this, for example, is that if you set the default ENGINE for
+RSA operations to be "cswift", then its functional reference count will
+already be at least 1 so the CryptoSwift shared-library and the card will
+stay loaded and initialised until such time as all RSA keys using the
+cswift ENGINE are changed or destroyed and the default ENGINE for RSA
+operations has been changed. This prevents repeated thrashing of init and
+finish handling if the count keeps getting down as far as zero.
+
+Otherwise, the way the ENGINE code has been put together I think pretty
+much reflects the above points. The reason for the ENGINE structure having
+individual RSA_METHOD, DSA_METHOD, etc pointers is simply that it was the
+easiest way to go about things for now, to hook it all into the raw
+RSA,DSA,etc code, and I was trying to the keep the structure invisible
+anyway so that the way this is internally managed could be easily changed
+later on when we start to work out what's to be done about these other
+abstractions.
+
+Down the line, if some EVP-based technique emerges for adequately
+encapsulating algorithms and all their various bits and pieces, then I can
+imagine that "ENGINE" would turn into a reference-counting database of
+these EVP things, of which the default "openssl" ENGINE would be the
+library's own object database of pre-built software implemented algorithms
+(and such). It would also be cool to see the idea of "METHOD"s detached
+from the algorithms themselves ... so RSA, DSA, ElGamal, etc can all
+expose essentially the same METHOD (aka interface), which would include
+any querying/flagging stuff to identify what the algorithm can/can't do,
+its name, and other stuff like max/min block sizes, key sizes, etc. This
+would result in ENGINE similarly detaching its internal database of
+algorithm implementations from the function definitions that return
+interfaces to them. I think ...
+
+As for DSOs etc. Well the DSO code is pretty handy (but could be made much
+more so) for loading vendor's driver-libraries and talking to them in some
+generic way, but right now there's still big problems associated with
+actually putting OpenSSL code (ie. new ENGINEs, or anything else for that
+matter) in dynamically loadable libraries. These problems won't go away in
+a hurry so I don't think we should expect to have any kind of
+shared-library extensions any time soon - but solving the problems is a
+good thing to aim for, and would as a side-effect probably help make
+OpenSSL more usable as a shared-library itself (looking at the things
+needed to do this will show you why).
+
+One of the problems is that if you look at any of the ENGINE
+implementations, eg. hw_cswift.c or hw_ncipher.c, you'll see how it needs
+a variety of functionality and definitions from various areas of OpenSSL,
+including crypto/bn/, crypto/err/, crypto/ itself (locking for example),
+crypto/dso/, crypto/engine/, crypto/rsa, etc etc etc. So if similar code
+were to be suctioned off into shared libraries, the shared libraries would
+either have to duplicate all the definitions and code and avoid loader
+conflicts, or OpenSSL would have to somehow expose all that functionality
+to the shared-library. If this isn't a big enough problem, the issue of
+binary compatibility will be - anyone writing Apache modules can tell you
+that (Ralf? Ben? :-). However, I don't think OpenSSL would need to be
+quite so forgiving as Apache should be, so OpenSSL could simply tell its
+version to the DSO and leave the DSO with the problem of deciding whether
+to proceed or bail out for fear of binary incompatibilities.
+
+Certainly one thing that would go a long way to addressing this is to
+embark on a bit of an opaqueness mission. I've set the ENGINE code up with
+this in mind - it's so draconian that even to declare your own ENGINE, you
+have to get the engine code to create the underlying ENGINE structure, and
+then feed in the new ENGINE's function/method pointers through various
+"set" functions. The more of the code that takes on such a black-box
+approach, the more of the code that will be (a) easy to expose to shared
+libraries that need it, and (b) easy to expose to applications wanting to
+use OpenSSL itself as a shared-library. From my own explorations in
+OpenSSL, the biggest leviathan I've seen that is a problem in this respect
+is the BIGNUM code. Trying to "expose" the bignum code through any kind of
+organised "METHODs", let alone do all the necessary bignum operations
+solely through functions rather than direct access to the structures and
+macros, will be a massive pain in the "r"s.
+
+Anyway, I'm done for now - hope it was readable. Thoughts?
+
+Cheers,
+Geoff
+
+
+-----------------------------------==*==-----------------------------------
+
diff --git a/src/lib/libssl/src/crypto/engine/eng_all.c b/src/lib/libssl/src/crypto/engine/eng_all.c
new file mode 100644
index 0000000000..a35b3db9e8
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/eng_all.c
@@ -0,0 +1,118 @@
+/* crypto/engine/eng_all.c -*- mode: C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte <richard@levitte.org> for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/err.h>
+#include <openssl/engine.h>
+#include "eng_int.h"
+
+#ifdef __OpenBSD__
+static int openbsd_default_loaded = 0;
+#endif
+
+void ENGINE_load_builtin_engines(void)
+        {
+        /* There's no longer any need for an "openssl" ENGINE unless, one day,
+         * it is the *only* way for standard builtin implementations to be be
+         * accessed (ie. it would be possible to statically link binaries with
+         * *no* builtin implementations). */
+#if 0
+        ENGINE_load_openssl();
+#endif
+        ENGINE_load_dynamic();
+#ifndef OPENSSL_NO_HW
+#ifndef OPENSSL_NO_HW_CSWIFT
+        ENGINE_load_cswift();
+#endif
+#ifndef OPENSSL_NO_HW_NCIPHER
+        ENGINE_load_chil();
+#endif
+#ifndef OPENSSL_NO_HW_ATALLA
+        ENGINE_load_atalla();
+#endif
+#ifndef OPENSSL_NO_HW_NURON
+        ENGINE_load_nuron();
+#endif
+#ifndef OPENSSL_NO_HW_UBSEC
+        ENGINE_load_ubsec();
+#endif
+#ifndef OPENSSL_NO_HW_AEP
+        ENGINE_load_aep();
+#endif
+#ifndef OPENSSL_NO_HW_SUREWARE
+        ENGINE_load_sureware();
+#endif
+#ifdef OPENSSL_OPENBSD_DEV_CRYPTO
+        ENGINE_load_openbsd_dev_crypto();
+#endif
+#ifdef __OpenBSD__
+        ENGINE_load_cryptodev();
+#endif
+#endif
+        }
+
+#ifdef __OpenBSD__
+void ENGINE_setup_openbsd(void) {
+        if (!openbsd_default_loaded) {
+                ENGINE_load_cryptodev();
+                ENGINE_register_all_complete();
+        }
+        openbsd_default_loaded=1;
+}
+#endif
+
+
diff --git a/src/lib/libssl/src/crypto/engine/eng_cnf.c b/src/lib/libssl/src/crypto/engine/eng_cnf.c
new file mode 100644
index 0000000000..8c0ae8a1ad
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/eng_cnf.c
@@ -0,0 +1,242 @@
+/* eng_cnf.c */
+/* Written by Stephen Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/engine.h>
+
+/* #define ENGINE_CONF_DEBUG */
+
+/* ENGINE config module */
+
+static char *skip_dot(char *name)
+        {
+        char *p;
+        p = strchr(name, '.');
+        if (p)
+                return p + 1;
+        return name;
+        }
+
+static STACK_OF(ENGINE) *initialized_engines = NULL;
+
+static int int_engine_init(ENGINE *e)
+        {
+        if (!ENGINE_init(e))
+                return 0;
+        if (!initialized_engines)
+                initialized_engines = sk_ENGINE_new_null();
+        if (!initialized_engines || !sk_ENGINE_push(initialized_engines, e))
+                {
+                ENGINE_finish(e);
+                return 0;
+                }
+        return 1;
+        }
+        
+
+int int_engine_configure(char *name, char *value, const CONF *cnf)
+        {
+        int i;
+        int ret = 0;
+        long do_init = -1;
+        STACK_OF(CONF_VALUE) *ecmds;
+        CONF_VALUE *ecmd;
+        char *ctrlname, *ctrlvalue;
+        ENGINE *e = NULL;
+        name = skip_dot(name);
+#ifdef ENGINE_CONF_DEBUG
+        fprintf(stderr, "Configuring engine %s\n", name);
+#endif
+        /* Value is a section containing ENGINE commands */
+        ecmds = NCONF_get_section(cnf, value);
+
+        if (!ecmds)
+                {
+                ENGINEerr(ENGINE_F_INT_ENGINE_CONFIGURE, ENGINE_R_ENGINE_SECTION_ERROR);
+                return 0;
+                }
+
+        for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++)
+                {
+                ecmd = sk_CONF_VALUE_value(ecmds, i);
+                ctrlname = skip_dot(ecmd->name);
+                ctrlvalue = ecmd->value;
+#ifdef ENGINE_CONF_DEBUG
+        fprintf(stderr, "ENGINE conf: doing ctrl(%s,%s)\n", ctrlname, ctrlvalue);
+#endif
+
+                /* First handle some special pseudo ctrls */
+
+                /* Override engine name to use */
+                if (!strcmp(ctrlname, "engine_id"))
+                        name = ctrlvalue;
+                /* Load a dynamic ENGINE */
+                else if (!strcmp(ctrlname, "dynamic_path"))
+                        {
+                        e = ENGINE_by_id("dynamic");
+                        if (!e)
+                                goto err;
+                        if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", ctrlvalue, 0))
+                                goto err;
+                        if (!ENGINE_ctrl_cmd_string(e, "LIST_ADD", "2", 0))
+                                goto err;
+                        if (!ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0))
+                                goto err;
+                        }
+                /* ... add other pseudos here ... */
+                else
+                        {
+                        /* At this point we need an ENGINE structural reference
+                         * if we don't already have one.
+                         */
+                        if (!e)
+                                {
+                                e = ENGINE_by_id(name);
+                                if (!e)
+                                        return 0;
+                                }
+                        /* Allow "EMPTY" to mean no value: this allows a valid
+                         * "value" to be passed to ctrls of type NO_INPUT
+                         */
+                        if (!strcmp(ctrlvalue, "EMPTY"))
+                                ctrlvalue = NULL;
+                        else if (!strcmp(ctrlname, "init"))
+                                {
+                                if (!NCONF_get_number_e(cnf, value, "init", &do_init))
+                                        goto err;
+                                if (do_init == 1)
+                                        {
+                                        if (!int_engine_init(e))
+                                                goto err;
+                                        }
+                                else if (do_init != 0)
+                                        {
+                                        ENGINEerr(ENGINE_F_INT_ENGINE_CONFIGURE, ENGINE_R_INVALID_INIT_VALUE);
+                                        goto err;
+                                        }
+                                }
+                        else if (!strcmp(ctrlname, "default_algorithms"))
+                                {
+                                if (!ENGINE_set_default_string(e, ctrlvalue))
+                                        goto err;
+                                }
+                        else if (!ENGINE_ctrl_cmd_string(e,
+                                        ctrlname, ctrlvalue, 0))
+                                return 0;
+                        }
+
+
+
+                }
+        if (e && (do_init == -1) && !int_engine_init(e))
+                goto err;
+        ret = 1;
+        err:
+        if (e)
+                ENGINE_free(e);
+        return ret;
+        }
+
+
+static int int_engine_module_init(CONF_IMODULE *md, const CONF *cnf)
+        {
+        STACK_OF(CONF_VALUE) *elist;
+        CONF_VALUE *cval;
+        int i;
+#ifdef ENGINE_CONF_DEBUG
+        fprintf(stderr, "Called engine module: name %s, value %s\n",
+                        CONF_imodule_get_name(md), CONF_imodule_get_value(md));
+#endif
+        /* Value is a section containing ENGINEs to configure */
+        elist = NCONF_get_section(cnf, CONF_imodule_get_value(md));
+
+        if (!elist)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_MODULE_INIT, ENGINE_R_ENGINES_SECTION_ERROR);
+                return 0;
+                }
+
+        for (i = 0; i < sk_CONF_VALUE_num(elist); i++)
+                {
+                cval = sk_CONF_VALUE_value(elist, i);
+                if (!int_engine_configure(cval->name, cval->value, cnf))
+                        return 0;
+                }
+
+        return 1;
+        }
+
+static void int_engine_module_finish(CONF_IMODULE *md)
+        {
+        ENGINE *e;
+        while ((e = sk_ENGINE_pop(initialized_engines)))
+                ENGINE_finish(e);
+        sk_ENGINE_free(initialized_engines);
+        initialized_engines = NULL;
+        }
+        
+
+void ENGINE_add_conf_module(void)
+        {
+        CONF_module_add("engines",
+                        int_engine_module_init,
+                        int_engine_module_finish);
+        }
diff --git a/src/lib/libssl/src/crypto/engine/eng_ctrl.c b/src/lib/libssl/src/crypto/engine/eng_ctrl.c
new file mode 100644
index 0000000000..ad3858395b
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/eng_ctrl.c
@@ -0,0 +1,387 @@
+/* crypto/engine/eng_ctrl.c */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include "eng_int.h"
+#include <openssl/engine.h>
+
+/* When querying a ENGINE-specific control command's 'description', this string
+ * is used if the ENGINE_CMD_DEFN has cmd_desc set to NULL. */
+static const char *int_no_description = "";
+
+/* These internal functions handle 'CMD'-related control commands when the
+ * ENGINE in question has asked us to take care of it (ie. the ENGINE did not
+ * set the ENGINE_FLAGS_MANUAL_CMD_CTRL flag. */
+
+static int int_ctrl_cmd_is_null(const ENGINE_CMD_DEFN *defn)
+        {
+        if((defn->cmd_num == 0) || (defn->cmd_name == NULL))
+                return 1;
+        return 0;
+        }
+
+static int int_ctrl_cmd_by_name(const ENGINE_CMD_DEFN *defn, const char *s)
+        {
+        int idx = 0;
+        while(!int_ctrl_cmd_is_null(defn) && (strcmp(defn->cmd_name, s) != 0))
+                {
+                idx++;
+                defn++;
+                }
+        if(int_ctrl_cmd_is_null(defn))
+                /* The given name wasn't found */
+                return -1;
+        return idx;
+        }
+
+static int int_ctrl_cmd_by_num(const ENGINE_CMD_DEFN *defn, unsigned int num)
+        {
+        int idx = 0;
+        /* NB: It is stipulated that 'cmd_defn' lists are ordered by cmd_num. So
+         * our searches don't need to take any longer than necessary. */
+        while(!int_ctrl_cmd_is_null(defn) && (defn->cmd_num < num))
+                {
+                idx++;
+                defn++;
+                }
+        if(defn->cmd_num == num)
+                return idx;
+        /* The given cmd_num wasn't found */
+        return -1;
+        }
+
+static int int_ctrl_helper(ENGINE *e, int cmd, long i, void *p, void (*f)())
+        {
+        int idx;
+        char *s = (char *)p;
+        /* Take care of the easy one first (eg. it requires no searches) */
+        if(cmd == ENGINE_CTRL_GET_FIRST_CMD_TYPE)
+                {
+                if((e->cmd_defns == NULL) || int_ctrl_cmd_is_null(e->cmd_defns))
+                        return 0;
+                return e->cmd_defns->cmd_num;
+                }
+        /* One or two commands require that "p" be a valid string buffer */
+        if((cmd == ENGINE_CTRL_GET_CMD_FROM_NAME) ||
+                        (cmd == ENGINE_CTRL_GET_NAME_FROM_CMD) ||
+                        (cmd == ENGINE_CTRL_GET_DESC_FROM_CMD))
+                {
+                if(s == NULL)
+                        {
+                        ENGINEerr(ENGINE_F_INT_CTRL_HELPER,
+                                ERR_R_PASSED_NULL_PARAMETER);
+                        return -1;
+                        }
+                }
+        /* Now handle cmd_name -> cmd_num conversion */
+        if(cmd == ENGINE_CTRL_GET_CMD_FROM_NAME)
+                {
+                if((e->cmd_defns == NULL) || ((idx = int_ctrl_cmd_by_name(
+                                                e->cmd_defns, s)) < 0))
+                        {
+                        ENGINEerr(ENGINE_F_INT_CTRL_HELPER,
+                                ENGINE_R_INVALID_CMD_NAME);
+                        return -1;
+                        }
+                return e->cmd_defns[idx].cmd_num;
+                }
+        /* For the rest of the commands, the 'long' argument must specify a
+         * valie command number - so we need to conduct a search. */
+        if((e->cmd_defns == NULL) || ((idx = int_ctrl_cmd_by_num(e->cmd_defns,
+                                        (unsigned int)i)) < 0))
+                {
+                ENGINEerr(ENGINE_F_INT_CTRL_HELPER,
+                        ENGINE_R_INVALID_CMD_NUMBER);
+                return -1;
+                }
+        /* Now the logic splits depending on command type */
+        switch(cmd)
+                {
+        case ENGINE_CTRL_GET_NEXT_CMD_TYPE:
+                idx++;
+                if(int_ctrl_cmd_is_null(e->cmd_defns + idx))
+                        /* end-of-list */
+                        return 0;
+                else
+                        return e->cmd_defns[idx].cmd_num;
+        case ENGINE_CTRL_GET_NAME_LEN_FROM_CMD:
+                return strlen(e->cmd_defns[idx].cmd_name);
+        case ENGINE_CTRL_GET_NAME_FROM_CMD:
+                return sprintf(s, "%s", e->cmd_defns[idx].cmd_name);
+        case ENGINE_CTRL_GET_DESC_LEN_FROM_CMD:
+                if(e->cmd_defns[idx].cmd_desc)
+                        return strlen(e->cmd_defns[idx].cmd_desc);
+                return strlen(int_no_description);
+        case ENGINE_CTRL_GET_DESC_FROM_CMD:
+                if(e->cmd_defns[idx].cmd_desc)
+                        return sprintf(s, "%s", e->cmd_defns[idx].cmd_desc);
+                return sprintf(s, "%s", int_no_description);
+        case ENGINE_CTRL_GET_CMD_FLAGS:
+                return e->cmd_defns[idx].cmd_flags;
+                }
+        /* Shouldn't really be here ... */
+        ENGINEerr(ENGINE_F_INT_CTRL_HELPER,ENGINE_R_INTERNAL_LIST_ERROR);
+        return -1;
+        }
+
+int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
+        {
+        int ctrl_exists, ref_exists;
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CTRL,ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        ref_exists = ((e->struct_ref > 0) ? 1 : 0);
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        ctrl_exists = ((e->ctrl == NULL) ? 0 : 1);
+        if(!ref_exists)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CTRL,ENGINE_R_NO_REFERENCE);
+                return 0;
+                }
+        /* Intercept any "root-level" commands before trying to hand them on to
+         * ctrl() handlers. */
+        switch(cmd)
+                {
+        case ENGINE_CTRL_HAS_CTRL_FUNCTION:
+                return ctrl_exists;
+        case ENGINE_CTRL_GET_FIRST_CMD_TYPE:
+        case ENGINE_CTRL_GET_NEXT_CMD_TYPE:
+        case ENGINE_CTRL_GET_CMD_FROM_NAME:
+        case ENGINE_CTRL_GET_NAME_LEN_FROM_CMD:
+        case ENGINE_CTRL_GET_NAME_FROM_CMD:
+        case ENGINE_CTRL_GET_DESC_LEN_FROM_CMD:
+        case ENGINE_CTRL_GET_DESC_FROM_CMD:
+        case ENGINE_CTRL_GET_CMD_FLAGS:
+                if(ctrl_exists && !(e->flags & ENGINE_FLAGS_MANUAL_CMD_CTRL))
+                        return int_ctrl_helper(e,cmd,i,p,f);
+                if(!ctrl_exists)
+                        {
+                        ENGINEerr(ENGINE_F_ENGINE_CTRL,ENGINE_R_NO_CONTROL_FUNCTION);
+                        /* For these cmd-related functions, failure is indicated
+                         * by a -1 return value (because 0 is used as a valid
+                         * return in some places). */
+                        return -1;
+                        }
+        default:
+                break;
+                }
+        /* Anything else requires a ctrl() handler to exist. */
+        if(!ctrl_exists)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CTRL,ENGINE_R_NO_CONTROL_FUNCTION);
+                return 0;
+                }
+        return e->ctrl(e, cmd, i, p, f);
+        }
+
+int ENGINE_cmd_is_executable(ENGINE *e, int cmd)
+        {
+        int flags;
+        if((flags = ENGINE_ctrl(e, ENGINE_CTRL_GET_CMD_FLAGS, cmd, NULL, NULL)) < 0)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CMD_IS_EXECUTABLE,
+                        ENGINE_R_INVALID_CMD_NUMBER);
+                return 0;
+                }
+        if(!(flags & ENGINE_CMD_FLAG_NO_INPUT) &&
+                        !(flags & ENGINE_CMD_FLAG_NUMERIC) &&
+                        !(flags & ENGINE_CMD_FLAG_STRING))
+                return 0;
+        return 1;
+        }
+
+int ENGINE_ctrl_cmd(ENGINE *e, const char *cmd_name,
+        long i, void *p, void (*f)(), int cmd_optional)
+        {
+        int num;
+
+        if((e == NULL) || (cmd_name == NULL))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        if((e->ctrl == NULL) || ((num = ENGINE_ctrl(e,
+                                        ENGINE_CTRL_GET_CMD_FROM_NAME,
+                                        0, (void *)cmd_name, NULL)) <= 0))
+                {
+                /* If the command didn't *have* to be supported, we fake
+                 * success. This allows certain settings to be specified for
+                 * multiple ENGINEs and only require a change of ENGINE id
+                 * (without having to selectively apply settings). Eg. changing
+                 * from a hardware device back to the regular software ENGINE
+                 * without editing the config file, etc. */
+                if(cmd_optional)
+                        {
+                        ERR_clear_error();
+                        return 1;
+                        }
+                ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD,
+                        ENGINE_R_INVALID_CMD_NAME);
+                return 0;
+                }
+        /* Force the result of the control command to 0 or 1, for the reasons
+         * mentioned before. */
+        if (ENGINE_ctrl(e, num, i, p, f))
+                return 1;
+        return 0;
+        }
+
+int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
+                                int cmd_optional)
+        {
+        int num, flags;
+        long l;
+        char *ptr;
+        if((e == NULL) || (cmd_name == NULL))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        if((e->ctrl == NULL) || ((num = ENGINE_ctrl(e,
+                                        ENGINE_CTRL_GET_CMD_FROM_NAME,
+                                        0, (void *)cmd_name, NULL)) <= 0))
+                {
+                /* If the command didn't *have* to be supported, we fake
+                 * success. This allows certain settings to be specified for
+                 * multiple ENGINEs and only require a change of ENGINE id
+                 * (without having to selectively apply settings). Eg. changing
+                 * from a hardware device back to the regular software ENGINE
+                 * without editing the config file, etc. */
+                if(cmd_optional)
+                        {
+                        ERR_clear_error();
+                        return 1;
+                        }
+                ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING,
+                        ENGINE_R_INVALID_CMD_NAME);
+                return 0;
+                }
+        if(!ENGINE_cmd_is_executable(e, num))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING,
+                        ENGINE_R_CMD_NOT_EXECUTABLE);
+                return 0;
+                }
+        if((flags = ENGINE_ctrl(e, ENGINE_CTRL_GET_CMD_FLAGS, num, NULL, NULL)) < 0)
+                {
+                /* Shouldn't happen, given that ENGINE_cmd_is_executable()
+                 * returned success. */
+                ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING,
+                        ENGINE_R_INTERNAL_LIST_ERROR);
+                return 0;
+                }
+        /* If the command takes no input, there must be no input. And vice
+         * versa. */
+        if(flags & ENGINE_CMD_FLAG_NO_INPUT)
+                {
+                if(arg != NULL)
+                        {
+                        ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING,
+                                ENGINE_R_COMMAND_TAKES_NO_INPUT);
+                        return 0;
+                        }
+                /* We deliberately force the result of ENGINE_ctrl() to 0 or 1
+                 * rather than returning it as "return data". This is to ensure
+                 * usage of these commands is consistent across applications and
+                 * that certain applications don't understand it one way, and
+                 * others another. */
+                if(ENGINE_ctrl(e, num, 0, (void *)arg, NULL))
+                        return 1;
+                return 0;
+                }
+        /* So, we require input */
+        if(arg == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING,
+                        ENGINE_R_COMMAND_TAKES_INPUT);
+                return 0;
+                }
+        /* If it takes string input, that's easy */
+        if(flags & ENGINE_CMD_FLAG_STRING)
+                {
+                /* Same explanation as above */
+                if(ENGINE_ctrl(e, num, 0, (void *)arg, NULL))
+                        return 1;
+                return 0;
+                }
+        /* If it doesn't take numeric either, then it is unsupported for use in
+         * a config-setting situation, which is what this function is for. This
+         * should never happen though, because ENGINE_cmd_is_executable() was
+         * used. */
+        if(!(flags & ENGINE_CMD_FLAG_NUMERIC))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING,
+                        ENGINE_R_INTERNAL_LIST_ERROR);
+                return 0;
+                }
+        l = strtol(arg, &ptr, 10);
+        if((arg == ptr) || (*ptr != '\0'))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING,
+                        ENGINE_R_ARGUMENT_IS_NOT_A_NUMBER);
+                return 0;
+                }
+        /* Force the result of the control command to 0 or 1, for the reasons
+         * mentioned before. */
+        if(ENGINE_ctrl(e, num, l, NULL, NULL))
+                return 1;
+        return 0;
+        }
diff --git a/src/lib/libssl/src/crypto/engine/eng_dyn.c b/src/lib/libssl/src/crypto/engine/eng_dyn.c
new file mode 100644
index 0000000000..4fefcc0cae
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/eng_dyn.c
@@ -0,0 +1,446 @@
+/* crypto/engine/eng_dyn.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include "eng_int.h"
+#include <openssl/engine.h>
+#include <openssl/dso.h>
+
+/* Shared libraries implementing ENGINEs for use by the "dynamic" ENGINE loader
+ * should implement the hook-up functions with the following prototypes. */
+
+/* Our ENGINE handlers */
+static int dynamic_init(ENGINE *e);
+static int dynamic_finish(ENGINE *e);
+static int dynamic_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)());
+/* Predeclare our context type */
+typedef struct st_dynamic_data_ctx dynamic_data_ctx;
+/* The implementation for the important control command */
+static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx);
+
+#define DYNAMIC_CMD_SO_PATH             ENGINE_CMD_BASE
+#define DYNAMIC_CMD_NO_VCHECK           (ENGINE_CMD_BASE + 1)
+#define DYNAMIC_CMD_ID                  (ENGINE_CMD_BASE + 2)
+#define DYNAMIC_CMD_LIST_ADD            (ENGINE_CMD_BASE + 3)
+#define DYNAMIC_CMD_LOAD                (ENGINE_CMD_BASE + 4)
+
+/* The constants used when creating the ENGINE */
+static const char *engine_dynamic_id = "dynamic";
+static const char *engine_dynamic_name = "Dynamic engine loading support";
+static const ENGINE_CMD_DEFN dynamic_cmd_defns[] = {
+        {DYNAMIC_CMD_SO_PATH,
+                "SO_PATH",
+                "Specifies the path to the new ENGINE shared library",
+                ENGINE_CMD_FLAG_STRING},
+        {DYNAMIC_CMD_NO_VCHECK,
+                "NO_VCHECK",
+                "Specifies to continue even if version checking fails (boolean)",
+                ENGINE_CMD_FLAG_NUMERIC},
+        {DYNAMIC_CMD_ID,
+                "ID",
+                "Specifies an ENGINE id name for loading",
+                ENGINE_CMD_FLAG_STRING},
+        {DYNAMIC_CMD_LIST_ADD,
+                "LIST_ADD",
+                "Whether to add a loaded ENGINE to the internal list (0=no,1=yes,2=mandatory)",
+                ENGINE_CMD_FLAG_NUMERIC},
+        {DYNAMIC_CMD_LOAD,
+                "LOAD",
+                "Load up the ENGINE specified by other settings",
+                ENGINE_CMD_FLAG_NO_INPUT},
+        {0, NULL, NULL, 0}
+        };
+static const ENGINE_CMD_DEFN dynamic_cmd_defns_empty[] = {
+        {0, NULL, NULL, 0}
+        };
+
+/* Loading code stores state inside the ENGINE structure via the "ex_data"
+ * element. We load all our state into a single structure and use that as a
+ * single context in the "ex_data" stack. */
+struct st_dynamic_data_ctx
+        {
+        /* The DSO object we load that supplies the ENGINE code */
+        DSO *dynamic_dso;
+        /* The function pointer to the version checking shared library function */
+        dynamic_v_check_fn v_check;
+        /* The function pointer to the engine-binding shared library function */
+        dynamic_bind_engine bind_engine;
+        /* The default name/path for loading the shared library */
+        const char *DYNAMIC_LIBNAME;
+        /* Whether to continue loading on a version check failure */
+        int no_vcheck;
+        /* If non-NULL, stipulates the 'id' of the ENGINE to be loaded */
+        const char *engine_id;
+        /* If non-zero, a successfully loaded ENGINE should be added to the internal
+         * ENGINE list. If 2, the add must succeed or the entire load should fail. */
+        int list_add_value;
+        /* The symbol name for the version checking function */
+        const char *DYNAMIC_F1;
+        /* The symbol name for the "initialise ENGINE structure" function */
+        const char *DYNAMIC_F2;
+        };
+
+/* This is the "ex_data" index we obtain and reserve for use with our context
+ * structure. */
+static int dynamic_ex_data_idx = -1;
+
+/* Because our ex_data element may or may not get allocated depending on whether
+ * a "first-use" occurs before the ENGINE is freed, we have a memory leak
+ * problem to solve. We can't declare a "new" handler for the ex_data as we
+ * don't want a dynamic_data_ctx in *all* ENGINE structures of all types (this
+ * is a bug in the design of CRYPTO_EX_DATA). As such, we just declare a "free"
+ * handler and that will get called if an ENGINE is being destroyed and there
+ * was an ex_data element corresponding to our context type. */
+static void dynamic_data_ctx_free_func(void *parent, void *ptr,
+                        CRYPTO_EX_DATA *ad, int idx, long argl, void *argp)
+        {
+        if(ptr)
+                {
+                dynamic_data_ctx *ctx = (dynamic_data_ctx *)ptr;
+                if(ctx->dynamic_dso)
+                        DSO_free(ctx->dynamic_dso);
+                OPENSSL_free(ctx);
+                }
+        }
+
+/* Construct the per-ENGINE context. We create it blindly and then use a lock to
+ * check for a race - if so, all but one of the threads "racing" will have
+ * wasted their time. The alternative involves creating everything inside the
+ * lock which is far worse. */
+static int dynamic_set_data_ctx(ENGINE *e, dynamic_data_ctx **ctx)
+        {
+        dynamic_data_ctx *c;
+        c = OPENSSL_malloc(sizeof(dynamic_data_ctx));
+        if(!ctx)
+                {
+                ENGINEerr(ENGINE_F_SET_DATA_CTX,ERR_R_MALLOC_FAILURE);
+                return 0;
+                }
+        memset(c, 0, sizeof(dynamic_data_ctx));
+        c->dynamic_dso = NULL;
+        c->v_check = NULL;
+        c->bind_engine = NULL;
+        c->DYNAMIC_LIBNAME = NULL;
+        c->no_vcheck = 0;
+        c->engine_id = NULL;
+        c->list_add_value = 0;
+        c->DYNAMIC_F1 = "v_check";
+        c->DYNAMIC_F2 = "bind_engine";
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        if((*ctx = (dynamic_data_ctx *)ENGINE_get_ex_data(e,
+                                dynamic_ex_data_idx)) == NULL)
+                {
+                /* Good, we're the first */
+                ENGINE_set_ex_data(e, dynamic_ex_data_idx, c);
+                *ctx = c;
+                c = NULL;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        /* If we lost the race to set the context, c is non-NULL and *ctx is the
+         * context of the thread that won. */
+        if(c)
+                OPENSSL_free(c);
+        return 1;
+        }
+
+/* This function retrieves the context structure from an ENGINE's "ex_data", or
+ * if it doesn't exist yet, sets it up. */
+static dynamic_data_ctx *dynamic_get_data_ctx(ENGINE *e)
+        {
+        dynamic_data_ctx *ctx;
+        if(dynamic_ex_data_idx < 0)
+                {
+                /* Create and register the ENGINE ex_data, and associate our
+                 * "free" function with it to ensure any allocated contexts get
+                 * freed when an ENGINE goes underground. */
+                int new_idx = ENGINE_get_ex_new_index(0, NULL, NULL, NULL,
+                                        dynamic_data_ctx_free_func);
+                if(new_idx == -1)
+                        {
+                        ENGINEerr(ENGINE_F_DYNAMIC_GET_DATA_CTX,ENGINE_R_NO_INDEX);
+                        return NULL;
+                        }
+                CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+                /* Avoid a race by checking again inside this lock */
+                if(dynamic_ex_data_idx < 0)
+                        {
+                        /* Good, someone didn't beat us to it */
+                        dynamic_ex_data_idx = new_idx;
+                        new_idx = -1;
+                        }
+                CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+                /* In theory we could "give back" the index here if
+                 * (new_idx>-1), but it's not possible and wouldn't gain us much
+                 * if it were. */
+                }
+        ctx = (dynamic_data_ctx *)ENGINE_get_ex_data(e, dynamic_ex_data_idx);
+        /* Check if the context needs to be created */
+        if((ctx == NULL) && !dynamic_set_data_ctx(e, &ctx))
+                /* "set_data" will set errors if necessary */
+                return NULL;
+        return ctx;
+        }
+
+static ENGINE *engine_dynamic(void)
+        {
+        ENGINE *ret = ENGINE_new();
+        if(!ret)
+                return NULL;
+        if(!ENGINE_set_id(ret, engine_dynamic_id) ||
+                        !ENGINE_set_name(ret, engine_dynamic_name) ||
+                        !ENGINE_set_init_function(ret, dynamic_init) ||
+                        !ENGINE_set_finish_function(ret, dynamic_finish) ||
+                        !ENGINE_set_ctrl_function(ret, dynamic_ctrl) ||
+                        !ENGINE_set_flags(ret, ENGINE_FLAGS_BY_ID_COPY) ||
+                        !ENGINE_set_cmd_defns(ret, dynamic_cmd_defns))
+                {
+                ENGINE_free(ret);
+                return NULL;
+                }
+        return ret;
+        }
+
+void ENGINE_load_dynamic(void)
+        {
+        ENGINE *toadd = engine_dynamic();
+        if(!toadd) return;
+        ENGINE_add(toadd);
+        /* If the "add" worked, it gets a structural reference. So either way,
+         * we release our just-created reference. */
+        ENGINE_free(toadd);
+        /* If the "add" didn't work, it was probably a conflict because it was
+         * already added (eg. someone calling ENGINE_load_blah then calling
+         * ENGINE_load_builtin_engines() perhaps). */
+        ERR_clear_error();
+        }
+
+static int dynamic_init(ENGINE *e)
+        {
+        /* We always return failure - the "dyanamic" engine itself can't be used
+         * for anything. */
+        return 0;
+        }
+
+static int dynamic_finish(ENGINE *e)
+        {
+        /* This should never be called on account of "dynamic_init" always
+         * failing. */
+        return 0;
+        }
+
+static int dynamic_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
+        {
+        dynamic_data_ctx *ctx = dynamic_get_data_ctx(e);
+        int initialised;
+        
+        if(!ctx)
+                {
+                ENGINEerr(ENGINE_F_DYNAMIC_CTRL,ENGINE_R_NOT_LOADED);
+                return 0;
+                }
+        initialised = ((ctx->dynamic_dso == NULL) ? 0 : 1);
+        /* All our control commands require the ENGINE to be uninitialised */
+        if(initialised)
+                {
+                ENGINEerr(ENGINE_F_DYNAMIC_CTRL,
+                        ENGINE_R_ALREADY_LOADED);
+                return 0;
+                }
+        switch(cmd)
+                {
+        case DYNAMIC_CMD_SO_PATH:
+                /* a NULL 'p' or a string of zero-length is the same thing */
+                if(p && (strlen((const char *)p) < 1))
+                        p = NULL;
+                ctx->DYNAMIC_LIBNAME = (const char *)p;
+                return 1;
+        case DYNAMIC_CMD_NO_VCHECK:
+                ctx->no_vcheck = ((i == 0) ? 0 : 1);
+                return 1;
+        case DYNAMIC_CMD_ID:
+                /* a NULL 'p' or a string of zero-length is the same thing */
+                if(p && (strlen((const char *)p) < 1))
+                        p = NULL;
+                ctx->engine_id = (const char *)p;
+                return 1;
+        case DYNAMIC_CMD_LIST_ADD:
+                if((i < 0) || (i > 2))
+                        {
+                        ENGINEerr(ENGINE_F_DYNAMIC_CTRL,
+                                ENGINE_R_INVALID_ARGUMENT);
+                        return 0;
+                        }
+                ctx->list_add_value = (int)i;
+                return 1;
+        case DYNAMIC_CMD_LOAD:
+                return dynamic_load(e, ctx);
+        default:
+                break;
+                }
+        ENGINEerr(ENGINE_F_DYNAMIC_CTRL,ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+        return 0;
+        }
+
+static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)
+        {
+        ENGINE cpy;
+        dynamic_fns fns;
+
+        if(!ctx->DYNAMIC_LIBNAME || ((ctx->dynamic_dso = DSO_load(NULL,
+                                ctx->DYNAMIC_LIBNAME, NULL, 0)) == NULL))
+                {
+                ENGINEerr(ENGINE_F_DYNAMIC_LOAD,
+                        ENGINE_R_DSO_NOT_FOUND);
+                return 0;
+                }
+        /* We have to find a bind function otherwise it'll always end badly */
+        if(!(ctx->bind_engine = (dynamic_bind_engine)DSO_bind_func(
+                                        ctx->dynamic_dso, ctx->DYNAMIC_F2)))
+                {
+                ctx->bind_engine = NULL;
+                DSO_free(ctx->dynamic_dso);
+                ctx->dynamic_dso = NULL;
+                ENGINEerr(ENGINE_F_DYNAMIC_LOAD,
+                        ENGINE_R_DSO_FAILURE);
+                return 0;
+                }
+        /* Do we perform version checking? */
+        if(!ctx->no_vcheck)
+                {
+                unsigned long vcheck_res = 0;
+                /* Now we try to find a version checking function and decide how
+                 * to cope with failure if/when it fails. */
+                ctx->v_check = (dynamic_v_check_fn)DSO_bind_func(
+                                ctx->dynamic_dso, ctx->DYNAMIC_F1);
+                if(ctx->v_check)
+                        vcheck_res = ctx->v_check(OSSL_DYNAMIC_VERSION);
+                /* We fail if the version checker veto'd the load *or* if it is
+                 * deferring to us (by returning its version) and we think it is
+                 * too old. */
+                if(vcheck_res < OSSL_DYNAMIC_OLDEST)
+                        {
+                        /* Fail */
+                        ctx->bind_engine = NULL;
+                        ctx->v_check = NULL;
+                        DSO_free(ctx->dynamic_dso);
+                        ctx->dynamic_dso = NULL;
+                        ENGINEerr(ENGINE_F_DYNAMIC_LOAD,
+                                ENGINE_R_VERSION_INCOMPATIBILITY);
+                        return 0;
+                        }
+                }
+        /* First binary copy the ENGINE structure so that we can roll back if
+         * the hand-over fails */
+        memcpy(&cpy, e, sizeof(ENGINE));
+        /* Provide the ERR, "ex_data", memory, and locking callbacks so the
+         * loaded library uses our state rather than its own. FIXME: As noted in
+         * engine.h, much of this would be simplified if each area of code
+         * provided its own "summary" structure of all related callbacks. It
+         * would also increase opaqueness. */
+        fns.err_fns = ERR_get_implementation();
+        fns.ex_data_fns = CRYPTO_get_ex_data_implementation();
+        CRYPTO_get_mem_functions(&fns.mem_fns.malloc_cb,
+                                &fns.mem_fns.realloc_cb,
+                                &fns.mem_fns.free_cb);
+        fns.lock_fns.lock_locking_cb = CRYPTO_get_locking_callback();
+        fns.lock_fns.lock_add_lock_cb = CRYPTO_get_add_lock_callback();
+        fns.lock_fns.dynlock_create_cb = CRYPTO_get_dynlock_create_callback();
+        fns.lock_fns.dynlock_lock_cb = CRYPTO_get_dynlock_lock_callback();
+        fns.lock_fns.dynlock_destroy_cb = CRYPTO_get_dynlock_destroy_callback();
+        /* Now that we've loaded the dynamic engine, make sure no "dynamic"
+         * ENGINE elements will show through. */
+        engine_set_all_null(e);
+
+        /* Try to bind the ENGINE onto our own ENGINE structure */
+        if(!ctx->bind_engine(e, ctx->engine_id, &fns))
+                {
+                ctx->bind_engine = NULL;
+                ctx->v_check = NULL;
+                DSO_free(ctx->dynamic_dso);
+                ctx->dynamic_dso = NULL;
+                ENGINEerr(ENGINE_F_DYNAMIC_LOAD,ENGINE_R_INIT_FAILED);
+                /* Copy the original ENGINE structure back */
+                memcpy(e, &cpy, sizeof(ENGINE));
+                return 0;
+                }
+        /* Do we try to add this ENGINE to the internal list too? */
+        if(ctx->list_add_value > 0)
+                {
+                if(!ENGINE_add(e))
+                        {
+                        /* Do we tolerate this or fail? */
+                        if(ctx->list_add_value > 1)
+                                {
+                                /* Fail - NB: By this time, it's too late to
+                                 * rollback, and trying to do so allows the
+                                 * bind_engine() code to have created leaks. We
+                                 * just have to fail where we are, after the
+                                 * ENGINE has changed. */
+                                ENGINEerr(ENGINE_F_DYNAMIC_LOAD,
+                                        ENGINE_R_CONFLICTING_ENGINE_ID);
+                                return 0;
+                                }
+                        /* Tolerate */
+                        ERR_clear_error();
+                        }
+                }
+        return 1;
+        }
diff --git a/src/lib/libssl/src/crypto/engine/eng_err.c b/src/lib/libssl/src/crypto/engine/eng_err.c
new file mode 100644
index 0000000000..f6c5630395
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/eng_err.c
@@ -0,0 +1,165 @@
+/* crypto/engine/eng_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/engine.h>
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA ENGINE_str_functs[]=
+        {
+{ERR_PACK(0,ENGINE_F_DYNAMIC_CTRL,0),   "DYNAMIC_CTRL"},
+{ERR_PACK(0,ENGINE_F_DYNAMIC_GET_DATA_CTX,0),   "DYNAMIC_GET_DATA_CTX"},
+{ERR_PACK(0,ENGINE_F_DYNAMIC_LOAD,0),   "DYNAMIC_LOAD"},
+{ERR_PACK(0,ENGINE_F_ENGINE_ADD,0),     "ENGINE_add"},
+{ERR_PACK(0,ENGINE_F_ENGINE_BY_ID,0),   "ENGINE_by_id"},
+{ERR_PACK(0,ENGINE_F_ENGINE_CMD_IS_EXECUTABLE,0),       "ENGINE_cmd_is_executable"},
+{ERR_PACK(0,ENGINE_F_ENGINE_CTRL,0),    "ENGINE_ctrl"},
+{ERR_PACK(0,ENGINE_F_ENGINE_CTRL_CMD,0),        "ENGINE_ctrl_cmd"},
+{ERR_PACK(0,ENGINE_F_ENGINE_CTRL_CMD_STRING,0), "ENGINE_ctrl_cmd_string"},
+{ERR_PACK(0,ENGINE_F_ENGINE_FINISH,0),  "ENGINE_finish"},
+{ERR_PACK(0,ENGINE_F_ENGINE_FREE,0),    "ENGINE_free"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_CIPHER,0),      "ENGINE_get_cipher"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_DEFAULT_TYPE,0),        "ENGINE_GET_DEFAULT_TYPE"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_DIGEST,0),      "ENGINE_get_digest"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_NEXT,0),        "ENGINE_get_next"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_PREV,0),        "ENGINE_get_prev"},
+{ERR_PACK(0,ENGINE_F_ENGINE_INIT,0),    "ENGINE_init"},
+{ERR_PACK(0,ENGINE_F_ENGINE_LIST_ADD,0),        "ENGINE_LIST_ADD"},
+{ERR_PACK(0,ENGINE_F_ENGINE_LIST_REMOVE,0),     "ENGINE_LIST_REMOVE"},
+{ERR_PACK(0,ENGINE_F_ENGINE_LOAD_PRIVATE_KEY,0),        "ENGINE_load_private_key"},
+{ERR_PACK(0,ENGINE_F_ENGINE_LOAD_PUBLIC_KEY,0), "ENGINE_load_public_key"},
+{ERR_PACK(0,ENGINE_F_ENGINE_MODULE_INIT,0),     "ENGINE_MODULE_INIT"},
+{ERR_PACK(0,ENGINE_F_ENGINE_NEW,0),     "ENGINE_new"},
+{ERR_PACK(0,ENGINE_F_ENGINE_REMOVE,0),  "ENGINE_remove"},
+{ERR_PACK(0,ENGINE_F_ENGINE_SET_DEFAULT_STRING,0),      "ENGINE_set_default_string"},
+{ERR_PACK(0,ENGINE_F_ENGINE_SET_DEFAULT_TYPE,0),        "ENGINE_SET_DEFAULT_TYPE"},
+{ERR_PACK(0,ENGINE_F_ENGINE_SET_ID,0),  "ENGINE_set_id"},
+{ERR_PACK(0,ENGINE_F_ENGINE_SET_NAME,0),        "ENGINE_set_name"},
+{ERR_PACK(0,ENGINE_F_ENGINE_TABLE_REGISTER,0),  "ENGINE_TABLE_REGISTER"},
+{ERR_PACK(0,ENGINE_F_ENGINE_UNLOAD_KEY,0),      "ENGINE_UNLOAD_KEY"},
+{ERR_PACK(0,ENGINE_F_INT_CTRL_HELPER,0),        "INT_CTRL_HELPER"},
+{ERR_PACK(0,ENGINE_F_INT_ENGINE_CONFIGURE,0),   "INT_ENGINE_CONFIGURE"},
+{ERR_PACK(0,ENGINE_F_LOG_MESSAGE,0),    "LOG_MESSAGE"},
+{ERR_PACK(0,ENGINE_F_SET_DATA_CTX,0),   "SET_DATA_CTX"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA ENGINE_str_reasons[]=
+        {
+{ENGINE_R_ALREADY_LOADED                 ,"already loaded"},
+{ENGINE_R_ARGUMENT_IS_NOT_A_NUMBER       ,"argument is not a number"},
+{ENGINE_R_CMD_NOT_EXECUTABLE             ,"cmd not executable"},
+{ENGINE_R_COMMAND_TAKES_INPUT            ,"command takes input"},
+{ENGINE_R_COMMAND_TAKES_NO_INPUT         ,"command takes no input"},
+{ENGINE_R_CONFLICTING_ENGINE_ID          ,"conflicting engine id"},
+{ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED   ,"ctrl command not implemented"},
+{ENGINE_R_DH_NOT_IMPLEMENTED             ,"dh not implemented"},
+{ENGINE_R_DSA_NOT_IMPLEMENTED            ,"dsa not implemented"},
+{ENGINE_R_DSO_FAILURE                    ,"DSO failure"},
+{ENGINE_R_DSO_NOT_FOUND                  ,"dso not found"},
+{ENGINE_R_ENGINES_SECTION_ERROR          ,"engines section error"},
+{ENGINE_R_ENGINE_IS_NOT_IN_LIST          ,"engine is not in the list"},
+{ENGINE_R_ENGINE_SECTION_ERROR           ,"engine section error"},
+{ENGINE_R_FAILED_LOADING_PRIVATE_KEY     ,"failed loading private key"},
+{ENGINE_R_FAILED_LOADING_PUBLIC_KEY      ,"failed loading public key"},
+{ENGINE_R_FINISH_FAILED                  ,"finish failed"},
+{ENGINE_R_GET_HANDLE_FAILED              ,"could not obtain hardware handle"},
+{ENGINE_R_ID_OR_NAME_MISSING             ,"'id' or 'name' missing"},
+{ENGINE_R_INIT_FAILED                    ,"init failed"},
+{ENGINE_R_INTERNAL_LIST_ERROR            ,"internal list error"},
+{ENGINE_R_INVALID_ARGUMENT               ,"invalid argument"},
+{ENGINE_R_INVALID_CMD_NAME               ,"invalid cmd name"},
+{ENGINE_R_INVALID_CMD_NUMBER             ,"invalid cmd number"},
+{ENGINE_R_INVALID_INIT_VALUE             ,"invalid init value"},
+{ENGINE_R_INVALID_STRING                 ,"invalid string"},
+{ENGINE_R_NOT_INITIALISED                ,"not initialised"},
+{ENGINE_R_NOT_LOADED                     ,"not loaded"},
+{ENGINE_R_NO_CONTROL_FUNCTION            ,"no control function"},
+{ENGINE_R_NO_INDEX                       ,"no index"},
+{ENGINE_R_NO_LOAD_FUNCTION               ,"no load function"},
+{ENGINE_R_NO_REFERENCE                   ,"no reference"},
+{ENGINE_R_NO_SUCH_ENGINE                 ,"no such engine"},
+{ENGINE_R_NO_UNLOAD_FUNCTION             ,"no unload function"},
+{ENGINE_R_PROVIDE_PARAMETERS             ,"provide parameters"},
+{ENGINE_R_RSA_NOT_IMPLEMENTED            ,"rsa not implemented"},
+{ENGINE_R_UNIMPLEMENTED_CIPHER           ,"unimplemented cipher"},
+{ENGINE_R_UNIMPLEMENTED_DIGEST           ,"unimplemented digest"},
+{ENGINE_R_VERSION_INCOMPATIBILITY        ,"version incompatibility"},
+{0,NULL}
+        };
+
+#endif
+
+void ERR_load_ENGINE_strings(void)
+        {
+        static int init=1;
+
+        if (init)
+                {
+                init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(ERR_LIB_ENGINE,ENGINE_str_functs);
+                ERR_load_strings(ERR_LIB_ENGINE,ENGINE_str_reasons);
+#endif
+
+                }
+        }
diff --git a/src/lib/libssl/src/crypto/engine/eng_fat.c b/src/lib/libssl/src/crypto/engine/eng_fat.c
new file mode 100644
index 0000000000..af918b1499
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/eng_fat.c
@@ -0,0 +1,148 @@
+/* crypto/engine/eng_fat.c */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include "eng_int.h"
+#include <openssl/engine.h>
+#include <openssl/conf.h>
+
+int ENGINE_set_default(ENGINE *e, unsigned int flags)
+        {
+        if((flags & ENGINE_METHOD_CIPHERS) && !ENGINE_set_default_ciphers(e))
+                return 0;
+        if((flags & ENGINE_METHOD_DIGESTS) && !ENGINE_set_default_digests(e))
+                return 0;
+#ifndef OPENSSL_NO_RSA
+        if((flags & ENGINE_METHOD_RSA) & !ENGINE_set_default_RSA(e))
+                return 0;
+#endif
+#ifndef OPENSSL_NO_DSA
+        if((flags & ENGINE_METHOD_DSA) & !ENGINE_set_default_DSA(e))
+                return 0;
+#endif
+#ifndef OPENSSL_NO_DH
+        if((flags & ENGINE_METHOD_DH) & !ENGINE_set_default_DH(e))
+                return 0;
+#endif
+        if((flags & ENGINE_METHOD_RAND) & !ENGINE_set_default_RAND(e))
+                return 0;
+        return 1;
+        }
+
+/* Set default algorithms using a string */
+
+int int_def_cb(const char *alg, int len, void *arg)
+        {
+        unsigned int *pflags = arg;
+        if (!strncmp(alg, "ALL", len))
+                *pflags |= ENGINE_METHOD_ALL;
+        else if (!strncmp(alg, "RSA", len))
+                *pflags |= ENGINE_METHOD_RSA;
+        else if (!strncmp(alg, "DSA", len))
+                *pflags |= ENGINE_METHOD_DSA;
+        else if (!strncmp(alg, "DH", len))
+                *pflags |= ENGINE_METHOD_DH;
+        else if (!strncmp(alg, "RAND", len))
+                *pflags |= ENGINE_METHOD_RAND;
+        else if (!strncmp(alg, "CIPHERS", len))
+                *pflags |= ENGINE_METHOD_CIPHERS;
+        else if (!strncmp(alg, "DIGESTS", len))
+                *pflags |= ENGINE_METHOD_DIGESTS;
+        else
+                return 0;
+        return 1;
+        }
+
+
+int ENGINE_set_default_string(ENGINE *e, const char *list)
+        {
+        unsigned int flags = 0;
+        if (!CONF_parse_list(list, ',', 1, int_def_cb, &flags))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_SET_DEFAULT_STRING,
+                                        ENGINE_R_INVALID_STRING);
+                ERR_add_error_data(2, "str=",list);
+                return 0;
+                }
+        return ENGINE_set_default(e, flags);
+        }
+
+int ENGINE_register_complete(ENGINE *e)
+        {
+        ENGINE_register_ciphers(e);
+        ENGINE_register_digests(e);
+#ifndef OPENSSL_NO_RSA
+        ENGINE_register_RSA(e);
+#endif
+#ifndef OPENSSL_NO_DSA
+        ENGINE_register_DSA(e);
+#endif
+#ifndef OPENSSL_NO_DH
+        ENGINE_register_DH(e);
+#endif
+        ENGINE_register_RAND(e);
+        return 1;
+        }
+
+int ENGINE_register_all_complete(void)
+        {
+        ENGINE *e;
+
+        for(e=ENGINE_get_first() ; e ; e=ENGINE_get_next(e)) {
+                ENGINE_register_complete(e);
+        }
+        return 1;
+        }
diff --git a/src/lib/libssl/src/crypto/engine/eng_init.c b/src/lib/libssl/src/crypto/engine/eng_init.c
new file mode 100644
index 0000000000..cc9396e863
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/eng_init.c
@@ -0,0 +1,158 @@
+/* crypto/engine/eng_init.c */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include "eng_int.h"
+#include <openssl/engine.h>
+
+/* Initialise a engine type for use (or up its functional reference count
+ * if it's already in use). This version is only used internally. */
+int engine_unlocked_init(ENGINE *e)
+        {
+        int to_return = 1;
+
+        if((e->funct_ref == 0) && e->init)
+                /* This is the first functional reference and the engine
+                 * requires initialisation so we do it now. */
+                to_return = e->init(e);
+        if(to_return)
+                {
+                /* OK, we return a functional reference which is also a
+                 * structural reference. */
+                e->struct_ref++;
+                e->funct_ref++;
+                engine_ref_debug(e, 0, 1)
+                engine_ref_debug(e, 1, 1)
+                }
+        return to_return;
+        }
+
+/* Free a functional reference to a engine type. This version is only used
+ * internally. */
+int engine_unlocked_finish(ENGINE *e, int unlock_for_handlers)
+        {
+        int to_return = 1;
+
+        /* Reduce the functional reference count here so if it's the terminating
+         * case, we can release the lock safely and call the finish() handler
+         * without risk of a race. We get a race if we leave the count until
+         * after and something else is calling "finish" at the same time -
+         * there's a chance that both threads will together take the count from
+         * 2 to 0 without either calling finish(). */
+        e->funct_ref--;
+        engine_ref_debug(e, 1, -1);
+        if((e->funct_ref == 0) && e->finish)
+                {
+                if(unlock_for_handlers)
+                        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+                to_return = e->finish(e);
+                if(unlock_for_handlers)
+                        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+                if(!to_return)
+                        return 0;
+                }
+#ifdef REF_CHECK
+        if(e->funct_ref < 0)
+                {
+                fprintf(stderr,"ENGINE_finish, bad functional reference count\n");
+                abort();
+                }
+#endif
+        /* Release the structural reference too */
+        if(!engine_free_util(e, 0))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_FINISH,ENGINE_R_FINISH_FAILED);
+                return 0;
+                }
+        return to_return;
+        }
+
+/* The API (locked) version of "init" */
+int ENGINE_init(ENGINE *e)
+        {
+        int ret;
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_INIT,ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        ret = engine_unlocked_init(e);
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        return ret;
+        }
+
+/* The API (locked) version of "finish" */
+int ENGINE_finish(ENGINE *e)
+        {
+        int to_return = 1;
+
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_FINISH,ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        to_return = engine_unlocked_finish(e, 1);
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        if(!to_return)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_FINISH,ENGINE_R_FINISH_FAILED);
+                return 0;
+                }
+        return to_return;
+        }
+
diff --git a/src/lib/libssl/src/crypto/engine/eng_int.h b/src/lib/libssl/src/crypto/engine/eng_int.h
new file mode 100644
index 0000000000..38335f99cd
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/eng_int.h
@@ -0,0 +1,185 @@
+/* crypto/engine/eng_int.h */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_ENGINE_INT_H
+#define HEADER_ENGINE_INT_H
+
+/* Take public definitions from engine.h */
+#include <openssl/engine.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/* If we compile with this symbol defined, then both reference counts in the
+ * ENGINE structure will be monitored with a line of output on stderr for each
+ * change. This prints the engine's pointer address (truncated to unsigned int),
+ * "struct" or "funct" to indicate the reference type, the before and after
+ * reference count, and the file:line-number pair. The "engine_ref_debug"
+ * statements must come *after* the change. */
+#ifdef ENGINE_REF_COUNT_DEBUG
+
+#define engine_ref_debug(e, isfunct, diff) \
+        fprintf(stderr, "engine: %08x %s from %d to %d (%s:%d)\n", \
+                (unsigned int)(e), (isfunct ? "funct" : "struct"), \
+                ((isfunct) ? ((e)->funct_ref - (diff)) : ((e)->struct_ref - (diff))), \
+                ((isfunct) ? (e)->funct_ref : (e)->struct_ref), \
+                (__FILE__), (__LINE__));
+
+#else
+
+#define engine_ref_debug(e, isfunct, diff)
+
+#endif
+
+/* Any code that will need cleanup operations should use these functions to
+ * register callbacks. ENGINE_cleanup() will call all registered callbacks in
+ * order. NB: both the "add" functions assume CRYPTO_LOCK_ENGINE to already be
+ * held (in "write" mode). */
+typedef void (ENGINE_CLEANUP_CB)(void);
+typedef struct st_engine_cleanup_item
+        {
+        ENGINE_CLEANUP_CB *cb;
+        } ENGINE_CLEANUP_ITEM;
+DECLARE_STACK_OF(ENGINE_CLEANUP_ITEM)
+void engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb);
+void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb);
+
+/* We need stacks of ENGINEs for use in eng_table.c */
+DECLARE_STACK_OF(ENGINE)
+
+/* If this symbol is defined then engine_table_select(), the function that is
+ * used by RSA, DSA (etc) code to select registered ENGINEs, cache defaults and
+ * functional references (etc), will display debugging summaries to stderr. */
+/* #define ENGINE_TABLE_DEBUG */
+
+/* This represents an implementation table. Dependent code should instantiate it
+ * as a (ENGINE_TABLE *) pointer value set initially to NULL. */
+typedef struct st_engine_table ENGINE_TABLE;
+int engine_table_register(ENGINE_TABLE **table, ENGINE_CLEANUP_CB *cleanup,
+                ENGINE *e, const int *nids, int num_nids, int setdefault);
+void engine_table_unregister(ENGINE_TABLE **table, ENGINE *e);
+void engine_table_cleanup(ENGINE_TABLE **table);
+#ifndef ENGINE_TABLE_DEBUG
+ENGINE *engine_table_select(ENGINE_TABLE **table, int nid);
+#else
+ENGINE *engine_table_select_tmp(ENGINE_TABLE **table, int nid, const char *f, int l);
+#define engine_table_select(t,n) engine_table_select_tmp(t,n,__FILE__,__LINE__)
+#endif
+
+/* Internal versions of API functions that have control over locking. These are
+ * used between C files when functionality needs to be shared but the caller may
+ * already be controlling of the CRYPTO_LOCK_ENGINE lock. */
+int engine_unlocked_init(ENGINE *e);
+int engine_unlocked_finish(ENGINE *e, int unlock_for_handlers);
+int engine_free_util(ENGINE *e, int locked);
+
+/* This function will reset all "set"able values in an ENGINE to NULL. This
+ * won't touch reference counts or ex_data, but is equivalent to calling all the
+ * ENGINE_set_***() functions with a NULL value. */
+void engine_set_all_null(ENGINE *e);
+
+/* NB: Bitwise OR-able values for the "flags" variable in ENGINE are now exposed
+ * in engine.h. */
+
+/* This is a structure for storing implementations of various crypto
+ * algorithms and functions. */
+struct engine_st
+        {
+        const char *id;
+        const char *name;
+        const RSA_METHOD *rsa_meth;
+        const DSA_METHOD *dsa_meth;
+        const DH_METHOD *dh_meth;
+        const RAND_METHOD *rand_meth;
+        /* Cipher handling is via this callback */
+        ENGINE_CIPHERS_PTR ciphers;
+        /* Digest handling is via this callback */
+        ENGINE_DIGESTS_PTR digests;
+
+
+        ENGINE_GEN_INT_FUNC_PTR destroy;
+
+        ENGINE_GEN_INT_FUNC_PTR init;
+        ENGINE_GEN_INT_FUNC_PTR finish;
+        ENGINE_CTRL_FUNC_PTR ctrl;
+        ENGINE_LOAD_KEY_PTR load_privkey;
+        ENGINE_LOAD_KEY_PTR load_pubkey;
+
+        const ENGINE_CMD_DEFN *cmd_defns;
+        int flags;
+        /* reference count on the structure itself */
+        int struct_ref;
+        /* reference count on usability of the engine type. NB: This
+         * controls the loading and initialisation of any functionlity
+         * required by this engine, whereas the previous count is
+         * simply to cope with (de)allocation of this structure. Hence,
+         * running_ref <= struct_ref at all times. */
+        int funct_ref;
+        /* A place to store per-ENGINE data */
+        CRYPTO_EX_DATA ex_data;
+        /* Used to maintain the linked-list of engines. */
+        struct engine_st *prev;
+        struct engine_st *next;
+        };
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif /* HEADER_ENGINE_INT_H */
diff --git a/src/lib/libssl/src/crypto/engine/eng_lib.c b/src/lib/libssl/src/crypto/engine/eng_lib.c
new file mode 100644
index 0000000000..a66d0f08af
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/eng_lib.c
@@ -0,0 +1,321 @@
+/* crypto/engine/eng_lib.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include "eng_int.h"
+#include <openssl/rand.h> /* FIXME: This shouldn't be needed */
+#include <openssl/engine.h>
+
+/* The "new"/"free" stuff first */
+
+ENGINE *ENGINE_new(void)
+        {
+        ENGINE *ret;
+
+        ret = (ENGINE *)OPENSSL_malloc(sizeof(ENGINE));
+        if(ret == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_NEW, ERR_R_MALLOC_FAILURE);
+                return NULL;
+                }
+        memset(ret, 0, sizeof(ENGINE));
+        ret->struct_ref = 1;
+        engine_ref_debug(ret, 0, 1)
+        CRYPTO_new_ex_data(CRYPTO_EX_INDEX_ENGINE, ret, &ret->ex_data);
+        return ret;
+        }
+
+/* Placed here (close proximity to ENGINE_new) so that modifications to the
+ * elements of the ENGINE structure are more likely to be caught and changed
+ * here. */
+void engine_set_all_null(ENGINE *e)
+        {
+        e->id = NULL;
+        e->name = NULL;
+        e->rsa_meth = NULL;
+        e->dsa_meth = NULL;
+        e->dh_meth = NULL;
+        e->rand_meth = NULL;
+        e->ciphers = NULL;
+        e->digests = NULL;
+        e->destroy = NULL;
+        e->init = NULL;
+        e->finish = NULL;
+        e->ctrl = NULL;
+        e->load_privkey = NULL;
+        e->load_pubkey = NULL;
+        e->cmd_defns = NULL;
+        e->flags = 0;
+        }
+
+int engine_free_util(ENGINE *e, int locked)
+        {
+        int i;
+
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_FREE,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        if(locked)
+                i = CRYPTO_add(&e->struct_ref,-1,CRYPTO_LOCK_ENGINE);
+        else
+                i = --e->struct_ref;
+        engine_ref_debug(e, 0, -1)
+        if (i > 0) return 1;
+#ifdef REF_CHECK
+        if (i < 0)
+                {
+                fprintf(stderr,"ENGINE_free, bad structural reference count\n");
+                abort();
+                }
+#endif
+        /* Give the ENGINE a chance to do any structural cleanup corresponding
+         * to allocation it did in its constructor (eg. unload error strings) */
+        if(e->destroy)
+                e->destroy(e);
+        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_ENGINE, e, &e->ex_data);
+        OPENSSL_free(e);
+        return 1;
+        }
+
+int ENGINE_free(ENGINE *e)
+        {
+        return engine_free_util(e, 1);
+        }
+
+/* Cleanup stuff */
+
+/* ENGINE_cleanup() is coded such that anything that does work that will need
+ * cleanup can register a "cleanup" callback here. That way we don't get linker
+ * bloat by referring to all *possible* cleanups, but any linker bloat into code
+ * "X" will cause X's cleanup function to end up here. */
+static STACK_OF(ENGINE_CLEANUP_ITEM) *cleanup_stack = NULL;
+static int int_cleanup_check(int create)
+        {
+        if(cleanup_stack) return 1;
+        if(!create) return 0;
+        cleanup_stack = sk_ENGINE_CLEANUP_ITEM_new_null();
+        return (cleanup_stack ? 1 : 0);
+        }
+static ENGINE_CLEANUP_ITEM *int_cleanup_item(ENGINE_CLEANUP_CB *cb)
+        {
+        ENGINE_CLEANUP_ITEM *item = OPENSSL_malloc(sizeof(
+                                        ENGINE_CLEANUP_ITEM));
+        if(!item) return NULL;
+        item->cb = cb;
+        return item;
+        }
+void engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb)
+        {
+        ENGINE_CLEANUP_ITEM *item;
+        if(!int_cleanup_check(1)) return;
+        item = int_cleanup_item(cb);
+        if(item)
+                sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0);
+        }
+void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb)
+        {
+        ENGINE_CLEANUP_ITEM *item;
+        if(!int_cleanup_check(1)) return;
+        item = int_cleanup_item(cb);
+        if(item)
+                sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item);
+        }
+/* The API function that performs all cleanup */
+static void engine_cleanup_cb_free(ENGINE_CLEANUP_ITEM *item)
+        {
+        (*(item->cb))();
+        OPENSSL_free(item);
+        }
+void ENGINE_cleanup(void)
+        {
+        if(int_cleanup_check(0))
+                {
+                sk_ENGINE_CLEANUP_ITEM_pop_free(cleanup_stack,
+                        engine_cleanup_cb_free);
+                cleanup_stack = NULL;
+                }
+        /* FIXME: This should be handled (somehow) through RAND, eg. by it
+         * registering a cleanup callback. */
+        RAND_set_rand_method(NULL);
+        }
+
+/* Now the "ex_data" support */
+
+int ENGINE_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+                CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
+        {
+        return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_ENGINE, argl, argp,
+                        new_func, dup_func, free_func);
+        }
+
+int ENGINE_set_ex_data(ENGINE *e, int idx, void *arg)
+        {
+        return(CRYPTO_set_ex_data(&e->ex_data, idx, arg));
+        }
+
+void *ENGINE_get_ex_data(const ENGINE *e, int idx)
+        {
+        return(CRYPTO_get_ex_data(&e->ex_data, idx));
+        }
+
+/* Functions to get/set an ENGINE's elements - mainly to avoid exposing the
+ * ENGINE structure itself. */
+
+int ENGINE_set_id(ENGINE *e, const char *id)
+        {
+        if(id == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_SET_ID,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        e->id = id;
+        return 1;
+        }
+
+int ENGINE_set_name(ENGINE *e, const char *name)
+        {
+        if(name == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_SET_NAME,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        e->name = name;
+        return 1;
+        }
+
+int ENGINE_set_destroy_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR destroy_f)
+        {
+        e->destroy = destroy_f;
+        return 1;
+        }
+
+int ENGINE_set_init_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR init_f)
+        {
+        e->init = init_f;
+        return 1;
+        }
+
+int ENGINE_set_finish_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR finish_f)
+        {
+        e->finish = finish_f;
+        return 1;
+        }
+
+int ENGINE_set_ctrl_function(ENGINE *e, ENGINE_CTRL_FUNC_PTR ctrl_f)
+        {
+        e->ctrl = ctrl_f;
+        return 1;
+        }
+
+int ENGINE_set_flags(ENGINE *e, int flags)
+        {
+        e->flags = flags;
+        return 1;
+        }
+
+int ENGINE_set_cmd_defns(ENGINE *e, const ENGINE_CMD_DEFN *defns)
+        {
+        e->cmd_defns = defns;
+        return 1;
+        }
+
+const char *ENGINE_get_id(const ENGINE *e)
+        {
+        return e->id;
+        }
+
+const char *ENGINE_get_name(const ENGINE *e)
+        {
+        return e->name;
+        }
+
+ENGINE_GEN_INT_FUNC_PTR ENGINE_get_destroy_function(const ENGINE *e)
+        {
+        return e->destroy;
+        }
+
+ENGINE_GEN_INT_FUNC_PTR ENGINE_get_init_function(const ENGINE *e)
+        {
+        return e->init;
+        }
+
+ENGINE_GEN_INT_FUNC_PTR ENGINE_get_finish_function(const ENGINE *e)
+        {
+        return e->finish;
+        }
+
+ENGINE_CTRL_FUNC_PTR ENGINE_get_ctrl_function(const ENGINE *e)
+        {
+        return e->ctrl;
+        }
+
+int ENGINE_get_flags(const ENGINE *e)
+        {
+        return e->flags;
+        }
+
+const ENGINE_CMD_DEFN *ENGINE_get_cmd_defns(const ENGINE *e)
+        {
+        return e->cmd_defns;
+        }
diff --git a/src/lib/libssl/src/crypto/engine/eng_list.c b/src/lib/libssl/src/crypto/engine/eng_list.c
new file mode 100644
index 0000000000..ce48d2255a
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/eng_list.c
@@ -0,0 +1,383 @@
+/* crypto/engine/eng_list.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include "eng_int.h"
+#include <openssl/engine.h>
+
+/* The linked-list of pointers to engine types. engine_list_head
+ * incorporates an implicit structural reference but engine_list_tail
+ * does not - the latter is a computational niceity and only points
+ * to something that is already pointed to by its predecessor in the
+ * list (or engine_list_head itself). In the same way, the use of the
+ * "prev" pointer in each ENGINE is to save excessive list iteration,
+ * it doesn't correspond to an extra structural reference. Hence,
+ * engine_list_head, and each non-null "next" pointer account for
+ * the list itself assuming exactly 1 structural reference on each
+ * list member. */
+static ENGINE *engine_list_head = NULL;
+static ENGINE *engine_list_tail = NULL;
+
+/* This cleanup function is only needed internally. If it should be called, we
+ * register it with the "ENGINE_cleanup()" stack to be called during cleanup. */
+
+static void engine_list_cleanup(void)
+        {
+        ENGINE *iterator = engine_list_head;
+
+        while(iterator != NULL)
+                {
+                ENGINE_remove(iterator);
+                iterator = engine_list_head;
+                }
+        return;
+        }
+
+/* These static functions starting with a lower case "engine_" always
+ * take place when CRYPTO_LOCK_ENGINE has been locked up. */
+static int engine_list_add(ENGINE *e)
+        {
+        int conflict = 0;
+        ENGINE *iterator = NULL;
+
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LIST_ADD,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        iterator = engine_list_head;
+        while(iterator && !conflict)
+                {
+                conflict = (strcmp(iterator->id, e->id) == 0);
+                iterator = iterator->next;
+                }
+        if(conflict)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LIST_ADD,
+                        ENGINE_R_CONFLICTING_ENGINE_ID);
+                return 0;
+                }
+        if(engine_list_head == NULL)
+                {
+                /* We are adding to an empty list. */
+                if(engine_list_tail)
+                        {
+                        ENGINEerr(ENGINE_F_ENGINE_LIST_ADD,
+                                ENGINE_R_INTERNAL_LIST_ERROR);
+                        return 0;
+                        }
+                engine_list_head = e;
+                e->prev = NULL;
+                /* The first time the list allocates, we should register the
+                 * cleanup. */
+                engine_cleanup_add_last(engine_list_cleanup);
+                }
+        else
+                {
+                /* We are adding to the tail of an existing list. */
+                if((engine_list_tail == NULL) ||
+                                (engine_list_tail->next != NULL))
+                        {
+                        ENGINEerr(ENGINE_F_ENGINE_LIST_ADD,
+                                ENGINE_R_INTERNAL_LIST_ERROR);
+                        return 0;
+                        }
+                engine_list_tail->next = e;
+                e->prev = engine_list_tail;
+                }
+        /* Having the engine in the list assumes a structural
+         * reference. */
+        e->struct_ref++;
+        engine_ref_debug(e, 0, 1)
+        /* However it came to be, e is the last item in the list. */
+        engine_list_tail = e;
+        e->next = NULL;
+        return 1;
+        }
+
+static int engine_list_remove(ENGINE *e)
+        {
+        ENGINE *iterator;
+
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LIST_REMOVE,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        /* We need to check that e is in our linked list! */
+        iterator = engine_list_head;
+        while(iterator && (iterator != e))
+                iterator = iterator->next;
+        if(iterator == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LIST_REMOVE,
+                        ENGINE_R_ENGINE_IS_NOT_IN_LIST);
+                return 0;
+                }
+        /* un-link e from the chain. */
+        if(e->next)
+                e->next->prev = e->prev;
+        if(e->prev)
+                e->prev->next = e->next;
+        /* Correct our head/tail if necessary. */
+        if(engine_list_head == e)
+                engine_list_head = e->next;
+        if(engine_list_tail == e)
+                engine_list_tail = e->prev;
+        engine_free_util(e, 0);
+        return 1;
+        }
+
+/* Get the first/last "ENGINE" type available. */
+ENGINE *ENGINE_get_first(void)
+        {
+        ENGINE *ret;
+
+        CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
+        ret = engine_list_head;
+        if(ret)
+                {
+                ret->struct_ref++;
+                engine_ref_debug(ret, 0, 1)
+                }
+        CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+        return ret;
+        }
+
+ENGINE *ENGINE_get_last(void)
+        {
+        ENGINE *ret;
+
+        CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
+                ret = engine_list_tail;
+        if(ret)
+                {
+                ret->struct_ref++;
+                engine_ref_debug(ret, 0, 1)
+                }
+        CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+        return ret;
+        }
+
+/* Iterate to the next/previous "ENGINE" type (NULL = end of the list). */
+ENGINE *ENGINE_get_next(ENGINE *e)
+        {
+        ENGINE *ret = NULL;
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_GET_NEXT,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
+        ret = e->next;
+        if(ret)
+                {
+                /* Return a valid structural refernce to the next ENGINE */
+                ret->struct_ref++;
+                engine_ref_debug(ret, 0, 1)
+                }
+        CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+        /* Release the structural reference to the previous ENGINE */
+        ENGINE_free(e);
+        return ret;
+        }
+
+ENGINE *ENGINE_get_prev(ENGINE *e)
+        {
+        ENGINE *ret = NULL;
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_GET_PREV,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
+        ret = e->prev;
+        if(ret)
+                {
+                /* Return a valid structural reference to the next ENGINE */
+                ret->struct_ref++;
+                engine_ref_debug(ret, 0, 1)
+                }
+        CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+        /* Release the structural reference to the previous ENGINE */
+        ENGINE_free(e);
+        return ret;
+        }
+
+/* Add another "ENGINE" type into the list. */
+int ENGINE_add(ENGINE *e)
+        {
+        int to_return = 1;
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_ADD,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        if((e->id == NULL) || (e->name == NULL))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_ADD,
+                        ENGINE_R_ID_OR_NAME_MISSING);
+                }
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        if(!engine_list_add(e))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_ADD,
+                        ENGINE_R_INTERNAL_LIST_ERROR);
+                to_return = 0;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        return to_return;
+        }
+
+/* Remove an existing "ENGINE" type from the array. */
+int ENGINE_remove(ENGINE *e)
+        {
+        int to_return = 1;
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_REMOVE,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        if(!engine_list_remove(e))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_REMOVE,
+                        ENGINE_R_INTERNAL_LIST_ERROR);
+                to_return = 0;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        return to_return;
+        }
+
+static void engine_cpy(ENGINE *dest, const ENGINE *src)
+        {
+        dest->id = src->id;
+        dest->name = src->name;
+#ifndef OPENSSL_NO_RSA
+        dest->rsa_meth = src->rsa_meth;
+#endif
+#ifndef OPENSSL_NO_DSA
+        dest->dsa_meth = src->dsa_meth;
+#endif
+#ifndef OPENSSL_NO_DH
+        dest->dh_meth = src->dh_meth;
+#endif
+        dest->rand_meth = src->rand_meth;
+        dest->ciphers = src->ciphers;
+        dest->digests = src->digests;
+        dest->destroy = src->destroy;
+        dest->init = src->init;
+        dest->finish = src->finish;
+        dest->ctrl = src->ctrl;
+        dest->load_privkey = src->load_privkey;
+        dest->load_pubkey = src->load_pubkey;
+        dest->cmd_defns = src->cmd_defns;
+        dest->flags = src->flags;
+        }
+
+ENGINE *ENGINE_by_id(const char *id)
+        {
+        ENGINE *iterator;
+        if(id == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_BY_ID,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return NULL;
+                }
+        CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
+        iterator = engine_list_head;
+        while(iterator && (strcmp(id, iterator->id) != 0)) 
+                iterator = iterator->next;
+        if(iterator)
+                {
+                /* We need to return a structural reference. If this is an
+                 * ENGINE type that returns copies, make a duplicate - otherwise
+                 * increment the existing ENGINE's reference count. */
+                if(iterator->flags & ENGINE_FLAGS_BY_ID_COPY)
+                        {
+                        ENGINE *cp = ENGINE_new();
+                        if(!cp)
+                                iterator = NULL;
+                        else
+                                {
+                                engine_cpy(cp, iterator);
+                                iterator = cp;
+                                }
+                        }
+                else
+                        {
+                        iterator->struct_ref++;
+                        engine_ref_debug(iterator, 0, 1)
+                        }
+                }
+        CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+        if(iterator == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_BY_ID,
+                        ENGINE_R_NO_SUCH_ENGINE);
+                ERR_add_error_data(2, "id=", id);
+                }
+        return iterator;
+        }
diff --git a/src/lib/libssl/src/crypto/engine/eng_openssl.c b/src/lib/libssl/src/crypto/engine/eng_openssl.c
new file mode 100644
index 0000000000..e9d976f46b
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/eng_openssl.c
@@ -0,0 +1,347 @@
+/* crypto/engine/eng_openssl.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/engine.h>
+#include <openssl/dso.h>
+#include <openssl/pem.h>
+
+/* This testing gunk is implemented (and explained) lower down. It also assumes
+ * the application explicitly calls "ENGINE_load_openssl()" because this is no
+ * longer automatic in ENGINE_load_builtin_engines(). */
+#define TEST_ENG_OPENSSL_RC4
+#define TEST_ENG_OPENSSL_PKEY
+/* #define TEST_ENG_OPENSSL_RC4_OTHERS */
+#define TEST_ENG_OPENSSL_RC4_P_INIT
+/* #define TEST_ENG_OPENSSL_RC4_P_CIPHER */
+#define TEST_ENG_OPENSSL_SHA
+/* #define TEST_ENG_OPENSSL_SHA_OTHERS */
+/* #define TEST_ENG_OPENSSL_SHA_P_INIT */
+/* #define TEST_ENG_OPENSSL_SHA_P_UPDATE */
+/* #define TEST_ENG_OPENSSL_SHA_P_FINAL */
+
+#ifdef TEST_ENG_OPENSSL_RC4
+static int openssl_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
+                                const int **nids, int nid);
+#endif
+#ifdef TEST_ENG_OPENSSL_SHA
+static int openssl_digests(ENGINE *e, const EVP_MD **digest,
+                                const int **nids, int nid);
+#endif
+
+#ifdef TEST_ENG_OPENSSL_PKEY
+static EVP_PKEY *openssl_load_privkey(ENGINE *eng, const char *key_id,
+        UI_METHOD *ui_method, void *callback_data);
+#endif
+
+/* The constants used when creating the ENGINE */
+static const char *engine_openssl_id = "openssl";
+static const char *engine_openssl_name = "Software engine support";
+
+/* This internal function is used by ENGINE_openssl() and possibly by the
+ * "dynamic" ENGINE support too */
+static int bind_helper(ENGINE *e)
+        {
+        if(!ENGINE_set_id(e, engine_openssl_id)
+                        || !ENGINE_set_name(e, engine_openssl_name)
+#ifndef TEST_ENG_OPENSSL_NO_ALGORITHMS
+#ifndef OPENSSL_NO_RSA
+                        || !ENGINE_set_RSA(e, RSA_get_default_method())
+#endif
+#ifndef OPENSSL_NO_DSA
+                        || !ENGINE_set_DSA(e, DSA_get_default_method())
+#endif
+#ifndef OPENSSL_NO_DH
+                        || !ENGINE_set_DH(e, DH_get_default_method())
+#endif
+                        || !ENGINE_set_RAND(e, RAND_SSLeay())
+#ifdef TEST_ENG_OPENSSL_RC4
+                        || !ENGINE_set_ciphers(e, openssl_ciphers)
+#endif
+#ifdef TEST_ENG_OPENSSL_SHA
+                        || !ENGINE_set_digests(e, openssl_digests)
+#endif
+#endif
+#ifdef TEST_ENG_OPENSSL_PKEY
+                        || !ENGINE_set_load_privkey_function(e, openssl_load_privkey)
+#endif
+                        )
+                return 0;
+        /* If we add errors to this ENGINE, ensure the error handling is setup here */
+        /* openssl_load_error_strings(); */
+        return 1;
+        }
+
+static ENGINE *engine_openssl(void)
+        {
+        ENGINE *ret = ENGINE_new();
+        if(!ret)
+                return NULL;
+        if(!bind_helper(ret))
+                {
+                ENGINE_free(ret);
+                return NULL;
+                }
+        return ret;
+        }
+
+void ENGINE_load_openssl(void)
+        {
+        ENGINE *toadd = engine_openssl();
+        if(!toadd) return;
+        ENGINE_add(toadd);
+        /* If the "add" worked, it gets a structural reference. So either way,
+         * we release our just-created reference. */
+        ENGINE_free(toadd);
+        ERR_clear_error();
+        }
+
+/* This stuff is needed if this ENGINE is being compiled into a self-contained
+ * shared-library. */
+#ifdef ENGINE_DYNAMIC_SUPPORT
+static int bind_fn(ENGINE *e, const char *id)
+        {
+        if(id && (strcmp(id, engine_openssl_id) != 0))
+                return 0;
+        if(!bind_helper(e))
+                return 0;
+        return 1;
+        }
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
+#endif /* ENGINE_DYNAMIC_SUPPORT */
+
+#ifdef TEST_ENG_OPENSSL_RC4
+/* This section of code compiles an "alternative implementation" of two modes of
+ * RC4 into this ENGINE. The result is that EVP_CIPHER operation for "rc4"
+ * should under normal circumstances go via this support rather than the default
+ * EVP support. There are other symbols to tweak the testing;
+ *    TEST_ENC_OPENSSL_RC4_OTHERS - print a one line message to stderr each time
+ *        we're asked for a cipher we don't support (should not happen).
+ *    TEST_ENG_OPENSSL_RC4_P_INIT - print a one line message to stderr each time
+ *        the "init_key" handler is called.
+ *    TEST_ENG_OPENSSL_RC4_P_CIPHER - ditto for the "cipher" handler.
+ */
+#include <openssl/evp.h>
+#include <openssl/rc4.h>
+#define TEST_RC4_KEY_SIZE               16
+static int test_cipher_nids[] = {NID_rc4,NID_rc4_40};
+static int test_cipher_nids_number = 2;
+typedef struct {
+        unsigned char key[TEST_RC4_KEY_SIZE];
+        RC4_KEY ks;
+        } TEST_RC4_KEY;
+#define test(ctx) ((TEST_RC4_KEY *)(ctx)->cipher_data)
+static int test_rc4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                        const unsigned char *iv, int enc)
+        {
+#ifdef TEST_ENG_OPENSSL_RC4_P_INIT
+        fprintf(stderr, "(TEST_ENG_OPENSSL_RC4) test_init_key() called\n");
+#endif
+        memcpy(&test(ctx)->key[0],key,EVP_CIPHER_CTX_key_length(ctx));
+        RC4_set_key(&test(ctx)->ks,EVP_CIPHER_CTX_key_length(ctx),
+                test(ctx)->key);
+        return 1;
+        }
+static int test_rc4_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                      const unsigned char *in, unsigned int inl)
+        {
+#ifdef TEST_ENG_OPENSSL_RC4_P_CIPHER
+        fprintf(stderr, "(TEST_ENG_OPENSSL_RC4) test_cipher() called\n");
+#endif
+        RC4(&test(ctx)->ks,inl,in,out);
+        return 1;
+        }
+static const EVP_CIPHER test_r4_cipher=
+        {
+        NID_rc4,
+        1,TEST_RC4_KEY_SIZE,0,
+        EVP_CIPH_VARIABLE_LENGTH,
+        test_rc4_init_key,
+        test_rc4_cipher,
+        NULL,
+        sizeof(TEST_RC4_KEY),
+        NULL,
+        NULL,
+        NULL
+        };
+static const EVP_CIPHER test_r4_40_cipher=
+        {
+        NID_rc4_40,
+        1,5 /* 40 bit */,0,
+        EVP_CIPH_VARIABLE_LENGTH,
+        test_rc4_init_key,
+        test_rc4_cipher,
+        NULL,
+        sizeof(TEST_RC4_KEY),
+        NULL, 
+        NULL,
+        NULL
+        };
+static int openssl_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
+                        const int **nids, int nid)
+        {
+        if(!cipher)
+                {
+                /* We are returning a list of supported nids */
+                *nids = test_cipher_nids;
+                return test_cipher_nids_number;
+                }
+        /* We are being asked for a specific cipher */
+        if(nid == NID_rc4)
+                *cipher = &test_r4_cipher;
+        else if(nid == NID_rc4_40)
+                *cipher = &test_r4_40_cipher;
+        else
+                {
+#ifdef TEST_ENG_OPENSSL_RC4_OTHERS
+                fprintf(stderr, "(TEST_ENG_OPENSSL_RC4) returning NULL for "
+                                "nid %d\n", nid);
+#endif
+                *cipher = NULL;
+                return 0;
+                }
+        return 1;
+        }
+#endif
+
+#ifdef TEST_ENG_OPENSSL_SHA
+/* Much the same sort of comment as for TEST_ENG_OPENSSL_RC4 */
+#include <openssl/evp.h>
+#include <openssl/sha.h>
+static int test_digest_nids[] = {NID_sha1};
+static int test_digest_nids_number = 1;
+static int test_sha1_init(EVP_MD_CTX *ctx)
+        {
+#ifdef TEST_ENG_OPENSSL_SHA_P_INIT
+        fprintf(stderr, "(TEST_ENG_OPENSSL_SHA) test_sha1_init() called\n");
+#endif
+        return SHA1_Init(ctx->md_data);
+        }
+static int test_sha1_update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+        {
+#ifdef TEST_ENG_OPENSSL_SHA_P_UPDATE
+        fprintf(stderr, "(TEST_ENG_OPENSSL_SHA) test_sha1_update() called\n");
+#endif
+        return SHA1_Update(ctx->md_data,data,count);
+        }
+static int test_sha1_final(EVP_MD_CTX *ctx,unsigned char *md)
+        {
+#ifdef TEST_ENG_OPENSSL_SHA_P_FINAL
+        fprintf(stderr, "(TEST_ENG_OPENSSL_SHA) test_sha1_final() called\n");
+#endif
+        return SHA1_Final(md,ctx->md_data);
+        }
+static const EVP_MD test_sha_md=
+        {
+        NID_sha1,
+        NID_sha1WithRSAEncryption,
+        SHA_DIGEST_LENGTH,
+        0,
+        test_sha1_init,
+        test_sha1_update,
+        test_sha1_final,
+        NULL,
+        NULL,
+        EVP_PKEY_RSA_method,
+        SHA_CBLOCK,
+        sizeof(EVP_MD *)+sizeof(SHA_CTX),
+        };
+static int openssl_digests(ENGINE *e, const EVP_MD **digest,
+                        const int **nids, int nid)
+        {
+        if(!digest)
+                {
+                /* We are returning a list of supported nids */
+                *nids = test_digest_nids;
+                return test_digest_nids_number;
+                }
+        /* We are being asked for a specific digest */
+        if(nid == NID_sha1)
+                *digest = &test_sha_md;
+        else
+                {
+#ifdef TEST_ENG_OPENSSL_SHA_OTHERS
+                fprintf(stderr, "(TEST_ENG_OPENSSL_SHA) returning NULL for "
+                                "nid %d\n", nid);
+#endif
+                *digest = NULL;
+                return 0;
+                }
+        return 1;
+        }
+#endif
+
+#ifdef TEST_ENG_OPENSSL_PKEY
+static EVP_PKEY *openssl_load_privkey(ENGINE *eng, const char *key_id,
+        UI_METHOD *ui_method, void *callback_data)
+        {
+        BIO *in;
+        EVP_PKEY *key;
+        fprintf(stderr, "(TEST_ENG_OPENSSL_PKEY)Loading Private key %s\n", key_id);
+        in = BIO_new_file(key_id, "r");
+        if (!in)
+                return NULL;
+        key = PEM_read_bio_PrivateKey(in, NULL, 0, NULL);
+        BIO_free(in);
+        return key;
+        }
+#endif
diff --git a/src/lib/libssl/src/crypto/engine/eng_pkey.c b/src/lib/libssl/src/crypto/engine/eng_pkey.c
new file mode 100644
index 0000000000..8c69171511
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/eng_pkey.c
@@ -0,0 +1,157 @@
+/* crypto/engine/eng_pkey.c */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include "eng_int.h"
+#include <openssl/engine.h>
+
+/* Basic get/set stuff */
+
+int ENGINE_set_load_privkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpriv_f)
+        {
+        e->load_privkey = loadpriv_f;
+        return 1;
+        }
+
+int ENGINE_set_load_pubkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpub_f)
+        {
+        e->load_pubkey = loadpub_f;
+        return 1;
+        }
+
+ENGINE_LOAD_KEY_PTR ENGINE_get_load_privkey_function(const ENGINE *e)
+        {
+        return e->load_privkey;
+        }
+
+ENGINE_LOAD_KEY_PTR ENGINE_get_load_pubkey_function(const ENGINE *e)
+        {
+        return e->load_pubkey;
+        }
+
+/* API functions to load public/private keys */
+
+EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
+        UI_METHOD *ui_method, void *callback_data)
+        {
+        EVP_PKEY *pkey;
+
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        if(e->funct_ref == 0)
+                {
+                CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY,
+                        ENGINE_R_NOT_INITIALISED);
+                return 0;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        if (!e->load_privkey)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY,
+                        ENGINE_R_NO_LOAD_FUNCTION);
+                return 0;
+                }
+        pkey = e->load_privkey(e, key_id, ui_method, callback_data);
+        if (!pkey)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY,
+                        ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
+                return 0;
+                }
+        return pkey;
+        }
+
+EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id,
+        UI_METHOD *ui_method, void *callback_data)
+        {
+        EVP_PKEY *pkey;
+
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        if(e->funct_ref == 0)
+                {
+                CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY,
+                        ENGINE_R_NOT_INITIALISED);
+                return 0;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        if (!e->load_pubkey)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY,
+                        ENGINE_R_NO_LOAD_FUNCTION);
+                return 0;
+                }
+        pkey = e->load_pubkey(e, key_id, ui_method, callback_data);
+        if (!pkey)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY,
+                        ENGINE_R_FAILED_LOADING_PUBLIC_KEY);
+                return 0;
+                }
+        return pkey;
+        }
diff --git a/src/lib/libssl/src/crypto/engine/eng_table.c b/src/lib/libssl/src/crypto/engine/eng_table.c
new file mode 100644
index 0000000000..c69a84a8bf
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/eng_table.c
@@ -0,0 +1,361 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/evp.h>
+#include <openssl/engine.h>
+#include "eng_int.h"
+
+/* This is the type of item in the 'implementation' table. Each 'nid' hashes to
+ * a (potentially NULL) ENGINE_PILE structure which contains a stack of ENGINE*
+ * pointers. These pointers aren't references, because they're inserted and
+ * removed during ENGINE creation and ENGINE destruction. They point to ENGINEs
+ * that *exist* (ie. have a structural reference count greater than zero) rather
+ * than ENGINEs that are *functional*. Each pointer in those stacks are to
+ * ENGINEs that implements the algorithm corresponding to each 'nid'. */
+
+/* The type of the items in the table */
+typedef struct st_engine_pile
+        {
+        /* The 'nid' of the algorithm/mode this ENGINE_PILE structure represents
+         * */
+        int nid;
+        /* A stack of ENGINE pointers for ENGINEs that support this
+         * algorithm/mode. In the event that 'funct' is NULL, the first entry in
+         * this stack that initialises will be set as 'funct' and assumed as the
+         * default for operations of this type. */
+        STACK_OF(ENGINE) *sk;
+        /* The default ENGINE to perform this algorithm/mode. */
+        ENGINE *funct;
+        /* This value optimises engine_table_select(). If it is called it sets
+         * this value to 1. Any changes to this ENGINE_PILE resets it to zero.
+         * As such, no ENGINE_init() thrashing is done unless ENGINEs
+         * continually register (and/or unregister). */
+        int uptodate;
+        } ENGINE_PILE;
+
+/* The type of the hash table of ENGINE_PILE structures such that each are
+ * unique and keyed by the 'nid' value. */
+struct st_engine_table
+        {
+        LHASH piles;
+        }; /* ENGINE_TABLE */
+
+/* This value stores global options controlling behaviour of (mostly) the
+ * engine_table_select() function. It's a bitmask of flag values of the form
+ * ENGINE_TABLE_FLAG_*** (as defined in engine.h) and is controlled by the
+ * ENGINE_[get|set]_table_flags() function. */
+static unsigned int table_flags = 0;
+
+/* API function manipulating 'table_flags' */
+unsigned int ENGINE_get_table_flags(void)
+        {
+        return table_flags;
+        }
+void ENGINE_set_table_flags(unsigned int flags)
+        {
+        table_flags = flags;
+        }
+
+/* Internal functions for the "piles" hash table */
+static unsigned long engine_pile_hash(const ENGINE_PILE *c)
+        {
+        return c->nid;
+        }
+static int engine_pile_cmp(const ENGINE_PILE *a, const ENGINE_PILE *b)
+        {
+        return a->nid - b->nid;
+        }
+static IMPLEMENT_LHASH_HASH_FN(engine_pile_hash, const ENGINE_PILE *)
+static IMPLEMENT_LHASH_COMP_FN(engine_pile_cmp, const ENGINE_PILE *)
+static int int_table_check(ENGINE_TABLE **t, int create)
+        {
+        LHASH *lh;
+        if(*t)
+                return 1;
+        if(!create)
+                return 0;
+        if((lh = lh_new(LHASH_HASH_FN(engine_pile_hash),
+                        LHASH_COMP_FN(engine_pile_cmp))) == NULL)
+                return 0;
+        *t = (ENGINE_TABLE *)lh;
+        return 1;
+        }
+
+/* Privately exposed (via eng_int.h) functions for adding and/or removing
+ * ENGINEs from the implementation table */
+int engine_table_register(ENGINE_TABLE **table, ENGINE_CLEANUP_CB *cleanup,
+                ENGINE *e, const int *nids, int num_nids, int setdefault)
+        {
+        int ret = 0, added = 0;
+        ENGINE_PILE tmplate, *fnd;
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        if(!(*table))
+                added = 1;
+        if(!int_table_check(table, 1))
+                goto end;
+        if(added)
+                /* The cleanup callback needs to be added */
+                engine_cleanup_add_first(cleanup);
+        while(num_nids--)
+                {
+                tmplate.nid = *nids;
+                fnd = lh_retrieve(&(*table)->piles, &tmplate);
+                if(!fnd)
+                        {
+                        fnd = OPENSSL_malloc(sizeof(ENGINE_PILE));
+                        if(!fnd)
+                                goto end;
+                        fnd->uptodate = 1;
+                        fnd->nid = *nids;
+                        fnd->sk = sk_ENGINE_new_null();
+                        if(!fnd->sk)
+                                {
+                                OPENSSL_free(fnd);
+                                goto end;
+                                }
+                        fnd->funct= NULL;
+                        lh_insert(&(*table)->piles, fnd);
+                        }
+                /* A registration shouldn't add duplciate entries */
+                sk_ENGINE_delete_ptr(fnd->sk, e);
+                /* if 'setdefault', this ENGINE goes to the head of the list */
+                if(!sk_ENGINE_push(fnd->sk, e))
+                        goto end;
+                /* "touch" this ENGINE_PILE */
+                fnd->uptodate = 0;
+                if(setdefault)
+                        {
+                        if(!engine_unlocked_init(e))
+                                {
+                                ENGINEerr(ENGINE_F_ENGINE_TABLE_REGISTER,
+                                                ENGINE_R_INIT_FAILED);
+                                goto end;
+                                }
+                        if(fnd->funct)
+                                engine_unlocked_finish(fnd->funct, 0);
+                        fnd->funct = e;
+                        }
+                nids++;
+                }
+        ret = 1;
+end:
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        return ret;
+        }
+static void int_unregister_cb(ENGINE_PILE *pile, ENGINE *e)
+        {
+        int n;
+        /* Iterate the 'c->sk' stack removing any occurance of 'e' */
+        while((n = sk_ENGINE_find(pile->sk, e)) >= 0)
+                {
+                sk_ENGINE_delete(pile->sk, n);
+                /* "touch" this ENGINE_CIPHER */
+                pile->uptodate = 0;
+                }
+        if(pile->funct == e)
+                {
+                engine_unlocked_finish(e, 0);
+                pile->funct = NULL;
+                }
+        }
+static IMPLEMENT_LHASH_DOALL_ARG_FN(int_unregister_cb,ENGINE_PILE *,ENGINE *)
+void engine_table_unregister(ENGINE_TABLE **table, ENGINE *e)
+        {
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        if(int_table_check(table, 0))
+                lh_doall_arg(&(*table)->piles,
+                        LHASH_DOALL_ARG_FN(int_unregister_cb), e);
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        }
+
+static void int_cleanup_cb(ENGINE_PILE *p)
+        {
+        sk_ENGINE_free(p->sk);
+        if(p->funct)
+                engine_unlocked_finish(p->funct, 0);
+        OPENSSL_free(p);
+        }
+static IMPLEMENT_LHASH_DOALL_FN(int_cleanup_cb,ENGINE_PILE *)
+void engine_table_cleanup(ENGINE_TABLE **table)
+        {
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        if(*table)
+                {
+                lh_doall(&(*table)->piles, LHASH_DOALL_FN(int_cleanup_cb));
+                lh_free(&(*table)->piles);
+                *table = NULL;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        }
+
+/* Exposed API function to get a functional reference from the implementation
+ * table (ie. try to get a functional reference from the tabled structural
+ * references) for a given cipher 'nid' */
+#ifndef ENGINE_TABLE_DEBUG
+ENGINE *engine_table_select(ENGINE_TABLE **table, int nid)
+#else
+ENGINE *engine_table_select_tmp(ENGINE_TABLE **table, int nid, const char *f, int l)
+#endif
+        {
+        ENGINE *ret = NULL;
+        ENGINE_PILE tmplate, *fnd=NULL;
+        int initres, loop = 0;
+
+        /* If 'engine_ciphers' is NULL, then it's absolutely *sure* that no
+         * ENGINEs have registered any implementations! */
+        if(!(*table))
+                {
+#ifdef ENGINE_TABLE_DEBUG
+                fprintf(stderr, "engine_table_dbg: %s:%d, nid=%d, no "
+                        "registered for anything!\n", f, l, nid);
+#endif
+                return NULL;
+                }
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        /* Check again inside the lock otherwise we could race against cleanup
+         * operations. But don't worry about a fprintf(stderr). */
+        if(!int_table_check(table, 0))
+                goto end;
+        tmplate.nid = nid;
+        fnd = lh_retrieve(&(*table)->piles, &tmplate);
+        if(!fnd)
+                goto end;
+        if(fnd->funct && engine_unlocked_init(fnd->funct))
+                {
+#ifdef ENGINE_TABLE_DEBUG
+                fprintf(stderr, "engine_table_dbg: %s:%d, nid=%d, using "
+                        "ENGINE '%s' cached\n", f, l, nid, fnd->funct->id);
+#endif
+                ret = fnd->funct;
+                goto end;
+                }
+        if(fnd->uptodate)
+                {
+                ret = fnd->funct;
+                goto end;
+                }
+trynext:
+        ret = sk_ENGINE_value(fnd->sk, loop++);
+        if(!ret)
+                {
+#ifdef ENGINE_TABLE_DEBUG
+                fprintf(stderr, "engine_table_dbg: %s:%d, nid=%d, no "
+                                "registered implementations would initialise\n",
+                                f, l, nid);
+#endif
+                goto end;
+                }
+#if 0
+        /* Don't need to get a reference if we hold the lock. If the locking has
+         * to change in future, that would be different ... */
+        ret->struct_ref++; engine_ref_debug(ret, 0, 1)
+#endif
+        /* Try and initialise the ENGINE if it's already functional *or* if the
+         * ENGINE_TABLE_FLAG_NOINIT flag is not set. */
+        if((ret->funct_ref > 0) || !(table_flags & ENGINE_TABLE_FLAG_NOINIT))
+                initres = engine_unlocked_init(ret);
+        else
+                initres = 0;
+#if 0
+        /* Release the structural reference */
+        ret->struct_ref--; engine_ref_debug(ret, 0, -1);
+#endif
+        if(initres)
+                {
+                /* If we didn't have a default (functional reference) for this
+                 * 'nid' (or we had one but for whatever reason we're now
+                 * initialising a different one), use this opportunity to set
+                 * 'funct'. */
+                if((fnd->funct != ret) && engine_unlocked_init(ret))
+                        {
+                        /* If there was a previous default we release it. */
+                        if(fnd->funct)
+                                engine_unlocked_finish(fnd->funct, 0);
+                        /* We got an extra functional reference for the
+                         * per-'nid' default */
+                        fnd->funct = ret;
+#ifdef ENGINE_TABLE_DEBUG
+                        fprintf(stderr, "engine_table_dbg: %s:%d, nid=%d, "
+                                "setting default to '%s'\n", f, l, nid, ret->id);
+#endif
+                        }
+#ifdef ENGINE_TABLE_DEBUG
+                fprintf(stderr, "engine_table_dbg: %s:%d, nid=%d, using "
+                                "newly initialised '%s'\n", f, l, nid, ret->id);
+#endif
+                goto end;
+                }
+        goto trynext;
+end:
+        /* Whatever happened - we should "untouch" our uptodate file seeing as
+         * we have tried our best to find a functional reference for 'nid'. If
+         * it failed, it is unlikely to succeed again until some future
+         * registrations (or unregistrations) have taken place that affect that
+         * 'nid'. */
+        if(fnd)
+                fnd->uptodate = 1;
+#ifdef ENGINE_TABLE_DEBUG
+        if(ret)
+                fprintf(stderr, "engine_table_dbg: %s:%d, nid=%d, caching "
+                                "ENGINE '%s'\n", f, l, nid, ret->id);
+        else
+                fprintf(stderr, "engine_table_dbg: %s:%d, nid=%d, caching "
+                                "'no matching ENGINE'\n", f, l, nid);
+#endif
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        /* Whatever happened, any failed init()s are not failures in this
+         * context, so clear our error state. */
+        ERR_clear_error();
+        return ret;
+        }
diff --git a/src/lib/libssl/src/crypto/engine/engine.h b/src/lib/libssl/src/crypto/engine/engine.h
new file mode 100644
index 0000000000..2983f47034
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/engine.h
@@ -0,0 +1,398 @@
+/* openssl/engine.h */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_ENGINE_H
+#define HEADER_ENGINE_H
+
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include <openssl/dh.h>
+#include <openssl/rand.h>
+#include <openssl/evp.h>
+#include <openssl/symhacks.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/* These flags are used to control combinations of algorithm (methods)
+ * by bitwise "OR"ing. */
+#define ENGINE_METHOD_RSA               (unsigned int)0x0001
+#define ENGINE_METHOD_DSA               (unsigned int)0x0002
+#define ENGINE_METHOD_DH                (unsigned int)0x0004
+#define ENGINE_METHOD_RAND              (unsigned int)0x0008
+#define ENGINE_METHOD_BN_MOD_EXP        (unsigned int)0x0010
+#define ENGINE_METHOD_BN_MOD_EXP_CRT    (unsigned int)0x0020
+/* Obvious all-or-nothing cases. */
+#define ENGINE_METHOD_ALL               (unsigned int)0xFFFF
+#define ENGINE_METHOD_NONE              (unsigned int)0x0000
+
+/* These flags are used to tell the ctrl function what should be done.
+ * All command numbers are shared between all engines, even if some don't
+ * make sense to some engines.  In such a case, they do nothing but return
+ * the error ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED. */
+#define ENGINE_CTRL_SET_LOGSTREAM               1
+#define ENGINE_CTRL_SET_PASSWORD_CALLBACK       2
+/* Flags specific to the nCipher "chil" engine */
+#define ENGINE_CTRL_CHIL_SET_FORKCHECK          100
+        /* Depending on the value of the (long)i argument, this sets or
+         * unsets the SimpleForkCheck flag in the CHIL API to enable or
+         * disable checking and workarounds for applications that fork().
+         */
+#define ENGINE_CTRL_CHIL_NO_LOCKING             101
+        /* This prevents the initialisation function from providing mutex
+         * callbacks to the nCipher library. */
+
+/* As we're missing a BIGNUM_METHOD, we need a couple of locally
+ * defined function types that engines can implement. */
+
+#ifndef HEADER_ENGINE_INT_H
+/* mod_exp operation, calculates; r = a ^ p mod m
+ * NB: ctx can be NULL, but if supplied, the implementation may use
+ * it if it wishes. */
+typedef int (*BN_MOD_EXP)(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *m, BN_CTX *ctx);
+
+/* private key operation for RSA, provided seperately in case other
+ * RSA implementations wish to use it. */
+typedef int (*BN_MOD_EXP_CRT)(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *q, const BIGNUM *dmp1, const BIGNUM *dmq1,
+                const BIGNUM *iqmp, BN_CTX *ctx);
+
+/* Generic function pointer */
+typedef void (*ENGINE_GEN_FUNC_PTR)();
+/* Generic function pointer taking no arguments */
+typedef void (*ENGINE_GEN_INT_FUNC_PTR)(void);
+/* Specific control function pointer */
+typedef int (*ENGINE_CTRL_FUNC_PTR)(int cmd, long i, void *p, void (*f)());
+
+/* The list of "engine" types is a static array of (const ENGINE*)
+ * pointers (not dynamic because static is fine for now and we otherwise
+ * have to hook an appropriate load/unload function in to initialise and
+ * cleanup). */
+typedef struct engine_st ENGINE;
+#endif
+
+/* STRUCTURE functions ... all of these functions deal with pointers to
+ * ENGINE structures where the pointers have a "structural reference".
+ * This means that their reference is to allow access to the structure
+ * but it does not imply that the structure is functional. To simply
+ * increment or decrement the structural reference count, use ENGINE_new
+ * and ENGINE_free. NB: This is not required when iterating using
+ * ENGINE_get_next as it will automatically decrement the structural
+ * reference count of the "current" ENGINE and increment the structural
+ * reference count of the ENGINE it returns (unless it is NULL). */
+
+/* Get the first/last "ENGINE" type available. */
+ENGINE *ENGINE_get_first(void);
+ENGINE *ENGINE_get_last(void);
+/* Iterate to the next/previous "ENGINE" type (NULL = end of the list). */
+ENGINE *ENGINE_get_next(ENGINE *e);
+ENGINE *ENGINE_get_prev(ENGINE *e);
+/* Add another "ENGINE" type into the array. */
+int ENGINE_add(ENGINE *e);
+/* Remove an existing "ENGINE" type from the array. */
+int ENGINE_remove(ENGINE *e);
+/* Retrieve an engine from the list by its unique "id" value. */
+ENGINE *ENGINE_by_id(const char *id);
+
+/* These functions are useful for manufacturing new ENGINE
+ * structures. They don't address reference counting at all -
+ * one uses them to populate an ENGINE structure with personalised
+ * implementations of things prior to using it directly or adding
+ * it to the builtin ENGINE list in OpenSSL. These are also here
+ * so that the ENGINE structure doesn't have to be exposed and
+ * break binary compatibility!
+ *
+ * NB: I'm changing ENGINE_new to force the ENGINE structure to
+ * be allocated from within OpenSSL. See the comment for
+ * ENGINE_get_struct_size().
+ */
+#if 0
+ENGINE *ENGINE_new(ENGINE *e);
+#else
+ENGINE *ENGINE_new(void);
+#endif
+int ENGINE_free(ENGINE *e);
+int ENGINE_set_id(ENGINE *e, const char *id);
+int ENGINE_set_name(ENGINE *e, const char *name);
+int ENGINE_set_RSA(ENGINE *e, RSA_METHOD *rsa_meth);
+int ENGINE_set_DSA(ENGINE *e, DSA_METHOD *dsa_meth);
+int ENGINE_set_DH(ENGINE *e, DH_METHOD *dh_meth);
+int ENGINE_set_RAND(ENGINE *e, RAND_METHOD *rand_meth);
+int ENGINE_set_BN_mod_exp(ENGINE *e, BN_MOD_EXP bn_mod_exp);
+int ENGINE_set_BN_mod_exp_crt(ENGINE *e, BN_MOD_EXP_CRT bn_mod_exp_crt);
+int ENGINE_set_init_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR init_f);
+int ENGINE_set_finish_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR finish_f);
+int ENGINE_set_ctrl_function(ENGINE *e, ENGINE_CTRL_FUNC_PTR ctrl_f);
+
+/* These return values from within the ENGINE structure. These can
+ * be useful with functional references as well as structural
+ * references - it depends which you obtained. Using the result
+ * for functional purposes if you only obtained a structural
+ * reference may be problematic! */
+const char *ENGINE_get_id(ENGINE *e);
+const char *ENGINE_get_name(ENGINE *e);
+RSA_METHOD *ENGINE_get_RSA(ENGINE *e);
+DSA_METHOD *ENGINE_get_DSA(ENGINE *e);
+DH_METHOD *ENGINE_get_DH(ENGINE *e);
+RAND_METHOD *ENGINE_get_RAND(ENGINE *e);
+BN_MOD_EXP ENGINE_get_BN_mod_exp(ENGINE *e);
+BN_MOD_EXP_CRT ENGINE_get_BN_mod_exp_crt(ENGINE *e);
+ENGINE_GEN_INT_FUNC_PTR ENGINE_get_init_function(ENGINE *e);
+ENGINE_GEN_INT_FUNC_PTR ENGINE_get_finish_function(ENGINE *e);
+ENGINE_CTRL_FUNC_PTR ENGINE_get_ctrl_function(ENGINE *e);
+
+/* ENGINE_new is normally passed a NULL in the first parameter because
+ * the calling code doesn't have access to the definition of the ENGINE
+ * structure (for good reason). However, if the caller wishes to use
+ * its own memory allocation or use a static array, the following call
+ * should be used to check the amount of memory the ENGINE structure
+ * will occupy. This will make the code more future-proof.
+ *
+ * NB: I'm "#if 0"-ing this out because it's better to force the use of
+ * internally allocated memory. See similar change in ENGINE_new().
+ */
+#if 0
+int ENGINE_get_struct_size(void);
+#endif
+
+/* FUNCTIONAL functions. These functions deal with ENGINE structures
+ * that have (or will) be initialised for use. Broadly speaking, the
+ * structural functions are useful for iterating the list of available
+ * engine types, creating new engine types, and other "list" operations.
+ * These functions actually deal with ENGINEs that are to be used. As
+ * such these functions can fail (if applicable) when particular
+ * engines are unavailable - eg. if a hardware accelerator is not
+ * attached or not functioning correctly. Each ENGINE has 2 reference
+ * counts; structural and functional. Every time a functional reference
+ * is obtained or released, a corresponding structural reference is
+ * automatically obtained or released too. */
+
+/* Initialise a engine type for use (or up its reference count if it's
+ * already in use). This will fail if the engine is not currently
+ * operational and cannot initialise. */
+int ENGINE_init(ENGINE *e);
+/* Free a functional reference to a engine type. This does not require
+ * a corresponding call to ENGINE_free as it also releases a structural
+ * reference. */
+int ENGINE_finish(ENGINE *e);
+/* Send control parametrised commands to the engine.  The possibilities
+ * to send down an integer, a pointer to data or a function pointer are
+ * provided.  Any of the parameters may or may not be NULL, depending
+ * on the command number */
+/* WARNING: This is currently experimental and may change radically! */
+int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)());
+
+/* The following functions handle keys that are stored in some secondary
+ * location, handled by the engine.  The storage may be on a card or
+ * whatever. */
+EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
+        const char *passphrase);
+EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id,
+        const char *passphrase);
+
+/* This returns a pointer for the current ENGINE structure that
+ * is (by default) performing any RSA operations. The value returned
+ * is an incremented reference, so it should be free'd (ENGINE_finish)
+ * before it is discarded. */
+ENGINE *ENGINE_get_default_RSA(void);
+/* Same for the other "methods" */
+ENGINE *ENGINE_get_default_DSA(void);
+ENGINE *ENGINE_get_default_DH(void);
+ENGINE *ENGINE_get_default_RAND(void);
+ENGINE *ENGINE_get_default_BN_mod_exp(void);
+ENGINE *ENGINE_get_default_BN_mod_exp_crt(void);
+
+/* This sets a new default ENGINE structure for performing RSA
+ * operations. If the result is non-zero (success) then the ENGINE
+ * structure will have had its reference count up'd so the caller
+ * should still free their own reference 'e'. */
+int ENGINE_set_default_RSA(ENGINE *e);
+/* Same for the other "methods" */
+int ENGINE_set_default_DSA(ENGINE *e);
+int ENGINE_set_default_DH(ENGINE *e);
+int ENGINE_set_default_RAND(ENGINE *e);
+int ENGINE_set_default_BN_mod_exp(ENGINE *e);
+int ENGINE_set_default_BN_mod_exp_crt(ENGINE *e);
+
+/* The combination "set" - the flags are bitwise "OR"d from the
+ * ENGINE_METHOD_*** defines above. */
+int ENGINE_set_default(ENGINE *e, unsigned int flags);
+
+/* Obligatory error function. */
+void ERR_load_ENGINE_strings(void);
+
+/*
+ * Error codes for all engine functions. NB: We use "generic"
+ * function names instead of per-implementation ones because this
+ * levels the playing field for externally implemented bootstrapped
+ * support code. As the filename and line number is included, it's
+ * more important to indicate the type of function, so that
+ * bootstrapped code (that can't easily add its own errors in) can
+ * use the same error codes too.
+ */
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the ENGINE functions. */
+
+/* Function codes. */
+#define ENGINE_F_ATALLA_FINISH                           135
+#define ENGINE_F_ATALLA_INIT                             136
+#define ENGINE_F_ATALLA_MOD_EXP                          137
+#define ENGINE_F_ATALLA_RSA_MOD_EXP                      138
+#define ENGINE_F_CSWIFT_DSA_SIGN                         133
+#define ENGINE_F_CSWIFT_DSA_VERIFY                       134
+#define ENGINE_F_CSWIFT_FINISH                           100
+#define ENGINE_F_CSWIFT_INIT                             101
+#define ENGINE_F_CSWIFT_MOD_EXP                          102
+#define ENGINE_F_CSWIFT_MOD_EXP_CRT                      103
+#define ENGINE_F_CSWIFT_RSA_MOD_EXP                      104
+#define ENGINE_F_ENGINE_ADD                              105
+#define ENGINE_F_ENGINE_BY_ID                            106
+#define ENGINE_F_ENGINE_CTRL                             142
+#define ENGINE_F_ENGINE_FINISH                           107
+#define ENGINE_F_ENGINE_FREE                             108
+#define ENGINE_F_ENGINE_GET_BN_MOD_EXP                   109
+#define ENGINE_F_ENGINE_GET_BN_MOD_EXP_CRT               110
+#define ENGINE_F_ENGINE_GET_CTRL_FUNCTION                144
+#define ENGINE_F_ENGINE_GET_DH                           111
+#define ENGINE_F_ENGINE_GET_DSA                          112
+#define ENGINE_F_ENGINE_GET_FINISH_FUNCTION              145
+#define ENGINE_F_ENGINE_GET_ID                           113
+#define ENGINE_F_ENGINE_GET_INIT_FUNCTION                146
+#define ENGINE_F_ENGINE_GET_NAME                         114
+#define ENGINE_F_ENGINE_GET_NEXT                         115
+#define ENGINE_F_ENGINE_GET_PREV                         116
+#define ENGINE_F_ENGINE_GET_RAND                         117
+#define ENGINE_F_ENGINE_GET_RSA                          118
+#define ENGINE_F_ENGINE_INIT                             119
+#define ENGINE_F_ENGINE_LIST_ADD                         120
+#define ENGINE_F_ENGINE_LIST_REMOVE                      121
+#define ENGINE_F_ENGINE_LOAD_PRIVATE_KEY                 150
+#define ENGINE_F_ENGINE_LOAD_PUBLIC_KEY                  151
+#define ENGINE_F_ENGINE_NEW                              122
+#define ENGINE_F_ENGINE_REMOVE                           123
+#define ENGINE_F_ENGINE_SET_BN_MOD_EXP                   124
+#define ENGINE_F_ENGINE_SET_BN_MOD_EXP_CRT               125
+#define ENGINE_F_ENGINE_SET_CTRL_FUNCTION                147
+#define ENGINE_F_ENGINE_SET_DEFAULT_TYPE                 126
+#define ENGINE_F_ENGINE_SET_DH                           127
+#define ENGINE_F_ENGINE_SET_DSA                          128
+#define ENGINE_F_ENGINE_SET_FINISH_FUNCTION              148
+#define ENGINE_F_ENGINE_SET_ID                           129
+#define ENGINE_F_ENGINE_SET_INIT_FUNCTION                149
+#define ENGINE_F_ENGINE_SET_NAME                         130
+#define ENGINE_F_ENGINE_SET_RAND                         131
+#define ENGINE_F_ENGINE_SET_RSA                          132
+#define ENGINE_F_ENGINE_UNLOAD_KEY                       152
+#define ENGINE_F_HWCRHK_CTRL                             143
+#define ENGINE_F_HWCRHK_FINISH                           135
+#define ENGINE_F_HWCRHK_GET_PASS                         155
+#define ENGINE_F_HWCRHK_INIT                             136
+#define ENGINE_F_HWCRHK_LOAD_PRIVKEY                     153
+#define ENGINE_F_HWCRHK_LOAD_PUBKEY                      154
+#define ENGINE_F_HWCRHK_MOD_EXP                          137
+#define ENGINE_F_HWCRHK_MOD_EXP_CRT                      138
+#define ENGINE_F_HWCRHK_RAND_BYTES                       139
+#define ENGINE_F_HWCRHK_RSA_MOD_EXP                      140
+#define ENGINE_F_LOG_MESSAGE                             141
+
+/* Reason codes. */
+#define ENGINE_R_ALREADY_LOADED                          100
+#define ENGINE_R_BIO_WAS_FREED                           121
+#define ENGINE_R_BN_CTX_FULL                             101
+#define ENGINE_R_BN_EXPAND_FAIL                          102
+#define ENGINE_R_CHIL_ERROR                              123
+#define ENGINE_R_CONFLICTING_ENGINE_ID                   103
+#define ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED            119
+#define ENGINE_R_DSO_FAILURE                             104
+#define ENGINE_R_ENGINE_IS_NOT_IN_LIST                   105
+#define ENGINE_R_FAILED_LOADING_PRIVATE_KEY              128
+#define ENGINE_R_FAILED_LOADING_PUBLIC_KEY               129
+#define ENGINE_R_FINISH_FAILED                           106
+#define ENGINE_R_GET_HANDLE_FAILED                       107
+#define ENGINE_R_ID_OR_NAME_MISSING                      108
+#define ENGINE_R_INIT_FAILED                             109
+#define ENGINE_R_INTERNAL_LIST_ERROR                     110
+#define ENGINE_R_MISSING_KEY_COMPONENTS                  111
+#define ENGINE_R_NOT_INITIALISED                         117
+#define ENGINE_R_NOT_LOADED                              112
+#define ENGINE_R_NO_CALLBACK                             127
+#define ENGINE_R_NO_CONTROL_FUNCTION                     120
+#define ENGINE_R_NO_KEY                                  124
+#define ENGINE_R_NO_LOAD_FUNCTION                        125
+#define ENGINE_R_NO_REFERENCE                            130
+#define ENGINE_R_NO_SUCH_ENGINE                          116
+#define ENGINE_R_NO_UNLOAD_FUNCTION                      126
+#define ENGINE_R_PROVIDE_PARAMETERS                      113
+#define ENGINE_R_REQUEST_FAILED                          114
+#define ENGINE_R_REQUEST_FALLBACK                        118
+#define ENGINE_R_SIZE_TOO_LARGE_OR_TOO_SMALL             122
+#define ENGINE_R_UNIT_FAILURE                            115
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/src/lib/libssl/src/crypto/engine/enginetest.c b/src/lib/libssl/src/crypto/engine/enginetest.c
new file mode 100644
index 0000000000..a5a3c47fcb
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/enginetest.c
@@ -0,0 +1,251 @@
+/* crypto/engine/enginetest.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/engine.h>
+#include <openssl/err.h>
+
+static void display_engine_list()
+        {
+        ENGINE *h;
+        int loop;
+
+        h = ENGINE_get_first();
+        loop = 0;
+        printf("listing available engine types\n");
+        while(h)
+                {
+                printf("engine %i, id = \"%s\", name = \"%s\"\n",
+                        loop++, ENGINE_get_id(h), ENGINE_get_name(h));
+                h = ENGINE_get_next(h);
+                }
+        printf("end of list\n");
+        }
+
+int main(int argc, char *argv[])
+        {
+        ENGINE *block[512];
+        char buf[256];
+        const char *id, *name;
+        ENGINE *ptr;
+        int loop;
+        int to_return = 1;
+        ENGINE *new_h1 = NULL;
+        ENGINE *new_h2 = NULL;
+        ENGINE *new_h3 = NULL;
+        ENGINE *new_h4 = NULL;
+
+        ERR_load_crypto_strings();
+
+        memset(block, 0, 512 * sizeof(ENGINE *));
+        if(((new_h1 = ENGINE_new()) == NULL) ||
+                        !ENGINE_set_id(new_h1, "test_id0") ||
+                        !ENGINE_set_name(new_h1, "First test item") ||
+                        ((new_h2 = ENGINE_new()) == NULL) ||
+                        !ENGINE_set_id(new_h2, "test_id1") ||
+                        !ENGINE_set_name(new_h2, "Second test item") ||
+                        ((new_h3 = ENGINE_new()) == NULL) ||
+                        !ENGINE_set_id(new_h3, "test_id2") ||
+                        !ENGINE_set_name(new_h3, "Third test item") ||
+                        ((new_h4 = ENGINE_new()) == NULL) ||
+                        !ENGINE_set_id(new_h4, "test_id3") ||
+                        !ENGINE_set_name(new_h4, "Fourth test item"))
+                {
+                printf("Couldn't set up test ENGINE structures\n");
+                goto end;
+                }
+        printf("\nenginetest beginning\n\n");
+        display_engine_list();
+        if(!ENGINE_add(new_h1))
+                {
+                printf("Add failed!\n");
+                goto end;
+                }
+        display_engine_list();
+        ptr = ENGINE_get_first();
+        if(!ENGINE_remove(ptr))
+                {
+                printf("Remove failed!\n");
+                goto end;
+                }
+        display_engine_list();
+        if(!ENGINE_add(new_h3) || !ENGINE_add(new_h2))
+                {
+                printf("Add failed!\n");
+                goto end;
+                }
+        display_engine_list();
+        if(!ENGINE_remove(new_h2))
+                {
+                printf("Remove failed!\n");
+                goto end;
+                }
+        display_engine_list();
+        if(!ENGINE_add(new_h4))
+                {
+                printf("Add failed!\n");
+                goto end;
+                }
+        display_engine_list();
+        if(ENGINE_add(new_h3))
+                {
+                printf("Add *should* have failed but didn't!\n");
+                goto end;
+                }
+        else
+                printf("Add that should fail did.\n");
+        ERR_clear_error();
+        if(ENGINE_remove(new_h2))
+                {
+                printf("Remove *should* have failed but didn't!\n");
+                goto end;
+                }
+        else
+                printf("Remove that should fail did.\n");
+        if(!ENGINE_remove(new_h1))
+                {
+                printf("Remove failed!\n");
+                goto end;
+                }
+        display_engine_list();
+        if(!ENGINE_remove(new_h3))
+                {
+                printf("Remove failed!\n");
+                goto end;
+                }
+        display_engine_list();
+        if(!ENGINE_remove(new_h4))
+                {
+                printf("Remove failed!\n");
+                goto end;
+                }
+        display_engine_list();
+        /* Depending on whether there's any hardware support compiled
+         * in, this remove may be destined to fail. */
+        ptr = ENGINE_get_first();
+        if(ptr)
+                if(!ENGINE_remove(ptr))
+                        printf("Remove failed!i - probably no hardware "
+                                "support present.\n");
+        display_engine_list();
+        if(!ENGINE_add(new_h1) || !ENGINE_remove(new_h1))
+                {
+                printf("Couldn't add and remove to an empty list!\n");
+                goto end;
+                }
+        else
+                printf("Successfully added and removed to an empty list!\n");
+        printf("About to beef up the engine-type list\n");
+        for(loop = 0; loop < 512; loop++)
+                {
+                sprintf(buf, "id%i", loop);
+                id = strdup(buf);
+                sprintf(buf, "Fake engine type %i", loop);
+                name = strdup(buf);
+                if(((block[loop] = ENGINE_new()) == NULL) ||
+                                !ENGINE_set_id(block[loop], id) ||
+                                !ENGINE_set_name(block[loop], name))
+                        {
+                        printf("Couldn't create block of ENGINE structures.\n"
+                                "I'll probably also core-dump now, damn.\n");
+                        goto end;
+                        }
+                }
+        for(loop = 0; loop < 512; loop++)
+                {
+                if(!ENGINE_add(block[loop]))
+                        {
+                        printf("\nAdding stopped at %i, (%s,%s)\n",
+                                loop, ENGINE_get_id(block[loop]),
+                                ENGINE_get_name(block[loop]));
+                        goto cleanup_loop;
+                        }
+                else
+                        printf("."); fflush(stdout);
+                }
+cleanup_loop:
+        printf("\nAbout to empty the engine-type list\n");
+        while((ptr = ENGINE_get_first()) != NULL)
+                {
+                if(!ENGINE_remove(ptr))
+                        {
+                        printf("\nRemove failed!\n");
+                        goto end;
+                        }
+                printf("."); fflush(stdout);
+                }
+        for(loop = 0; loop < 512; loop++)
+                {
+                free((char *)(ENGINE_get_id(block[loop])));
+                free((char *)(ENGINE_get_name(block[loop])));
+                }
+        printf("\nTests completed happily\n");
+        to_return = 0;
+end:
+        if(to_return)
+                ERR_print_errors_fp(stderr);
+        if(new_h1) ENGINE_free(new_h1);
+        if(new_h2) ENGINE_free(new_h2);
+        if(new_h3) ENGINE_free(new_h3);
+        if(new_h4) ENGINE_free(new_h4);
+        for(loop = 0; loop < 512; loop++)
+                if(block[loop])
+                        ENGINE_free(block[loop]);
+        return to_return;
+        }
diff --git a/src/lib/libssl/src/crypto/engine/hw.ec b/src/lib/libssl/src/crypto/engine/hw.ec
new file mode 100644
index 0000000000..5481a43918
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/hw.ec
@@ -0,0 +1,8 @@
+L AEPHK         hw_aep_err.h                    hw_aep_err.c
+L ATALLA        hw_atalla_err.h                 hw_atalla_err.c
+L CSWIFT        hw_cswift_err.h                 hw_cswift_err.c
+L HWCRHK        hw_ncipher_err.h                hw_ncipher_err.c
+L NURON         hw_nuron_err.h                  hw_nuron_err.c
+L SUREWARE      hw_sureware_err.h               hw_sureware_err.c
+L UBSEC         hw_ubsec_err.h                  hw_ubsec_err.c
+L CCA4758       hw_4758_cca_err.h               hw_4758_cca_err.c
diff --git a/src/lib/libssl/src/crypto/engine/hw_4758_cca.c b/src/lib/libssl/src/crypto/engine/hw_4758_cca.c
new file mode 100644
index 0000000000..959d8f1a61
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/hw_4758_cca.c
@@ -0,0 +1,950 @@
+/* Author: Maurice Gittens <maurice@gittens.nl>                       */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+/* #include <openssl/pem.h> */
+#include "cryptlib.h"
+#include <openssl/dso.h>
+#include <openssl/x509.h>
+#include <openssl/objects.h>
+#include <openssl/engine.h>
+
+#ifndef OPENSSL_NO_HW
+#ifndef OPENSSL_NO_HW_4758_CCA
+
+#ifdef FLAT_INC
+#include "hw_4758_cca.h"
+#else
+#include "vendor_defns/hw_4758_cca.h"
+#endif
+
+#include "hw_4758_cca_err.c"
+
+static int ibm_4758_cca_destroy(ENGINE *e);
+static int ibm_4758_cca_init(ENGINE *e);
+static int ibm_4758_cca_finish(ENGINE *e);
+static int ibm_4758_cca_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)());
+
+/* rsa functions */
+/*---------------*/
+#ifndef OPENSSL_NO_RSA
+static int cca_rsa_pub_enc(int flen, const unsigned char *from,
+                unsigned char *to, RSA *rsa,int padding);
+static int cca_rsa_priv_dec(int flen, const unsigned char *from,
+                unsigned char *to, RSA *rsa,int padding);
+static int cca_rsa_sign(int type, const unsigned char *m, unsigned int m_len,
+                unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
+static int cca_rsa_verify(int dtype, const unsigned char *m, unsigned int m_len,
+                unsigned char *sigbuf, unsigned int siglen, const RSA *rsa);
+
+/* utility functions */
+/*-----------------------*/
+static EVP_PKEY *ibm_4758_load_privkey(ENGINE*, const char*,
+                UI_METHOD *ui_method, void *callback_data);
+static EVP_PKEY *ibm_4758_load_pubkey(ENGINE*, const char*,
+                UI_METHOD *ui_method, void *callback_data);
+
+static int getModulusAndExponent(const unsigned char *token, long *exponentLength,
+                unsigned char *exponent, long *modulusLength,
+                long *modulusFieldLength, unsigned char *modulus);
+#endif
+
+/* RAND number functions */
+/*-----------------------*/
+static int cca_get_random_bytes(unsigned char*, int );
+static int cca_random_status(void);
+
+static void cca_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
+                int idx,long argl, void *argp);
+
+/* Function pointers for CCA verbs */
+/*---------------------------------*/
+#ifndef OPENSSL_NO_RSA
+static F_KEYRECORDREAD keyRecordRead;
+static F_DIGITALSIGNATUREGENERATE digitalSignatureGenerate;
+static F_DIGITALSIGNATUREVERIFY digitalSignatureVerify;
+static F_PUBLICKEYEXTRACT publicKeyExtract;
+static F_PKAENCRYPT pkaEncrypt;
+static F_PKADECRYPT pkaDecrypt;
+#endif
+static F_RANDOMNUMBERGENERATE randomNumberGenerate;
+
+/* static variables */
+/*------------------*/
+static const char def_CCA4758_LIB_NAME[] = CCA_LIB_NAME;
+static const char *CCA4758_LIB_NAME = def_CCA4758_LIB_NAME;
+#ifndef OPENSSL_NO_RSA
+static const char* n_keyRecordRead = CSNDKRR;
+static const char* n_digitalSignatureGenerate = CSNDDSG;
+static const char* n_digitalSignatureVerify = CSNDDSV;
+static const char* n_publicKeyExtract = CSNDPKX;
+static const char* n_pkaEncrypt = CSNDPKE;
+static const char* n_pkaDecrypt = CSNDPKD;
+#endif
+static const char* n_randomNumberGenerate = CSNBRNG;
+
+static int hndidx = -1;
+static DSO *dso = NULL;
+
+/* openssl engine initialization structures */
+/*------------------------------------------*/
+
+#define CCA4758_CMD_SO_PATH             ENGINE_CMD_BASE
+static const ENGINE_CMD_DEFN    cca4758_cmd_defns[] = {
+        {CCA4758_CMD_SO_PATH,
+                "SO_PATH",
+                "Specifies the path to the '4758cca' shared library",
+                ENGINE_CMD_FLAG_STRING},
+        {0, NULL, NULL, 0}
+        };
+
+#ifndef OPENSSL_NO_RSA
+static RSA_METHOD ibm_4758_cca_rsa =
+        {
+        "IBM 4758 CCA RSA method",
+        cca_rsa_pub_enc,
+        NULL,
+        NULL,
+        cca_rsa_priv_dec,
+        NULL, /*rsa_mod_exp,*/
+        NULL, /*mod_exp_mont,*/
+        NULL, /* init */
+        NULL, /* finish */
+        RSA_FLAG_SIGN_VER,        /* flags */
+        NULL, /* app_data */
+        cca_rsa_sign, /* rsa_sign */
+        cca_rsa_verify  /* rsa_verify */
+        };
+#endif
+
+static RAND_METHOD ibm_4758_cca_rand =
+        {
+        /* "IBM 4758 RAND method", */
+        NULL, /* seed */
+        cca_get_random_bytes, /* get random bytes from the card */
+        NULL, /* cleanup */
+        NULL, /* add */
+        cca_get_random_bytes, /* pseudo rand */
+        cca_random_status, /* status */
+        };
+
+static const char *engine_4758_cca_id = "4758cca";
+static const char *engine_4758_cca_name = "IBM 4758 CCA hardware engine support";
+
+/* engine implementation */
+/*-----------------------*/
+static int bind_helper(ENGINE *e)
+        {
+        if(!ENGINE_set_id(e, engine_4758_cca_id) ||
+                        !ENGINE_set_name(e, engine_4758_cca_name) ||
+#ifndef OPENSSL_NO_RSA
+                        !ENGINE_set_RSA(e, &ibm_4758_cca_rsa) ||
+#endif
+                        !ENGINE_set_RAND(e, &ibm_4758_cca_rand) ||
+                        !ENGINE_set_destroy_function(e, ibm_4758_cca_destroy) ||
+                        !ENGINE_set_init_function(e, ibm_4758_cca_init) ||
+                        !ENGINE_set_finish_function(e, ibm_4758_cca_finish) ||
+                        !ENGINE_set_ctrl_function(e, ibm_4758_cca_ctrl) ||
+                        !ENGINE_set_load_privkey_function(e, ibm_4758_load_privkey) ||
+                        !ENGINE_set_load_pubkey_function(e, ibm_4758_load_pubkey) ||
+                        !ENGINE_set_cmd_defns(e, cca4758_cmd_defns))
+                return 0;
+        /* Ensure the error handling is set up */
+        ERR_load_CCA4758_strings();
+        return 1;
+        }
+
+static ENGINE *engine_4758_cca(void)
+        {
+        ENGINE *ret = ENGINE_new();
+        if(!ret)
+                return NULL;
+        if(!bind_helper(ret))
+                {
+                ENGINE_free(ret);
+                return NULL;
+                }
+        return ret;
+        }
+
+void ENGINE_load_4758cca(void)
+        {
+        ENGINE *e_4758 = engine_4758_cca();
+        if (!e_4758) return;
+        ENGINE_add(e_4758);
+        ENGINE_free(e_4758);
+        ERR_clear_error();   
+        }
+
+static int ibm_4758_cca_destroy(ENGINE *e)
+        {
+        ERR_unload_CCA4758_strings();
+        return 1;
+        }
+
+static int ibm_4758_cca_init(ENGINE *e)
+        {
+        if(dso)
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_INIT,CCA4758_R_ALREADY_LOADED);
+                goto err;
+                }
+
+        dso = DSO_load(NULL, CCA4758_LIB_NAME , NULL, 0);
+        if(!dso)
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_INIT,CCA4758_R_DSO_FAILURE);
+                goto err;
+                }
+
+#ifndef OPENSSL_NO_RSA
+        if(!(keyRecordRead = (F_KEYRECORDREAD)
+                                DSO_bind_func(dso, n_keyRecordRead)) ||
+                        !(randomNumberGenerate = (F_RANDOMNUMBERGENERATE)
+                                DSO_bind_func(dso, n_randomNumberGenerate)) ||
+                        !(digitalSignatureGenerate = (F_DIGITALSIGNATUREGENERATE)
+                                DSO_bind_func(dso, n_digitalSignatureGenerate)) ||
+                        !(digitalSignatureVerify = (F_DIGITALSIGNATUREVERIFY)
+                                DSO_bind_func(dso, n_digitalSignatureVerify)) ||
+                        !(publicKeyExtract = (F_PUBLICKEYEXTRACT)
+                                DSO_bind_func(dso, n_publicKeyExtract)) ||
+                        !(pkaEncrypt = (F_PKAENCRYPT)
+                                DSO_bind_func(dso, n_pkaEncrypt)) ||
+                        !(pkaDecrypt = (F_PKADECRYPT)
+                                DSO_bind_func(dso, n_pkaDecrypt)))
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_INIT,CCA4758_R_DSO_FAILURE);
+                goto err;
+                }
+#else
+        if(!(randomNumberGenerate = (F_RANDOMNUMBERGENERATE)
+                                DSO_bind_func(dso, n_randomNumberGenerate)))
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_INIT,CCA4758_R_DSO_FAILURE);
+                goto err;
+                }
+#endif
+
+        hndidx = RSA_get_ex_new_index(0, "IBM 4758 CCA RSA key handle",
+                NULL, NULL, cca_ex_free);
+
+        return 1;
+err:
+        if(dso)
+                DSO_free(dso);
+        dso = NULL;
+
+        keyRecordRead = (F_KEYRECORDREAD)NULL;
+        randomNumberGenerate = (F_RANDOMNUMBERGENERATE)NULL;
+        digitalSignatureGenerate = (F_DIGITALSIGNATUREGENERATE)NULL;
+        digitalSignatureVerify = (F_DIGITALSIGNATUREVERIFY)NULL;
+        publicKeyExtract = (F_PUBLICKEYEXTRACT)NULL;
+        pkaEncrypt = (F_PKAENCRYPT)NULL;
+        pkaDecrypt = (F_PKADECRYPT)NULL;
+        return 0;
+        }
+
+static int ibm_4758_cca_finish(ENGINE *e)
+        {
+        if(dso)
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_FINISH,
+                                CCA4758_R_NOT_LOADED);
+                return 0;
+                }
+        if(!DSO_free(dso))
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_FINISH,
+                                CCA4758_R_UNIT_FAILURE);
+                return 0;
+                }
+        dso = NULL;
+        keyRecordRead = (F_KEYRECORDREAD)NULL;
+        randomNumberGenerate = (F_RANDOMNUMBERGENERATE)NULL;
+        digitalSignatureGenerate = (F_DIGITALSIGNATUREGENERATE)NULL;
+        digitalSignatureVerify = (F_DIGITALSIGNATUREVERIFY)NULL;
+        publicKeyExtract = (F_PUBLICKEYEXTRACT)NULL;
+        pkaEncrypt = (F_PKAENCRYPT)NULL;
+        pkaDecrypt = (F_PKADECRYPT)NULL;
+        return 1;
+        }
+
+static int ibm_4758_cca_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
+        {
+        int initialised = ((dso == NULL) ? 0 : 1);
+        switch(cmd)
+                {
+        case CCA4758_CMD_SO_PATH:
+                if(p == NULL)
+                        {
+                        CCA4758err(CCA4758_F_IBM_4758_CCA_CTRL,
+                                        ERR_R_PASSED_NULL_PARAMETER);
+                        return 0;
+                        }
+                if(initialised)
+                        {
+                        CCA4758err(CCA4758_F_IBM_4758_CCA_CTRL,
+                                        CCA4758_R_ALREADY_LOADED);
+                        return 0;
+                        }
+                CCA4758_LIB_NAME = (const char *)p;
+                return 1;
+        default:
+                break;
+                }
+        CCA4758err(CCA4758_F_IBM_4758_CCA_CTRL,
+                        CCA4758_R_COMMAND_NOT_IMPLEMENTED);
+        return 0;
+        }
+
+#ifndef OPENSSL_NO_RSA
+
+#define MAX_CCA_PKA_TOKEN_SIZE 2500
+
+static EVP_PKEY *ibm_4758_load_privkey(ENGINE* e, const char* key_id,
+                        UI_METHOD *ui_method, void *callback_data)
+        {
+        RSA *rtmp = NULL;
+        EVP_PKEY *res = NULL;
+        unsigned char* keyToken = NULL;
+        unsigned char pubKeyToken[MAX_CCA_PKA_TOKEN_SIZE];
+        long pubKeyTokenLength = MAX_CCA_PKA_TOKEN_SIZE;
+        long keyTokenLength = MAX_CCA_PKA_TOKEN_SIZE;
+        long returnCode;
+        long reasonCode;
+        long exitDataLength = 0;
+        long ruleArrayLength = 0;
+        unsigned char exitData[8];
+        unsigned char ruleArray[8];
+        unsigned char keyLabel[64];
+        long keyLabelLength = strlen(key_id);
+        unsigned char modulus[256];
+        long modulusFieldLength = sizeof(modulus);
+        long modulusLength = 0;
+        unsigned char exponent[256];
+        long exponentLength = sizeof(exponent);
+
+        if (keyLabelLength > sizeof(keyLabel))
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_LOAD_PRIVKEY,
+                CCA4758_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+                return NULL;
+                }
+
+        memset(keyLabel,' ', sizeof(keyLabel));
+        memcpy(keyLabel, key_id, keyLabelLength);
+
+        keyToken = OPENSSL_malloc(MAX_CCA_PKA_TOKEN_SIZE + sizeof(long));
+        if (!keyToken)
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_LOAD_PRIVKEY,
+                                ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
+
+        keyRecordRead(&returnCode, &reasonCode, &exitDataLength,
+                exitData, &ruleArrayLength, ruleArray, keyLabel,
+                &keyTokenLength, keyToken+sizeof(long));
+
+        if (returnCode)
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_LOAD_PRIVKEY,
+                        CCA4758_R_FAILED_LOADING_PRIVATE_KEY);
+                goto err;
+                }
+
+        publicKeyExtract(&returnCode, &reasonCode, &exitDataLength,
+                exitData, &ruleArrayLength, ruleArray, &keyTokenLength,
+                keyToken+sizeof(long), &pubKeyTokenLength, pubKeyToken);
+
+        if (returnCode)
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_LOAD_PRIVKEY,
+                        CCA4758_R_FAILED_LOADING_PRIVATE_KEY);
+                goto err;
+                }
+
+        if (!getModulusAndExponent(pubKeyToken, &exponentLength,
+                        exponent, &modulusLength, &modulusFieldLength,
+                        modulus))
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_LOAD_PRIVKEY,
+                        CCA4758_R_FAILED_LOADING_PRIVATE_KEY);
+                goto err;
+                }
+
+        (*(long*)keyToken) = keyTokenLength;
+        rtmp = RSA_new_method(e);
+        RSA_set_ex_data(rtmp, hndidx, (char *)keyToken);
+
+        rtmp->e = BN_bin2bn(exponent, exponentLength, NULL);
+        rtmp->n = BN_bin2bn(modulus, modulusFieldLength, NULL);
+        rtmp->flags |= RSA_FLAG_EXT_PKEY;
+
+        res = EVP_PKEY_new();
+        EVP_PKEY_assign_RSA(res, rtmp);
+
+        return res;
+err:
+        if (keyToken)
+                OPENSSL_free(keyToken);
+        if (res)
+                EVP_PKEY_free(res);
+        if (rtmp)
+                RSA_free(rtmp);
+        return NULL;
+        }
+
+static EVP_PKEY *ibm_4758_load_pubkey(ENGINE* e, const char* key_id,
+                        UI_METHOD *ui_method, void *callback_data)
+        {
+        RSA *rtmp = NULL;
+        EVP_PKEY *res = NULL;
+        unsigned char* keyToken = NULL;
+        long keyTokenLength = MAX_CCA_PKA_TOKEN_SIZE;
+        long returnCode;
+        long reasonCode;
+        long exitDataLength = 0;
+        long ruleArrayLength = 0;
+        unsigned char exitData[8];
+        unsigned char ruleArray[8];
+        unsigned char keyLabel[64];
+        long keyLabelLength = strlen(key_id);
+        unsigned char modulus[512];
+        long modulusFieldLength = sizeof(modulus);
+        long modulusLength = 0;
+        unsigned char exponent[512];
+        long exponentLength = sizeof(exponent);
+
+        if (keyLabelLength > sizeof(keyLabel))
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_LOAD_PRIVKEY,
+                        CCA4758_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+                return NULL;
+                }
+
+        memset(keyLabel,' ', sizeof(keyLabel));
+        memcpy(keyLabel, key_id, keyLabelLength);
+
+        keyToken = OPENSSL_malloc(MAX_CCA_PKA_TOKEN_SIZE + sizeof(long));
+        if (!keyToken)
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_LOAD_PUBKEY,
+                                ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
+
+        keyRecordRead(&returnCode, &reasonCode, &exitDataLength, exitData,
+                &ruleArrayLength, ruleArray, keyLabel, &keyTokenLength,
+                keyToken+sizeof(long));
+
+        if (returnCode)
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_LOAD_PRIVKEY,
+                                ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
+
+        if (!getModulusAndExponent(keyToken+sizeof(long), &exponentLength,
+                        exponent, &modulusLength, &modulusFieldLength, modulus))
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_LOAD_PRIVKEY,
+                        CCA4758_R_FAILED_LOADING_PUBLIC_KEY);
+                goto err;
+                }
+
+        (*(long*)keyToken) = keyTokenLength;
+        rtmp = RSA_new_method(e);
+        RSA_set_ex_data(rtmp, hndidx, (char *)keyToken);
+        rtmp->e = BN_bin2bn(exponent, exponentLength, NULL);
+        rtmp->n = BN_bin2bn(modulus, modulusFieldLength, NULL);
+        rtmp->flags |= RSA_FLAG_EXT_PKEY;
+        res = EVP_PKEY_new();
+        EVP_PKEY_assign_RSA(res, rtmp);
+
+        return res;
+err:
+        if (keyToken)
+                OPENSSL_free(keyToken);
+        if (res)
+                EVP_PKEY_free(res);
+        if (rtmp)
+                RSA_free(rtmp);
+        return NULL;
+        }
+
+static int cca_rsa_pub_enc(int flen, const unsigned char *from,
+                        unsigned char *to, RSA *rsa,int padding)
+        {
+        long returnCode;
+        long reasonCode;
+        long lflen = flen;
+        long exitDataLength = 0;
+        unsigned char exitData[8];
+        long ruleArrayLength = 1;
+        unsigned char ruleArray[8] = "PKCS-1.2";
+        long dataStructureLength = 0;
+        unsigned char dataStructure[8];
+        long outputLength = RSA_size(rsa);
+        long keyTokenLength;
+        unsigned char* keyToken = (unsigned char*)RSA_get_ex_data(rsa, hndidx);
+
+        keyTokenLength = *(long*)keyToken;
+        keyToken+=sizeof(long);
+
+        pkaEncrypt(&returnCode, &reasonCode, &exitDataLength, exitData,
+                &ruleArrayLength, ruleArray, &lflen, (unsigned char*)from,
+                &dataStructureLength, dataStructure, &keyTokenLength,
+                keyToken, &outputLength, to);
+
+        if (returnCode || reasonCode)
+                return -(returnCode << 16 | reasonCode);
+        return outputLength;
+        }
+
+static int cca_rsa_priv_dec(int flen, const unsigned char *from,
+                        unsigned char *to, RSA *rsa,int padding)
+        {
+        long returnCode;
+        long reasonCode;
+        long lflen = flen;
+        long exitDataLength = 0;
+        unsigned char exitData[8];
+        long ruleArrayLength = 1;
+        unsigned char ruleArray[8] = "PKCS-1.2";
+        long dataStructureLength = 0;
+        unsigned char dataStructure[8];
+        long outputLength = RSA_size(rsa);
+        long keyTokenLength;
+        unsigned char* keyToken = (unsigned char*)RSA_get_ex_data(rsa, hndidx);
+
+        keyTokenLength = *(long*)keyToken;
+        keyToken+=sizeof(long);
+
+        pkaDecrypt(&returnCode, &reasonCode, &exitDataLength, exitData,
+                &ruleArrayLength, ruleArray, &lflen, (unsigned char*)from,
+                &dataStructureLength, dataStructure, &keyTokenLength,
+                keyToken, &outputLength, to);
+
+        return (returnCode | reasonCode) ? 0 : 1;
+        }
+
+#define SSL_SIG_LEN 36
+
+static int cca_rsa_verify(int type, const unsigned char *m, unsigned int m_len,
+                unsigned char *sigbuf, unsigned int siglen, const RSA *rsa)
+        {
+        long returnCode;
+        long reasonCode;
+        long lsiglen = siglen;
+        long exitDataLength = 0;
+        unsigned char exitData[8];
+        long ruleArrayLength = 1;
+        unsigned char ruleArray[8] = "PKCS-1.1";
+        long keyTokenLength;
+        unsigned char* keyToken = (unsigned char*)RSA_get_ex_data(rsa, hndidx);
+        long length = SSL_SIG_LEN;
+        long keyLength ;
+        unsigned char *hashBuffer = NULL;
+        X509_SIG sig;
+        ASN1_TYPE parameter;
+        X509_ALGOR algorithm;
+        ASN1_OCTET_STRING digest;
+
+        keyTokenLength = *(long*)keyToken;
+        keyToken+=sizeof(long);
+
+        if (type == NID_md5 || type == NID_sha1)
+                {
+                sig.algor = &algorithm;
+                algorithm.algorithm = OBJ_nid2obj(type);
+
+                if (!algorithm.algorithm)
+                        {
+                        CCA4758err(CCA4758_F_IBM_4758_CCA_VERIFY,
+                                CCA4758_R_UNKNOWN_ALGORITHM_TYPE);
+                        return 0;
+                        }
+
+                if (!algorithm.algorithm->length)
+                        {
+                        CCA4758err(CCA4758_F_IBM_4758_CCA_VERIFY,
+                                CCA4758_R_ASN1_OID_UNKNOWN_FOR_MD);
+                        return 0;
+                        }
+
+                parameter.type = V_ASN1_NULL;
+                parameter.value.ptr = NULL;
+                algorithm.parameter = &parameter;
+
+                sig.digest = &digest;
+                sig.digest->data = (unsigned char*)m;
+                sig.digest->length = m_len;
+
+                length = i2d_X509_SIG(&sig, NULL);
+                }
+
+        keyLength = RSA_size(rsa);
+
+        if (length - RSA_PKCS1_PADDING > keyLength)
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_VERIFY,
+                        CCA4758_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+                return 0;
+                }
+
+        switch (type)
+                {
+                case NID_md5_sha1 :
+                        if (m_len != SSL_SIG_LEN)
+                                {
+                                CCA4758err(CCA4758_F_IBM_4758_CCA_VERIFY,
+                                CCA4758_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+                                return 0;
+                                }
+
+                        hashBuffer = (unsigned char *)m;
+                        length = m_len;
+                        break;
+                case NID_md5 :
+                        {
+                        unsigned char *ptr;
+                        ptr = hashBuffer = OPENSSL_malloc(
+                                        (unsigned int)keyLength+1);
+                        if (!hashBuffer)
+                                {
+                                CCA4758err(CCA4758_F_IBM_4758_CCA_VERIFY,
+                                                ERR_R_MALLOC_FAILURE);
+                                return 0;
+                                }
+
+                        i2d_X509_SIG(&sig, &ptr);
+                        }
+                        break;
+                case NID_sha1 :
+                        {
+                        unsigned char *ptr;
+                        ptr = hashBuffer = OPENSSL_malloc(
+                                        (unsigned int)keyLength+1);
+                        if (!hashBuffer)
+                                {
+                                CCA4758err(CCA4758_F_IBM_4758_CCA_VERIFY,
+                                                ERR_R_MALLOC_FAILURE);
+                                return 0;
+                                }
+                        i2d_X509_SIG(&sig, &ptr);
+                        }
+                        break;
+                default:
+                        return 0;
+                }
+
+        digitalSignatureVerify(&returnCode, &reasonCode, &exitDataLength,
+                exitData, &ruleArrayLength, ruleArray, &keyTokenLength,
+                keyToken, &length, hashBuffer, &lsiglen, sigbuf);
+
+        if (type == NID_sha1 || type == NID_md5)
+                {
+                memset(hashBuffer, keyLength+1, 0);
+                OPENSSL_free(hashBuffer);
+                }
+
+        return ((returnCode || reasonCode) ? 0 : 1);
+        }
+
+#define SSL_SIG_LEN 36
+
+static int cca_rsa_sign(int type, const unsigned char *m, unsigned int m_len,
+                unsigned char *sigret, unsigned int *siglen, const RSA *rsa)
+        {
+        long returnCode;
+        long reasonCode;
+        long exitDataLength = 0;
+        unsigned char exitData[8];
+        long ruleArrayLength = 1;
+        unsigned char ruleArray[8] = "PKCS-1.1";
+        long outputLength=256;
+        long outputBitLength;
+        long keyTokenLength;
+        unsigned char *hashBuffer = NULL;
+        unsigned char* keyToken = (unsigned char*)RSA_get_ex_data(rsa, hndidx);
+        long length = SSL_SIG_LEN;
+        long keyLength ;
+        X509_SIG sig;
+        ASN1_TYPE parameter;
+        X509_ALGOR algorithm;
+        ASN1_OCTET_STRING digest;
+
+        keyTokenLength = *(long*)keyToken;
+        keyToken+=sizeof(long);
+
+        if (type == NID_md5 || type == NID_sha1)
+                {
+                sig.algor = &algorithm;
+                algorithm.algorithm = OBJ_nid2obj(type);
+
+                if (!algorithm.algorithm)
+                        {
+                        CCA4758err(CCA4758_F_IBM_4758_CCA_SIGN,
+                                CCA4758_R_UNKNOWN_ALGORITHM_TYPE);
+                        return 0;
+                        }
+
+                if (!algorithm.algorithm->length)
+                        {
+                        CCA4758err(CCA4758_F_IBM_4758_CCA_SIGN,
+                                CCA4758_R_ASN1_OID_UNKNOWN_FOR_MD);
+                        return 0;
+                        }
+
+                parameter.type = V_ASN1_NULL;
+                parameter.value.ptr = NULL;
+                algorithm.parameter = &parameter;
+
+                sig.digest = &digest;
+                sig.digest->data = (unsigned char*)m;
+                sig.digest->length = m_len;
+
+                length = i2d_X509_SIG(&sig, NULL);
+                }
+
+        keyLength = RSA_size(rsa);
+
+        if (length - RSA_PKCS1_PADDING > keyLength)
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_SIGN,
+                        CCA4758_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+                return 0;
+                }
+
+        switch (type)
+                {
+                case NID_md5_sha1 :
+                        if (m_len != SSL_SIG_LEN)
+                                {
+                                CCA4758err(CCA4758_F_IBM_4758_CCA_SIGN,
+                                CCA4758_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+                                return 0;
+                                }
+                        hashBuffer = (unsigned char*)m;
+                        length = m_len;
+                        break;
+                case NID_md5 :
+                        {
+                        unsigned char *ptr;
+                        ptr = hashBuffer = OPENSSL_malloc(
+                                        (unsigned int)keyLength+1);
+                        if (!hashBuffer)
+                                {
+                                CCA4758err(CCA4758_F_IBM_4758_CCA_VERIFY,
+                                                ERR_R_MALLOC_FAILURE);
+                                return 0;
+                                }
+                        i2d_X509_SIG(&sig, &ptr);
+                        }
+                        break;
+                case NID_sha1 :
+                        {
+                        unsigned char *ptr;
+                        ptr = hashBuffer = OPENSSL_malloc(
+                                        (unsigned int)keyLength+1);
+                        if (!hashBuffer)
+                                {
+                                CCA4758err(CCA4758_F_IBM_4758_CCA_VERIFY,
+                                                ERR_R_MALLOC_FAILURE);
+                                return 0;
+                                }
+                        i2d_X509_SIG(&sig, &ptr);
+                        }
+                        break;
+                default:
+                        return 0;
+                }
+
+        digitalSignatureGenerate(&returnCode, &reasonCode, &exitDataLength,
+                exitData, &ruleArrayLength, ruleArray, &keyTokenLength,
+                keyToken, &length, hashBuffer, &outputLength, &outputBitLength,
+                sigret);
+
+        if (type == NID_sha1 || type == NID_md5)
+                {
+                memset(hashBuffer, keyLength+1, 0);
+                OPENSSL_free(hashBuffer);
+                }
+
+        *siglen = outputLength;
+
+        return ((returnCode || reasonCode) ? 0 : 1);
+        }
+
+static int getModulusAndExponent(const unsigned char*token, long *exponentLength,
+                unsigned char *exponent, long *modulusLength, long *modulusFieldLength,
+                unsigned char *modulus)
+        {
+        unsigned long len;
+
+        if (*token++ != (char)0x1E) /* internal PKA token? */
+                return 0;
+
+        if (*token++) /* token version must be zero */
+                return 0;
+
+        len = *token++;
+        len = len << 8;
+        len |= (unsigned char)*token++;
+
+        token += 4; /* skip reserved bytes */
+
+        if (*token++ == (char)0x04)
+                {
+                if (*token++) /* token version must be zero */
+                        return 0;
+
+                len = *token++;
+                len = len << 8;
+                len |= (unsigned char)*token++;
+
+                token+=2; /* skip reserved section */
+
+                len = *token++;
+                len = len << 8;
+                len |= (unsigned char)*token++;
+
+                *exponentLength = len;
+
+                len = *token++;
+                len = len << 8;
+                len |= (unsigned char)*token++;
+
+                *modulusLength = len;
+
+                len = *token++;
+                len = len << 8;
+                len |= (unsigned char)*token++;
+
+                *modulusFieldLength = len;
+
+                memcpy(exponent, token, *exponentLength);
+                token+= *exponentLength;
+
+                memcpy(modulus, token, *modulusFieldLength);
+                return 1;
+                }
+        return 0;
+        }
+
+#endif /* OPENSSL_NO_RSA */
+
+static int cca_random_status(void)
+        {
+        return 1;
+        }
+
+static int cca_get_random_bytes(unsigned char* buf, int num)
+        {
+        long ret_code;
+        long reason_code;
+        long exit_data_length;
+        unsigned char exit_data[4];
+        unsigned char form[] = "RANDOM  ";
+        unsigned char rand_buf[8];
+
+        while(num >= sizeof(rand_buf))
+                {
+                randomNumberGenerate(&ret_code, &reason_code, &exit_data_length,
+                        exit_data, form, rand_buf);
+                if (ret_code)
+                        return 0;
+                num -= sizeof(rand_buf);
+                memcpy(buf, rand_buf, sizeof(rand_buf));
+                buf += sizeof(rand_buf);
+                }
+
+        if (num)
+                {
+                randomNumberGenerate(&ret_code, &reason_code, NULL, NULL,
+                        form, rand_buf);
+                if (ret_code)
+                        return 0;
+                memcpy(buf, rand_buf, num);
+                }
+
+        return 1;
+        }
+
+static void cca_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad, int idx,
+                long argl, void *argp)
+        {
+        if (item)
+                OPENSSL_free(item);
+        }
+
+/* Goo to handle building as a dynamic engine */
+#ifdef ENGINE_DYNAMIC_SUPPORT 
+static int bind_fn(ENGINE *e, const char *id)
+        {
+        if(id && (strcmp(id, engine_cswift_id) != 0))
+                return 0;
+        if(!bind_helper(e))
+                return 0;
+        return 1;
+        }       
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
+#endif /* ENGINE_DYNAMIC_SUPPORT */
+
+#endif /* !OPENSSL_NO_HW_4758_CCA */
+#endif /* !OPENSSL_NO_HW */
diff --git a/src/lib/libssl/src/crypto/engine/hw_4758_cca_err.c b/src/lib/libssl/src/crypto/engine/hw_4758_cca_err.c
new file mode 100644
index 0000000000..7ea5c63707
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/hw_4758_cca_err.c
@@ -0,0 +1,149 @@
+/* hw_4758_cca_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "hw_4758_cca_err.h"
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA CCA4758_str_functs[]=
+        {
+{ERR_PACK(0,CCA4758_F_IBM_4758_CCA_CTRL,0),     "IBM_4758_CCA_CTRL"},
+{ERR_PACK(0,CCA4758_F_IBM_4758_CCA_FINISH,0),   "IBM_4758_CCA_FINISH"},
+{ERR_PACK(0,CCA4758_F_IBM_4758_CCA_INIT,0),     "IBM_4758_CCA_INIT"},
+{ERR_PACK(0,CCA4758_F_IBM_4758_CCA_LOAD_PRIVKEY,0),     "IBM_4758_CCA_LOAD_PRIVKEY"},
+{ERR_PACK(0,CCA4758_F_IBM_4758_CCA_LOAD_PUBKEY,0),      "IBM_4758_CCA_LOAD_PUBKEY"},
+{ERR_PACK(0,CCA4758_F_IBM_4758_CCA_SIGN,0),     "IBM_4758_CCA_SIGN"},
+{ERR_PACK(0,CCA4758_F_IBM_4758_CCA_VERIFY,0),   "IBM_4758_CCA_VERIFY"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA CCA4758_str_reasons[]=
+        {
+{CCA4758_R_ALREADY_LOADED                ,"already loaded"},
+{CCA4758_R_ASN1_OID_UNKNOWN_FOR_MD       ,"asn1 oid unknown for md"},
+{CCA4758_R_COMMAND_NOT_IMPLEMENTED       ,"command not implemented"},
+{CCA4758_R_DSO_FAILURE                   ,"dso failure"},
+{CCA4758_R_FAILED_LOADING_PRIVATE_KEY    ,"failed loading private key"},
+{CCA4758_R_FAILED_LOADING_PUBLIC_KEY     ,"failed loading public key"},
+{CCA4758_R_NOT_LOADED                    ,"not loaded"},
+{CCA4758_R_SIZE_TOO_LARGE_OR_TOO_SMALL   ,"size too large or too small"},
+{CCA4758_R_UNIT_FAILURE                  ,"unit failure"},
+{CCA4758_R_UNKNOWN_ALGORITHM_TYPE        ,"unknown algorithm type"},
+{0,NULL}
+        };
+
+#endif
+
+#ifdef CCA4758_LIB_NAME
+static ERR_STRING_DATA CCA4758_lib_name[]=
+        {
+{0      ,CCA4758_LIB_NAME},
+{0,NULL}
+        };
+#endif
+
+
+static int CCA4758_lib_error_code=0;
+static int CCA4758_error_init=1;
+
+static void ERR_load_CCA4758_strings(void)
+        {
+        if (CCA4758_lib_error_code == 0)
+                CCA4758_lib_error_code=ERR_get_next_error_library();
+
+        if (CCA4758_error_init)
+                {
+                CCA4758_error_init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(CCA4758_lib_error_code,CCA4758_str_functs);
+                ERR_load_strings(CCA4758_lib_error_code,CCA4758_str_reasons);
+#endif
+
+#ifdef CCA4758_LIB_NAME
+                CCA4758_lib_name->error = ERR_PACK(CCA4758_lib_error_code,0,0);
+                ERR_load_strings(0,CCA4758_lib_name);
+#endif
+                }
+        }
+
+static void ERR_unload_CCA4758_strings(void)
+        {
+        if (CCA4758_error_init == 0)
+                {
+#ifndef OPENSSL_NO_ERR
+                ERR_unload_strings(CCA4758_lib_error_code,CCA4758_str_functs);
+                ERR_unload_strings(CCA4758_lib_error_code,CCA4758_str_reasons);
+#endif
+
+#ifdef CCA4758_LIB_NAME
+                ERR_unload_strings(0,CCA4758_lib_name);
+#endif
+                CCA4758_error_init=1;
+                }
+        }
+
+static void ERR_CCA4758_error(int function, int reason, char *file, int line)
+        {
+        if (CCA4758_lib_error_code == 0)
+                CCA4758_lib_error_code=ERR_get_next_error_library();
+        ERR_PUT_error(CCA4758_lib_error_code,function,reason,file,line);
+        }
diff --git a/src/lib/libssl/src/crypto/engine/hw_4758_cca_err.h b/src/lib/libssl/src/crypto/engine/hw_4758_cca_err.h
new file mode 100644
index 0000000000..2fc563ab11
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/hw_4758_cca_err.h
@@ -0,0 +1,93 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_CCA4758_ERR_H
+#define HEADER_CCA4758_ERR_H
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+static void ERR_load_CCA4758_strings(void);
+static void ERR_unload_CCA4758_strings(void);
+static void ERR_CCA4758_error(int function, int reason, char *file, int line);
+#define CCA4758err(f,r) ERR_CCA4758_error((f),(r),__FILE__,__LINE__)
+
+/* Error codes for the CCA4758 functions. */
+
+/* Function codes. */
+#define CCA4758_F_IBM_4758_CCA_CTRL                      100
+#define CCA4758_F_IBM_4758_CCA_FINISH                    101
+#define CCA4758_F_IBM_4758_CCA_INIT                      102
+#define CCA4758_F_IBM_4758_CCA_LOAD_PRIVKEY              103
+#define CCA4758_F_IBM_4758_CCA_LOAD_PUBKEY               104
+#define CCA4758_F_IBM_4758_CCA_SIGN                      105
+#define CCA4758_F_IBM_4758_CCA_VERIFY                    106
+
+/* Reason codes. */
+#define CCA4758_R_ALREADY_LOADED                         100
+#define CCA4758_R_ASN1_OID_UNKNOWN_FOR_MD                101
+#define CCA4758_R_COMMAND_NOT_IMPLEMENTED                102
+#define CCA4758_R_DSO_FAILURE                            103
+#define CCA4758_R_FAILED_LOADING_PRIVATE_KEY             104
+#define CCA4758_R_FAILED_LOADING_PUBLIC_KEY              105
+#define CCA4758_R_NOT_LOADED                             106
+#define CCA4758_R_SIZE_TOO_LARGE_OR_TOO_SMALL            107
+#define CCA4758_R_UNIT_FAILURE                           108
+#define CCA4758_R_UNKNOWN_ALGORITHM_TYPE                 109
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libssl/src/crypto/engine/hw_aep.c b/src/lib/libssl/src/crypto/engine/hw_aep.c
new file mode 100644
index 0000000000..cf4507cff1
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/hw_aep.c
@@ -0,0 +1,1101 @@
+/* crypto/engine/hw_aep.c */
+/*
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/bn.h>
+#include <string.h>
+
+#include <openssl/e_os2.h>
+#ifndef OPENSSL_SYS_MSDOS
+#include <sys/types.h>
+#include <unistd.h>
+#else
+#include <process.h>
+typedef int pid_t;
+#endif
+
+#include <openssl/crypto.h>
+#include <openssl/dso.h>
+#include <openssl/engine.h>
+
+#ifndef OPENSSL_NO_HW
+#ifndef OPENSSL_NO_HW_AEP
+#ifdef FLAT_INC
+#include "aep.h"
+#else
+#include "vendor_defns/aep.h"
+#endif
+
+#define AEP_LIB_NAME "aep engine"
+#define FAIL_TO_SW 0x10101010
+
+#include "hw_aep_err.c"
+
+static int aep_init(ENGINE *e);
+static int aep_finish(ENGINE *e);
+static int aep_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)());
+static int aep_destroy(ENGINE *e);
+
+static AEP_RV aep_get_connection(AEP_CONNECTION_HNDL_PTR hConnection);
+static AEP_RV aep_return_connection(AEP_CONNECTION_HNDL hConnection);
+static AEP_RV aep_close_connection(AEP_CONNECTION_HNDL hConnection);
+static AEP_RV aep_close_all_connections(int use_engine_lock, int *in_use);
+
+/* BIGNUM stuff */
+static int aep_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+        const BIGNUM *m, BN_CTX *ctx);
+
+static AEP_RV aep_mod_exp_crt(BIGNUM *r,const  BIGNUM *a, const BIGNUM *p,
+        const BIGNUM *q, const BIGNUM *dmp1,const BIGNUM *dmq1,
+        const BIGNUM *iqmp, BN_CTX *ctx);
+
+/* RSA stuff */
+#ifndef OPENSSL_NO_RSA
+static int aep_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa);
+#endif
+
+/* This function is aliased to mod_exp (with the mont stuff dropped). */
+static int aep_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+        const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
+/* DSA stuff */
+#ifndef OPENSSL_NO_DSA
+static int aep_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+        BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
+        BN_CTX *ctx, BN_MONT_CTX *in_mont);
+
+static int aep_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
+        const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+        BN_MONT_CTX *m_ctx);
+#endif
+
+/* DH stuff */
+/* This function is aliased to mod_exp (with the DH and mont dropped). */
+#ifndef OPENSSL_NO_DH
+static int aep_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
+        const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+#endif
+
+/* rand stuff   */
+#ifdef AEPRAND
+static int aep_rand(unsigned char *buf, int num);
+static int aep_rand_status(void);
+#endif
+
+/* Bignum conversion stuff */
+static AEP_RV GetBigNumSize(AEP_VOID_PTR ArbBigNum, AEP_U32* BigNumSize);
+static AEP_RV MakeAEPBigNum(AEP_VOID_PTR ArbBigNum, AEP_U32 BigNumSize,
+        unsigned char* AEP_BigNum);
+static AEP_RV ConvertAEPBigNum(void* ArbBigNum, AEP_U32 BigNumSize,
+        unsigned char* AEP_BigNum);
+
+/* The definitions for control commands specific to this engine */
+#define AEP_CMD_SO_PATH         ENGINE_CMD_BASE
+static const ENGINE_CMD_DEFN aep_cmd_defns[] =
+        {
+        { AEP_CMD_SO_PATH,
+          "SO_PATH",
+          "Specifies the path to the 'aep' shared library",
+          ENGINE_CMD_FLAG_STRING
+        },
+        {0, NULL, NULL, 0}
+        };
+
+#ifndef OPENSSL_NO_RSA
+/* Our internal RSA_METHOD that we provide pointers to */
+static RSA_METHOD aep_rsa =
+        {
+        "Aep RSA method",
+        NULL,                /*rsa_pub_encrypt*/
+        NULL,                /*rsa_pub_decrypt*/
+        NULL,                /*rsa_priv_encrypt*/
+        NULL,                /*rsa_priv_encrypt*/
+        aep_rsa_mod_exp,     /*rsa_mod_exp*/
+        aep_mod_exp_mont,    /*bn_mod_exp*/
+        NULL,                /*init*/
+        NULL,                /*finish*/
+        0,                   /*flags*/
+        NULL,                /*app_data*/
+        NULL,                /*rsa_sign*/
+        NULL                 /*rsa_verify*/
+        };
+#endif
+
+#ifndef OPENSSL_NO_DSA
+/* Our internal DSA_METHOD that we provide pointers to */
+static DSA_METHOD aep_dsa =
+        {
+        "Aep DSA method",
+        NULL,                /* dsa_do_sign */
+        NULL,                /* dsa_sign_setup */
+        NULL,                /* dsa_do_verify */
+        aep_dsa_mod_exp,     /* dsa_mod_exp */
+        aep_mod_exp_dsa,     /* bn_mod_exp */
+        NULL,                /* init */
+        NULL,                /* finish */
+        0,                   /* flags */
+        NULL                 /* app_data */
+        };
+#endif
+
+#ifndef OPENSSL_NO_DH
+/* Our internal DH_METHOD that we provide pointers to */
+static DH_METHOD aep_dh =
+        {
+        "Aep DH method",
+        NULL,
+        NULL,
+        aep_mod_exp_dh,
+        NULL,
+        NULL,
+        0,
+        NULL
+        };
+#endif
+
+#ifdef AEPRAND
+/* our internal RAND_method that we provide pointers to  */
+static RAND_METHOD aep_random =
+        {
+        /*"AEP RAND method", */
+        NULL,
+        aep_rand,
+        NULL,
+        NULL,
+        aep_rand,
+        aep_rand_status,
+        };
+#endif
+
+/*Define an array of structures to hold connections*/
+static AEP_CONNECTION_ENTRY aep_app_conn_table[MAX_PROCESS_CONNECTIONS];
+
+/*Used to determine if this is a new process*/
+static pid_t    recorded_pid = 0;
+
+#ifdef AEPRAND
+static AEP_U8   rand_block[RAND_BLK_SIZE];
+static AEP_U32  rand_block_bytes = 0;
+#endif
+
+/* Constants used when creating the ENGINE */
+static const char *engine_aep_id = "aep";
+static const char *engine_aep_name = "Aep hardware engine support";
+
+static int max_key_len = 2176;
+
+
+/* This internal function is used by ENGINE_aep() and possibly by the
+ * "dynamic" ENGINE support too */
+static int bind_aep(ENGINE *e)
+        {
+#ifndef OPENSSL_NO_RSA
+        const RSA_METHOD  *meth1;
+#endif
+#ifndef OPENSSL_NO_DSA
+        const DSA_METHOD  *meth2;
+#endif
+#ifndef OPENSSL_NO_DH
+        const DH_METHOD   *meth3;
+#endif
+
+        if(!ENGINE_set_id(e, engine_aep_id) ||
+                !ENGINE_set_name(e, engine_aep_name) ||
+#ifndef OPENSSL_NO_RSA
+                !ENGINE_set_RSA(e, &aep_rsa) ||
+#endif
+#ifndef OPENSSL_NO_DSA
+                !ENGINE_set_DSA(e, &aep_dsa) ||
+#endif
+#ifndef OPENSSL_NO_DH
+                !ENGINE_set_DH(e, &aep_dh) ||
+#endif
+#ifdef AEPRAND
+                !ENGINE_set_RAND(e, &aep_random) ||
+#endif
+                !ENGINE_set_init_function(e, aep_init) ||
+                !ENGINE_set_destroy_function(e, aep_destroy) ||
+                !ENGINE_set_finish_function(e, aep_finish) ||
+                !ENGINE_set_ctrl_function(e, aep_ctrl) ||
+                !ENGINE_set_cmd_defns(e, aep_cmd_defns))
+                return 0;
+
+#ifndef OPENSSL_NO_RSA
+        /* We know that the "PKCS1_SSLeay()" functions hook properly
+         * to the aep-specific mod_exp and mod_exp_crt so we use
+         * those functions. NB: We don't use ENGINE_openssl() or
+         * anything "more generic" because something like the RSAref
+         * code may not hook properly, and if you own one of these
+         * cards then you have the right to do RSA operations on it
+         * anyway! */
+        meth1 = RSA_PKCS1_SSLeay();
+        aep_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
+        aep_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
+        aep_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
+        aep_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
+#endif
+
+
+#ifndef OPENSSL_NO_DSA
+        /* Use the DSA_OpenSSL() method and just hook the mod_exp-ish
+         * bits. */
+        meth2 = DSA_OpenSSL();
+        aep_dsa.dsa_do_sign    = meth2->dsa_do_sign;
+        aep_dsa.dsa_sign_setup = meth2->dsa_sign_setup;
+        aep_dsa.dsa_do_verify  = meth2->dsa_do_verify;
+
+        aep_dsa = *DSA_get_default_method(); 
+        aep_dsa.dsa_mod_exp = aep_dsa_mod_exp; 
+        aep_dsa.bn_mod_exp = aep_mod_exp_dsa;
+#endif
+
+#ifndef OPENSSL_NO_DH
+        /* Much the same for Diffie-Hellman */
+        meth3 = DH_OpenSSL();
+        aep_dh.generate_key = meth3->generate_key;
+        aep_dh.compute_key  = meth3->compute_key;
+        aep_dh.bn_mod_exp   = meth3->bn_mod_exp;
+#endif
+
+        /* Ensure the aep error handling is set up */
+        ERR_load_AEPHK_strings();
+
+        return 1;
+}
+
+#ifdef ENGINE_DYNAMIC_SUPPORT
+static int bind_helper(ENGINE *e, const char *id)
+        {
+        if(id && (strcmp(id, engine_aep_id) != 0))
+                return 0;
+        if(!bind_aep(e))
+                return 0;
+        return 1;
+        }       
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
+#else
+static ENGINE *engine_aep(void)
+        {
+        ENGINE *ret = ENGINE_new();
+        if(!ret)
+                return NULL;
+        if(!bind_aep(ret))
+                {
+                ENGINE_free(ret);
+                return NULL;
+                }
+        return ret;
+        }
+
+void ENGINE_load_aep(void)
+        {
+        /* Copied from eng_[openssl|dyn].c */
+        ENGINE *toadd = engine_aep();
+        if(!toadd) return;
+        ENGINE_add(toadd);
+        ENGINE_free(toadd);
+        ERR_clear_error();
+        }
+#endif
+
+/* This is a process-global DSO handle used for loading and unloading
+ * the Aep library. NB: This is only set (or unset) during an
+ * init() or finish() call (reference counts permitting) and they're
+ * operating with global locks, so this should be thread-safe
+ * implicitly. */
+static DSO *aep_dso = NULL;
+
+/* These are the static string constants for the DSO file name and the function
+ * symbol names to bind to. 
+*/
+static const char *AEP_LIBNAME = "aep";
+
+static const char *AEP_F1    = "AEP_ModExp";
+static const char *AEP_F2    = "AEP_ModExpCrt";
+#ifdef AEPRAND
+static const char *AEP_F3    = "AEP_GenRandom";
+#endif
+static const char *AEP_F4    = "AEP_Finalize";
+static const char *AEP_F5    = "AEP_Initialize";
+static const char *AEP_F6    = "AEP_OpenConnection";
+static const char *AEP_F7    = "AEP_SetBNCallBacks";
+static const char *AEP_F8    = "AEP_CloseConnection";
+
+/* These are the function pointers that are (un)set when the library has
+ * successfully (un)loaded. */
+static t_AEP_OpenConnection    *p_AEP_OpenConnection  = NULL;
+static t_AEP_CloseConnection   *p_AEP_CloseConnection = NULL;
+static t_AEP_ModExp            *p_AEP_ModExp          = NULL;
+static t_AEP_ModExpCrt         *p_AEP_ModExpCrt       = NULL;
+#ifdef AEPRAND
+static t_AEP_GenRandom         *p_AEP_GenRandom       = NULL;
+#endif
+static t_AEP_Initialize        *p_AEP_Initialize      = NULL;
+static t_AEP_Finalize          *p_AEP_Finalize        = NULL;
+static t_AEP_SetBNCallBacks    *p_AEP_SetBNCallBacks  = NULL;
+
+/* (de)initialisation functions. */
+static int aep_init(ENGINE *e)
+        {
+        t_AEP_ModExp          *p1;
+        t_AEP_ModExpCrt       *p2;
+#ifdef AEPRAND
+        t_AEP_GenRandom       *p3;
+#endif
+        t_AEP_Finalize        *p4;
+        t_AEP_Initialize      *p5;
+        t_AEP_OpenConnection  *p6;
+        t_AEP_SetBNCallBacks  *p7;
+        t_AEP_CloseConnection *p8;
+
+        int to_return = 0;
+ 
+        if(aep_dso != NULL)
+                {
+                AEPHKerr(AEPHK_F_AEP_INIT,AEPHK_R_ALREADY_LOADED);
+                goto err;
+                }
+        /* Attempt to load libaep.so. */
+
+        aep_dso = DSO_load(NULL, AEP_LIBNAME, NULL, 0);
+  
+        if(aep_dso == NULL)
+                {
+                AEPHKerr(AEPHK_F_AEP_INIT,AEPHK_R_NOT_LOADED);
+                goto err;
+                }
+
+        if(     !(p1 = (t_AEP_ModExp *)     DSO_bind_func( aep_dso,AEP_F1))  ||
+                !(p2 = (t_AEP_ModExpCrt*)   DSO_bind_func( aep_dso,AEP_F2))  ||
+#ifdef AEPRAND
+                !(p3 = (t_AEP_GenRandom*)   DSO_bind_func( aep_dso,AEP_F3))  ||
+#endif
+                !(p4 = (t_AEP_Finalize*)    DSO_bind_func( aep_dso,AEP_F4))  ||
+                !(p5 = (t_AEP_Initialize*)  DSO_bind_func( aep_dso,AEP_F5))  ||
+                !(p6 = (t_AEP_OpenConnection*) DSO_bind_func( aep_dso,AEP_F6))  ||
+                !(p7 = (t_AEP_SetBNCallBacks*) DSO_bind_func( aep_dso,AEP_F7))  ||
+                !(p8 = (t_AEP_CloseConnection*) DSO_bind_func( aep_dso,AEP_F8)))
+                {
+                AEPHKerr(AEPHK_F_AEP_INIT,AEPHK_R_NOT_LOADED);
+                goto err;
+                }
+
+        /* Copy the pointers */
+  
+        p_AEP_ModExp           = p1;
+        p_AEP_ModExpCrt        = p2;
+#ifdef AEPRAND
+        p_AEP_GenRandom        = p3;
+#endif
+        p_AEP_Finalize         = p4;
+        p_AEP_Initialize       = p5;
+        p_AEP_OpenConnection   = p6;
+        p_AEP_SetBNCallBacks   = p7;
+        p_AEP_CloseConnection  = p8;
+ 
+        to_return = 1;
+ 
+        return to_return;
+
+ err: 
+
+        if(aep_dso)
+                DSO_free(aep_dso);
+                
+        p_AEP_OpenConnection    = NULL;
+        p_AEP_ModExp            = NULL;
+        p_AEP_ModExpCrt         = NULL;
+#ifdef AEPRAND
+        p_AEP_GenRandom         = NULL;
+#endif
+        p_AEP_Initialize        = NULL;
+        p_AEP_Finalize          = NULL;
+        p_AEP_SetBNCallBacks    = NULL;
+        p_AEP_CloseConnection   = NULL;
+
+        return to_return;
+        }
+
+/* Destructor (complements the "ENGINE_aep()" constructor) */
+static int aep_destroy(ENGINE *e)
+        {
+        ERR_unload_AEPHK_strings();
+        return 1;
+        }
+
+static int aep_finish(ENGINE *e)
+        {
+        int to_return = 0, in_use;
+        AEP_RV rv;
+
+        if(aep_dso == NULL)
+                {
+                AEPHKerr(AEPHK_F_AEP_FINISH,AEPHK_R_NOT_LOADED);
+                goto err;
+                }
+
+        rv = aep_close_all_connections(0, &in_use);
+        if (rv != AEP_R_OK)
+                {
+                AEPHKerr(AEPHK_F_AEP_FINISH,AEPHK_R_CLOSE_HANDLES_FAILED);
+                goto err;
+                }
+        if (in_use)
+                {
+                AEPHKerr(AEPHK_F_AEP_FINISH,AEPHK_R_CONNECTIONS_IN_USE);
+                goto err;
+                }
+
+        rv = p_AEP_Finalize();
+        if (rv != AEP_R_OK)
+                {
+                AEPHKerr(AEPHK_F_AEP_FINISH,AEPHK_R_FINALIZE_FAILED);
+                goto err;
+                }
+
+        if(!DSO_free(aep_dso))
+                {
+                AEPHKerr(AEPHK_F_AEP_FINISH,AEPHK_R_UNIT_FAILURE);
+                goto err;
+                }
+
+        aep_dso = NULL;
+        p_AEP_CloseConnection   = NULL;
+        p_AEP_OpenConnection    = NULL;
+        p_AEP_ModExp            = NULL;
+        p_AEP_ModExpCrt         = NULL;
+#ifdef AEPRAND
+        p_AEP_GenRandom         = NULL;
+#endif
+        p_AEP_Initialize        = NULL;
+        p_AEP_Finalize          = NULL;
+        p_AEP_SetBNCallBacks    = NULL;
+
+        to_return = 1;
+ err:
+        return to_return;
+        }
+
+static int aep_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
+        {
+        int initialised = ((aep_dso == NULL) ? 0 : 1);
+        switch(cmd)
+                {
+        case AEP_CMD_SO_PATH:
+                if(p == NULL)
+                        {
+                        AEPHKerr(AEPHK_F_AEP_CTRL,
+                                ERR_R_PASSED_NULL_PARAMETER);
+                        return 0;
+                        }
+                if(initialised)
+                        {
+                        AEPHKerr(AEPHK_F_AEP_CTRL,
+                                AEPHK_R_ALREADY_LOADED);
+                        return 0;
+                        }
+                AEP_LIBNAME = (const char *)p;
+                return 1;
+        default:
+                break;
+                }
+        AEPHKerr(AEPHK_F_AEP_CTRL,AEPHK_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+        return 0;
+        }
+
+static int aep_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+        const BIGNUM *m, BN_CTX *ctx)
+        {
+        int to_return = 0;
+        int     r_len = 0;
+        AEP_CONNECTION_HNDL hConnection;
+        AEP_RV rv;
+        
+        r_len = BN_num_bits(m);
+
+        /* Perform in software if modulus is too large for hardware. */
+
+        if (r_len > max_key_len){
+                AEPHKerr(AEPHK_F_AEP_MOD_EXP, AEPHK_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+                return BN_mod_exp(r, a, p, m, ctx);
+        } 
+
+        /*Grab a connection from the pool*/
+        rv = aep_get_connection(&hConnection);
+        if (rv != AEP_R_OK)
+                {     
+                AEPHKerr(AEPHK_F_AEP_MOD_EXP,AEPHK_R_GET_HANDLE_FAILED);
+                return BN_mod_exp(r, a, p, m, ctx);
+                }
+
+        /*To the card with the mod exp*/
+        rv = p_AEP_ModExp(hConnection,(void*)a, (void*)p,(void*)m, (void*)r,NULL);
+
+        if (rv !=  AEP_R_OK)
+                {
+                AEPHKerr(AEPHK_F_AEP_MOD_EXP,AEPHK_R_MOD_EXP_FAILED);
+                rv = aep_close_connection(hConnection);
+                return BN_mod_exp(r, a, p, m, ctx);
+                }
+
+        /*Return the connection to the pool*/
+        rv = aep_return_connection(hConnection);
+        if (rv != AEP_R_OK)
+                {
+                AEPHKerr(AEPHK_F_AEP_RAND,AEPHK_R_RETURN_CONNECTION_FAILED); 
+                goto err;
+                }
+
+        to_return = 1;
+ err:
+        return to_return;
+        }
+        
+static AEP_RV aep_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+        const BIGNUM *q, const BIGNUM *dmp1,
+        const BIGNUM *dmq1,const BIGNUM *iqmp, BN_CTX *ctx)
+        {
+        AEP_RV rv = AEP_R_OK;
+        AEP_CONNECTION_HNDL hConnection;
+
+        /*Grab a connection from the pool*/
+        rv = aep_get_connection(&hConnection);
+        if (rv != AEP_R_OK)
+                {
+                AEPHKerr(AEPHK_F_AEP_MOD_EXP_CRT,AEPHK_R_GET_HANDLE_FAILED);
+                return FAIL_TO_SW;
+                }
+
+        /*To the card with the mod exp*/
+        rv = p_AEP_ModExpCrt(hConnection,(void*)a, (void*)p, (void*)q, (void*)dmp1,(void*)dmq1,
+                (void*)iqmp,(void*)r,NULL);
+        if (rv != AEP_R_OK)
+                {
+                AEPHKerr(AEPHK_F_AEP_MOD_EXP_CRT,AEPHK_R_MOD_EXP_CRT_FAILED);
+                rv = aep_close_connection(hConnection);
+                return FAIL_TO_SW;
+                }
+
+        /*Return the connection to the pool*/
+        rv = aep_return_connection(hConnection);
+        if (rv != AEP_R_OK)
+                {
+                AEPHKerr(AEPHK_F_AEP_RAND,AEPHK_R_RETURN_CONNECTION_FAILED); 
+                goto err;
+                }
+ 
+ err:
+        return rv;
+        }
+        
+
+#ifdef AEPRAND
+static int aep_rand(unsigned char *buf,int len )
+        {
+        AEP_RV rv = AEP_R_OK;
+        AEP_CONNECTION_HNDL hConnection;
+
+        CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+
+        /*Can the request be serviced with what's already in the buffer?*/
+        if (len <= rand_block_bytes)
+                {
+                memcpy(buf, &rand_block[RAND_BLK_SIZE - rand_block_bytes], len);
+                rand_block_bytes -= len;
+                CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+                }
+        else
+                /*If not the get another block of random bytes*/
+                {
+                CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+
+                rv = aep_get_connection(&hConnection);
+                if (rv !=  AEP_R_OK)
+                        { 
+                        AEPHKerr(AEPHK_F_AEP_RAND,AEPHK_R_GET_HANDLE_FAILED);             
+                        goto err_nounlock;
+                        }
+
+                if (len > RAND_BLK_SIZE)
+                        {
+                        rv = p_AEP_GenRandom(hConnection, len, 2, buf, NULL);
+                        if (rv !=  AEP_R_OK)
+                                {  
+                                AEPHKerr(AEPHK_F_AEP_RAND,AEPHK_R_GET_RANDOM_FAILED); 
+                                goto err_nounlock;
+                                }
+                        }
+                else
+                        {
+                        CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+
+                        rv = p_AEP_GenRandom(hConnection, RAND_BLK_SIZE, 2, &rand_block[0], NULL);
+                        if (rv !=  AEP_R_OK)
+                                {       
+                                AEPHKerr(AEPHK_F_AEP_RAND,AEPHK_R_GET_RANDOM_FAILED); 
+              
+                                goto err;
+                                }
+
+                        rand_block_bytes = RAND_BLK_SIZE;
+
+                        memcpy(buf, &rand_block[RAND_BLK_SIZE - rand_block_bytes], len);
+                        rand_block_bytes -= len;
+
+                        CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+                        }
+
+                rv = aep_return_connection(hConnection);
+                if (rv != AEP_R_OK)
+                        {
+                        AEPHKerr(AEPHK_F_AEP_RAND,AEPHK_R_RETURN_CONNECTION_FAILED); 
+          
+                        goto err_nounlock;
+                        }
+                }
+  
+        return 1;
+ err:
+        CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+ err_nounlock:
+        return 0;
+        }
+        
+static int aep_rand_status(void)
+{
+        return 1;
+}
+#endif
+
+#ifndef OPENSSL_NO_RSA
+static int aep_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
+        {
+        BN_CTX *ctx = NULL;
+        int to_return = 0;
+        AEP_RV rv = AEP_R_OK;
+
+        if ((ctx = BN_CTX_new()) == NULL)
+                goto err;
+
+        if (!aep_dso)
+                {
+                AEPHKerr(AEPHK_F_AEP_RSA_MOD_EXP,AEPHK_R_NOT_LOADED);
+                goto err;
+                }
+
+        /*See if we have all the necessary bits for a crt*/
+        if (rsa->q && rsa->dmp1 && rsa->dmq1 && rsa->iqmp)
+                {
+                rv =  aep_mod_exp_crt(r0,I,rsa->p,rsa->q, rsa->dmp1,rsa->dmq1,rsa->iqmp,ctx);
+
+                if (rv == FAIL_TO_SW){
+                        const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+                        to_return = (*meth->rsa_mod_exp)(r0, I, rsa);
+                        goto err;
+                }
+                else if (rv != AEP_R_OK)
+                        goto err;
+                }
+        else
+                {
+                if (!rsa->d || !rsa->n)
+                        {
+                        AEPHKerr(AEPHK_F_AEP_RSA_MOD_EXP,AEPHK_R_MISSING_KEY_COMPONENTS);
+                        goto err;
+                        }
+ 
+                rv = aep_mod_exp(r0,I,rsa->d,rsa->n,ctx);
+                if  (rv != AEP_R_OK)
+                        goto err;
+        
+                }
+
+        to_return = 1;
+
+ err:
+        if(ctx)
+                BN_CTX_free(ctx);
+        return to_return;
+}
+#endif
+
+#ifndef OPENSSL_NO_DSA
+static int aep_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+        BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
+        BN_CTX *ctx, BN_MONT_CTX *in_mont)
+        {
+        BIGNUM t;
+        int to_return = 0;
+        BN_init(&t);
+
+        /* let rr = a1 ^ p1 mod m */
+        if (!aep_mod_exp(rr,a1,p1,m,ctx)) goto end;
+        /* let t = a2 ^ p2 mod m */
+        if (!aep_mod_exp(&t,a2,p2,m,ctx)) goto end;
+        /* let rr = rr * t mod m */
+        if (!BN_mod_mul(rr,rr,&t,m,ctx)) goto end;
+        to_return = 1;
+ end: 
+        BN_free(&t);
+        return to_return;
+        }
+
+static int aep_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
+        const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+        BN_MONT_CTX *m_ctx)
+        {  
+        return aep_mod_exp(r, a, p, m, ctx); 
+        }
+#endif
+
+/* This function is aliased to mod_exp (with the mont stuff dropped). */
+static int aep_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+        const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+        {
+        return aep_mod_exp(r, a, p, m, ctx);
+        }
+
+#ifndef OPENSSL_NO_DH
+/* This function is aliased to mod_exp (with the dh and mont dropped). */
+static int aep_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
+        const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+        BN_MONT_CTX *m_ctx)
+        {
+        return aep_mod_exp(r, a, p, m, ctx);
+        }
+#endif
+
+static AEP_RV aep_get_connection(AEP_CONNECTION_HNDL_PTR phConnection)
+        {
+        int count;
+        AEP_RV rv = AEP_R_OK;
+
+        /*Get the current process id*/
+        pid_t curr_pid;
+
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+
+        curr_pid = getpid();
+
+        /*Check if this is the first time this is being called from the current
+          process*/
+        if (recorded_pid != curr_pid)
+                {
+                /*Remember our pid so we can check if we're in a new process*/
+                recorded_pid = curr_pid;
+
+                /*Call Finalize to make sure we have not inherited some data
+                  from a parent process*/
+                p_AEP_Finalize();
+     
+                /*Initialise the AEP API*/
+                rv = p_AEP_Initialize(NULL);
+
+                if (rv != AEP_R_OK)
+                        {
+                        AEPHKerr(AEPHK_F_AEP_GET_CONNECTION,AEPHK_R_INIT_FAILURE);
+                        recorded_pid = 0;
+                        goto end;
+                        }
+
+                /*Set the AEP big num call back functions*/
+                rv = p_AEP_SetBNCallBacks(&GetBigNumSize, &MakeAEPBigNum,
+                        &ConvertAEPBigNum);
+
+                if (rv != AEP_R_OK)
+                        {
+                        AEPHKerr(AEPHK_F_AEP_GET_CONNECTION,AEPHK_R_SETBNCALLBACK_FAILURE);
+                        recorded_pid = 0;
+                        goto end;
+                        }
+
+#ifdef AEPRAND
+                /*Reset the rand byte count*/
+                rand_block_bytes = 0;
+#endif
+
+                /*Init the structures*/
+                for (count = 0;count < MAX_PROCESS_CONNECTIONS;count ++)
+                        {
+                        aep_app_conn_table[count].conn_state = NotConnected;
+                        aep_app_conn_table[count].conn_hndl  = 0;
+                        }
+
+                /*Open a connection*/
+                rv = p_AEP_OpenConnection(phConnection);
+
+                if (rv != AEP_R_OK)
+                        {
+                        AEPHKerr(AEPHK_F_AEP_GET_CONNECTION,AEPHK_R_UNIT_FAILURE);
+                        recorded_pid = 0;
+                        goto end;
+                        }
+
+                aep_app_conn_table[0].conn_state = InUse;
+                aep_app_conn_table[0].conn_hndl = *phConnection;
+                goto end;
+                }
+        /*Check the existing connections to see if we can find a free one*/
+        for (count = 0;count < MAX_PROCESS_CONNECTIONS;count ++)
+                {
+                if (aep_app_conn_table[count].conn_state == Connected)
+                        {
+                        aep_app_conn_table[count].conn_state = InUse;
+                        *phConnection = aep_app_conn_table[count].conn_hndl;
+                        goto end;
+                        }
+                }
+        /*If no connections available, we're going to have to try
+          to open a new one*/
+        for (count = 0;count < MAX_PROCESS_CONNECTIONS;count ++)
+                {
+                if (aep_app_conn_table[count].conn_state == NotConnected)
+                        {
+                        /*Open a connection*/
+                        rv = p_AEP_OpenConnection(phConnection);
+
+                        if (rv != AEP_R_OK)
+                                {             
+                                AEPHKerr(AEPHK_F_AEP_GET_CONNECTION,AEPHK_R_UNIT_FAILURE);
+                                goto end;
+                                }
+
+                        aep_app_conn_table[count].conn_state = InUse;
+                        aep_app_conn_table[count].conn_hndl = *phConnection;
+                        goto end;
+                        }
+                }
+        rv = AEP_R_GENERAL_ERROR;
+ end:
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        return rv;
+        }
+
+
+static AEP_RV aep_return_connection(AEP_CONNECTION_HNDL hConnection)
+        {
+        int count;
+
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+
+        /*Find the connection item that matches this connection handle*/
+        for(count = 0;count < MAX_PROCESS_CONNECTIONS;count ++)
+                {
+                if (aep_app_conn_table[count].conn_hndl == hConnection)
+                        {
+                        aep_app_conn_table[count].conn_state = Connected;
+                        break;
+                        }
+                }
+
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+
+        return AEP_R_OK;
+        }
+
+static AEP_RV aep_close_connection(AEP_CONNECTION_HNDL hConnection)
+        {
+        int count;
+        AEP_RV rv = AEP_R_OK;
+
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+
+        /*Find the connection item that matches this connection handle*/
+        for(count = 0;count < MAX_PROCESS_CONNECTIONS;count ++)
+                {
+                if (aep_app_conn_table[count].conn_hndl == hConnection)
+                        {
+                        rv = p_AEP_CloseConnection(aep_app_conn_table[count].conn_hndl);
+                        if (rv != AEP_R_OK)
+                                goto end;
+                        aep_app_conn_table[count].conn_state = NotConnected;
+                        aep_app_conn_table[count].conn_hndl  = 0;
+                        break;
+                        }
+                }
+
+ end:
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        return rv;
+        }
+
+static AEP_RV aep_close_all_connections(int use_engine_lock, int *in_use)
+        {
+        int count;
+        AEP_RV rv = AEP_R_OK;
+
+        *in_use = 0;
+        if (use_engine_lock) CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        for (count = 0;count < MAX_PROCESS_CONNECTIONS;count ++)
+                {
+                switch (aep_app_conn_table[count].conn_state)
+                        {
+                case Connected:
+                        rv = p_AEP_CloseConnection(aep_app_conn_table[count].conn_hndl);
+                        if (rv != AEP_R_OK)
+                                goto end;
+                        aep_app_conn_table[count].conn_state = NotConnected;
+                        aep_app_conn_table[count].conn_hndl  = 0;
+                        break;
+                case InUse:
+                        (*in_use)++;
+                        break;
+                case NotConnected:
+                        break;
+                        }
+                }
+ end:
+        if (use_engine_lock) CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        return rv;
+        }
+
+/*BigNum call back functions, used to convert OpenSSL bignums into AEP bignums.
+  Note only 32bit Openssl build support*/
+
+static AEP_RV GetBigNumSize(AEP_VOID_PTR ArbBigNum, AEP_U32* BigNumSize)
+        {
+        BIGNUM* bn;
+
+        /*Cast the ArbBigNum pointer to our BIGNUM struct*/
+        bn = (BIGNUM*) ArbBigNum;
+
+#ifdef SIXTY_FOUR_BIT_LONG
+        *BigNumSize = bn->top << 3;
+#else
+        /*Size of the bignum in bytes is equal to the bn->top (no of 32 bit
+          words) multiplies by 4*/
+        *BigNumSize = bn->top << 2;
+#endif
+
+        return AEP_R_OK;
+        }
+
+static AEP_RV MakeAEPBigNum(AEP_VOID_PTR ArbBigNum, AEP_U32 BigNumSize,
+        unsigned char* AEP_BigNum)
+        {
+        BIGNUM* bn;
+
+#ifndef SIXTY_FOUR_BIT_LONG
+        unsigned char* buf;
+        int i;
+#endif
+
+        /*Cast the ArbBigNum pointer to our BIGNUM struct*/
+        bn = (BIGNUM*) ArbBigNum;
+
+#ifdef SIXTY_FOUR_BIT_LONG
+        memcpy(AEP_BigNum, bn->d, BigNumSize);
+#else
+        /*Must copy data into a (monotone) least significant byte first format
+          performing endian conversion if necessary*/
+        for(i=0;i<bn->top;i++)
+                {
+                buf = (unsigned char*)&bn->d[i];
+
+                *((AEP_U32*)AEP_BigNum) = (AEP_U32)
+                        ((unsigned) buf[1] << 8 | buf[0]) |
+                        ((unsigned) buf[3] << 8 | buf[2])  << 16;
+
+                AEP_BigNum += 4;
+                }
+#endif
+
+        return AEP_R_OK;
+        }
+
+/*Turn an AEP Big Num back to a user big num*/
+static AEP_RV ConvertAEPBigNum(void* ArbBigNum, AEP_U32 BigNumSize,
+        unsigned char* AEP_BigNum)
+        {
+        BIGNUM* bn;
+#ifndef SIXTY_FOUR_BIT_LONG
+        int i;
+#endif
+
+        bn = (BIGNUM*)ArbBigNum;
+
+        /*Expand the result bn so that it can hold our big num.
+          Size is in bits*/
+        bn_expand(bn, (int)(BigNumSize << 3));
+
+#ifdef SIXTY_FOUR_BIT_LONG
+        bn->top = BigNumSize >> 3;
+        
+        if((BigNumSize & 7) != 0)
+                bn->top++;
+
+        memset(bn->d, 0, bn->top << 3); 
+
+        memcpy(bn->d, AEP_BigNum, BigNumSize);
+#else
+        bn->top = BigNumSize >> 2;
+ 
+        for(i=0;i<bn->top;i++)
+                {
+                bn->d[i] = (AEP_U32)
+                        ((unsigned) AEP_BigNum[3] << 8 | AEP_BigNum[2]) << 16 |
+                        ((unsigned) AEP_BigNum[1] << 8 | AEP_BigNum[0]);
+                AEP_BigNum += 4;
+                }
+#endif
+
+        return AEP_R_OK;
+}       
+        
+#endif /* !OPENSSL_NO_HW_AEP */
+#endif /* !OPENSSL_NO_HW */
diff --git a/src/lib/libssl/src/crypto/engine/hw_aep_err.c b/src/lib/libssl/src/crypto/engine/hw_aep_err.c
new file mode 100644
index 0000000000..092f532946
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/hw_aep_err.c
@@ -0,0 +1,157 @@
+/* hw_aep_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "hw_aep_err.h"
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA AEPHK_str_functs[]=
+        {
+{ERR_PACK(0,AEPHK_F_AEP_CTRL,0),        "AEP_CTRL"},
+{ERR_PACK(0,AEPHK_F_AEP_FINISH,0),      "AEP_FINISH"},
+{ERR_PACK(0,AEPHK_F_AEP_GET_CONNECTION,0),      "AEP_GET_CONNECTION"},
+{ERR_PACK(0,AEPHK_F_AEP_INIT,0),        "AEP_INIT"},
+{ERR_PACK(0,AEPHK_F_AEP_MOD_EXP,0),     "AEP_MOD_EXP"},
+{ERR_PACK(0,AEPHK_F_AEP_MOD_EXP_CRT,0), "AEP_MOD_EXP_CRT"},
+{ERR_PACK(0,AEPHK_F_AEP_RAND,0),        "AEP_RAND"},
+{ERR_PACK(0,AEPHK_F_AEP_RSA_MOD_EXP,0), "AEP_RSA_MOD_EXP"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA AEPHK_str_reasons[]=
+        {
+{AEPHK_R_ALREADY_LOADED                  ,"already loaded"},
+{AEPHK_R_CLOSE_HANDLES_FAILED            ,"close handles failed"},
+{AEPHK_R_CONNECTIONS_IN_USE              ,"connections in use"},
+{AEPHK_R_CTRL_COMMAND_NOT_IMPLEMENTED    ,"ctrl command not implemented"},
+{AEPHK_R_FINALIZE_FAILED                 ,"finalize failed"},
+{AEPHK_R_GET_HANDLE_FAILED               ,"get handle failed"},
+{AEPHK_R_GET_RANDOM_FAILED               ,"get random failed"},
+{AEPHK_R_INIT_FAILURE                    ,"init failure"},
+{AEPHK_R_MISSING_KEY_COMPONENTS          ,"missing key components"},
+{AEPHK_R_MOD_EXP_CRT_FAILED              ,"mod exp crt failed"},
+{AEPHK_R_MOD_EXP_FAILED                  ,"mod exp failed"},
+{AEPHK_R_NOT_LOADED                      ,"not loaded"},
+{AEPHK_R_OK                              ,"ok"},
+{AEPHK_R_RETURN_CONNECTION_FAILED        ,"return connection failed"},
+{AEPHK_R_SETBNCALLBACK_FAILURE           ,"setbncallback failure"},
+{AEPHK_R_SIZE_TOO_LARGE_OR_TOO_SMALL     ,"size too large or too small"},
+{AEPHK_R_UNIT_FAILURE                    ,"unit failure"},
+{0,NULL}
+        };
+
+#endif
+
+#ifdef AEPHK_LIB_NAME
+static ERR_STRING_DATA AEPHK_lib_name[]=
+        {
+{0      ,AEPHK_LIB_NAME},
+{0,NULL}
+        };
+#endif
+
+
+static int AEPHK_lib_error_code=0;
+static int AEPHK_error_init=1;
+
+static void ERR_load_AEPHK_strings(void)
+        {
+        if (AEPHK_lib_error_code == 0)
+                AEPHK_lib_error_code=ERR_get_next_error_library();
+
+        if (AEPHK_error_init)
+                {
+                AEPHK_error_init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(AEPHK_lib_error_code,AEPHK_str_functs);
+                ERR_load_strings(AEPHK_lib_error_code,AEPHK_str_reasons);
+#endif
+
+#ifdef AEPHK_LIB_NAME
+                AEPHK_lib_name->error = ERR_PACK(AEPHK_lib_error_code,0,0);
+                ERR_load_strings(0,AEPHK_lib_name);
+#endif
+                }
+        }
+
+static void ERR_unload_AEPHK_strings(void)
+        {
+        if (AEPHK_error_init == 0)
+                {
+#ifndef OPENSSL_NO_ERR
+                ERR_unload_strings(AEPHK_lib_error_code,AEPHK_str_functs);
+                ERR_unload_strings(AEPHK_lib_error_code,AEPHK_str_reasons);
+#endif
+
+#ifdef AEPHK_LIB_NAME
+                ERR_unload_strings(0,AEPHK_lib_name);
+#endif
+                AEPHK_error_init=1;
+                }
+        }
+
+static void ERR_AEPHK_error(int function, int reason, char *file, int line)
+        {
+        if (AEPHK_lib_error_code == 0)
+                AEPHK_lib_error_code=ERR_get_next_error_library();
+        ERR_PUT_error(AEPHK_lib_error_code,function,reason,file,line);
+        }
diff --git a/src/lib/libssl/src/crypto/engine/hw_aep_err.h b/src/lib/libssl/src/crypto/engine/hw_aep_err.h
new file mode 100644
index 0000000000..8fe4cf921f
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/hw_aep_err.h
@@ -0,0 +1,101 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_AEPHK_ERR_H
+#define HEADER_AEPHK_ERR_H
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+static void ERR_load_AEPHK_strings(void);
+static void ERR_unload_AEPHK_strings(void);
+static void ERR_AEPHK_error(int function, int reason, char *file, int line);
+#define AEPHKerr(f,r) ERR_AEPHK_error((f),(r),__FILE__,__LINE__)
+
+/* Error codes for the AEPHK functions. */
+
+/* Function codes. */
+#define AEPHK_F_AEP_CTRL                                 100
+#define AEPHK_F_AEP_FINISH                               101
+#define AEPHK_F_AEP_GET_CONNECTION                       102
+#define AEPHK_F_AEP_INIT                                 103
+#define AEPHK_F_AEP_MOD_EXP                              104
+#define AEPHK_F_AEP_MOD_EXP_CRT                          105
+#define AEPHK_F_AEP_RAND                                 106
+#define AEPHK_F_AEP_RSA_MOD_EXP                          107
+
+/* Reason codes. */
+#define AEPHK_R_ALREADY_LOADED                           100
+#define AEPHK_R_CLOSE_HANDLES_FAILED                     101
+#define AEPHK_R_CONNECTIONS_IN_USE                       102
+#define AEPHK_R_CTRL_COMMAND_NOT_IMPLEMENTED             103
+#define AEPHK_R_FINALIZE_FAILED                          104
+#define AEPHK_R_GET_HANDLE_FAILED                        105
+#define AEPHK_R_GET_RANDOM_FAILED                        106
+#define AEPHK_R_INIT_FAILURE                             107
+#define AEPHK_R_MISSING_KEY_COMPONENTS                   108
+#define AEPHK_R_MOD_EXP_CRT_FAILED                       109
+#define AEPHK_R_MOD_EXP_FAILED                           110
+#define AEPHK_R_NOT_LOADED                               111
+#define AEPHK_R_OK                                       112
+#define AEPHK_R_RETURN_CONNECTION_FAILED                 113
+#define AEPHK_R_SETBNCALLBACK_FAILURE                    114
+#define AEPHK_R_SIZE_TOO_LARGE_OR_TOO_SMALL              116
+#define AEPHK_R_UNIT_FAILURE                             115
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libssl/src/crypto/engine/hw_atalla.c b/src/lib/libssl/src/crypto/engine/hw_atalla.c
new file mode 100644
index 0000000000..3bb992a193
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/hw_atalla.c
@@ -0,0 +1,444 @@
+/* crypto/engine/hw_atalla.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/dso.h>
+#include "engine_int.h"
+#include <openssl/engine.h>
+
+#ifndef NO_HW
+#ifndef NO_HW_ATALLA
+
+#ifdef FLAT_INC
+#include "atalla.h"
+#else
+#include "vendor_defns/atalla.h"
+#endif
+
+static int atalla_init(void);
+static int atalla_finish(void);
+
+/* BIGNUM stuff */
+static int atalla_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *m, BN_CTX *ctx);
+
+/* RSA stuff */
+static int atalla_rsa_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa);
+/* This function is aliased to mod_exp (with the mont stuff dropped). */
+static int atalla_mod_exp_mont(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
+/* DSA stuff */
+static int atalla_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+                BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
+                BN_CTX *ctx, BN_MONT_CTX *in_mont);
+static int atalla_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
+                const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+                BN_MONT_CTX *m_ctx);
+
+/* DH stuff */
+/* This function is alised to mod_exp (with the DH and mont dropped). */
+static int atalla_mod_exp_dh(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
+
+/* Our internal RSA_METHOD that we provide pointers to */
+static RSA_METHOD atalla_rsa =
+        {
+        "Atalla RSA method",
+        NULL,
+        NULL,
+        NULL,
+        NULL,
+        atalla_rsa_mod_exp,
+        atalla_mod_exp_mont,
+        NULL,
+        NULL,
+        0,
+        NULL,
+        NULL,
+        NULL
+        };
+
+/* Our internal DSA_METHOD that we provide pointers to */
+static DSA_METHOD atalla_dsa =
+        {
+        "Atalla DSA method",
+        NULL, /* dsa_do_sign */
+        NULL, /* dsa_sign_setup */
+        NULL, /* dsa_do_verify */
+        atalla_dsa_mod_exp, /* dsa_mod_exp */
+        atalla_mod_exp_dsa, /* bn_mod_exp */
+        NULL, /* init */
+        NULL, /* finish */
+        0, /* flags */
+        NULL /* app_data */
+        };
+
+/* Our internal DH_METHOD that we provide pointers to */
+static DH_METHOD atalla_dh =
+        {
+        "Atalla DH method",
+        NULL,
+        NULL,
+        atalla_mod_exp_dh,
+        NULL,
+        NULL,
+        0,
+        NULL
+        };
+
+/* Our ENGINE structure. */
+static ENGINE engine_atalla =
+        {
+        "atalla",
+        "Atalla hardware engine support",
+        &atalla_rsa,
+        &atalla_dsa,
+        &atalla_dh,
+        NULL,
+        atalla_mod_exp,
+        NULL,
+        atalla_init,
+        atalla_finish,
+        NULL, /* no ctrl() */
+        NULL, /* no load_privkey() */
+        NULL, /* no load_pubkey() */
+        0, /* no flags */
+        0, 0, /* no references */
+        NULL, NULL /* unlinked */
+        };
+
+/* As this is only ever called once, there's no need for locking
+ * (indeed - the lock will already be held by our caller!!!) */
+ENGINE *ENGINE_atalla()
+        {
+        RSA_METHOD *meth1;
+        DSA_METHOD *meth2;
+        DH_METHOD *meth3;
+
+        /* We know that the "PKCS1_SSLeay()" functions hook properly
+         * to the atalla-specific mod_exp and mod_exp_crt so we use
+         * those functions. NB: We don't use ENGINE_openssl() or
+         * anything "more generic" because something like the RSAref
+         * code may not hook properly, and if you own one of these
+         * cards then you have the right to do RSA operations on it
+         * anyway! */ 
+        meth1 = RSA_PKCS1_SSLeay();
+        atalla_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
+        atalla_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
+        atalla_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
+        atalla_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
+
+        /* Use the DSA_OpenSSL() method and just hook the mod_exp-ish
+         * bits. */
+        meth2 = DSA_OpenSSL();
+        atalla_dsa.dsa_do_sign = meth2->dsa_do_sign;
+        atalla_dsa.dsa_sign_setup = meth2->dsa_sign_setup;
+        atalla_dsa.dsa_do_verify = meth2->dsa_do_verify;
+
+        /* Much the same for Diffie-Hellman */
+        meth3 = DH_OpenSSL();
+        atalla_dh.generate_key = meth3->generate_key;
+        atalla_dh.compute_key = meth3->compute_key;
+        return &engine_atalla;
+        }
+
+/* This is a process-global DSO handle used for loading and unloading
+ * the Atalla library. NB: This is only set (or unset) during an
+ * init() or finish() call (reference counts permitting) and they're
+ * operating with global locks, so this should be thread-safe
+ * implicitly. */
+static DSO *atalla_dso = NULL;
+
+/* These are the function pointers that are (un)set when the library has
+ * successfully (un)loaded. */
+static tfnASI_GetHardwareConfig *p_Atalla_GetHardwareConfig = NULL;
+static tfnASI_RSAPrivateKeyOpFn *p_Atalla_RSAPrivateKeyOpFn = NULL;
+static tfnASI_GetPerformanceStatistics *p_Atalla_GetPerformanceStatistics = NULL;
+
+/* (de)initialisation functions. */
+static int atalla_init()
+        {
+        tfnASI_GetHardwareConfig *p1;
+        tfnASI_RSAPrivateKeyOpFn *p2;
+        tfnASI_GetPerformanceStatistics *p3;
+        /* Not sure of the origin of this magic value, but Ben's code had it
+         * and it seemed to have been working for a few people. :-) */
+        unsigned int config_buf[1024];
+
+        if(atalla_dso != NULL)
+                {
+                ENGINEerr(ENGINE_F_ATALLA_INIT,ENGINE_R_ALREADY_LOADED);
+                goto err;
+                }
+        /* Attempt to load libatasi.so/atasi.dll/whatever. Needs to be
+         * changed unfortunately because the Atalla drivers don't have
+         * standard library names that can be platform-translated well. */
+        /* TODO: Work out how to actually map to the names the Atalla
+         * drivers really use - for now a symbollic link needs to be
+         * created on the host system from libatasi.so to atasi.so on
+         * unix variants. */
+        atalla_dso = DSO_load(NULL, ATALLA_LIBNAME, NULL,
+                DSO_FLAG_NAME_TRANSLATION);
+        if(atalla_dso == NULL)
+                {
+                ENGINEerr(ENGINE_F_ATALLA_INIT,ENGINE_R_DSO_FAILURE);
+                goto err;
+                }
+        if(!(p1 = (tfnASI_GetHardwareConfig *)DSO_bind_func(
+                                atalla_dso, ATALLA_F1)) ||
+                        !(p2 = (tfnASI_RSAPrivateKeyOpFn *)DSO_bind_func(
+                                atalla_dso, ATALLA_F2)) ||
+                        !(p3 = (tfnASI_GetPerformanceStatistics *)DSO_bind_func(
+                                atalla_dso, ATALLA_F3)))
+                {
+                ENGINEerr(ENGINE_F_ATALLA_INIT,ENGINE_R_DSO_FAILURE);
+                goto err;
+                }
+        /* Copy the pointers */
+        p_Atalla_GetHardwareConfig = p1;
+        p_Atalla_RSAPrivateKeyOpFn = p2;
+        p_Atalla_GetPerformanceStatistics = p3;
+        /* Perform a basic test to see if there's actually any unit
+         * running. */
+        if(p1(0L, config_buf) != 0)
+                {
+                ENGINEerr(ENGINE_F_ATALLA_INIT,ENGINE_R_UNIT_FAILURE);
+                goto err;
+                }
+        /* Everything's fine. */
+        return 1;
+err:
+        if(atalla_dso)
+                DSO_free(atalla_dso);
+        p_Atalla_GetHardwareConfig = NULL;
+        p_Atalla_RSAPrivateKeyOpFn = NULL;
+        p_Atalla_GetPerformanceStatistics = NULL;
+        return 0;
+        }
+
+static int atalla_finish()
+        {
+        if(atalla_dso == NULL)
+                {
+                ENGINEerr(ENGINE_F_ATALLA_FINISH,ENGINE_R_NOT_LOADED);
+                return 0;
+                }
+        if(!DSO_free(atalla_dso))
+                {
+                ENGINEerr(ENGINE_F_ATALLA_FINISH,ENGINE_R_DSO_FAILURE);
+                return 0;
+                }
+        atalla_dso = NULL;
+        p_Atalla_GetHardwareConfig = NULL;
+        p_Atalla_RSAPrivateKeyOpFn = NULL;
+        p_Atalla_GetPerformanceStatistics = NULL;
+        return 1;
+        }
+
+static int atalla_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                        const BIGNUM *m, BN_CTX *ctx)
+        {
+        /* I need somewhere to store temporary serialised values for
+         * use with the Atalla API calls. A neat cheat - I'll use
+         * BIGNUMs from the BN_CTX but access their arrays directly as
+         * byte arrays <grin>. This way I don't have to clean anything
+         * up. */
+        BIGNUM *modulus;
+        BIGNUM *exponent;
+        BIGNUM *argument;
+        BIGNUM *result;
+        RSAPrivateKey keydata;
+        int to_return, numbytes;
+
+        modulus = exponent = argument = result = NULL;
+        to_return = 0; /* expect failure */
+
+        if(!atalla_dso)
+        {
+                ENGINEerr(ENGINE_F_ATALLA_MOD_EXP,ENGINE_R_NOT_LOADED);
+                goto err;
+        }
+        /* Prepare the params */
+        modulus = BN_CTX_get(ctx);
+        exponent = BN_CTX_get(ctx);
+        argument = BN_CTX_get(ctx);
+        result = BN_CTX_get(ctx);
+        if(!modulus || !exponent || !argument || !result)
+        {
+                ENGINEerr(ENGINE_F_ATALLA_MOD_EXP,ENGINE_R_BN_CTX_FULL);
+                goto err;
+        }
+        if(!bn_wexpand(modulus, m->top) || !bn_wexpand(exponent, m->top) ||
+           !bn_wexpand(argument, m->top) || !bn_wexpand(result, m->top))
+        {
+                ENGINEerr(ENGINE_F_ATALLA_MOD_EXP,ENGINE_R_BN_EXPAND_FAIL);
+                goto err;
+        }
+        /* Prepare the key-data */
+        memset(&keydata, 0,sizeof keydata);
+        numbytes = BN_num_bytes(m);
+        memset(exponent->d, 0, numbytes);
+        memset(modulus->d, 0, numbytes);
+        BN_bn2bin(p, (unsigned char *)exponent->d + numbytes - BN_num_bytes(p));
+        BN_bn2bin(m, (unsigned char *)modulus->d + numbytes - BN_num_bytes(m));
+        keydata.privateExponent.data = (unsigned char *)exponent->d;
+        keydata.privateExponent.len = numbytes;
+        keydata.modulus.data = (unsigned char *)modulus->d;
+        keydata.modulus.len = numbytes;
+        /* Prepare the argument */
+        memset(argument->d, 0, numbytes);
+        memset(result->d, 0, numbytes);
+        BN_bn2bin(a, (unsigned char *)argument->d + numbytes - BN_num_bytes(a));
+        /* Perform the operation */
+        if(p_Atalla_RSAPrivateKeyOpFn(&keydata, (unsigned char *)result->d,
+                        (unsigned char *)argument->d,
+                        keydata.modulus.len) != 0)
+        {
+                ENGINEerr(ENGINE_F_ATALLA_MOD_EXP,ENGINE_R_REQUEST_FAILED);
+                goto err;
+        }
+        /* Convert the response */
+        BN_bin2bn((unsigned char *)result->d, numbytes, r);
+        to_return = 1;
+err:
+        if(modulus) ctx->tos--;
+        if(exponent) ctx->tos--;
+        if(argument) ctx->tos--;
+        if(result) ctx->tos--;
+        return to_return;
+        }
+
+static int atalla_rsa_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
+        {
+        BN_CTX *ctx = NULL;
+        int to_return = 0;
+
+        if(!atalla_dso)
+        {
+                ENGINEerr(ENGINE_F_ATALLA_RSA_MOD_EXP,ENGINE_R_NOT_LOADED);
+                goto err;
+        }
+        if((ctx = BN_CTX_new()) == NULL)
+                goto err;
+        if(!rsa->d || !rsa->n)
+                {
+                ENGINEerr(ENGINE_F_ATALLA_RSA_MOD_EXP,ENGINE_R_MISSING_KEY_COMPONENTS);
+                goto err;
+                }
+        to_return = atalla_mod_exp(r0, I, rsa->d, rsa->n, ctx);
+err:
+        if(ctx)
+                BN_CTX_free(ctx);
+        return to_return;
+        }
+
+/* This code was liberated and adapted from the commented-out code in
+ * dsa_ossl.c. Because of the unoptimised form of the Atalla acceleration
+ * (it doesn't have a CRT form for RSA), this function means that an
+ * Atalla system running with a DSA server certificate can handshake
+ * around 5 or 6 times faster/more than an equivalent system running with
+ * RSA. Just check out the "signs" statistics from the RSA and DSA parts
+ * of "openssl speed -engine atalla dsa1024 rsa1024". */
+static int atalla_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+                BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
+                BN_CTX *ctx, BN_MONT_CTX *in_mont)
+        {
+        BIGNUM t;
+        int to_return = 0;
+ 
+        BN_init(&t);
+        /* let rr = a1 ^ p1 mod m */
+        if (!atalla_mod_exp(rr,a1,p1,m,ctx)) goto end;
+        /* let t = a2 ^ p2 mod m */
+        if (!atalla_mod_exp(&t,a2,p2,m,ctx)) goto end;
+        /* let rr = rr * t mod m */
+        if (!BN_mod_mul(rr,rr,&t,m,ctx)) goto end;
+        to_return = 1;
+end:
+        BN_free(&t);
+        return to_return;
+        }
+
+
+static int atalla_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
+                const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+                BN_MONT_CTX *m_ctx)
+        {
+        return atalla_mod_exp(r, a, p, m, ctx);
+        }
+
+/* This function is aliased to mod_exp (with the mont stuff dropped). */
+static int atalla_mod_exp_mont(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+        {
+        return atalla_mod_exp(r, a, p, m, ctx);
+        }
+
+/* This function is aliased to mod_exp (with the dh and mont dropped). */
+static int atalla_mod_exp_dh(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+        {
+        return atalla_mod_exp(r, a, p, m, ctx);
+        }
+
+#endif /* !NO_HW_ATALLA */
+#endif /* !NO_HW */
diff --git a/src/lib/libssl/src/crypto/engine/hw_atalla_err.c b/src/lib/libssl/src/crypto/engine/hw_atalla_err.c
new file mode 100644
index 0000000000..1df9c4570c
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/hw_atalla_err.c
@@ -0,0 +1,145 @@
+/* hw_atalla_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "hw_atalla_err.h"
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA ATALLA_str_functs[]=
+        {
+{ERR_PACK(0,ATALLA_F_ATALLA_CTRL,0),    "ATALLA_CTRL"},
+{ERR_PACK(0,ATALLA_F_ATALLA_FINISH,0),  "ATALLA_FINISH"},
+{ERR_PACK(0,ATALLA_F_ATALLA_INIT,0),    "ATALLA_INIT"},
+{ERR_PACK(0,ATALLA_F_ATALLA_MOD_EXP,0), "ATALLA_MOD_EXP"},
+{ERR_PACK(0,ATALLA_F_ATALLA_RSA_MOD_EXP,0),     "ATALLA_RSA_MOD_EXP"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA ATALLA_str_reasons[]=
+        {
+{ATALLA_R_ALREADY_LOADED                 ,"already loaded"},
+{ATALLA_R_BN_CTX_FULL                    ,"bn ctx full"},
+{ATALLA_R_BN_EXPAND_FAIL                 ,"bn expand fail"},
+{ATALLA_R_CTRL_COMMAND_NOT_IMPLEMENTED   ,"ctrl command not implemented"},
+{ATALLA_R_MISSING_KEY_COMPONENTS         ,"missing key components"},
+{ATALLA_R_NOT_LOADED                     ,"not loaded"},
+{ATALLA_R_REQUEST_FAILED                 ,"request failed"},
+{ATALLA_R_UNIT_FAILURE                   ,"unit failure"},
+{0,NULL}
+        };
+
+#endif
+
+#ifdef ATALLA_LIB_NAME
+static ERR_STRING_DATA ATALLA_lib_name[]=
+        {
+{0      ,ATALLA_LIB_NAME},
+{0,NULL}
+        };
+#endif
+
+
+static int ATALLA_lib_error_code=0;
+static int ATALLA_error_init=1;
+
+static void ERR_load_ATALLA_strings(void)
+        {
+        if (ATALLA_lib_error_code == 0)
+                ATALLA_lib_error_code=ERR_get_next_error_library();
+
+        if (ATALLA_error_init)
+                {
+                ATALLA_error_init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(ATALLA_lib_error_code,ATALLA_str_functs);
+                ERR_load_strings(ATALLA_lib_error_code,ATALLA_str_reasons);
+#endif
+
+#ifdef ATALLA_LIB_NAME
+                ATALLA_lib_name->error = ERR_PACK(ATALLA_lib_error_code,0,0);
+                ERR_load_strings(0,ATALLA_lib_name);
+#endif
+                }
+        }
+
+static void ERR_unload_ATALLA_strings(void)
+        {
+        if (ATALLA_error_init == 0)
+                {
+#ifndef OPENSSL_NO_ERR
+                ERR_unload_strings(ATALLA_lib_error_code,ATALLA_str_functs);
+                ERR_unload_strings(ATALLA_lib_error_code,ATALLA_str_reasons);
+#endif
+
+#ifdef ATALLA_LIB_NAME
+                ERR_unload_strings(0,ATALLA_lib_name);
+#endif
+                ATALLA_error_init=1;
+                }
+        }
+
+static void ERR_ATALLA_error(int function, int reason, char *file, int line)
+        {
+        if (ATALLA_lib_error_code == 0)
+                ATALLA_lib_error_code=ERR_get_next_error_library();
+        ERR_PUT_error(ATALLA_lib_error_code,function,reason,file,line);
+        }
diff --git a/src/lib/libssl/src/crypto/engine/hw_atalla_err.h b/src/lib/libssl/src/crypto/engine/hw_atalla_err.h
new file mode 100644
index 0000000000..cdac052d8c
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/hw_atalla_err.h
@@ -0,0 +1,89 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_ATALLA_ERR_H
+#define HEADER_ATALLA_ERR_H
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+static void ERR_load_ATALLA_strings(void);
+static void ERR_unload_ATALLA_strings(void);
+static void ERR_ATALLA_error(int function, int reason, char *file, int line);
+#define ATALLAerr(f,r) ERR_ATALLA_error((f),(r),__FILE__,__LINE__)
+
+/* Error codes for the ATALLA functions. */
+
+/* Function codes. */
+#define ATALLA_F_ATALLA_CTRL                             100
+#define ATALLA_F_ATALLA_FINISH                           101
+#define ATALLA_F_ATALLA_INIT                             102
+#define ATALLA_F_ATALLA_MOD_EXP                          103
+#define ATALLA_F_ATALLA_RSA_MOD_EXP                      104
+
+/* Reason codes. */
+#define ATALLA_R_ALREADY_LOADED                          100
+#define ATALLA_R_BN_CTX_FULL                             101
+#define ATALLA_R_BN_EXPAND_FAIL                          102
+#define ATALLA_R_CTRL_COMMAND_NOT_IMPLEMENTED            103
+#define ATALLA_R_MISSING_KEY_COMPONENTS                  104
+#define ATALLA_R_NOT_LOADED                              105
+#define ATALLA_R_REQUEST_FAILED                          106
+#define ATALLA_R_UNIT_FAILURE                            107
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libssl/src/crypto/engine/hw_cryptodev.c b/src/lib/libssl/src/crypto/engine/hw_cryptodev.c
new file mode 100644
index 0000000000..7c3728f395
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/hw_cryptodev.c
@@ -0,0 +1,926 @@
+/*
+ * Copyright (c) 2002 Bob Beck <beck@openbsd.org>
+ * Copyright (c) 2002 Theo de Raadt
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the author nor the names of contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <crypto/cryptodev.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <syslog.h>
+#include <stdarg.h>
+#include <ssl/objects.h>
+#include <ssl/engine.h>
+#include <ssl/evp.h>
+
+static int cryptodev_fd = -1;
+static int cryptodev_sessions = 0;
+static u_int32_t cryptodev_symfeat = 0;
+
+static int bn2crparam(const BIGNUM *a, struct crparam *crp);
+static int crparam2bn(struct crparam *crp, BIGNUM *a);
+static void zapparams(struct crypt_kop *kop);
+
+static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa);
+static int cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a,
+    const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+static int cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a,
+    const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+static DSA_SIG *cryptodev_dsa_do_sign(const unsigned char *dgst,
+    int dlen, DSA *dsa);
+static int cryptodev_dsa_verify(const unsigned char *dgst, int dgst_len,
+    DSA_SIG *sig, DSA *dsa);
+static int cryptodev_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
+    const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+    BN_MONT_CTX *m_ctx);
+static int cryptodev_dh_compute_key(unsigned char *key,
+    const BIGNUM *pub_key, DH *dh);
+
+static const ENGINE_CMD_DEFN cryptodev_defns[] = {
+        { 0, NULL, NULL, 0 }
+};
+
+static struct {
+        int     id;
+        int     nid;
+        int     ivmax;
+        int     keylen;
+} ciphers[] = {
+        { CRYPTO_DES_CBC,               NID_des_cbc,            8,       8, },
+        { CRYPTO_3DES_CBC,              NID_des_ede3_cbc,       8,      24, },
+        { CRYPTO_AES_CBC,               NID_undef,              8,      24, },
+        { CRYPTO_BLF_CBC,               NID_bf_cbc,             8,      16, },
+        { CRYPTO_CAST_CBC,              NID_cast5_cbc,          8,       8, },
+        { CRYPTO_SKIPJACK_CBC,          NID_undef,              0,       0, },
+        { CRYPTO_ARC4,                  NID_rc4,                8,      16, },
+        { 0,                            NID_undef,              0,       0, },
+};
+
+static struct {
+        int     id;
+        int     nid;
+} digests[] = {
+        { CRYPTO_SHA1_HMAC,             NID_hmacWithSHA1,       },
+        { CRYPTO_RIPEMD160_HMAC,        NID_ripemd160,          },
+        { CRYPTO_MD5_KPDK,              NID_undef,              },
+        { CRYPTO_SHA1_KPDK,             NID_undef,              },
+        { CRYPTO_MD5,                   NID_md5,                },
+        { CRYPTO_SHA1,                  NID_undef,              },
+        { 0,                            NID_undef,              },
+};
+
+/*
+ * Return 1 if /dev/crypto seems usable, 0 otherwise , also
+ * does most of the work of initting the device, if not already
+ * done.. This should leave is with global fd initialized with CRIOGET.
+ */
+static int
+check_dev_crypto()
+{
+        int fd;
+
+        if (cryptodev_fd == -1) {
+                if ((fd = open("/dev/crypto", O_RDWR, 0)) == -1)
+                        return (0);
+                if (ioctl(fd, CRIOGET, &cryptodev_fd) == -1) {
+                        close(fd);
+                        return (0);
+                }
+                close(fd);
+                /* close on exec */
+                if (fcntl(cryptodev_fd, F_SETFD, 1) == -1) {
+                        close(cryptodev_fd);
+                        cryptodev_fd = -1;
+                        return (0);
+                }
+        }
+        ioctl(cryptodev_fd, CIOCSYMFEAT, &cryptodev_symfeat);
+
+        return (1);
+}
+
+/*
+ * XXXX this needs to be set for each alg - and determined from
+ * a running card.
+ */
+static int
+cryptodev_max_iv(int cipher)
+{
+        int i;
+
+        for (i = 0; ciphers[i].id; i++)
+                if (ciphers[i].id == cipher)
+                        return (ciphers[i].ivmax);
+        return (0);
+}
+
+/*
+ * XXXX this needs to be set for each alg - and determined from
+ * a running card. For now, fake it out - but most of these
+ * for real devices should return 1 for the supported key
+ * sizes the device can handle.
+ */
+static int
+cryptodev_key_length_valid(int cipher, int len)
+{
+        int i;
+
+        for (i = 0; ciphers[i].id; i++)
+                if (ciphers[i].id == cipher)
+                        return (ciphers[i].keylen == len);
+        return (0);
+}
+
+/* convert libcrypto nids to cryptodev */
+static int
+cipher_nid_to_cryptodev(int nid)
+{
+        int i;
+
+        for (i = 0; ciphers[i].id; i++)
+                if (ciphers[i].nid == nid)
+                        return (ciphers[i].id);
+        return (0);
+}
+
+/*
+ * Find out what ciphers /dev/crypto will let us have a session for.
+ * XXX note, that some of these openssl doesn't deal with yet!
+ * returning them here is harmless, as long as we return NULL
+ * when asked for a handler in the cryptodev_engine_ciphers routine
+ */
+static int
+get_cryptodev_ciphers(const int **cnids)
+{
+        static int nids[CRYPTO_ALGORITHM_MAX];
+        struct session_op sess;
+        int i, count = 0;
+
+        memset(&sess, 0, sizeof(sess));
+        sess.key = (caddr_t)"123456781234567812345678";
+
+        for (i = 0; ciphers[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
+                if (ciphers[i].nid == NID_undef)
+                        continue;
+                sess.cipher = ciphers[i].id;
+                sess.keylen = ciphers[i].keylen;
+                sess.mac = 0;
+                if (ioctl(cryptodev_fd, CIOCGSESSION, &sess) != -1 &&
+                    ioctl(cryptodev_fd, CIOCFSESSION, &sess.ses) != -1)
+                        nids[count++] = ciphers[i].nid;
+        }
+        if (count > 0)
+                *cnids = nids;
+        else
+                *cnids = NULL;
+        return (count);
+}
+
+/*
+ * Find out what digests /dev/crypto will let us have a session for.
+ * XXX note, that some of these openssl doesn't deal with yet!
+ * returning them here is harmless, as long as we return NULL
+ * when asked for a handler in the cryptodev_engine_digests routine
+ */
+static int
+get_cryptodev_digests(const int **cnids)
+{
+        static int nids[CRYPTO_ALGORITHM_MAX];
+        struct session_op sess;
+        int i, count = 0;
+
+        memset(&sess, 0, sizeof(sess));
+        for (i = 0; digests[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
+                if (digests[i].nid == NID_undef)
+                        continue;
+                sess.mac = digests[i].id;
+                sess.cipher = 0;
+                if (ioctl(cryptodev_fd, CIOCGSESSION, &sess) != -1 &&
+                    ioctl(cryptodev_fd, CIOCFSESSION, &sess.ses) != -1)
+                        nids[count++] = digests[i].nid;
+        }
+        if (count > 0)
+                *cnids = nids;
+        else
+                *cnids = NULL;
+        return (count);
+}
+
+/*
+ * Find the useable ciphers|digests from dev/crypto - this is the first
+ * thing called by the engine init crud which determines what it
+ * can use for ciphers from this engine. We want to return
+ * only what we can do, anythine else is handled by software.
+ *
+ * If we can't initialize the device to do anything useful for
+ * any reason, we want to return a NULL array, and 0 length,
+ * which forces everything to be done is software. By putting
+ * the initalization of the device in here, we ensure we can
+ * use this engine as the default, and if for whatever reason
+ * /dev/crypto won't do what we want it will just be done in
+ * software
+ *
+ * This can (should) be greatly expanded to perhaps take into
+ * account speed of the device, and what we want to do.
+ * (although the disabling of particular alg's could be controlled
+ * by the device driver with sysctl's.) - this is where we
+ * want most of the decisions made about what we actually want
+ * to use from /dev/crypto.
+ */
+int
+cryptodev_usable_ciphers(const int **nids)
+{
+        if (!check_dev_crypto()) {
+                *nids = NULL;
+                return (0);
+        }
+
+        /* find what the device can do. Unfortunately, we don't
+         * necessarily want all of these yet, because we aren't
+         * yet set up to do them
+         */
+        return (get_cryptodev_ciphers(nids));
+}
+
+int
+cryptodev_usable_digests(const int **nids)
+{
+#if 1
+        /*
+         * XXXX just disable all digests for now, because it sucks.
+         * we need a better way to decide this - i.e. I may not
+         * want digests on slow cards like hifn on fast machines,
+         * but might want them on slow or loaded machines, etc.
+         * will also want them when using crypto cards that don't
+         * suck moose gonads - would be nice to be able to decide something
+         * as reasonable default without having hackery that's card dependent.
+         * of course, the default should probably be just do everything,
+         * with perhaps a sysctl to turn algoritms off (or have them off
+         * by default) on cards that generally suck like the hifn.
+         */
+        *nids = NULL;
+        return (0);
+#endif
+
+        if (!check_dev_crypto()) {
+                *nids = NULL;
+                return (0);
+        }
+        return (get_cryptodev_digests(nids));
+}
+
+
+int
+cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+    const unsigned char *in, unsigned int inl)
+{
+        struct crypt_op cryp;
+        struct session_op *sess = ctx->cipher_data;
+        void *iiv;
+        unsigned char save_iv[EVP_MAX_IV_LENGTH];
+        struct syslog_data sd = SYSLOG_DATA_INIT;
+
+        if (cryptodev_fd == -1)
+                return (0);
+        if (sess == NULL)
+                return (0);
+        if (!inl)
+                return (1);
+        if ((inl % ctx->cipher->block_size) != 0)
+                return (0);
+
+        memset(&cryp, 0, sizeof(cryp));
+
+        cryp.ses = sess->ses;
+        cryp.flags = 0;
+        cryp.len = inl;
+        cryp.src = (caddr_t) in;
+        cryp.dst = (caddr_t) out;
+        cryp.mac = 0;
+
+        cryp.op = ctx->encrypt ? COP_ENCRYPT : COP_DECRYPT;
+
+        if (ctx->cipher->iv_len) {
+                cryp.iv = (caddr_t) ctx->iv;
+                if (!ctx->encrypt) {
+                        iiv = (void *) in + inl - ctx->cipher->iv_len;
+                        memcpy(save_iv, iiv, ctx->cipher->iv_len);
+                }
+        } else
+                cryp.iv = NULL;
+
+        if (ioctl(cryptodev_fd, CIOCCRYPT, &cryp) == -1) {
+                /* XXX need better errror handling
+                 * this can fail for a number of different reasons.
+                 */
+                syslog_r(LOG_ERR, &sd, "CIOCCRYPT failed (%m)");
+                return (0);
+        }
+
+        if (ctx->cipher->iv_len) {
+                if (ctx->encrypt)
+                        iiv = (void *) out + inl - ctx->cipher->iv_len;
+                else
+                        iiv = save_iv;
+                memcpy(ctx->iv, iiv, ctx->cipher->iv_len);
+        }
+        return (1);
+}
+
+int
+cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+    const unsigned char *iv, int enc)
+{
+        struct session_op *sess = ctx->cipher_data;
+        struct syslog_data sd = SYSLOG_DATA_INIT;
+        int cipher;
+
+        if ((cipher = cipher_nid_to_cryptodev(ctx->cipher->nid)) == NID_undef)
+                return (0);
+
+        if (!check_dev_crypto())
+                return (0);
+
+        if (ctx->cipher->iv_len > cryptodev_max_iv(cipher))
+                return (0);
+
+        if (!cryptodev_key_length_valid(cipher, ctx->key_len))
+                return (0);
+
+        memset(sess, 0, sizeof(struct session_op));
+
+        sess->key = (unsigned char *)key;
+        sess->keylen = ctx->key_len;
+        sess->cipher = cipher;
+
+        if (ioctl(cryptodev_fd, CIOCGSESSION, sess) == -1) {
+                syslog_r(LOG_ERR, &sd, "CIOCGSESSION failed (%m)");
+                return (0);
+        }
+        cryptodev_sessions++;
+        return (1);
+}
+
+/*
+ * free anything we allocated earlier when initting a
+ * session, and close the session.
+ */
+int
+cryptodev_cleanup(EVP_CIPHER_CTX *ctx)
+{
+        int ret = 0;
+        struct session_op *sess = ctx->cipher_data;
+        struct syslog_data sd = SYSLOG_DATA_INIT;
+
+        if (sess == NULL)
+                return (0);
+
+        /* XXX if this ioctl fails, someting's wrong. the invoker
+         * may have called us with a bogus ctx, or we could
+         * have a device that for whatever reason just doesn't
+         * want to play ball - it's not clear what's right
+         * here - should this be an error? should it just
+         * increase a counter, hmm. For right now, we return
+         * 0 - I don't believe that to be "right". we could
+         * call the gorpy openssl lib error handlers that
+         * print messages to users of the library. hmm..
+         */
+
+        if (ioctl(cryptodev_fd, CIOCFSESSION, &sess->ses) == -1) {
+                syslog_r(LOG_ERR, &sd, "CIOCFSESSION failed (%m)");
+                ret = 0;
+        } else {
+                cryptodev_sessions--;
+                ret = 1;
+        }
+        if (cryptodev_sessions == 0 && cryptodev_fd != -1 ) {
+                close(cryptodev_fd); /* XXX should this be closed? */
+                cryptodev_fd = -1;
+        }
+        return (ret);
+}
+
+/*
+ * libcrypto EVP stuff - this is how we get wired to EVP so the engine
+ * gets called when libcrypto requests a cipher NID.
+ */
+
+/* ARC4 (16 byte key) */
+const EVP_CIPHER cryptodev_arc4_cipher = {
+        NID_rc4,
+        1, 16, 0,
+        EVP_CIPH_VARIABLE_LENGTH,
+        cryptodev_init_key,
+        cryptodev_cipher,
+        cryptodev_cleanup,
+        sizeof(struct session_op),
+        NULL,
+        NULL,
+        NULL
+};
+
+/* DES CBC EVP */
+const EVP_CIPHER cryptodev_des_cbc = {
+        NID_des_cbc,
+        8, 8, 8,
+        EVP_CIPH_CBC_MODE,
+        cryptodev_init_key,
+        cryptodev_cipher,
+        cryptodev_cleanup,
+        sizeof(struct session_op),
+        EVP_CIPHER_set_asn1_iv,
+        EVP_CIPHER_get_asn1_iv,
+        NULL
+};
+
+/* 3DES CBC EVP */
+const EVP_CIPHER cryptodev_3des_cbc = {
+        NID_des_ede3_cbc,
+        8, 24, 8,
+        EVP_CIPH_CBC_MODE,
+        cryptodev_init_key,
+        cryptodev_cipher,
+        cryptodev_cleanup,
+        sizeof(struct session_op),
+        EVP_CIPHER_set_asn1_iv,
+        EVP_CIPHER_get_asn1_iv,
+        NULL
+};
+
+
+/*
+ * Registered by the ENGINE when used to find out how to deal with
+ * a particular NID in the ENGINE. this says what we'll do at the
+ * top level - note, that list is restricted by what we answer with
+ */
+int
+cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
+    const int **nids, int nid)
+{
+        if (!cipher)
+                return (cryptodev_usable_ciphers(nids));
+
+        switch (nid) {
+        case NID_rc4:
+                *cipher = &cryptodev_arc4_cipher;
+                break;
+        case NID_des_ede3_cbc:
+                *cipher = &cryptodev_3des_cbc;
+                break;
+        case NID_des_cbc:
+                *cipher = &cryptodev_des_cbc;
+                break;
+        default:
+                *cipher = NULL;
+                break;
+        }
+        return (*cipher != NULL);
+}
+
+int
+cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest,
+    const int **nids, int nid)
+{
+        if (!digest)
+                return (cryptodev_usable_digests(nids));
+
+        switch (nid) {
+        case NID_md5:
+                *digest = NULL; /* need to make a clean md5 critter */
+                break;
+        default:
+                *digest = NULL;
+                break;
+        }
+        return (*digest != NULL);
+}
+
+
+/*
+ * Convert a BIGNUM to the representation that /dev/crypto needs.
+ * Upon completion of use, the caller is responsible for freeing
+ * crp->crp_p.
+ */
+static int
+bn2crparam(const BIGNUM *a, struct crparam *crp)
+{
+        int i, j, n;
+        ssize_t words, bytes, bits;
+        u_char *b;
+
+        crp->crp_p = NULL;
+        crp->crp_nbits = 0;
+
+        bits = BN_num_bits(a);
+        bytes = (bits + 7) / 8;
+
+        b = malloc(bytes);
+        if (b == NULL)
+                return (1);
+
+        crp->crp_p = b;
+        crp->crp_nbits = bits;
+
+        words = (bits + BN_BITS2 - 1) / BN_BITS2;
+
+        n = 0;
+        for (i = 0; i < words && n < bytes; i++) {
+                BN_ULONG word;
+
+                word = a->d[i];
+                for (j = 0 ; j < BN_BYTES && n < bytes; j++, n++) {
+                        *b++ = (word & 0xff);
+                        word >>= 8;
+                }
+        }
+        return (0);
+}
+
+/* Convert a /dev/crypto parameter to a BIGNUM */
+static int
+crparam2bn(struct crparam *crp, BIGNUM *a)
+{
+        int i, bytes;
+
+        bytes = (crp->crp_nbits + 7)/8;
+
+        BN_zero(a);
+        for (i = bytes - 1; i >= 0; i--) {
+                BN_lshift(a, a, 8);
+                BN_add_word(a, (u_char)crp->crp_p[i]);
+        }
+
+        return (0);
+}
+
+static void
+zapparams(struct crypt_kop *kop)
+{
+        int i;
+
+        for (i = 0; i <= kop->crk_iparams + kop->crk_oparams; i++) {
+                if (kop->crk_param[i].crp_p)
+                        free(kop->crk_param[i].crp_p);
+                kop->crk_param[i].crp_p = NULL;
+                kop->crk_param[i].crp_nbits = 0;
+        }
+}
+
+static int
+cryptodev_sym(struct crypt_kop *kop, BIGNUM *r, BIGNUM *s)
+{
+        int ret = -1;
+
+        if (r) {
+                kop->crk_param[kop->crk_iparams].crp_p = malloc(256);
+                kop->crk_param[kop->crk_iparams].crp_nbits = 256 * 8;
+                kop->crk_oparams++;
+        }
+        if (s) {
+                kop->crk_param[kop->crk_iparams+1].crp_p = malloc(256);
+                kop->crk_param[kop->crk_iparams+1].crp_nbits = 256 * 8;
+                kop->crk_oparams++;
+        }
+
+        if (ioctl(cryptodev_fd, CIOCKEY, &kop) == 0) {
+                crparam2bn(&kop->crk_param[3], r);
+                ret = 0;
+        }
+        return (ret);
+}
+
+static int
+cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
+{
+        struct crypt_kop kop;
+        int ret = 0;
+
+        memset(&kop, 0, sizeof kop);
+        kop.crk_op = CRK_MOD_EXP;
+
+        /* inputs: a m p */
+        if (bn2crparam(a, &kop.crk_param[0]))
+                goto err;
+        if (bn2crparam(m, &kop.crk_param[1]))
+                goto err;
+        if (bn2crparam(p, &kop.crk_param[2]))
+                goto err;
+        kop.crk_iparams = 3;
+
+        if (cryptodev_sym(&kop, r, NULL) == -1) {
+                ret = BN_mod_exp(r, a, p, m, ctx);
+        }
+err:
+        zapparams(&kop);
+        return (ret);
+}
+
+
+static int
+cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
+{
+        struct crypt_kop kop;
+        int ret = 0;
+
+        if (!rsa->p || !rsa->q || !rsa->dmp1 || !rsa->dmq1 || !rsa->iqmp) {
+                /* XXX 0 means failure?? */
+                goto err;
+        }
+
+        memset(&kop, 0, sizeof kop);
+        kop.crk_op = CRK_MOD_EXP_CRT;
+        /* inputs: rsa->p rsa->q I rsa->dmp1 rsa->dmq1 rsa->iqmp */
+        if (bn2crparam(rsa->p, &kop.crk_param[0]))
+                goto err;
+        if (bn2crparam(rsa->q, &kop.crk_param[1]))
+                goto err;
+        if (bn2crparam(I, &kop.crk_param[2]))
+                goto err;
+        if (bn2crparam(rsa->dmp1, &kop.crk_param[3]))
+                goto err;
+        if (bn2crparam(rsa->dmq1, &kop.crk_param[4]))
+                goto err;
+        if (bn2crparam(rsa->iqmp, &kop.crk_param[5]))
+                goto err;
+        kop.crk_iparams = 6;
+
+        if (cryptodev_sym(&kop, r0, NULL) == -1) {
+                const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+
+                ret = (*meth->rsa_mod_exp)(r0, I, rsa);
+        }
+err:
+        zapparams(&kop);
+        return (ret);
+}
+
+static RSA_METHOD cryptodev_rsa = {
+        "cryptodev RSA method",
+        NULL,                           /* rsa_pub_enc */
+        NULL,                           /* rsa_pub_dec */
+        NULL,                           /* rsa_priv_enc */
+        NULL,                           /* rsa_priv_dec */
+        cryptodev_rsa_mod_exp,          /* rsa_mod_exp */
+        cryptodev_bn_mod_exp,           /* bn_mod_exp */
+        NULL,                           /* init */
+        NULL,                           /* finish */
+        0,                              /* flags */
+        NULL,                           /* app_data */
+        NULL,                           /* rsa_sign */
+        NULL                            /* rsa_verify */
+};
+
+static int
+cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+{
+        return (cryptodev_bn_mod_exp(r, a, p, m, ctx, m_ctx));
+}
+
+static DSA_SIG *
+cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
+{
+        struct crypt_kop kop;
+        BIGNUM *r = NULL, *s = NULL;
+        DSA_SIG *dsaret = NULL;
+
+        if ((r = BN_new()) == NULL)
+                goto err;
+        if ((s = BN_new()) == NULL) {
+                BN_free(r);
+                goto err;
+        }
+
+        memset(&kop, 0, sizeof kop);
+        kop.crk_op = CRK_DSA_SIGN;
+
+        /* inputs: dgst dsa->p dsa->q dsa->g dsa->priv_key */
+        kop.crk_param[0].crp_p = (caddr_t)dgst;
+        kop.crk_param[0].crp_nbits = dlen * 8;
+        if (bn2crparam(dsa->p, &kop.crk_param[1]))
+                goto err;
+        if (bn2crparam(dsa->q, &kop.crk_param[2]))
+                goto err;
+        if (bn2crparam(dsa->g, &kop.crk_param[3]))
+                goto err;
+        if (bn2crparam(dsa->priv_key, &kop.crk_param[4]))
+                goto err;
+        kop.crk_iparams = 5;
+
+        if (cryptodev_sym(&kop, r, s) == 0) {
+                dsaret = DSA_SIG_new();
+                dsaret->r = r;
+                dsaret->s = s;
+        } else {
+                const DSA_METHOD *meth = DSA_OpenSSL();
+
+                BN_free(r);
+                BN_free(s);
+                dsaret = (meth->dsa_do_sign)(dgst, dlen, dsa);
+        }
+err:
+        kop.crk_param[0].crp_p = NULL;
+        zapparams(&kop);
+        return (dsaret);
+}
+
+static int
+cryptodev_dsa_verify(const unsigned char *dgst, int dlen,
+    DSA_SIG *sig, DSA *dsa)
+{
+        struct crypt_kop kop;
+        int dsaret = 0;
+
+        memset(&kop, 0, sizeof kop);
+        kop.crk_op = CRK_DSA_VERIFY;
+
+        /* inputs: dgst dsa->p dsa->q dsa->g dsa->pub_key sig->r sig->s */
+        kop.crk_param[0].crp_p = (caddr_t)dgst;
+        kop.crk_param[0].crp_nbits = dlen * 8;
+        if (bn2crparam(dsa->p, &kop.crk_param[1]))
+                goto err;
+        if (bn2crparam(dsa->q, &kop.crk_param[2]))
+                goto err;
+        if (bn2crparam(dsa->g, &kop.crk_param[3]))
+                goto err;
+        if (bn2crparam(dsa->pub_key, &kop.crk_param[4]))
+                goto err;
+        if (bn2crparam(sig->r, &kop.crk_param[5]))
+                goto err;
+        if (bn2crparam(sig->s, &kop.crk_param[6]))
+                goto err;
+        kop.crk_iparams = 7;
+
+        if (cryptodev_sym(&kop, NULL, NULL) == 0) {
+                dsaret = kop.crk_status;
+        } else {
+                const DSA_METHOD *meth = DSA_OpenSSL();
+
+                dsaret = (meth->dsa_do_verify)(dgst, dlen, sig, dsa);
+        }
+err:
+        kop.crk_param[0].crp_p = NULL;
+        zapparams(&kop);
+        return (dsaret);
+}
+
+static DSA_METHOD cryptodev_dsa = {
+        "cryptodev DSA method",
+        cryptodev_dsa_do_sign,
+        NULL,                           /* dsa_sign_setup */
+        cryptodev_dsa_verify,
+        NULL,                           /* dsa_mod_exp */
+        cryptodev_dsa_bn_mod_exp,       /* bn_mod_exp */
+        NULL,                           /* init */
+        NULL,                           /* finish */
+        0,      /* flags */
+        NULL    /* app_data */
+};
+
+static int
+cryptodev_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
+    const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+    BN_MONT_CTX *m_ctx)
+{
+        return (cryptodev_bn_mod_exp(r, a, p, m, ctx, m_ctx));
+}
+
+static int
+cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
+{
+        struct crypt_kop kop;
+        int dhret = 0;
+        int keylen;
+
+        keylen = BN_num_bits(dh->p);
+
+        memset(&kop, 0, sizeof kop);
+        kop.crk_op = CRK_DH_COMPUTE_KEY;
+
+        /* inputs: dh->priv_key pub_key dh->p key */
+        if (bn2crparam(dh->priv_key, &kop.crk_param[0]))
+                goto err;
+        if (bn2crparam(pub_key, &kop.crk_param[1]))
+                goto err;
+        if (bn2crparam(dh->p, &kop.crk_param[2]))
+                goto err;
+        kop.crk_iparams = 3;
+
+        kop.crk_param[3].crp_p = key;
+        kop.crk_param[3].crp_nbits = keylen * 8;
+        kop.crk_oparams = 1;
+
+        if (ioctl(cryptodev_fd, CIOCKEY, &kop) == -1) {
+                const DH_METHOD *meth = DH_OpenSSL();
+
+                dhret = (meth->compute_key)(key, pub_key, dh);
+        }
+err:
+        kop.crk_param[3].crp_p = NULL;
+        zapparams(&kop);
+        return (dhret);
+}
+
+static DH_METHOD cryptodev_dh = {
+        "cryptodev DH method",
+        NULL,                           /* cryptodev_dh_generate_key */
+        cryptodev_dh_compute_key,
+        cryptodev_mod_exp_dh,
+        NULL,
+        NULL,
+        0,      /* flags */
+        NULL    /* app_data */
+};
+
+/*
+ * ctrl right now is just a wrapper that doesn't do much
+ * but I expect we'll want some options soon.
+ */
+static int
+cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
+{
+        struct syslog_data sd = SYSLOG_DATA_INIT;
+
+        switch (cmd) {
+        default:
+                syslog_r(LOG_ERR, &sd,
+                    "cryptodev_ctrl: unknown command %d", cmd);
+                break;
+        }
+        return (1);
+}
+
+void
+ENGINE_load_cryptodev(void)
+{
+        ENGINE *engine = ENGINE_new();
+        const RSA_METHOD *rsa_meth;
+        const DH_METHOD *dh_meth;
+
+        if (engine == NULL)
+                return;
+
+        if (!ENGINE_set_id(engine, "cryptodev") ||
+            !ENGINE_set_name(engine, "OpenBSD cryptodev engine") ||
+            !ENGINE_set_ciphers(engine, cryptodev_engine_ciphers) ||
+            !ENGINE_set_digests(engine, cryptodev_engine_digests) ||
+            !ENGINE_set_ctrl_function(engine, cryptodev_ctrl) ||
+            !ENGINE_set_cmd_defns(engine, cryptodev_defns)) {
+                ENGINE_free(engine);
+                return;
+        }
+
+        if ((cryptodev_symfeat & CRSFEAT_RSA) &&
+            ENGINE_set_RSA(engine, &cryptodev_rsa)) {
+                rsa_meth = RSA_PKCS1_SSLeay();
+                cryptodev_rsa.rsa_pub_enc = rsa_meth->rsa_pub_enc;
+                cryptodev_rsa.rsa_pub_dec = rsa_meth->rsa_pub_dec;
+                cryptodev_rsa.rsa_priv_enc = rsa_meth->rsa_priv_dec;
+                cryptodev_rsa.rsa_priv_dec = rsa_meth->rsa_priv_dec;
+        }
+
+        if ((cryptodev_symfeat & CRSFEAT_DSA) &&
+            ENGINE_set_DSA(engine, &cryptodev_dsa)) {
+        }
+
+        if ((cryptodev_symfeat & CRSFEAT_DH) &&
+            ENGINE_set_DH(engine, &cryptodev_dh)) {
+                dh_meth = DH_OpenSSL();
+                cryptodev_dh.generate_key = dh_meth->generate_key;
+                cryptodev_dh.compute_key = dh_meth->compute_key;
+        }
+
+        ENGINE_add(engine);
+        ENGINE_free(engine);
+        ERR_clear_error();
+}
diff --git a/src/lib/libssl/src/crypto/engine/hw_cswift.c b/src/lib/libssl/src/crypto/engine/hw_cswift.c
new file mode 100644
index 0000000000..77608b8983
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/hw_cswift.c
@@ -0,0 +1,807 @@
+/* crypto/engine/hw_cswift.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/dso.h>
+#include "engine_int.h"
+#include <openssl/engine.h>
+
+#ifndef NO_HW
+#ifndef NO_HW_CSWIFT
+
+/* Attribution notice: Rainbow have generously allowed me to reproduce
+ * the necessary definitions here from their API. This means the support
+ * can build independently of whether application builders have the
+ * API or hardware. This will allow developers to easily produce software
+ * that has latent hardware support for any users that have accelerators
+ * installed, without the developers themselves needing anything extra.
+ *
+ * I have only clipped the parts from the CryptoSwift header files that
+ * are (or seem) relevant to the CryptoSwift support code. This is
+ * simply to keep the file sizes reasonable.
+ * [Geoff]
+ */
+#ifdef FLAT_INC
+#include "cswift.h"
+#else
+#include "vendor_defns/cswift.h"
+#endif
+
+static int cswift_init(void);
+static int cswift_finish(void);
+
+/* BIGNUM stuff */
+static int cswift_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *m, BN_CTX *ctx);
+static int cswift_mod_exp_crt(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *q, const BIGNUM *dmp1, const BIGNUM *dmq1,
+                const BIGNUM *iqmp, BN_CTX *ctx);
+
+/* RSA stuff */
+static int cswift_rsa_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa);
+/* This function is aliased to mod_exp (with the mont stuff dropped). */
+static int cswift_mod_exp_mont(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
+/* DSA stuff */
+static DSA_SIG *cswift_dsa_sign(const unsigned char *dgst, int dlen, DSA *dsa);
+static int cswift_dsa_verify(const unsigned char *dgst, int dgst_len,
+                                DSA_SIG *sig, DSA *dsa);
+
+/* DH stuff */
+/* This function is alised to mod_exp (with the DH and mont dropped). */
+static int cswift_mod_exp_dh(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
+
+/* Our internal RSA_METHOD that we provide pointers to */
+static RSA_METHOD cswift_rsa =
+        {
+        "CryptoSwift RSA method",
+        NULL,
+        NULL,
+        NULL,
+        NULL,
+        cswift_rsa_mod_exp,
+        cswift_mod_exp_mont,
+        NULL,
+        NULL,
+        0,
+        NULL,
+        NULL,
+        NULL
+        };
+
+/* Our internal DSA_METHOD that we provide pointers to */
+static DSA_METHOD cswift_dsa =
+        {
+        "CryptoSwift DSA method",
+        cswift_dsa_sign,
+        NULL, /* dsa_sign_setup */
+        cswift_dsa_verify,
+        NULL, /* dsa_mod_exp */
+        NULL, /* bn_mod_exp */
+        NULL, /* init */
+        NULL, /* finish */
+        0, /* flags */
+        NULL /* app_data */
+        };
+
+/* Our internal DH_METHOD that we provide pointers to */
+static DH_METHOD cswift_dh =
+        {
+        "CryptoSwift DH method",
+        NULL,
+        NULL,
+        cswift_mod_exp_dh,
+        NULL,
+        NULL,
+        0,
+        NULL
+        };
+
+/* Our ENGINE structure. */
+static ENGINE engine_cswift =
+        {
+        "cswift",
+        "CryptoSwift hardware engine support",
+        &cswift_rsa,
+        &cswift_dsa,
+        &cswift_dh,
+        NULL,
+        cswift_mod_exp,
+        cswift_mod_exp_crt,
+        cswift_init,
+        cswift_finish,
+        NULL, /* no ctrl() */
+        NULL, /* no load_privkey() */
+        NULL, /* no load_pubkey() */
+        0, /* no flags */
+        0, 0, /* no references */
+        NULL, NULL /* unlinked */
+        };
+
+/* As this is only ever called once, there's no need for locking
+ * (indeed - the lock will already be held by our caller!!!) */
+ENGINE *ENGINE_cswift()
+        {
+        RSA_METHOD *meth1;
+        DH_METHOD *meth2;
+
+        /* We know that the "PKCS1_SSLeay()" functions hook properly
+         * to the cswift-specific mod_exp and mod_exp_crt so we use
+         * those functions. NB: We don't use ENGINE_openssl() or
+         * anything "more generic" because something like the RSAref
+         * code may not hook properly, and if you own one of these
+         * cards then you have the right to do RSA operations on it
+         * anyway! */ 
+        meth1 = RSA_PKCS1_SSLeay();
+        cswift_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
+        cswift_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
+        cswift_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
+        cswift_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
+
+        /* Much the same for Diffie-Hellman */
+        meth2 = DH_OpenSSL();
+        cswift_dh.generate_key = meth2->generate_key;
+        cswift_dh.compute_key = meth2->compute_key;
+        return &engine_cswift;
+        }
+
+/* This is a process-global DSO handle used for loading and unloading
+ * the CryptoSwift library. NB: This is only set (or unset) during an
+ * init() or finish() call (reference counts permitting) and they're
+ * operating with global locks, so this should be thread-safe
+ * implicitly. */
+static DSO *cswift_dso = NULL;
+
+/* These are the function pointers that are (un)set when the library has
+ * successfully (un)loaded. */
+t_swAcquireAccContext *p_CSwift_AcquireAccContext = NULL;
+t_swAttachKeyParam *p_CSwift_AttachKeyParam = NULL;
+t_swSimpleRequest *p_CSwift_SimpleRequest = NULL;
+t_swReleaseAccContext *p_CSwift_ReleaseAccContext = NULL;
+
+/* Used in the DSO operations. */
+static const char *CSWIFT_LIBNAME = "swift";
+static const char *CSWIFT_F1 = "swAcquireAccContext";
+static const char *CSWIFT_F2 = "swAttachKeyParam";
+static const char *CSWIFT_F3 = "swSimpleRequest";
+static const char *CSWIFT_F4 = "swReleaseAccContext";
+
+
+/* CryptoSwift library functions and mechanics - these are used by the
+ * higher-level functions further down. NB: As and where there's no
+ * error checking, take a look lower down where these functions are
+ * called, the checking and error handling is probably down there. */
+
+/* utility function to obtain a context */
+static int get_context(SW_CONTEXT_HANDLE *hac)
+        {
+        SW_STATUS status;
+ 
+        status = p_CSwift_AcquireAccContext(hac);
+        if(status != SW_OK)
+                return 0;
+        return 1;
+        }
+ 
+/* similarly to release one. */
+static void release_context(SW_CONTEXT_HANDLE hac)
+        {
+        p_CSwift_ReleaseAccContext(hac);
+        }
+
+/* (de)initialisation functions. */
+static int cswift_init()
+        {
+        SW_CONTEXT_HANDLE hac;
+        t_swAcquireAccContext *p1;
+        t_swAttachKeyParam *p2;
+        t_swSimpleRequest *p3;
+        t_swReleaseAccContext *p4;
+
+        if(cswift_dso != NULL)
+                {
+                ENGINEerr(ENGINE_F_CSWIFT_INIT,ENGINE_R_ALREADY_LOADED);
+                goto err;
+                }
+        /* Attempt to load libswift.so/swift.dll/whatever. */
+        cswift_dso = DSO_load(NULL, CSWIFT_LIBNAME, NULL,
+                DSO_FLAG_NAME_TRANSLATION);
+        if(cswift_dso == NULL)
+                {
+                ENGINEerr(ENGINE_F_CSWIFT_INIT,ENGINE_R_DSO_FAILURE);
+                goto err;
+                }
+        if(!(p1 = (t_swAcquireAccContext *)
+                                DSO_bind_func(cswift_dso, CSWIFT_F1)) ||
+                        !(p2 = (t_swAttachKeyParam *)
+                                DSO_bind_func(cswift_dso, CSWIFT_F2)) ||
+                        !(p3 = (t_swSimpleRequest *)
+                                DSO_bind_func(cswift_dso, CSWIFT_F3)) ||
+                        !(p4 = (t_swReleaseAccContext *)
+                                DSO_bind_func(cswift_dso, CSWIFT_F4)))
+                {
+                ENGINEerr(ENGINE_F_CSWIFT_INIT,ENGINE_R_DSO_FAILURE);
+                goto err;
+                }
+        /* Copy the pointers */
+        p_CSwift_AcquireAccContext = p1;
+        p_CSwift_AttachKeyParam = p2;
+        p_CSwift_SimpleRequest = p3;
+        p_CSwift_ReleaseAccContext = p4;
+        /* Try and get a context - if not, we may have a DSO but no
+         * accelerator! */
+        if(!get_context(&hac))
+                {
+                ENGINEerr(ENGINE_F_CSWIFT_INIT,ENGINE_R_UNIT_FAILURE);
+                goto err;
+                }
+        release_context(hac);
+        /* Everything's fine. */
+        return 1;
+err:
+        if(cswift_dso)
+                DSO_free(cswift_dso);
+        p_CSwift_AcquireAccContext = NULL;
+        p_CSwift_AttachKeyParam = NULL;
+        p_CSwift_SimpleRequest = NULL;
+        p_CSwift_ReleaseAccContext = NULL;
+        return 0;
+        }
+
+static int cswift_finish()
+        {
+        if(cswift_dso == NULL)
+                {
+                ENGINEerr(ENGINE_F_CSWIFT_FINISH,ENGINE_R_NOT_LOADED);
+                return 0;
+                }
+        if(!DSO_free(cswift_dso))
+                {
+                ENGINEerr(ENGINE_F_CSWIFT_FINISH,ENGINE_R_DSO_FAILURE);
+                return 0;
+                }
+        cswift_dso = NULL;
+        p_CSwift_AcquireAccContext = NULL;
+        p_CSwift_AttachKeyParam = NULL;
+        p_CSwift_SimpleRequest = NULL;
+        p_CSwift_ReleaseAccContext = NULL;
+        return 1;
+        }
+
+/* Un petit mod_exp */
+static int cswift_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                        const BIGNUM *m, BN_CTX *ctx)
+        {
+        /* I need somewhere to store temporary serialised values for
+         * use with the CryptoSwift API calls. A neat cheat - I'll use
+         * BIGNUMs from the BN_CTX but access their arrays directly as
+         * byte arrays <grin>. This way I don't have to clean anything
+         * up. */
+        BIGNUM *modulus;
+        BIGNUM *exponent;
+        BIGNUM *argument;
+        BIGNUM *result;
+        SW_STATUS sw_status;
+        SW_LARGENUMBER arg, res;
+        SW_PARAM sw_param;
+        SW_CONTEXT_HANDLE hac;
+        int to_return, acquired;
+ 
+        modulus = exponent = argument = result = NULL;
+        to_return = 0; /* expect failure */
+        acquired = 0;
+ 
+        if(!get_context(&hac))
+                {
+                ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP,ENGINE_R_GET_HANDLE_FAILED);
+                goto err;
+                }
+        acquired = 1;
+        /* Prepare the params */
+        modulus = BN_CTX_get(ctx);
+        exponent = BN_CTX_get(ctx);
+        argument = BN_CTX_get(ctx);
+        result = BN_CTX_get(ctx);
+        if(!modulus || !exponent || !argument || !result)
+                {
+                ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP,ENGINE_R_BN_CTX_FULL);
+                goto err;
+                }
+        if(!bn_wexpand(modulus, m->top) || !bn_wexpand(exponent, p->top) ||
+                !bn_wexpand(argument, a->top) || !bn_wexpand(result, m->top))
+                {
+                ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP,ENGINE_R_BN_EXPAND_FAIL);
+                goto err;
+                }
+        sw_param.type = SW_ALG_EXP;
+        sw_param.up.exp.modulus.nbytes = BN_bn2bin(m,
+                (unsigned char *)modulus->d);
+        sw_param.up.exp.modulus.value = (unsigned char *)modulus->d;
+        sw_param.up.exp.exponent.nbytes = BN_bn2bin(p,
+                (unsigned char *)exponent->d);
+        sw_param.up.exp.exponent.value = (unsigned char *)exponent->d;
+        /* Attach the key params */
+        sw_status = p_CSwift_AttachKeyParam(hac, &sw_param);
+        switch(sw_status)
+                {
+        case SW_OK:
+                break;
+        case SW_ERR_INPUT_SIZE:
+                ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP,
+                        ENGINE_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+                goto err;
+        default:
+                {
+                char tmpbuf[20];
+                ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP,ENGINE_R_REQUEST_FAILED);
+                sprintf(tmpbuf, "%ld", sw_status);
+                ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
+                }
+                goto err;
+                }
+        /* Prepare the argument and response */
+        arg.nbytes = BN_bn2bin(a, (unsigned char *)argument->d);
+        arg.value = (unsigned char *)argument->d;
+        res.nbytes = BN_num_bytes(m);
+        memset(result->d, 0, res.nbytes);
+        res.value = (unsigned char *)result->d;
+        /* Perform the operation */
+        if((sw_status = p_CSwift_SimpleRequest(hac, SW_CMD_MODEXP, &arg, 1,
+                &res, 1)) != SW_OK)
+                {
+                char tmpbuf[20];
+                ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP,ENGINE_R_REQUEST_FAILED);
+                sprintf(tmpbuf, "%ld", sw_status);
+                ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
+                goto err;
+                }
+        /* Convert the response */
+        BN_bin2bn((unsigned char *)result->d, res.nbytes, r);
+        to_return = 1;
+err:
+        if(acquired)
+                release_context(hac);
+        if(modulus) ctx->tos--;
+        if(exponent) ctx->tos--;
+        if(argument) ctx->tos--;
+        if(result) ctx->tos--;
+        return to_return;
+        }
+
+/* Un petit mod_exp chinois */
+static int cswift_mod_exp_crt(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                        const BIGNUM *q, const BIGNUM *dmp1,
+                        const BIGNUM *dmq1, const BIGNUM *iqmp, BN_CTX *ctx)
+        {
+        SW_STATUS sw_status;
+        SW_LARGENUMBER arg, res;
+        SW_PARAM sw_param;
+        SW_CONTEXT_HANDLE hac;
+        BIGNUM *rsa_p = NULL;
+        BIGNUM *rsa_q = NULL;
+        BIGNUM *rsa_dmp1 = NULL;
+        BIGNUM *rsa_dmq1 = NULL;
+        BIGNUM *rsa_iqmp = NULL;
+        BIGNUM *argument = NULL;
+        BIGNUM *result = NULL;
+        int to_return = 0; /* expect failure */
+        int acquired = 0;
+ 
+        if(!get_context(&hac))
+                {
+                ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP_CRT,ENGINE_R_GET_HANDLE_FAILED);
+                goto err;
+                }
+        acquired = 1;
+        /* Prepare the params */
+        rsa_p = BN_CTX_get(ctx);
+        rsa_q = BN_CTX_get(ctx);
+        rsa_dmp1 = BN_CTX_get(ctx);
+        rsa_dmq1 = BN_CTX_get(ctx);
+        rsa_iqmp = BN_CTX_get(ctx);
+        argument = BN_CTX_get(ctx);
+        result = BN_CTX_get(ctx);
+        if(!rsa_p || !rsa_q || !rsa_dmp1 || !rsa_dmq1 || !rsa_iqmp ||
+                        !argument || !result)
+                {
+                ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP_CRT,ENGINE_R_BN_CTX_FULL);
+                goto err;
+                }
+        if(!bn_wexpand(rsa_p, p->top) || !bn_wexpand(rsa_q, q->top) ||
+                        !bn_wexpand(rsa_dmp1, dmp1->top) ||
+                        !bn_wexpand(rsa_dmq1, dmq1->top) ||
+                        !bn_wexpand(rsa_iqmp, iqmp->top) ||
+                        !bn_wexpand(argument, a->top) ||
+                        !bn_wexpand(result, p->top + q->top))
+                {
+                ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP_CRT,ENGINE_R_BN_EXPAND_FAIL);
+                goto err;
+                }
+        sw_param.type = SW_ALG_CRT;
+        sw_param.up.crt.p.nbytes = BN_bn2bin(p, (unsigned char *)rsa_p->d);
+        sw_param.up.crt.p.value = (unsigned char *)rsa_p->d;
+        sw_param.up.crt.q.nbytes = BN_bn2bin(q, (unsigned char *)rsa_q->d);
+        sw_param.up.crt.q.value = (unsigned char *)rsa_q->d;
+        sw_param.up.crt.dmp1.nbytes = BN_bn2bin(dmp1,
+                (unsigned char *)rsa_dmp1->d);
+        sw_param.up.crt.dmp1.value = (unsigned char *)rsa_dmp1->d;
+        sw_param.up.crt.dmq1.nbytes = BN_bn2bin(dmq1,
+                (unsigned char *)rsa_dmq1->d);
+        sw_param.up.crt.dmq1.value = (unsigned char *)rsa_dmq1->d;
+        sw_param.up.crt.iqmp.nbytes = BN_bn2bin(iqmp,
+                (unsigned char *)rsa_iqmp->d);
+        sw_param.up.crt.iqmp.value = (unsigned char *)rsa_iqmp->d;
+        /* Attach the key params */
+        sw_status = p_CSwift_AttachKeyParam(hac, &sw_param);
+        switch(sw_status)
+                {
+        case SW_OK:
+                break;
+        case SW_ERR_INPUT_SIZE:
+                ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP_CRT,
+                        ENGINE_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+                goto err;
+        default:
+                {
+                char tmpbuf[20];
+                ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP_CRT,ENGINE_R_REQUEST_FAILED);
+                sprintf(tmpbuf, "%ld", sw_status);
+                ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
+                }
+                goto err;
+                }
+        /* Prepare the argument and response */
+        arg.nbytes = BN_bn2bin(a, (unsigned char *)argument->d);
+        arg.value = (unsigned char *)argument->d;
+        res.nbytes = 2 * BN_num_bytes(p);
+        memset(result->d, 0, res.nbytes);
+        res.value = (unsigned char *)result->d;
+        /* Perform the operation */
+        if((sw_status = p_CSwift_SimpleRequest(hac, SW_CMD_MODEXP_CRT, &arg, 1,
+                &res, 1)) != SW_OK)
+                {
+                char tmpbuf[20];
+                ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP_CRT,ENGINE_R_REQUEST_FAILED);
+                sprintf(tmpbuf, "%ld", sw_status);
+                ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
+                goto err;
+                }
+        /* Convert the response */
+        BN_bin2bn((unsigned char *)result->d, res.nbytes, r);
+        to_return = 1;
+err:
+        if(acquired)
+                release_context(hac);
+        if(rsa_p) ctx->tos--;
+        if(rsa_q) ctx->tos--;
+        if(rsa_dmp1) ctx->tos--;
+        if(rsa_dmq1) ctx->tos--;
+        if(rsa_iqmp) ctx->tos--;
+        if(argument) ctx->tos--;
+        if(result) ctx->tos--;
+        return to_return;
+        }
+ 
+static int cswift_rsa_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
+        {
+        BN_CTX *ctx;
+        int to_return = 0;
+
+        if((ctx = BN_CTX_new()) == NULL)
+                goto err;
+        if(!rsa->p || !rsa->q || !rsa->dmp1 || !rsa->dmq1 || !rsa->iqmp)
+                {
+                ENGINEerr(ENGINE_F_CSWIFT_RSA_MOD_EXP,ENGINE_R_MISSING_KEY_COMPONENTS);
+                goto err;
+                }
+        to_return = cswift_mod_exp_crt(r0, I, rsa->p, rsa->q, rsa->dmp1,
+                rsa->dmq1, rsa->iqmp, ctx);
+err:
+        if(ctx)
+                BN_CTX_free(ctx);
+        return to_return;
+        }
+
+/* This function is aliased to mod_exp (with the mont stuff dropped). */
+static int cswift_mod_exp_mont(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+        {
+        return cswift_mod_exp(r, a, p, m, ctx);
+        }
+
+static DSA_SIG *cswift_dsa_sign(const unsigned char *dgst, int dlen, DSA *dsa)
+        {
+        SW_CONTEXT_HANDLE hac;
+        SW_PARAM sw_param;
+        SW_STATUS sw_status;
+        SW_LARGENUMBER arg, res;
+        unsigned char *ptr;
+        BN_CTX *ctx;
+        BIGNUM *dsa_p = NULL;
+        BIGNUM *dsa_q = NULL;
+        BIGNUM *dsa_g = NULL;
+        BIGNUM *dsa_key = NULL;
+        BIGNUM *result = NULL;
+        DSA_SIG *to_return = NULL;
+        int acquired = 0;
+
+        if((ctx = BN_CTX_new()) == NULL)
+                goto err;
+        if(!get_context(&hac))
+                {
+                ENGINEerr(ENGINE_F_CSWIFT_DSA_SIGN,ENGINE_R_GET_HANDLE_FAILED);
+                goto err;
+                }
+        acquired = 1;
+        /* Prepare the params */
+        dsa_p = BN_CTX_get(ctx);
+        dsa_q = BN_CTX_get(ctx);
+        dsa_g = BN_CTX_get(ctx);
+        dsa_key = BN_CTX_get(ctx);
+        result = BN_CTX_get(ctx);
+        if(!dsa_p || !dsa_q || !dsa_g || !dsa_key || !result)
+                {
+                ENGINEerr(ENGINE_F_CSWIFT_DSA_SIGN,ENGINE_R_BN_CTX_FULL);
+                goto err;
+                }
+        if(!bn_wexpand(dsa_p, dsa->p->top) ||
+                        !bn_wexpand(dsa_q, dsa->q->top) ||
+                        !bn_wexpand(dsa_g, dsa->g->top) ||
+                        !bn_wexpand(dsa_key, dsa->priv_key->top) ||
+                        !bn_wexpand(result, dsa->p->top))
+                {
+                ENGINEerr(ENGINE_F_CSWIFT_DSA_SIGN,ENGINE_R_BN_EXPAND_FAIL);
+                goto err;
+                }
+        sw_param.type = SW_ALG_DSA;
+        sw_param.up.dsa.p.nbytes = BN_bn2bin(dsa->p,
+                                (unsigned char *)dsa_p->d);
+        sw_param.up.dsa.p.value = (unsigned char *)dsa_p->d;
+        sw_param.up.dsa.q.nbytes = BN_bn2bin(dsa->q,
+                                (unsigned char *)dsa_q->d);
+        sw_param.up.dsa.q.value = (unsigned char *)dsa_q->d;
+        sw_param.up.dsa.g.nbytes = BN_bn2bin(dsa->g,
+                                (unsigned char *)dsa_g->d);
+        sw_param.up.dsa.g.value = (unsigned char *)dsa_g->d;
+        sw_param.up.dsa.key.nbytes = BN_bn2bin(dsa->priv_key,
+                                (unsigned char *)dsa_key->d);
+        sw_param.up.dsa.key.value = (unsigned char *)dsa_key->d;
+        /* Attach the key params */
+        sw_status = p_CSwift_AttachKeyParam(hac, &sw_param);
+        switch(sw_status)
+                {
+        case SW_OK:
+                break;
+        case SW_ERR_INPUT_SIZE:
+                ENGINEerr(ENGINE_F_CSWIFT_DSA_SIGN,
+                        ENGINE_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+                goto err;
+        default:
+                {
+                char tmpbuf[20];
+                ENGINEerr(ENGINE_F_CSWIFT_DSA_SIGN,ENGINE_R_REQUEST_FAILED);
+                sprintf(tmpbuf, "%ld", sw_status);
+                ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
+                }
+                goto err;
+                }
+        /* Prepare the argument and response */
+        arg.nbytes = dlen;
+        arg.value = (unsigned char *)dgst;
+        res.nbytes = BN_num_bytes(dsa->p);
+        memset(result->d, 0, res.nbytes);
+        res.value = (unsigned char *)result->d;
+        /* Perform the operation */
+        sw_status = p_CSwift_SimpleRequest(hac, SW_CMD_DSS_SIGN, &arg, 1,
+                &res, 1);
+        if(sw_status != SW_OK)
+                {
+                char tmpbuf[20];
+                ENGINEerr(ENGINE_F_CSWIFT_DSA_SIGN,ENGINE_R_REQUEST_FAILED);
+                sprintf(tmpbuf, "%ld", sw_status);
+                ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
+                goto err;
+                }
+        /* Convert the response */
+        ptr = (unsigned char *)result->d;
+        if((to_return = DSA_SIG_new()) == NULL)
+                goto err;
+        to_return->r = BN_bin2bn((unsigned char *)result->d, 20, NULL);
+        to_return->s = BN_bin2bn((unsigned char *)result->d + 20, 20, NULL);
+
+err:
+        if(acquired)
+                release_context(hac);
+        if(dsa_p) ctx->tos--;
+        if(dsa_q) ctx->tos--;
+        if(dsa_g) ctx->tos--;
+        if(dsa_key) ctx->tos--;
+        if(result) ctx->tos--;
+        if(ctx)
+                BN_CTX_free(ctx);
+        return to_return;
+        }
+
+static int cswift_dsa_verify(const unsigned char *dgst, int dgst_len,
+                                DSA_SIG *sig, DSA *dsa)
+        {
+        SW_CONTEXT_HANDLE hac;
+        SW_PARAM sw_param;
+        SW_STATUS sw_status;
+        SW_LARGENUMBER arg[2], res;
+        unsigned long sig_result;
+        BN_CTX *ctx;
+        BIGNUM *dsa_p = NULL;
+        BIGNUM *dsa_q = NULL;
+        BIGNUM *dsa_g = NULL;
+        BIGNUM *dsa_key = NULL;
+        BIGNUM *argument = NULL;
+        int to_return = -1;
+        int acquired = 0;
+
+        if((ctx = BN_CTX_new()) == NULL)
+                goto err;
+        if(!get_context(&hac))
+                {
+                ENGINEerr(ENGINE_F_CSWIFT_DSA_VERIFY,ENGINE_R_GET_HANDLE_FAILED);
+                goto err;
+                }
+        acquired = 1;
+        /* Prepare the params */
+        dsa_p = BN_CTX_get(ctx);
+        dsa_q = BN_CTX_get(ctx);
+        dsa_g = BN_CTX_get(ctx);
+        dsa_key = BN_CTX_get(ctx);
+        argument = BN_CTX_get(ctx);
+        if(!dsa_p || !dsa_q || !dsa_g || !dsa_key || !argument)
+                {
+                ENGINEerr(ENGINE_F_CSWIFT_DSA_VERIFY,ENGINE_R_BN_CTX_FULL);
+                goto err;
+                }
+        if(!bn_wexpand(dsa_p, dsa->p->top) ||
+                        !bn_wexpand(dsa_q, dsa->q->top) ||
+                        !bn_wexpand(dsa_g, dsa->g->top) ||
+                        !bn_wexpand(dsa_key, dsa->pub_key->top) ||
+                        !bn_wexpand(argument, 40))
+                {
+                ENGINEerr(ENGINE_F_CSWIFT_DSA_VERIFY,ENGINE_R_BN_EXPAND_FAIL);
+                goto err;
+                }
+        sw_param.type = SW_ALG_DSA;
+        sw_param.up.dsa.p.nbytes = BN_bn2bin(dsa->p,
+                                (unsigned char *)dsa_p->d);
+        sw_param.up.dsa.p.value = (unsigned char *)dsa_p->d;
+        sw_param.up.dsa.q.nbytes = BN_bn2bin(dsa->q,
+                                (unsigned char *)dsa_q->d);
+        sw_param.up.dsa.q.value = (unsigned char *)dsa_q->d;
+        sw_param.up.dsa.g.nbytes = BN_bn2bin(dsa->g,
+                                (unsigned char *)dsa_g->d);
+        sw_param.up.dsa.g.value = (unsigned char *)dsa_g->d;
+        sw_param.up.dsa.key.nbytes = BN_bn2bin(dsa->pub_key,
+                                (unsigned char *)dsa_key->d);
+        sw_param.up.dsa.key.value = (unsigned char *)dsa_key->d;
+        /* Attach the key params */
+        sw_status = p_CSwift_AttachKeyParam(hac, &sw_param);
+        switch(sw_status)
+                {
+        case SW_OK:
+                break;
+        case SW_ERR_INPUT_SIZE:
+                ENGINEerr(ENGINE_F_CSWIFT_DSA_VERIFY,
+                        ENGINE_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+                goto err;
+        default:
+                {
+                char tmpbuf[20];
+                ENGINEerr(ENGINE_F_CSWIFT_DSA_VERIFY,ENGINE_R_REQUEST_FAILED);
+                sprintf(tmpbuf, "%ld", sw_status);
+                ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
+                }
+                goto err;
+                }
+        /* Prepare the argument and response */
+        arg[0].nbytes = dgst_len;
+        arg[0].value = (unsigned char *)dgst;
+        arg[1].nbytes = 40;
+        arg[1].value = (unsigned char *)argument->d;
+        memset(arg[1].value, 0, 40);
+        BN_bn2bin(sig->r, arg[1].value + 20 - BN_num_bytes(sig->r));
+        BN_bn2bin(sig->s, arg[1].value + 40 - BN_num_bytes(sig->s));
+        res.nbytes = 4; /* unsigned long */
+        res.value = (unsigned char *)(&sig_result);
+        /* Perform the operation */
+        sw_status = p_CSwift_SimpleRequest(hac, SW_CMD_DSS_VERIFY, arg, 2,
+                &res, 1);
+        if(sw_status != SW_OK)
+                {
+                char tmpbuf[20];
+                ENGINEerr(ENGINE_F_CSWIFT_DSA_VERIFY,ENGINE_R_REQUEST_FAILED);
+                sprintf(tmpbuf, "%ld", sw_status);
+                ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
+                goto err;
+                }
+        /* Convert the response */
+        to_return = ((sig_result == 0) ? 0 : 1);
+
+err:
+        if(acquired)
+                release_context(hac);
+        if(dsa_p) ctx->tos--;
+        if(dsa_q) ctx->tos--;
+        if(dsa_g) ctx->tos--;
+        if(dsa_key) ctx->tos--;
+        if(argument) ctx->tos--;
+        if(ctx)
+                BN_CTX_free(ctx);
+        return to_return;
+        }
+
+/* This function is aliased to mod_exp (with the dh and mont dropped). */
+static int cswift_mod_exp_dh(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+        {
+        return cswift_mod_exp(r, a, p, m, ctx);
+        }
+
+#endif /* !NO_HW_CSWIFT */
+#endif /* !NO_HW */
diff --git a/src/lib/libssl/src/crypto/engine/hw_cswift_err.c b/src/lib/libssl/src/crypto/engine/hw_cswift_err.c
new file mode 100644
index 0000000000..684f53bf27
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/hw_cswift_err.c
@@ -0,0 +1,149 @@
+/* hw_cswift_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "hw_cswift_err.h"
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA CSWIFT_str_functs[]=
+        {
+{ERR_PACK(0,CSWIFT_F_CSWIFT_CTRL,0),    "CSWIFT_CTRL"},
+{ERR_PACK(0,CSWIFT_F_CSWIFT_DSA_SIGN,0),        "CSWIFT_DSA_SIGN"},
+{ERR_PACK(0,CSWIFT_F_CSWIFT_DSA_VERIFY,0),      "CSWIFT_DSA_VERIFY"},
+{ERR_PACK(0,CSWIFT_F_CSWIFT_FINISH,0),  "CSWIFT_FINISH"},
+{ERR_PACK(0,CSWIFT_F_CSWIFT_INIT,0),    "CSWIFT_INIT"},
+{ERR_PACK(0,CSWIFT_F_CSWIFT_MOD_EXP,0), "CSWIFT_MOD_EXP"},
+{ERR_PACK(0,CSWIFT_F_CSWIFT_MOD_EXP_CRT,0),     "CSWIFT_MOD_EXP_CRT"},
+{ERR_PACK(0,CSWIFT_F_CSWIFT_RSA_MOD_EXP,0),     "CSWIFT_RSA_MOD_EXP"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA CSWIFT_str_reasons[]=
+        {
+{CSWIFT_R_ALREADY_LOADED                 ,"already loaded"},
+{CSWIFT_R_BAD_KEY_SIZE                   ,"bad key size"},
+{CSWIFT_R_BN_CTX_FULL                    ,"bn ctx full"},
+{CSWIFT_R_BN_EXPAND_FAIL                 ,"bn expand fail"},
+{CSWIFT_R_CTRL_COMMAND_NOT_IMPLEMENTED   ,"ctrl command not implemented"},
+{CSWIFT_R_MISSING_KEY_COMPONENTS         ,"missing key components"},
+{CSWIFT_R_NOT_LOADED                     ,"not loaded"},
+{CSWIFT_R_REQUEST_FAILED                 ,"request failed"},
+{CSWIFT_R_UNIT_FAILURE                   ,"unit failure"},
+{0,NULL}
+        };
+
+#endif
+
+#ifdef CSWIFT_LIB_NAME
+static ERR_STRING_DATA CSWIFT_lib_name[]=
+        {
+{0      ,CSWIFT_LIB_NAME},
+{0,NULL}
+        };
+#endif
+
+
+static int CSWIFT_lib_error_code=0;
+static int CSWIFT_error_init=1;
+
+static void ERR_load_CSWIFT_strings(void)
+        {
+        if (CSWIFT_lib_error_code == 0)
+                CSWIFT_lib_error_code=ERR_get_next_error_library();
+
+        if (CSWIFT_error_init)
+                {
+                CSWIFT_error_init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(CSWIFT_lib_error_code,CSWIFT_str_functs);
+                ERR_load_strings(CSWIFT_lib_error_code,CSWIFT_str_reasons);
+#endif
+
+#ifdef CSWIFT_LIB_NAME
+                CSWIFT_lib_name->error = ERR_PACK(CSWIFT_lib_error_code,0,0);
+                ERR_load_strings(0,CSWIFT_lib_name);
+#endif
+                }
+        }
+
+static void ERR_unload_CSWIFT_strings(void)
+        {
+        if (CSWIFT_error_init == 0)
+                {
+#ifndef OPENSSL_NO_ERR
+                ERR_unload_strings(CSWIFT_lib_error_code,CSWIFT_str_functs);
+                ERR_unload_strings(CSWIFT_lib_error_code,CSWIFT_str_reasons);
+#endif
+
+#ifdef CSWIFT_LIB_NAME
+                ERR_unload_strings(0,CSWIFT_lib_name);
+#endif
+                CSWIFT_error_init=1;
+                }
+        }
+
+static void ERR_CSWIFT_error(int function, int reason, char *file, int line)
+        {
+        if (CSWIFT_lib_error_code == 0)
+                CSWIFT_lib_error_code=ERR_get_next_error_library();
+        ERR_PUT_error(CSWIFT_lib_error_code,function,reason,file,line);
+        }
diff --git a/src/lib/libssl/src/crypto/engine/hw_cswift_err.h b/src/lib/libssl/src/crypto/engine/hw_cswift_err.h
new file mode 100644
index 0000000000..7120c3216f
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/hw_cswift_err.h
@@ -0,0 +1,93 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_CSWIFT_ERR_H
+#define HEADER_CSWIFT_ERR_H
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+static void ERR_load_CSWIFT_strings(void);
+static void ERR_unload_CSWIFT_strings(void);
+static void ERR_CSWIFT_error(int function, int reason, char *file, int line);
+#define CSWIFTerr(f,r) ERR_CSWIFT_error((f),(r),__FILE__,__LINE__)
+
+/* Error codes for the CSWIFT functions. */
+
+/* Function codes. */
+#define CSWIFT_F_CSWIFT_CTRL                             100
+#define CSWIFT_F_CSWIFT_DSA_SIGN                         101
+#define CSWIFT_F_CSWIFT_DSA_VERIFY                       102
+#define CSWIFT_F_CSWIFT_FINISH                           103
+#define CSWIFT_F_CSWIFT_INIT                             104
+#define CSWIFT_F_CSWIFT_MOD_EXP                          105
+#define CSWIFT_F_CSWIFT_MOD_EXP_CRT                      106
+#define CSWIFT_F_CSWIFT_RSA_MOD_EXP                      107
+
+/* Reason codes. */
+#define CSWIFT_R_ALREADY_LOADED                          100
+#define CSWIFT_R_BAD_KEY_SIZE                            101
+#define CSWIFT_R_BN_CTX_FULL                             102
+#define CSWIFT_R_BN_EXPAND_FAIL                          103
+#define CSWIFT_R_CTRL_COMMAND_NOT_IMPLEMENTED            104
+#define CSWIFT_R_MISSING_KEY_COMPONENTS                  105
+#define CSWIFT_R_NOT_LOADED                              106
+#define CSWIFT_R_REQUEST_FAILED                          107
+#define CSWIFT_R_UNIT_FAILURE                            108
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libssl/src/crypto/engine/hw_ncipher.c b/src/lib/libssl/src/crypto/engine/hw_ncipher.c
new file mode 100644
index 0000000000..41f5900676
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/hw_ncipher.c
@@ -0,0 +1,1019 @@
+/* crypto/engine/hw_ncipher.c -*- mode: C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org), Geoff Thorpe
+ * (geoff@geoffthorpe.net) and Dr Stephen N Henson (shenson@bigfoot.com)
+ * for the OpenSSL project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include <openssl/pem.h>
+#include "cryptlib.h"
+#include <openssl/dso.h>
+#include "engine_int.h"
+#include <openssl/engine.h>
+
+#ifndef NO_HW
+#ifndef NO_HW_NCIPHER
+
+/* Attribution notice: nCipher have said several times that it's OK for
+ * us to implement a general interface to their boxes, and recently declared
+ * their HWCryptoHook to be public, and therefore available for us to use.
+ * Thanks, nCipher.
+ *
+ * The hwcryptohook.h included here is from May 2000.
+ * [Richard Levitte]
+ */
+#ifdef FLAT_INC
+#include "hwcryptohook.h"
+#else
+#include "vendor_defns/hwcryptohook.h"
+#endif
+
+static int hwcrhk_init(void);
+static int hwcrhk_finish(void);
+static int hwcrhk_ctrl(int cmd, long i, void *p, void (*f)()); 
+
+/* Functions to handle mutexes */
+static int hwcrhk_mutex_init(HWCryptoHook_Mutex*, HWCryptoHook_CallerContext*);
+static int hwcrhk_mutex_lock(HWCryptoHook_Mutex*);
+static void hwcrhk_mutex_unlock(HWCryptoHook_Mutex*);
+static void hwcrhk_mutex_destroy(HWCryptoHook_Mutex*);
+
+/* BIGNUM stuff */
+static int hwcrhk_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *m, BN_CTX *ctx);
+
+/* RSA stuff */
+static int hwcrhk_rsa_mod_exp(BIGNUM *r, BIGNUM *I, RSA *rsa);
+/* This function is aliased to mod_exp (with the mont stuff dropped). */
+static int hwcrhk_mod_exp_mont(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
+/* DH stuff */
+/* This function is alised to mod_exp (with the DH and mont dropped). */
+static int hwcrhk_mod_exp_dh(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
+/* RAND stuff */
+static int hwcrhk_rand_bytes(unsigned char *buf, int num);
+static int hwcrhk_rand_status(void);
+
+/* KM stuff */
+static EVP_PKEY *hwcrhk_load_privkey(const char *key_id,
+        const char *passphrase);
+static EVP_PKEY *hwcrhk_load_pubkey(const char *key_id,
+        const char *passphrase);
+static void hwcrhk_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
+        int index,long argl, void *argp);
+
+/* Interaction stuff */
+static int hwcrhk_get_pass(const char *prompt_info,
+        int *len_io, char *buf,
+        HWCryptoHook_PassphraseContext *ppctx,
+        HWCryptoHook_CallerContext *cactx);
+static void hwcrhk_log_message(void *logstream, const char *message);
+
+/* Our internal RSA_METHOD that we provide pointers to */
+static RSA_METHOD hwcrhk_rsa =
+        {
+        "nCipher RSA method",
+        NULL,
+        NULL,
+        NULL,
+        NULL,
+        hwcrhk_rsa_mod_exp,
+        hwcrhk_mod_exp_mont,
+        NULL,
+        NULL,
+        0,
+        NULL,
+        NULL,
+        NULL
+        };
+
+/* Our internal DH_METHOD that we provide pointers to */
+static DH_METHOD hwcrhk_dh =
+        {
+        "nCipher DH method",
+        NULL,
+        NULL,
+        hwcrhk_mod_exp_dh,
+        NULL,
+        NULL,
+        0,
+        NULL
+        };
+
+static RAND_METHOD hwcrhk_rand =
+        {
+        /* "nCipher RAND method", */
+        NULL,
+        hwcrhk_rand_bytes,
+        NULL,
+        NULL,
+        hwcrhk_rand_bytes,
+        hwcrhk_rand_status,
+        };
+
+/* Our ENGINE structure. */
+static ENGINE engine_hwcrhk =
+        {
+        "chil",
+        "nCipher hardware engine support",
+        &hwcrhk_rsa,
+        NULL,
+        &hwcrhk_dh,
+        &hwcrhk_rand,
+        hwcrhk_mod_exp,
+        NULL,
+        hwcrhk_init,
+        hwcrhk_finish,
+        hwcrhk_ctrl,
+        hwcrhk_load_privkey,
+        hwcrhk_load_pubkey,
+        0, /* no flags */
+        0, 0, /* no references */
+        NULL, NULL /* unlinked */
+        };
+
+/* Internal stuff for HWCryptoHook */
+
+/* Some structures needed for proper use of thread locks */
+/* hwcryptohook.h has some typedefs that turn struct HWCryptoHook_MutexValue
+   into HWCryptoHook_Mutex */
+struct HWCryptoHook_MutexValue
+        {
+        int lockid;
+        };
+
+/* hwcryptohook.h has some typedefs that turn
+   struct HWCryptoHook_PassphraseContextValue
+   into HWCryptoHook_PassphraseContext */
+struct HWCryptoHook_PassphraseContextValue
+        {
+        void *any;
+        };
+
+/* hwcryptohook.h has some typedefs that turn
+   struct HWCryptoHook_CallerContextValue
+   into HWCryptoHook_CallerContext */
+struct HWCryptoHook_CallerContextValue
+        {
+        void *any;
+        };
+
+/* The MPI structure in HWCryptoHook is pretty compatible with OpenSSL
+   BIGNUM's, so lets define a couple of conversion macros */
+#define BN2MPI(mp, bn) \
+    {mp.size = bn->top * sizeof(BN_ULONG); mp.buf = (unsigned char *)bn->d;}
+#define MPI2BN(bn, mp) \
+    {mp.size = bn->dmax * sizeof(BN_ULONG); mp.buf = (unsigned char *)bn->d;}
+
+#if 0 /* Card and password management is not yet supported */
+/* HWCryptoHook callbacks.  insert_card() and get_pass() are not yet
+   defined, because we haven't quite decided on the proper form yet.
+   log_message() just adds an entry in the error stack.  I don't know
+   if that's good or bad...  */
+static int insert_card(const char *prompt_info,
+        const char *wrong_info,
+        HWCryptoHook_PassphraseContext *ppctx,
+        HWCryptoHook_CallerContext *cactx);
+static int get_pass(const char *prompt_info,
+        int *len_io, char *buf,
+        HWCryptoHook_PassphraseContext *ppctx,
+        HWCryptoHook_CallerContext *cactx);
+#endif
+
+static BIO *logstream = NULL;
+static pem_password_cb *password_callback = NULL;
+#if 0
+static void *password_callback_userdata = NULL;
+#endif
+static int disable_mutex_callbacks = 0;
+
+/* Stuff to pass to the HWCryptoHook library */
+static HWCryptoHook_InitInfo hwcrhk_globals = {
+        0,                      /* Flags */
+        &logstream,             /* logstream */
+        sizeof(BN_ULONG),       /* limbsize */
+        0,                      /* mslimb first: false for BNs */
+        -1,                     /* msbyte first: use native */
+        0,                      /* Max mutexes, 0 = no small limit */
+        0,                      /* Max simultaneous, 0 = default */
+
+        /* The next few are mutex stuff: we write wrapper functions
+           around the OS mutex functions.  We initialise them to 0
+           here, and change that to actual function pointers in hwcrhk_init()
+           if dynamic locks are supported (that is, if the application
+           programmer has made sure of setting up callbacks bafore starting
+           this engine) *and* if disable_mutex_callbacks hasn't been set by
+           a call to ENGINE_ctrl(ENGINE_CTRL_CHIL_NO_LOCKING). */
+        sizeof(HWCryptoHook_Mutex),
+        0,
+        0,
+        0,
+        0,
+
+        /* The next few are condvar stuff: we write wrapper functions
+           round the OS functions.  Currently not implemented and not
+           and absolute necessity even in threaded programs, therefore
+           0'ed.  Will hopefully be implemented some day, since it
+           enhances the efficiency of HWCryptoHook.  */
+        0, /* sizeof(HWCryptoHook_CondVar), */
+        0, /* hwcrhk_cv_init, */
+        0, /* hwcrhk_cv_wait, */
+        0, /* hwcrhk_cv_signal, */
+        0, /* hwcrhk_cv_broadcast, */
+        0, /* hwcrhk_cv_destroy, */
+
+        hwcrhk_get_pass,        /* pass phrase */
+        0, /* insert_card, */   /* insert a card */
+        hwcrhk_log_message      /* Log message */
+};
+
+
+/* Now, to our own code */
+
+/* As this is only ever called once, there's no need for locking
+ * (indeed - the lock will already be held by our caller!!!) */
+ENGINE *ENGINE_ncipher()
+        {
+        RSA_METHOD *meth1;
+        DH_METHOD *meth2;
+
+        /* We know that the "PKCS1_SSLeay()" functions hook properly
+         * to the cswift-specific mod_exp and mod_exp_crt so we use
+         * those functions. NB: We don't use ENGINE_openssl() or
+         * anything "more generic" because something like the RSAref
+         * code may not hook properly, and if you own one of these
+         * cards then you have the right to do RSA operations on it
+         * anyway! */ 
+        meth1 = RSA_PKCS1_SSLeay();
+        hwcrhk_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
+        hwcrhk_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
+        hwcrhk_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
+        hwcrhk_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
+
+        /* Much the same for Diffie-Hellman */
+        meth2 = DH_OpenSSL();
+        hwcrhk_dh.generate_key = meth2->generate_key;
+        hwcrhk_dh.compute_key = meth2->compute_key;
+        return &engine_hwcrhk;
+        }
+
+/* This is a process-global DSO handle used for loading and unloading
+ * the HWCryptoHook library. NB: This is only set (or unset) during an
+ * init() or finish() call (reference counts permitting) and they're
+ * operating with global locks, so this should be thread-safe
+ * implicitly. */
+static DSO *hwcrhk_dso = NULL;
+static HWCryptoHook_ContextHandle hwcrhk_context = 0;
+static int hndidx = -1; /* Index for KM handle.  Not really used yet. */
+
+/* These are the function pointers that are (un)set when the library has
+ * successfully (un)loaded. */
+static HWCryptoHook_Init_t *p_hwcrhk_Init = NULL;
+static HWCryptoHook_Finish_t *p_hwcrhk_Finish = NULL;
+static HWCryptoHook_ModExp_t *p_hwcrhk_ModExp = NULL;
+static HWCryptoHook_RSA_t *p_hwcrhk_RSA = NULL;
+static HWCryptoHook_RandomBytes_t *p_hwcrhk_RandomBytes = NULL;
+static HWCryptoHook_RSALoadKey_t *p_hwcrhk_RSALoadKey = NULL;
+static HWCryptoHook_RSAGetPublicKey_t *p_hwcrhk_RSAGetPublicKey = NULL;
+static HWCryptoHook_RSAUnloadKey_t *p_hwcrhk_RSAUnloadKey = NULL;
+static HWCryptoHook_ModExpCRT_t *p_hwcrhk_ModExpCRT = NULL;
+
+/* Used in the DSO operations. */
+static const char *HWCRHK_LIBNAME = "nfhwcrhk";
+static const char *n_hwcrhk_Init = "HWCryptoHook_Init";
+static const char *n_hwcrhk_Finish = "HWCryptoHook_Finish";
+static const char *n_hwcrhk_ModExp = "HWCryptoHook_ModExp";
+static const char *n_hwcrhk_RSA = "HWCryptoHook_RSA";
+static const char *n_hwcrhk_RandomBytes = "HWCryptoHook_RandomBytes";
+static const char *n_hwcrhk_RSALoadKey = "HWCryptoHook_RSALoadKey";
+static const char *n_hwcrhk_RSAGetPublicKey = "HWCryptoHook_RSAGetPublicKey";
+static const char *n_hwcrhk_RSAUnloadKey = "HWCryptoHook_RSAUnloadKey";
+static const char *n_hwcrhk_ModExpCRT = "HWCryptoHook_ModExpCRT";
+
+/* HWCryptoHook library functions and mechanics - these are used by the
+ * higher-level functions further down. NB: As and where there's no
+ * error checking, take a look lower down where these functions are
+ * called, the checking and error handling is probably down there. */
+
+/* utility function to obtain a context */
+static int get_context(HWCryptoHook_ContextHandle *hac)
+        {
+        char tempbuf[1024];
+        HWCryptoHook_ErrMsgBuf rmsg;
+
+        rmsg.buf = tempbuf;
+        rmsg.size = 1024;
+
+        *hac = p_hwcrhk_Init(&hwcrhk_globals, sizeof(hwcrhk_globals), &rmsg,
+                NULL);
+        if (!*hac)
+                return 0;
+        return 1;
+        }
+ 
+/* similarly to release one. */
+static void release_context(HWCryptoHook_ContextHandle hac)
+        {
+        p_hwcrhk_Finish(hac);
+        }
+
+/* (de)initialisation functions. */
+static int hwcrhk_init()
+        {
+        HWCryptoHook_Init_t *p1;
+        HWCryptoHook_Finish_t *p2;
+        HWCryptoHook_ModExp_t *p3;
+        HWCryptoHook_RSA_t *p4;
+        HWCryptoHook_RSALoadKey_t *p5;
+        HWCryptoHook_RSAGetPublicKey_t *p6;
+        HWCryptoHook_RSAUnloadKey_t *p7;
+        HWCryptoHook_RandomBytes_t *p8;
+        HWCryptoHook_ModExpCRT_t *p9;
+
+        if(hwcrhk_dso != NULL)
+                {
+                ENGINEerr(ENGINE_F_HWCRHK_INIT,ENGINE_R_ALREADY_LOADED);
+                goto err;
+                }
+        /* Attempt to load libnfhwcrhk.so/nfhwcrhk.dll/whatever. */
+        hwcrhk_dso = DSO_load(NULL, HWCRHK_LIBNAME, NULL,
+                DSO_FLAG_NAME_TRANSLATION);
+        if(hwcrhk_dso == NULL)
+                {
+                ENGINEerr(ENGINE_F_HWCRHK_INIT,ENGINE_R_DSO_FAILURE);
+                goto err;
+                }
+        if(!(p1 = (HWCryptoHook_Init_t *)
+                        DSO_bind_func(hwcrhk_dso, n_hwcrhk_Init)) ||
+                !(p2 = (HWCryptoHook_Finish_t *)
+                        DSO_bind_func(hwcrhk_dso, n_hwcrhk_Finish)) ||
+                !(p3 = (HWCryptoHook_ModExp_t *)
+                        DSO_bind_func(hwcrhk_dso, n_hwcrhk_ModExp)) ||
+                !(p4 = (HWCryptoHook_RSA_t *)
+                        DSO_bind_func(hwcrhk_dso, n_hwcrhk_RSA)) ||
+                !(p5 = (HWCryptoHook_RSALoadKey_t *)
+                        DSO_bind_func(hwcrhk_dso, n_hwcrhk_RSALoadKey)) ||
+                !(p6 = (HWCryptoHook_RSAGetPublicKey_t *)
+                        DSO_bind_func(hwcrhk_dso, n_hwcrhk_RSAGetPublicKey)) ||
+                !(p7 = (HWCryptoHook_RSAUnloadKey_t *)
+                        DSO_bind_func(hwcrhk_dso, n_hwcrhk_RSAUnloadKey)) ||
+                !(p8 = (HWCryptoHook_RandomBytes_t *)
+                        DSO_bind_func(hwcrhk_dso, n_hwcrhk_RandomBytes)) ||
+                !(p9 = (HWCryptoHook_ModExpCRT_t *)
+                        DSO_bind_func(hwcrhk_dso, n_hwcrhk_ModExpCRT)))
+                {
+                ENGINEerr(ENGINE_F_HWCRHK_INIT,ENGINE_R_DSO_FAILURE);
+                goto err;
+                }
+        /* Copy the pointers */
+        p_hwcrhk_Init = p1;
+        p_hwcrhk_Finish = p2;
+        p_hwcrhk_ModExp = p3;
+        p_hwcrhk_RSA = p4;
+        p_hwcrhk_RSALoadKey = p5;
+        p_hwcrhk_RSAGetPublicKey = p6;
+        p_hwcrhk_RSAUnloadKey = p7;
+        p_hwcrhk_RandomBytes = p8;
+        p_hwcrhk_ModExpCRT = p9;
+
+        /* Check if the application decided to support dynamic locks,
+           and if it does, use them. */
+        if (disable_mutex_callbacks == 0 &&
+                CRYPTO_get_dynlock_create_callback() != NULL &&
+                CRYPTO_get_dynlock_lock_callback() != NULL &&
+                CRYPTO_get_dynlock_destroy_callback() != NULL)
+                {
+                hwcrhk_globals.mutex_init = hwcrhk_mutex_init;
+                hwcrhk_globals.mutex_acquire = hwcrhk_mutex_lock;
+                hwcrhk_globals.mutex_release = hwcrhk_mutex_unlock;
+                hwcrhk_globals.mutex_destroy = hwcrhk_mutex_destroy;
+                }
+
+        /* Try and get a context - if not, we may have a DSO but no
+         * accelerator! */
+        if(!get_context(&hwcrhk_context))
+                {
+                ENGINEerr(ENGINE_F_HWCRHK_INIT,ENGINE_R_UNIT_FAILURE);
+                goto err;
+                }
+        /* Everything's fine. */
+        if (hndidx == -1)
+                hndidx = RSA_get_ex_new_index(0,
+                        "nFast HWCryptoHook RSA key handle",
+                        NULL, NULL, hwcrhk_ex_free);
+        return 1;
+err:
+        if(hwcrhk_dso)
+                DSO_free(hwcrhk_dso);
+        hwcrhk_dso = NULL;
+        p_hwcrhk_Init = NULL;
+        p_hwcrhk_Finish = NULL;
+        p_hwcrhk_ModExp = NULL;
+        p_hwcrhk_RSA = NULL;
+        p_hwcrhk_RSALoadKey = NULL;
+        p_hwcrhk_RSAGetPublicKey = NULL;
+        p_hwcrhk_RSAUnloadKey = NULL;
+        p_hwcrhk_ModExpCRT = NULL;
+        p_hwcrhk_RandomBytes = NULL;
+        return 0;
+        }
+
+static int hwcrhk_finish()
+        {
+        int to_return = 1;
+        if(hwcrhk_dso == NULL)
+                {
+                ENGINEerr(ENGINE_F_HWCRHK_FINISH,ENGINE_R_NOT_LOADED);
+                to_return = 0;
+                goto err;
+                }
+        release_context(hwcrhk_context);
+        if(!DSO_free(hwcrhk_dso))
+                {
+                ENGINEerr(ENGINE_F_HWCRHK_FINISH,ENGINE_R_DSO_FAILURE);
+                to_return = 0;
+                goto err;
+                }
+ err:
+        if (logstream)
+                BIO_free(logstream);
+        hwcrhk_dso = NULL;
+        p_hwcrhk_Init = NULL;
+        p_hwcrhk_Finish = NULL;
+        p_hwcrhk_ModExp = NULL;
+        p_hwcrhk_RSA = NULL;
+        p_hwcrhk_RSALoadKey = NULL;
+        p_hwcrhk_RSAGetPublicKey = NULL;
+        p_hwcrhk_RSAUnloadKey = NULL;
+        p_hwcrhk_ModExpCRT = NULL;
+        p_hwcrhk_RandomBytes = NULL;
+        return to_return;
+        }
+
+static int hwcrhk_ctrl(int cmd, long i, void *p, void (*f)())
+        {
+        int to_return = 1;
+
+        switch(cmd)
+                {
+        case ENGINE_CTRL_SET_LOGSTREAM:
+                {
+                BIO *bio = (BIO *)p;
+
+                CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+                if (logstream)
+                        {
+                        BIO_free(logstream);
+                        logstream = NULL;
+                        }
+                if (CRYPTO_add(&bio->references,1,CRYPTO_LOCK_BIO) > 1)
+                        logstream = bio;
+                else
+                        ENGINEerr(ENGINE_F_HWCRHK_CTRL,ENGINE_R_BIO_WAS_FREED);
+                }
+                CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+                break;
+        case ENGINE_CTRL_SET_PASSWORD_CALLBACK:
+                CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+                password_callback = (pem_password_cb *)f;
+                CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+                break;
+        /* this enables or disables the "SimpleForkCheck" flag used in the
+         * initialisation structure. */
+        case ENGINE_CTRL_CHIL_SET_FORKCHECK:
+                CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+                if(i)
+                        hwcrhk_globals.flags |=
+                                HWCryptoHook_InitFlags_SimpleForkCheck;
+                else
+                        hwcrhk_globals.flags &=
+                                ~HWCryptoHook_InitFlags_SimpleForkCheck;
+                CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+                break;
+        /* This will prevent the initialisation function from "installing"
+         * the mutex-handling callbacks, even if they are available from
+         * within the library (or were provided to the library from the
+         * calling application). This is to remove any baggage for
+         * applications not using multithreading. */
+        case ENGINE_CTRL_CHIL_NO_LOCKING:
+                CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+                disable_mutex_callbacks = 1;
+                CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+                break;
+
+        /* The command isn't understood by this engine */
+        default:
+                ENGINEerr(ENGINE_F_HWCRHK_CTRL,
+                        ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+                to_return = 0;
+                break;
+                }
+
+        return to_return;
+        }
+
+static EVP_PKEY *hwcrhk_load_privkey(const char *key_id,
+        const char *passphrase)
+        {
+        RSA *rtmp = NULL;
+        EVP_PKEY *res = NULL;
+        HWCryptoHook_MPI e, n;
+        HWCryptoHook_RSAKeyHandle *hptr;
+        HWCryptoHook_ErrMsgBuf rmsg;
+
+        if(!hwcrhk_context)
+                {
+                ENGINEerr(ENGINE_F_HWCRHK_LOAD_PRIVKEY,
+                        ENGINE_R_NOT_INITIALISED);
+                goto err;
+                }
+        hptr = OPENSSL_malloc(sizeof(HWCryptoHook_RSAKeyHandle));
+        if (!hptr)
+                {
+                ENGINEerr(ENGINE_F_HWCRHK_LOAD_PRIVKEY,
+                        ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
+        if (p_hwcrhk_RSALoadKey(hwcrhk_context, key_id, hptr,
+                &rmsg, NULL))
+                {
+                ENGINEerr(ENGINE_F_HWCRHK_LOAD_PRIVKEY,
+                        ENGINE_R_CHIL_ERROR);
+                ERR_add_error_data(1,rmsg.buf);
+                goto err;
+                }
+        if (!*hptr)
+                {
+                ENGINEerr(ENGINE_F_HWCRHK_LOAD_PRIVKEY,
+                        ENGINE_R_NO_KEY);
+                goto err;
+                }
+        rtmp = RSA_new_method(&engine_hwcrhk);
+        RSA_set_ex_data(rtmp, hndidx, (char *)hptr);
+        rtmp->e = BN_new();
+        rtmp->n = BN_new();
+        rtmp->flags |= RSA_FLAG_EXT_PKEY;
+        MPI2BN(rtmp->e, e);
+        MPI2BN(rtmp->n, n);
+        if (p_hwcrhk_RSAGetPublicKey(*hptr, &n, &e, &rmsg)
+                != HWCRYPTOHOOK_ERROR_MPISIZE)
+                {
+                ENGINEerr(ENGINE_F_HWCRHK_LOAD_PUBKEY,ENGINE_R_CHIL_ERROR);
+                ERR_add_error_data(1,rmsg.buf);
+                goto err;
+                }
+                        
+        bn_expand2(rtmp->e, e.size/sizeof(BN_ULONG));
+        bn_expand2(rtmp->n, n.size/sizeof(BN_ULONG));
+        MPI2BN(rtmp->e, e);
+        MPI2BN(rtmp->n, n);
+
+        if (p_hwcrhk_RSAGetPublicKey(*hptr, &n, &e, &rmsg))
+                {
+                ENGINEerr(ENGINE_F_HWCRHK_LOAD_PUBKEY,
+                        ENGINE_R_CHIL_ERROR);
+                ERR_add_error_data(1,rmsg.buf);
+                goto err;
+                }
+        rtmp->e->top = e.size / sizeof(BN_ULONG);
+        bn_fix_top(rtmp->e);
+        rtmp->n->top = n.size / sizeof(BN_ULONG);
+        bn_fix_top(rtmp->n);
+
+        res = EVP_PKEY_new();
+        EVP_PKEY_assign_RSA(res, rtmp);
+
+        return res;
+ err:
+        if (res)
+                EVP_PKEY_free(res);
+        if (rtmp)
+                RSA_free(rtmp);
+        return NULL;
+        }
+
+static EVP_PKEY *hwcrhk_load_pubkey(const char *key_id, const char *passphrase)
+        {
+        EVP_PKEY *res = hwcrhk_load_privkey(key_id, passphrase);
+
+        if (res)
+                switch(res->type)
+                        {
+                case EVP_PKEY_RSA:
+                        {
+                        RSA *rsa = NULL;
+
+                        CRYPTO_w_lock(CRYPTO_LOCK_EVP_PKEY);
+                        rsa = res->pkey.rsa;
+                        res->pkey.rsa = RSA_new();
+                        res->pkey.rsa->n = rsa->n;
+                        res->pkey.rsa->e = rsa->e;
+                        CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
+                        RSA_free(rsa);
+                        }
+                default:
+                        ENGINEerr(ENGINE_F_HWCRHK_LOAD_PUBKEY,
+                                ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+                        goto err;
+                        }
+
+        return res;
+ err:
+        if (res)
+                EVP_PKEY_free(res);
+        return NULL;
+        }
+
+/* A little mod_exp */
+static int hwcrhk_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                        const BIGNUM *m, BN_CTX *ctx)
+        {
+        char tempbuf[1024];
+        HWCryptoHook_ErrMsgBuf rmsg;
+        /* Since HWCryptoHook_MPI is pretty compatible with BIGNUM's,
+           we use them directly, plus a little macro magic.  We only
+           thing we need to make sure of is that enough space is allocated. */
+        HWCryptoHook_MPI m_a, m_p, m_n, m_r;
+        int to_return, ret;
+ 
+        to_return = 0; /* expect failure */
+        rmsg.buf = tempbuf;
+        rmsg.size = 1024;
+
+        if(!hwcrhk_context)
+                {
+                ENGINEerr(ENGINE_F_HWCRHK_MOD_EXP,ENGINE_R_NOT_INITIALISED);
+                goto err;
+                }
+        /* Prepare the params */
+        bn_expand2(r, m->top);  /* Check for error !! */
+        BN2MPI(m_a, a);
+        BN2MPI(m_p, p);
+        BN2MPI(m_n, m);
+        MPI2BN(r, m_r);
+
+        /* Perform the operation */
+        ret = p_hwcrhk_ModExp(hwcrhk_context, m_a, m_p, m_n, &m_r, &rmsg);
+
+        /* Convert the response */
+        r->top = m_r.size / sizeof(BN_ULONG);
+        bn_fix_top(r);
+
+        if (ret < 0)
+                {
+                /* FIXME: When this error is returned, HWCryptoHook is
+                   telling us that falling back to software computation
+                   might be a good thing. */
+                if(ret == HWCRYPTOHOOK_ERROR_FALLBACK)
+                        {
+                        ENGINEerr(ENGINE_F_HWCRHK_MOD_EXP,ENGINE_R_REQUEST_FALLBACK);
+                        }
+                else
+                        {
+                        ENGINEerr(ENGINE_F_HWCRHK_MOD_EXP,ENGINE_R_REQUEST_FAILED);
+                        }
+                ERR_add_error_data(1,rmsg.buf);
+                goto err;
+                }
+
+        to_return = 1;
+err:
+        return to_return;
+        }
+ 
+static int hwcrhk_rsa_mod_exp(BIGNUM *r, BIGNUM *I, RSA *rsa)
+        {
+        char tempbuf[1024];
+        HWCryptoHook_ErrMsgBuf rmsg;
+        HWCryptoHook_RSAKeyHandle *hptr;
+        int to_return = 0, ret;
+
+        if(!hwcrhk_context)
+                {
+                ENGINEerr(ENGINE_F_HWCRHK_MOD_EXP,ENGINE_R_NOT_INITIALISED);
+                goto err;
+                }
+
+        /* This provides support for nForce keys.  Since that's opaque data
+           all we do is provide a handle to the proper key and let HWCryptoHook
+           take care of the rest. */
+        if ((hptr = (HWCryptoHook_RSAKeyHandle *) RSA_get_ex_data(rsa, hndidx))
+                != NULL)
+                {
+                HWCryptoHook_MPI m_a, m_r;
+
+                if(!rsa->n)
+                        {
+                        ENGINEerr(ENGINE_F_HWCRHK_RSA_MOD_EXP,
+                                ENGINE_R_MISSING_KEY_COMPONENTS);
+                        goto err;
+                        }
+
+                rmsg.buf = tempbuf;
+                rmsg.size = 1024;
+
+                /* Prepare the params */
+                bn_expand2(r, rsa->n->top); /* Check for error !! */
+                BN2MPI(m_a, I);
+                MPI2BN(r, m_r);
+
+                /* Perform the operation */
+                ret = p_hwcrhk_RSA(m_a, *hptr, &m_r, &rmsg);
+
+                /* Convert the response */
+                r->top = m_r.size / sizeof(BN_ULONG);
+                bn_fix_top(r);
+
+                if (ret < 0)
+                        {
+                        /* FIXME: When this error is returned, HWCryptoHook is
+                           telling us that falling back to software computation
+                           might be a good thing. */
+                        if(ret == HWCRYPTOHOOK_ERROR_FALLBACK)
+                                {
+                                ENGINEerr(ENGINE_F_HWCRHK_RSA_MOD_EXP,ENGINE_R_REQUEST_FALLBACK);
+                                }
+                        else
+                                {
+                                ENGINEerr(ENGINE_F_HWCRHK_RSA_MOD_EXP,ENGINE_R_REQUEST_FAILED);
+                                }
+                        ERR_add_error_data(1,rmsg.buf);
+                        goto err;
+                        }
+                }
+        else
+                {
+                HWCryptoHook_MPI m_a, m_p, m_q, m_dmp1, m_dmq1, m_iqmp, m_r;
+
+                if(!rsa->p || !rsa->q || !rsa->dmp1 || !rsa->dmq1 || !rsa->iqmp)
+                        {
+                        ENGINEerr(ENGINE_F_HWCRHK_RSA_MOD_EXP,
+                                ENGINE_R_MISSING_KEY_COMPONENTS);
+                        goto err;
+                        }
+
+                rmsg.buf = tempbuf;
+                rmsg.size = 1024;
+
+                /* Prepare the params */
+                bn_expand2(r, rsa->n->top); /* Check for error !! */
+                BN2MPI(m_a, I);
+                BN2MPI(m_p, rsa->p);
+                BN2MPI(m_q, rsa->q);
+                BN2MPI(m_dmp1, rsa->dmp1);
+                BN2MPI(m_dmq1, rsa->dmq1);
+                BN2MPI(m_iqmp, rsa->iqmp);
+                MPI2BN(r, m_r);
+
+                /* Perform the operation */
+                ret = p_hwcrhk_ModExpCRT(hwcrhk_context, m_a, m_p, m_q,
+                        m_dmp1, m_dmq1, m_iqmp, &m_r, NULL);
+
+                /* Convert the response */
+                r->top = m_r.size / sizeof(BN_ULONG);
+                bn_fix_top(r);
+
+                if (ret < 0)
+                        {
+                        /* FIXME: When this error is returned, HWCryptoHook is
+                           telling us that falling back to software computation
+                           might be a good thing. */
+                        if(ret == HWCRYPTOHOOK_ERROR_FALLBACK)
+                                {
+                                ENGINEerr(ENGINE_F_HWCRHK_RSA_MOD_EXP,ENGINE_R_REQUEST_FALLBACK);
+                                }
+                        else
+                                {
+                                ENGINEerr(ENGINE_F_HWCRHK_RSA_MOD_EXP,ENGINE_R_REQUEST_FAILED);
+                                }
+                        ERR_add_error_data(1,rmsg.buf);
+                        goto err;
+                        }
+                }
+        /* If we're here, we must be here with some semblance of success :-) */
+        to_return = 1;
+err:
+        return to_return;
+        }
+
+/* This function is aliased to mod_exp (with the mont stuff dropped). */
+static int hwcrhk_mod_exp_mont(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+        {
+        return hwcrhk_mod_exp(r, a, p, m, ctx);
+        }
+
+/* This function is aliased to mod_exp (with the dh and mont dropped). */
+static int hwcrhk_mod_exp_dh(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+        {
+        return hwcrhk_mod_exp(r, a, p, m, ctx);
+        }
+
+/* Random bytes are good */
+static int hwcrhk_rand_bytes(unsigned char *buf, int num)
+        {
+        char tempbuf[1024];
+        HWCryptoHook_ErrMsgBuf rmsg;
+        int to_return = 0; /* assume failure */
+        int ret;
+
+        rmsg.buf = tempbuf;
+        rmsg.size = 1024;
+
+        if(!hwcrhk_context)
+                {
+                ENGINEerr(ENGINE_F_HWCRHK_RAND_BYTES,ENGINE_R_NOT_INITIALISED);
+                goto err;
+                }
+
+        ret = p_hwcrhk_RandomBytes(hwcrhk_context, buf, num, &rmsg);
+        if (ret < 0)
+                {
+                /* FIXME: When this error is returned, HWCryptoHook is
+                   telling us that falling back to software computation
+                   might be a good thing. */
+                if(ret == HWCRYPTOHOOK_ERROR_FALLBACK)
+                        {
+                        ENGINEerr(ENGINE_F_HWCRHK_RAND_BYTES,ENGINE_R_REQUEST_FALLBACK);
+                        }
+                else
+                        {
+                        ENGINEerr(ENGINE_F_HWCRHK_RAND_BYTES,ENGINE_R_REQUEST_FAILED);
+                        }
+                ERR_add_error_data(1,rmsg.buf);
+                goto err;
+                }
+        to_return = 1;
+ err:
+        return to_return;
+        }
+
+static int hwcrhk_rand_status(void)
+        {
+        return 1;
+        }
+
+/* This cleans up an RSA KM key, called when ex_data is freed */
+
+static void hwcrhk_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
+        int index,long argl, void *argp)
+{
+        char tempbuf[1024];
+        HWCryptoHook_ErrMsgBuf rmsg;
+        HWCryptoHook_RSAKeyHandle *hptr;
+        int ret;
+
+        rmsg.buf = tempbuf;
+        rmsg.size = 1024;
+
+        hptr = (HWCryptoHook_RSAKeyHandle *) item;
+        if(!hptr) return;
+        ret = p_hwcrhk_RSAUnloadKey(*hptr, NULL);
+        OPENSSL_free(hptr);
+}
+
+/* Mutex calls: since the HWCryptoHook model closely follows the POSIX model
+ * these just wrap the POSIX functions and add some logging.
+ */
+
+static int hwcrhk_mutex_init(HWCryptoHook_Mutex* mt,
+        HWCryptoHook_CallerContext *cactx)
+        {
+        mt->lockid = CRYPTO_get_new_dynlockid();
+        if (mt->lockid == 0)
+                return 0;
+        return 1;
+        }
+
+static int hwcrhk_mutex_lock(HWCryptoHook_Mutex *mt)
+        {
+        CRYPTO_w_lock(mt->lockid);
+        return 1;
+        }
+
+void hwcrhk_mutex_unlock(HWCryptoHook_Mutex * mt)
+        {
+        CRYPTO_w_unlock(mt->lockid);
+        }
+
+static void hwcrhk_mutex_destroy(HWCryptoHook_Mutex *mt)
+        {
+        CRYPTO_destroy_dynlockid(mt->lockid);
+        }
+
+static int hwcrhk_get_pass(const char *prompt_info,
+        int *len_io, char *buf,
+        HWCryptoHook_PassphraseContext *ppctx,
+        HWCryptoHook_CallerContext *cactx)
+        {
+        int l = 0;
+        char prompt[1024];
+
+        if (password_callback == NULL)
+                {
+                ENGINEerr(ENGINE_F_HWCRHK_GET_PASS,ENGINE_R_NO_CALLBACK);
+                return -1;
+                }
+        if (prompt_info)
+                {
+                strncpy(prompt, "Card: \"", sizeof(prompt));
+                l += 5;
+                strncpy(prompt + l, prompt_info, sizeof(prompt) - l);
+                l += strlen(prompt_info);
+                if (l + 2 < sizeof(prompt))
+                        {
+                        strncpy(prompt + l, "\"\n", sizeof(prompt) - l);
+                        l += 2;
+                        }
+                }
+        if (l < sizeof(prompt) - 1)
+                {
+                strncpy(prompt, "Enter Passphrase <enter to cancel>:",
+                        sizeof(prompt) - l);
+                l += 35;
+                }
+        prompt[l] = '\0';
+
+        /* I know, passing on the prompt instead of the user data *is*
+           a bad thing.  However, that's all we have right now.
+           --  Richard Levitte */
+        *len_io = password_callback(buf, *len_io, 0, prompt);
+        if(!*len_io)
+                return -1;
+        return 0;
+        }
+
+static void hwcrhk_log_message(void *logstream, const char *message)
+        {
+        BIO *lstream = NULL;
+
+        CRYPTO_w_lock(CRYPTO_LOCK_BIO);
+        if (logstream)
+                lstream=*(BIO **)logstream;
+        if (lstream)
+                {
+                BIO_write(lstream, message, strlen(message));
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_BIO);
+        }
+
+#endif /* !NO_HW_NCIPHER */
+#endif /* !NO_HW */
diff --git a/src/lib/libssl/src/crypto/engine/hw_ncipher_err.c b/src/lib/libssl/src/crypto/engine/hw_ncipher_err.c
new file mode 100644
index 0000000000..24024cfc6f
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/hw_ncipher_err.c
@@ -0,0 +1,156 @@
+/* hw_ncipher_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "hw_ncipher_err.h"
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA HWCRHK_str_functs[]=
+        {
+{ERR_PACK(0,HWCRHK_F_HWCRHK_CTRL,0),    "HWCRHK_CTRL"},
+{ERR_PACK(0,HWCRHK_F_HWCRHK_FINISH,0),  "HWCRHK_FINISH"},
+{ERR_PACK(0,HWCRHK_F_HWCRHK_GET_PASS,0),        "HWCRHK_GET_PASS"},
+{ERR_PACK(0,HWCRHK_F_HWCRHK_INIT,0),    "HWCRHK_INIT"},
+{ERR_PACK(0,HWCRHK_F_HWCRHK_INSERT_CARD,0),     "HWCRHK_INSERT_CARD"},
+{ERR_PACK(0,HWCRHK_F_HWCRHK_LOAD_PRIVKEY,0),    "HWCRHK_LOAD_PRIVKEY"},
+{ERR_PACK(0,HWCRHK_F_HWCRHK_LOAD_PUBKEY,0),     "HWCRHK_LOAD_PUBKEY"},
+{ERR_PACK(0,HWCRHK_F_HWCRHK_MOD_EXP,0), "HWCRHK_MOD_EXP"},
+{ERR_PACK(0,HWCRHK_F_HWCRHK_RAND_BYTES,0),      "HWCRHK_RAND_BYTES"},
+{ERR_PACK(0,HWCRHK_F_HWCRHK_RSA_MOD_EXP,0),     "HWCRHK_RSA_MOD_EXP"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA HWCRHK_str_reasons[]=
+        {
+{HWCRHK_R_ALREADY_LOADED                 ,"already loaded"},
+{HWCRHK_R_BIO_WAS_FREED                  ,"bio was freed"},
+{HWCRHK_R_CHIL_ERROR                     ,"chil error"},
+{HWCRHK_R_CTRL_COMMAND_NOT_IMPLEMENTED   ,"ctrl command not implemented"},
+{HWCRHK_R_DSO_FAILURE                    ,"dso failure"},
+{HWCRHK_R_MISSING_KEY_COMPONENTS         ,"missing key components"},
+{HWCRHK_R_NOT_INITIALISED                ,"not initialised"},
+{HWCRHK_R_NOT_LOADED                     ,"not loaded"},
+{HWCRHK_R_NO_CALLBACK                    ,"no callback"},
+{HWCRHK_R_NO_KEY                         ,"no key"},
+{HWCRHK_R_PRIVATE_KEY_ALGORITHMS_DISABLED,"private key algorithms disabled"},
+{HWCRHK_R_REQUEST_FAILED                 ,"request failed"},
+{HWCRHK_R_REQUEST_FALLBACK               ,"request fallback"},
+{HWCRHK_R_UNIT_FAILURE                   ,"unit failure"},
+{0,NULL}
+        };
+
+#endif
+
+#ifdef HWCRHK_LIB_NAME
+static ERR_STRING_DATA HWCRHK_lib_name[]=
+        {
+{0      ,HWCRHK_LIB_NAME},
+{0,NULL}
+        };
+#endif
+
+
+static int HWCRHK_lib_error_code=0;
+static int HWCRHK_error_init=1;
+
+static void ERR_load_HWCRHK_strings(void)
+        {
+        if (HWCRHK_lib_error_code == 0)
+                HWCRHK_lib_error_code=ERR_get_next_error_library();
+
+        if (HWCRHK_error_init)
+                {
+                HWCRHK_error_init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(HWCRHK_lib_error_code,HWCRHK_str_functs);
+                ERR_load_strings(HWCRHK_lib_error_code,HWCRHK_str_reasons);
+#endif
+
+#ifdef HWCRHK_LIB_NAME
+                HWCRHK_lib_name->error = ERR_PACK(HWCRHK_lib_error_code,0,0);
+                ERR_load_strings(0,HWCRHK_lib_name);
+#endif
+                }
+        }
+
+static void ERR_unload_HWCRHK_strings(void)
+        {
+        if (HWCRHK_error_init == 0)
+                {
+#ifndef OPENSSL_NO_ERR
+                ERR_unload_strings(HWCRHK_lib_error_code,HWCRHK_str_functs);
+                ERR_unload_strings(HWCRHK_lib_error_code,HWCRHK_str_reasons);
+#endif
+
+#ifdef HWCRHK_LIB_NAME
+                ERR_unload_strings(0,HWCRHK_lib_name);
+#endif
+                HWCRHK_error_init=1;
+                }
+        }
+
+static void ERR_HWCRHK_error(int function, int reason, char *file, int line)
+        {
+        if (HWCRHK_lib_error_code == 0)
+                HWCRHK_lib_error_code=ERR_get_next_error_library();
+        ERR_PUT_error(HWCRHK_lib_error_code,function,reason,file,line);
+        }
diff --git a/src/lib/libssl/src/crypto/engine/hw_ncipher_err.h b/src/lib/libssl/src/crypto/engine/hw_ncipher_err.h
new file mode 100644
index 0000000000..4d65b1d470
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/hw_ncipher_err.h
@@ -0,0 +1,100 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_HWCRHK_ERR_H
+#define HEADER_HWCRHK_ERR_H
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+static void ERR_load_HWCRHK_strings(void);
+static void ERR_unload_HWCRHK_strings(void);
+static void ERR_HWCRHK_error(int function, int reason, char *file, int line);
+#define HWCRHKerr(f,r) ERR_HWCRHK_error((f),(r),__FILE__,__LINE__)
+
+/* Error codes for the HWCRHK functions. */
+
+/* Function codes. */
+#define HWCRHK_F_HWCRHK_CTRL                             100
+#define HWCRHK_F_HWCRHK_FINISH                           101
+#define HWCRHK_F_HWCRHK_GET_PASS                         102
+#define HWCRHK_F_HWCRHK_INIT                             103
+#define HWCRHK_F_HWCRHK_INSERT_CARD                      104
+#define HWCRHK_F_HWCRHK_LOAD_PRIVKEY                     105
+#define HWCRHK_F_HWCRHK_LOAD_PUBKEY                      106
+#define HWCRHK_F_HWCRHK_MOD_EXP                          107
+#define HWCRHK_F_HWCRHK_RAND_BYTES                       108
+#define HWCRHK_F_HWCRHK_RSA_MOD_EXP                      109
+
+/* Reason codes. */
+#define HWCRHK_R_ALREADY_LOADED                          100
+#define HWCRHK_R_BIO_WAS_FREED                           101
+#define HWCRHK_R_CHIL_ERROR                              102
+#define HWCRHK_R_CTRL_COMMAND_NOT_IMPLEMENTED            103
+#define HWCRHK_R_DSO_FAILURE                             104
+#define HWCRHK_R_MISSING_KEY_COMPONENTS                  105
+#define HWCRHK_R_NOT_INITIALISED                         106
+#define HWCRHK_R_NOT_LOADED                              107
+#define HWCRHK_R_NO_CALLBACK                             108
+#define HWCRHK_R_NO_KEY                                  109
+#define HWCRHK_R_PRIVATE_KEY_ALGORITHMS_DISABLED         110
+#define HWCRHK_R_REQUEST_FAILED                          111
+#define HWCRHK_R_REQUEST_FALLBACK                        112
+#define HWCRHK_R_UNIT_FAILURE                            113
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libssl/src/crypto/engine/hw_nuron.c b/src/lib/libssl/src/crypto/engine/hw_nuron.c
new file mode 100644
index 0000000000..2672012154
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/hw_nuron.c
@@ -0,0 +1,399 @@
+/* crypto/engine/hw_nuron.c */
+/* Written by Ben Laurie for the OpenSSL Project, leaning heavily on Geoff
+ * Thorpe's Atalla implementation.
+ */
+/* ====================================================================
+ * Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/dso.h>
+#include <openssl/engine.h>
+
+
+#ifndef OPENSSL_NO_HW
+#ifndef OPENSSL_NO_HW_NURON
+
+#define NURON_LIB_NAME "nuron engine"
+#include "hw_nuron_err.c"
+
+static const char def_NURON_LIBNAME[] = "nuronssl";
+static const char *NURON_LIBNAME = def_NURON_LIBNAME;
+static const char *NURON_F1 = "nuron_mod_exp";
+
+/* The definitions for control commands specific to this engine */
+#define NURON_CMD_SO_PATH               ENGINE_CMD_BASE
+static const ENGINE_CMD_DEFN nuron_cmd_defns[] = {
+        {NURON_CMD_SO_PATH,
+                "SO_PATH",
+                "Specifies the path to the 'nuronssl' shared library",
+                ENGINE_CMD_FLAG_STRING},
+        {0, NULL, NULL, 0}
+        };
+
+typedef int tfnModExp(BIGNUM *r,const BIGNUM *a,const BIGNUM *p,const BIGNUM *m);
+static tfnModExp *pfnModExp = NULL;
+
+static DSO *pvDSOHandle = NULL;
+
+static int nuron_destroy(ENGINE *e)
+        {
+        ERR_unload_NURON_strings();
+        return 1;
+        }
+
+static int nuron_init(ENGINE *e)
+        {
+        if(pvDSOHandle != NULL)
+                {
+                NURONerr(NURON_F_NURON_INIT,NURON_R_ALREADY_LOADED);
+                return 0;
+                }
+
+        pvDSOHandle = DSO_load(NULL, NURON_LIBNAME, NULL,
+                DSO_FLAG_NAME_TRANSLATION_EXT_ONLY);
+        if(!pvDSOHandle)
+                {
+                NURONerr(NURON_F_NURON_INIT,NURON_R_DSO_NOT_FOUND);
+                return 0;
+                }
+
+        pfnModExp = (tfnModExp *)DSO_bind_func(pvDSOHandle, NURON_F1);
+        if(!pfnModExp)
+                {
+                NURONerr(NURON_F_NURON_INIT,NURON_R_DSO_FUNCTION_NOT_FOUND);
+                return 0;
+                }
+
+        return 1;
+        }
+
+static int nuron_finish(ENGINE *e)
+        {
+        if(pvDSOHandle == NULL)
+                {
+                NURONerr(NURON_F_NURON_FINISH,NURON_R_NOT_LOADED);
+                return 0;
+                }
+        if(!DSO_free(pvDSOHandle))
+                {
+                NURONerr(NURON_F_NURON_FINISH,NURON_R_DSO_FAILURE);
+                return 0;
+                }
+        pvDSOHandle=NULL;
+        pfnModExp=NULL;
+        return 1;
+        }
+
+static int nuron_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
+        {
+        int initialised = ((pvDSOHandle == NULL) ? 0 : 1);
+        switch(cmd)
+                {
+        case NURON_CMD_SO_PATH:
+                if(p == NULL)
+                        {
+                        NURONerr(NURON_F_NURON_CTRL,ERR_R_PASSED_NULL_PARAMETER);
+                        return 0;
+                        }
+                if(initialised)
+                        {
+                        NURONerr(NURON_F_NURON_CTRL,NURON_R_ALREADY_LOADED);
+                        return 0;
+                        }
+                NURON_LIBNAME = (const char *)p;
+                return 1;
+        default:
+                break;
+                }
+        NURONerr(NURON_F_NURON_CTRL,NURON_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+        return 0;
+}
+
+static int nuron_mod_exp(BIGNUM *r,const BIGNUM *a,const BIGNUM *p,
+                         const BIGNUM *m,BN_CTX *ctx)
+        {
+        if(!pvDSOHandle)
+                {
+                NURONerr(NURON_F_NURON_MOD_EXP,NURON_R_NOT_LOADED);
+                return 0;
+                }
+        return pfnModExp(r,a,p,m);
+        }
+
+#ifndef OPENSSL_NO_RSA
+static int nuron_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
+        {
+        return nuron_mod_exp(r0,I,rsa->d,rsa->n,NULL);
+        }
+#endif
+
+#ifndef OPENSSL_NO_DSA
+/* This code was liberated and adapted from the commented-out code in
+ * dsa_ossl.c. Because of the unoptimised form of the Atalla acceleration
+ * (it doesn't have a CRT form for RSA), this function means that an
+ * Atalla system running with a DSA server certificate can handshake
+ * around 5 or 6 times faster/more than an equivalent system running with
+ * RSA. Just check out the "signs" statistics from the RSA and DSA parts
+ * of "openssl speed -engine atalla dsa1024 rsa1024". */
+static int nuron_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+                             BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
+                             BN_CTX *ctx, BN_MONT_CTX *in_mont)
+        {
+        BIGNUM t;
+        int to_return = 0;
+ 
+        BN_init(&t);
+        /* let rr = a1 ^ p1 mod m */
+        if (!nuron_mod_exp(rr,a1,p1,m,ctx))
+                goto end;
+        /* let t = a2 ^ p2 mod m */
+        if (!nuron_mod_exp(&t,a2,p2,m,ctx))
+                goto end;
+        /* let rr = rr * t mod m */
+        if (!BN_mod_mul(rr,rr,&t,m,ctx))
+                goto end;
+        to_return = 1;
+end:
+        BN_free(&t);
+        return to_return;
+        }
+
+
+static int nuron_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
+                             const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+                             BN_MONT_CTX *m_ctx)
+        {
+        return nuron_mod_exp(r, a, p, m, ctx);
+        }
+#endif
+
+/* This function is aliased to mod_exp (with the mont stuff dropped). */
+static int nuron_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+                              const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+        {
+        return nuron_mod_exp(r, a, p, m, ctx);
+        }
+
+#ifndef OPENSSL_NO_DH
+/* This function is aliased to mod_exp (with the dh and mont dropped). */
+static int nuron_mod_exp_dh(const DH *dh, BIGNUM *r,
+                const BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+        {
+        return nuron_mod_exp(r, a, p, m, ctx);
+        }
+#endif
+
+#ifndef OPENSSL_NO_RSA
+static RSA_METHOD nuron_rsa =
+        {
+        "Nuron RSA method",
+        NULL,
+        NULL,
+        NULL,
+        NULL,
+        nuron_rsa_mod_exp,
+        nuron_mod_exp_mont,
+        NULL,
+        NULL,
+        0,
+        NULL,
+        NULL,
+        NULL
+        };
+#endif
+
+#ifndef OPENSSL_NO_DSA
+static DSA_METHOD nuron_dsa =
+        {
+        "Nuron DSA method",
+        NULL, /* dsa_do_sign */
+        NULL, /* dsa_sign_setup */
+        NULL, /* dsa_do_verify */
+        nuron_dsa_mod_exp, /* dsa_mod_exp */
+        nuron_mod_exp_dsa, /* bn_mod_exp */
+        NULL, /* init */
+        NULL, /* finish */
+        0, /* flags */
+        NULL /* app_data */
+        };
+#endif
+
+#ifndef OPENSSL_NO_DH
+static DH_METHOD nuron_dh =
+        {
+        "Nuron DH method",
+        NULL,
+        NULL,
+        nuron_mod_exp_dh,
+        NULL,
+        NULL,
+        0,
+        NULL
+        };
+#endif
+
+/* Constants used when creating the ENGINE */
+static const char *engine_nuron_id = "nuron";
+static const char *engine_nuron_name = "Nuron hardware engine support";
+
+/* This internal function is used by ENGINE_nuron() and possibly by the
+ * "dynamic" ENGINE support too */
+static int bind_helper(ENGINE *e)
+        {
+#ifndef OPENSSL_NO_RSA
+        const RSA_METHOD *meth1;
+#endif
+#ifndef OPENSSL_NO_DSA
+        const DSA_METHOD *meth2;
+#endif
+#ifndef OPENSSL_NO_DH
+        const DH_METHOD *meth3;
+#endif
+        if(!ENGINE_set_id(e, engine_nuron_id) ||
+                        !ENGINE_set_name(e, engine_nuron_name) ||
+#ifndef OPENSSL_NO_RSA
+                        !ENGINE_set_RSA(e, &nuron_rsa) ||
+#endif
+#ifndef OPENSSL_NO_DSA
+                        !ENGINE_set_DSA(e, &nuron_dsa) ||
+#endif
+#ifndef OPENSSL_NO_DH
+                        !ENGINE_set_DH(e, &nuron_dh) ||
+#endif
+                        !ENGINE_set_destroy_function(e, nuron_destroy) ||
+                        !ENGINE_set_init_function(e, nuron_init) ||
+                        !ENGINE_set_finish_function(e, nuron_finish) ||
+                        !ENGINE_set_ctrl_function(e, nuron_ctrl) ||
+                        !ENGINE_set_cmd_defns(e, nuron_cmd_defns))
+                return 0;
+
+#ifndef OPENSSL_NO_RSA
+        /* We know that the "PKCS1_SSLeay()" functions hook properly
+         * to the nuron-specific mod_exp and mod_exp_crt so we use
+         * those functions. NB: We don't use ENGINE_openssl() or
+         * anything "more generic" because something like the RSAref
+         * code may not hook properly, and if you own one of these
+         * cards then you have the right to do RSA operations on it
+         * anyway! */ 
+        meth1=RSA_PKCS1_SSLeay();
+        nuron_rsa.rsa_pub_enc=meth1->rsa_pub_enc;
+        nuron_rsa.rsa_pub_dec=meth1->rsa_pub_dec;
+        nuron_rsa.rsa_priv_enc=meth1->rsa_priv_enc;
+        nuron_rsa.rsa_priv_dec=meth1->rsa_priv_dec;
+#endif
+
+#ifndef OPENSSL_NO_DSA
+        /* Use the DSA_OpenSSL() method and just hook the mod_exp-ish
+         * bits. */
+        meth2=DSA_OpenSSL();
+        nuron_dsa.dsa_do_sign=meth2->dsa_do_sign;
+        nuron_dsa.dsa_sign_setup=meth2->dsa_sign_setup;
+        nuron_dsa.dsa_do_verify=meth2->dsa_do_verify;
+#endif
+
+#ifndef OPENSSL_NO_DH
+        /* Much the same for Diffie-Hellman */
+        meth3=DH_OpenSSL();
+        nuron_dh.generate_key=meth3->generate_key;
+        nuron_dh.compute_key=meth3->compute_key;
+#endif
+
+        /* Ensure the nuron error handling is set up */
+        ERR_load_NURON_strings();
+        return 1;
+        }
+
+static ENGINE *engine_nuron(void)
+        {
+        ENGINE *ret = ENGINE_new();
+        if(!ret)
+                return NULL;
+        if(!bind_helper(ret))
+                {
+                ENGINE_free(ret);
+                return NULL;
+                }
+        return ret;
+        }
+
+void ENGINE_load_nuron(void)
+        {
+        /* Copied from eng_[openssl|dyn].c */
+        ENGINE *toadd = engine_nuron();
+        if(!toadd) return;
+        ENGINE_add(toadd);
+        ENGINE_free(toadd);
+        ERR_clear_error();
+        }
+
+/* This stuff is needed if this ENGINE is being compiled into a self-contained
+ * shared-library. */      
+#ifdef ENGINE_DYNAMIC_SUPPORT
+static int bind_fn(ENGINE *e, const char *id)
+        {
+        if(id && (strcmp(id, engine_nuron_id) != 0))
+                return 0;
+        if(!bind_helper(e))
+                return 0;
+        return 1;
+        }       
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
+#endif /* ENGINE_DYNAMIC_SUPPORT */
+
+#endif /* !OPENSSL_NO_HW_NURON */
+#endif /* !OPENSSL_NO_HW */
diff --git a/src/lib/libssl/src/crypto/engine/hw_nuron_err.c b/src/lib/libssl/src/crypto/engine/hw_nuron_err.c
new file mode 100644
index 0000000000..df9d7bde76
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/hw_nuron_err.c
@@ -0,0 +1,142 @@
+/* hw_nuron_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "hw_nuron_err.h"
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA NURON_str_functs[]=
+        {
+{ERR_PACK(0,NURON_F_NURON_CTRL,0),      "NURON_CTRL"},
+{ERR_PACK(0,NURON_F_NURON_FINISH,0),    "NURON_FINISH"},
+{ERR_PACK(0,NURON_F_NURON_INIT,0),      "NURON_INIT"},
+{ERR_PACK(0,NURON_F_NURON_MOD_EXP,0),   "NURON_MOD_EXP"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA NURON_str_reasons[]=
+        {
+{NURON_R_ALREADY_LOADED                  ,"already loaded"},
+{NURON_R_CTRL_COMMAND_NOT_IMPLEMENTED    ,"ctrl command not implemented"},
+{NURON_R_DSO_FAILURE                     ,"dso failure"},
+{NURON_R_DSO_FUNCTION_NOT_FOUND          ,"dso function not found"},
+{NURON_R_DSO_NOT_FOUND                   ,"dso not found"},
+{NURON_R_NOT_LOADED                      ,"not loaded"},
+{0,NULL}
+        };
+
+#endif
+
+#ifdef NURON_LIB_NAME
+static ERR_STRING_DATA NURON_lib_name[]=
+        {
+{0      ,NURON_LIB_NAME},
+{0,NULL}
+        };
+#endif
+
+
+static int NURON_lib_error_code=0;
+static int NURON_error_init=1;
+
+static void ERR_load_NURON_strings(void)
+        {
+        if (NURON_lib_error_code == 0)
+                NURON_lib_error_code=ERR_get_next_error_library();
+
+        if (NURON_error_init)
+                {
+                NURON_error_init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(NURON_lib_error_code,NURON_str_functs);
+                ERR_load_strings(NURON_lib_error_code,NURON_str_reasons);
+#endif
+
+#ifdef NURON_LIB_NAME
+                NURON_lib_name->error = ERR_PACK(NURON_lib_error_code,0,0);
+                ERR_load_strings(0,NURON_lib_name);
+#endif
+                }
+        }
+
+static void ERR_unload_NURON_strings(void)
+        {
+        if (NURON_error_init == 0)
+                {
+#ifndef OPENSSL_NO_ERR
+                ERR_unload_strings(NURON_lib_error_code,NURON_str_functs);
+                ERR_unload_strings(NURON_lib_error_code,NURON_str_reasons);
+#endif
+
+#ifdef NURON_LIB_NAME
+                ERR_unload_strings(0,NURON_lib_name);
+#endif
+                NURON_error_init=1;
+                }
+        }
+
+static void ERR_NURON_error(int function, int reason, char *file, int line)
+        {
+        if (NURON_lib_error_code == 0)
+                NURON_lib_error_code=ERR_get_next_error_library();
+        ERR_PUT_error(NURON_lib_error_code,function,reason,file,line);
+        }
diff --git a/src/lib/libssl/src/crypto/engine/hw_nuron_err.h b/src/lib/libssl/src/crypto/engine/hw_nuron_err.h
new file mode 100644
index 0000000000..a56bfdf303
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/hw_nuron_err.h
@@ -0,0 +1,86 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_NURON_ERR_H
+#define HEADER_NURON_ERR_H
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+static void ERR_load_NURON_strings(void);
+static void ERR_unload_NURON_strings(void);
+static void ERR_NURON_error(int function, int reason, char *file, int line);
+#define NURONerr(f,r) ERR_NURON_error((f),(r),__FILE__,__LINE__)
+
+/* Error codes for the NURON functions. */
+
+/* Function codes. */
+#define NURON_F_NURON_CTRL                               100
+#define NURON_F_NURON_FINISH                             101
+#define NURON_F_NURON_INIT                               102
+#define NURON_F_NURON_MOD_EXP                            103
+
+/* Reason codes. */
+#define NURON_R_ALREADY_LOADED                           100
+#define NURON_R_CTRL_COMMAND_NOT_IMPLEMENTED             101
+#define NURON_R_DSO_FAILURE                              102
+#define NURON_R_DSO_FUNCTION_NOT_FOUND                   103
+#define NURON_R_DSO_NOT_FOUND                            104
+#define NURON_R_NOT_LOADED                               105
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libssl/src/crypto/engine/hw_sureware_err.c b/src/lib/libssl/src/crypto/engine/hw_sureware_err.c
new file mode 100644
index 0000000000..69955dadbb
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/hw_sureware_err.c
@@ -0,0 +1,150 @@
+/* hw_sureware_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "hw_sureware_err.h"
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA SUREWARE_str_functs[]=
+        {
+{ERR_PACK(0,SUREWARE_F_SUREWAREHK_CTRL,0),      "SUREWAREHK_CTRL"},
+{ERR_PACK(0,SUREWARE_F_SUREWAREHK_DSA_DO_SIGN,0),       "SUREWAREHK_DSA_DO_SIGN"},
+{ERR_PACK(0,SUREWARE_F_SUREWAREHK_EX_FREE,0),   "SUREWAREHK_EX_FREE"},
+{ERR_PACK(0,SUREWARE_F_SUREWAREHK_FINISH,0),    "SUREWAREHK_FINISH"},
+{ERR_PACK(0,SUREWARE_F_SUREWAREHK_INIT,0),      "SUREWAREHK_INIT"},
+{ERR_PACK(0,SUREWARE_F_SUREWAREHK_LOAD_PRIVATE_KEY,0),  "SUREWAREHK_LOAD_PRIVATE_KEY"},
+{ERR_PACK(0,SUREWARE_F_SUREWAREHK_LOAD_PUBLIC_KEY,0),   "SUREWAREHK_LOAD_PUBLIC_KEY"},
+{ERR_PACK(0,SUREWARE_F_SUREWAREHK_MOD_EXP,0),   "SUREWAREHK_MOD_EXP"},
+{ERR_PACK(0,SUREWARE_F_SUREWAREHK_RAND_BYTES,0),        "SUREWAREHK_RAND_BYTES"},
+{ERR_PACK(0,SUREWARE_F_SUREWAREHK_RAND_SEED,0), "SUREWAREHK_RAND_SEED"},
+{ERR_PACK(0,SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,0),      "SUREWAREHK_RSA_PRIV_DEC"},
+{ERR_PACK(0,SUREWARE_F_SUREWAREHK_RSA_PRIV_ENC,0),      "SUREWAREHK_RSA_PRIV_ENC"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA SUREWARE_str_reasons[]=
+        {
+{SUREWARE_R_BIO_WAS_FREED                ,"bio was freed"},
+{SUREWARE_R_MISSING_KEY_COMPONENTS       ,"missing key components"},
+{SUREWARE_R_REQUEST_FAILED               ,"request failed"},
+{SUREWARE_R_REQUEST_FALLBACK             ,"request fallback"},
+{SUREWARE_R_SIZE_TOO_LARGE_OR_TOO_SMALL  ,"size too large or too small"},
+{SUREWARE_R_UNIT_FAILURE                 ,"unit failure"},
+{0,NULL}
+        };
+
+#endif
+
+#ifdef SUREWARE_LIB_NAME
+static ERR_STRING_DATA SUREWARE_lib_name[]=
+        {
+{0      ,SUREWARE_LIB_NAME},
+{0,NULL}
+        };
+#endif
+
+
+static int SUREWARE_lib_error_code=0;
+static int SUREWARE_error_init=1;
+
+static void ERR_load_SUREWARE_strings(void)
+        {
+        if (SUREWARE_lib_error_code == 0)
+                SUREWARE_lib_error_code=ERR_get_next_error_library();
+
+        if (SUREWARE_error_init)
+                {
+                SUREWARE_error_init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(SUREWARE_lib_error_code,SUREWARE_str_functs);
+                ERR_load_strings(SUREWARE_lib_error_code,SUREWARE_str_reasons);
+#endif
+
+#ifdef SUREWARE_LIB_NAME
+                SUREWARE_lib_name->error = ERR_PACK(SUREWARE_lib_error_code,0,0);
+                ERR_load_strings(0,SUREWARE_lib_name);
+#endif
+                }
+        }
+
+static void ERR_unload_SUREWARE_strings(void)
+        {
+        if (SUREWARE_error_init == 0)
+                {
+#ifndef OPENSSL_NO_ERR
+                ERR_unload_strings(SUREWARE_lib_error_code,SUREWARE_str_functs);
+                ERR_unload_strings(SUREWARE_lib_error_code,SUREWARE_str_reasons);
+#endif
+
+#ifdef SUREWARE_LIB_NAME
+                ERR_unload_strings(0,SUREWARE_lib_name);
+#endif
+                SUREWARE_error_init=1;
+                }
+        }
+
+static void ERR_SUREWARE_error(int function, int reason, char *file, int line)
+        {
+        if (SUREWARE_lib_error_code == 0)
+                SUREWARE_lib_error_code=ERR_get_next_error_library();
+        ERR_PUT_error(SUREWARE_lib_error_code,function,reason,file,line);
+        }
diff --git a/src/lib/libssl/src/crypto/engine/hw_sureware_err.h b/src/lib/libssl/src/crypto/engine/hw_sureware_err.h
new file mode 100644
index 0000000000..bc52af5e05
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/hw_sureware_err.h
@@ -0,0 +1,94 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_SUREWARE_ERR_H
+#define HEADER_SUREWARE_ERR_H
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+static void ERR_load_SUREWARE_strings(void);
+static void ERR_unload_SUREWARE_strings(void);
+static void ERR_SUREWARE_error(int function, int reason, char *file, int line);
+#define SUREWAREerr(f,r) ERR_SUREWARE_error((f),(r),__FILE__,__LINE__)
+
+/* Error codes for the SUREWARE functions. */
+
+/* Function codes. */
+#define SUREWARE_F_SUREWAREHK_CTRL                       100
+#define SUREWARE_F_SUREWAREHK_DSA_DO_SIGN                101
+#define SUREWARE_F_SUREWAREHK_EX_FREE                    102
+#define SUREWARE_F_SUREWAREHK_FINISH                     103
+#define SUREWARE_F_SUREWAREHK_INIT                       104
+#define SUREWARE_F_SUREWAREHK_LOAD_PRIVATE_KEY           105
+#define SUREWARE_F_SUREWAREHK_LOAD_PUBLIC_KEY            106
+#define SUREWARE_F_SUREWAREHK_MOD_EXP                    107
+#define SUREWARE_F_SUREWAREHK_RAND_BYTES                 108
+#define SUREWARE_F_SUREWAREHK_RAND_SEED                  109
+#define SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC               110
+#define SUREWARE_F_SUREWAREHK_RSA_PRIV_ENC               111
+
+/* Reason codes. */
+#define SUREWARE_R_BIO_WAS_FREED                         100
+#define SUREWARE_R_MISSING_KEY_COMPONENTS                105
+#define SUREWARE_R_REQUEST_FAILED                        101
+#define SUREWARE_R_REQUEST_FALLBACK                      102
+#define SUREWARE_R_SIZE_TOO_LARGE_OR_TOO_SMALL           103
+#define SUREWARE_R_UNIT_FAILURE                          104
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libssl/src/crypto/engine/hw_ubsec.c b/src/lib/libssl/src/crypto/engine/hw_ubsec.c
new file mode 100644
index 0000000000..743c06043c
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/hw_ubsec.c
@@ -0,0 +1,1041 @@
+/* crypto/engine/hw_ubsec.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ *
+ * Cloned shamelessly by Joe Tardo. 
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/dso.h>
+#include <openssl/engine.h>
+
+#ifndef OPENSSL_NO_HW
+#ifndef OPENSSL_NO_HW_UBSEC
+
+#ifdef FLAT_INC
+#include "hw_ubsec.h"
+#else
+#include "vendor_defns/hw_ubsec.h"
+#endif
+
+#define UBSEC_LIB_NAME "ubsec engine"
+#include "hw_ubsec_err.c"
+
+#define FAIL_TO_SOFTWARE -15
+
+static int ubsec_destroy(ENGINE *e);
+static int ubsec_init(ENGINE *e);
+static int ubsec_finish(ENGINE *e);
+static int ubsec_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)());
+static int ubsec_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *m, BN_CTX *ctx);
+static int ubsec_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+                        const BIGNUM *q, const BIGNUM *dp,
+                        const BIGNUM *dq, const BIGNUM *qinv, BN_CTX *ctx);
+#ifndef OPENSSL_NO_RSA
+static int ubsec_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa);
+#endif
+static int ubsec_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+#ifndef OPENSSL_NO_DSA
+#if NOT_USED
+static int ubsec_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+                BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
+                BN_CTX *ctx, BN_MONT_CTX *in_mont);
+static int ubsec_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
+                const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+                BN_MONT_CTX *m_ctx);
+#endif
+static DSA_SIG *ubsec_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
+static int ubsec_dsa_verify(const unsigned char *dgst, int dgst_len,
+                                DSA_SIG *sig, DSA *dsa);
+#endif
+#ifndef OPENSSL_NO_DH
+static int ubsec_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
+                const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+                BN_MONT_CTX *m_ctx);
+static int ubsec_dh_compute_key(unsigned char *key,const BIGNUM *pub_key,DH *dh);
+static int ubsec_dh_generate_key(DH *dh);
+#endif
+
+#if NOT_USED
+static int ubsec_rand_bytes(unsigned char *buf, int num);
+static int ubsec_rand_status(void);
+#endif
+
+#define UBSEC_CMD_SO_PATH               ENGINE_CMD_BASE
+static const ENGINE_CMD_DEFN ubsec_cmd_defns[] = {
+        {UBSEC_CMD_SO_PATH,
+                "SO_PATH",
+                "Specifies the path to the 'ubsec' shared library",
+                ENGINE_CMD_FLAG_STRING},
+        {0, NULL, NULL, 0}
+        };
+
+#ifndef OPENSSL_NO_RSA
+/* Our internal RSA_METHOD that we provide pointers to */
+static RSA_METHOD ubsec_rsa =
+        {
+        "UBSEC RSA method",
+        NULL,
+        NULL,
+        NULL,
+        NULL,
+        ubsec_rsa_mod_exp,
+        ubsec_mod_exp_mont,
+        NULL,
+        NULL,
+        0,
+        NULL,
+        NULL,
+        NULL
+        };
+#endif
+
+#ifndef OPENSSL_NO_DSA
+/* Our internal DSA_METHOD that we provide pointers to */
+static DSA_METHOD ubsec_dsa =
+        {
+        "UBSEC DSA method",
+        ubsec_dsa_do_sign, /* dsa_do_sign */
+        NULL, /* dsa_sign_setup */
+        ubsec_dsa_verify, /* dsa_do_verify */
+        NULL, /* ubsec_dsa_mod_exp */ /* dsa_mod_exp */
+        NULL, /* ubsec_mod_exp_dsa */ /* bn_mod_exp */
+        NULL, /* init */
+        NULL, /* finish */
+        0, /* flags */
+        NULL /* app_data */
+        };
+#endif
+
+#ifndef OPENSSL_NO_DH
+/* Our internal DH_METHOD that we provide pointers to */
+static DH_METHOD ubsec_dh =
+        {
+        "UBSEC DH method",
+        ubsec_dh_generate_key,
+        ubsec_dh_compute_key,
+        ubsec_mod_exp_dh,
+        NULL,
+        NULL,
+        0,
+        NULL
+        };
+#endif
+
+/* Constants used when creating the ENGINE */
+static const char *engine_ubsec_id = "ubsec";
+static const char *engine_ubsec_name = "UBSEC hardware engine support";
+
+/* This internal function is used by ENGINE_ubsec() and possibly by the
+ * "dynamic" ENGINE support too */
+static int bind_helper(ENGINE *e)
+        {
+#ifndef OPENSSL_NO_RSA
+        const RSA_METHOD *meth1;
+#endif
+#ifndef OPENSSL_NO_DH
+#ifndef HAVE_UBSEC_DH
+        const DH_METHOD *meth3;
+#endif /* HAVE_UBSEC_DH */
+#endif
+        if(!ENGINE_set_id(e, engine_ubsec_id) ||
+                        !ENGINE_set_name(e, engine_ubsec_name) ||
+#ifndef OPENSSL_NO_RSA
+                        !ENGINE_set_RSA(e, &ubsec_rsa) ||
+#endif
+#ifndef OPENSSL_NO_DSA
+                        !ENGINE_set_DSA(e, &ubsec_dsa) ||
+#endif
+#ifndef OPENSSL_NO_DH
+                        !ENGINE_set_DH(e, &ubsec_dh) ||
+#endif
+                        !ENGINE_set_destroy_function(e, ubsec_destroy) ||
+                        !ENGINE_set_init_function(e, ubsec_init) ||
+                        !ENGINE_set_finish_function(e, ubsec_finish) ||
+                        !ENGINE_set_ctrl_function(e, ubsec_ctrl) ||
+                        !ENGINE_set_cmd_defns(e, ubsec_cmd_defns))
+                return 0;
+
+#ifndef OPENSSL_NO_RSA
+        /* We know that the "PKCS1_SSLeay()" functions hook properly
+         * to the Broadcom-specific mod_exp and mod_exp_crt so we use
+         * those functions. NB: We don't use ENGINE_openssl() or
+         * anything "more generic" because something like the RSAref
+         * code may not hook properly, and if you own one of these
+         * cards then you have the right to do RSA operations on it
+         * anyway! */ 
+        meth1 = RSA_PKCS1_SSLeay();
+        ubsec_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
+        ubsec_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
+        ubsec_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
+        ubsec_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
+#endif
+
+#ifndef OPENSSL_NO_DH
+#ifndef HAVE_UBSEC_DH
+        /* Much the same for Diffie-Hellman */
+        meth3 = DH_OpenSSL();
+        ubsec_dh.generate_key = meth3->generate_key;
+        ubsec_dh.compute_key = meth3->compute_key;
+#endif /* HAVE_UBSEC_DH */
+#endif
+
+        /* Ensure the ubsec error handling is set up */
+        ERR_load_UBSEC_strings();
+        return 1;
+        }
+
+static ENGINE *engine_ubsec(void)
+        {
+        ENGINE *ret = ENGINE_new();
+        if(!ret)
+                return NULL;
+        if(!bind_helper(ret))
+                {
+                ENGINE_free(ret);
+                return NULL;
+                }
+        return ret;
+        }
+
+void ENGINE_load_ubsec(void)
+        {
+        /* Copied from eng_[openssl|dyn].c */
+        ENGINE *toadd = engine_ubsec();
+        if(!toadd) return;
+        ENGINE_add(toadd);
+        ENGINE_free(toadd);
+        ERR_clear_error();
+        }
+
+/* This is a process-global DSO handle used for loading and unloading
+ * the UBSEC library. NB: This is only set (or unset) during an
+ * init() or finish() call (reference counts permitting) and they're
+ * operating with global locks, so this should be thread-safe
+ * implicitly. */
+
+static DSO *ubsec_dso = NULL;
+
+/* These are the function pointers that are (un)set when the library has
+ * successfully (un)loaded. */
+
+static t_UBSEC_ubsec_bytes_to_bits *p_UBSEC_ubsec_bytes_to_bits = NULL;
+static t_UBSEC_ubsec_bits_to_bytes *p_UBSEC_ubsec_bits_to_bytes = NULL;
+static t_UBSEC_ubsec_open *p_UBSEC_ubsec_open = NULL;
+static t_UBSEC_ubsec_close *p_UBSEC_ubsec_close = NULL;
+#ifndef OPENSSL_NO_DH
+static t_UBSEC_diffie_hellman_generate_ioctl 
+        *p_UBSEC_diffie_hellman_generate_ioctl = NULL;
+static t_UBSEC_diffie_hellman_agree_ioctl *p_UBSEC_diffie_hellman_agree_ioctl = NULL;
+#endif
+/* #ifndef OPENSSL_NO_RSA */
+static t_UBSEC_rsa_mod_exp_ioctl *p_UBSEC_rsa_mod_exp_ioctl = NULL;
+static t_UBSEC_rsa_mod_exp_crt_ioctl *p_UBSEC_rsa_mod_exp_crt_ioctl = NULL;
+/* #endif */
+#ifndef OPENSSL_NO_DSA
+static t_UBSEC_dsa_sign_ioctl *p_UBSEC_dsa_sign_ioctl = NULL;
+static t_UBSEC_dsa_verify_ioctl *p_UBSEC_dsa_verify_ioctl = NULL;
+#endif
+static t_UBSEC_math_accelerate_ioctl *p_UBSEC_math_accelerate_ioctl = NULL;
+static t_UBSEC_rng_ioctl *p_UBSEC_rng_ioctl = NULL;
+static t_UBSEC_max_key_len_ioctl *p_UBSEC_max_key_len_ioctl = NULL;
+
+static int max_key_len = 1024;  /* ??? */
+
+/* 
+ * These are the static string constants for the DSO file name and the function
+ * symbol names to bind to. 
+ */
+
+static const char *UBSEC_LIBNAME = "ubsec";
+static const char *UBSEC_F1 = "ubsec_bytes_to_bits";
+static const char *UBSEC_F2 = "ubsec_bits_to_bytes";
+static const char *UBSEC_F3 = "ubsec_open";
+static const char *UBSEC_F4 = "ubsec_close";
+#ifndef OPENSSL_NO_DH
+static const char *UBSEC_F5 = "diffie_hellman_generate_ioctl";
+static const char *UBSEC_F6 = "diffie_hellman_agree_ioctl";
+#endif
+/* #ifndef OPENSSL_NO_RSA */
+static const char *UBSEC_F7 = "rsa_mod_exp_ioctl";
+static const char *UBSEC_F8 = "rsa_mod_exp_crt_ioctl";
+/* #endif */
+#ifndef OPENSSL_NO_DSA
+static const char *UBSEC_F9 = "dsa_sign_ioctl";
+static const char *UBSEC_F10 = "dsa_verify_ioctl";
+#endif
+static const char *UBSEC_F11 = "math_accelerate_ioctl";
+static const char *UBSEC_F12 = "rng_ioctl";
+static const char *UBSEC_F13 = "ubsec_max_key_len_ioctl";
+
+/* Destructor (complements the "ENGINE_ubsec()" constructor) */
+static int ubsec_destroy(ENGINE *e)
+        {
+        ERR_unload_UBSEC_strings();
+        return 1;
+        }
+
+/* (de)initialisation functions. */
+static int ubsec_init(ENGINE *e)
+        {
+        t_UBSEC_ubsec_bytes_to_bits *p1;
+        t_UBSEC_ubsec_bits_to_bytes *p2;
+        t_UBSEC_ubsec_open *p3;
+        t_UBSEC_ubsec_close *p4;
+#ifndef OPENSSL_NO_DH
+        t_UBSEC_diffie_hellman_generate_ioctl *p5;
+        t_UBSEC_diffie_hellman_agree_ioctl *p6;
+#endif
+/* #ifndef OPENSSL_NO_RSA */
+        t_UBSEC_rsa_mod_exp_ioctl *p7;
+        t_UBSEC_rsa_mod_exp_crt_ioctl *p8;
+/* #endif */
+#ifndef OPENSSL_NO_DSA
+        t_UBSEC_dsa_sign_ioctl *p9;
+        t_UBSEC_dsa_verify_ioctl *p10;
+#endif
+        t_UBSEC_math_accelerate_ioctl *p11;
+        t_UBSEC_rng_ioctl *p12;
+        t_UBSEC_max_key_len_ioctl *p13;
+        int fd = 0;
+
+        if(ubsec_dso != NULL)
+                {
+                UBSECerr(UBSEC_F_UBSEC_INIT, UBSEC_R_ALREADY_LOADED);
+                goto err;
+                }
+        /* 
+         * Attempt to load libubsec.so/ubsec.dll/whatever. 
+         */
+        ubsec_dso = DSO_load(NULL, UBSEC_LIBNAME, NULL, 0);
+        if(ubsec_dso == NULL)
+                {
+                UBSECerr(UBSEC_F_UBSEC_INIT, UBSEC_R_DSO_FAILURE);
+                goto err;
+                }
+
+        if (
+        !(p1 = (t_UBSEC_ubsec_bytes_to_bits *) DSO_bind_func(ubsec_dso, UBSEC_F1)) ||
+        !(p2 = (t_UBSEC_ubsec_bits_to_bytes *) DSO_bind_func(ubsec_dso, UBSEC_F2)) ||
+        !(p3 = (t_UBSEC_ubsec_open *) DSO_bind_func(ubsec_dso, UBSEC_F3)) ||
+        !(p4 = (t_UBSEC_ubsec_close *) DSO_bind_func(ubsec_dso, UBSEC_F4)) ||
+#ifndef OPENSSL_NO_DH
+        !(p5 = (t_UBSEC_diffie_hellman_generate_ioctl *) 
+                                DSO_bind_func(ubsec_dso, UBSEC_F5)) ||
+        !(p6 = (t_UBSEC_diffie_hellman_agree_ioctl *) 
+                                DSO_bind_func(ubsec_dso, UBSEC_F6)) ||
+#endif
+/* #ifndef OPENSSL_NO_RSA */
+        !(p7 = (t_UBSEC_rsa_mod_exp_ioctl *) DSO_bind_func(ubsec_dso, UBSEC_F7)) ||
+        !(p8 = (t_UBSEC_rsa_mod_exp_crt_ioctl *) DSO_bind_func(ubsec_dso, UBSEC_F8)) ||
+/* #endif */
+#ifndef OPENSSL_NO_DSA
+        !(p9 = (t_UBSEC_dsa_sign_ioctl *) DSO_bind_func(ubsec_dso, UBSEC_F9)) ||
+        !(p10 = (t_UBSEC_dsa_verify_ioctl *) DSO_bind_func(ubsec_dso, UBSEC_F10)) ||
+#endif
+        !(p11 = (t_UBSEC_math_accelerate_ioctl *) 
+                                DSO_bind_func(ubsec_dso, UBSEC_F11)) ||
+        !(p12 = (t_UBSEC_rng_ioctl *) DSO_bind_func(ubsec_dso, UBSEC_F12)) ||
+        !(p13 = (t_UBSEC_max_key_len_ioctl *) DSO_bind_func(ubsec_dso, UBSEC_F13)))
+                {
+                UBSECerr(UBSEC_F_UBSEC_INIT, UBSEC_R_DSO_FAILURE);
+                goto err;
+                }
+
+        /* Copy the pointers */
+        p_UBSEC_ubsec_bytes_to_bits = p1;
+        p_UBSEC_ubsec_bits_to_bytes = p2;
+        p_UBSEC_ubsec_open = p3;
+        p_UBSEC_ubsec_close = p4;
+#ifndef OPENSSL_NO_DH
+        p_UBSEC_diffie_hellman_generate_ioctl = p5;
+        p_UBSEC_diffie_hellman_agree_ioctl = p6;
+#endif
+#ifndef OPENSSL_NO_RSA
+        p_UBSEC_rsa_mod_exp_ioctl = p7;
+        p_UBSEC_rsa_mod_exp_crt_ioctl = p8;
+#endif
+#ifndef OPENSSL_NO_DSA
+        p_UBSEC_dsa_sign_ioctl = p9;
+        p_UBSEC_dsa_verify_ioctl = p10;
+#endif
+        p_UBSEC_math_accelerate_ioctl = p11;
+        p_UBSEC_rng_ioctl = p12;
+        p_UBSEC_max_key_len_ioctl = p13;
+
+        /* Perform an open to see if there's actually any unit running. */
+        if (((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) > 0) && (p_UBSEC_max_key_len_ioctl(fd, &max_key_len) == 0))
+        {
+           p_UBSEC_ubsec_close(fd);
+           return 1;
+        }
+        else
+        {
+          UBSECerr(UBSEC_F_UBSEC_INIT, UBSEC_R_UNIT_FAILURE);
+        }
+
+err:
+        if(ubsec_dso)
+                DSO_free(ubsec_dso);
+        p_UBSEC_ubsec_bytes_to_bits = NULL;
+        p_UBSEC_ubsec_bits_to_bytes = NULL;
+        p_UBSEC_ubsec_open = NULL;
+        p_UBSEC_ubsec_close = NULL;
+#ifndef OPENSSL_NO_DH
+        p_UBSEC_diffie_hellman_generate_ioctl = NULL;
+        p_UBSEC_diffie_hellman_agree_ioctl = NULL;
+#endif
+#ifndef OPENSSL_NO_RSA
+        p_UBSEC_rsa_mod_exp_ioctl = NULL;
+        p_UBSEC_rsa_mod_exp_crt_ioctl = NULL;
+#endif
+#ifndef OPENSSL_NO_DSA
+        p_UBSEC_dsa_sign_ioctl = NULL;
+        p_UBSEC_dsa_verify_ioctl = NULL;
+#endif
+        p_UBSEC_math_accelerate_ioctl = NULL;
+        p_UBSEC_rng_ioctl = NULL;
+        p_UBSEC_max_key_len_ioctl = NULL;
+
+        return 0;
+        }
+
+static int ubsec_finish(ENGINE *e)
+        {
+        if(ubsec_dso == NULL)
+                {
+                UBSECerr(UBSEC_F_UBSEC_FINISH, UBSEC_R_NOT_LOADED);
+                return 0;
+                }
+        if(!DSO_free(ubsec_dso))
+                {
+                UBSECerr(UBSEC_F_UBSEC_FINISH, UBSEC_R_DSO_FAILURE);
+                return 0;
+                }
+        ubsec_dso = NULL;
+        p_UBSEC_ubsec_bytes_to_bits = NULL;
+        p_UBSEC_ubsec_bits_to_bytes = NULL;
+        p_UBSEC_ubsec_open = NULL;
+        p_UBSEC_ubsec_close = NULL;
+#ifndef OPENSSL_NO_DH
+        p_UBSEC_diffie_hellman_generate_ioctl = NULL;
+        p_UBSEC_diffie_hellman_agree_ioctl = NULL;
+#endif
+#ifndef OPENSSL_NO_RSA
+        p_UBSEC_rsa_mod_exp_ioctl = NULL;
+        p_UBSEC_rsa_mod_exp_crt_ioctl = NULL;
+#endif
+#ifndef OPENSSL_NO_DSA
+        p_UBSEC_dsa_sign_ioctl = NULL;
+        p_UBSEC_dsa_verify_ioctl = NULL;
+#endif
+        p_UBSEC_math_accelerate_ioctl = NULL;
+        p_UBSEC_rng_ioctl = NULL;
+        p_UBSEC_max_key_len_ioctl = NULL;
+        return 1;
+        }
+
+static int ubsec_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
+        {
+        int initialised = ((ubsec_dso == NULL) ? 0 : 1);
+        switch(cmd)
+                {
+        case UBSEC_CMD_SO_PATH:
+                if(p == NULL)
+                        {
+                        UBSECerr(UBSEC_F_UBSEC_CTRL,ERR_R_PASSED_NULL_PARAMETER);
+                        return 0;
+                        }
+                if(initialised)
+                        {
+                        UBSECerr(UBSEC_F_UBSEC_CTRL,UBSEC_R_ALREADY_LOADED);
+                        return 0;
+                        }
+                UBSEC_LIBNAME = (const char *)p;
+                return 1;
+        default:
+                break;
+                }
+        UBSECerr(UBSEC_F_UBSEC_CTRL,UBSEC_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+        return 0;
+        }
+
+static int ubsec_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *m, BN_CTX *ctx)
+        {
+        int     y_len = 0;
+        int     fd;
+
+        if(ubsec_dso == NULL)
+        {
+                UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_NOT_LOADED);
+                return 0;
+        }
+
+        /* Check if hardware can't handle this argument. */
+        y_len = BN_num_bits(m);
+        if (y_len > max_key_len) {
+                UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+                return BN_mod_exp(r, a, p, m, ctx);
+        } 
+
+        if(!bn_wexpand(r, m->top))
+        {
+                UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_BN_EXPAND_FAIL);
+                return 0;
+        }
+        memset(r->d, 0, BN_num_bytes(m));
+
+        if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0) {
+                fd = 0;
+                UBSECerr(UBSEC_F_UBSEC_INIT, UBSEC_R_UNIT_FAILURE);
+                return BN_mod_exp(r, a, p, m, ctx);
+        }
+
+        if (p_UBSEC_rsa_mod_exp_ioctl(fd, (unsigned char *)a->d, BN_num_bits(a),
+                (unsigned char *)m->d, BN_num_bits(m), (unsigned char *)p->d, 
+                BN_num_bits(p), (unsigned char *)r->d, &y_len) != 0)
+        {
+                UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_REQUEST_FAILED);
+                p_UBSEC_ubsec_close(fd);
+
+                return BN_mod_exp(r, a, p, m, ctx);
+        }
+
+        p_UBSEC_ubsec_close(fd);
+
+        r->top = (BN_num_bits(m)+BN_BITS2-1)/BN_BITS2;
+        return 1;
+        }
+
+#ifndef OPENSSL_NO_RSA
+static int ubsec_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
+        {
+        BN_CTX *ctx;
+        int to_return = 0;
+
+        if((ctx = BN_CTX_new()) == NULL)
+                goto err;
+
+        if(!rsa->p || !rsa->q || !rsa->dmp1 || !rsa->dmq1 || !rsa->iqmp)
+                {
+                UBSECerr(UBSEC_F_UBSEC_RSA_MOD_EXP, UBSEC_R_MISSING_KEY_COMPONENTS);
+                goto err;
+                }
+
+        to_return = ubsec_mod_exp_crt(r0, I, rsa->p, rsa->q, rsa->dmp1,
+                    rsa->dmq1, rsa->iqmp, ctx);
+        if (to_return == FAIL_TO_SOFTWARE)
+        {
+          /*
+           * Do in software as hardware failed.
+           */
+           const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+           to_return = (*meth->rsa_mod_exp)(r0, I, rsa);
+        }
+err:
+        if(ctx)
+                BN_CTX_free(ctx);
+        return to_return;
+        }
+#endif
+
+static int ubsec_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+                        const BIGNUM *q, const BIGNUM *dp,
+                        const BIGNUM *dq, const BIGNUM *qinv, BN_CTX *ctx)
+        {
+        int     y_len,
+                m_len,
+                fd;
+
+        m_len = BN_num_bytes(p) + BN_num_bytes(q) + 1;
+        y_len = BN_num_bits(p) + BN_num_bits(q);
+
+        /* Check if hardware can't handle this argument. */
+        if (y_len > max_key_len) {
+                UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+                return FAIL_TO_SOFTWARE;
+        } 
+
+        if (!bn_wexpand(r, p->top + q->top + 1)) {
+                UBSECerr(UBSEC_F_UBSEC_RSA_MOD_EXP_CRT, UBSEC_R_BN_EXPAND_FAIL);
+                return 0;
+        }
+
+        if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0) {
+                fd = 0;
+                UBSECerr(UBSEC_F_UBSEC_INIT, UBSEC_R_UNIT_FAILURE);
+                return FAIL_TO_SOFTWARE;
+        }
+
+        if (p_UBSEC_rsa_mod_exp_crt_ioctl(fd,
+                (unsigned char *)a->d, BN_num_bits(a), 
+                (unsigned char *)qinv->d, BN_num_bits(qinv),
+                (unsigned char *)dp->d, BN_num_bits(dp),
+                (unsigned char *)p->d, BN_num_bits(p),
+                (unsigned char *)dq->d, BN_num_bits(dq),
+                (unsigned char *)q->d, BN_num_bits(q),
+                (unsigned char *)r->d,  &y_len) != 0) {
+                UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_REQUEST_FAILED);
+                p_UBSEC_ubsec_close(fd);
+                return FAIL_TO_SOFTWARE;
+        }
+
+        p_UBSEC_ubsec_close(fd);
+
+        r->top = (BN_num_bits(p) + BN_num_bits(q) + BN_BITS2 - 1)/BN_BITS2;
+        return 1;
+}
+
+#ifndef OPENSSL_NO_DSA
+#if NOT_USED
+static int ubsec_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+                BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
+                BN_CTX *ctx, BN_MONT_CTX *in_mont)
+        {
+        BIGNUM t;
+        int to_return = 0;
+ 
+        BN_init(&t);
+        /* let rr = a1 ^ p1 mod m */
+        if (!ubsec_mod_exp(rr,a1,p1,m,ctx)) goto end;
+        /* let t = a2 ^ p2 mod m */
+        if (!ubsec_mod_exp(&t,a2,p2,m,ctx)) goto end;
+        /* let rr = rr * t mod m */
+        if (!BN_mod_mul(rr,rr,&t,m,ctx)) goto end;
+        to_return = 1;
+end:
+        BN_free(&t);
+        return to_return;
+        }
+
+static int ubsec_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
+                const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+                BN_MONT_CTX *m_ctx)
+        {
+        return ubsec_mod_exp(r, a, p, m, ctx);
+        }
+#endif
+#endif
+
+/*
+ * This function is aliased to mod_exp (with the mont stuff dropped).
+ */
+static int ubsec_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+        {
+        int ret = 0;
+
+#ifndef OPENSSL_NO_RSA
+        /* Do in software if the key is too large for the hardware. */
+        if (BN_num_bits(m) > max_key_len)
+                {
+                const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+                ret = (*meth->bn_mod_exp)(r, a, p, m, ctx, m_ctx);
+                }
+        else
+#endif
+                {
+                ret = ubsec_mod_exp(r, a, p, m, ctx);
+                }
+        
+        return ret;
+        }
+
+#ifndef OPENSSL_NO_DH
+/* This function is aliased to mod_exp (with the dh and mont dropped). */
+static int ubsec_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
+                const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+                BN_MONT_CTX *m_ctx)
+        {
+        return ubsec_mod_exp(r, a, p, m, ctx);
+        }
+#endif
+
+#ifndef OPENSSL_NO_DSA
+static DSA_SIG *ubsec_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
+        {
+        DSA_SIG *to_return = NULL;
+        int s_len = 160, r_len = 160, d_len, fd;
+        BIGNUM m, *r=NULL, *s=NULL;
+
+        BN_init(&m);
+
+        s = BN_new();
+        r = BN_new();
+        if ((s == NULL) || (r==NULL))
+                goto err;
+
+        d_len = p_UBSEC_ubsec_bytes_to_bits((unsigned char *)dgst, dlen);
+
+        if(!bn_wexpand(r, (160+BN_BITS2-1)/BN_BITS2) ||
+           (!bn_wexpand(s, (160+BN_BITS2-1)/BN_BITS2))) {
+                UBSECerr(UBSEC_F_UBSEC_DSA_SIGN, UBSEC_R_BN_EXPAND_FAIL);
+                goto err;
+        }
+
+        if (BN_bin2bn(dgst,dlen,&m) == NULL) {
+                UBSECerr(UBSEC_F_UBSEC_DSA_SIGN, UBSEC_R_BN_EXPAND_FAIL);
+                goto err;
+        } 
+
+        if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0) {
+                const DSA_METHOD *meth;
+                fd = 0;
+                UBSECerr(UBSEC_F_UBSEC_INIT, UBSEC_R_UNIT_FAILURE);
+                meth = DSA_OpenSSL();
+                to_return =  meth->dsa_do_sign(dgst, dlen, dsa);
+                goto err;
+        }
+
+        if (p_UBSEC_dsa_sign_ioctl(fd, 0, /* compute hash before signing */
+                (unsigned char *)dgst, d_len,
+                NULL, 0,  /* compute random value */
+                (unsigned char *)dsa->p->d, BN_num_bits(dsa->p), 
+                (unsigned char *)dsa->q->d, BN_num_bits(dsa->q),
+                (unsigned char *)dsa->g->d, BN_num_bits(dsa->g),
+                (unsigned char *)dsa->priv_key->d, BN_num_bits(dsa->priv_key),
+                (unsigned char *)r->d, &r_len,
+                (unsigned char *)s->d, &s_len ) != 0) {
+                const DSA_METHOD *meth;
+
+                UBSECerr(UBSEC_F_UBSEC_DSA_SIGN, UBSEC_R_REQUEST_FAILED);
+                p_UBSEC_ubsec_close(fd);
+                meth = DSA_OpenSSL();
+                to_return = meth->dsa_do_sign(dgst, dlen, dsa);
+
+                goto err;
+        }
+
+        p_UBSEC_ubsec_close(fd);
+
+        r->top = (160+BN_BITS2-1)/BN_BITS2;
+        s->top = (160+BN_BITS2-1)/BN_BITS2;
+
+        to_return = DSA_SIG_new();
+        if(to_return == NULL) {
+                UBSECerr(UBSEC_F_UBSEC_DSA_SIGN, UBSEC_R_BN_EXPAND_FAIL);
+                goto err;
+        }
+
+        to_return->r = r;
+        to_return->s = s;
+
+err:
+        if (!to_return) {
+                if (r) BN_free(r);
+                if (s) BN_free(s);
+        }                                 
+        BN_clear_free(&m);
+        return to_return;
+}
+
+static int ubsec_dsa_verify(const unsigned char *dgst, int dgst_len,
+                                DSA_SIG *sig, DSA *dsa)
+        {
+        int v_len, d_len;
+        int to_return = 0;
+        int fd;
+        BIGNUM v;
+
+        BN_init(&v);
+
+        if(!bn_wexpand(&v, dsa->p->top)) {
+                UBSECerr(UBSEC_F_UBSEC_DSA_VERIFY ,UBSEC_R_BN_EXPAND_FAIL);
+                goto err;
+        }
+
+        v_len = BN_num_bits(dsa->p);
+
+        d_len = p_UBSEC_ubsec_bytes_to_bits((unsigned char *)dgst, dgst_len);
+
+        if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0) {
+                const DSA_METHOD *meth;
+                fd = 0;
+                UBSECerr(UBSEC_F_UBSEC_INIT, UBSEC_R_UNIT_FAILURE);
+                meth = DSA_OpenSSL();
+                to_return = meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
+                goto err;
+        }
+
+        if (p_UBSEC_dsa_verify_ioctl(fd, 0, /* compute hash before signing */
+                (unsigned char *)dgst, d_len,
+                (unsigned char *)dsa->p->d, BN_num_bits(dsa->p), 
+                (unsigned char *)dsa->q->d, BN_num_bits(dsa->q),
+                (unsigned char *)dsa->g->d, BN_num_bits(dsa->g),
+                (unsigned char *)dsa->pub_key->d, BN_num_bits(dsa->pub_key),
+                (unsigned char *)sig->r->d, BN_num_bits(sig->r),
+                (unsigned char *)sig->s->d, BN_num_bits(sig->s),
+                (unsigned char *)v.d, &v_len) != 0) {
+                const DSA_METHOD *meth;
+                UBSECerr(UBSEC_F_UBSEC_DSA_VERIFY , UBSEC_R_REQUEST_FAILED);
+                p_UBSEC_ubsec_close(fd);
+
+                meth = DSA_OpenSSL();
+                to_return = meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
+
+                goto err;
+        }
+
+        p_UBSEC_ubsec_close(fd);
+
+        to_return = 1;
+err:
+        BN_clear_free(&v);
+        return to_return;
+        }
+#endif
+
+#ifndef OPENSSL_NO_DH
+static int ubsec_dh_compute_key (unsigned char *key,const BIGNUM *pub_key,DH *dh)
+        {
+        int      ret      = -1,
+                 k_len,
+                 fd;
+
+        k_len = BN_num_bits(dh->p);
+
+        if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0)
+                {
+                const DH_METHOD *meth;
+                ENGINEerr(UBSEC_F_UBSEC_INIT, UBSEC_R_UNIT_FAILURE);
+                meth = DH_OpenSSL();
+                ret = meth->compute_key(key, pub_key, dh);
+                goto err;
+                }
+
+        if (p_UBSEC_diffie_hellman_agree_ioctl(fd,
+                                               (unsigned char *)dh->priv_key->d, BN_num_bits(dh->priv_key),
+                                               (unsigned char *)pub_key->d, BN_num_bits(pub_key),
+                                               (unsigned char *)dh->p->d, BN_num_bits(dh->p),
+                                               key, &k_len) != 0)
+                {
+                /* Hardware's a no go, failover to software */
+                const DH_METHOD *meth;
+                ENGINEerr(UBSEC_F_UBSEC_DH_COMPUTE_KEY, UBSEC_R_REQUEST_FAILED);
+                p_UBSEC_ubsec_close(fd);
+
+                meth = DH_OpenSSL();
+                ret = meth->compute_key(key, pub_key, dh);
+
+                goto err;
+                }
+
+        p_UBSEC_ubsec_close(fd);
+
+        ret = p_UBSEC_ubsec_bits_to_bytes(k_len);
+err:
+        return ret;
+        }
+
+static int ubsec_dh_generate_key (DH *dh)
+        {
+        int      ret               = 0,
+                 random_bits       = 0,
+                 pub_key_len       = 0,
+                 priv_key_len      = 0,
+                 fd;
+        BIGNUM   *pub_key          = NULL;
+        BIGNUM   *priv_key         = NULL;
+
+        /* 
+         *  How many bits should Random x be? dh_key.c
+         *  sets the range from 0 to num_bits(modulus) ???
+         */
+
+        if (dh->priv_key == NULL)
+                {
+                priv_key = BN_new();
+                if (priv_key == NULL) goto err;
+                priv_key_len = BN_num_bits(dh->p);
+                bn_wexpand(priv_key, dh->p->top);
+                do
+                        if (!BN_rand_range(priv_key, dh->p)) goto err;
+                while (BN_is_zero(priv_key));
+                random_bits = BN_num_bits(priv_key);
+                }
+        else
+                {
+                priv_key = dh->priv_key;
+                }
+
+        if (dh->pub_key == NULL)
+                {
+                pub_key = BN_new();
+                pub_key_len = BN_num_bits(dh->p);
+                bn_wexpand(pub_key, dh->p->top);
+                if(pub_key == NULL) goto err;
+                }
+        else
+                {
+                pub_key = dh->pub_key;
+                }
+
+        if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0)
+                {
+                const DH_METHOD *meth;
+                ENGINEerr(UBSEC_F_UBSEC_INIT, UBSEC_R_UNIT_FAILURE);
+                meth = DH_OpenSSL();
+                ret = meth->generate_key(dh);
+                goto err;
+                }
+
+        if (p_UBSEC_diffie_hellman_generate_ioctl(fd,
+                                                  (unsigned char *)priv_key->d, &priv_key_len,
+                                                  (unsigned char *)pub_key->d,  &pub_key_len,
+                                                  (unsigned char *)dh->g->d, BN_num_bits(dh->g),
+                                                  (unsigned char *)dh->p->d, BN_num_bits(dh->p),
+                                                  0, 0, random_bits) != 0)
+                {
+                /* Hardware's a no go, failover to software */
+                const DH_METHOD *meth;
+
+                ENGINEerr(UBSEC_F_UBSEC_DH_COMPUTE_KEY, UBSEC_R_REQUEST_FAILED);
+                p_UBSEC_ubsec_close(fd);
+
+                meth = DH_OpenSSL();
+                ret = meth->generate_key(dh);
+
+                goto err;
+                }
+
+        p_UBSEC_ubsec_close(fd);
+
+        dh->pub_key = pub_key;
+        dh->pub_key->top = (pub_key_len + BN_BITS2-1) / BN_BITS2;
+        dh->priv_key = priv_key;
+        dh->priv_key->top = (priv_key_len + BN_BITS2-1) / BN_BITS2;
+
+        ret = 1;
+err:
+        return ret;
+        }
+#endif
+
+#if NOT_USED
+static int ubsec_rand_bytes(unsigned char * buf,
+                            int num)
+        {
+        int      ret      = 0,
+                 fd;
+
+        if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0)
+                {
+                const RAND_METHOD *meth;
+                ENGINEerr(UBSEC_F_UBSEC_INIT, UBSEC_R_UNIT_FAILURE);
+                num = p_UBSEC_ubsec_bits_to_bytes(num);
+                meth = RAND_SSLeay();
+                meth->seed(buf, num);
+                ret = meth->bytes(buf, num);
+                goto err;
+                }
+
+        num *= 8; /* bytes to bits */
+
+        if (p_UBSEC_rng_ioctl(fd,
+                              UBSEC_RNG_DIRECT,
+                              buf,
+                              &num) != 0)
+                {
+                /* Hardware's a no go, failover to software */
+                const RAND_METHOD *meth;
+
+                ENGINEerr(UBSEC_F_UBSEC_RNG_BYTES, UBSEC_R_REQUEST_FAILED);
+                p_UBSEC_ubsec_close(fd);
+
+                num = p_UBSEC_ubsec_bits_to_bytes(num);
+                meth = RAND_SSLeay();
+                meth->seed(buf, num);
+                ret = meth->bytes(buf, num);
+
+                goto err;
+                }
+
+        p_UBSEC_ubsec_close(fd);
+
+        ret = 1;
+err:
+        return(ret);
+        }
+
+
+static int ubsec_rand_status(void)
+        {
+        return 0;
+        }
+#endif
+
+/* This stuff is needed if this ENGINE is being compiled into a self-contained
+ * shared-library. */
+#ifdef ENGINE_DYNAMIC_SUPPORT
+static int bind_fn(ENGINE *e, const char *id)
+        {
+        if(id && (strcmp(id, engine_ubsec_id) != 0))
+                return 0;
+        if(!bind_helper(e))
+                return 0;
+        return 1;
+        }
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
+#endif /* ENGINE_DYNAMIC_SUPPORT */
+
+#endif /* !OPENSSL_NO_HW_UBSEC */
+#endif /* !OPENSSL_NO_HW */
diff --git a/src/lib/libssl/src/crypto/engine/hw_ubsec_err.c b/src/lib/libssl/src/crypto/engine/hw_ubsec_err.c
new file mode 100644
index 0000000000..d707331fc2
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/hw_ubsec_err.c
@@ -0,0 +1,151 @@
+/* hw_ubsec_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "hw_ubsec_err.h"
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA UBSEC_str_functs[]=
+        {
+{ERR_PACK(0,UBSEC_F_UBSEC_CTRL,0),      "UBSEC_CTRL"},
+{ERR_PACK(0,UBSEC_F_UBSEC_DH_COMPUTE_KEY,0),    "UBSEC_DH_COMPUTE_KEY"},
+{ERR_PACK(0,UBSEC_F_UBSEC_DSA_SIGN,0),  "UBSEC_DSA_SIGN"},
+{ERR_PACK(0,UBSEC_F_UBSEC_DSA_VERIFY,0),        "UBSEC_DSA_VERIFY"},
+{ERR_PACK(0,UBSEC_F_UBSEC_FINISH,0),    "UBSEC_FINISH"},
+{ERR_PACK(0,UBSEC_F_UBSEC_INIT,0),      "UBSEC_INIT"},
+{ERR_PACK(0,UBSEC_F_UBSEC_MOD_EXP,0),   "UBSEC_MOD_EXP"},
+{ERR_PACK(0,UBSEC_F_UBSEC_RNG_BYTES,0), "UBSEC_RNG_BYTES"},
+{ERR_PACK(0,UBSEC_F_UBSEC_RSA_MOD_EXP,0),       "UBSEC_RSA_MOD_EXP"},
+{ERR_PACK(0,UBSEC_F_UBSEC_RSA_MOD_EXP_CRT,0),   "UBSEC_RSA_MOD_EXP_CRT"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA UBSEC_str_reasons[]=
+        {
+{UBSEC_R_ALREADY_LOADED                  ,"already loaded"},
+{UBSEC_R_BN_EXPAND_FAIL                  ,"bn expand fail"},
+{UBSEC_R_CTRL_COMMAND_NOT_IMPLEMENTED    ,"ctrl command not implemented"},
+{UBSEC_R_DSO_FAILURE                     ,"dso failure"},
+{UBSEC_R_MISSING_KEY_COMPONENTS          ,"missing key components"},
+{UBSEC_R_NOT_LOADED                      ,"not loaded"},
+{UBSEC_R_REQUEST_FAILED                  ,"request failed"},
+{UBSEC_R_SIZE_TOO_LARGE_OR_TOO_SMALL     ,"size too large or too small"},
+{UBSEC_R_UNIT_FAILURE                    ,"unit failure"},
+{0,NULL}
+        };
+
+#endif
+
+#ifdef UBSEC_LIB_NAME
+static ERR_STRING_DATA UBSEC_lib_name[]=
+        {
+{0      ,UBSEC_LIB_NAME},
+{0,NULL}
+        };
+#endif
+
+
+static int UBSEC_lib_error_code=0;
+static int UBSEC_error_init=1;
+
+static void ERR_load_UBSEC_strings(void)
+        {
+        if (UBSEC_lib_error_code == 0)
+                UBSEC_lib_error_code=ERR_get_next_error_library();
+
+        if (UBSEC_error_init)
+                {
+                UBSEC_error_init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(UBSEC_lib_error_code,UBSEC_str_functs);
+                ERR_load_strings(UBSEC_lib_error_code,UBSEC_str_reasons);
+#endif
+
+#ifdef UBSEC_LIB_NAME
+                UBSEC_lib_name->error = ERR_PACK(UBSEC_lib_error_code,0,0);
+                ERR_load_strings(0,UBSEC_lib_name);
+#endif
+                }
+        }
+
+static void ERR_unload_UBSEC_strings(void)
+        {
+        if (UBSEC_error_init == 0)
+                {
+#ifndef OPENSSL_NO_ERR
+                ERR_unload_strings(UBSEC_lib_error_code,UBSEC_str_functs);
+                ERR_unload_strings(UBSEC_lib_error_code,UBSEC_str_reasons);
+#endif
+
+#ifdef UBSEC_LIB_NAME
+                ERR_unload_strings(0,UBSEC_lib_name);
+#endif
+                UBSEC_error_init=1;
+                }
+        }
+
+static void ERR_UBSEC_error(int function, int reason, char *file, int line)
+        {
+        if (UBSEC_lib_error_code == 0)
+                UBSEC_lib_error_code=ERR_get_next_error_library();
+        ERR_PUT_error(UBSEC_lib_error_code,function,reason,file,line);
+        }
diff --git a/src/lib/libssl/src/crypto/engine/hw_ubsec_err.h b/src/lib/libssl/src/crypto/engine/hw_ubsec_err.h
new file mode 100644
index 0000000000..023d3be771
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/hw_ubsec_err.h
@@ -0,0 +1,95 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_UBSEC_ERR_H
+#define HEADER_UBSEC_ERR_H
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+static void ERR_load_UBSEC_strings(void);
+static void ERR_unload_UBSEC_strings(void);
+static void ERR_UBSEC_error(int function, int reason, char *file, int line);
+#define UBSECerr(f,r) ERR_UBSEC_error((f),(r),__FILE__,__LINE__)
+
+/* Error codes for the UBSEC functions. */
+
+/* Function codes. */
+#define UBSEC_F_UBSEC_CTRL                               100
+#define UBSEC_F_UBSEC_DH_COMPUTE_KEY                     101
+#define UBSEC_F_UBSEC_DSA_SIGN                           102
+#define UBSEC_F_UBSEC_DSA_VERIFY                         103
+#define UBSEC_F_UBSEC_FINISH                             104
+#define UBSEC_F_UBSEC_INIT                               105
+#define UBSEC_F_UBSEC_MOD_EXP                            106
+#define UBSEC_F_UBSEC_RNG_BYTES                          107
+#define UBSEC_F_UBSEC_RSA_MOD_EXP                        108
+#define UBSEC_F_UBSEC_RSA_MOD_EXP_CRT                    109
+
+/* Reason codes. */
+#define UBSEC_R_ALREADY_LOADED                           100
+#define UBSEC_R_BN_EXPAND_FAIL                           101
+#define UBSEC_R_CTRL_COMMAND_NOT_IMPLEMENTED             102
+#define UBSEC_R_DSO_FAILURE                              103
+#define UBSEC_R_MISSING_KEY_COMPONENTS                   104
+#define UBSEC_R_NOT_LOADED                               105
+#define UBSEC_R_REQUEST_FAILED                           106
+#define UBSEC_R_SIZE_TOO_LARGE_OR_TOO_SMALL              107
+#define UBSEC_R_UNIT_FAILURE                             108
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libssl/src/crypto/engine/tb_cipher.c b/src/lib/libssl/src/crypto/engine/tb_cipher.c
new file mode 100644
index 0000000000..c5a50fc910
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/tb_cipher.c
@@ -0,0 +1,145 @@
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/evp.h>
+#include <openssl/engine.h>
+#include "eng_int.h"
+
+/* If this symbol is defined then ENGINE_get_cipher_engine(), the function that
+ * is used by EVP to hook in cipher code and cache defaults (etc), will display
+ * brief debugging summaries to stderr with the 'nid'. */
+/* #define ENGINE_CIPHER_DEBUG */
+
+static ENGINE_TABLE *cipher_table = NULL;
+
+void ENGINE_unregister_ciphers(ENGINE *e)
+        {
+        engine_table_unregister(&cipher_table, e);
+        }
+
+static void engine_unregister_all_ciphers(void)
+        {
+        engine_table_cleanup(&cipher_table);
+        }
+
+int ENGINE_register_ciphers(ENGINE *e)
+        {
+        if(e->ciphers)
+                {
+                const int *nids;
+                int num_nids = e->ciphers(e, NULL, &nids, 0);
+                if(num_nids > 0)
+                        return engine_table_register(&cipher_table,
+                                        &engine_unregister_all_ciphers, e, nids,
+                                        num_nids, 0);
+                }
+        return 1;
+        }
+
+void ENGINE_register_all_ciphers()
+        {
+        ENGINE *e;
+
+        for(e=ENGINE_get_first() ; e ; e=ENGINE_get_next(e))
+                ENGINE_register_ciphers(e);
+        }
+
+int ENGINE_set_default_ciphers(ENGINE *e)
+        {
+        if(e->ciphers)
+                {
+                const int *nids;
+                int num_nids = e->ciphers(e, NULL, &nids, 0);
+                if(num_nids > 0)
+                        return engine_table_register(&cipher_table,
+                                        &engine_unregister_all_ciphers, e, nids,
+                                        num_nids, 1);
+                }
+        return 1;
+        }
+
+/* Exposed API function to get a functional reference from the implementation
+ * table (ie. try to get a functional reference from the tabled structural
+ * references) for a given cipher 'nid' */
+ENGINE *ENGINE_get_cipher_engine(int nid)
+        {
+        return engine_table_select(&cipher_table, nid);
+        }
+
+/* Obtains a cipher implementation from an ENGINE functional reference */
+const EVP_CIPHER *ENGINE_get_cipher(ENGINE *e, int nid)
+        {
+        const EVP_CIPHER *ret;
+        ENGINE_CIPHERS_PTR fn = ENGINE_get_ciphers(e);
+        if(!fn || !fn(e, &ret, NULL, nid))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_GET_CIPHER,
+                                ENGINE_R_UNIMPLEMENTED_CIPHER);
+                return NULL;
+                }
+        return ret;
+        }
+
+/* Gets the cipher callback from an ENGINE structure */
+ENGINE_CIPHERS_PTR ENGINE_get_ciphers(const ENGINE *e)
+        {
+        return e->ciphers;
+        }
+
+/* Sets the cipher callback in an ENGINE structure */
+int ENGINE_set_ciphers(ENGINE *e, ENGINE_CIPHERS_PTR f)
+        {
+        e->ciphers = f;
+        return 1;
+        }
diff --git a/src/lib/libssl/src/crypto/engine/tb_dh.c b/src/lib/libssl/src/crypto/engine/tb_dh.c
new file mode 100644
index 0000000000..c9347235ea
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/tb_dh.c
@@ -0,0 +1,120 @@
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/evp.h>
+#include <openssl/engine.h>
+#include "eng_int.h"
+
+/* If this symbol is defined then ENGINE_get_default_DH(), the function that is
+ * used by DH to hook in implementation code and cache defaults (etc), will
+ * display brief debugging summaries to stderr with the 'nid'. */
+/* #define ENGINE_DH_DEBUG */
+
+static ENGINE_TABLE *dh_table = NULL;
+static const int dummy_nid = 1;
+
+void ENGINE_unregister_DH(ENGINE *e)
+        {
+        engine_table_unregister(&dh_table, e);
+        }
+
+static void engine_unregister_all_DH(void)
+        {
+        engine_table_cleanup(&dh_table);
+        }
+
+int ENGINE_register_DH(ENGINE *e)
+        {
+        if(e->dh_meth)
+                return engine_table_register(&dh_table,
+                                &engine_unregister_all_DH, e, &dummy_nid, 1, 0);
+        return 1;
+        }
+
+void ENGINE_register_all_DH()
+        {
+        ENGINE *e;
+
+        for(e=ENGINE_get_first() ; e ; e=ENGINE_get_next(e))
+                ENGINE_register_DH(e);
+        }
+
+int ENGINE_set_default_DH(ENGINE *e)
+        {
+        if(e->dh_meth)
+                return engine_table_register(&dh_table,
+                                &engine_unregister_all_DH, e, &dummy_nid, 1, 1);
+        return 1;
+        }
+
+/* Exposed API function to get a functional reference from the implementation
+ * table (ie. try to get a functional reference from the tabled structural
+ * references). */
+ENGINE *ENGINE_get_default_DH(void)
+        {
+        return engine_table_select(&dh_table, dummy_nid);
+        }
+
+/* Obtains an DH implementation from an ENGINE functional reference */
+const DH_METHOD *ENGINE_get_DH(const ENGINE *e)
+        {
+        return e->dh_meth;
+        }
+
+/* Sets an DH implementation in an ENGINE structure */
+int ENGINE_set_DH(ENGINE *e, const DH_METHOD *dh_meth)
+        {
+        e->dh_meth = dh_meth;
+        return 1;
+        }
diff --git a/src/lib/libssl/src/crypto/engine/tb_digest.c b/src/lib/libssl/src/crypto/engine/tb_digest.c
new file mode 100644
index 0000000000..2c4dd6f796
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/tb_digest.c
@@ -0,0 +1,145 @@
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/evp.h>
+#include <openssl/engine.h>
+#include "eng_int.h"
+
+/* If this symbol is defined then ENGINE_get_digest_engine(), the function that
+ * is used by EVP to hook in digest code and cache defaults (etc), will display
+ * brief debugging summaries to stderr with the 'nid'. */
+/* #define ENGINE_DIGEST_DEBUG */
+
+static ENGINE_TABLE *digest_table = NULL;
+
+void ENGINE_unregister_digests(ENGINE *e)
+        {
+        engine_table_unregister(&digest_table, e);
+        }
+
+static void engine_unregister_all_digests(void)
+        {
+        engine_table_cleanup(&digest_table);
+        }
+
+int ENGINE_register_digests(ENGINE *e)
+        {
+        if(e->digests)
+                {
+                const int *nids;
+                int num_nids = e->digests(e, NULL, &nids, 0);
+                if(num_nids > 0)
+                        return engine_table_register(&digest_table,
+                                        &engine_unregister_all_digests, e, nids,
+                                        num_nids, 0);
+                }
+        return 1;
+        }
+
+void ENGINE_register_all_digests()
+        {
+        ENGINE *e;
+
+        for(e=ENGINE_get_first() ; e ; e=ENGINE_get_next(e))
+                ENGINE_register_digests(e);
+        }
+
+int ENGINE_set_default_digests(ENGINE *e)
+        {
+        if(e->digests)
+                {
+                const int *nids;
+                int num_nids = e->digests(e, NULL, &nids, 0);
+                if(num_nids > 0)
+                        return engine_table_register(&digest_table,
+                                        &engine_unregister_all_digests, e, nids,
+                                        num_nids, 1);
+                }
+        return 1;
+        }
+
+/* Exposed API function to get a functional reference from the implementation
+ * table (ie. try to get a functional reference from the tabled structural
+ * references) for a given digest 'nid' */
+ENGINE *ENGINE_get_digest_engine(int nid)
+        {
+        return engine_table_select(&digest_table, nid);
+        }
+
+/* Obtains a digest implementation from an ENGINE functional reference */
+const EVP_MD *ENGINE_get_digest(ENGINE *e, int nid)
+        {
+        const EVP_MD *ret;
+        ENGINE_DIGESTS_PTR fn = ENGINE_get_digests(e);
+        if(!fn || !fn(e, &ret, NULL, nid))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_GET_DIGEST,
+                                ENGINE_R_UNIMPLEMENTED_DIGEST);
+                return NULL;
+                }
+        return ret;
+        }
+
+/* Gets the digest callback from an ENGINE structure */
+ENGINE_DIGESTS_PTR ENGINE_get_digests(const ENGINE *e)
+        {
+        return e->digests;
+        }
+
+/* Sets the digest callback in an ENGINE structure */
+int ENGINE_set_digests(ENGINE *e, ENGINE_DIGESTS_PTR f)
+        {
+        e->digests = f;
+        return 1;
+        }
diff --git a/src/lib/libssl/src/crypto/engine/tb_dsa.c b/src/lib/libssl/src/crypto/engine/tb_dsa.c
new file mode 100644
index 0000000000..e9209476b8
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/tb_dsa.c
@@ -0,0 +1,120 @@
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/evp.h>
+#include <openssl/engine.h>
+#include "eng_int.h"
+
+/* If this symbol is defined then ENGINE_get_default_DSA(), the function that is
+ * used by DSA to hook in implementation code and cache defaults (etc), will
+ * display brief debugging summaries to stderr with the 'nid'. */
+/* #define ENGINE_DSA_DEBUG */
+
+static ENGINE_TABLE *dsa_table = NULL;
+static const int dummy_nid = 1;
+
+void ENGINE_unregister_DSA(ENGINE *e)
+        {
+        engine_table_unregister(&dsa_table, e);
+        }
+
+static void engine_unregister_all_DSA(void)
+        {
+        engine_table_cleanup(&dsa_table);
+        }
+
+int ENGINE_register_DSA(ENGINE *e)
+        {
+        if(e->dsa_meth)
+                return engine_table_register(&dsa_table,
+                                &engine_unregister_all_DSA, e, &dummy_nid, 1, 0);
+        return 1;
+        }
+
+void ENGINE_register_all_DSA()
+        {
+        ENGINE *e;
+
+        for(e=ENGINE_get_first() ; e ; e=ENGINE_get_next(e))
+                ENGINE_register_DSA(e);
+        }
+
+int ENGINE_set_default_DSA(ENGINE *e)
+        {
+        if(e->dsa_meth)
+                return engine_table_register(&dsa_table,
+                                &engine_unregister_all_DSA, e, &dummy_nid, 1, 0);
+        return 1;
+        }
+
+/* Exposed API function to get a functional reference from the implementation
+ * table (ie. try to get a functional reference from the tabled structural
+ * references). */
+ENGINE *ENGINE_get_default_DSA(void)
+        {
+        return engine_table_select(&dsa_table, dummy_nid);
+        }
+
+/* Obtains an DSA implementation from an ENGINE functional reference */
+const DSA_METHOD *ENGINE_get_DSA(const ENGINE *e)
+        {
+        return e->dsa_meth;
+        }
+
+/* Sets an DSA implementation in an ENGINE structure */
+int ENGINE_set_DSA(ENGINE *e, const DSA_METHOD *dsa_meth)
+        {
+        e->dsa_meth = dsa_meth;
+        return 1;
+        }
diff --git a/src/lib/libssl/src/crypto/engine/tb_rand.c b/src/lib/libssl/src/crypto/engine/tb_rand.c
new file mode 100644
index 0000000000..0b1d031f1e
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/tb_rand.c
@@ -0,0 +1,120 @@
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/evp.h>
+#include <openssl/engine.h>
+#include "eng_int.h"
+
+/* If this symbol is defined then ENGINE_get_default_RAND(), the function that is
+ * used by RAND to hook in implementation code and cache defaults (etc), will
+ * display brief debugging summaries to stderr with the 'nid'. */
+/* #define ENGINE_RAND_DEBUG */
+
+static ENGINE_TABLE *rand_table = NULL;
+static const int dummy_nid = 1;
+
+void ENGINE_unregister_RAND(ENGINE *e)
+        {
+        engine_table_unregister(&rand_table, e);
+        }
+
+static void engine_unregister_all_RAND(void)
+        {
+        engine_table_cleanup(&rand_table);
+        }
+
+int ENGINE_register_RAND(ENGINE *e)
+        {
+        if(e->rand_meth)
+                return engine_table_register(&rand_table,
+                                &engine_unregister_all_RAND, e, &dummy_nid, 1, 0);
+        return 1;
+        }
+
+void ENGINE_register_all_RAND()
+        {
+        ENGINE *e;
+
+        for(e=ENGINE_get_first() ; e ; e=ENGINE_get_next(e))
+                ENGINE_register_RAND(e);
+        }
+
+int ENGINE_set_default_RAND(ENGINE *e)
+        {
+        if(e->rand_meth)
+                return engine_table_register(&rand_table,
+                                &engine_unregister_all_RAND, e, &dummy_nid, 1, 1);
+        return 1;
+        }
+
+/* Exposed API function to get a functional reference from the implementation
+ * table (ie. try to get a functional reference from the tabled structural
+ * references). */
+ENGINE *ENGINE_get_default_RAND(void)
+        {
+        return engine_table_select(&rand_table, dummy_nid);
+        }
+
+/* Obtains an RAND implementation from an ENGINE functional reference */
+const RAND_METHOD *ENGINE_get_RAND(const ENGINE *e)
+        {
+        return e->rand_meth;
+        }
+
+/* Sets an RAND implementation in an ENGINE structure */
+int ENGINE_set_RAND(ENGINE *e, const RAND_METHOD *rand_meth)
+        {
+        e->rand_meth = rand_meth;
+        return 1;
+        }
diff --git a/src/lib/libssl/src/crypto/engine/tb_rsa.c b/src/lib/libssl/src/crypto/engine/tb_rsa.c
new file mode 100644
index 0000000000..f84fea3968
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/tb_rsa.c
@@ -0,0 +1,120 @@
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/evp.h>
+#include <openssl/engine.h>
+#include "eng_int.h"
+
+/* If this symbol is defined then ENGINE_get_default_RSA(), the function that is
+ * used by RSA to hook in implementation code and cache defaults (etc), will
+ * display brief debugging summaries to stderr with the 'nid'. */
+/* #define ENGINE_RSA_DEBUG */
+
+static ENGINE_TABLE *rsa_table = NULL;
+static const int dummy_nid = 1;
+
+void ENGINE_unregister_RSA(ENGINE *e)
+        {
+        engine_table_unregister(&rsa_table, e);
+        }
+
+static void engine_unregister_all_RSA(void)
+        {
+        engine_table_cleanup(&rsa_table);
+        }
+
+int ENGINE_register_RSA(ENGINE *e)
+        {
+        if(e->rsa_meth)
+                return engine_table_register(&rsa_table,
+                                &engine_unregister_all_RSA, e, &dummy_nid, 1, 0);
+        return 1;
+        }
+
+void ENGINE_register_all_RSA()
+        {
+        ENGINE *e;
+
+        for(e=ENGINE_get_first() ; e ; e=ENGINE_get_next(e))
+                ENGINE_register_RSA(e);
+        }
+
+int ENGINE_set_default_RSA(ENGINE *e)
+        {
+        if(e->rsa_meth)
+                return engine_table_register(&rsa_table,
+                                &engine_unregister_all_RSA, e, &dummy_nid, 1, 1);
+        return 1;
+        }
+
+/* Exposed API function to get a functional reference from the implementation
+ * table (ie. try to get a functional reference from the tabled structural
+ * references). */
+ENGINE *ENGINE_get_default_RSA(void)
+        {
+        return engine_table_select(&rsa_table, dummy_nid);
+        }
+
+/* Obtains an RSA implementation from an ENGINE functional reference */
+const RSA_METHOD *ENGINE_get_RSA(const ENGINE *e)
+        {
+        return e->rsa_meth;
+        }
+
+/* Sets an RSA implementation in an ENGINE structure */
+int ENGINE_set_RSA(ENGINE *e, const RSA_METHOD *rsa_meth)
+        {
+        e->rsa_meth = rsa_meth;
+        return 1;
+        }
diff --git a/src/lib/libssl/src/crypto/engine/vendor_defns/aep.h b/src/lib/libssl/src/crypto/engine/vendor_defns/aep.h
new file mode 100644
index 0000000000..2b2792d2d6
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/vendor_defns/aep.h
@@ -0,0 +1,178 @@
+/* This header declares the necessary definitions for using the exponentiation
+ * acceleration capabilities, and rnd number generation of the AEP card. 
+ *
+ */
+
+/*
+ *
+ * Some AEP defines
+ *
+ */
+
+/*Successful return value*/
+#define AEP_R_OK                                0x00000000
+
+/*Miscelleanous unsuccessful return value*/
+#define AEP_R_GENERAL_ERROR                     0x10000001
+
+/*Insufficient host memory*/
+#define AEP_R_HOST_MEMORY                       0x10000002
+
+#define AEP_R_FUNCTION_FAILED                   0x10000006
+
+/*Invalid arguments in function call*/
+#define AEP_R_ARGUMENTS_BAD                     0x10020000
+
+#define AEP_R_NO_TARGET_RESOURCES                               0x10030000
+
+/*Error occuring on socket operation*/
+#define AEP_R_SOCKERROR                                                 0x10000010
+
+/*Socket has been closed from the other end*/
+#define AEP_R_SOCKEOF                                                   0x10000011
+
+/*Invalid handles*/
+#define AEP_R_CONNECTION_HANDLE_INVALID         0x100000B3
+
+#define AEP_R_TRANSACTION_HANDLE_INVALID                0x10040000
+
+/*Transaction has not yet returned from accelerator*/
+#define AEP_R_TRANSACTION_NOT_READY                             0x00010000
+
+/*There is already a thread waiting on this transaction*/
+#define AEP_R_TRANSACTION_CLAIMED                               0x10050000
+
+/*The transaction timed out*/
+#define AEP_R_TIMED_OUT                                                 0x10060000
+
+#define AEP_R_FXN_NOT_IMPLEMENTED                               0x10070000
+
+#define AEP_R_TARGET_ERROR                                              0x10080000
+
+/*Error in the AEP daemon process*/
+#define AEP_R_DAEMON_ERROR                                              0x10090000
+
+/*Invalid ctx id*/
+#define AEP_R_INVALID_CTX_ID                                    0x10009000
+
+#define AEP_R_NO_KEY_MANAGER                                    0x1000a000
+
+/*Error obtaining a mutex*/
+#define AEP_R_MUTEX_BAD                         0x000001A0
+
+/*Fxn call before AEP_Initialise ot after AEP_Finialise*/
+#define AEP_R_AEPAPI_NOT_INITIALIZED                    0x10000190
+
+/*AEP_Initialise has already been called*/
+#define AEP_R_AEPAPI_ALREADY_INITIALIZED                0x10000191
+
+/*Maximum number of connections to daemon reached*/
+#define AEP_R_NO_MORE_CONNECTION_HNDLS                  0x10000200
+
+/*
+ *
+ * Some AEP Type definitions
+ *
+ */
+
+/* an unsigned 8-bit value */
+typedef unsigned char                           AEP_U8;
+
+/* an unsigned 8-bit character */
+typedef char                                    AEP_CHAR;
+
+/* a BYTE-sized Boolean flag */
+typedef AEP_U8                                  AEP_BBOOL;
+
+/*Unsigned value, at least 16 bits long*/
+typedef unsigned short                          AEP_U16;
+
+/* an unsigned value, at least 32 bits long */
+#ifdef SIXTY_FOUR_BIT_LONG
+typedef unsigned int                            AEP_U32;
+#else
+typedef unsigned long                           AEP_U32;
+#endif
+
+#ifdef SIXTY_FOUR_BIT_LONG
+typedef unsigned long                           AEP_U64;
+#else
+typedef struct { unsigned long l1, l2; }        AEP_U64;
+#endif
+
+/* at least 32 bits; each bit is a Boolean flag */
+typedef AEP_U32                 AEP_FLAGS;
+
+typedef AEP_U8          *AEP_U8_PTR;
+typedef AEP_CHAR        *AEP_CHAR_PTR;
+typedef AEP_U32                 *AEP_U32_PTR;
+typedef AEP_U64                 *AEP_U64_PTR;
+typedef void            *AEP_VOID_PTR;
+
+/* Pointer to a AEP_VOID_PTR-- i.e., pointer to pointer to void */
+typedef AEP_VOID_PTR    *AEP_VOID_PTR_PTR;
+
+/*Used to identify an AEP connection handle*/
+typedef AEP_U32                                 AEP_CONNECTION_HNDL;
+
+/*Pointer to an AEP connection handle*/
+typedef AEP_CONNECTION_HNDL     *AEP_CONNECTION_HNDL_PTR;
+
+/*Used by an application (in conjunction with the apps process id) to 
+identify an individual transaction*/
+typedef AEP_U32                                 AEP_TRANSACTION_ID;
+
+/*Pointer to an applications transaction identifier*/
+typedef AEP_TRANSACTION_ID              *AEP_TRANSACTION_ID_PTR;
+
+/*Return value type*/
+typedef AEP_U32                                 AEP_RV;
+
+#define MAX_PROCESS_CONNECTIONS 256
+
+#define RAND_BLK_SIZE 1024
+
+typedef enum{
+        NotConnected=   0,
+        Connected=              1,
+        InUse=                  2
+} AEP_CONNECTION_STATE;
+
+
+typedef struct AEP_CONNECTION_ENTRY{
+        AEP_CONNECTION_STATE    conn_state;
+        AEP_CONNECTION_HNDL     conn_hndl;
+} AEP_CONNECTION_ENTRY;
+
+
+typedef AEP_RV t_AEP_OpenConnection(AEP_CONNECTION_HNDL_PTR phConnection);
+typedef AEP_RV t_AEP_CloseConnection(AEP_CONNECTION_HNDL hConnection);
+
+typedef AEP_RV t_AEP_ModExp(AEP_CONNECTION_HNDL hConnection,
+                            AEP_VOID_PTR pA, AEP_VOID_PTR pP,
+                            AEP_VOID_PTR pN,
+                            AEP_VOID_PTR pResult,
+                            AEP_TRANSACTION_ID* pidTransID);
+
+typedef AEP_RV t_AEP_ModExpCrt(AEP_CONNECTION_HNDL hConnection,
+                               AEP_VOID_PTR pA, AEP_VOID_PTR pP,
+                               AEP_VOID_PTR pQ,
+                               AEP_VOID_PTR pDmp1, AEP_VOID_PTR pDmq1,
+                               AEP_VOID_PTR pIqmp,
+                               AEP_VOID_PTR pResult,
+                               AEP_TRANSACTION_ID* pidTransID);
+
+#ifdef AEPRAND
+typedef AEP_RV t_AEP_GenRandom(AEP_CONNECTION_HNDL hConnection,
+                               AEP_U32 Len,
+                               AEP_U32 Type,
+                               AEP_VOID_PTR pResult,
+                               AEP_TRANSACTION_ID* pidTransID);
+#endif
+
+typedef AEP_RV t_AEP_Initialize(AEP_VOID_PTR pInitArgs);
+typedef AEP_RV t_AEP_Finalize();
+typedef AEP_RV t_AEP_SetBNCallBacks(AEP_RV (*GetBigNumSizeFunc)(),
+                                    AEP_RV (*MakeAEPBigNumFunc)(),
+                                    AEP_RV (*ConverAEPBigNumFunc)());
+
diff --git a/src/lib/libssl/src/crypto/engine/vendor_defns/atalla.h b/src/lib/libssl/src/crypto/engine/vendor_defns/atalla.h
new file mode 100644
index 0000000000..8111649c54
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/vendor_defns/atalla.h
@@ -0,0 +1,61 @@
+/* This header declares the necessary definitions for using the exponentiation
+ * acceleration capabilities of Atalla cards. The only cryptographic operation
+ * is performed by "ASI_RSAPrivateKeyOpFn" and this takes a structure that
+ * defines an "RSA private key". However, it is really only performing a
+ * regular mod_exp using the supplied modulus and exponent - no CRT form is
+ * being used. Hence, it is a generic mod_exp function in disguise, and we use
+ * it as such.
+ *
+ * Thanks to the people at Atalla for letting me know these definitions are
+ * fine and that they can be reproduced here.
+ *
+ * Geoff.
+ */
+
+typedef struct ItemStr
+        {
+        unsigned char *data;
+        int len;
+        } Item;
+
+typedef struct RSAPrivateKeyStr
+        {
+        void *reserved;
+        Item version;
+        Item modulus;
+        Item publicExponent;
+        Item privateExponent;
+        Item prime[2];
+        Item exponent[2];
+        Item coefficient;
+        } RSAPrivateKey;
+
+/* Predeclare the function pointer types that we dynamically load from the DSO.
+ * These use the same names and form that Ben's original support code had (in
+ * crypto/bn/bn_exp.c) unless of course I've inadvertently changed the style
+ * somewhere along the way!
+ */
+
+typedef int tfnASI_GetPerformanceStatistics(int reset_flag,
+                                        unsigned int *ret_buf);
+
+typedef int tfnASI_GetHardwareConfig(long card_num, unsigned int *ret_buf);
+
+typedef int tfnASI_RSAPrivateKeyOpFn(RSAPrivateKey * rsaKey,
+                                        unsigned char *output,
+                                        unsigned char *input,
+                                        unsigned int modulus_len);
+
+/* These are the static string constants for the DSO file name and the function
+ * symbol names to bind to. Regrettably, the DSO name on *nix appears to be
+ * "atasi.so" rather than something more consistent like "libatasi.so". At the
+ * time of writing, I'm not sure what the file name on win32 is but clearly
+ * native name translation is not possible (eg libatasi.so on *nix, and
+ * atasi.dll on win32). For the purposes of testing, I have created a symbollic
+ * link called "libatasi.so" so that we can use native name-translation - a
+ * better solution will be needed. */
+static const char *ATALLA_LIBNAME = "atasi";
+static const char *ATALLA_F1 = "ASI_GetHardwareConfig";
+static const char *ATALLA_F2 = "ASI_RSAPrivateKeyOpFn";
+static const char *ATALLA_F3 = "ASI_GetPerformanceStatistics";
+
diff --git a/src/lib/libssl/src/crypto/engine/vendor_defns/cswift.h b/src/lib/libssl/src/crypto/engine/vendor_defns/cswift.h
new file mode 100644
index 0000000000..0af14a1a92
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/vendor_defns/cswift.h
@@ -0,0 +1,213 @@
+/* Attribution notice: Rainbow have generously allowed me to reproduce
+ * the necessary definitions here from their API. This means the support
+ * can build independently of whether application builders have the
+ * API or hardware. This will allow developers to easily produce software
+ * that has latent hardware support for any users that have accelertors
+ * installed, without the developers themselves needing anything extra.
+ *
+ * I have only clipped the parts from the CryptoSwift header files that
+ * are (or seem) relevant to the CryptoSwift support code. This is
+ * simply to keep the file sizes reasonable.
+ * [Geoff]
+ */
+
+
+/* NB: These type widths do *not* seem right in general, in particular
+ * they're not terribly friendly to 64-bit architectures (unsigned long)
+ * will be 64-bit on IA-64 for a start. I'm leaving these alone as they
+ * agree with Rainbow's API and this will only be called into question
+ * on platforms with Rainbow support anyway! ;-) */
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */
+
+typedef long              SW_STATUS;              /* status           */
+typedef unsigned char     SW_BYTE;                /* 8 bit byte       */
+typedef unsigned short    SW_U16;                 /* 16 bit number    */
+#if defined(_IRIX)
+#include <sgidefs.h>
+typedef __uint32_t        SW_U32;
+#else
+typedef unsigned long     SW_U32;                 /* 32 bit integer   */
+#endif
+ 
+#if defined(WIN32)
+  typedef struct _SW_U64 {
+      SW_U32 low32;
+      SW_U32 high32;
+  } SW_U64;                                         /* 64 bit integer   */
+#elif defined(MAC)
+  typedef longlong SW_U64
+#else /* Unix variants */
+  typedef struct _SW_U64 {
+      SW_U32 low32;
+      SW_U32 high32;
+  } SW_U64;                                         /* 64 bit integer   */
+#endif
+
+/* status codes */
+#define SW_OK                 (0L)
+#define SW_ERR_BASE           (-10000L)
+#define SW_ERR_NO_CARD        (SW_ERR_BASE-1) /* The Card is not present   */
+#define SW_ERR_CARD_NOT_READY (SW_ERR_BASE-2) /* The card has not powered  */
+                                              /*    up yet                 */
+#define SW_ERR_TIME_OUT       (SW_ERR_BASE-3) /* Execution of a command    */
+                                              /*    time out               */
+#define SW_ERR_NO_EXECUTE     (SW_ERR_BASE-4) /* The Card failed to        */
+                                              /*    execute the command    */
+#define SW_ERR_INPUT_NULL_PTR (SW_ERR_BASE-5) /* a required pointer is     */
+                                              /*    NULL                   */
+#define SW_ERR_INPUT_SIZE     (SW_ERR_BASE-6) /* size is invalid, too      */
+                                              /*    small, too large.      */
+#define SW_ERR_INVALID_HANDLE (SW_ERR_BASE-7) /* Invalid SW_ACC_CONTEXT    */
+                                              /*    handle                 */
+#define SW_ERR_PENDING        (SW_ERR_BASE-8) /* A request is already out- */
+                                              /*    standing at this       */
+                                              /*    context handle         */
+#define SW_ERR_AVAILABLE      (SW_ERR_BASE-9) /* A result is available.    */
+#define SW_ERR_NO_PENDING     (SW_ERR_BASE-10)/* No request is pending.    */
+#define SW_ERR_NO_MEMORY      (SW_ERR_BASE-11)/* Not enough memory         */
+#define SW_ERR_BAD_ALGORITHM  (SW_ERR_BASE-12)/* Invalid algorithm type    */
+                                              /*    in SW_PARAM structure  */
+#define SW_ERR_MISSING_KEY    (SW_ERR_BASE-13)/* No key is associated with */
+                                              /*    context.               */
+                                              /*    swAttachKeyParam() is  */
+                                              /*    not called.            */
+#define SW_ERR_KEY_CMD_MISMATCH \
+                              (SW_ERR_BASE-14)/* Cannot perform requested  */
+                                              /*    SW_COMMAND_CODE since  */
+                                              /*    key attached via       */
+                                              /*    swAttachKeyParam()     */
+                                              /*    cannot be used for this*/
+                                              /*    SW_COMMAND_CODE.       */
+#define SW_ERR_NOT_IMPLEMENTED \
+                              (SW_ERR_BASE-15)/* Not implemented           */
+#define SW_ERR_BAD_COMMAND    (SW_ERR_BASE-16)/* Bad command code          */
+#define SW_ERR_BAD_ITEM_SIZE  (SW_ERR_BASE-17)/* too small or too large in */
+                                              /*    the "initems" or       */
+                                              /*    "outitems".            */
+#define SW_ERR_BAD_ACCNUM     (SW_ERR_BASE-18)/* Bad accelerator number    */
+#define SW_ERR_SELFTEST_FAIL  (SW_ERR_BASE-19)/* At least one of the self  */
+                                              /*    test fail, look at the */
+                                              /*    selfTestBitmap in      */
+                                              /*    SW_ACCELERATOR_INFO for*/
+                                              /*    details.               */
+#define SW_ERR_MISALIGN       (SW_ERR_BASE-20)/* Certain alogrithms require*/
+                                              /*    key materials aligned  */
+                                              /*    in certain order, e.g. */
+                                              /*    128 bit for CRT        */
+#define SW_ERR_OUTPUT_NULL_PTR \
+                              (SW_ERR_BASE-21)/* a required pointer is     */
+                                              /*    NULL                   */
+#define SW_ERR_OUTPUT_SIZE \
+                              (SW_ERR_BASE-22)/* size is invalid, too      */
+                                              /*    small, too large.      */
+#define SW_ERR_FIRMWARE_CHECKSUM \
+                              (SW_ERR_BASE-23)/* firmware checksum mismatch*/
+                                              /*    download failed.       */
+#define SW_ERR_UNKNOWN_FIRMWARE \
+                              (SW_ERR_BASE-24)/* unknown firmware error    */
+#define SW_ERR_INTERRUPT      (SW_ERR_BASE-25)/* request is abort when     */
+                                              /*    it's waiting to be     */
+                                              /*    completed.             */
+#define SW_ERR_NVWRITE_FAIL   (SW_ERR_BASE-26)/* error in writing to Non-  */
+                                              /*    volatile memory        */
+#define SW_ERR_NVWRITE_RANGE  (SW_ERR_BASE-27)/* out of range error in     */
+                                              /*    writing to NV memory   */
+#define SW_ERR_RNG_ERROR      (SW_ERR_BASE-28)/* Random Number Generation  */
+                                              /*    failure                */
+#define SW_ERR_DSS_FAILURE    (SW_ERR_BASE-29)/* DSS Sign or Verify failure*/
+#define SW_ERR_MODEXP_FAILURE (SW_ERR_BASE-30)/* Failure in various math   */
+                                              /*    calculations           */
+#define SW_ERR_ONBOARD_MEMORY (SW_ERR_BASE-31)/* Error in accessing on -   */
+                                              /*    board memory           */
+#define SW_ERR_FIRMWARE_VERSION \
+                              (SW_ERR_BASE-32)/* Wrong version in firmware */
+                                              /*    update                 */
+#define SW_ERR_ZERO_WORKING_ACCELERATOR \
+                              (SW_ERR_BASE-44)/* All accelerators are bad  */
+
+
+  /* algorithm type */
+#define SW_ALG_CRT          1
+#define SW_ALG_EXP          2
+#define SW_ALG_DSA          3
+#define SW_ALG_NVDATA       4
+
+  /* command code */
+#define SW_CMD_MODEXP_CRT   1 /* perform Modular Exponentiation using  */
+                              /*  Chinese Remainder Theorem (CRT)      */
+#define SW_CMD_MODEXP       2 /* perform Modular Exponentiation        */
+#define SW_CMD_DSS_SIGN     3 /* perform DSS sign                      */
+#define SW_CMD_DSS_VERIFY   4 /* perform DSS verify                    */
+#define SW_CMD_RAND         5 /* perform random number generation      */
+#define SW_CMD_NVREAD       6 /* perform read to nonvolatile RAM       */
+#define SW_CMD_NVWRITE      7 /* perform write to nonvolatile RAM      */
+
+typedef SW_U32            SW_ALGTYPE;             /* alogrithm type   */
+typedef SW_U32            SW_STATE;               /* state            */
+typedef SW_U32            SW_COMMAND_CODE;        /* command code     */
+typedef SW_U32            SW_COMMAND_BITMAP[4];   /* bitmap           */
+
+typedef struct _SW_LARGENUMBER {
+    SW_U32    nbytes;       /* number of bytes in the buffer "value"  */
+    SW_BYTE*  value;        /* the large integer as a string of       */
+                            /*   bytes in network (big endian) order  */
+} SW_LARGENUMBER;               
+
+typedef struct _SW_CRT {
+    SW_LARGENUMBER  p;      /* prime number p                         */
+    SW_LARGENUMBER  q;      /* prime number q                         */
+    SW_LARGENUMBER  dmp1;   /* exponent1                              */
+    SW_LARGENUMBER  dmq1;   /* exponent2                              */
+    SW_LARGENUMBER  iqmp;   /* CRT coefficient                        */
+} SW_CRT;
+
+typedef struct _SW_EXP {
+    SW_LARGENUMBER  modulus; /* modulus                                */
+    SW_LARGENUMBER  exponent;/* exponent                               */
+} SW_EXP;
+
+typedef struct _SW_DSA {
+    SW_LARGENUMBER  p;      /*                                        */
+    SW_LARGENUMBER  q;      /*                                        */
+    SW_LARGENUMBER  g;      /*                                        */
+    SW_LARGENUMBER  key;    /* private/public key                     */
+} SW_DSA;
+
+typedef struct _SW_NVDATA {
+    SW_U32 accnum;          /* accelerator board number               */
+    SW_U32 offset;          /* offset in byte                         */
+} SW_NVDATA;
+
+typedef struct _SW_PARAM {
+    SW_ALGTYPE    type;     /* type of the alogrithm                  */
+    union {
+        SW_CRT    crt;
+        SW_EXP    exp;
+        SW_DSA    dsa;
+        SW_NVDATA nvdata;
+    } up;
+} SW_PARAM;
+
+typedef SW_U32 SW_CONTEXT_HANDLE; /* opaque context handle */
+
+
+/* Now the OpenSSL bits, these function types are the for the function
+ * pointers that will bound into the Rainbow shared libraries. */
+typedef SW_STATUS t_swAcquireAccContext(SW_CONTEXT_HANDLE *hac);
+typedef SW_STATUS t_swAttachKeyParam(SW_CONTEXT_HANDLE hac,
+                                SW_PARAM *key_params);
+typedef SW_STATUS t_swSimpleRequest(SW_CONTEXT_HANDLE hac,
+                                SW_COMMAND_CODE cmd,
+                                SW_LARGENUMBER pin[],
+                                SW_U32 pin_count,
+                                SW_LARGENUMBER pout[],
+                                SW_U32 pout_count);
+typedef SW_STATUS t_swReleaseAccContext(SW_CONTEXT_HANDLE hac);
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+
diff --git a/src/lib/libssl/src/crypto/engine/vendor_defns/hw_4758_cca.h b/src/lib/libssl/src/crypto/engine/vendor_defns/hw_4758_cca.h
new file mode 100644
index 0000000000..296636e81a
--- /dev/null
+++ b/src/lib/libssl/src/crypto/engine/vendor_defns/hw_4758_cca.h
@@ -0,0 +1,149 @@
+/**********************************************************************/
+/*                                                                    */
+/*  Prototypes of the CCA verbs used by the 4758 CCA openssl driver   */
+/*                                                                    */
+/*  Maurice Gittens <maurice@gittens.nl>                              */
+/*                                                                    */
+/**********************************************************************/
+
+#ifndef __HW_4758_CCA__
+#define __HW_4758_CCA__
+
+/*
+ *  Only WIN32 support for now
+ */
+#if defined(WIN32)
+
+  #define CCA_LIB_NAME "CSUNSAPI"
+
+  #define CSNDPKX   "CSNDPKX_32"
+  #define CSNDKRR   "CSNDKRR_32"
+  #define CSNDPKE   "CSNDPKE_32"
+  #define CSNDPKD   "CSNDPKD_32"
+  #define CSNDDSV   "CSNDDSV_32"
+  #define CSNDDSG   "CSNDDSG_32"
+  #define CSNBRNG   "CSNBRNG_32"
+
+  #define SECURITYAPI __stdcall
+#else
+    /* Fixme!!         
+      Find out the values of these constants for other platforms.
+    */
+  #define CCA_LIB_NAME "CSUNSAPI"
+
+  #define CSNDPKX   "CSNDPKX"
+  #define CSNDKRR   "CSNDKRR"
+  #define CSNDPKE   "CSNDPKE"
+  #define CSNDPKD   "CSNDPKD"
+  #define CSNDDSV   "CSNDDSV"
+  #define CSNDDSG   "CSNDDSG"
+  #define CSNBRNG   "CSNBRNG"
+
+  #define SECURITYAPI
+#endif
+
+/*
+ * security API prototypes
+ */
+
+/* PKA Key Record Read */
+typedef void (SECURITYAPI *F_KEYRECORDREAD)
+             (long          * return_code,
+              long          * reason_code,
+              long          * exit_data_length,
+              unsigned char * exit_data,
+              long          * rule_array_count,
+              unsigned char * rule_array,
+              unsigned char * key_label,
+              long          * key_token_length,
+              unsigned char * key_token);
+
+/* Random Number Generate */
+typedef void (SECURITYAPI *F_RANDOMNUMBERGENERATE)
+             (long          * return_code,
+              long          * reason_code,
+              long          * exit_data_length,
+              unsigned char * exit_data,
+              unsigned char * form,
+              unsigned char * random_number);
+
+/* Digital Signature Generate */
+typedef void (SECURITYAPI *F_DIGITALSIGNATUREGENERATE)
+             (long          * return_code,
+              long          * reason_code,
+              long          * exit_data_length,
+              unsigned char * exit_data,
+              long          * rule_array_count,
+              unsigned char * rule_array,
+              long          * PKA_private_key_id_length,
+              unsigned char * PKA_private_key_id,
+              long          * hash_length,
+              unsigned char * hash,
+              long          * signature_field_length,
+              long          * signature_bit_length,
+              unsigned char * signature_field);
+
+/* Digital Signature Verify */
+typedef void (SECURITYAPI *F_DIGITALSIGNATUREVERIFY)(
+              long          * return_code,
+              long          * reason_code,
+              long          * exit_data_length,
+              unsigned char * exit_data,
+              long          * rule_array_count,
+              unsigned char * rule_array,
+              long          * PKA_public_key_id_length,
+              unsigned char * PKA_public_key_id,
+              long          * hash_length,
+              unsigned char * hash,
+              long          * signature_field_length,
+              unsigned char * signature_field);
+
+/* PKA Public Key Extract */
+typedef void (SECURITYAPI *F_PUBLICKEYEXTRACT)(
+              long          * return_code,
+              long          * reason_code,
+              long          * exit_data_length,
+              unsigned char * exit_data,
+              long          * rule_array_count,
+              unsigned char * rule_array,
+              long          * source_key_identifier_length,
+              unsigned char * source_key_identifier,
+              long          * target_key_token_length,
+              unsigned char * target_key_token);
+
+/* PKA Encrypt */
+typedef void   (SECURITYAPI *F_PKAENCRYPT)
+               (long          *  return_code,
+                 long          *  reason_code,
+                 long          *  exit_data_length,
+                 unsigned char *  exit_data,
+                 long          *  rule_array_count,
+                 unsigned char *  rule_array,
+                 long          *  key_value_length,
+                 unsigned char *  key_value,
+                 long          *  data_struct_length,
+                 unsigned char *  data_struct,
+                 long          *  RSA_public_key_length,
+                 unsigned char *  RSA_public_key,
+                 long          *  RSA_encipher_length,
+                 unsigned char *  RSA_encipher );
+
+/* PKA Decrypt */
+typedef void    (SECURITYAPI *F_PKADECRYPT)
+                (long          *  return_code,
+                 long          *  reason_code,
+                 long          *  exit_data_length,
+                 unsigned char *  exit_data,
+                 long          *  rule_array_count,
+                 unsigned char *  rule_array,
+                 long          *  enciphered_key_length,
+                 unsigned char *  enciphered_key,
+                 long          *  data_struct_length,
+                 unsigned char *  data_struct,
+                 long          *  RSA_private_key_length,
+                 unsigned char *  RSA_private_key,
+                 long          *  key_value_length,
+                 unsigned char *  key_value    );
+
+
+#endif
diff --git a/src/lib/libssl/src/crypto/err/openssl.ec b/src/lib/libssl/src/crypto/err/openssl.ec
new file mode 100644
index 0000000000..c2a8acff0c
--- /dev/null
+++ b/src/lib/libssl/src/crypto/err/openssl.ec
@@ -0,0 +1,71 @@
+L ERR           NONE                            NONE
+L CRYPTO        crypto/crypto.h                 crypto/cpt_err.c
+L BN            crypto/bn/bn.h                  crypto/bn/bn_err.c
+L RSA           crypto/rsa/rsa.h                crypto/rsa/rsa_err.c
+L DSA           crypto/dsa/dsa.h                crypto/dsa/dsa_err.c
+L DH            crypto/dh/dh.h                  crypto/dh/dh_err.c
+L EVP           crypto/evp/evp.h                crypto/evp/evp_err.c
+L BUF           crypto/buffer/buffer.h          crypto/buffer/buf_err.c
+L BIO           crypto/bio/bio.h                crypto/bio/bio_err.c
+L OBJ           crypto/objects/objects.h        crypto/objects/obj_err.c
+L PEM           crypto/pem/pem.h                crypto/pem/pem_err.c
+L X509          crypto/x509/x509.h              crypto/x509/x509_err.c
+L NONE          crypto/x509/x509_vfy.h          NONE
+L X509V3        crypto/x509v3/x509v3.h          crypto/x509v3/v3err.c
+#L METH         crypto/meth/meth.h              crypto/meth/meth_err.c
+L ASN1          crypto/asn1/asn1.h              crypto/asn1/asn1_err.c
+L CONF          crypto/conf/conf.h              crypto/conf/conf_err.c
+#L PROXY                crypto/proxy/proxy.h            crypto/proxy/proxy_err.c
+L PKCS7         crypto/pkcs7/pkcs7.h            crypto/pkcs7/pkcs7err.c
+L PKCS12        crypto/pkcs12/pkcs12.h          crypto/pkcs12/pk12err.c
+L RSAREF        rsaref/rsaref.h                 rsaref/rsar_err.c
+L SSL           ssl/ssl.h                       ssl/ssl_err.c
+L COMP          crypto/comp/comp.h              crypto/comp/comp_err.c
+
+
+F RSAREF_F_RSA_BN2BIN
+F RSAREF_F_RSA_PRIVATE_DECRYPT
+F RSAREF_F_RSA_PRIVATE_ENCRYPT
+F RSAREF_F_RSA_PUBLIC_DECRYPT
+F RSAREF_F_RSA_PUBLIC_ENCRYPT
+#F SSL_F_CLIENT_CERTIFICATE
+
+R SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE          1010
+R SSL_R_SSLV3_ALERT_BAD_RECORD_MAC              1020
+R SSL_R_TLSV1_ALERT_DECRYPTION_FAILED           1021
+R SSL_R_TLSV1_ALERT_RECORD_OVERFLOW             1022
+R SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE       1030
+R SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE           1040
+R SSL_R_SSLV3_ALERT_NO_CERTIFICATE              1041
+R SSL_R_SSLV3_ALERT_BAD_CERTIFICATE             1042
+R SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE     1043
+R SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED         1044
+R SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED         1045
+R SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN         1046
+R SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER           1047
+R SSL_R_TLSV1_ALERT_UNKNOWN_CA                  1048
+R SSL_R_TLSV1_ALERT_ACCESS_DENIED               1049
+R SSL_R_TLSV1_ALERT_DECODE_ERROR                1050
+R SSL_R_TLSV1_ALERT_DECRYPT_ERROR               1051
+R SSL_R_TLSV1_ALERT_EXPORT_RESTRICION           1060
+R SSL_R_TLSV1_ALERT_PROTOCOL_VERSION            1070
+R SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY       1071
+R SSL_R_TLSV1_ALERT_INTERNAL_ERROR              1080
+R SSL_R_TLSV1_ALERT_USER_CANCLED                1090
+R SSL_R_TLSV1_ALERT_NO_RENEGOTIATION            1100
+
+R RSAREF_R_CONTENT_ENCODING                     0x0400
+R RSAREF_R_DATA                                 0x0401
+R RSAREF_R_DIGEST_ALGORITHM                     0x0402
+R RSAREF_R_ENCODING                             0x0403
+R RSAREF_R_KEY                                  0x0404
+R RSAREF_R_KEY_ENCODING                         0x0405
+R RSAREF_R_LEN                                  0x0406
+R RSAREF_R_MODULUS_LEN                          0x0407
+R RSAREF_R_NEED_RANDOM                          0x0408
+R RSAREF_R_PRIVATE_KEY                          0x0409
+R RSAREF_R_PUBLIC_KEY                           0x040a
+R RSAREF_R_SIGNATURE                            0x040b
+R RSAREF_R_SIGNATURE_ENCODING                   0x040c
+R RSAREF_R_ENCRYPTION_ALGORITHM                 0x040d
+
diff --git a/src/lib/libssl/src/crypto/evp/bio_ok.c b/src/lib/libssl/src/crypto/evp/bio_ok.c
new file mode 100644
index 0000000000..101275d648
--- /dev/null
+++ b/src/lib/libssl/src/crypto/evp/bio_ok.c
@@ -0,0 +1,552 @@
+/* crypto/evp/bio_ok.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/*
+        From: Arne Ansper <arne@cyber.ee>
+
+        Why BIO_f_reliable?
+
+        I wrote function which took BIO* as argument, read data from it
+        and processed it. Then I wanted to store the input file in 
+        encrypted form. OK I pushed BIO_f_cipher to the BIO stack
+        and everything was OK. BUT if user types wrong password 
+        BIO_f_cipher outputs only garbage and my function crashes. Yes
+        I can and I should fix my function, but BIO_f_cipher is 
+        easy way to add encryption support to many exisiting applications
+        and it's hard to debug and fix them all. 
+
+        So I wanted another BIO which would catch the incorrect passwords and
+        file damages which cause garbage on BIO_f_cipher's output. 
+
+        The easy way is to push the BIO_f_md and save the checksum at 
+        the end of the file. However there are several problems with this
+        approach:
+
+        1) you must somehow separate checksum from actual data. 
+        2) you need lot's of memory when reading the file, because you 
+        must read to the end of the file and verify the checksum before
+        leting the application to read the data. 
+        
+        BIO_f_reliable tries to solve both problems, so that you can 
+        read and write arbitraly long streams using only fixed amount
+        of memory.
+
+        BIO_f_reliable splits data stream into blocks. Each block is prefixed
+        with it's length and suffixed with it's digest. So you need only 
+        several Kbytes of memory to buffer single block before verifying 
+        it's digest. 
+
+        BIO_f_reliable goes futher and adds several important capabilities:
+
+        1) the digest of the block is computed over the whole stream 
+        -- so nobody can rearrange the blocks or remove or replace them.
+
+        2) to detect invalid passwords right at the start BIO_f_reliable 
+        adds special prefix to the stream. In order to avoid known plain-text
+        attacks this prefix is generated as follows:
+
+                *) digest is initialized with random seed instead of 
+                standardized one.
+                *) same seed is written to ouput
+                *) well-known text is then hashed and the output 
+                of the digest is also written to output.
+
+        reader can now read the seed from stream, hash the same string
+        and then compare the digest output.
+
+        Bad things: BIO_f_reliable knows what's going on in EVP_Digest. I 
+        initialy wrote and tested this code on x86 machine and wrote the
+        digests out in machine-dependent order :( There are people using
+        this code and I cannot change this easily without making existing
+        data files unreadable.
+
+*/
+
+#include <stdio.h>
+#include <errno.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+
+static int ok_write(BIO *h,char *buf,int num);
+static int ok_read(BIO *h,char *buf,int size);
+static long ok_ctrl(BIO *h,int cmd,long arg1,char *arg2);
+static int ok_new(BIO *h);
+static int ok_free(BIO *data);
+static void sig_out(BIO* b);
+static void sig_in(BIO* b);
+static void block_out(BIO* b);
+static void block_in(BIO* b);
+#define OK_BLOCK_SIZE   (1024*4)
+#define OK_BLOCK_BLOCK  4
+#define IOBS            (OK_BLOCK_SIZE+ OK_BLOCK_BLOCK+ 3*EVP_MAX_MD_SIZE)
+#define WELLKNOWN "The quick brown fox jumped over the lazy dog's back."
+
+#ifndef L_ENDIAN
+#define swapem(x) \
+        ((unsigned long int)((((unsigned long int)(x) & 0x000000ffU) << 24) | \
+                             (((unsigned long int)(x) & 0x0000ff00U) <<  8) | \
+                             (((unsigned long int)(x) & 0x00ff0000U) >>  8) | \
+                             (((unsigned long int)(x) & 0xff000000U) >> 24)))
+#else
+#define swapem(x) (x)
+#endif
+
+typedef struct ok_struct
+        {
+        int buf_len;
+        int buf_off;
+        int buf_len_save;
+        int buf_off_save;
+        int cont;               /* <= 0 when finished */
+        int finished;
+        EVP_MD_CTX md;
+        int blockout;           /* output block is ready */ 
+        int sigio;              /* must process signature */
+        char buf[IOBS];
+        } BIO_OK_CTX;
+
+static BIO_METHOD methods_ok=
+        {
+        BIO_TYPE_CIPHER,"reliable",
+        ok_write,
+        ok_read,
+        NULL, /* ok_puts, */
+        NULL, /* ok_gets, */
+        ok_ctrl,
+        ok_new,
+        ok_free,
+        };
+
+BIO_METHOD *BIO_f_reliable(void)
+        {
+        return(&methods_ok);
+        }
+
+static int ok_new(BIO *bi)
+        {
+        BIO_OK_CTX *ctx;
+
+        ctx=(BIO_OK_CTX *)Malloc(sizeof(BIO_OK_CTX));
+        if (ctx == NULL) return(0);
+
+        ctx->buf_len=0;
+        ctx->buf_off=0;
+        ctx->buf_len_save=0;
+        ctx->buf_off_save=0;
+        ctx->cont=1;
+        ctx->finished=0;
+        ctx->blockout= 0;
+        ctx->sigio=1;
+
+        bi->init=0;
+        bi->ptr=(char *)ctx;
+        bi->flags=0;
+        return(1);
+        }
+
+static int ok_free(BIO *a)
+        {
+        if (a == NULL) return(0);
+        memset(a->ptr,0,sizeof(BIO_OK_CTX));
+        Free(a->ptr);
+        a->ptr=NULL;
+        a->init=0;
+        a->flags=0;
+        return(1);
+        }
+        
+static int ok_read(BIO *b, char *out, int outl)
+        {
+        int ret=0,i,n;
+        BIO_OK_CTX *ctx;
+
+        if (out == NULL) return(0);
+        ctx=(BIO_OK_CTX *)b->ptr;
+
+        if ((ctx == NULL) || (b->next_bio == NULL) || (b->init == 0)) return(0);
+
+        while(outl > 0)
+                {
+
+                /* copy clean bytes to output buffer */
+                if (ctx->blockout)
+                        {
+                        i=ctx->buf_len-ctx->buf_off;
+                        if (i > outl) i=outl;
+                        memcpy(out,&(ctx->buf[ctx->buf_off]),i);
+                        ret+=i;
+                        out+=i;
+                        outl-=i;
+                        ctx->buf_off+=i;
+
+                        /* all clean bytes are out */
+                        if (ctx->buf_len == ctx->buf_off)
+                                {
+                                ctx->buf_off=0;
+
+                                /* copy start of the next block into proper place */
+                                if(ctx->buf_len_save- ctx->buf_off_save > 0)
+                                        {
+                                        ctx->buf_len= ctx->buf_len_save- ctx->buf_off_save;
+                                        memmove(ctx->buf, &(ctx->buf[ctx->buf_off_save]),
+                                                        ctx->buf_len);
+                                        }
+                                else
+                                        {
+                                        ctx->buf_len=0;
+                                        }
+                                ctx->blockout= 0;
+                                }
+                        }
+        
+                /* output buffer full -- cancel */
+                if (outl == 0) break;
+
+                /* no clean bytes in buffer -- fill it */
+                n=IOBS- ctx->buf_len;
+                i=BIO_read(b->next_bio,&(ctx->buf[ctx->buf_len]),n);
+
+                if (i <= 0) break;      /* nothing new */
+
+                ctx->buf_len+= i;
+
+                /* no signature yet -- check if we got one */
+                if (ctx->sigio == 1) sig_in(b);
+
+                /* signature ok -- check if we got block */
+                if (ctx->sigio == 0) block_in(b);
+
+                /* invalid block -- cancel */
+                if (ctx->cont <= 0) break;
+
+                }
+
+        BIO_clear_retry_flags(b);
+        BIO_copy_next_retry(b);
+        return(ret);
+        }
+
+static int ok_write(BIO *b, char *in, int inl)
+        {
+        int ret=0,n,i;
+        BIO_OK_CTX *ctx;
+
+        ctx=(BIO_OK_CTX *)b->ptr;
+        ret=inl;
+
+        if ((ctx == NULL) || (b->next_bio == NULL) || (b->init == 0)) return(0);
+
+        if(ctx->sigio) sig_out(b);
+
+        do{
+                BIO_clear_retry_flags(b);
+                n=ctx->buf_len-ctx->buf_off;
+                while (ctx->blockout && n > 0)
+                        {
+                        i=BIO_write(b->next_bio,&(ctx->buf[ctx->buf_off]),n);
+                        if (i <= 0)
+                                {
+                                BIO_copy_next_retry(b);
+                                if(!BIO_should_retry(b))
+                                        ctx->cont= 0;
+                                return(i);
+                                }
+                        ctx->buf_off+=i;
+                        n-=i;
+                        }
+
+                /* at this point all pending data has been written */
+                ctx->blockout= 0;
+                if (ctx->buf_len == ctx->buf_off)
+                        {
+                        ctx->buf_len=OK_BLOCK_BLOCK;
+                        ctx->buf_off=0;
+                        }
+        
+                if ((in == NULL) || (inl <= 0)) return(0);
+
+                n= (inl+ ctx->buf_len > OK_BLOCK_SIZE+ OK_BLOCK_BLOCK) ? 
+                                OK_BLOCK_SIZE+ OK_BLOCK_BLOCK- ctx->buf_len : inl;
+
+                memcpy((unsigned char *)(&(ctx->buf[ctx->buf_len])),(unsigned char *)in,n);
+                ctx->buf_len+= n;
+                inl-=n;
+                in+=n;
+
+                if(ctx->buf_len >= OK_BLOCK_SIZE+ OK_BLOCK_BLOCK)
+                        {
+                        block_out(b);
+                        }
+        }while(inl > 0);
+
+        BIO_clear_retry_flags(b);
+        BIO_copy_next_retry(b);
+        return(ret);
+        }
+
+static long ok_ctrl(BIO *b, int cmd, long num, char *ptr)
+        {
+        BIO_OK_CTX *ctx;
+        EVP_MD *md;
+        const EVP_MD **ppmd;
+        long ret=1;
+        int i;
+
+        ctx=(BIO_OK_CTX *)b->ptr;
+
+        switch (cmd)
+                {
+        case BIO_CTRL_RESET:
+                ctx->buf_len=0;
+                ctx->buf_off=0;
+                ctx->buf_len_save=0;
+                ctx->buf_off_save=0;
+                ctx->cont=1;
+                ctx->finished=0;
+                ctx->blockout= 0;
+                ctx->sigio=1;
+                ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+                break;
+        case BIO_CTRL_EOF:      /* More to read */
+                if (ctx->cont <= 0)
+                        ret=1;
+                else
+                        ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+                break;
+        case BIO_CTRL_PENDING: /* More to read in buffer */
+        case BIO_CTRL_WPENDING: /* More to read in buffer */
+                ret=ctx->blockout ? ctx->buf_len-ctx->buf_off : 0;
+                if (ret <= 0)
+                        ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+                break;
+        case BIO_CTRL_FLUSH:
+                /* do a final write */
+                if(ctx->blockout == 0)
+                        block_out(b);
+
+                while (ctx->blockout)
+                        {
+                        i=ok_write(b,NULL,0);
+                        if (i < 0)
+                                {
+                                ret=i;
+                                break;
+                                }
+                        }
+
+                ctx->finished=1;
+                ctx->buf_off=ctx->buf_len=0;
+                ctx->cont=(int)ret;
+                
+                /* Finally flush the underlying BIO */
+                ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+                break;
+        case BIO_C_DO_STATE_MACHINE:
+                BIO_clear_retry_flags(b);
+                ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+                BIO_copy_next_retry(b);
+                break;
+        case BIO_CTRL_INFO:
+                ret=(long)ctx->cont;
+                break;
+        case BIO_C_SET_MD:
+                md=(EVP_MD *)ptr;
+                EVP_DigestInit(&(ctx->md),md);
+                b->init=1;
+                break;
+        case BIO_C_GET_MD:
+                if (b->init)
+                        {
+                        ppmd=(const EVP_MD **)ptr;
+                        *ppmd=ctx->md.digest;
+                        }
+                else
+                        ret=0;
+                break;
+        default:
+                ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+                break;
+                }
+        return(ret);
+        }
+
+static void longswap(void *_ptr, int len)
+{
+#ifndef L_ENDIAN
+        int i;
+        char *ptr=_ptr;
+
+        for(i= 0;i < len;i+= 4){
+                *((unsigned long *)&(ptr[i]))= swapem(*((unsigned long *)&(ptr[i])));
+        }
+#endif
+}
+
+static void sig_out(BIO* b)
+        {
+        BIO_OK_CTX *ctx;
+        EVP_MD_CTX *md;
+
+        ctx=(BIO_OK_CTX *)b->ptr;
+        md= &(ctx->md);
+
+        if(ctx->buf_len+ 2* md->digest->md_size > OK_BLOCK_SIZE) return;
+
+        EVP_DigestInit(md, md->digest);
+        RAND_bytes(&(md->md.base[0]), md->digest->md_size);
+        memcpy(&(ctx->buf[ctx->buf_len]), &(md->md.base[0]), md->digest->md_size);
+        longswap(&(ctx->buf[ctx->buf_len]), md->digest->md_size);
+        ctx->buf_len+= md->digest->md_size;
+
+        EVP_DigestUpdate(md, (unsigned char*)WELLKNOWN, strlen(WELLKNOWN));
+        md->digest->final(&(ctx->buf[ctx->buf_len]), &(md->md.base[0]));
+        ctx->buf_len+= md->digest->md_size;
+        ctx->blockout= 1;
+        ctx->sigio= 0;
+        }
+
+static void sig_in(BIO* b)
+        {
+        BIO_OK_CTX *ctx;
+        EVP_MD_CTX *md;
+        unsigned char tmp[EVP_MAX_MD_SIZE];
+        int ret= 0;
+
+        ctx=(BIO_OK_CTX *)b->ptr;
+        md= &(ctx->md);
+
+        if(ctx->buf_len- ctx->buf_off < 2* md->digest->md_size) return;
+
+        EVP_DigestInit(md, md->digest);
+        memcpy(&(md->md.base[0]), &(ctx->buf[ctx->buf_off]), md->digest->md_size);
+        longswap(&(md->md.base[0]), md->digest->md_size);
+        ctx->buf_off+= md->digest->md_size;
+
+        EVP_DigestUpdate(md, (unsigned char*)WELLKNOWN, strlen(WELLKNOWN));
+        md->digest->final(tmp, &(md->md.base[0]));
+        ret= memcmp(&(ctx->buf[ctx->buf_off]), tmp, md->digest->md_size) == 0;
+        ctx->buf_off+= md->digest->md_size;
+        if(ret == 1)
+                {
+                ctx->sigio= 0;
+                if(ctx->buf_len != ctx->buf_off)
+                        {
+                        memmove(ctx->buf, &(ctx->buf[ctx->buf_off]), ctx->buf_len- ctx->buf_off);
+                        }
+                ctx->buf_len-= ctx->buf_off;
+                ctx->buf_off= 0;
+                }
+        else
+                {
+                ctx->cont= 0;
+                }
+        }
+
+static void block_out(BIO* b)
+        {
+        BIO_OK_CTX *ctx;
+        EVP_MD_CTX *md;
+        unsigned long tl;
+
+        ctx=(BIO_OK_CTX *)b->ptr;
+        md= &(ctx->md);
+
+        tl= ctx->buf_len- OK_BLOCK_BLOCK;
+        tl= swapem(tl);
+        memcpy(ctx->buf, &tl, OK_BLOCK_BLOCK);
+        tl= swapem(tl);
+        EVP_DigestUpdate(md, (unsigned char*) &(ctx->buf[OK_BLOCK_BLOCK]), tl);
+        md->digest->final(&(ctx->buf[ctx->buf_len]), &(md->md.base[0]));
+        ctx->buf_len+= md->digest->md_size;
+        ctx->blockout= 1;
+        }
+
+static void block_in(BIO* b)
+        {
+        BIO_OK_CTX *ctx;
+        EVP_MD_CTX *md;
+        long tl= 0;
+        unsigned char tmp[EVP_MAX_MD_SIZE];
+
+        ctx=(BIO_OK_CTX *)b->ptr;
+        md= &(ctx->md);
+
+        memcpy(&tl, ctx->buf, OK_BLOCK_BLOCK);
+        tl= swapem(tl);
+        if (ctx->buf_len < tl+ OK_BLOCK_BLOCK+ md->digest->md_size) return;
+ 
+        EVP_DigestUpdate(md, (unsigned char*) &(ctx->buf[OK_BLOCK_BLOCK]), tl);
+        md->digest->final(tmp, &(md->md.base[0]));
+        if(memcmp(&(ctx->buf[tl+ OK_BLOCK_BLOCK]), tmp, md->digest->md_size) == 0)
+                {
+                /* there might be parts from next block lurking around ! */
+                ctx->buf_off_save= tl+ OK_BLOCK_BLOCK+ md->digest->md_size;
+                ctx->buf_len_save= ctx->buf_len;
+                ctx->buf_off= OK_BLOCK_BLOCK;
+                ctx->buf_len= tl+ OK_BLOCK_BLOCK;
+                ctx->blockout= 1;
+                }
+        else
+                {
+                ctx->cont= 0;
+                }
+        }
+
diff --git a/src/lib/libssl/src/crypto/evp/c_allc.c b/src/lib/libssl/src/crypto/evp/c_allc.c
new file mode 100644
index 0000000000..f24d3756c9
--- /dev/null
+++ b/src/lib/libssl/src/crypto/evp/c_allc.c
@@ -0,0 +1,149 @@
+/* crypto/evp/c_allc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/pkcs12.h>
+#include <openssl/objects.h>
+
+void OpenSSL_add_all_ciphers(void)
+        {
+#ifndef NO_DES
+        EVP_add_cipher(EVP_des_cfb());
+        EVP_add_cipher(EVP_des_ede_cfb());
+        EVP_add_cipher(EVP_des_ede3_cfb());
+
+        EVP_add_cipher(EVP_des_ofb());
+        EVP_add_cipher(EVP_des_ede_ofb());
+        EVP_add_cipher(EVP_des_ede3_ofb());
+
+        EVP_add_cipher(EVP_desx_cbc());
+        EVP_add_cipher_alias(SN_desx_cbc,"DESX");
+        EVP_add_cipher_alias(SN_desx_cbc,"desx");
+
+        EVP_add_cipher(EVP_des_cbc());
+        EVP_add_cipher_alias(SN_des_cbc,"DES");
+        EVP_add_cipher_alias(SN_des_cbc,"des");
+        EVP_add_cipher(EVP_des_ede_cbc());
+        EVP_add_cipher(EVP_des_ede3_cbc());
+        EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
+        EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
+
+        EVP_add_cipher(EVP_des_ecb());
+        EVP_add_cipher(EVP_des_ede());
+        EVP_add_cipher(EVP_des_ede3());
+#endif
+
+#ifndef NO_RC4
+        EVP_add_cipher(EVP_rc4());
+        EVP_add_cipher(EVP_rc4_40());
+#endif
+
+#ifndef NO_IDEA
+        EVP_add_cipher(EVP_idea_ecb());
+        EVP_add_cipher(EVP_idea_cfb());
+        EVP_add_cipher(EVP_idea_ofb());
+        EVP_add_cipher(EVP_idea_cbc());
+        EVP_add_cipher_alias(SN_idea_cbc,"IDEA");
+        EVP_add_cipher_alias(SN_idea_cbc,"idea");
+#endif
+
+#ifndef NO_RC2
+        EVP_add_cipher(EVP_rc2_ecb());
+        EVP_add_cipher(EVP_rc2_cfb());
+        EVP_add_cipher(EVP_rc2_ofb());
+        EVP_add_cipher(EVP_rc2_cbc());
+        EVP_add_cipher(EVP_rc2_40_cbc());
+        EVP_add_cipher(EVP_rc2_64_cbc());
+        EVP_add_cipher_alias(SN_rc2_cbc,"RC2");
+        EVP_add_cipher_alias(SN_rc2_cbc,"rc2");
+#endif
+
+#ifndef NO_BF
+        EVP_add_cipher(EVP_bf_ecb());
+        EVP_add_cipher(EVP_bf_cfb());
+        EVP_add_cipher(EVP_bf_ofb());
+        EVP_add_cipher(EVP_bf_cbc());
+        EVP_add_cipher_alias(SN_bf_cbc,"BF");
+        EVP_add_cipher_alias(SN_bf_cbc,"bf");
+        EVP_add_cipher_alias(SN_bf_cbc,"blowfish");
+#endif
+
+#ifndef NO_CAST
+        EVP_add_cipher(EVP_cast5_ecb());
+        EVP_add_cipher(EVP_cast5_cfb());
+        EVP_add_cipher(EVP_cast5_ofb());
+        EVP_add_cipher(EVP_cast5_cbc());
+        EVP_add_cipher_alias(SN_cast5_cbc,"CAST");
+        EVP_add_cipher_alias(SN_cast5_cbc,"cast");
+        EVP_add_cipher_alias(SN_cast5_cbc,"CAST-cbc");
+        EVP_add_cipher_alias(SN_cast5_cbc,"cast-cbc");
+#endif
+
+#ifndef NO_RC5
+        EVP_add_cipher(EVP_rc5_32_12_16_ecb());
+        EVP_add_cipher(EVP_rc5_32_12_16_cfb());
+        EVP_add_cipher(EVP_rc5_32_12_16_ofb());
+        EVP_add_cipher(EVP_rc5_32_12_16_cbc());
+        EVP_add_cipher_alias(SN_rc5_cbc,"rc5");
+        EVP_add_cipher_alias(SN_rc5_cbc,"RC5");
+#endif
+        PKCS12_PBE_add();
+        PKCS5_PBE_add();
+        }
diff --git a/src/lib/libssl/src/crypto/evp/c_alld.c b/src/lib/libssl/src/crypto/evp/c_alld.c
new file mode 100644
index 0000000000..febe51a3ee
--- /dev/null
+++ b/src/lib/libssl/src/crypto/evp/c_alld.c
@@ -0,0 +1,100 @@
+/* crypto/evp/c_alld.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/pkcs12.h>
+#include <openssl/objects.h>
+
+void OpenSSL_add_all_digests(void)
+        {
+#ifndef NO_MD2
+        EVP_add_digest(EVP_md2());
+#endif
+#ifndef NO_MD5
+        EVP_add_digest(EVP_md5());
+        EVP_add_digest_alias(SN_md5,"ssl2-md5");
+        EVP_add_digest_alias(SN_md5,"ssl3-md5");
+#endif
+#ifndef NO_SHA
+        EVP_add_digest(EVP_sha());
+#ifndef NO_DSA
+        EVP_add_digest(EVP_dss());
+#endif
+#endif
+#ifndef NO_SHA
+        EVP_add_digest(EVP_sha1());
+        EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
+        EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
+#ifndef NO_DSA
+        EVP_add_digest(EVP_dss1());
+        EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
+        EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
+        EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
+#endif
+#endif
+#if !defined(NO_MDC2) && !defined(NO_DES)
+        EVP_add_digest(EVP_mdc2());
+#endif
+#ifndef NO_RIPEMD
+        EVP_add_digest(EVP_ripemd160());
+        EVP_add_digest_alias(SN_ripemd160,"ripemd");
+        EVP_add_digest_alias(SN_ripemd160,"rmd160");
+#endif
+        }
diff --git a/src/lib/libssl/src/crypto/evp/e_aes.c b/src/lib/libssl/src/crypto/evp/e_aes.c
new file mode 100644
index 0000000000..9d03a9602f
--- /dev/null
+++ b/src/lib/libssl/src/crypto/evp/e_aes.c
@@ -0,0 +1,99 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#ifndef OPENSSL_NO_AES
+#include <openssl/evp.h>
+#include <openssl/err.h>
+#include <string.h>
+#include <assert.h>
+#include <openssl/aes.h>
+#include "evp_locl.h"
+
+static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                                        const unsigned char *iv, int enc);
+
+typedef struct
+        {
+        AES_KEY ks;
+        } EVP_AES_KEY;
+
+#define data(ctx)       EVP_C_DATA(EVP_AES_KEY,ctx)
+
+IMPLEMENT_BLOCK_CIPHER(aes_128, ks, AES, EVP_AES_KEY,
+                       NID_aes_128, 16, 16, 16, 128,
+                       0, aes_init_key, NULL, 
+                       EVP_CIPHER_set_asn1_iv,
+                       EVP_CIPHER_get_asn1_iv,
+                       NULL)
+IMPLEMENT_BLOCK_CIPHER(aes_192, ks, AES, EVP_AES_KEY,
+                       NID_aes_192, 16, 24, 16, 128,
+                       0, aes_init_key, NULL, 
+                       EVP_CIPHER_set_asn1_iv,
+                       EVP_CIPHER_get_asn1_iv,
+                       NULL)
+IMPLEMENT_BLOCK_CIPHER(aes_256, ks, AES, EVP_AES_KEY,
+                       NID_aes_256, 16, 32, 16, 128,
+                       0, aes_init_key, NULL, 
+                       EVP_CIPHER_set_asn1_iv,
+                       EVP_CIPHER_get_asn1_iv,
+                       NULL)
+
+static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                   const unsigned char *iv, int enc) {
+
+        if (enc) 
+                AES_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
+        else
+                AES_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
+
+        return 1;
+}
+
+#endif
diff --git a/src/lib/libssl/src/crypto/evp/e_bf.c b/src/lib/libssl/src/crypto/evp/e_bf.c
new file mode 100644
index 0000000000..72047f64da
--- /dev/null
+++ b/src/lib/libssl/src/crypto/evp/e_bf.c
@@ -0,0 +1,80 @@
+/* crypto/evp/e_bf.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_BF
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include "evp_locl.h"
+#include <openssl/objects.h>
+
+static int bf_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                       const unsigned char *iv, int enc);
+
+IMPLEMENT_BLOCK_CIPHER(bf, bf_ks, BF, bf_ks, NID_bf, 8, 16, 8,
+                        0, bf_init_key, NULL, 
+                        EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL)
+        
+static int bf_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                       const unsigned char *iv, int enc)
+        {
+        BF_set_key(&(ctx->c.bf_ks),EVP_CIPHER_CTX_key_length(ctx),key);
+        return 1;
+        }
+
+#endif
diff --git a/src/lib/libssl/src/crypto/evp/e_cast.c b/src/lib/libssl/src/crypto/evp/e_cast.c
new file mode 100644
index 0000000000..e5af7fb4ed
--- /dev/null
+++ b/src/lib/libssl/src/crypto/evp/e_cast.c
@@ -0,0 +1,82 @@
+/* crypto/evp/e_cast.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_CAST
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include "evp_locl.h"
+
+static int cast_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                         const unsigned char *iv,int enc);
+
+IMPLEMENT_BLOCK_CIPHER(cast5, cast_ks, CAST, cast_ks, 
+                        NID_cast5, 8, EVP_CAST5_KEY_SIZE, 8,
+                        EVP_CIPH_VARIABLE_LENGTH, cast_init_key, NULL,
+                        EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL)
+                        
+static int cast_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                         const unsigned char *iv, int enc)
+        {
+        CAST_set_key(&(ctx->c.cast_ks),EVP_CIPHER_CTX_key_length(ctx),key);
+        return 1;
+        }
+
+#endif
diff --git a/src/lib/libssl/src/crypto/evp/e_des.c b/src/lib/libssl/src/crypto/evp/e_des.c
new file mode 100644
index 0000000000..f4e998b81c
--- /dev/null
+++ b/src/lib/libssl/src/crypto/evp/e_des.c
@@ -0,0 +1,118 @@
+/* crypto/evp/e_des.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_DES
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include "evp_locl.h"
+
+static int des_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                        const unsigned char *iv, int enc);
+
+/* Because of various casts and different names can't use IMPLEMENT_BLOCK_CIPHER */
+
+static int des_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                          const unsigned char *in, unsigned int inl)
+{
+        BLOCK_CIPHER_ecb_loop()
+                des_ecb_encrypt((des_cblock *)(in + i), (des_cblock *)(out + i), ctx->c.des_ks, ctx->encrypt);
+        return 1;
+}
+
+static int des_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                          const unsigned char *in, unsigned int inl)
+{
+        des_ofb64_encrypt(in, out, (long)inl, ctx->c.des_ks, (des_cblock *)ctx->iv, &ctx->num);
+        return 1;
+}
+
+static int des_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                          const unsigned char *in, unsigned int inl)
+{
+        des_ncbc_encrypt(in, out, (long)inl, ctx->c.des_ks,
+                         (des_cblock *)ctx->iv, ctx->encrypt);
+        return 1;
+}
+
+static int des_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                          const unsigned char *in, unsigned int inl)
+{
+        des_cfb64_encrypt(in, out, (long)inl, ctx->c.des_ks,
+                          (des_cblock *)ctx->iv, &ctx->num, ctx->encrypt);
+        return 1;
+}
+
+BLOCK_CIPHER_defs(des, des_ks, NID_des, 8, 8, 8,
+                        0, des_init_key, NULL,
+                        EVP_CIPHER_set_asn1_iv,
+                        EVP_CIPHER_get_asn1_iv,
+                        NULL)
+
+
+static int des_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                        const unsigned char *iv, int enc)
+        {
+        des_cblock *deskey = (des_cblock *)key;
+
+        des_set_key_unchecked(deskey,ctx->c.des_ks);
+        return 1;
+        }
+
+#endif
diff --git a/src/lib/libssl/src/crypto/evp/e_des3.c b/src/lib/libssl/src/crypto/evp/e_des3.c
new file mode 100644
index 0000000000..a9aba4ae70
--- /dev/null
+++ b/src/lib/libssl/src/crypto/evp/e_des3.c
@@ -0,0 +1,165 @@
+/* crypto/evp/e_des3.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_DES
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include "evp_locl.h"
+
+static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                            const unsigned char *iv,int enc);
+
+static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                             const unsigned char *iv,int enc);
+
+/* Because of various casts and different args can't use IMPLEMENT_BLOCK_CIPHER */
+
+static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                              const unsigned char *in, unsigned int inl)
+{
+        BLOCK_CIPHER_ecb_loop()
+                des_ecb3_encrypt((des_cblock *)(in + i), (des_cblock *)(out + i), 
+                        ctx->c.des_ede.ks1, ctx->c.des_ede.ks2, ctx->c.des_ede.ks3,
+                         ctx->encrypt);
+        return 1;
+}
+
+static int des_ede_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                              const unsigned char *in, unsigned int inl)
+{
+        des_ede3_ofb64_encrypt(in, out, (long)inl,
+                        ctx->c.des_ede.ks1, ctx->c.des_ede.ks2, ctx->c.des_ede.ks3,
+                                                                (des_cblock *)ctx->iv, &ctx->num);
+        return 1;
+}
+
+static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                              const unsigned char *in, unsigned int inl)
+{
+        des_ede3_cbc_encrypt(in, out, (long)inl,
+                        ctx->c.des_ede.ks1, ctx->c.des_ede.ks2, ctx->c.des_ede.ks3,
+                                                                (des_cblock *)ctx->iv, ctx->encrypt);
+        return 1;
+}
+
+static int des_ede_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                              const unsigned char *in, unsigned int inl)
+{
+        des_ede3_cfb64_encrypt(in, out, (long)inl, 
+                        ctx->c.des_ede.ks1, ctx->c.des_ede.ks2, ctx->c.des_ede.ks3,
+                                        (des_cblock *)ctx->iv, &ctx->num, ctx->encrypt);
+        return 1;
+}
+
+#define NID_des_ede_ecb NID_des_ede
+
+BLOCK_CIPHER_defs(des_ede, des_ede, NID_des_ede, 8, 16, 8,
+                        0, des_ede_init_key, NULL, 
+                        EVP_CIPHER_set_asn1_iv,
+                        EVP_CIPHER_get_asn1_iv,
+                        NULL)
+
+#define NID_des_ede3_ecb NID_des_ede3
+#define des_ede3_cfb_cipher des_ede_cfb_cipher
+#define des_ede3_ofb_cipher des_ede_ofb_cipher
+#define des_ede3_cbc_cipher des_ede_cbc_cipher
+#define des_ede3_ecb_cipher des_ede_ecb_cipher
+
+BLOCK_CIPHER_defs(des_ede3, des_ede, NID_des_ede3, 8, 24, 8,
+                        0, des_ede3_init_key, NULL, 
+                        EVP_CIPHER_set_asn1_iv,
+                        EVP_CIPHER_get_asn1_iv,
+                        NULL)
+
+static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                            const unsigned char *iv, int enc)
+        {
+        des_cblock *deskey = (des_cblock *)key;
+
+        des_set_key_unchecked(&deskey[0],ctx->c.des_ede.ks1);
+        des_set_key_unchecked(&deskey[1],ctx->c.des_ede.ks2);
+        memcpy( (char *)ctx->c.des_ede.ks3,
+                        (char *)ctx->c.des_ede.ks1,
+                        sizeof(ctx->c.des_ede.ks1));
+        return 1;
+        }
+
+static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                             const unsigned char *iv, int enc)
+        {
+        des_cblock *deskey = (des_cblock *)key;
+
+        des_set_key_unchecked(&deskey[0],ctx->c.des_ede.ks1);
+        des_set_key_unchecked(&deskey[1],ctx->c.des_ede.ks2);
+        des_set_key_unchecked(&deskey[2],ctx->c.des_ede.ks3);
+
+        return 1;
+        }
+
+EVP_CIPHER *EVP_des_ede(void)
+{
+        return &des_ede_ecb;
+}
+
+EVP_CIPHER *EVP_des_ede3(void)
+{
+        return &des_ede3_ecb;
+}
+#endif
diff --git a/src/lib/libssl/src/crypto/evp/e_idea.c b/src/lib/libssl/src/crypto/evp/e_idea.c
new file mode 100644
index 0000000000..8d3c88deb7
--- /dev/null
+++ b/src/lib/libssl/src/crypto/evp/e_idea.c
@@ -0,0 +1,112 @@
+/* crypto/evp/e_idea.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_IDEA
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include "evp_locl.h"
+
+static int idea_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                         const unsigned char *iv,int enc);
+
+/* NB idea_ecb_encrypt doesn't take an 'encrypt' argument so we treat it as a special
+ * case 
+ */
+
+static int idea_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                           const unsigned char *in, unsigned int inl)
+{
+        BLOCK_CIPHER_ecb_loop()
+                idea_ecb_encrypt(in + i, out + i, &ctx->c.idea_ks);
+        return 1;
+}
+
+/* Can't use IMPLEMENT_BLOCK_CIPHER because idea_ecb_encrypt is different */
+
+BLOCK_CIPHER_func_cbc(idea, idea, idea_ks)
+BLOCK_CIPHER_func_ofb(idea, idea, idea_ks)
+BLOCK_CIPHER_func_cfb(idea, idea, idea_ks)
+
+BLOCK_CIPHER_defs(idea, idea_ks, NID_idea, 8, 16, 8,
+                        0, idea_init_key, NULL, 
+                        EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL)
+
+static int idea_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                         const unsigned char *iv, int enc)
+        {
+        if(!enc) {
+                if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE) enc = 1;
+                else if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_CFB_MODE) enc = 1;
+        }
+        if (enc) idea_set_encrypt_key(key,&(ctx->c.idea_ks));
+        else
+                {
+                IDEA_KEY_SCHEDULE tmp;
+
+                idea_set_encrypt_key(key,&tmp);
+                idea_set_decrypt_key(&tmp,&(ctx->c.idea_ks));
+                memset((unsigned char *)&tmp,0,
+                                sizeof(IDEA_KEY_SCHEDULE));
+                }
+        return 1;
+        }
+
+#endif
diff --git a/src/lib/libssl/src/crypto/evp/e_rc2.c b/src/lib/libssl/src/crypto/evp/e_rc2.c
new file mode 100644
index 0000000000..3955c3ef84
--- /dev/null
+++ b/src/lib/libssl/src/crypto/evp/e_rc2.c
@@ -0,0 +1,222 @@
+/* crypto/evp/e_rc2.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_RC2
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include "evp_locl.h"
+
+static int rc2_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                        const unsigned char *iv,int enc);
+static int rc2_meth_to_magic(EVP_CIPHER_CTX *ctx);
+static int rc2_magic_to_meth(int i);
+static int rc2_set_asn1_type_and_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
+static int rc2_get_asn1_type_and_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
+static int rc2_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr);
+
+IMPLEMENT_BLOCK_CIPHER(rc2, rc2.ks, RC2, rc2, NID_rc2,
+                        8,
+                        EVP_RC2_KEY_SIZE, 8,
+                        EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,
+                        rc2_init_key, NULL,
+                        rc2_set_asn1_type_and_iv, rc2_get_asn1_type_and_iv, 
+                        rc2_ctrl)
+
+#define RC2_40_MAGIC    0xa0
+#define RC2_64_MAGIC    0x78
+#define RC2_128_MAGIC   0x3a
+
+static EVP_CIPHER r2_64_cbc_cipher=
+        {
+        NID_rc2_64_cbc,
+        8,8 /* 64 bit */,8,
+        EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,
+        rc2_init_key,
+        rc2_cbc_cipher,
+        NULL,
+        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+                sizeof((((EVP_CIPHER_CTX *)NULL)->c.rc2)),
+        rc2_set_asn1_type_and_iv,
+        rc2_get_asn1_type_and_iv,
+        rc2_ctrl,
+        NULL
+        };
+
+static EVP_CIPHER r2_40_cbc_cipher=
+        {
+        NID_rc2_40_cbc,
+        8,5 /* 40 bit */,8,
+        EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,
+        rc2_init_key,
+        rc2_cbc_cipher,
+        NULL,
+        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
+                sizeof((((EVP_CIPHER_CTX *)NULL)->c.rc2)),
+        rc2_set_asn1_type_and_iv,
+        rc2_get_asn1_type_and_iv,
+        rc2_ctrl,
+        NULL
+        };
+
+EVP_CIPHER *EVP_rc2_64_cbc(void)
+        {
+        return(&r2_64_cbc_cipher);
+        }
+
+EVP_CIPHER *EVP_rc2_40_cbc(void)
+        {
+        return(&r2_40_cbc_cipher);
+        }
+        
+static int rc2_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                        const unsigned char *iv, int enc)
+        {
+        RC2_set_key(&(ctx->c.rc2.ks),EVP_CIPHER_CTX_key_length(ctx),
+                        key,ctx->c.rc2.key_bits);
+        return 1;
+        }
+
+static int rc2_meth_to_magic(EVP_CIPHER_CTX *e)
+        {
+        int i;
+
+        EVP_CIPHER_CTX_ctrl(e, EVP_CTRL_GET_RC2_KEY_BITS, 0, &i);
+        if      (i == 128) return(RC2_128_MAGIC);
+        else if (i == 64)  return(RC2_64_MAGIC);
+        else if (i == 40)  return(RC2_40_MAGIC);
+        else return(0);
+        }
+
+static int rc2_magic_to_meth(int i)
+        {
+        if      (i == RC2_128_MAGIC) return 128;
+        else if (i == RC2_64_MAGIC)  return 64;
+        else if (i == RC2_40_MAGIC)  return 40;
+        else
+                {
+                EVPerr(EVP_F_RC2_MAGIC_TO_METH,EVP_R_UNSUPPORTED_KEY_SIZE);
+                return(0);
+                }
+        }
+
+static int rc2_get_asn1_type_and_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
+        {
+        long num=0;
+        int i=0,l;
+        int key_bits;
+        unsigned char iv[EVP_MAX_IV_LENGTH];
+
+        if (type != NULL)
+                {
+                l=EVP_CIPHER_CTX_iv_length(c);
+                i=ASN1_TYPE_get_int_octetstring(type,&num,iv,l);
+                if (i != l)
+                        return(-1);
+                key_bits =rc2_magic_to_meth((int)num);
+                if (!key_bits)
+                        return(-1);
+                if(i > 0) EVP_CipherInit(c, NULL, NULL, iv, -1);
+                EVP_CIPHER_CTX_ctrl(c, EVP_CTRL_SET_RC2_KEY_BITS, key_bits, NULL);
+                EVP_CIPHER_CTX_set_key_length(c, key_bits / 8);
+                }
+        return(i);
+        }
+
+static int rc2_set_asn1_type_and_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
+        {
+        long num;
+        int i=0,j;
+
+        if (type != NULL)
+                {
+                num=rc2_meth_to_magic(c);
+                j=EVP_CIPHER_CTX_iv_length(c);
+                i=ASN1_TYPE_set_int_octetstring(type,num,c->oiv,j);
+                }
+        return(i);
+        }
+
+static int rc2_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
+        {
+                switch(type) {
+
+                        case EVP_CTRL_INIT:
+                        c->c.rc2.key_bits = EVP_CIPHER_CTX_key_length(c) * 8;
+                        return 1;
+
+                        case EVP_CTRL_GET_RC2_KEY_BITS:
+                        *(int *)ptr = c->c.rc2.key_bits;
+                        return 1;
+                        
+                        
+                        case EVP_CTRL_SET_RC2_KEY_BITS:
+                        if(arg > 0) {
+                                c->c.rc2.key_bits = arg;
+                                return 1;
+                        }
+                        return 0;
+
+                        default:
+                        return -1;
+                }
+        }
+
+#endif
diff --git a/src/lib/libssl/src/crypto/evp/e_rc5.c b/src/lib/libssl/src/crypto/evp/e_rc5.c
new file mode 100644
index 0000000000..5885f1826b
--- /dev/null
+++ b/src/lib/libssl/src/crypto/evp/e_rc5.c
@@ -0,0 +1,118 @@
+/* crypto/evp/e_rc5.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_RC5
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include "evp_locl.h"
+
+static int r_32_12_16_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                               const unsigned char *iv,int enc);
+static int rc5_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr);
+
+IMPLEMENT_BLOCK_CIPHER(rc5_32_12_16, rc5.ks, RC5_32, rc5, NID_rc5,
+                        8, EVP_RC5_32_12_16_KEY_SIZE, 8, 
+                        EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,
+                        r_32_12_16_init_key, NULL,
+                        NULL, NULL, rc5_ctrl)
+
+
+
+static int rc5_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
+        {
+                switch(type) {
+
+                        case EVP_CTRL_INIT:
+                        c->c.rc5.rounds = RC5_12_ROUNDS;
+                        return 1;
+
+                        case EVP_CTRL_GET_RC5_ROUNDS:
+                        *(int *)ptr = c->c.rc5.rounds;
+                        return 1;
+                        
+                        
+                        case EVP_CTRL_SET_RC5_ROUNDS:
+                        switch(arg) {
+                                case RC5_8_ROUNDS:
+                                case RC5_12_ROUNDS:
+                                case RC5_16_ROUNDS:
+                                c->c.rc5.rounds = arg;
+                                return 1;
+
+                                default:
+                                EVPerr(EVP_F_RC5_CTRL, EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS);
+                                return 0;
+                        }
+
+                        default:
+                        return -1;
+                }
+        }
+
+static int r_32_12_16_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                               const unsigned char *iv, int enc)
+        {
+        RC5_32_set_key(&(ctx->c.rc5.ks),EVP_CIPHER_CTX_key_length(ctx),
+                        key,ctx->c.rc5.rounds);
+        return 1;
+        }
+
+#endif
diff --git a/src/lib/libssl/src/crypto/evp/evp_acnf.c b/src/lib/libssl/src/crypto/evp/evp_acnf.c
new file mode 100644
index 0000000000..a68b979bdb
--- /dev/null
+++ b/src/lib/libssl/src/crypto/evp/evp_acnf.c
@@ -0,0 +1,74 @@
+/* evp_acnf.c */
+/* Written by Stephen Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/conf.h>
+#include <openssl/engine.h>
+
+
+/* Load all algorithms and configure OpenSSL.
+ * This function is called automatically when
+ * OPENSSL_LOAD_CONF is set.
+ */
+
+void OPENSSL_add_all_algorithms_conf(void)
+        {
+        OPENSSL_add_all_algorithms_noconf();
+        OPENSSL_config(NULL);
+        }
diff --git a/src/lib/libssl/src/crypto/evp/evp_locl.h b/src/lib/libssl/src/crypto/evp/evp_locl.h
new file mode 100644
index 0000000000..ce49d5b7d8
--- /dev/null
+++ b/src/lib/libssl/src/crypto/evp/evp_locl.h
@@ -0,0 +1,168 @@
+/* evp_locl.h */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* Macros to code block cipher wrappers */
+
+/* Wrapper functions for each cipher mode */
+
+#define BLOCK_CIPHER_ecb_loop() \
+        unsigned int i; \
+        if(inl < 8) return 1;\
+        inl -= 8; \
+        for(i=0; i <= inl; i+=8) \
+
+#define BLOCK_CIPHER_func_ecb(cname, cprefix, kname) \
+static int cname##_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) \
+{\
+        BLOCK_CIPHER_ecb_loop() \
+                cprefix##_ecb_encrypt(in + i, out + i, &ctx->c.kname, ctx->encrypt);\
+        return 1;\
+}
+
+#define BLOCK_CIPHER_func_ofb(cname, cprefix, kname) \
+static int cname##_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) \
+{\
+        cprefix##_ofb64_encrypt(in, out, (long)inl, &ctx->c.kname, ctx->iv, &ctx->num);\
+        return 1;\
+}
+
+#define BLOCK_CIPHER_func_cbc(cname, cprefix, kname) \
+static int cname##_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) \
+{\
+        cprefix##_cbc_encrypt(in, out, (long)inl, &ctx->c.kname, ctx->iv, ctx->encrypt);\
+        return 1;\
+}
+
+#define BLOCK_CIPHER_func_cfb(cname, cprefix, kname) \
+static int cname##_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) \
+{\
+        cprefix##_cfb64_encrypt(in, out, (long)inl, &ctx->c.kname, ctx->iv, &ctx->num, ctx->encrypt);\
+        return 1;\
+}
+
+#define BLOCK_CIPHER_all_funcs(cname, cprefix, kname) \
+        BLOCK_CIPHER_func_cbc(cname, cprefix, kname) \
+        BLOCK_CIPHER_func_cfb(cname, cprefix, kname) \
+        BLOCK_CIPHER_func_ecb(cname, cprefix, kname) \
+        BLOCK_CIPHER_func_ofb(cname, cprefix, kname)
+
+#define BLOCK_CIPHER_defs(cname, kstruct, \
+                                nid, block_size, key_len, iv_len, flags,\
+                                 init_key, cleanup, set_asn1, get_asn1, ctrl)\
+static EVP_CIPHER cname##_cbc = {\
+        nid##_cbc, block_size, key_len, iv_len, \
+        flags | EVP_CIPH_CBC_MODE,\
+        init_key,\
+        cname##_cbc_cipher,\
+        cleanup,\
+        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+\
+                sizeof((((EVP_CIPHER_CTX *)NULL)->c.kstruct)),\
+        set_asn1, get_asn1,\
+        ctrl, \
+        NULL \
+};\
+EVP_CIPHER *EVP_##cname##_cbc(void) { return &cname##_cbc; }\
+static EVP_CIPHER cname##_cfb = {\
+        nid##_cfb64, 1, key_len, iv_len, \
+        flags | EVP_CIPH_CFB_MODE,\
+        init_key,\
+        cname##_cfb_cipher,\
+        cleanup,\
+        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+\
+                sizeof((((EVP_CIPHER_CTX *)NULL)->c.kstruct)),\
+        set_asn1, get_asn1,\
+        ctrl,\
+        NULL \
+};\
+EVP_CIPHER *EVP_##cname##_cfb(void) { return &cname##_cfb; }\
+static EVP_CIPHER cname##_ofb = {\
+        nid##_ofb64, 1, key_len, iv_len, \
+        flags | EVP_CIPH_OFB_MODE,\
+        init_key,\
+        cname##_ofb_cipher,\
+        cleanup,\
+        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+\
+                sizeof((((EVP_CIPHER_CTX *)NULL)->c.kstruct)),\
+        set_asn1, get_asn1,\
+        ctrl,\
+        NULL \
+};\
+EVP_CIPHER *EVP_##cname##_ofb(void) { return &cname##_ofb; }\
+static EVP_CIPHER cname##_ecb = {\
+        nid##_ecb, block_size, key_len, iv_len, \
+        flags | EVP_CIPH_ECB_MODE,\
+        init_key,\
+        cname##_ecb_cipher,\
+        cleanup,\
+        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+\
+                sizeof((((EVP_CIPHER_CTX *)NULL)->c.kstruct)),\
+        set_asn1, get_asn1,\
+        ctrl,\
+        NULL \
+};\
+EVP_CIPHER *EVP_##cname##_ecb(void) { return &cname##_ecb; }
+
+
+
+#define IMPLEMENT_BLOCK_CIPHER(cname, kname, cprefix, kstruct, \
+                                nid, block_size, key_len, iv_len, flags, \
+                                 init_key, cleanup, set_asn1, get_asn1, ctrl) \
+        BLOCK_CIPHER_all_funcs(cname, cprefix, kname) \
+        BLOCK_CIPHER_defs(cname, kstruct, nid, block_size, key_len, iv_len, flags,\
+                 init_key, cleanup, set_asn1, get_asn1, ctrl) 
+
diff --git a/src/lib/libssl/src/crypto/evp/evp_pbe.c b/src/lib/libssl/src/crypto/evp/evp_pbe.c
new file mode 100644
index 0000000000..353c3ad667
--- /dev/null
+++ b/src/lib/libssl/src/crypto/evp/evp_pbe.c
@@ -0,0 +1,134 @@
+/* evp_pbe.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include "cryptlib.h"
+
+/* Password based encryption (PBE) functions */
+
+static STACK *pbe_algs;
+
+/* Setup a cipher context from a PBE algorithm */
+
+typedef struct {
+int pbe_nid;
+EVP_CIPHER *cipher;
+EVP_MD *md;
+EVP_PBE_KEYGEN *keygen;
+} EVP_PBE_CTL;
+
+int EVP_PBE_CipherInit (ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
+             ASN1_TYPE *param, EVP_CIPHER_CTX *ctx, int en_de)
+{
+
+        EVP_PBE_CTL *pbetmp, pbelu;
+        int i;
+        pbelu.pbe_nid = OBJ_obj2nid(pbe_obj);
+        if (pbelu.pbe_nid != NID_undef) i = sk_find(pbe_algs, (char *)&pbelu);
+        else i = -1;
+
+        if (i == -1) {
+                char obj_tmp[80];
+                EVPerr(EVP_F_EVP_PBE_CIPHERINIT,EVP_R_UNKNOWN_PBE_ALGORITHM);
+                if (!pbe_obj) strcpy (obj_tmp, "NULL");
+                else i2t_ASN1_OBJECT(obj_tmp, 80, pbe_obj);
+                ERR_add_error_data(2, "TYPE=", obj_tmp);
+                return 0;
+        }
+        if (passlen == -1) passlen = strlen(pass);
+        pbetmp = (EVP_PBE_CTL *)sk_value (pbe_algs, i);
+        i = (*pbetmp->keygen)(ctx, pass, passlen, param, pbetmp->cipher,
+                                                 pbetmp->md, en_de);
+        if (!i) {
+                EVPerr(EVP_F_EVP_PBE_CIPHERINIT,EVP_R_KEYGEN_FAILURE);
+                return 0;
+        }
+        return 1;       
+}
+
+static int pbe_cmp (EVP_PBE_CTL **pbe1, EVP_PBE_CTL **pbe2)
+{
+        return ((*pbe1)->pbe_nid - (*pbe2)->pbe_nid);
+}
+
+/* Add a PBE algorithm */
+
+int EVP_PBE_alg_add (int nid, EVP_CIPHER *cipher, EVP_MD *md,
+             EVP_PBE_KEYGEN *keygen)
+{
+        EVP_PBE_CTL *pbe_tmp;
+        if (!pbe_algs) pbe_algs = sk_new (pbe_cmp);
+        if (!(pbe_tmp = (EVP_PBE_CTL*) Malloc (sizeof(EVP_PBE_CTL)))) {
+                EVPerr(EVP_F_EVP_PBE_ALG_ADD,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        pbe_tmp->pbe_nid = nid;
+        pbe_tmp->cipher = cipher;
+        pbe_tmp->md = md;
+        pbe_tmp->keygen = keygen;
+        sk_push (pbe_algs, (char *)pbe_tmp);
+        return 1;
+}
+
+void EVP_PBE_cleanup(void)
+{
+        sk_pop_free(pbe_algs, FreeFunc);
+        pbe_algs = NULL;
+}
diff --git a/src/lib/libssl/src/crypto/evp/evp_pkey.c b/src/lib/libssl/src/crypto/evp/evp_pkey.c
new file mode 100644
index 0000000000..421e452db1
--- /dev/null
+++ b/src/lib/libssl/src/crypto/evp/evp_pkey.c
@@ -0,0 +1,298 @@
+/* evp_pkey.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include "cryptlib.h"
+#include <openssl/x509.h>
+#include <openssl/rand.h>
+
+/* Extract a private key from a PKCS8 structure */
+
+EVP_PKEY *EVP_PKCS82PKEY (PKCS8_PRIV_KEY_INFO *p8)
+{
+        EVP_PKEY *pkey;
+#ifndef NO_RSA
+        RSA *rsa;
+#endif
+#ifndef NO_DSA
+        DSA *dsa;
+        ASN1_INTEGER *dsapriv;
+        STACK *ndsa;
+        BN_CTX *ctx;
+        int plen;
+#endif
+        X509_ALGOR *a;
+        unsigned char *p;
+        int pkeylen;
+        char obj_tmp[80];
+
+        switch (p8->broken) {
+                case PKCS8_OK:
+                p = p8->pkey->value.octet_string->data;
+                pkeylen = p8->pkey->value.octet_string->length;
+                break;
+
+                case PKCS8_NO_OCTET:
+                p = p8->pkey->value.sequence->data;
+                pkeylen = p8->pkey->value.sequence->length;
+                break;
+
+                default:
+                EVPerr(EVP_F_EVP_PKCS82PKEY,EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE);
+                return NULL;
+                break;
+        }
+        if (!(pkey = EVP_PKEY_new())) {
+                EVPerr(EVP_F_EVP_PKCS82PKEY,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        a = p8->pkeyalg;
+        switch (OBJ_obj2nid(a->algorithm))
+        {
+#ifndef NO_RSA
+                case NID_rsaEncryption:
+                if (!(rsa = d2i_RSAPrivateKey (NULL, &p, pkeylen))) {
+                        EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
+                        return NULL;
+                }
+                EVP_PKEY_assign_RSA (pkey, rsa);
+                break;
+#endif
+#ifndef NO_DSA
+                case NID_dsa:
+                /* PKCS#8 DSA is weird: you just get a private key integer
+                 * and parameters in the AlgorithmIdentifier the pubkey must
+                 * be recalculated.
+                 */
+        
+                /* Check for broken Netscape Database DSA PKCS#8, UGH! */
+                if(*p == (V_ASN1_SEQUENCE|V_ASN1_CONSTRUCTED)) {
+                    if(!(ndsa = ASN1_seq_unpack(p, pkeylen, 
+                                        (char *(*)())d2i_ASN1_INTEGER,
+                                                         ASN1_STRING_free))) {
+                        EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
+                        return NULL;
+                    }
+                    if(sk_num(ndsa) != 2 ) {
+                        EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
+                        sk_pop_free(ndsa, ASN1_STRING_free);
+                        return NULL;
+                    }
+                    dsapriv = (ASN1_INTEGER *) sk_pop(ndsa);
+                    sk_pop_free(ndsa, ASN1_STRING_free);
+                } else if (!(dsapriv=d2i_ASN1_INTEGER (NULL, &p, pkeylen))) {
+                        EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
+                        return NULL;
+                }
+                /* Retrieve parameters */
+                if (a->parameter->type != V_ASN1_SEQUENCE) {
+                        EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_NO_DSA_PARAMETERS);
+                        return NULL;
+                }
+                p = a->parameter->value.sequence->data;
+                plen = a->parameter->value.sequence->length;
+                if (!(dsa = d2i_DSAparams (NULL, &p, plen))) {
+                        EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
+                        return NULL;
+                }
+                /* We have parameters now set private key */
+                if (!(dsa->priv_key = ASN1_INTEGER_to_BN(dsapriv, NULL))) {
+                        EVPerr(EVP_F_EVP_PKCS82PKEY,EVP_R_BN_DECODE_ERROR);
+                        DSA_free (dsa);
+                        return NULL;
+                }
+                /* Calculate public key (ouch!) */
+                if (!(dsa->pub_key = BN_new())) {
+                        EVPerr(EVP_F_EVP_PKCS82PKEY,ERR_R_MALLOC_FAILURE);
+                        DSA_free (dsa);
+                        return NULL;
+                }
+                if (!(ctx = BN_CTX_new())) {
+                        EVPerr(EVP_F_EVP_PKCS82PKEY,ERR_R_MALLOC_FAILURE);
+                        DSA_free (dsa);
+                        return NULL;
+                }
+                        
+                if (!BN_mod_exp(dsa->pub_key, dsa->g,
+                                                 dsa->priv_key, dsa->p, ctx)) {
+                        
+                        EVPerr(EVP_F_EVP_PKCS82PKEY,EVP_R_BN_PUBKEY_ERROR);
+                        BN_CTX_free (ctx);
+                        DSA_free (dsa);
+                        return NULL;
+                }
+
+                EVP_PKEY_assign_DSA (pkey, dsa);
+                BN_CTX_free (ctx);
+                break;
+#endif
+                default:
+                EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM);
+                if (!a->algorithm) strcpy (obj_tmp, "NULL");
+                else i2t_ASN1_OBJECT(obj_tmp, 80, a->algorithm);
+                ERR_add_error_data(2, "TYPE=", obj_tmp);
+                EVP_PKEY_free (pkey);
+                return NULL;
+        }
+        return pkey;
+}
+
+/* Turn a private key into a PKCS8 structure */
+
+PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey)
+{
+        PKCS8_PRIV_KEY_INFO *p8;
+#ifndef NO_DSA
+        ASN1_INTEGER *dpkey;
+        unsigned char *p, *q;
+        int len;
+#endif
+        if (!(p8 = PKCS8_PRIV_KEY_INFO_new())) {        
+                EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        ASN1_INTEGER_set (p8->version, 0);
+        if (!(p8->pkeyalg->parameter = ASN1_TYPE_new ())) {
+                EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                PKCS8_PRIV_KEY_INFO_free (p8);
+                return NULL;
+        }
+        switch (EVP_PKEY_type(pkey->type)) {
+#ifndef NO_RSA
+                case EVP_PKEY_RSA:
+
+                p8->pkeyalg->algorithm = OBJ_nid2obj(NID_rsaEncryption);
+                p8->pkeyalg->parameter->type = V_ASN1_NULL;
+                if (!ASN1_pack_string ((char *)pkey, i2d_PrivateKey,
+                                         &p8->pkey->value.octet_string)) {
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                        PKCS8_PRIV_KEY_INFO_free (p8);
+                        return NULL;
+                }
+                break;
+#endif
+#ifndef NO_DSA
+                case EVP_PKEY_DSA:
+                p8->pkeyalg->algorithm = OBJ_nid2obj(NID_dsa);
+
+                /* get paramaters and place in AlgorithmIdentifier */
+                len = i2d_DSAparams (pkey->pkey.dsa, NULL);
+                if (!(p = Malloc(len))) {
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                        PKCS8_PRIV_KEY_INFO_free (p8);
+                        return NULL;
+                }
+                q = p;
+                i2d_DSAparams (pkey->pkey.dsa, &q);
+                p8->pkeyalg->parameter->type = V_ASN1_SEQUENCE;
+                p8->pkeyalg->parameter->value.sequence = ASN1_STRING_new();
+                ASN1_STRING_set(p8->pkeyalg->parameter->value.sequence, p, len);
+                Free(p);
+                /* Get private key into an integer and pack */
+                if (!(dpkey = BN_to_ASN1_INTEGER (pkey->pkey.dsa->priv_key, NULL))) {
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,EVP_R_ENCODE_ERROR);
+                        PKCS8_PRIV_KEY_INFO_free (p8);
+                        return NULL;
+                }
+                
+                if (!ASN1_pack_string((char *)dpkey, i2d_ASN1_INTEGER,
+                                         &p8->pkey->value.octet_string)) {
+                        EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+                        ASN1_INTEGER_free (dpkey);
+                        PKCS8_PRIV_KEY_INFO_free (p8);
+                        return NULL;
+                }
+                ASN1_INTEGER_free (dpkey);
+                break;
+#endif
+                default:
+                EVPerr(EVP_F_EVP_PKEY2PKCS8, EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM);
+                PKCS8_PRIV_KEY_INFO_free (p8);
+                return NULL;
+        }
+        p8->pkey->type = V_ASN1_OCTET_STRING;
+        RAND_seed (p8->pkey->value.octet_string->data,
+                                         p8->pkey->value.octet_string->length);
+        return p8;
+}
+
+PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken)
+{
+        switch (broken) {
+
+                case PKCS8_OK:
+                p8->broken = PKCS8_OK;
+                return p8;
+                break;
+
+                case PKCS8_NO_OCTET:
+                p8->broken = PKCS8_NO_OCTET;
+                p8->pkey->type = V_ASN1_SEQUENCE;
+                return p8;
+                break;
+
+                default:
+                EVPerr(EVP_F_EVP_PKCS8_SET_BROKEN,EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE);
+                return NULL;
+                break;
+                
+        }
+}
+
+
diff --git a/src/lib/libssl/src/crypto/evp/evp_test.c b/src/lib/libssl/src/crypto/evp/evp_test.c
new file mode 100644
index 0000000000..3607fe7776
--- /dev/null
+++ b/src/lib/libssl/src/crypto/evp/evp_test.c
@@ -0,0 +1,365 @@
+/* Written by Ben Laurie, 2001 */
+/*
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/evp.h>
+#include <openssl/engine.h>
+#include <openssl/conf.h>
+
+static void hexdump(FILE *f,const char *title,const unsigned char *s,int l)
+    {
+    int n=0;
+
+    fprintf(f,"%s",title);
+    for( ; n < l ; ++n)
+        {
+        if((n%16) == 0)
+            fprintf(f,"\n%04x",n);
+        fprintf(f," %02x",s[n]);
+        }
+    fprintf(f,"\n");
+    }
+
+static int convert(unsigned char *s)
+    {
+    unsigned char *d;
+
+    for(d=s ; *s ; s+=2,++d)
+        {
+        unsigned int n;
+
+        if(!s[1])
+            {
+            fprintf(stderr,"Odd number of hex digits!");
+            exit(4);
+            }
+        sscanf((char *)s,"%2x",&n);
+        *d=(unsigned char)n;
+        }
+    return s-d;
+    }
+
+static char *sstrsep(char **string, const char *delim)
+    {
+    char isdelim[256];
+    char *token = *string;
+
+    if (**string == 0)
+        return NULL;
+
+    memset(isdelim, 0, 256);
+    isdelim[0] = 1;
+
+    while (*delim)
+        {
+        isdelim[(unsigned char)(*delim)] = 1;
+        delim++;
+        }
+
+    while (!isdelim[(unsigned char)(**string)])
+        {
+        (*string)++;
+        }
+
+    if (**string)
+        {
+        **string = 0;
+        (*string)++;
+        }
+
+    return token;
+    }
+
+static unsigned char *ustrsep(char **p,const char *sep)
+    { return (unsigned char *)sstrsep((char **)p,sep); }
+
+static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
+                  const unsigned char *iv,int in,
+                  const unsigned char *plaintext,int pn,
+                  const unsigned char *ciphertext,int cn)
+    {
+    EVP_CIPHER_CTX ctx;
+    unsigned char out[4096];
+    int outl,outl2;
+
+    printf("Testing cipher %s\n",EVP_CIPHER_name(c));
+    hexdump(stdout,"Key",key,kn);
+    if(in)
+        hexdump(stdout,"IV",iv,in);
+    hexdump(stdout,"Plaintext",plaintext,pn);
+    hexdump(stdout,"Ciphertext",ciphertext,cn);
+    
+    if(kn != c->key_len)
+        {
+        fprintf(stderr,"Key length doesn't match, got %d expected %d\n",kn,
+                c->key_len);
+        exit(5);
+        }
+    EVP_CIPHER_CTX_init(&ctx);
+    if(!EVP_EncryptInit_ex(&ctx,c,NULL,key,iv))
+        {
+        fprintf(stderr,"EncryptInit failed\n");
+        exit(10);
+        }
+    EVP_CIPHER_CTX_set_padding(&ctx,0);
+
+    if(!EVP_EncryptUpdate(&ctx,out,&outl,plaintext,pn))
+        {
+        fprintf(stderr,"Encrypt failed\n");
+        exit(6);
+        }
+    if(!EVP_EncryptFinal_ex(&ctx,out+outl,&outl2))
+        {
+        fprintf(stderr,"EncryptFinal failed\n");
+        exit(7);
+        }
+
+    if(outl+outl2 != cn)
+        {
+        fprintf(stderr,"Ciphertext length mismatch got %d expected %d\n",
+                outl+outl2,cn);
+        exit(8);
+        }
+
+    if(memcmp(out,ciphertext,cn))
+        {
+        fprintf(stderr,"Ciphertext mismatch\n");
+        hexdump(stderr,"Got",out,cn);
+        hexdump(stderr,"Expected",ciphertext,cn);
+        exit(9);
+        }
+
+    if(!EVP_DecryptInit_ex(&ctx,c,NULL,key,iv))
+        {
+        fprintf(stderr,"DecryptInit failed\n");
+        exit(11);
+        }
+    EVP_CIPHER_CTX_set_padding(&ctx,0);
+
+    if(!EVP_DecryptUpdate(&ctx,out,&outl,ciphertext,pn))
+        {
+        fprintf(stderr,"Decrypt failed\n");
+        exit(6);
+        }
+    if(!EVP_DecryptFinal_ex(&ctx,out+outl,&outl2))
+        {
+        fprintf(stderr,"DecryptFinal failed\n");
+        exit(7);
+        }
+
+    if(outl+outl2 != cn)
+        {
+        fprintf(stderr,"Plaintext length mismatch got %d expected %d\n",
+                outl+outl2,cn);
+        exit(8);
+        }
+
+    if(memcmp(out,plaintext,cn))
+        {
+        fprintf(stderr,"Plaintext mismatch\n");
+        hexdump(stderr,"Got",out,cn);
+        hexdump(stderr,"Expected",plaintext,cn);
+        exit(9);
+        }
+
+    printf("\n");
+    }
+
+static int test_cipher(const char *cipher,const unsigned char *key,int kn,
+                       const unsigned char *iv,int in,
+                       const unsigned char *plaintext,int pn,
+                       const unsigned char *ciphertext,int cn)
+    {
+    const EVP_CIPHER *c;
+
+    c=EVP_get_cipherbyname(cipher);
+    if(!c)
+        return 0;
+
+    test1(c,key,kn,iv,in,plaintext,pn,ciphertext,cn);
+
+    return 1;
+    }
+
+static int test_digest(const char *digest,
+                       const unsigned char *plaintext,int pn,
+                       const unsigned char *ciphertext, unsigned int cn)
+    {
+    const EVP_MD *d;
+    EVP_MD_CTX ctx;
+    unsigned char md[EVP_MAX_MD_SIZE];
+    unsigned int mdn;
+
+    d=EVP_get_digestbyname(digest);
+    if(!d)
+        return 0;
+
+    printf("Testing digest %s\n",EVP_MD_name(d));
+    hexdump(stdout,"Plaintext",plaintext,pn);
+    hexdump(stdout,"Digest",ciphertext,cn);
+
+    EVP_MD_CTX_init(&ctx);
+    if(!EVP_DigestInit_ex(&ctx,d, NULL))
+        {
+        fprintf(stderr,"DigestInit failed\n");
+        exit(100);
+        }
+    if(!EVP_DigestUpdate(&ctx,plaintext,pn))
+        {
+        fprintf(stderr,"DigestUpdate failed\n");
+        exit(101);
+        }
+    if(!EVP_DigestFinal_ex(&ctx,md,&mdn))
+        {
+        fprintf(stderr,"DigestFinal failed\n");
+        exit(101);
+        }
+    EVP_MD_CTX_cleanup(&ctx);
+
+    if(mdn != cn)
+        {
+        fprintf(stderr,"Digest length mismatch, got %d expected %d\n",mdn,cn);
+        exit(102);
+        }
+
+    if(memcmp(md,ciphertext,cn))
+        {
+        fprintf(stderr,"Digest mismatch\n");
+        hexdump(stderr,"Got",md,cn);
+        hexdump(stderr,"Expected",ciphertext,cn);
+        exit(103);
+        }
+
+    printf("\n");
+
+    return 1;
+    }
+
+int main(int argc,char **argv)
+    {
+    const char *szTestFile;
+    FILE *f;
+
+    if(argc != 2)
+        {
+        fprintf(stderr,"%s <test file>\n",argv[0]);
+        exit(1);
+        }
+    CRYPTO_malloc_debug_init();
+    CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
+    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+
+    szTestFile=argv[1];
+
+    f=fopen(szTestFile,"r");
+    if(!f)
+        {
+        perror(szTestFile);
+        exit(2);
+        }
+
+    /* Load up the software EVP_CIPHER and EVP_MD definitions */
+    OpenSSL_add_all_ciphers();
+    OpenSSL_add_all_digests();
+    /* Load all compiled-in ENGINEs */
+    ENGINE_load_builtin_engines();
+#if 0
+    OPENSSL_config();
+#endif
+    /* Register all available ENGINE implementations of ciphers and digests.
+     * This could perhaps be changed to "ENGINE_register_all_complete()"? */
+    ENGINE_register_all_ciphers();
+    ENGINE_register_all_digests();
+    /* If we add command-line options, this statement should be switchable.
+     * It'll prevent ENGINEs being ENGINE_init()ialised for cipher/digest use if
+     * they weren't already initialised. */
+    /* ENGINE_set_cipher_flags(ENGINE_CIPHER_FLAG_NOINIT); */
+
+    for( ; ; )
+        {
+        char line[4096];
+        char *p;
+        char *cipher;
+        unsigned char *iv,*key,*plaintext,*ciphertext;
+        int kn,in,pn,cn;
+
+        if(!fgets((char *)line,sizeof line,f))
+            break;
+        if(line[0] == '#' || line[0] == '\n')
+            continue;
+        p=line;
+        cipher=sstrsep(&p,":"); 
+        key=ustrsep(&p,":");
+        iv=ustrsep(&p,":");
+        plaintext=ustrsep(&p,":");
+        ciphertext=ustrsep(&p,"\n");
+
+        kn=convert(key);
+        in=convert(iv);
+        pn=convert(plaintext);
+        cn=convert(ciphertext);
+
+        if(!test_cipher(cipher,key,kn,iv,in,plaintext,pn,ciphertext,cn)
+           && !test_digest(cipher,plaintext,pn,ciphertext,cn))
+            {
+            fprintf(stderr,"Can't find %s\n",cipher);
+            exit(3);
+            }
+        }
+
+    ENGINE_cleanup();
+    EVP_cleanup();
+    CRYPTO_cleanup_all_ex_data();
+    ERR_remove_state(0);
+    ERR_free_strings();
+    CRYPTO_mem_leaks_fp(stderr);
+
+    return 0;
+    }
diff --git a/src/lib/libssl/src/crypto/evp/evptests.txt b/src/lib/libssl/src/crypto/evp/evptests.txt
new file mode 100644
index 0000000000..6c1529db37
--- /dev/null
+++ b/src/lib/libssl/src/crypto/evp/evptests.txt
@@ -0,0 +1,82 @@
+#cipher:key:iv:input:output
+#digest:::input:output
+
+# SHA(1) tests (from shatest.c)
+SHA1:::616263:a9993e364706816aba3e25717850c26c9cd0d89d
+
+# MD5 tests (from md5test.c)
+MD5::::d41d8cd98f00b204e9800998ecf8427e
+MD5:::61:0cc175b9c0f1b6a831c399e269772661
+MD5:::616263:900150983cd24fb0d6963f7d28e17f72
+MD5:::6d65737361676520646967657374:f96b697d7cb7938d525a2f31aaf161d0
+MD5:::6162636465666768696a6b6c6d6e6f707172737475767778797a:c3fcd3d76192e4007dfb496cca67e13b
+MD5:::4142434445464748494a4b4c4d4e4f505152535455565758595a6162636465666768696a6b6c6d6e6f707172737475767778797a30313233343536373839:d174ab98d277d9f5a5611c2c9f419d9f
+MD5:::3132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930:57edf4a22be3c955ac49da2e2107b67a
+
+# AES 128 ECB tests (from FIPS-197 test vectors, encrypt)
+
+AES-128-ECB:000102030405060708090A0B0C0D0E0F::00112233445566778899AABBCCDDEEFF:69C4E0D86A7B0430D8CDB78070B4C55A
+
+# AES 192 ECB tests (from FIPS-197 test vectors, encrypt)
+
+AES-192-ECB:000102030405060708090A0B0C0D0E0F1011121314151617::00112233445566778899AABBCCDDEEFF:DDA97CA4864CDFE06EAF70A0EC0D7191
+
+# AES 256 ECB tests (from FIPS-197 test vectors, encrypt)
+
+AES-256-ECB:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F::00112233445566778899AABBCCDDEEFF:8EA2B7CA516745BFEAFC49904B496089
+
+# AES 128 ECB tests (from NIST test vectors, encrypt)
+
+#AES-128-ECB:00000000000000000000000000000000::00000000000000000000000000000000:C34C052CC0DA8D73451AFE5F03BE297F
+
+# AES 128 ECB tests (from NIST test vectors, decrypt)
+
+#AES-128-ECB:00000000000000000000000000000000::44416AC2D1F53C583303917E6BE9EBE0:00000000000000000000000000000000
+
+# AES 192 ECB tests (from NIST test vectors, decrypt)
+
+#AES-192-ECB:000000000000000000000000000000000000000000000000::48E31E9E256718F29229319C19F15BA4:00000000000000000000000000000000
+
+# AES 256 ECB tests (from NIST test vectors, decrypt)
+
+#AES-256-ECB:0000000000000000000000000000000000000000000000000000000000000000::058CCFFDBBCB382D1F6F56585D8A4ADE:00000000000000000000000000000000
+
+# AES 128 CBC tests (from NIST test vectors, encrypt)
+
+#AES-128-CBC:00000000000000000000000000000000:00000000000000000000000000000000:00000000000000000000000000000000:8A05FC5E095AF4848A08D328D3688E3D
+
+# AES 192 CBC tests (from NIST test vectors, encrypt)
+
+#AES-192-CBC:000000000000000000000000000000000000000000000000:00000000000000000000000000000000:00000000000000000000000000000000:7BD966D53AD8C1BB85D2ADFAE87BB104
+
+# AES 256 CBC tests (from NIST test vectors, encrypt)
+
+#AES-256-CBC:0000000000000000000000000000000000000000000000000000000000000000:00000000000000000000000000000000:00000000000000000000000000000000:FE3C53653E2F45B56FCD88B2CC898FF0
+
+# AES 128 CBC tests (from NIST test vectors, decrypt)
+
+#AES-128-CBC:00000000000000000000000000000000:00000000000000000000000000000000:FACA37E0B0C85373DF706E73F7C9AF86:00000000000000000000000000000000
+
+# DES ECB tests (from destest)
+
+DES-ECB:0000000000000000::0000000000000000:8CA64DE9C1B123A7
+DES-ECB:FFFFFFFFFFFFFFFF::FFFFFFFFFFFFFFFF:7359B2163E4EDC58
+DES-ECB:3000000000000000::1000000000000001:958E6E627A05557B
+DES-ECB:1111111111111111::1111111111111111:F40379AB9E0EC533
+DES-ECB:0123456789ABCDEF::1111111111111111:17668DFC7292532D
+DES-ECB:1111111111111111::0123456789ABCDEF:8A5AE1F81AB8F2DD
+DES-ECB:FEDCBA9876543210::0123456789ABCDEF:ED39D950FA74BCC4
+
+# DESX-CBC tests (from destest)
+DESX-CBC:0123456789abcdeff1e0d3c2b5a49786fedcba9876543210:fedcba9876543210:37363534333231204E6F77206973207468652074696D6520666F722000000000:846B2914851E9A2954732F8AA0A611C115CDC2D7951B1053A63C5E03B21AA3C4
+
+# DES EDE3 CBC tests (from destest)
+DES-EDE3-CBC:0123456789abcdeff1e0d3c2b5a49786fedcba9876543210:fedcba9876543210:37363534333231204E6F77206973207468652074696D6520666F722000000000:3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675
+
+# RC4 tests (from rc4test)
+RC4:0123456789abcdef0123456789abcdef::0123456789abcdef:75b7878099e0c596
+RC4:0123456789abcdef0123456789abcdef::0000000000000000:7494c2e7104b0879
+RC4:00000000000000000000000000000000::0000000000000000:de188941a3375d3a
+RC4:ef012345ef012345ef012345ef012345::0000000000000000000000000000000000000000:d6a141a7ec3c38dfbd615a1162e1c7ba36b67858
+RC4:0123456789abcdef0123456789abcdef::123456789ABCDEF0123456789ABCDEF0123456789ABCDEF012345678:66a0949f8af7d6891f7f832ba833c00c892ebe30143ce28740011ecf
+RC4:ef012345ef012345ef012345ef012345::00000000000000000000:d6a141a7ec3c38dfbd61
diff --git a/src/lib/libssl/src/crypto/evp/m_md4.c b/src/lib/libssl/src/crypto/evp/m_md4.c
new file mode 100644
index 0000000000..6a24ceb86d
--- /dev/null
+++ b/src/lib/libssl/src/crypto/evp/m_md4.c
@@ -0,0 +1,83 @@
+/* crypto/evp/m_md4.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef NO_MD4
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+
+static EVP_MD md4_md=
+        {
+        NID_md4,
+        0,
+        MD4_DIGEST_LENGTH,
+        MD4_Init,
+        MD4_Update,
+        MD4_Final,
+        EVP_PKEY_RSA_method,
+        MD4_CBLOCK,
+        sizeof(EVP_MD *)+sizeof(MD4_CTX),
+        };
+
+EVP_MD *EVP_md4(void)
+        {
+        return(&md4_md);
+        }
+#endif
diff --git a/src/lib/libssl/src/crypto/evp/openbsd_hw.c b/src/lib/libssl/src/crypto/evp/openbsd_hw.c
new file mode 100644
index 0000000000..3831a5731e
--- /dev/null
+++ b/src/lib/libssl/src/crypto/evp/openbsd_hw.c
@@ -0,0 +1,446 @@
+/* Written by Ben Laurie, 2001 */
+/*
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/rsa.h>
+#include "evp_locl.h"
+
+/* This stuff should now all be supported through
+ * crypto/engine/hw_openbsd_dev_crypto.c unless I botched it up */
+static void *dummy=&dummy;
+
+#if 0
+
+/* check flag after OpenSSL headers to ensure make depend works */
+#ifdef OPENSSL_OPENBSD_DEV_CRYPTO
+
+#include <fcntl.h>
+#include <stdio.h>
+#include <errno.h>
+#include <sys/ioctl.h>
+#include <crypto/cryptodev.h>
+#include <unistd.h>
+#include <assert.h>
+
+/* longest key supported in hardware */
+#define MAX_HW_KEY      24
+#define MAX_HW_IV       8
+
+#define MD5_DIGEST_LENGTH       16
+#define MD5_CBLOCK              64
+
+static int fd;
+static int dev_failed;
+
+typedef struct session_op session_op;
+
+#define CDATA(ctx) EVP_C_DATA(session_op,ctx)
+
+static void err(const char *str)
+    {
+    fprintf(stderr,"%s: errno %d\n",str,errno);
+    }
+
+static int dev_crypto_init(session_op *ses)
+    {
+    if(dev_failed)
+        return 0;
+    if(!fd)
+        {
+        int cryptodev_fd;
+
+        if ((cryptodev_fd=open("/dev/crypto",O_RDWR,0)) < 0)
+            {
+            err("/dev/crypto");
+            dev_failed=1;
+            return 0;
+            }
+        if (ioctl(cryptodev_fd,CRIOGET,&fd) == -1)
+            {
+            err("CRIOGET failed");
+            close(cryptodev_fd);
+            dev_failed=1;
+            return 0;
+            }
+        close(cryptodev_fd);
+        }
+    assert(ses);
+    memset(ses,'\0',sizeof *ses);
+
+    return 1;
+    }
+
+static int dev_crypto_cleanup(EVP_CIPHER_CTX *ctx)
+    {
+    if(ioctl(fd,CIOCFSESSION,&CDATA(ctx)->ses) == -1)
+        err("CIOCFSESSION failed");
+
+    OPENSSL_free(CDATA(ctx)->key);
+
+    return 1;
+    }
+
+static int dev_crypto_init_key(EVP_CIPHER_CTX *ctx,int cipher,
+                               const unsigned char *key,int klen)
+    {
+    if(!dev_crypto_init(CDATA(ctx)))
+        return 0;
+
+    CDATA(ctx)->key=OPENSSL_malloc(MAX_HW_KEY);
+
+    assert(ctx->cipher->iv_len <= MAX_HW_IV);
+
+    memcpy(CDATA(ctx)->key,key,klen);
+    
+    CDATA(ctx)->cipher=cipher;
+    CDATA(ctx)->keylen=klen;
+
+    if (ioctl(fd,CIOCGSESSION,CDATA(ctx)) == -1)
+        {
+        err("CIOCGSESSION failed");
+        return 0;
+        }
+    return 1;
+    }
+
+static int dev_crypto_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
+                             const unsigned char *in,unsigned int inl)
+    {
+    struct crypt_op cryp;
+    unsigned char lb[MAX_HW_IV];
+
+    if(!inl)
+        return 1;
+
+    assert(CDATA(ctx));
+    assert(!dev_failed);
+
+    memset(&cryp,'\0',sizeof cryp);
+    cryp.ses=CDATA(ctx)->ses;
+    cryp.op=ctx->encrypt ? COP_ENCRYPT : COP_DECRYPT;
+    cryp.flags=0;
+    cryp.len=inl;
+    assert((inl&(ctx->cipher->block_size-1)) == 0);
+    cryp.src=(caddr_t)in;
+    cryp.dst=(caddr_t)out;
+    cryp.mac=0;
+    if(ctx->cipher->iv_len)
+        cryp.iv=(caddr_t)ctx->iv;
+
+    if(!ctx->encrypt)
+        memcpy(lb,&in[cryp.len-ctx->cipher->iv_len],ctx->cipher->iv_len);
+
+    if(ioctl(fd, CIOCCRYPT, &cryp) == -1)
+        {
+        if(errno == EINVAL) /* buffers are misaligned */
+            {
+            unsigned int cinl=0;
+            char *cin=NULL;
+            char *cout=NULL;
+
+            /* NB: this can only make cinl != inl with stream ciphers */
+            cinl=(inl+3)/4*4;
+
+            if(((unsigned long)in&3) || cinl != inl)
+                {
+                cin=OPENSSL_malloc(cinl);
+                memcpy(cin,in,inl);
+                cryp.src=cin;
+                }
+
+            if(((unsigned long)out&3) || cinl != inl)
+                {
+                cout=OPENSSL_malloc(cinl);
+                cryp.dst=cout;
+                }
+
+            cryp.len=cinl;
+
+            if(ioctl(fd, CIOCCRYPT, &cryp) == -1)
+                {
+                err("CIOCCRYPT(2) failed");
+                printf("src=%p dst=%p\n",cryp.src,cryp.dst);
+                abort();
+                return 0;
+                }
+                
+            if(cout)
+                {
+                memcpy(out,cout,inl);
+                OPENSSL_free(cout);
+                }
+            if(cin)
+                OPENSSL_free(cin);
+            }
+        else 
+            {       
+            err("CIOCCRYPT failed");
+            abort();
+            return 0;
+            }
+        }
+
+    if(ctx->encrypt)
+        memcpy(ctx->iv,&out[cryp.len-ctx->cipher->iv_len],ctx->cipher->iv_len);
+    else
+        memcpy(ctx->iv,lb,ctx->cipher->iv_len);
+
+    return 1;
+    }
+
+static int dev_crypto_des_ede3_init_key(EVP_CIPHER_CTX *ctx,
+                                        const unsigned char *key,
+                                        const unsigned char *iv, int enc)
+    { return dev_crypto_init_key(ctx,CRYPTO_3DES_CBC,key,24); }
+
+#define dev_crypto_des_ede3_cbc_cipher dev_crypto_cipher
+
+BLOCK_CIPHER_def_cbc(dev_crypto_des_ede3, session_op, NID_des_ede3, 8, 24, 8,
+                     0, dev_crypto_des_ede3_init_key,
+                     dev_crypto_cleanup, 
+                     EVP_CIPHER_set_asn1_iv,
+                     EVP_CIPHER_get_asn1_iv,
+                     NULL)
+
+static int dev_crypto_rc4_init_key(EVP_CIPHER_CTX *ctx,
+                                        const unsigned char *key,
+                                        const unsigned char *iv, int enc)
+    { return dev_crypto_init_key(ctx,CRYPTO_ARC4,key,16); }
+
+static const EVP_CIPHER r4_cipher=
+    {
+    NID_rc4,
+    1,16,0,     /* FIXME: key should be up to 256 bytes */
+    EVP_CIPH_VARIABLE_LENGTH,
+    dev_crypto_rc4_init_key,
+    dev_crypto_cipher,
+    dev_crypto_cleanup,
+    sizeof(session_op),
+    NULL,
+    NULL,
+    NULL
+    };
+
+const EVP_CIPHER *EVP_dev_crypto_rc4(void)
+    { return &r4_cipher; }
+
+typedef struct
+    {
+    session_op sess;
+    char *data;
+    int len;
+    unsigned char md[EVP_MAX_MD_SIZE];
+    } MD_DATA;
+
+static int dev_crypto_init_digest(MD_DATA *md_data,int mac)
+    {
+    if(!dev_crypto_init(&md_data->sess))
+        return 0;
+
+    md_data->len=0;
+    md_data->data=NULL;
+
+    md_data->sess.mac=mac;
+
+    if (ioctl(fd,CIOCGSESSION,&md_data->sess) == -1)
+        {
+        err("CIOCGSESSION failed");
+        return 0;
+        }
+    return 1;
+    }
+
+static int dev_crypto_cleanup_digest(MD_DATA *md_data)
+    {
+    if (ioctl(fd,CIOCFSESSION,&md_data->sess.ses) == -1)
+        {
+        err("CIOCFSESSION failed");
+        return 0;
+        }
+
+    return 1;
+    }
+
+/* FIXME: if device can do chained MACs, then don't accumulate */
+/* FIXME: move accumulation to the framework */
+static int dev_crypto_md5_init(EVP_MD_CTX *ctx)
+    { return dev_crypto_init_digest(ctx->md_data,CRYPTO_MD5); }
+
+static int do_digest(int ses,unsigned char *md,const void *data,int len)
+    {
+    struct crypt_op cryp;
+    static unsigned char md5zero[16]=
+        {
+        0xd4,0x1d,0x8c,0xd9,0x8f,0x00,0xb2,0x04,
+        0xe9,0x80,0x09,0x98,0xec,0xf8,0x42,0x7e
+        };
+
+    /* some cards can't do zero length */
+    if(!len)
+        {
+        memcpy(md,md5zero,16);
+        return 1;
+        }
+
+    memset(&cryp,'\0',sizeof cryp);
+    cryp.ses=ses;
+    cryp.op=COP_ENCRYPT;/* required to do the MAC rather than check it */
+    cryp.len=len;
+    cryp.src=(caddr_t)data;
+    cryp.dst=(caddr_t)data; // FIXME!!!
+    cryp.mac=(caddr_t)md;
+
+    if(ioctl(fd, CIOCCRYPT, &cryp) == -1)
+        {
+        if(errno == EINVAL) /* buffer is misaligned */
+            {
+            char *dcopy;
+
+            dcopy=OPENSSL_malloc(len);
+            memcpy(dcopy,data,len);
+            cryp.src=dcopy;
+            cryp.dst=cryp.src; // FIXME!!!
+
+            if(ioctl(fd, CIOCCRYPT, &cryp) == -1)
+                {
+                err("CIOCCRYPT(MAC2) failed");
+                abort();
+                return 0;
+                }
+            OPENSSL_free(dcopy);
+            }
+        else
+            {
+            err("CIOCCRYPT(MAC) failed");
+            abort();
+            return 0;
+            }
+        }
+    //    printf("done\n");
+
+    return 1;
+    }
+
+static int dev_crypto_md5_update(EVP_MD_CTX *ctx,const void *data,
+                                 unsigned long len)
+    {
+    MD_DATA *md_data=ctx->md_data;
+
+    if(ctx->flags&EVP_MD_CTX_FLAG_ONESHOT)
+        return do_digest(md_data->sess.ses,md_data->md,data,len);
+
+    md_data->data=OPENSSL_realloc(md_data->data,md_data->len+len);
+    memcpy(md_data->data+md_data->len,data,len);
+    md_data->len+=len;
+
+    return 1;
+    }   
+
+static int dev_crypto_md5_final(EVP_MD_CTX *ctx,unsigned char *md)
+    {
+    int ret;
+    MD_DATA *md_data=ctx->md_data;
+
+    if(ctx->flags&EVP_MD_CTX_FLAG_ONESHOT)
+        {
+        memcpy(md,md_data->md,MD5_DIGEST_LENGTH);
+        ret=1;
+        }
+    else
+        {
+        ret=do_digest(md_data->sess.ses,md,md_data->data,md_data->len);
+        OPENSSL_free(md_data->data);
+        md_data->data=NULL;
+        md_data->len=0;
+        }
+
+    return ret;
+    }
+
+static int dev_crypto_md5_copy(EVP_MD_CTX *to,const EVP_MD_CTX *from)
+    {
+    const MD_DATA *from_md=from->md_data;
+    MD_DATA *to_md=to->md_data;
+
+    // How do we copy sessions?
+    assert(from->digest->flags&EVP_MD_FLAG_ONESHOT);
+
+    to_md->data=OPENSSL_malloc(from_md->len);
+    memcpy(to_md->data,from_md->data,from_md->len);
+
+    return 1;
+    }
+
+static int dev_crypto_md5_cleanup(EVP_MD_CTX *ctx)
+    {
+    return dev_crypto_cleanup_digest(ctx->md_data);
+    }
+
+static const EVP_MD md5_md=
+    {
+    NID_md5,
+    NID_md5WithRSAEncryption,
+    MD5_DIGEST_LENGTH,
+    EVP_MD_FLAG_ONESHOT,        // XXX: set according to device info...
+    dev_crypto_md5_init,
+    dev_crypto_md5_update,
+    dev_crypto_md5_final,
+    dev_crypto_md5_copy,
+    dev_crypto_md5_cleanup,
+    EVP_PKEY_RSA_method,
+    MD5_CBLOCK,
+    sizeof(MD_DATA),
+    };
+
+const EVP_MD *EVP_dev_crypto_md5(void)
+    { return &md5_md; }
+
+#endif
+#endif
diff --git a/src/lib/libssl/src/crypto/evp/p5_crpt.c b/src/lib/libssl/src/crypto/evp/p5_crpt.c
new file mode 100644
index 0000000000..e3dae52d4d
--- /dev/null
+++ b/src/lib/libssl/src/crypto/evp/p5_crpt.c
@@ -0,0 +1,146 @@
+/* p5_crpt.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/x509.h>
+#include <openssl/evp.h>
+#include "cryptlib.h"
+
+/* PKCS#5 v1.5 compatible PBE functions: see PKCS#5 v2.0 for more info.
+ */
+
+void PKCS5_PBE_add(void)
+{
+#ifndef NO_DES
+#  ifndef NO_MD5
+EVP_PBE_alg_add(NID_pbeWithMD5AndDES_CBC, EVP_des_cbc(), EVP_md5(),
+                                                         PKCS5_PBE_keyivgen);
+#  endif
+#  ifndef NO_MD2
+EVP_PBE_alg_add(NID_pbeWithMD2AndDES_CBC, EVP_des_cbc(), EVP_md2(),
+                                                         PKCS5_PBE_keyivgen);
+#  endif
+#  ifndef NO_SHA
+EVP_PBE_alg_add(NID_pbeWithSHA1AndDES_CBC, EVP_des_cbc(), EVP_sha1(),
+                                                         PKCS5_PBE_keyivgen);
+#  endif
+#endif
+#ifndef NO_RC2
+#  ifndef NO_MD5
+EVP_PBE_alg_add(NID_pbeWithMD5AndRC2_CBC, EVP_rc2_64_cbc(), EVP_md5(),
+                                                         PKCS5_PBE_keyivgen);
+#  endif
+#  ifndef NO_MD2
+EVP_PBE_alg_add(NID_pbeWithMD2AndRC2_CBC, EVP_rc2_64_cbc(), EVP_md2(),
+                                                         PKCS5_PBE_keyivgen);
+#  endif
+#  ifndef NO_SHA
+EVP_PBE_alg_add(NID_pbeWithSHA1AndRC2_CBC, EVP_rc2_64_cbc(), EVP_sha1(),
+                                                         PKCS5_PBE_keyivgen);
+#  endif
+#endif
+#ifndef NO_HMAC
+EVP_PBE_alg_add(NID_pbes2, NULL, NULL, PKCS5_v2_PBE_keyivgen);
+#endif
+}
+
+int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
+                         ASN1_TYPE *param, EVP_CIPHER *cipher, EVP_MD *md,
+                         int en_de)
+{
+        EVP_MD_CTX ctx;
+        unsigned char md_tmp[EVP_MAX_MD_SIZE];
+        unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
+        int i;
+        PBEPARAM *pbe;
+        int saltlen, iter;
+        unsigned char *salt, *pbuf;
+
+        /* Extract useful info from parameter */
+        pbuf = param->value.sequence->data;
+        if (!param || (param->type != V_ASN1_SEQUENCE) ||
+           !(pbe = d2i_PBEPARAM (NULL, &pbuf, param->value.sequence->length))) {
+                EVPerr(EVP_F_PKCS5_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
+                return 0;
+        }
+
+        if (!pbe->iter) iter = 1;
+        else iter = ASN1_INTEGER_get (pbe->iter);
+        salt = pbe->salt->data;
+        saltlen = pbe->salt->length;
+
+        EVP_DigestInit (&ctx, md);
+        EVP_DigestUpdate (&ctx, pass, passlen);
+        EVP_DigestUpdate (&ctx, salt, saltlen);
+        PBEPARAM_free(pbe);
+        EVP_DigestFinal (&ctx, md_tmp, NULL);
+        for (i = 1; i < iter; i++) {
+                EVP_DigestInit(&ctx, md);
+                EVP_DigestUpdate(&ctx, md_tmp, EVP_MD_size(md));
+                EVP_DigestFinal (&ctx, md_tmp, NULL);
+        }
+        memcpy (key, md_tmp, EVP_CIPHER_key_length(cipher));
+        memcpy (iv, md_tmp + (16 - EVP_CIPHER_iv_length(cipher)),
+                                                 EVP_CIPHER_iv_length(cipher));
+        EVP_CipherInit(cctx, cipher, key, iv, en_de);
+        memset(md_tmp, 0, EVP_MAX_MD_SIZE);
+        memset(key, 0, EVP_MAX_KEY_LENGTH);
+        memset(iv, 0, EVP_MAX_IV_LENGTH);
+        return 1;
+}
diff --git a/src/lib/libssl/src/crypto/evp/p5_crpt2.c b/src/lib/libssl/src/crypto/evp/p5_crpt2.c
new file mode 100644
index 0000000000..27a2c518be
--- /dev/null
+++ b/src/lib/libssl/src/crypto/evp/p5_crpt2.c
@@ -0,0 +1,247 @@
+/* p5_crpt2.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#if !defined(NO_HMAC) && !defined(NO_SHA)
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/x509.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include "cryptlib.h"
+
+/* set this to print out info about the keygen algorithm */
+/* #define DEBUG_PKCS5V2 */
+
+#ifdef DEBUG_PKCS5V2
+        static void h__dump (const unsigned char *p, int len);
+#endif
+
+/* This is an implementation of PKCS#5 v2.0 password based encryption key
+ * derivation function PBKDF2 using the only currently defined function HMAC
+ * with SHA1. Verified against test vectors posted by Peter Gutmann
+ * <pgut001@cs.auckland.ac.nz> to the PKCS-TNG <pkcs-tng@rsa.com> mailing list.
+ */
+
+int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
+                           unsigned char *salt, int saltlen, int iter,
+                           int keylen, unsigned char *out)
+{
+        unsigned char digtmp[SHA_DIGEST_LENGTH], *p, itmp[4];
+        int cplen, j, k, tkeylen;
+        unsigned long i = 1;
+        HMAC_CTX hctx;
+        p = out;
+        tkeylen = keylen;
+        if(passlen == -1) passlen = strlen(pass);
+        while(tkeylen) {
+                if(tkeylen > SHA_DIGEST_LENGTH) cplen = SHA_DIGEST_LENGTH;
+                else cplen = tkeylen;
+                /* We are unlikely to ever use more than 256 blocks (5120 bits!)
+                 * but just in case...
+                 */
+                itmp[0] = (unsigned char)((i >> 24) & 0xff);
+                itmp[1] = (unsigned char)((i >> 16) & 0xff);
+                itmp[2] = (unsigned char)((i >> 8) & 0xff);
+                itmp[3] = (unsigned char)(i & 0xff);
+                HMAC_Init(&hctx, pass, passlen, EVP_sha1());
+                HMAC_Update(&hctx, salt, saltlen);
+                HMAC_Update(&hctx, itmp, 4);
+                HMAC_Final(&hctx, digtmp, NULL);
+                memcpy(p, digtmp, cplen);
+                for(j = 1; j < iter; j++) {
+                        HMAC(EVP_sha1(), pass, passlen,
+                                 digtmp, SHA_DIGEST_LENGTH, digtmp, NULL);
+                        for(k = 0; k < cplen; k++) p[k] ^= digtmp[k];
+                }
+                tkeylen-= cplen;
+                i++;
+                p+= cplen;
+        }
+        HMAC_cleanup(&hctx);
+#ifdef DEBUG_PKCS5V2
+        fprintf(stderr, "Password:\n");
+        h__dump (pass, passlen);
+        fprintf(stderr, "Salt:\n");
+        h__dump (salt, saltlen);
+        fprintf(stderr, "Iteration count %d\n", iter);
+        fprintf(stderr, "Key:\n");
+        h__dump (out, keylen);
+#endif
+        return 1;
+}
+
+#ifdef DO_TEST
+main()
+{
+        unsigned char out[4];
+        unsigned char salt[] = {0x12, 0x34, 0x56, 0x78};
+        PKCS5_PBKDF2_HMAC_SHA1("password", -1, salt, 4, 5, 4, out);
+        fprintf(stderr, "Out %02X %02X %02X %02X\n",
+                                         out[0], out[1], out[2], out[3]);
+}
+
+#endif
+
+/* Now the key derivation function itself. This is a bit evil because
+ * it has to check the ASN1 parameters are valid: and there are quite a
+ * few of them...
+ */
+
+int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
+                         ASN1_TYPE *param, EVP_CIPHER *c, EVP_MD *md,
+                         int en_de)
+{
+        unsigned char *pbuf, *salt, key[EVP_MAX_KEY_LENGTH];
+        int saltlen, keylen, iter, plen;
+        PBE2PARAM *pbe2 = NULL;
+        const EVP_CIPHER *cipher;
+        PBKDF2PARAM *kdf = NULL;
+
+        pbuf = param->value.sequence->data;
+        plen = param->value.sequence->length;
+        if(!param || (param->type != V_ASN1_SEQUENCE) ||
+                                   !(pbe2 = d2i_PBE2PARAM(NULL, &pbuf, plen))) {
+                EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
+                return 0;
+        }
+
+        /* See if we recognise the key derivation function */
+
+        if(OBJ_obj2nid(pbe2->keyfunc->algorithm) != NID_id_pbkdf2) {
+                EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
+                                EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION);
+                goto err;
+        }
+
+        /* lets see if we recognise the encryption algorithm.
+         */
+
+        cipher = EVP_get_cipherbyname(
+                        OBJ_nid2sn(OBJ_obj2nid(pbe2->encryption->algorithm)));
+
+        if(!cipher) {
+                EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
+                                                EVP_R_UNSUPPORTED_CIPHER);
+                goto err;
+        }
+
+        /* Fixup cipher based on AlgorithmIdentifier */
+        EVP_CipherInit(ctx, cipher, NULL, NULL, en_de);
+        if(EVP_CIPHER_asn1_to_param(ctx, pbe2->encryption->parameter) < 0) {
+                EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
+                                        EVP_R_CIPHER_PARAMETER_ERROR);
+                goto err;
+        }
+        keylen = EVP_CIPHER_CTX_key_length(ctx);
+
+        /* Now decode key derivation function */
+
+        pbuf = pbe2->keyfunc->parameter->value.sequence->data;
+        plen = pbe2->keyfunc->parameter->value.sequence->length;
+        if(!pbe2->keyfunc->parameter ||
+                 (pbe2->keyfunc->parameter->type != V_ASN1_SEQUENCE) ||
+                                !(kdf = d2i_PBKDF2PARAM(NULL, &pbuf, plen)) ) {
+                EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
+                goto err;
+        }
+
+        PBE2PARAM_free(pbe2);
+        pbe2 = NULL;
+
+        /* Now check the parameters of the kdf */
+
+        if(kdf->keylength && (ASN1_INTEGER_get(kdf->keylength) != keylen)){
+                EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
+                                                EVP_R_UNSUPPORTED_KEYLENGTH);
+                goto err;
+        }
+
+        if(kdf->prf && (OBJ_obj2nid(kdf->prf->algorithm) != NID_hmacWithSHA1)) {
+                EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN, EVP_R_UNSUPPORTED_PRF);
+                goto err;
+        }
+
+        if(kdf->salt->type != V_ASN1_OCTET_STRING) {
+                EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
+                                                EVP_R_UNSUPPORTED_SALT_TYPE);
+                goto err;
+        }
+
+        /* it seems that its all OK */
+        salt = kdf->salt->value.octet_string->data;
+        saltlen = kdf->salt->value.octet_string->length;
+        iter = ASN1_INTEGER_get(kdf->iter);
+        PKCS5_PBKDF2_HMAC_SHA1(pass, passlen, salt, saltlen, iter, keylen, key);
+        EVP_CipherInit(ctx, NULL, key, NULL, en_de);
+        memset(key, 0, keylen);
+        PBKDF2PARAM_free(kdf);
+        return 1;
+
+        err:
+        PBE2PARAM_free(pbe2);
+        PBKDF2PARAM_free(kdf);
+        return 0;
+}
+
+#ifdef DEBUG_PKCS5V2
+static void h__dump (const unsigned char *p, int len)
+{
+        for (; len --; p++) fprintf(stderr, "%02X ", *p);
+        fprintf(stderr, "\n");
+}
+#endif
+#endif
diff --git a/src/lib/libssl/src/crypto/idea/idea.h b/src/lib/libssl/src/crypto/idea/idea.h
new file mode 100644
index 0000000000..ae32f5692e
--- /dev/null
+++ b/src/lib/libssl/src/crypto/idea/idea.h
@@ -0,0 +1,99 @@
+/* crypto/idea/idea.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_IDEA_H
+#define HEADER_IDEA_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef NO_IDEA
+#error IDEA is disabled.
+#endif
+
+#define IDEA_ENCRYPT    1
+#define IDEA_DECRYPT    0
+
+#include <openssl/opensslconf.h> /* IDEA_INT */
+#define IDEA_BLOCK      8
+#define IDEA_KEY_LENGTH 16
+
+typedef struct idea_key_st
+        {
+        IDEA_INT data[9][6];
+        } IDEA_KEY_SCHEDULE;
+
+const char *idea_options(void);
+void idea_ecb_encrypt(unsigned char *in, unsigned char *out,
+        IDEA_KEY_SCHEDULE *ks);
+void idea_set_encrypt_key(unsigned char *key, IDEA_KEY_SCHEDULE *ks);
+void idea_set_decrypt_key(IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk);
+void idea_cbc_encrypt(unsigned char *in, unsigned char *out,
+        long length, IDEA_KEY_SCHEDULE *ks, unsigned char *iv,int enc);
+void idea_cfb64_encrypt(unsigned char *in, unsigned char *out,
+        long length, IDEA_KEY_SCHEDULE *ks, unsigned char *iv,
+        int *num,int enc);
+void idea_ofb64_encrypt(unsigned char *in, unsigned char *out,
+        long length, IDEA_KEY_SCHEDULE *ks, unsigned char *iv, int *num);
+void idea_encrypt(unsigned long *in, IDEA_KEY_SCHEDULE *ks);
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/src/lib/libssl/src/crypto/install.com b/src/lib/libssl/src/crypto/install.com
new file mode 100644
index 0000000000..b75d1b44b2
--- /dev/null
+++ b/src/lib/libssl/src/crypto/install.com
@@ -0,0 +1,128 @@
+$! INSTALL.COM -- Installs the files in a given directory tree
+$!
+$! Author: Richard Levitte <richard@levitte.org>
+$! Time of creation: 22-MAY-1998 10:13
+$!
+$! P1   root of the directory tree
+$!
+$       IF P1 .EQS. ""
+$       THEN
+$           WRITE SYS$OUTPUT "First argument missing."
+$           WRITE SYS$OUTPUT "Should be the directory where you want things installed."
+$           EXIT
+$       ENDIF
+$
+$       ROOT = F$PARSE(P1,"[]A.;0",,,"SYNTAX_ONLY,NO_CONCEAL") - "A.;0"
+$       ROOT_DEV = F$PARSE(ROOT,,,"DEVICE","SYNTAX_ONLY")
+$       ROOT_DIR = F$PARSE(ROOT,,,"DIRECTORY","SYNTAX_ONLY") -
+                   - "[000000." - "][" - "[" - "]"
+$       ROOT = ROOT_DEV + "[" + ROOT_DIR
+$
+$       DEFINE/NOLOG WRK_SSLROOT 'ROOT'.] /TRANS=CONC
+$       DEFINE/NOLOG WRK_SSLVLIB WRK_SSLROOT:[VAX_LIB]
+$       DEFINE/NOLOG WRK_SSLALIB WRK_SSLROOT:[ALPHA_LIB]
+$       DEFINE/NOLOG WRK_SSLINCLUDE WRK_SSLROOT:[INCLUDE]
+$
+$       IF F$PARSE("WRK_SSLROOT:[000000]") .EQS. "" THEN -
+           CREATE/DIR/LOG WRK_SSLROOT:[000000]
+$       IF F$PARSE("WRK_SSLVLIB:") .EQS. "" THEN -
+           CREATE/DIR/LOG WRK_SSLVLIB:
+$       IF F$PARSE("WRK_SSLALIB:") .EQS. "" THEN -
+           CREATE/DIR/LOG WRK_SSLALIB:
+$       IF F$PARSE("WRK_SSLINCLUDE:") .EQS. "" THEN -
+           CREATE/DIR/LOG WRK_SSLINCLUDE:
+$
+$       SDIRS := ,MD2,MD5,SHA,MDC2,HMAC,RIPEMD,-
+                 DES,RC2,RC4,RC5,IDEA,BF,CAST,-
+                 BN,RSA,DSA,DH,-
+                 BUFFER,BIO,STACK,LHASH,RAND,ERR,OBJECTS,-
+                 EVP,ASN1,PEM,X509,X509V3,-
+                 CONF,TXT_DB,PKCS7,PKCS12,COMP
+$       EXHEADER_ := crypto.h,tmdiff.h,opensslv.h,opensslconf.h,ebcdic.h
+$       EXHEADER_MD2 := md2.h
+$       EXHEADER_MD5 := md5.h
+$       EXHEADER_SHA := sha.h
+$       EXHEADER_MDC2 := mdc2.h
+$       EXHEADER_HMAC := hmac.h
+$       EXHEADER_RIPEMD := ripemd.h
+$       EXHEADER_DES := des.h
+$       EXHEADER_RC2 := rc2.h
+$       EXHEADER_RC4 := rc4.h
+$       EXHEADER_RC5 := rc5.h
+$       EXHEADER_IDEA := idea.h
+$       EXHEADER_BF := blowfish.h
+$       EXHEADER_CAST := cast.h
+$       EXHEADER_BN := bn.h
+$       EXHEADER_RSA := rsa.h
+$       EXHEADER_DSA := dsa.h
+$       EXHEADER_DH := dh.h
+$       EXHEADER_BUFFER := buffer.h
+$       EXHEADER_BIO := bio.h
+$       EXHEADER_STACK := stack.h,safestack.h
+$       EXHEADER_LHASH := lhash.h
+$       EXHEADER_RAND := rand.h
+$       EXHEADER_ERR := err.h
+$       EXHEADER_OBJECTS := objects.h
+$       EXHEADER_EVP := evp.h
+$       EXHEADER_ASN1 := asn1.h,asn1_mac.h
+$       EXHEADER_PEM := pem.h,pem2.h
+$       EXHEADER_X509 := x509.h,x509_vfy.h
+$       EXHEADER_X509V3 := x509v3.h
+$       EXHEADER_CONF := conf.h
+$       EXHEADER_TXT_DB := txt_db.h
+$       EXHEADER_PKCS7 := pkcs7.h
+$       EXHEADER_PKCS12 := pkcs12.h
+$       EXHEADER_COMP := comp.h
+$       LIBS := LIBCRYPTO
+$
+$       VEXE_DIR := [-.VAX.EXE.CRYPTO]
+$       AEXE_DIR := [-.AXP.EXE.CRYPTO]
+$
+$       I = 0
+$ LOOP_SDIRS: 
+$       D = F$EDIT(F$ELEMENT(I, ",", SDIRS),"TRIM")
+$       I = I + 1
+$       IF D .EQS. "," THEN GOTO LOOP_SDIRS_END
+$       tmp = EXHEADER_'D'
+$       IF D .EQS. ""
+$       THEN
+$         COPY 'tmp' WRK_SSLINCLUDE: /LOG
+$       ELSE
+$         COPY [.'D']'tmp' WRK_SSLINCLUDE: /LOG
+$       ENDIF
+$       GOTO LOOP_SDIRS
+$ LOOP_SDIRS_END:
+$
+$       I = 0
+$ LOOP_LIB: 
+$       E = F$EDIT(F$ELEMENT(I, ",", LIBS),"TRIM")
+$       I = I + 1
+$       IF E .EQS. "," THEN GOTO LOOP_LIB_END
+$       SET NOON
+$       IF F$SEARCH(VEXE_DIR+E+".OLB") .NES. ""
+$       THEN
+$         COPY 'VEXE_DIR''E'.OLB WRK_SSLVLIB:'E'.OLB/log
+$         SET FILE/PROT=W:RE WRK_SSLVLIB:'E'.OLB
+$       ENDIF
+$       ! Preparing for the time when we have shareable images
+$       IF F$SEARCH(VEXE_DIR+E+".EXE") .NES. ""
+$       THEN
+$         COPY 'VEXE_DIR''E'.EXE WRK_SSLVLIB:'E'.EXE/log
+$         SET FILE/PROT=W:RE WRK_SSLVLIB:'E'.EXE
+$       ENDIF
+$       IF F$SEARCH(AEXE_DIR+E+".OLB") .NES. ""
+$       THEN
+$         COPY 'AEXE_DIR''E'.OLB WRK_SSLALIB:'E'.OLB/log
+$         SET FILE/PROT=W:RE WRK_SSLALIB:'E'.OLB
+$       ENDIF
+$       ! Preparing for the time when we have shareable images
+$       IF F$SEARCH(AEXE_DIR+E+".EXE") .NES. ""
+$       THEN
+$         COPY 'AEXE_DIR''E'.EXE WRK_SSLALIB:'E'.EXE/log
+$         SET FILE/PROT=W:RE WRK_SSLALIB:'E'.EXE
+$       ENDIF
+$       SET ON
+$       GOTO LOOP_LIB
+$ LOOP_LIB_END:
+$
+$       EXIT
diff --git a/src/lib/libssl/src/crypto/krb5/krb5_asn.c b/src/lib/libssl/src/crypto/krb5/krb5_asn.c
new file mode 100644
index 0000000000..1fb741d2a0
--- /dev/null
+++ b/src/lib/libssl/src/crypto/krb5/krb5_asn.c
@@ -0,0 +1,167 @@
+/* krb5_asn.c */
+/* Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project,
+** using ocsp/{*.h,*asn*.c} as a starting point
+*/
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/krb5_asn.h>
+
+
+ASN1_SEQUENCE(KRB5_ENCDATA) = {
+        ASN1_EXP(KRB5_ENCDATA, etype,           ASN1_INTEGER,     0),
+        ASN1_EXP_OPT(KRB5_ENCDATA, kvno,        ASN1_INTEGER,     1),
+        ASN1_EXP(KRB5_ENCDATA, cipher,          ASN1_OCTET_STRING,2)
+} ASN1_SEQUENCE_END(KRB5_ENCDATA)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_ENCDATA)
+
+
+ASN1_SEQUENCE(KRB5_PRINCNAME) = {
+        ASN1_EXP(KRB5_PRINCNAME, nametype,      ASN1_INTEGER,     0),
+        ASN1_EXP_SEQUENCE_OF(KRB5_PRINCNAME, namestring, ASN1_GENERALSTRING, 1)
+} ASN1_SEQUENCE_END(KRB5_PRINCNAME)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_PRINCNAME)
+
+
+/* [APPLICATION 1] = 0x61 */
+ASN1_SEQUENCE(KRB5_TKTBODY) = {
+        ASN1_EXP(KRB5_TKTBODY, tktvno,          ASN1_INTEGER,     0),
+        ASN1_EXP(KRB5_TKTBODY, realm,           ASN1_GENERALSTRING, 1),
+        ASN1_EXP(KRB5_TKTBODY, sname,           KRB5_PRINCNAME,   2),
+        ASN1_EXP(KRB5_TKTBODY, encdata,         KRB5_ENCDATA,     3)
+} ASN1_SEQUENCE_END(KRB5_TKTBODY)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_TKTBODY)
+
+
+ASN1_ITEM_TEMPLATE(KRB5_TICKET) = 
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_EXPTAG|ASN1_TFLG_APPLICATION, 1,
+                        KRB5_TICKET, KRB5_TKTBODY)
+ASN1_ITEM_TEMPLATE_END(KRB5_TICKET)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_TICKET)
+
+
+/* [APPLICATION 14] = 0x6e */
+ASN1_SEQUENCE(KRB5_APREQBODY) = {
+        ASN1_EXP(KRB5_APREQBODY, pvno,          ASN1_INTEGER,     0),
+        ASN1_EXP(KRB5_APREQBODY, msgtype,       ASN1_INTEGER,     1),
+        ASN1_EXP(KRB5_APREQBODY, apoptions,     ASN1_BIT_STRING,  2),
+        ASN1_EXP(KRB5_APREQBODY, ticket,        KRB5_TICKET,      3),
+        ASN1_EXP(KRB5_APREQBODY, authenticator, KRB5_ENCDATA,     4),
+} ASN1_SEQUENCE_END(KRB5_APREQBODY)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_APREQBODY)
+
+ASN1_ITEM_TEMPLATE(KRB5_APREQ) = 
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_EXPTAG|ASN1_TFLG_APPLICATION, 14,
+                        KRB5_APREQ, KRB5_APREQBODY)
+ASN1_ITEM_TEMPLATE_END(KRB5_APREQ)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_APREQ)
+
+
+/*  Authenticator stuff         */
+
+ASN1_SEQUENCE(KRB5_CHECKSUM) = {
+        ASN1_EXP(KRB5_CHECKSUM, ctype,          ASN1_INTEGER,     0),
+        ASN1_EXP(KRB5_CHECKSUM, checksum,       ASN1_OCTET_STRING,1)
+} ASN1_SEQUENCE_END(KRB5_CHECKSUM)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_CHECKSUM)
+
+
+ASN1_SEQUENCE(KRB5_ENCKEY) = {
+        ASN1_EXP(KRB5_ENCKEY,   ktype,          ASN1_INTEGER,     0),
+        ASN1_EXP(KRB5_ENCKEY,   keyvalue,       ASN1_OCTET_STRING,1)
+} ASN1_SEQUENCE_END(KRB5_ENCKEY)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_ENCKEY)
+
+
+/* SEQ OF SEQ; see ASN1_EXP_SEQUENCE_OF_OPT() below */
+ASN1_SEQUENCE(KRB5_AUTHDATA) = {
+        ASN1_EXP(KRB5_AUTHDATA, adtype,         ASN1_INTEGER,     0),
+        ASN1_EXP(KRB5_AUTHDATA, addata,         ASN1_OCTET_STRING,1)
+} ASN1_SEQUENCE_END(KRB5_AUTHDATA)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_AUTHDATA)
+
+
+/* [APPLICATION 2] = 0x62 */
+ASN1_SEQUENCE(KRB5_AUTHENTBODY) = {
+        ASN1_EXP(KRB5_AUTHENTBODY,      avno,   ASN1_INTEGER,     0),
+        ASN1_EXP(KRB5_AUTHENTBODY,      crealm, ASN1_GENERALSTRING, 1),
+        ASN1_EXP(KRB5_AUTHENTBODY,      cname,  KRB5_PRINCNAME,   2),
+        ASN1_EXP_OPT(KRB5_AUTHENTBODY,  cksum,  KRB5_CHECKSUM,    3),
+        ASN1_EXP(KRB5_AUTHENTBODY,      cusec,  ASN1_INTEGER,     4),
+        ASN1_EXP(KRB5_AUTHENTBODY,      ctime,  ASN1_GENERALIZEDTIME, 5),
+        ASN1_EXP_OPT(KRB5_AUTHENTBODY,  subkey, KRB5_ENCKEY,      6),
+        ASN1_EXP_OPT(KRB5_AUTHENTBODY,  seqnum, ASN1_INTEGER,     7),
+        ASN1_EXP_SEQUENCE_OF_OPT
+                    (KRB5_AUTHENTBODY,  authorization,  KRB5_AUTHDATA, 8),
+} ASN1_SEQUENCE_END(KRB5_AUTHENTBODY)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_AUTHENTBODY)
+
+ASN1_ITEM_TEMPLATE(KRB5_AUTHENT) = 
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_EXPTAG|ASN1_TFLG_APPLICATION, 2,
+                        KRB5_AUTHENT, KRB5_AUTHENTBODY)
+ASN1_ITEM_TEMPLATE_END(KRB5_AUTHENT)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_AUTHENT)
+
diff --git a/src/lib/libssl/src/crypto/krb5/krb5_asn.h b/src/lib/libssl/src/crypto/krb5/krb5_asn.h
new file mode 100644
index 0000000000..3329477b07
--- /dev/null
+++ b/src/lib/libssl/src/crypto/krb5/krb5_asn.h
@@ -0,0 +1,256 @@
+/* krb5_asn.h */
+/* Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project,
+** using ocsp/{*.h,*asn*.c} as a starting point
+*/
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_KRB5_ASN_H
+#define HEADER_KRB5_ASN_H
+
+/*
+#include <krb5.h>
+*/
+#include <openssl/safestack.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+
+/*      ASN.1 from Kerberos RFC 1510
+*/
+
+/*      EncryptedData ::=   SEQUENCE {
+**              etype[0]                      INTEGER, -- EncryptionType
+**              kvno[1]                       INTEGER OPTIONAL,
+**              cipher[2]                     OCTET STRING -- ciphertext
+**      }
+*/
+typedef struct  krb5_encdata_st
+        {
+        ASN1_INTEGER                    *etype;
+        ASN1_INTEGER                    *kvno;
+        ASN1_OCTET_STRING               *cipher;
+        }       KRB5_ENCDATA;
+
+DECLARE_STACK_OF(KRB5_ENCDATA)
+
+/*      PrincipalName ::=   SEQUENCE {
+**              name-type[0]                  INTEGER,
+**              name-string[1]                SEQUENCE OF GeneralString
+**      }
+*/
+typedef struct  krb5_princname_st
+        {
+        ASN1_INTEGER                    *nametype;
+        STACK_OF(ASN1_GENERALSTRING)    *namestring;
+        }       KRB5_PRINCNAME;
+
+DECLARE_STACK_OF(KRB5_PRINCNAME)
+
+
+/*      Ticket ::=      [APPLICATION 1] SEQUENCE {
+**              tkt-vno[0]                    INTEGER,
+**              realm[1]                      Realm,
+**              sname[2]                      PrincipalName,
+**              enc-part[3]                   EncryptedData
+**      }
+*/
+typedef struct  krb5_tktbody_st
+        {
+        ASN1_INTEGER                    *tktvno;
+        ASN1_GENERALSTRING              *realm;
+        KRB5_PRINCNAME                  *sname;
+        KRB5_ENCDATA                    *encdata;
+        }       KRB5_TKTBODY;
+
+typedef STACK_OF(KRB5_TKTBODY) KRB5_TICKET;
+DECLARE_STACK_OF(KRB5_TKTBODY)
+
+
+/*      AP-REQ ::=      [APPLICATION 14] SEQUENCE {
+**              pvno[0]                       INTEGER,
+**              msg-type[1]                   INTEGER,
+**              ap-options[2]                 APOptions,
+**              ticket[3]                     Ticket,
+**              authenticator[4]              EncryptedData
+**      }
+**
+**      APOptions ::=   BIT STRING {
+**              reserved(0), use-session-key(1), mutual-required(2) }
+*/
+typedef struct  krb5_ap_req_st
+        {
+        ASN1_INTEGER                    *pvno;
+        ASN1_INTEGER                    *msgtype;
+        ASN1_BIT_STRING                 *apoptions;
+        KRB5_TICKET                     *ticket;
+        KRB5_ENCDATA                    *authenticator;
+        }       KRB5_APREQBODY;
+
+typedef STACK_OF(KRB5_APREQBODY) KRB5_APREQ;
+DECLARE_STACK_OF(KRB5_APREQBODY)
+
+
+/*      Authenticator Stuff     */
+
+
+/*      Checksum ::=   SEQUENCE {
+**              cksumtype[0]                  INTEGER,
+**              checksum[1]                   OCTET STRING
+**      }
+*/
+typedef struct  krb5_checksum_st
+        {
+        ASN1_INTEGER                    *ctype;
+        ASN1_OCTET_STRING               *checksum;
+        }       KRB5_CHECKSUM;
+
+DECLARE_STACK_OF(KRB5_CHECKSUM)
+
+
+/*      EncryptionKey ::=   SEQUENCE {
+**              keytype[0]                    INTEGER,
+**              keyvalue[1]                   OCTET STRING
+**      }
+*/
+typedef struct  krb5_encryptionkey_st
+        {
+        ASN1_INTEGER                    *ktype;
+        ASN1_OCTET_STRING               *keyvalue;
+        }       KRB5_ENCKEY;
+
+DECLARE_STACK_OF(KRB5_ENCKEY)
+
+
+/*      AuthorizationData ::=   SEQUENCE OF SEQUENCE {
+**              ad-type[0]                    INTEGER,
+**              ad-data[1]                    OCTET STRING
+**      }
+*/
+typedef struct  krb5_authorization_st
+        {
+        ASN1_INTEGER                    *adtype;
+        ASN1_OCTET_STRING               *addata;
+        }       KRB5_AUTHDATA;
+
+DECLARE_STACK_OF(KRB5_AUTHDATA)
+
+                        
+/*      -- Unencrypted authenticator
+**      Authenticator ::=    [APPLICATION 2] SEQUENCE    {
+**              authenticator-vno[0]          INTEGER,
+**              crealm[1]                     Realm,
+**              cname[2]                      PrincipalName,
+**              cksum[3]                      Checksum OPTIONAL,
+**              cusec[4]                      INTEGER,
+**              ctime[5]                      KerberosTime,
+**              subkey[6]                     EncryptionKey OPTIONAL,
+**              seq-number[7]                 INTEGER OPTIONAL,
+**              authorization-data[8]         AuthorizationData OPTIONAL
+**      }
+*/
+typedef struct  krb5_authenticator_st
+        {
+        ASN1_INTEGER                    *avno;
+        ASN1_GENERALSTRING              *crealm;
+        KRB5_PRINCNAME                  *cname;
+        KRB5_CHECKSUM                   *cksum;
+        ASN1_INTEGER                    *cusec;
+        ASN1_GENERALIZEDTIME            *ctime;
+        KRB5_ENCKEY                     *subkey;
+        ASN1_INTEGER                    *seqnum;
+        KRB5_AUTHDATA                   *authorization;
+        }       KRB5_AUTHENTBODY;
+
+typedef STACK_OF(KRB5_AUTHENTBODY) KRB5_AUTHENT;
+DECLARE_STACK_OF(KRB5_AUTHENTBODY)
+
+
+/*  DECLARE_ASN1_FUNCTIONS(type) = DECLARE_ASN1_FUNCTIONS_name(type, type) =
+**      type *name##_new(void);
+**      void name##_free(type *a);
+**      DECLARE_ASN1_ENCODE_FUNCTIONS(type, name, name) =
+**       DECLARE_ASN1_ENCODE_FUNCTIONS(type, itname, name) =
+**        type *d2i_##name(type **a, unsigned char **in, long len);
+**        int i2d_##name(type *a, unsigned char **out);
+**        DECLARE_ASN1_ITEM(itname) = OPENSSL_EXTERN const ASN1_ITEM itname##_it
+*/
+
+DECLARE_ASN1_FUNCTIONS(KRB5_ENCDATA)
+DECLARE_ASN1_FUNCTIONS(KRB5_PRINCNAME)
+DECLARE_ASN1_FUNCTIONS(KRB5_TKTBODY)
+DECLARE_ASN1_FUNCTIONS(KRB5_APREQBODY)
+DECLARE_ASN1_FUNCTIONS(KRB5_TICKET)
+DECLARE_ASN1_FUNCTIONS(KRB5_APREQ)
+
+DECLARE_ASN1_FUNCTIONS(KRB5_CHECKSUM)
+DECLARE_ASN1_FUNCTIONS(KRB5_ENCKEY)
+DECLARE_ASN1_FUNCTIONS(KRB5_AUTHDATA)
+DECLARE_ASN1_FUNCTIONS(KRB5_AUTHENTBODY)
+DECLARE_ASN1_FUNCTIONS(KRB5_AUTHENT)
+
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/src/lib/libssl/src/crypto/md2/md2.h b/src/lib/libssl/src/crypto/md2/md2.h
new file mode 100644
index 0000000000..0d3592506c
--- /dev/null
+++ b/src/lib/libssl/src/crypto/md2/md2.h
@@ -0,0 +1,91 @@
+/* crypto/md/md2.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_MD2_H
+#define HEADER_MD2_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef NO_MD2
+#error MD2 is disabled.
+#endif
+
+#define MD2_DIGEST_LENGTH       16
+#define MD2_BLOCK               16
+#include <openssl/opensslconf.h> /* MD2_INT */
+
+typedef struct MD2state_st
+        {
+        int num;
+        unsigned char data[MD2_BLOCK];
+        MD2_INT cksm[MD2_BLOCK];
+        MD2_INT state[MD2_BLOCK];
+        } MD2_CTX;
+
+const char *MD2_options(void);
+void MD2_Init(MD2_CTX *c);
+void MD2_Update(MD2_CTX *c, register unsigned char *data, unsigned long len);
+void MD2_Final(unsigned char *md, MD2_CTX *c);
+unsigned char *MD2(unsigned char *d, unsigned long n,unsigned char *md);
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/src/lib/libssl/src/crypto/md32_common.h b/src/lib/libssl/src/crypto/md32_common.h
new file mode 100644
index 0000000000..2b91f9eef2
--- /dev/null
+++ b/src/lib/libssl/src/crypto/md32_common.h
@@ -0,0 +1,594 @@
+/* crypto/md32_common.h */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * This is a generic 32 bit "collector" for message digest algorithms.
+ * Whenever needed it collects input character stream into chunks of
+ * 32 bit values and invokes a block function that performs actual hash
+ * calculations.
+ *
+ * Porting guide.
+ *
+ * Obligatory macros:
+ *
+ * DATA_ORDER_IS_BIG_ENDIAN or DATA_ORDER_IS_LITTLE_ENDIAN
+ *      this macro defines byte order of input stream.
+ * HASH_CBLOCK
+ *      size of a unit chunk HASH_BLOCK operates on.
+ * HASH_LONG
+ *      has to be at lest 32 bit wide, if it's wider, then
+ *      HASH_LONG_LOG2 *has to* be defined along
+ * HASH_CTX
+ *      context structure that at least contains following
+ *      members:
+ *              typedef struct {
+ *                      ...
+ *                      HASH_LONG       Nl,Nh;
+ *                      HASH_LONG       data[HASH_LBLOCK];
+ *                      int             num;
+ *                      ...
+ *                      } HASH_CTX;
+ * HASH_UPDATE
+ *      name of "Update" function, implemented here.
+ * HASH_TRANSFORM
+ *      name of "Transform" function, implemented here.
+ * HASH_FINAL
+ *      name of "Final" function, implemented here.
+ * HASH_BLOCK_HOST_ORDER
+ *      name of "block" function treating *aligned* input message
+ *      in host byte order, implemented externally.
+ * HASH_BLOCK_DATA_ORDER
+ *      name of "block" function treating *unaligned* input message
+ *      in original (data) byte order, implemented externally (it
+ *      actually is optional if data and host are of the same
+ *      "endianess").
+ *
+ * Optional macros:
+ *
+ * B_ENDIAN or L_ENDIAN
+ *      defines host byte-order.
+ * HASH_LONG_LOG2
+ *      defaults to 2 if not states otherwise.
+ * HASH_LBLOCK
+ *      assumed to be HASH_CBLOCK/4 if not stated otherwise.
+ * HASH_BLOCK_DATA_ORDER_ALIGNED
+ *      alternative "block" function capable of treating
+ *      aligned input message in original (data) order,
+ *      implemented externally.
+ *
+ * MD5 example:
+ *
+ *      #define DATA_ORDER_IS_LITTLE_ENDIAN
+ *
+ *      #define HASH_LONG               MD5_LONG
+ *      #define HASH_LONG_LOG2          MD5_LONG_LOG2
+ *      #define HASH_CTX                MD5_CTX
+ *      #define HASH_CBLOCK             MD5_CBLOCK
+ *      #define HASH_LBLOCK             MD5_LBLOCK
+ *      #define HASH_UPDATE             MD5_Update
+ *      #define HASH_TRANSFORM          MD5_Transform
+ *      #define HASH_FINAL              MD5_Final
+ *      #define HASH_BLOCK_HOST_ORDER   md5_block_host_order
+ *      #define HASH_BLOCK_DATA_ORDER   md5_block_data_order
+ *
+ *                                      <appro@fy.chalmers.se>
+ */
+
+#if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN)
+#error "DATA_ORDER must be defined!"
+#endif
+
+#ifndef HASH_CBLOCK
+#error "HASH_CBLOCK must be defined!"
+#endif
+#ifndef HASH_LONG
+#error "HASH_LONG must be defined!"
+#endif
+#ifndef HASH_CTX
+#error "HASH_CTX must be defined!"
+#endif
+
+#ifndef HASH_UPDATE
+#error "HASH_UPDATE must be defined!"
+#endif
+#ifndef HASH_TRANSFORM
+#error "HASH_TRANSFORM must be defined!"
+#endif
+#ifndef HASH_FINAL
+#error "HASH_FINAL must be defined!"
+#endif
+
+#ifndef HASH_BLOCK_HOST_ORDER
+#error "HASH_BLOCK_HOST_ORDER must be defined!"
+#endif
+
+#if 0
+/*
+ * Moved below as it's required only if HASH_BLOCK_DATA_ORDER_ALIGNED
+ * isn't defined.
+ */
+#ifndef HASH_BLOCK_DATA_ORDER
+#error "HASH_BLOCK_DATA_ORDER must be defined!"
+#endif
+#endif
+
+#ifndef HASH_LBLOCK
+#define HASH_LBLOCK     (HASH_CBLOCK/4)
+#endif
+
+#ifndef HASH_LONG_LOG2
+#define HASH_LONG_LOG2  2
+#endif
+
+/*
+ * Engage compiler specific rotate intrinsic function if available.
+ */
+#undef ROTATE
+#ifndef PEDANTIC
+# if defined(_MSC_VER)
+#  define ROTATE(a,n)     _lrotl(a,n)
+# elif defined(__GNUC__) && __GNUC__>=2 && !defined(NO_ASM)
+  /*
+   * Some GNU C inline assembler templates. Note that these are
+   * rotates by *constant* number of bits! But that's exactly
+   * what we need here...
+   *
+   *                                    <appro@fy.chalmers.se>
+   */
+#  if defined(__i386)
+#   define ROTATE(a,n)  ({ register unsigned int ret;   \
+                                asm volatile (          \
+                                "roll %1,%0"            \
+                                : "=r"(ret)             \
+                                : "I"(n), "0"(a)        \
+                                : "cc");                \
+                           ret;                         \
+                        })
+#  elif defined(__powerpc)
+#   define ROTATE(a,n)  ({ register unsigned int ret;   \
+                                asm volatile (          \
+                                "rlwinm %0,%1,%2,0,31"  \
+                                : "=r"(ret)             \
+                                : "r"(a), "I"(n));      \
+                           ret;                         \
+                        })
+#  endif
+# endif
+
+/*
+ * Engage compiler specific "fetch in reverse byte order"
+ * intrinsic function if available.
+ */
+# if defined(__GNUC__) && __GNUC__>=2 && !defined(NO_ASM)
+  /* some GNU C inline assembler templates by <appro@fy.chalmers.se> */
+#  if defined(__i386) && !defined(I386_ONLY)
+#   define BE_FETCH32(a)        ({ register unsigned int l=(a);\
+                                asm volatile (          \
+                                "bswapl %0"             \
+                                : "=r"(l) : "0"(l));    \
+                          l;                            \
+                        })
+#  elif defined(__powerpc)
+#   define LE_FETCH32(a)        ({ register unsigned int l;     \
+                                asm volatile (          \
+                                "lwbrx %0,0,%1"         \
+                                : "=r"(l)               \
+                                : "r"(a));              \
+                           l;                           \
+                        })
+
+#  elif defined(__sparc) && defined(ULTRASPARC)
+#  define LE_FETCH32(a) ({ register unsigned int l;             \
+                                asm volatile (                  \
+                                "lda [%1]#ASI_PRIMARY_LITTLE,%0"\
+                                : "=r"(l)                       \
+                                : "r"(a));                      \
+                           l;                                   \
+                        })
+#  endif
+# endif
+#endif /* PEDANTIC */
+
+#if HASH_LONG_LOG2==2   /* Engage only if sizeof(HASH_LONG)== 4 */
+/* A nice byte order reversal from Wei Dai <weidai@eskimo.com> */
+#ifdef ROTATE
+/* 5 instructions with rotate instruction, else 9 */
+#define REVERSE_FETCH32(a,l)    (                                       \
+                l=*(const HASH_LONG *)(a),                              \
+                ((ROTATE(l,8)&0x00FF00FF)|(ROTATE((l&0x00FF00FF),24)))  \
+                                )
+#else
+/* 6 instructions with rotate instruction, else 8 */
+#define REVERSE_FETCH32(a,l)    (                               \
+                l=*(const HASH_LONG *)(a),                      \
+                l=(((l>>8)&0x00FF00FF)|((l&0x00FF00FF)<<8)),    \
+                ROTATE(l,16)                                    \
+                                )
+/*
+ * Originally the middle line started with l=(((l&0xFF00FF00)>>8)|...
+ * It's rewritten as above for two reasons:
+ *      - RISCs aren't good at long constants and have to explicitely
+ *        compose 'em with several (well, usually 2) instructions in a
+ *        register before performing the actual operation and (as you
+ *        already realized:-) having same constant should inspire the
+ *        compiler to permanently allocate the only register for it;
+ *      - most modern CPUs have two ALUs, but usually only one has
+ *        circuitry for shifts:-( this minor tweak inspires compiler
+ *        to schedule shift instructions in a better way...
+ *
+ *                              <appro@fy.chalmers.se>
+ */
+#endif
+#endif
+
+#ifndef ROTATE
+#define ROTATE(a,n)     (((a)<<(n))|(((a)&0xffffffff)>>(32-(n))))
+#endif
+
+/*
+ * Make some obvious choices. E.g., HASH_BLOCK_DATA_ORDER_ALIGNED
+ * and HASH_BLOCK_HOST_ORDER ought to be the same if input data
+ * and host are of the same "endianess". It's possible to mask
+ * this with blank #define HASH_BLOCK_DATA_ORDER though...
+ *
+ *                              <appro@fy.chalmers.se>
+ */
+#if defined(B_ENDIAN)
+#  if defined(DATA_ORDER_IS_BIG_ENDIAN)
+#    if !defined(HASH_BLOCK_DATA_ORDER_ALIGNED) && HASH_LONG_LOG2==2
+#      define HASH_BLOCK_DATA_ORDER_ALIGNED     HASH_BLOCK_HOST_ORDER
+#    endif
+#  elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
+#    ifndef HOST_FETCH32
+#      ifdef LE_FETCH32
+#        define HOST_FETCH32(p,l)       LE_FETCH32(p)
+#      elif defined(REVERSE_FETCH32)
+#        define HOST_FETCH32(p,l)       REVERSE_FETCH32(p,l)
+#      endif
+#    endif
+#  endif
+#elif defined(L_ENDIAN)
+#  if defined(DATA_ORDER_IS_LITTLE_ENDIAN)
+#    if !defined(HASH_BLOCK_DATA_ORDER_ALIGNED) && HASH_LONG_LOG2==2
+#      define HASH_BLOCK_DATA_ORDER_ALIGNED     HASH_BLOCK_HOST_ORDER
+#    endif
+#  elif defined(DATA_ORDER_IS_BIG_ENDIAN)
+#    ifndef HOST_FETCH32
+#      ifdef BE_FETCH32
+#        define HOST_FETCH32(p,l)       BE_FETCH32(p)
+#      elif defined(REVERSE_FETCH32)
+#        define HOST_FETCH32(p,l)       REVERSE_FETCH32(p,l)
+#      endif
+#    endif
+#  endif
+#endif
+
+#if !defined(HASH_BLOCK_DATA_ORDER_ALIGNED)
+#ifndef HASH_BLOCK_DATA_ORDER
+#error "HASH_BLOCK_DATA_ORDER must be defined!"
+#endif
+#endif
+
+#if defined(DATA_ORDER_IS_BIG_ENDIAN)
+
+#define HOST_c2l(c,l)   (l =(((unsigned long)(*((c)++)))<<24),          \
+                         l|=(((unsigned long)(*((c)++)))<<16),          \
+                         l|=(((unsigned long)(*((c)++)))<< 8),          \
+                         l|=(((unsigned long)(*((c)++)))    ),          \
+                         l)
+#define HOST_p_c2l(c,l,n)       {                                       \
+                        switch (n) {                                    \
+                        case 0: l =((unsigned long)(*((c)++)))<<24;     \
+                        case 1: l|=((unsigned long)(*((c)++)))<<16;     \
+                        case 2: l|=((unsigned long)(*((c)++)))<< 8;     \
+                        case 3: l|=((unsigned long)(*((c)++)));         \
+                                } }
+#define HOST_p_c2l_p(c,l,sc,len) {                                      \
+                        switch (sc) {                                   \
+                        case 0: l =((unsigned long)(*((c)++)))<<24;     \
+                                if (--len == 0) break;                  \
+                        case 1: l|=((unsigned long)(*((c)++)))<<16;     \
+                                if (--len == 0) break;                  \
+                        case 2: l|=((unsigned long)(*((c)++)))<< 8;     \
+                                } }
+/* NOTE the pointer is not incremented at the end of this */
+#define HOST_c2l_p(c,l,n)       {                                       \
+                        l=0; (c)+=n;                                    \
+                        switch (n) {                                    \
+                        case 3: l =((unsigned long)(*(--(c))))<< 8;     \
+                        case 2: l|=((unsigned long)(*(--(c))))<<16;     \
+                        case 1: l|=((unsigned long)(*(--(c))))<<24;     \
+                                } }
+#define HOST_l2c(l,c)   (*((c)++)=(unsigned char)(((l)>>24)&0xff),      \
+                         *((c)++)=(unsigned char)(((l)>>16)&0xff),      \
+                         *((c)++)=(unsigned char)(((l)>> 8)&0xff),      \
+                         *((c)++)=(unsigned char)(((l)    )&0xff),      \
+                         l)
+
+#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
+
+#define HOST_c2l(c,l)   (l =(((unsigned long)(*((c)++)))    ),          \
+                         l|=(((unsigned long)(*((c)++)))<< 8),          \
+                         l|=(((unsigned long)(*((c)++)))<<16),          \
+                         l|=(((unsigned long)(*((c)++)))<<24),          \
+                         l)
+#define HOST_p_c2l(c,l,n)       {                                       \
+                        switch (n) {                                    \
+                        case 0: l =((unsigned long)(*((c)++)));         \
+                        case 1: l|=((unsigned long)(*((c)++)))<< 8;     \
+                        case 2: l|=((unsigned long)(*((c)++)))<<16;     \
+                        case 3: l|=((unsigned long)(*((c)++)))<<24;     \
+                                } }
+#define HOST_p_c2l_p(c,l,sc,len) {                                      \
+                        switch (sc) {                                   \
+                        case 0: l =((unsigned long)(*((c)++)));         \
+                                if (--len == 0) break;                  \
+                        case 1: l|=((unsigned long)(*((c)++)))<< 8;     \
+                                if (--len == 0) break;                  \
+                        case 2: l|=((unsigned long)(*((c)++)))<<16;     \
+                                } }
+/* NOTE the pointer is not incremented at the end of this */
+#define HOST_c2l_p(c,l,n)       {                                       \
+                        l=0; (c)+=n;                                    \
+                        switch (n) {                                    \
+                        case 3: l =((unsigned long)(*(--(c))))<<16;     \
+                        case 2: l|=((unsigned long)(*(--(c))))<< 8;     \
+                        case 1: l|=((unsigned long)(*(--(c))));         \
+                                } }
+#define HOST_l2c(l,c)   (*((c)++)=(unsigned char)(((l)    )&0xff),      \
+                         *((c)++)=(unsigned char)(((l)>> 8)&0xff),      \
+                         *((c)++)=(unsigned char)(((l)>>16)&0xff),      \
+                         *((c)++)=(unsigned char)(((l)>>24)&0xff),      \
+                         l)
+
+#endif
+
+/*
+ * Time for some action:-)
+ */
+
+void HASH_UPDATE (HASH_CTX *c, const unsigned char *data, unsigned long len)
+        {
+        register HASH_LONG * p;
+        register unsigned long l;
+        int sw,sc,ew,ec;
+
+        if (len==0) return;
+
+        l=(c->Nl+(len<<3))&0xffffffffL;
+        /* 95-05-24 eay Fixed a bug with the overflow handling, thanks to
+         * Wei Dai <weidai@eskimo.com> for pointing it out. */
+        if (l < c->Nl) /* overflow */
+                c->Nh++;
+        c->Nh+=(len>>29);
+        c->Nl=l;
+
+        if (c->num != 0)
+                {
+                p=c->data;
+                sw=c->num>>2;
+                sc=c->num&0x03;
+
+                if ((c->num+len) >= HASH_CBLOCK)
+                        {
+                        l=p[sw]; HOST_p_c2l(data,l,sc); p[sw++]=l;
+                        for (; sw<HASH_LBLOCK; sw++)
+                                {
+                                HOST_c2l(data,l); p[sw]=l;
+                                }
+                        HASH_BLOCK_HOST_ORDER (c,p,1);
+                        len-=(HASH_CBLOCK-c->num);
+                        c->num=0;
+                        /* drop through and do the rest */
+                        }
+                else
+                        {
+                        c->num+=len;
+                        if ((sc+len) < 4) /* ugly, add char's to a word */
+                                {
+                                l=p[sw]; HOST_p_c2l_p(data,l,sc,len); p[sw]=l;
+                                }
+                        else
+                                {
+                                ew=(c->num>>2);
+                                ec=(c->num&0x03);
+                                l=p[sw]; HOST_p_c2l(data,l,sc); p[sw++]=l;
+                                for (; sw < ew; sw++)
+                                        {
+                                        HOST_c2l(data,l); p[sw]=l;
+                                        }
+                                if (ec)
+                                        {
+                                        HOST_c2l_p(data,l,ec); p[sw]=l;
+                                        }
+                                }
+                        return;
+                        }
+                }
+
+        sw=len/HASH_CBLOCK;
+        if (sw > 0)
+                {
+#if defined(HASH_BLOCK_DATA_ORDER_ALIGNED)
+                /*
+                 * Note that HASH_BLOCK_DATA_ORDER_ALIGNED gets defined
+                 * only if sizeof(HASH_LONG)==4.
+                 */
+                if ((((unsigned long)data)%4) == 0)
+                        {
+                        /* data is properly aligned so that we can cast it: */
+                        HASH_BLOCK_DATA_ORDER_ALIGNED (c,(HASH_LONG *)data,sw);
+                        sw*=HASH_CBLOCK;
+                        data+=sw;
+                        len-=sw;
+                        }
+                else
+#if !defined(HASH_BLOCK_DATA_ORDER)
+                        while (sw--)
+                                {
+                                memcpy (p=c->data,data,HASH_CBLOCK);
+                                HASH_BLOCK_DATA_ORDER_ALIGNED(c,p,1);
+                                data+=HASH_CBLOCK;
+                                len-=HASH_CBLOCK;
+                                }
+#endif
+#endif
+#if defined(HASH_BLOCK_DATA_ORDER)
+                        {
+                        HASH_BLOCK_DATA_ORDER(c,data,sw);
+                        sw*=HASH_CBLOCK;
+                        data+=sw;
+                        len-=sw;
+                        }
+#endif
+                }
+
+        if (len!=0)
+                {
+                p = c->data;
+                c->num = len;
+                ew=len>>2;      /* words to copy */
+                ec=len&0x03;
+                for (; ew; ew--,p++)
+                        {
+                        HOST_c2l(data,l); *p=l;
+                        }
+                HOST_c2l_p(data,l,ec);
+                *p=l;
+                }
+        }
+
+
+void HASH_TRANSFORM (HASH_CTX *c, const unsigned char *data)
+        {
+#if defined(HASH_BLOCK_DATA_ORDER_ALIGNED)
+        if ((((unsigned long)data)%4) == 0)
+                /* data is properly aligned so that we can cast it: */
+                HASH_BLOCK_DATA_ORDER_ALIGNED (c,(HASH_LONG *)data,1);
+        else
+#if !defined(HASH_BLOCK_DATA_ORDER)
+                {
+                memcpy (c->data,data,HASH_CBLOCK);
+                HASH_BLOCK_DATA_ORDER_ALIGNED (c,c->data,1);
+                }
+#endif
+#endif
+#if defined(HASH_BLOCK_DATA_ORDER)
+        HASH_BLOCK_DATA_ORDER (c,data,1);
+#endif
+        }
+
+
+void HASH_FINAL (unsigned char *md, HASH_CTX *c)
+        {
+        register HASH_LONG *p;
+        register unsigned long l;
+        register int i,j;
+        static const unsigned char end[4]={0x80,0x00,0x00,0x00};
+        const unsigned char *cp=end;
+
+        /* c->num should definitly have room for at least one more byte. */
+        p=c->data;
+        i=c->num>>2;
+        j=c->num&0x03;
+
+#if 0
+        /* purify often complains about the following line as an
+         * Uninitialized Memory Read.  While this can be true, the
+         * following p_c2l macro will reset l when that case is true.
+         * This is because j&0x03 contains the number of 'valid' bytes
+         * already in p[i].  If and only if j&0x03 == 0, the UMR will
+         * occur but this is also the only time p_c2l will do
+         * l= *(cp++) instead of l|= *(cp++)
+         * Many thanks to Alex Tang <altitude@cic.net> for pickup this
+         * 'potential bug' */
+#ifdef PURIFY
+        if (j==0) p[i]=0; /* Yeah, but that's not the way to fix it:-) */
+#endif
+        l=p[i];
+#else
+        l = (j==0) ? 0 : p[i];
+#endif
+        HOST_p_c2l(cp,l,j); p[i++]=l; /* i is the next 'undefined word' */
+
+        if (i>(HASH_LBLOCK-2)) /* save room for Nl and Nh */
+                {
+                if (i<HASH_LBLOCK) p[i]=0;
+                HASH_BLOCK_HOST_ORDER (c,p,1);
+                i=0;
+                }
+        for (; i<(HASH_LBLOCK-2); i++)
+                p[i]=0;
+
+#if   defined(DATA_ORDER_IS_BIG_ENDIAN)
+        p[HASH_LBLOCK-2]=c->Nh;
+        p[HASH_LBLOCK-1]=c->Nl;
+#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
+        p[HASH_LBLOCK-2]=c->Nl;
+        p[HASH_LBLOCK-1]=c->Nh;
+#endif
+        HASH_BLOCK_HOST_ORDER (c,p,1);
+
+        l=c->A; HOST_l2c(l,md);
+        l=c->B; HOST_l2c(l,md);
+        l=c->C; HOST_l2c(l,md);
+        l=c->D; HOST_l2c(l,md);
+
+        c->num=0;
+        /* clear stuff, HASH_BLOCK may be leaving some stuff on the stack
+         * but I'm not worried :-)
+        memset((void *)c,0,sizeof(HASH_CTX));
+         */
+        }
diff --git a/src/lib/libssl/src/crypto/md4/md4.c b/src/lib/libssl/src/crypto/md4/md4.c
new file mode 100644
index 0000000000..e4b0aac011
--- /dev/null
+++ b/src/lib/libssl/src/crypto/md4/md4.c
@@ -0,0 +1,127 @@
+/* crypto/md4/md4.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/md4.h>
+
+#define BUFSIZE 1024*16
+
+void do_fp(FILE *f);
+void pt(unsigned char *md);
+#ifndef _OSD_POSIX
+int read(int, void *, unsigned int);
+#endif
+
+int main(int argc, char **argv)
+        {
+        int i,err=0;
+        FILE *IN;
+
+        if (argc == 1)
+                {
+                do_fp(stdin);
+                }
+        else
+                {
+                for (i=1; i<argc; i++)
+                        {
+                        IN=fopen(argv[i],"r");
+                        if (IN == NULL)
+                                {
+                                perror(argv[i]);
+                                err++;
+                                continue;
+                                }
+                        printf("MD4(%s)= ",argv[i]);
+                        do_fp(IN);
+                        fclose(IN);
+                        }
+                }
+        exit(err);
+        }
+
+void do_fp(FILE *f)
+        {
+        MD4_CTX c;
+        unsigned char md[MD4_DIGEST_LENGTH];
+        int fd;
+        int i;
+        static unsigned char buf[BUFSIZE];
+
+        fd=fileno(f);
+        MD4_Init(&c);
+        for (;;)
+                {
+                i=read(fd,buf,BUFSIZE);
+                if (i <= 0) break;
+                MD4_Update(&c,buf,(unsigned long)i);
+                }
+        MD4_Final(&(md[0]),&c);
+        pt(md);
+        }
+
+void pt(unsigned char *md)
+        {
+        int i;
+
+        for (i=0; i<MD4_DIGEST_LENGTH; i++)
+                printf("%02x",md[i]);
+        printf("\n");
+        }
+
diff --git a/src/lib/libssl/src/crypto/md4/md4.h b/src/lib/libssl/src/crypto/md4/md4.h
new file mode 100644
index 0000000000..c794e186db
--- /dev/null
+++ b/src/lib/libssl/src/crypto/md4/md4.h
@@ -0,0 +1,114 @@
+/* crypto/md4/md4.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_MD4_H
+#define HEADER_MD4_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef NO_MD4
+#error MD4 is disabled.
+#endif
+
+/*
+ * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ * ! MD4_LONG has to be at least 32 bits wide. If it's wider, then !
+ * ! MD4_LONG_LOG2 has to be defined along.                        !
+ * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ */
+
+#if defined(WIN16) || defined(__LP32__)
+#define MD4_LONG unsigned long
+#elif defined(_CRAY) || defined(__ILP64__)
+#define MD4_LONG unsigned long
+#define MD4_LONG_LOG2 3
+/*
+ * _CRAY note. I could declare short, but I have no idea what impact
+ * does it have on performance on none-T3E machines. I could declare
+ * int, but at least on C90 sizeof(int) can be chosen at compile time.
+ * So I've chosen long...
+ *                                      <appro@fy.chalmers.se>
+ */
+#else
+#define MD4_LONG unsigned int
+#endif
+
+#define MD4_CBLOCK      64
+#define MD4_LBLOCK      (MD4_CBLOCK/4)
+#define MD4_DIGEST_LENGTH 16
+
+typedef struct MD4state_st
+        {
+        MD4_LONG A,B,C,D;
+        MD4_LONG Nl,Nh;
+        MD4_LONG data[MD4_LBLOCK];
+        int num;
+        } MD4_CTX;
+
+void MD4_Init(MD4_CTX *c);
+void MD4_Update(MD4_CTX *c, const void *data, unsigned long len);
+void MD4_Final(unsigned char *md, MD4_CTX *c);
+unsigned char *MD4(const unsigned char *d, unsigned long n, unsigned char *md);
+void MD4_Transform(MD4_CTX *c, const unsigned char *b);
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/src/lib/libssl/src/crypto/md4/md4_dgst.c b/src/lib/libssl/src/crypto/md4/md4_dgst.c
new file mode 100644
index 0000000000..81488ae2e2
--- /dev/null
+++ b/src/lib/libssl/src/crypto/md4/md4_dgst.c
@@ -0,0 +1,285 @@
+/* crypto/md4/md4_dgst.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "md4_locl.h"
+#include <openssl/opensslv.h>
+
+const char *MD4_version="MD4" OPENSSL_VERSION_PTEXT;
+
+/* Implemented from RFC1186 The MD4 Message-Digest Algorithm
+ */
+
+#define INIT_DATA_A (unsigned long)0x67452301L
+#define INIT_DATA_B (unsigned long)0xefcdab89L
+#define INIT_DATA_C (unsigned long)0x98badcfeL
+#define INIT_DATA_D (unsigned long)0x10325476L
+
+void MD4_Init(MD4_CTX *c)
+        {
+        c->A=INIT_DATA_A;
+        c->B=INIT_DATA_B;
+        c->C=INIT_DATA_C;
+        c->D=INIT_DATA_D;
+        c->Nl=0;
+        c->Nh=0;
+        c->num=0;
+        }
+
+#ifndef md4_block_host_order
+void md4_block_host_order (MD4_CTX *c, const void *data, int num)
+        {
+        const MD4_LONG *X=data;
+        register unsigned long A,B,C,D;
+        /*
+         * In case you wonder why A-D are declared as long and not
+         * as MD4_LONG. Doing so results in slight performance
+         * boost on LP64 architectures. The catch is we don't
+         * really care if 32 MSBs of a 64-bit register get polluted
+         * with eventual overflows as we *save* only 32 LSBs in
+         * *either* case. Now declaring 'em long excuses the compiler
+         * from keeping 32 MSBs zeroed resulting in 13% performance
+         * improvement under SPARC Solaris7/64 and 5% under AlphaLinux.
+         * Well, to be honest it should say that this *prevents* 
+         * performance degradation.
+         *
+         *                              <appro@fy.chalmers.se>
+         */
+
+        A=c->A;
+        B=c->B;
+        C=c->C;
+        D=c->D;
+
+        for (;num--;X+=HASH_LBLOCK)
+                {
+        /* Round 0 */
+        R0(A,B,C,D,X[ 0], 3,0);
+        R0(D,A,B,C,X[ 1], 7,0);
+        R0(C,D,A,B,X[ 2],11,0);
+        R0(B,C,D,A,X[ 3],19,0);
+        R0(A,B,C,D,X[ 4], 3,0);
+        R0(D,A,B,C,X[ 5], 7,0);
+        R0(C,D,A,B,X[ 6],11,0);
+        R0(B,C,D,A,X[ 7],19,0);
+        R0(A,B,C,D,X[ 8], 3,0);
+        R0(D,A,B,C,X[ 9], 7,0);
+        R0(C,D,A,B,X[10],11,0);
+        R0(B,C,D,A,X[11],19,0);
+        R0(A,B,C,D,X[12], 3,0);
+        R0(D,A,B,C,X[13], 7,0);
+        R0(C,D,A,B,X[14],11,0);
+        R0(B,C,D,A,X[15],19,0);
+        /* Round 1 */
+        R1(A,B,C,D,X[ 0], 3,0x5A827999L);
+        R1(D,A,B,C,X[ 4], 5,0x5A827999L);
+        R1(C,D,A,B,X[ 8], 9,0x5A827999L);
+        R1(B,C,D,A,X[12],13,0x5A827999L);
+        R1(A,B,C,D,X[ 1], 3,0x5A827999L);
+        R1(D,A,B,C,X[ 5], 5,0x5A827999L);
+        R1(C,D,A,B,X[ 9], 9,0x5A827999L);
+        R1(B,C,D,A,X[13],13,0x5A827999L);
+        R1(A,B,C,D,X[ 2], 3,0x5A827999L);
+        R1(D,A,B,C,X[ 6], 5,0x5A827999L);
+        R1(C,D,A,B,X[10], 9,0x5A827999L);
+        R1(B,C,D,A,X[14],13,0x5A827999L);
+        R1(A,B,C,D,X[ 3], 3,0x5A827999L);
+        R1(D,A,B,C,X[ 7], 5,0x5A827999L);
+        R1(C,D,A,B,X[11], 9,0x5A827999L);
+        R1(B,C,D,A,X[15],13,0x5A827999L);
+        /* Round 2 */
+        R2(A,B,C,D,X[ 0], 3,0x6ED9EBA1);
+        R2(D,A,B,C,X[ 8], 9,0x6ED9EBA1);
+        R2(C,D,A,B,X[ 4],11,0x6ED9EBA1);
+        R2(B,C,D,A,X[12],15,0x6ED9EBA1);
+        R2(A,B,C,D,X[ 2], 3,0x6ED9EBA1);
+        R2(D,A,B,C,X[10], 9,0x6ED9EBA1);
+        R2(C,D,A,B,X[ 6],11,0x6ED9EBA1);
+        R2(B,C,D,A,X[14],15,0x6ED9EBA1);
+        R2(A,B,C,D,X[ 1], 3,0x6ED9EBA1);
+        R2(D,A,B,C,X[ 9], 9,0x6ED9EBA1);
+        R2(C,D,A,B,X[ 5],11,0x6ED9EBA1);
+        R2(B,C,D,A,X[13],15,0x6ED9EBA1);
+        R2(A,B,C,D,X[ 3], 3,0x6ED9EBA1);
+        R2(D,A,B,C,X[11], 9,0x6ED9EBA1);
+        R2(C,D,A,B,X[ 7],11,0x6ED9EBA1);
+        R2(B,C,D,A,X[15],15,0x6ED9EBA1);
+
+        A = c->A += A;
+        B = c->B += B;
+        C = c->C += C;
+        D = c->D += D;
+                }
+        }
+#endif
+
+#ifndef md4_block_data_order
+#ifdef X
+#undef X
+#endif
+void md4_block_data_order (MD4_CTX *c, const void *data_, int num)
+        {
+        const unsigned char *data=data_;
+        register unsigned long A,B,C,D,l;
+        /*
+         * In case you wonder why A-D are declared as long and not
+         * as MD4_LONG. Doing so results in slight performance
+         * boost on LP64 architectures. The catch is we don't
+         * really care if 32 MSBs of a 64-bit register get polluted
+         * with eventual overflows as we *save* only 32 LSBs in
+         * *either* case. Now declaring 'em long excuses the compiler
+         * from keeping 32 MSBs zeroed resulting in 13% performance
+         * improvement under SPARC Solaris7/64 and 5% under AlphaLinux.
+         * Well, to be honest it should say that this *prevents* 
+         * performance degradation.
+         *
+         *                              <appro@fy.chalmers.se>
+         */
+#ifndef MD32_XARRAY
+        /* See comment in crypto/sha/sha_locl.h for details. */
+        unsigned long   XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
+                        XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
+# define X(i)   XX##i
+#else
+        MD4_LONG XX[MD4_LBLOCK];
+# define X(i)   XX[i]
+#endif
+
+        A=c->A;
+        B=c->B;
+        C=c->C;
+        D=c->D;
+
+        for (;num--;)
+                {
+        HOST_c2l(data,l); X( 0)=l;              HOST_c2l(data,l); X( 1)=l;
+        /* Round 0 */
+        R0(A,B,C,D,X( 0), 3,0); HOST_c2l(data,l); X( 2)=l;
+        R0(D,A,B,C,X( 1), 7,0); HOST_c2l(data,l); X( 3)=l;
+        R0(C,D,A,B,X( 2),11,0); HOST_c2l(data,l); X( 4)=l;
+        R0(B,C,D,A,X( 3),19,0); HOST_c2l(data,l); X( 5)=l;
+        R0(A,B,C,D,X( 4), 3,0); HOST_c2l(data,l); X( 6)=l;
+        R0(D,A,B,C,X( 5), 7,0); HOST_c2l(data,l); X( 7)=l;
+        R0(C,D,A,B,X( 6),11,0); HOST_c2l(data,l); X( 8)=l;
+        R0(B,C,D,A,X( 7),19,0); HOST_c2l(data,l); X( 9)=l;
+        R0(A,B,C,D,X( 8), 3,0); HOST_c2l(data,l); X(10)=l;
+        R0(D,A,B,C,X( 9), 7,0); HOST_c2l(data,l); X(11)=l;
+        R0(C,D,A,B,X(10),11,0); HOST_c2l(data,l); X(12)=l;
+        R0(B,C,D,A,X(11),19,0); HOST_c2l(data,l); X(13)=l;
+        R0(A,B,C,D,X(12), 3,0); HOST_c2l(data,l); X(14)=l;
+        R0(D,A,B,C,X(13), 7,0); HOST_c2l(data,l); X(15)=l;
+        R0(C,D,A,B,X(14),11,0);
+        R0(B,C,D,A,X(15),19,0);
+        /* Round 1 */
+        R1(A,B,C,D,X( 0), 3,0x5A827999L);
+        R1(D,A,B,C,X( 4), 5,0x5A827999L);
+        R1(C,D,A,B,X( 8), 9,0x5A827999L);
+        R1(B,C,D,A,X(12),13,0x5A827999L);
+        R1(A,B,C,D,X( 1), 3,0x5A827999L);
+        R1(D,A,B,C,X( 5), 5,0x5A827999L);
+        R1(C,D,A,B,X( 9), 9,0x5A827999L);
+        R1(B,C,D,A,X(13),13,0x5A827999L);
+        R1(A,B,C,D,X( 2), 3,0x5A827999L);
+        R1(D,A,B,C,X( 6), 5,0x5A827999L);
+        R1(C,D,A,B,X(10), 9,0x5A827999L);
+        R1(B,C,D,A,X(14),13,0x5A827999L);
+        R1(A,B,C,D,X( 3), 3,0x5A827999L);
+        R1(D,A,B,C,X( 7), 5,0x5A827999L);
+        R1(C,D,A,B,X(11), 9,0x5A827999L);
+        R1(B,C,D,A,X(15),13,0x5A827999L);
+        /* Round 2 */
+        R2(A,B,C,D,X( 0), 3,0x6ED9EBA1L);
+        R2(D,A,B,C,X( 8), 9,0x6ED9EBA1L);
+        R2(C,D,A,B,X( 4),11,0x6ED9EBA1L);
+        R2(B,C,D,A,X(12),15,0x6ED9EBA1L);
+        R2(A,B,C,D,X( 2), 3,0x6ED9EBA1L);
+        R2(D,A,B,C,X(10), 9,0x6ED9EBA1L);
+        R2(C,D,A,B,X( 6),11,0x6ED9EBA1L);
+        R2(B,C,D,A,X(14),15,0x6ED9EBA1L);
+        R2(A,B,C,D,X( 1), 3,0x6ED9EBA1L);
+        R2(D,A,B,C,X( 9), 9,0x6ED9EBA1L);
+        R2(C,D,A,B,X( 5),11,0x6ED9EBA1L);
+        R2(B,C,D,A,X(13),15,0x6ED9EBA1L);
+        R2(A,B,C,D,X( 3), 3,0x6ED9EBA1L);
+        R2(D,A,B,C,X(11), 9,0x6ED9EBA1L);
+        R2(C,D,A,B,X( 7),11,0x6ED9EBA1L);
+        R2(B,C,D,A,X(15),15,0x6ED9EBA1L);
+
+        A = c->A += A;
+        B = c->B += B;
+        C = c->C += C;
+        D = c->D += D;
+                }
+        }
+#endif
+
+#ifdef undef
+int printit(unsigned long *l)
+        {
+        int i,ii;
+
+        for (i=0; i<2; i++)
+                {
+                for (ii=0; ii<8; ii++)
+                        {
+                        fprintf(stderr,"%08lx ",l[i*8+ii]);
+                        }
+                fprintf(stderr,"\n");
+                }
+        }
+#endif
diff --git a/src/lib/libssl/src/crypto/md4/md4_locl.h b/src/lib/libssl/src/crypto/md4/md4_locl.h
new file mode 100644
index 0000000000..0a2b39018d
--- /dev/null
+++ b/src/lib/libssl/src/crypto/md4/md4_locl.h
@@ -0,0 +1,154 @@
+/* crypto/md4/md4_locl.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/opensslconf.h>
+#include <openssl/md4.h>
+
+#ifndef MD4_LONG_LOG2
+#define MD4_LONG_LOG2 2 /* default to 32 bits */
+#endif
+
+void md4_block_host_order (MD4_CTX *c, const void *p,int num);
+void md4_block_data_order (MD4_CTX *c, const void *p,int num);
+
+#if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
+/*
+ * *_block_host_order is expected to handle aligned data while
+ * *_block_data_order - unaligned. As algorithm and host (x86)
+ * are in this case of the same "endianness" these two are
+ * otherwise indistinguishable. But normally you don't want to
+ * call the same function because unaligned access in places
+ * where alignment is expected is usually a "Bad Thing". Indeed,
+ * on RISCs you get punished with BUS ERROR signal or *severe*
+ * performance degradation. Intel CPUs are in turn perfectly
+ * capable of loading unaligned data without such drastic side
+ * effect. Yes, they say it's slower than aligned load, but no
+ * exception is generated and therefore performance degradation
+ * is *incomparable* with RISCs. What we should weight here is
+ * costs of unaligned access against costs of aligning data.
+ * According to my measurements allowing unaligned access results
+ * in ~9% performance improvement on Pentium II operating at
+ * 266MHz. I won't be surprised if the difference will be higher
+ * on faster systems:-)
+ *
+ *                              <appro@fy.chalmers.se>
+ */
+#define md4_block_data_order md4_block_host_order
+#endif
+
+#define DATA_ORDER_IS_LITTLE_ENDIAN
+
+#define HASH_LONG               MD4_LONG
+#define HASH_LONG_LOG2          MD4_LONG_LOG2
+#define HASH_CTX                MD4_CTX
+#define HASH_CBLOCK             MD4_CBLOCK
+#define HASH_LBLOCK             MD4_LBLOCK
+#define HASH_UPDATE             MD4_Update
+#define HASH_TRANSFORM          MD4_Transform
+#define HASH_FINAL              MD4_Final
+#define HASH_MAKE_STRING(c,s)   do {    \
+        unsigned long ll;               \
+        ll=(c)->A; HOST_l2c(ll,(s));    \
+        ll=(c)->B; HOST_l2c(ll,(s));    \
+        ll=(c)->C; HOST_l2c(ll,(s));    \
+        ll=(c)->D; HOST_l2c(ll,(s));    \
+        } while (0)
+#define HASH_BLOCK_HOST_ORDER   md4_block_host_order
+#if !defined(L_ENDIAN) || defined(md4_block_data_order)
+#define HASH_BLOCK_DATA_ORDER   md4_block_data_order
+/*
+ * Little-endians (Intel and Alpha) feel better without this.
+ * It looks like memcpy does better job than generic
+ * md4_block_data_order on copying-n-aligning input data.
+ * But frankly speaking I didn't expect such result on Alpha.
+ * On the other hand I've got this with egcs-1.0.2 and if
+ * program is compiled with another (better?) compiler it
+ * might turn out other way around.
+ *
+ *                              <appro@fy.chalmers.se>
+ */
+#endif
+
+#include "md32_common.h"
+
+/*
+#define F(x,y,z)        (((x) & (y))  |  ((~(x)) & (z)))
+#define G(x,y,z)        (((x) & (y))  |  ((x) & ((z))) | ((y) & ((z))))
+*/
+
+/* As pointed out by Wei Dai <weidai@eskimo.com>, the above can be
+ * simplified to the code below.  Wei attributes these optimizations
+ * to Peter Gutmann's SHS code, and he attributes it to Rich Schroeppel.
+ */
+#define F(b,c,d)        ((((c) ^ (d)) & (b)) ^ (d))
+#define G(b,c,d)        (((b) & (c)) | ((b) & (d)) | ((c) & (d)))
+#define H(b,c,d)        ((b) ^ (c) ^ (d))
+
+#define R0(a,b,c,d,k,s,t) { \
+        a+=((k)+(t)+F((b),(c),(d))); \
+        a=ROTATE(a,s); };
+
+#define R1(a,b,c,d,k,s,t) { \
+        a+=((k)+(t)+G((b),(c),(d))); \
+        a=ROTATE(a,s); };\
+
+#define R2(a,b,c,d,k,s,t) { \
+        a+=((k)+(t)+H((b),(c),(d))); \
+        a=ROTATE(a,s); };
diff --git a/src/lib/libssl/src/crypto/md4/md4_one.c b/src/lib/libssl/src/crypto/md4/md4_one.c
new file mode 100644
index 0000000000..87a995d38d
--- /dev/null
+++ b/src/lib/libssl/src/crypto/md4/md4_one.c
@@ -0,0 +1,95 @@
+/* crypto/md4/md4_one.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/md4.h>
+
+#ifdef CHARSET_EBCDIC
+#include <openssl/ebcdic.h>
+#endif
+
+unsigned char *MD4(const unsigned char *d, unsigned long n, unsigned char *md)
+        {
+        MD4_CTX c;
+        static unsigned char m[MD4_DIGEST_LENGTH];
+
+        if (md == NULL) md=m;
+        MD4_Init(&c);
+#ifndef CHARSET_EBCDIC
+        MD4_Update(&c,d,n);
+#else
+        {
+                char temp[1024];
+                unsigned long chunk;
+
+                while (n > 0)
+                {
+                        chunk = (n > sizeof(temp)) ? sizeof(temp) : n;
+                        ebcdic2ascii(temp, d, chunk);
+                        MD4_Update(&c,temp,chunk);
+                        n -= chunk;
+                        d += chunk;
+                }
+        }
+#endif
+        MD4_Final(md,&c);
+        memset(&c,0,sizeof(c)); /* security consideration */
+        return(md);
+        }
+
diff --git a/src/lib/libssl/src/crypto/md4/md4s.cpp b/src/lib/libssl/src/crypto/md4/md4s.cpp
new file mode 100644
index 0000000000..c0ec97fc9f
--- /dev/null
+++ b/src/lib/libssl/src/crypto/md4/md4s.cpp
@@ -0,0 +1,78 @@
+//
+// gettsc.inl
+//
+// gives access to the Pentium's (secret) cycle counter
+//
+// This software was written by Leonard Janke (janke@unixg.ubc.ca)
+// in 1996-7 and is entered, by him, into the public domain.
+
+#if defined(__WATCOMC__)
+void GetTSC(unsigned long&);
+#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
+#elif defined(__GNUC__)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  asm volatile(".byte 15, 49\n\t"
+               : "=eax" (tsc)
+               :
+               : "%edx", "%eax");
+}
+#elif defined(_MSC_VER)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  unsigned long a;
+  __asm _emit 0fh
+  __asm _emit 31h
+  __asm mov a, eax;
+  tsc=a;
+}
+#endif      
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/md4.h>
+
+extern "C" {
+void md4_block_x86(MD4_CTX *ctx, unsigned char *buffer,int num);
+}
+
+void main(int argc,char *argv[])
+        {
+        unsigned char buffer[64*256];
+        MD4_CTX ctx;
+        unsigned long s1,s2,e1,e2;
+        unsigned char k[16];
+        unsigned long data[2];
+        unsigned char iv[8];
+        int i,num=0,numm;
+        int j=0;
+
+        if (argc >= 2)
+                num=atoi(argv[1]);
+
+        if (num == 0) num=16;
+        if (num > 250) num=16;
+        numm=num+2;
+        num*=64;
+        numm*=64;
+
+        for (j=0; j<6; j++)
+                {
+                for (i=0; i<10; i++) /**/
+                        {
+                        md4_block_x86(&ctx,buffer,numm);
+                        GetTSC(s1);
+                        md4_block_x86(&ctx,buffer,numm);
+                        GetTSC(e1);
+                        GetTSC(s2);
+                        md4_block_x86(&ctx,buffer,num);
+                        GetTSC(e2);
+                        md4_block_x86(&ctx,buffer,num);
+                        }
+                printf("md4 (%d bytes) %d %d (%.2f)\n",num,
+                        e1-s1,e2-s2,(double)((e1-s1)-(e2-s2))/2);
+                }
+        }
+
diff --git a/src/lib/libssl/src/crypto/md4/md4test.c b/src/lib/libssl/src/crypto/md4/md4test.c
new file mode 100644
index 0000000000..97e6e21efd
--- /dev/null
+++ b/src/lib/libssl/src/crypto/md4/md4test.c
@@ -0,0 +1,131 @@
+/* crypto/md4/md4test.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#ifdef NO_MD4
+int main(int argc, char *argv[])
+{
+    printf("No MD4 support\n");
+    return(0);
+}
+#else
+#include <openssl/md4.h>
+
+static char *test[]={
+        "",
+        "a",
+        "abc",
+        "message digest",
+        "abcdefghijklmnopqrstuvwxyz",
+        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
+        "12345678901234567890123456789012345678901234567890123456789012345678901234567890",
+        NULL,
+        };
+
+static char *ret[]={
+"31d6cfe0d16ae931b73c59d7e0c089c0",
+"bde52cb31de33e46245e05fbdbd6fb24",
+"a448017aaf21d8525fc10ae87aa6729d",
+"d9130a8164549fe818874806e1c7014b",
+"d79e1c308aa5bbcdeea8ed63df412da9",
+"043f8582f241db351ce627e153e7f0e4",
+"e33b4ddc9c38f2199c3e7b164fcc0536",
+};
+
+static char *pt(unsigned char *md);
+int main(int argc, char *argv[])
+        {
+        int i,err=0;
+        unsigned char **P,**R;
+        char *p;
+
+        P=(unsigned char **)test;
+        R=(unsigned char **)ret;
+        i=1;
+        while (*P != NULL)
+                {
+                p=pt(MD4(&(P[0][0]),(unsigned long)strlen((char *)*P),NULL));
+                if (strcmp(p,(char *)*R) != 0)
+                        {
+                        printf("error calculating MD4 on '%s'\n",*P);
+                        printf("got %s instead of %s\n",p,*R);
+                        err++;
+                        }
+                else
+                        printf("test %d ok\n",i);
+                i++;
+                R++;
+                P++;
+                }
+        exit(err);
+        return(0);
+        }
+
+static char *pt(unsigned char *md)
+        {
+        int i;
+        static char buf[80];
+
+        for (i=0; i<MD4_DIGEST_LENGTH; i++)
+                sprintf(&(buf[i*2]),"%02x",md[i]);
+        return(buf);
+        }
+#endif
diff --git a/src/lib/libssl/src/crypto/md5/asm/md5-sparcv9.S b/src/lib/libssl/src/crypto/md5/asm/md5-sparcv9.S
new file mode 100644
index 0000000000..ca4257f134
--- /dev/null
+++ b/src/lib/libssl/src/crypto/md5/asm/md5-sparcv9.S
@@ -0,0 +1,1029 @@
+.ident  "md5-sparcv9.S, Version 1.0"
+.ident  "SPARC V9 ISA artwork by Andy Polyakov <appro@fy.chalmers.se>"
+.file   "md5-sparcv9.S"
+
+/*
+ * ====================================================================
+ * Copyright (c) 1999 Andy Polyakov <appro@fy.chalmers.se>.
+ *
+ * Rights for redistribution and usage in source and binary forms are
+ * granted as long as above copyright notices are retained. Warranty
+ * of any kind is (of course:-) disclaimed.
+ * ====================================================================
+ */
+
+/*
+ * This is my modest contribution to OpenSSL project (see
+ * http://www.openssl.org/ for more information about it) and is an
+ * assembler implementation of MD5 block hash function. I've hand-coded
+ * this for the sole reason to reach UltraSPARC-specific "load in
+ * little-endian byte order" instruction. This gives up to 15%
+ * performance improvement for cases when input message is aligned at
+ * 32 bits boundary. The module was tested under both 32 *and* 64 bit
+ * kernels. For updates see http://fy.chalmers.se/~appro/hpe/.
+ *
+ * To compile with SC4.x/SC5.x:
+ *
+ *      cc -xarch=v[9|8plus] -DULTRASPARC -DMD5_BLOCK_DATA_ORDER \
+ *              -c md5-sparcv9.S
+ *
+ * and with gcc:
+ *
+ *      gcc -mcpu=ultrasparc -DULTRASPARC -DMD5_BLOCK_DATA_ORDER \
+ *              -c md5-sparcv9.S
+ *
+ * or if above fails (it does if you have gas):
+ *
+ *      gcc -E -DULTRASPARC -DMD5_BLOCK_DATA_ORDER md5_block.sparc.S | \
+ *              as -xarch=v8plus /dev/fd/0 -o md5-sparcv9.o
+ */
+
+#define A       %o0
+#define B       %o1
+#define C       %o2
+#define D       %o3
+#define T1      %o4
+#define T2      %o5
+
+#define R0      %l0
+#define R1      %l1
+#define R2      %l2
+#define R3      %l3
+#define R4      %l4
+#define R5      %l5
+#define R6      %l6
+#define R7      %l7
+#define R8      %i3
+#define R9      %i4
+#define R10     %i5
+#define R11     %g1
+#define R12     %g2
+#define R13     %g3
+#define RX      %g4
+
+#define Aptr    %i0+0
+#define Bptr    %i0+4
+#define Cptr    %i0+8
+#define Dptr    %i0+12
+
+#define Aval    R5      /* those not used at the end of the last round */
+#define Bval    R6
+#define Cval    R7
+#define Dval    R8
+
+#if defined(MD5_BLOCK_DATA_ORDER)
+# if defined(ULTRASPARC)
+#  define       LOAD                    lda
+#  define       X(i)                    [%i1+i*4]%asi
+#  define       md5_block               md5_block_asm_data_order_aligned
+#  define       ASI_PRIMARY_LITTLE      0x88
+# else
+#  error "MD5_BLOCK_DATA_ORDER is supported only on UltraSPARC!"
+# endif
+#else
+# define        LOAD                    ld
+# define        X(i)                    [%i1+i*4]
+# define        md5_block               md5_block_asm_host_order
+#endif
+
+.section        ".text",#alloc,#execinstr
+
+#if defined(__SUNPRO_C) && defined(__sparcv9)
+  /* They've said -xarch=v9 at command line */
+  .register     %g2,#scratch
+  .register     %g3,#scratch
+# define        FRAME   -192
+#elif defined(__GNUC__) && defined(__arch64__)
+  /* They've said -m64 at command line */
+  .register     %g2,#scratch
+  .register     %g3,#scratch
+# define        FRAME   -192
+#else
+# define        FRAME   -96
+#endif
+
+.align  32
+
+.global md5_block
+md5_block:
+        save    %sp,FRAME,%sp
+
+        ld      [Dptr],D
+        ld      [Cptr],C
+        ld      [Bptr],B
+        ld      [Aptr],A
+#ifdef ASI_PRIMARY_LITTLE
+        rd      %asi,%o7        ! How dare I? Well, I just do:-)
+        wr      %g0,ASI_PRIMARY_LITTLE,%asi
+#endif
+        LOAD    X(0),R0
+
+.Lmd5_block_loop:
+
+!!!!!!!!Round 0
+
+        xor     C,D,T1
+        sethi   %hi(0xd76aa478),T2
+        and     T1,B,T1
+        or      T2,%lo(0xd76aa478),T2   !=
+        xor     T1,D,T1
+        add     T1,R0,T1
+        LOAD    X(1),R1
+        add     T1,T2,T1                !=
+        add     A,T1,A
+        sll     A,7,T2
+        srl     A,32-7,A
+        or      A,T2,A                  !=
+         xor     B,C,T1
+        add     A,B,A
+
+        sethi   %hi(0xe8c7b756),T2
+        and     T1,A,T1                 !=
+        or      T2,%lo(0xe8c7b756),T2
+        xor     T1,C,T1
+        LOAD    X(2),R2
+        add     T1,R1,T1                !=
+        add     T1,T2,T1
+        add     D,T1,D
+        sll     D,12,T2
+        srl     D,32-12,D               !=
+        or      D,T2,D
+         xor     A,B,T1
+        add     D,A,D
+
+        sethi   %hi(0x242070db),T2      !=
+        and     T1,D,T1
+        or      T2,%lo(0x242070db),T2
+        xor     T1,B,T1
+        add     T1,R2,T1                !=
+        LOAD    X(3),R3
+        add     T1,T2,T1
+        add     C,T1,C
+        sll     C,17,T2                 !=
+        srl     C,32-17,C
+        or      C,T2,C
+         xor     D,A,T1
+        add     C,D,C                   !=
+
+        sethi   %hi(0xc1bdceee),T2
+        and     T1,C,T1
+        or      T2,%lo(0xc1bdceee),T2
+        xor     T1,A,T1                 !=
+        add     T1,R3,T1
+        LOAD    X(4),R4
+        add     T1,T2,T1
+        add     B,T1,B                  !=
+        sll     B,22,T2
+        srl     B,32-22,B
+        or      B,T2,B
+         xor     C,D,T1                 !=
+        add     B,C,B
+
+        sethi   %hi(0xf57c0faf),T2
+        and     T1,B,T1
+        or      T2,%lo(0xf57c0faf),T2   !=
+        xor     T1,D,T1
+        add     T1,R4,T1
+        LOAD    X(5),R5
+        add     T1,T2,T1                !=
+        add     A,T1,A
+        sll     A,7,T2
+        srl     A,32-7,A
+        or      A,T2,A                  !=
+         xor     B,C,T1
+        add     A,B,A
+
+        sethi   %hi(0x4787c62a),T2
+        and     T1,A,T1                 !=
+        or      T2,%lo(0x4787c62a),T2
+        xor     T1,C,T1
+        LOAD    X(6),R6
+        add     T1,R5,T1                !=
+        add     T1,T2,T1
+        add     D,T1,D
+        sll     D,12,T2
+        srl     D,32-12,D               !=
+        or      D,T2,D
+         xor     A,B,T1
+        add     D,A,D
+
+        sethi   %hi(0xa8304613),T2      !=
+        and     T1,D,T1
+        or      T2,%lo(0xa8304613),T2
+        xor     T1,B,T1
+        add     T1,R6,T1                !=
+        LOAD    X(7),R7
+        add     T1,T2,T1
+        add     C,T1,C
+        sll     C,17,T2                 !=
+        srl     C,32-17,C
+        or      C,T2,C
+         xor     D,A,T1
+        add     C,D,C                   !=
+
+        sethi   %hi(0xfd469501),T2
+        and     T1,C,T1
+        or      T2,%lo(0xfd469501),T2
+        xor     T1,A,T1                 !=
+        add     T1,R7,T1
+        LOAD    X(8),R8
+        add     T1,T2,T1
+        add     B,T1,B                  !=
+        sll     B,22,T2
+        srl     B,32-22,B
+        or      B,T2,B
+         xor     C,D,T1                 !=
+        add     B,C,B
+
+        sethi   %hi(0x698098d8),T2
+        and     T1,B,T1
+        or      T2,%lo(0x698098d8),T2   !=
+        xor     T1,D,T1
+        add     T1,R8,T1
+        LOAD    X(9),R9
+        add     T1,T2,T1                !=
+        add     A,T1,A
+        sll     A,7,T2
+        srl     A,32-7,A
+        or      A,T2,A                  !=
+         xor     B,C,T1
+        add     A,B,A
+
+        sethi   %hi(0x8b44f7af),T2
+        and     T1,A,T1                 !=
+        or      T2,%lo(0x8b44f7af),T2
+        xor     T1,C,T1
+        LOAD    X(10),R10
+        add     T1,R9,T1                !=
+        add     T1,T2,T1
+        add     D,T1,D
+        sll     D,12,T2
+        srl     D,32-12,D               !=
+        or      D,T2,D
+         xor     A,B,T1
+        add     D,A,D
+
+        sethi   %hi(0xffff5bb1),T2      !=
+        and     T1,D,T1
+        or      T2,%lo(0xffff5bb1),T2
+        xor     T1,B,T1
+        add     T1,R10,T1               !=
+        LOAD    X(11),R11
+        add     T1,T2,T1
+        add     C,T1,C
+        sll     C,17,T2                 !=
+        srl     C,32-17,C
+        or      C,T2,C
+         xor     D,A,T1
+        add     C,D,C                   !=
+
+        sethi   %hi(0x895cd7be),T2
+        and     T1,C,T1
+        or      T2,%lo(0x895cd7be),T2
+        xor     T1,A,T1                 !=
+        add     T1,R11,T1
+        LOAD    X(12),R12
+        add     T1,T2,T1
+        add     B,T1,B                  !=
+        sll     B,22,T2
+        srl     B,32-22,B
+        or      B,T2,B
+         xor     C,D,T1                 !=
+        add     B,C,B
+
+        sethi   %hi(0x6b901122),T2
+        and     T1,B,T1
+        or      T2,%lo(0x6b901122),T2   !=
+        xor     T1,D,T1
+        add     T1,R12,T1
+        LOAD    X(13),R13
+        add     T1,T2,T1                !=
+        add     A,T1,A
+        sll     A,7,T2
+        srl     A,32-7,A
+        or      A,T2,A                  !=
+         xor     B,C,T1
+        add     A,B,A
+
+        sethi   %hi(0xfd987193),T2
+        and     T1,A,T1                 !=
+        or      T2,%lo(0xfd987193),T2
+        xor     T1,C,T1
+        LOAD    X(14),RX
+        add     T1,R13,T1               !=
+        add     T1,T2,T1
+        add     D,T1,D
+        sll     D,12,T2
+        srl     D,32-12,D               !=
+        or      D,T2,D
+         xor     A,B,T1
+        add     D,A,D
+
+        sethi   %hi(0xa679438e),T2      !=
+        and     T1,D,T1
+        or      T2,%lo(0xa679438e),T2
+        xor     T1,B,T1
+        add     T1,RX,T1                !=
+        LOAD    X(15),RX
+        add     T1,T2,T1
+        add     C,T1,C
+        sll     C,17,T2                 !=
+        srl     C,32-17,C
+        or      C,T2,C
+         xor     D,A,T1
+        add     C,D,C                   !=
+
+        sethi   %hi(0x49b40821),T2
+        and     T1,C,T1
+        or      T2,%lo(0x49b40821),T2
+        xor     T1,A,T1                 !=
+        add     T1,RX,T1
+        !pre-LOADed     X(1),R1
+        add     T1,T2,T1
+        add     B,T1,B
+        sll     B,22,T2                 !=
+        srl     B,32-22,B
+        or      B,T2,B
+        add     B,C,B
+
+!!!!!!!!Round 1
+
+        xor     B,C,T1                  !=
+        sethi   %hi(0xf61e2562),T2
+        and     T1,D,T1
+        or      T2,%lo(0xf61e2562),T2
+        xor     T1,C,T1                 !=
+        add     T1,R1,T1
+        !pre-LOADed     X(6),R6
+        add     T1,T2,T1
+        add     A,T1,A
+        sll     A,5,T2                  !=
+        srl     A,32-5,A
+        or      A,T2,A
+        add     A,B,A
+
+        xor     A,B,T1                  !=
+        sethi   %hi(0xc040b340),T2
+        and     T1,C,T1
+        or      T2,%lo(0xc040b340),T2
+        xor     T1,B,T1                 !=
+        add     T1,R6,T1
+        !pre-LOADed     X(11),R11
+        add     T1,T2,T1
+        add     D,T1,D
+        sll     D,9,T2                  !=
+        srl     D,32-9,D
+        or      D,T2,D
+        add     D,A,D
+
+        xor     D,A,T1                  !=
+        sethi   %hi(0x265e5a51),T2
+        and     T1,B,T1
+        or      T2,%lo(0x265e5a51),T2
+        xor     T1,A,T1                 !=
+        add     T1,R11,T1
+        !pre-LOADed     X(0),R0
+        add     T1,T2,T1
+        add     C,T1,C
+        sll     C,14,T2                 !=
+        srl     C,32-14,C
+        or      C,T2,C
+        add     C,D,C
+
+        xor     C,D,T1                  !=
+        sethi   %hi(0xe9b6c7aa),T2
+        and     T1,A,T1
+        or      T2,%lo(0xe9b6c7aa),T2
+        xor     T1,D,T1                 !=
+        add     T1,R0,T1
+        !pre-LOADed     X(5),R5
+        add     T1,T2,T1
+        add     B,T1,B
+        sll     B,20,T2                 !=
+        srl     B,32-20,B
+        or      B,T2,B
+        add     B,C,B
+
+        xor     B,C,T1                  !=
+        sethi   %hi(0xd62f105d),T2
+        and     T1,D,T1
+        or      T2,%lo(0xd62f105d),T2
+        xor     T1,C,T1                 !=
+        add     T1,R5,T1
+        !pre-LOADed     X(10),R10
+        add     T1,T2,T1
+        add     A,T1,A
+        sll     A,5,T2                  !=
+        srl     A,32-5,A
+        or      A,T2,A
+        add     A,B,A
+
+        xor     A,B,T1                  !=
+        sethi   %hi(0x02441453),T2
+        and     T1,C,T1
+        or      T2,%lo(0x02441453),T2
+        xor     T1,B,T1                 !=
+        add     T1,R10,T1
+        LOAD    X(15),RX
+        add     T1,T2,T1
+        add     D,T1,D                  !=
+        sll     D,9,T2
+        srl     D,32-9,D
+        or      D,T2,D
+        add     D,A,D                   !=
+
+        xor     D,A,T1
+        sethi   %hi(0xd8a1e681),T2
+        and     T1,B,T1
+        or      T2,%lo(0xd8a1e681),T2   !=
+        xor     T1,A,T1
+        add     T1,RX,T1
+        !pre-LOADed     X(4),R4
+        add     T1,T2,T1
+        add     C,T1,C                  !=
+        sll     C,14,T2
+        srl     C,32-14,C
+        or      C,T2,C
+        add     C,D,C                   !=
+
+        xor     C,D,T1
+        sethi   %hi(0xe7d3fbc8),T2
+        and     T1,A,T1
+        or      T2,%lo(0xe7d3fbc8),T2   !=
+        xor     T1,D,T1
+        add     T1,R4,T1
+        !pre-LOADed     X(9),R9
+        add     T1,T2,T1
+        add     B,T1,B                  !=
+        sll     B,20,T2
+        srl     B,32-20,B
+        or      B,T2,B
+        add     B,C,B                   !=
+
+        xor     B,C,T1
+        sethi   %hi(0x21e1cde6),T2
+        and     T1,D,T1
+        or      T2,%lo(0x21e1cde6),T2   !=
+        xor     T1,C,T1
+        add     T1,R9,T1
+        LOAD    X(14),RX
+        add     T1,T2,T1                !=
+        add     A,T1,A
+        sll     A,5,T2
+        srl     A,32-5,A
+        or      A,T2,A                  !=
+        add     A,B,A
+
+        xor     A,B,T1
+        sethi   %hi(0xc33707d6),T2
+        and     T1,C,T1                 !=
+        or      T2,%lo(0xc33707d6),T2
+        xor     T1,B,T1
+        add     T1,RX,T1
+        !pre-LOADed     X(3),R3
+        add     T1,T2,T1                !=
+        add     D,T1,D
+        sll     D,9,T2
+        srl     D,32-9,D
+        or      D,T2,D                  !=
+        add     D,A,D
+
+        xor     D,A,T1
+        sethi   %hi(0xf4d50d87),T2
+        and     T1,B,T1                 !=
+        or      T2,%lo(0xf4d50d87),T2
+        xor     T1,A,T1
+        add     T1,R3,T1
+        !pre-LOADed     X(8),R8
+        add     T1,T2,T1                !=
+        add     C,T1,C
+        sll     C,14,T2
+        srl     C,32-14,C
+        or      C,T2,C                  !=
+        add     C,D,C
+
+        xor     C,D,T1
+        sethi   %hi(0x455a14ed),T2
+        and     T1,A,T1                 !=
+        or      T2,%lo(0x455a14ed),T2
+        xor     T1,D,T1
+        add     T1,R8,T1
+        !pre-LOADed     X(13),R13
+        add     T1,T2,T1                !=
+        add     B,T1,B
+        sll     B,20,T2
+        srl     B,32-20,B
+        or      B,T2,B                  !=
+        add     B,C,B
+
+        xor     B,C,T1
+        sethi   %hi(0xa9e3e905),T2
+        and     T1,D,T1                 !=
+        or      T2,%lo(0xa9e3e905),T2
+        xor     T1,C,T1
+        add     T1,R13,T1
+        !pre-LOADed     X(2),R2
+        add     T1,T2,T1                !=
+        add     A,T1,A
+        sll     A,5,T2
+        srl     A,32-5,A
+        or      A,T2,A                  !=
+        add     A,B,A
+
+        xor     A,B,T1
+        sethi   %hi(0xfcefa3f8),T2
+        and     T1,C,T1                 !=
+        or      T2,%lo(0xfcefa3f8),T2
+        xor     T1,B,T1
+        add     T1,R2,T1
+        !pre-LOADed     X(7),R7
+        add     T1,T2,T1                !=
+        add     D,T1,D
+        sll     D,9,T2
+        srl     D,32-9,D
+        or      D,T2,D                  !=
+        add     D,A,D
+
+        xor     D,A,T1
+        sethi   %hi(0x676f02d9),T2
+        and     T1,B,T1                 !=
+        or      T2,%lo(0x676f02d9),T2
+        xor     T1,A,T1
+        add     T1,R7,T1
+        !pre-LOADed     X(12),R12
+        add     T1,T2,T1                !=
+        add     C,T1,C
+        sll     C,14,T2
+        srl     C,32-14,C
+        or      C,T2,C                  !=
+        add     C,D,C
+
+        xor     C,D,T1
+        sethi   %hi(0x8d2a4c8a),T2
+        and     T1,A,T1                 !=
+        or      T2,%lo(0x8d2a4c8a),T2
+        xor     T1,D,T1
+        add     T1,R12,T1
+        !pre-LOADed     X(5),R5
+        add     T1,T2,T1                !=
+        add     B,T1,B
+        sll     B,20,T2
+        srl     B,32-20,B
+        or      B,T2,B                  !=
+        add     B,C,B
+
+!!!!!!!!Round 2
+
+        xor     B,C,T1
+        sethi   %hi(0xfffa3942),T2
+        xor     T1,D,T1                 !=
+        or      T2,%lo(0xfffa3942),T2
+        add     T1,R5,T1
+        !pre-LOADed     X(8),R8
+        add     T1,T2,T1
+        add     A,T1,A                  !=
+        sll     A,4,T2
+        srl     A,32-4,A
+        or      A,T2,A
+        add     A,B,A                   !=
+
+        xor     A,B,T1
+        sethi   %hi(0x8771f681),T2
+        xor     T1,C,T1
+        or      T2,%lo(0x8771f681),T2   !=
+        add     T1,R8,T1
+        !pre-LOADed     X(11),R11
+        add     T1,T2,T1
+        add     D,T1,D
+        sll     D,11,T2                 !=
+        srl     D,32-11,D
+        or      D,T2,D
+        add     D,A,D
+
+        xor     D,A,T1                  !=
+        sethi   %hi(0x6d9d6122),T2
+        xor     T1,B,T1
+        or      T2,%lo(0x6d9d6122),T2
+        add     T1,R11,T1               !=
+        LOAD    X(14),RX
+        add     T1,T2,T1
+        add     C,T1,C
+        sll     C,16,T2                 !=
+        srl     C,32-16,C
+        or      C,T2,C
+        add     C,D,C
+
+        xor     C,D,T1                  !=
+        sethi   %hi(0xfde5380c),T2
+        xor     T1,A,T1
+        or      T2,%lo(0xfde5380c),T2
+        add     T1,RX,T1                !=
+        !pre-LOADed     X(1),R1
+        add     T1,T2,T1
+        add     B,T1,B
+        sll     B,23,T2
+        srl     B,32-23,B               !=
+        or      B,T2,B
+        add     B,C,B
+
+        xor     B,C,T1
+        sethi   %hi(0xa4beea44),T2      !=
+        xor     T1,D,T1
+        or      T2,%lo(0xa4beea44),T2
+        add     T1,R1,T1
+        !pre-LOADed     X(4),R4
+        add     T1,T2,T1                !=
+        add     A,T1,A
+        sll     A,4,T2
+        srl     A,32-4,A
+        or      A,T2,A                  !=
+        add     A,B,A
+
+        xor     A,B,T1
+        sethi   %hi(0x4bdecfa9),T2
+        xor     T1,C,T1                 !=
+        or      T2,%lo(0x4bdecfa9),T2
+        add     T1,R4,T1
+        !pre-LOADed     X(7),R7
+        add     T1,T2,T1
+        add     D,T1,D                  !=
+        sll     D,11,T2
+        srl     D,32-11,D
+        or      D,T2,D
+        add     D,A,D                   !=
+
+        xor     D,A,T1
+        sethi   %hi(0xf6bb4b60),T2
+        xor     T1,B,T1
+        or      T2,%lo(0xf6bb4b60),T2   !=
+        add     T1,R7,T1
+        !pre-LOADed     X(10),R10
+        add     T1,T2,T1
+        add     C,T1,C
+        sll     C,16,T2                 !=
+        srl     C,32-16,C
+        or      C,T2,C
+        add     C,D,C
+
+        xor     C,D,T1                  !=
+        sethi   %hi(0xbebfbc70),T2
+        xor     T1,A,T1
+        or      T2,%lo(0xbebfbc70),T2
+        add     T1,R10,T1               !=
+        !pre-LOADed     X(13),R13
+        add     T1,T2,T1
+        add     B,T1,B
+        sll     B,23,T2
+        srl     B,32-23,B               !=
+        or      B,T2,B
+        add     B,C,B
+
+        xor     B,C,T1
+        sethi   %hi(0x289b7ec6),T2      !=
+        xor     T1,D,T1
+        or      T2,%lo(0x289b7ec6),T2
+        add     T1,R13,T1
+        !pre-LOADed     X(0),R0
+        add     T1,T2,T1                !=
+        add     A,T1,A
+        sll     A,4,T2
+        srl     A,32-4,A
+        or      A,T2,A                  !=
+        add     A,B,A
+
+        xor     A,B,T1
+        sethi   %hi(0xeaa127fa),T2
+        xor     T1,C,T1                 !=
+        or      T2,%lo(0xeaa127fa),T2
+        add     T1,R0,T1
+        !pre-LOADed     X(3),R3
+        add     T1,T2,T1
+        add     D,T1,D                  !=
+        sll     D,11,T2
+        srl     D,32-11,D
+        or      D,T2,D
+        add     D,A,D                   !=
+
+        xor     D,A,T1
+        sethi   %hi(0xd4ef3085),T2
+        xor     T1,B,T1
+        or      T2,%lo(0xd4ef3085),T2   !=
+        add     T1,R3,T1
+        !pre-LOADed     X(6),R6
+        add     T1,T2,T1
+        add     C,T1,C
+        sll     C,16,T2                 !=
+        srl     C,32-16,C
+        or      C,T2,C
+        add     C,D,C
+
+        xor     C,D,T1                  !=
+        sethi   %hi(0x04881d05),T2
+        xor     T1,A,T1
+        or      T2,%lo(0x04881d05),T2
+        add     T1,R6,T1                !=
+        !pre-LOADed     X(9),R9
+        add     T1,T2,T1
+        add     B,T1,B
+        sll     B,23,T2
+        srl     B,32-23,B               !=
+        or      B,T2,B
+        add     B,C,B
+
+        xor     B,C,T1
+        sethi   %hi(0xd9d4d039),T2      !=
+        xor     T1,D,T1
+        or      T2,%lo(0xd9d4d039),T2
+        add     T1,R9,T1
+        !pre-LOADed     X(12),R12
+        add     T1,T2,T1                !=
+        add     A,T1,A
+        sll     A,4,T2
+        srl     A,32-4,A
+        or      A,T2,A                  !=
+        add     A,B,A
+
+        xor     A,B,T1
+        sethi   %hi(0xe6db99e5),T2
+        xor     T1,C,T1                 !=
+        or      T2,%lo(0xe6db99e5),T2
+        add     T1,R12,T1
+        LOAD    X(15),RX
+        add     T1,T2,T1                !=
+        add     D,T1,D
+        sll     D,11,T2
+        srl     D,32-11,D
+        or      D,T2,D                  !=
+        add     D,A,D
+
+        xor     D,A,T1
+        sethi   %hi(0x1fa27cf8),T2
+        xor     T1,B,T1                 !=
+        or      T2,%lo(0x1fa27cf8),T2
+        add     T1,RX,T1
+        !pre-LOADed     X(2),R2
+        add     T1,T2,T1
+        add     C,T1,C                  !=
+        sll     C,16,T2
+        srl     C,32-16,C
+        or      C,T2,C
+        add     C,D,C                   !=
+
+        xor     C,D,T1
+        sethi   %hi(0xc4ac5665),T2
+        xor     T1,A,T1
+        or      T2,%lo(0xc4ac5665),T2   !=
+        add     T1,R2,T1
+        !pre-LOADed     X(0),R0
+        add     T1,T2,T1
+        add     B,T1,B
+        sll     B,23,T2                 !=
+        srl     B,32-23,B
+        or      B,T2,B
+        add     B,C,B
+
+!!!!!!!!Round 3
+
+        orn     B,D,T1                  !=
+        sethi   %hi(0xf4292244),T2
+        xor     T1,C,T1
+        or      T2,%lo(0xf4292244),T2
+        add     T1,R0,T1                !=
+        !pre-LOADed     X(7),R7
+        add     T1,T2,T1
+        add     A,T1,A
+        sll     A,6,T2
+        srl     A,32-6,A                !=
+        or      A,T2,A
+        add     A,B,A
+
+        orn     A,C,T1
+        sethi   %hi(0x432aff97),T2      !=
+        xor     T1,B,T1
+        or      T2,%lo(0x432aff97),T2
+        LOAD    X(14),RX
+        add     T1,R7,T1                !=
+        add     T1,T2,T1
+        add     D,T1,D
+        sll     D,10,T2
+        srl     D,32-10,D               !=
+        or      D,T2,D
+        add     D,A,D
+
+        orn     D,B,T1
+        sethi   %hi(0xab9423a7),T2      !=
+        xor     T1,A,T1
+        or      T2,%lo(0xab9423a7),T2
+        add     T1,RX,T1
+        !pre-LOADed     X(5),R5
+        add     T1,T2,T1                !=
+        add     C,T1,C
+        sll     C,15,T2
+        srl     C,32-15,C
+        or      C,T2,C                  !=
+        add     C,D,C
+
+        orn     C,A,T1
+        sethi   %hi(0xfc93a039),T2
+        xor     T1,D,T1                 !=
+        or      T2,%lo(0xfc93a039),T2
+        add     T1,R5,T1
+        !pre-LOADed     X(12),R12
+        add     T1,T2,T1
+        add     B,T1,B                  !=
+        sll     B,21,T2
+        srl     B,32-21,B
+        or      B,T2,B
+        add     B,C,B                   !=
+
+        orn     B,D,T1
+        sethi   %hi(0x655b59c3),T2
+        xor     T1,C,T1
+        or      T2,%lo(0x655b59c3),T2   !=
+        add     T1,R12,T1
+        !pre-LOADed     X(3),R3
+        add     T1,T2,T1
+        add     A,T1,A
+        sll     A,6,T2                  !=
+        srl     A,32-6,A
+        or      A,T2,A
+        add     A,B,A
+
+        orn     A,C,T1                  !=
+        sethi   %hi(0x8f0ccc92),T2
+        xor     T1,B,T1
+        or      T2,%lo(0x8f0ccc92),T2
+        add     T1,R3,T1                !=
+        !pre-LOADed     X(10),R10
+        add     T1,T2,T1
+        add     D,T1,D
+        sll     D,10,T2
+        srl     D,32-10,D               !=
+        or      D,T2,D
+        add     D,A,D
+
+        orn     D,B,T1
+        sethi   %hi(0xffeff47d),T2      !=
+        xor     T1,A,T1
+        or      T2,%lo(0xffeff47d),T2
+        add     T1,R10,T1
+        !pre-LOADed     X(1),R1
+        add     T1,T2,T1                !=
+        add     C,T1,C
+        sll     C,15,T2
+        srl     C,32-15,C
+        or      C,T2,C                  !=
+        add     C,D,C
+
+        orn     C,A,T1
+        sethi   %hi(0x85845dd1),T2
+        xor     T1,D,T1                 !=
+        or      T2,%lo(0x85845dd1),T2
+        add     T1,R1,T1
+        !pre-LOADed     X(8),R8
+        add     T1,T2,T1
+        add     B,T1,B                  !=
+        sll     B,21,T2
+        srl     B,32-21,B
+        or      B,T2,B
+        add     B,C,B                   !=
+
+        orn     B,D,T1
+        sethi   %hi(0x6fa87e4f),T2
+        xor     T1,C,T1
+        or      T2,%lo(0x6fa87e4f),T2   !=
+        add     T1,R8,T1
+        LOAD    X(15),RX
+        add     T1,T2,T1
+        add     A,T1,A                  !=
+        sll     A,6,T2
+        srl     A,32-6,A
+        or      A,T2,A
+        add     A,B,A                   !=
+
+        orn     A,C,T1
+        sethi   %hi(0xfe2ce6e0),T2
+        xor     T1,B,T1
+        or      T2,%lo(0xfe2ce6e0),T2   !=
+        add     T1,RX,T1
+        !pre-LOADed     X(6),R6
+        add     T1,T2,T1
+        add     D,T1,D
+        sll     D,10,T2                 !=
+        srl     D,32-10,D
+        or      D,T2,D
+        add     D,A,D
+
+        orn     D,B,T1                  !=
+        sethi   %hi(0xa3014314),T2
+        xor     T1,A,T1
+        or      T2,%lo(0xa3014314),T2
+        add     T1,R6,T1                !=
+        !pre-LOADed     X(13),R13
+        add     T1,T2,T1
+        add     C,T1,C
+        sll     C,15,T2
+        srl     C,32-15,C               !=
+        or      C,T2,C
+        add     C,D,C
+
+        orn     C,A,T1
+        sethi   %hi(0x4e0811a1),T2      !=
+        xor     T1,D,T1
+        or      T2,%lo(0x4e0811a1),T2
+        !pre-LOADed     X(4),R4
+         ld      [Aptr],Aval
+        add     T1,R13,T1               !=
+        add     T1,T2,T1
+        add     B,T1,B
+        sll     B,21,T2
+        srl     B,32-21,B               !=
+        or      B,T2,B
+        add     B,C,B
+
+        orn     B,D,T1
+        sethi   %hi(0xf7537e82),T2      !=
+        xor     T1,C,T1
+        or      T2,%lo(0xf7537e82),T2
+        !pre-LOADed     X(11),R11
+         ld      [Dptr],Dval
+        add     T1,R4,T1                !=
+        add     T1,T2,T1
+        add     A,T1,A
+        sll     A,6,T2
+        srl     A,32-6,A                !=
+        or      A,T2,A
+        add     A,B,A
+
+        orn     A,C,T1
+        sethi   %hi(0xbd3af235),T2      !=
+        xor     T1,B,T1
+        or      T2,%lo(0xbd3af235),T2
+        !pre-LOADed     X(2),R2
+         ld      [Cptr],Cval
+        add     T1,R11,T1               !=
+        add     T1,T2,T1
+        add     D,T1,D
+        sll     D,10,T2
+        srl     D,32-10,D               !=
+        or      D,T2,D
+        add     D,A,D
+
+        orn     D,B,T1
+        sethi   %hi(0x2ad7d2bb),T2      !=
+        xor     T1,A,T1
+        or      T2,%lo(0x2ad7d2bb),T2
+        !pre-LOADed     X(9),R9
+         ld      [Bptr],Bval
+        add     T1,R2,T1                !=
+         add     Aval,A,Aval
+        add     T1,T2,T1
+         st      Aval,[Aptr]
+        add     C,T1,C                  !=
+        sll     C,15,T2
+         add     Dval,D,Dval
+        srl     C,32-15,C
+        or      C,T2,C                  !=
+         st      Dval,[Dptr]
+        add     C,D,C
+
+        orn     C,A,T1
+        sethi   %hi(0xeb86d391),T2      !=
+        xor     T1,D,T1
+        or      T2,%lo(0xeb86d391),T2
+        add     T1,R9,T1
+        !pre-LOADed     X(0),R0
+         mov     Aval,A                 !=
+        add     T1,T2,T1
+         mov     Dval,D
+        add     B,T1,B
+        sll     B,21,T2                 !=
+         add     Cval,C,Cval
+        srl     B,32-21,B
+         st      Cval,[Cptr]
+        or      B,T2,B                  !=
+        add     B,C,B
+
+        deccc   %i2
+        mov     Cval,C
+        add     B,Bval,B                !=
+        inc     64,%i1
+        nop
+        st      B,[Bptr]
+        nop                             !=
+
+#ifdef  ULTRASPARC
+        bg,a,pt %icc,.Lmd5_block_loop
+#else
+        bg,a    .Lmd5_block_loop
+#endif
+        LOAD    X(0),R0
+
+#ifdef ASI_PRIMARY_LITTLE
+        wr      %g0,%o7,%asi
+#endif
+        ret
+        restore %g0,0,%o0
+
+.type   md5_block,#function
+.size   md5_block,(.-md5_block)
diff --git a/src/lib/libssl/src/crypto/mem_dbg.c b/src/lib/libssl/src/crypto/mem_dbg.c
new file mode 100644
index 0000000000..14770c0733
--- /dev/null
+++ b/src/lib/libssl/src/crypto/mem_dbg.c
@@ -0,0 +1,703 @@
+/* crypto/mem_dbg.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>       
+#include <openssl/crypto.h>
+#include <openssl/buffer.h>
+#include <openssl/bio.h>
+#include <openssl/lhash.h>
+#include "cryptlib.h"
+
+static int mh_mode=CRYPTO_MEM_CHECK_OFF;
+/* The state changes to CRYPTO_MEM_CHECK_ON | CRYPTO_MEM_CHECK_ENABLE
+ * when the application asks for it (usually after library initialisation
+ * for which no book-keeping is desired).
+ *
+ * State CRYPTO_MEM_CHECK_ON exists only temporarily when the library
+ * thinks that certain allocations should not be checked (e.g. the data
+ * structures used for memory checking).  It is not suitable as an initial
+ * state: the library will unexpectedly enable memory checking when it
+ * executes one of those sections that want to disable checking
+ * temporarily.
+ *
+ * State CRYPTO_MEM_CHECK_ENABLE without ..._ON makes no sense whatsoever.
+ */
+
+static unsigned long order = 0; /* number of memory requests */
+static LHASH *mh=NULL; /* hash-table of memory requests (address as key) */
+
+
+typedef struct app_mem_info_st
+/* For application-defined information (static C-string `info')
+ * to be displayed in memory leak list.
+ * Each thread has its own stack.  For applications, there is
+ *   CRYPTO_push_info("...")     to push an entry,
+ *   CRYPTO_pop_info()           to pop an entry,
+ *   CRYPTO_remove_all_info()    to pop all entries.
+ */
+        {       
+        unsigned long thread;
+        const char *file;
+        int line;
+        const char *info;
+        struct app_mem_info_st *next; /* tail of thread's stack */
+        int references;
+        } APP_INFO;
+
+static LHASH *amih=NULL; /* hash-table with those app_mem_info_st's
+                          * that are at the top of their thread's stack
+                          * (with `thread' as key) */
+
+typedef struct mem_st
+/* memory-block description */
+        {
+        char *addr;
+        int num;
+        const char *file;
+        int line;
+        unsigned long thread;
+        unsigned long order;
+        time_t time;
+        APP_INFO *app_info;
+        } MEM;
+
+static long options =             /* extra information to be recorded */
+#if defined(CRYPTO_MDEBUG_TIME) || defined(CRYPTO_MDEBUG_ALL)
+        V_CRYPTO_MDEBUG_TIME |
+#endif
+#if defined(CRYPTO_MDEBUG_THREAD) || defined(CRYPTO_MDEBUG_ALL)
+        V_CRYPTO_MDEBUG_THREAD |
+#endif
+        0;
+
+
+static unsigned long disabling_thread = 0;
+
+int CRYPTO_mem_ctrl(int mode)
+        {
+        int ret=mh_mode;
+
+        CRYPTO_w_lock(CRYPTO_LOCK_MALLOC);
+        switch (mode)
+                {
+        /* for applications: */
+        case CRYPTO_MEM_CHECK_ON: /* aka MemCheck_start() */
+                mh_mode = CRYPTO_MEM_CHECK_ON|CRYPTO_MEM_CHECK_ENABLE;
+                disabling_thread = 0;
+                break;
+        case CRYPTO_MEM_CHECK_OFF: /* aka MemCheck_stop() */
+                mh_mode = 0;
+                disabling_thread = 0;
+                break;
+
+        /* switch off temporarily (for library-internal use): */
+        case CRYPTO_MEM_CHECK_DISABLE: /* aka MemCheck_off() */
+                if (mh_mode & CRYPTO_MEM_CHECK_ON)
+                        {
+                        mh_mode&= ~CRYPTO_MEM_CHECK_ENABLE;
+                        if (disabling_thread != CRYPTO_thread_id()) /* otherwise we already have the MALLOC2 lock */
+                                {
+                                /* Long-time lock CRYPTO_LOCK_MALLOC2 must not be claimed while
+                                 * we're holding CRYPTO_LOCK_MALLOC, or we'll deadlock if
+                                 * somebody else holds CRYPTO_LOCK_MALLOC2 (and cannot release
+                                 * it because we block entry to this function).
+                                 * Give them a chance, first, and then claim the locks in
+                                 * appropriate order (long-time lock first).
+                                 */
+                                CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC);
+                                /* Note that after we have waited for CRYPTO_LOCK_MALLOC2
+                                 * and CRYPTO_LOCK_MALLOC, we'll still be in the right
+                                 * "case" and "if" branch because MemCheck_start and
+                                 * MemCheck_stop may never be used while there are multiple
+                                 * OpenSSL threads. */
+                                CRYPTO_w_lock(CRYPTO_LOCK_MALLOC2);
+                                CRYPTO_w_lock(CRYPTO_LOCK_MALLOC);
+                                disabling_thread=CRYPTO_thread_id();
+                                }
+                        }
+                break;
+        case CRYPTO_MEM_CHECK_ENABLE: /* aka MemCheck_on() */
+                if (mh_mode & CRYPTO_MEM_CHECK_ON)
+                        {
+                        mh_mode|=CRYPTO_MEM_CHECK_ENABLE;
+                        if (disabling_thread != 0)
+                                {
+                                disabling_thread=0;
+                                CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC2);
+                                }
+                        }
+                break;
+
+        default:
+                break;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC);
+        return(ret);
+        }
+
+int CRYPTO_is_mem_check_on(void)
+        {
+        int ret = 0;
+
+        if (mh_mode & CRYPTO_MEM_CHECK_ON)
+                {
+                CRYPTO_w_lock(CRYPTO_LOCK_MALLOC);
+
+                ret = (mh_mode & CRYPTO_MEM_CHECK_ENABLE)
+                        && disabling_thread != CRYPTO_thread_id();
+
+                CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC);
+                }
+        return(ret);
+        }       
+
+
+void CRYPTO_dbg_set_options(long bits)
+        {
+        options = bits;
+        }
+
+long CRYPTO_dbg_get_options(void)
+        {
+        return options;
+        }
+
+static int mem_cmp(MEM *a, MEM *b)
+        {
+        return(a->addr - b->addr);
+        }
+
+static unsigned long mem_hash(MEM *a)
+        {
+        unsigned long ret;
+
+        ret=(unsigned long)a->addr;
+
+        ret=ret*17851+(ret>>14)*7+(ret>>4)*251;
+        return(ret);
+        }
+
+static int app_info_cmp(APP_INFO *a, APP_INFO *b)
+        {
+        return(a->thread != b->thread);
+        }
+
+static unsigned long app_info_hash(APP_INFO *a)
+        {
+        unsigned long ret;
+
+        ret=(unsigned long)a->thread;
+
+        ret=ret*17851+(ret>>14)*7+(ret>>4)*251;
+        return(ret);
+        }
+
+static APP_INFO *pop_info()
+        {
+        APP_INFO tmp;
+        APP_INFO *ret = NULL;
+
+        if (amih != NULL)
+                {
+                tmp.thread=CRYPTO_thread_id();
+                if ((ret=(APP_INFO *)lh_delete(amih,&tmp)) != NULL)
+                        {
+                        APP_INFO *next=ret->next;
+
+                        if (next != NULL)
+                                {
+                                next->references++;
+                                lh_insert(amih,(char *)next);
+                                }
+#ifdef LEVITTE_DEBUG
+                        if (ret->thread != tmp.thread)
+                                {
+                                fprintf(stderr, "pop_info(): deleted info has other thread ID (%lu) than the current thread (%lu)!!!!\n",
+                                        ret->thread, tmp.thread);
+                                abort();
+                                }
+#endif
+                        if (--(ret->references) <= 0)
+                                {
+                                ret->next = NULL;
+                                if (next != NULL)
+                                        next->references--;
+                                Free(ret);
+                                }
+                        }
+                }
+        return(ret);
+        }
+
+int CRYPTO_push_info_(const char *info, const char *file, int line)
+        {
+        APP_INFO *ami, *amim;
+        int ret=0;
+
+        if (is_MemCheck_on())
+                {
+                MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */
+
+                if ((ami = (APP_INFO *)Malloc(sizeof(APP_INFO))) == NULL)
+                        {
+                        ret=0;
+                        goto err;
+                        }
+                if (amih == NULL)
+                        {
+                        if ((amih=lh_new(app_info_hash,app_info_cmp)) == NULL)
+                                {
+                                Free(ami);
+                                ret=0;
+                                goto err;
+                                }
+                        }
+
+                ami->thread=CRYPTO_thread_id();
+                ami->file=file;
+                ami->line=line;
+                ami->info=info;
+                ami->references=1;
+                ami->next=NULL;
+
+                if ((amim=(APP_INFO *)lh_insert(amih,(char *)ami)) != NULL)
+                        {
+#ifdef LEVITTE_DEBUG
+                        if (ami->thread != amim->thread)
+                                {
+                                fprintf(stderr, "CRYPTO_push_info(): previous info has other thread ID (%lu) than the current thread (%lu)!!!!\n",
+                                        amim->thread, ami->thread);
+                                abort();
+                                }
+#endif
+                        ami->next=amim;
+                        }
+ err:
+                MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+                }
+
+        return(ret);
+        }
+
+int CRYPTO_pop_info(void)
+        {
+        int ret=0;
+
+        if (is_MemCheck_on()) /* _must_ be true, or something went severely wrong */
+                {
+                MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */
+
+                ret=(pop_info() != NULL);
+
+                MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+                }
+        return(ret);
+        }
+
+int CRYPTO_remove_all_info(void)
+        {
+        int ret=0;
+
+        if (is_MemCheck_on()) /* _must_ be true */
+                {
+                MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */
+
+                while(pop_info() != NULL)
+                        ret++;
+
+                MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+                }
+        return(ret);
+        }
+
+
+static unsigned long break_order_num=0;
+void CRYPTO_dbg_malloc(void *addr, int num, const char *file, int line,
+        int before_p)
+        {
+        MEM *m,*mm;
+        APP_INFO tmp,*amim;
+
+        switch(before_p & 127)
+                {
+        case 0:
+                break;
+        case 1:
+                if (addr == NULL)
+                        break;
+
+                if (is_MemCheck_on())
+                        {
+                        MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */
+                        if ((m=(MEM *)Malloc(sizeof(MEM))) == NULL)
+                                {
+                                Free(addr);
+                                MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+                                return;
+                                }
+                        if (mh == NULL)
+                                {
+                                if ((mh=lh_new(mem_hash,mem_cmp)) == NULL)
+                                        {
+                                        Free(addr);
+                                        Free(m);
+                                        addr=NULL;
+                                        goto err;
+                                        }
+                                }
+
+                        m->addr=addr;
+                        m->file=file;
+                        m->line=line;
+                        m->num=num;
+                        if (options & V_CRYPTO_MDEBUG_THREAD)
+                                m->thread=CRYPTO_thread_id();
+                        else
+                                m->thread=0;
+
+                        if (order == break_order_num)
+                                {
+                                /* BREAK HERE */
+                                m->order=order;
+                                }
+                        m->order=order++;
+#ifdef LEVITTE_DEBUG
+                        fprintf(stderr, "LEVITTE_DEBUG: [%5d] %c 0x%p (%d)\n",
+                                m->order,
+                                (before_p & 128) ? '*' : '+',
+                                m->addr, m->num);
+#endif
+                        if (options & V_CRYPTO_MDEBUG_TIME)
+                                m->time=time(NULL);
+                        else
+                                m->time=0;
+
+                        tmp.thread=CRYPTO_thread_id();
+                        m->app_info=NULL;
+                        if (amih != NULL
+                                && (amim=(APP_INFO *)lh_retrieve(amih,(char *)&tmp)) != NULL)
+                                {
+                                m->app_info = amim;
+                                amim->references++;
+                                }
+
+                        if ((mm=(MEM *)lh_insert(mh,(char *)m)) != NULL)
+                                {
+                                /* Not good, but don't sweat it */
+                                if (mm->app_info != NULL)
+                                        {
+                                        mm->app_info->references--;
+                                        }
+                                Free(mm);
+                                }
+                err:
+                        MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+                        }
+                break;
+                }
+        return;
+        }
+
+void CRYPTO_dbg_free(void *addr, int before_p)
+        {
+        MEM m,*mp;
+
+        switch(before_p)
+                {
+        case 0:
+                if (addr == NULL)
+                        break;
+
+                if (is_MemCheck_on() && (mh != NULL))
+                        {
+                        MemCheck_off();
+
+                        m.addr=addr;
+                        mp=(MEM *)lh_delete(mh,(char *)&m);
+                        if (mp != NULL)
+                                {
+#ifdef LEVITTE_DEBUG
+                        fprintf(stderr, "LEVITTE_DEBUG: [%5d] - 0x%p (%d)\n",
+                                mp->order, mp->addr, mp->num);
+#endif
+                                if (mp->app_info != NULL)
+                                        {
+                                        mp->app_info->references--;
+                                        }
+                                Free(mp);
+                                }
+
+                        MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+                        }
+                break;
+        case 1:
+                break;
+                }
+        }
+
+void CRYPTO_dbg_realloc(void *addr1, void *addr2, int num,
+        const char *file, int line, int before_p)
+        {
+        MEM m,*mp;
+
+#ifdef LEVITTE_DEBUG
+        fprintf(stderr, "LEVITTE_DEBUG: --> CRYPTO_dbg_malloc(addr1 = %p, addr2 = %p, num = %d, file = \"%s\", line = %d, before_p = %d)\n",
+                addr1, addr2, num, file, line, before_p);
+#endif
+
+        switch(before_p)
+                {
+        case 0:
+                break;
+        case 1:
+                if (addr2 == NULL)
+                        break;
+
+                if (addr1 == NULL)
+                        {
+                        CRYPTO_dbg_malloc(addr2, num, file, line, 128 | before_p);
+                        break;
+                        }
+
+                if (is_MemCheck_on())
+                        {
+                        MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */
+
+                        m.addr=addr1;
+                        mp=(MEM *)lh_delete(mh,(char *)&m);
+                        if (mp != NULL)
+                                {
+#ifdef LEVITTE_DEBUG
+                                fprintf(stderr, "LEVITTE_DEBUG: [%5d] * 0x%p (%d) -> 0x%p (%d)\n",
+                                        mp->order,
+                                        mp->addr, mp->num,
+                                        addr2, num);
+#endif
+                                mp->addr=addr2;
+                                mp->num=num;
+                                lh_insert(mh,(char *)mp);
+                                }
+
+                        MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */
+                        }
+                break;
+                }
+        return;
+        }
+
+
+typedef struct mem_leak_st
+        {
+        BIO *bio;
+        int chunks;
+        long bytes;
+        } MEM_LEAK;
+
+static void print_leak(MEM *m, MEM_LEAK *l)
+        {
+        char buf[1024];
+        char *bufp = buf;
+        APP_INFO *amip;
+        int ami_cnt;
+        struct tm *lcl = NULL;
+        unsigned long ti;
+
+        if(m->addr == (char *)l->bio)
+            return;
+
+        if (options & V_CRYPTO_MDEBUG_TIME)
+                {
+                lcl = localtime(&m->time);
+        
+                sprintf(bufp, "[%02d:%02d:%02d] ",
+                        lcl->tm_hour,lcl->tm_min,lcl->tm_sec);
+                bufp += strlen(bufp);
+                }
+
+        sprintf(bufp, "%5lu file=%s, line=%d, ",
+                m->order,m->file,m->line);
+        bufp += strlen(bufp);
+
+        if (options & V_CRYPTO_MDEBUG_THREAD)
+                {
+                sprintf(bufp, "thread=%lu, ", m->thread);
+                bufp += strlen(bufp);
+                }
+
+        sprintf(bufp, "number=%d, address=%08lX\n",
+                m->num,(unsigned long)m->addr);
+        bufp += strlen(bufp);
+
+        BIO_puts(l->bio,buf);
+        
+        l->chunks++;
+        l->bytes+=m->num;
+
+        amip=m->app_info;
+        ami_cnt=0;
+        if (!amip)
+                return;
+        ti=amip->thread;
+        
+        do
+                {
+                int buf_len;
+                int info_len;
+
+                ami_cnt++;
+                memset(buf,'>',ami_cnt);
+                sprintf(buf + ami_cnt,
+                        " thread=%lu, file=%s, line=%d, info=\"",
+                        amip->thread, amip->file, amip->line);
+                buf_len=strlen(buf);
+                info_len=strlen(amip->info);
+                if (128 - buf_len - 3 < info_len)
+                        {
+                        memcpy(buf + buf_len, amip->info, 128 - buf_len - 3);
+                        buf_len = 128 - 3;
+                        }
+                else
+                        {
+                        strcpy(buf + buf_len, amip->info);
+                        buf_len = strlen(buf);
+                        }
+                sprintf(buf + buf_len, "\"\n");
+                
+                BIO_puts(l->bio,buf);
+
+                amip = amip->next;
+                }
+        while(amip && amip->thread == ti);
+                
+#ifdef LEVITTE_DEBUG
+        if (amip)
+                {
+                fprintf(stderr, "Thread switch detected in backtrace!!!!\n");
+                abort();
+                }
+#endif
+        }
+
+void CRYPTO_mem_leaks(BIO *b)
+        {
+        MEM_LEAK ml;
+        char buf[80];
+
+        if (mh == NULL) return;
+        ml.bio=b;
+        ml.bytes=0;
+        ml.chunks=0;
+        CRYPTO_w_lock(CRYPTO_LOCK_MALLOC2);
+        lh_doall_arg(mh,(void (*)())print_leak,(char *)&ml);
+        CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC2);
+        if (ml.chunks != 0)
+                {
+                sprintf(buf,"%ld bytes leaked in %d chunks\n",
+                        ml.bytes,ml.chunks);
+                BIO_puts(b,buf);
+                }
+
+#if 0
+        lh_stats_bio(mh,b);
+        lh_node_stats_bio(mh,b);
+        lh_node_usage_stats_bio(mh,b);
+#endif
+        }
+
+union void_fn_to_char_u
+        {
+        char *char_p;
+        void (*fn_p)();
+        };
+
+static void cb_leak(MEM *m, char *cb)
+        {
+        union void_fn_to_char_u mem_callback;
+
+        mem_callback.char_p=cb;
+        mem_callback.fn_p(m->order,m->file,m->line,m->num,m->addr);
+        }
+
+void CRYPTO_mem_leaks_cb(void (*cb)())
+        {
+        union void_fn_to_char_u mem_cb;
+
+        if (mh == NULL) return;
+        CRYPTO_w_lock(CRYPTO_LOCK_MALLOC2);
+        mem_cb.fn_p=cb;
+        lh_doall_arg(mh,(void (*)())cb_leak,mem_cb.char_p);
+        mem_cb.char_p=NULL;
+        CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC2);
+        }
+
+#ifndef NO_FP_API
+void CRYPTO_mem_leaks_fp(FILE *fp)
+        {
+        BIO *b;
+
+        if (mh == NULL) return;
+        if ((b=BIO_new(BIO_s_file())) == NULL)
+                return;
+        BIO_set_fp(b,fp,BIO_NOCLOSE);
+        CRYPTO_mem_leaks(b);
+        BIO_free(b);
+        }
+#endif
+
diff --git a/src/lib/libssl/src/crypto/o_time.c b/src/lib/libssl/src/crypto/o_time.c
new file mode 100644
index 0000000000..1bc0297b36
--- /dev/null
+++ b/src/lib/libssl/src/crypto/o_time.c
@@ -0,0 +1,203 @@
+/* crypto/o_time.c -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/e_os2.h>
+#include <string.h>
+#include "o_time.h"
+
+#ifdef OPENSSL_SYS_VMS
+# include <libdtdef.h>
+# include <lib$routines.h>
+# include <lnmdef.h>
+# include <starlet.h>
+# include <descrip.h>
+# include <stdlib.h>
+#endif
+
+struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
+        {
+        struct tm *ts = NULL;
+
+#if defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_OS2) && !defined(__CYGWIN32__) && (!defined(OPENSSL_SYS_VMS) || defined(gmtime_r)) && !defined(OPENSSL_SYS_MACOSX)
+        /* should return &data, but doesn't on some systems,
+           so we don't even look at the return value */
+        gmtime_r(timer,result);
+        ts = result;
+#elif !defined(OPENSSL_SYS_VMS)
+        ts = gmtime(timer);
+        memcpy(result, ts, sizeof(struct tm));
+        ts = result;
+#endif
+#ifdef OPENSSL_SYS_VMS
+        if (ts == NULL)
+                {
+                static $DESCRIPTOR(tabnam,"LNM$DCL_LOGICAL");
+                static $DESCRIPTOR(lognam,"SYS$TIMEZONE_DIFFERENTIAL");
+                char logvalue[256];
+                unsigned int reslen = 0;
+                struct {
+                        short buflen;
+                        short code;
+                        void *bufaddr;
+                        unsigned int *reslen;
+                } itemlist[] = {
+                        { 0, LNM$_STRING, 0, 0 },
+                        { 0, 0, 0, 0 },
+                };
+                int status;
+                time_t t;
+
+                /* Get the value for SYS$TIMEZONE_DIFFERENTIAL */
+                itemlist[0].buflen = sizeof(logvalue);
+                itemlist[0].bufaddr = logvalue;
+                itemlist[0].reslen = &reslen;
+                status = sys$trnlnm(0, &tabnam, &lognam, 0, itemlist);
+                if (!(status & 1))
+                        return NULL;
+                logvalue[reslen] = '\0';
+
+                /* Get the numerical value of the equivalence string */
+                status = atoi(logvalue);
+
+                /* and use it to move time to GMT */
+                t = *timer - status;
+
+                /* then convert the result to the time structure */
+#ifndef OPENSSL_THREADS
+                ts=(struct tm *)localtime(&t);
+#else
+                /* Since there was no gmtime_r() to do this stuff for us,
+                   we have to do it the hard way. */
+                {
+                /* The VMS epoch is the astronomical Smithsonian date,
+                   if I remember correctly, which is November 17, 1858.
+                   Furthermore, time is measure in thenths of microseconds
+                   and stored in quadwords (64 bit integers).  unix_epoch
+                   below is January 1st 1970 expressed as a VMS time.  The
+                   following code was used to get this number:
+
+                   #include <stdio.h>
+                   #include <stdlib.h>
+                   #include <lib$routines.h>
+                   #include <starlet.h>
+
+                   main()
+                   {
+                     unsigned long systime[2];
+                     unsigned short epoch_values[7] =
+                       { 1970, 1, 1, 0, 0, 0, 0 };
+
+                     lib$cvt_vectim(epoch_values, systime);
+
+                     printf("%u %u", systime[0], systime[1]);
+                   }
+                */
+                unsigned long unix_epoch[2] = { 1273708544, 8164711 };
+                unsigned long deltatime[2];
+                unsigned long systime[2];
+                struct vms_vectime
+                        {
+                        short year, month, day, hour, minute, second,
+                                centi_second;
+                        } time_values;
+                long operation;
+
+                /* Turn the number of seconds since January 1st 1970 to
+                   an internal delta time.
+                   Note that lib$cvt_to_internal_time() will assume
+                   that t is signed, and will therefore break on 32-bit
+                   systems some time in 2038.
+                */
+                operation = LIB$K_DELTA_SECONDS;
+                status = lib$cvt_to_internal_time(&operation,
+                        &t, deltatime);
+
+                /* Add the delta time with the Unix epoch and we have
+                   the current UTC time in internal format */
+                status = lib$add_times(unix_epoch, deltatime, systime);
+
+                /* Turn the internal time into a time vector */
+                status = sys$numtim(&time_values, systime);
+
+                /* Fill in the struct tm with the result */
+                result->tm_sec = time_values.second;
+                result->tm_min = time_values.minute;
+                result->tm_hour = time_values.hour;
+                result->tm_mday = time_values.day;
+                result->tm_mon = time_values.month - 1;
+                result->tm_year = time_values.year - 1900;
+
+                operation = LIB$K_DAY_OF_WEEK;
+                status = lib$cvt_from_internal_time(&operation,
+                        &result->tm_wday, systime);
+                result->tm_wday %= 7;
+
+                operation = LIB$K_DAY_OF_YEAR;
+                status = lib$cvt_from_internal_time(&operation,
+                        &result->tm_yday, systime);
+                result->tm_yday--;
+
+                result->tm_isdst = 0; /* There's no way to know... */
+
+                ts = result;
+#endif
+                }
+                }
+#endif
+        return ts;
+        }       
diff --git a/src/lib/libssl/src/crypto/o_time.h b/src/lib/libssl/src/crypto/o_time.h
new file mode 100644
index 0000000000..e66044626d
--- /dev/null
+++ b/src/lib/libssl/src/crypto/o_time.h
@@ -0,0 +1,66 @@
+/* crypto/o_time.h -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_O_TIME_H
+#define HEADER_O_TIME_H
+
+#include <time.h>
+
+struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result);
+
+#endif
diff --git a/src/lib/libssl/src/crypto/objects/o_names.c b/src/lib/libssl/src/crypto/objects/o_names.c
new file mode 100644
index 0000000000..4da5e45b9c
--- /dev/null
+++ b/src/lib/libssl/src/crypto/objects/o_names.c
@@ -0,0 +1,243 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/lhash.h>
+#include <openssl/objects.h>
+
+/* I use the ex_data stuff to manage the identifiers for the obj_name_types
+ * that applications may define.  I only really use the free function field.
+ */
+static LHASH *names_lh=NULL;
+static int names_type_num=OBJ_NAME_TYPE_NUM;
+static STACK *names_cmp=NULL;
+static STACK *names_hash=NULL;
+static STACK *names_free=NULL;
+
+static unsigned long obj_name_hash(OBJ_NAME *a);
+static int obj_name_cmp(OBJ_NAME *a,OBJ_NAME *b);
+
+int OBJ_NAME_init(void)
+        {
+        if (names_lh != NULL) return(1);
+        MemCheck_off();
+        names_lh=lh_new(obj_name_hash,obj_name_cmp);
+        MemCheck_on();
+        return(names_lh != NULL);
+        }
+
+int OBJ_NAME_new_index(unsigned long (*hash_func)(), int (*cmp_func)(),
+             void (*free_func)())
+        {
+        int ret;
+        int i;
+
+        if (names_free == NULL)
+                {
+                MemCheck_off();
+                names_hash=sk_new_null();
+                names_cmp=sk_new_null();
+                names_free=sk_new_null();
+                MemCheck_on();
+                }
+        if ((names_free == NULL) || (names_hash == NULL) || (names_cmp == NULL))
+                {
+                /* ERROR */
+                return(0);
+                }
+        ret=names_type_num;
+        names_type_num++;
+        for (i=sk_num(names_free); i<names_type_num; i++)
+                {
+                MemCheck_off();
+                sk_push(names_hash,(char *)strcmp);
+                sk_push(names_cmp,(char *)lh_strhash);
+                sk_push(names_free,NULL);
+                MemCheck_on();
+                }
+        if (hash_func != NULL)
+                sk_set(names_hash,ret,(char *)hash_func);
+        if (cmp_func != NULL)
+                sk_set(names_cmp,ret,(char *)cmp_func);
+        if (free_func != NULL)
+                sk_set(names_free,ret,(char *)free_func);
+        return(ret);
+        }
+
+static int obj_name_cmp(OBJ_NAME *a, OBJ_NAME *b)
+        {
+        int ret;
+        int (*cmp)();
+
+        ret=a->type-b->type;
+        if (ret == 0)
+                {
+                if ((names_cmp != NULL) && (sk_num(names_cmp) > a->type))
+                        {
+                        cmp=(int (*)())sk_value(names_cmp,a->type);
+                        ret=cmp(a->name,b->name);
+                        }
+                else
+                        ret=strcmp(a->name,b->name);
+                }
+        return(ret);
+        }
+
+static unsigned long obj_name_hash(OBJ_NAME *a)
+        {
+        unsigned long ret;
+        unsigned long (*hash)();
+
+        if ((names_hash != NULL) && (sk_num(names_hash) > a->type))
+                {
+                hash=(unsigned long (*)())sk_value(names_hash,a->type);
+                ret=hash(a->name);
+                }
+        else
+                {
+                ret=lh_strhash(a->name);
+                }
+        ret^=a->type;
+        return(ret);
+        }
+
+const char *OBJ_NAME_get(const char *name, int type)
+        {
+        OBJ_NAME on,*ret;
+        int num=0,alias;
+
+        if (name == NULL) return(NULL);
+        if ((names_lh == NULL) && !OBJ_NAME_init()) return(NULL);
+
+        alias=type&OBJ_NAME_ALIAS;
+        type&= ~OBJ_NAME_ALIAS;
+
+        on.name=name;
+        on.type=type;
+
+        for (;;)
+                {
+                ret=(OBJ_NAME *)lh_retrieve(names_lh,(char *)&on);
+                if (ret == NULL) return(NULL);
+                if ((ret->alias) && !alias)
+                        {
+                        if (++num > 10) return(NULL);
+                        on.name=ret->data;
+                        }
+                else
+                        {
+                        return(ret->data);
+                        }
+                }
+        }
+
+int OBJ_NAME_add(const char *name, int type, const char *data)
+        {
+        void (*f)();
+        OBJ_NAME *onp,*ret;
+        int alias;
+
+        if ((names_lh == NULL) && !OBJ_NAME_init()) return(0);
+
+        alias=type&OBJ_NAME_ALIAS;
+        type&= ~OBJ_NAME_ALIAS;
+
+        onp=(OBJ_NAME *)Malloc(sizeof(OBJ_NAME));
+        if (onp == NULL)
+                {
+                /* ERROR */
+                return(0);
+                }
+
+        onp->name=name;
+        onp->alias=alias;
+        onp->type=type;
+        onp->data=data;
+
+        ret=(OBJ_NAME *)lh_insert(names_lh,(char *)onp);
+        if (ret != NULL)
+                {
+                /* free things */
+                if ((names_free != NULL) && (sk_num(names_free) > ret->type))
+                        {
+                        f=(void (*)())sk_value(names_free,ret->type);
+                        f(ret->name,ret->type,ret->data);
+                        }
+                Free((char *)ret);
+                }
+        else
+                {
+                if (lh_error(names_lh))
+                        {
+                        /* ERROR */
+                        return(0);
+                        }
+                }
+        return(1);
+        }
+
+int OBJ_NAME_remove(const char *name, int type)
+        {
+        OBJ_NAME on,*ret;
+        void (*f)();
+
+        if (names_lh == NULL) return(0);
+
+        type&= ~OBJ_NAME_ALIAS;
+        on.name=name;
+        on.type=type;
+        ret=(OBJ_NAME *)lh_delete(names_lh,(char *)&on);
+        if (ret != NULL)
+                {
+                /* free things */
+                if ((names_free != NULL) && (sk_num(names_free) > type))
+                        {
+                        f=(void (*)())sk_value(names_free,type);
+                        f(ret->name,ret->type,ret->data);
+                        }
+                Free((char *)ret);
+                return(1);
+                }
+        else
+                return(0);
+        }
+
+static int free_type;
+
+static void names_lh_free(OBJ_NAME *onp, int type)
+{
+        if(onp == NULL)
+            return;
+
+        if ((free_type < 0) || (free_type == onp->type))
+                {
+                OBJ_NAME_remove(onp->name,onp->type);
+                }
+        }
+
+void OBJ_NAME_cleanup(int type)
+        {
+        unsigned long down_load;
+
+        if (names_lh == NULL) return;
+
+        free_type=type;
+        down_load=names_lh->down_load;
+        names_lh->down_load=0;
+
+        lh_doall(names_lh,names_lh_free);
+        if (type < 0)
+                {
+                lh_free(names_lh);
+                sk_free(names_hash);
+                sk_free(names_cmp);
+                sk_free(names_free);
+                names_lh=NULL;
+                names_hash=NULL;
+                names_cmp=NULL;
+                names_free=NULL;
+                }
+        else
+                names_lh->down_load=down_load;
+        }
+
diff --git a/src/lib/libssl/src/crypto/objects/obj_mac.h b/src/lib/libssl/src/crypto/objects/obj_mac.h
new file mode 100644
index 0000000000..401b1e5a1b
--- /dev/null
+++ b/src/lib/libssl/src/crypto/objects/obj_mac.h
@@ -0,0 +1,1798 @@
+/* lib/obj/obj_mac.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* THIS FILE IS GENERATED FROM objects.txt by objects.pl via the
+ * following command:
+ * perl objects.pl objects.txt obj_mac.num obj_mac.h
+ */
+
+#define SN_undef                        "UNDEF"
+#define LN_undef                        "undefined"
+#define NID_undef                       0
+#define OBJ_undef                       0L
+
+#define SN_iso          "ISO"
+#define LN_iso          "iso"
+#define NID_iso         181
+#define OBJ_iso         1L
+
+#define SN_member_body          "member-body"
+#define LN_member_body          "ISO Member Body"
+#define NID_member_body         182
+#define OBJ_member_body         OBJ_iso,2L
+
+#define SN_ISO_US               "ISO-US"
+#define LN_ISO_US               "ISO US Member Body"
+#define NID_ISO_US              183
+#define OBJ_ISO_US              OBJ_member_body,840L
+
+#define SN_X9_57                "X9-57"
+#define LN_X9_57                "X9.57"
+#define NID_X9_57               184
+#define OBJ_X9_57               OBJ_ISO_US,10040L
+
+#define SN_X9cm         "X9cm"
+#define LN_X9cm         "X9.57 CM ?"
+#define NID_X9cm                185
+#define OBJ_X9cm                OBJ_X9_57,4L
+
+#define SN_dsa          "DSA"
+#define LN_dsa          "dsaEncryption"
+#define NID_dsa         116
+#define OBJ_dsa         OBJ_X9cm,1L
+
+#define SN_dsaWithSHA1          "DSA-SHA1"
+#define LN_dsaWithSHA1          "dsaWithSHA1"
+#define NID_dsaWithSHA1         113
+#define OBJ_dsaWithSHA1         OBJ_X9cm,3L
+
+#define SN_cast5_cbc            "CAST5-CBC"
+#define LN_cast5_cbc            "cast5-cbc"
+#define NID_cast5_cbc           108
+#define OBJ_cast5_cbc           OBJ_ISO_US,113533L,7L,66L,10L
+
+#define SN_cast5_ecb            "CAST5-ECB"
+#define LN_cast5_ecb            "cast5-ecb"
+#define NID_cast5_ecb           109
+
+#define SN_cast5_cfb64          "CAST5-CFB"
+#define LN_cast5_cfb64          "cast5-cfb"
+#define NID_cast5_cfb64         110
+
+#define SN_cast5_ofb64          "CAST5-OFB"
+#define LN_cast5_ofb64          "cast5-ofb"
+#define NID_cast5_ofb64         111
+
+#define LN_pbeWithMD5AndCast5_CBC               "pbeWithMD5AndCast5CBC"
+#define NID_pbeWithMD5AndCast5_CBC              112
+#define OBJ_pbeWithMD5AndCast5_CBC              OBJ_ISO_US,113533L,7L,66L,12L
+
+#define SN_rsadsi               "rsadsi"
+#define LN_rsadsi               "RSA Data Security, Inc."
+#define NID_rsadsi              1
+#define OBJ_rsadsi              OBJ_ISO_US,113549L
+
+#define SN_pkcs         "pkcs"
+#define LN_pkcs         "RSA Data Security, Inc. PKCS"
+#define NID_pkcs                2
+#define OBJ_pkcs                OBJ_rsadsi,1L
+
+#define SN_pkcs1                "pkcs1"
+#define NID_pkcs1               186
+#define OBJ_pkcs1               OBJ_pkcs,1L
+
+#define LN_rsaEncryption                "rsaEncryption"
+#define NID_rsaEncryption               6
+#define OBJ_rsaEncryption               OBJ_pkcs1,1L
+
+#define SN_md2WithRSAEncryption         "RSA-MD2"
+#define LN_md2WithRSAEncryption         "md2WithRSAEncryption"
+#define NID_md2WithRSAEncryption                7
+#define OBJ_md2WithRSAEncryption                OBJ_pkcs1,2L
+
+#define SN_md5WithRSAEncryption         "RSA-MD5"
+#define LN_md5WithRSAEncryption         "md5WithRSAEncryption"
+#define NID_md5WithRSAEncryption                8
+#define OBJ_md5WithRSAEncryption                OBJ_pkcs1,4L
+
+#define SN_sha1WithRSAEncryption                "RSA-SHA1"
+#define LN_sha1WithRSAEncryption                "sha1WithRSAEncryption"
+#define NID_sha1WithRSAEncryption               65
+#define OBJ_sha1WithRSAEncryption               OBJ_pkcs1,5L
+
+#define SN_pkcs3                "pkcs3"
+#define NID_pkcs3               27
+#define OBJ_pkcs3               OBJ_pkcs,3L
+
+#define LN_dhKeyAgreement               "dhKeyAgreement"
+#define NID_dhKeyAgreement              28
+#define OBJ_dhKeyAgreement              OBJ_pkcs3,1L
+
+#define SN_pkcs5                "pkcs5"
+#define NID_pkcs5               187
+#define OBJ_pkcs5               OBJ_pkcs,5L
+
+#define SN_pbeWithMD2AndDES_CBC         "PBE-MD2-DES"
+#define LN_pbeWithMD2AndDES_CBC         "pbeWithMD2AndDES-CBC"
+#define NID_pbeWithMD2AndDES_CBC                9
+#define OBJ_pbeWithMD2AndDES_CBC                OBJ_pkcs5,1L
+
+#define SN_pbeWithMD5AndDES_CBC         "PBE-MD5-DES"
+#define LN_pbeWithMD5AndDES_CBC         "pbeWithMD5AndDES-CBC"
+#define NID_pbeWithMD5AndDES_CBC                10
+#define OBJ_pbeWithMD5AndDES_CBC                OBJ_pkcs5,3L
+
+#define SN_pbeWithMD2AndRC2_CBC         "PBE-MD2-RC2-64"
+#define LN_pbeWithMD2AndRC2_CBC         "pbeWithMD2AndRC2-CBC"
+#define NID_pbeWithMD2AndRC2_CBC                168
+#define OBJ_pbeWithMD2AndRC2_CBC                OBJ_pkcs5,4L
+
+#define SN_pbeWithMD5AndRC2_CBC         "PBE-MD5-RC2-64"
+#define LN_pbeWithMD5AndRC2_CBC         "pbeWithMD5AndRC2-CBC"
+#define NID_pbeWithMD5AndRC2_CBC                169
+#define OBJ_pbeWithMD5AndRC2_CBC                OBJ_pkcs5,6L
+
+#define SN_pbeWithSHA1AndDES_CBC                "PBE-SHA1-DES"
+#define LN_pbeWithSHA1AndDES_CBC                "pbeWithSHA1AndDES-CBC"
+#define NID_pbeWithSHA1AndDES_CBC               170
+#define OBJ_pbeWithSHA1AndDES_CBC               OBJ_pkcs5,10L
+
+#define SN_pbeWithSHA1AndRC2_CBC                "PBE-SHA1-RC2-64"
+#define LN_pbeWithSHA1AndRC2_CBC                "pbeWithSHA1AndRC2-CBC"
+#define NID_pbeWithSHA1AndRC2_CBC               68
+#define OBJ_pbeWithSHA1AndRC2_CBC               OBJ_pkcs5,11L
+
+#define LN_id_pbkdf2            "PBKDF2"
+#define NID_id_pbkdf2           69
+#define OBJ_id_pbkdf2           OBJ_pkcs5,12L
+
+#define LN_pbes2                "PBES2"
+#define NID_pbes2               161
+#define OBJ_pbes2               OBJ_pkcs5,13L
+
+#define LN_pbmac1               "PBMAC1"
+#define NID_pbmac1              162
+#define OBJ_pbmac1              OBJ_pkcs5,14L
+
+#define SN_pkcs7                "pkcs7"
+#define NID_pkcs7               20
+#define OBJ_pkcs7               OBJ_pkcs,7L
+
+#define LN_pkcs7_data           "pkcs7-data"
+#define NID_pkcs7_data          21
+#define OBJ_pkcs7_data          OBJ_pkcs7,1L
+
+#define LN_pkcs7_signed         "pkcs7-signedData"
+#define NID_pkcs7_signed                22
+#define OBJ_pkcs7_signed                OBJ_pkcs7,2L
+
+#define LN_pkcs7_enveloped              "pkcs7-envelopedData"
+#define NID_pkcs7_enveloped             23
+#define OBJ_pkcs7_enveloped             OBJ_pkcs7,3L
+
+#define LN_pkcs7_signedAndEnveloped             "pkcs7-signedAndEnvelopedData"
+#define NID_pkcs7_signedAndEnveloped            24
+#define OBJ_pkcs7_signedAndEnveloped            OBJ_pkcs7,4L
+
+#define LN_pkcs7_digest         "pkcs7-digestData"
+#define NID_pkcs7_digest                25
+#define OBJ_pkcs7_digest                OBJ_pkcs7,5L
+
+#define LN_pkcs7_encrypted              "pkcs7-encryptedData"
+#define NID_pkcs7_encrypted             26
+#define OBJ_pkcs7_encrypted             OBJ_pkcs7,6L
+
+#define SN_pkcs9                "pkcs9"
+#define NID_pkcs9               47
+#define OBJ_pkcs9               OBJ_pkcs,9L
+
+#define SN_pkcs9_emailAddress           "Email"
+#define LN_pkcs9_emailAddress           "emailAddress"
+#define NID_pkcs9_emailAddress          48
+#define OBJ_pkcs9_emailAddress          OBJ_pkcs9,1L
+
+#define LN_pkcs9_unstructuredName               "unstructuredName"
+#define NID_pkcs9_unstructuredName              49
+#define OBJ_pkcs9_unstructuredName              OBJ_pkcs9,2L
+
+#define LN_pkcs9_contentType            "contentType"
+#define NID_pkcs9_contentType           50
+#define OBJ_pkcs9_contentType           OBJ_pkcs9,3L
+
+#define LN_pkcs9_messageDigest          "messageDigest"
+#define NID_pkcs9_messageDigest         51
+#define OBJ_pkcs9_messageDigest         OBJ_pkcs9,4L
+
+#define LN_pkcs9_signingTime            "signingTime"
+#define NID_pkcs9_signingTime           52
+#define OBJ_pkcs9_signingTime           OBJ_pkcs9,5L
+
+#define LN_pkcs9_countersignature               "countersignature"
+#define NID_pkcs9_countersignature              53
+#define OBJ_pkcs9_countersignature              OBJ_pkcs9,6L
+
+#define LN_pkcs9_challengePassword              "challengePassword"
+#define NID_pkcs9_challengePassword             54
+#define OBJ_pkcs9_challengePassword             OBJ_pkcs9,7L
+
+#define LN_pkcs9_unstructuredAddress            "unstructuredAddress"
+#define NID_pkcs9_unstructuredAddress           55
+#define OBJ_pkcs9_unstructuredAddress           OBJ_pkcs9,8L
+
+#define LN_pkcs9_extCertAttributes              "extendedCertificateAttributes"
+#define NID_pkcs9_extCertAttributes             56
+#define OBJ_pkcs9_extCertAttributes             OBJ_pkcs9,9L
+
+#define SN_ext_req              "extReq"
+#define LN_ext_req              "Extension Request"
+#define NID_ext_req             172
+#define OBJ_ext_req             OBJ_pkcs9,14L
+
+#define SN_SMIMECapabilities            "SMIME-CAPS"
+#define LN_SMIMECapabilities            "S/MIME Capabilities"
+#define NID_SMIMECapabilities           167
+#define OBJ_SMIMECapabilities           OBJ_pkcs9,15L
+
+#define SN_SMIME                "SMIME"
+#define LN_SMIME                "S/MIME"
+#define NID_SMIME               188
+#define OBJ_SMIME               OBJ_pkcs9,16L
+
+#define SN_id_smime_mod         "id-smime-mod"
+#define NID_id_smime_mod                189
+#define OBJ_id_smime_mod                OBJ_SMIME,0L
+
+#define SN_id_smime_ct          "id-smime-ct"
+#define NID_id_smime_ct         190
+#define OBJ_id_smime_ct         OBJ_SMIME,1L
+
+#define SN_id_smime_aa          "id-smime-aa"
+#define NID_id_smime_aa         191
+#define OBJ_id_smime_aa         OBJ_SMIME,2L
+
+#define SN_id_smime_alg         "id-smime-alg"
+#define NID_id_smime_alg                192
+#define OBJ_id_smime_alg                OBJ_SMIME,3L
+
+#define SN_id_smime_cd          "id-smime-cd"
+#define NID_id_smime_cd         193
+#define OBJ_id_smime_cd         OBJ_SMIME,4L
+
+#define SN_id_smime_spq         "id-smime-spq"
+#define NID_id_smime_spq                194
+#define OBJ_id_smime_spq                OBJ_SMIME,5L
+
+#define SN_id_smime_cti         "id-smime-cti"
+#define NID_id_smime_cti                195
+#define OBJ_id_smime_cti                OBJ_SMIME,6L
+
+#define SN_id_smime_mod_cms             "id-smime-mod-cms"
+#define NID_id_smime_mod_cms            196
+#define OBJ_id_smime_mod_cms            OBJ_id_smime_mod,1L
+
+#define SN_id_smime_mod_ess             "id-smime-mod-ess"
+#define NID_id_smime_mod_ess            197
+#define OBJ_id_smime_mod_ess            OBJ_id_smime_mod,2L
+
+#define SN_id_smime_mod_oid             "id-smime-mod-oid"
+#define NID_id_smime_mod_oid            198
+#define OBJ_id_smime_mod_oid            OBJ_id_smime_mod,3L
+
+#define SN_id_smime_mod_msg_v3          "id-smime-mod-msg-v3"
+#define NID_id_smime_mod_msg_v3         199
+#define OBJ_id_smime_mod_msg_v3         OBJ_id_smime_mod,4L
+
+#define SN_id_smime_mod_ets_eSignature_88               "id-smime-mod-ets-eSignature-88"
+#define NID_id_smime_mod_ets_eSignature_88              200
+#define OBJ_id_smime_mod_ets_eSignature_88              OBJ_id_smime_mod,5L
+
+#define SN_id_smime_mod_ets_eSignature_97               "id-smime-mod-ets-eSignature-97"
+#define NID_id_smime_mod_ets_eSignature_97              201
+#define OBJ_id_smime_mod_ets_eSignature_97              OBJ_id_smime_mod,6L
+
+#define SN_id_smime_mod_ets_eSigPolicy_88               "id-smime-mod-ets-eSigPolicy-88"
+#define NID_id_smime_mod_ets_eSigPolicy_88              202
+#define OBJ_id_smime_mod_ets_eSigPolicy_88              OBJ_id_smime_mod,7L
+
+#define SN_id_smime_mod_ets_eSigPolicy_97               "id-smime-mod-ets-eSigPolicy-97"
+#define NID_id_smime_mod_ets_eSigPolicy_97              203
+#define OBJ_id_smime_mod_ets_eSigPolicy_97              OBJ_id_smime_mod,8L
+
+#define SN_id_smime_ct_receipt          "id-smime-ct-receipt"
+#define NID_id_smime_ct_receipt         204
+#define OBJ_id_smime_ct_receipt         OBJ_id_smime_ct,1L
+
+#define SN_id_smime_ct_authData         "id-smime-ct-authData"
+#define NID_id_smime_ct_authData                205
+#define OBJ_id_smime_ct_authData                OBJ_id_smime_ct,2L
+
+#define SN_id_smime_ct_publishCert              "id-smime-ct-publishCert"
+#define NID_id_smime_ct_publishCert             206
+#define OBJ_id_smime_ct_publishCert             OBJ_id_smime_ct,3L
+
+#define SN_id_smime_ct_TSTInfo          "id-smime-ct-TSTInfo"
+#define NID_id_smime_ct_TSTInfo         207
+#define OBJ_id_smime_ct_TSTInfo         OBJ_id_smime_ct,4L
+
+#define SN_id_smime_ct_TDTInfo          "id-smime-ct-TDTInfo"
+#define NID_id_smime_ct_TDTInfo         208
+#define OBJ_id_smime_ct_TDTInfo         OBJ_id_smime_ct,5L
+
+#define SN_id_smime_ct_contentInfo              "id-smime-ct-contentInfo"
+#define NID_id_smime_ct_contentInfo             209
+#define OBJ_id_smime_ct_contentInfo             OBJ_id_smime_ct,6L
+
+#define SN_id_smime_ct_DVCSRequestData          "id-smime-ct-DVCSRequestData"
+#define NID_id_smime_ct_DVCSRequestData         210
+#define OBJ_id_smime_ct_DVCSRequestData         OBJ_id_smime_ct,7L
+
+#define SN_id_smime_ct_DVCSResponseData         "id-smime-ct-DVCSResponseData"
+#define NID_id_smime_ct_DVCSResponseData                211
+#define OBJ_id_smime_ct_DVCSResponseData                OBJ_id_smime_ct,8L
+
+#define SN_id_smime_aa_receiptRequest           "id-smime-aa-receiptRequest"
+#define NID_id_smime_aa_receiptRequest          212
+#define OBJ_id_smime_aa_receiptRequest          OBJ_id_smime_aa,1L
+
+#define SN_id_smime_aa_securityLabel            "id-smime-aa-securityLabel"
+#define NID_id_smime_aa_securityLabel           213
+#define OBJ_id_smime_aa_securityLabel           OBJ_id_smime_aa,2L
+
+#define SN_id_smime_aa_mlExpandHistory          "id-smime-aa-mlExpandHistory"
+#define NID_id_smime_aa_mlExpandHistory         214
+#define OBJ_id_smime_aa_mlExpandHistory         OBJ_id_smime_aa,3L
+
+#define SN_id_smime_aa_contentHint              "id-smime-aa-contentHint"
+#define NID_id_smime_aa_contentHint             215
+#define OBJ_id_smime_aa_contentHint             OBJ_id_smime_aa,4L
+
+#define SN_id_smime_aa_msgSigDigest             "id-smime-aa-msgSigDigest"
+#define NID_id_smime_aa_msgSigDigest            216
+#define OBJ_id_smime_aa_msgSigDigest            OBJ_id_smime_aa,5L
+
+#define SN_id_smime_aa_encapContentType         "id-smime-aa-encapContentType"
+#define NID_id_smime_aa_encapContentType                217
+#define OBJ_id_smime_aa_encapContentType                OBJ_id_smime_aa,6L
+
+#define SN_id_smime_aa_contentIdentifier                "id-smime-aa-contentIdentifier"
+#define NID_id_smime_aa_contentIdentifier               218
+#define OBJ_id_smime_aa_contentIdentifier               OBJ_id_smime_aa,7L
+
+#define SN_id_smime_aa_macValue         "id-smime-aa-macValue"
+#define NID_id_smime_aa_macValue                219
+#define OBJ_id_smime_aa_macValue                OBJ_id_smime_aa,8L
+
+#define SN_id_smime_aa_equivalentLabels         "id-smime-aa-equivalentLabels"
+#define NID_id_smime_aa_equivalentLabels                220
+#define OBJ_id_smime_aa_equivalentLabels                OBJ_id_smime_aa,9L
+
+#define SN_id_smime_aa_contentReference         "id-smime-aa-contentReference"
+#define NID_id_smime_aa_contentReference                221
+#define OBJ_id_smime_aa_contentReference                OBJ_id_smime_aa,10L
+
+#define SN_id_smime_aa_encrypKeyPref            "id-smime-aa-encrypKeyPref"
+#define NID_id_smime_aa_encrypKeyPref           222
+#define OBJ_id_smime_aa_encrypKeyPref           OBJ_id_smime_aa,11L
+
+#define SN_id_smime_aa_signingCertificate               "id-smime-aa-signingCertificate"
+#define NID_id_smime_aa_signingCertificate              223
+#define OBJ_id_smime_aa_signingCertificate              OBJ_id_smime_aa,12L
+
+#define SN_id_smime_aa_smimeEncryptCerts                "id-smime-aa-smimeEncryptCerts"
+#define NID_id_smime_aa_smimeEncryptCerts               224
+#define OBJ_id_smime_aa_smimeEncryptCerts               OBJ_id_smime_aa,13L
+
+#define SN_id_smime_aa_timeStampToken           "id-smime-aa-timeStampToken"
+#define NID_id_smime_aa_timeStampToken          225
+#define OBJ_id_smime_aa_timeStampToken          OBJ_id_smime_aa,14L
+
+#define SN_id_smime_aa_ets_sigPolicyId          "id-smime-aa-ets-sigPolicyId"
+#define NID_id_smime_aa_ets_sigPolicyId         226
+#define OBJ_id_smime_aa_ets_sigPolicyId         OBJ_id_smime_aa,15L
+
+#define SN_id_smime_aa_ets_commitmentType               "id-smime-aa-ets-commitmentType"
+#define NID_id_smime_aa_ets_commitmentType              227
+#define OBJ_id_smime_aa_ets_commitmentType              OBJ_id_smime_aa,16L
+
+#define SN_id_smime_aa_ets_signerLocation               "id-smime-aa-ets-signerLocation"
+#define NID_id_smime_aa_ets_signerLocation              228
+#define OBJ_id_smime_aa_ets_signerLocation              OBJ_id_smime_aa,17L
+
+#define SN_id_smime_aa_ets_signerAttr           "id-smime-aa-ets-signerAttr"
+#define NID_id_smime_aa_ets_signerAttr          229
+#define OBJ_id_smime_aa_ets_signerAttr          OBJ_id_smime_aa,18L
+
+#define SN_id_smime_aa_ets_otherSigCert         "id-smime-aa-ets-otherSigCert"
+#define NID_id_smime_aa_ets_otherSigCert                230
+#define OBJ_id_smime_aa_ets_otherSigCert                OBJ_id_smime_aa,19L
+
+#define SN_id_smime_aa_ets_contentTimestamp             "id-smime-aa-ets-contentTimestamp"
+#define NID_id_smime_aa_ets_contentTimestamp            231
+#define OBJ_id_smime_aa_ets_contentTimestamp            OBJ_id_smime_aa,20L
+
+#define SN_id_smime_aa_ets_CertificateRefs              "id-smime-aa-ets-CertificateRefs"
+#define NID_id_smime_aa_ets_CertificateRefs             232
+#define OBJ_id_smime_aa_ets_CertificateRefs             OBJ_id_smime_aa,21L
+
+#define SN_id_smime_aa_ets_RevocationRefs               "id-smime-aa-ets-RevocationRefs"
+#define NID_id_smime_aa_ets_RevocationRefs              233
+#define OBJ_id_smime_aa_ets_RevocationRefs              OBJ_id_smime_aa,22L
+
+#define SN_id_smime_aa_ets_certValues           "id-smime-aa-ets-certValues"
+#define NID_id_smime_aa_ets_certValues          234
+#define OBJ_id_smime_aa_ets_certValues          OBJ_id_smime_aa,23L
+
+#define SN_id_smime_aa_ets_revocationValues             "id-smime-aa-ets-revocationValues"
+#define NID_id_smime_aa_ets_revocationValues            235
+#define OBJ_id_smime_aa_ets_revocationValues            OBJ_id_smime_aa,24L
+
+#define SN_id_smime_aa_ets_escTimeStamp         "id-smime-aa-ets-escTimeStamp"
+#define NID_id_smime_aa_ets_escTimeStamp                236
+#define OBJ_id_smime_aa_ets_escTimeStamp                OBJ_id_smime_aa,25L
+
+#define SN_id_smime_aa_ets_certCRLTimestamp             "id-smime-aa-ets-certCRLTimestamp"
+#define NID_id_smime_aa_ets_certCRLTimestamp            237
+#define OBJ_id_smime_aa_ets_certCRLTimestamp            OBJ_id_smime_aa,26L
+
+#define SN_id_smime_aa_ets_archiveTimeStamp             "id-smime-aa-ets-archiveTimeStamp"
+#define NID_id_smime_aa_ets_archiveTimeStamp            238
+#define OBJ_id_smime_aa_ets_archiveTimeStamp            OBJ_id_smime_aa,27L
+
+#define SN_id_smime_aa_signatureType            "id-smime-aa-signatureType"
+#define NID_id_smime_aa_signatureType           239
+#define OBJ_id_smime_aa_signatureType           OBJ_id_smime_aa,28L
+
+#define SN_id_smime_aa_dvcs_dvc         "id-smime-aa-dvcs-dvc"
+#define NID_id_smime_aa_dvcs_dvc                240
+#define OBJ_id_smime_aa_dvcs_dvc                OBJ_id_smime_aa,29L
+
+#define SN_id_smime_alg_ESDHwith3DES            "id-smime-alg-ESDHwith3DES"
+#define NID_id_smime_alg_ESDHwith3DES           241
+#define OBJ_id_smime_alg_ESDHwith3DES           OBJ_id_smime_alg,1L
+
+#define SN_id_smime_alg_ESDHwithRC2             "id-smime-alg-ESDHwithRC2"
+#define NID_id_smime_alg_ESDHwithRC2            242
+#define OBJ_id_smime_alg_ESDHwithRC2            OBJ_id_smime_alg,2L
+
+#define SN_id_smime_alg_3DESwrap                "id-smime-alg-3DESwrap"
+#define NID_id_smime_alg_3DESwrap               243
+#define OBJ_id_smime_alg_3DESwrap               OBJ_id_smime_alg,3L
+
+#define SN_id_smime_alg_RC2wrap         "id-smime-alg-RC2wrap"
+#define NID_id_smime_alg_RC2wrap                244
+#define OBJ_id_smime_alg_RC2wrap                OBJ_id_smime_alg,4L
+
+#define SN_id_smime_alg_ESDH            "id-smime-alg-ESDH"
+#define NID_id_smime_alg_ESDH           245
+#define OBJ_id_smime_alg_ESDH           OBJ_id_smime_alg,5L
+
+#define SN_id_smime_alg_CMS3DESwrap             "id-smime-alg-CMS3DESwrap"
+#define NID_id_smime_alg_CMS3DESwrap            246
+#define OBJ_id_smime_alg_CMS3DESwrap            OBJ_id_smime_alg,6L
+
+#define SN_id_smime_alg_CMSRC2wrap              "id-smime-alg-CMSRC2wrap"
+#define NID_id_smime_alg_CMSRC2wrap             247
+#define OBJ_id_smime_alg_CMSRC2wrap             OBJ_id_smime_alg,7L
+
+#define SN_id_smime_cd_ldap             "id-smime-cd-ldap"
+#define NID_id_smime_cd_ldap            248
+#define OBJ_id_smime_cd_ldap            OBJ_id_smime_cd,1L
+
+#define SN_id_smime_spq_ets_sqt_uri             "id-smime-spq-ets-sqt-uri"
+#define NID_id_smime_spq_ets_sqt_uri            249
+#define OBJ_id_smime_spq_ets_sqt_uri            OBJ_id_smime_spq,1L
+
+#define SN_id_smime_spq_ets_sqt_unotice         "id-smime-spq-ets-sqt-unotice"
+#define NID_id_smime_spq_ets_sqt_unotice                250
+#define OBJ_id_smime_spq_ets_sqt_unotice                OBJ_id_smime_spq,2L
+
+#define SN_id_smime_cti_ets_proofOfOrigin               "id-smime-cti-ets-proofOfOrigin"
+#define NID_id_smime_cti_ets_proofOfOrigin              251
+#define OBJ_id_smime_cti_ets_proofOfOrigin              OBJ_id_smime_cti,1L
+
+#define SN_id_smime_cti_ets_proofOfReceipt              "id-smime-cti-ets-proofOfReceipt"
+#define NID_id_smime_cti_ets_proofOfReceipt             252
+#define OBJ_id_smime_cti_ets_proofOfReceipt             OBJ_id_smime_cti,2L
+
+#define SN_id_smime_cti_ets_proofOfDelivery             "id-smime-cti-ets-proofOfDelivery"
+#define NID_id_smime_cti_ets_proofOfDelivery            253
+#define OBJ_id_smime_cti_ets_proofOfDelivery            OBJ_id_smime_cti,3L
+
+#define SN_id_smime_cti_ets_proofOfSender               "id-smime-cti-ets-proofOfSender"
+#define NID_id_smime_cti_ets_proofOfSender              254
+#define OBJ_id_smime_cti_ets_proofOfSender              OBJ_id_smime_cti,4L
+
+#define SN_id_smime_cti_ets_proofOfApproval             "id-smime-cti-ets-proofOfApproval"
+#define NID_id_smime_cti_ets_proofOfApproval            255
+#define OBJ_id_smime_cti_ets_proofOfApproval            OBJ_id_smime_cti,5L
+
+#define SN_id_smime_cti_ets_proofOfCreation             "id-smime-cti-ets-proofOfCreation"
+#define NID_id_smime_cti_ets_proofOfCreation            256
+#define OBJ_id_smime_cti_ets_proofOfCreation            OBJ_id_smime_cti,6L
+
+#define LN_friendlyName         "friendlyName"
+#define NID_friendlyName                156
+#define OBJ_friendlyName                OBJ_pkcs9,20L
+
+#define LN_localKeyID           "localKeyID"
+#define NID_localKeyID          157
+#define OBJ_localKeyID          OBJ_pkcs9,21L
+
+#define OBJ_certTypes           OBJ_pkcs9,22L
+
+#define LN_x509Certificate              "x509Certificate"
+#define NID_x509Certificate             158
+#define OBJ_x509Certificate             OBJ_certTypes,1L
+
+#define LN_sdsiCertificate              "sdsiCertificate"
+#define NID_sdsiCertificate             159
+#define OBJ_sdsiCertificate             OBJ_certTypes,2L
+
+#define OBJ_crlTypes            OBJ_pkcs9,23L
+
+#define LN_x509Crl              "x509Crl"
+#define NID_x509Crl             160
+#define OBJ_x509Crl             OBJ_crlTypes,1L
+
+#define OBJ_pkcs12              OBJ_pkcs,12L
+
+#define OBJ_pkcs12_pbeids               OBJ_pkcs12,1L
+
+#define SN_pbe_WithSHA1And128BitRC4             "PBE-SHA1-RC4-128"
+#define LN_pbe_WithSHA1And128BitRC4             "pbeWithSHA1And128BitRC4"
+#define NID_pbe_WithSHA1And128BitRC4            144
+#define OBJ_pbe_WithSHA1And128BitRC4            OBJ_pkcs12_pbeids,1L
+
+#define SN_pbe_WithSHA1And40BitRC4              "PBE-SHA1-RC4-40"
+#define LN_pbe_WithSHA1And40BitRC4              "pbeWithSHA1And40BitRC4"
+#define NID_pbe_WithSHA1And40BitRC4             145
+#define OBJ_pbe_WithSHA1And40BitRC4             OBJ_pkcs12_pbeids,2L
+
+#define SN_pbe_WithSHA1And3_Key_TripleDES_CBC           "PBE-SHA1-3DES"
+#define LN_pbe_WithSHA1And3_Key_TripleDES_CBC           "pbeWithSHA1And3-KeyTripleDES-CBC"
+#define NID_pbe_WithSHA1And3_Key_TripleDES_CBC          146
+#define OBJ_pbe_WithSHA1And3_Key_TripleDES_CBC          OBJ_pkcs12_pbeids,3L
+
+#define SN_pbe_WithSHA1And2_Key_TripleDES_CBC           "PBE-SHA1-2DES"
+#define LN_pbe_WithSHA1And2_Key_TripleDES_CBC           "pbeWithSHA1And2-KeyTripleDES-CBC"
+#define NID_pbe_WithSHA1And2_Key_TripleDES_CBC          147
+#define OBJ_pbe_WithSHA1And2_Key_TripleDES_CBC          OBJ_pkcs12_pbeids,4L
+
+#define SN_pbe_WithSHA1And128BitRC2_CBC         "PBE-SHA1-RC2-128"
+#define LN_pbe_WithSHA1And128BitRC2_CBC         "pbeWithSHA1And128BitRC2-CBC"
+#define NID_pbe_WithSHA1And128BitRC2_CBC                148
+#define OBJ_pbe_WithSHA1And128BitRC2_CBC                OBJ_pkcs12_pbeids,5L
+
+#define SN_pbe_WithSHA1And40BitRC2_CBC          "PBE-SHA1-RC2-40"
+#define LN_pbe_WithSHA1And40BitRC2_CBC          "pbeWithSHA1And40BitRC2-CBC"
+#define NID_pbe_WithSHA1And40BitRC2_CBC         149
+#define OBJ_pbe_WithSHA1And40BitRC2_CBC         OBJ_pkcs12_pbeids,6L
+
+#define OBJ_pkcs12_Version1             OBJ_pkcs12,10L
+
+#define OBJ_pkcs12_BagIds               OBJ_pkcs12_Version1,1L
+
+#define LN_keyBag               "keyBag"
+#define NID_keyBag              150
+#define OBJ_keyBag              OBJ_pkcs12_BagIds,1L
+
+#define LN_pkcs8ShroudedKeyBag          "pkcs8ShroudedKeyBag"
+#define NID_pkcs8ShroudedKeyBag         151
+#define OBJ_pkcs8ShroudedKeyBag         OBJ_pkcs12_BagIds,2L
+
+#define LN_certBag              "certBag"
+#define NID_certBag             152
+#define OBJ_certBag             OBJ_pkcs12_BagIds,3L
+
+#define LN_crlBag               "crlBag"
+#define NID_crlBag              153
+#define OBJ_crlBag              OBJ_pkcs12_BagIds,4L
+
+#define LN_secretBag            "secretBag"
+#define NID_secretBag           154
+#define OBJ_secretBag           OBJ_pkcs12_BagIds,5L
+
+#define LN_safeContentsBag              "safeContentsBag"
+#define NID_safeContentsBag             155
+#define OBJ_safeContentsBag             OBJ_pkcs12_BagIds,6L
+
+#define SN_md2          "MD2"
+#define LN_md2          "md2"
+#define NID_md2         3
+#define OBJ_md2         OBJ_rsadsi,2L,2L
+
+#define SN_md4          "MD4"
+#define LN_md4          "md4"
+#define NID_md4         257
+#define OBJ_md4         OBJ_rsadsi,2L,4L
+
+#define SN_md5          "MD5"
+#define LN_md5          "md5"
+#define NID_md5         4
+#define OBJ_md5         OBJ_rsadsi,2L,5L
+
+#define SN_md5_sha1             "MD5-SHA1"
+#define LN_md5_sha1             "md5-sha1"
+#define NID_md5_sha1            114
+
+#define LN_hmacWithSHA1         "hmacWithSHA1"
+#define NID_hmacWithSHA1                163
+#define OBJ_hmacWithSHA1                OBJ_rsadsi,2L,7L
+
+#define SN_rc2_cbc              "RC2-CBC"
+#define LN_rc2_cbc              "rc2-cbc"
+#define NID_rc2_cbc             37
+#define OBJ_rc2_cbc             OBJ_rsadsi,3L,2L
+
+#define SN_rc2_ecb              "RC2-ECB"
+#define LN_rc2_ecb              "rc2-ecb"
+#define NID_rc2_ecb             38
+
+#define SN_rc2_cfb64            "RC2-CFB"
+#define LN_rc2_cfb64            "rc2-cfb"
+#define NID_rc2_cfb64           39
+
+#define SN_rc2_ofb64            "RC2-OFB"
+#define LN_rc2_ofb64            "rc2-ofb"
+#define NID_rc2_ofb64           40
+
+#define SN_rc2_40_cbc           "RC2-40-CBC"
+#define LN_rc2_40_cbc           "rc2-40-cbc"
+#define NID_rc2_40_cbc          98
+
+#define SN_rc2_64_cbc           "RC2-64-CBC"
+#define LN_rc2_64_cbc           "rc2-64-cbc"
+#define NID_rc2_64_cbc          166
+
+#define SN_rc4          "RC4"
+#define LN_rc4          "rc4"
+#define NID_rc4         5
+#define OBJ_rc4         OBJ_rsadsi,3L,4L
+
+#define SN_rc4_40               "RC4-40"
+#define LN_rc4_40               "rc4-40"
+#define NID_rc4_40              97
+
+#define SN_des_ede3_cbc         "DES-EDE3-CBC"
+#define LN_des_ede3_cbc         "des-ede3-cbc"
+#define NID_des_ede3_cbc                44
+#define OBJ_des_ede3_cbc                OBJ_rsadsi,3L,7L
+
+#define SN_rc5_cbc              "RC5-CBC"
+#define LN_rc5_cbc              "rc5-cbc"
+#define NID_rc5_cbc             120
+#define OBJ_rc5_cbc             OBJ_rsadsi,3L,8L
+
+#define SN_rc5_ecb              "RC5-ECB"
+#define LN_rc5_ecb              "rc5-ecb"
+#define NID_rc5_ecb             121
+
+#define SN_rc5_cfb64            "RC5-CFB"
+#define LN_rc5_cfb64            "rc5-cfb"
+#define NID_rc5_cfb64           122
+
+#define SN_rc5_ofb64            "RC5-OFB"
+#define LN_rc5_ofb64            "rc5-ofb"
+#define NID_rc5_ofb64           123
+
+#define SN_ms_ext_req           "msExtReq"
+#define LN_ms_ext_req           "Microsoft Extension Request"
+#define NID_ms_ext_req          171
+#define OBJ_ms_ext_req          1L,3L,6L,1L,4L,1L,311L,2L,1L,14L
+
+#define SN_ms_code_ind          "msCodeInd"
+#define LN_ms_code_ind          "Microsoft Individual Code Signing"
+#define NID_ms_code_ind         134
+#define OBJ_ms_code_ind         1L,3L,6L,1L,4L,1L,311L,2L,1L,21L
+
+#define SN_ms_code_com          "msCodeCom"
+#define LN_ms_code_com          "Microsoft Commercial Code Signing"
+#define NID_ms_code_com         135
+#define OBJ_ms_code_com         1L,3L,6L,1L,4L,1L,311L,2L,1L,22L
+
+#define SN_ms_ctl_sign          "msCTLSign"
+#define LN_ms_ctl_sign          "Microsoft Trust List Signing"
+#define NID_ms_ctl_sign         136
+#define OBJ_ms_ctl_sign         1L,3L,6L,1L,4L,1L,311L,10L,3L,1L
+
+#define SN_ms_sgc               "msSGC"
+#define LN_ms_sgc               "Microsoft Server Gated Crypto"
+#define NID_ms_sgc              137
+#define OBJ_ms_sgc              1L,3L,6L,1L,4L,1L,311L,10L,3L,3L
+
+#define SN_ms_efs               "msEFS"
+#define LN_ms_efs               "Microsoft Encrypted File System"
+#define NID_ms_efs              138
+#define OBJ_ms_efs              1L,3L,6L,1L,4L,1L,311L,10L,3L,4L
+
+#define SN_idea_cbc             "IDEA-CBC"
+#define LN_idea_cbc             "idea-cbc"
+#define NID_idea_cbc            34
+#define OBJ_idea_cbc            1L,3L,6L,1L,4L,1L,188L,7L,1L,1L,2L
+
+#define SN_idea_ecb             "IDEA-ECB"
+#define LN_idea_ecb             "idea-ecb"
+#define NID_idea_ecb            36
+
+#define SN_idea_cfb64           "IDEA-CFB"
+#define LN_idea_cfb64           "idea-cfb"
+#define NID_idea_cfb64          35
+
+#define SN_idea_ofb64           "IDEA-OFB"
+#define LN_idea_ofb64           "idea-ofb"
+#define NID_idea_ofb64          46
+
+#define SN_bf_cbc               "BF-CBC"
+#define LN_bf_cbc               "bf-cbc"
+#define NID_bf_cbc              91
+#define OBJ_bf_cbc              1L,3L,6L,1L,4L,1L,3029L,1L,2L
+
+#define SN_bf_ecb               "BF-ECB"
+#define LN_bf_ecb               "bf-ecb"
+#define NID_bf_ecb              92
+
+#define SN_bf_cfb64             "BF-CFB"
+#define LN_bf_cfb64             "bf-cfb"
+#define NID_bf_cfb64            93
+
+#define SN_bf_ofb64             "BF-OFB"
+#define LN_bf_ofb64             "bf-ofb"
+#define NID_bf_ofb64            94
+
+#define SN_id_pkix              "PKIX"
+#define NID_id_pkix             127
+#define OBJ_id_pkix             1L,3L,6L,1L,5L,5L,7L
+
+#define SN_id_pkix_mod          "id-pkix-mod"
+#define NID_id_pkix_mod         258
+#define OBJ_id_pkix_mod         OBJ_id_pkix,0L
+
+#define SN_id_pe                "id-pe"
+#define NID_id_pe               175
+#define OBJ_id_pe               OBJ_id_pkix,1L
+
+#define SN_id_qt                "id-qt"
+#define NID_id_qt               259
+#define OBJ_id_qt               OBJ_id_pkix,2L
+
+#define SN_id_kp                "id-kp"
+#define NID_id_kp               128
+#define OBJ_id_kp               OBJ_id_pkix,3L
+
+#define SN_id_it                "id-it"
+#define NID_id_it               260
+#define OBJ_id_it               OBJ_id_pkix,4L
+
+#define SN_id_pkip              "id-pkip"
+#define NID_id_pkip             261
+#define OBJ_id_pkip             OBJ_id_pkix,5L
+
+#define SN_id_alg               "id-alg"
+#define NID_id_alg              262
+#define OBJ_id_alg              OBJ_id_pkix,6L
+
+#define SN_id_cmc               "id-cmc"
+#define NID_id_cmc              263
+#define OBJ_id_cmc              OBJ_id_pkix,7L
+
+#define SN_id_on                "id-on"
+#define NID_id_on               264
+#define OBJ_id_on               OBJ_id_pkix,8L
+
+#define SN_id_pda               "id-pda"
+#define NID_id_pda              265
+#define OBJ_id_pda              OBJ_id_pkix,9L
+
+#define SN_id_aca               "id-aca"
+#define NID_id_aca              266
+#define OBJ_id_aca              OBJ_id_pkix,10L
+
+#define SN_id_qcs               "id-qcs"
+#define NID_id_qcs              267
+#define OBJ_id_qcs              OBJ_id_pkix,11L
+
+#define SN_id_cct               "id-cct"
+#define NID_id_cct              268
+#define OBJ_id_cct              OBJ_id_pkix,12L
+
+#define SN_id_ad                "id-ad"
+#define NID_id_ad               176
+#define OBJ_id_ad               OBJ_id_pkix,48L
+
+#define SN_id_pkix1_explicit_88         "id-pkix1-explicit-88"
+#define NID_id_pkix1_explicit_88                269
+#define OBJ_id_pkix1_explicit_88                OBJ_id_pkix_mod,1L
+
+#define SN_id_pkix1_implicit_88         "id-pkix1-implicit-88"
+#define NID_id_pkix1_implicit_88                270
+#define OBJ_id_pkix1_implicit_88                OBJ_id_pkix_mod,2L
+
+#define SN_id_pkix1_explicit_93         "id-pkix1-explicit-93"
+#define NID_id_pkix1_explicit_93                271
+#define OBJ_id_pkix1_explicit_93                OBJ_id_pkix_mod,3L
+
+#define SN_id_pkix1_implicit_93         "id-pkix1-implicit-93"
+#define NID_id_pkix1_implicit_93                272
+#define OBJ_id_pkix1_implicit_93                OBJ_id_pkix_mod,4L
+
+#define SN_id_mod_crmf          "id-mod-crmf"
+#define NID_id_mod_crmf         273
+#define OBJ_id_mod_crmf         OBJ_id_pkix_mod,5L
+
+#define SN_id_mod_cmc           "id-mod-cmc"
+#define NID_id_mod_cmc          274
+#define OBJ_id_mod_cmc          OBJ_id_pkix_mod,6L
+
+#define SN_id_mod_kea_profile_88                "id-mod-kea-profile-88"
+#define NID_id_mod_kea_profile_88               275
+#define OBJ_id_mod_kea_profile_88               OBJ_id_pkix_mod,7L
+
+#define SN_id_mod_kea_profile_93                "id-mod-kea-profile-93"
+#define NID_id_mod_kea_profile_93               276
+#define OBJ_id_mod_kea_profile_93               OBJ_id_pkix_mod,8L
+
+#define SN_id_mod_cmp           "id-mod-cmp"
+#define NID_id_mod_cmp          277
+#define OBJ_id_mod_cmp          OBJ_id_pkix_mod,9L
+
+#define SN_id_mod_qualified_cert_88             "id-mod-qualified-cert-88"
+#define NID_id_mod_qualified_cert_88            278
+#define OBJ_id_mod_qualified_cert_88            OBJ_id_pkix_mod,10L
+
+#define SN_id_mod_qualified_cert_93             "id-mod-qualified-cert-93"
+#define NID_id_mod_qualified_cert_93            279
+#define OBJ_id_mod_qualified_cert_93            OBJ_id_pkix_mod,11L
+
+#define SN_id_mod_attribute_cert                "id-mod-attribute-cert"
+#define NID_id_mod_attribute_cert               280
+#define OBJ_id_mod_attribute_cert               OBJ_id_pkix_mod,12L
+
+#define SN_id_mod_timestamp_protocol            "id-mod-timestamp-protocol"
+#define NID_id_mod_timestamp_protocol           281
+#define OBJ_id_mod_timestamp_protocol           OBJ_id_pkix_mod,13L
+
+#define SN_id_mod_ocsp          "id-mod-ocsp"
+#define NID_id_mod_ocsp         282
+#define OBJ_id_mod_ocsp         OBJ_id_pkix_mod,14L
+
+#define SN_id_mod_dvcs          "id-mod-dvcs"
+#define NID_id_mod_dvcs         283
+#define OBJ_id_mod_dvcs         OBJ_id_pkix_mod,15L
+
+#define SN_id_mod_cmp2000               "id-mod-cmp2000"
+#define NID_id_mod_cmp2000              284
+#define OBJ_id_mod_cmp2000              OBJ_id_pkix_mod,16L
+
+#define SN_info_access          "authorityInfoAccess"
+#define LN_info_access          "Authority Information Access"
+#define NID_info_access         177
+#define OBJ_info_access         OBJ_id_pe,1L
+
+#define SN_biometricInfo                "biometricInfo"
+#define LN_biometricInfo                "Biometric Info"
+#define NID_biometricInfo               285
+#define OBJ_biometricInfo               OBJ_id_pe,2L
+
+#define SN_qcStatements         "qcStatements"
+#define NID_qcStatements                286
+#define OBJ_qcStatements                OBJ_id_pe,3L
+
+#define SN_ac_auditEntity               "ac-auditEntity"
+#define NID_ac_auditEntity              287
+#define OBJ_ac_auditEntity              OBJ_id_pe,4L
+
+#define SN_ac_targeting         "ac-targeting"
+#define NID_ac_targeting                288
+#define OBJ_ac_targeting                OBJ_id_pe,5L
+
+#define SN_aaControls           "aaControls"
+#define NID_aaControls          289
+#define OBJ_aaControls          OBJ_id_pe,6L
+
+#define SN_sbqp_ipAddrBlock             "sbqp-ipAddrBlock"
+#define NID_sbqp_ipAddrBlock            290
+#define OBJ_sbqp_ipAddrBlock            OBJ_id_pe,7L
+
+#define SN_sbqp_autonomousSysNum                "sbqp-autonomousSysNum"
+#define NID_sbqp_autonomousSysNum               291
+#define OBJ_sbqp_autonomousSysNum               OBJ_id_pe,8L
+
+#define SN_sbqp_routerIdentifier                "sbqp-routerIdentifier"
+#define NID_sbqp_routerIdentifier               292
+#define OBJ_sbqp_routerIdentifier               OBJ_id_pe,9L
+
+#define SN_id_qt_cps            "id-qt-cps"
+#define LN_id_qt_cps            "Policy Qualifier CPS"
+#define NID_id_qt_cps           164
+#define OBJ_id_qt_cps           OBJ_id_qt,1L
+
+#define SN_id_qt_unotice                "id-qt-unotice"
+#define LN_id_qt_unotice                "Policy Qualifier User Notice"
+#define NID_id_qt_unotice               165
+#define OBJ_id_qt_unotice               OBJ_id_qt,2L
+
+#define SN_textNotice           "textNotice"
+#define NID_textNotice          293
+#define OBJ_textNotice          OBJ_id_qt,3L
+
+#define SN_server_auth          "serverAuth"
+#define LN_server_auth          "TLS Web Server Authentication"
+#define NID_server_auth         129
+#define OBJ_server_auth         OBJ_id_kp,1L
+
+#define SN_client_auth          "clientAuth"
+#define LN_client_auth          "TLS Web Client Authentication"
+#define NID_client_auth         130
+#define OBJ_client_auth         OBJ_id_kp,2L
+
+#define SN_code_sign            "codeSigning"
+#define LN_code_sign            "Code Signing"
+#define NID_code_sign           131
+#define OBJ_code_sign           OBJ_id_kp,3L
+
+#define SN_email_protect                "emailProtection"
+#define LN_email_protect                "E-mail Protection"
+#define NID_email_protect               132
+#define OBJ_email_protect               OBJ_id_kp,4L
+
+#define SN_ipsecEndSystem               "ipsecEndSystem"
+#define LN_ipsecEndSystem               "IPSec End System"
+#define NID_ipsecEndSystem              294
+#define OBJ_ipsecEndSystem              OBJ_id_kp,5L
+
+#define SN_ipsecTunnel          "ipsecTunnel"
+#define LN_ipsecTunnel          "IPSec Tunnel"
+#define NID_ipsecTunnel         295
+#define OBJ_ipsecTunnel         OBJ_id_kp,6L
+
+#define SN_ipsecUser            "ipsecUser"
+#define LN_ipsecUser            "IPSec User"
+#define NID_ipsecUser           296
+#define OBJ_ipsecUser           OBJ_id_kp,7L
+
+#define SN_time_stamp           "timeStamping"
+#define LN_time_stamp           "Time Stamping"
+#define NID_time_stamp          133
+#define OBJ_time_stamp          OBJ_id_kp,8L
+
+#define SN_OCSP_sign            "OCSPSigning"
+#define LN_OCSP_sign            "OCSP Signing"
+#define NID_OCSP_sign           180
+#define OBJ_OCSP_sign           OBJ_id_kp,9L
+
+#define SN_dvcs         "DVCS"
+#define LN_dvcs         "dvcs"
+#define NID_dvcs                297
+#define OBJ_dvcs                OBJ_id_kp,10L
+
+#define SN_id_it_caProtEncCert          "id-it-caProtEncCert"
+#define NID_id_it_caProtEncCert         298
+#define OBJ_id_it_caProtEncCert         OBJ_id_it,1L
+
+#define SN_id_it_signKeyPairTypes               "id-it-signKeyPairTypes"
+#define NID_id_it_signKeyPairTypes              299
+#define OBJ_id_it_signKeyPairTypes              OBJ_id_it,2L
+
+#define SN_id_it_encKeyPairTypes                "id-it-encKeyPairTypes"
+#define NID_id_it_encKeyPairTypes               300
+#define OBJ_id_it_encKeyPairTypes               OBJ_id_it,3L
+
+#define SN_id_it_preferredSymmAlg               "id-it-preferredSymmAlg"
+#define NID_id_it_preferredSymmAlg              301
+#define OBJ_id_it_preferredSymmAlg              OBJ_id_it,4L
+
+#define SN_id_it_caKeyUpdateInfo                "id-it-caKeyUpdateInfo"
+#define NID_id_it_caKeyUpdateInfo               302
+#define OBJ_id_it_caKeyUpdateInfo               OBJ_id_it,5L
+
+#define SN_id_it_currentCRL             "id-it-currentCRL"
+#define NID_id_it_currentCRL            303
+#define OBJ_id_it_currentCRL            OBJ_id_it,6L
+
+#define SN_id_it_unsupportedOIDs                "id-it-unsupportedOIDs"
+#define NID_id_it_unsupportedOIDs               304
+#define OBJ_id_it_unsupportedOIDs               OBJ_id_it,7L
+
+#define SN_id_it_subscriptionRequest            "id-it-subscriptionRequest"
+#define NID_id_it_subscriptionRequest           305
+#define OBJ_id_it_subscriptionRequest           OBJ_id_it,8L
+
+#define SN_id_it_subscriptionResponse           "id-it-subscriptionResponse"
+#define NID_id_it_subscriptionResponse          306
+#define OBJ_id_it_subscriptionResponse          OBJ_id_it,9L
+
+#define SN_id_it_keyPairParamReq                "id-it-keyPairParamReq"
+#define NID_id_it_keyPairParamReq               307
+#define OBJ_id_it_keyPairParamReq               OBJ_id_it,10L
+
+#define SN_id_it_keyPairParamRep                "id-it-keyPairParamRep"
+#define NID_id_it_keyPairParamRep               308
+#define OBJ_id_it_keyPairParamRep               OBJ_id_it,11L
+
+#define SN_id_it_revPassphrase          "id-it-revPassphrase"
+#define NID_id_it_revPassphrase         309
+#define OBJ_id_it_revPassphrase         OBJ_id_it,12L
+
+#define SN_id_it_implicitConfirm                "id-it-implicitConfirm"
+#define NID_id_it_implicitConfirm               310
+#define OBJ_id_it_implicitConfirm               OBJ_id_it,13L
+
+#define SN_id_it_confirmWaitTime                "id-it-confirmWaitTime"
+#define NID_id_it_confirmWaitTime               311
+#define OBJ_id_it_confirmWaitTime               OBJ_id_it,14L
+
+#define SN_id_it_origPKIMessage         "id-it-origPKIMessage"
+#define NID_id_it_origPKIMessage                312
+#define OBJ_id_it_origPKIMessage                OBJ_id_it,15L
+
+#define SN_id_regCtrl           "id-regCtrl"
+#define NID_id_regCtrl          313
+#define OBJ_id_regCtrl          OBJ_id_pkip,1L
+
+#define SN_id_regInfo           "id-regInfo"
+#define NID_id_regInfo          314
+#define OBJ_id_regInfo          OBJ_id_pkip,2L
+
+#define SN_id_regCtrl_regToken          "id-regCtrl-regToken"
+#define NID_id_regCtrl_regToken         315
+#define OBJ_id_regCtrl_regToken         OBJ_id_regCtrl,1L
+
+#define SN_id_regCtrl_authenticator             "id-regCtrl-authenticator"
+#define NID_id_regCtrl_authenticator            316
+#define OBJ_id_regCtrl_authenticator            OBJ_id_regCtrl,2L
+
+#define SN_id_regCtrl_pkiPublicationInfo                "id-regCtrl-pkiPublicationInfo"
+#define NID_id_regCtrl_pkiPublicationInfo               317
+#define OBJ_id_regCtrl_pkiPublicationInfo               OBJ_id_regCtrl,3L
+
+#define SN_id_regCtrl_pkiArchiveOptions         "id-regCtrl-pkiArchiveOptions"
+#define NID_id_regCtrl_pkiArchiveOptions                318
+#define OBJ_id_regCtrl_pkiArchiveOptions                OBJ_id_regCtrl,4L
+
+#define SN_id_regCtrl_oldCertID         "id-regCtrl-oldCertID"
+#define NID_id_regCtrl_oldCertID                319
+#define OBJ_id_regCtrl_oldCertID                OBJ_id_regCtrl,5L
+
+#define SN_id_regCtrl_protocolEncrKey           "id-regCtrl-protocolEncrKey"
+#define NID_id_regCtrl_protocolEncrKey          320
+#define OBJ_id_regCtrl_protocolEncrKey          OBJ_id_regCtrl,6L
+
+#define SN_id_regInfo_utf8Pairs         "id-regInfo-utf8Pairs"
+#define NID_id_regInfo_utf8Pairs                321
+#define OBJ_id_regInfo_utf8Pairs                OBJ_id_regInfo,1L
+
+#define SN_id_regInfo_certReq           "id-regInfo-certReq"
+#define NID_id_regInfo_certReq          322
+#define OBJ_id_regInfo_certReq          OBJ_id_regInfo,2L
+
+#define SN_id_alg_des40         "id-alg-des40"
+#define NID_id_alg_des40                323
+#define OBJ_id_alg_des40                OBJ_id_alg,1L
+
+#define SN_id_alg_noSignature           "id-alg-noSignature"
+#define NID_id_alg_noSignature          324
+#define OBJ_id_alg_noSignature          OBJ_id_alg,2L
+
+#define SN_id_alg_dh_sig_hmac_sha1              "id-alg-dh-sig-hmac-sha1"
+#define NID_id_alg_dh_sig_hmac_sha1             325
+#define OBJ_id_alg_dh_sig_hmac_sha1             OBJ_id_alg,3L
+
+#define SN_id_alg_dh_pop                "id-alg-dh-pop"
+#define NID_id_alg_dh_pop               326
+#define OBJ_id_alg_dh_pop               OBJ_id_alg,4L
+
+#define SN_id_cmc_statusInfo            "id-cmc-statusInfo"
+#define NID_id_cmc_statusInfo           327
+#define OBJ_id_cmc_statusInfo           OBJ_id_cmc,1L
+
+#define SN_id_cmc_identification                "id-cmc-identification"
+#define NID_id_cmc_identification               328
+#define OBJ_id_cmc_identification               OBJ_id_cmc,2L
+
+#define SN_id_cmc_identityProof         "id-cmc-identityProof"
+#define NID_id_cmc_identityProof                329
+#define OBJ_id_cmc_identityProof                OBJ_id_cmc,3L
+
+#define SN_id_cmc_dataReturn            "id-cmc-dataReturn"
+#define NID_id_cmc_dataReturn           330
+#define OBJ_id_cmc_dataReturn           OBJ_id_cmc,4L
+
+#define SN_id_cmc_transactionId         "id-cmc-transactionId"
+#define NID_id_cmc_transactionId                331
+#define OBJ_id_cmc_transactionId                OBJ_id_cmc,5L
+
+#define SN_id_cmc_senderNonce           "id-cmc-senderNonce"
+#define NID_id_cmc_senderNonce          332
+#define OBJ_id_cmc_senderNonce          OBJ_id_cmc,6L
+
+#define SN_id_cmc_recipientNonce                "id-cmc-recipientNonce"
+#define NID_id_cmc_recipientNonce               333
+#define OBJ_id_cmc_recipientNonce               OBJ_id_cmc,7L
+
+#define SN_id_cmc_addExtensions         "id-cmc-addExtensions"
+#define NID_id_cmc_addExtensions                334
+#define OBJ_id_cmc_addExtensions                OBJ_id_cmc,8L
+
+#define SN_id_cmc_encryptedPOP          "id-cmc-encryptedPOP"
+#define NID_id_cmc_encryptedPOP         335
+#define OBJ_id_cmc_encryptedPOP         OBJ_id_cmc,9L
+
+#define SN_id_cmc_decryptedPOP          "id-cmc-decryptedPOP"
+#define NID_id_cmc_decryptedPOP         336
+#define OBJ_id_cmc_decryptedPOP         OBJ_id_cmc,10L
+
+#define SN_id_cmc_lraPOPWitness         "id-cmc-lraPOPWitness"
+#define NID_id_cmc_lraPOPWitness                337
+#define OBJ_id_cmc_lraPOPWitness                OBJ_id_cmc,11L
+
+#define SN_id_cmc_getCert               "id-cmc-getCert"
+#define NID_id_cmc_getCert              338
+#define OBJ_id_cmc_getCert              OBJ_id_cmc,15L
+
+#define SN_id_cmc_getCRL                "id-cmc-getCRL"
+#define NID_id_cmc_getCRL               339
+#define OBJ_id_cmc_getCRL               OBJ_id_cmc,16L
+
+#define SN_id_cmc_revokeRequest         "id-cmc-revokeRequest"
+#define NID_id_cmc_revokeRequest                340
+#define OBJ_id_cmc_revokeRequest                OBJ_id_cmc,17L
+
+#define SN_id_cmc_regInfo               "id-cmc-regInfo"
+#define NID_id_cmc_regInfo              341
+#define OBJ_id_cmc_regInfo              OBJ_id_cmc,18L
+
+#define SN_id_cmc_responseInfo          "id-cmc-responseInfo"
+#define NID_id_cmc_responseInfo         342
+#define OBJ_id_cmc_responseInfo         OBJ_id_cmc,19L
+
+#define SN_id_cmc_queryPending          "id-cmc-queryPending"
+#define NID_id_cmc_queryPending         343
+#define OBJ_id_cmc_queryPending         OBJ_id_cmc,21L
+
+#define SN_id_cmc_popLinkRandom         "id-cmc-popLinkRandom"
+#define NID_id_cmc_popLinkRandom                344
+#define OBJ_id_cmc_popLinkRandom                OBJ_id_cmc,22L
+
+#define SN_id_cmc_popLinkWitness                "id-cmc-popLinkWitness"
+#define NID_id_cmc_popLinkWitness               345
+#define OBJ_id_cmc_popLinkWitness               OBJ_id_cmc,23L
+
+#define SN_id_cmc_confirmCertAcceptance         "id-cmc-confirmCertAcceptance"
+#define NID_id_cmc_confirmCertAcceptance                346
+#define OBJ_id_cmc_confirmCertAcceptance                OBJ_id_cmc,24L
+
+#define SN_id_on_personalData           "id-on-personalData"
+#define NID_id_on_personalData          347
+#define OBJ_id_on_personalData          OBJ_id_on,1L
+
+#define SN_id_pda_dateOfBirth           "id-pda-dateOfBirth"
+#define NID_id_pda_dateOfBirth          348
+#define OBJ_id_pda_dateOfBirth          OBJ_id_pda,1L
+
+#define SN_id_pda_placeOfBirth          "id-pda-placeOfBirth"
+#define NID_id_pda_placeOfBirth         349
+#define OBJ_id_pda_placeOfBirth         OBJ_id_pda,2L
+
+#define SN_id_pda_pseudonym             "id-pda-pseudonym"
+#define NID_id_pda_pseudonym            350
+#define OBJ_id_pda_pseudonym            OBJ_id_pda,3L
+
+#define SN_id_pda_gender                "id-pda-gender"
+#define NID_id_pda_gender               351
+#define OBJ_id_pda_gender               OBJ_id_pda,4L
+
+#define SN_id_pda_countryOfCitizenship          "id-pda-countryOfCitizenship"
+#define NID_id_pda_countryOfCitizenship         352
+#define OBJ_id_pda_countryOfCitizenship         OBJ_id_pda,5L
+
+#define SN_id_pda_countryOfResidence            "id-pda-countryOfResidence"
+#define NID_id_pda_countryOfResidence           353
+#define OBJ_id_pda_countryOfResidence           OBJ_id_pda,6L
+
+#define SN_id_aca_authenticationInfo            "id-aca-authenticationInfo"
+#define NID_id_aca_authenticationInfo           354
+#define OBJ_id_aca_authenticationInfo           OBJ_id_aca,1L
+
+#define SN_id_aca_accessIdentity                "id-aca-accessIdentity"
+#define NID_id_aca_accessIdentity               355
+#define OBJ_id_aca_accessIdentity               OBJ_id_aca,2L
+
+#define SN_id_aca_chargingIdentity              "id-aca-chargingIdentity"
+#define NID_id_aca_chargingIdentity             356
+#define OBJ_id_aca_chargingIdentity             OBJ_id_aca,3L
+
+#define SN_id_aca_group         "id-aca-group"
+#define NID_id_aca_group                357
+#define OBJ_id_aca_group                OBJ_id_aca,4L
+
+#define SN_id_aca_role          "id-aca-role"
+#define NID_id_aca_role         358
+#define OBJ_id_aca_role         OBJ_id_aca,5L
+
+#define SN_id_qcs_pkixQCSyntax_v1               "id-qcs-pkixQCSyntax-v1"
+#define NID_id_qcs_pkixQCSyntax_v1              359
+#define OBJ_id_qcs_pkixQCSyntax_v1              OBJ_id_qcs,1L
+
+#define SN_id_cct_crs           "id-cct-crs"
+#define NID_id_cct_crs          360
+#define OBJ_id_cct_crs          OBJ_id_cct,1L
+
+#define SN_id_cct_PKIData               "id-cct-PKIData"
+#define NID_id_cct_PKIData              361
+#define OBJ_id_cct_PKIData              OBJ_id_cct,2L
+
+#define SN_id_cct_PKIResponse           "id-cct-PKIResponse"
+#define NID_id_cct_PKIResponse          362
+#define OBJ_id_cct_PKIResponse          OBJ_id_cct,3L
+
+#define SN_ad_OCSP              "OCSP"
+#define LN_ad_OCSP              "OCSP"
+#define NID_ad_OCSP             178
+#define OBJ_ad_OCSP             OBJ_id_ad,1L
+
+#define SN_ad_ca_issuers                "caIssuers"
+#define LN_ad_ca_issuers                "CA Issuers"
+#define NID_ad_ca_issuers               179
+#define OBJ_ad_ca_issuers               OBJ_id_ad,2L
+
+#define SN_ad_timeStamping              "ad_timestamping"
+#define LN_ad_timeStamping              "AD Time Stamping"
+#define NID_ad_timeStamping             363
+#define OBJ_ad_timeStamping             OBJ_id_ad,3L
+
+#define SN_ad_dvcs              "AD_DVCS"
+#define LN_ad_dvcs              "ad dvcs"
+#define NID_ad_dvcs             364
+#define OBJ_ad_dvcs             OBJ_id_ad,4L
+
+#define OBJ_id_pkix_OCSP                OBJ_ad_OCSP
+
+#define SN_id_pkix_OCSP_basic           "basicOCSPResponse"
+#define LN_id_pkix_OCSP_basic           "Basic OCSP Response"
+#define NID_id_pkix_OCSP_basic          365
+#define OBJ_id_pkix_OCSP_basic          OBJ_id_pkix_OCSP,1L
+
+#define SN_id_pkix_OCSP_Nonce           "Nonce"
+#define LN_id_pkix_OCSP_Nonce           "OCSP Nonce"
+#define NID_id_pkix_OCSP_Nonce          366
+#define OBJ_id_pkix_OCSP_Nonce          OBJ_id_pkix_OCSP,2L
+
+#define SN_id_pkix_OCSP_CrlID           "CrlID"
+#define LN_id_pkix_OCSP_CrlID           "OCSP CRL ID"
+#define NID_id_pkix_OCSP_CrlID          367
+#define OBJ_id_pkix_OCSP_CrlID          OBJ_id_pkix_OCSP,3L
+
+#define SN_id_pkix_OCSP_acceptableResponses             "acceptableResponses"
+#define LN_id_pkix_OCSP_acceptableResponses             "Acceptable OCSP Responses"
+#define NID_id_pkix_OCSP_acceptableResponses            368
+#define OBJ_id_pkix_OCSP_acceptableResponses            OBJ_id_pkix_OCSP,4L
+
+#define SN_id_pkix_OCSP_noCheck         "noCheck"
+#define NID_id_pkix_OCSP_noCheck                369
+#define OBJ_id_pkix_OCSP_noCheck                OBJ_id_pkix_OCSP,5L
+
+#define SN_id_pkix_OCSP_archiveCutoff           "archiveCutoff"
+#define LN_id_pkix_OCSP_archiveCutoff           "OCSP Archive Cutoff"
+#define NID_id_pkix_OCSP_archiveCutoff          370
+#define OBJ_id_pkix_OCSP_archiveCutoff          OBJ_id_pkix_OCSP,6L
+
+#define SN_id_pkix_OCSP_serviceLocator          "serviceLocator"
+#define LN_id_pkix_OCSP_serviceLocator          "OCSP Service Locator"
+#define NID_id_pkix_OCSP_serviceLocator         371
+#define OBJ_id_pkix_OCSP_serviceLocator         OBJ_id_pkix_OCSP,7L
+
+#define SN_id_pkix_OCSP_extendedStatus          "extendedStatus"
+#define LN_id_pkix_OCSP_extendedStatus          "Extended OCSP Status"
+#define NID_id_pkix_OCSP_extendedStatus         372
+#define OBJ_id_pkix_OCSP_extendedStatus         OBJ_id_pkix_OCSP,8L
+
+#define SN_id_pkix_OCSP_valid           "valid"
+#define NID_id_pkix_OCSP_valid          373
+#define OBJ_id_pkix_OCSP_valid          OBJ_id_pkix_OCSP,9L
+
+#define SN_id_pkix_OCSP_path            "path"
+#define NID_id_pkix_OCSP_path           374
+#define OBJ_id_pkix_OCSP_path           OBJ_id_pkix_OCSP,10L
+
+#define SN_id_pkix_OCSP_trustRoot               "trustRoot"
+#define LN_id_pkix_OCSP_trustRoot               "Trust Root"
+#define NID_id_pkix_OCSP_trustRoot              375
+#define OBJ_id_pkix_OCSP_trustRoot              OBJ_id_pkix_OCSP,11L
+
+#define SN_algorithm            "algorithm"
+#define LN_algorithm            "algorithm"
+#define NID_algorithm           376
+#define OBJ_algorithm           1L,3L,14L,3L,2L
+
+#define SN_md5WithRSA           "RSA-NP-MD5"
+#define LN_md5WithRSA           "md5WithRSA"
+#define NID_md5WithRSA          104
+#define OBJ_md5WithRSA          OBJ_algorithm,3L
+
+#define SN_des_ecb              "DES-ECB"
+#define LN_des_ecb              "des-ecb"
+#define NID_des_ecb             29
+#define OBJ_des_ecb             OBJ_algorithm,6L
+
+#define SN_des_cbc              "DES-CBC"
+#define LN_des_cbc              "des-cbc"
+#define NID_des_cbc             31
+#define OBJ_des_cbc             OBJ_algorithm,7L
+
+#define SN_des_ofb64            "DES-OFB"
+#define LN_des_ofb64            "des-ofb"
+#define NID_des_ofb64           45
+#define OBJ_des_ofb64           OBJ_algorithm,8L
+
+#define SN_des_cfb64            "DES-CFB"
+#define LN_des_cfb64            "des-cfb"
+#define NID_des_cfb64           30
+#define OBJ_des_cfb64           OBJ_algorithm,9L
+
+#define SN_rsaSignature         "rsaSignature"
+#define NID_rsaSignature                377
+#define OBJ_rsaSignature                OBJ_algorithm,11L
+
+#define SN_dsa_2                "DSA-old"
+#define LN_dsa_2                "dsaEncryption-old"
+#define NID_dsa_2               67
+#define OBJ_dsa_2               OBJ_algorithm,12L
+
+#define SN_dsaWithSHA           "DSA-SHA"
+#define LN_dsaWithSHA           "dsaWithSHA"
+#define NID_dsaWithSHA          66
+#define OBJ_dsaWithSHA          OBJ_algorithm,13L
+
+#define SN_shaWithRSAEncryption         "RSA-SHA"
+#define LN_shaWithRSAEncryption         "shaWithRSAEncryption"
+#define NID_shaWithRSAEncryption                42
+#define OBJ_shaWithRSAEncryption                OBJ_algorithm,15L
+
+#define SN_des_ede              "DES-EDE"
+#define LN_des_ede              "des-ede"
+#define NID_des_ede             32
+#define OBJ_des_ede             OBJ_algorithm,17L
+
+#define SN_des_ede3             "DES-EDE3"
+#define LN_des_ede3             "des-ede3"
+#define NID_des_ede3            33
+
+#define SN_des_ede_cbc          "DES-EDE-CBC"
+#define LN_des_ede_cbc          "des-ede-cbc"
+#define NID_des_ede_cbc         43
+
+#define SN_des_ede_cfb64                "DES-EDE-CFB"
+#define LN_des_ede_cfb64                "des-ede-cfb"
+#define NID_des_ede_cfb64               60
+
+#define SN_des_ede3_cfb64               "DES-EDE3-CFB"
+#define LN_des_ede3_cfb64               "des-ede3-cfb"
+#define NID_des_ede3_cfb64              61
+
+#define SN_des_ede_ofb64                "DES-EDE-OFB"
+#define LN_des_ede_ofb64                "des-ede-ofb"
+#define NID_des_ede_ofb64               62
+
+#define SN_des_ede3_ofb64               "DES-EDE3-OFB"
+#define LN_des_ede3_ofb64               "des-ede3-ofb"
+#define NID_des_ede3_ofb64              63
+
+#define SN_desx_cbc             "DESX-CBC"
+#define LN_desx_cbc             "desx-cbc"
+#define NID_desx_cbc            80
+
+#define SN_sha          "SHA"
+#define LN_sha          "sha"
+#define NID_sha         41
+#define OBJ_sha         OBJ_algorithm,18L
+
+#define SN_sha1         "SHA1"
+#define LN_sha1         "sha1"
+#define NID_sha1                64
+#define OBJ_sha1                OBJ_algorithm,26L
+
+#define SN_dsaWithSHA1_2                "DSA-SHA1-old"
+#define LN_dsaWithSHA1_2                "dsaWithSHA1-old"
+#define NID_dsaWithSHA1_2               70
+#define OBJ_dsaWithSHA1_2               OBJ_algorithm,27L
+
+#define SN_sha1WithRSA          "RSA-SHA1-2"
+#define LN_sha1WithRSA          "sha1WithRSA"
+#define NID_sha1WithRSA         115
+#define OBJ_sha1WithRSA         OBJ_algorithm,29L
+
+#define SN_ripemd160            "RIPEMD160"
+#define LN_ripemd160            "ripemd160"
+#define NID_ripemd160           117
+#define OBJ_ripemd160           1L,3L,36L,3L,2L,1L
+
+#define SN_ripemd160WithRSA             "RSA-RIPEMD160"
+#define LN_ripemd160WithRSA             "ripemd160WithRSA"
+#define NID_ripemd160WithRSA            119
+#define OBJ_ripemd160WithRSA            1L,3L,36L,3L,3L,1L,2L
+
+#define SN_sxnet                "SXNetID"
+#define LN_sxnet                "Strong Extranet ID"
+#define NID_sxnet               143
+#define OBJ_sxnet               1L,3L,101L,1L,4L,1L
+
+#define SN_X500         "X500"
+#define LN_X500         "directory services (X.500)"
+#define NID_X500                11
+#define OBJ_X500                2L,5L
+
+#define SN_X509         "X509"
+#define NID_X509                12
+#define OBJ_X509                OBJ_X500,4L
+
+#define SN_commonName           "CN"
+#define LN_commonName           "commonName"
+#define NID_commonName          13
+#define OBJ_commonName          OBJ_X509,3L
+
+#define SN_surname              "S"
+#define LN_surname              "surname"
+#define NID_surname             100
+#define OBJ_surname             OBJ_X509,4L
+
+#define SN_serialNumber         "SN"
+#define LN_serialNumber         "serialNumber"
+#define NID_serialNumber                105
+#define OBJ_serialNumber                OBJ_X509,5L
+
+#define SN_countryName          "C"
+#define LN_countryName          "countryName"
+#define NID_countryName         14
+#define OBJ_countryName         OBJ_X509,6L
+
+#define SN_localityName         "L"
+#define LN_localityName         "localityName"
+#define NID_localityName                15
+#define OBJ_localityName                OBJ_X509,7L
+
+#define SN_stateOrProvinceName          "ST"
+#define LN_stateOrProvinceName          "stateOrProvinceName"
+#define NID_stateOrProvinceName         16
+#define OBJ_stateOrProvinceName         OBJ_X509,8L
+
+#define SN_organizationName             "O"
+#define LN_organizationName             "organizationName"
+#define NID_organizationName            17
+#define OBJ_organizationName            OBJ_X509,10L
+
+#define SN_organizationalUnitName               "OU"
+#define LN_organizationalUnitName               "organizationalUnitName"
+#define NID_organizationalUnitName              18
+#define OBJ_organizationalUnitName              OBJ_X509,11L
+
+#define SN_title                "T"
+#define LN_title                "title"
+#define NID_title               106
+#define OBJ_title               OBJ_X509,12L
+
+#define SN_description          "D"
+#define LN_description          "description"
+#define NID_description         107
+#define OBJ_description         OBJ_X509,13L
+
+#define SN_name         "name"
+#define LN_name         "name"
+#define NID_name                173
+#define OBJ_name                OBJ_X509,41L
+
+#define SN_givenName            "G"
+#define LN_givenName            "givenName"
+#define NID_givenName           99
+#define OBJ_givenName           OBJ_X509,42L
+
+#define SN_initials             "I"
+#define LN_initials             "initials"
+#define NID_initials            101
+#define OBJ_initials            OBJ_X509,43L
+
+#define SN_uniqueIdentifier             "UID"
+#define LN_uniqueIdentifier             "uniqueIdentifier"
+#define NID_uniqueIdentifier            102
+#define OBJ_uniqueIdentifier            OBJ_X509,45L
+
+#define SN_dnQualifier          "dnQualifier"
+#define LN_dnQualifier          "dnQualifier"
+#define NID_dnQualifier         174
+#define OBJ_dnQualifier         OBJ_X509,46L
+
+#define SN_X500algorithms               "X500algorithms"
+#define LN_X500algorithms               "directory services - algorithms"
+#define NID_X500algorithms              378
+#define OBJ_X500algorithms              OBJ_X500,8L
+
+#define SN_rsa          "RSA"
+#define LN_rsa          "rsa"
+#define NID_rsa         19
+#define OBJ_rsa         OBJ_X500algorithms,1L,1L
+
+#define SN_mdc2WithRSA          "RSA-MDC2"
+#define LN_mdc2WithRSA          "mdc2WithRSA"
+#define NID_mdc2WithRSA         96
+#define OBJ_mdc2WithRSA         OBJ_X500algorithms,3L,100L
+
+#define SN_mdc2         "MDC2"
+#define LN_mdc2         "mdc2"
+#define NID_mdc2                95
+#define OBJ_mdc2                OBJ_X500algorithms,3L,101L
+
+#define SN_id_ce                "id-ce"
+#define NID_id_ce               81
+#define OBJ_id_ce               OBJ_X500,29L
+
+#define SN_subject_key_identifier               "subjectKeyIdentifier"
+#define LN_subject_key_identifier               "X509v3 Subject Key Identifier"
+#define NID_subject_key_identifier              82
+#define OBJ_subject_key_identifier              OBJ_id_ce,14L
+
+#define SN_key_usage            "keyUsage"
+#define LN_key_usage            "X509v3 Key Usage"
+#define NID_key_usage           83
+#define OBJ_key_usage           OBJ_id_ce,15L
+
+#define SN_private_key_usage_period             "privateKeyUsagePeriod"
+#define LN_private_key_usage_period             "X509v3 Private Key Usage Period"
+#define NID_private_key_usage_period            84
+#define OBJ_private_key_usage_period            OBJ_id_ce,16L
+
+#define SN_subject_alt_name             "subjectAltName"
+#define LN_subject_alt_name             "X509v3 Subject Alternative Name"
+#define NID_subject_alt_name            85
+#define OBJ_subject_alt_name            OBJ_id_ce,17L
+
+#define SN_issuer_alt_name              "issuerAltName"
+#define LN_issuer_alt_name              "X509v3 Issuer Alternative Name"
+#define NID_issuer_alt_name             86
+#define OBJ_issuer_alt_name             OBJ_id_ce,18L
+
+#define SN_basic_constraints            "basicConstraints"
+#define LN_basic_constraints            "X509v3 Basic Constraints"
+#define NID_basic_constraints           87
+#define OBJ_basic_constraints           OBJ_id_ce,19L
+
+#define SN_crl_number           "crlNumber"
+#define LN_crl_number           "X509v3 CRL Number"
+#define NID_crl_number          88
+#define OBJ_crl_number          OBJ_id_ce,20L
+
+#define SN_crl_reason           "CRLReason"
+#define LN_crl_reason           "X509v3 CRL Reason Code"
+#define NID_crl_reason          141
+#define OBJ_crl_reason          OBJ_id_ce,21L
+
+#define SN_invalidity_date              "invalidityDate"
+#define LN_invalidity_date              "Invalidity Date"
+#define NID_invalidity_date             142
+#define OBJ_invalidity_date             OBJ_id_ce,24L
+
+#define SN_delta_crl            "deltaCRL"
+#define LN_delta_crl            "X509v3 Delta CRL Indicator"
+#define NID_delta_crl           140
+#define OBJ_delta_crl           OBJ_id_ce,27L
+
+#define SN_crl_distribution_points              "crlDistributionPoints"
+#define LN_crl_distribution_points              "X509v3 CRL Distribution Points"
+#define NID_crl_distribution_points             103
+#define OBJ_crl_distribution_points             OBJ_id_ce,31L
+
+#define SN_certificate_policies         "certificatePolicies"
+#define LN_certificate_policies         "X509v3 Certificate Policies"
+#define NID_certificate_policies                89
+#define OBJ_certificate_policies                OBJ_id_ce,32L
+
+#define SN_authority_key_identifier             "authorityKeyIdentifier"
+#define LN_authority_key_identifier             "X509v3 Authority Key Identifier"
+#define NID_authority_key_identifier            90
+#define OBJ_authority_key_identifier            OBJ_id_ce,35L
+
+#define SN_ext_key_usage                "extendedKeyUsage"
+#define LN_ext_key_usage                "X509v3 Extended Key Usage"
+#define NID_ext_key_usage               126
+#define OBJ_ext_key_usage               OBJ_id_ce,37L
+
+#define SN_netscape             "Netscape"
+#define LN_netscape             "Netscape Communications Corp."
+#define NID_netscape            57
+#define OBJ_netscape            2L,16L,840L,1L,113730L
+
+#define SN_netscape_cert_extension              "nsCertExt"
+#define LN_netscape_cert_extension              "Netscape Certificate Extension"
+#define NID_netscape_cert_extension             58
+#define OBJ_netscape_cert_extension             OBJ_netscape,1L
+
+#define SN_netscape_data_type           "nsDataType"
+#define LN_netscape_data_type           "Netscape Data Type"
+#define NID_netscape_data_type          59
+#define OBJ_netscape_data_type          OBJ_netscape,2L
+
+#define SN_netscape_cert_type           "nsCertType"
+#define LN_netscape_cert_type           "Netscape Cert Type"
+#define NID_netscape_cert_type          71
+#define OBJ_netscape_cert_type          OBJ_netscape_cert_extension,1L
+
+#define SN_netscape_base_url            "nsBaseUrl"
+#define LN_netscape_base_url            "Netscape Base Url"
+#define NID_netscape_base_url           72
+#define OBJ_netscape_base_url           OBJ_netscape_cert_extension,2L
+
+#define SN_netscape_revocation_url              "nsRevocationUrl"
+#define LN_netscape_revocation_url              "Netscape Revocation Url"
+#define NID_netscape_revocation_url             73
+#define OBJ_netscape_revocation_url             OBJ_netscape_cert_extension,3L
+
+#define SN_netscape_ca_revocation_url           "nsCaRevocationUrl"
+#define LN_netscape_ca_revocation_url           "Netscape CA Revocation Url"
+#define NID_netscape_ca_revocation_url          74
+#define OBJ_netscape_ca_revocation_url          OBJ_netscape_cert_extension,4L
+
+#define SN_netscape_renewal_url         "nsRenewalUrl"
+#define LN_netscape_renewal_url         "Netscape Renewal Url"
+#define NID_netscape_renewal_url                75
+#define OBJ_netscape_renewal_url                OBJ_netscape_cert_extension,7L
+
+#define SN_netscape_ca_policy_url               "nsCaPolicyUrl"
+#define LN_netscape_ca_policy_url               "Netscape CA Policy Url"
+#define NID_netscape_ca_policy_url              76
+#define OBJ_netscape_ca_policy_url              OBJ_netscape_cert_extension,8L
+
+#define SN_netscape_ssl_server_name             "nsSslServerName"
+#define LN_netscape_ssl_server_name             "Netscape SSL Server Name"
+#define NID_netscape_ssl_server_name            77
+#define OBJ_netscape_ssl_server_name            OBJ_netscape_cert_extension,12L
+
+#define SN_netscape_comment             "nsComment"
+#define LN_netscape_comment             "Netscape Comment"
+#define NID_netscape_comment            78
+#define OBJ_netscape_comment            OBJ_netscape_cert_extension,13L
+
+#define SN_netscape_cert_sequence               "nsCertSequence"
+#define LN_netscape_cert_sequence               "Netscape Certificate Sequence"
+#define NID_netscape_cert_sequence              79
+#define OBJ_netscape_cert_sequence              OBJ_netscape_data_type,5L
+
+#define SN_ns_sgc               "nsSGC"
+#define LN_ns_sgc               "Netscape Server Gated Crypto"
+#define NID_ns_sgc              139
+#define OBJ_ns_sgc              OBJ_netscape,4L,1L
+
+#define SN_org          "ORG"
+#define LN_org          "org"
+#define NID_org         379
+#define OBJ_org         OBJ_iso,3L
+
+#define SN_dod          "DOD"
+#define LN_dod          "dod"
+#define NID_dod         380
+#define OBJ_dod         OBJ_org,6L
+
+#define SN_iana         "IANA"
+#define LN_iana         "iana"
+#define NID_iana                381
+#define OBJ_iana                OBJ_dod,1L
+
+#define OBJ_internet            OBJ_iana
+
+#define SN_Directory            "directory"
+#define LN_Directory            "Directory"
+#define NID_Directory           382
+#define OBJ_Directory           OBJ_internet,1L
+
+#define SN_Management           "mgmt"
+#define LN_Management           "Management"
+#define NID_Management          383
+#define OBJ_Management          OBJ_internet,2L
+
+#define SN_Experimental         "experimental"
+#define LN_Experimental         "Experimental"
+#define NID_Experimental                384
+#define OBJ_Experimental                OBJ_internet,3L
+
+#define SN_Private              "private"
+#define LN_Private              "Private"
+#define NID_Private             385
+#define OBJ_Private             OBJ_internet,4L
+
+#define SN_Security             "security"
+#define LN_Security             "Security"
+#define NID_Security            386
+#define OBJ_Security            OBJ_internet,5L
+
+#define SN_SNMPv2               "snmpv2"
+#define LN_SNMPv2               "SNMPv2"
+#define NID_SNMPv2              387
+#define OBJ_SNMPv2              OBJ_internet,6L
+
+#define SN_Mail         "mail"
+#define LN_Mail         "Mail"
+#define NID_Mail                388
+#define OBJ_Mail                OBJ_internet,7L
+
+#define SN_Enterprises          "enterprises"
+#define LN_Enterprises          "Enterprises"
+#define NID_Enterprises         389
+#define OBJ_Enterprises         OBJ_private,1L
+
+#define SN_dcObject             "dcobject"
+#define LN_dcObject             "dcObject"
+#define NID_dcObject            390
+#define OBJ_dcObject            OBJ_enterprises,1466L,344L
+
+#define SN_domainComponent              "DC"
+#define LN_domainComponent              "domainComponent"
+#define NID_domainComponent             391
+#define OBJ_domainComponent             0L,9L,2342L,19200300L,100L,1L,25L
+
+#define SN_Domain               "domain"
+#define LN_Domain               "Domain"
+#define NID_Domain              392
+#define OBJ_Domain              0L,9L,2342L,19200300L,100L,4L,13L
+
+#define SN_rle_compression              "RLE"
+#define LN_rle_compression              "run length compression"
+#define NID_rle_compression             124
+#define OBJ_rle_compression             1L,1L,1L,1L,666L,1L
+
+#define SN_zlib_compression             "ZLIB"
+#define LN_zlib_compression             "zlib compression"
+#define NID_zlib_compression            125
+#define OBJ_zlib_compression            1L,1L,1L,1L,666L,2L
+
diff --git a/src/lib/libssl/src/crypto/objects/obj_mac.num b/src/lib/libssl/src/crypto/objects/obj_mac.num
new file mode 100644
index 0000000000..d73a51370f
--- /dev/null
+++ b/src/lib/libssl/src/crypto/objects/obj_mac.num
@@ -0,0 +1,392 @@
+undef           0
+rsadsi          1
+pkcs            2
+md2             3
+md5             4
+rc4             5
+rsaEncryption           6
+md2WithRSAEncryption            7
+md5WithRSAEncryption            8
+pbeWithMD2AndDES_CBC            9
+pbeWithMD5AndDES_CBC            10
+X500            11
+X509            12
+commonName              13
+countryName             14
+localityName            15
+stateOrProvinceName             16
+organizationName                17
+organizationalUnitName          18
+rsa             19
+pkcs7           20
+pkcs7_data              21
+pkcs7_signed            22
+pkcs7_enveloped         23
+pkcs7_signedAndEnveloped                24
+pkcs7_digest            25
+pkcs7_encrypted         26
+pkcs3           27
+dhKeyAgreement          28
+des_ecb         29
+des_cfb64               30
+des_cbc         31
+des_ede         32
+des_ede3                33
+idea_cbc                34
+idea_cfb64              35
+idea_ecb                36
+rc2_cbc         37
+rc2_ecb         38
+rc2_cfb64               39
+rc2_ofb64               40
+sha             41
+shaWithRSAEncryption            42
+des_ede_cbc             43
+des_ede3_cbc            44
+des_ofb64               45
+idea_ofb64              46
+pkcs9           47
+pkcs9_emailAddress              48
+pkcs9_unstructuredName          49
+pkcs9_contentType               50
+pkcs9_messageDigest             51
+pkcs9_signingTime               52
+pkcs9_countersignature          53
+pkcs9_challengePassword         54
+pkcs9_unstructuredAddress               55
+pkcs9_extCertAttributes         56
+netscape                57
+netscape_cert_extension         58
+netscape_data_type              59
+des_ede_cfb64           60
+des_ede3_cfb64          61
+des_ede_ofb64           62
+des_ede3_ofb64          63
+sha1            64
+sha1WithRSAEncryption           65
+dsaWithSHA              66
+dsa_2           67
+pbeWithSHA1AndRC2_CBC           68
+id_pbkdf2               69
+dsaWithSHA1_2           70
+netscape_cert_type              71
+netscape_base_url               72
+netscape_revocation_url         73
+netscape_ca_revocation_url              74
+netscape_renewal_url            75
+netscape_ca_policy_url          76
+netscape_ssl_server_name                77
+netscape_comment                78
+netscape_cert_sequence          79
+desx_cbc                80
+id_ce           81
+subject_key_identifier          82
+key_usage               83
+private_key_usage_period                84
+subject_alt_name                85
+issuer_alt_name         86
+basic_constraints               87
+crl_number              88
+certificate_policies            89
+authority_key_identifier                90
+bf_cbc          91
+bf_ecb          92
+bf_cfb64                93
+bf_ofb64                94
+mdc2            95
+mdc2WithRSA             96
+rc4_40          97
+rc2_40_cbc              98
+givenName               99
+surname         100
+initials                101
+uniqueIdentifier                102
+crl_distribution_points         103
+md5WithRSA              104
+serialNumber            105
+title           106
+description             107
+cast5_cbc               108
+cast5_ecb               109
+cast5_cfb64             110
+cast5_ofb64             111
+pbeWithMD5AndCast5_CBC          112
+dsaWithSHA1             113
+md5_sha1                114
+sha1WithRSA             115
+dsa             116
+ripemd160               117
+ripemd160WithRSA                119
+rc5_cbc         120
+rc5_ecb         121
+rc5_cfb64               122
+rc5_ofb64               123
+rle_compression         124
+zlib_compression                125
+ext_key_usage           126
+id_pkix         127
+id_kp           128
+server_auth             129
+client_auth             130
+code_sign               131
+email_protect           132
+time_stamp              133
+ms_code_ind             134
+ms_code_com             135
+ms_ctl_sign             136
+ms_sgc          137
+ms_efs          138
+ns_sgc          139
+delta_crl               140
+crl_reason              141
+invalidity_date         142
+sxnet           143
+pbe_WithSHA1And128BitRC4                144
+pbe_WithSHA1And40BitRC4         145
+pbe_WithSHA1And3_Key_TripleDES_CBC              146
+pbe_WithSHA1And2_Key_TripleDES_CBC              147
+pbe_WithSHA1And128BitRC2_CBC            148
+pbe_WithSHA1And40BitRC2_CBC             149
+keyBag          150
+pkcs8ShroudedKeyBag             151
+certBag         152
+crlBag          153
+secretBag               154
+safeContentsBag         155
+friendlyName            156
+localKeyID              157
+x509Certificate         158
+sdsiCertificate         159
+x509Crl         160
+pbes2           161
+pbmac1          162
+hmacWithSHA1            163
+id_qt_cps               164
+id_qt_unotice           165
+rc2_64_cbc              166
+SMIMECapabilities               167
+pbeWithMD2AndRC2_CBC            168
+pbeWithMD5AndRC2_CBC            169
+pbeWithSHA1AndDES_CBC           170
+ms_ext_req              171
+ext_req         172
+name            173
+dnQualifier             174
+id_pe           175
+id_ad           176
+info_access             177
+ad_OCSP         178
+ad_ca_issuers           179
+OCSP_sign               180
+iso             181
+member_body             182
+ISO_US          183
+X9_57           184
+X9cm            185
+pkcs1           186
+pkcs5           187
+SMIME           188
+id_smime_mod            189
+id_smime_ct             190
+id_smime_aa             191
+id_smime_alg            192
+id_smime_cd             193
+id_smime_spq            194
+id_smime_cti            195
+id_smime_mod_cms                196
+id_smime_mod_ess                197
+id_smime_mod_oid                198
+id_smime_mod_msg_v3             199
+id_smime_mod_ets_eSignature_88          200
+id_smime_mod_ets_eSignature_97          201
+id_smime_mod_ets_eSigPolicy_88          202
+id_smime_mod_ets_eSigPolicy_97          203
+id_smime_ct_receipt             204
+id_smime_ct_authData            205
+id_smime_ct_publishCert         206
+id_smime_ct_TSTInfo             207
+id_smime_ct_TDTInfo             208
+id_smime_ct_contentInfo         209
+id_smime_ct_DVCSRequestData             210
+id_smime_ct_DVCSResponseData            211
+id_smime_aa_receiptRequest              212
+id_smime_aa_securityLabel               213
+id_smime_aa_mlExpandHistory             214
+id_smime_aa_contentHint         215
+id_smime_aa_msgSigDigest                216
+id_smime_aa_encapContentType            217
+id_smime_aa_contentIdentifier           218
+id_smime_aa_macValue            219
+id_smime_aa_equivalentLabels            220
+id_smime_aa_contentReference            221
+id_smime_aa_encrypKeyPref               222
+id_smime_aa_signingCertificate          223
+id_smime_aa_smimeEncryptCerts           224
+id_smime_aa_timeStampToken              225
+id_smime_aa_ets_sigPolicyId             226
+id_smime_aa_ets_commitmentType          227
+id_smime_aa_ets_signerLocation          228
+id_smime_aa_ets_signerAttr              229
+id_smime_aa_ets_otherSigCert            230
+id_smime_aa_ets_contentTimestamp                231
+id_smime_aa_ets_CertificateRefs         232
+id_smime_aa_ets_RevocationRefs          233
+id_smime_aa_ets_certValues              234
+id_smime_aa_ets_revocationValues                235
+id_smime_aa_ets_escTimeStamp            236
+id_smime_aa_ets_certCRLTimestamp                237
+id_smime_aa_ets_archiveTimeStamp                238
+id_smime_aa_signatureType               239
+id_smime_aa_dvcs_dvc            240
+id_smime_alg_ESDHwith3DES               241
+id_smime_alg_ESDHwithRC2                242
+id_smime_alg_3DESwrap           243
+id_smime_alg_RC2wrap            244
+id_smime_alg_ESDH               245
+id_smime_alg_CMS3DESwrap                246
+id_smime_alg_CMSRC2wrap         247
+id_smime_cd_ldap                248
+id_smime_spq_ets_sqt_uri                249
+id_smime_spq_ets_sqt_unotice            250
+id_smime_cti_ets_proofOfOrigin          251
+id_smime_cti_ets_proofOfReceipt         252
+id_smime_cti_ets_proofOfDelivery                253
+id_smime_cti_ets_proofOfSender          254
+id_smime_cti_ets_proofOfApproval                255
+id_smime_cti_ets_proofOfCreation                256
+md4             257
+id_pkix_mod             258
+id_qt           259
+id_it           260
+id_pkip         261
+id_alg          262
+id_cmc          263
+id_on           264
+id_pda          265
+id_aca          266
+id_qcs          267
+id_cct          268
+id_pkix1_explicit_88            269
+id_pkix1_implicit_88            270
+id_pkix1_explicit_93            271
+id_pkix1_implicit_93            272
+id_mod_crmf             273
+id_mod_cmc              274
+id_mod_kea_profile_88           275
+id_mod_kea_profile_93           276
+id_mod_cmp              277
+id_mod_qualified_cert_88                278
+id_mod_qualified_cert_93                279
+id_mod_attribute_cert           280
+id_mod_timestamp_protocol               281
+id_mod_ocsp             282
+id_mod_dvcs             283
+id_mod_cmp2000          284
+biometricInfo           285
+qcStatements            286
+ac_auditEntity          287
+ac_targeting            288
+aaControls              289
+sbqp_ipAddrBlock                290
+sbqp_autonomousSysNum           291
+sbqp_routerIdentifier           292
+textNotice              293
+ipsecEndSystem          294
+ipsecTunnel             295
+ipsecUser               296
+dvcs            297
+id_it_caProtEncCert             298
+id_it_signKeyPairTypes          299
+id_it_encKeyPairTypes           300
+id_it_preferredSymmAlg          301
+id_it_caKeyUpdateInfo           302
+id_it_currentCRL                303
+id_it_unsupportedOIDs           304
+id_it_subscriptionRequest               305
+id_it_subscriptionResponse              306
+id_it_keyPairParamReq           307
+id_it_keyPairParamRep           308
+id_it_revPassphrase             309
+id_it_implicitConfirm           310
+id_it_confirmWaitTime           311
+id_it_origPKIMessage            312
+id_regCtrl              313
+id_regInfo              314
+id_regCtrl_regToken             315
+id_regCtrl_authenticator                316
+id_regCtrl_pkiPublicationInfo           317
+id_regCtrl_pkiArchiveOptions            318
+id_regCtrl_oldCertID            319
+id_regCtrl_protocolEncrKey              320
+id_regInfo_utf8Pairs            321
+id_regInfo_certReq              322
+id_alg_des40            323
+id_alg_noSignature              324
+id_alg_dh_sig_hmac_sha1         325
+id_alg_dh_pop           326
+id_cmc_statusInfo               327
+id_cmc_identification           328
+id_cmc_identityProof            329
+id_cmc_dataReturn               330
+id_cmc_transactionId            331
+id_cmc_senderNonce              332
+id_cmc_recipientNonce           333
+id_cmc_addExtensions            334
+id_cmc_encryptedPOP             335
+id_cmc_decryptedPOP             336
+id_cmc_lraPOPWitness            337
+id_cmc_getCert          338
+id_cmc_getCRL           339
+id_cmc_revokeRequest            340
+id_cmc_regInfo          341
+id_cmc_responseInfo             342
+id_cmc_queryPending             343
+id_cmc_popLinkRandom            344
+id_cmc_popLinkWitness           345
+id_cmc_confirmCertAcceptance            346
+id_on_personalData              347
+id_pda_dateOfBirth              348
+id_pda_placeOfBirth             349
+id_pda_pseudonym                350
+id_pda_gender           351
+id_pda_countryOfCitizenship             352
+id_pda_countryOfResidence               353
+id_aca_authenticationInfo               354
+id_aca_accessIdentity           355
+id_aca_chargingIdentity         356
+id_aca_group            357
+id_aca_role             358
+id_qcs_pkixQCSyntax_v1          359
+id_cct_crs              360
+id_cct_PKIData          361
+id_cct_PKIResponse              362
+ad_timeStamping         363
+ad_dvcs         364
+id_pkix_OCSP_basic              365
+id_pkix_OCSP_Nonce              366
+id_pkix_OCSP_CrlID              367
+id_pkix_OCSP_acceptableResponses                368
+id_pkix_OCSP_noCheck            369
+id_pkix_OCSP_archiveCutoff              370
+id_pkix_OCSP_serviceLocator             371
+id_pkix_OCSP_extendedStatus             372
+id_pkix_OCSP_valid              373
+id_pkix_OCSP_path               374
+id_pkix_OCSP_trustRoot          375
+algorithm               376
+rsaSignature            377
+X500algorithms          378
+org             379
+dod             380
+iana            381
+Directory               382
+Management              383
+Experimental            384
+Private         385
+Security                386
+SNMPv2          387
+Mail            388
+Enterprises             389
+dcObject                390
+domainComponent         391
+Domain          392
diff --git a/src/lib/libssl/src/crypto/objects/objects.README b/src/lib/libssl/src/crypto/objects/objects.README
new file mode 100644
index 0000000000..4d745508d8
--- /dev/null
+++ b/src/lib/libssl/src/crypto/objects/objects.README
@@ -0,0 +1,44 @@
+objects.txt syntax
+------------------
+
+To cover all the naming hacks that were previously in objects.h needed some
+kind of hacks in objects.txt.
+
+The basic syntax for adding an object is as follows:
+
+        1 2 3 4         : shortName     : Long Name
+
+                If the long name doesn't contain spaces, or no short name
+                exists, the long name is used as basis for the base name
+                in C.  Otherwise, the short name is used.
+
+                The base name (let's call it 'base') will then be used to
+                create the C macros SN_base, LN_base, NID_base and OBJ_base.
+
+                Note that if the base name contains spaces, dashes or periods,
+                those will be converte to underscore.
+
+Then there are some extra commands:
+
+        !Alias foo 1 2 3 4
+
+                This juts makes a name foo for an OID.  The C macro
+                OBJ_foo will be created as a result.
+
+        !Cname foo
+
+                This makes sure that the name foo will be used as base name
+                in C.
+
+        !module foo
+        1 2 3 4         : shortName     : Long Name
+        !global
+
+                The !module command was meant to define a kind of modularity.
+                What it does is to make sure the module name is prepended
+                to the base name.  !global turns this off.  This construction
+                is not recursive.
+
+Lines starting with # are treated as comments, as well as any line starting
+with ! and not matching the commands above.
+
diff --git a/src/lib/libssl/src/crypto/objects/objects.pl b/src/lib/libssl/src/crypto/objects/objects.pl
new file mode 100644
index 0000000000..c956bbb841
--- /dev/null
+++ b/src/lib/libssl/src/crypto/objects/objects.pl
@@ -0,0 +1,224 @@
+#!/usr/local/bin/perl
+
+open (NUMIN,"$ARGV[1]") || die "Can't open number file $ARGV[1]";
+$max_nid=0;
+$o=0;
+while(<NUMIN>)
+        {
+        chop;
+        $o++;
+        s/#.*$//;
+        next if /^\s*$/;
+        ($Cname,$mynum) = split;
+        if (defined($nidn{$mynum}))
+                { die "$ARGV[1]:$o:There's already an object with NID ",$mynum," on line ",$order{$mynum},"\n"; }
+        $nid{$Cname} = $mynum;
+        $nidn{$mynum} = $Cname;
+        $order{$mynum} = $o;
+        $max_nid = $mynum if $mynum > $max_nid;
+        }
+close NUMIN;
+
+open (IN,"$ARGV[0]") || die "Can't open input file $ARGV[0]";
+$Cname="";
+$o=0;
+while (<IN>)
+        {
+        chop;
+        $o++;
+        if (/^!module\s+(.*)$/)
+                {
+                $module = $1."-";
+                $module =~ s/\./_/g;
+                $module =~ s/-/_/g;
+                }
+        if (/^!global$/)
+                { $module = ""; }
+        if (/^!Cname\s+(.*)$/)
+                { $Cname = $1; }
+        if (/^!Alias\s+(.+?)\s+(.*)$/)
+                {
+                $Cname = $module.$1;
+                $myoid = $2;
+                $myoid = &process_oid($myoid);
+                $Cname =~ s/-/_/g;
+                $ordern{$o} = $Cname;
+                $order{$Cname} = $o;
+                $obj{$Cname} = $myoid;
+                $_ = "";
+                $Cname = "";
+                }
+        s/!.*$//;
+        s/#.*$//;
+        next if /^\s*$/;
+        ($myoid,$mysn,$myln) = split ':';
+        $mysn =~ s/^\s*//;
+        $mysn =~ s/\s*$//;
+        $myln =~ s/^\s*//;
+        $myln =~ s/\s*$//;
+        $myoid =~ s/^\s*//;
+        $myoid =~ s/\s*$//;
+        if ($myoid ne "")
+                {
+                $myoid = &process_oid($myoid);
+                }
+
+        if ($Cname eq "" && !($myln =~ / /))
+                {
+                $Cname = $myln;
+                $Cname =~ s/\./_/g;
+                $Cname =~ s/-/_/g;
+                if ($Cname ne "" && defined($ln{$module.$Cname}))
+                        { die "objects.txt:$o:There's already an object with long name ",$ln{$module.$Cname}," on line ",$order{$module.$Cname},"\n"; }
+                }
+        if ($Cname eq "")
+                {
+                $Cname = $mysn;
+                $Cname =~ s/-/_/g;
+                if ($Cname ne "" && defined($sn{$module.$Cname}))
+                        { die "objects.txt:$o:There's already an object with short name ",$sn{$module.$Cname}," on line ",$order{$module.$Cname},"\n"; }
+                }
+        if ($Cname eq "")
+                {
+                $Cname = $myln;
+                $Cname =~ s/-/_/g;
+                $Cname =~ s/\./_/g;
+                $Cname =~ s/ /_/g;
+                if ($Cname ne "" && defined($ln{$module.$Cname}))
+                        { die "objects.txt:$o:There's already an object with long name ",$ln{$module.$Cname}," on line ",$order{$module.$Cname},"\n"; }
+                }
+        $Cname =~ s/\./_/g;
+        $Cname =~ s/-/_/g;
+        $Cname = $module.$Cname;
+        $ordern{$o} = $Cname;
+        $order{$Cname} = $o;
+        $sn{$Cname} = $mysn;
+        $ln{$Cname} = $myln;
+        $obj{$Cname} = $myoid;
+        if (!defined($nid{$Cname}))
+                {
+                $max_nid++;
+                $nid{$Cname} = $max_nid;
+                $nidn{$max_nid} = $Cname;
+                }
+        $Cname="";
+        }
+close IN;
+
+open (NUMOUT,">$ARGV[1]") || die "Can't open output file $ARGV[1]";
+foreach (sort { $a <=> $b } keys %nidn)
+        {
+        print NUMOUT $nidn{$_},"\t\t",$_,"\n";
+        }
+close NUMOUT;
+
+open (OUT,">$ARGV[2]") || die "Can't open output file $ARGV[2]";
+print OUT <<'EOF';
+/* lib/obj/obj_mac.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* THIS FILE IS GENERATED FROM objects.txt by objects.pl via the
+ * following command:
+ * perl objects.pl objects.txt obj_mac.num obj_mac.h
+ */
+
+#define SN_undef                        "UNDEF"
+#define LN_undef                        "undefined"
+#define NID_undef                       0
+#define OBJ_undef                       0L
+
+EOF
+
+foreach (sort { $a <=> $b } keys %ordern)
+        {
+        $Cname=$ordern{$_};
+        print OUT "#define SN_",$Cname,"\t\t\"",$sn{$Cname},"\"\n" if $sn{$Cname} ne "";
+        print OUT "#define LN_",$Cname,"\t\t\"",$ln{$Cname},"\"\n" if $ln{$Cname} ne "";
+        print OUT "#define NID_",$Cname,"\t\t",$nid{$Cname},"\n" if $nid{$Cname} ne "";
+        print OUT "#define OBJ_",$Cname,"\t\t",$obj{$Cname},"\n" if $obj{$Cname} ne "";
+        print OUT "\n";
+        }
+
+close OUT;
+
+sub process_oid
+        {
+        local($oid)=@_;
+        local(@a,$oid_pref);
+
+        @a = split(/\s+/,$myoid);
+        $pref_oid = "";
+        $pref_sep = "";
+        if (!($a[0] =~ /^[0-9]+$/))
+                {
+                $a[0] =~ s/-/_/g;
+                $pref_oid = "OBJ_" . $a[0];
+                $pref_sep = ",";
+                shift @a;
+                }
+        $oids = join('L,',@a) . "L";
+        if ($oids ne "L")
+                {
+                $oids = $pref_oid . $pref_sep . $oids;
+                }
+        else
+                {
+                $oids = $pref_oid;
+                }
+        return($oids);
+        }
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp.h b/src/lib/libssl/src/crypto/ocsp/ocsp.h
new file mode 100644
index 0000000000..fab3c03182
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ocsp/ocsp.h
@@ -0,0 +1,619 @@
+/* ocsp.h */
+/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
+ * project. */
+
+/* History:
+   This file was transfered to Richard Levitte from CertCo by Kathy
+   Weinhold in mid-spring 2000 to be included in OpenSSL or released
+   as a patch kit. */
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_OCSP_H
+#define HEADER_OCSP_H
+
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/safestack.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/* Various flags and values */
+
+#define OCSP_DEFAULT_NONCE_LENGTH       16
+
+#define OCSP_NOCERTS                    0x1
+#define OCSP_NOINTERN                   0x2
+#define OCSP_NOSIGS                     0x4
+#define OCSP_NOCHAIN                    0x8
+#define OCSP_NOVERIFY                   0x10
+#define OCSP_NOEXPLICIT                 0x20
+#define OCSP_NOCASIGN                   0x40
+#define OCSP_NODELEGATED                0x80
+#define OCSP_NOCHECKS                   0x100
+#define OCSP_TRUSTOTHER                 0x200
+#define OCSP_RESPID_KEY                 0x400
+#define OCSP_NOTIME                     0x800
+
+/*   CertID ::= SEQUENCE {
+ *       hashAlgorithm            AlgorithmIdentifier,
+ *       issuerNameHash     OCTET STRING, -- Hash of Issuer's DN
+ *       issuerKeyHash      OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
+ *       serialNumber       CertificateSerialNumber }
+ */
+typedef struct ocsp_cert_id_st
+        {
+        X509_ALGOR *hashAlgorithm;
+        ASN1_OCTET_STRING *issuerNameHash;
+        ASN1_OCTET_STRING *issuerKeyHash;
+        ASN1_INTEGER *serialNumber;
+        } OCSP_CERTID;
+
+DECLARE_STACK_OF(OCSP_CERTID)
+
+/*   Request ::=     SEQUENCE {
+ *       reqCert                    CertID,
+ *       singleRequestExtensions    [0] EXPLICIT Extensions OPTIONAL }
+ */
+typedef struct ocsp_one_request_st
+        {
+        OCSP_CERTID *reqCert;
+        STACK_OF(X509_EXTENSION) *singleRequestExtensions;
+        } OCSP_ONEREQ;
+
+DECLARE_STACK_OF(OCSP_ONEREQ)
+DECLARE_ASN1_SET_OF(OCSP_ONEREQ)
+
+
+/*   TBSRequest      ::=     SEQUENCE {
+ *       version             [0] EXPLICIT Version DEFAULT v1,
+ *       requestorName       [1] EXPLICIT GeneralName OPTIONAL,
+ *       requestList             SEQUENCE OF Request,
+ *       requestExtensions   [2] EXPLICIT Extensions OPTIONAL }
+ */
+typedef struct ocsp_req_info_st
+        {
+        ASN1_INTEGER *version;
+        GENERAL_NAME *requestorName;
+        STACK_OF(OCSP_ONEREQ) *requestList;
+        STACK_OF(X509_EXTENSION) *requestExtensions;
+        } OCSP_REQINFO;
+
+/*   Signature       ::=     SEQUENCE {
+ *       signatureAlgorithm   AlgorithmIdentifier,
+ *       signature            BIT STRING,
+ *       certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+ */
+typedef struct ocsp_signature_st
+        {
+        X509_ALGOR *signatureAlgorithm;
+        ASN1_BIT_STRING *signature;
+        STACK_OF(X509) *certs;
+        } OCSP_SIGNATURE;
+
+/*   OCSPRequest     ::=     SEQUENCE {
+ *       tbsRequest                  TBSRequest,
+ *       optionalSignature   [0]     EXPLICIT Signature OPTIONAL }
+ */
+typedef struct ocsp_request_st
+        {
+        OCSP_REQINFO *tbsRequest;
+        OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
+        } OCSP_REQUEST;
+
+/*   OCSPResponseStatus ::= ENUMERATED {
+ *       successful            (0),      --Response has valid confirmations
+ *       malformedRequest      (1),      --Illegal confirmation request
+ *       internalError         (2),      --Internal error in issuer
+ *       tryLater              (3),      --Try again later
+ *                                       --(4) is not used
+ *       sigRequired           (5),      --Must sign the request
+ *       unauthorized          (6)       --Request unauthorized
+ *   }
+ */
+#define OCSP_RESPONSE_STATUS_SUCCESSFUL          0
+#define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST     1
+#define OCSP_RESPONSE_STATUS_INTERNALERROR        2
+#define OCSP_RESPONSE_STATUS_TRYLATER             3
+#define OCSP_RESPONSE_STATUS_SIGREQUIRED          5
+#define OCSP_RESPONSE_STATUS_UNAUTHORIZED         6
+
+/*   ResponseBytes ::=       SEQUENCE {
+ *       responseType   OBJECT IDENTIFIER,
+ *       response       OCTET STRING }
+ */
+typedef struct ocsp_resp_bytes_st
+        {
+        ASN1_OBJECT *responseType;
+        ASN1_OCTET_STRING *response;
+        } OCSP_RESPBYTES;
+
+/*   OCSPResponse ::= SEQUENCE {
+ *      responseStatus         OCSPResponseStatus,
+ *      responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }
+ */
+typedef struct ocsp_response_st
+        {
+        ASN1_ENUMERATED *responseStatus;
+        OCSP_RESPBYTES  *responseBytes;
+        } OCSP_RESPONSE;
+
+/*   ResponderID ::= CHOICE {
+ *      byName   [1] Name,
+ *      byKey    [2] KeyHash }
+ */
+#define V_OCSP_RESPID_NAME 0
+#define V_OCSP_RESPID_KEY  1
+typedef struct ocsp_responder_id_st
+        {
+        int type;
+        union   {
+                X509_NAME* byName;
+                ASN1_OCTET_STRING *byKey;
+                } value;
+        } OCSP_RESPID;
+/*   KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
+ *                            --(excluding the tag and length fields)
+ */
+
+/*   RevokedInfo ::= SEQUENCE {
+ *       revocationTime              GeneralizedTime,
+ *       revocationReason    [0]     EXPLICIT CRLReason OPTIONAL }
+ */
+typedef struct ocsp_revoked_info_st
+        {
+        ASN1_GENERALIZEDTIME *revocationTime;
+        ASN1_ENUMERATED *revocationReason;
+        } OCSP_REVOKEDINFO;
+
+/*   CertStatus ::= CHOICE {
+ *       good                [0]     IMPLICIT NULL,
+ *       revoked             [1]     IMPLICIT RevokedInfo,
+ *       unknown             [2]     IMPLICIT UnknownInfo }
+ */
+#define V_OCSP_CERTSTATUS_GOOD    0
+#define V_OCSP_CERTSTATUS_REVOKED 1
+#define V_OCSP_CERTSTATUS_UNKNOWN 2
+typedef struct ocsp_cert_status_st
+        {
+        int type;
+        union   {
+                ASN1_NULL *good;
+                OCSP_REVOKEDINFO *revoked;
+                ASN1_NULL *unknown;
+                } value;
+        } OCSP_CERTSTATUS;
+
+/*   SingleResponse ::= SEQUENCE {
+ *      certID                       CertID,
+ *      certStatus                   CertStatus,
+ *      thisUpdate                   GeneralizedTime,
+ *      nextUpdate           [0]     EXPLICIT GeneralizedTime OPTIONAL,
+ *      singleExtensions     [1]     EXPLICIT Extensions OPTIONAL }
+ */
+typedef struct ocsp_single_response_st
+        {
+        OCSP_CERTID *certId;
+        OCSP_CERTSTATUS *certStatus;
+        ASN1_GENERALIZEDTIME *thisUpdate;
+        ASN1_GENERALIZEDTIME *nextUpdate;
+        STACK_OF(X509_EXTENSION) *singleExtensions;
+        } OCSP_SINGLERESP;
+
+DECLARE_STACK_OF(OCSP_SINGLERESP)
+DECLARE_ASN1_SET_OF(OCSP_SINGLERESP)
+
+/*   ResponseData ::= SEQUENCE {
+ *      version              [0] EXPLICIT Version DEFAULT v1,
+ *      responderID              ResponderID,
+ *      producedAt               GeneralizedTime,
+ *      responses                SEQUENCE OF SingleResponse,
+ *      responseExtensions   [1] EXPLICIT Extensions OPTIONAL }
+ */
+typedef struct ocsp_response_data_st
+        {
+        ASN1_INTEGER *version;
+        OCSP_RESPID  *responderId;
+        ASN1_GENERALIZEDTIME *producedAt;
+        STACK_OF(OCSP_SINGLERESP) *responses;
+        STACK_OF(X509_EXTENSION) *responseExtensions;
+        } OCSP_RESPDATA;
+
+/*   BasicOCSPResponse       ::= SEQUENCE {
+ *      tbsResponseData      ResponseData,
+ *      signatureAlgorithm   AlgorithmIdentifier,
+ *      signature            BIT STRING,
+ *      certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+ */
+  /* Note 1:
+     The value for "signature" is specified in the OCSP rfc2560 as follows:
+     "The value for the signature SHALL be computed on the hash of the DER
+     encoding ResponseData."  This means that you must hash the DER-encoded
+     tbsResponseData, and then run it through a crypto-signing function, which
+     will (at least w/RSA) do a hash-'n'-private-encrypt operation.  This seems
+     a bit odd, but that's the spec.  Also note that the data structures do not
+     leave anywhere to independently specify the algorithm used for the initial
+     hash. So, we look at the signature-specification algorithm, and try to do
+     something intelligent.     -- Kathy Weinhold, CertCo */
+  /* Note 2:
+     It seems that the mentioned passage from RFC 2560 (section 4.2.1) is open
+     for interpretation.  I've done tests against another responder, and found
+     that it doesn't do the double hashing that the RFC seems to say one
+     should.  Therefore, all relevant functions take a flag saying which
+     variant should be used.    -- Richard Levitte, OpenSSL team and CeloCom */
+typedef struct ocsp_basic_response_st
+        {
+        OCSP_RESPDATA *tbsResponseData;
+        X509_ALGOR *signatureAlgorithm;
+        ASN1_BIT_STRING *signature;
+        STACK_OF(X509) *certs;
+        } OCSP_BASICRESP;
+
+/*
+ *   CRLReason ::= ENUMERATED {
+ *        unspecified             (0),
+ *        keyCompromise           (1),
+ *        cACompromise            (2),
+ *        affiliationChanged      (3),
+ *        superseded              (4),
+ *        cessationOfOperation    (5),
+ *        certificateHold         (6),
+ *        removeFromCRL           (8) }
+ */
+#define OCSP_REVOKED_STATUS_NOSTATUS               -1
+#define OCSP_REVOKED_STATUS_UNSPECIFIED             0
+#define OCSP_REVOKED_STATUS_KEYCOMPROMISE           1
+#define OCSP_REVOKED_STATUS_CACOMPROMISE            2
+#define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED      3
+#define OCSP_REVOKED_STATUS_SUPERSEDED              4
+#define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION    5
+#define OCSP_REVOKED_STATUS_CERTIFICATEHOLD         6
+#define OCSP_REVOKED_STATUS_REMOVEFROMCRL           8
+
+/* CrlID ::= SEQUENCE {
+ *     crlUrl               [0]     EXPLICIT IA5String OPTIONAL,
+ *     crlNum               [1]     EXPLICIT INTEGER OPTIONAL,
+ *     crlTime              [2]     EXPLICIT GeneralizedTime OPTIONAL }
+ */
+typedef struct ocsp_crl_id_st
+        {
+        ASN1_IA5STRING *crlUrl;
+        ASN1_INTEGER *crlNum;
+        ASN1_GENERALIZEDTIME *crlTime;
+        } OCSP_CRLID;
+
+/* ServiceLocator ::= SEQUENCE {
+ *      issuer    Name,
+ *      locator   AuthorityInfoAccessSyntax OPTIONAL }
+ */
+typedef struct ocsp_service_locator_st
+        {
+        X509_NAME* issuer;
+        STACK_OF(ACCESS_DESCRIPTION) *locator;
+        } OCSP_SERVICELOC;
+ 
+#define PEM_STRING_OCSP_REQUEST "OCSP REQUEST"
+#define PEM_STRING_OCSP_RESPONSE "OCSP RESPONSE"
+
+#define d2i_OCSP_REQUEST_bio(bp,p) (OCSP_REQUEST*)ASN1_d2i_bio((char*(*)()) \
+                OCSP_REQUEST_new,(char *(*)())d2i_OCSP_REQUEST, (bp),\
+                (unsigned char **)(p))
+
+#define d2i_OCSP_RESPONSE_bio(bp,p) (OCSP_RESPONSE*)ASN1_d2i_bio((char*(*)())\
+                OCSP_REQUEST_new,(char *(*)())d2i_OCSP_RESPONSE, (bp),\
+                (unsigned char **)(p))
+
+#define PEM_read_bio_OCSP_REQUEST(bp,x,cb) (OCSP_REQUEST *)PEM_ASN1_read_bio( \
+     (char *(*)())d2i_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,bp,(char **)x,cb,NULL)
+
+#define PEM_read_bio_OCSP_RESPONSE(bp,x,cb)(OCSP_RESPONSE *)PEM_ASN1_read_bio(\
+     (char *(*)())d2i_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,bp,(char **)x,cb,NULL)
+
+#define PEM_write_bio_OCSP_REQUEST(bp,o) \
+    PEM_ASN1_write_bio((int (*)())i2d_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,\
+                        bp,(char *)o, NULL,NULL,0,NULL,NULL)
+
+#define PEM_write_bio_OCSP_RESPONSE(bp,o) \
+    PEM_ASN1_write_bio((int (*)())i2d_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,\
+                        bp,(char *)o, NULL,NULL,0,NULL,NULL)
+
+#define i2d_OCSP_RESPONSE_bio(bp,o) ASN1_i2d_bio(i2d_OCSP_RESPONSE,bp,\
+                (unsigned char *)o)
+
+#define i2d_OCSP_REQUEST_bio(bp,o) ASN1_i2d_bio(i2d_OCSP_REQUEST,bp,\
+                (unsigned char *)o)
+
+#define OCSP_REQUEST_sign(o,pkey,md) \
+        ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO),\
+                o->optionalSignature->signatureAlgorithm,NULL,\
+                o->optionalSignature->signature,o->tbsRequest,pkey,md)
+
+#define OCSP_BASICRESP_sign(o,pkey,md,d) \
+        ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),o->signatureAlgorithm,NULL,\
+                o->signature,o->tbsResponseData,pkey,md)
+
+#define OCSP_REQUEST_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO),\
+        a->optionalSignature->signatureAlgorithm,\
+        a->optionalSignature->signature,a->tbsRequest,r)
+
+#define OCSP_BASICRESP_verify(a,r,d) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA),\
+        a->signatureAlgorithm,a->signature,a->tbsResponseData,r)
+
+#define ASN1_BIT_STRING_digest(data,type,md,len) \
+        ASN1_item_digest(ASN1_ITEM_rptr(ASN1_BIT_STRING),type,data,md,len)
+
+#define OCSP_CERTID_dup(cid) (OCSP_CERTID*)ASN1_dup((int(*)())i2d_OCSP_CERTID,\
+                (char *(*)())d2i_OCSP_CERTID,(char *)(cid))
+
+#define OCSP_CERTSTATUS_dup(cs)\
+                (OCSP_CERTSTATUS*)ASN1_dup((int(*)())i2d_OCSP_CERTSTATUS,\
+                (char *(*)())d2i_OCSP_CERTSTATUS,(char *)(cs))
+
+OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req);
+
+OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer);
+
+OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, 
+                              X509_NAME *issuerName, 
+                              ASN1_BIT_STRING* issuerKey, 
+                              ASN1_INTEGER *serialNumber);
+
+OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid);
+
+int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len);
+int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len);
+int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs);
+int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req);
+
+int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm);
+int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert);
+
+int OCSP_request_sign(OCSP_REQUEST   *req,
+                      X509           *signer,
+                      EVP_PKEY       *key,
+                      const EVP_MD   *dgst,
+                      STACK_OF(X509) *certs,
+                      unsigned long flags);
+
+int OCSP_response_status(OCSP_RESPONSE *resp);
+OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
+
+int OCSP_resp_count(OCSP_BASICRESP *bs);
+OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
+int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
+int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
+                                ASN1_GENERALIZEDTIME **revtime,
+                                ASN1_GENERALIZEDTIME **thisupd,
+                                ASN1_GENERALIZEDTIME **nextupd);
+int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
+                                int *reason,
+                                ASN1_GENERALIZEDTIME **revtime,
+                                ASN1_GENERALIZEDTIME **thisupd,
+                                ASN1_GENERALIZEDTIME **nextupd);
+int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
+                        ASN1_GENERALIZEDTIME *nextupd,
+                        long sec, long maxsec);
+
+int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags);
+
+int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl);
+
+int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
+int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
+
+int OCSP_request_onereq_count(OCSP_REQUEST *req);
+OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i);
+OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one);
+int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
+                        ASN1_OCTET_STRING **pikeyHash,
+                        ASN1_INTEGER **pserial, OCSP_CERTID *cid);
+int OCSP_request_is_signed(OCSP_REQUEST *req);
+OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs);
+OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
+                                                OCSP_CERTID *cid,
+                                                int status, int reason,
+                                                ASN1_TIME *revtime,
+                                        ASN1_TIME *thisupd, ASN1_TIME *nextupd);
+int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert);
+int OCSP_basic_sign(OCSP_BASICRESP *brsp, 
+                        X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
+                        STACK_OF(X509) *certs, unsigned long flags);
+
+ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, int (*i2d)(), 
+                                char *data, STACK_OF(ASN1_OBJECT) *sk);
+
+X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim);
+
+X509_EXTENSION *OCSP_accept_responses_new(char **oids);
+
+X509_EXTENSION *OCSP_archive_cutoff_new(char* tim);
+
+X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls);
+
+int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x);
+int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos);
+int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos);
+int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos);
+X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc);
+X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc);
+void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx);
+int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
+                                                        unsigned long flags);
+int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc);
+
+int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x);
+int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos);
+int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos);
+int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos);
+X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc);
+X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc);
+void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx);
+int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
+                                                        unsigned long flags);
+int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc);
+
+int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x);
+int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos);
+int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos);
+int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos);
+X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc);
+X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc);
+void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx);
+int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit,
+                                                        unsigned long flags);
+int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc);
+
+int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x);
+int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos);
+int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, int lastpos);
+int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos);
+X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc);
+X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc);
+void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx);
+int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit,
+                                                        unsigned long flags);
+int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc);
+
+DECLARE_ASN1_FUNCTIONS(OCSP_SINGLERESP)
+DECLARE_ASN1_FUNCTIONS(OCSP_CERTSTATUS)
+DECLARE_ASN1_FUNCTIONS(OCSP_REVOKEDINFO)
+DECLARE_ASN1_FUNCTIONS(OCSP_BASICRESP)
+DECLARE_ASN1_FUNCTIONS(OCSP_RESPDATA)
+DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
+DECLARE_ASN1_FUNCTIONS(OCSP_RESPONSE)
+DECLARE_ASN1_FUNCTIONS(OCSP_RESPBYTES)
+DECLARE_ASN1_FUNCTIONS(OCSP_ONEREQ)
+DECLARE_ASN1_FUNCTIONS(OCSP_CERTID)
+DECLARE_ASN1_FUNCTIONS(OCSP_REQUEST)
+DECLARE_ASN1_FUNCTIONS(OCSP_SIGNATURE)
+DECLARE_ASN1_FUNCTIONS(OCSP_REQINFO)
+DECLARE_ASN1_FUNCTIONS(OCSP_CRLID)
+DECLARE_ASN1_FUNCTIONS(OCSP_SERVICELOC)
+
+char *OCSP_response_status_str(long s);
+char *OCSP_cert_status_str(long s);
+char *OCSP_crl_reason_str(long s);
+
+int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* a, unsigned long flags);
+int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags);
+
+int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+                                X509_STORE *st, unsigned long flags);
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+void ERR_load_OCSP_strings(void);
+
+/* Error codes for the OCSP functions. */
+
+/* Function codes. */
+#define OCSP_F_ASN1_STRING_ENCODE                        100
+#define OCSP_F_CERT_ID_NEW                               101
+#define OCSP_F_D2I_OCSP_NONCE                            102
+#define OCSP_F_OCSP_BASIC_ADD1_STATUS                    103
+#define OCSP_F_OCSP_BASIC_SIGN                           104
+#define OCSP_F_OCSP_BASIC_VERIFY                         105
+#define OCSP_F_OCSP_CHECK_DELEGATED                      106
+#define OCSP_F_OCSP_CHECK_IDS                            107
+#define OCSP_F_OCSP_CHECK_ISSUER                         108
+#define OCSP_F_OCSP_CHECK_VALIDITY                       115
+#define OCSP_F_OCSP_MATCH_ISSUERID                       109
+#define OCSP_F_OCSP_PARSE_URL                            114
+#define OCSP_F_OCSP_REQUEST_SIGN                         110
+#define OCSP_F_OCSP_REQUEST_VERIFY                       116
+#define OCSP_F_OCSP_RESPONSE_GET1_BASIC                  111
+#define OCSP_F_OCSP_SENDREQ_BIO                          112
+#define OCSP_F_REQUEST_VERIFY                            113
+
+/* Reason codes. */
+#define OCSP_R_BAD_DATA                                  100
+#define OCSP_R_CERTIFICATE_VERIFY_ERROR                  101
+#define OCSP_R_DIGEST_ERR                                102
+#define OCSP_R_ERROR_IN_NEXTUPDATE_FIELD                 122
+#define OCSP_R_ERROR_IN_THISUPDATE_FIELD                 123
+#define OCSP_R_ERROR_PARSING_URL                         121
+#define OCSP_R_MISSING_OCSPSIGNING_USAGE                 103
+#define OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE              124
+#define OCSP_R_NOT_BASIC_RESPONSE                        104
+#define OCSP_R_NO_CERTIFICATES_IN_CHAIN                  105
+#define OCSP_R_NO_CONTENT                                106
+#define OCSP_R_NO_PUBLIC_KEY                             107
+#define OCSP_R_NO_RESPONSE_DATA                          108
+#define OCSP_R_NO_REVOKED_TIME                           109
+#define OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE    110
+#define OCSP_R_REQUEST_NOT_SIGNED                        128
+#define OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA      111
+#define OCSP_R_ROOT_CA_NOT_TRUSTED                       112
+#define OCSP_R_SERVER_READ_ERROR                         113
+#define OCSP_R_SERVER_RESPONSE_ERROR                     114
+#define OCSP_R_SERVER_RESPONSE_PARSE_ERROR               115
+#define OCSP_R_SERVER_WRITE_ERROR                        116
+#define OCSP_R_SIGNATURE_FAILURE                         117
+#define OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND              118
+#define OCSP_R_STATUS_EXPIRED                            125
+#define OCSP_R_STATUS_NOT_YET_VALID                      126
+#define OCSP_R_STATUS_TOO_OLD                            127
+#define OCSP_R_UNKNOWN_MESSAGE_DIGEST                    119
+#define OCSP_R_UNKNOWN_NID                               120
+#define OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE            129
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_asn.c b/src/lib/libssl/src/crypto/ocsp/ocsp_asn.c
new file mode 100644
index 0000000000..8c148cda6a
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ocsp/ocsp_asn.c
@@ -0,0 +1,182 @@
+/* ocsp_asn.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/ocsp.h>
+
+ASN1_SEQUENCE(OCSP_SIGNATURE) = {
+        ASN1_SIMPLE(OCSP_SIGNATURE, signatureAlgorithm, X509_ALGOR),
+        ASN1_SIMPLE(OCSP_SIGNATURE, signature, ASN1_BIT_STRING),
+        ASN1_EXP_SEQUENCE_OF(OCSP_SIGNATURE, certs, X509, 0)
+} ASN1_SEQUENCE_END(OCSP_SIGNATURE)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_SIGNATURE)
+
+ASN1_SEQUENCE(OCSP_CERTID) = {
+        ASN1_SIMPLE(OCSP_CERTID, hashAlgorithm, X509_ALGOR),
+        ASN1_SIMPLE(OCSP_CERTID, issuerNameHash, ASN1_OCTET_STRING),
+        ASN1_SIMPLE(OCSP_CERTID, issuerKeyHash, ASN1_OCTET_STRING),
+        ASN1_SIMPLE(OCSP_CERTID, serialNumber, ASN1_INTEGER)
+} ASN1_SEQUENCE_END(OCSP_CERTID)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_CERTID)
+
+ASN1_SEQUENCE(OCSP_ONEREQ) = {
+        ASN1_SIMPLE(OCSP_ONEREQ, reqCert, OCSP_CERTID),
+        ASN1_EXP_SEQUENCE_OF_OPT(OCSP_ONEREQ, singleRequestExtensions, X509_EXTENSION, 0)
+} ASN1_SEQUENCE_END(OCSP_ONEREQ)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_ONEREQ)
+
+ASN1_SEQUENCE(OCSP_REQINFO) = {
+        ASN1_EXP_OPT(OCSP_REQINFO, version, ASN1_INTEGER, 0),
+        ASN1_EXP_OPT(OCSP_REQINFO, requestorName, GENERAL_NAME, 1),
+        ASN1_SEQUENCE_OF(OCSP_REQINFO, requestList, OCSP_ONEREQ),
+        ASN1_EXP_SEQUENCE_OF_OPT(OCSP_REQINFO, requestExtensions, X509_EXTENSION, 2)
+} ASN1_SEQUENCE_END(OCSP_REQINFO)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_REQINFO)
+
+ASN1_SEQUENCE(OCSP_REQUEST) = {
+        ASN1_SIMPLE(OCSP_REQUEST, tbsRequest, OCSP_REQINFO),
+        ASN1_EXP_OPT(OCSP_REQUEST, optionalSignature, OCSP_SIGNATURE, 0)
+} ASN1_SEQUENCE_END(OCSP_REQUEST)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_REQUEST)
+
+/* OCSP_RESPONSE templates */
+
+ASN1_SEQUENCE(OCSP_RESPBYTES) = {
+            ASN1_SIMPLE(OCSP_RESPBYTES, responseType, ASN1_OBJECT),
+            ASN1_SIMPLE(OCSP_RESPBYTES, response, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END(OCSP_RESPBYTES)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPBYTES)
+
+ASN1_SEQUENCE(OCSP_RESPONSE) = {
+        ASN1_SIMPLE(OCSP_RESPONSE, responseStatus, ASN1_ENUMERATED),
+        ASN1_EXP_OPT(OCSP_RESPONSE, responseBytes, OCSP_RESPBYTES, 0)
+} ASN1_SEQUENCE_END(OCSP_RESPONSE)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPONSE)
+
+ASN1_CHOICE(OCSP_RESPID) = {
+           ASN1_EXP(OCSP_RESPID, value.byName, X509_NAME, 1),
+           ASN1_IMP(OCSP_RESPID, value.byKey, ASN1_OCTET_STRING, 2)
+} ASN1_CHOICE_END(OCSP_RESPID)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPID)
+
+ASN1_SEQUENCE(OCSP_REVOKEDINFO) = {
+        ASN1_SIMPLE(OCSP_REVOKEDINFO, revocationTime, ASN1_GENERALIZEDTIME),
+        ASN1_EXP_OPT(OCSP_REVOKEDINFO, revocationReason, ASN1_ENUMERATED, 0)
+} ASN1_SEQUENCE_END(OCSP_REVOKEDINFO)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_REVOKEDINFO)
+
+ASN1_CHOICE(OCSP_CERTSTATUS) = {
+        ASN1_IMP(OCSP_CERTSTATUS, value.good, ASN1_NULL, 0),
+        ASN1_IMP(OCSP_CERTSTATUS, value.revoked, OCSP_REVOKEDINFO, 1),
+        ASN1_IMP(OCSP_CERTSTATUS, value.unknown, ASN1_NULL, 2)
+} ASN1_CHOICE_END(OCSP_CERTSTATUS)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_CERTSTATUS)
+
+ASN1_SEQUENCE(OCSP_SINGLERESP) = {
+           ASN1_SIMPLE(OCSP_SINGLERESP, certId, OCSP_CERTID),
+           ASN1_SIMPLE(OCSP_SINGLERESP, certStatus, OCSP_CERTSTATUS),
+           ASN1_SIMPLE(OCSP_SINGLERESP, thisUpdate, ASN1_GENERALIZEDTIME),
+           ASN1_EXP_OPT(OCSP_SINGLERESP, nextUpdate, ASN1_GENERALIZEDTIME, 0),
+           ASN1_EXP_SEQUENCE_OF_OPT(OCSP_SINGLERESP, singleExtensions, X509_EXTENSION, 1)
+} ASN1_SEQUENCE_END(OCSP_SINGLERESP)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_SINGLERESP)
+
+ASN1_SEQUENCE(OCSP_RESPDATA) = {
+           ASN1_EXP_OPT(OCSP_RESPDATA, version, ASN1_INTEGER, 0),
+           ASN1_SIMPLE(OCSP_RESPDATA, responderId, OCSP_RESPID),
+           ASN1_SIMPLE(OCSP_RESPDATA, producedAt, ASN1_GENERALIZEDTIME),
+           ASN1_SEQUENCE_OF(OCSP_RESPDATA, responses, OCSP_SINGLERESP),
+           ASN1_EXP_SEQUENCE_OF_OPT(OCSP_RESPDATA, responseExtensions, X509_EXTENSION, 1)
+} ASN1_SEQUENCE_END(OCSP_RESPDATA)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPDATA)
+
+ASN1_SEQUENCE(OCSP_BASICRESP) = {
+           ASN1_SIMPLE(OCSP_BASICRESP, tbsResponseData, OCSP_RESPDATA),
+           ASN1_SIMPLE(OCSP_BASICRESP, signatureAlgorithm, X509_ALGOR),
+           ASN1_SIMPLE(OCSP_BASICRESP, signature, ASN1_BIT_STRING),
+           ASN1_EXP_SEQUENCE_OF_OPT(OCSP_BASICRESP, certs, X509, 0)
+} ASN1_SEQUENCE_END(OCSP_BASICRESP)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_BASICRESP)
+
+ASN1_SEQUENCE(OCSP_CRLID) = {
+           ASN1_EXP_OPT(OCSP_CRLID, crlUrl, ASN1_IA5STRING, 0),
+           ASN1_EXP_OPT(OCSP_CRLID, crlNum, ASN1_INTEGER, 1),
+           ASN1_EXP_OPT(OCSP_CRLID, crlTime, ASN1_GENERALIZEDTIME, 2)
+} ASN1_SEQUENCE_END(OCSP_CRLID)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_CRLID)
+
+ASN1_SEQUENCE(OCSP_SERVICELOC) = {
+        ASN1_SIMPLE(OCSP_SERVICELOC, issuer, X509_NAME),
+        ASN1_SEQUENCE_OF_OPT(OCSP_SERVICELOC, locator, ACCESS_DESCRIPTION)
+} ASN1_SEQUENCE_END(OCSP_SERVICELOC)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_SERVICELOC)
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_cl.c b/src/lib/libssl/src/crypto/ocsp/ocsp_cl.c
new file mode 100644
index 0000000000..9b3e6dd8ca
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ocsp/ocsp_cl.c
@@ -0,0 +1,370 @@
+/* ocsp_cl.c */
+/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
+ * project. */
+
+/* History:
+   This file was transfered to Richard Levitte from CertCo by Kathy
+   Weinhold in mid-spring 2000 to be included in OpenSSL or released
+   as a patch kit. */
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <time.h>
+#include <cryptlib.h>
+#include <openssl/objects.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/x509v3.h>
+#include <openssl/ocsp.h>
+
+/* Utility functions related to sending OCSP requests and extracting
+ * relevant information from the response.
+ */
+
+/* Add an OCSP_CERTID to an OCSP request. Return new OCSP_ONEREQ 
+ * pointer: useful if we want to add extensions.
+ */
+
+OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
+        {
+        OCSP_ONEREQ *one = NULL;
+
+        if (!(one = OCSP_ONEREQ_new())) goto err;
+        if (one->reqCert) OCSP_CERTID_free(one->reqCert);
+        one->reqCert = cid;
+        if (req &&
+                !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one))
+                                goto err;
+        return one;
+err:
+        OCSP_ONEREQ_free(one);
+        return NULL;
+        }
+
+/* Set requestorName from an X509_NAME structure */
+
+int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
+        {
+        GENERAL_NAME *gen;
+        gen = GENERAL_NAME_new();
+        if (!X509_NAME_set(&gen->d.directoryName, nm))
+                {
+                GENERAL_NAME_free(gen);
+                return 0;
+                }
+        gen->type = GEN_DIRNAME;
+        if (req->tbsRequest->requestorName)
+                GENERAL_NAME_free(req->tbsRequest->requestorName);
+        req->tbsRequest->requestorName = gen;
+        return 1;
+        }
+        
+
+/* Add a certificate to an OCSP request */
+
+int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
+        {
+        OCSP_SIGNATURE *sig;
+        if (!req->optionalSignature)
+                req->optionalSignature = OCSP_SIGNATURE_new();
+        sig = req->optionalSignature;
+        if (!sig) return 0;
+        if (!cert) return 1;
+        if (!sig->certs && !(sig->certs = sk_X509_new_null()))
+                return 0;
+
+        if(!sk_X509_push(sig->certs, cert)) return 0;
+        CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
+        return 1;
+        }
+
+/* Sign an OCSP request set the requestorName to the subjec
+ * name of an optional signers certificate and include one
+ * or more optional certificates in the request. Behaves
+ * like PKCS7_sign().
+ */
+
+int OCSP_request_sign(OCSP_REQUEST   *req,
+                      X509           *signer,
+                      EVP_PKEY       *key,
+                      const EVP_MD   *dgst,
+                      STACK_OF(X509) *certs,
+                      unsigned long flags)
+        {
+        int i;
+        OCSP_SIGNATURE *sig;
+        X509 *x;
+
+        if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
+                        goto err;
+
+        if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) goto err;
+        if (!dgst) dgst = EVP_sha1();
+        if (key)
+                {
+                if (!X509_check_private_key(signer, key))
+                        {
+                        OCSPerr(OCSP_F_OCSP_REQUEST_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
+                        goto err;
+                        }
+                if (!OCSP_REQUEST_sign(req, key, dgst)) goto err;
+                }
+
+        if (!(flags & OCSP_NOCERTS))
+                {
+                if(!OCSP_request_add1_cert(req, signer)) goto err;
+                for (i = 0; i < sk_X509_num(certs); i++)
+                        {
+                        x = sk_X509_value(certs, i);
+                        if (!OCSP_request_add1_cert(req, x)) goto err;
+                        }
+                }
+
+        return 1;
+err:
+        OCSP_SIGNATURE_free(req->optionalSignature);
+        req->optionalSignature = NULL;
+        return 0;
+        }
+
+/* Get response status */
+
+int OCSP_response_status(OCSP_RESPONSE *resp)
+        {
+        return ASN1_ENUMERATED_get(resp->responseStatus);
+        }
+
+/* Extract basic response from OCSP_RESPONSE or NULL if
+ * no basic response present.
+ */
+ 
+
+OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp)
+        {
+        OCSP_RESPBYTES *rb;
+        rb = resp->responseBytes;
+        if (!rb)
+                {
+                OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NO_RESPONSE_DATA);
+                return NULL;
+                }
+        if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic)
+                {
+                OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NOT_BASIC_RESPONSE);
+                return NULL;
+                }
+
+        return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP));
+        }
+
+/* Return number of OCSP_SINGLERESP reponses present in
+ * a basic response.
+ */
+
+int OCSP_resp_count(OCSP_BASICRESP *bs)
+        {
+        if (!bs) return -1;
+        return sk_OCSP_SINGLERESP_num(bs->tbsResponseData->responses);
+        }
+
+/* Extract an OCSP_SINGLERESP response with a given index */
+
+OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
+        {
+        if (!bs) return NULL;
+        return sk_OCSP_SINGLERESP_value(bs->tbsResponseData->responses, idx);
+        }
+
+/* Look single response matching a given certificate ID */
+
+int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
+        {
+        int i;
+        STACK_OF(OCSP_SINGLERESP) *sresp;
+        OCSP_SINGLERESP *single;
+        if (!bs) return -1;
+        if (last < 0) last = 0;
+        else last++;
+        sresp = bs->tbsResponseData->responses;
+        for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++)
+                {
+                single = sk_OCSP_SINGLERESP_value(sresp, i);
+                if (!OCSP_id_cmp(id, single->certId)) return i;
+                }
+        return -1;
+        }
+
+/* Extract status information from an OCSP_SINGLERESP structure.
+ * Note: the revtime and reason values are only set if the 
+ * certificate status is revoked. Returns numerical value of
+ * status.
+ */
+
+int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
+                                ASN1_GENERALIZEDTIME **revtime,
+                                ASN1_GENERALIZEDTIME **thisupd,
+                                ASN1_GENERALIZEDTIME **nextupd)
+        {
+        int ret;
+        OCSP_CERTSTATUS *cst;
+        if(!single) return -1;
+        cst = single->certStatus;
+        ret = cst->type;
+        if (ret == V_OCSP_CERTSTATUS_REVOKED)
+                {
+                OCSP_REVOKEDINFO *rev = cst->value.revoked;
+                if (revtime) *revtime = rev->revocationTime;
+                if (reason) 
+                        {
+                        if(rev->revocationReason)
+                                *reason = ASN1_ENUMERATED_get(rev->revocationReason);
+                        else *reason = -1;
+                        }
+                }
+        if(thisupd) *thisupd = single->thisUpdate;
+        if(nextupd) *nextupd = single->nextUpdate;
+        return ret;
+        }
+
+/* This function combines the previous ones: look up a certificate ID and
+ * if found extract status information. Return 0 is successful.
+ */
+
+int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
+                                int *reason,
+                                ASN1_GENERALIZEDTIME **revtime,
+                                ASN1_GENERALIZEDTIME **thisupd,
+                                ASN1_GENERALIZEDTIME **nextupd)
+        {
+        int i;
+        OCSP_SINGLERESP *single;
+        i = OCSP_resp_find(bs, id, -1);
+        /* Maybe check for multiple responses and give an error? */
+        if(i < 0) return 0;
+        single = OCSP_resp_get0(bs, i);
+        i = OCSP_single_get0_status(single, reason, revtime, thisupd, nextupd);
+        if(status) *status = i;
+        return 1;
+        }
+
+/* Check validity of thisUpdate and nextUpdate fields. It is possible that the request will
+ * take a few seconds to process and/or the time wont be totally accurate. Therefore to avoid
+ * rejecting otherwise valid time we allow the times to be within 'nsec' of the current time.
+ * Also to avoid accepting very old responses without a nextUpdate field an optional maxage
+ * parameter specifies the maximum age the thisUpdate field can be.
+ */
+
+int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
+        {
+        int ret = 1;
+        time_t t_now, t_tmp;
+        time(&t_now);
+        /* Check thisUpdate is valid and not more than nsec in the future */
+        if (!ASN1_GENERALIZEDTIME_check(thisupd))
+                {
+                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_THISUPDATE_FIELD);
+                ret = 0;
+                }
+        else 
+                {
+                        t_tmp = t_now + nsec;
+                        if (X509_cmp_time(thisupd, &t_tmp) > 0)
+                        {
+                        OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_NOT_YET_VALID);
+                        ret = 0;
+                        }
+
+                /* If maxsec specified check thisUpdate is not more than maxsec in the past */
+                if (maxsec >= 0)
+                        {
+                        t_tmp = t_now - maxsec;
+                        if (X509_cmp_time(thisupd, &t_tmp) < 0)
+                                {
+                                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_TOO_OLD);
+                                ret = 0;
+                                }
+                        }
+                }
+                
+
+        if (!nextupd) return ret;
+
+        /* Check nextUpdate is valid and not more than nsec in the past */
+        if (!ASN1_GENERALIZEDTIME_check(nextupd))
+                {
+                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
+                ret = 0;
+                }
+        else 
+                {
+                t_tmp = t_now - nsec;
+                if (X509_cmp_time(nextupd, &t_tmp) < 0)
+                        {
+                        OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_EXPIRED);
+                        ret = 0;
+                        }
+                }
+
+        /* Also don't allow nextUpdate to precede thisUpdate */
+        if (ASN1_STRING_cmp(nextupd, thisupd) < 0)
+                {
+                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
+                ret = 0;
+                }
+
+        return ret;
+        }
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_err.c b/src/lib/libssl/src/crypto/ocsp/ocsp_err.c
new file mode 100644
index 0000000000..4c4d8306f8
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ocsp/ocsp_err.c
@@ -0,0 +1,139 @@
+/* crypto/ocsp/ocsp_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/ocsp.h>
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA OCSP_str_functs[]=
+        {
+{ERR_PACK(0,OCSP_F_ASN1_STRING_ENCODE,0),       "ASN1_STRING_encode"},
+{ERR_PACK(0,OCSP_F_CERT_ID_NEW,0),      "CERT_ID_NEW"},
+{ERR_PACK(0,OCSP_F_D2I_OCSP_NONCE,0),   "D2I_OCSP_NONCE"},
+{ERR_PACK(0,OCSP_F_OCSP_BASIC_ADD1_STATUS,0),   "OCSP_basic_add1_status"},
+{ERR_PACK(0,OCSP_F_OCSP_BASIC_SIGN,0),  "OCSP_basic_sign"},
+{ERR_PACK(0,OCSP_F_OCSP_BASIC_VERIFY,0),        "OCSP_basic_verify"},
+{ERR_PACK(0,OCSP_F_OCSP_CHECK_DELEGATED,0),     "OCSP_CHECK_DELEGATED"},
+{ERR_PACK(0,OCSP_F_OCSP_CHECK_IDS,0),   "OCSP_CHECK_IDS"},
+{ERR_PACK(0,OCSP_F_OCSP_CHECK_ISSUER,0),        "OCSP_CHECK_ISSUER"},
+{ERR_PACK(0,OCSP_F_OCSP_CHECK_VALIDITY,0),      "OCSP_check_validity"},
+{ERR_PACK(0,OCSP_F_OCSP_MATCH_ISSUERID,0),      "OCSP_MATCH_ISSUERID"},
+{ERR_PACK(0,OCSP_F_OCSP_PARSE_URL,0),   "OCSP_parse_url"},
+{ERR_PACK(0,OCSP_F_OCSP_REQUEST_SIGN,0),        "OCSP_request_sign"},
+{ERR_PACK(0,OCSP_F_OCSP_REQUEST_VERIFY,0),      "OCSP_request_verify"},
+{ERR_PACK(0,OCSP_F_OCSP_RESPONSE_GET1_BASIC,0), "OCSP_response_get1_basic"},
+{ERR_PACK(0,OCSP_F_OCSP_SENDREQ_BIO,0), "OCSP_sendreq_bio"},
+{ERR_PACK(0,OCSP_F_REQUEST_VERIFY,0),   "REQUEST_VERIFY"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA OCSP_str_reasons[]=
+        {
+{OCSP_R_BAD_DATA                         ,"bad data"},
+{OCSP_R_CERTIFICATE_VERIFY_ERROR         ,"certificate verify error"},
+{OCSP_R_DIGEST_ERR                       ,"digest err"},
+{OCSP_R_ERROR_IN_NEXTUPDATE_FIELD        ,"error in nextupdate field"},
+{OCSP_R_ERROR_IN_THISUPDATE_FIELD        ,"error in thisupdate field"},
+{OCSP_R_ERROR_PARSING_URL                ,"error parsing url"},
+{OCSP_R_MISSING_OCSPSIGNING_USAGE        ,"missing ocspsigning usage"},
+{OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE     ,"nextupdate before thisupdate"},
+{OCSP_R_NOT_BASIC_RESPONSE               ,"not basic response"},
+{OCSP_R_NO_CERTIFICATES_IN_CHAIN         ,"no certificates in chain"},
+{OCSP_R_NO_CONTENT                       ,"no content"},
+{OCSP_R_NO_PUBLIC_KEY                    ,"no public key"},
+{OCSP_R_NO_RESPONSE_DATA                 ,"no response data"},
+{OCSP_R_NO_REVOKED_TIME                  ,"no revoked time"},
+{OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE,"private key does not match certificate"},
+{OCSP_R_REQUEST_NOT_SIGNED               ,"request not signed"},
+{OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA,"response contains no revocation data"},
+{OCSP_R_ROOT_CA_NOT_TRUSTED              ,"root ca not trusted"},
+{OCSP_R_SERVER_READ_ERROR                ,"server read error"},
+{OCSP_R_SERVER_RESPONSE_ERROR            ,"server response error"},
+{OCSP_R_SERVER_RESPONSE_PARSE_ERROR      ,"server response parse error"},
+{OCSP_R_SERVER_WRITE_ERROR               ,"server write error"},
+{OCSP_R_SIGNATURE_FAILURE                ,"signature failure"},
+{OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND     ,"signer certificate not found"},
+{OCSP_R_STATUS_EXPIRED                   ,"status expired"},
+{OCSP_R_STATUS_NOT_YET_VALID             ,"status not yet valid"},
+{OCSP_R_STATUS_TOO_OLD                   ,"status too old"},
+{OCSP_R_UNKNOWN_MESSAGE_DIGEST           ,"unknown message digest"},
+{OCSP_R_UNKNOWN_NID                      ,"unknown nid"},
+{OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE   ,"unsupported requestorname type"},
+{0,NULL}
+        };
+
+#endif
+
+void ERR_load_OCSP_strings(void)
+        {
+        static int init=1;
+
+        if (init)
+                {
+                init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(ERR_LIB_OCSP,OCSP_str_functs);
+                ERR_load_strings(ERR_LIB_OCSP,OCSP_str_reasons);
+#endif
+
+                }
+        }
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_ext.c b/src/lib/libssl/src/crypto/ocsp/ocsp_ext.c
new file mode 100644
index 0000000000..d6c8899f58
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ocsp/ocsp_ext.c
@@ -0,0 +1,528 @@
+/* ocsp_ext.c */
+/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
+ * project. */
+
+/* History:
+   This file was transfered to Richard Levitte from CertCo by Kathy
+   Weinhold in mid-spring 2000 to be included in OpenSSL or released
+   as a patch kit. */
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <cryptlib.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/ocsp.h>
+#include <openssl/rand.h>
+#include <openssl/x509v3.h>
+
+/* Standard wrapper functions for extensions */
+
+/* OCSP request extensions */
+
+int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x)
+        {
+        return(X509v3_get_ext_count(x->tbsRequest->requestExtensions));
+        }
+
+int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos)
+        {
+        return(X509v3_get_ext_by_NID(x->tbsRequest->requestExtensions,nid,lastpos));
+        }
+
+int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos)
+        {
+        return(X509v3_get_ext_by_OBJ(x->tbsRequest->requestExtensions,obj,lastpos));
+        }
+
+int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos)
+        {
+        return(X509v3_get_ext_by_critical(x->tbsRequest->requestExtensions,crit,lastpos));
+        }
+
+X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc)
+        {
+        return(X509v3_get_ext(x->tbsRequest->requestExtensions,loc));
+        }
+
+X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc)
+        {
+        return(X509v3_delete_ext(x->tbsRequest->requestExtensions,loc));
+        }
+
+void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx)
+        {
+        return X509V3_get_d2i(x->tbsRequest->requestExtensions, nid, crit, idx);
+        }
+
+int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
+                                                        unsigned long flags)
+        {
+        return X509V3_add1_i2d(&x->tbsRequest->requestExtensions, nid, value, crit, flags);
+        }
+
+int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc)
+        {
+        return(X509v3_add_ext(&(x->tbsRequest->requestExtensions),ex,loc) != NULL);
+        }
+
+/* Single extensions */
+
+int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x)
+        {
+        return(X509v3_get_ext_count(x->singleRequestExtensions));
+        }
+
+int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos)
+        {
+        return(X509v3_get_ext_by_NID(x->singleRequestExtensions,nid,lastpos));
+        }
+
+int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos)
+        {
+        return(X509v3_get_ext_by_OBJ(x->singleRequestExtensions,obj,lastpos));
+        }
+
+int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos)
+        {
+        return(X509v3_get_ext_by_critical(x->singleRequestExtensions,crit,lastpos));
+        }
+
+X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc)
+        {
+        return(X509v3_get_ext(x->singleRequestExtensions,loc));
+        }
+
+X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc)
+        {
+        return(X509v3_delete_ext(x->singleRequestExtensions,loc));
+        }
+
+void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx)
+        {
+        return X509V3_get_d2i(x->singleRequestExtensions, nid, crit, idx);
+        }
+
+int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
+                                                        unsigned long flags)
+        {
+        return X509V3_add1_i2d(&x->singleRequestExtensions, nid, value, crit, flags);
+        }
+
+int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc)
+        {
+        return(X509v3_add_ext(&(x->singleRequestExtensions),ex,loc) != NULL);
+        }
+
+/* OCSP Basic response */
+
+int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x)
+        {
+        return(X509v3_get_ext_count(x->tbsResponseData->responseExtensions));
+        }
+
+int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos)
+        {
+        return(X509v3_get_ext_by_NID(x->tbsResponseData->responseExtensions,nid,lastpos));
+        }
+
+int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos)
+        {
+        return(X509v3_get_ext_by_OBJ(x->tbsResponseData->responseExtensions,obj,lastpos));
+        }
+
+int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos)
+        {
+        return(X509v3_get_ext_by_critical(x->tbsResponseData->responseExtensions,crit,lastpos));
+        }
+
+X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc)
+        {
+        return(X509v3_get_ext(x->tbsResponseData->responseExtensions,loc));
+        }
+
+X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc)
+        {
+        return(X509v3_delete_ext(x->tbsResponseData->responseExtensions,loc));
+        }
+
+void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx)
+        {
+        return X509V3_get_d2i(x->tbsResponseData->responseExtensions, nid, crit, idx);
+        }
+
+int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit,
+                                                        unsigned long flags)
+        {
+        return X509V3_add1_i2d(&x->tbsResponseData->responseExtensions, nid, value, crit, flags);
+        }
+
+int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc)
+        {
+        return(X509v3_add_ext(&(x->tbsResponseData->responseExtensions),ex,loc) != NULL);
+        }
+
+/* OCSP single response extensions */
+
+int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x)
+        {
+        return(X509v3_get_ext_count(x->singleExtensions));
+        }
+
+int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos)
+        {
+        return(X509v3_get_ext_by_NID(x->singleExtensions,nid,lastpos));
+        }
+
+int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, int lastpos)
+        {
+        return(X509v3_get_ext_by_OBJ(x->singleExtensions,obj,lastpos));
+        }
+
+int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos)
+        {
+        return(X509v3_get_ext_by_critical(x->singleExtensions,crit,lastpos));
+        }
+
+X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc)
+        {
+        return(X509v3_get_ext(x->singleExtensions,loc));
+        }
+
+X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc)
+        {
+        return(X509v3_delete_ext(x->singleExtensions,loc));
+        }
+
+void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx)
+        {
+        return X509V3_get_d2i(x->singleExtensions, nid, crit, idx);
+        }
+
+int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit,
+                                                        unsigned long flags)
+        {
+        return X509V3_add1_i2d(&x->singleExtensions, nid, value, crit, flags);
+        }
+
+int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc)
+        {
+        return(X509v3_add_ext(&(x->singleExtensions),ex,loc) != NULL);
+        }
+
+/* also CRL Entry Extensions */
+
+ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, int (*i2d)(), 
+                                char *data, STACK_OF(ASN1_OBJECT) *sk)
+        {
+        int i;
+        unsigned char *p, *b = NULL;
+
+        if (data)
+                {
+                if ((i=i2d(data,NULL)) <= 0) goto err;
+                if (!(b=p=(unsigned char*)OPENSSL_malloc((unsigned int)i)))
+                        goto err;
+                if (i2d(data, &p) <= 0) goto err;
+                }
+        else if (sk)
+                {
+                if ((i=i2d_ASN1_SET_OF_ASN1_OBJECT(sk,NULL,i2d,V_ASN1_SEQUENCE,
+                                   V_ASN1_UNIVERSAL,IS_SEQUENCE))<=0) goto err;
+                if (!(b=p=(unsigned char*)OPENSSL_malloc((unsigned int)i)))
+                        goto err;
+                if (i2d_ASN1_SET_OF_ASN1_OBJECT(sk,&p,i2d,V_ASN1_SEQUENCE,
+                                 V_ASN1_UNIVERSAL,IS_SEQUENCE)<=0) goto err;
+                }
+        else
+                {
+                OCSPerr(OCSP_F_ASN1_STRING_ENCODE,OCSP_R_BAD_DATA);
+                goto err;
+                }
+        if (!s && !(s = ASN1_STRING_new())) goto err;
+        if (!(ASN1_STRING_set(s, b, i))) goto err;
+        OPENSSL_free(b);
+        return s;
+err:
+        if (b) OPENSSL_free(b);
+        return NULL;
+        }
+
+/* Nonce handling functions */
+
+/* Add a nonce to an extension stack. A nonce can be specificed or if NULL
+ * a random nonce will be generated.
+ */
+
+static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len)
+        {
+        unsigned char *tmpval;
+        ASN1_OCTET_STRING os;
+        int ret = 0;
+        if (len <= 0) len = OCSP_DEFAULT_NONCE_LENGTH;
+        if (val) tmpval = val;
+        else
+                {
+                if (!(tmpval = OPENSSL_malloc(len))) goto err;
+                RAND_pseudo_bytes(tmpval, len);
+                }
+        os.data = tmpval;
+        os.length = len;
+        if(!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce,
+                        &os, 0, X509V3_ADD_REPLACE))
+                                goto err;
+        ret = 1;
+        err:
+        if(!val) OPENSSL_free(tmpval);
+        return ret;
+        }
+
+
+/* Add nonce to an OCSP request */
+
+int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len)
+        {
+        return ocsp_add1_nonce(&req->tbsRequest->requestExtensions, val, len);
+        }
+
+/* Same as above but for a response */
+
+int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len)
+        {
+        return ocsp_add1_nonce(&resp->tbsResponseData->responseExtensions, val, len);
+        }
+
+/* Check nonce validity in a request and response.
+ * Return value reflects result:
+ *  1: nonces present and equal.
+ *  2: nonces both absent.
+ *  3: nonce present in response only.
+ *  0: nonces both present and not equal.
+ * -1: nonce in request only.
+ *
+ *  For most responders clients can check return > 0.
+ *  If responder doesn't handle nonces return != 0 may be
+ *  necessary. return == 0 is always an error.
+ */
+
+int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
+        {
+        /*
+         * Since we are only interested in the presence or absence of
+         * the nonce and comparing its value there is no need to use
+         * the X509V3 routines: this way we can avoid them allocating an
+         * ASN1_OCTET_STRING structure for the value which would be
+         * freed immediately anyway.
+         */
+
+        int req_idx, resp_idx;
+        X509_EXTENSION *req_ext, *resp_ext;
+        req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
+        resp_idx = OCSP_BASICRESP_get_ext_by_NID(bs, NID_id_pkix_OCSP_Nonce, -1);
+        /* Check both absent */
+        if((req_idx < 0) && (resp_idx < 0))
+                return 2;
+        /* Check in request only */
+        if((req_idx >= 0) && (resp_idx < 0))
+                return -1;
+        /* Check in response but not request */
+        if((req_idx < 0) && (resp_idx >= 0))
+                return 3;
+        /* Otherwise nonce in request and response so retrieve the extensions */
+        req_ext = OCSP_REQUEST_get_ext(req, req_idx);
+        resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx);
+        if(ASN1_OCTET_STRING_cmp(req_ext->value, resp_ext->value))
+                return 0;
+        return 1;
+        }
+
+/* Copy the nonce value (if any) from an OCSP request to 
+ * a response.
+ */
+
+int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req)
+        {
+        X509_EXTENSION *req_ext;
+        int req_idx;
+        /* Check for nonce in request */
+        req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
+        /* If no nonce that's OK */
+        if (req_idx < 0) return 2;
+        req_ext = OCSP_REQUEST_get_ext(req, req_idx);
+        return OCSP_BASICRESP_add_ext(resp, req_ext, -1);
+        }
+
+X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim)
+        {
+        X509_EXTENSION *x = NULL;
+        OCSP_CRLID *cid = NULL;
+        
+        if (!(cid = OCSP_CRLID_new())) goto err;
+        if (url)
+                {
+                if (!(cid->crlUrl = ASN1_IA5STRING_new())) goto err;
+                if (!(ASN1_STRING_set(cid->crlUrl, url, -1))) goto err;
+                }
+        if (n)
+                {
+                if (!(cid->crlNum = ASN1_INTEGER_new())) goto err;
+                if (!(ASN1_INTEGER_set(cid->crlNum, *n))) goto err;
+                }
+        if (tim)
+                {
+                if (!(cid->crlTime = ASN1_GENERALIZEDTIME_new())) goto err;
+                if (!(ASN1_GENERALIZEDTIME_set_string(cid->crlTime, tim))) 
+                        goto err;
+                }
+        if (!(x = X509_EXTENSION_new())) goto err;
+        if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_CrlID))) goto err;
+        if (!(ASN1_STRING_encode(x->value,i2d_OCSP_CRLID,(char*)cid,NULL)))
+                goto err;
+        OCSP_CRLID_free(cid);
+        return x;
+err:
+        if (x) X509_EXTENSION_free(x);
+        if (cid) OCSP_CRLID_free(cid);
+        return NULL;
+        }
+
+/*   AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER */
+X509_EXTENSION *OCSP_accept_responses_new(char **oids)
+        {
+        int nid;
+        STACK_OF(ASN1_OBJECT) *sk = NULL;
+        ASN1_OBJECT *o = NULL;
+        X509_EXTENSION *x = NULL;
+
+        if (!(sk = sk_ASN1_OBJECT_new_null())) goto err;
+        while (oids && *oids)
+                {
+                if ((nid=OBJ_txt2nid(*oids))!=NID_undef&&(o=OBJ_nid2obj(nid))) 
+                        sk_ASN1_OBJECT_push(sk, o);
+                oids++;
+                }
+        if (!(x = X509_EXTENSION_new())) goto err;
+        if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_acceptableResponses)))
+                goto err;
+        if (!(ASN1_STRING_encode(x->value,i2d_ASN1_OBJECT,NULL,sk)))
+                goto err;
+        sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
+        return x;
+err:
+        if (x) X509_EXTENSION_free(x);
+        if (sk) sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
+        return NULL;
+        }
+
+/*  ArchiveCutoff ::= GeneralizedTime */
+X509_EXTENSION *OCSP_archive_cutoff_new(char* tim)
+        {
+        X509_EXTENSION *x=NULL;
+        ASN1_GENERALIZEDTIME *gt = NULL;
+
+        if (!(gt = ASN1_GENERALIZEDTIME_new())) goto err;
+        if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim))) goto err;
+        if (!(x = X509_EXTENSION_new())) goto err;
+        if (!(x->object=OBJ_nid2obj(NID_id_pkix_OCSP_archiveCutoff)))goto err;
+        if (!(ASN1_STRING_encode(x->value,i2d_ASN1_GENERALIZEDTIME,
+                                 (char*)gt,NULL))) goto err;
+        ASN1_GENERALIZEDTIME_free(gt);
+        return x;
+err:
+        if (gt) ASN1_GENERALIZEDTIME_free(gt);
+        if (x) X509_EXTENSION_free(x);
+        return NULL;
+        }
+
+/* per ACCESS_DESCRIPTION parameter are oids, of which there are currently
+ * two--NID_ad_ocsp, NID_id_ad_caIssuers--and GeneralName value.  This
+ * method forces NID_ad_ocsp and uniformResourceLocator [6] IA5String.
+ */
+X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls)
+        {
+        X509_EXTENSION *x = NULL;
+        ASN1_IA5STRING *ia5 = NULL;
+        OCSP_SERVICELOC *sloc = NULL;
+        ACCESS_DESCRIPTION *ad = NULL;
+        
+        if (!(sloc = OCSP_SERVICELOC_new())) goto err;
+        if (!(sloc->issuer = X509_NAME_dup(issuer))) goto err;
+        if (urls && *urls && !(sloc->locator = sk_ACCESS_DESCRIPTION_new_null())) goto err;
+        while (urls && *urls)
+                {
+                if (!(ad = ACCESS_DESCRIPTION_new())) goto err;
+                if (!(ad->method=OBJ_nid2obj(NID_ad_OCSP))) goto err;
+                if (!(ad->location = GENERAL_NAME_new())) goto err;
+                if (!(ia5 = ASN1_IA5STRING_new())) goto err;
+                if (!ASN1_STRING_set((ASN1_STRING*)ia5, *urls, -1)) goto err;
+                ad->location->type = GEN_URI;
+                ad->location->d.ia5 = ia5;
+                if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad)) goto err;
+                urls++;
+                }
+        if (!(x = X509_EXTENSION_new())) goto err;
+        if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_serviceLocator))) 
+                goto err;
+        if (!(ASN1_STRING_encode(x->value, i2d_OCSP_SERVICELOC,
+                                 (char*)sloc, NULL))) goto err;
+        OCSP_SERVICELOC_free(sloc);
+        return x;
+err:
+        if (x) X509_EXTENSION_free(x);
+        if (sloc) OCSP_SERVICELOC_free(sloc);
+        return NULL;
+        }
+
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_ht.c b/src/lib/libssl/src/crypto/ocsp/ocsp_ht.c
new file mode 100644
index 0000000000..b78cd37092
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ocsp/ocsp_ht.c
@@ -0,0 +1,164 @@
+/* ocsp_ht.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/asn1.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <string.h>
+#include <openssl/ocsp.h>
+#include <openssl/err.h>
+#include <openssl/buffer.h>
+
+/* Quick and dirty HTTP OCSP request handler.
+ * Could make this a bit cleverer by adding
+ * support for non blocking BIOs and a few
+ * other refinements.
+ */
+
+OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req)
+{
+        BIO *mem = NULL;
+        char tmpbuf[1024];
+        OCSP_RESPONSE *resp = NULL;
+        char *p, *q, *r;
+        int len, retcode;
+        static char req_txt[] =
+"POST %s HTTP/1.0\r\n\
+Content-Type: application/ocsp-request\r\n\
+Content-Length: %d\r\n\r\n";
+
+        len = i2d_OCSP_REQUEST(req, NULL);
+        if(BIO_printf(b, req_txt, path, len) < 0) {
+                OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_WRITE_ERROR);
+                goto err;
+        }
+        if(i2d_OCSP_REQUEST_bio(b, req) <= 0) {
+                OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_WRITE_ERROR);
+                goto err;
+        }
+        if(!(mem = BIO_new(BIO_s_mem()))) goto err;
+        /* Copy response to a memory BIO: socket bios can't do gets! */
+        while ((len = BIO_read(b, tmpbuf, 1024))) {
+                if(len < 0) {
+                        OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_READ_ERROR);
+                        goto err;
+                }
+                BIO_write(mem, tmpbuf, len);
+        }
+        if(BIO_gets(mem, tmpbuf, 512) <= 0) {
+                OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
+                goto err;
+        }
+        /* Parse the HTTP response. This will look like this:
+         * "HTTP/1.0 200 OK". We need to obtain the numeric code and
+         * informational message.
+         */
+
+        /* Skip to first white space (passed protocol info) */
+        for(p = tmpbuf; *p && !isspace((unsigned char)*p); p++) continue;
+        if(!*p) {
+                OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
+                goto err;
+        }
+        /* Skip past white space to start of response code */
+        while(*p && isspace((unsigned char)*p)) p++;
+        if(!*p) {
+                OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
+                goto err;
+        }
+        /* Find end of response code: first whitespace after start of code */
+        for(q = p; *q && !isspace((unsigned char)*q); q++) continue;
+        if(!*q) {
+                OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
+                goto err;
+        }
+        /* Set end of response code and start of message */ 
+        *q++ = 0;
+        /* Attempt to parse numeric code */
+        retcode = strtoul(p, &r, 10);
+        if(*r) goto err;
+        /* Skip over any leading white space in message */
+        while(*q && isspace((unsigned char)*q))  q++;
+        if(!*q) goto err;
+        /* Finally zap any trailing white space in message (include CRLF) */
+        /* We know q has a non white space character so this is OK */
+        for(r = q + strlen(q) - 1; isspace((unsigned char)*r); r--) *r = 0;
+        if(retcode != 200) {
+                OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_ERROR);
+                ERR_add_error_data(4, "Code=", p, ",Reason=", q);
+                goto err;
+        }
+        /* Find blank line marking beginning of content */      
+        while(BIO_gets(mem, tmpbuf, 512) > 0)
+        {
+                for(p = tmpbuf; *p && isspace((unsigned char)*p); p++) continue;
+                if(!*p) break;
+        }
+        if(*p) {
+                OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_NO_CONTENT);
+                goto err;
+        }
+        if(!(resp = d2i_OCSP_RESPONSE_bio(mem, NULL))) {
+                OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,ERR_R_NESTED_ASN1_ERROR);
+                goto err;
+        }
+        err:
+        BIO_free(mem);
+        return resp;
+}
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_lib.c b/src/lib/libssl/src/crypto/ocsp/ocsp_lib.c
new file mode 100644
index 0000000000..3875af165c
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ocsp/ocsp_lib.c
@@ -0,0 +1,261 @@
+/* ocsp_lib.c */
+/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
+ * project. */
+
+/* History:
+   This file was transfered to Richard Levitte from CertCo by Kathy
+   Weinhold in mid-spring 2000 to be included in OpenSSL or released
+   as a patch kit. */
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <cryptlib.h>
+#include <openssl/objects.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/x509v3.h>
+#include <openssl/ocsp.h>
+
+/* Convert a certificate and its issuer to an OCSP_CERTID */
+
+OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer)
+{
+        X509_NAME *iname;
+        ASN1_INTEGER *serial;
+        ASN1_BIT_STRING *ikey;
+#ifndef OPENSSL_NO_SHA1
+        if(!dgst) dgst = EVP_sha1();
+#endif
+        if (subject)
+                {
+                iname = X509_get_issuer_name(subject);
+                serial = X509_get_serialNumber(subject);
+                }
+        else
+                {
+                iname = X509_get_subject_name(issuer);
+                serial = NULL;
+                }
+        ikey = X509_get0_pubkey_bitstr(issuer);
+        return OCSP_cert_id_new(dgst, iname, ikey, serial);
+}
+
+
+OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, 
+                              X509_NAME *issuerName, 
+                              ASN1_BIT_STRING* issuerKey, 
+                              ASN1_INTEGER *serialNumber)
+        {
+        int nid;
+        unsigned int i;
+        X509_ALGOR *alg;
+        OCSP_CERTID *cid = NULL;
+        unsigned char md[EVP_MAX_MD_SIZE];
+
+        if (!(cid = OCSP_CERTID_new())) goto err;
+
+        alg = cid->hashAlgorithm;
+        if (alg->algorithm != NULL) ASN1_OBJECT_free(alg->algorithm);
+        if ((nid = EVP_MD_type(dgst)) == NID_undef)
+                {
+                OCSPerr(OCSP_F_CERT_ID_NEW,OCSP_R_UNKNOWN_NID);
+                goto err;
+                }
+        if (!(alg->algorithm=OBJ_nid2obj(nid))) goto err;
+        if ((alg->parameter=ASN1_TYPE_new()) == NULL) goto err;
+        alg->parameter->type=V_ASN1_NULL;
+
+        if (!X509_NAME_digest(issuerName, dgst, md, &i)) goto digerr;
+        if (!(ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i))) goto err;
+
+        /* Calculate the issuerKey hash, excluding tag and length */
+        EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst, NULL);
+
+        if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i))) goto err;
+
+        if (serialNumber)
+                {
+                ASN1_INTEGER_free(cid->serialNumber);
+                if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber))) goto err;
+                }
+        return cid;
+digerr:
+        OCSPerr(OCSP_F_CERT_ID_NEW,OCSP_R_DIGEST_ERR);
+err:
+        if (cid) OCSP_CERTID_free(cid);
+        return NULL;
+        }
+
+int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
+        {
+        int ret;
+        ret = OBJ_cmp(a->hashAlgorithm->algorithm, b->hashAlgorithm->algorithm);
+        if (ret) return ret;
+        ret = ASN1_OCTET_STRING_cmp(a->issuerNameHash, b->issuerNameHash);
+        if (ret) return ret;
+        return ASN1_OCTET_STRING_cmp(a->issuerKeyHash, b->issuerKeyHash);
+        }
+
+int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
+        {
+        int ret;
+        ret = OCSP_id_issuer_cmp(a, b);
+        if (ret) return ret;
+        return ASN1_INTEGER_cmp(a->serialNumber, b->serialNumber);
+        }
+
+
+/* Parse a URL and split it up into host, port and path components and whether
+ * it is SSL.
+ */
+
+int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl)
+        {
+        char *p, *buf;
+
+        char *host, *port;
+
+        /* dup the buffer since we are going to mess with it */
+        buf = BUF_strdup(url);
+        if (!buf) goto mem_err;
+
+        *phost = NULL;
+        *pport = NULL;
+        *ppath = NULL;
+
+        /* Check for initial colon */
+        p = strchr(buf, ':');
+
+        if (!p) goto parse_err;
+
+        *(p++) = '\0';
+
+        if (!strcmp(buf, "http"))
+                {
+                *pssl = 0;
+                port = "80";
+                }
+        else if (!strcmp(buf, "https"))
+                {
+                *pssl = 1;
+                port = "443";
+                }
+        else
+                goto parse_err;
+
+        /* Check for double slash */
+        if ((p[0] != '/') || (p[1] != '/'))
+                goto parse_err;
+
+        p += 2;
+
+        host = p;
+
+        /* Check for trailing part of path */
+
+        p = strchr(p, '/');
+
+        if (!p) 
+                *ppath = BUF_strdup("/");
+        else
+                {
+                *ppath = BUF_strdup(p);
+                /* Set start of path to 0 so hostname is valid */
+                *p = '\0';
+                }
+
+        if (!*ppath) goto mem_err;
+
+        /* Look for optional ':' for port number */
+        if ((p = strchr(host, ':')))
+                {
+                *p = 0;
+                port = p + 1;
+                }
+        else
+                {
+                /* Not found: set default port */
+                if (*pssl) port = "443";
+                else port = "80";
+                }
+
+        *pport = BUF_strdup(port);
+        if (!*pport) goto mem_err;
+
+        *phost = BUF_strdup(host);
+
+        if (!*phost) goto mem_err;
+
+        OPENSSL_free(buf);
+
+        return 1;
+
+        mem_err:
+        OCSPerr(OCSP_F_OCSP_PARSE_URL, ERR_R_MALLOC_FAILURE);
+        goto err;
+
+        parse_err:
+        OCSPerr(OCSP_F_OCSP_PARSE_URL, OCSP_R_ERROR_PARSING_URL);
+
+
+        err:
+        if (*ppath) OPENSSL_free(*ppath);
+        if (*pport) OPENSSL_free(*pport);
+        if (*phost) OPENSSL_free(*phost);
+        return 0;
+
+        }
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_prn.c b/src/lib/libssl/src/crypto/ocsp/ocsp_prn.c
new file mode 100644
index 0000000000..4b7bc28769
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ocsp/ocsp_prn.c
@@ -0,0 +1,291 @@
+/* ocsp_prn.c */
+/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
+ * project. */
+
+/* History:
+   This file was originally part of ocsp.c and was transfered to Richard
+   Levitte from CertCo by Kathy Weinhold in mid-spring 2000 to be included
+   in OpenSSL or released as a patch kit. */
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/ocsp.h>
+#include <openssl/pem.h>
+
+static int ocsp_certid_print(BIO *bp, OCSP_CERTID* a, int indent)
+        {
+        BIO_printf(bp, "%*sCertificate ID:\n", indent, "");
+        indent += 2;
+        BIO_printf(bp, "%*sHash Algorithm: ", indent, "");
+        i2a_ASN1_OBJECT(bp, a->hashAlgorithm->algorithm);
+        BIO_printf(bp, "\n%*sIssuer Name Hash: ", indent, "");
+        i2a_ASN1_STRING(bp, a->issuerNameHash, V_ASN1_OCTET_STRING);
+        BIO_printf(bp, "\n%*sIssuer Key Hash: ", indent, "");
+        i2a_ASN1_STRING(bp, a->issuerKeyHash, V_ASN1_OCTET_STRING);
+        BIO_printf(bp, "\n%*sSerial Number: ", indent, "");
+        i2a_ASN1_INTEGER(bp, a->serialNumber);
+        BIO_printf(bp, "\n");
+        return 1;
+        }
+
+typedef struct
+        {
+        long t;
+        char *m;
+        } OCSP_TBLSTR;
+
+static char *table2string(long s, OCSP_TBLSTR *ts, int len)
+{
+        OCSP_TBLSTR *p;
+        for (p=ts; p < ts + len; p++)
+                if (p->t == s)
+                         return p->m;
+        return "(UNKNOWN)";
+}
+
+char *OCSP_response_status_str(long s)
+        {
+        static OCSP_TBLSTR rstat_tbl[] = {
+                { OCSP_RESPONSE_STATUS_SUCCESSFUL, "successful" },
+                { OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, "malformedrequest" },
+                { OCSP_RESPONSE_STATUS_INTERNALERROR, "internalerror" },
+                { OCSP_RESPONSE_STATUS_TRYLATER, "trylater" },
+                { OCSP_RESPONSE_STATUS_SIGREQUIRED, "sigrequired" },
+                { OCSP_RESPONSE_STATUS_UNAUTHORIZED, "unauthorized" } };
+        return table2string(s, rstat_tbl, 6);
+        } 
+
+char *OCSP_cert_status_str(long s)
+        {
+        static OCSP_TBLSTR cstat_tbl[] = {
+                { V_OCSP_CERTSTATUS_GOOD, "good" },
+                { V_OCSP_CERTSTATUS_REVOKED, "revoked" },
+                { V_OCSP_CERTSTATUS_UNKNOWN, "unknown" } };
+        return table2string(s, cstat_tbl, 3);
+        } 
+
+char *OCSP_crl_reason_str(long s)
+        {
+        OCSP_TBLSTR reason_tbl[] = {
+          { OCSP_REVOKED_STATUS_UNSPECIFIED, "unspecified" },
+          { OCSP_REVOKED_STATUS_KEYCOMPROMISE, "keyCompromise" },
+          { OCSP_REVOKED_STATUS_CACOMPROMISE, "cACompromise" },
+          { OCSP_REVOKED_STATUS_AFFILIATIONCHANGED, "affiliationChanged" },
+          { OCSP_REVOKED_STATUS_SUPERSEDED, "superseded" },
+          { OCSP_REVOKED_STATUS_CESSATIONOFOPERATION, "cessationOfOperation" },
+          { OCSP_REVOKED_STATUS_CERTIFICATEHOLD, "certificateHold" },
+          { OCSP_REVOKED_STATUS_REMOVEFROMCRL, "removeFromCRL" } };
+        return table2string(s, reason_tbl, 8);
+        } 
+
+int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* o, unsigned long flags)
+        {
+        int i;
+        long l;
+        OCSP_CERTID* cid = NULL;
+        OCSP_ONEREQ *one = NULL;
+        OCSP_REQINFO *inf = o->tbsRequest;
+        OCSP_SIGNATURE *sig = o->optionalSignature;
+
+        if (BIO_write(bp,"OCSP Request Data:\n",19) <= 0) goto err;
+        l=ASN1_INTEGER_get(inf->version);
+        if (BIO_printf(bp,"    Version: %lu (0x%lx)",l+1,l) <= 0) goto err;
+        if (inf->requestorName != NULL)
+                {
+                if (BIO_write(bp,"\n    Requestor Name: ",21) <= 0) 
+                        goto err;
+                GENERAL_NAME_print(bp, inf->requestorName);
+                }
+        if (BIO_write(bp,"\n    Requestor List:\n",21) <= 0) goto err;
+        for (i = 0; i < sk_OCSP_ONEREQ_num(inf->requestList); i++)
+                {
+                one = sk_OCSP_ONEREQ_value(inf->requestList, i);
+                cid = one->reqCert;
+                ocsp_certid_print(bp, cid, 8);
+                if (!X509V3_extensions_print(bp,
+                                        "Request Single Extensions",
+                                        one->singleRequestExtensions, flags, 8))
+                                                        goto err;
+                }
+        if (!X509V3_extensions_print(bp, "Request Extensions",
+                        inf->requestExtensions, flags, 4))
+                                                        goto err;
+        if (sig)
+                {
+                X509_signature_print(bp, sig->signatureAlgorithm, sig->signature);
+                for (i=0; i<sk_X509_num(sig->certs); i++)
+                        {
+                        X509_print(bp, sk_X509_value(sig->certs,i));
+                        PEM_write_bio_X509(bp,sk_X509_value(sig->certs,i));
+                        }
+                }
+        return 1;
+err:
+        return 0;
+        }
+
+int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
+        {
+        int i, ret = 0;
+        long l;
+        unsigned char *p;
+        OCSP_CERTID *cid = NULL;
+        OCSP_BASICRESP *br = NULL;
+        OCSP_RESPID *rid = NULL;
+        OCSP_RESPDATA  *rd = NULL;
+        OCSP_CERTSTATUS *cst = NULL;
+        OCSP_REVOKEDINFO *rev = NULL;
+        OCSP_SINGLERESP *single = NULL;
+        OCSP_RESPBYTES *rb = o->responseBytes;
+
+        if (BIO_puts(bp,"OCSP Response Data:\n") <= 0) goto err;
+        l=ASN1_ENUMERATED_get(o->responseStatus);
+        if (BIO_printf(bp,"    OCSP Response Status: %s (0x%x)\n",
+                       OCSP_response_status_str(l), l) <= 0) goto err;
+        if (rb == NULL) return 1;
+        if (BIO_puts(bp,"    Response Type: ") <= 0)
+                goto err;
+        if(i2a_ASN1_OBJECT(bp, rb->responseType) <= 0)
+                goto err;
+        if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) 
+                {
+                BIO_puts(bp," (unknown response type)\n");
+                return 1;
+                }
+
+        p = ASN1_STRING_data(rb->response);
+        i = ASN1_STRING_length(rb->response);
+        if (!(br = OCSP_response_get1_basic(o))) goto err;
+        rd = br->tbsResponseData;
+        l=ASN1_INTEGER_get(rd->version);
+        if (BIO_printf(bp,"\n    Version: %lu (0x%lx)\n",
+                       l+1,l) <= 0) goto err;
+        if (BIO_puts(bp,"    Responder Id: ") <= 0) goto err;
+
+        rid =  rd->responderId;
+        switch (rid->type)
+                {
+                case V_OCSP_RESPID_NAME:
+                        X509_NAME_print_ex(bp, rid->value.byName, 0, XN_FLAG_ONELINE);
+                        break;
+                case V_OCSP_RESPID_KEY:
+                        i2a_ASN1_STRING(bp, rid->value.byKey, V_ASN1_OCTET_STRING);
+                        break;
+                }
+
+        if (BIO_printf(bp,"\n    Produced At: ")<=0) goto err;
+        if (!ASN1_GENERALIZEDTIME_print(bp, rd->producedAt)) goto err;
+        if (BIO_printf(bp,"\n    Responses:\n") <= 0) goto err;
+        for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++)
+                {
+                if (! sk_OCSP_SINGLERESP_value(rd->responses, i)) continue;
+                single = sk_OCSP_SINGLERESP_value(rd->responses, i);
+                cid = single->certId;
+                if(ocsp_certid_print(bp, cid, 4) <= 0) goto err;
+                cst = single->certStatus;
+                if (BIO_printf(bp,"    Cert Status: %s",
+                               OCSP_cert_status_str(cst->type)) <= 0)
+                        goto err;
+                if (cst->type == V_OCSP_CERTSTATUS_REVOKED)
+                        {
+                        rev = cst->value.revoked;
+                        if (BIO_printf(bp, "\n    Revocation Time: ") <= 0) 
+                                goto err;
+                        if (!ASN1_GENERALIZEDTIME_print(bp, 
+                                                        rev->revocationTime)) 
+                                goto err;
+                        if (rev->revocationReason) 
+                                {
+                                l=ASN1_ENUMERATED_get(rev->revocationReason);
+                                if (BIO_printf(bp, 
+                                         "\n    Revocation Reason: %s (0x%x)",
+                                               OCSP_crl_reason_str(l), l) <= 0)
+                                        goto err;
+                                }
+                        }
+                if (BIO_printf(bp,"\n    This Update: ") <= 0) goto err;
+                if (!ASN1_GENERALIZEDTIME_print(bp, single->thisUpdate)) 
+                        goto err;
+                if (single->nextUpdate)
+                        {
+                        if (BIO_printf(bp,"\n    Next Update: ") <= 0)goto err;
+                        if (!ASN1_GENERALIZEDTIME_print(bp,single->nextUpdate))
+                                goto err;
+                        }
+                if (!BIO_write(bp,"\n",1)) goto err;
+                if (!X509V3_extensions_print(bp,
+                                        "Response Single Extensions",
+                                        single->singleExtensions, flags, 8))
+                                                        goto err;
+                if (!BIO_write(bp,"\n",1)) goto err;
+                }
+        if (!X509V3_extensions_print(bp, "Response Extensions",
+                                        rd->responseExtensions, flags, 4))
+        if(X509_signature_print(bp, br->signatureAlgorithm, br->signature) <= 0)
+                                                        goto err;
+
+        for (i=0; i<sk_X509_num(br->certs); i++)
+                {
+                X509_print(bp, sk_X509_value(br->certs,i));
+                PEM_write_bio_X509(bp,sk_X509_value(br->certs,i));
+                }
+
+        ret = 1;
+err:
+        OCSP_BASICRESP_free(br);
+        return ret;
+        }
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_srv.c b/src/lib/libssl/src/crypto/ocsp/ocsp_srv.c
new file mode 100644
index 0000000000..fffa134e75
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ocsp/ocsp_srv.c
@@ -0,0 +1,264 @@
+/* ocsp_srv.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <cryptlib.h>
+#include <openssl/objects.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/x509v3.h>
+#include <openssl/ocsp.h>
+
+/* Utility functions related to sending OCSP responses and extracting
+ * relevant information from the request.
+ */
+
+int OCSP_request_onereq_count(OCSP_REQUEST *req)
+        {
+        return sk_OCSP_ONEREQ_num(req->tbsRequest->requestList);
+        }
+
+OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i)
+        {
+        return sk_OCSP_ONEREQ_value(req->tbsRequest->requestList, i);
+        }
+
+OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one)
+        {
+        return one->reqCert;
+        }
+
+int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
+                        ASN1_OCTET_STRING **pikeyHash,
+                        ASN1_INTEGER **pserial, OCSP_CERTID *cid)
+        {
+        if (!cid) return 0;
+        if (pmd) *pmd = cid->hashAlgorithm->algorithm;
+        if(piNameHash) *piNameHash = cid->issuerNameHash;
+        if (pikeyHash) *pikeyHash = cid->issuerKeyHash;
+        if (pserial) *pserial = cid->serialNumber;
+        return 1;
+        }
+
+int OCSP_request_is_signed(OCSP_REQUEST *req)
+        {
+        if(req->optionalSignature) return 1;
+        return 0;
+        }
+
+/* Create an OCSP response and encode an optional basic response */
+OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs)
+        {
+        OCSP_RESPONSE *rsp = NULL;
+
+        if (!(rsp = OCSP_RESPONSE_new())) goto err;
+        if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status))) goto err;
+        if (!bs) return rsp;
+        if (!(rsp->responseBytes = OCSP_RESPBYTES_new())) goto err;
+        rsp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic);
+        if (!ASN1_item_pack(bs, ASN1_ITEM_rptr(OCSP_BASICRESP), &rsp->responseBytes->response))
+                                goto err;
+        return rsp;
+err:
+        if (rsp) OCSP_RESPONSE_free(rsp);
+        return NULL;
+        }
+
+
+OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
+                                                OCSP_CERTID *cid,
+                                                int status, int reason,
+                                                ASN1_TIME *revtime,
+                                        ASN1_TIME *thisupd, ASN1_TIME *nextupd)
+        {
+        OCSP_SINGLERESP *single = NULL;
+        OCSP_CERTSTATUS *cs;
+        OCSP_REVOKEDINFO *ri;
+
+        if(!rsp->tbsResponseData->responses &&
+            !(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new_null()))
+                goto err;
+
+        if (!(single = OCSP_SINGLERESP_new()))
+                goto err;
+
+
+
+        if (!ASN1_TIME_to_generalizedtime(thisupd, &single->thisUpdate))
+                goto err;
+        if (nextupd &&
+                !ASN1_TIME_to_generalizedtime(nextupd, &single->nextUpdate))
+                goto err;
+
+        OCSP_CERTID_free(single->certId);
+
+        if(!(single->certId = OCSP_CERTID_dup(cid)))
+                goto err;
+
+        cs = single->certStatus;
+        switch(cs->type = status)
+                {
+        case V_OCSP_CERTSTATUS_REVOKED:
+                if (!revtime)
+                        {
+                        OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS,OCSP_R_NO_REVOKED_TIME);
+                        goto err;
+                        }
+                if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new())) goto err;
+                if (!ASN1_TIME_to_generalizedtime(revtime, &ri->revocationTime))
+                        goto err;       
+                if (reason != OCSP_REVOKED_STATUS_NOSTATUS)
+                        {
+                        if (!(ri->revocationReason = ASN1_ENUMERATED_new())) 
+                                goto err;
+                        if (!(ASN1_ENUMERATED_set(ri->revocationReason, 
+                                                  reason)))
+                                goto err;       
+                        }
+                break;
+
+        case V_OCSP_CERTSTATUS_GOOD:
+                cs->value.good = ASN1_NULL_new();
+                break;
+
+        case V_OCSP_CERTSTATUS_UNKNOWN:
+                cs->value.unknown = ASN1_NULL_new();
+                break;
+
+        default:
+                goto err;
+
+                }
+        if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses, single)))
+                goto err;
+        return single;
+err:
+        OCSP_SINGLERESP_free(single);
+        return NULL;
+        }
+
+/* Add a certificate to an OCSP request */
+
+int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
+        {
+        if (!resp->certs && !(resp->certs = sk_X509_new_null()))
+                return 0;
+
+        if(!sk_X509_push(resp->certs, cert)) return 0;
+        CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
+        return 1;
+        }
+
+int OCSP_basic_sign(OCSP_BASICRESP *brsp, 
+                        X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
+                        STACK_OF(X509) *certs, unsigned long flags)
+        {
+        int i;
+        OCSP_RESPID *rid;
+
+        if (!X509_check_private_key(signer, key))
+                {
+                OCSPerr(OCSP_F_OCSP_BASIC_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
+                goto err;
+                }
+
+        if(!(flags & OCSP_NOCERTS))
+                {
+                if(!OCSP_basic_add1_cert(brsp, signer))
+                        goto err;
+                for (i = 0; i < sk_X509_num(certs); i++)
+                        {
+                        X509 *tmpcert = sk_X509_value(certs, i);
+                        if(!OCSP_basic_add1_cert(brsp, tmpcert))
+                                goto err;
+                        }
+                }
+
+        rid = brsp->tbsResponseData->responderId;
+        if (flags & OCSP_RESPID_KEY)
+                {
+                unsigned char md[SHA_DIGEST_LENGTH];
+                X509_pubkey_digest(signer, EVP_sha1(), md, NULL);
+                if (!(rid->value.byKey = ASN1_OCTET_STRING_new()))
+                        goto err;
+                if (!(ASN1_OCTET_STRING_set(rid->value.byKey, md, SHA_DIGEST_LENGTH)))
+                                goto err;
+                rid->type = V_OCSP_RESPID_KEY;
+                }
+        else
+                {
+                if (!X509_NAME_set(&rid->value.byName,
+                                        X509_get_subject_name(signer)))
+                                goto err;
+                rid->type = V_OCSP_RESPID_NAME;
+                }
+
+        if (!(flags & OCSP_NOTIME) &&
+                !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0))
+                goto err;
+
+        /* Right now, I think that not doing double hashing is the right
+           thing.       -- Richard Levitte */
+
+        if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0)) goto err;
+
+        return 1;
+err:
+        return 0;
+        }
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_vfy.c b/src/lib/libssl/src/crypto/ocsp/ocsp_vfy.c
new file mode 100644
index 0000000000..1f5fda7ca3
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ocsp/ocsp_vfy.c
@@ -0,0 +1,444 @@
+/* ocsp_vfy.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/ocsp.h>
+#include <openssl/err.h>
+#include <string.h>
+
+static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+                                X509_STORE *st, unsigned long flags);
+static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id);
+static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags);
+static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret);
+static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, STACK_OF(OCSP_SINGLERESP) *sresp);
+static int ocsp_check_delegated(X509 *x, int flags);
+static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs,
+                                X509_STORE *st, unsigned long flags);
+
+/* Verify a basic response message */
+
+int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+                                X509_STORE *st, unsigned long flags)
+        {
+        X509 *signer, *x;
+        STACK_OF(X509) *chain = NULL;
+        X509_STORE_CTX ctx;
+        int i, ret = 0;
+        ret = ocsp_find_signer(&signer, bs, certs, st, flags);
+        if (!ret)
+                {
+                OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
+                goto end;
+                }
+        if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
+                flags |= OCSP_NOVERIFY;
+        if (!(flags & OCSP_NOSIGS))
+                {
+                EVP_PKEY *skey;
+                skey = X509_get_pubkey(signer);
+                ret = OCSP_BASICRESP_verify(bs, skey, 0);
+                EVP_PKEY_free(skey);
+                if(ret <= 0)
+                        {
+                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE);
+                        goto end;
+                        }
+                }
+        if (!(flags & OCSP_NOVERIFY))
+                {
+                int init_res;
+                if(flags & OCSP_NOCHAIN)
+                        init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL);
+                else
+                        init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
+                if(!init_res)
+                        {
+                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB);
+                        goto end;
+                        }
+
+                X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
+                ret = X509_verify_cert(&ctx);
+                chain = X509_STORE_CTX_get1_chain(&ctx);
+                X509_STORE_CTX_cleanup(&ctx);
+                if (ret <= 0)
+                        {
+                        i = X509_STORE_CTX_get_error(&ctx);     
+                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR);
+                        ERR_add_error_data(2, "Verify error:",
+                                        X509_verify_cert_error_string(i));
+                        goto end;
+                        }
+                if(flags & OCSP_NOCHECKS)
+                        {
+                        ret = 1;
+                        goto end;
+                        }
+                /* At this point we have a valid certificate chain
+                 * need to verify it against the OCSP issuer criteria.
+                 */
+                ret = ocsp_check_issuer(bs, chain, flags);
+
+                /* If fatal error or valid match then finish */
+                if (ret != 0) goto end;
+
+                /* Easy case: explicitly trusted. Get root CA and
+                 * check for explicit trust
+                 */
+                if(flags & OCSP_NOEXPLICIT) goto end;
+
+                x = sk_X509_value(chain, sk_X509_num(chain) - 1);
+                if(X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED)
+                        {
+                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_ROOT_CA_NOT_TRUSTED);
+                        goto end;
+                        }
+                ret = 1;
+                }
+
+
+
+        end:
+        if(chain) sk_X509_pop_free(chain, X509_free);
+        return ret;
+        }
+
+
+static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+                                X509_STORE *st, unsigned long flags)
+        {
+        X509 *signer;
+        OCSP_RESPID *rid = bs->tbsResponseData->responderId;
+        if ((signer = ocsp_find_signer_sk(certs, rid)))
+                {
+                *psigner = signer;
+                return 2;
+                }
+        if(!(flags & OCSP_NOINTERN) &&
+            (signer = ocsp_find_signer_sk(bs->certs, rid)))
+                {
+                *psigner = signer;
+                return 1;
+                }
+        /* Maybe lookup from store if by subject name */
+
+        *psigner = NULL;
+        return 0;
+        }
+
+
+static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
+        {
+        int i;
+        unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
+        X509 *x;
+
+        /* Easy if lookup by name */
+        if (id->type == V_OCSP_RESPID_NAME)
+                return X509_find_by_subject(certs, id->value.byName);
+
+        /* Lookup by key hash */
+
+        /* If key hash isn't SHA1 length then forget it */
+        if (id->value.byKey->length != SHA_DIGEST_LENGTH) return NULL;
+        keyhash = id->value.byKey->data;
+        /* Calculate hash of each key and compare */
+        for (i = 0; i < sk_X509_num(certs); i++)
+                {
+                x = sk_X509_value(certs, i);
+                X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL);
+                if(!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))
+                        return x;
+                }
+        return NULL;
+        }
+
+
+static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags)
+        {
+        STACK_OF(OCSP_SINGLERESP) *sresp;
+        X509 *signer, *sca;
+        OCSP_CERTID *caid = NULL;
+        int i;
+        sresp = bs->tbsResponseData->responses;
+
+        if (sk_X509_num(chain) <= 0)
+                {
+                OCSPerr(OCSP_F_OCSP_CHECK_ISSUER, OCSP_R_NO_CERTIFICATES_IN_CHAIN);
+                return -1;
+                }
+
+        /* See if the issuer IDs match. */
+        i = ocsp_check_ids(sresp, &caid);
+
+        /* If ID mismatch or other error then return */
+        if (i <= 0) return i;
+
+        signer = sk_X509_value(chain, 0);
+        /* Check to see if OCSP responder CA matches request CA */
+        if (sk_X509_num(chain) > 1)
+                {
+                sca = sk_X509_value(chain, 1);
+                i = ocsp_match_issuerid(sca, caid, sresp);
+                if (i < 0) return i;
+                if (i)
+                        {
+                        /* We have a match, if extensions OK then success */
+                        if (ocsp_check_delegated(signer, flags)) return 1;
+                        return 0;
+                        }
+                }
+
+        /* Otherwise check if OCSP request signed directly by request CA */
+        return ocsp_match_issuerid(signer, caid, sresp);
+        }
+
+
+/* Check the issuer certificate IDs for equality. If there is a mismatch with the same
+ * algorithm then there's no point trying to match any certificates against the issuer.
+ * If the issuer IDs all match then we just need to check equality against one of them.
+ */
+        
+static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
+        {
+        OCSP_CERTID *tmpid, *cid;
+        int i, idcount;
+
+        idcount = sk_OCSP_SINGLERESP_num(sresp);
+        if (idcount <= 0)
+                {
+                OCSPerr(OCSP_F_OCSP_CHECK_IDS, OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA);
+                return -1;
+                }
+
+        cid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
+
+        *ret = NULL;
+
+        for (i = 1; i < idcount; i++)
+                {
+                tmpid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
+                /* Check to see if IDs match */
+                if (OCSP_id_issuer_cmp(cid, tmpid))
+                        {
+                        /* If algoritm mismatch let caller deal with it */
+                        if (OBJ_cmp(tmpid->hashAlgorithm->algorithm,
+                                        cid->hashAlgorithm->algorithm))
+                                        return 2;
+                        /* Else mismatch */
+                        return 0;
+                        }
+                }
+
+        /* All IDs match: only need to check one ID */
+        *ret = cid;
+        return 1;
+        }
+
+
+static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
+                        STACK_OF(OCSP_SINGLERESP) *sresp)
+        {
+        /* If only one ID to match then do it */
+        if(cid)
+                {
+                const EVP_MD *dgst;
+                X509_NAME *iname;
+                int mdlen;
+                unsigned char md[EVP_MAX_MD_SIZE];
+                if (!(dgst = EVP_get_digestbyobj(cid->hashAlgorithm->algorithm)))
+                        {
+                        OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID, OCSP_R_UNKNOWN_MESSAGE_DIGEST);
+                        return -1;
+                        }
+
+                mdlen = EVP_MD_size(dgst);
+                if ((cid->issuerNameHash->length != mdlen) ||
+                   (cid->issuerKeyHash->length != mdlen))
+                        return 0;
+                iname = X509_get_subject_name(cert);
+                if (!X509_NAME_digest(iname, dgst, md, NULL))
+                        return -1;
+                if (memcmp(md, cid->issuerNameHash->data, mdlen))
+                        return 0;
+                X509_pubkey_digest(cert, EVP_sha1(), md, NULL);
+                if (memcmp(md, cid->issuerKeyHash->data, mdlen))
+                        return 0;
+
+                return 1;
+
+                }
+        else
+                {
+                /* We have to match the whole lot */
+                int i, ret;
+                OCSP_CERTID *tmpid;
+                for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++)
+                        {
+                        tmpid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
+                        ret = ocsp_match_issuerid(cert, tmpid, NULL);
+                        if (ret <= 0) return ret;
+                        }
+                return 1;
+                }
+                        
+        }
+
+static int ocsp_check_delegated(X509 *x, int flags)
+        {
+        X509_check_purpose(x, -1, 0);
+        if ((x->ex_flags & EXFLAG_XKUSAGE) &&
+            (x->ex_xkusage & XKU_OCSP_SIGN))
+                return 1;
+        OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE);
+        return 0;
+        }
+
+/* Verify an OCSP request. This is fortunately much easier than OCSP
+ * response verify. Just find the signers certificate and verify it
+ * against a given trust value.
+ */
+
+int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags)
+        {
+        X509 *signer;
+        X509_NAME *nm;
+        GENERAL_NAME *gen;
+        int ret;
+        X509_STORE_CTX ctx;
+        if (!req->optionalSignature) 
+                {
+                OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED);
+                return 0;
+                }
+        gen = req->tbsRequest->requestorName;
+        if (gen->type != GEN_DIRNAME)
+                {
+                OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
+                return 0;
+                }
+        nm = gen->d.directoryName;
+        ret = ocsp_req_find_signer(&signer, req, nm, certs, store, flags);
+        if (ret <= 0)
+                {
+                OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
+                return 0;
+                }
+        if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
+                flags |= OCSP_NOVERIFY;
+        if (!(flags & OCSP_NOSIGS))
+                {
+                EVP_PKEY *skey;
+                skey = X509_get_pubkey(signer);
+                ret = OCSP_REQUEST_verify(req, skey);
+                EVP_PKEY_free(skey);
+                if(ret <= 0)
+                        {
+                        OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNATURE_FAILURE);
+                        return 0;
+                        }
+                }
+        if (!(flags & OCSP_NOVERIFY))
+                {
+                int init_res;
+                if(flags & OCSP_NOCHAIN)
+                        init_res = X509_STORE_CTX_init(&ctx, store, signer, NULL);
+                else
+                        init_res = X509_STORE_CTX_init(&ctx, store, signer,
+                                        req->optionalSignature->certs);
+                if(!init_res)
+                        {
+                        OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,ERR_R_X509_LIB);
+                        return 0;
+                        }
+
+                X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
+                X509_STORE_CTX_set_trust(&ctx, X509_TRUST_OCSP_REQUEST);
+                ret = X509_verify_cert(&ctx);
+                X509_STORE_CTX_cleanup(&ctx);
+                if (ret <= 0)
+                        {
+                        ret = X509_STORE_CTX_get_error(&ctx);   
+                        OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR);
+                        ERR_add_error_data(2, "Verify error:",
+                                        X509_verify_cert_error_string(ret));
+                        return 0;
+                        }
+                }
+        return 1;
+        }
+
+static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs,
+                                X509_STORE *st, unsigned long flags)
+        {
+        X509 *signer;
+        if(!(flags & OCSP_NOINTERN))
+                {
+                signer = X509_find_by_subject(req->optionalSignature->certs, nm);
+                *psigner = signer;
+                return 1;
+                }
+
+        signer = X509_find_by_subject(certs, nm);
+        if (signer)
+                {
+                *psigner = signer;
+                return 2;
+                }
+        return 0;
+        }
diff --git a/src/lib/libssl/src/crypto/opensslconf.h.in b/src/lib/libssl/src/crypto/opensslconf.h.in
new file mode 100644
index 0000000000..e4a8f8ad54
--- /dev/null
+++ b/src/lib/libssl/src/crypto/opensslconf.h.in
@@ -0,0 +1,142 @@
+/* crypto/opensslconf.h */
+/* WARNING: This file is autogenerated by Configure */
+
+/* Generate 80386 code? */
+#undef I386_ONLY
+
+#if !(defined(VMS) || defined(__VMS)) /* VMS uses logical names instead */
+#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
+#define OPENSSLDIR "/usr/local/ssl"
+#endif
+#endif
+
+#define OPENSSL_UNISTD <unistd.h>
+
+#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
+#define IDEA_INT unsigned int
+#endif
+
+#if defined(HEADER_MD2_H) && !defined(MD2_INT)
+#define MD2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC2_H) && !defined(RC2_INT)
+/* I need to put in a mod for the alpha - eay */
+#define RC2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC4_H) && !defined(RC4_INT)
+/* using int types make the structure larger but make the code faster
+ * on most boxes I have tested - up to %20 faster. */
+#define RC4_INT unsigned int
+#endif
+
+#if defined(HEADER_DES_H) && !defined(DES_LONG)
+/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
+ * %20 speed up (longs are 8 bytes, int's are 4). */
+#ifndef DES_LONG
+#define DES_LONG unsigned long
+#endif
+#endif
+
+#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
+#define CONFIG_HEADER_BN_H
+#undef BN_LLONG
+
+/* Should we define BN_DIV2W here? */
+
+/* Only one for the following should be defined */
+/* The prime number generation stuff may not work when
+ * EIGHT_BIT but I don't care since I've only used this mode
+ * for debuging the bignum libraries */
+#undef SIXTY_FOUR_BIT_LONG
+#undef SIXTY_FOUR_BIT
+#define THIRTY_TWO_BIT
+#undef SIXTEEN_BIT
+#undef EIGHT_BIT
+#endif
+
+#if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H)
+#define CONFIG_HEADER_RC4_LOCL_H
+/* if this is defined data[i] is used instead of *data, this is a %20
+ * speedup on x86 */
+#undef RC4_INDEX
+#endif
+
+#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
+#define CONFIG_HEADER_BF_LOCL_H
+#undef BF_PTR
+#endif /* HEADER_BF_LOCL_H */
+
+#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
+#define CONFIG_HEADER_DES_LOCL_H
+#ifndef DES_DEFAULT_OPTIONS
+/* the following is tweaked from a config script, that is why it is a
+ * protected undef/define */
+#ifndef DES_PTR
+#undef DES_PTR
+#endif
+
+/* This helps C compiler generate the correct code for multiple functional
+ * units.  It reduces register dependancies at the expense of 2 more
+ * registers */
+#ifndef DES_RISC1
+#undef DES_RISC1
+#endif
+
+#ifndef DES_RISC2
+#undef DES_RISC2
+#endif
+
+#if defined(DES_RISC1) && defined(DES_RISC2)
+YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
+#endif
+
+/* Unroll the inner loop, this sometimes helps, sometimes hinders.
+ * Very mucy CPU dependant */
+#ifndef DES_UNROLL
+#undef DES_UNROLL
+#endif
+
+/* These default values were supplied by
+ * Peter Gutman <pgut001@cs.auckland.ac.nz>
+ * They are only used if nothing else has been defined */
+#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
+/* Special defines which change the way the code is built depending on the
+   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
+   even newer MIPS CPU's, but at the moment one size fits all for
+   optimization options.  Older Sparc's work better with only UNROLL, but
+   there's no way to tell at compile time what it is you're running on */
+ 
+#if defined( sun )              /* Newer Sparc's */
+#  define DES_PTR
+#  define DES_RISC1
+#  define DES_UNROLL
+#elif defined( __ultrix )       /* Older MIPS */
+#  define DES_PTR
+#  define DES_RISC2
+#  define DES_UNROLL
+#elif defined( __osf1__ )       /* Alpha */
+#  define DES_PTR
+#  define DES_RISC2
+#elif defined ( _AIX )          /* RS6000 */
+  /* Unknown */
+#elif defined( __hpux )         /* HP-PA */
+  /* Unknown */
+#elif defined( __aux )          /* 68K */
+  /* Unknown */
+#elif defined( __dgux )         /* 88K (but P6 in latest boxes) */
+#  define DES_UNROLL
+#elif defined( __sgi )          /* Newer MIPS */
+#  define DES_PTR
+#  define DES_RISC2
+#  define DES_UNROLL
+#elif defined( i386 )           /* x86 boxes, should be gcc */
+#  define DES_PTR
+#  define DES_RISC1
+#  define DES_UNROLL
+#endif /* Systems-specific speed defines */
+#endif
+
+#endif /* DES_DEFAULT_OPTIONS */
+#endif /* HEADER_DES_LOCL_H */
diff --git a/src/lib/libssl/src/crypto/opensslv.h b/src/lib/libssl/src/crypto/opensslv.h
new file mode 100644
index 0000000000..b841347f05
--- /dev/null
+++ b/src/lib/libssl/src/crypto/opensslv.h
@@ -0,0 +1,21 @@
+#ifndef HEADER_OPENSSLV_H
+#define HEADER_OPENSSLV_H
+
+/* Numeric release version identifier:
+ * MMNNFFRBB: major minor fix final beta/patch
+ * For example:
+ * 0.9.3-dev      0x00903000
+ * 0.9.3beta1     0x00903001
+ * 0.9.3beta2-dev 0x00903002
+ * 0.9.3beta2     0x00903002
+ * 0.9.3          0x00903100
+ * 0.9.3a         0x00903101
+ * 0.9.4          0x00904100
+ * 1.2.3z         0x1020311a
+ * (Prior to 0.9.3-dev a different scheme was used: 0.9.2b is 0x0922.)
+ */
+#define OPENSSL_VERSION_NUMBER  0x00904100L
+#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.4 09 Aug 1999"
+#define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
+
+#endif /* HEADER_OPENSSLV_H */
diff --git a/src/lib/libssl/src/crypto/ossl_typ.h b/src/lib/libssl/src/crypto/ossl_typ.h
new file mode 100644
index 0000000000..6bd42aee4d
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ossl_typ.h
@@ -0,0 +1,120 @@
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_OPENSSL_TYPES_H
+#define HEADER_OPENSSL_TYPES_H
+
+#ifdef NO_ASN1_TYPEDEFS
+#define ASN1_INTEGER            ASN1_STRING
+#define ASN1_ENUMERATED         ASN1_STRING
+#define ASN1_BIT_STRING         ASN1_STRING
+#define ASN1_OCTET_STRING       ASN1_STRING
+#define ASN1_PRINTABLESTRING    ASN1_STRING
+#define ASN1_T61STRING          ASN1_STRING
+#define ASN1_IA5STRING          ASN1_STRING
+#define ASN1_UTCTIME            ASN1_STRING
+#define ASN1_GENERALIZEDTIME    ASN1_STRING
+#define ASN1_TIME               ASN1_STRING
+#define ASN1_GENERALSTRING      ASN1_STRING
+#define ASN1_UNIVERSALSTRING    ASN1_STRING
+#define ASN1_BMPSTRING          ASN1_STRING
+#define ASN1_VISIBLESTRING      ASN1_STRING
+#define ASN1_UTF8STRING         ASN1_STRING
+#define ASN1_BOOLEAN            int
+#define ASN1_NULL               int
+#else
+typedef struct asn1_string_st ASN1_INTEGER;
+typedef struct asn1_string_st ASN1_ENUMERATED;
+typedef struct asn1_string_st ASN1_BIT_STRING;
+typedef struct asn1_string_st ASN1_OCTET_STRING;
+typedef struct asn1_string_st ASN1_PRINTABLESTRING;
+typedef struct asn1_string_st ASN1_T61STRING;
+typedef struct asn1_string_st ASN1_IA5STRING;
+typedef struct asn1_string_st ASN1_GENERALSTRING;
+typedef struct asn1_string_st ASN1_UNIVERSALSTRING;
+typedef struct asn1_string_st ASN1_BMPSTRING;
+typedef struct asn1_string_st ASN1_UTCTIME;
+typedef struct asn1_string_st ASN1_TIME;
+typedef struct asn1_string_st ASN1_GENERALIZEDTIME;
+typedef struct asn1_string_st ASN1_VISIBLESTRING;
+typedef struct asn1_string_st ASN1_UTF8STRING;
+typedef int ASN1_BOOLEAN;
+typedef int ASN1_NULL;
+#endif
+
+#ifdef OPENSSL_SYS_WIN32
+#undef X509_NAME
+#undef PKCS7_ISSUER_AND_SERIAL
+#endif
+
+typedef struct evp_cipher_st EVP_CIPHER;
+typedef struct evp_cipher_ctx_st EVP_CIPHER_CTX;
+typedef struct env_md_st EVP_MD;
+typedef struct env_md_ctx_st EVP_MD_CTX;
+typedef struct evp_pkey_st EVP_PKEY;
+
+typedef struct x509_st X509;
+typedef struct X509_algor_st X509_ALGOR;
+typedef struct X509_crl_st X509_CRL;
+typedef struct X509_name_st X509_NAME;
+typedef struct x509_store_st X509_STORE;
+typedef struct x509_store_ctx_st X509_STORE_CTX;
+
+typedef struct engine_st ENGINE;
+
+  /* If placed in pkcs12.h, we end up with a circular depency with pkcs7.h */
+#define DECLARE_PKCS12_STACK_OF(type) /* Nothing */
+#define IMPLEMENT_PKCS12_STACK_OF(type) /* Nothing */
+
+#endif /* def HEADER_OPENSSL_TYPES_H */
diff --git a/src/lib/libssl/src/crypto/pem/pem2.h b/src/lib/libssl/src/crypto/pem/pem2.h
new file mode 100644
index 0000000000..4a016aacd2
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pem/pem2.h
@@ -0,0 +1,60 @@
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * This header only exists to break a circular dependency between pem and err
+ * Ben 30 Jan 1999.
+ */
+
+void ERR_load_PEM_strings(void);
diff --git a/src/lib/libssl/src/crypto/pem/pem_oth.c b/src/lib/libssl/src/crypto/pem/pem_oth.c
new file mode 100644
index 0000000000..8d9064ea7c
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pem/pem_oth.c
@@ -0,0 +1,85 @@
+/* crypto/pem/pem_oth.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+/* Handle 'other' PEMs: not private keys */
+
+char *PEM_ASN1_read_bio(char *(*d2i)(), const char *name, BIO *bp, char **x,
+             pem_password_cb *cb, void *u)
+        {
+        unsigned char *p=NULL,*data=NULL;
+        long len;
+        char *ret=NULL;
+
+        if (!PEM_bytes_read_bio(&data, &len, NULL, name, bp, cb, u))
+                return NULL;
+        p = data;
+        ret=d2i(x,&p,len);
+        if (ret == NULL)
+                PEMerr(PEM_F_PEM_ASN1_READ_BIO,ERR_R_ASN1_LIB);
+        OPENSSL_free(data);
+        return(ret);
+        }
diff --git a/src/lib/libssl/src/crypto/pem/pem_pk8.c b/src/lib/libssl/src/crypto/pem/pem_pk8.c
new file mode 100644
index 0000000000..f44182ffb5
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pem/pem_pk8.c
@@ -0,0 +1,243 @@
+/* crypto/pem/pem_pkey.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+#include <openssl/pkcs12.h>
+#include <openssl/pem.h>
+
+static int do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder,
+                                int nid, const EVP_CIPHER *enc,
+                                char *kstr, int klen,
+                                pem_password_cb *cb, void *u);
+static int do_pk8pkey_fp(FILE *bp, EVP_PKEY *x, int isder,
+                                int nid, const EVP_CIPHER *enc,
+                                char *kstr, int klen,
+                                pem_password_cb *cb, void *u);
+
+/* These functions write a private key in PKCS#8 format: it is a "drop in"
+ * replacement for PEM_write_bio_PrivateKey() and friends. As usual if 'enc'
+ * is NULL then it uses the unencrypted private key form. The 'nid' versions
+ * uses PKCS#5 v1.5 PBE algorithms whereas the others use PKCS#5 v2.0.
+ */
+
+int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, EVP_PKEY *x, int nid,
+                                  char *kstr, int klen,
+                                  pem_password_cb *cb, void *u)
+{
+        return do_pk8pkey(bp, x, 0, nid, NULL, kstr, klen, cb, u);
+}
+
+int PEM_write_bio_PKCS8PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
+                                  char *kstr, int klen,
+                                  pem_password_cb *cb, void *u)
+{
+        return do_pk8pkey(bp, x, 0, -1, enc, kstr, klen, cb, u);
+}
+
+int i2d_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
+                                  char *kstr, int klen,
+                                  pem_password_cb *cb, void *u)
+{
+        return do_pk8pkey(bp, x, 1, -1, enc, kstr, klen, cb, u);
+}
+
+int i2d_PKCS8PrivateKey_nid_bio(BIO *bp, EVP_PKEY *x, int nid,
+                                  char *kstr, int klen,
+                                  pem_password_cb *cb, void *u)
+{
+        return do_pk8pkey(bp, x, 1, nid, NULL, kstr, klen, cb, u);
+}
+
+static int do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder, int nid, const EVP_CIPHER *enc,
+                                  char *kstr, int klen,
+                                  pem_password_cb *cb, void *u)
+{
+        X509_SIG *p8;
+        PKCS8_PRIV_KEY_INFO *p8inf;
+        char buf[PEM_BUFSIZE];
+        int ret;
+        if(!(p8inf = EVP_PKEY2PKCS8(x))) {
+                PEMerr(PEM_F_PEM_WRITE_BIO_PKCS8PRIVATEKEY,
+                                        PEM_R_ERROR_CONVERTING_PRIVATE_KEY);
+                return 0;
+        }
+        if(enc || (nid != -1)) {
+                if(!kstr) {
+                        if(!cb) klen = PEM_def_callback(buf, PEM_BUFSIZE, 1, u);
+                        else klen = cb(buf, PEM_BUFSIZE, 1, u);
+                        if(klen <= 0) {
+                                PEMerr(PEM_F_PEM_WRITE_BIO_PKCS8PRIVATEKEY,
+                                                                PEM_R_READ_KEY);
+                                PKCS8_PRIV_KEY_INFO_free(p8inf);
+                                return 0;
+                        }
+                                
+                        kstr = buf;
+                }
+                p8 = PKCS8_encrypt(nid, enc, kstr, klen, NULL, 0, 0, p8inf);
+                if(kstr == buf) memset(buf, 0, klen);
+                PKCS8_PRIV_KEY_INFO_free(p8inf);
+                if(isder) ret = i2d_PKCS8_bio(bp, p8);
+                else ret = PEM_write_bio_PKCS8(bp, p8);
+                X509_SIG_free(p8);
+                return ret;
+        } else {
+                if(isder) ret = i2d_PKCS8_PRIV_KEY_INFO_bio(bp, p8inf);
+                else ret = PEM_write_bio_PKCS8_PRIV_KEY_INFO(bp, p8inf);
+                PKCS8_PRIV_KEY_INFO_free(p8inf);
+                return ret;
+        }
+}
+
+EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u)
+{
+        PKCS8_PRIV_KEY_INFO *p8inf = NULL;
+        X509_SIG *p8 = NULL;
+        int klen;
+        EVP_PKEY *ret;
+        char psbuf[PEM_BUFSIZE];
+        p8 = d2i_PKCS8_bio(bp, NULL);
+        if(!p8) return NULL;
+        if (cb) klen=cb(psbuf,PEM_BUFSIZE,0,u);
+        else klen=PEM_def_callback(psbuf,PEM_BUFSIZE,0,u);
+        if (klen <= 0) {
+                PEMerr(PEM_F_D2I_PKCS8PRIVATEKEY_BIO, PEM_R_BAD_PASSWORD_READ);
+                X509_SIG_free(p8);
+                return NULL;    
+        }
+        p8inf = PKCS8_decrypt(p8, psbuf, klen);
+        X509_SIG_free(p8);
+        if(!p8inf) return NULL;
+        ret = EVP_PKCS82PKEY(p8inf);
+        PKCS8_PRIV_KEY_INFO_free(p8inf);
+        if(!ret) return NULL;
+        if(x) {
+                if(*x) EVP_PKEY_free(*x);
+                *x = ret;
+        }
+        return ret;
+}
+
+#ifndef OPENSSL_NO_FP_API
+
+int i2d_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
+                                  char *kstr, int klen,
+                                  pem_password_cb *cb, void *u)
+{
+        return do_pk8pkey_fp(fp, x, 1, -1, enc, kstr, klen, cb, u);
+}
+
+int i2d_PKCS8PrivateKey_nid_fp(FILE *fp, EVP_PKEY *x, int nid,
+                                  char *kstr, int klen,
+                                  pem_password_cb *cb, void *u)
+{
+        return do_pk8pkey_fp(fp, x, 1, nid, NULL, kstr, klen, cb, u);
+}
+
+int PEM_write_PKCS8PrivateKey_nid(FILE *fp, EVP_PKEY *x, int nid,
+                                  char *kstr, int klen,
+                                  pem_password_cb *cb, void *u)
+{
+        return do_pk8pkey_fp(fp, x, 0, nid, NULL, kstr, klen, cb, u);
+}
+
+int PEM_write_PKCS8PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
+                              char *kstr, int klen, pem_password_cb *cb, void *u)
+{
+        return do_pk8pkey_fp(fp, x, 0, -1, enc, kstr, klen, cb, u);
+}
+
+static int do_pk8pkey_fp(FILE *fp, EVP_PKEY *x, int isder, int nid, const EVP_CIPHER *enc,
+                                  char *kstr, int klen,
+                                  pem_password_cb *cb, void *u)
+{
+        BIO *bp;
+        int ret;
+        if(!(bp = BIO_new_fp(fp, BIO_NOCLOSE))) {
+                PEMerr(PEM_F_PEM_F_DO_PK8KEY_FP,ERR_R_BUF_LIB);
+                return(0);
+        }
+        ret = do_pk8pkey(bp, x, isder, nid, enc, kstr, klen, cb, u);
+        BIO_free(bp);
+        return ret;
+}
+
+EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u)
+{
+        BIO *bp;
+        EVP_PKEY *ret;
+        if(!(bp = BIO_new_fp(fp, BIO_NOCLOSE))) {
+                PEMerr(PEM_F_D2I_PKCS8PRIVATEKEY_FP,ERR_R_BUF_LIB);
+                return NULL;
+        }
+        ret = d2i_PKCS8PrivateKey_bio(bp, x, cb, u);
+        BIO_free(bp);
+        return ret;
+}
+
+#endif
+
+IMPLEMENT_PEM_rw(PKCS8, X509_SIG, PEM_STRING_PKCS8, X509_SIG)
+IMPLEMENT_PEM_rw(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO, PEM_STRING_PKCS8INF,
+                                                         PKCS8_PRIV_KEY_INFO)
diff --git a/src/lib/libssl/src/crypto/pem/pem_pkey.c b/src/lib/libssl/src/crypto/pem/pem_pkey.c
new file mode 100644
index 0000000000..270892d72b
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pem/pem_pkey.c
@@ -0,0 +1,139 @@
+/* crypto/pem/pem_pkey.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+#include <openssl/pkcs12.h>
+#include <openssl/pem.h>
+
+
+EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u)
+        {
+        char *nm=NULL;
+        unsigned char *p=NULL,*data=NULL;
+        long len;
+        EVP_PKEY *ret=NULL;
+
+        if (!PEM_bytes_read_bio(&data, &len, &nm, PEM_STRING_EVP_PKEY, bp, cb, u))
+                return NULL;
+        p = data;
+
+        if (strcmp(nm,PEM_STRING_RSA) == 0)
+                ret=d2i_PrivateKey(EVP_PKEY_RSA,x,&p,len);
+        else if (strcmp(nm,PEM_STRING_DSA) == 0)
+                ret=d2i_PrivateKey(EVP_PKEY_DSA,x,&p,len);
+        else if (strcmp(nm,PEM_STRING_PKCS8INF) == 0) {
+                PKCS8_PRIV_KEY_INFO *p8inf;
+                p8inf=d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, len);
+                ret = EVP_PKCS82PKEY(p8inf);
+                PKCS8_PRIV_KEY_INFO_free(p8inf);
+        } else if (strcmp(nm,PEM_STRING_PKCS8) == 0) {
+                PKCS8_PRIV_KEY_INFO *p8inf;
+                X509_SIG *p8;
+                int klen;
+                char psbuf[PEM_BUFSIZE];
+                p8 = d2i_X509_SIG(NULL, &p, len);
+                if(!p8) goto p8err;
+                if (cb) klen=cb(psbuf,PEM_BUFSIZE,0,u);
+                else klen=PEM_def_callback(psbuf,PEM_BUFSIZE,0,u);
+                if (klen <= 0) {
+                        PEMerr(PEM_F_PEM_ASN1_READ_BIO,
+                                        PEM_R_BAD_PASSWORD_READ);
+                        goto err;
+                }
+                p8inf = PKCS8_decrypt(p8, psbuf, klen);
+                X509_SIG_free(p8);
+                if(!p8inf) goto p8err;
+                ret = EVP_PKCS82PKEY(p8inf);
+                if(x) {
+                        if(*x) EVP_PKEY_free((EVP_PKEY *)*x);
+                        *x = ret;
+                }
+                PKCS8_PRIV_KEY_INFO_free(p8inf);
+        }
+p8err:
+        if (ret == NULL)
+                PEMerr(PEM_F_PEM_ASN1_READ_BIO,ERR_R_ASN1_LIB);
+err:
+        OPENSSL_free(nm);
+        OPENSSL_free(data);
+        return(ret);
+        }
+
+#ifndef OPENSSL_NO_FP_API
+EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u)
+        {
+        BIO *b;
+        EVP_PKEY *ret;
+
+        if ((b=BIO_new(BIO_s_file())) == NULL)
+                {
+                PEMerr(PEM_F_PEM_ASN1_READ,ERR_R_BUF_LIB);
+                return(0);
+                }
+        BIO_set_fp(b,fp,BIO_NOCLOSE);
+        ret=PEM_read_bio_PrivateKey(b,x,cb,u);
+        BIO_free(b);
+        return(ret);
+        }
+#endif
diff --git a/src/lib/libssl/src/crypto/pem/pem_x509.c b/src/lib/libssl/src/crypto/pem/pem_x509.c
new file mode 100644
index 0000000000..19f88d8d3a
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pem/pem_x509.c
@@ -0,0 +1,69 @@
+/* pem_x509.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#undef SSLEAY_MACROS
+#include "cryptlib.h"
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pkcs7.h>
+#include <openssl/pem.h>
+
+IMPLEMENT_PEM_rw(X509, X509, PEM_STRING_X509, X509)
+
diff --git a/src/lib/libssl/src/crypto/pem/pem_xaux.c b/src/lib/libssl/src/crypto/pem/pem_xaux.c
new file mode 100644
index 0000000000..2f579b5421
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pem/pem_xaux.c
@@ -0,0 +1,68 @@
+/* pem_xaux.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#undef SSLEAY_MACROS
+#include "cryptlib.h"
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pkcs7.h>
+#include <openssl/pem.h>
+
+IMPLEMENT_PEM_rw(X509_AUX, X509, PEM_STRING_X509_TRUSTED, X509_AUX)
diff --git a/src/lib/libssl/src/crypto/perlasm/alpha.pl b/src/lib/libssl/src/crypto/perlasm/alpha.pl
new file mode 100644
index 0000000000..3dac571743
--- /dev/null
+++ b/src/lib/libssl/src/crypto/perlasm/alpha.pl
@@ -0,0 +1,434 @@
+#!/usr/local/bin/perl
+
+package alpha;
+use Carp qw(croak cluck);
+
+$label="100";
+
+$n_debug=0;
+$smear_regs=1;
+$reg_alloc=1;
+
+$align="3";
+$com_start="#";
+
+sub main'asm_init_output { @out=(); }
+sub main'asm_get_output { return(@out); }
+sub main'get_labels { return(@labels); }
+sub main'external_label { push(@labels,@_); }
+
+# General registers
+
+%regs=( 'r0',   '$0',
+        'r1',   '$1',
+        'r2',   '$2',
+        'r3',   '$3',
+        'r4',   '$4',
+        'r5',   '$5',
+        'r6',   '$6',
+        'r7',   '$7',
+        'r8',   '$8',
+        'r9',   '$22',
+        'r10',  '$23',
+        'r11',  '$24',
+        'r12',  '$25',
+        'r13',  '$27',
+        'r14',  '$28',
+        'r15',  '$21', # argc == 5
+        'r16',  '$20', # argc == 4
+        'r17',  '$19', # argc == 3
+        'r18',  '$18', # argc == 2
+        'r19',  '$17', # argc == 1
+        'r20',  '$16', # argc == 0
+        'r21',  '$9',  # save 0
+        'r22',  '$10', # save 1
+        'r23',  '$11', # save 2
+        'r24',  '$12', # save 3
+        'r25',  '$13', # save 4
+        'r26',  '$14', # save 5
+
+        'a0',   '$16',
+        'a1',   '$17',
+        'a2',   '$18',
+        'a3',   '$19',
+        'a4',   '$20',
+        'a5',   '$21',
+
+        's0',   '$9',
+        's1',   '$10',
+        's2',   '$11',
+        's3',   '$12',
+        's4',   '$13',
+        's5',   '$14',
+        'zero', '$31',
+        'sp',   '$30',
+        );
+
+$main'reg_s0="r21";
+$main'reg_s1="r22";
+$main'reg_s2="r23";
+$main'reg_s3="r24";
+$main'reg_s4="r25";
+$main'reg_s5="r26";
+
+@reg=(  '$0', '$1' ,'$2' ,'$3' ,'$4' ,'$5' ,'$6' ,'$7' ,'$8',
+        '$22','$23','$24','$25','$20','$21','$27','$28');
+
+
+sub main'sub    { &out3("subq",@_); }
+sub main'add    { &out3("addq",@_); }
+sub main'mov    { &out3("bis",$_[0],$_[0],$_[1]); }
+sub main'or     { &out3("bis",@_); }
+sub main'bis    { &out3("bis",@_); }
+sub main'br     { &out1("br",@_); }
+sub main'ld     { &out2("ldq",@_); }
+sub main'st     { &out2("stq",@_); }
+sub main'cmpult { &out3("cmpult",@_); }
+sub main'cmplt  { &out3("cmplt",@_); }
+sub main'bgt    { &out2("bgt",@_); }
+sub main'ble    { &out2("ble",@_); }
+sub main'blt    { &out2("blt",@_); }
+sub main'mul    { &out3("mulq",@_); }
+sub main'muh    { &out3("umulh",@_); }
+
+$main'QWS=8;
+
+sub main'asm_add
+        {
+        push(@out,@_);
+        }
+
+sub main'asm_finish
+        {
+        &main'file_end();
+        print &main'asm_get_output();
+        }
+
+sub main'asm_init
+        {
+        ($type,$fn)=@_;
+        $filename=$fn;
+
+        &main'asm_init_output();
+        &main'comment("Don't even think of reading this code");
+        &main'comment("It was automatically generated by $filename");
+        &main'comment("Which is a perl program used to generate the alpha assember.");
+        &main'comment("eric <eay\@cryptsoft.com>");
+        &main'comment("");
+
+        $filename =~ s/\.pl$//;
+        &main'file($filename);
+        }
+
+sub conv
+        {
+        local($r)=@_;
+        local($v);
+
+        return($regs{$r}) if defined($regs{$r});
+        return($r);
+        }
+
+sub main'QWPw
+        {
+        local($off,$reg)=@_;
+
+        return(&main'QWP($off*8,$reg));
+        }
+
+sub main'QWP
+        {
+        local($off,$reg)=@_;
+
+        $ret="$off(".&conv($reg).")";
+        return($ret);
+        }
+
+sub out3
+        {
+        local($name,$p1,$p2,$p3)=@_;
+
+        $p1=&conv($p1);
+        $p2=&conv($p2);
+        $p3=&conv($p3);
+        push(@out,"\t$name\t");
+        $l=length($p1)+1;
+        push(@out,$p1.",");
+        $ll=3-($l+9)/8;
+        $tmp1=sprintf("\t" x $ll);
+        push(@out,$tmp1);
+
+        $l=length($p2)+1;
+        push(@out,$p2.",");
+        $ll=3-($l+9)/8;
+        $tmp1=sprintf("\t" x $ll);
+        push(@out,$tmp1);
+
+        push(@out,&conv($p3)."\n");
+        }
+
+sub out2
+        {
+        local($name,$p1,$p2,$p3)=@_;
+
+        $p1=&conv($p1);
+        $p2=&conv($p2);
+        push(@out,"\t$name\t");
+        $l=length($p1)+1;
+        push(@out,$p1.",");
+        $ll=3-($l+9)/8;
+        $tmp1=sprintf("\t" x $ll);
+        push(@out,$tmp1);
+
+        push(@out,&conv($p2)."\n");
+        }
+
+sub out1
+        {
+        local($name,$p1)=@_;
+
+        $p1=&conv($p1);
+        push(@out,"\t$name\t".$p1."\n");
+        }
+
+sub out0
+        {
+        push(@out,"\t$_[0]\n");
+        }
+
+sub main'file
+        {
+        local($file)=@_;
+
+        local($tmp)=<<"EOF";
+ # DEC Alpha assember
+ # Generated from perl scripts contains in SSLeay
+        .file   1 "$file.s"
+        .set noat
+EOF
+        push(@out,$tmp);
+        }
+
+sub main'function_begin
+        {
+        local($func)=@_;
+
+print STDERR "$func\n";
+        local($tmp)=<<"EOF";
+        .text
+        .align $align
+        .globl $func
+        .ent $func
+${func}:
+${func}..ng:
+        .frame \$30,0,\$26,0
+        .prologue 0
+EOF
+        push(@out,$tmp);
+        $stack=0;
+        }
+
+sub main'function_end
+        {
+        local($func)=@_;
+
+        local($tmp)=<<"EOF";
+        ret     \$31,(\$26),1
+        .end $func
+EOF
+        push(@out,$tmp);
+        $stack=0;
+        %label=();
+        }
+
+sub main'function_end_A
+        {
+        local($func)=@_;
+
+        local($tmp)=<<"EOF";
+        ret     \$31,(\$26),1
+EOF
+        push(@out,$tmp);
+        }
+
+sub main'function_end_B
+        {
+        local($func)=@_;
+
+        $func=$under.$func;
+
+        push(@out,"\t.end $func\n");
+        $stack=0;
+        %label=();
+        }
+
+sub main'wparam
+        {
+        local($num)=@_;
+
+        if ($num < 6)
+                {
+                $num=20-$num;
+                return("r$num");
+                }
+        else
+                { return(&main'QWP($stack+$num*8,"sp")); }
+        }
+
+sub main'stack_push
+        {
+        local($num)=@_;
+        $stack+=$num*8;
+        &main'sub("sp",$num*8,"sp");
+        }
+
+sub main'stack_pop
+        {
+        local($num)=@_;
+        $stack-=$num*8;
+        &main'add("sp",$num*8,"sp");
+        }
+
+sub main'swtmp
+        {
+        return(&main'QWP(($_[0])*8,"sp"));
+        }
+
+# Should use swtmp, which is above sp.  Linix can trash the stack above esp
+#sub main'wtmp
+#       {
+#       local($num)=@_;
+#
+#       return(&main'QWP(-($num+1)*4,"esp","",0));
+#       }
+
+sub main'comment
+        {
+        foreach (@_)
+                {
+                if (/^\s*$/)
+                        { push(@out,"\n"); }
+                else
+                        { push(@out,"\t$com_start $_ $com_end\n"); }
+                }
+        }
+
+sub main'label
+        {
+        if (!defined($label{$_[0]}))
+                {
+                $label{$_[0]}=$label;
+                $label++;
+                }
+        return('$'.$label{$_[0]});
+        }
+
+sub main'set_label
+        {
+        if (!defined($label{$_[0]}))
+                {
+                $label{$_[0]}=$label;
+                $label++;
+                }
+#       push(@out,".align $align\n") if ($_[1] != 0);
+        push(@out,'$'."$label{$_[0]}:\n");
+        }
+
+sub main'file_end
+        {
+        }
+
+sub main'data_word
+        {
+        push(@out,"\t.long $_[0]\n");
+        }
+
+@pool_free=();
+@pool_taken=();
+$curr_num=0;
+$max=0;
+
+sub main'init_pool
+        {
+        local($args)=@_;
+        local($i);
+
+        @pool_free=();
+        for ($i=(14+(6-$args)); $i >= 0; $i--)
+                {
+                push(@pool_free,"r$i");
+                }
+        print STDERR "START :register pool:@pool_free\n";
+        $curr_num=$max=0;
+        }
+
+sub main'fin_pool
+        {
+        printf STDERR "END %2d:register pool:@pool_free\n",$max;
+        }
+
+sub main'GR
+        {
+        local($r)=@_;
+        local($i,@n,$_);
+
+        foreach (@pool_free)
+                {
+                if ($r ne $_)
+                        { push(@n,$_); }
+                else
+                        {
+                        $curr_num++;
+                        $max=$curr_num if ($curr_num > $max);
+                        }
+                }
+        @pool_free=@n;
+print STDERR "GR:@pool_free\n" if $reg_alloc;
+        return(@_);
+        }
+
+sub main'NR
+        {
+        local($num)=@_;
+        local(@ret);
+
+        $num=1 if $num == 0;
+        ($#pool_free >= ($num-1)) || croak "out of registers: want $num, have @pool_free";
+        while ($num > 0)
+                {
+                push(@ret,pop @pool_free);
+                $curr_num++;
+                $max=$curr_num if ($curr_num > $max);
+                $num--
+                }
+        print STDERR "nr @ret\n" if $n_debug;
+print STDERR "NR:@pool_free\n" if $reg_alloc;
+        return(@ret);
+
+        }
+
+sub main'FR
+        {
+        local(@r)=@_;
+        local(@a,$v,$w);
+
+        print STDERR "fr @r\n" if $n_debug;
+#       cluck "fr @r";
+        for $w (@pool_free)
+                {
+                foreach $v (@r)
+                        {
+                        croak "double register free of $v (@pool_free)" if $w eq $v;
+                        }
+                }
+        foreach $v (@r)
+                {
+                croak "bad argument to FR" if ($v !~ /^r\d+$/);
+                if ($smear_regs)
+                        { unshift(@pool_free,$v); }
+                else    { push(@pool_free,$v); }
+                $curr_num--;
+                }
+print STDERR "FR:@pool_free\n" if $reg_alloc;
+        }
+1;
diff --git a/src/lib/libssl/src/crypto/perlasm/x86nasm.pl b/src/lib/libssl/src/crypto/perlasm/x86nasm.pl
new file mode 100644
index 0000000000..b4da364bbf
--- /dev/null
+++ b/src/lib/libssl/src/crypto/perlasm/x86nasm.pl
@@ -0,0 +1,342 @@
+#!/usr/local/bin/perl
+
+package x86nasm;
+
+$label="L000";
+
+%lb=(   'eax',  'al',
+        'ebx',  'bl',
+        'ecx',  'cl',
+        'edx',  'dl',
+        'ax',   'al',
+        'bx',   'bl',
+        'cx',   'cl',
+        'dx',   'dl',
+        );
+
+%hb=(   'eax',  'ah',
+        'ebx',  'bh',
+        'ecx',  'ch',
+        'edx',  'dh',
+        'ax',   'ah',
+        'bx',   'bh',
+        'cx',   'ch',
+        'dx',   'dh',
+        );
+
+sub main'asm_init_output { @out=(); }
+sub main'asm_get_output { return(@out); }
+sub main'get_labels { return(@labels); }
+
+sub main'external_label
+{
+        push(@labels,@_);
+        foreach (@_) {
+                push(@out, "extern\t_$_\n");
+        }
+}
+
+sub main'LB
+        {
+        (defined($lb{$_[0]})) || die "$_[0] does not have a 'low byte'\n";
+        return($lb{$_[0]});
+        }
+
+sub main'HB
+        {
+        (defined($hb{$_[0]})) || die "$_[0] does not have a 'high byte'\n";
+        return($hb{$_[0]});
+        }
+
+sub main'BP
+        {
+        &get_mem("BYTE",@_);
+        }
+
+sub main'DWP
+        {
+        &get_mem("DWORD",@_);
+        }
+
+sub main'BC
+        {
+        return "BYTE @_";
+        }
+
+sub main'DWC
+        {
+        return "DWORD @_";
+        }
+
+sub main'stack_push
+        {
+        my($num)=@_;
+        $stack+=$num*4;
+        &main'sub("esp",$num*4);
+        }
+
+sub main'stack_pop
+        {
+        my($num)=@_;
+        $stack-=$num*4;
+        &main'add("esp",$num*4);
+        }
+
+sub get_mem
+        {
+        my($size,$addr,$reg1,$reg2,$idx)=@_;
+        my($t,$post);
+        my($ret)="[";
+        $addr =~ s/^\s+//;
+        if ($addr =~ /^(.+)\+(.+)$/)
+                {
+                $reg2=&conv($1);
+                $addr="_$2";
+                }
+        elsif ($addr =~ /^[_a-zA-Z]/)
+                {
+                $addr="_$addr";
+                }
+
+        $reg1="$regs{$reg1}" if defined($regs{$reg1});
+        $reg2="$regs{$reg2}" if defined($regs{$reg2});
+        if (($addr ne "") && ($addr ne 0))
+                {
+                if ($addr !~ /^-/)
+                        { $ret.="${addr}+"; }
+                else    { $post=$addr; }
+                }
+        if ($reg2 ne "")
+                {
+                $t="";
+                $t="*$idx" if ($idx != 0);
+                $reg1="+".$reg1 if ("$reg1$post" ne "");
+                $ret.="$reg2$t$reg1$post]";
+                }
+        else
+                {
+                $ret.="$reg1$post]"
+                }
+        return($ret);
+        }
+
+sub main'mov    { &out2("mov",@_); }
+sub main'movb   { &out2("mov",@_); }
+sub main'and    { &out2("and",@_); }
+sub main'or     { &out2("or",@_); }
+sub main'shl    { &out2("shl",@_); }
+sub main'shr    { &out2("shr",@_); }
+sub main'xor    { &out2("xor",@_); }
+sub main'xorb   { &out2("xor",@_); }
+sub main'add    { &out2("add",@_); }
+sub main'adc    { &out2("adc",@_); }
+sub main'sub    { &out2("sub",@_); }
+sub main'rotl   { &out2("rol",@_); }
+sub main'rotr   { &out2("ror",@_); }
+sub main'exch   { &out2("xchg",@_); }
+sub main'cmp    { &out2("cmp",@_); }
+sub main'lea    { &out2("lea",@_); }
+sub main'mul    { &out1("mul",@_); }
+sub main'div    { &out1("div",@_); }
+sub main'dec    { &out1("dec",@_); }
+sub main'inc    { &out1("inc",@_); }
+sub main'jmp    { &out1("jmp",@_); }
+sub main'jmp_ptr { &out1p("jmp",@_); }
+
+# This is a bit of a kludge: declare all branches as NEAR.
+sub main'je     { &out1("je NEAR",@_); }
+sub main'jle    { &out1("jle NEAR",@_); }
+sub main'jz     { &out1("jz NEAR",@_); }
+sub main'jge    { &out1("jge NEAR",@_); }
+sub main'jl     { &out1("jl NEAR",@_); }
+sub main'jb     { &out1("jb NEAR",@_); }
+sub main'jc     { &out1("jc NEAR",@_); }
+sub main'jnc    { &out1("jnc NEAR",@_); }
+sub main'jnz    { &out1("jnz NEAR",@_); }
+sub main'jne    { &out1("jne NEAR",@_); }
+sub main'jno    { &out1("jno NEAR",@_); }
+
+sub main'push   { &out1("push",@_); $stack+=4; }
+sub main'pop    { &out1("pop",@_); $stack-=4; }
+sub main'bswap  { &out1("bswap",@_); &using486(); }
+sub main'not    { &out1("not",@_); }
+sub main'call   { &out1("call",'_'.$_[0]); }
+sub main'ret    { &out0("ret"); }
+sub main'nop    { &out0("nop"); }
+
+sub out2
+        {
+        my($name,$p1,$p2)=@_;
+        my($l,$t);
+
+        push(@out,"\t$name\t");
+        $t=&conv($p1).",";
+        $l=length($t);
+        push(@out,$t);
+        $l=4-($l+9)/8;
+        push(@out,"\t" x $l);
+        push(@out,&conv($p2));
+        push(@out,"\n");
+        }
+
+sub out0
+        {
+        my($name)=@_;
+
+        push(@out,"\t$name\n");
+        }
+
+sub out1
+        {
+        my($name,$p1)=@_;
+        my($l,$t);
+        push(@out,"\t$name\t".&conv($p1)."\n");
+        }
+
+sub conv
+        {
+        my($p)=@_;
+        $p =~ s/0x([0-9A-Fa-f]+)/0$1h/;
+        return $p;
+        }
+
+sub using486
+        {
+        return if $using486;
+        $using486++;
+        grep(s/\.386/\.486/,@out);
+        }
+
+sub main'file
+        {
+        push(@out, "segment .text\n");
+        }
+
+sub main'function_begin
+        {
+        my($func,$extra)=@_;
+
+        push(@labels,$func);
+        my($tmp)=<<"EOF";
+global  _$func
+_$func:
+        push    ebp
+        push    ebx
+        push    esi
+        push    edi
+EOF
+        push(@out,$tmp);
+        $stack=20;
+        }
+
+sub main'function_begin_B
+        {
+        my($func,$extra)=@_;
+        my($tmp)=<<"EOF";
+global  _$func
+_$func:
+EOF
+        push(@out,$tmp);
+        $stack=4;
+        }
+
+sub main'function_end
+        {
+        my($func)=@_;
+
+        my($tmp)=<<"EOF";
+        pop     edi
+        pop     esi
+        pop     ebx
+        pop     ebp
+        ret
+EOF
+        push(@out,$tmp);
+        $stack=0;
+        %label=();
+        }
+
+sub main'function_end_B
+        {
+        $stack=0;
+        %label=();
+        }
+
+sub main'function_end_A
+        {
+        my($func)=@_;
+
+        my($tmp)=<<"EOF";
+        pop     edi
+        pop     esi
+        pop     ebx
+        pop     ebp
+        ret
+EOF
+        push(@out,$tmp);
+        }
+
+sub main'file_end
+        {
+        }
+
+sub main'wparam
+        {
+        my($num)=@_;
+
+        return(&main'DWP($stack+$num*4,"esp","",0));
+        }
+
+sub main'swtmp
+        {
+        return(&main'DWP($_[0]*4,"esp","",0));
+        }
+
+# Should use swtmp, which is above esp.  Linix can trash the stack above esp
+#sub main'wtmp
+#       {
+#       my($num)=@_;
+#
+#       return(&main'DWP(-(($num+1)*4),"esp","",0));
+#       }
+
+sub main'comment
+        {
+        foreach (@_)
+                {
+                push(@out,"\t; $_\n");
+                }
+        }
+
+sub main'label
+        {
+        if (!defined($label{$_[0]}))
+                {
+                $label{$_[0]}="\$${label}${_[0]}";
+                $label++;
+                }
+        return($label{$_[0]});
+        }
+
+sub main'set_label
+        {
+        if (!defined($label{$_[0]}))
+                {
+                $label{$_[0]}="${label}${_[0]}";
+                $label++;
+                }
+        push(@out,"$label{$_[0]}:\n");
+        }
+
+sub main'data_word
+        {
+        push(@out,"\tDD\t$_[0]\n");
+        }
+
+sub out1p
+        {
+        my($name,$p1)=@_;
+        my($l,$t);
+
+        push(@out,"\t$name\t ".&conv($p1)."\n");
+        }
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_add.c b/src/lib/libssl/src/crypto/pkcs12/p12_add.c
new file mode 100644
index 0000000000..ae3d9de3b4
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_add.c
@@ -0,0 +1,214 @@
+/* p12_add.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+/* Pack an object into an OCTET STRING and turn into a safebag */
+
+PKCS12_SAFEBAG *PKCS12_pack_safebag (char *obj, int (*i2d)(), int nid1,
+             int nid2)
+{
+        PKCS12_BAGS *bag;
+        PKCS12_SAFEBAG *safebag;
+        if (!(bag = PKCS12_BAGS_new ())) {
+                PKCS12err(PKCS12_F_PKCS12_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        bag->type = OBJ_nid2obj(nid1);
+        if (!ASN1_pack_string(obj, i2d, &bag->value.octet)) {
+                PKCS12err(PKCS12_F_PKCS12_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        if (!(safebag = PKCS12_SAFEBAG_new ())) {
+                PKCS12err(PKCS12_F_PKCS12_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        safebag->value.bag = bag;
+        safebag->type = OBJ_nid2obj(nid2);
+        return safebag;
+}
+
+/* Turn PKCS8 object into a keybag */
+
+PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG (PKCS8_PRIV_KEY_INFO *p8)
+{
+        PKCS12_SAFEBAG *bag;
+        if (!(bag = PKCS12_SAFEBAG_new())) {
+                PKCS12err(PKCS12_F_PKCS12_MAKE_KEYBAG,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        bag->type = OBJ_nid2obj(NID_keyBag);
+        bag->value.keybag = p8;
+        return bag;
+}
+
+/* Turn PKCS8 object into a shrouded keybag */
+
+PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG (int pbe_nid, const char *pass,
+             int passlen, unsigned char *salt, int saltlen, int iter,
+             PKCS8_PRIV_KEY_INFO *p8)
+{
+        PKCS12_SAFEBAG *bag;
+
+        /* Set up the safe bag */
+        if (!(bag = PKCS12_SAFEBAG_new ())) {
+                PKCS12err(PKCS12_F_PKCS12_MAKE_SHKEYBAG, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        bag->type = OBJ_nid2obj(NID_pkcs8ShroudedKeyBag);
+        if (!(bag->value.shkeybag = 
+          PKCS8_encrypt(pbe_nid, NULL, pass, passlen, salt, saltlen, iter,
+                                                                         p8))) {
+                PKCS12err(PKCS12_F_PKCS12_MAKE_SHKEYBAG, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        return bag;
+}
+
+/* Turn a stack of SAFEBAGS into a PKCS#7 data Contentinfo */
+PKCS7 *PKCS12_pack_p7data (STACK *sk)
+{
+        PKCS7 *p7;
+        if (!(p7 = PKCS7_new())) {
+                PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        p7->type = OBJ_nid2obj(NID_pkcs7_data);
+        if (!(p7->d.data = ASN1_OCTET_STRING_new())) {
+                PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        
+        if (!ASN1_seq_pack(sk, i2d_PKCS12_SAFEBAG, &p7->d.data->data,
+                                        &p7->d.data->length)) {
+                PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, PKCS12_R_CANT_PACK_STRUCTURE);
+                return NULL;
+        }
+        return p7;
+}
+
+/* Turn a stack of SAFEBAGS into a PKCS#7 encrypted data ContentInfo */
+
+PKCS7 *PKCS12_pack_p7encdata (int pbe_nid, const char *pass, int passlen,
+             unsigned char *salt, int saltlen, int iter, STACK *bags)
+{
+        PKCS7 *p7;
+        X509_ALGOR *pbe;
+        if (!(p7 = PKCS7_new())) {
+                PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        p7->type = OBJ_nid2obj(NID_pkcs7_encrypted);
+        if (!(p7->d.encrypted = PKCS7_ENCRYPT_new ())) {
+                PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        ASN1_INTEGER_set (p7->d.encrypted->version, 0);
+        p7->d.encrypted->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_data);
+        if (!(pbe = PKCS5_pbe_set (pbe_nid, iter, salt, saltlen))) {
+                PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        X509_ALGOR_free(p7->d.encrypted->enc_data->algorithm);
+        p7->d.encrypted->enc_data->algorithm = pbe;
+        ASN1_OCTET_STRING_free(p7->d.encrypted->enc_data->enc_data);
+        if (!(p7->d.encrypted->enc_data->enc_data =
+        PKCS12_i2d_encrypt (pbe, i2d_PKCS12_SAFEBAG, pass, passlen,
+                                 (char *)bags, 1))) {
+                PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, PKCS12_R_ENCRYPT_ERROR);
+                return NULL;
+        }
+
+        return p7;
+}
+
+X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher,
+                         const char *pass, int passlen,
+                         unsigned char *salt, int saltlen, int iter,
+                                                PKCS8_PRIV_KEY_INFO *p8inf)
+{
+        X509_SIG *p8;
+        X509_ALGOR *pbe;
+
+        if (!(p8 = X509_SIG_new())) {
+                PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        if(pbe_nid == -1) pbe = PKCS5_pbe2_set(cipher, iter, salt, saltlen);
+        else pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen);
+        if(!pbe) {
+                PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        X509_ALGOR_free(p8->algor);
+        p8->algor = pbe;
+        ASN1_OCTET_STRING_free(p8->digest);
+        if (!(p8->digest = 
+        PKCS12_i2d_encrypt (pbe, i2d_PKCS8_PRIV_KEY_INFO, pass, passlen,
+                                                 (char *)p8inf, 0))) {
+                PKCS12err(PKCS12_F_PKCS8_ENCRYPT, PKCS12_R_ENCRYPT_ERROR);
+                return NULL;
+        }
+
+        return p8;
+}
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_asn.c b/src/lib/libssl/src/crypto/pkcs12/p12_asn.c
new file mode 100644
index 0000000000..c327bdba03
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_asn.c
@@ -0,0 +1,125 @@
+/* p12_asn.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1t.h>
+#include <openssl/pkcs12.h>
+
+/* PKCS#12 ASN1 module */
+
+ASN1_SEQUENCE(PKCS12) = {
+        ASN1_SIMPLE(PKCS12, version, ASN1_INTEGER),
+        ASN1_SIMPLE(PKCS12, authsafes, PKCS7),
+        ASN1_OPT(PKCS12, mac, PKCS12_MAC_DATA)
+} ASN1_SEQUENCE_END(PKCS12)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS12)
+
+ASN1_SEQUENCE(PKCS12_MAC_DATA) = {
+        ASN1_SIMPLE(PKCS12_MAC_DATA, dinfo, X509_SIG),
+        ASN1_SIMPLE(PKCS12_MAC_DATA, salt, ASN1_OCTET_STRING),
+        ASN1_OPT(PKCS12_MAC_DATA, iter, ASN1_INTEGER)
+} ASN1_SEQUENCE_END(PKCS12_MAC_DATA)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS12_MAC_DATA)
+
+ASN1_ADB_TEMPLATE(bag_default) = ASN1_EXP(PKCS12_BAGS, value.other, ASN1_ANY, 0);
+
+ASN1_ADB(PKCS12_BAGS) = {
+        ADB_ENTRY(NID_x509Certificate, ASN1_EXP(PKCS12_BAGS, value.x509cert, ASN1_OCTET_STRING, 0)),
+        ADB_ENTRY(NID_x509Certificate, ASN1_EXP(PKCS12_BAGS, value.x509crl, ASN1_OCTET_STRING, 0)),
+        ADB_ENTRY(NID_x509Certificate, ASN1_EXP(PKCS12_BAGS, value.sdsicert, ASN1_IA5STRING, 0)),
+} ASN1_ADB_END(PKCS12_BAGS, 0, type, 0, &bag_default_tt, NULL);
+
+ASN1_SEQUENCE(PKCS12_BAGS) = {
+        ASN1_SIMPLE(PKCS12_BAGS, type, ASN1_OBJECT),
+        ASN1_ADB_OBJECT(PKCS12_BAGS),
+} ASN1_SEQUENCE_END(PKCS12_BAGS)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS12_BAGS)
+
+ASN1_ADB_TEMPLATE(safebag_default) = ASN1_EXP(PKCS12_SAFEBAG, value.other, ASN1_ANY, 0);
+
+ASN1_ADB(PKCS12_SAFEBAG) = {
+        ADB_ENTRY(NID_keyBag, ASN1_EXP(PKCS12_SAFEBAG, value.keybag, PKCS8_PRIV_KEY_INFO, 0)),
+        ADB_ENTRY(NID_pkcs8ShroudedKeyBag, ASN1_EXP(PKCS12_SAFEBAG, value.keybag, X509_SIG, 0)),
+        ADB_ENTRY(NID_safeContentsBag, ASN1_EXP_SET_OF(PKCS12_SAFEBAG, value.safes, PKCS12_SAFEBAG, 0)),
+        ADB_ENTRY(NID_certBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)),
+        ADB_ENTRY(NID_crlBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)),
+        ADB_ENTRY(NID_secretBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0))
+} ASN1_ADB_END(PKCS12_SAFEBAG, 0, type, 0, &safebag_default_tt, NULL);
+
+ASN1_SEQUENCE(PKCS12_SAFEBAG) = {
+        ASN1_SIMPLE(PKCS12_SAFEBAG, type, ASN1_OBJECT),
+        ASN1_ADB_OBJECT(PKCS12_SAFEBAG),
+        ASN1_SET_OF_OPT(PKCS12_SAFEBAG, attrib, X509_ATTRIBUTE)
+} ASN1_SEQUENCE_END(PKCS12_SAFEBAG)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS12_SAFEBAG)
+
+/* SEQUENCE OF SafeBag */
+ASN1_ITEM_TEMPLATE(PKCS12_SAFEBAGS) = 
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, PKCS12_SAFEBAGS, PKCS12_SAFEBAG)
+ASN1_ITEM_TEMPLATE_END(PKCS12_SAFEBAGS)
+
+/* Authsafes: SEQUENCE OF PKCS7 */
+ASN1_ITEM_TEMPLATE(PKCS12_AUTHSAFES) = 
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, PKCS12_AUTHSAFES, PKCS7)
+ASN1_ITEM_TEMPLATE_END(PKCS12_AUTHSAFES)
+
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_attr.c b/src/lib/libssl/src/crypto/pkcs12/p12_attr.c
new file mode 100644
index 0000000000..31c9782b77
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_attr.c
@@ -0,0 +1,238 @@
+/* p12_attr.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+/* Add a local keyid to a safebag */
+
+int PKCS12_add_localkeyid (PKCS12_SAFEBAG *bag, unsigned char *name,
+             int namelen)
+{
+        X509_ATTRIBUTE *attrib;
+        ASN1_BMPSTRING *oct;
+        ASN1_TYPE *keyid;
+        if (!(keyid = ASN1_TYPE_new ())) {
+                PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        keyid->type = V_ASN1_OCTET_STRING;
+        if (!(oct = ASN1_OCTET_STRING_new())) {
+                PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        if (!ASN1_OCTET_STRING_set(oct, name, namelen)) {
+                PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        keyid->value.octet_string = oct;
+        if (!(attrib = X509_ATTRIBUTE_new ())) {
+                PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        attrib->object = OBJ_nid2obj(NID_localKeyID);
+        if (!(attrib->value.set = sk_ASN1_TYPE_new(NULL))) {
+                PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        sk_ASN1_TYPE_push (attrib->value.set,keyid);
+        attrib->set = 1;
+        if (!bag->attrib && !(bag->attrib = sk_X509_ATTRIBUTE_new (NULL))) {
+                PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        sk_X509_ATTRIBUTE_push (bag->attrib, attrib);
+        return 1;
+}
+
+/* Add key usage to PKCS#8 structure */
+
+int PKCS8_add_keyusage (PKCS8_PRIV_KEY_INFO *p8, int usage)
+{
+        X509_ATTRIBUTE *attrib;
+        ASN1_BIT_STRING *bstr;
+        ASN1_TYPE *keyid;
+        unsigned char us_val;
+        us_val = (unsigned char) usage;
+        if (!(keyid = ASN1_TYPE_new ())) {
+                PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        keyid->type = V_ASN1_BIT_STRING;
+        if (!(bstr = ASN1_BIT_STRING_new())) {
+                PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        if (!ASN1_BIT_STRING_set(bstr, &us_val, 1)) {
+                PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        keyid->value.bit_string = bstr;
+        if (!(attrib = X509_ATTRIBUTE_new ())) {
+                PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        attrib->object = OBJ_nid2obj(NID_key_usage);
+        if (!(attrib->value.set = sk_ASN1_TYPE_new(NULL))) {
+                PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        sk_ASN1_TYPE_push (attrib->value.set,keyid);
+        attrib->set = 1;
+        if (!p8->attributes
+            && !(p8->attributes = sk_X509_ATTRIBUTE_new (NULL))) {
+                PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        sk_X509_ATTRIBUTE_push (p8->attributes, attrib);
+        return 1;
+}
+
+/* Add a friendlyname to a safebag */
+
+int PKCS12_add_friendlyname_asc (PKCS12_SAFEBAG *bag, const char *name,
+                                 int namelen)
+{
+        unsigned char *uniname;
+        int ret, unilen;
+        if (!asc2uni(name, &uniname, &unilen)) {
+                PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC,
+                                                        ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        ret = PKCS12_add_friendlyname_uni (bag, uniname, unilen);
+        Free(uniname);
+        return ret;
+}
+        
+
+int PKCS12_add_friendlyname_uni (PKCS12_SAFEBAG *bag,
+                                 const unsigned char *name, int namelen)
+{
+        X509_ATTRIBUTE *attrib;
+        ASN1_BMPSTRING *bmp;
+        ASN1_TYPE *fname;
+        /* Zap ending double null if included */
+        if(!name[namelen - 1] && !name[namelen - 2]) namelen -= 2;
+        if (!(fname = ASN1_TYPE_new ())) {
+                PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,
+                                                        ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        fname->type = V_ASN1_BMPSTRING;
+        if (!(bmp = ASN1_BMPSTRING_new())) {
+                PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,
+                                                        ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        if (!(bmp->data = Malloc (namelen))) {
+                PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,
+                                                        ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        memcpy (bmp->data, name, namelen);
+        bmp->length = namelen;
+        fname->value.bmpstring = bmp;
+        if (!(attrib = X509_ATTRIBUTE_new ())) {
+                PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,
+                                                        ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        attrib->object = OBJ_nid2obj(NID_friendlyName);
+        if (!(attrib->value.set = sk_ASN1_TYPE_new(NULL))) {
+                PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME,
+                                                        ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        sk_ASN1_TYPE_push (attrib->value.set,fname);
+        attrib->set = 1;
+        if (!bag->attrib && !(bag->attrib = sk_X509_ATTRIBUTE_new (NULL))) {
+                PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,
+                                                        ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        sk_X509_ATTRIBUTE_push (bag->attrib, attrib);
+        return PKCS12_OK;
+}
+
+ASN1_TYPE *PKCS12_get_attr_gen (STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid)
+{
+        X509_ATTRIBUTE *attrib;
+        int i;
+        if (!attrs) return NULL;
+        for (i = 0; i < sk_X509_ATTRIBUTE_num (attrs); i++) {
+                attrib = sk_X509_ATTRIBUTE_value (attrs, i);
+                if (OBJ_obj2nid (attrib->object) == attr_nid) {
+                        if (sk_ASN1_TYPE_num (attrib->value.set))
+                            return sk_ASN1_TYPE_value(attrib->value.set, 0);
+                        else return NULL;
+                }
+        }
+        return NULL;
+}
+
+char *PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag)
+{
+        ASN1_TYPE *atype;
+        if (!(atype = PKCS12_get_attr(bag, NID_friendlyName))) return NULL;
+        if (atype->type != V_ASN1_BMPSTRING) return NULL;
+        return uni2asc(atype->value.bmpstring->data,
+                                 atype->value.bmpstring->length);
+}
+
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_crpt.c b/src/lib/libssl/src/crypto/pkcs12/p12_crpt.c
new file mode 100644
index 0000000000..6de6f8128f
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_crpt.c
@@ -0,0 +1,122 @@
+/* p12_crpt.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+/* PKCS#12 specific PBE functions */
+
+void PKCS12_PBE_add(void)
+{
+#ifndef NO_RC4
+EVP_PBE_alg_add(NID_pbe_WithSHA1And128BitRC4, EVP_rc4(), EVP_sha1(),
+                                                         PKCS12_PBE_keyivgen);
+EVP_PBE_alg_add(NID_pbe_WithSHA1And40BitRC4, EVP_rc4_40(), EVP_sha1(),
+                                                         PKCS12_PBE_keyivgen);
+#endif
+EVP_PBE_alg_add(NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
+                        EVP_des_ede3_cbc(), EVP_sha1(), PKCS12_PBE_keyivgen);
+EVP_PBE_alg_add(NID_pbe_WithSHA1And2_Key_TripleDES_CBC, 
+                        EVP_des_ede_cbc(), EVP_sha1(), PKCS12_PBE_keyivgen);
+#ifndef NO_RC2
+EVP_PBE_alg_add(NID_pbe_WithSHA1And128BitRC2_CBC, EVP_rc2_cbc(),
+                                        EVP_sha1(), PKCS12_PBE_keyivgen);
+EVP_PBE_alg_add(NID_pbe_WithSHA1And40BitRC2_CBC, EVP_rc2_40_cbc(),
+                                        EVP_sha1(), PKCS12_PBE_keyivgen);
+#endif
+}
+
+int PKCS12_PBE_keyivgen (EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
+                ASN1_TYPE *param, EVP_CIPHER *cipher, EVP_MD *md, int en_de)
+{
+        PBEPARAM *pbe;
+        int saltlen, iter;
+        unsigned char *salt, *pbuf;
+        unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
+
+        /* Extract useful info from parameter */
+        pbuf = param->value.sequence->data;
+        if (!param || (param->type != V_ASN1_SEQUENCE) ||
+           !(pbe = d2i_PBEPARAM (NULL, &pbuf, param->value.sequence->length))) {
+                EVPerr(PKCS12_F_PKCS12_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
+                return 0;
+        }
+
+        if (!pbe->iter) iter = 1;
+        else iter = ASN1_INTEGER_get (pbe->iter);
+        salt = pbe->salt->data;
+        saltlen = pbe->salt->length;
+        if (!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_KEY_ID,
+                             iter, EVP_CIPHER_key_length(cipher), key, md)) {
+                PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN,PKCS12_R_KEY_GEN_ERROR);
+                PBEPARAM_free(pbe);
+                return 0;
+        }
+        if (!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_IV_ID,
+                                iter, EVP_CIPHER_iv_length(cipher), iv, md)) {
+                PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN,PKCS12_R_IV_GEN_ERROR);
+                PBEPARAM_free(pbe);
+                return 0;
+        }
+        PBEPARAM_free(pbe);
+        EVP_CipherInit(ctx, cipher, key, iv, en_de);
+        memset(key, 0, EVP_MAX_KEY_LENGTH);
+        memset(iv, 0, EVP_MAX_IV_LENGTH);
+        return 1;
+}
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_crt.c b/src/lib/libssl/src/crypto/pkcs12/p12_crt.c
new file mode 100644
index 0000000000..56d88b0759
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_crt.c
@@ -0,0 +1,159 @@
+/* p12_crt.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
+             STACK *ca, int nid_key, int nid_cert, int iter, int mac_iter,
+             int keytype)
+{
+        PKCS12 *p12;
+        STACK *bags, *safes;
+        PKCS12_SAFEBAG *bag;
+        PKCS8_PRIV_KEY_INFO *p8;
+        PKCS7 *authsafe;
+        X509 *tcert;
+        int i;
+        unsigned char keyid[EVP_MAX_MD_SIZE];
+        unsigned int keyidlen;
+
+        /* Set defaults */
+        if(!nid_cert) nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
+        if(!nid_key) nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+        if(!iter) iter = PKCS12_DEFAULT_ITER;
+        if(!mac_iter) mac_iter = 1;
+
+        if(!pkey || !cert) {
+                PKCS12err(PKCS12_F_PKCS12_CREATE,PKCS12_R_INVALID_NULL_ARGUMENT);
+                return NULL;
+        }
+
+        if(!(bags = sk_new (NULL))) {
+                PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        /* Add user certificate */
+        if(!(bag = M_PKCS12_x5092certbag(cert))) return NULL;
+        if(name && !PKCS12_add_friendlyname(bag, name, -1)) return NULL;
+        X509_digest(cert, EVP_sha1(), keyid, &keyidlen);
+        if(!PKCS12_add_localkeyid(bag, keyid, keyidlen)) return NULL;
+
+        if(!sk_push(bags, (char *)bag)) {
+                PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        
+        /* Add all other certificates */
+        if(ca) {
+                for(i = 0; i < sk_num(ca); i++) {
+                        tcert = (X509 *)sk_value(ca, i);
+                        if(!(bag = M_PKCS12_x5092certbag(tcert))) return NULL;
+                        if(!sk_push(bags, (char *)bag)) {
+                                PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
+                                return NULL;
+                        }
+                }
+        }
+
+        /* Turn certbags into encrypted authsafe */
+        authsafe = PKCS12_pack_p7encdata (nid_cert, pass, -1, NULL, 0,
+                                          iter, bags);
+        sk_pop_free(bags, PKCS12_SAFEBAG_free);
+
+        if (!authsafe) return NULL;
+
+        if(!(safes = sk_new (NULL)) || !sk_push(safes, (char *)authsafe)) {
+                PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        /* Make a shrouded key bag */
+        if(!(p8 = EVP_PKEY2PKCS8 (pkey))) return NULL;
+        if(keytype && !PKCS8_add_keyusage(p8, keytype)) return NULL;
+        bag = PKCS12_MAKE_SHKEYBAG (nid_key, pass, -1, NULL, 0, iter, p8);
+        if(!bag) return NULL;
+        PKCS8_PRIV_KEY_INFO_free(p8);
+        if (name && !PKCS12_add_friendlyname (bag, name, -1)) return NULL;
+        if(!PKCS12_add_localkeyid (bag, keyid, keyidlen)) return NULL;
+        if(!(bags = sk_new(NULL)) || !sk_push (bags, (char *)bag)) {
+                PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        /* Turn it into unencrypted safe bag */
+        if(!(authsafe = PKCS12_pack_p7data (bags))) return NULL;
+        sk_pop_free(bags, PKCS12_SAFEBAG_free);
+        if(!sk_push(safes, (char *)authsafe)) {
+                PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        if(!(p12 = PKCS12_init (NID_pkcs7_data))) return NULL;
+
+        if(!M_PKCS12_pack_authsafes (p12, safes)) return NULL;
+
+        sk_pop_free(safes, PKCS7_free);
+
+        if(!PKCS12_set_mac (p12, pass, -1, NULL, 0, mac_iter, NULL))
+            return NULL;
+
+        return p12;
+
+}
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_decr.c b/src/lib/libssl/src/crypto/pkcs12/p12_decr.c
new file mode 100644
index 0000000000..d3d288e187
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_decr.c
@@ -0,0 +1,185 @@
+/* p12_decr.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+/* Define this to dump decrypted output to files called DERnnn */
+/*#define DEBUG_DECRYPT*/
+
+
+/* Encrypt/Decrypt a buffer based on password and algor, result in a
+ * Malloc'ed buffer
+ */
+
+unsigned char * PKCS12_pbe_crypt (X509_ALGOR *algor, const char *pass,
+             int passlen, unsigned char *in, int inlen, unsigned char **data,
+             int *datalen, int en_de)
+{
+        unsigned char *out;
+        int outlen, i;
+        EVP_CIPHER_CTX ctx;
+
+        /* Decrypt data */
+        if (!EVP_PBE_CipherInit (algor->algorithm, pass, passlen,
+                                         algor->parameter, &ctx, en_de)) {
+                PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR);
+                return NULL;
+        }
+
+        if(!(out = Malloc (inlen + EVP_CIPHER_CTX_block_size(&ctx)))) {
+                PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        EVP_CipherUpdate (&ctx, out, &i, in, inlen);
+        outlen = i;
+        if(!EVP_CipherFinal (&ctx, out + i, &i)) {
+                Free (out);
+                PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,PKCS12_R_PKCS12_CIPHERFINAL_ERROR);
+                return NULL;
+        }
+        outlen += i;
+        if (datalen) *datalen = outlen;
+        if (data) *data = out;
+        return out;
+
+}
+
+/* Decrypt an OCTET STRING and decode ASN1 structure 
+ * if seq & 1 'obj' is a stack of structures to be encoded
+ * if seq & 2 zero buffer after use
+ * as a sequence.
+ */
+
+char * PKCS12_decrypt_d2i (X509_ALGOR *algor, char * (*d2i)(),
+             void (*free_func)(), const char *pass, int passlen,
+             ASN1_OCTET_STRING *oct, int seq)
+{
+        unsigned char *out, *p;
+        char *ret;
+        int outlen;
+
+        if (!PKCS12_pbe_crypt (algor, pass, passlen, oct->data, oct->length,
+                               &out, &outlen, 0)) {
+                PKCS12err(PKCS12_F_PKCS12_DECRYPT_D2I,PKCS12_R_PKCS12_PBE_CRYPT_ERROR);
+                return NULL;
+        }
+        p = out;
+#ifdef DEBUG_DECRYPT
+        {
+                FILE *op;
+
+                char fname[30];
+                static int fnm = 1;
+                sprintf(fname, "DER%d", fnm++);
+                op = fopen(fname, "wb");
+                fwrite (p, 1, outlen, op);
+                fclose(op);
+        }
+#endif
+        if (seq & 1) ret = (char *) d2i_ASN1_SET(NULL, &p, outlen, d2i,
+                                free_func, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
+        else ret = d2i(NULL, &p, outlen);
+        if (seq & 2) memset(out, 0, outlen);
+        if(!ret) PKCS12err(PKCS12_F_PKCS12_DECRYPT_D2I,PKCS12_R_DECODE_ERROR);
+        Free (out);
+        return ret;
+}
+
+/* Encode ASN1 structure and encrypt, return OCTET STRING 
+ * if 'seq' is non-zero 'obj' is a stack of structures to be encoded
+ * as a sequence
+ */
+
+ASN1_OCTET_STRING *PKCS12_i2d_encrypt (X509_ALGOR *algor, int (*i2d)(),
+                                       const char *pass, int passlen,
+                                       char *obj, int seq)
+{
+        ASN1_OCTET_STRING *oct;
+        unsigned char *in, *p;
+        int inlen;
+        if (!(oct = ASN1_OCTET_STRING_new ())) {
+                PKCS12err(PKCS12_F_PKCS12_I2D_ENCRYPT,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        if (seq) inlen = i2d_ASN1_SET((STACK *)obj, NULL, i2d, V_ASN1_SEQUENCE,
+                                                 V_ASN1_UNIVERSAL, IS_SEQUENCE);
+        else inlen = i2d (obj, NULL);
+        if (!inlen) {
+                PKCS12err(PKCS12_F_PKCS12_I2D_ENCRYPT,PKCS12_R_ENCODE_ERROR);
+                return NULL;
+        }
+        if (!(in = Malloc (inlen))) {
+                PKCS12err(PKCS12_F_PKCS12_I2D_ENCRYPT,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        p = in;
+        if (seq) i2d_ASN1_SET((STACK *)obj, &p, i2d, V_ASN1_SEQUENCE,
+                                                 V_ASN1_UNIVERSAL, IS_SEQUENCE);
+        else i2d (obj, &p);
+        if (!PKCS12_pbe_crypt (algor, pass, passlen, in, inlen, &oct->data,
+                                 &oct->length, 1)) {
+                PKCS12err(PKCS12_F_PKCS12_I2D_ENCRYPT,PKCS12_R_ENCRYPT_ERROR);
+                Free(in);
+                return NULL;
+        }
+        Free (in);
+        return oct;
+}
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_init.c b/src/lib/libssl/src/crypto/pkcs12/p12_init.c
new file mode 100644
index 0000000000..dc6ab41db8
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_init.c
@@ -0,0 +1,98 @@
+/* p12_init.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+/* Initialise a PKCS12 structure to take data */
+
+PKCS12 *PKCS12_init (int mode)
+{
+        PKCS12 *pkcs12;
+        if (!(pkcs12 = PKCS12_new())) {
+                PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        if (!(pkcs12->version = ASN1_INTEGER_new ())) {
+                PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        ASN1_INTEGER_set (pkcs12->version, 3);
+        if (!(pkcs12->authsafes = PKCS7_new())) {
+                PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        pkcs12->authsafes->type = OBJ_nid2obj(mode);
+        switch (mode) {
+                case NID_pkcs7_data:
+                        if (!(pkcs12->authsafes->d.data =
+                                 ASN1_OCTET_STRING_new())) {
+                        PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE);
+                        return NULL;
+                }
+                break;
+                default:
+                        PKCS12err(PKCS12_F_PKCS12_INIT,PKCS12_R_UNSUPPORTED_PKCS12_MODE);
+                        PKCS12_free(pkcs12);
+                        return NULL;
+                break;
+        }
+                
+        return pkcs12;
+}
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_key.c b/src/lib/libssl/src/crypto/pkcs12/p12_key.c
new file mode 100644
index 0000000000..25d8cdae57
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_key.c
@@ -0,0 +1,182 @@
+/* p12_key.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+
+/* Uncomment out this line to get debugging info about key generation */
+/*#define DEBUG_KEYGEN*/
+#ifdef DEBUG_KEYGEN
+#include <bio.h>
+extern BIO *bio_err;
+void h__dump (unsigned char *p, int len);
+#endif
+
+/* PKCS12 compatible key/IV generation */
+#ifndef min
+#define min(a,b) ((a) < (b) ? (a) : (b))
+#endif
+
+int PKCS12_key_gen_asc (const char *pass, int passlen, unsigned char *salt,
+             int saltlen, int id, int iter, int n, unsigned char *out,
+             const EVP_MD *md_type)
+{
+        int ret;
+        unsigned char *unipass;
+        int uniplen;
+        if (!asc2uni (pass, &unipass, &uniplen)) {
+                PKCS12err(PKCS12_F_PKCS12_KEY_GEN_ASC,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        ret = PKCS12_key_gen_uni (unipass, uniplen, salt, saltlen,
+                                                 id, iter, n, out, md_type);
+        memset(unipass, 0, uniplen);    /* Clear password from memory */
+        Free(unipass);
+        return ret;
+}
+
+int PKCS12_key_gen_uni (unsigned char *pass, int passlen, unsigned char *salt,
+             int saltlen, int id, int iter, int n, unsigned char *out,
+             const EVP_MD *md_type)
+{
+        unsigned char *B, *D, *I, *p, *Ai;
+        int Slen, Plen, Ilen;
+        int i, j, u, v;
+        BIGNUM *Ij, *Bpl1;      /* These hold Ij and B + 1 */
+        EVP_MD_CTX ctx;
+#ifdef  DEBUG_KEYGEN
+        unsigned char *tmpout = out;
+        int tmpn = n;
+        BIO_printf (bio_err, "KEYGEN DEBUG\n");
+        BIO_printf (bio_err, "ID %d, ITER %d\n", id, iter);
+        BIO_printf (bio_err, "Password (length %d):\n", passlen);
+        h__dump (pass, passlen);
+        BIO_printf (bio_err, "Salt (length %d):\n", saltlen);
+        h__dump (salt, saltlen);
+        BIO_printf (bio_err, "ID %d, ITER %d\n\n", id, iter);
+#endif
+        v = EVP_MD_block_size (md_type);
+        u = EVP_MD_size (md_type);
+        D = Malloc (v);
+        Ai = Malloc (u);
+        B = Malloc (v + 1);
+        Slen = v * ((saltlen+v-1)/v);
+        Plen = v * ((passlen+v-1)/v);
+        Ilen = Slen + Plen;
+        I = Malloc (Ilen);
+        Ij = BN_new();
+        Bpl1 = BN_new();
+        if (!D || !Ai || !B || !I || !Ij || !Bpl1) {
+                PKCS12err(PKCS12_F_PKCS12_KEY_GEN_UNI,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        for (i = 0; i < v; i++) D[i] = id;
+        p = I;
+        for (i = 0; i < Slen; i++) *p++ = salt[i % saltlen];
+        for (i = 0; i < Plen; i++) *p++ = pass[i % passlen];
+        for (;;) {
+                EVP_DigestInit (&ctx, md_type);
+                EVP_DigestUpdate (&ctx, D, v);
+                EVP_DigestUpdate (&ctx, I, Ilen);
+                EVP_DigestFinal (&ctx, Ai, NULL);
+                for (j = 1; j < iter; j++) {
+                        EVP_DigestInit (&ctx, md_type);
+                        EVP_DigestUpdate (&ctx, Ai, u);
+                        EVP_DigestFinal (&ctx, Ai, NULL);
+                }
+                memcpy (out, Ai, min (n, u));
+                if (u >= n) {
+                        Free (Ai);
+                        Free (B);
+                        Free (D);
+                        Free (I);
+                        BN_free (Ij);
+                        BN_free (Bpl1);
+#ifdef DEBUG_KEYGEN
+                        BIO_printf (bio_err, "Output KEY (length %d)\n", tmpn);
+                        h__dump (tmpout, tmpn);
+#endif
+                        return 1;       
+                }
+                n -= u;
+                out += u;
+                for (j = 0; j < v; j++) B[j] = Ai[j % u];
+                /* Work out B + 1 first then can use B as tmp space */
+                BN_bin2bn (B, v, Bpl1);
+                BN_add_word (Bpl1, 1);
+                for (j = 0; j < Ilen ; j+=v) {
+                        BN_bin2bn (I + j, v, Ij);
+                        BN_add (Ij, Ij, Bpl1);
+                        BN_bn2bin (Ij, B);
+                        /* If more than 2^(v*8) - 1 cut off MSB */
+                        if (BN_num_bytes (Ij) > v) {
+                                BN_bn2bin (Ij, B);
+                                memcpy (I + j, B + 1, v);
+                        } else BN_bn2bin (Ij, I + j);
+                }
+        }
+}
+#ifdef DEBUG_KEYGEN
+void h__dump (unsigned char *p, int len)
+{
+        for (; len --; p++) BIO_printf (bio_err, "%02X", *p);
+        BIO_printf (bio_err, "\n");     
+}
+#endif
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_kiss.c b/src/lib/libssl/src/crypto/pkcs12/p12_kiss.c
new file mode 100644
index 0000000000..767e1303da
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_kiss.c
@@ -0,0 +1,238 @@
+/* p12_kiss.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+/* Simplified PKCS#12 routines */
+
+static int parse_pk12( PKCS12 *p12, const char *pass, int passlen, EVP_PKEY **pkey, X509 **cert, STACK **ca);
+static int parse_bags( STACK *bags, const char *pass, int passlen, EVP_PKEY **pkey, X509 **cert, STACK **ca, ASN1_OCTET_STRING **keyid, char *keymatch);
+static int parse_bag( PKCS12_SAFEBAG *bag, const char *pass, int passlen, EVP_PKEY **pkey, X509 **cert, STACK **ca, ASN1_OCTET_STRING **keyid, char *keymatch);
+/* Parse and decrypt a PKCS#12 structure returning user key, user cert
+ * and other (CA) certs. Note either ca should be NULL, *ca should be NULL,
+ * or it should point to a valid STACK structure. pkey and cert can be
+ * passed unitialised.
+ */
+
+int PKCS12_parse (PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
+             STACK **ca)
+{
+
+/* Check for NULL PKCS12 structure */
+
+if(!p12) {
+        PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_INVALID_NULL_PKCS12_POINTER);
+        return 0;
+}
+
+/* Allocate stack for ca certificates if needed */
+if ((ca != NULL) && (*ca == NULL)) {
+        if (!(*ca = sk_new(NULL))) {
+                PKCS12err(PKCS12_F_PKCS12_PARSE,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+}
+
+if(pkey) *pkey = NULL;
+if(cert) *cert = NULL;
+
+/* Check the mac */
+
+if (!PKCS12_verify_mac (p12, pass, -1)) {
+        PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_MAC_VERIFY_FAILURE);
+        goto err;
+}
+
+if (!parse_pk12 (p12, pass, -1, pkey, cert, ca)) {
+        PKCS12err(PKCS12_F_PKCS12_PARSE,PKCS12_R_PARSE_ERROR);
+        goto err;
+}
+
+return 1;
+
+err:
+
+if (pkey && *pkey) EVP_PKEY_free (*pkey);
+if (cert && *cert) X509_free (*cert);
+if (ca) sk_pop_free (*ca, X509_free);
+return 0;
+
+}
+
+/* Parse the outer PKCS#12 structure */
+
+static int parse_pk12 (PKCS12 *p12, const char *pass, int passlen,
+             EVP_PKEY **pkey, X509 **cert, STACK **ca)
+{
+        STACK *asafes, *bags;
+        int i, bagnid;
+        PKCS7 *p7;
+        ASN1_OCTET_STRING *keyid = NULL;
+        char keymatch = 0;
+        if (!( asafes = M_PKCS12_unpack_authsafes (p12))) return 0;
+        for (i = 0; i < sk_num (asafes); i++) {
+                p7 = (PKCS7 *) sk_value (asafes, i);
+                bagnid = OBJ_obj2nid (p7->type);
+                if (bagnid == NID_pkcs7_data) {
+                        bags = M_PKCS12_unpack_p7data (p7);
+                } else if (bagnid == NID_pkcs7_encrypted) {
+                        bags = M_PKCS12_unpack_p7encdata (p7, pass, passlen);
+                } else continue;
+                if (!bags) {
+                        sk_pop_free (asafes, PKCS7_free);
+                        return 0;
+                }
+                if (!parse_bags (bags, pass, passlen, pkey, cert, ca,
+                                                         &keyid, &keymatch)) {
+                        sk_pop_free (bags, PKCS12_SAFEBAG_free);
+                        sk_pop_free (asafes, PKCS7_free);
+                        return 0;
+                }
+                sk_pop_free (bags, PKCS12_SAFEBAG_free);
+        }
+        sk_pop_free (asafes, PKCS7_free);
+        if (keyid) ASN1_OCTET_STRING_free (keyid);
+        return 1;
+}
+
+
+static int parse_bags (STACK *bags, const char *pass, int passlen,
+                       EVP_PKEY **pkey, X509 **cert, STACK **ca,
+                       ASN1_OCTET_STRING **keyid, char *keymatch)
+{
+        int i;
+        for (i = 0; i < sk_num (bags); i++) {
+                if (!parse_bag ((PKCS12_SAFEBAG *)sk_value (bags, i),
+                         pass, passlen, pkey, cert, ca, keyid,
+                                                         keymatch)) return 0;
+        }
+        return 1;
+}
+
+#define MATCH_KEY  0x1
+#define MATCH_CERT 0x2
+#define MATCH_ALL  0x3
+
+static int parse_bag (PKCS12_SAFEBAG *bag, const char *pass, int passlen,
+                      EVP_PKEY **pkey, X509 **cert, STACK **ca,
+                      ASN1_OCTET_STRING **keyid,
+             char *keymatch)
+{
+        PKCS8_PRIV_KEY_INFO *p8;
+        X509 *x509;
+        ASN1_OCTET_STRING *lkey = NULL;
+        ASN1_TYPE *attrib;
+
+
+        if ((attrib = PKCS12_get_attr (bag, NID_localKeyID)))
+                                            lkey = attrib->value.octet_string;
+
+        /* Check for any local key id matching (if needed) */
+        if (lkey && ((*keymatch & MATCH_ALL) != MATCH_ALL)) {
+                if (*keyid) {
+                        if (ASN1_OCTET_STRING_cmp (*keyid, lkey)) lkey = NULL;
+                } else {
+                        if (!(*keyid = ASN1_OCTET_STRING_dup (lkey))) {
+                                PKCS12err(PKCS12_F_PARSE_BAGS,ERR_R_MALLOC_FAILURE);
+                                return 0;
+                    }
+                }
+        }
+        
+        switch (M_PKCS12_bag_type(bag))
+        {
+        case NID_keyBag:
+                if (!lkey || !pkey) return 1;   
+                if (!(*pkey = EVP_PKCS82PKEY (bag->value.keybag))) return 0;
+                *keymatch |= MATCH_KEY;
+        break;
+
+        case NID_pkcs8ShroudedKeyBag:
+                if (!lkey || !pkey) return 1;   
+                if (!(p8 = M_PKCS12_decrypt_skey (bag, pass, passlen)))
+                                return 0;
+                *pkey = EVP_PKCS82PKEY (p8);
+                PKCS8_PRIV_KEY_INFO_free (p8);
+                if (!(*pkey)) return 0;
+                *keymatch |= MATCH_KEY;
+        break;
+
+        case NID_certBag:
+                if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate )
+                                                                 return 1;
+                if (!(x509 = M_PKCS12_certbag2x509(bag))) return 0;
+                if (lkey) {
+                        *keymatch |= MATCH_CERT;
+                        if (cert) *cert = x509;
+                } else if (ca) sk_push (*ca, (char *)x509);
+        break;
+
+        case NID_safeContentsBag:
+                return parse_bags(bag->value.safes, pass, passlen,
+                                        pkey, cert, ca, keyid, keymatch);
+        break;
+
+        default:
+                return 1;
+        break;
+        }
+        return 1;
+}
+
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_mutl.c b/src/lib/libssl/src/crypto/pkcs12/p12_mutl.c
new file mode 100644
index 0000000000..bac558d6b9
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_mutl.c
@@ -0,0 +1,170 @@
+/* p12_mutl.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef NO_HMAC
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/hmac.h>
+#include <openssl/rand.h>
+#include <openssl/pkcs12.h>
+
+/* Generate a MAC */
+int PKCS12_gen_mac (PKCS12 *p12, const char *pass, int passlen,
+                    unsigned char *mac, unsigned int *maclen)
+{
+        const EVP_MD *md_type;
+        HMAC_CTX hmac;
+        unsigned char key[PKCS12_MAC_KEY_LENGTH], *salt;
+        int saltlen, iter;
+        salt = p12->mac->salt->data;
+        saltlen = p12->mac->salt->length;
+        if (!p12->mac->iter) iter = 1;
+        else iter = ASN1_INTEGER_get (p12->mac->iter);
+        if(!(md_type =
+                 EVP_get_digestbyobj (p12->mac->dinfo->algor->algorithm))) {
+                PKCS12err(PKCS12_F_PKCS12_GEN_MAC,PKCS12_R_UNKNOWN_DIGEST_ALGORITHM);
+                return 0;
+        }
+        if(!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_MAC_ID, iter,
+                                 PKCS12_MAC_KEY_LENGTH, key, md_type)) {
+                PKCS12err(PKCS12_F_PKCS12_GEN_MAC,PKCS12_R_KEY_GEN_ERROR);
+                return 0;
+        }
+        HMAC_Init (&hmac, key, PKCS12_MAC_KEY_LENGTH, md_type);
+        HMAC_Update (&hmac, p12->authsafes->d.data->data,
+                                         p12->authsafes->d.data->length);
+        HMAC_Final (&hmac, mac, maclen);
+        return 1;
+}
+
+/* Verify the mac */
+int PKCS12_verify_mac (PKCS12 *p12, const char *pass, int passlen)
+{
+        unsigned char mac[EVP_MAX_MD_SIZE];
+        unsigned int maclen;
+        if(p12->mac == NULL) {
+                PKCS12err(PKCS12_F_VERIFY_MAC,PKCS12_R_MAC_ABSENT);
+                return 0;
+        }
+        if (!PKCS12_gen_mac (p12, pass, passlen, mac, &maclen)) {
+                PKCS12err(PKCS12_F_VERIFY_MAC,PKCS12_R_MAC_GENERATION_ERROR);
+                return 0;
+        }
+        if ((maclen != (unsigned int)p12->mac->dinfo->digest->length)
+        || memcmp (mac, p12->mac->dinfo->digest->data, maclen)) {
+                PKCS12err(PKCS12_F_VERIFY_MAC,PKCS12_R_MAC_VERIFY_ERROR);
+                return 0;
+        }
+        return 1;
+}
+
+/* Set a mac */
+
+int PKCS12_set_mac (PKCS12 *p12, const char *pass, int passlen,
+             unsigned char *salt, int saltlen, int iter, EVP_MD *md_type)
+{
+        unsigned char mac[EVP_MAX_MD_SIZE];
+        unsigned int maclen;
+
+        if (!md_type) md_type = EVP_sha1();
+        if (PKCS12_setup_mac (p12, iter, salt, saltlen, md_type) ==
+                                        PKCS12_ERROR) {
+                PKCS12err(PKCS12_F_PKCS12_SET_MAC,PKCS12_R_MAC_SETUP_ERROR);
+                return 0;
+        }
+        if (!PKCS12_gen_mac (p12, pass, passlen, mac, &maclen)) {
+                PKCS12err(PKCS12_F_PKCS12_SET_MAC,PKCS12_R_MAC_GENERATION_ERROR);
+                return 0;
+        }
+        if (!(ASN1_OCTET_STRING_set (p12->mac->dinfo->digest, mac, maclen))) {
+                PKCS12err(PKCS12_F_PKCS12_SET_MAC,PKCS12_R_MAC_STRING_SET_ERROR);
+                                                return 0;
+        }
+        return 1;
+}
+
+/* Set up a mac structure */
+int PKCS12_setup_mac (PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
+             EVP_MD *md_type)
+{
+        if (!(p12->mac = PKCS12_MAC_DATA_new ())) return PKCS12_ERROR;
+        if (iter > 1) {
+                if(!(p12->mac->iter = ASN1_INTEGER_new())) {
+                        PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+                ASN1_INTEGER_set (p12->mac->iter, iter);
+        }
+        if (!saltlen) saltlen = PKCS12_SALT_LEN;
+        p12->mac->salt->length = saltlen;
+        if (!(p12->mac->salt->data = Malloc (saltlen))) {
+                PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        if (!salt) RAND_bytes (p12->mac->salt->data, saltlen);
+        else memcpy (p12->mac->salt->data, salt, saltlen);
+        p12->mac->dinfo->algor->algorithm = OBJ_nid2obj(EVP_MD_type(md_type));
+        if (!(p12->mac->dinfo->algor->parameter = ASN1_TYPE_new())) {
+                PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        p12->mac->dinfo->algor->parameter->type = V_ASN1_NULL;
+        
+        return 1;
+}
+#endif
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_npas.c b/src/lib/libssl/src/crypto/pkcs12/p12_npas.c
new file mode 100644
index 0000000000..ee71707e2c
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_npas.c
@@ -0,0 +1,212 @@
+/* p12_npas.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include <openssl/pkcs12.h>
+
+/* PKCS#12 password change routine */
+
+static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass);
+static int newpass_bags(STACK *bags, char *oldpass,  char *newpass);
+static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass);
+static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen);
+
+/* 
+ * Change the password on a PKCS#12 structure.
+ */
+
+int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass)
+{
+
+/* Check for NULL PKCS12 structure */
+
+if(!p12) {
+        PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_INVALID_NULL_PKCS12_POINTER);
+        return 0;
+}
+
+/* Check the mac */
+
+if (!PKCS12_verify_mac(p12, oldpass, -1)) {
+        PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_MAC_VERIFY_FAILURE);
+        return 0;
+}
+
+if (!newpass_p12(p12, oldpass, newpass)) {
+        PKCS12err(PKCS12_F_PKCS12_NEWPASS,PKCS12_R_PARSE_ERROR);
+        return 0;
+}
+
+return 1;
+
+}
+
+/* Parse the outer PKCS#12 structure */
+
+static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass)
+{
+        STACK *asafes, *newsafes, *bags;
+        int i, bagnid, pbe_nid, pbe_iter, pbe_saltlen;
+        PKCS7 *p7, *p7new;
+        ASN1_OCTET_STRING *p12_data_tmp = NULL, *macnew = NULL;
+        unsigned char mac[EVP_MAX_MD_SIZE];
+        unsigned int maclen;
+        if (!(asafes = M_PKCS12_unpack_authsafes(p12))) return 0;
+        if(!(newsafes = sk_new(NULL))) return 0;
+        for (i = 0; i < sk_num (asafes); i++) {
+                p7 = (PKCS7 *) sk_value(asafes, i);
+                bagnid = OBJ_obj2nid(p7->type);
+                if (bagnid == NID_pkcs7_data) {
+                        bags = M_PKCS12_unpack_p7data(p7);
+                } else if (bagnid == NID_pkcs7_encrypted) {
+                        bags = M_PKCS12_unpack_p7encdata(p7, oldpass, -1);
+                        alg_get(p7->d.encrypted->enc_data->algorithm,
+                                &pbe_nid, &pbe_iter, &pbe_saltlen);
+                } else continue;
+                if (!bags) {
+                        sk_pop_free(asafes, PKCS7_free);
+                        return 0;
+                }
+                if (!newpass_bags(bags, oldpass, newpass)) {
+                        sk_pop_free(bags, PKCS12_SAFEBAG_free);
+                        sk_pop_free(asafes, PKCS7_free);
+                        return 0;
+                }
+                /* Repack bag in same form with new password */
+                if (bagnid == NID_pkcs7_data) p7new = PKCS12_pack_p7data(bags);
+                else p7new = PKCS12_pack_p7encdata(pbe_nid, newpass, -1, NULL,
+                                                 pbe_saltlen, pbe_iter, bags);
+                sk_pop_free(bags, PKCS12_SAFEBAG_free);
+                if(!p7new) {
+                        sk_pop_free(asafes, PKCS7_free);
+                        return 0;
+                }
+                sk_push(newsafes, (char *)p7new);
+        }
+        sk_pop_free(asafes, PKCS7_free);
+
+        /* Repack safe: save old safe in case of error */
+
+        p12_data_tmp = p12->authsafes->d.data;
+        if(!(p12->authsafes->d.data = ASN1_OCTET_STRING_new())) goto saferr;
+        if(!M_PKCS12_pack_authsafes(p12, newsafes)) goto saferr;
+
+        if(!PKCS12_gen_mac(p12, newpass, -1, mac, &maclen)) goto saferr;
+        if(!(macnew = ASN1_OCTET_STRING_new())) goto saferr;
+        if(!ASN1_OCTET_STRING_set(macnew, mac, maclen)) goto saferr;
+        ASN1_OCTET_STRING_free(p12->mac->dinfo->digest);
+        p12->mac->dinfo->digest = macnew;
+        ASN1_OCTET_STRING_free(p12_data_tmp);
+
+        return 1;
+
+        saferr:
+        /* Restore old safe */
+        ASN1_OCTET_STRING_free(p12->authsafes->d.data);
+        ASN1_OCTET_STRING_free(macnew);
+        p12->authsafes->d.data = p12_data_tmp;
+        return 0;
+
+}
+
+
+static int newpass_bags(STACK *bags, char *oldpass,  char *newpass)
+{
+        int i;
+        for (i = 0; i < sk_num(bags); i++) {
+                if (!newpass_bag((PKCS12_SAFEBAG *)sk_value(bags, i),
+                                                 oldpass, newpass)) return 0;
+        }
+        return 1;
+}
+
+/* Change password of safebag: only needs handle shrouded keybags */
+
+static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass)
+{
+        PKCS8_PRIV_KEY_INFO *p8;
+        X509_SIG *p8new;
+        int p8_nid, p8_saltlen, p8_iter;
+
+        if(M_PKCS12_bag_type(bag) != NID_pkcs8ShroudedKeyBag) return 1;
+
+        if (!(p8 = M_PKCS12_decrypt_skey(bag, oldpass, -1))) return 0;
+        alg_get(bag->value.shkeybag->algor, &p8_nid, &p8_iter, &p8_saltlen);
+        if(!(p8new = PKCS8_encrypt(p8_nid, NULL, newpass, -1, NULL, p8_saltlen,
+                                                     p8_iter, p8))) return 0;
+        X509_SIG_free(bag->value.shkeybag);
+        bag->value.shkeybag = p8new;
+        return 1;
+}
+
+static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen)
+{
+        PBEPARAM *pbe;
+        unsigned char *p;
+        p = alg->parameter->value.sequence->data;
+        pbe = d2i_PBEPARAM(NULL, &p, alg->parameter->value.sequence->length);
+        *pnid = OBJ_obj2nid(alg->algorithm);
+        *piter = ASN1_INTEGER_get(pbe->iter);
+        *psaltlen = pbe->salt->length;
+        PBEPARAM_free(pbe);
+        return 0;
+}
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_p8d.c b/src/lib/libssl/src/crypto/pkcs12/p12_p8d.c
new file mode 100644
index 0000000000..3c6f377933
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_p8d.c
@@ -0,0 +1,68 @@
+/* p12_p8d.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *p8, const char *pass, int passlen)
+{
+        return PKCS12_item_decrypt_d2i(p8->algor, ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass,
+                                        passlen, p8->digest, 1);
+}
+
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_p8e.c b/src/lib/libssl/src/crypto/pkcs12/p12_p8e.c
new file mode 100644
index 0000000000..3d47956652
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_p8e.c
@@ -0,0 +1,97 @@
+/* p12_p8e.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher,
+                         const char *pass, int passlen,
+                         unsigned char *salt, int saltlen, int iter,
+                                                PKCS8_PRIV_KEY_INFO *p8inf)
+{
+        X509_SIG *p8 = NULL;
+        X509_ALGOR *pbe;
+
+        if (!(p8 = X509_SIG_new())) {
+                PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_MALLOC_FAILURE);
+                goto err;
+        }
+
+        if(pbe_nid == -1) pbe = PKCS5_pbe2_set(cipher, iter, salt, saltlen);
+        else pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen);
+        if(!pbe) {
+                PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_ASN1_LIB);
+                goto err;
+        }
+        X509_ALGOR_free(p8->algor);
+        p8->algor = pbe;
+        M_ASN1_OCTET_STRING_free(p8->digest);
+        p8->digest = PKCS12_item_i2d_encrypt(pbe, ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO),
+                                        pass, passlen, p8inf, 1);
+        if(!p8->digest) {
+                PKCS12err(PKCS12_F_PKCS8_ENCRYPT, PKCS12_R_ENCRYPT_ERROR);
+                goto err;
+        }
+
+        return p8;
+
+        err:
+        X509_SIG_free(p8);
+        return NULL;
+}
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_utl.c b/src/lib/libssl/src/crypto/pkcs12/p12_utl.c
new file mode 100644
index 0000000000..2adcbc95e1
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_utl.c
@@ -0,0 +1,118 @@
+/* p12_utl.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+/* Cheap and nasty Unicode stuff */
+
+unsigned char *asc2uni (const char *asc, unsigned char **uni, int *unilen)
+{
+        int ulen, i;
+        unsigned char *unitmp;
+        ulen = strlen(asc)*2  + 2;
+        if (!(unitmp = Malloc (ulen))) return NULL;
+        for (i = 0; i < ulen; i+=2) {
+                unitmp[i] = 0;
+                unitmp[i + 1] = asc[i>>1];
+        }
+        if (unilen) *unilen = ulen;
+        if (uni) *uni = unitmp;
+        return unitmp;
+}
+
+char *uni2asc (unsigned char *uni, int unilen)
+{
+        int asclen, i;
+        char *asctmp;
+        asclen = unilen / 2;
+        /* If no terminating zero allow for one */
+        if (uni[unilen - 1]) asclen++;
+        uni++;
+        if (!(asctmp = Malloc (asclen))) return NULL;
+        for (i = 0; i < unilen; i+=2) asctmp[i>>1] = uni[i];
+        asctmp[asclen - 1] = 0;
+        return asctmp;
+}
+
+int i2d_PKCS12_bio(BIO *bp, PKCS12 *p12)
+{
+        return ASN1_i2d_bio((int(*)())i2d_PKCS12, bp, (unsigned char *)p12);
+}
+
+#ifndef NO_FP_API
+int i2d_PKCS12_fp(FILE *fp, PKCS12 *p12)
+{
+        return ASN1_i2d_fp((int(*)())i2d_PKCS12, fp, (unsigned char *)p12);
+}
+#endif
+
+PKCS12 *d2i_PKCS12_bio(BIO *bp, PKCS12 **p12)
+{
+        return (PKCS12 *)ASN1_d2i_bio((char *(*)())PKCS12_new,
+         (char *(*)())d2i_PKCS12, bp, (unsigned char **)p12);
+}
+#ifndef NO_FP_API
+PKCS12 *d2i_PKCS12_fp(FILE *fp, PKCS12 **p12)
+{
+        return (PKCS12 *)ASN1_d2i_fp((char *(*)())PKCS12_new, 
+         (char *(*)())d2i_PKCS12, fp, (unsigned char **)(p12));
+}
+#endif
+
diff --git a/src/lib/libssl/src/crypto/pkcs12/pk12err.c b/src/lib/libssl/src/crypto/pkcs12/pk12err.c
new file mode 100644
index 0000000000..38d7be7675
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs12/pk12err.c
@@ -0,0 +1,136 @@
+/* crypto/pkcs12/pk12err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/pkcs12.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA PKCS12_str_functs[]=
+        {
+{ERR_PACK(0,PKCS12_F_PARSE_BAGS,0),     "PARSE_BAGS"},
+{ERR_PACK(0,PKCS12_F_PKCS12_ADD_FRIENDLYNAME,0),        "PKCS12_ADD_FRIENDLYNAME"},
+{ERR_PACK(0,PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC,0),    "PKCS12_add_friendlyname_asc"},
+{ERR_PACK(0,PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,0),    "PKCS12_add_friendlyname_uni"},
+{ERR_PACK(0,PKCS12_F_PKCS12_ADD_LOCALKEYID,0),  "PKCS12_add_localkeyid"},
+{ERR_PACK(0,PKCS12_F_PKCS12_CREATE,0),  "PKCS12_create"},
+{ERR_PACK(0,PKCS12_F_PKCS12_DECRYPT_D2I,0),     "PKCS12_decrypt_d2i"},
+{ERR_PACK(0,PKCS12_F_PKCS12_GEN_MAC,0), "PKCS12_gen_mac"},
+{ERR_PACK(0,PKCS12_F_PKCS12_I2D_ENCRYPT,0),     "PKCS12_i2d_encrypt"},
+{ERR_PACK(0,PKCS12_F_PKCS12_INIT,0),    "PKCS12_init"},
+{ERR_PACK(0,PKCS12_F_PKCS12_KEY_GEN_ASC,0),     "PKCS12_key_gen_asc"},
+{ERR_PACK(0,PKCS12_F_PKCS12_KEY_GEN_UNI,0),     "PKCS12_key_gen_uni"},
+{ERR_PACK(0,PKCS12_F_PKCS12_MAKE_KEYBAG,0),     "PKCS12_MAKE_KEYBAG"},
+{ERR_PACK(0,PKCS12_F_PKCS12_MAKE_SHKEYBAG,0),   "PKCS12_MAKE_SHKEYBAG"},
+{ERR_PACK(0,PKCS12_F_PKCS12_PACK_P7DATA,0),     "PKCS12_pack_p7data"},
+{ERR_PACK(0,PKCS12_F_PKCS12_PACK_P7ENCDATA,0),  "PKCS12_pack_p7encdata"},
+{ERR_PACK(0,PKCS12_F_PKCS12_PACK_SAFEBAG,0),    "PKCS12_pack_safebag"},
+{ERR_PACK(0,PKCS12_F_PKCS12_PARSE,0),   "PKCS12_parse"},
+{ERR_PACK(0,PKCS12_F_PKCS12_PBE_CRYPT,0),       "PKCS12_pbe_crypt"},
+{ERR_PACK(0,PKCS12_F_PKCS12_PBE_KEYIVGEN,0),    "PKCS12_PBE_keyivgen"},
+{ERR_PACK(0,PKCS12_F_PKCS12_SETUP_MAC,0),       "PKCS12_setup_mac"},
+{ERR_PACK(0,PKCS12_F_PKCS12_SET_MAC,0), "PKCS12_set_mac"},
+{ERR_PACK(0,PKCS12_F_PKCS8_ADD_KEYUSAGE,0),     "PKCS8_add_keyusage"},
+{ERR_PACK(0,PKCS12_F_PKCS8_ENCRYPT,0),  "PKCS8_encrypt"},
+{ERR_PACK(0,PKCS12_F_VERIFY_MAC,0),     "VERIFY_MAC"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA PKCS12_str_reasons[]=
+        {
+{PKCS12_R_CANT_PACK_STRUCTURE            ,"cant pack structure"},
+{PKCS12_R_DECODE_ERROR                   ,"decode error"},
+{PKCS12_R_ENCODE_ERROR                   ,"encode error"},
+{PKCS12_R_ENCRYPT_ERROR                  ,"encrypt error"},
+{PKCS12_R_INVALID_NULL_ARGUMENT          ,"invalid null argument"},
+{PKCS12_R_INVALID_NULL_PKCS12_POINTER    ,"invalid null pkcs12 pointer"},
+{PKCS12_R_IV_GEN_ERROR                   ,"iv gen error"},
+{PKCS12_R_KEY_GEN_ERROR                  ,"key gen error"},
+{PKCS12_R_MAC_ABSENT                     ,"mac absent"},
+{PKCS12_R_MAC_GENERATION_ERROR           ,"mac generation error"},
+{PKCS12_R_MAC_SETUP_ERROR                ,"mac setup error"},
+{PKCS12_R_MAC_STRING_SET_ERROR           ,"mac string set error"},
+{PKCS12_R_MAC_VERIFY_ERROR               ,"mac verify error"},
+{PKCS12_R_MAC_VERIFY_FAILURE             ,"mac verify failure"},
+{PKCS12_R_PARSE_ERROR                    ,"parse error"},
+{PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR  ,"pkcs12 algor cipherinit error"},
+{PKCS12_R_PKCS12_CIPHERFINAL_ERROR       ,"pkcs12 cipherfinal error"},
+{PKCS12_R_PKCS12_PBE_CRYPT_ERROR         ,"pkcs12 pbe crypt error"},
+{PKCS12_R_UNKNOWN_DIGEST_ALGORITHM       ,"unknown digest algorithm"},
+{PKCS12_R_UNSUPPORTED_PKCS12_MODE        ,"unsupported pkcs12 mode"},
+{0,NULL}
+        };
+
+#endif
+
+void ERR_load_PKCS12_strings(void)
+        {
+        static int init=1;
+
+        if (init)
+                {
+                init=0;
+#ifndef NO_ERR
+                ERR_load_strings(ERR_LIB_PKCS12,PKCS12_str_functs);
+                ERR_load_strings(ERR_LIB_PKCS12,PKCS12_str_reasons);
+#endif
+
+                }
+        }
diff --git a/src/lib/libssl/src/crypto/pkcs12/pkcs12.h b/src/lib/libssl/src/crypto/pkcs12/pkcs12.h
new file mode 100644
index 0000000000..4cfba5e6c6
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs12/pkcs12.h
@@ -0,0 +1,337 @@
+/* pkcs12.h */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_PKCS12_H
+#define HEADER_PKCS12_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <openssl/bio.h>
+#include <openssl/x509.h>
+
+#define PKCS12_KEY_ID   1
+#define PKCS12_IV_ID    2
+#define PKCS12_MAC_ID   3
+
+/* Default iteration count */
+#ifndef PKCS12_DEFAULT_ITER
+#define PKCS12_DEFAULT_ITER     PKCS5_DEFAULT_ITER
+#endif
+
+#define PKCS12_MAC_KEY_LENGTH 20
+
+#define PKCS12_SALT_LEN 8
+
+/* Uncomment out next line for unicode password and names, otherwise ASCII */
+
+/*#define PBE_UNICODE*/
+
+#ifdef PBE_UNICODE
+#define PKCS12_key_gen PKCS12_key_gen_uni
+#define PKCS12_add_friendlyname PKCS12_add_friendlyname_uni
+#else
+#define PKCS12_key_gen PKCS12_key_gen_asc
+#define PKCS12_add_friendlyname PKCS12_add_friendlyname_asc
+#endif
+
+/* MS key usage constants */
+
+#define KEY_EX  0x10
+#define KEY_SIG 0x80
+
+typedef struct {
+X509_SIG *dinfo;
+ASN1_OCTET_STRING *salt;
+ASN1_INTEGER *iter;     /* defaults to 1 */
+} PKCS12_MAC_DATA;
+
+typedef struct {
+ASN1_INTEGER *version;
+PKCS12_MAC_DATA *mac;
+PKCS7 *authsafes;
+} PKCS12;
+
+typedef struct {
+ASN1_OBJECT *type;
+union {
+        struct pkcs12_bag_st *bag; /* secret, crl and certbag */
+        struct pkcs8_priv_key_info_st   *keybag; /* keybag */
+        X509_SIG *shkeybag; /* shrouded key bag */
+        STACK /* PKCS12_SAFEBAG */ *safes;
+        ASN1_TYPE *other;
+}value;
+STACK_OF(X509_ATTRIBUTE) *attrib;
+ASN1_TYPE *rest;
+} PKCS12_SAFEBAG;
+
+typedef struct pkcs12_bag_st {
+ASN1_OBJECT *type;
+union {
+        ASN1_OCTET_STRING *x509cert;
+        ASN1_OCTET_STRING *x509crl;
+        ASN1_OCTET_STRING *octet;
+        ASN1_IA5STRING *sdsicert;
+        ASN1_TYPE *other; /* Secret or other bag */
+}value;
+} PKCS12_BAGS;
+
+#define PKCS12_ERROR    0
+#define PKCS12_OK       1
+
+#define M_PKCS12_bag_type(bag) OBJ_obj2nid(bag->type)
+#define M_PKCS12_cert_bag_type(bag) OBJ_obj2nid(bag->value.bag->type)
+#define M_PKCS12_crl_bag_type M_PKCS12_cert_bag_type
+
+#define M_PKCS12_x5092certbag(x509) \
+PKCS12_pack_safebag ((char *)(x509), i2d_X509, NID_x509Certificate, NID_certBag)
+
+#define M_PKCS12_x509crl2certbag(crl) \
+PKCS12_pack_safebag ((char *)(crl), i2d_X509CRL, NID_x509Crl, NID_crlBag)
+
+#define M_PKCS12_certbag2x509(bg) \
+(X509 *) ASN1_unpack_string ((bg)->value.bag->value.octet, \
+(char *(*)())d2i_X509)
+
+#define M_PKCS12_certbag2x509crl(bg) \
+(X509CRL *) ASN1_unpack_string ((bg)->value.bag->value.octet, \
+(char *(*)())d2i_X509CRL)
+
+/*#define M_PKCS12_pkcs82rsa(p8) \
+(RSA *) ASN1_unpack_string ((p8)->pkey, (char *(*)())d2i_RSAPrivateKey)*/
+
+#define M_PKCS12_unpack_p7data(p7) \
+ASN1_seq_unpack ((p7)->d.data->data, p7->d.data->length, \
+                         (char *(*)())d2i_PKCS12_SAFEBAG, PKCS12_SAFEBAG_free)
+
+#define M_PKCS12_pack_authsafes(p12, safes) \
+ASN1_seq_pack((safes), (int (*)())i2d_PKCS7,\
+        &(p12)->authsafes->d.data->data, &(p12)->authsafes->d.data->length)
+
+#define M_PKCS12_unpack_authsafes(p12) \
+ASN1_seq_unpack((p12)->authsafes->d.data->data, \
+                (p12)->authsafes->d.data->length, (char *(*)())d2i_PKCS7, \
+                                                        PKCS7_free)
+
+#define M_PKCS12_unpack_p7encdata(p7, pass, passlen) \
+(STACK *) PKCS12_decrypt_d2i ((p7)->d.encrypted->enc_data->algorithm,\
+                         (char *(*)())d2i_PKCS12_SAFEBAG, PKCS12_SAFEBAG_free, \
+                                                        (pass), (passlen), \
+                        (p7)->d.encrypted->enc_data->enc_data, 3)
+
+#define M_PKCS12_decrypt_skey(bag, pass, passlen) \
+(PKCS8_PRIV_KEY_INFO *) PKCS12_decrypt_d2i ((bag)->value.shkeybag->algor, \
+(char *(*)())d2i_PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free, \
+                                                (pass), (passlen), \
+                         (bag)->value.shkeybag->digest, 2)
+
+#define M_PKCS8_decrypt(p8, pass, passlen) \
+(PKCS8_PRIV_KEY_INFO *) PKCS12_decrypt_d2i ((p8)->algor, \
+(char *(*)())d2i_PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free,\
+                         (pass), (passlen), (p8)->digest, 2)
+
+#define PKCS12_get_attr(bag, attr_nid) \
+                         PKCS12_get_attr_gen(bag->attrib, attr_nid)
+
+#define PKCS8_get_attr(p8, attr_nid) \
+                PKCS12_get_attr_gen(p8->attributes, attr_nid)
+
+#define PKCS12_mac_present(p12) ((p12)->mac ? 1 : 0)
+
+
+PKCS12_SAFEBAG *PKCS12_pack_safebag(char *obj, int (*i2d)(), int nid1, int nid2);
+PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8);
+X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, 
+                        const char *pass, int passlen,
+                        unsigned char *salt, int saltlen, int iter,
+                        PKCS8_PRIV_KEY_INFO *p8);
+PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass,
+                                     int passlen, unsigned char *salt,
+                                     int saltlen, int iter,
+                                     PKCS8_PRIV_KEY_INFO *p8);
+PKCS7 *PKCS12_pack_p7data(STACK *sk);
+PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen,
+                             unsigned char *salt, int saltlen, int iter,
+                             STACK *bags);
+int PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name, int namelen);
+int PKCS12_add_friendlyname_asc(PKCS12_SAFEBAG *bag, const char *name,
+                                int namelen);
+int PKCS12_add_friendlyname_uni(PKCS12_SAFEBAG *bag, const unsigned char *name,
+                                int namelen);
+int PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage);
+ASN1_TYPE *PKCS12_get_attr_gen(STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid);
+char *PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag);
+unsigned char *PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass,
+                                int passlen, unsigned char *in, int inlen,
+                                unsigned char **data, int *datalen, int en_de);
+char *PKCS12_decrypt_d2i(X509_ALGOR *algor, char *(*d2i)(),
+                         void (*free_func)(), const char *pass, int passlen,
+                         ASN1_STRING *oct, int seq);
+ASN1_STRING *PKCS12_i2d_encrypt(X509_ALGOR *algor, int (*i2d)(),
+                                const char *pass, int passlen, char *obj,
+                                int seq);
+PKCS12 *PKCS12_init(int mode);
+int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt,
+                       int saltlen, int id, int iter, int n,
+                       unsigned char *out, const EVP_MD *md_type);
+int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, int saltlen, int id, int iter, int n, unsigned char *out, const EVP_MD *md_type);
+int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
+                         ASN1_TYPE *param, EVP_CIPHER *cipher, EVP_MD *md_type,
+                         int en_de);
+int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
+                         unsigned char *mac, unsigned int *maclen);
+int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen);
+int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
+                   unsigned char *salt, int saltlen, int iter,
+                   EVP_MD *md_type);
+int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt,
+                                         int saltlen, EVP_MD *md_type);
+unsigned char *asc2uni(const char *asc, unsigned char **uni, int *unilen);
+char *uni2asc(unsigned char *uni, int unilen);
+int i2d_PKCS12_BAGS(PKCS12_BAGS *a, unsigned char **pp);
+PKCS12_BAGS *PKCS12_BAGS_new(void);
+PKCS12_BAGS *d2i_PKCS12_BAGS(PKCS12_BAGS **a, unsigned char **pp, long length);
+void PKCS12_BAGS_free(PKCS12_BAGS *a);
+int i2d_PKCS12(PKCS12 *a, unsigned char **pp);
+PKCS12 *d2i_PKCS12(PKCS12 **a, unsigned char **pp, long length);
+PKCS12 *PKCS12_new(void);
+void PKCS12_free(PKCS12 *a);
+int i2d_PKCS12_MAC_DATA(PKCS12_MAC_DATA *a, unsigned char **pp);
+PKCS12_MAC_DATA *PKCS12_MAC_DATA_new(void);
+PKCS12_MAC_DATA *d2i_PKCS12_MAC_DATA(PKCS12_MAC_DATA **a, unsigned char **pp,
+                                                                 long length);
+void PKCS12_MAC_DATA_free(PKCS12_MAC_DATA *a);
+int i2d_PKCS12_SAFEBAG(PKCS12_SAFEBAG *a, unsigned char **pp);
+PKCS12_SAFEBAG *PKCS12_SAFEBAG_new(void);
+PKCS12_SAFEBAG *d2i_PKCS12_SAFEBAG(PKCS12_SAFEBAG **a, unsigned char **pp,
+                                                                 long length);
+void PKCS12_SAFEBAG_free(PKCS12_SAFEBAG *a);
+void ERR_load_PKCS12_strings(void);
+void PKCS12_PBE_add(void);
+int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
+                 STACK **ca);
+PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
+                         STACK *ca, int nid_key, int nid_cert, int iter,
+                                                 int mac_iter, int keytype);
+int i2d_PKCS12_bio(BIO *bp, PKCS12 *p12);
+int i2d_PKCS12_fp(FILE *fp, PKCS12 *p12);
+PKCS12 *d2i_PKCS12_bio(BIO *bp, PKCS12 **p12);
+PKCS12 *d2i_PKCS12_fp(FILE *fp, PKCS12 **p12);
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the PKCS12 functions. */
+
+/* Function codes. */
+#define PKCS12_F_PARSE_BAGS                              103
+#define PKCS12_F_PKCS12_ADD_FRIENDLYNAME                 100
+#define PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC             127
+#define PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI             102
+#define PKCS12_F_PKCS12_ADD_LOCALKEYID                   104
+#define PKCS12_F_PKCS12_CREATE                           105
+#define PKCS12_F_PKCS12_DECRYPT_D2I                      106
+#define PKCS12_F_PKCS12_GEN_MAC                          107
+#define PKCS12_F_PKCS12_I2D_ENCRYPT                      108
+#define PKCS12_F_PKCS12_INIT                             109
+#define PKCS12_F_PKCS12_KEY_GEN_ASC                      110
+#define PKCS12_F_PKCS12_KEY_GEN_UNI                      111
+#define PKCS12_F_PKCS12_MAKE_KEYBAG                      112
+#define PKCS12_F_PKCS12_MAKE_SHKEYBAG                    113
+#define PKCS12_F_PKCS12_PACK_P7DATA                      114
+#define PKCS12_F_PKCS12_PACK_P7ENCDATA                   115
+#define PKCS12_F_PKCS12_PACK_SAFEBAG                     117
+#define PKCS12_F_PKCS12_PARSE                            118
+#define PKCS12_F_PKCS12_PBE_CRYPT                        119
+#define PKCS12_F_PKCS12_PBE_KEYIVGEN                     120
+#define PKCS12_F_PKCS12_SETUP_MAC                        122
+#define PKCS12_F_PKCS12_SET_MAC                          123
+#define PKCS12_F_PKCS8_ADD_KEYUSAGE                      124
+#define PKCS12_F_PKCS8_ENCRYPT                           125
+#define PKCS12_F_VERIFY_MAC                              126
+
+/* Reason codes. */
+#define PKCS12_R_CANT_PACK_STRUCTURE                     100
+#define PKCS12_R_DECODE_ERROR                            101
+#define PKCS12_R_ENCODE_ERROR                            102
+#define PKCS12_R_ENCRYPT_ERROR                           103
+#define PKCS12_R_INVALID_NULL_ARGUMENT                   104
+#define PKCS12_R_INVALID_NULL_PKCS12_POINTER             105
+#define PKCS12_R_IV_GEN_ERROR                            106
+#define PKCS12_R_KEY_GEN_ERROR                           107
+#define PKCS12_R_MAC_ABSENT                              108
+#define PKCS12_R_MAC_GENERATION_ERROR                    109
+#define PKCS12_R_MAC_SETUP_ERROR                         110
+#define PKCS12_R_MAC_STRING_SET_ERROR                    111
+#define PKCS12_R_MAC_VERIFY_ERROR                        112
+#define PKCS12_R_MAC_VERIFY_FAILURE                      113
+#define PKCS12_R_PARSE_ERROR                             114
+#define PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR           115
+#define PKCS12_R_PKCS12_CIPHERFINAL_ERROR                116
+#define PKCS12_R_PKCS12_PBE_CRYPT_ERROR                  117
+#define PKCS12_R_UNKNOWN_DIGEST_ALGORITHM                118
+#define PKCS12_R_UNSUPPORTED_PKCS12_MODE                 119
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/src/lib/libssl/src/crypto/pkcs7/bio_ber.c b/src/lib/libssl/src/crypto/pkcs7/bio_ber.c
new file mode 100644
index 0000000000..2f17723e98
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs7/bio_ber.c
@@ -0,0 +1,450 @@
+/* crypto/evp/bio_ber.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <errno.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/evp.h>
+
+static int ber_write(BIO *h,char *buf,int num);
+static int ber_read(BIO *h,char *buf,int size);
+/*static int ber_puts(BIO *h,char *str); */
+/*static int ber_gets(BIO *h,char *str,int size); */
+static long ber_ctrl(BIO *h,int cmd,long arg1,char *arg2);
+static int ber_new(BIO *h);
+static int ber_free(BIO *data);
+#define BER_BUF_SIZE    (32)
+
+/* This is used to hold the state of the BER objects being read. */
+typedef struct ber_struct
+        {
+        int tag;
+        int class;
+        long length;
+        int inf;
+        int num_left;
+        int depth;
+        } BER_CTX;
+
+typedef struct bio_ber_struct
+        {
+        int tag;
+        int class;
+        long length;
+        int inf;
+
+        /* most of the following are used when doing non-blocking IO */
+        /* reading */
+        long num_left;  /* number of bytes still to read/write in block */
+        int depth;      /* used with idefinite encoding. */
+        int finished;   /* No more read data */
+
+        /* writting */ 
+        char *w_addr;
+        int w_offset;
+        int w_left;
+
+        int buf_len;
+        int buf_off;
+        unsigned char buf[BER_BUF_SIZE];
+        } BIO_BER_CTX;
+
+static BIO_METHOD methods_ber=
+        {
+        BIO_TYPE_CIPHER,"cipher",
+        ber_write,
+        ber_read,
+        NULL, /* ber_puts, */
+        NULL, /* ber_gets, */
+        ber_ctrl,
+        ber_new,
+        ber_free,
+        };
+
+BIO_METHOD *BIO_f_ber(void)
+        {
+        return(&methods_ber);
+        }
+
+static int ber_new(BIO *bi)
+        {
+        BIO_BER_CTX *ctx;
+
+        ctx=(BIO_BER_CTX *)Malloc(sizeof(BIO_BER_CTX));
+        if (ctx == NULL) return(0);
+
+        memset((char *)ctx,0,sizeof(BIO_BER_CTX));
+
+        bi->init=0;
+        bi->ptr=(char *)ctx;
+        bi->flags=0;
+        return(1);
+        }
+
+static int ber_free(BIO *a)
+        {
+        BIO_BER_CTX *b;
+
+        if (a == NULL) return(0);
+        b=(BIO_BER_CTX *)a->ptr;
+        memset(a->ptr,0,sizeof(BIO_BER_CTX));
+        Free(a->ptr);
+        a->ptr=NULL;
+        a->init=0;
+        a->flags=0;
+        return(1);
+        }
+
+int bio_ber_get_header(BIO *bio, BIO_BER_CTX *ctx)
+        {
+        char buf[64];
+        int i,j,n;
+        int ret;
+        unsigned char *p;
+        unsigned long length
+        int tag;
+        int class;
+        long max;
+
+        BIO_clear_retry_flags(b);
+
+        /* Pack the buffer down if there is a hole at the front */
+        if (ctx->buf_off != 0)
+                {
+                p=ctx->buf;
+                j=ctx->buf_off;
+                n=ctx->buf_len-j;
+                for (i=0; i<n; i++)
+                        {
+                        p[0]=p[j];
+                        p++;
+                        }
+                ctx->buf_len-j;
+                ctx->buf_off=0;
+                }
+
+        /* If there is more room, read some more data */
+        i=BER_BUF_SIZE-ctx->buf_len;
+        if (i)
+                {
+                i=BIO_read(bio->next_bio,&(ctx->buf[ctx->buf_len]),i);
+                if (i <= 0)
+                        {
+                        BIO_copy_next_retry(b);
+                        return(i);
+                        }
+                else
+                        ctx->buf_len+=i;
+                }
+
+        max=ctx->buf_len;
+        p=ctx->buf;
+        ret=ASN1_get_object(&p,&length,&tag,&class,max);
+
+        if (ret & 0x80)
+                {
+                if ((ctx->buf_len < BER_BUF_SIZE) &&
+                        (ERR_GET_REASON(ERR_peek_error()) == ASN1_R_TOO_LONG))
+                        {
+                        ERR_get_error(); /* clear the error */
+                        BIO_set_retry_read(b);
+                        }
+                return(-1);
+                }
+
+        /* We have no error, we have a header, so make use of it */
+
+        if ((ctx->tag  >= 0) && (ctx->tag != tag))
+                {
+                BIOerr(BIO_F_BIO_BER_GET_HEADER,BIO_R_TAG_MISMATCH);
+                sprintf(buf,"tag=%d, got %d",ctx->tag,tag);
+                ERR_add_error_data(1,buf);
+                return(-1);
+                }
+        if (ret & 0x01)
+        if (ret & V_ASN1_CONSTRUCTED)
+        }
+        
+static int ber_read(BIO *b, char *out, int outl)
+        {
+        int ret=0,i,n;
+        BIO_BER_CTX *ctx;
+
+        BIO_clear_retry_flags(b);
+
+        if (out == NULL) return(0);
+        ctx=(BIO_BER_CTX *)b->ptr;
+
+        if ((ctx == NULL) || (b->next_bio == NULL)) return(0);
+
+        if (ctx->finished) return(0);
+
+again:
+        /* First see if we are half way through reading a block */
+        if (ctx->num_left > 0)
+                {
+                if (ctx->num_left < outl)
+                        n=ctx->num_left;
+                else
+                        n=outl;
+                i=BIO_read(b->next_bio,out,n);
+                if (i <= 0)
+                        {
+                        BIO_copy_next_retry(b);
+                        return(i);
+                        }
+                ctx->num_left-=i;
+                outl-=i;
+                ret+=i;
+                if (ctx->num_left <= 0)
+                        {
+                        ctx->depth--;
+                        if (ctx->depth <= 0)
+                                ctx->finished=1;
+                        }
+                if (outl <= 0)
+                        return(ret);
+                else
+                        goto again;
+                }
+        else    /* we need to read another BER header */
+                {
+                }
+        }
+
+static int ber_write(BIO *b, char *in, int inl)
+        {
+        int ret=0,n,i;
+        BIO_ENC_CTX *ctx;
+
+        ctx=(BIO_ENC_CTX *)b->ptr;
+        ret=inl;
+
+        BIO_clear_retry_flags(b);
+        n=ctx->buf_len-ctx->buf_off;
+        while (n > 0)
+                {
+                i=BIO_write(b->next_bio,&(ctx->buf[ctx->buf_off]),n);
+                if (i <= 0)
+                        {
+                        BIO_copy_next_retry(b);
+                        return(i);
+                        }
+                ctx->buf_off+=i;
+                n-=i;
+                }
+        /* at this point all pending data has been written */
+
+        if ((in == NULL) || (inl <= 0)) return(0);
+
+        ctx->buf_off=0;
+        while (inl > 0)
+                {
+                n=(inl > ENC_BLOCK_SIZE)?ENC_BLOCK_SIZE:inl;
+                EVP_CipherUpdate(&(ctx->cipher),
+                        (unsigned char *)ctx->buf,&ctx->buf_len,
+                        (unsigned char *)in,n);
+                inl-=n;
+                in+=n;
+
+                ctx->buf_off=0;
+                n=ctx->buf_len;
+                while (n > 0)
+                        {
+                        i=BIO_write(b->next_bio,&(ctx->buf[ctx->buf_off]),n);
+                        if (i <= 0)
+                                {
+                                BIO_copy_next_retry(b);
+                                return(i);
+                                }
+                        n-=i;
+                        ctx->buf_off+=i;
+                        }
+                ctx->buf_len=0;
+                ctx->buf_off=0;
+                }
+        BIO_copy_next_retry(b);
+        return(ret);
+        }
+
+static long ber_ctrl(BIO *b, int cmd, long num, char *ptr)
+        {
+        BIO *dbio;
+        BIO_ENC_CTX *ctx,*dctx;
+        long ret=1;
+        int i;
+
+        ctx=(BIO_ENC_CTX *)b->ptr;
+
+        switch (cmd)
+                {
+        case BIO_CTRL_RESET:
+                ctx->ok=1;
+                ctx->finished=0;
+                EVP_CipherInit(&(ctx->cipher),NULL,NULL,NULL,
+                        ctx->cipher.berrypt);
+                ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+                break;
+        case BIO_CTRL_EOF:      /* More to read */
+                if (ctx->cont <= 0)
+                        ret=1;
+                else
+                        ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+                break;
+        case BIO_CTRL_WPENDING:
+                ret=ctx->buf_len-ctx->buf_off;
+                if (ret <= 0)
+                        ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+                break;
+        case BIO_CTRL_PENDING: /* More to read in buffer */
+                ret=ctx->buf_len-ctx->buf_off;
+                if (ret <= 0)
+                        ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+                break;
+        case BIO_CTRL_FLUSH:
+                /* do a final write */
+again:
+                while (ctx->buf_len != ctx->buf_off)
+                        {
+                        i=ber_write(b,NULL,0);
+                        if (i < 0)
+                                {
+                                ret=i;
+                                break;
+                                }
+                        }
+
+                if (!ctx->finished)
+                        {
+                        ctx->finished=1;
+                        ctx->buf_off=0;
+                        ret=EVP_CipherFinal(&(ctx->cipher),
+                                (unsigned char *)ctx->buf,
+                                &(ctx->buf_len));
+                        ctx->ok=(int)ret;
+                        if (ret <= 0) break;
+
+                        /* push out the bytes */
+                        goto again;
+                        }
+                
+                /* Finally flush the underlying BIO */
+                ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+                break;
+        case BIO_C_GET_CIPHER_STATUS:
+                ret=(long)ctx->ok;
+                break;
+        case BIO_C_DO_STATE_MACHINE:
+                BIO_clear_retry_flags(b);
+                ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+                BIO_copy_next_retry(b);
+                break;
+
+        case BIO_CTRL_DUP:
+                dbio=(BIO *)ptr;
+                dctx=(BIO_ENC_CTX *)dbio->ptr;
+                memcpy(&(dctx->cipher),&(ctx->cipher),sizeof(ctx->cipher));
+                dbio->init=1;
+                break;
+        default:
+                ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+                break;
+                }
+        return(ret);
+        }
+
+/*
+void BIO_set_cipher_ctx(b,c)
+BIO *b;
+EVP_CIPHER_ctx *c;
+        {
+        if (b == NULL) return;
+
+        if ((b->callback != NULL) &&
+                (b->callback(b,BIO_CB_CTRL,(char *)c,BIO_CTRL_SET,e,0L) <= 0))
+                return;
+
+        b->init=1;
+        ctx=(BIO_ENC_CTX *)b->ptr;
+        memcpy(ctx->cipher,c,sizeof(EVP_CIPHER_CTX));
+        
+        if (b->callback != NULL)
+                b->callback(b,BIO_CB_CTRL,(char *)c,BIO_CTRL_SET,e,1L);
+        }
+*/
+
+void BIO_set_cipher(BIO *b, EVP_CIPHER *c, unsigned char *k, unsigned char *i,
+             int e)
+        {
+        BIO_ENC_CTX *ctx;
+
+        if (b == NULL) return;
+
+        if ((b->callback != NULL) &&
+                (b->callback(b,BIO_CB_CTRL,(char *)c,BIO_CTRL_SET,e,0L) <= 0))
+                return;
+
+        b->init=1;
+        ctx=(BIO_ENC_CTX *)b->ptr;
+        EVP_CipherInit(&(ctx->cipher),c,k,i,e);
+        
+        if (b->callback != NULL)
+                b->callback(b,BIO_CB_CTRL,(char *)c,BIO_CTRL_SET,e,1L);
+        }
+
diff --git a/src/lib/libssl/src/crypto/pkcs7/dec.c b/src/lib/libssl/src/crypto/pkcs7/dec.c
new file mode 100644
index 0000000000..b3661f28d3
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs7/dec.c
@@ -0,0 +1,246 @@
+/* crypto/pkcs7/verify.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/bio.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include <openssl/asn1.h>
+
+int verify_callback(int ok, X509_STORE_CTX *ctx);
+
+BIO *bio_err=NULL;
+
+int main(argc,argv)
+int argc;
+char *argv[];
+        {
+        char *keyfile=NULL;
+        BIO *in;
+        EVP_PKEY *pkey;
+        X509 *x509;
+        PKCS7 *p7;
+        PKCS7_SIGNER_INFO *si;
+        X509_STORE_CTX cert_ctx;
+        X509_STORE *cert_store=NULL;
+        BIO *data,*detached=NULL,*p7bio=NULL;
+        char buf[1024*4];
+        unsigned char *pp;
+        int i,printit=0;
+        STACK_OF(PKCS7_SIGNER_INFO) *sk;
+
+        SSLeay_add_all_algorithms();
+        bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
+
+        data=BIO_new(BIO_s_file());
+        pp=NULL;
+        while (argc > 1)
+                {
+                argc--;
+                argv++;
+                if (strcmp(argv[0],"-p") == 0)
+                        {
+                        printit=1;
+                        }
+                else if ((strcmp(argv[0],"-k") == 0) && (argc >= 2)) {
+                        keyfile = argv[1];
+                        argc-=1;
+                        argv+=1;
+                } else if ((strcmp(argv[0],"-d") == 0) && (argc >= 2))
+                        {
+                        detached=BIO_new(BIO_s_file());
+                        if (!BIO_read_filename(detached,argv[1]))
+                                goto err;
+                        argc-=1;
+                        argv+=1;
+                        }
+                else break;
+                }
+
+         if (!BIO_read_filename(data,argv[0])) goto err; 
+
+        if(!keyfile) {
+                fprintf(stderr, "No private key file specified\n");
+                goto err;
+        }
+
+        if ((in=BIO_new_file(keyfile,"r")) == NULL) goto err;
+        if ((x509=PEM_read_bio_X509(in,NULL,NULL)) == NULL) goto err;
+        BIO_reset(in);
+        if ((pkey=PEM_read_bio_PrivateKey(in,NULL,NULL)) == NULL) goto err;
+        BIO_free(in);
+
+        if (pp == NULL)
+                BIO_set_fp(data,stdin,BIO_NOCLOSE);
+
+
+        /* Load the PKCS7 object from a file */
+        if ((p7=PEM_read_bio_PKCS7(data,NULL,NULL)) == NULL) goto err;
+
+
+
+        /* This stuff is being setup for certificate verification.
+         * When using SSL, it could be replaced with a 
+         * cert_stre=SSL_CTX_get_cert_store(ssl_ctx); */
+        cert_store=X509_STORE_new();
+        X509_STORE_set_default_paths(cert_store);
+        X509_STORE_load_locations(cert_store,NULL,"../../certs");
+        X509_STORE_set_verify_cb_func(cert_store,verify_callback);
+
+        ERR_clear_error();
+
+        /* We need to process the data */
+        /* We cannot support detached encryption */
+        p7bio=PKCS7_dataDecode(p7,pkey,detached,x509);
+        
+        if (p7bio == NULL)
+                {
+                printf("problems decoding\n");
+                goto err;
+                }
+
+        /* We now have to 'read' from p7bio to calculate digests etc. */
+        for (;;)
+                {
+                i=BIO_read(p7bio,buf,sizeof(buf));
+                /* print it? */
+                if (i <= 0) break;
+                fwrite(buf,1, i, stdout);
+                }
+
+        /* We can now verify signatures */
+        sk=PKCS7_get_signer_info(p7);
+        if (sk == NULL)
+                {
+                fprintf(stderr, "there are no signatures on this data\n");
+                }
+        else
+                {
+                /* Ok, first we need to, for each subject entry,
+                 * see if we can verify */
+                ERR_clear_error();
+                for (i=0; i<sk_PKCS7_SIGNER_INFO_num(sk); i++)
+                        {
+                        si=sk_PKCS7_SIGNER_INFO_value(sk,i);
+                        i=PKCS7_dataVerify(cert_store,&cert_ctx,p7bio,p7,si);
+                        if (i <= 0)
+                                goto err;
+                        else
+                                fprintf(stderr,"Signature verified\n");
+                        }
+                }
+        X509_STORE_free(cert_store);
+
+        exit(0);
+err:
+        ERR_load_crypto_strings();
+        ERR_print_errors_fp(stderr);
+        exit(1);
+        }
+
+/* should be X509 * but we can just have them as char *. */
+int verify_callback(int ok, X509_STORE_CTX *ctx)
+        {
+        char buf[256];
+        X509 *err_cert;
+        int err,depth;
+
+        err_cert=X509_STORE_CTX_get_current_cert(ctx);
+        err=    X509_STORE_CTX_get_error(ctx);
+        depth=  X509_STORE_CTX_get_error_depth(ctx);
+
+        X509_NAME_oneline(X509_get_subject_name(err_cert),buf,256);
+        BIO_printf(bio_err,"depth=%d %s\n",depth,buf);
+        if (!ok)
+                {
+                BIO_printf(bio_err,"verify error:num=%d:%s\n",err,
+                        X509_verify_cert_error_string(err));
+                if (depth < 6)
+                        {
+                        ok=1;
+                        X509_STORE_CTX_set_error(ctx,X509_V_OK);
+                        }
+                else
+                        {
+                        ok=0;
+                        X509_STORE_CTX_set_error(ctx,X509_V_ERR_CERT_CHAIN_TOO_LONG);
+                        }
+                }
+        switch (ctx->error)
+                {
+        case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+                X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,256);
+                BIO_printf(bio_err,"issuer= %s\n",buf);
+                break;
+        case X509_V_ERR_CERT_NOT_YET_VALID:
+        case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+                BIO_printf(bio_err,"notBefore=");
+                ASN1_UTCTIME_print(bio_err,X509_get_notBefore(ctx->current_cert));
+                BIO_printf(bio_err,"\n");
+                break;
+        case X509_V_ERR_CERT_HAS_EXPIRED:
+        case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+                BIO_printf(bio_err,"notAfter=");
+                ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ctx->current_cert));
+                BIO_printf(bio_err,"\n");
+                break;
+                }
+        BIO_printf(bio_err,"verify return:%d\n",ok);
+        return(ok);
+        }
diff --git a/src/lib/libssl/src/crypto/pkcs7/des.pem b/src/lib/libssl/src/crypto/pkcs7/des.pem
new file mode 100644
index 0000000000..62d1657e3e
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs7/des.pem
@@ -0,0 +1,15 @@
+
+MIAGCSqGSIb3DQEHA6CAMIACAQAxggHmMIHwAgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEG
+A1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
+dCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNUUkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQD
+ExJERU1PIFpFUk8gVkFMVUUgQ0ECAgR+MA0GCSqGSIb3DQEBAQUABEC2vXI1xQDW6lUHM3zQ
+/9uBEBOO5A3TtkrklAXq7v01gsIC21t52qSk36REXY+slhNZ0OQ349tgkTsoETHFLoEwMIHw
+AgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMI
+QnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29mdCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNU
+UkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQDExJERU1PIFpFUk8gVkFMVUUgQ0ECAgR9MA0G
+CSqGSIb3DQEBAQUABEB8ujxbabxXUYJhopuDm3oDq4JNqX6Io4p3ro+ShqfIndsXTZ1v5a2N
+WtLLCWlHn/habjBwZ/DgQgcKASbZ7QxNMIAGCSqGSIb3DQEHATAaBggqhkiG9w0DAjAOAgIA
+oAQIbsL5v1wX98KggAQoAaJ4WHm68fXY1WE5OIjfVBIDpO1K+i8dmKhjnAjrjoyZ9Bwc8rDL
+lgQg4CXb805h5xl+GfvSwUaHJayte1m2mcOhs3J2YyqbQ+MEIMIiJQccmhO3oDKm36CFvYR8
+5PjpclVcZyX2ngbwPFMnBAgy0clOAE6UKAAAAAAAAAAAAAA=
+
diff --git a/src/lib/libssl/src/crypto/pkcs7/es1.pem b/src/lib/libssl/src/crypto/pkcs7/es1.pem
new file mode 100644
index 0000000000..47112a238f
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs7/es1.pem
@@ -0,0 +1,66 @@
+-----BEGIN PKCS7-----
+MIAGCSqGSIb3DQEHA6CAMIACAQAxggHmMIHwAgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEG
+A1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
+dCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNUUkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQD
+ExJERU1PIFpFUk8gVkFMVUUgQ0ECAgRuMA0GCSqGSIb3DQEBAQUABEDWak0y/5XZJhQJeCLo
+KECcHXkTEbjzYkYNHIinbiPmRK4QbNfs9z2mA3z/c2ykQ4eAqFR2jyNrUMN/+I5XEiv6MIHw
+AgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMI
+QnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29mdCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNU
+UkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQDExJERU1PIFpFUk8gVkFMVUUgQ0ECAgR9MA0G
+CSqGSIb3DQEBAQUABEAWg9+KgtCjc77Jdj1Ve4wGgHjVHbbSYEA1ZqKFDoi15vSr9hfpHmC4
+ycZzcRo16JkTfolefiHZzmyjVz94vSN6MIAGCSqGSIb3DQEHATAaBggqhkiG9w0DAjAOAgIA
+oAQI7X4Tk4mcbV6ggASBsHl1mCaJ3RhXWlNPCgCRU53d7M5x6TDZRkvwdtdvW96m1lupT03F
+XtonkBqk7oMkH7kGfs5/REQOPjx0QE2Ixmgt1W3szum82EZwA7pZNppcraK7W/odw/7bYZO+
+II3HPmRklE2N9qiu1LPaPUsnYogkO6SennyeL5tZ382vBweL/8pnG0qsbT1OBb65v+llnsjT
+pa1T/p+fIx/iJJGE6K9fYFokC6gXLQ6ozXRdOu5oBDB8mPCYYvAqKycidM/MrGGUkpEtS4f0
+lS31PwQi5YTim8Ig3/TOwVpPX32i46FTuEIEIMHkD/OvpfwCCzXUHHJnKnKUAUvIsSY3vGBs
+8ezpUDfBBBj9LHDy32hZ2tQilkDefP5VM2LLdrWgamYEgfiyITQvn08Ul5lQOQxbFKBheFq5
+otCCN4MR+w5eq12xQu6y+f9z0159ag2ru87D0lLtUtXXtCELbO1nUkT2sJ0k/iDs9TOXr6Cx
+go1XKYho83hlkXYiCteVizdAbgVGNsNRD4wtIdajsorET/LuJECgp11YeL9w1dlDB0HLEZfi
+XCsUphH4jGagba3hDeUSibnjSiJlN0ukfuQurBBbI2UkBAujiEAubKPn7C1FZJRSw6CPPX5t
+KEpmcqT1JNk6LO8Js6/1sCmmBh1VGCy1+EuTI9J1p7Dagf4nQ8cHitoCRpHuKZlFHnZyv7tw
+Rn/KOhHaYP2VzAh40gQIvKMAAWh9oFsEEIMwIoOmLwLH5wf+8QdbDhoECH8HwZt9a12dBAjL
+r4j2zlvtfgQIt7nmEM3wz1EECKlc3EIy1irCBBCAKINcermK3A+jI6ISN2RzBFA3dsh/xwMu
+l61aWMBBZzEz/SF92k6n35KZhCC0d6fIVC/1WMv0fnCwQ8oEDynSre216VEFiYKBaQLJe5o/
+mTAxC7Ht3goXnuc+i1FItOkLrgRI/wyvTICEn2WsNZiMADnGaee2bqPnUopo+VMGexJEtCPk
+l0ZNlDJGquPDkpUwaEtecVZzCNyVPYyyF4J/l8rmGDhDdYUIC8IKBEg/ip/E0BuubBLWVbv+
+HRl4QrnGpyCyeXRXXK603QP3sT1Zbbm1v5pI/loOhVHi724LmtXHSyp5qv9MDcxE1PoX10LY
+gBRtlwwESPeCF8bK5jk4xIQMhK5NMHj1Y1KQWTZ9NGITBL4hjRq2qp4Qk5GIpGgOVPopAuCo
+TIyPikpqBRNtLSPRSsDs6QPUPzWBh6JgxwRQblnDKKUkxUcnJiD4i9QtGa/ZabMn4KxtNOBL
+5JSh1nJkaLXCZY070131WWPAByLcd5TiXq8x84pmzV5NNk4tiMpoXhJNsx8e4rskQQlKd6ME
+SCe2eYDHKcKPX3WJbUzhrJSQ92/aWnI2iUY8WQ+kSNyiZ2QUjyuUg9Z66g/0d2STlvPOBHT/
+y5ODP2CwbcWX4QmCbUc9TT66fQRIrRVuwvtOfnUueyGgYhJ3HpAJfVaB/7kap5bj7Fi/azW4
+9JDfd1bC/W9h0Kyk7RO2gxvE0hIHc26mZJHTm9MNP5D328MnM2MdBEjKjQBtgrp+lFIii7MP
+nGHFTKUkG4WAIZJCf/CsT+p6/SW0qG71Me/YcSw5STB24j+a+HgMV8RVIeUlkP4z0IWWrSoB
+Gh4d/Z0EUMCVHs/HZ/bWgiyhtHpvuVAzidm8D81p1LJ5BQX5/5f/m+q5+fS/npL27dTEbNqs
+LSB6ij3MZAi7LwHWpTn9zWnDajCMEj9vlaV7mcKtHK5iBEg85agFi1h3MvicqLtoFe5hVv9T
+tG0j6CRkjkixPzivltlrf44KHv14gLM0XJxCGyq7vd3l8QYr3+9at0zNnX/yqTiBnsnE5dUE
+SIgrYuz87M2gi/ER9PcDoTtONH3+CkcqVy03q/Sj8cVWD/b1KgEhqnNOfc8Ak9PctyR/ItcR
+8Me5XVn1GJKkQJk4O29fxvgNoAQIrIESvUWGshAEQByXiFoFTDUByjTlgjcy77H1lrH+y3P/
+wAInJjJAut9kCNyGJV0PA4kdPB5USWltuO6t8gk4Pd2YBMl09zqUWkAEUCjFrtZ3mapjcGZI
+uQTASKR5LSjXoWxTT5gae/+64MerF/oCEeO3ehRTpjnPrsiRDo0rWIQTaj9+Nro8Z2xtWstw
+RnfoAHIxV1lEamPwjsceBEi2SD9hiifFeO5ECiVoaE1FdXUXhU+jwYAMx6jHWO9hMkYzS9pM
+Y3IyWR5ybtOjiQgkUdvRJPUPGf5DVVMPnymGX25aDh5PYpIESPbsM9akCpOOVuscywcUswmU
+o7dXvlB48WWCfg/al3BQKAZbn5ZXtWNwpUZkrEdHsrxAVv3rxRcdkT3Z1fzUbIuYkLJN200o
+WgRIJvn6RO8KEj7/HOg2sYuuM8nz1kR0TSgwX7/0y/7JfjBa0JIlP7o75sNJscE8oyoIMzuy
+Dvn6/U9g3BCDXn83A/s+ke60qn9gBFC6NAeLOlXal1YVWYhMQNOqCyUfAjiXBTawaysQb1Mk
+YgeNlF8xuEFcUQWIP+vNG7FJ5JPMaMRL4YEoaQ3sVFhYOERJR1cSb+8xt4QCYtBKQgRIUOmJ
+CHW5o1hXJWJiTkZK2qWFcEMzTINSj5EpYFySr8aVBjkRnI7vxegRT/+XZZXoYedQ3UNsnGI3
+DdkWii5VzX0PNF6C60pfBEiVpausYuX7Wjb3Lfm8cBj7GgN69i6Pm2gxtobVcmpo2nS4D714
+ePyhlX9n8kJ6QAcqWMRj22smDPrHVGNTizfzHBh5zNllK9gESJizILOWI327og3ZWp+qUht5
+kNDJCzMK7Z09UAy+h+vq0VTQuEo3FgLzVdqkJujjSL4Nx97lXg51AovrEn3nd4evydwcjKLX
+1wRIo72NaeWuUEQ+rt1SlCsOJ7k1ioJSqhrPOfvwcaFcb4beVet1JWiy4yvowTjLDGbUje2s
+xjrlVt4BJWI/uA6jbQsrxSe89ADZBAi5YAlR4qszeAQIXD3VSBVKbRUECNTtyvw9vvqXBAhb
+IZNn4H4cxgQI+XW7GkfL+ekECCCCg2reMyGDBAh1PYqkg3lw3gQQkNlggEPU+BH8eh7Gm7n7
+7AQIjC5EWbkil5cEEKcpuqwTWww/X89KnQAg8TcECJPomqHvrlZFBBiRSuIiHpmN+PaujXpv
+qZV2VhjkB2j09GEECOIdv8AVOJgKBAjlHgIqAD9jZQQIXHbs44+wogcEIGGqTACRJxrhMcMG
+X8drNjksIPt+snxTXUBIkTVpZWoABAh6unXPTyIr8QQgBF8xKoX27MWk7iTNmkSNZggZXa2a
+DWCGHSYLngbSOHIECD9XmO6VsvTgBAjfqB70CEW4WwQIVIBkbCocznUEEHB/zFXy/sR4OYHe
+UfbNPnIEEDWBB/NTCLMGE+o8BfyujcAECFik7GQnnF9VBBAhLXExQeWAofZNc6NtN7qZBCC1
+gVIS3ruTwKltmcrgx3heT3M8ZJhCfWa+6KzchnmKygQQ+1NL5sSzR4m/fdrqxHFyUAQYCT2x
+PamQr3wK3h0lyZER+4H0zPM86AhFBBC3CkmvL2vjflMfujnzPBVpBBge9rMbI5+0q9DLrTiT
+5F3AIgXLpD8PQWAECHkHVo6RomV3BAgMbi8E271UeAQIqtS8wnI3XngECG3TWmOMb3/iBEha
+y+mvCS6I3n3JfL8e1B5P4qX9/czJRaERLuKpGNjLiL4A+zxN0LZ0UHd0qfmJjwOTxAx3iJAC
+lGXX4nB9ATYPUT5EU+o1Y4sECN01pP6vWNIdBDAsiE0Ts8/9ltJlqX2B3AoOM4qOt9EaCjXf
+lB+aEmrhtjUwuZ6GqS5Ke7P6XnakTk4ECCLIMatNdootAAAAAAAAAAAAAA==
+-----END PKCS7-----
diff --git a/src/lib/libssl/src/crypto/pkcs7/example.c b/src/lib/libssl/src/crypto/pkcs7/example.c
new file mode 100644
index 0000000000..7354890084
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs7/example.c
@@ -0,0 +1,327 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/pkcs7.h>
+#include <openssl/asn1_mac.h>
+
+int add_signed_time(PKCS7_SIGNER_INFO *si)
+        {
+        ASN1_UTCTIME *sign_time;
+
+        /* The last parameter is the amount to add/subtract from the current
+         * time (in seconds) */
+        sign_time=X509_gmtime_adj(NULL,0);
+        PKCS7_add_signed_attribute(si,NID_pkcs9_signingTime,
+                V_ASN1_UTCTIME,(char *)sign_time);
+        return(1);
+        }
+
+ASN1_UTCTIME *get_signed_time(PKCS7_SIGNER_INFO *si)
+        {
+        ASN1_TYPE *so;
+
+        so=PKCS7_get_signed_attribute(si,NID_pkcs9_signingTime);
+        if (so->type == V_ASN1_UTCTIME)
+            return so->value.utctime;
+        return NULL;
+        }
+        
+static int signed_string_nid= -1;
+
+void add_signed_string(PKCS7_SIGNER_INFO *si, char *str)
+        {
+        ASN1_OCTET_STRING *os;
+
+        /* To a an object of OID 1.2.3.4.5, which is an octet string */
+        if (signed_string_nid == -1)
+                signed_string_nid=
+                        OBJ_create("1.2.3.4.5","OID_example","Our example OID");
+        os=ASN1_OCTET_STRING_new();
+        ASN1_OCTET_STRING_set(os,str,strlen(str));
+        /* When we add, we do not free */
+        PKCS7_add_signed_attribute(si,signed_string_nid,
+                V_ASN1_OCTET_STRING,(char *)os);
+        }
+
+int get_signed_string(PKCS7_SIGNER_INFO *si, char *buf, int len)
+        {
+        ASN1_TYPE *so;
+        ASN1_OCTET_STRING *os;
+        int i;
+
+        if (signed_string_nid == -1)
+                signed_string_nid=
+                        OBJ_create("1.2.3.4.5","OID_example","Our example OID");
+        /* To retrieve */
+        so=PKCS7_get_signed_attribute(si,signed_string_nid);
+        if (so != NULL)
+                {
+                if (so->type == V_ASN1_OCTET_STRING)
+                        {
+                        os=so->value.octet_string;
+                        i=os->length;
+                        if ((i+1) > len)
+                                i=len-1;
+                        memcpy(buf,os->data,i);
+                        return(i);
+                        }
+                }
+        return(0);
+        }
+
+static signed_seq2string_nid= -1;
+/* ########################################### */
+int add_signed_seq2string(PKCS7_SIGNER_INFO *si, char *str1, char *str2)
+        {
+        /* To add an object of OID 1.9.999, which is a sequence containing
+         * 2 octet strings */
+        unsigned char *p;
+        ASN1_OCTET_STRING *os1,*os2;
+        ASN1_STRING *seq;
+        unsigned char *data;
+        int i,total;
+
+        if (signed_seq2string_nid == -1)
+                signed_seq2string_nid=
+                        OBJ_create("1.9.9999","OID_example","Our example OID");
+
+        os1=ASN1_OCTET_STRING_new();
+        os2=ASN1_OCTET_STRING_new();
+        ASN1_OCTET_STRING_set(os1,str1,strlen(str1));
+        ASN1_OCTET_STRING_set(os2,str1,strlen(str1));
+        i =i2d_ASN1_OCTET_STRING(os1,NULL);
+        i+=i2d_ASN1_OCTET_STRING(os2,NULL);
+        total=ASN1_object_size(1,i,V_ASN1_SEQUENCE);
+
+        data=malloc(total);
+        p=data;
+        ASN1_put_object(&p,1,i,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);
+        i2d_ASN1_OCTET_STRING(os1,&p);
+        i2d_ASN1_OCTET_STRING(os2,&p);
+
+        seq=ASN1_STRING_new();
+        ASN1_STRING_set(seq,data,total);
+        free(data);
+        ASN1_OCTET_STRING_free(os1);
+        ASN1_OCTET_STRING_free(os2);
+
+        PKCS7_add_signed_attribute(si,signed_seq2string_nid,
+                V_ASN1_SEQUENCE,(char *)seq);
+        return(1);
+        }
+
+/* For this case, I will malloc the return strings */
+int get_signed_seq2string(PKCS7_SIGNER_INFO *si, char **str1, char **str2)
+        {
+        ASN1_TYPE *so;
+
+        if (signed_seq2string_nid == -1)
+                signed_seq2string_nid=
+                        OBJ_create("1.9.9999","OID_example","Our example OID");
+        /* To retrieve */
+        so=PKCS7_get_signed_attribute(si,signed_seq2string_nid);
+        if (so && (so->type == V_ASN1_SEQUENCE))
+                {
+                ASN1_CTX c;
+                ASN1_STRING *s;
+                long length;
+                ASN1_OCTET_STRING *os1,*os2;
+
+                s=so->value.sequence;
+                c.p=ASN1_STRING_data(s);
+                c.max=c.p+ASN1_STRING_length(s);
+                if (!asn1_GetSequence(&c,&length)) goto err;
+                /* Length is the length of the seqence */
+
+                c.q=c.p;
+                if ((os1=d2i_ASN1_OCTET_STRING(NULL,&c.p,c.slen)) == NULL) 
+                        goto err;
+                c.slen-=(c.p-c.q);
+
+                c.q=c.p;
+                if ((os2=d2i_ASN1_OCTET_STRING(NULL,&c.p,c.slen)) == NULL) 
+                        goto err;
+                c.slen-=(c.p-c.q);
+
+                if (!asn1_Finish(&c)) goto err;
+                *str1=malloc(os1->length+1);
+                *str2=malloc(os2->length+1);
+                memcpy(*str1,os1->data,os1->length);
+                memcpy(*str2,os2->data,os2->length);
+                (*str1)[os1->length]='\0';
+                (*str2)[os2->length]='\0';
+                ASN1_OCTET_STRING_free(os1);
+                ASN1_OCTET_STRING_free(os2);
+                return(1);
+                }
+err:
+        return(0);
+        }
+
+
+/* #######################################
+ * THE OTHER WAY TO DO THINGS
+ * #######################################
+ */
+X509_ATTRIBUTE *create_time(void)
+        {
+        ASN1_UTCTIME *sign_time;
+        X509_ATTRIBUTE *ret;
+
+        /* The last parameter is the amount to add/subtract from the current
+         * time (in seconds) */
+        sign_time=X509_gmtime_adj(NULL,0);
+        ret=X509_ATTRIBUTE_create(NID_pkcs9_signingTime,
+                V_ASN1_UTCTIME,(char *)sign_time);
+        return(ret);
+        }
+
+ASN1_UTCTIME *sk_get_time(STACK_OF(X509_ATTRIBUTE) *sk)
+        {
+        ASN1_TYPE *so;
+        PKCS7_SIGNER_INFO si;
+
+        si.auth_attr=sk;
+        so=PKCS7_get_signed_attribute(&si,NID_pkcs9_signingTime);
+        if (so->type == V_ASN1_UTCTIME)
+            return so->value.utctime;
+        return NULL;
+        }
+        
+X509_ATTRIBUTE *create_string(char *str)
+        {
+        ASN1_OCTET_STRING *os;
+        X509_ATTRIBUTE *ret;
+
+        /* To a an object of OID 1.2.3.4.5, which is an octet string */
+        if (signed_string_nid == -1)
+                signed_string_nid=
+                        OBJ_create("1.2.3.4.5","OID_example","Our example OID");
+        os=ASN1_OCTET_STRING_new();
+        ASN1_OCTET_STRING_set(os,str,strlen(str));
+        /* When we add, we do not free */
+        ret=X509_ATTRIBUTE_create(signed_string_nid,
+                V_ASN1_OCTET_STRING,(char *)os);
+        return(ret);
+        }
+
+int sk_get_string(STACK_OF(X509_ATTRIBUTE) *sk, char *buf, int len)
+        {
+        ASN1_TYPE *so;
+        ASN1_OCTET_STRING *os;
+        int i;
+        PKCS7_SIGNER_INFO si;
+
+        si.auth_attr=sk;
+
+        if (signed_string_nid == -1)
+                signed_string_nid=
+                        OBJ_create("1.2.3.4.5","OID_example","Our example OID");
+        /* To retrieve */
+        so=PKCS7_get_signed_attribute(&si,signed_string_nid);
+        if (so != NULL)
+                {
+                if (so->type == V_ASN1_OCTET_STRING)
+                        {
+                        os=so->value.octet_string;
+                        i=os->length;
+                        if ((i+1) > len)
+                                i=len-1;
+                        memcpy(buf,os->data,i);
+                        return(i);
+                        }
+                }
+        return(0);
+        }
+
+X509_ATTRIBUTE *add_seq2string(PKCS7_SIGNER_INFO *si, char *str1, char *str2)
+        {
+        /* To add an object of OID 1.9.999, which is a sequence containing
+         * 2 octet strings */
+        unsigned char *p;
+        ASN1_OCTET_STRING *os1,*os2;
+        ASN1_STRING *seq;
+        X509_ATTRIBUTE *ret;
+        unsigned char *data;
+        int i,total;
+
+        if (signed_seq2string_nid == -1)
+                signed_seq2string_nid=
+                        OBJ_create("1.9.9999","OID_example","Our example OID");
+
+        os1=ASN1_OCTET_STRING_new();
+        os2=ASN1_OCTET_STRING_new();
+        ASN1_OCTET_STRING_set(os1,str1,strlen(str1));
+        ASN1_OCTET_STRING_set(os2,str1,strlen(str1));
+        i =i2d_ASN1_OCTET_STRING(os1,NULL);
+        i+=i2d_ASN1_OCTET_STRING(os2,NULL);
+        total=ASN1_object_size(1,i,V_ASN1_SEQUENCE);
+
+        data=malloc(total);
+        p=data;
+        ASN1_put_object(&p,1,i,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);
+        i2d_ASN1_OCTET_STRING(os1,&p);
+        i2d_ASN1_OCTET_STRING(os2,&p);
+
+        seq=ASN1_STRING_new();
+        ASN1_STRING_set(seq,data,total);
+        free(data);
+        ASN1_OCTET_STRING_free(os1);
+        ASN1_OCTET_STRING_free(os2);
+
+        ret=X509_ATTRIBUTE_create(signed_seq2string_nid,
+                V_ASN1_SEQUENCE,(char *)seq);
+        return(ret);
+        }
+
+/* For this case, I will malloc the return strings */
+int sk_get_seq2string(STACK_OF(X509_ATTRIBUTE) *sk, char **str1, char **str2)
+        {
+        ASN1_TYPE *so;
+        PKCS7_SIGNER_INFO si;
+
+        if (signed_seq2string_nid == -1)
+                signed_seq2string_nid=
+                        OBJ_create("1.9.9999","OID_example","Our example OID");
+
+        si.auth_attr=sk;
+        /* To retrieve */
+        so=PKCS7_get_signed_attribute(&si,signed_seq2string_nid);
+        if (so->type == V_ASN1_SEQUENCE)
+                {
+                ASN1_CTX c;
+                ASN1_STRING *s;
+                long length;
+                ASN1_OCTET_STRING *os1,*os2;
+
+                s=so->value.sequence;
+                c.p=ASN1_STRING_data(s);
+                c.max=c.p+ASN1_STRING_length(s);
+                if (!asn1_GetSequence(&c,&length)) goto err;
+                /* Length is the length of the seqence */
+
+                c.q=c.p;
+                if ((os1=d2i_ASN1_OCTET_STRING(NULL,&c.p,c.slen)) == NULL) 
+                        goto err;
+                c.slen-=(c.p-c.q);
+
+                c.q=c.p;
+                if ((os2=d2i_ASN1_OCTET_STRING(NULL,&c.p,c.slen)) == NULL) 
+                        goto err;
+                c.slen-=(c.p-c.q);
+
+                if (!asn1_Finish(&c)) goto err;
+                *str1=malloc(os1->length+1);
+                *str2=malloc(os2->length+1);
+                memcpy(*str1,os1->data,os1->length);
+                memcpy(*str2,os2->data,os2->length);
+                (*str1)[os1->length]='\0';
+                (*str2)[os2->length]='\0';
+                ASN1_OCTET_STRING_free(os1);
+                ASN1_OCTET_STRING_free(os2);
+                return(1);
+                }
+err:
+        return(0);
+        }
+
+
diff --git a/src/lib/libssl/src/crypto/pkcs7/example.h b/src/lib/libssl/src/crypto/pkcs7/example.h
new file mode 100644
index 0000000000..96167de188
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs7/example.h
@@ -0,0 +1,57 @@
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+int add_signed_time(PKCS7_SIGNER_INFO *si);
+ASN1_UTCTIME *get_signed_time(PKCS7_SIGNER_INFO *si);
+int get_signed_seq2string(PKCS7_SIGNER_INFO *si, char **str1, char **str2);
diff --git a/src/lib/libssl/src/crypto/pkcs7/info.pem b/src/lib/libssl/src/crypto/pkcs7/info.pem
new file mode 100644
index 0000000000..989baf8709
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs7/info.pem
@@ -0,0 +1,57 @@
+issuer :/C=AU/SP=Queensland/L=Brisbane/O=Cryptsoft Pty Ltd/OU=DEMONSTRATION AND TESTING/CN=DEMO ZERO VALUE CA
+subject:/C=AU/SP=Queensland/L=Brisbane/O=Cryptsoft Pty Ltd/OU=SMIME 003/CN=Information/Email=info@cryptsoft.com
+serial :047D
+
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1149 (0x47d)
+        Signature Algorithm: md5withRSAEncryption
+        Issuer: C=AU, SP=Queensland, L=Brisbane, O=Cryptsoft Pty Ltd, OU=DEMONSTRATION AND TESTING, CN=DEMO ZERO VALUE CA
+        Validity
+            Not Before: May 13 05:40:58 1998 GMT
+            Not After : May 12 05:40:58 2000 GMT
+        Subject: C=AU, SP=Queensland, L=Brisbane, O=Cryptsoft Pty Ltd, OU=SMIME 003, CN=Information/Email=info@cryptsoft.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Modulus:
+                    00:ad:e7:23:89:ee:0d:87:b7:9c:32:44:4b:95:81:
+                    73:dd:22:80:4b:2d:c5:60:b8:fe:1e:18:63:ef:dc:
+                    89:89:22:df:95:3c:7a:db:3d:9a:06:a8:08:d6:29:
+                    fd:ef:41:09:91:ed:bc:ad:98:f9:f6:28:90:62:6f:
+                    e7:e7:0c:4d:0b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            Netscape Comment: 
+                Generated with SSLeay
+    Signature Algorithm: md5withRSAEncryption
+        52:15:ea:88:f4:f0:f9:0b:ef:ce:d5:f8:83:40:61:16:5e:55:
+        f9:ce:2d:d1:8b:31:5c:03:c6:2d:10:7c:61:d5:5c:0a:42:97:
+        d1:fd:65:b6:b6:84:a5:39:ec:46:ec:fc:e0:0d:d9:22:da:1b:
+        50:74:ad:92:cb:4e:90:e5:fa:7d
+
+-----BEGIN CERTIFICATE-----
+MIICTDCCAfagAwIBAgICBH0wDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAkFV
+MRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UE
+ChMRQ3J5cHRzb2Z0IFB0eSBMdGQxIjAgBgNVBAsTGURFTU9OU1RSQVRJT04gQU5E
+IFRFU1RJTkcxGzAZBgNVBAMTEkRFTU8gWkVSTyBWQUxVRSBDQTAeFw05ODA1MTMw
+NTQwNThaFw0wMDA1MTIwNTQwNThaMIGeMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
+UXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
+dCBQdHkgTHRkMRIwEAYDVQQLEwlTTUlNRSAwMDMxFDASBgNVBAMTC0luZm9ybWF0
+aW9uMSEwHwYJKoZIhvcNAQkBFhJpbmZvQGNyeXB0c29mdC5jb20wXDANBgkqhkiG
+9w0BAQEFAANLADBIAkEArecjie4Nh7ecMkRLlYFz3SKASy3FYLj+Hhhj79yJiSLf
+lTx62z2aBqgI1in970EJke28rZj59iiQYm/n5wxNCwIDAQABoygwJjAkBglghkgB
+hvhCAQ0EFxYVR2VuZXJhdGVkIHdpdGggU1NMZWF5MA0GCSqGSIb3DQEBBAUAA0EA
+UhXqiPTw+QvvztX4g0BhFl5V+c4t0YsxXAPGLRB8YdVcCkKX0f1ltraEpTnsRuz8
+4A3ZItobUHStkstOkOX6fQ==
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOgIBAAJBAK3nI4nuDYe3nDJES5WBc90igEstxWC4/h4YY+/ciYki35U8ets9
+mgaoCNYp/e9BCZHtvK2Y+fYokGJv5+cMTQsCAwEAAQJBAIHpvXvqEcOEoDRRHuIG
+fkcB4jPHcr9KE9TpxabH6xs9beN6OJnkePXAHwaz5MnUgSnbpOKq+cw8miKjXwe/
+zVECIQDVLwncT2lRmXarEYHzb+q/0uaSvKhWKKt3kJasLNTrAwIhANDUc/ghut29
+p3jJYjurzUKuG774/5eLjPLsxPPIZzNZAiA/10hSq41UnGqHLEUIS9m2/EeEZe7b
+bm567dfRU9OnVQIgDo8ROrZXSchEGbaog5J5r/Fle83uO8l93R3GqVxKXZkCIFfk
+IPD5PIYQAyyod3hyKKza7ZP4CGY4oOfZetbkSGGG
+-----END RSA PRIVATE KEY-----
diff --git a/src/lib/libssl/src/crypto/pkcs7/infokey.pem b/src/lib/libssl/src/crypto/pkcs7/infokey.pem
new file mode 100644
index 0000000000..1e2acc954d
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs7/infokey.pem
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOgIBAAJBAK3nI4nuDYe3nDJES5WBc90igEstxWC4/h4YY+/ciYki35U8ets9
+mgaoCNYp/e9BCZHtvK2Y+fYokGJv5+cMTQsCAwEAAQJBAIHpvXvqEcOEoDRRHuIG
+fkcB4jPHcr9KE9TpxabH6xs9beN6OJnkePXAHwaz5MnUgSnbpOKq+cw8miKjXwe/
+zVECIQDVLwncT2lRmXarEYHzb+q/0uaSvKhWKKt3kJasLNTrAwIhANDUc/ghut29
+p3jJYjurzUKuG774/5eLjPLsxPPIZzNZAiA/10hSq41UnGqHLEUIS9m2/EeEZe7b
+bm567dfRU9OnVQIgDo8ROrZXSchEGbaog5J5r/Fle83uO8l93R3GqVxKXZkCIFfk
+IPD5PIYQAyyod3hyKKza7ZP4CGY4oOfZetbkSGGG
+-----END RSA PRIVATE KEY-----
diff --git a/src/lib/libssl/src/crypto/pkcs7/pk7_asn1.c b/src/lib/libssl/src/crypto/pkcs7/pk7_asn1.c
new file mode 100644
index 0000000000..46f0fc9375
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs7/pk7_asn1.c
@@ -0,0 +1,213 @@
+/* pk7_asn.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1t.h>
+#include <openssl/pkcs7.h>
+#include <openssl/x509.h>
+
+/* PKCS#7 ASN1 module */
+
+/* This is the ANY DEFINED BY table for the top level PKCS#7 structure */
+
+ASN1_ADB_TEMPLATE(p7default) = ASN1_EXP_OPT(PKCS7, d.other, ASN1_ANY, 0);
+
+ASN1_ADB(PKCS7) = {
+        ADB_ENTRY(NID_pkcs7_data, ASN1_EXP_OPT(PKCS7, d.data, ASN1_OCTET_STRING, 0)),
+        ADB_ENTRY(NID_pkcs7_signed, ASN1_EXP_OPT(PKCS7, d.sign, PKCS7_SIGNED, 0)),
+        ADB_ENTRY(NID_pkcs7_enveloped, ASN1_EXP_OPT(PKCS7, d.enveloped, PKCS7_ENVELOPE, 0)),
+        ADB_ENTRY(NID_pkcs7_signedAndEnveloped, ASN1_EXP_OPT(PKCS7, d.signed_and_enveloped, PKCS7_SIGN_ENVELOPE, 0)),
+        ADB_ENTRY(NID_pkcs7_digest, ASN1_EXP_OPT(PKCS7, d.digest, PKCS7_DIGEST, 0)),
+        ADB_ENTRY(NID_pkcs7_encrypted, ASN1_EXP_OPT(PKCS7, d.encrypted, PKCS7_ENCRYPT, 0))
+} ASN1_ADB_END(PKCS7, 0, type, 0, &p7default_tt, NULL);
+
+ASN1_SEQUENCE(PKCS7) = {
+        ASN1_SIMPLE(PKCS7, type, ASN1_OBJECT),
+        ASN1_ADB_OBJECT(PKCS7)
+}ASN1_SEQUENCE_END(PKCS7)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7)
+IMPLEMENT_ASN1_DUP_FUNCTION(PKCS7)
+
+ASN1_SEQUENCE(PKCS7_SIGNED) = {
+        ASN1_SIMPLE(PKCS7_SIGNED, version, ASN1_INTEGER),
+        ASN1_SET_OF(PKCS7_SIGNED, md_algs, X509_ALGOR),
+        ASN1_SIMPLE(PKCS7_SIGNED, contents, PKCS7),
+        ASN1_IMP_SEQUENCE_OF_OPT(PKCS7_SIGNED, cert, X509, 0),
+        ASN1_IMP_SET_OF_OPT(PKCS7_SIGNED, crl, X509_CRL, 1),
+        ASN1_SET_OF(PKCS7_SIGNED, signer_info, PKCS7_SIGNER_INFO)
+} ASN1_SEQUENCE_END(PKCS7_SIGNED)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7_SIGNED)
+
+/* Minor tweak to operation: free up EVP_PKEY */
+static int si_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        if(operation == ASN1_OP_FREE_POST) {
+                PKCS7_SIGNER_INFO *si = (PKCS7_SIGNER_INFO *)*pval;
+                EVP_PKEY_free(si->pkey);
+        }
+        return 1;
+}
+
+ASN1_SEQUENCE_cb(PKCS7_SIGNER_INFO, si_cb) = {
+        ASN1_SIMPLE(PKCS7_SIGNER_INFO, version, ASN1_INTEGER),
+        ASN1_SIMPLE(PKCS7_SIGNER_INFO, issuer_and_serial, PKCS7_ISSUER_AND_SERIAL),
+        ASN1_SIMPLE(PKCS7_SIGNER_INFO, digest_alg, X509_ALGOR),
+        /* NB this should be a SET OF but we use a SEQUENCE OF so the
+         * original order * is retained when the structure is reencoded.
+         * Since the attributes are implicitly tagged this will not affect
+         * the encoding.
+         */
+        ASN1_IMP_SEQUENCE_OF_OPT(PKCS7_SIGNER_INFO, auth_attr, X509_ATTRIBUTE, 0),
+        ASN1_SIMPLE(PKCS7_SIGNER_INFO, digest_enc_alg, X509_ALGOR),
+        ASN1_SIMPLE(PKCS7_SIGNER_INFO, enc_digest, ASN1_OCTET_STRING),
+        ASN1_IMP_SET_OF_OPT(PKCS7_SIGNER_INFO, unauth_attr, X509_ATTRIBUTE, 1)
+} ASN1_SEQUENCE_END_cb(PKCS7_SIGNER_INFO, PKCS7_SIGNER_INFO)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7_SIGNER_INFO)
+
+ASN1_SEQUENCE(PKCS7_ISSUER_AND_SERIAL) = {
+        ASN1_SIMPLE(PKCS7_ISSUER_AND_SERIAL, issuer, X509_NAME),
+        ASN1_SIMPLE(PKCS7_ISSUER_AND_SERIAL, serial, ASN1_INTEGER)
+} ASN1_SEQUENCE_END(PKCS7_ISSUER_AND_SERIAL)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7_ISSUER_AND_SERIAL)
+
+ASN1_SEQUENCE(PKCS7_ENVELOPE) = {
+        ASN1_SIMPLE(PKCS7_ENVELOPE, version, ASN1_INTEGER),
+        ASN1_SET_OF(PKCS7_ENVELOPE, recipientinfo, PKCS7_RECIP_INFO),
+        ASN1_SIMPLE(PKCS7_ENVELOPE, enc_data, PKCS7_ENC_CONTENT)
+} ASN1_SEQUENCE_END(PKCS7_ENVELOPE)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7_ENVELOPE)
+
+/* Minor tweak to operation: free up X509 */
+static int ri_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        if(operation == ASN1_OP_FREE_POST) {
+                PKCS7_RECIP_INFO *ri = (PKCS7_RECIP_INFO *)*pval;
+                X509_free(ri->cert);
+        }
+        return 1;
+}
+
+ASN1_SEQUENCE_cb(PKCS7_RECIP_INFO, ri_cb) = {
+        ASN1_SIMPLE(PKCS7_RECIP_INFO, version, ASN1_INTEGER),
+        ASN1_SIMPLE(PKCS7_RECIP_INFO, issuer_and_serial, PKCS7_ISSUER_AND_SERIAL),
+        ASN1_SIMPLE(PKCS7_RECIP_INFO, key_enc_algor, X509_ALGOR),
+        ASN1_SIMPLE(PKCS7_RECIP_INFO, enc_key, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END_cb(PKCS7_RECIP_INFO, PKCS7_RECIP_INFO)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7_RECIP_INFO)
+
+ASN1_SEQUENCE(PKCS7_ENC_CONTENT) = {
+        ASN1_SIMPLE(PKCS7_ENC_CONTENT, content_type, ASN1_OBJECT),
+        ASN1_SIMPLE(PKCS7_ENC_CONTENT, algorithm, X509_ALGOR),
+        ASN1_IMP_OPT(PKCS7_ENC_CONTENT, enc_data, ASN1_OCTET_STRING, 0)
+} ASN1_SEQUENCE_END(PKCS7_ENC_CONTENT)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7_ENC_CONTENT)
+
+ASN1_SEQUENCE(PKCS7_SIGN_ENVELOPE) = {
+        ASN1_SIMPLE(PKCS7_SIGN_ENVELOPE, version, ASN1_INTEGER),
+        ASN1_SET_OF(PKCS7_SIGN_ENVELOPE, recipientinfo, PKCS7_RECIP_INFO),
+        ASN1_SET_OF(PKCS7_SIGN_ENVELOPE, md_algs, X509_ALGOR),
+        ASN1_SIMPLE(PKCS7_SIGN_ENVELOPE, enc_data, PKCS7_ENC_CONTENT),
+        ASN1_IMP_SET_OF_OPT(PKCS7_SIGN_ENVELOPE, cert, X509, 0),
+        ASN1_IMP_SET_OF_OPT(PKCS7_SIGN_ENVELOPE, crl, X509_CRL, 1),
+        ASN1_SET_OF(PKCS7_SIGN_ENVELOPE, signer_info, PKCS7_SIGNER_INFO)
+} ASN1_SEQUENCE_END(PKCS7_SIGN_ENVELOPE)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7_SIGN_ENVELOPE)
+
+ASN1_SEQUENCE(PKCS7_ENCRYPT) = {
+        ASN1_SIMPLE(PKCS7_ENCRYPT, version, ASN1_INTEGER),
+        ASN1_SIMPLE(PKCS7_ENCRYPT, enc_data, PKCS7_ENC_CONTENT)
+} ASN1_SEQUENCE_END(PKCS7_ENCRYPT)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7_ENCRYPT)
+
+ASN1_SEQUENCE(PKCS7_DIGEST) = {
+        ASN1_SIMPLE(PKCS7_DIGEST, version, ASN1_INTEGER),
+        ASN1_SIMPLE(PKCS7_DIGEST, md, X509_ALGOR),
+        ASN1_SIMPLE(PKCS7_DIGEST, contents, PKCS7),
+        ASN1_SIMPLE(PKCS7_DIGEST, digest, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END(PKCS7_DIGEST)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7_DIGEST)
+
+/* Specials for authenticated attributes */
+
+/* When signing attributes we want to reorder them to match the sorted
+ * encoding.
+ */
+
+ASN1_ITEM_TEMPLATE(PKCS7_ATTR_SIGN) = 
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SET_ORDER, 0, PKCS7_ATTRIBUTES, X509_ATTRIBUTE)
+ASN1_ITEM_TEMPLATE_END(PKCS7_ATTR_SIGN)
+
+/* When verifying attributes we need to use the received order. So 
+ * we use SEQUENCE OF and tag it to SET OF
+ */
+
+ASN1_ITEM_TEMPLATE(PKCS7_ATTR_VERIFY) = 
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_IMPTAG | ASN1_TFLG_UNIVERSAL,
+                                V_ASN1_SET, PKCS7_ATTRIBUTES, X509_ATTRIBUTE)
+ASN1_ITEM_TEMPLATE_END(PKCS7_ATTR_VERIFY)
diff --git a/src/lib/libssl/src/crypto/pkcs7/pk7_attr.c b/src/lib/libssl/src/crypto/pkcs7/pk7_attr.c
new file mode 100644
index 0000000000..3b9c0fe3f2
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs7/pk7_attr.c
@@ -0,0 +1,85 @@
+/* pk7_attr.c */
+/* S/MIME code.
+ * Copyright (C) 1997-8 Dr S N Henson (shenson@bigfoot.com) 
+ * All Rights Reserved. 
+ * Redistribution of this code without the authors permission is expressly
+ * prohibited.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/bio.h>
+#include <openssl/asn1.h>
+#include <openssl/pem.h>
+#include <openssl/pkcs7.h>
+#include <openssl/err.h>
+
+int PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si, STACK *cap)
+{
+        ASN1_STRING *seq;
+        unsigned char *p, *pp;
+        int len;
+        len=i2d_ASN1_SET(cap,NULL,i2d_X509_ALGOR, V_ASN1_SEQUENCE,
+                                                V_ASN1_UNIVERSAL, IS_SEQUENCE);
+        if(!(pp=(unsigned char *)Malloc(len))) {
+                PKCS7err(PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        p=pp;
+        i2d_ASN1_SET(cap,&p,i2d_X509_ALGOR, V_ASN1_SEQUENCE,
+                                                V_ASN1_UNIVERSAL, IS_SEQUENCE);
+        if(!(seq = ASN1_STRING_new())) {
+                PKCS7err(PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        if(!ASN1_STRING_set (seq, pp, len)) {
+                PKCS7err(PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        Free (pp);
+        return PKCS7_add_signed_attribute(si, NID_SMIMECapabilities,
+                                                        V_ASN1_SEQUENCE, seq);
+}
+
+STACK *PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si)
+{
+        ASN1_TYPE *cap;
+        unsigned char *p;
+        cap = PKCS7_get_signed_attribute(si, NID_SMIMECapabilities);
+        if (!cap) return NULL;
+        p = cap->value.sequence->data;
+        return d2i_ASN1_SET (NULL, &p, cap->value.sequence->length, 
+                (char *(*)())d2i_X509_ALGOR, X509_ALGOR_free, V_ASN1_SEQUENCE,
+                                                         V_ASN1_UNIVERSAL);
+}
+
+/* Basic smime-capabilities OID and optional integer arg */
+int PKCS7_simple_smimecap(STACK *sk, int nid, int arg)
+{
+        X509_ALGOR *alg;
+        if(!(alg = X509_ALGOR_new())) {
+                PKCS7err(PKCS7_F_PKCS7_SIMPLE_SMIMECAP,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        ASN1_OBJECT_free(alg->algorithm);
+        alg->algorithm = OBJ_nid2obj (nid);
+        if (arg > 0) {
+                ASN1_INTEGER *nbit;
+                if(!(alg->parameter = ASN1_TYPE_new())) {
+                        PKCS7err(PKCS7_F_PKCS7_SIMPLE_SMIMECAP,ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+                if(!(nbit = ASN1_INTEGER_new())) {
+                        PKCS7err(PKCS7_F_PKCS7_SIMPLE_SMIMECAP,ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+                if(!ASN1_INTEGER_set (nbit, arg)) {
+                        PKCS7err(PKCS7_F_PKCS7_SIMPLE_SMIMECAP,ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+                alg->parameter->value.integer = nbit;
+                alg->parameter->type = V_ASN1_INTEGER;
+        }
+        sk_push (sk, (char *)alg);
+        return 1;
+}
diff --git a/src/lib/libssl/src/crypto/pkcs7/pk7_mime.c b/src/lib/libssl/src/crypto/pkcs7/pk7_mime.c
new file mode 100644
index 0000000000..734643be28
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs7/pk7_mime.c
@@ -0,0 +1,673 @@
+/* pk7_mime.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <ctype.h>
+#include "cryptlib.h"
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+
+/* MIME and related routines */
+
+/* MIME format structures
+ * Note that all are translated to lower case apart from
+ * parameter values. Quotes are stripped off
+ */
+
+typedef struct {
+char *name;                             /* Name of line e.g. "content-type" */
+char *value;                            /* Value of line e.g. "text/plain" */
+STACK /* MIME_PARAM */ *params;         /* Zero or more parameters */
+} MIME_HEADER;
+
+typedef struct {
+char *param_name;                       /* Param name e.g. "micalg" */
+char *param_value;                      /* Param value e.g. "sha1" */
+} MIME_PARAM;
+
+
+static int B64_write_PKCS7(BIO *bio, PKCS7 *p7);
+static PKCS7 *B64_read_PKCS7(BIO *bio);
+static char * strip_ends(char *name);
+static char * strip_start(char *name);
+static char * strip_end(char *name);
+static MIME_HEADER *mime_hdr_new(char *name, char *value);
+static int mime_hdr_addparam(MIME_HEADER *mhdr, char *name, char *value);
+static STACK *mime_parse_hdr(BIO *bio);
+static int mime_hdr_cmp(MIME_HEADER **a, MIME_HEADER **b);
+static int mime_param_cmp(MIME_PARAM **a, MIME_PARAM **b);
+static void mime_param_free(MIME_PARAM *param);
+static int mime_bound_check(char *line, int linelen, char *bound, int blen);
+static int multi_split(BIO *bio, char *bound, STACK **ret);
+static int iscrlf(char c);
+static MIME_HEADER *mime_hdr_find(STACK *hdrs, char *name);
+static MIME_PARAM *mime_param_find(MIME_HEADER *hdr, char *name);
+static void mime_hdr_free(MIME_HEADER *hdr);
+
+#define MAX_SMLEN 1024
+#define mime_debug(x) /* x */
+
+
+typedef void (*stkfree)();
+
+/* Base 64 read and write of PKCS#7 structure */
+
+static int B64_write_PKCS7(BIO *bio, PKCS7 *p7)
+{
+        BIO *b64;
+        if(!(b64 = BIO_new(BIO_f_base64()))) {
+                PKCS7err(PKCS7_F_B64_WRITE_PKCS7,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        bio = BIO_push(b64, bio);
+        i2d_PKCS7_bio(bio, p7);
+        BIO_flush(bio);
+        bio = BIO_pop(bio);
+        BIO_free(b64);
+        return 1;
+}
+
+static PKCS7 *B64_read_PKCS7(BIO *bio)
+{
+        BIO *b64;
+        PKCS7 *p7;
+        if(!(b64 = BIO_new(BIO_f_base64()))) {
+                PKCS7err(PKCS7_F_B64_READ_PKCS7,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        bio = BIO_push(b64, bio);
+        if(!(p7 = d2i_PKCS7_bio(bio, NULL))) 
+                PKCS7err(PKCS7_F_B64_READ_PKCS7,PKCS7_R_DECODE_ERROR);
+        BIO_flush(bio);
+        bio = BIO_pop(bio);
+        BIO_free(b64);
+        return p7;
+}
+
+/* SMIME sender */
+
+int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
+{
+        char linebuf[MAX_SMLEN];
+        char bound[33], c;
+        int i;
+        if((flags & PKCS7_DETACHED) && data) {
+        /* We want multipart/signed */
+                /* Generate a random boundary */
+                RAND_pseudo_bytes((unsigned char *)bound, 32);
+                for(i = 0; i < 32; i++) {
+                        c = bound[i] & 0xf;
+                        if(c < 10) c += '0';
+                        else c += 'A' - 10;
+                        bound[i] = c;
+                }
+                bound[32] = 0;
+                BIO_printf(bio, "MIME-Version: 1.0\n");
+                BIO_printf(bio, "Content-Type: multipart/signed ; ");
+                BIO_printf(bio, "protocol=\"application/x-pkcs7-signature\" ; ");
+                BIO_printf(bio, "micalg=sha1 ; boundary=\"----%s\"\n\n", bound);
+                BIO_printf(bio, "This is an S/MIME signed message\n\n");
+                /* Now write out the first part */
+                BIO_printf(bio, "------%s\r\n", bound);
+                if(flags & PKCS7_TEXT) BIO_printf(bio, "Content-Type: text/plain\n\n");
+                while((i = BIO_read(data, linebuf, MAX_SMLEN)) > 0) 
+                                                BIO_write(bio, linebuf, i);
+                BIO_printf(bio, "\n------%s\n", bound);
+
+                /* Headers for signature */
+
+                BIO_printf(bio, "Content-Type: application/x-pkcs7-signature; name=\"smime.p7s\"\n");
+                BIO_printf(bio, "Content-Transfer-Encoding: base64\n");
+                BIO_printf(bio, "Content-Disposition: attachment; filename=\"smime.p7s\"\n\n");
+                B64_write_PKCS7(bio, p7);
+                BIO_printf(bio,"\n------%s--\n\n", bound);
+                return 1;
+        }
+        /* MIME headers */
+        BIO_printf(bio, "MIME-Version: 1.0\n");
+        BIO_printf(bio, "Content-Disposition: attachment; filename=\"smime.p7m\"\n");
+        BIO_printf(bio, "Content-Type: application/x-pkcs7-mime; name=\"smime.p7m\"\n");
+        BIO_printf(bio, "Content-Transfer-Encoding: base64\n\n");
+        B64_write_PKCS7(bio, p7);
+        BIO_printf(bio, "\n");
+        return 1;
+}
+
+/* SMIME reader: handle multipart/signed and opaque signing.
+ * in multipart case the content is placed in a memory BIO
+ * pointed to by "bcont". In opaque this is set to NULL
+ */
+
+PKCS7 *SMIME_read_PKCS7(BIO *bio, BIO **bcont)
+{
+        BIO *p7in;
+        STACK *headers = NULL;
+        STACK *parts = NULL;
+        MIME_HEADER *hdr;
+        MIME_PARAM *prm;
+        PKCS7 *p7;
+        int ret;
+
+        if(bcont) *bcont = NULL;
+
+        if (!(headers = mime_parse_hdr(bio))) {
+                PKCS7err(PKCS7_F_SMIME_READ_PKCS7,PKCS7_R_MIME_PARSE_ERROR);
+                return NULL;
+        }
+
+        if(!(hdr = mime_hdr_find(headers, "content-type")) || !hdr->value) {
+                sk_pop_free(headers, mime_hdr_free);
+                PKCS7err(PKCS7_F_SMIME_READ_PKCS7, PKCS7_R_NO_CONTENT_TYPE);
+                return NULL;
+        }
+
+        /* Handle multipart/signed */
+
+        if(!strcmp(hdr->value, "multipart/signed")) {
+                /* Split into two parts */
+                prm = mime_param_find(hdr, "boundary");
+                if(!prm || !prm->param_value) {
+                        sk_pop_free(headers, mime_hdr_free);
+                        PKCS7err(PKCS7_F_SMIME_READ_PKCS7, PKCS7_R_NO_MULTIPART_BOUNDARY);
+                        return NULL;
+                }
+                ret = multi_split(bio, prm->param_value, &parts);
+                sk_pop_free(headers, mime_hdr_free);
+                if(!ret || (sk_num(parts) != 2) ) {
+                        PKCS7err(PKCS7_F_SMIME_READ_PKCS7, PKCS7_R_NO_MULTIPART_BODY_FAILURE);
+                        sk_pop_free(parts, (stkfree)BIO_free);
+                        return NULL;
+                }
+
+                /* Parse the signature piece */
+                p7in = (BIO *)sk_value(parts, 1);
+
+                if (!(headers = mime_parse_hdr(p7in))) {
+                        PKCS7err(PKCS7_F_SMIME_READ_PKCS7,PKCS7_R_MIME_SIG_PARSE_ERROR);
+                        sk_pop_free(parts, (stkfree)BIO_free);
+                        return NULL;
+                }
+
+                /* Get content type */
+
+                if(!(hdr = mime_hdr_find(headers, "content-type")) ||
+                                                                 !hdr->value) {
+                        sk_pop_free(headers, mime_hdr_free);
+                        PKCS7err(PKCS7_F_SMIME_READ_PKCS7, PKCS7_R_NO_SIG_CONTENT_TYPE);
+                        return NULL;
+                }
+
+                if(strcmp(hdr->value, "application/x-pkcs7-signature") &&
+                        strcmp(hdr->value, "application/pkcs7-signature")) {
+                        sk_pop_free(headers, mime_hdr_free);
+                        PKCS7err(PKCS7_F_SMIME_READ_PKCS7,PKCS7_R_SIG_INVALID_MIME_TYPE);
+                        ERR_add_error_data(2, "type: ", hdr->value);
+                        sk_pop_free(parts, (stkfree)BIO_free);
+                        return NULL;
+                }
+                sk_pop_free(headers, mime_hdr_free);
+                /* Read in PKCS#7 */
+                if(!(p7 = B64_read_PKCS7(p7in))) {
+                        PKCS7err(PKCS7_F_SMIME_READ_PKCS7,PKCS7_R_PKCS7_SIG_PARSE_ERROR);
+                        sk_pop_free(parts, (stkfree)BIO_free);
+                        return NULL;
+                }
+
+                if(bcont) {
+                        *bcont = (BIO *)sk_value(parts, 0);
+                        BIO_free(p7in);
+                        sk_free(parts);
+                } else sk_pop_free(parts, (stkfree)BIO_free);
+                return p7;
+        }
+                
+        /* OK, if not multipart/signed try opaque signature */
+
+        if (strcmp (hdr->value, "application/x-pkcs7-mime") &&
+            strcmp (hdr->value, "application/pkcs7-mime")) {
+                PKCS7err(PKCS7_F_SMIME_READ_PKCS7,PKCS7_R_INVALID_MIME_TYPE);
+                ERR_add_error_data(2, "type: ", hdr->value);
+                sk_pop_free(headers, mime_hdr_free);
+                return NULL;
+        }
+
+        sk_pop_free(headers, mime_hdr_free);
+        
+        if(!(p7 = B64_read_PKCS7(bio))) {
+                PKCS7err(PKCS7_F_SMIME_READ_PKCS7, PKCS7_R_PKCS7_PARSE_ERROR);
+                return NULL;
+        }
+        return p7;
+
+}
+
+/* Copy text from one BIO to another making the output CRLF at EOL */
+int SMIME_crlf_copy(BIO *in, BIO *out, int flags)
+{
+        char eol;
+        int len;
+        char linebuf[MAX_SMLEN];
+        if(flags & PKCS7_BINARY) {
+                while((len = BIO_read(in, linebuf, MAX_SMLEN)) > 0)
+                                                BIO_write(out, linebuf, len);
+                return 1;
+        }
+        if(flags & PKCS7_TEXT) BIO_printf(out, "Content-Type: text/plain\r\n\r\n");
+        while ((len = BIO_gets(in, linebuf, MAX_SMLEN)) > 0) {
+                eol = 0;
+                while(iscrlf(linebuf[len - 1])) {
+                        len--;
+                        eol = 1;
+                }       
+                BIO_write(out, linebuf, len);
+                if(eol) BIO_write(out, "\r\n", 2);
+        }
+        return 1;
+}
+
+/* Strip off headers if they are text/plain */
+int SMIME_text(BIO *in, BIO *out)
+{
+        char iobuf[4096];
+        int len;
+        STACK *headers;
+        MIME_HEADER *hdr;
+        if (!(headers = mime_parse_hdr(in))) {
+                PKCS7err(PKCS7_F_SMIME_TEXT,PKCS7_R_MIME_PARSE_ERROR);
+                return 0;
+        }
+        if(!(hdr = mime_hdr_find(headers, "content-type")) || !hdr->value) {
+                PKCS7err(PKCS7_F_SMIME_TEXT,PKCS7_R_MIME_NO_CONTENT_TYPE);
+                sk_pop_free(headers, mime_hdr_free);
+                return 0;
+        }
+        if (strcmp (hdr->value, "text/plain")) {
+                PKCS7err(PKCS7_F_SMIME_TEXT,PKCS7_R_INVALID_MIME_TYPE);
+                ERR_add_error_data(2, "type: ", hdr->value);
+                sk_pop_free(headers, mime_hdr_free);
+                return 0;
+        }
+        sk_pop_free(headers, mime_hdr_free);
+        while ((len = BIO_read(in, iobuf, sizeof(iobuf))) > 0)
+                                                BIO_write(out, iobuf, len);
+        return 1;
+}
+
+/* Split a multipart/XXX message body into component parts: result is
+ * canonical parts in a STACK of bios
+ */
+
+static int multi_split(BIO *bio, char *bound, STACK **ret)
+{
+        char linebuf[MAX_SMLEN];
+        int len, blen;
+        BIO *bpart = NULL;
+        STACK *parts;
+        char state, part, first;
+        blen = strlen(bound);
+        part = 0;
+        state = 0;
+        first = 1;
+        parts = sk_new(NULL);
+        *ret = parts;
+        while ((len = BIO_gets(bio, linebuf, MAX_SMLEN)) > 0) {
+                state = mime_bound_check(linebuf, len, bound, blen);
+                if(state == 1) {
+                        first = 1;
+                        part++;
+                } else if(state == 2) {
+                        sk_push(parts, (char *)bpart);
+                        return 1;
+                } else if(part) {
+                        if(first) {
+                                first = 0;
+                                if(bpart) sk_push(parts, (char *)bpart);
+                                bpart = BIO_new(BIO_s_mem());
+                                
+                        } else BIO_write(bpart, "\r\n", 2);
+                        /* Strip CR+LF from linebuf */
+                        while(iscrlf(linebuf[len - 1])) len--;
+                        BIO_write(bpart, linebuf, len);
+                }
+        }
+        return 0;
+}
+
+static int iscrlf(char c)
+{
+        if(c == '\r' || c == '\n') return 1;
+        return 0;
+}
+
+/* This is the big one: parse MIME header lines up to message body */
+
+#define MIME_INVALID    0
+#define MIME_START      1
+#define MIME_TYPE       2
+#define MIME_NAME       3
+#define MIME_VALUE      4
+#define MIME_QUOTE      5
+#define MIME_COMMENT    6
+
+
+static STACK *mime_parse_hdr(BIO *bio)
+{
+        char *p, *q, c;
+        char *ntmp;
+        char linebuf[MAX_SMLEN];
+        MIME_HEADER *mhdr = NULL;
+        STACK *headers;
+        int len, state, save_state = 0;
+        headers = sk_new(mime_hdr_cmp);
+        while ((len = BIO_gets(bio, linebuf, MAX_SMLEN)) > 0) {
+        /* If whitespace at line start then continuation line */
+        if(mhdr && isspace((unsigned char)linebuf[0])) state = MIME_NAME;
+        else state = MIME_START;
+        ntmp = NULL;
+        /* Go through all characters */
+        for(p = linebuf, q = linebuf; (c = *p) && (c!='\r') && (c!='\n'); p++) {
+
+        /* State machine to handle MIME headers
+         * if this looks horrible that's because it *is*
+         */
+
+                switch(state) {
+                        case MIME_START:
+                        if(c == ':') {
+                                state = MIME_TYPE;
+                                *p = 0;
+                                ntmp = strip_ends(q);
+                                q = p + 1;
+                        }
+                        break;
+
+                        case MIME_TYPE:
+                        if(c == ';') {
+                                mime_debug("Found End Value\n");
+                                *p = 0;
+                                mhdr = mime_hdr_new(ntmp, strip_ends(q));
+                                sk_push(headers, (char *)mhdr);
+                                ntmp = NULL;
+                                q = p + 1;
+                                state = MIME_NAME;
+                        } else if(c == '(') {
+                                save_state = state;
+                                state = MIME_COMMENT;
+                        }
+                        break;
+
+                        case MIME_COMMENT:
+                        if(c == ')') {
+                                state = save_state;
+                        }
+                        break;
+
+                        case MIME_NAME:
+                        if(c == '=') {
+                                state = MIME_VALUE;
+                                *p = 0;
+                                ntmp = strip_ends(q);
+                                q = p + 1;
+                        }
+                        break ;
+
+                        case MIME_VALUE:
+                        if(c == ';') {
+                                state = MIME_NAME;
+                                *p = 0;
+                                mime_hdr_addparam(mhdr, ntmp, strip_ends(q));
+                                ntmp = NULL;
+                                q = p + 1;
+                        } else if (c == '"') {
+                                mime_debug("Found Quote\n");
+                                state = MIME_QUOTE;
+                        } else if(c == '(') {
+                                save_state = state;
+                                state = MIME_COMMENT;
+                        }
+                        break;
+
+                        case MIME_QUOTE:
+                        if(c == '"') {
+                                mime_debug("Found Match Quote\n");
+                                state = MIME_VALUE;
+                        }
+                        break;
+                }
+        }
+
+        if(state == MIME_TYPE) {
+                mhdr = mime_hdr_new(ntmp, strip_ends(q));
+                sk_push(headers, (char *)mhdr);
+        } else if(state == MIME_VALUE)
+                         mime_hdr_addparam(mhdr, ntmp, strip_ends(q));
+        if(p == linebuf) break; /* Blank line means end of headers */
+}
+
+return headers;
+
+}
+
+static char *strip_ends(char *name)
+{
+        return strip_end(strip_start(name));
+}
+
+/* Strip a parameter of whitespace from start of param */
+static char *strip_start(char *name)
+{
+        char *p, c;
+        /* Look for first non white space or quote */
+        for(p = name; (c = *p) ;p++) {
+                if(c == '"') {
+                        /* Next char is start of string if non null */
+                        if(p[1]) return p + 1;
+                        /* Else null string */
+                        return NULL;
+                }
+                if(!isspace((unsigned char)c)) return p;
+        }
+        return NULL;
+}
+
+/* As above but strip from end of string : maybe should handle brackets? */
+static char *strip_end(char *name)
+{
+        char *p, c;
+        if(!name) return NULL;
+        /* Look for first non white space or quote */
+        for(p = name + strlen(name) - 1; p >= name ;p--) {
+                c = *p;
+                if(c == '"') {
+                        if(p - 1 == name) return NULL;
+                        *p = 0;
+                        return name;
+                }
+                if(isspace((unsigned char)c)) *p = 0;   
+                else return name;
+        }
+        return NULL;
+}
+
+static MIME_HEADER *mime_hdr_new(char *name, char *value)
+{
+        MIME_HEADER *mhdr;
+        char *tmpname, *tmpval, *p;
+        int c;
+        if(name) {
+                if(!(tmpname = BUF_strdup(name))) return NULL;
+                for(p = tmpname ; *p; p++) {
+                        c = *p;
+                        if(isupper(c)) {
+                                c = tolower(c);
+                                *p = c;
+                        }
+                }
+        } else tmpname = NULL;
+        if(value) {
+                if(!(tmpval = BUF_strdup(value))) return NULL;
+                for(p = tmpval ; *p; p++) {
+                        c = *p;
+                        if(isupper(c)) {
+                                c = tolower(c);
+                                *p = c;
+                        }
+                }
+        } else tmpval = NULL;
+        mhdr = (MIME_HEADER *) Malloc(sizeof(MIME_HEADER));
+        if(!mhdr) return NULL;
+        mhdr->name = tmpname;
+        mhdr->value = tmpval;
+        if(!(mhdr->params = sk_new(mime_param_cmp))) return NULL;
+        return mhdr;
+}
+                
+static int mime_hdr_addparam(MIME_HEADER *mhdr, char *name, char *value)
+{
+        char *tmpname, *tmpval, *p;
+        int c;
+        MIME_PARAM *mparam;
+        if(name) {
+                tmpname = BUF_strdup(name);
+                if(!tmpname) return 0;
+                for(p = tmpname ; *p; p++) {
+                        c = *p;
+                        if(isupper(c)) {
+                                c = tolower(c);
+                                *p = c;
+                        }
+                }
+        } else tmpname = NULL;
+        if(value) {
+                tmpval = BUF_strdup(value);
+                if(!tmpval) return 0;
+        } else tmpval = NULL;
+        /* Parameter values are case sensitive so leave as is */
+        mparam = (MIME_PARAM *) Malloc(sizeof(MIME_PARAM));
+        if(!mparam) return 0;
+        mparam->param_name = tmpname;
+        mparam->param_value = tmpval;
+        sk_push(mhdr->params, (char *)mparam);
+        return 1;
+}
+
+static int mime_hdr_cmp(MIME_HEADER **a, MIME_HEADER **b)
+{
+        return(strcmp((*a)->name, (*b)->name));
+}
+
+static int mime_param_cmp(MIME_PARAM **a, MIME_PARAM **b)
+{
+        return(strcmp((*a)->param_name, (*b)->param_name));
+}
+
+/* Find a header with a given name (if possible) */
+
+static MIME_HEADER *mime_hdr_find(STACK *hdrs, char *name)
+{
+        MIME_HEADER htmp;
+        int idx;
+        htmp.name = name;
+        idx = sk_find(hdrs, (char *)&htmp);
+        if(idx < 0) return NULL;
+        return (MIME_HEADER *)sk_value(hdrs, idx);
+}
+
+static MIME_PARAM *mime_param_find(MIME_HEADER *hdr, char *name)
+{
+        MIME_PARAM param;
+        int idx;
+        param.param_name = name;
+        idx = sk_find(hdr->params, (char *)&param);
+        if(idx < 0) return NULL;
+        return (MIME_PARAM *)sk_value(hdr->params, idx);
+}
+
+static void mime_hdr_free(MIME_HEADER *hdr)
+{
+        if(hdr->name) Free(hdr->name);
+        if(hdr->value) Free(hdr->value);
+        if(hdr->params) sk_pop_free(hdr->params, mime_param_free);
+        Free(hdr);
+}
+
+static void mime_param_free(MIME_PARAM *param)
+{
+        if(param->param_name) Free(param->param_name);
+        if(param->param_value) Free(param->param_value);
+        Free(param);
+}
+
+/* Check for a multipart boundary. Returns:
+ * 0 : no boundary
+ * 1 : part boundary
+ * 2 : final boundary
+ */
+static int mime_bound_check(char *line, int linelen, char *bound, int blen)
+{
+        if(linelen == -1) linelen = strlen(line);
+        if(blen == -1) blen = strlen(bound);
+        /* Quickly eliminate if line length too short */
+        if(blen + 2 > linelen) return 0;
+        /* Check for part boundary */
+        if(!strncmp(line, "--", 2) && !strncmp(line + 2, bound, blen)) {
+                if(!strncmp(line + blen + 2, "--", 2)) return 2;
+                else return 1;
+        }
+        return 0;
+}
diff --git a/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c b/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c
new file mode 100644
index 0000000000..b41f42ed04
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs7/pk7_smime.c
@@ -0,0 +1,427 @@
+/* pk7_smime.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* Simple PKCS#7 processing functions */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
+                                                        BIO *data, int flags)
+{
+        PKCS7 *p7;
+        PKCS7_SIGNER_INFO *si;
+        BIO *p7bio;
+        STACK *smcap;
+        int i;
+
+        if(!X509_check_private_key(signcert, pkey)) {
+                PKCS7err(PKCS7_F_PKCS7_SIGN,PKCS7_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
+                return NULL;
+        }
+
+        if(!(p7 = PKCS7_new())) {
+                PKCS7err(PKCS7_F_PKCS7_SIGN,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        PKCS7_set_type(p7, NID_pkcs7_signed);
+
+        PKCS7_content_new(p7, NID_pkcs7_data);
+
+        if (!(si = PKCS7_add_signature(p7,signcert,pkey,EVP_sha1()))) {
+                PKCS7err(PKCS7_F_PKCS7_SIGN,PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR);
+                return NULL;
+        }
+
+        if(!(flags & PKCS7_NOCERTS)) {
+                PKCS7_add_certificate(p7, signcert);
+                if(certs) for(i = 0; i < sk_X509_num(certs); i++)
+                        PKCS7_add_certificate(p7, sk_X509_value(certs, i));
+        }
+
+        if(!(p7bio = PKCS7_dataInit(p7, NULL))) {
+                PKCS7err(PKCS7_F_PKCS7_SIGN,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+
+        SMIME_crlf_copy(data, p7bio, flags);
+
+        if(!(flags & PKCS7_NOATTR)) {
+                PKCS7_add_signed_attribute(si, NID_pkcs9_contentType,
+                                V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data));
+                /* Add SMIMECapabilities */
+                if(!(smcap = sk_new(NULL))) {
+                        PKCS7err(PKCS7_F_PKCS7_SIGN,ERR_R_MALLOC_FAILURE);
+                        return NULL;
+                }
+#ifndef NO_DES
+                PKCS7_simple_smimecap (smcap, NID_des_ede3_cbc, -1);
+#endif
+#ifndef NO_RC2
+                PKCS7_simple_smimecap (smcap, NID_rc2_cbc, 128);
+                PKCS7_simple_smimecap (smcap, NID_rc2_cbc, 64);
+#endif
+#ifndef NO_DES
+                PKCS7_simple_smimecap (smcap, NID_des_cbc, -1);
+#endif
+#ifndef NO_RC2
+                PKCS7_simple_smimecap (smcap, NID_rc2_cbc, 40);
+#endif
+                PKCS7_add_attrib_smimecap (si, smcap);
+                sk_pop_free(smcap, X509_ALGOR_free);
+        }
+
+        if(flags & PKCS7_DETACHED)PKCS7_set_detached(p7, 1);
+
+        if (!PKCS7_dataFinal(p7,p7bio)) {
+                PKCS7err(PKCS7_F_PKCS7_SIGN,PKCS7_R_PKCS7_DATASIGN);
+                return NULL;
+        }
+
+        BIO_free_all(p7bio);
+        return p7;
+}
+
+int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
+                                        BIO *indata, BIO *out, int flags)
+{
+        STACK_OF(X509) *signers;
+        X509 *signer;
+        STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
+        PKCS7_SIGNER_INFO *si;
+        X509_STORE_CTX cert_ctx;
+        char buf[4096];
+        int i, j=0;
+        BIO *p7bio;
+        BIO *tmpout;
+
+        if(!p7) {
+                PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_INVALID_NULL_POINTER);
+                return 0;
+        }
+
+        if(!PKCS7_type_is_signed(p7)) {
+                PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_WRONG_CONTENT_TYPE);
+                return 0;
+        }
+
+        /* Check for no data and no content: no data to verify signature */
+        if(PKCS7_get_detached(p7) && !indata) {
+                PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_NO_CONTENT);
+                return 0;
+        }
+
+        /* Check for data and content: two sets of data */
+        if(!PKCS7_get_detached(p7) && indata) {
+                                PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_CONTENT_AND_DATA_PRESENT);
+                return 0;
+        }
+
+        sinfos = PKCS7_get_signer_info(p7);
+
+        if(!sinfos || !sk_PKCS7_SIGNER_INFO_num(sinfos)) {
+                PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_NO_SIGNATURES_ON_DATA);
+                return 0;
+        }
+
+
+        signers = PKCS7_get0_signers(p7, certs, flags);
+
+        if(!signers) return 0;
+
+        /* Now verify the certificates */
+
+        if (!(flags & PKCS7_NOVERIFY)) for (i = 0; i < sk_X509_num(signers); i++) {
+                signer = sk_X509_value (signers, i);
+                if (!(flags & PKCS7_NOCHAIN)) {
+                        X509_STORE_CTX_init(&cert_ctx, store, signer,
+                                                        p7->d.sign->cert);
+                        X509_STORE_CTX_set_purpose(&cert_ctx,
+                                                X509_PURPOSE_SMIME_SIGN);
+                } else X509_STORE_CTX_init (&cert_ctx, store, signer, NULL);
+                i = X509_verify_cert(&cert_ctx);
+                if (i <= 0) j = X509_STORE_CTX_get_error(&cert_ctx);
+                X509_STORE_CTX_cleanup(&cert_ctx);
+                if (i <= 0) {
+                        PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_CERTIFICATE_VERIFY_ERROR);
+                        ERR_add_error_data(2, "Verify error:",
+                                         X509_verify_cert_error_string(j));
+                        sk_X509_free(signers);
+                        return 0;
+                }
+                /* Check for revocation status here */
+        }
+
+        p7bio=PKCS7_dataInit(p7,indata);
+
+        if(flags & PKCS7_TEXT) {
+                if(!(tmpout = BIO_new(BIO_s_mem()))) {
+                        PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
+        } else tmpout = out;
+
+        /* We now have to 'read' from p7bio to calculate digests etc. */
+        for (;;)
+        {
+                i=BIO_read(p7bio,buf,sizeof(buf));
+                if (i <= 0) break;
+                if (tmpout) BIO_write(tmpout, buf, i);
+        }
+
+        if(flags & PKCS7_TEXT) {
+                if(!SMIME_text(tmpout, out)) {
+                        PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_SMIME_TEXT_ERROR);
+                        BIO_free(tmpout);
+                        goto err;
+                }
+                BIO_free(tmpout);
+        }
+
+        /* Now Verify All Signatures */
+        if (!(flags & PKCS7_NOSIGS))
+            for (i=0; i<sk_PKCS7_SIGNER_INFO_num(sinfos); i++)
+                {
+                si=sk_PKCS7_SIGNER_INFO_value(sinfos,i);
+                signer = sk_X509_value (signers, i);
+                j=PKCS7_signatureVerify(p7bio,p7,si, signer);
+                if (j <= 0) {
+                        PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_SIGNATURE_FAILURE);
+                        goto err;
+                }
+        }
+
+        sk_X509_free(signers);
+        if(indata) BIO_pop(p7bio);
+        BIO_free_all(p7bio);
+
+        return 1;
+
+        err:
+
+        sk_X509_free(signers);
+        BIO_free(p7bio);
+
+        return 0;
+}
+
+STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags)
+{
+        STACK_OF(X509) *signers;
+        STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
+        PKCS7_SIGNER_INFO *si;
+        PKCS7_ISSUER_AND_SERIAL *ias;
+        X509 *signer;
+        int i;
+
+        if(!p7) {
+                PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,PKCS7_R_INVALID_NULL_POINTER);
+                return NULL;
+        }
+
+        if(!PKCS7_type_is_signed(p7)) {
+                PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,PKCS7_R_WRONG_CONTENT_TYPE);
+                return NULL;
+        }
+        if(!(signers = sk_X509_new(NULL))) {
+                PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        /* Collect all the signers together */
+
+        sinfos = PKCS7_get_signer_info(p7);
+
+        if(sk_PKCS7_SIGNER_INFO_num(sinfos) <= 0) {
+                PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,PKCS7_R_NO_SIGNERS);
+                return 0;
+        }
+
+        for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++)
+        {
+            si = sk_PKCS7_SIGNER_INFO_value(sinfos, i);
+            ias = si->issuer_and_serial;
+            signer = NULL;
+                /* If any certificates passed they take priority */
+            if (certs) signer = X509_find_by_issuer_and_serial (certs,
+                                                ias->issuer, ias->serial);
+            if (!signer && !(flags & PKCS7_NOINTERN)
+                        && p7->d.sign->cert) signer =
+                              X509_find_by_issuer_and_serial (p7->d.sign->cert,
+                                                ias->issuer, ias->serial);
+            if (!signer) {
+                        PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,PKCS7_R_SIGNER_CERTIFICATE_NOT_FOUND);
+                        sk_X509_free(signers);
+                        return 0;
+            }
+
+            sk_X509_push(signers, signer);
+        }
+        return signers;
+}
+
+
+/* Build a complete PKCS#7 enveloped data */
+
+PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, EVP_CIPHER *cipher,
+                                                                int flags)
+{
+        PKCS7 *p7;
+        BIO *p7bio = NULL;
+        int i;
+        X509 *x509;
+        if(!(p7 = PKCS7_new())) {
+                PKCS7err(PKCS7_F_PKCS7_ENCRYPT,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        PKCS7_set_type(p7, NID_pkcs7_enveloped);
+        if(!PKCS7_set_cipher(p7, cipher)) {
+                PKCS7err(PKCS7_F_PKCS7_ENCRYPT,PKCS7_R_ERROR_SETTING_CIPHER);
+                goto err;
+        }
+
+        for(i = 0; i < sk_X509_num(certs); i++) {
+                x509 = sk_X509_value(certs, i);
+                if(!PKCS7_add_recipient(p7, x509)) {
+                        PKCS7err(PKCS7_F_PKCS7_ENCRYPT,
+                                        PKCS7_R_ERROR_ADDING_RECIPIENT);
+                        goto err;
+                }
+        }
+
+        if(!(p7bio = PKCS7_dataInit(p7, NULL))) {
+                PKCS7err(PKCS7_F_PKCS7_ENCRYPT,ERR_R_MALLOC_FAILURE);
+                goto err;
+        }
+
+        SMIME_crlf_copy(in, p7bio, flags);
+
+        BIO_flush(p7bio);
+
+        if (!PKCS7_dataFinal(p7,p7bio)) {
+                PKCS7err(PKCS7_F_PKCS7_ENCRYPT,PKCS7_R_PKCS7_DATAFINAL_ERROR);
+                goto err;
+        }
+        BIO_free_all(p7bio);
+
+        return p7;
+
+        err:
+
+        BIO_free(p7bio);
+        PKCS7_free(p7);
+        return NULL;
+
+}
+
+int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags)
+{
+        BIO *tmpmem;
+        int ret, i;
+        char buf[4096];
+
+        if(!p7) {
+                PKCS7err(PKCS7_F_PKCS7_DECRYPT,PKCS7_R_INVALID_NULL_POINTER);
+                return 0;
+        }
+
+        if(!PKCS7_type_is_enveloped(p7)) {
+                PKCS7err(PKCS7_F_PKCS7_DECRYPT,PKCS7_R_WRONG_CONTENT_TYPE);
+                return 0;
+        }
+
+        if(!X509_check_private_key(cert, pkey)) {
+                PKCS7err(PKCS7_F_PKCS7_DECRYPT,
+                                PKCS7_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
+                return 0;
+        }
+
+        if(!(tmpmem = PKCS7_dataDecode(p7, pkey, NULL, cert))) {
+                PKCS7err(PKCS7_F_PKCS7_DECRYPT, PKCS7_R_DECRYPT_ERROR);
+                return 0;
+        }
+
+        if (flags & PKCS7_TEXT) {
+                BIO *tmpbuf, *bread;
+                /* Encrypt BIOs can't do BIO_gets() so add a buffer BIO */
+                if(!(tmpbuf = BIO_new(BIO_f_buffer()))) {
+                        PKCS7err(PKCS7_F_PKCS7_DECRYPT, ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+                if(!(bread = BIO_push(tmpbuf, tmpmem))) {
+                        PKCS7err(PKCS7_F_PKCS7_DECRYPT, ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+                ret = SMIME_text(bread, data);
+                BIO_free_all(bread);
+                return ret;
+        } else {
+                for(;;) {
+                        i = BIO_read(tmpmem, buf, sizeof(buf));
+                        if(i <= 0) break;
+                        BIO_write(data, buf, i);
+                }
+                BIO_free_all(tmpmem);
+                return 1;
+        }
+}
diff --git a/src/lib/libssl/src/crypto/pkcs7/t/3des.pem b/src/lib/libssl/src/crypto/pkcs7/t/3des.pem
new file mode 100644
index 0000000000..b2b5081a10
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs7/t/3des.pem
@@ -0,0 +1,16 @@
+-----BEGIN PKCS7-----
+MIAGCSqGSIb3DQEHA6CAMIACAQAxggHmMIHwAgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEG
+A1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
+dCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNUUkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQD
+ExJERU1PIFpFUk8gVkFMVUUgQ0ECAgR+MA0GCSqGSIb3DQEBAQUABEC2vXI1xQDW6lUHM3zQ
+/9uBEBOO5A3TtkrklAXq7v01gsIC21t52qSk36REXY+slhNZ0OQ349tgkTsoETHFLoEwMIHw
+AgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMI
+QnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29mdCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNU
+UkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQDExJERU1PIFpFUk8gVkFMVUUgQ0ECAgR9MA0G
+CSqGSIb3DQEBAQUABEB8ujxbabxXUYJhopuDm3oDq4JNqX6Io4p3ro+ShqfIndsXTZ1v5a2N
+WtLLCWlHn/habjBwZ/DgQgcKASbZ7QxNMIAGCSqGSIb3DQEHATAaBggqhkiG9w0DAjAOAgIA
+oAQIbsL5v1wX98KggAQoAaJ4WHm68fXY1WE5OIjfVBIDpO1K+i8dmKhjnAjrjoyZ9Bwc8rDL
+lgQg4CXb805h5xl+GfvSwUaHJayte1m2mcOhs3J2YyqbQ+MEIMIiJQccmhO3oDKm36CFvYR8
+5PjpclVcZyX2ngbwPFMnBAgy0clOAE6UKAAAAAAAAAAAAAA=
+-----END PKCS7-----
+
diff --git a/src/lib/libssl/src/crypto/pkcs7/t/3dess.pem b/src/lib/libssl/src/crypto/pkcs7/t/3dess.pem
new file mode 100644
index 0000000000..23f013516a
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs7/t/3dess.pem
@@ -0,0 +1,32 @@
+-----BEGIN PKCS7-----
+MIIGHgYJKoZIhvcNAQcCoIIGDzCCBgsCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC
+BGswggJTMIIB/aADAgECAgIEfjANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCQVUxEzAR
+BgNVBAgTClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5lMRowGAYDVQQKExFDcnlwdHNv
+ZnQgUHR5IEx0ZDEiMCAGA1UECxMZREVNT05TVFJBVElPTiBBTkQgVEVTVElORzEbMBkGA1UE
+AxMSREVNTyBaRVJPIFZBTFVFIENBMB4XDTk4MDUxMzA2MjY1NloXDTAwMDUxMjA2MjY1Nlow
+gaUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFu
+ZTEaMBgGA1UEChMRQ3J5cHRzb2Z0IFB0eSBMdGQxEjAQBgNVBAsTCVNNSU1FIDAwMzEZMBcG
+A1UEAxMQQW5nZWxhIHZhbiBMZWVudDEjMCEGCSqGSIb3DQEJARYUYW5nZWxhQGNyeXB0c29m
+dC5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAuC3+7dAb2LhuO7gt2cTM8vsNjhG5JfDh
+hX1Vl/wVGbKEEj0MA6vWEolvefQlxB+EzwCtR0YZ7eEC/T/4JoCyeQIDAQABoygwJjAkBglg
+hkgBhvhCAQ0EFxYVR2VuZXJhdGVkIHdpdGggU1NMZWF5MA0GCSqGSIb3DQEBBAUAA0EAUnSP
+igs6TMFISTjw8cBtJYb98czgAVkVFjKyJQwYMH8FbDnCyx6NocM555nsyDstaw8fKR11Khds
+syd3ikkrhDCCAhAwggG6AgEDMA0GCSqGSIb3DQEBBAUAMIGSMQswCQYDVQQGEwJBVTETMBEG
+A1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
+dCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNUUkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQD
+ExJERU1PIFpFUk8gVkFMVUUgQ0EwHhcNOTgwMzAzMDc0MTMyWhcNMDgwMjI5MDc0MTMyWjCB
+kjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5l
+MRowGAYDVQQKExFDcnlwdHNvZnQgUHR5IEx0ZDEiMCAGA1UECxMZREVNT05TVFJBVElPTiBB
+TkQgVEVTVElORzEbMBkGA1UEAxMSREVNTyBaRVJPIFZBTFVFIENBMFwwDQYJKoZIhvcNAQEB
+BQADSwAwSAJBAL+0E2fLej3FSCwe2A2iRnMuC3z12qHIp6Ky1wo2zZcxft7AI+RfkrWrSGtf
+mfzBEuPrLdfulncC5Y1pNcM8RTUCAwEAATANBgkqhkiG9w0BAQQFAANBAGSbLMphL6F5pp3s
+8o0Xyh86FHFdpVOwYx09ELLkuG17V/P9pgIc0Eo/gDMbN+KT3IdgECf8S//pCRA6RrNjcXIx
+ggF7MIIBdwIBATCBmTCBkjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxETAP
+BgNVBAcTCEJyaXNiYW5lMRowGAYDVQQKExFDcnlwdHNvZnQgUHR5IEx0ZDEiMCAGA1UECxMZ
+REVNT05TVFJBVElPTiBBTkQgVEVTVElORzEbMBkGA1UEAxMSREVNTyBaRVJPIFZBTFVFIENB
+AgIEfjAJBgUrDgMCGgUAoHowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAbBgkqhkiG9w0B
+CQ8xDjAMMAoGCCqGSIb3DQMHMBwGCSqGSIb3DQEJBTEPFw05ODA1MTQwMzM5MzdaMCMGCSqG
+SIb3DQEJBDEWBBQstNMnSV26ba8PapQEDhO21yNFrjANBgkqhkiG9w0BAQEFAARAW9Xb9YXv
+BfcNkutgFX9Gr8iXhBVsNtGEVrjrpkQwpKa7jHI8SjAlLhk/4RFwDHf+ISB9Np3Z1WDWnLcA
+9CWR6g==
+-----END PKCS7-----
diff --git a/src/lib/libssl/src/crypto/pkcs7/t/c.pem b/src/lib/libssl/src/crypto/pkcs7/t/c.pem
new file mode 100644
index 0000000000..a4b55e321a
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs7/t/c.pem
@@ -0,0 +1,48 @@
+issuer :/C=AU/SP=Queensland/L=Brisbane/O=Cryptsoft Pty Ltd/OU=DEMONSTRATION AND TESTING/CN=DEMO ZERO VALUE CA
+subject:/C=AU/SP=Queensland/L=Brisbane/O=Cryptsoft Pty Ltd/OU=SMIME 003/CN=Information/Email=info@cryptsoft.com
+serial :047D
+
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1149 (0x47d)
+        Signature Algorithm: md5withRSAEncryption
+        Issuer: C=AU, SP=Queensland, L=Brisbane, O=Cryptsoft Pty Ltd, OU=DEMONSTRATION AND TESTING, CN=DEMO ZERO VALUE CA
+        Validity
+            Not Before: May 13 05:40:58 1998 GMT
+            Not After : May 12 05:40:58 2000 GMT
+        Subject: C=AU, SP=Queensland, L=Brisbane, O=Cryptsoft Pty Ltd, OU=SMIME 003, CN=Information/Email=info@cryptsoft.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Modulus:
+                    00:ad:e7:23:89:ee:0d:87:b7:9c:32:44:4b:95:81:
+                    73:dd:22:80:4b:2d:c5:60:b8:fe:1e:18:63:ef:dc:
+                    89:89:22:df:95:3c:7a:db:3d:9a:06:a8:08:d6:29:
+                    fd:ef:41:09:91:ed:bc:ad:98:f9:f6:28:90:62:6f:
+                    e7:e7:0c:4d:0b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            Netscape Comment: 
+                Generated with SSLeay
+    Signature Algorithm: md5withRSAEncryption
+        52:15:ea:88:f4:f0:f9:0b:ef:ce:d5:f8:83:40:61:16:5e:55:
+        f9:ce:2d:d1:8b:31:5c:03:c6:2d:10:7c:61:d5:5c:0a:42:97:
+        d1:fd:65:b6:b6:84:a5:39:ec:46:ec:fc:e0:0d:d9:22:da:1b:
+        50:74:ad:92:cb:4e:90:e5:fa:7d
+
+-----BEGIN CERTIFICATE-----
+MIICTDCCAfagAwIBAgICBH0wDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAkFV
+MRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UE
+ChMRQ3J5cHRzb2Z0IFB0eSBMdGQxIjAgBgNVBAsTGURFTU9OU1RSQVRJT04gQU5E
+IFRFU1RJTkcxGzAZBgNVBAMTEkRFTU8gWkVSTyBWQUxVRSBDQTAeFw05ODA1MTMw
+NTQwNThaFw0wMDA1MTIwNTQwNThaMIGeMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
+UXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
+dCBQdHkgTHRkMRIwEAYDVQQLEwlTTUlNRSAwMDMxFDASBgNVBAMTC0luZm9ybWF0
+aW9uMSEwHwYJKoZIhvcNAQkBFhJpbmZvQGNyeXB0c29mdC5jb20wXDANBgkqhkiG
+9w0BAQEFAANLADBIAkEArecjie4Nh7ecMkRLlYFz3SKASy3FYLj+Hhhj79yJiSLf
+lTx62z2aBqgI1in970EJke28rZj59iiQYm/n5wxNCwIDAQABoygwJjAkBglghkgB
+hvhCAQ0EFxYVR2VuZXJhdGVkIHdpdGggU1NMZWF5MA0GCSqGSIb3DQEBBAUAA0EA
+UhXqiPTw+QvvztX4g0BhFl5V+c4t0YsxXAPGLRB8YdVcCkKX0f1ltraEpTnsRuz8
+4A3ZItobUHStkstOkOX6fQ==
+-----END CERTIFICATE-----
+
diff --git a/src/lib/libssl/src/crypto/pkcs7/t/ff b/src/lib/libssl/src/crypto/pkcs7/t/ff
new file mode 100644
index 0000000000..23f013516a
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs7/t/ff
@@ -0,0 +1,32 @@
+-----BEGIN PKCS7-----
+MIIGHgYJKoZIhvcNAQcCoIIGDzCCBgsCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC
+BGswggJTMIIB/aADAgECAgIEfjANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCQVUxEzAR
+BgNVBAgTClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5lMRowGAYDVQQKExFDcnlwdHNv
+ZnQgUHR5IEx0ZDEiMCAGA1UECxMZREVNT05TVFJBVElPTiBBTkQgVEVTVElORzEbMBkGA1UE
+AxMSREVNTyBaRVJPIFZBTFVFIENBMB4XDTk4MDUxMzA2MjY1NloXDTAwMDUxMjA2MjY1Nlow
+gaUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFu
+ZTEaMBgGA1UEChMRQ3J5cHRzb2Z0IFB0eSBMdGQxEjAQBgNVBAsTCVNNSU1FIDAwMzEZMBcG
+A1UEAxMQQW5nZWxhIHZhbiBMZWVudDEjMCEGCSqGSIb3DQEJARYUYW5nZWxhQGNyeXB0c29m
+dC5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAuC3+7dAb2LhuO7gt2cTM8vsNjhG5JfDh
+hX1Vl/wVGbKEEj0MA6vWEolvefQlxB+EzwCtR0YZ7eEC/T/4JoCyeQIDAQABoygwJjAkBglg
+hkgBhvhCAQ0EFxYVR2VuZXJhdGVkIHdpdGggU1NMZWF5MA0GCSqGSIb3DQEBBAUAA0EAUnSP
+igs6TMFISTjw8cBtJYb98czgAVkVFjKyJQwYMH8FbDnCyx6NocM555nsyDstaw8fKR11Khds
+syd3ikkrhDCCAhAwggG6AgEDMA0GCSqGSIb3DQEBBAUAMIGSMQswCQYDVQQGEwJBVTETMBEG
+A1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
+dCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNUUkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQD
+ExJERU1PIFpFUk8gVkFMVUUgQ0EwHhcNOTgwMzAzMDc0MTMyWhcNMDgwMjI5MDc0MTMyWjCB
+kjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5l
+MRowGAYDVQQKExFDcnlwdHNvZnQgUHR5IEx0ZDEiMCAGA1UECxMZREVNT05TVFJBVElPTiBB
+TkQgVEVTVElORzEbMBkGA1UEAxMSREVNTyBaRVJPIFZBTFVFIENBMFwwDQYJKoZIhvcNAQEB
+BQADSwAwSAJBAL+0E2fLej3FSCwe2A2iRnMuC3z12qHIp6Ky1wo2zZcxft7AI+RfkrWrSGtf
+mfzBEuPrLdfulncC5Y1pNcM8RTUCAwEAATANBgkqhkiG9w0BAQQFAANBAGSbLMphL6F5pp3s
+8o0Xyh86FHFdpVOwYx09ELLkuG17V/P9pgIc0Eo/gDMbN+KT3IdgECf8S//pCRA6RrNjcXIx
+ggF7MIIBdwIBATCBmTCBkjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxETAP
+BgNVBAcTCEJyaXNiYW5lMRowGAYDVQQKExFDcnlwdHNvZnQgUHR5IEx0ZDEiMCAGA1UECxMZ
+REVNT05TVFJBVElPTiBBTkQgVEVTVElORzEbMBkGA1UEAxMSREVNTyBaRVJPIFZBTFVFIENB
+AgIEfjAJBgUrDgMCGgUAoHowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAbBgkqhkiG9w0B
+CQ8xDjAMMAoGCCqGSIb3DQMHMBwGCSqGSIb3DQEJBTEPFw05ODA1MTQwMzM5MzdaMCMGCSqG
+SIb3DQEJBDEWBBQstNMnSV26ba8PapQEDhO21yNFrjANBgkqhkiG9w0BAQEFAARAW9Xb9YXv
+BfcNkutgFX9Gr8iXhBVsNtGEVrjrpkQwpKa7jHI8SjAlLhk/4RFwDHf+ISB9Np3Z1WDWnLcA
+9CWR6g==
+-----END PKCS7-----
diff --git a/src/lib/libssl/src/crypto/pkcs7/t/msie-e b/src/lib/libssl/src/crypto/pkcs7/t/msie-e
new file mode 100644
index 0000000000..aafae69fc9
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs7/t/msie-e
@@ -0,0 +1,20 @@
+
+MIAGCSqGSIb3DQEHA6CAMIACAQAxggHCMIHMAgEAMHYwYjERMA8GA1UEBxMISW50ZXJuZXQxFzAV
+BgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQLEytWZXJpU2lnbiBDbGFzcyAxIENBIC0gSW5k
+aXZpZHVhbCBTdWJzY3JpYmVyAhBgQJiC3qfbCbjdj5INYLnKMA0GCSqGSIb3DQEBAQUABECMzu8y
+wQ/qZbO8cAGMRBF+mPruv3+Dvb9aWNZ2k8njUgqF6mcdhVB2MkGcsG3memRXJBixvMYWVkU3qK4Z
+VuKsMIHwAgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDERMA8GA1UE
+BxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29mdCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNU
+UkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQDExJERU1PIFpFUk8gVkFMVUUgQ0ECAgRuMA0GCSqG
+SIb3DQEBAQUABEBcWwYFHJbJGhiztt7lzue3Lc9CH5WAbyR+2BZ3uv+JxZfRs1PuaWPOwRa0Vgs3
+YwSJoRfxQj2Gk0wFqG1qt6d1MIAGCSqGSIb3DQEHATAaBggqhkiG9w0DAjAOAgIAoAQI8vRlP/Nx
+2iSggASCAZhR5srxyspy7DfomRJ9ff8eMCtaNwEoEx7G25PZRonC57hBvGoScLtEPU3Wp9FEbPN7
+oJESeC+AqMTyTLNy8aQsyC5s53E9UkoIvg62ekYZBbXZqXsrxx4PhiiX3NH8GVh42phB0Chjw0nK
+HZeRDmxGY3Cmk+J+l0uVKxbNIfJIKOguLBnhqmnKH/PrnzDt591u0ULy2aTLqRm+4/1Yat/QPb6J
+eoKGwNPBbS9ogBdrCNCp9ZFg3Xar2AtQHzyTQIfYeH3SRQUpKmRm5U5o9p5emgEdT+ZfJm/J4tSH
+OmbgAFsbHQakA4MBZ4J5qfDJhOA2g5lWk1hIeu5Dn/AaLRZd0yz3oY0Ieo/erPWx/bCqtBzYbMe9
+qSFTedKlbc9EGe3opOTdBZVzK8KH3w3zsy5luxKdOUG59YYb5F1IZiWGiDyuo/HuacX+griu5LeD
+bEzOtZnko+TZXvWIko30fD79j3T4MRRhWXbgj2HKza+4vJ0mzcC/1+GPsJjAEAA/JgIEDU4w6/DI
+/HQHhLAO3G+9xKD7MvmrzkoAAAAAAAAAAAAA
+
+
diff --git a/src/lib/libssl/src/crypto/pkcs7/t/msie-e.pem b/src/lib/libssl/src/crypto/pkcs7/t/msie-e.pem
new file mode 100644
index 0000000000..a2a5e24e74
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs7/t/msie-e.pem
@@ -0,0 +1,22 @@
+-----BEGIN PKCS7-----
+MIAGCSqGSIb3DQEHA6CAMIIDkAIBADGCAcIwgcwCAQAwdjBiMREwDwYDVQQHEwhJ
+bnRlcm5ldDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNDAyBgNVBAsTK1ZlcmlT
+aWduIENsYXNzIDEgQ0EgLSBJbmRpdmlkdWFsIFN1YnNjcmliZXICEGBAmILep9sJ
+uN2Pkg1gucowDQYJKoZIhvcNAQEBBQAEQIzO7zLBD+pls7xwAYxEEX6Y+u6/f4O9
+v1pY1naTyeNSCoXqZx2FUHYyQZywbeZ6ZFckGLG8xhZWRTeorhlW4qwwgfACAQAw
+gZkwgZIxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQH
+EwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRzb2Z0IFB0eSBMdGQxIjAgBgNVBAsT
+GURFTU9OU1RSQVRJT04gQU5EIFRFU1RJTkcxGzAZBgNVBAMTEkRFTU8gWkVSTyBW
+QUxVRSBDQQICBG4wDQYJKoZIhvcNAQEBBQAEQFxbBgUclskaGLO23uXO57ctz0If
+lYBvJH7YFne6/4nFl9GzU+5pY87BFrRWCzdjBImhF/FCPYaTTAWobWq3p3UwggHD
+BgkqhkiG9w0BBwEwGgYIKoZIhvcNAwIwDgICAKAECPL0ZT/zcdokgIIBmFHmyvHK
+ynLsN+iZEn19/x4wK1o3ASgTHsbbk9lGicLnuEG8ahJwu0Q9Tdan0URs83ugkRJ4
+L4CoxPJMs3LxpCzILmzncT1SSgi+DrZ6RhkFtdmpeyvHHg+GKJfc0fwZWHjamEHQ
+KGPDScodl5EObEZjcKaT4n6XS5UrFs0h8kgo6C4sGeGqacof8+ufMO3n3W7RQvLZ
+pMupGb7j/Vhq39A9vol6gobA08FtL2iAF2sI0Kn1kWDddqvYC1AfPJNAh9h4fdJF
+BSkqZGblTmj2nl6aAR1P5l8mb8ni1Ic6ZuAAWxsdBqQDgwFngnmp8MmE4DaDmVaT
+WEh67kOf8BotFl3TLPehjQh6j96s9bH9sKq0HNhsx72pIVN50qVtz0QZ7eik5N0F
+lXMrwoffDfOzLmW7Ep05Qbn1hhvkXUhmJYaIPK6j8e5pxf6CuK7kt4NsTM61meSj
+5Nle9YiSjfR8Pv2PdPgxFGFZduCPYcrNr7i8nSbNwL/X4Y+wmMAQAD8mAgQNTjDr
+8Mj8dAeEsA7cb73EoPsy+avOSgAAAAA=
+-----END PKCS7-----
diff --git a/src/lib/libssl/src/crypto/pkcs7/t/msie-enc-01 b/src/lib/libssl/src/crypto/pkcs7/t/msie-enc-01
new file mode 100644
index 0000000000..2c93ab6462
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs7/t/msie-enc-01
@@ -0,0 +1,62 @@
+
+MIAGCSqGSIb3DQEHA6CAMIACAQAxgfMwgfACAQAwgZkwgZIxCzAJBgNVBAYTAkFVMRMwEQYD
+VQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRzb2Z0
+IFB0eSBMdGQxIjAgBgNVBAsTGURFTU9OU1RSQVRJT04gQU5EIFRFU1RJTkcxGzAZBgNVBAMT
+EkRFTU8gWkVSTyBWQUxVRSBDQQICBG4wDQYJKoZIhvcNAQEBBQAEQKvMaW8xh6oF/X+CJivz
+IZV7yHxlp4O3NHQtWG0A8MOZB+CtKlU7/6g5e/a9Du/TOqxRMqtYRp63pa2Q/mM4IYMwgAYJ
+KoZIhvcNAQcBMBoGCCqGSIb3DQMCMA4CAgCgBAifz6RvzOPYlKCABIGwxtGA/FLBBRs1wbBP
+gDCbSG0yCwjJNsFg89/k6xuXo8c5YTwsw8+XlIVq03navpew6XxxzY090rD2OJ0t6HA6GqrI
+pd8WiSh/Atqn0yfLFmkLqgIAPRfzxUxqUocxLpQsLIFp2YNUGE+yps+UZmIjw/WHfdqrcWTm
+STSvKuy3UkIJZCkGDBpTvqk4BFaHh4oTXEpgpNY+GKxjf9TDN9GQPqQZR7sgQki4t2g4/Saq
+Kl4EMISgluk6swdND0tiHY7v5d6YR29ePCl2/STJ98eJpWkEEC22GNNvOy7ru/Rv2He4MgQg
+optd7sk9MMd9xhJppg7CcH/yDx//HrtgpOcWmn6VxpgECFqon4uXkQtIBIH4PaNclFn7/hLx
+Pw2VmBGaC0SYF3U1jyN96EBxdjqy8Aa6ByMXYDW5BcfqniD5mYXfw+b81lh1kutxaPaV4YJ9
+ZlRUW752N7VHo/fG0/fukoe5W9a8kIhgLpygllb/GP4oSF4wM6n1/OgRzZj2IWFiobKO4d/t
+Mnh+C+PoEVAuFZcxQwi9GqvsK5OoIjVwNx0XcVSOl1TTYS9SwC7ugMBCab73JiruC24pL78Y
+M+NaIpIQ3On4DokJA2ZHtjBjZIxF4tKA144RvFN6pBd6TVE5XM6KD/Vh9bjSmujtEAfdQ3Te
+dvKJsbZuu0stErbvWcRy11I328l557EECAJT7d44OJ3rBBBj6bnnx6dDU2SRqp2CEoQaBAhK
+RBuyhNxkygQIOY9/NhwqAJAECOvX0Zd0DqgoBAjobPpMHhVV3gQQWLU2vEoZ51BwzxdzCmxO
+wwQI4oKfudaNqoAESKzBNAqv5kGumHOlMKsRfrs7jZCcSaOuEj97pYx08FLEgF23cav39MOQ
+NUEM1dNU+EYslL4o3RoSHRjUgPU+2t9c0prS9A/bPARIEOP94PynaTNxwHi3VTK7SzuQmgzA
+4n942E9joSiqsQPlsKAb3sPUaLC3SuUxSjNBgfpvD0bmrA/5h+WZoYXvIogFpwjkSmnFBEie
+0lh5Ov1aRrvCw5/j3Q/W/4ZtN5U+aeVBJMtA8n0Mxd5kPxHbNVh4oGprZ6wEegV8ht3voyZa
+mZ5Cyxc8ffMYnM/JJI6/oEYEUEMyyiS5FnYyvxKzfMtyn2lZ2st9nZGNNgMc9N62r5HgNbdD
+FHuRdKKzV+8kQfuMc3mOPpK1t9TFY+QgrxiB5p6S7VooI97YtP3PbfknszCEBEh4PdXYbbaR
+3AacN3Q5kYYmWsq3WW6xgrg0mmEGosGvwSQxBBuiXZrxScCa4ivEq05UZwyShePvKduOvnUE
+2zDO6IXFLZxhTZAESEm9/FovLgGAiJ7iMGmYvsISLJScwG4n+wrSaQNQXizs9N3ykys54wBN
+d/+BQ4F7pncHhDQ2Dyt5MekB8Y8iNOocUTFCu524vQRIaWCXmXP3vU7D21dp0XnAMzRQJ565
+JV3aHRoY7XDa4LePa7PP9ywyafOE5yCW7ndqx3J+2JhTDvSFsW8/q3H3iyeFhykuJVS6BFDK
+6CmKbnyyjOfE2iLGJmTFa905V2KrVDCmlEu/xyGMs80yTyZC+ySzM83FMVvLEQmSzcTNUZVp
+DfA1kNXbXkPouBXXT6g8r8JCRljaKKABmgRIlMheOJQRUUU4cgvhMreXPayhq5Ao4VMSCkA5
+hYRCBczm4Di/MMohF0SxIsdRY6gY9CPnrBXAsY6h1RbR7Tw0iQZmeXi52DCiBEj0by+SYMAa
+9z0CReIzl8JLL6EVIFz8kFxlkGWjr4dnOzhhPOq/mCpp0WxbavDfdhE87MdXJZBnLwoT62QG
+955HlAoEQBOGJbcESCgd5XSirZ9Y3AbCfuKOqoMBvEUGn+w/pMaqnGvnr5FZhuBDKrhRXqtx
+QsxA//drGUxsrZOuSL/0+fbvo7n2h1Z8Ny86jOvVZAQIAjw2l1Yc5RAESNc9i3I8pKEOVQf/
+UBczJ0NR9aTEF80dRg2lpXwD0ho4N0AvSiVbgxC7cPZHQwIqvq9LHRUs/4n+Vu3SVYU3cAxo
+lUTiCGUSlARIF+TD57SI5+RI+MNtnD9rs4E1ml51YoHGWFj3UPriDmY0FKEwIgqtMXMY3fZ9
+Kq8d83bjDzxwbDX7WwR7KbSeJWT42pCz7kM+BEjjPsOnZHuusXT3x2rrsBnYtYsbt98mSFiS
+KzTtFmXfkOBbCQdit1P76QnYJ1aXMGs6zP6GypQTadK/zYWvlm38QkVwueaJ0woESKW2pqKA
+70h2UMDHOrpepU1lj0YMzmotDHSTU3L909VvUMNg9uqfrQ6mSkb9j5Tl8oF2otOw5EzA1Yda
+KPmgsv62RWLYl80wXQRQwG0e/mgG75jp9lOhJdVXqcYbQpS9viwVaVkwH+69mu/bQI4gjoEs
+UYX6O71Re2z+cYhcm9UrK+DXuSFBXQOIlAFxKMW4B0apd6fU84FsZLMESOorXE5OE0A2B2ji
+J8QI0Exk4hUvWrMNJfUZwFyS7E05xV9ORuX1xmsKqkT4tVR5Nqln4vhvAY860VBoloz0CDkd
+8seSBEjeMgRI9FvpYuflIeHg9urkwp6N+1f0DrJJhJY9ZQ0HTQhziJmIfvbEjNqCl7hEC28+
+F8I5tuViLgfSwcFFCvnS6WFoN4X6QdFdqMCbBEjdlI1c+IQGA/IuTDMJYCuQ/v+8BG5ZeWVH
+icPZmXfRat9eFK1dGKAJef6+Tf9HPuDjSpDyffrifsp7Dc34lmm7GN1+ON3ZMtwEUNm6epb8
+1RKWjoI7jIKUV/M2p/0eeGSqs4b06KF/VR6dBwsJVL5DpnTsp3MV4j/CAOlRdSPZ5++tsKbM
+aplk+ceqQtpEFz1MYTtVV4+rlrWaBEA1okJyNZ5/tNOwM7B+XfOZ0xw+uyVi9v4byTZM2Qds
+J+d3YGYLAugTGHISLqQEerD8/gGK+/SL06b2gNedXPHtBAiBKX+Mdy3wFQQIqE9gVgvrFNUE
+CKKoTFoMGqnPBAjDPgLCklNfrwQI3Ek1vSq68w8ECBodu2FOZJVkBAgzwjfSr2N9WQQQTCoQ
+KkAbrS9tnjXn1I3+ZwQIrPx3eINo/YUECIeYWCFskxlYBAiDUdvZXwD3vgQIkEyZbbZWbUUE
+CH4+odl1Isk3BBj68fkqJ0fKJRWVLWuW/O3VE4BOPKwFlaIECFseVTdDUho8BAj+cOKvV2WA
+hgQgaXr+wwq+ItblG0Qxz8IVUXX6PV2mIdHwz4SCCvnCsaIECJhBYxdfLI/XBCDswamPn9MR
+yXi2HVQBineV+GtWVkIoZ2dCLFB9mQRMoAQI0nUR5a5AOJoECA+AunKlAlx8BAi5RtFeF4g1
+FQQIz/ie+16LlQcECOmNuVg5DXjMBAjH2nkfpXZgWwQIVdLuO/+kuHAECO/5rEHmyI9vBBD4
+16BU4Rd3YerDQnHtrwOQBCCkho1XxK5Maz8KLCNi20wvcGt8wsIXlj2h5q9ITBq7IgQQvKVY
+4OfJ7bKbItP2dylwQgQYPIGxwkkbRXNraONYvN19G8UdF35rFOuIBAjf0sKz/618ZQQIxObr
+xJkRe0sECIC+ssnjEb2NBBBI+XM4OntVWGsRV9Td3sFgBAinGwIroo8O0gQQMGAwgc9PaLaG
+gBCiwSTrYQQIVHjfCQgOtygEUIoraFoANfhZgIShpOd/RRxFU4/7xZR5tMdGoYz/g0thR0lM
++Hi88FtFD4mAh/Oat4Ri8B7bv04aokjN2UHz6nPbHHjZ8zIqpbYTCy043GNZBAhOqjyB2JbD
+NwQoR23XCYD9x6E20ChHJRXmaHwyMdYXKl5CUxypl7ois+sy2D7jDukS3wQIsTyyPgJi0GsA
+AAAAAAAAAAAA
+
diff --git a/src/lib/libssl/src/crypto/pkcs7/t/msie-enc-01.pem b/src/lib/libssl/src/crypto/pkcs7/t/msie-enc-01.pem
new file mode 100644
index 0000000000..9abf00b2f2
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs7/t/msie-enc-01.pem
@@ -0,0 +1,66 @@
+-----BEGIN PKCS7-----
+MIAGCSqGSIb3DQEHA6CAMIILyAIBADGB8zCB8AIBADCBmTCBkjELMAkGA1UEBhMC
+QVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5lMRowGAYD
+VQQKExFDcnlwdHNvZnQgUHR5IEx0ZDEiMCAGA1UECxMZREVNT05TVFJBVElPTiBB
+TkQgVEVTVElORzEbMBkGA1UEAxMSREVNTyBaRVJPIFZBTFVFIENBAgIEbjANBgkq
+hkiG9w0BAQEFAARAq8xpbzGHqgX9f4ImK/MhlXvIfGWng7c0dC1YbQDww5kH4K0q
+VTv/qDl79r0O79M6rFEyq1hGnrelrZD+YzghgzCCCssGCSqGSIb3DQEHATAaBggq
+hkiG9w0DAjAOAgIAoAQIn8+kb8zj2JSAggqgxtGA/FLBBRs1wbBPgDCbSG0yCwjJ
+NsFg89/k6xuXo8c5YTwsw8+XlIVq03navpew6XxxzY090rD2OJ0t6HA6GqrIpd8W
+iSh/Atqn0yfLFmkLqgIAPRfzxUxqUocxLpQsLIFp2YNUGE+yps+UZmIjw/WHfdqr
+cWTmSTSvKuy3UkIJZCkGDBpTvqk4BFaHh4oTXEpgpNY+GKxjf9TDN9GQPqQZR7sg
+Qki4t2g4/SaqKl6EoJbpOrMHTQ9LYh2O7+XemEdvXjwpdv0kyffHiaVpBBAtthjT
+bzsu67v0b9h3uDKim13uyT0wx33GEmmmDsJwf/IPH/8eu2Ck5xaafpXGmFqon4uX
+kQtIPaNclFn7/hLxPw2VmBGaC0SYF3U1jyN96EBxdjqy8Aa6ByMXYDW5BcfqniD5
+mYXfw+b81lh1kutxaPaV4YJ9ZlRUW752N7VHo/fG0/fukoe5W9a8kIhgLpygllb/
+GP4oSF4wM6n1/OgRzZj2IWFiobKO4d/tMnh+C+PoEVAuFZcxQwi9GqvsK5OoIjVw
+Nx0XcVSOl1TTYS9SwC7ugMBCab73JiruC24pL78YM+NaIpIQ3On4DokJA2ZHtjBj
+ZIxF4tKA144RvFN6pBd6TVE5XM6KD/Vh9bjSmujtEAfdQ3TedvKJsbZuu0stErbv
+WcRy11I328l557ECU+3eODid62PpuefHp0NTZJGqnYIShBpKRBuyhNxkyjmPfzYc
+KgCQ69fRl3QOqCjobPpMHhVV3li1NrxKGedQcM8XcwpsTsPigp+51o2qgKzBNAqv
+5kGumHOlMKsRfrs7jZCcSaOuEj97pYx08FLEgF23cav39MOQNUEM1dNU+EYslL4o
+3RoSHRjUgPU+2t9c0prS9A/bPBDj/eD8p2kzccB4t1Uyu0s7kJoMwOJ/eNhPY6Eo
+qrED5bCgG97D1Giwt0rlMUozQYH6bw9G5qwP+YflmaGF7yKIBacI5EppxZ7SWHk6
+/VpGu8LDn+PdD9b/hm03lT5p5UEky0DyfQzF3mQ/Eds1WHigamtnrAR6BXyG3e+j
+JlqZnkLLFzx98xicz8kkjr+gRkMyyiS5FnYyvxKzfMtyn2lZ2st9nZGNNgMc9N62
+r5HgNbdDFHuRdKKzV+8kQfuMc3mOPpK1t9TFY+QgrxiB5p6S7VooI97YtP3Pbfkn
+szCEeD3V2G22kdwGnDd0OZGGJlrKt1lusYK4NJphBqLBr8EkMQQbol2a8UnAmuIr
+xKtOVGcMkoXj7ynbjr51BNswzuiFxS2cYU2QSb38Wi8uAYCInuIwaZi+whIslJzA
+bif7CtJpA1BeLOz03fKTKznjAE13/4FDgXumdweENDYPK3kx6QHxjyI06hxRMUK7
+nbi9aWCXmXP3vU7D21dp0XnAMzRQJ565JV3aHRoY7XDa4LePa7PP9ywyafOE5yCW
+7ndqx3J+2JhTDvSFsW8/q3H3iyeFhykuJVS6yugpim58soznxNoixiZkxWvdOVdi
+q1QwppRLv8chjLPNMk8mQvskszPNxTFbyxEJks3EzVGVaQ3wNZDV215D6LgV10+o
+PK/CQkZY2iigAZqUyF44lBFRRThyC+Eyt5c9rKGrkCjhUxIKQDmFhEIFzObgOL8w
+yiEXRLEix1FjqBj0I+esFcCxjqHVFtHtPDSJBmZ5eLnYMKL0by+SYMAa9z0CReIz
+l8JLL6EVIFz8kFxlkGWjr4dnOzhhPOq/mCpp0WxbavDfdhE87MdXJZBnLwoT62QG
+955HlAoEQBOGJbcoHeV0oq2fWNwGwn7ijqqDAbxFBp/sP6TGqpxr56+RWYbgQyq4
+UV6rcULMQP/3axlMbK2Trki/9Pn276O59odWfDcvOozr1WQCPDaXVhzlENc9i3I8
+pKEOVQf/UBczJ0NR9aTEF80dRg2lpXwD0ho4N0AvSiVbgxC7cPZHQwIqvq9LHRUs
+/4n+Vu3SVYU3cAxolUTiCGUSlBfkw+e0iOfkSPjDbZw/a7OBNZpedWKBxlhY91D6
+4g5mNBShMCIKrTFzGN32fSqvHfN24w88cGw1+1sEeym0niVk+NqQs+5DPuM+w6dk
+e66xdPfHauuwGdi1ixu33yZIWJIrNO0WZd+Q4FsJB2K3U/vpCdgnVpcwazrM/obK
+lBNp0r/Nha+WbfxCRXC55onTCqW2pqKA70h2UMDHOrpepU1lj0YMzmotDHSTU3L9
+09VvUMNg9uqfrQ6mSkb9j5Tl8oF2otOw5EzA1YdaKPmgsv62RWLYl80wXcBtHv5o
+Bu+Y6fZToSXVV6nGG0KUvb4sFWlZMB/uvZrv20COII6BLFGF+ju9UXts/nGIXJvV
+Kyvg17khQV0DiJQBcSjFuAdGqXen1POBbGSz6itcTk4TQDYHaOInxAjQTGTiFS9a
+sw0l9RnAXJLsTTnFX05G5fXGawqqRPi1VHk2qWfi+G8BjzrRUGiWjPQIOR3yx5IE
+SN4y9FvpYuflIeHg9urkwp6N+1f0DrJJhJY9ZQ0HTQhziJmIfvbEjNqCl7hEC28+
+F8I5tuViLgfSwcFFCvnS6WFoN4X6QdFdqMCb3ZSNXPiEBgPyLkwzCWArkP7/vARu
+WXllR4nD2Zl30WrfXhStXRigCXn+vk3/Rz7g40qQ8n364n7Kew3N+JZpuxjdfjjd
+2TLc2bp6lvzVEpaOgjuMgpRX8zan/R54ZKqzhvTooX9VHp0HCwlUvkOmdOyncxXi
+P8IA6VF1I9nn762wpsxqmWT5x6pC2kQXPUxhO1VXj6uWtZo1okJyNZ5/tNOwM7B+
+XfOZ0xw+uyVi9v4byTZM2QdsJ+d3YGYLAugTGHISLqQEerD8/gGK+/SL06b2gNed
+XPHtgSl/jHct8BWoT2BWC+sU1aKoTFoMGqnPwz4CwpJTX6/cSTW9KrrzDxodu2FO
+ZJVkM8I30q9jfVlMKhAqQButL22eNefUjf5nrPx3eINo/YWHmFghbJMZWINR29lf
+APe+kEyZbbZWbUV+PqHZdSLJN/rx+SonR8olFZUta5b87dUTgE48rAWVolseVTdD
+Uho8/nDir1dlgIZpev7DCr4i1uUbRDHPwhVRdfo9XaYh0fDPhIIK+cKxophBYxdf
+LI/X7MGpj5/TEcl4th1UAYp3lfhrVlZCKGdnQixQfZkETKDSdRHlrkA4mg+AunKl
+Alx8uUbRXheINRXP+J77XouVB+mNuVg5DXjMx9p5H6V2YFtV0u47/6S4cO/5rEHm
+yI9v+NegVOEXd2Hqw0Jx7a8DkKSGjVfErkxrPwosI2LbTC9wa3zCwheWPaHmr0hM
+GrsivKVY4OfJ7bKbItP2dylwQjyBscJJG0Vza2jjWLzdfRvFHRd+axTriN/SwrP/
+rXxlxObrxJkRe0uAvrLJ4xG9jUj5czg6e1VYaxFX1N3ewWCnGwIroo8O0jBgMIHP
+T2i2hoAQosEk62FUeN8JCA63KIoraFoANfhZgIShpOd/RRxFU4/7xZR5tMdGoYz/
+g0thR0lM+Hi88FtFD4mAh/Oat4Ri8B7bv04aokjN2UHz6nPbHHjZ8zIqpbYTCy04
+3GNZTqo8gdiWwzdHbdcJgP3HoTbQKEclFeZofDIx1hcqXkJTHKmXuiKz6zLYPuMO
+6RLfsTyyPgJi0GsAAAAA
+-----END PKCS7-----
diff --git a/src/lib/libssl/src/crypto/pkcs7/t/msie-enc-02 b/src/lib/libssl/src/crypto/pkcs7/t/msie-enc-02
new file mode 100644
index 0000000000..7017055965
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs7/t/msie-enc-02
@@ -0,0 +1,90 @@
+
+MIAGCSqGSIb3DQEHA6CAMIACAQAxggHCMIHMAgEAMHYwYjERMA8GA1UEBxMISW50ZXJuZXQxFzAV
+BgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQLEytWZXJpU2lnbiBDbGFzcyAxIENBIC0gSW5k
+aXZpZHVhbCBTdWJzY3JpYmVyAhBgQJiC3qfbCbjdj5INYLnKMA0GCSqGSIb3DQEBAQUABEACr4tn
+kSzvo3aIlHfJLGbfokNCV6FjdDP1vQhL+kdXONqcFCEf9ReETCvaHslIr/Wepc5j2hjZselzgqLn
+rM1ZMIHwAgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDERMA8GA1UE
+BxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29mdCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNU
+UkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQDExJERU1PIFpFUk8gVkFMVUUgQ0ECAgRuMA0GCSqG
+SIb3DQEBAQUABEBanBxKOvUoRn3DiFY55lly2TPu2Cv+dI/GLrzW6qvnUMZPWGPGaUlPyWLMZrXJ
+xGXZUiRJKTBwDu91fnodUEK9MIAGCSqGSIb3DQEHATAaBggqhkiG9w0DAjAOAgIAoAQImxKZEDWP
+EuOggASCBACBi1bX/qc3geqFyfRpX7JyIo/g4CDr62GlwvassAGlIO8zJ5Z/UDIIooeV6QS4D4OW
+PymKd0WXhwcJI0yBcJTWEoxND27LM7CWFJpA07AoxVCRHTOPgm794NynLecNUOqVTFyS4CRuLhVG
+PAk0nFZG/RE2yMtx4rAkSiVgOexES7wq/xWuoDSSmuTMNQOTbKfkEKqdFLkM/d62gD2wnaph7vKk
+PPK82wdZP8rF3nUUC5c4ahbNoa8g+5B3tIF/Jz3ZZK3vGLU0IWO+i7W451dna13MglDDjXOeikNl
+XLsQdAVo0nsjfGu+f66besJojPzysNA+IEZl6gNWUetl9lim4SqrxubUExdS2rmXnXXmEuEW/HC7
+dlTAeYq5Clqx5id6slhC2C2oegMww3XH9yxHw6OqzvXY6pVPEScEtBMQLgaKFQT+m2SRtbTVFG7c
+QcnUODyVB1IbpQTF1DHeeOX1W/HfpWZym8dzkti6SCyeumHmqO406xDiIMVKtHOqM86nEHuAMZsr
+cLy+ey6TEJvR6S4N8QRzng8JJDZDTJXQN6q84aEudsnOrw2KyOVwPpI6ey4qBsHUgQ8kAFy5lsQa
+WV45h6exgUwbBcKLgPZGFj+OdD2RKJsTb83/UqbJS5Q/lGXhzBlnaYucyJxEprRxbntmcnOEPFJe
++tRDUwOTd7qlJljdhIJL+uDcooL9Ahgo6Cwep6tduekv2cSEohJeTE8Dvy34YRhMbLvnFNdmnpNy
+rNZDYVVxxaKoyd2AfB8NPFZh1VdAYfI3R1QAQ2kXEef5NNIfVQfMzD9akJn4RP+Kv32Qaxm4FrnK
+xmwRyGJShavIBc2ax+F1r1+NZXuSBHn5vfoRTxOk0ST4dXsw74dnlYUMRaSu4qqUdM9jsXSyeX4Z
+gQgkR2bkaYO6ezFgenFIa7QWVw8rXZAEZ5aibCxbnY1VE41PYIvhlLdbFJhH9gY22s+fFAuwnzyA
+SRjC40A9aAEItRlaPStWSGiqlLRgNkBBwdpv2l2YPBd2QzHx6ek6XGrvRJuAC+Nh62rtQKwpNH54
+YAOHW55maBFW2SQ3TF+cZ6NbbqhCmHTyyR7mcSYc9sXSVDWEhYKQ1iyU870zhHWVpvglZizZetJC
+ZFjYex3b1ngVdcgargOvpPq9urCKKi2mbkqv/EFpzSWGXkKSpfCG/XfMnEOtkNrB8S06vnk2JcJB
+OBqJot+uuSH5hOg0vTpxX2DuONJSiWSWyfRE/lTfJJFXwhod7SXclUyXPeSyibcSic2hVAzDmwjD
+31js/j2k02PI/agPhr3UQ8cMgcNAiaoCKbNaWfn6BGbCAbTchxzUlo2cSJiLlrX2IDZmfXbXmZCo
+m1smWIG+BIIEALiuAxDb6dWLAYyVBoN9hYI4AiPeZAY9MtvQ6AV8o2/EFm6PvYGXy3Hei5830CH0
+PBeX7Kdd6ff1y33TW/l5qSkIL1ULTGR7okFfJePHDmq1dFt6/JOMptiQ8WSu7CsJQvZ9VTFXeYFc
+ZqCPPZc1NrPegNK70Zf9QxWIbDAevJ5KLBf1c6j8pU2/6LnvDY6VjaTvYSgr7vTR8eVzH4Rm77W0
+iOHxg5VcODv6cGSVyuvbX8UAGo8Cmb58ERDtBDJBQXVpWKLNAuDJ9GX8n2zNkpjZLbPSkcmuhqGa
+BJBE/BaCTkUQWlY9dIbRtEnxIU1mfbPPdx1Ppa8DqGDjSOsQdKcKYNNZtayEw++EIpmpdBNsKphC
+fB8UEK2Wkk4ZVW+qyGoi/r0MFsvO1NmSOOZ0o/jy/YHmoeURHhPy97AO3eVTkEAa5CfJEJybmo56
+7CDw/FwoGAUCgsoz7rlxzMudr/IhHIH+APinncxXlHO2ecvHD9i8DaHGA8tVifgsUhqQoZieULut
+eF94O5UAxOkv41UZssYTwN4nYrN1QkesZl3BX4ORS4EE30/PQ23ARf3WZptZrCJevGm2ZYzGeh8x
+g17mCDfiLO+bff4qP/4mC96Pu4ia6j4to5BwKIJS/+DCuoD8WeSKF4pugXQkMUiHdQnNnVP9Sp2O
+/4ly5mO8JzrQC59V2bnTNBqPhpno8kfJvK5TypPSVC+bTzern3rJ6UceB3srcn9zxKx9GdNydJQj
+yWjv8ec3n3d1nuQwhz5Q053NBhIjwoGg3Go7LO6i78ZOlpF7dcoAO13NfHLyNjnyHCaiWtVRTct9
+rLf5vN00urSn8YJngHk1eTKK8nHGIcOg6YdYDOD2nE5XwRijKmieG8Xa3eKRzfbL06GrBQENle6J
+mC131bp3cRVxpjq+o6RAbGoMm4yICsL4eTarCQrsyHmoPHqr91UHo91avyxU7knWmEhX27ybmsrs
+8aeZwPHixL14TeyhruCqRVvkf1Ks7P+z8MPUboGNqQe2WLN8ktCGEr15O8MJR/em86G03Jfo4oaw
+/DVUH5RwLT6acedOGuzMh/2r8BcmemhVQ8/cWvV4YJ0tOW4hzyVHC5hQf8sZ3LzxXLH6Ohnrbprh
+xvrdbaSdChWZDDP0bCCbxEhkwuBkBeKZrMbwRTP+TPTPYLVTH/CmKLzKh/114tkGkyO3hHS4qExU
+V39F2Sj4mylx+hD0+20D9pntpNi7htccGlOm6yNM69at/3+kLgJJyoIlaxLcCUYHNMifDt+T3p/t
+5U4XmD53uUQ6M8dvj/udqPekNSUfse15yrd9pjOt5PcJuqW28q0sFHf9pHIgz3XZFMe5PD7ppw6r
+S+C6Ir4PrYIEggQA7ZDVtiCm+BbtNNB/UJm79/OQ5mp5bTI0kPmDeycaWTa0Ojpum+c/dpG/iJOB
+DICj7jHOXSHT7JlGyX6aSFJUltucAnZvwzhPDmdDaIDiKSk85GqgdDWVfGosSCX9Ph/T3WpIxnwf
+WSDRtIHkWTjly+pe4yy5K6/XISy/L5Zh/fhiI5fjHjgzmlibs2ru4nVw6hBhUvlSSe2BEs5d9h/y
+NH8Wy3qvb2D3jh7hkepFtZJGNTHp8ZUC7Ns2JIpQYObsaxdI65i3mMOu7fRwI+0/4ejsWhP6KCEi
+LgwvLg0qM82ma6YB7qHAHboaczRVEffDcJUG4a5uycB0DoZFn+uEaEFyili20hCn4hVfsqUQk2PT
+8Mo1tSl5e30xI1YJZrRgiJm9nHRX6fLizngP+ILJLPHZsPvlSVIfY+/v/FR8feKOjaGhyGF51BAx
+aM2NIQ4jMP5/X+U5gQybi0E6u7rroDhaHsKmCMgXqszwXWCpedA/sEbeHpiTC59YlPPSlIOMc9vP
+Ko/mQCfWy/9icUaIfKQldvkllUxxNkqu6AbIpHVscbAEzSPs5xbQXU8EZNNCDisFnnpY3nQ3eLnl
+m89saTJxRb7NWHRMlmPv7qgD7uMIq3vdOGA7i5wT9MeoNIgK1/DsgH30s6RWjJy4YyyLmRTXPzbj
+hbQVpEmiMRbEidIvUx2OjKVxVQIcgtLsa2lvHQ4XL1cpLr5GVtOgy0fMg5OCDUUDsvjgjgLQ3P2U
+p2nVY5FM6/QpPc5DTLuuR9ekI2/c9Biz09RtcYDUQK2ajdo8h1IyKqHFoB7h48OXxXKKY94DY0TG
+x6PonB/epj8orAw4QKmm5M0vXYwBOqRymCTHTqOJGObdLx1euFFyqguzHJOU2gAGZI0z9Lg1yRuF
+yhdPZyuniIcmtLNxRZ1duYHErcAyX56qndmLXt7UVkATai/rIMuoJLfAsUnVuTUS5p7tJM754UZT
+7lTcXvDJgOUNnBRaIcxC3pxvbrYDJ2iFJ72xkxUP2p74gucqg25XnCVmQuLg6zDDxF6CLuw9isxy
+Xg4pkneMN//7fpp8GYl9nyZm2yqYYM+jcw0fcVc64L+X4w/gL3H2UMGgxIHSJp7HIG7VKHtXrNyj
+dPXXPVUsMsAAimqOr0Lr2sZWirfuivLaPTqhbkvG5PF7K3gT80AOIcd/6EIHBy2hZ7ukfjHmdP4L
+yQOhTQklaKzGHI0mypq0uFLWJOUlZnVrMiLP1xrWkpC8Ro9eo6mfjjQ45z8adC43a47klwTEzvod
+3rNEFIGJJUEjAN3mbqie7IxoSJknBBJK0D9lZEQ8lZWlq7vuN8JdqPM6xh155jMVsPwjLK6Tzkj5
+BpRD9Tgm3u6HPQSCBADgkWEN75Mu9TGosXY0xm1k6K6sPv8L949CrLWo4r1I2LA072bTGvQP28Vs
+hUA76jgcT1ocC++9PoktIK10YCq5w+FfMAQ04KeCXuAdmiY2iAT4Slea61PMCMta3mVGyLUZCLEm
+P+I0UKR5mlO0fGEcjU9j8TmbjZqxNFqloLsU7oSi7Os0EtYHkdAVrExUyOc/ZDie6fBjdLTmLdCm
+bE9JNwjlbXypdTZupGgLNhKGDIskUAAMwZYayI6YfSIMkNCeAYTnjOuGZZ1msCXGXsfMBR1sfUIj
+9UeGjwD8gq+UVVHX/oeoH/m0eJ5ppqi3+nUlgc9DvpYsC/Fg0G2KuYb9B+VJ+a4GMzQSPREoFtQp
+B9dtLkBb7Ha/hpGWTIdqzW0eAo5llyN8FNvl2Fu2IcLaNmWFO69gLjRKQopp0dvFOuwAVI6fvGDj
+p1WigoNbFZl8N+iiWmzKOjoG2ZLbez1clZCms/JPJrXhEMMOxWpVzkQyN336VWHmGgMcjaKCGSeA
+2nnESIGuiCXMrkHlGfabYIsKcHFCo2t13uXyZPf0zSPTkuD0Eh92wqC9pvA3gvrrCUfo9Mn3bs+e
+KWKmDlpcs8mDn032oIg+zrQhIduMqXVn3evzeVM3B5MBOGMvg51/SXg7R+MC/463juQQEb9IVe/I
+YGnO//oWm9lw/377Af/qH+FnN02obJw1FvesQIs9e5RHNQykKbO+vmVJQl1nd9DZWrHDNO7/80Yz
+2hCm7Tws5nSRN2iFlyRaYJHr7ypxkU2rCak2r6ua7XDwu1qU2RT3+qPjT1RuxQ2oTlHyGkKPMZGC
+Rc+CSWz5aeeCmHZVwdb3nC8YpfsujMiYqygLeuQ82pjKuR7DIKGmnfcOLdv5F+Ek2Wyy0D98iSgk
++aoQGYLhL9llU13pn21uRsDY5uGcXiIw1IETFlTdgENEv8futZuJsegrp7fmFXyNoNyFNyypeDrM
+6ZqR4vKxFjg3tKKeVpkw/W4EAklzMxmNiazGNDBHsnYV3rwPlKa+HeeE2YxnsKwGLCNgRYUXTaJk
+461vS160z3dvh/mLfdZ7MYCkmO3bNE3ELUDAw7YQkSuo9ujzdFKte9LC34sjg9fOex3ThAg5Y50n
+wYm4zBmGM7yEqL8O6QgnM6tIDFS9XryDaLNzcGhMWqMvhzO6sC/AA2WfLgwS517Cp03IkJQWqG9q
+w52+E+GAtpioJfczEhlv9BrhjttdugRSjJrG8SYVYE4zG3Aur5eNBoGaALIOHOtPw8+JovQmIWcF
+oaJ/WQuglFrWtew51IK6F8RiHAOBVavZOuZcO7tV+5enVfreOd0rX8ZOy4hYmHhmF1hOrrWOn+Ee
+E0SYKonXN01BM9xMBIIBSLCvNAppnGPTUGjwbMJRg1VJ2KMiBWH5oJp8tyfIAxMuWFdtaLYbRSOD
+XbOAshPVK8JAY8DQDkzqaCTAkLTfSRAt9yY6SbUpMsRv7xa8nMZNJBJzJT9b/wNjgiOJgaGuJMkV
+2g/DX2jfP3PrMM/Sbnz7edORXHj1Pa5XTT8nG5MS0FuZgvevdq3o/gVVAz+ZCKOH3ShMzZvfp01l
+SX5gaJTflmU6cdNwtn2yZ6IScF7OrjUeA9iEoSVR9dQcA+4lB3RAG3LMwcnxXY35D7+PMJzHIZdF
+cSnq+n03ACY2/E/T31iijRH29rvYHGI+mP/ieYs45iq4fTWo6i1HofeWLdP0fX7xW3XO0/hWYFiw
+BxKu66whAbRhaib3XJNvetVs25ToYXyiDpjG+cd5rCMei8sGQwTBj9Zeh0URoeMW1inTP0JvCmMU
+rZgAAAAAAAAAAAAA
+
diff --git a/src/lib/libssl/src/crypto/pkcs7/t/msie-enc-02.pem b/src/lib/libssl/src/crypto/pkcs7/t/msie-enc-02.pem
new file mode 100644
index 0000000000..279c5d830b
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs7/t/msie-enc-02.pem
@@ -0,0 +1,106 @@
+-----BEGIN PKCS7-----
+MIAGCSqGSIb3DQEHA6CAMIITQAIBADGCAcIwgcwCAQAwdjBiMREwDwYDVQQHEwhJ
+bnRlcm5ldDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNDAyBgNVBAsTK1ZlcmlT
+aWduIENsYXNzIDEgQ0EgLSBJbmRpdmlkdWFsIFN1YnNjcmliZXICEGBAmILep9sJ
+uN2Pkg1gucowDQYJKoZIhvcNAQEBBQAEQAKvi2eRLO+jdoiUd8ksZt+iQ0JXoWN0
+M/W9CEv6R1c42pwUIR/1F4RMK9oeyUiv9Z6lzmPaGNmx6XOCoueszVkwgfACAQAw
+gZkwgZIxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQH
+EwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRzb2Z0IFB0eSBMdGQxIjAgBgNVBAsT
+GURFTU9OU1RSQVRJT04gQU5EIFRFU1RJTkcxGzAZBgNVBAMTEkRFTU8gWkVSTyBW
+QUxVRSBDQQICBG4wDQYJKoZIhvcNAQEBBQAEQFqcHEo69ShGfcOIVjnmWXLZM+7Y
+K/50j8YuvNbqq+dQxk9YY8ZpSU/JYsxmtcnEZdlSJEkpMHAO73V+eh1QQr0wghFz
+BgkqhkiG9w0BBwEwGgYIKoZIhvcNAwIwDgICAKAECJsSmRA1jxLjgIIRSIGLVtf+
+pzeB6oXJ9GlfsnIij+DgIOvrYaXC9qywAaUg7zMnln9QMgiih5XpBLgPg5Y/KYp3
+RZeHBwkjTIFwlNYSjE0PbsszsJYUmkDTsCjFUJEdM4+Cbv3g3Kct5w1Q6pVMXJLg
+JG4uFUY8CTScVkb9ETbIy3HisCRKJWA57ERLvCr/Fa6gNJKa5Mw1A5Nsp+QQqp0U
+uQz93raAPbCdqmHu8qQ88rzbB1k/ysXedRQLlzhqFs2hryD7kHe0gX8nPdlkre8Y
+tTQhY76LtbjnV2drXcyCUMONc56KQ2VcuxB0BWjSeyN8a75/rpt6wmiM/PKw0D4g
+RmXqA1ZR62X2WKbhKqvG5tQTF1LauZeddeYS4Rb8cLt2VMB5irkKWrHmJ3qyWELY
+Lah6AzDDdcf3LEfDo6rO9djqlU8RJwS0ExAuBooVBP6bZJG1tNUUbtxBydQ4PJUH
+UhulBMXUMd545fVb8d+lZnKbx3OS2LpILJ66Yeao7jTrEOIgxUq0c6ozzqcQe4Ax
+mytwvL57LpMQm9HpLg3xBHOeDwkkNkNMldA3qrzhoS52yc6vDYrI5XA+kjp7LioG
+wdSBDyQAXLmWxBpZXjmHp7GBTBsFwouA9kYWP450PZEomxNvzf9SpslLlD+UZeHM
+GWdpi5zInESmtHFue2Zyc4Q8Ul761ENTA5N3uqUmWN2Egkv64Nyigv0CGCjoLB6n
+q1256S/ZxISiEl5MTwO/LfhhGExsu+cU12aek3Ks1kNhVXHFoqjJ3YB8Hw08VmHV
+V0Bh8jdHVABDaRcR5/k00h9VB8zMP1qQmfhE/4q/fZBrGbgWucrGbBHIYlKFq8gF
+zZrH4XWvX41le5IEefm9+hFPE6TRJPh1ezDvh2eVhQxFpK7iqpR0z2OxdLJ5fhmB
+CCRHZuRpg7p7MWB6cUhrtBZXDytdkARnlqJsLFudjVUTjU9gi+GUt1sUmEf2Bjba
+z58UC7CfPIBJGMLjQD1oAQi1GVo9K1ZIaKqUtGA2QEHB2m/aXZg8F3ZDMfHp6Tpc
+au9Em4AL42Hrau1ArCk0fnhgA4dbnmZoEVbZJDdMX5xno1tuqEKYdPLJHuZxJhz2
+xdJUNYSFgpDWLJTzvTOEdZWm+CVmLNl60kJkWNh7HdvWeBV1yBquA6+k+r26sIoq
+LaZuSq/8QWnNJYZeQpKl8Ib9d8ycQ62Q2sHxLTq+eTYlwkE4Gomi3665IfmE6DS9
+OnFfYO440lKJZJbJ9ET+VN8kkVfCGh3tJdyVTJc95LKJtxKJzaFUDMObCMPfWOz+
+PaTTY8j9qA+GvdRDxwyBw0CJqgIps1pZ+foEZsIBtNyHHNSWjZxImIuWtfYgNmZ9
+dteZkKibWyZYgb64rgMQ2+nViwGMlQaDfYWCOAIj3mQGPTLb0OgFfKNvxBZuj72B
+l8tx3oufN9Ah9DwXl+ynXen39ct901v5eakpCC9VC0xke6JBXyXjxw5qtXRbevyT
+jKbYkPFkruwrCUL2fVUxV3mBXGagjz2XNTaz3oDSu9GX/UMViGwwHryeSiwX9XOo
+/KVNv+i57w2OlY2k72EoK+700fHlcx+EZu+1tIjh8YOVXDg7+nBklcrr21/FABqP
+Apm+fBEQ7QQyQUF1aViizQLgyfRl/J9szZKY2S2z0pHJroahmgSQRPwWgk5FEFpW
+PXSG0bRJ8SFNZn2zz3cdT6WvA6hg40jrEHSnCmDTWbWshMPvhCKZqXQTbCqYQnwf
+FBCtlpJOGVVvqshqIv69DBbLztTZkjjmdKP48v2B5qHlER4T8vewDt3lU5BAGuQn
+yRCcm5qOeuwg8PxcKBgFAoLKM+65cczLna/yIRyB/gD4p53MV5RztnnLxw/YvA2h
+xgPLVYn4LFIakKGYnlC7rXhfeDuVAMTpL+NVGbLGE8DeJ2KzdUJHrGZdwV+DkUuB
+BN9Pz0NtwEX91mabWawiXrxptmWMxnofMYNe5gg34izvm33+Kj/+Jgvej7uImuo+
+LaOQcCiCUv/gwrqA/FnkiheKboF0JDFIh3UJzZ1T/Uqdjv+JcuZjvCc60AufVdm5
+0zQaj4aZ6PJHybyuU8qT0lQvm083q596yelHHgd7K3J/c8SsfRnTcnSUI8lo7/Hn
+N593dZ7kMIc+UNOdzQYSI8KBoNxqOyzuou/GTpaRe3XKADtdzXxy8jY58hwmolrV
+UU3Lfay3+bzdNLq0p/GCZ4B5NXkyivJxxiHDoOmHWAzg9pxOV8EYoyponhvF2t3i
+kc32y9OhqwUBDZXuiZgtd9W6d3EVcaY6vqOkQGxqDJuMiArC+Hk2qwkK7Mh5qDx6
+q/dVB6PdWr8sVO5J1phIV9u8m5rK7PGnmcDx4sS9eE3soa7gqkVb5H9SrOz/s/DD
+1G6BjakHtlizfJLQhhK9eTvDCUf3pvOhtNyX6OKGsPw1VB+UcC0+mnHnThrszIf9
+q/AXJnpoVUPP3Fr1eGCdLTluIc8lRwuYUH/LGdy88Vyx+joZ626a4cb63W2knQoV
+mQwz9Gwgm8RIZMLgZAXimazG8EUz/kz0z2C1Ux/wpii8yof9deLZBpMjt4R0uKhM
+VFd/Rdko+JspcfoQ9PttA/aZ7aTYu4bXHBpTpusjTOvWrf9/pC4CScqCJWsS3AlG
+BzTInw7fk96f7eVOF5g+d7lEOjPHb4/7naj3pDUlH7Htecq3faYzreT3CbqltvKt
+LBR3/aRyIM912RTHuTw+6acOq0vguiK+D62C7ZDVtiCm+BbtNNB/UJm79/OQ5mp5
+bTI0kPmDeycaWTa0Ojpum+c/dpG/iJOBDICj7jHOXSHT7JlGyX6aSFJUltucAnZv
+wzhPDmdDaIDiKSk85GqgdDWVfGosSCX9Ph/T3WpIxnwfWSDRtIHkWTjly+pe4yy5
+K6/XISy/L5Zh/fhiI5fjHjgzmlibs2ru4nVw6hBhUvlSSe2BEs5d9h/yNH8Wy3qv
+b2D3jh7hkepFtZJGNTHp8ZUC7Ns2JIpQYObsaxdI65i3mMOu7fRwI+0/4ejsWhP6
+KCEiLgwvLg0qM82ma6YB7qHAHboaczRVEffDcJUG4a5uycB0DoZFn+uEaEFyili2
+0hCn4hVfsqUQk2PT8Mo1tSl5e30xI1YJZrRgiJm9nHRX6fLizngP+ILJLPHZsPvl
+SVIfY+/v/FR8feKOjaGhyGF51BAxaM2NIQ4jMP5/X+U5gQybi0E6u7rroDhaHsKm
+CMgXqszwXWCpedA/sEbeHpiTC59YlPPSlIOMc9vPKo/mQCfWy/9icUaIfKQldvkl
+lUxxNkqu6AbIpHVscbAEzSPs5xbQXU8EZNNCDisFnnpY3nQ3eLnlm89saTJxRb7N
+WHRMlmPv7qgD7uMIq3vdOGA7i5wT9MeoNIgK1/DsgH30s6RWjJy4YyyLmRTXPzbj
+hbQVpEmiMRbEidIvUx2OjKVxVQIcgtLsa2lvHQ4XL1cpLr5GVtOgy0fMg5OCDUUD
+svjgjgLQ3P2Up2nVY5FM6/QpPc5DTLuuR9ekI2/c9Biz09RtcYDUQK2ajdo8h1Iy
+KqHFoB7h48OXxXKKY94DY0TGx6PonB/epj8orAw4QKmm5M0vXYwBOqRymCTHTqOJ
+GObdLx1euFFyqguzHJOU2gAGZI0z9Lg1yRuFyhdPZyuniIcmtLNxRZ1duYHErcAy
+X56qndmLXt7UVkATai/rIMuoJLfAsUnVuTUS5p7tJM754UZT7lTcXvDJgOUNnBRa
+IcxC3pxvbrYDJ2iFJ72xkxUP2p74gucqg25XnCVmQuLg6zDDxF6CLuw9isxyXg4p
+kneMN//7fpp8GYl9nyZm2yqYYM+jcw0fcVc64L+X4w/gL3H2UMGgxIHSJp7HIG7V
+KHtXrNyjdPXXPVUsMsAAimqOr0Lr2sZWirfuivLaPTqhbkvG5PF7K3gT80AOIcd/
+6EIHBy2hZ7ukfjHmdP4LyQOhTQklaKzGHI0mypq0uFLWJOUlZnVrMiLP1xrWkpC8
+Ro9eo6mfjjQ45z8adC43a47klwTEzvod3rNEFIGJJUEjAN3mbqie7IxoSJknBBJK
+0D9lZEQ8lZWlq7vuN8JdqPM6xh155jMVsPwjLK6Tzkj5BpRD9Tgm3u6HPeCRYQ3v
+ky71MaixdjTGbWTorqw+/wv3j0KstajivUjYsDTvZtMa9A/bxWyFQDvqOBxPWhwL
+770+iS0grXRgKrnD4V8wBDTgp4Je4B2aJjaIBPhKV5rrU8wIy1reZUbItRkIsSY/
+4jRQpHmaU7R8YRyNT2PxOZuNmrE0WqWguxTuhKLs6zQS1geR0BWsTFTI5z9kOJ7p
+8GN0tOYt0KZsT0k3COVtfKl1Nm6kaAs2EoYMiyRQAAzBlhrIjph9IgyQ0J4BhOeM
+64ZlnWawJcZex8wFHWx9QiP1R4aPAPyCr5RVUdf+h6gf+bR4nmmmqLf6dSWBz0O+
+liwL8WDQbYq5hv0H5Un5rgYzNBI9ESgW1CkH120uQFvsdr+GkZZMh2rNbR4CjmWX
+I3wU2+XYW7Yhwto2ZYU7r2AuNEpCimnR28U67ABUjp+8YOOnVaKCg1sVmXw36KJa
+bMo6OgbZktt7PVyVkKaz8k8mteEQww7FalXORDI3ffpVYeYaAxyNooIZJ4DaecRI
+ga6IJcyuQeUZ9ptgiwpwcUKja3Xe5fJk9/TNI9OS4PQSH3bCoL2m8DeC+usJR+j0
+yfduz54pYqYOWlyzyYOfTfagiD7OtCEh24ypdWfd6/N5UzcHkwE4Yy+DnX9JeDtH
+4wL/jreO5BARv0hV78hgac7/+hab2XD/fvsB/+of4Wc3TahsnDUW96xAiz17lEc1
+DKQps76+ZUlCXWd30NlascM07v/zRjPaEKbtPCzmdJE3aIWXJFpgkevvKnGRTasJ
+qTavq5rtcPC7WpTZFPf6o+NPVG7FDahOUfIaQo8xkYJFz4JJbPlp54KYdlXB1vec
+Lxil+y6MyJirKAt65DzamMq5HsMgoaad9w4t2/kX4STZbLLQP3yJKCT5qhAZguEv
+2WVTXemfbW5GwNjm4ZxeIjDUgRMWVN2AQ0S/x+61m4mx6Cunt+YVfI2g3IU3LKl4
+OszpmpHi8rEWODe0op5WmTD9bgQCSXMzGY2JrMY0MEeydhXevA+Upr4d54TZjGew
+rAYsI2BFhRdNomTjrW9LXrTPd2+H+Yt91nsxgKSY7ds0TcQtQMDDthCRK6j26PN0
+Uq170sLfiyOD1857HdOECDljnSfBibjMGYYzvISovw7pCCczq0gMVL1evINos3Nw
+aExaoy+HM7qwL8ADZZ8uDBLnXsKnTciQlBaob2rDnb4T4YC2mKgl9zMSGW/0GuGO
+2126BFKMmsbxJhVgTjMbcC6vl40GgZoAsg4c60/Dz4mi9CYhZwWhon9ZC6CUWta1
+7DnUgroXxGIcA4FVq9k65lw7u1X7l6dV+t453Stfxk7LiFiYeGYXWE6utY6f4R4T
+RJgqidc3TUEz3EywrzQKaZxj01Bo8GzCUYNVSdijIgVh+aCafLcnyAMTLlhXbWi2
+G0Ujg12zgLIT1SvCQGPA0A5M6mgkwJC030kQLfcmOkm1KTLEb+8WvJzGTSQScyU/
+W/8DY4IjiYGhriTJFdoPw19o3z9z6zDP0m58+3nTkVx49T2uV00/JxuTEtBbmYL3
+r3at6P4FVQM/mQijh90oTM2b36dNZUl+YGiU35ZlOnHTcLZ9smeiEnBezq41HgPY
+hKElUfXUHAPuJQd0QBtyzMHJ8V2N+Q+/jzCcxyGXRXEp6vp9NwAmNvxP099Yoo0R
+9va72BxiPpj/4nmLOOYquH01qOotR6H3li3T9H1+8Vt1ztP4VmBYsAcSruusIQG0
+YWom91yTb3rVbNuU6GF8og6YxvnHeawjHovLBkMEwY/WXodFEaHjFtYp0z9Cbwpj
+FK2YAAAAAA==
+-----END PKCS7-----
diff --git a/src/lib/libssl/src/crypto/pkcs7/t/msie-s-a-e b/src/lib/libssl/src/crypto/pkcs7/t/msie-s-a-e
new file mode 100644
index 0000000000..0067794d70
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs7/t/msie-s-a-e
@@ -0,0 +1,91 @@
+
+MIAGCSqGSIb3DQEHA6CAMIACAQAxggHCMIHMAgEAMHYwYjERMA8GA1UEBxMISW50ZXJuZXQxFzAV
+BgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQLEytWZXJpU2lnbiBDbGFzcyAxIENBIC0gSW5k
+aXZpZHVhbCBTdWJzY3JpYmVyAhBgQJiC3qfbCbjdj5INYLnKMA0GCSqGSIb3DQEBAQUABECjscaS
+G0U299fqiEAgTqTFQBp8Ai6zzjl557cVb3k6z4QZ7CbqBjSXAjLbh5e7S5Hd/FrFcDnxl1Ka06ha
+VHGPMIHwAgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDERMA8GA1UE
+BxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29mdCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNU
+UkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQDExJERU1PIFpFUk8gVkFMVUUgQ0ECAgRuMA0GCSqG
+SIb3DQEBAQUABECsyHXZ1xaiv0UQRvOmVYsaF38AL2XX75wxbCsz5/wOg7g3RP4aicZxaR4sBog0
+f2G1o9om/hu+A0rIYF/L4/GUMIAGCSqGSIb3DQEHATAaBggqhkiG9w0DAjAOAgIAoAQIsozQrnwj
+cc2ggASCBAAQz/LPoJe/+iYWeTwSebz6Q9UeKZzQ2UWm7GLtEM3s3c9SCvpmkwIRdEhLjWaBJMyI
+DiL7t1I1vMf9inB8LXgAcIEYkpNScjS8ERA9Ebb7ieNKSBg7w7B8ATHFxLSlDADqRgoZrB1Ctfgf
+ximp3EgxTgnhtyQhZxXW7kBQyFRwumplrJXOp7albP7IothrOKncw30IJT1fwPxWNMItI9juXF0U
+CbWVSjPzGBo4+XNXMvUO6MplOQEz/ywEQ9E8OZAQex1Zw9qq5ppsXB2pMsYV5sLJGikukMYKquiz
+3YK+tN6J8ahLcDUs+VGwqvZi17gpBTlbEP+ZmXJpnO63t1yTEB0V5AZcRKWUOhzlCBM5YUagqNoY
+cpsmSvOK6bYzkUKOrzWpDCAtGZ/Dvul5dTZZmxs2WpM+iyeHXMxO3huy8K1brPTqt1f1sHhuq1jD
+1eXedaCjIgUW9qV18vNAQCof/Yb6T/1fxztf/jD7pPLQJ+7LJkKCAEHGcaizpoKqhYcttaEhLq1G
+O+Ohqf7yFegMdTJ3wwP324w5ZYSU5fLo2Z34/Edf6EGvXyTIqVfAmEBALd6JGVdN5GlYYTxrL+eO
+P80Z4ao4YKoxwEmRp5bmQsQ8B29QhOFKmC6eiG5B96qLMtp7Zmu1grDNxTd6OXShWVwYARD0/B1P
+Sy0PAfk9Gb4fAkO9fZJDQYZ7s0mM5iOPEeSR7820TolOb+KfRabLA9d714jsc2jEykKlpP66Bh4j
+aCsyqJ0uUQcE8SnzrKAqGwgWiCGQpiTa+HBiP6eRlRGOKQj5Y06vcNx6Ija4cGe6+yCN8HV8tCY0
+okZK98NQCl5t79R/ZB2c3NvBJH+/g3ulU48ikT3tVmDxE3mOZofZyGFEM99P+YCMScLDxTl3hzGy
+0YkI8U855P7qOAbcFfh2T5n+LSELwLhbkymEfZT917GWTfmypBWMvJx0WHeDhKwQYPdzbKgWETnc
+yeKasaCW+oLdhBwrd6Ws2r4MA8cwiYXDLbwYmCxJA8VF++8kubF2HJOjSyMBS+QT2PSV/0D9UWoi
+Vfk7R4OvWBJVvq7nV+lXS0O5igjExxlmx1OaBfg7+Cr/MbK4zVNrKSJn82NnKKt6LC6RaTmvFYay
+0sDFxQ7Xo+Th6tDNKmKWJt6Kegfjc+qTWJTKb3kL+UI8vS0zTLy1+M/rZ4ekos/JiS5rYIcAswvg
+58kBgp/0rc6upBeWjBaK5O0aLAeBQfLulo1axWX04OSVKmYeoAltyR6UO9ME3acurQyg7Ta24yqO
+whi/PrIaEiO7dsWvFtzsshVzBLic02NlAkPkMUzliPYnZHWQglDAVxL5K2qhvK1OFCkQpIgBsBDM
+6KYRL/mkBIIEALIl927rIkaN37/BQIcxLcSa05YfC0Hl3mxWESt1A0D4lA37A9S8EbYmDfAYlMc0
+3HhZGdZEtawfpJFyDHzNZceNWBch6nxeNZCY4YFdsbzuGS0RKpwNA9S/czOJ4p9ymBCxuhGepI3U
+PKbC8C749Www1/wMdAot1n+K7M/PBGR8hWmaH5SS7U3yMwAB1fq2NDjx4ur+Um+MclSdN01MDXzG
+EO+eAo1pdAY8479234l8dB2YVAhZ1ZlJ4KmbqMKJrGJXnQUEYS6/cTDRjsUocsoW7uGg1ci2GiHa
+qjlkfpBfie3SdhFW/K8hwAH0HALs56oFN66wUkP/AaJAPfIUNhR6RpHKzZ9zCC42oB2mNawQRMnF
+ETBl1s/SwMxLKRp7jAfKs4NZxSY6I9z/2dTpzS3tsHMjxVDuxkolvRNWBILEMeL1CBvip2HhmoUw
+/Sz5NDgyzk1aQLV6DQNJ2RZLMZDRCtSwZSBu6lhhSgTJGazP0+NbqXXC5aQTrqrFIcWyDXz+ADle
+kszzYM/gSaQTCALTwfDDaU9Ek3xVgW+XBtExtJ3U+0AN3l0j86rUIdIvp6eWdxWQqv9LtpoorKMD
+KfUc5PYV09Z1JgsT4X51Zzq+74l5dz7udIM7UNbdTpmRm9PDj3TUbGCvNR9hqOEGTLbkvb1ZR24a
+h6uGRl2znB25IpDAGRhNRb9is/pO2tvHwHTDMOjrgvZG/pNvXgSUxz0pRjUjXIcqBe2X2gcQfeal
+r8gY76o83WEGL6ODryV9vTQVHt52+izgpYoBZaVlpgqbZl54c+OE0Zxf9RwXwDbcYu5Ku5E0MPL0
+qUjc0y2+Y6E4P5bAWaZGMGT+ORkyVUzcaWmM/+XlO7PER5wrWlCIMZCX1L/nvioY0q0CKqALn7DJ
+QU+qenbwrb6uwS7uNZY6V86s0aDYpU7yRyqxC5SbuyNJb02gdxUCgpIscFaMUjMVRml4M4BIjX/b
+U+HgHoVMUm8SnN9gRcT2izPrgOGVcMTJjfenzoCKoCPo9RjgGMctgB4DvKamErNU7OrilIfuoqzE
+PNSeP9SPw/zkDmNvMebM499We9CVnsHUWqF00/ZJWoua77+0f1bLS/tmci1JBvIcMo/4SJvgH+KF
+o0gijP9gqAPd5iCOnpnJlHUqRIym42SmyKEDuzdSwXKjAR6j7uXda39JyMJr8gGzEsu0jYRkAmj1
+YdiqwKXUcLMkcj1AKeU/PxTUVw0YKsv/rowrPYww3xQUWqNivrXB7GCHE3BzsYNdHsmziaGIXQbA
++EBHdkuKrM8BcC+fxhF/l/KUxngsD1E75IcUv8zFDF+sk4CBYHqks9S4JYlcubuizqsILbdGzIMN
+Z7w34k0XT+sEggQAyzr8MHeIJGsT+AYnZr08PeTbyr01JEoT7lPYT6PzX4F63QKKDl+mB+PwLMzY
+CXrxZcUmuay6/MV8w/f5T6vQXdoSw5puWodBYwVReYh1IaEN+jiTapm9YBVmcIsJPO6abHowknSV
+OWSvST0AtAX57fFOTckm+facfBK9s9T1lUUgF44Bh5e8f9qKqfOV44nqdCOEyUm0Dao497ieN4Eg
+XBLNvOZY9+irMiXjp0lcyFvhrJOczfyCr9EiiaiH1TfSzKGKsf2W84iKn/JH6x2eOo7xjwJ40BQD
+c6S1cUNEuqBhP6by0FioOXYOKVyifpxk84Eb+F/4CNdTJTvCPwsiegdfsX/Q53DvKVtXp9Ycam5J
+TmKRHXK/bMHF4ONv3p/O/kn/BqRx+fbbP2eMX8Z1F/ltHKfp6B+06HljUwQLBJs9XtCfqH5Zgdz9
+gad5WZF5ykFArmHDgeFlgggvbZ7z9vqnjN/TH68TxJzauYQ5vLHQ6wGXik4/4uq7/TqNmhxlQEM4
+zVkwsn203bUmKLyz+yl1zItDpn5zy1uXfGo99rBdUzdbdE9LmEFPMaFsaHd4a8oDaUroD7FgCbeD
+JJVld3ac6F8+3QbExPs48OrgA1kI3/UwXr52ldjiYzTLfAGR9BjqNFTw45FUHuMf8TEM5hcHx56w
+95eKAqraDk28o9k+M2UKpcmrdlWoWzdqVVFeWGpM8x9Y9Nt0lf/4VUQgrXjqTkUCQkJyqTeTeGgH
+rn3QBk2XAgpxZhaJs3InW0BkAlBmK99cMinUiJeFt5a4p5wPeXrVuh6V9m7Mpl9hzpogg++EZqah
+fzzNnDgxOZfW342DX052PdgXo0NnkhCk005LvFt6M2mRn0fLgNVfyUZZoOp8cO5ZWbhXXlrhrgUt
+j2zKPK6Q94Zj4kdXHBGpAkrB8ZQ4EGGODE0Dqusm8WPXzB+9236IMHPU7lFbyjBrFNI7O4jg+qRI
+Ipi+7tX0FsilqEbmjG+OPwhZXrdqUqyF+rjKQuSRq7lOeDB4c6S2dq4OOny01i5HCbbyc9UvSHRm
+hOhGqUlzHyHLo3W7j+26V/MhkDXJ+Tx+qfylv4pbliwTteJJj+CZwzjv29qb6lxYi+38Bw10ERap
+m8UCRFBecVN7xXlcIfyeAl666Vi7EBJZv3EdFNrx1nlLwM65nYya7uj6L7IwJWotIUx8E0XH0/cU
+xS/dG8bxf9L/8652h5gq3LI+wTNGuEX0DMuz7BGQG+NtgabrZ6SsKGthGa7eULTpz0McWTLRU0y/
+/tkckpm5pDnXSFbIMskwwjECz82UZBSPpigdN/Pjg5d+0yWu7s3VJxw4ENWPPpzZ+j7sOXmdvn9P
+O1tQd60EO+3awASCBAAZQvWV3/yJ6FxPttbP+qeURpJoPEZfpN2UYZmd8HqtR0YbaOZ6Rln9nvpd
+K9fylXdw9z2xeCbjDWUttJB4VqZxGJM8eCTC1VDVyAOsQ5n7SY55dMkQbU+o4Z/4J5m8+wz50BBI
+LfruL1eZ6/CF6CdvxVRiJ10sXc0Tn2sVMXqkw7Adp1GYoCI9c6VFSFK74+n+y7LVFQ5HBnbQyKJc
+dvdLOXwZOPaFHC5UNXRmOpcwdPqyXUe+xIsOMYbzdlAnI9eGDNeRDktUa/Rh0CbZCxjmJzoZEYOE
+ZjsYZlEfp1Kb61t8z4m28hGLEg88T1Ihmxa2HeUWes1RpmgIOP+/2Lb3smj/l/fpSu4gabFgyCAV
+H5HdCYMScUv8SVu55+tpeO8ELoHHQUXV4rr084O4budzhgNSOPyLGDl5sfDUXiyusPCxS4JVO/KY
+6V2Qrtg/q2wtmXpEkZnGT+Qi3WDzwt4W81alztnYMP17oGLmxX71KV9OEiMZjI4WaaGt+OOINLtR
+qefioZ1NI2L1s5M0tybwTsyU9WERM+3pUwXIfJVsbMZRlNaO2OogcHbaR4UWvhOj+3CTG1sThiYQ
+MxMnp1Rpqx3nhyzqLO3TRrkYvxnA3cdPBn9EeqpgBMg7X3hCiMV3Fl5cj/WOMhtHYgY7BgeCXo46
+EFVZ4+WroGZ46xGiRDiIblo8bzLd7QCxvukzxy3mUDgsZQ8pds4N28weSUhBk5MAPbfBpRvXUVJx
+MhKqXucQU1Md1qSGLbuuIQuz9pAGp1JFUx/vEkCgm74daSoVWCZuB+1ZE4f48clvrBj51xMNf8CP
+EFE7vySzVb6X2H1i5X3Z+Y3DdIcWw4Y2FClfcJk4Mwq8Cq2GALGFEge9YSEE9YmyuU6OFeU0ICon
+iXAgZ72SM8fBwJPruLFbdsNYKW+oAfmPisXSWMcZmdSbfk0GYv+vKtu3eegSbWw1UsCVtZOh9E5Z
+uQ83l59CBqO9sV/SFU3WrrJ0qNWxrmXu9nJn5Qf5iCRoFGYNHYHkIG5FS6N00GEDZxGkxmro2d++
+Adj5LVHc/b1cYWmrux+jEqI8ZK8cyTB0XMbBA/HYbx9NXazr7znP4/Mlv3pZToEcYt+lgLHAArtU
+AdhybhbLIwNMq0gr6EwtDklBa3ns4Wx/rJU8H7LGs6gV8uqeaSketv+nz+sQhfctxZ1rx+5qzXfy
+FOQVpO23KDQunBi1Bl9k61Di4q9JWcyADBXPHXJzp7mL8Fk7zdvMAEfuED1phdRm6GgDYoYUs4yQ
+IrhSjFlWyk7hT8475xk3BIv++obvWSAv/3+pF6A6U2RXDChVmnG0JnPa9wYYtdzBmLfZKBjX+DjD
+yEMsuhPsCzuN4R6tBIIBWCVRKmKwdkatmpsQBgDw48u0/Arffl5/DRlS9ee+QffFecUitDdCK+kt
+X5L2fGYrL5g6SltncMIeV1ptx4nuSjC/O944q1KYtqvQiPFWJqEXIRMNbbYOC47sjLza0tEFrimN
+wxcrWGSzsy5R9beFQ1aHPcMrDWfCoviNRk2qPtxuKIC5Qk2ZuOmJLjCiLwUGEb0/1Mpzv3MqQa7d
+mRayXg3DZWJPajxNZv6eS357ElMvwGQmqafb2mlQJwWLsg9m9PG7uqEoyrqSc6MiuY+icLEFib9j
+OfRQrx70rTSKUfTr4MtP0aZZAefjCrpVIyTekhFDOk0Nmx057eonlyGgmGpl5/Uo+t1J1Z11Ya/l
+bNbfmebRISJeTVW0I8FhseAZMI1GSwp/ludJxSLYOgyRkh+GX134MexNo7O9F1SxLCfWaSG9Fc3s
+5ify04ua9/t8SGrYZPm/l3MkAAAAAAAAAAAAAA==
+
+
diff --git a/src/lib/libssl/src/crypto/pkcs7/t/msie-s-a-e.pem b/src/lib/libssl/src/crypto/pkcs7/t/msie-s-a-e.pem
new file mode 100644
index 0000000000..55dbd8f80b
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs7/t/msie-s-a-e.pem
@@ -0,0 +1,106 @@
+-----BEGIN PKCS7-----
+MIAGCSqGSIb3DQEHA6CAMIITUAIBADGCAcIwgcwCAQAwdjBiMREwDwYDVQQHEwhJ
+bnRlcm5ldDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNDAyBgNVBAsTK1ZlcmlT
+aWduIENsYXNzIDEgQ0EgLSBJbmRpdmlkdWFsIFN1YnNjcmliZXICEGBAmILep9sJ
+uN2Pkg1gucowDQYJKoZIhvcNAQEBBQAEQKOxxpIbRTb31+qIQCBOpMVAGnwCLrPO
+OXnntxVveTrPhBnsJuoGNJcCMtuHl7tLkd38WsVwOfGXUprTqFpUcY8wgfACAQAw
+gZkwgZIxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQH
+EwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRzb2Z0IFB0eSBMdGQxIjAgBgNVBAsT
+GURFTU9OU1RSQVRJT04gQU5EIFRFU1RJTkcxGzAZBgNVBAMTEkRFTU8gWkVSTyBW
+QUxVRSBDQQICBG4wDQYJKoZIhvcNAQEBBQAEQKzIddnXFqK/RRBG86ZVixoXfwAv
+ZdfvnDFsKzPn/A6DuDdE/hqJxnFpHiwGiDR/YbWj2ib+G74DSshgX8vj8ZQwghGD
+BgkqhkiG9w0BBwEwGgYIKoZIhvcNAwIwDgICAKAECLKM0K58I3HNgIIRWBDP8s+g
+l7/6JhZ5PBJ5vPpD1R4pnNDZRabsYu0Qzezdz1IK+maTAhF0SEuNZoEkzIgOIvu3
+UjW8x/2KcHwteABwgRiSk1JyNLwRED0RtvuJ40pIGDvDsHwBMcXEtKUMAOpGChms
+HUK1+B/GKancSDFOCeG3JCFnFdbuQFDIVHC6amWslc6ntqVs/sii2Gs4qdzDfQgl
+PV/A/FY0wi0j2O5cXRQJtZVKM/MYGjj5c1cy9Q7oymU5ATP/LARD0Tw5kBB7HVnD
+2qrmmmxcHakyxhXmwskaKS6Qxgqq6LPdgr603onxqEtwNSz5UbCq9mLXuCkFOVsQ
+/5mZcmmc7re3XJMQHRXkBlxEpZQ6HOUIEzlhRqCo2hhymyZK84rptjORQo6vNakM
+IC0Zn8O+6Xl1NlmbGzZakz6LJ4dczE7eG7LwrVus9Oq3V/WweG6rWMPV5d51oKMi
+BRb2pXXy80BAKh/9hvpP/V/HO1/+MPuk8tAn7ssmQoIAQcZxqLOmgqqFhy21oSEu
+rUY746Gp/vIV6Ax1MnfDA/fbjDllhJTl8ujZnfj8R1/oQa9fJMipV8CYQEAt3okZ
+V03kaVhhPGsv544/zRnhqjhgqjHASZGnluZCxDwHb1CE4UqYLp6IbkH3qosy2ntm
+a7WCsM3FN3o5dKFZXBgBEPT8HU9LLQ8B+T0Zvh8CQ719kkNBhnuzSYzmI48R5JHv
+zbROiU5v4p9FpssD13vXiOxzaMTKQqWk/roGHiNoKzKonS5RBwTxKfOsoCobCBaI
+IZCmJNr4cGI/p5GVEY4pCPljTq9w3HoiNrhwZ7r7II3wdXy0JjSiRkr3w1AKXm3v
+1H9kHZzc28Ekf7+De6VTjyKRPe1WYPETeY5mh9nIYUQz30/5gIxJwsPFOXeHMbLR
+iQjxTznk/uo4BtwV+HZPmf4tIQvAuFuTKYR9lP3XsZZN+bKkFYy8nHRYd4OErBBg
+93NsqBYROdzJ4pqxoJb6gt2EHCt3pazavgwDxzCJhcMtvBiYLEkDxUX77yS5sXYc
+k6NLIwFL5BPY9JX/QP1RaiJV+TtHg69YElW+rudX6VdLQ7mKCMTHGWbHU5oF+Dv4
+Kv8xsrjNU2spImfzY2coq3osLpFpOa8VhrLSwMXFDtej5OHq0M0qYpYm3op6B+Nz
+6pNYlMpveQv5Qjy9LTNMvLX4z+tnh6Siz8mJLmtghwCzC+DnyQGCn/Stzq6kF5aM
+Fork7RosB4FB8u6WjVrFZfTg5JUqZh6gCW3JHpQ70wTdpy6tDKDtNrbjKo7CGL8+
+shoSI7t2xa8W3OyyFXMEuJzTY2UCQ+QxTOWI9idkdZCCUMBXEvkraqG8rU4UKRCk
+iAGwEMzophEv+aSyJfdu6yJGjd+/wUCHMS3EmtOWHwtB5d5sVhErdQNA+JQN+wPU
+vBG2Jg3wGJTHNNx4WRnWRLWsH6SRcgx8zWXHjVgXIep8XjWQmOGBXbG87hktESqc
+DQPUv3MzieKfcpgQsboRnqSN1DymwvAu+PVsMNf8DHQKLdZ/iuzPzwRkfIVpmh+U
+ku1N8jMAAdX6tjQ48eLq/lJvjHJUnTdNTA18xhDvngKNaXQGPOO/dt+JfHQdmFQI
+WdWZSeCpm6jCiaxiV50FBGEuv3Ew0Y7FKHLKFu7hoNXIthoh2qo5ZH6QX4nt0nYR
+VvyvIcAB9BwC7OeqBTeusFJD/wGiQD3yFDYUekaRys2fcwguNqAdpjWsEETJxREw
+ZdbP0sDMSykae4wHyrODWcUmOiPc/9nU6c0t7bBzI8VQ7sZKJb0TVgSCxDHi9Qgb
+4qdh4ZqFMP0s+TQ4Ms5NWkC1eg0DSdkWSzGQ0QrUsGUgbupYYUoEyRmsz9PjW6l1
+wuWkE66qxSHFsg18/gA5XpLM82DP4EmkEwgC08Hww2lPRJN8VYFvlwbRMbSd1PtA
+Dd5dI/Oq1CHSL6enlncVkKr/S7aaKKyjAyn1HOT2FdPWdSYLE+F+dWc6vu+JeXc+
+7nSDO1DW3U6ZkZvTw4901GxgrzUfYajhBky25L29WUduGoerhkZds5wduSKQwBkY
+TUW/YrP6Ttrbx8B0wzDo64L2Rv6Tb14ElMc9KUY1I1yHKgXtl9oHEH3mpa/IGO+q
+PN1hBi+jg68lfb00FR7edvos4KWKAWWlZaYKm2ZeeHPjhNGcX/UcF8A23GLuSruR
+NDDy9KlI3NMtvmOhOD+WwFmmRjBk/jkZMlVM3GlpjP/l5TuzxEecK1pQiDGQl9S/
+574qGNKtAiqgC5+wyUFPqnp28K2+rsEu7jWWOlfOrNGg2KVO8kcqsQuUm7sjSW9N
+oHcVAoKSLHBWjFIzFUZpeDOASI1/21Ph4B6FTFJvEpzfYEXE9osz64DhlXDEyY33
+p86AiqAj6PUY4BjHLYAeA7ymphKzVOzq4pSH7qKsxDzUnj/Uj8P85A5jbzHmzOPf
+VnvQlZ7B1FqhdNP2SVqLmu+/tH9Wy0v7ZnItSQbyHDKP+Eib4B/ihaNIIoz/YKgD
+3eYgjp6ZyZR1KkSMpuNkpsihA7s3UsFyowEeo+7l3Wt/ScjCa/IBsxLLtI2EZAJo
+9WHYqsCl1HCzJHI9QCnlPz8U1FcNGCrL/66MKz2MMN8UFFqjYr61wexghxNwc7GD
+XR7Js4mhiF0GwPhAR3ZLiqzPAXAvn8YRf5fylMZ4LA9RO+SHFL/MxQxfrJOAgWB6
+pLPUuCWJXLm7os6rCC23RsyDDWe8N+JNF0/ryzr8MHeIJGsT+AYnZr08PeTbyr01
+JEoT7lPYT6PzX4F63QKKDl+mB+PwLMzYCXrxZcUmuay6/MV8w/f5T6vQXdoSw5pu
+WodBYwVReYh1IaEN+jiTapm9YBVmcIsJPO6abHowknSVOWSvST0AtAX57fFOTckm
++facfBK9s9T1lUUgF44Bh5e8f9qKqfOV44nqdCOEyUm0Dao497ieN4EgXBLNvOZY
+9+irMiXjp0lcyFvhrJOczfyCr9EiiaiH1TfSzKGKsf2W84iKn/JH6x2eOo7xjwJ4
+0BQDc6S1cUNEuqBhP6by0FioOXYOKVyifpxk84Eb+F/4CNdTJTvCPwsiegdfsX/Q
+53DvKVtXp9Ycam5JTmKRHXK/bMHF4ONv3p/O/kn/BqRx+fbbP2eMX8Z1F/ltHKfp
+6B+06HljUwQLBJs9XtCfqH5Zgdz9gad5WZF5ykFArmHDgeFlgggvbZ7z9vqnjN/T
+H68TxJzauYQ5vLHQ6wGXik4/4uq7/TqNmhxlQEM4zVkwsn203bUmKLyz+yl1zItD
+pn5zy1uXfGo99rBdUzdbdE9LmEFPMaFsaHd4a8oDaUroD7FgCbeDJJVld3ac6F8+
+3QbExPs48OrgA1kI3/UwXr52ldjiYzTLfAGR9BjqNFTw45FUHuMf8TEM5hcHx56w
+95eKAqraDk28o9k+M2UKpcmrdlWoWzdqVVFeWGpM8x9Y9Nt0lf/4VUQgrXjqTkUC
+QkJyqTeTeGgHrn3QBk2XAgpxZhaJs3InW0BkAlBmK99cMinUiJeFt5a4p5wPeXrV
+uh6V9m7Mpl9hzpogg++EZqahfzzNnDgxOZfW342DX052PdgXo0NnkhCk005LvFt6
+M2mRn0fLgNVfyUZZoOp8cO5ZWbhXXlrhrgUtj2zKPK6Q94Zj4kdXHBGpAkrB8ZQ4
+EGGODE0Dqusm8WPXzB+9236IMHPU7lFbyjBrFNI7O4jg+qRIIpi+7tX0FsilqEbm
+jG+OPwhZXrdqUqyF+rjKQuSRq7lOeDB4c6S2dq4OOny01i5HCbbyc9UvSHRmhOhG
+qUlzHyHLo3W7j+26V/MhkDXJ+Tx+qfylv4pbliwTteJJj+CZwzjv29qb6lxYi+38
+Bw10ERapm8UCRFBecVN7xXlcIfyeAl666Vi7EBJZv3EdFNrx1nlLwM65nYya7uj6
+L7IwJWotIUx8E0XH0/cUxS/dG8bxf9L/8652h5gq3LI+wTNGuEX0DMuz7BGQG+Nt
+gabrZ6SsKGthGa7eULTpz0McWTLRU0y//tkckpm5pDnXSFbIMskwwjECz82UZBSP
+pigdN/Pjg5d+0yWu7s3VJxw4ENWPPpzZ+j7sOXmdvn9PO1tQd60EO+3awBlC9ZXf
+/InoXE+21s/6p5RGkmg8Rl+k3ZRhmZ3weq1HRhto5npGWf2e+l0r1/KVd3D3PbF4
+JuMNZS20kHhWpnEYkzx4JMLVUNXIA6xDmftJjnl0yRBtT6jhn/gnmbz7DPnQEEgt
++u4vV5nr8IXoJ2/FVGInXSxdzROfaxUxeqTDsB2nUZigIj1zpUVIUrvj6f7LstUV
+DkcGdtDIolx290s5fBk49oUcLlQ1dGY6lzB0+rJdR77Eiw4xhvN2UCcj14YM15EO
+S1Rr9GHQJtkLGOYnOhkRg4RmOxhmUR+nUpvrW3zPibbyEYsSDzxPUiGbFrYd5RZ6
+zVGmaAg4/7/YtveyaP+X9+lK7iBpsWDIIBUfkd0JgxJxS/xJW7nn62l47wQugcdB
+RdXiuvTzg7hu53OGA1I4/IsYOXmx8NReLK6w8LFLglU78pjpXZCu2D+rbC2ZekSR
+mcZP5CLdYPPC3hbzVqXO2dgw/XugYubFfvUpX04SIxmMjhZpoa3444g0u1Gp5+Kh
+nU0jYvWzkzS3JvBOzJT1YREz7elTBch8lWxsxlGU1o7Y6iBwdtpHhRa+E6P7cJMb
+WxOGJhAzEyenVGmrHeeHLOos7dNGuRi/GcDdx08Gf0R6qmAEyDtfeEKIxXcWXlyP
+9Y4yG0diBjsGB4JejjoQVVnj5augZnjrEaJEOIhuWjxvMt3tALG+6TPHLeZQOCxl
+Dyl2zg3bzB5JSEGTkwA9t8GlG9dRUnEyEqpe5xBTUx3WpIYtu64hC7P2kAanUkVT
+H+8SQKCbvh1pKhVYJm4H7VkTh/jxyW+sGPnXEw1/wI8QUTu/JLNVvpfYfWLlfdn5
+jcN0hxbDhjYUKV9wmTgzCrwKrYYAsYUSB71hIQT1ibK5To4V5TQgKieJcCBnvZIz
+x8HAk+u4sVt2w1gpb6gB+Y+KxdJYxxmZ1Jt+TQZi/68q27d56BJtbDVSwJW1k6H0
+Tlm5DzeXn0IGo72xX9IVTdausnSo1bGuZe72cmflB/mIJGgUZg0dgeQgbkVLo3TQ
+YQNnEaTGaujZ374B2PktUdz9vVxhaau7H6MSojxkrxzJMHRcxsED8dhvH01drOvv
+Oc/j8yW/ellOgRxi36WAscACu1QB2HJuFssjA0yrSCvoTC0OSUFreezhbH+slTwf
+ssazqBXy6p5pKR62/6fP6xCF9y3FnWvH7mrNd/IU5BWk7bcoNC6cGLUGX2TrUOLi
+r0lZzIAMFc8dcnOnuYvwWTvN28wAR+4QPWmF1GboaANihhSzjJAiuFKMWVbKTuFP
+zjvnGTcEi/76hu9ZIC//f6kXoDpTZFcMKFWacbQmc9r3Bhi13MGYt9koGNf4OMPI
+Qyy6E+wLO43hHq0lUSpisHZGrZqbEAYA8OPLtPwK335efw0ZUvXnvkH3xXnFIrQ3
+QivpLV+S9nxmKy+YOkpbZ3DCHldabceJ7kowvzveOKtSmLar0IjxViahFyETDW22
+DguO7Iy82tLRBa4pjcMXK1hks7MuUfW3hUNWhz3DKw1nwqL4jUZNqj7cbiiAuUJN
+mbjpiS4woi8FBhG9P9TKc79zKkGu3ZkWsl4Nw2ViT2o8TWb+nkt+exJTL8BkJqmn
+29ppUCcFi7IPZvTxu7qhKMq6knOjIrmPonCxBYm/Yzn0UK8e9K00ilH06+DLT9Gm
+WQHn4wq6VSMk3pIRQzpNDZsdOe3qJ5choJhqZef1KPrdSdWddWGv5WzW35nm0SEi
+Xk1VtCPBYbHgGTCNRksKf5bnScUi2DoMkZIfhl9d+DHsTaOzvRdUsSwn1mkhvRXN
+7OYn8tOLmvf7fEhq2GT5v5dzJAAAAAA=
+-----END PKCS7-----
diff --git a/src/lib/libssl/src/crypto/pkcs7/t/nav-smime b/src/lib/libssl/src/crypto/pkcs7/t/nav-smime
new file mode 100644
index 0000000000..6ee4b597a1
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs7/t/nav-smime
@@ -0,0 +1,157 @@
+From angela@c2.net.au Thu May 14 13:32:27 1998
+X-UIDL: 83c94dd550e54329bf9571b72038b8c8
+Return-Path: angela@c2.net.au
+Received: from cryptsoft.com (play.cryptsoft.com [203.56.44.3]) by pandora.cryptsoft.com (8.8.3/8.7.3) with ESMTP id NAA27838 for <tjh@cryptsoft.com>; Thu, 14 May 1998 13:32:26 +1000 (EST)
+Message-ID: <355A6779.4B63E64C@cryptsoft.com>
+Date: Thu, 14 May 1998 13:39:37 +1000
+From: Angela van Lent <angela@c2.net.au>
+X-Mailer: Mozilla 4.03 [en] (Win95; U)
+MIME-Version: 1.0
+To: tjh@cryptsoft.com
+Subject: signed
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms9A58844C95949ECC78A1C54C"
+Content-Length: 2604
+Status: OR
+
+This is a cryptographically signed message in MIME format.
+
+--------------ms9A58844C95949ECC78A1C54C
+Content-Type: text/plain; charset=us-ascii
+Content-Transfer-Encoding: 7bit
+
+signed body
+
+--------------ms9A58844C95949ECC78A1C54C
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+Content-Description: S/MIME Cryptographic Signature
+
+MIIGHgYJKoZIhvcNAQcCoIIGDzCCBgsCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC
+BGswggJTMIIB/aADAgECAgIEfjANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCQVUxEzAR
+BgNVBAgTClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5lMRowGAYDVQQKExFDcnlwdHNv
+ZnQgUHR5IEx0ZDEiMCAGA1UECxMZREVNT05TVFJBVElPTiBBTkQgVEVTVElORzEbMBkGA1UE
+AxMSREVNTyBaRVJPIFZBTFVFIENBMB4XDTk4MDUxMzA2MjY1NloXDTAwMDUxMjA2MjY1Nlow
+gaUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFu
+ZTEaMBgGA1UEChMRQ3J5cHRzb2Z0IFB0eSBMdGQxEjAQBgNVBAsTCVNNSU1FIDAwMzEZMBcG
+A1UEAxMQQW5nZWxhIHZhbiBMZWVudDEjMCEGCSqGSIb3DQEJARYUYW5nZWxhQGNyeXB0c29m
+dC5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAuC3+7dAb2LhuO7gt2cTM8vsNjhG5JfDh
+hX1Vl/wVGbKEEj0MA6vWEolvefQlxB+EzwCtR0YZ7eEC/T/4JoCyeQIDAQABoygwJjAkBglg
+hkgBhvhCAQ0EFxYVR2VuZXJhdGVkIHdpdGggU1NMZWF5MA0GCSqGSIb3DQEBBAUAA0EAUnSP
+igs6TMFISTjw8cBtJYb98czgAVkVFjKyJQwYMH8FbDnCyx6NocM555nsyDstaw8fKR11Khds
+syd3ikkrhDCCAhAwggG6AgEDMA0GCSqGSIb3DQEBBAUAMIGSMQswCQYDVQQGEwJBVTETMBEG
+A1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
+dCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNUUkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQD
+ExJERU1PIFpFUk8gVkFMVUUgQ0EwHhcNOTgwMzAzMDc0MTMyWhcNMDgwMjI5MDc0MTMyWjCB
+kjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5l
+MRowGAYDVQQKExFDcnlwdHNvZnQgUHR5IEx0ZDEiMCAGA1UECxMZREVNT05TVFJBVElPTiBB
+TkQgVEVTVElORzEbMBkGA1UEAxMSREVNTyBaRVJPIFZBTFVFIENBMFwwDQYJKoZIhvcNAQEB
+BQADSwAwSAJBAL+0E2fLej3FSCwe2A2iRnMuC3z12qHIp6Ky1wo2zZcxft7AI+RfkrWrSGtf
+mfzBEuPrLdfulncC5Y1pNcM8RTUCAwEAATANBgkqhkiG9w0BAQQFAANBAGSbLMphL6F5pp3s
+8o0Xyh86FHFdpVOwYx09ELLkuG17V/P9pgIc0Eo/gDMbN+KT3IdgECf8S//pCRA6RrNjcXIx
+ggF7MIIBdwIBATCBmTCBkjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxETAP
+BgNVBAcTCEJyaXNiYW5lMRowGAYDVQQKExFDcnlwdHNvZnQgUHR5IEx0ZDEiMCAGA1UECxMZ
+REVNT05TVFJBVElPTiBBTkQgVEVTVElORzEbMBkGA1UEAxMSREVNTyBaRVJPIFZBTFVFIENB
+AgIEfjAJBgUrDgMCGgUAoHowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAbBgkqhkiG9w0B
+CQ8xDjAMMAoGCCqGSIb3DQMHMBwGCSqGSIb3DQEJBTEPFw05ODA1MTQwMzM5MzdaMCMGCSqG
+SIb3DQEJBDEWBBQstNMnSV26ba8PapQEDhO21yNFrjANBgkqhkiG9w0BAQEFAARAW9Xb9YXv
+BfcNkutgFX9Gr8iXhBVsNtGEVrjrpkQwpKa7jHI8SjAlLhk/4RFwDHf+ISB9Np3Z1WDWnLcA
+9CWR6g==
+--------------ms9A58844C95949ECC78A1C54C--
+
+
+From angela@c2.net.au Thu May 14 13:33:16 1998
+X-UIDL: 8f076c44ff7c5967fd5b00c4588a8731
+Return-Path: angela@c2.net.au
+Received: from cryptsoft.com (play.cryptsoft.com [203.56.44.3]) by pandora.cryptsoft.com (8.8.3/8.7.3) with ESMTP id NAA27847 for <tjh@cryptsoft.com>; Thu, 14 May 1998 13:33:15 +1000 (EST)
+Message-ID: <355A67AB.2AF38806@cryptsoft.com>
+Date: Thu, 14 May 1998 13:40:27 +1000
+From: Angela van Lent <angela@c2.net.au>
+X-Mailer: Mozilla 4.03 [en] (Win95; U)
+MIME-Version: 1.0
+To: tjh@cryptsoft.com
+Subject: signed
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------msD7863B84BD61E02C407F2F5E"
+Content-Length: 2679
+Status: OR
+
+This is a cryptographically signed message in MIME format.
+
+--------------msD7863B84BD61E02C407F2F5E
+Content-Type: text/plain; charset=us-ascii
+Content-Transfer-Encoding: 7bit
+
+signed body 2
+
+--------------msD7863B84BD61E02C407F2F5E
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+Content-Description: S/MIME Cryptographic Signature
+
+MIIGVgYJKoZIhvcNAQcCoIIGRzCCBkMCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC
+BGswggJTMIIB/aADAgECAgIEfjANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCQVUxEzAR
+BgNVBAgTClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5lMRowGAYDVQQKExFDcnlwdHNv
+ZnQgUHR5IEx0ZDEiMCAGA1UECxMZREVNT05TVFJBVElPTiBBTkQgVEVTVElORzEbMBkGA1UE
+AxMSREVNTyBaRVJPIFZBTFVFIENBMB4XDTk4MDUxMzA2MjY1NloXDTAwMDUxMjA2MjY1Nlow
+gaUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFu
+ZTEaMBgGA1UEChMRQ3J5cHRzb2Z0IFB0eSBMdGQxEjAQBgNVBAsTCVNNSU1FIDAwMzEZMBcG
+A1UEAxMQQW5nZWxhIHZhbiBMZWVudDEjMCEGCSqGSIb3DQEJARYUYW5nZWxhQGNyeXB0c29m
+dC5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAuC3+7dAb2LhuO7gt2cTM8vsNjhG5JfDh
+hX1Vl/wVGbKEEj0MA6vWEolvefQlxB+EzwCtR0YZ7eEC/T/4JoCyeQIDAQABoygwJjAkBglg
+hkgBhvhCAQ0EFxYVR2VuZXJhdGVkIHdpdGggU1NMZWF5MA0GCSqGSIb3DQEBBAUAA0EAUnSP
+igs6TMFISTjw8cBtJYb98czgAVkVFjKyJQwYMH8FbDnCyx6NocM555nsyDstaw8fKR11Khds
+syd3ikkrhDCCAhAwggG6AgEDMA0GCSqGSIb3DQEBBAUAMIGSMQswCQYDVQQGEwJBVTETMBEG
+A1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
+dCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNUUkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQD
+ExJERU1PIFpFUk8gVkFMVUUgQ0EwHhcNOTgwMzAzMDc0MTMyWhcNMDgwMjI5MDc0MTMyWjCB
+kjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5l
+MRowGAYDVQQKExFDcnlwdHNvZnQgUHR5IEx0ZDEiMCAGA1UECxMZREVNT05TVFJBVElPTiBB
+TkQgVEVTVElORzEbMBkGA1UEAxMSREVNTyBaRVJPIFZBTFVFIENBMFwwDQYJKoZIhvcNAQEB
+BQADSwAwSAJBAL+0E2fLej3FSCwe2A2iRnMuC3z12qHIp6Ky1wo2zZcxft7AI+RfkrWrSGtf
+mfzBEuPrLdfulncC5Y1pNcM8RTUCAwEAATANBgkqhkiG9w0BAQQFAANBAGSbLMphL6F5pp3s
+8o0Xyh86FHFdpVOwYx09ELLkuG17V/P9pgIc0Eo/gDMbN+KT3IdgECf8S//pCRA6RrNjcXIx
+ggGzMIIBrwIBATCBmTCBkjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxETAP
+BgNVBAcTCEJyaXNiYW5lMRowGAYDVQQKExFDcnlwdHNvZnQgUHR5IEx0ZDEiMCAGA1UECxMZ
+REVNT05TVFJBVElPTiBBTkQgVEVTVElORzEbMBkGA1UEAxMSREVNTyBaRVJPIFZBTFVFIENB
+AgIEfjAJBgUrDgMCGgUAoIGxMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcN
+AQkFMQ8XDTk4MDUxNDAzNDAyN1owIwYJKoZIhvcNAQkEMRYEFOKcV8mNYJnM8rHQajcSEqJN
+rwdDMFIGCSqGSIb3DQEJDzFFMEMwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMAcGBSsO
+AwIHMA0GCCqGSIb3DQMCAgFAMA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABEADPE/N
+coH+zTFuX5YpolupTKxKK8eEjc48TuADuO8bIHHDE/fEYaWunlwDuTlcFJl1ig0idffPB1qC
+Zp8SSVVY
+--------------msD7863B84BD61E02C407F2F5E--
+
+
+From angela@c2.net.au Thu May 14 14:05:32 1998
+X-UIDL: a7d629b4b9acacaee8b39371b860a32a
+Return-Path: angela@c2.net.au
+Received: from cryptsoft.com (play.cryptsoft.com [203.56.44.3]) by pandora.cryptsoft.com (8.8.3/8.7.3) with ESMTP id OAA28033 for <tjh@cryptsoft.com>; Thu, 14 May 1998 14:05:32 +1000 (EST)
+Message-ID: <355A6F3B.AC385981@cryptsoft.com>
+Date: Thu, 14 May 1998 14:12:43 +1000
+From: Angela van Lent <angela@c2.net.au>
+X-Mailer: Mozilla 4.03 [en] (Win95; U)
+MIME-Version: 1.0
+To: tjh@cryptsoft.com
+Subject: encrypted
+Content-Type: application/x-pkcs7-mime; name="smime.p7m"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7m"
+Content-Description: S/MIME Encrypted Message
+Content-Length: 905
+Status: OR
+
+MIAGCSqGSIb3DQEHA6CAMIACAQAxggHmMIHwAgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEG
+A1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
+dCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNUUkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQD
+ExJERU1PIFpFUk8gVkFMVUUgQ0ECAgR+MA0GCSqGSIb3DQEBAQUABEA92N29Yk39RUY2tIVd
+exGT2MFX3J6H8LB8aDRJjw7843ALgJ5zXpM5+f80QkAWwEN2A6Pl3VxiCeKLi435zXVyMIHw
+AgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMI
+QnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29mdCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNU
+UkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQDExJERU1PIFpFUk8gVkFMVUUgQ0ECAgRuMA0G
+CSqGSIb3DQEBAQUABECR9IfyHtvnjFmZ8B2oUCEs1vxMsG0u1kxKE4RMPFyDqDCEARq7zXMg
+nzSUI7Wgv5USSKDqcLRJeW+jvYURv/nJMIAGCSqGSIb3DQEHATAaBggqhkiG9w0DAjAOAgIA
+oAQIrLqrij2ZMpeggAQoibtn6reRZWuWk5Iv5IAhgitr8EYE4w4ySQ7EMB6mTlBoFpccUMWX
+BwQgQn1UoWCvYAlhDzURdbui64Dc0rS2wtj+kE/InS6y25EEEPe4NUKaF8/UlE+lo3LtILQE
+CL3uV8k7m0iqAAAAAAAAAAAAAA==
+
diff --git a/src/lib/libssl/src/crypto/pkcs7/t/s.pem b/src/lib/libssl/src/crypto/pkcs7/t/s.pem
new file mode 100644
index 0000000000..4fa925b182
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs7/t/s.pem
@@ -0,0 +1,57 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOgIBAAJBAK3nI4nuDYe3nDJES5WBc90igEstxWC4/h4YY+/ciYki35U8ets9
+mgaoCNYp/e9BCZHtvK2Y+fYokGJv5+cMTQsCAwEAAQJBAIHpvXvqEcOEoDRRHuIG
+fkcB4jPHcr9KE9TpxabH6xs9beN6OJnkePXAHwaz5MnUgSnbpOKq+cw8miKjXwe/
+zVECIQDVLwncT2lRmXarEYHzb+q/0uaSvKhWKKt3kJasLNTrAwIhANDUc/ghut29
+p3jJYjurzUKuG774/5eLjPLsxPPIZzNZAiA/10hSq41UnGqHLEUIS9m2/EeEZe7b
+bm567dfRU9OnVQIgDo8ROrZXSchEGbaog5J5r/Fle83uO8l93R3GqVxKXZkCIFfk
+IPD5PIYQAyyod3hyKKza7ZP4CGY4oOfZetbkSGGG
+-----END RSA PRIVATE KEY-----
+issuer :/C=AU/SP=Queensland/L=Brisbane/O=Cryptsoft Pty Ltd/OU=DEMONSTRATION AND TESTING/CN=DEMO ZERO VALUE CA
+subject:/C=AU/SP=Queensland/L=Brisbane/O=Cryptsoft Pty Ltd/OU=SMIME 003/CN=Information/Email=info@cryptsoft.com
+serial :047D
+
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1149 (0x47d)
+        Signature Algorithm: md5withRSAEncryption
+        Issuer: C=AU, SP=Queensland, L=Brisbane, O=Cryptsoft Pty Ltd, OU=DEMONSTRATION AND TESTING, CN=DEMO ZERO VALUE CA
+        Validity
+            Not Before: May 13 05:40:58 1998 GMT
+            Not After : May 12 05:40:58 2000 GMT
+        Subject: C=AU, SP=Queensland, L=Brisbane, O=Cryptsoft Pty Ltd, OU=SMIME 003, CN=Information/Email=info@cryptsoft.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Modulus:
+                    00:ad:e7:23:89:ee:0d:87:b7:9c:32:44:4b:95:81:
+                    73:dd:22:80:4b:2d:c5:60:b8:fe:1e:18:63:ef:dc:
+                    89:89:22:df:95:3c:7a:db:3d:9a:06:a8:08:d6:29:
+                    fd:ef:41:09:91:ed:bc:ad:98:f9:f6:28:90:62:6f:
+                    e7:e7:0c:4d:0b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            Netscape Comment: 
+                Generated with SSLeay
+    Signature Algorithm: md5withRSAEncryption
+        52:15:ea:88:f4:f0:f9:0b:ef:ce:d5:f8:83:40:61:16:5e:55:
+        f9:ce:2d:d1:8b:31:5c:03:c6:2d:10:7c:61:d5:5c:0a:42:97:
+        d1:fd:65:b6:b6:84:a5:39:ec:46:ec:fc:e0:0d:d9:22:da:1b:
+        50:74:ad:92:cb:4e:90:e5:fa:7d
+
+-----BEGIN CERTIFICATE-----
+MIICTDCCAfagAwIBAgICBH0wDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAkFV
+MRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UE
+ChMRQ3J5cHRzb2Z0IFB0eSBMdGQxIjAgBgNVBAsTGURFTU9OU1RSQVRJT04gQU5E
+IFRFU1RJTkcxGzAZBgNVBAMTEkRFTU8gWkVSTyBWQUxVRSBDQTAeFw05ODA1MTMw
+NTQwNThaFw0wMDA1MTIwNTQwNThaMIGeMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
+UXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
+dCBQdHkgTHRkMRIwEAYDVQQLEwlTTUlNRSAwMDMxFDASBgNVBAMTC0luZm9ybWF0
+aW9uMSEwHwYJKoZIhvcNAQkBFhJpbmZvQGNyeXB0c29mdC5jb20wXDANBgkqhkiG
+9w0BAQEFAANLADBIAkEArecjie4Nh7ecMkRLlYFz3SKASy3FYLj+Hhhj79yJiSLf
+lTx62z2aBqgI1in970EJke28rZj59iiQYm/n5wxNCwIDAQABoygwJjAkBglghkgB
+hvhCAQ0EFxYVR2VuZXJhdGVkIHdpdGggU1NMZWF5MA0GCSqGSIb3DQEBBAUAA0EA
+UhXqiPTw+QvvztX4g0BhFl5V+c4t0YsxXAPGLRB8YdVcCkKX0f1ltraEpTnsRuz8
+4A3ZItobUHStkstOkOX6fQ==
+-----END CERTIFICATE-----
+
diff --git a/src/lib/libssl/src/crypto/pkcs7/t/server.pem b/src/lib/libssl/src/crypto/pkcs7/t/server.pem
new file mode 100644
index 0000000000..989baf8709
--- /dev/null
+++ b/src/lib/libssl/src/crypto/pkcs7/t/server.pem
@@ -0,0 +1,57 @@
+issuer :/C=AU/SP=Queensland/L=Brisbane/O=Cryptsoft Pty Ltd/OU=DEMONSTRATION AND TESTING/CN=DEMO ZERO VALUE CA
+subject:/C=AU/SP=Queensland/L=Brisbane/O=Cryptsoft Pty Ltd/OU=SMIME 003/CN=Information/Email=info@cryptsoft.com
+serial :047D
+
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1149 (0x47d)
+        Signature Algorithm: md5withRSAEncryption
+        Issuer: C=AU, SP=Queensland, L=Brisbane, O=Cryptsoft Pty Ltd, OU=DEMONSTRATION AND TESTING, CN=DEMO ZERO VALUE CA
+        Validity
+            Not Before: May 13 05:40:58 1998 GMT
+            Not After : May 12 05:40:58 2000 GMT
+        Subject: C=AU, SP=Queensland, L=Brisbane, O=Cryptsoft Pty Ltd, OU=SMIME 003, CN=Information/Email=info@cryptsoft.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Modulus:
+                    00:ad:e7:23:89:ee:0d:87:b7:9c:32:44:4b:95:81:
+                    73:dd:22:80:4b:2d:c5:60:b8:fe:1e:18:63:ef:dc:
+                    89:89:22:df:95:3c:7a:db:3d:9a:06:a8:08:d6:29:
+                    fd:ef:41:09:91:ed:bc:ad:98:f9:f6:28:90:62:6f:
+                    e7:e7:0c:4d:0b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            Netscape Comment: 
+                Generated with SSLeay
+    Signature Algorithm: md5withRSAEncryption
+        52:15:ea:88:f4:f0:f9:0b:ef:ce:d5:f8:83:40:61:16:5e:55:
+        f9:ce:2d:d1:8b:31:5c:03:c6:2d:10:7c:61:d5:5c:0a:42:97:
+        d1:fd:65:b6:b6:84:a5:39:ec:46:ec:fc:e0:0d:d9:22:da:1b:
+        50:74:ad:92:cb:4e:90:e5:fa:7d
+
+-----BEGIN CERTIFICATE-----
+MIICTDCCAfagAwIBAgICBH0wDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAkFV
+MRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UE
+ChMRQ3J5cHRzb2Z0IFB0eSBMdGQxIjAgBgNVBAsTGURFTU9OU1RSQVRJT04gQU5E
+IFRFU1RJTkcxGzAZBgNVBAMTEkRFTU8gWkVSTyBWQUxVRSBDQTAeFw05ODA1MTMw
+NTQwNThaFw0wMDA1MTIwNTQwNThaMIGeMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
+UXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
+dCBQdHkgTHRkMRIwEAYDVQQLEwlTTUlNRSAwMDMxFDASBgNVBAMTC0luZm9ybWF0
+aW9uMSEwHwYJKoZIhvcNAQkBFhJpbmZvQGNyeXB0c29mdC5jb20wXDANBgkqhkiG
+9w0BAQEFAANLADBIAkEArecjie4Nh7ecMkRLlYFz3SKASy3FYLj+Hhhj79yJiSLf
+lTx62z2aBqgI1in970EJke28rZj59iiQYm/n5wxNCwIDAQABoygwJjAkBglghkgB
+hvhCAQ0EFxYVR2VuZXJhdGVkIHdpdGggU1NMZWF5MA0GCSqGSIb3DQEBBAUAA0EA
+UhXqiPTw+QvvztX4g0BhFl5V+c4t0YsxXAPGLRB8YdVcCkKX0f1ltraEpTnsRuz8
+4A3ZItobUHStkstOkOX6fQ==
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOgIBAAJBAK3nI4nuDYe3nDJES5WBc90igEstxWC4/h4YY+/ciYki35U8ets9
+mgaoCNYp/e9BCZHtvK2Y+fYokGJv5+cMTQsCAwEAAQJBAIHpvXvqEcOEoDRRHuIG
+fkcB4jPHcr9KE9TpxabH6xs9beN6OJnkePXAHwaz5MnUgSnbpOKq+cw8miKjXwe/
+zVECIQDVLwncT2lRmXarEYHzb+q/0uaSvKhWKKt3kJasLNTrAwIhANDUc/ghut29
+p3jJYjurzUKuG774/5eLjPLsxPPIZzNZAiA/10hSq41UnGqHLEUIS9m2/EeEZe7b
+bm567dfRU9OnVQIgDo8ROrZXSchEGbaog5J5r/Fle83uO8l93R3GqVxKXZkCIFfk
+IPD5PIYQAyyod3hyKKza7ZP4CGY4oOfZetbkSGGG
+-----END RSA PRIVATE KEY-----
diff --git a/src/lib/libssl/src/crypto/rand/rand_egd.c b/src/lib/libssl/src/crypto/rand/rand_egd.c
new file mode 100644
index 0000000000..d834408bd4
--- /dev/null
+++ b/src/lib/libssl/src/crypto/rand/rand_egd.c
@@ -0,0 +1,110 @@
+/* crypto/rand/rand_egd.c */
+/* Written by Ulf Moeller for the OpenSSL project. */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/rand.h>
+
+/* Query the EGD <URL: http://www.lothar.com/tech/crypto/>.
+ */
+
+#if defined(WIN32) || defined(VMS) || defined(__VMS)
+int RAND_egd(const char *path)
+        {
+        return(-1);
+        }
+#else
+#include <openssl/opensslconf.h>
+#include OPENSSL_UNISTD
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <string.h>
+
+#ifndef offsetof
+#  define offsetof(TYPE, MEMBER) ((size_t) &((TYPE *)0)->MEMBER)
+#endif
+
+int RAND_egd(const char *path)
+        {
+        int ret = -1;
+        struct sockaddr_un addr;
+        int len, num;
+        int fd = -1;
+        unsigned char buf[256];
+
+        memset(&addr, 0, sizeof(addr));
+        addr.sun_family = AF_UNIX;
+        if (strlen(path) > sizeof(addr.sun_path))
+                return (-1);
+        strcpy(addr.sun_path,path);
+        len = offsetof(struct sockaddr_un, sun_path) + strlen(path);
+        fd = socket(AF_UNIX, SOCK_STREAM, 0);
+        if (fd == -1) return (-1);
+        if (connect(fd, (struct sockaddr *)&addr, len) == -1) goto err;
+        buf[0] = 1;
+        buf[1] = 255;
+        write(fd, buf, 2);
+        if (read(fd, buf, 1) != 1) goto err;
+    if (buf[0] == 0) goto err;
+        num = read(fd, buf, 255);
+        if (num < 1) goto err;
+        RAND_seed(buf, num);
+        if (RAND_status() == 1)
+                ret = num;
+ err:
+        if (fd != -1) close(fd);
+        return(ret);
+        }
+#endif
diff --git a/src/lib/libssl/src/crypto/rand/rand_err.c b/src/lib/libssl/src/crypto/rand/rand_err.c
new file mode 100644
index 0000000000..d1263edf80
--- /dev/null
+++ b/src/lib/libssl/src/crypto/rand/rand_err.c
@@ -0,0 +1,93 @@
+/* crypto/rand/rand_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA RAND_str_functs[]=
+        {
+{ERR_PACK(0,RAND_F_SSLEAY_RAND_BYTES,0),        "SSLEAY_RAND_BYTES"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA RAND_str_reasons[]=
+        {
+{RAND_R_PRNG_NOT_SEEDED                  ,"prng not seeded"},
+{0,NULL}
+        };
+
+#endif
+
+void ERR_load_RAND_strings(void)
+        {
+        static int init=1;
+
+        if (init)
+                {
+                init=0;
+#ifndef NO_ERR
+                ERR_load_strings(ERR_LIB_RAND,RAND_str_functs);
+                ERR_load_strings(ERR_LIB_RAND,RAND_str_reasons);
+#endif
+
+                }
+        }
diff --git a/src/lib/libssl/src/crypto/rand/rand_lcl.h b/src/lib/libssl/src/crypto/rand/rand_lcl.h
new file mode 100644
index 0000000000..120e9366d2
--- /dev/null
+++ b/src/lib/libssl/src/crypto/rand/rand_lcl.h
@@ -0,0 +1,184 @@
+/* crypto/rand/md_rand.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_RAND_LCL_H
+#define HEADER_RAND_LCL_H
+
+#define ENTROPY_NEEDED 20  /* require 160 bits = 20 bytes of randomness */
+
+
+#if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
+#if !defined(NO_SHA) && !defined(NO_SHA1)
+#define USE_SHA1_RAND
+#elif !defined(NO_MD5)
+#define USE_MD5_RAND
+#elif !defined(NO_MDC2) && !defined(NO_DES)
+#define USE_MDC2_RAND
+#elif !defined(NO_MD2)
+#define USE_MD2_RAND
+#else
+#error No message digest algorithm available
+#endif
+#endif
+
+#if defined(USE_MD5_RAND)
+#include <openssl/md5.h>
+#define MD_DIGEST_LENGTH        MD5_DIGEST_LENGTH
+#define MD(a,b,c)               MD5(a,b,c)
+#elif defined(USE_SHA1_RAND)
+#include <openssl/sha.h>
+#define MD_DIGEST_LENGTH        SHA_DIGEST_LENGTH
+#define MD(a,b,c)               SHA1(a,b,c)
+#elif defined(USE_MDC2_RAND)
+#include <openssl/mdc2.h>
+#define MD_DIGEST_LENGTH        MDC2_DIGEST_LENGTH
+#define MD(a,b,c)               MDC2(a,b,c)
+#elif defined(USE_MD2_RAND)
+#include <openssl/md2.h>
+#define MD_DIGEST_LENGTH        MD2_DIGEST_LENGTH
+#define MD(a,b,c)               MD2(a,b,c)
+#endif
+#if defined(USE_MD5_RAND)
+#include <openssl/md5.h>
+#define MD_DIGEST_LENGTH        MD5_DIGEST_LENGTH
+#define MD_CTX                  MD5_CTX
+#define MD_Init(a)              MD5_Init(a)
+#define MD_Update(a,b,c)        MD5_Update(a,b,c)
+#define MD_Final(a,b)           MD5_Final(a,b)
+#define MD(a,b,c)               MD5(a,b,c)
+#elif defined(USE_SHA1_RAND)
+#include <openssl/sha.h>
+#define MD_DIGEST_LENGTH        SHA_DIGEST_LENGTH
+#define MD_CTX                  SHA_CTX
+#define MD_Init(a)              SHA1_Init(a)
+#define MD_Update(a,b,c)        SHA1_Update(a,b,c)
+#define MD_Final(a,b)           SHA1_Final(a,b)
+#define MD(a,b,c)               SHA1(a,b,c)
+#elif defined(USE_MDC2_RAND)
+#include <openssl/mdc2.h>
+#define MD_DIGEST_LENGTH        MDC2_DIGEST_LENGTH
+#define MD_CTX                  MDC2_CTX
+#define MD_Init(a)              MDC2_Init(a)
+#define MD_Update(a,b,c)        MDC2_Update(a,b,c)
+#define MD_Final(a,b)           MDC2_Final(a,b)
+#define MD(a,b,c)               MDC2(a,b,c)
+#elif defined(USE_MD2_RAND)
+#include <openssl/md2.h>
+#define MD_DIGEST_LENGTH        MD2_DIGEST_LENGTH
+#define MD_CTX                  MD2_CTX
+#define MD_Init(a)              MD2_Init(a)
+#define MD_Update(a,b,c)        MD2_Update(a,b,c)
+#define MD_Final(a,b)           MD2_Final(a,b)
+#define MD(a,b,c)               MD2(a,b,c)
+#endif
+
+
+#endif
diff --git a/src/lib/libssl/src/crypto/rand/rand_lib.c b/src/lib/libssl/src/crypto/rand/rand_lib.c
new file mode 100644
index 0000000000..34c6d5b968
--- /dev/null
+++ b/src/lib/libssl/src/crypto/rand/rand_lib.c
@@ -0,0 +1,98 @@
+/* crypto/rand/rand_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <time.h>
+#include <openssl/rand.h>
+
+#ifdef NO_RAND
+static RAND_METHOD *rand_meth=NULL;
+#else
+extern RAND_METHOD rand_ssleay_meth;
+static RAND_METHOD *rand_meth= &rand_ssleay_meth;
+#endif
+
+void RAND_set_rand_method(RAND_METHOD *meth)
+        {
+        rand_meth=meth;
+        }
+
+RAND_METHOD *RAND_get_rand_method(void)
+        {
+        return(rand_meth);
+        }
+
+void RAND_cleanup(void)
+        {
+        if (rand_meth != NULL)
+                rand_meth->cleanup();
+        }
+
+void RAND_seed(const void *buf, int num)
+        {
+        if (rand_meth != NULL)
+                rand_meth->seed(buf,num);
+        }
+
+void RAND_bytes(unsigned char *buf, int num)
+        {
+        if (rand_meth != NULL)
+                rand_meth->bytes(buf,num);
+        }
+
diff --git a/src/lib/libssl/src/crypto/rand/rand_os2.c b/src/lib/libssl/src/crypto/rand/rand_os2.c
new file mode 100644
index 0000000000..c3e36d4e5e
--- /dev/null
+++ b/src/lib/libssl/src/crypto/rand/rand_os2.c
@@ -0,0 +1,147 @@
+/* crypto/rand/rand_os2.c */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "cryptlib.h"
+#include <openssl/rand.h>
+#include "rand_lcl.h"
+
+#ifdef OPENSSL_SYS_OS2
+
+#define INCL_DOSPROCESS
+#define INCL_DOSPROFILE
+#define INCL_DOSMISC
+#define INCL_DOSMODULEMGR
+#include <os2.h>
+
+#define   CMD_KI_RDCNT    (0x63)
+
+typedef struct _CPUUTIL {
+    ULONG ulTimeLow;            /* Low 32 bits of time stamp      */
+    ULONG ulTimeHigh;           /* High 32 bits of time stamp     */
+    ULONG ulIdleLow;            /* Low 32 bits of idle time       */
+    ULONG ulIdleHigh;           /* High 32 bits of idle time      */
+    ULONG ulBusyLow;            /* Low 32 bits of busy time       */
+    ULONG ulBusyHigh;           /* High 32 bits of busy time      */
+    ULONG ulIntrLow;            /* Low 32 bits of interrupt time  */
+    ULONG ulIntrHigh;           /* High 32 bits of interrupt time */
+} CPUUTIL;
+
+APIRET APIENTRY(*DosPerfSysCall) (ULONG ulCommand, ULONG ulParm1, ULONG ulParm2, ULONG ulParm3) = NULL;
+APIRET APIENTRY(*DosQuerySysState) (ULONG func, ULONG arg1, ULONG pid, ULONG _res_, PVOID buf, ULONG bufsz) = NULL;
+HMODULE hDoscalls = 0;
+
+int RAND_poll(void)
+{
+    char failed_module[20];
+    QWORD qwTime;
+    ULONG SysVars[QSV_FOREGROUND_PROCESS];
+
+    if (hDoscalls == 0) {
+        ULONG rc = DosLoadModule(failed_module, sizeof(failed_module), "DOSCALLS", &hDoscalls);
+
+        if (rc == 0) {
+            rc = DosQueryProcAddr(hDoscalls, 976, NULL, (PFN *)&DosPerfSysCall);
+
+            if (rc)
+                DosPerfSysCall = NULL;
+
+            rc = DosQueryProcAddr(hDoscalls, 368, NULL, (PFN *)&DosQuerySysState);
+
+            if (rc)
+                DosQuerySysState = NULL;
+        }
+    }
+
+    /* Sample the hi-res timer, runs at around 1.1 MHz */
+    DosTmrQueryTime(&qwTime);
+    RAND_add(&qwTime, sizeof(qwTime), 2);
+
+    /* Sample a bunch of system variables, includes various process & memory statistics */
+    DosQuerySysInfo(1, QSV_FOREGROUND_PROCESS, SysVars, sizeof(SysVars));
+    RAND_add(SysVars, sizeof(SysVars), 4);
+
+    /* If available, sample CPU registers that count at CPU MHz
+     * Only fairly new CPUs (PPro & K6 onwards) & OS/2 versions support this
+     */
+    if (DosPerfSysCall) {
+        CPUUTIL util;
+
+        if (DosPerfSysCall(CMD_KI_RDCNT, (ULONG)&util, 0, 0) == 0) {
+            RAND_add(&util, sizeof(util), 10);
+        }
+        else {
+            DosPerfSysCall = NULL;
+        }
+    }
+
+    /* DosQuerySysState() gives us a huge quantity of process, thread, memory & handle stats */
+    if (DosQuerySysState) {
+        char *buffer = OPENSSL_malloc(256 * 1024);
+
+        if (DosQuerySysState(0x1F, 0, 0, 0, buffer, 256 * 1024) == 0) {
+            /* First 4 bytes in buffer is a pointer to the thread count
+             * there should be at least 1 byte of entropy per thread
+             */
+            RAND_add(buffer, 256 * 1024, **(ULONG **)buffer);
+        }
+
+        OPENSSL_free(buffer);
+        return 1;
+    }
+
+    return 0;
+}
+
+#endif /* OPENSSL_SYS_OS2 */
diff --git a/src/lib/libssl/src/crypto/rand/rand_unix.c b/src/lib/libssl/src/crypto/rand/rand_unix.c
new file mode 100644
index 0000000000..0b29235130
--- /dev/null
+++ b/src/lib/libssl/src/crypto/rand/rand_unix.c
@@ -0,0 +1,274 @@
+/* crypto/rand/rand_unix.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "cryptlib.h"
+#include <openssl/rand.h>
+#include "rand_lcl.h"
+
+#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2))
+
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/times.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <time.h>
+
+#ifdef __OpenBSD__
+#undef DEVRANDOM
+#define DEVRANDOM "/dev/arandom"
+int RAND_poll(void)
+{
+        unsigned long l;
+        pid_t curr_pid = getpid();
+        FILE *fh;
+
+        /* Use a random entropy pool device. Linux, FreeBSD and OpenBSD
+         * have this. Use /dev/urandom if you can as /dev/random may block
+         * if it runs out of random entries.  */
+
+        if ((fh = fopen(DEVRANDOM, "r")) != NULL)
+                {
+                unsigned char tmpbuf[ENTROPY_NEEDED];
+                int n;
+
+                setvbuf(fh, NULL, _IONBF, 0);
+                n=fread((unsigned char *)tmpbuf,1,ENTROPY_NEEDED,fh);
+                fclose(fh);
+                RAND_add(tmpbuf,sizeof tmpbuf,n);
+                memset(tmpbuf,0,n);
+                }
+
+        /* put in some default random data, we need more than just this */
+        l=curr_pid;
+        RAND_add(&l,sizeof(l),0);
+        l=getuid();
+        RAND_add(&l,sizeof(l),0);
+
+        l=time(NULL);
+        RAND_add(&l,sizeof(l),0);
+
+        return 1;
+}
+#else
+int RAND_poll(void)
+{
+        unsigned long l;
+        pid_t curr_pid = getpid();
+#if defined(DEVRANDOM) || defined(DEVRANDOM_EGD)
+        unsigned char tmpbuf[ENTROPY_NEEDED];
+        int n = 0;
+#endif
+#ifdef DEVRANDOM
+        static const char *randomfiles[] = { DEVRANDOM, NULL };
+        const char **randomfile = NULL;
+        int fd;
+#endif
+#ifdef DEVRANDOM_EGD
+        static const char *egdsockets[] = { DEVRANDOM_EGD, NULL };
+        const char **egdsocket = NULL;
+#endif
+
+#ifdef DEVRANDOM
+        /* Use a random entropy pool device. Linux, FreeBSD and OpenBSD
+         * have this. Use /dev/urandom if you can as /dev/random may block
+         * if it runs out of random entries.  */
+
+        for (randomfile = randomfiles; *randomfile && n < ENTROPY_NEEDED; randomfile++)
+                {
+                if ((fd = open(*randomfile, O_RDONLY|O_NONBLOCK
+#ifdef O_NOCTTY /* If it happens to be a TTY (god forbid), do not make it
+                   our controlling tty */
+                        |O_NOCTTY
+#endif
+#ifdef O_NOFOLLOW /* Fail if the file is a symbolic link */
+                        |O_NOFOLLOW
+#endif
+                        )) >= 0)
+                        {
+                        struct timeval t = { 0, 10*1000 }; /* Spend 10ms on
+                                                              each file. */
+                        int r;
+                        fd_set fset;
+
+                        do
+                                {
+                                FD_ZERO(&fset);
+                                FD_SET(fd, &fset);
+                                r = -1;
+
+                                if (select(fd+1,&fset,NULL,NULL,&t) < 0)
+                                        t.tv_usec=0;
+                                else if (FD_ISSET(fd, &fset))
+                                        {
+                                        r=read(fd,(unsigned char *)tmpbuf+n,
+                                               ENTROPY_NEEDED-n);
+                                        if (r > 0)
+                                                n += r;
+                                        }
+
+                                /* Some Unixen will update t, some
+                                   won't.  For those who won't, give
+                                   up here, otherwise, we will do
+                                   this once again for the remaining
+                                   time. */
+                                if (t.tv_usec == 10*1000)
+                                        t.tv_usec=0;
+                                }
+                        while ((r > 0 || (errno == EINTR || errno == EAGAIN))
+                                && t.tv_usec != 0 && n < ENTROPY_NEEDED);
+
+                        close(fd);
+                        }
+                }
+#endif
+
+#ifdef DEVRANDOM_EGD
+        /* Use an EGD socket to read entropy from an EGD or PRNGD entropy
+         * collecting daemon. */
+
+        for (egdsocket = egdsockets; *egdsocket && n < ENTROPY_NEEDED; egdsocket++)
+                {
+                int r;
+
+                r = RAND_query_egd_bytes(*egdsocket, (unsigned char *)tmpbuf+n,
+                                         ENTROPY_NEEDED-n);
+                if (r > 0)
+                        n += r;
+                }
+#endif
+
+#if defined(DEVRANDOM) || defined(DEVRANDOM_EGD)
+        if (n > 0)
+                {
+                RAND_add(tmpbuf,sizeof tmpbuf,n);
+                memset(tmpbuf,0,n);
+                }
+#endif
+
+        /* put in some default random data, we need more than just this */
+        l=curr_pid;
+        RAND_add(&l,sizeof(l),0);
+        l=getuid();
+        RAND_add(&l,sizeof(l),0);
+
+        l=time(NULL);
+        RAND_add(&l,sizeof(l),0);
+
+#if defined(DEVRANDOM) || defined(DEVRANDOM_EGD)
+        return 1;
+#else
+        return 0;
+#endif
+}
+
+#endif
+#endif
diff --git a/src/lib/libssl/src/crypto/rand/rand_vms.c b/src/lib/libssl/src/crypto/rand/rand_vms.c
new file mode 100644
index 0000000000..29b2d7af0b
--- /dev/null
+++ b/src/lib/libssl/src/crypto/rand/rand_vms.c
@@ -0,0 +1,135 @@
+/* crypto/rand/rand_vms.c -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte <richard@levitte.org> for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/rand.h>
+#include "rand_lcl.h"
+
+#if defined(OPENSSL_SYS_VMS)
+
+#include <descrip.h>
+#include <jpidef.h>
+#include <ssdef.h>
+#include <starlet.h>
+#ifdef __DECC
+# pragma message disable DOLLARID
+#endif
+
+static struct items_data_st
+        {
+        short length, code;     /* length is amount of bytes */
+        } items_data[] =
+                { { 4, JPI$_BUFIO },
+                  { 4, JPI$_CPUTIM },
+                  { 4, JPI$_DIRIO },
+                  { 8, JPI$_LOGINTIM },
+                  { 4, JPI$_PAGEFLTS },
+                  { 4, JPI$_PID },
+                  { 4, JPI$_WSSIZE },
+                  { 0, 0 }
+                };
+                  
+int RAND_poll(void)
+        {
+        long pid, iosb[2];
+        int status = 0;
+        struct
+                {
+                short length, code;
+                long *buffer;
+                int *retlen;
+                } item[32], *pitem;
+        unsigned char data_buffer[256];
+        short total_length = 0;
+        struct items_data_st *pitems_data;
+
+        pitems_data = items_data;
+        pitem = item;
+
+        /* Setup */
+        while (pitems_data->length)
+                {
+                pitem->length = pitems_data->length;
+                pitem->code = pitems_data->code;
+                pitem->buffer = (long *)data_buffer[total_length];
+                pitem->retlen = 0;
+                total_length += pitems_data->length;
+                pitems_data++;
+                pitem++;
+                }
+        pitem->length = pitem->code = 0;
+
+        /*
+         * Scan through all the processes in the system and add entropy with
+         * results from the processes that were possible to look at.
+         * However, view the information as only half trustable.
+         */
+        pid = -1;                       /* search context */
+        while ((status = sys$getjpiw(0, &pid,  0, item, iosb, 0, 0))
+                != SS$_NOMOREPROC)
+                {
+                if (status == SS$_NORMAL)
+                        {
+                        RAND_add(data_buffer, total_length, total_length/2);
+                        }
+                }
+        sys$gettim(iosb);
+        RAND_add((unsigned char *)iosb, sizeof(iosb), sizeof(iosb)/2);
+        return 1;
+}
+
+#endif
diff --git a/src/lib/libssl/src/crypto/rand/rand_win.c b/src/lib/libssl/src/crypto/rand/rand_win.c
new file mode 100644
index 0000000000..9f2dcff9a9
--- /dev/null
+++ b/src/lib/libssl/src/crypto/rand/rand_win.c
@@ -0,0 +1,732 @@
+/* crypto/rand/rand_win.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "cryptlib.h"
+#include <openssl/rand.h>
+#include "rand_lcl.h"
+
+#if defined(WINDOWS) || defined(WIN32)
+#include <windows.h>
+#ifndef _WIN32_WINNT
+# define _WIN32_WINNT 0x0400
+#endif
+#include <wincrypt.h>
+#include <tlhelp32.h>
+
+/* Intel hardware RNG CSP -- available from
+ * http://developer.intel.com/design/security/rng/redist_license.htm
+ */
+#define PROV_INTEL_SEC 22
+#define INTEL_DEF_PROV "Intel Hardware Cryptographic Service Provider"
+
+static void readtimer(void);
+static void readscreen(void);
+
+/* It appears like CURSORINFO, PCURSORINFO and LPCURSORINFO are only defined
+   when WINVER is 0x0500 and up, which currently only happens on Win2000.
+   Unfortunately, those are typedefs, so they're a little bit difficult to
+   detect properly.  On the other hand, the macro CURSOR_SHOWING is defined
+   within the same conditional, so it can be use to detect the absence of said
+   typedefs. */
+
+#ifndef CURSOR_SHOWING
+/*
+ * Information about the global cursor.
+ */
+typedef struct tagCURSORINFO
+{
+    DWORD   cbSize;
+    DWORD   flags;
+    HCURSOR hCursor;
+    POINT   ptScreenPos;
+} CURSORINFO, *PCURSORINFO, *LPCURSORINFO;
+
+#define CURSOR_SHOWING     0x00000001
+#endif /* CURSOR_SHOWING */
+
+typedef BOOL (WINAPI *CRYPTACQUIRECONTEXT)(HCRYPTPROV *, LPCTSTR, LPCTSTR,
+                                    DWORD, DWORD);
+typedef BOOL (WINAPI *CRYPTGENRANDOM)(HCRYPTPROV, DWORD, BYTE *);
+typedef BOOL (WINAPI *CRYPTRELEASECONTEXT)(HCRYPTPROV, DWORD);
+
+typedef HWND (WINAPI *GETFOREGROUNDWINDOW)(VOID);
+typedef BOOL (WINAPI *GETCURSORINFO)(PCURSORINFO);
+typedef DWORD (WINAPI *GETQUEUESTATUS)(UINT);
+
+typedef HANDLE (WINAPI *CREATETOOLHELP32SNAPSHOT)(DWORD, DWORD);
+typedef BOOL (WINAPI *HEAP32FIRST)(LPHEAPENTRY32, DWORD, DWORD);
+typedef BOOL (WINAPI *HEAP32NEXT)(LPHEAPENTRY32);
+typedef BOOL (WINAPI *HEAP32LIST)(HANDLE, LPHEAPLIST32);
+typedef BOOL (WINAPI *PROCESS32)(HANDLE, LPPROCESSENTRY32);
+typedef BOOL (WINAPI *THREAD32)(HANDLE, LPTHREADENTRY32);
+typedef BOOL (WINAPI *MODULE32)(HANDLE, LPMODULEENTRY32);
+
+#include <lmcons.h>
+#include <lmstats.h>
+#if 1 /* The NET API is Unicode only.  It requires the use of the UNICODE
+       * macro.  When UNICODE is defined LPTSTR becomes LPWSTR.  LMSTR was
+       * was added to the Platform SDK to allow the NET API to be used in
+       * non-Unicode applications provided that Unicode strings were still
+       * used for input.  LMSTR is defined as LPWSTR.
+       */
+typedef NET_API_STATUS (NET_API_FUNCTION * NETSTATGET)
+        (LPWSTR, LPWSTR, DWORD, DWORD, LPBYTE*);
+typedef NET_API_STATUS (NET_API_FUNCTION * NETFREE)(LPBYTE);
+#endif /* 1 */
+
+int RAND_poll(void)
+{
+        MEMORYSTATUS m;
+        HCRYPTPROV hProvider = 0;
+        BYTE buf[64];
+        DWORD w;
+        HWND h;
+
+        HMODULE advapi, kernel, user, netapi;
+        CRYPTACQUIRECONTEXT acquire = 0;
+        CRYPTGENRANDOM gen = 0;
+        CRYPTRELEASECONTEXT release = 0;
+#if 1 /* There was previously a problem with NETSTATGET.  Currently, this
+       * section is still experimental, but if all goes well, this conditional
+       * will be removed
+       */
+        NETSTATGET netstatget = 0;
+        NETFREE netfree = 0;
+#endif /* 1 */
+
+        /* Determine the OS version we are on so we can turn off things 
+         * that do not work properly.
+         */
+        OSVERSIONINFO osverinfo ;
+        osverinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO) ;
+        GetVersionEx( &osverinfo ) ;
+
+        /* load functions dynamically - not available on all systems */
+        advapi = LoadLibrary("ADVAPI32.DLL");
+        kernel = LoadLibrary("KERNEL32.DLL");
+        user = LoadLibrary("USER32.DLL");
+        netapi = LoadLibrary("NETAPI32.DLL");
+
+#if 1 /* There was previously a problem with NETSTATGET.  Currently, this
+       * section is still experimental, but if all goes well, this conditional
+       * will be removed
+       */
+        if (netapi)
+                {
+                netstatget = (NETSTATGET) GetProcAddress(netapi,"NetStatisticsGet");
+                netfree = (NETFREE) GetProcAddress(netapi,"NetApiBufferFree");
+                }
+
+        if (netstatget && netfree)
+                {
+                LPBYTE outbuf;
+                /* NetStatisticsGet() is a Unicode only function
+                 * STAT_WORKSTATION_0 contains 45 fields and STAT_SERVER_0
+                 * contains 17 fields.  We treat each field as a source of
+                 * one byte of entropy.
+                 */
+
+                if (netstatget(NULL, L"LanmanWorkstation", 0, 0, &outbuf) == 0)
+                        {
+                        RAND_add(outbuf, sizeof(STAT_WORKSTATION_0), 45);
+                        netfree(outbuf);
+                        }
+                if (netstatget(NULL, L"LanmanServer", 0, 0, &outbuf) == 0)
+                        {
+                        RAND_add(outbuf, sizeof(STAT_SERVER_0), 17);
+                        netfree(outbuf);
+                        }
+                }
+
+        if (netapi)
+                FreeLibrary(netapi);
+#endif /* 1 */
+ 
+        /* It appears like this can cause an exception deep within ADVAPI32.DLL
+         * at random times on Windows 2000.  Reported by Jeffrey Altman.  
+         * Only use it on NT.
+         */
+        if ( osverinfo.dwPlatformId == VER_PLATFORM_WIN32_NT &&
+                osverinfo.dwMajorVersion < 5)
+                {
+                /* Read Performance Statistics from NT/2000 registry
+                 * The size of the performance data can vary from call
+                 * to call so we must guess the size of the buffer to use
+                 * and increase its size if we get an ERROR_MORE_DATA
+                 * return instead of ERROR_SUCCESS.
+                 */
+                LONG   rc=ERROR_MORE_DATA;
+                char * buf=NULL;
+                DWORD bufsz=0;
+                DWORD length;
+
+                while (rc == ERROR_MORE_DATA)
+                        {
+                        buf = realloc(buf,bufsz+8192);
+                        if (!buf)
+                                break;
+                        bufsz += 8192;
+
+                        length = bufsz;
+                        rc = RegQueryValueEx(HKEY_PERFORMANCE_DATA, "Global",
+                                NULL, NULL, buf, &length);
+                        }
+                if (rc == ERROR_SUCCESS)
+                        {
+                        /* For entropy count assume only least significant
+                         * byte of each DWORD is random.
+                         */
+                        RAND_add(&length, sizeof(length), 0);
+                        RAND_add(buf, length, length / 4.0);
+                        }
+                if (buf)
+                        free(buf);
+                }
+
+        if (advapi)
+                {
+                acquire = (CRYPTACQUIRECONTEXT) GetProcAddress(advapi,
+                        "CryptAcquireContextA");
+                gen = (CRYPTGENRANDOM) GetProcAddress(advapi,
+                        "CryptGenRandom");
+                release = (CRYPTRELEASECONTEXT) GetProcAddress(advapi,
+                        "CryptReleaseContext");
+                }
+
+        if (acquire && gen && release)
+                {
+                /* poll the CryptoAPI PRNG */
+                /* The CryptoAPI returns sizeof(buf) bytes of randomness */
+                if (acquire(&hProvider, 0, 0, PROV_RSA_FULL,
+                        CRYPT_VERIFYCONTEXT))
+                        {
+                        if (gen(hProvider, sizeof(buf), buf) != 0)
+                                {
+                                RAND_add(buf, sizeof(buf), sizeof(buf));
+#ifdef DEBUG
+                                printf("randomness from PROV_RSA_FULL\n");
+#endif
+                                }
+                        release(hProvider, 0); 
+                        }
+                
+                /* poll the Pentium PRG with CryptoAPI */
+                if (acquire(&hProvider, 0, INTEL_DEF_PROV, PROV_INTEL_SEC, 0))
+                        {
+                        if (gen(hProvider, sizeof(buf), buf) != 0)
+                                {
+                                RAND_add(buf, sizeof(buf), sizeof(buf));
+#ifdef DEBUG
+                                printf("randomness from PROV_INTEL_SEC\n");
+#endif
+                                }
+                        release(hProvider, 0);
+                        }
+                }
+
+        if (advapi)
+                FreeLibrary(advapi);
+
+        /* timer data */
+        readtimer();
+        
+        /* memory usage statistics */
+        GlobalMemoryStatus(&m);
+        RAND_add(&m, sizeof(m), 1);
+
+        /* process ID */
+        w = GetCurrentProcessId();
+        RAND_add(&w, sizeof(w), 1);
+
+        if (user)
+                {
+                GETCURSORINFO cursor;
+                GETFOREGROUNDWINDOW win;
+                GETQUEUESTATUS queue;
+
+                win = (GETFOREGROUNDWINDOW) GetProcAddress(user, "GetForegroundWindow");
+                cursor = (GETCURSORINFO) GetProcAddress(user, "GetCursorInfo");
+                queue = (GETQUEUESTATUS) GetProcAddress(user, "GetQueueStatus");
+
+                if (win)
+                        {
+                        /* window handle */
+                        h = win();
+                        RAND_add(&h, sizeof(h), 0);
+                        }
+                if (cursor)
+                        {
+                        /* unfortunately, its not safe to call GetCursorInfo()
+                         * on NT4 even though it exists in SP3 (or SP6) and
+                         * higher.
+                         */
+                        if ( osverinfo.dwPlatformId == VER_PLATFORM_WIN32_NT &&
+                                osverinfo.dwMajorVersion < 5)
+                                cursor = 0;
+                        }
+                if (cursor)
+                        {
+                        /* cursor position */
+                        /* assume 2 bytes of entropy */
+                        CURSORINFO ci;
+                        ci.cbSize = sizeof(CURSORINFO);
+                        if (cursor(&ci))
+                                RAND_add(&ci, ci.cbSize, 2);
+                        }
+
+                if (queue)
+                        {
+                        /* message queue status */
+                        /* assume 1 byte of entropy */
+                        w = queue(QS_ALLEVENTS);
+                        RAND_add(&w, sizeof(w), 1);
+                        }
+
+                FreeLibrary(user);
+                }
+
+        /* Toolhelp32 snapshot: enumerate processes, threads, modules and heap
+         * http://msdn.microsoft.com/library/psdk/winbase/toolhelp_5pfd.htm
+         * (Win 9x and 2000 only, not available on NT)
+         *
+         * This seeding method was proposed in Peter Gutmann, Software
+         * Generation of Practically Strong Random Numbers,
+         * http://www.usenix.org/publications/library/proceedings/sec98/gutmann.html
+     * revised version at http://www.cryptoengines.com/~peter/06_random.pdf
+         * (The assignment of entropy estimates below is arbitrary, but based
+         * on Peter's analysis the full poll appears to be safe. Additional
+         * interactive seeding is encouraged.)
+         */
+
+        if (kernel)
+                {
+                CREATETOOLHELP32SNAPSHOT snap;
+                HANDLE handle;
+
+                HEAP32FIRST heap_first;
+                HEAP32NEXT heap_next;
+                HEAP32LIST heaplist_first, heaplist_next;
+                PROCESS32 process_first, process_next;
+                THREAD32 thread_first, thread_next;
+                MODULE32 module_first, module_next;
+
+                HEAPLIST32 hlist;
+                HEAPENTRY32 hentry;
+                PROCESSENTRY32 p;
+                THREADENTRY32 t;
+                MODULEENTRY32 m;
+
+                snap = (CREATETOOLHELP32SNAPSHOT)
+                        GetProcAddress(kernel, "CreateToolhelp32Snapshot");
+                heap_first = (HEAP32FIRST) GetProcAddress(kernel, "Heap32First");
+                heap_next = (HEAP32NEXT) GetProcAddress(kernel, "Heap32Next");
+                heaplist_first = (HEAP32LIST) GetProcAddress(kernel, "Heap32ListFirst");
+                heaplist_next = (HEAP32LIST) GetProcAddress(kernel, "Heap32ListNext");
+                process_first = (PROCESS32) GetProcAddress(kernel, "Process32First");
+                process_next = (PROCESS32) GetProcAddress(kernel, "Process32Next");
+                thread_first = (THREAD32) GetProcAddress(kernel, "Thread32First");
+                thread_next = (THREAD32) GetProcAddress(kernel, "Thread32Next");
+                module_first = (MODULE32) GetProcAddress(kernel, "Module32First");
+                module_next = (MODULE32) GetProcAddress(kernel, "Module32Next");
+
+                if (snap && heap_first && heap_next && heaplist_first &&
+                        heaplist_next && process_first && process_next &&
+                        thread_first && thread_next && module_first &&
+                        module_next && (handle = snap(TH32CS_SNAPALL,0))
+                        != NULL)
+                        {
+                        /* heap list and heap walking */
+                        /* HEAPLIST32 contains 3 fields that will change with
+                         * each entry.  Consider each field a source of 1 byte
+                         * of entropy.
+                         * HEAPENTRY32 contains 5 fields that will change with 
+                         * each entry.  Consider each field a source of 1 byte
+                         * of entropy.
+                         */
+                        hlist.dwSize = sizeof(HEAPLIST32);              
+                        if (heaplist_first(handle, &hlist))
+                                do
+                                        {
+                                        RAND_add(&hlist, hlist.dwSize, 3);
+                                        hentry.dwSize = sizeof(HEAPENTRY32);
+                                        if (heap_first(&hentry,
+                                                hlist.th32ProcessID,
+                                                hlist.th32HeapID))
+                                                {
+                                                int entrycnt = 50;
+                                                do
+                                                        RAND_add(&hentry,
+                                                                hentry.dwSize, 5);
+                                                while (heap_next(&hentry)
+                                                        && --entrycnt > 0);
+                                                }
+                                        } while (heaplist_next(handle,
+                                                &hlist));
+                        
+                        /* process walking */
+                        /* PROCESSENTRY32 contains 9 fields that will change
+                         * with each entry.  Consider each field a source of
+                         * 1 byte of entropy.
+                         */
+                        p.dwSize = sizeof(PROCESSENTRY32);
+                        if (process_first(handle, &p))
+                                do
+                                        RAND_add(&p, p.dwSize, 9);
+                                while (process_next(handle, &p));
+
+                        /* thread walking */
+                        /* THREADENTRY32 contains 6 fields that will change
+                         * with each entry.  Consider each field a source of
+                         * 1 byte of entropy.
+                         */
+                        t.dwSize = sizeof(THREADENTRY32);
+                        if (thread_first(handle, &t))
+                                do
+                                        RAND_add(&t, t.dwSize, 6);
+                                while (thread_next(handle, &t));
+
+                        /* module walking */
+                        /* MODULEENTRY32 contains 9 fields that will change
+                         * with each entry.  Consider each field a source of
+                         * 1 byte of entropy.
+                         */
+                        m.dwSize = sizeof(MODULEENTRY32);
+                        if (module_first(handle, &m))
+                                do
+                                        RAND_add(&m, m.dwSize, 9);
+                                while (module_next(handle, &m));
+
+                        CloseHandle(handle);
+                        }
+
+                FreeLibrary(kernel);
+                }
+
+#ifdef DEBUG
+        printf("Exiting RAND_poll\n");
+#endif
+
+        return(1);
+}
+
+int RAND_event(UINT iMsg, WPARAM wParam, LPARAM lParam)
+        {
+        double add_entropy=0;
+
+        switch (iMsg)
+                {
+        case WM_KEYDOWN:
+                        {
+                        static WPARAM key;
+                        if (key != wParam)
+                                add_entropy = 0.05;
+                        key = wParam;
+                        }
+                        break;
+        case WM_MOUSEMOVE:
+                        {
+                        static int lastx,lasty,lastdx,lastdy;
+                        int x,y,dx,dy;
+
+                        x=LOWORD(lParam);
+                        y=HIWORD(lParam);
+                        dx=lastx-x;
+                        dy=lasty-y;
+                        if (dx != 0 && dy != 0 && dx-lastdx != 0 && dy-lastdy != 0)
+                                add_entropy=.2;
+                        lastx=x, lasty=y;
+                        lastdx=dx, lastdy=dy;
+                        }
+                break;
+                }
+
+        readtimer();
+        RAND_add(&iMsg, sizeof(iMsg), add_entropy);
+        RAND_add(&wParam, sizeof(wParam), 0);
+        RAND_add(&lParam, sizeof(lParam), 0);
+ 
+        return (RAND_status());
+        }
+
+
+void RAND_screen(void) /* function available for backward compatibility */
+{
+        RAND_poll();
+        readscreen();
+}
+
+
+/* feed timing information to the PRNG */
+static void readtimer(void)
+{
+        DWORD w;
+        LARGE_INTEGER l;
+        static int have_perfc = 1;
+#ifndef __GNUC__
+        static int have_tsc = 1;
+        DWORD cyclecount;
+
+        if (have_tsc) {
+          __try {
+            __asm {
+              rdtsc
+              mov cyclecount, eax
+              }
+            RAND_add(&cyclecount, sizeof(cyclecount), 1);
+          } __except(EXCEPTION_EXECUTE_HANDLER) {
+            have_tsc = 0;
+          }
+        }
+#else
+# define have_tsc 0
+#endif
+
+        if (have_perfc) {
+          if (QueryPerformanceCounter(&l) == 0)
+            have_perfc = 0;
+          else
+            RAND_add(&l, sizeof(l), 0);
+        }
+
+        if (!have_tsc && !have_perfc) {
+          w = GetTickCount();
+          RAND_add(&w, sizeof(w), 0);
+        }
+}
+
+/* feed screen contents to PRNG */
+/*****************************************************************************
+ *
+ * Created 960901 by Gertjan van Oosten, gertjan@West.NL, West Consulting B.V.
+ *
+ * Code adapted from
+ * <URL:http://www.microsoft.com/kb/developr/win_dk/q97193.htm>;
+ * the original copyright message is:
+ *
+ *   (C) Copyright Microsoft Corp. 1993.  All rights reserved.
+ *
+ *   You have a royalty-free right to use, modify, reproduce and
+ *   distribute the Sample Files (and/or any modified version) in
+ *   any way you find useful, provided that you agree that
+ *   Microsoft has no warranty obligations or liability for any
+ *   Sample Application Files which are modified.
+ */
+
+static void readscreen(void)
+{
+  HDC           hScrDC;         /* screen DC */
+  HDC           hMemDC;         /* memory DC */
+  HBITMAP       hBitmap;        /* handle for our bitmap */
+  HBITMAP       hOldBitmap;     /* handle for previous bitmap */
+  BITMAP        bm;             /* bitmap properties */
+  unsigned int  size;           /* size of bitmap */
+  char          *bmbits;        /* contents of bitmap */
+  int           w;              /* screen width */
+  int           h;              /* screen height */
+  int           y;              /* y-coordinate of screen lines to grab */
+  int           n = 16;         /* number of screen lines to grab at a time */
+
+  /* Create a screen DC and a memory DC compatible to screen DC */
+  hScrDC = CreateDC("DISPLAY", NULL, NULL, NULL);
+  hMemDC = CreateCompatibleDC(hScrDC);
+
+  /* Get screen resolution */
+  w = GetDeviceCaps(hScrDC, HORZRES);
+  h = GetDeviceCaps(hScrDC, VERTRES);
+
+  /* Create a bitmap compatible with the screen DC */
+  hBitmap = CreateCompatibleBitmap(hScrDC, w, n);
+
+  /* Select new bitmap into memory DC */
+  hOldBitmap = SelectObject(hMemDC, hBitmap);
+
+  /* Get bitmap properties */
+  GetObject(hBitmap, sizeof(BITMAP), (LPSTR)&bm);
+  size = (unsigned int)bm.bmWidthBytes * bm.bmHeight * bm.bmPlanes;
+
+  bmbits = OPENSSL_malloc(size);
+  if (bmbits) {
+    /* Now go through the whole screen, repeatedly grabbing n lines */
+    for (y = 0; y < h-n; y += n)
+        {
+        unsigned char md[MD_DIGEST_LENGTH];
+
+        /* Bitblt screen DC to memory DC */
+        BitBlt(hMemDC, 0, 0, w, n, hScrDC, 0, y, SRCCOPY);
+
+        /* Copy bitmap bits from memory DC to bmbits */
+        GetBitmapBits(hBitmap, size, bmbits);
+
+        /* Get the hash of the bitmap */
+        MD(bmbits,size,md);
+
+        /* Seed the random generator with the hash value */
+        RAND_add(md, MD_DIGEST_LENGTH, 0);
+        }
+
+    OPENSSL_free(bmbits);
+  }
+
+  /* Select old bitmap back into memory DC */
+  hBitmap = SelectObject(hMemDC, hOldBitmap);
+
+  /* Clean up */
+  DeleteObject(hBitmap);
+  DeleteDC(hMemDC);
+  DeleteDC(hScrDC);
+}
+
+#else /* Unix version */
+
+#include <time.h>
+
+int RAND_poll(void)
+{
+        unsigned long l;
+        pid_t curr_pid = getpid();
+#ifdef DEVRANDOM
+        FILE *fh;
+#endif
+
+#ifdef DEVRANDOM
+        /* Use a random entropy pool device. Linux, FreeBSD and OpenBSD
+         * have this. Use /dev/urandom if you can as /dev/random may block
+         * if it runs out of random entries.  */
+
+        if ((fh = fopen(DEVRANDOM, "r")) != NULL)
+                {
+                unsigned char tmpbuf[ENTROPY_NEEDED];
+                int n;
+                
+                setvbuf(fh, NULL, _IONBF, 0);
+                n=fread((unsigned char *)tmpbuf,1,ENTROPY_NEEDED,fh);
+                fclose(fh);
+                RAND_add(tmpbuf,sizeof tmpbuf,n);
+                memset(tmpbuf,0,n);
+                }
+#endif
+
+        /* put in some default random data, we need more than just this */
+        l=curr_pid;
+        RAND_add(&l,sizeof(l),0);
+        l=getuid();
+        RAND_add(&l,sizeof(l),0);
+
+        l=time(NULL);
+        RAND_add(&l,sizeof(l),0);
+
+#ifdef DEVRANDOM
+        return 1;
+#endif
+        return 0;
+}
+
+#endif
diff --git a/src/lib/libssl/src/crypto/rc2/rc2.h b/src/lib/libssl/src/crypto/rc2/rc2.h
new file mode 100644
index 0000000000..9571efb755
--- /dev/null
+++ b/src/lib/libssl/src/crypto/rc2/rc2.h
@@ -0,0 +1,99 @@
+/* crypto/rc2/rc2.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_RC2_H
+#define HEADER_RC2_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef NO_RC2
+#error RC2 is disabled.
+#endif
+
+#define RC2_ENCRYPT     1
+#define RC2_DECRYPT     0
+
+#include <openssl/opensslconf.h> /* RC2_INT */
+#define RC2_BLOCK       8
+#define RC2_KEY_LENGTH  16
+
+typedef struct rc2_key_st
+        {
+        RC2_INT data[64];
+        } RC2_KEY;
+
+ 
+void RC2_set_key(RC2_KEY *key, int len, unsigned char *data,int bits);
+void RC2_ecb_encrypt(unsigned char *in,unsigned char *out,RC2_KEY *key,
+        int enc);
+void RC2_encrypt(unsigned long *data,RC2_KEY *key);
+void RC2_decrypt(unsigned long *data,RC2_KEY *key);
+void RC2_cbc_encrypt(unsigned char *in, unsigned char *out, long length,
+        RC2_KEY *ks, unsigned char *iv, int enc);
+void RC2_cfb64_encrypt(unsigned char *in, unsigned char *out, long length,
+        RC2_KEY *schedule, unsigned char *ivec, int *num, int enc);
+void RC2_ofb64_encrypt(unsigned char *in, unsigned char *out, long length,
+        RC2_KEY *schedule, unsigned char *ivec, int *num);
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/src/lib/libssl/src/crypto/rc2/tab.c b/src/lib/libssl/src/crypto/rc2/tab.c
new file mode 100644
index 0000000000..25dc14eeba
--- /dev/null
+++ b/src/lib/libssl/src/crypto/rc2/tab.c
@@ -0,0 +1,86 @@
+#include <stdio.h>
+
+unsigned char ebits_to_num[256]={
+        0xbd,0x56,0xea,0xf2,0xa2,0xf1,0xac,0x2a,
+        0xb0,0x93,0xd1,0x9c,0x1b,0x33,0xfd,0xd0,
+        0x30,0x04,0xb6,0xdc,0x7d,0xdf,0x32,0x4b,
+        0xf7,0xcb,0x45,0x9b,0x31,0xbb,0x21,0x5a,
+        0x41,0x9f,0xe1,0xd9,0x4a,0x4d,0x9e,0xda,
+        0xa0,0x68,0x2c,0xc3,0x27,0x5f,0x80,0x36,
+        0x3e,0xee,0xfb,0x95,0x1a,0xfe,0xce,0xa8,
+        0x34,0xa9,0x13,0xf0,0xa6,0x3f,0xd8,0x0c,
+        0x78,0x24,0xaf,0x23,0x52,0xc1,0x67,0x17,
+        0xf5,0x66,0x90,0xe7,0xe8,0x07,0xb8,0x60,
+        0x48,0xe6,0x1e,0x53,0xf3,0x92,0xa4,0x72,
+        0x8c,0x08,0x15,0x6e,0x86,0x00,0x84,0xfa,
+        0xf4,0x7f,0x8a,0x42,0x19,0xf6,0xdb,0xcd,
+        0x14,0x8d,0x50,0x12,0xba,0x3c,0x06,0x4e,
+        0xec,0xb3,0x35,0x11,0xa1,0x88,0x8e,0x2b,
+        0x94,0x99,0xb7,0x71,0x74,0xd3,0xe4,0xbf,
+        0x3a,0xde,0x96,0x0e,0xbc,0x0a,0xed,0x77,
+        0xfc,0x37,0x6b,0x03,0x79,0x89,0x62,0xc6,
+        0xd7,0xc0,0xd2,0x7c,0x6a,0x8b,0x22,0xa3,
+        0x5b,0x05,0x5d,0x02,0x75,0xd5,0x61,0xe3,
+        0x18,0x8f,0x55,0x51,0xad,0x1f,0x0b,0x5e,
+        0x85,0xe5,0xc2,0x57,0x63,0xca,0x3d,0x6c,
+        0xb4,0xc5,0xcc,0x70,0xb2,0x91,0x59,0x0d,
+        0x47,0x20,0xc8,0x4f,0x58,0xe0,0x01,0xe2,
+        0x16,0x38,0xc4,0x6f,0x3b,0x0f,0x65,0x46,
+        0xbe,0x7e,0x2d,0x7b,0x82,0xf9,0x40,0xb5,
+        0x1d,0x73,0xf8,0xeb,0x26,0xc7,0x87,0x97,
+        0x25,0x54,0xb1,0x28,0xaa,0x98,0x9d,0xa5,
+        0x64,0x6d,0x7a,0xd4,0x10,0x81,0x44,0xef,
+        0x49,0xd6,0xae,0x2e,0xdd,0x76,0x5c,0x2f,
+        0xa7,0x1c,0xc9,0x09,0x69,0x9a,0x83,0xcf,
+        0x29,0x39,0xb9,0xe9,0x4c,0xff,0x43,0xab,
+        };
+
+unsigned char num_to_ebits[256]={
+        0x5d,0xbe,0x9b,0x8b,0x11,0x99,0x6e,0x4d,
+        0x59,0xf3,0x85,0xa6,0x3f,0xb7,0x83,0xc5,
+        0xe4,0x73,0x6b,0x3a,0x68,0x5a,0xc0,0x47,
+        0xa0,0x64,0x34,0x0c,0xf1,0xd0,0x52,0xa5,
+        0xb9,0x1e,0x96,0x43,0x41,0xd8,0xd4,0x2c,
+        0xdb,0xf8,0x07,0x77,0x2a,0xca,0xeb,0xef,
+        0x10,0x1c,0x16,0x0d,0x38,0x72,0x2f,0x89,
+        0xc1,0xf9,0x80,0xc4,0x6d,0xae,0x30,0x3d,
+        0xce,0x20,0x63,0xfe,0xe6,0x1a,0xc7,0xb8,
+        0x50,0xe8,0x24,0x17,0xfc,0x25,0x6f,0xbb,
+        0x6a,0xa3,0x44,0x53,0xd9,0xa2,0x01,0xab,
+        0xbc,0xb6,0x1f,0x98,0xee,0x9a,0xa7,0x2d,
+        0x4f,0x9e,0x8e,0xac,0xe0,0xc6,0x49,0x46,
+        0x29,0xf4,0x94,0x8a,0xaf,0xe1,0x5b,0xc3,
+        0xb3,0x7b,0x57,0xd1,0x7c,0x9c,0xed,0x87,
+        0x40,0x8c,0xe2,0xcb,0x93,0x14,0xc9,0x61,
+        0x2e,0xe5,0xcc,0xf6,0x5e,0xa8,0x5c,0xd6,
+        0x75,0x8d,0x62,0x95,0x58,0x69,0x76,0xa1,
+        0x4a,0xb5,0x55,0x09,0x78,0x33,0x82,0xd7,
+        0xdd,0x79,0xf5,0x1b,0x0b,0xde,0x26,0x21,
+        0x28,0x74,0x04,0x97,0x56,0xdf,0x3c,0xf0,
+        0x37,0x39,0xdc,0xff,0x06,0xa4,0xea,0x42,
+        0x08,0xda,0xb4,0x71,0xb0,0xcf,0x12,0x7a,
+        0x4e,0xfa,0x6c,0x1d,0x84,0x00,0xc8,0x7f,
+        0x91,0x45,0xaa,0x2b,0xc2,0xb1,0x8f,0xd5,
+        0xba,0xf2,0xad,0x19,0xb2,0x67,0x36,0xf7,
+        0x0f,0x0a,0x92,0x7d,0xe3,0x9d,0xe9,0x90,
+        0x3e,0x23,0x27,0x66,0x13,0xec,0x81,0x15,
+        0xbd,0x22,0xbf,0x9f,0x7e,0xa9,0x51,0x4b,
+        0x4c,0xfb,0x02,0xd3,0x70,0x86,0x31,0xe7,
+        0x3b,0x05,0x03,0x54,0x60,0x48,0x65,0x18,
+        0xd2,0xcd,0x5f,0x32,0x88,0x0e,0x35,0xfd,
+        };
+        
+main()
+        {
+        int i,j;
+
+        for (i=0; i<256; i++)
+                {
+                for (j=0; j<256; j++)
+                        if (ebits_to_num[j] == i)
+                                {
+                                printf("0x%02x,",j);
+                                break;
+                                }
+                }
+        }
diff --git a/src/lib/libssl/src/crypto/rc4/rc4.h b/src/lib/libssl/src/crypto/rc4/rc4.h
new file mode 100644
index 0000000000..7418c2a9a2
--- /dev/null
+++ b/src/lib/libssl/src/crypto/rc4/rc4.h
@@ -0,0 +1,88 @@
+/* crypto/rc4/rc4.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_RC4_H
+#define HEADER_RC4_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef NO_RC4
+#error RC4 is disabled.
+#endif
+
+#include <openssl/opensslconf.h> /* RC4_INT */
+
+typedef struct rc4_key_st
+        {
+        RC4_INT x,y;
+        RC4_INT data[256];
+        } RC4_KEY;
+
+ 
+const char *RC4_options(void);
+void RC4_set_key(RC4_KEY *key, int len, unsigned char *data);
+void RC4(RC4_KEY *key, unsigned long len, unsigned char *indata,
+                unsigned char *outdata);
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/src/lib/libssl/src/crypto/rc4/rc4_locl.h b/src/lib/libssl/src/crypto/rc4/rc4_locl.h
new file mode 100644
index 0000000000..3bb80b6ce9
--- /dev/null
+++ b/src/lib/libssl/src/crypto/rc4/rc4_locl.h
@@ -0,0 +1,4 @@
+#ifndef HEADER_RC4_LOCL_H
+#define HEADER_RC4_LOCL_H
+#include <openssl/opensslconf.h>
+#endif
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_asn1.c b/src/lib/libssl/src/crypto/rsa/rsa_asn1.c
new file mode 100644
index 0000000000..1455a7e0e4
--- /dev/null
+++ b/src/lib/libssl/src/crypto/rsa/rsa_asn1.c
@@ -0,0 +1,121 @@
+/* rsa_asn1.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/asn1t.h>
+
+static ASN1_METHOD method={
+        (int (*)())  i2d_RSAPrivateKey,
+        (char *(*)())d2i_RSAPrivateKey,
+        (char *(*)())RSA_new,
+        (void (*)()) RSA_free};
+
+ASN1_METHOD *RSAPrivateKey_asn1_meth(void)
+        {
+        return(&method);
+        }
+
+/* Override the default free and new methods */
+static int rsa_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        if(operation == ASN1_OP_NEW_PRE) {
+                *pval = (ASN1_VALUE *)RSA_new();
+                if(*pval) return 2;
+                return 0;
+        } else if(operation == ASN1_OP_FREE_PRE) {
+                RSA_free((RSA *)*pval);
+                *pval = NULL;
+                return 2;
+        }
+        return 1;
+}
+
+ASN1_SEQUENCE_cb(RSAPrivateKey, rsa_cb) = {
+        ASN1_SIMPLE(RSA, version, LONG),
+        ASN1_SIMPLE(RSA, n, BIGNUM),
+        ASN1_SIMPLE(RSA, e, BIGNUM),
+        ASN1_SIMPLE(RSA, d, BIGNUM),
+        ASN1_SIMPLE(RSA, p, BIGNUM),
+        ASN1_SIMPLE(RSA, q, BIGNUM),
+        ASN1_SIMPLE(RSA, dmp1, BIGNUM),
+        ASN1_SIMPLE(RSA, dmq1, BIGNUM),
+        ASN1_SIMPLE(RSA, iqmp, BIGNUM)
+} ASN1_SEQUENCE_END_cb(RSA, RSAPrivateKey)
+
+
+ASN1_SEQUENCE_cb(RSAPublicKey, rsa_cb) = {
+        ASN1_SIMPLE(RSA, n, BIGNUM),
+        ASN1_SIMPLE(RSA, e, BIGNUM),
+} ASN1_SEQUENCE_END_cb(RSA, RSAPublicKey)
+
+IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(RSA, RSAPrivateKey, RSAPrivateKey)
+
+IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(RSA, RSAPublicKey, RSAPublicKey)
+
+RSA *RSAPublicKey_dup(RSA *rsa)
+        {
+        return ASN1_item_dup(ASN1_ITEM_rptr(RSAPublicKey), rsa);
+        }
+
+RSA *RSAPrivateKey_dup(RSA *rsa)
+        {
+        return ASN1_item_dup(ASN1_ITEM_rptr(RSAPrivateKey), rsa);
+        }
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_chk.c b/src/lib/libssl/src/crypto/rsa/rsa_chk.c
new file mode 100644
index 0000000000..91b9115798
--- /dev/null
+++ b/src/lib/libssl/src/crypto/rsa/rsa_chk.c
@@ -0,0 +1,184 @@
+/* crypto/rsa/rsa_chk.c  -*- Mode: C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <openssl/bn.h>
+#include <openssl/err.h>
+#include <openssl/rsa.h>
+
+
+int RSA_check_key(RSA *key)
+        {
+        BIGNUM *i, *j, *k, *l, *m;
+        BN_CTX *ctx;
+        int r;
+        int ret=1;
+        
+        i = BN_new();
+        j = BN_new();
+        k = BN_new();
+        l = BN_new();
+        m = BN_new();
+        ctx = BN_CTX_new();
+        if (i == NULL || j == NULL || k == NULL || l == NULL ||
+                m == NULL || ctx == NULL)
+                {
+                ret = -1;
+                RSAerr(RSA_F_RSA_CHECK_KEY, ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
+        
+        /* p prime? */
+        r = BN_is_prime(key->p, BN_prime_checks, NULL, NULL, NULL);
+        if (r != 1)
+                {
+                ret = r;
+                if (r != 0)
+                        goto err;
+                RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_P_NOT_PRIME);
+                }
+        
+        /* q prime? */
+        r = BN_is_prime(key->q, BN_prime_checks, NULL, NULL, NULL);
+        if (r != 1)
+                {
+                ret = r;
+                if (r != 0)
+                        goto err;
+                RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_Q_NOT_PRIME);
+                }
+        
+        /* n = p*q? */
+        r = BN_mul(i, key->p, key->q, ctx);
+        if (!r) { ret = -1; goto err; }
+        
+        if (BN_cmp(i, key->n) != 0)
+                {
+                ret = 0;
+                RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_N_DOES_NOT_EQUAL_P_Q);
+                }
+        
+        /* d*e = 1  mod lcm(p-1,q-1)? */
+
+        r = BN_sub(i, key->p, BN_value_one());
+        if (!r) { ret = -1; goto err; }
+        r = BN_sub(j, key->q, BN_value_one());
+        if (!r) { ret = -1; goto err; }
+
+        /* now compute k = lcm(i,j) */
+        r = BN_mul(l, i, j, ctx);
+        if (!r) { ret = -1; goto err; }
+        r = BN_gcd(m, i, j, ctx);
+        if (!r) { ret = -1; goto err; }
+        r = BN_div(k, NULL, l, m, ctx); /* remainder is 0 */
+        if (!r) { ret = -1; goto err; }
+
+        r = BN_mod_mul(i, key->d, key->e, k, ctx);
+        if (!r) { ret = -1; goto err; }
+
+        if (!BN_is_one(i))
+                {
+                ret = 0;
+                RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_D_E_NOT_CONGRUENT_TO_1);
+                }
+        
+        if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL)
+                {
+                /* dmp1 = d mod (p-1)? */
+                r = BN_sub(i, key->p, BN_value_one());
+                if (!r) { ret = -1; goto err; }
+
+                r = BN_mod(j, key->d, i, ctx);
+                if (!r) { ret = -1; goto err; }
+
+                if (BN_cmp(j, key->dmp1) != 0)
+                        {
+                        ret = 0;
+                        RSAerr(RSA_F_RSA_CHECK_KEY,
+                                RSA_R_DMP1_NOT_CONGRUENT_TO_D);
+                        }
+        
+                /* dmq1 = d mod (q-1)? */    
+                r = BN_sub(i, key->q, BN_value_one());
+                if (!r) { ret = -1; goto err; }
+        
+                r = BN_mod(j, key->d, i, ctx);
+                if (!r) { ret = -1; goto err; }
+
+                if (BN_cmp(j, key->dmq1) != 0)
+                        {
+                        ret = 0;
+                        RSAerr(RSA_F_RSA_CHECK_KEY,
+                                RSA_R_DMQ1_NOT_CONGRUENT_TO_D);
+                        }
+        
+                /* iqmp = q^-1 mod p? */
+                if(!BN_mod_inverse(i, key->q, key->p, ctx))
+                        {
+                        ret = -1;
+                        goto err;
+                        }
+
+                if (BN_cmp(i, key->iqmp) != 0)
+                        {
+                        ret = 0;
+                        RSAerr(RSA_F_RSA_CHECK_KEY,
+                                RSA_R_IQMP_NOT_INVERSE_OF_Q);
+                        }
+                }
+
+ err:
+        if (i != NULL) BN_free(i);
+        if (j != NULL) BN_free(j);
+        if (k != NULL) BN_free(k);
+        if (l != NULL) BN_free(l);
+        if (m != NULL) BN_free(m);
+        if (ctx != NULL) BN_CTX_free(ctx);
+        return (ret);
+        }
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_null.c b/src/lib/libssl/src/crypto/rsa/rsa_null.c
new file mode 100644
index 0000000000..7b58a0eca3
--- /dev/null
+++ b/src/lib/libssl/src/crypto/rsa/rsa_null.c
@@ -0,0 +1,149 @@
+/* rsa_null.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/rand.h>
+
+/* This is a dummy RSA implementation that just returns errors when called.
+ * It is designed to allow some RSA functions to work while stopping those
+ * covered by the RSA patent. That is RSA, encryption, decryption, signing
+ * and verify is not allowed but RSA key generation, key checking and other
+ * operations (like storing RSA keys) are permitted.
+ */
+
+static int RSA_null_public_encrypt(int flen, unsigned char *from,
+                unsigned char *to, RSA *rsa,int padding);
+static int RSA_null_private_encrypt(int flen, unsigned char *from,
+                unsigned char *to, RSA *rsa,int padding);
+static int RSA_null_public_decrypt(int flen, unsigned char *from,
+                unsigned char *to, RSA *rsa,int padding);
+static int RSA_null_private_decrypt(int flen, unsigned char *from,
+                unsigned char *to, RSA *rsa,int padding);
+#if 0 /* not currently used */
+static int RSA_null_mod_exp(BIGNUM *r0, BIGNUM *i, RSA *rsa);
+#endif
+static int RSA_null_init(RSA *rsa);
+static int RSA_null_finish(RSA *rsa);
+static RSA_METHOD rsa_null_meth={
+        "Null RSA",
+        RSA_null_public_encrypt,
+        RSA_null_public_decrypt,
+        RSA_null_private_encrypt,
+        RSA_null_private_decrypt,
+        NULL, NULL,
+        RSA_null_init,
+        RSA_null_finish,
+        0,
+        NULL,
+        };
+
+RSA_METHOD *RSA_null_method(void)
+        {
+        return(&rsa_null_meth);
+        }
+
+static int RSA_null_public_encrypt(int flen, unsigned char *from,
+             unsigned char *to, RSA *rsa, int padding)
+        {
+        RSAerr(RSA_F_RSA_NULL, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
+        return -1;
+        }
+
+static int RSA_null_private_encrypt(int flen, unsigned char *from,
+             unsigned char *to, RSA *rsa, int padding)
+        {
+        RSAerr(RSA_F_RSA_NULL, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
+        return -1;
+        }
+
+static int RSA_null_private_decrypt(int flen, unsigned char *from,
+             unsigned char *to, RSA *rsa, int padding)
+        {
+        RSAerr(RSA_F_RSA_NULL, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
+        return -1;
+        }
+
+static int RSA_null_public_decrypt(int flen, unsigned char *from,
+             unsigned char *to, RSA *rsa, int padding)
+        {
+        RSAerr(RSA_F_RSA_NULL, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
+        return -1;
+        }
+
+#if 0 /* not currently used */
+static int RSA_null_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
+        {
+        RSAerr(RSA_F_RSA_NULL, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
+        return -1;
+        }
+#endif
+
+static int RSA_null_init(RSA *rsa)
+        {
+        return(1);
+        }
+
+static int RSA_null_finish(RSA *rsa)
+        {
+        return(1);
+        }
+
+
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_oaep.c b/src/lib/libssl/src/crypto/rsa/rsa_oaep.c
new file mode 100644
index 0000000000..843c40c864
--- /dev/null
+++ b/src/lib/libssl/src/crypto/rsa/rsa_oaep.c
@@ -0,0 +1,162 @@
+/* crypto/rsa/rsa_oaep.c */
+/* Written by Ulf Moeller. This software is distributed on an "AS IS"
+   basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
+
+/* EME_OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
+
+#if !defined(NO_SHA) && !defined(NO_SHA1)
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/sha.h>
+#include <openssl/rand.h>
+
+int MGF1(unsigned char *mask, long len, unsigned char *seed, long seedlen);
+
+int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
+             unsigned char *from, int flen, unsigned char *param, int plen)
+    {
+    int i, emlen = tlen - 1;
+    unsigned char *db, *seed;
+    unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH];
+
+    if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1)
+        {
+        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
+               RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+        return (0);
+        }
+
+    if (emlen < 2 * SHA_DIGEST_LENGTH + 1)
+        {
+        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL);
+        return (0);
+        }
+    
+    dbmask = Malloc(emlen - SHA_DIGEST_LENGTH);
+    if (dbmask == NULL)
+        {
+        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
+        return (0);
+        }
+
+    to[0] = 0;
+    seed = to + 1;
+    db = to + SHA_DIGEST_LENGTH + 1;
+
+    SHA1(param, plen, db);
+    memset(db + SHA_DIGEST_LENGTH, 0,
+           emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
+    db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
+    memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen);
+    RAND_bytes(seed, SHA_DIGEST_LENGTH);
+#ifdef PKCS_TESTVECT
+    memcpy(seed,
+           "\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f",
+           20);
+#endif
+
+    MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH);
+    for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
+        db[i] ^= dbmask[i];
+
+    MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH);
+    for (i = 0; i < SHA_DIGEST_LENGTH; i++)
+        seed[i] ^= seedmask[i];
+
+    Free(dbmask);
+    return (1);
+    }
+
+int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
+             unsigned char *from, int flen, int num, unsigned char *param,
+             int plen)
+    {
+    int i, dblen, mlen = -1;
+    unsigned char *maskeddb;
+    int lzero;
+    unsigned char *db, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
+
+    if (--num < 2 * SHA_DIGEST_LENGTH + 1)
+        {
+        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
+        return (-1);
+        }
+
+    dblen = num - SHA_DIGEST_LENGTH;
+    db = Malloc(dblen);
+    if (db == NULL)
+        {
+        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
+        return (-1);
+        }
+
+    lzero = num - flen;
+    maskeddb = from - lzero + SHA_DIGEST_LENGTH;
+    
+    MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen);
+    for (i = lzero; i < SHA_DIGEST_LENGTH; i++)
+        seed[i] ^= from[i - lzero];
+  
+    MGF1(db, dblen, seed, SHA_DIGEST_LENGTH);
+    for (i = 0; i < dblen; i++)
+        db[i] ^= maskeddb[i];
+
+    SHA1(param, plen, phash);
+
+    if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0)
+        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
+    else
+        {
+        for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
+            if (db[i] != 0x00)
+                break;
+        if (db[i] != 0x01 || i++ >= dblen)
+            RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP,
+                   RSA_R_OAEP_DECODING_ERROR);
+        else
+            {
+            mlen = dblen - i;
+            if (tlen < mlen)
+                {
+                RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE);
+                mlen = -1;
+                }
+            else
+                memcpy(to, db + i, mlen);
+            }
+        }
+    Free(db);
+    return (mlen);
+    }
+
+int MGF1(unsigned char *mask, long len, unsigned char *seed, long seedlen)
+    {
+    long i, outlen = 0;
+    unsigned char cnt[4];
+    SHA_CTX c;
+    unsigned char md[SHA_DIGEST_LENGTH];
+
+    for (i = 0; outlen < len; i++)
+        {
+        cnt[0] = (i >> 24) & 255, cnt[1] = (i >> 16) & 255,
+          cnt[2] = (i >> 8) & 255, cnt[3] = i & 255;
+        SHA1_Init(&c);
+        SHA1_Update(&c, seed, seedlen);
+        SHA1_Update(&c, cnt, 4);
+        if (outlen + SHA_DIGEST_LENGTH <= len)
+            {
+            SHA1_Final(mask + outlen, &c);
+            outlen += SHA_DIGEST_LENGTH;
+            }
+        else
+            {
+            SHA1_Final(md, &c);
+            memcpy(mask + outlen, md, len - outlen);
+            outlen = len;
+            }
+        }
+    return (0);
+    }
+#endif
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_test.c b/src/lib/libssl/src/crypto/rsa/rsa_test.c
new file mode 100644
index 0000000000..e5ae0c1f69
--- /dev/null
+++ b/src/lib/libssl/src/crypto/rsa/rsa_test.c
@@ -0,0 +1,314 @@
+/* test vectors from p1ovect1.txt */
+
+#include <stdio.h>
+#include <string.h>
+
+#include "openssl/e_os.h"
+
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#ifdef NO_RSA
+int main(int argc, char *argv[])
+{
+    printf("No RSA support\n");
+    return(0);
+}
+#else
+#include <openssl/rsa.h>
+
+#define SetKey \
+  key->n = BN_bin2bn(n, sizeof(n)-1, key->n); \
+  key->e = BN_bin2bn(e, sizeof(e)-1, key->e); \
+  key->d = BN_bin2bn(d, sizeof(d)-1, key->d); \
+  key->p = BN_bin2bn(p, sizeof(p)-1, key->p); \
+  key->q = BN_bin2bn(q, sizeof(q)-1, key->q); \
+  key->dmp1 = BN_bin2bn(dmp1, sizeof(dmp1)-1, key->dmp1); \
+  key->dmq1 = BN_bin2bn(dmq1, sizeof(dmq1)-1, key->dmq1); \
+  key->iqmp = BN_bin2bn(iqmp, sizeof(iqmp)-1, key->iqmp); \
+  memcpy(c, ctext_ex, sizeof(ctext_ex) - 1); \
+  return (sizeof(ctext_ex) - 1);
+
+static int key1(RSA *key, unsigned char *c)
+    {
+    static unsigned char n[] =
+"\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F"
+"\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5"
+"\xAD\xB3\x00\xA0\x28\x5E\x53\x01\x93\x0E\x0C\x70\xFB\x68\x76\x93"
+"\x9C\xE6\x16\xCE\x62\x4A\x11\xE0\x08\x6D\x34\x1E\xBC\xAC\xA0\xA1"
+"\xF5";
+
+    static unsigned char e[] = "\x11";
+
+    static unsigned char d[] =
+"\x0A\x03\x37\x48\x62\x64\x87\x69\x5F\x5F\x30\xBC\x38\xB9\x8B\x44"
+"\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64"
+"\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9"
+"\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51";
+
+    static unsigned char p[] =
+"\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
+"\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12"
+"\x0D";
+    
+    static unsigned char q[] =
+"\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
+"\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
+"\x89";
+
+    static unsigned char dmp1[] =
+"\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF"
+"\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05";
+
+    static unsigned char dmq1[] =
+"\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99"
+"\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D"
+"\x51";
+
+    static unsigned char iqmp[] =
+"\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8"
+"\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26";
+
+    static unsigned char ctext_ex[] =
+"\x1b\x8f\x05\xf9\xca\x1a\x79\x52\x6e\x53\xf3\xcc\x51\x4f\xdb\x89"
+"\x2b\xfb\x91\x93\x23\x1e\x78\xb9\x92\xe6\x8d\x50\xa4\x80\xcb\x52"
+"\x33\x89\x5c\x74\x95\x8d\x5d\x02\xab\x8c\x0f\xd0\x40\xeb\x58\x44"
+"\xb0\x05\xc3\x9e\xd8\x27\x4a\x9d\xbf\xa8\x06\x71\x40\x94\x39\xd2";
+
+    SetKey;
+    }
+
+static int key2(RSA *key, unsigned char *c)
+    {
+    static unsigned char n[] =
+"\x00\xA3\x07\x9A\x90\xDF\x0D\xFD\x72\xAC\x09\x0C\xCC\x2A\x78\xB8"
+"\x74\x13\x13\x3E\x40\x75\x9C\x98\xFA\xF8\x20\x4F\x35\x8A\x0B\x26"
+"\x3C\x67\x70\xE7\x83\xA9\x3B\x69\x71\xB7\x37\x79\xD2\x71\x7B\xE8"
+"\x34\x77\xCF";
+
+    static unsigned char e[] = "\x3";
+
+    static unsigned char d[] =
+"\x6C\xAF\xBC\x60\x94\xB3\xFE\x4C\x72\xB0\xB3\x32\xC6\xFB\x25\xA2"
+"\xB7\x62\x29\x80\x4E\x68\x65\xFC\xA4\x5A\x74\xDF\x0F\x8F\xB8\x41"
+"\x3B\x52\xC0\xD0\xE5\x3D\x9B\x59\x0F\xF1\x9B\xE7\x9F\x49\xDD\x21"
+"\xE5\xEB";
+
+    static unsigned char p[] =
+"\x00\xCF\x20\x35\x02\x8B\x9D\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92"
+"\xEA\x0D\xA3\xB4\x32\x04\xB5\xCF\xCE\x91";
+
+    static unsigned char q[] =
+"\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
+"\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5F";
+    
+    static unsigned char dmp1[] =
+"\x00\x8A\x15\x78\xAC\x5D\x13\xAF\x10\x2B\x22\xB9\x99\xCD\x74\x61"
+"\xF1\x5E\x6D\x22\xCC\x03\x23\xDF\xDF\x0B";
+
+    static unsigned char dmq1[] =
+"\x00\x86\x55\x21\x4A\xC5\x4D\x8D\x4E\xCD\x61\x77\xF1\xC7\x36\x90"
+"\xCE\x2A\x48\x2C\x8B\x05\x99\xCB\xE0\x3F";
+
+    static unsigned char iqmp[] =
+"\x00\x83\xEF\xEF\xB8\xA9\xA4\x0D\x1D\xB6\xED\x98\xAD\x84\xED\x13"
+"\x35\xDC\xC1\x08\xF3\x22\xD0\x57\xCF\x8D";
+
+    static unsigned char ctext_ex[] =
+"\x14\xbd\xdd\x28\xc9\x83\x35\x19\x23\x80\xe8\xe5\x49\xb1\x58\x2a"
+"\x8b\x40\xb4\x48\x6d\x03\xa6\xa5\x31\x1f\x1f\xd5\xf0\xa1\x80\xe4"
+"\x17\x53\x03\x29\xa9\x34\x90\x74\xb1\x52\x13\x54\x29\x08\x24\x52"
+"\x62\x51";
+
+    SetKey;
+    }
+
+static int key3(RSA *key, unsigned char *c)
+    {
+    static unsigned char n[] =
+"\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71"
+"\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5"
+"\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD"
+"\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80"
+"\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25"
+"\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39"
+"\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68"
+"\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD"
+"\xCB";
+
+    static unsigned char e[] = "\x11";
+
+    static unsigned char d[] =
+"\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD"
+"\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41"
+"\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69"
+"\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA"
+"\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94"
+"\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A"
+"\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94"
+"\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3"
+"\xC1";
+
+    static unsigned char p[] =
+"\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60"
+"\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6"
+"\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A"
+"\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65"
+"\x99";
+
+    static unsigned char q[] =
+"\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
+"\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
+"\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
+"\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15"
+"\x03";
+
+    static unsigned char dmp1[] =
+"\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A"
+"\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E"
+"\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E"
+"\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81";
+
+    static unsigned char dmq1[] =
+"\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9"
+"\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7"
+"\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D"
+"\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D";
+    
+    static unsigned char iqmp[] =
+"\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23"
+"\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11"
+"\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E"
+"\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39"
+"\xF7";
+
+    static unsigned char ctext_ex[] =
+"\xb8\x24\x6b\x56\xa6\xed\x58\x81\xae\xb5\x85\xd9\xa2\x5b\x2a\xd7"
+"\x90\xc4\x17\xe0\x80\x68\x1b\xf1\xac\x2b\xc3\xde\xb6\x9d\x8b\xce"
+"\xf0\xc4\x36\x6f\xec\x40\x0a\xf0\x52\xa7\x2e\x9b\x0e\xff\xb5\xb3"
+"\xf2\xf1\x92\xdb\xea\xca\x03\xc1\x27\x40\x05\x71\x13\xbf\x1f\x06"
+"\x69\xac\x22\xe9\xf3\xa7\x85\x2e\x3c\x15\xd9\x13\xca\xb0\xb8\x86"
+"\x3a\x95\xc9\x92\x94\xce\x86\x74\x21\x49\x54\x61\x03\x46\xf4\xd4"
+"\x74\xb2\x6f\x7c\x48\xb4\x2e\xe6\x8e\x1f\x57\x2a\x1f\xc4\x02\x6a"
+"\xc4\x56\xb4\xf5\x9f\x7b\x62\x1e\xa1\xb9\xd8\x8f\x64\x20\x2f\xb1";
+
+    SetKey;
+    }
+
+static int pad_unknown(void)
+{
+    unsigned long l;
+    while ((l = ERR_get_error()) != 0)
+      if (ERR_GET_REASON(l) == RSA_R_UNKNOWN_PADDING_TYPE)
+        return(1);
+    return(0);
+}
+
+static const char rnd_seed[] = "string to make the random number generator think it has entropy";
+
+int main(int argc, char *argv[])
+    {
+    int err=0;
+    int v;
+    RSA *key;
+    unsigned char ptext[256];
+    unsigned char ctext[256];
+    static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a";
+    unsigned char ctext_ex[256];
+    int plen;
+    int clen = 0;
+    int num;
+
+    RAND_seed(rnd_seed, sizeof rnd_seed); /* or OAEP may fail */
+
+    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+        
+    plen = sizeof(ptext_ex) - 1;
+
+    for (v = 0; v < 3; v++)
+        {
+        key = RSA_new();
+        switch (v) {
+    case 0:
+        clen = key1(key, ctext_ex);
+        break;
+    case 1:
+        clen = key2(key, ctext_ex);
+        break;
+    case 2:
+        clen = key3(key, ctext_ex);
+        break;
+        }
+
+        num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
+                                 RSA_PKCS1_PADDING);
+        if (num != clen)
+            {
+            printf("PKCS#1 v1.5 encryption failed!\n");
+            err=1;
+            goto oaep;
+            }
+  
+        num = RSA_private_decrypt(num, ctext, ptext, key,
+                                  RSA_PKCS1_PADDING);
+        if (num != plen || memcmp(ptext, ptext_ex, num) != 0)
+            {
+            printf("PKCS#1 v1.5 decryption failed!\n");
+            err=1;
+            }
+        else
+            printf("PKCS #1 v1.5 encryption/decryption ok\n");
+
+    oaep:
+        ERR_clear_error();
+        num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
+                                 RSA_PKCS1_OAEP_PADDING);
+        if (num == -1 && pad_unknown())
+            {
+            printf("No OAEP support\n");
+            goto next;
+            }
+        if (num != clen)
+            {
+            printf("OAEP encryption failed!\n");
+            err=1;
+            goto next;
+            }
+  
+        num = RSA_private_decrypt(num, ctext, ptext, key,
+                                  RSA_PKCS1_OAEP_PADDING);
+        if (num != plen || memcmp(ptext, ptext_ex, num) != 0)
+            {
+            printf("OAEP decryption (encrypted data) failed!\n");
+            err=1;
+            }
+        else if (memcmp(ctext, ctext_ex, num) == 0)
+            {
+            printf("OAEP test vector %d passed!\n", v);
+            goto next;
+            }
+    
+        /* Different ciphertexts (rsa_oaep.c without -DPKCS_TESTVECT).
+           Try decrypting ctext_ex */
+
+        num = RSA_private_decrypt(clen, ctext_ex, ptext, key,
+                                  RSA_PKCS1_OAEP_PADDING);
+
+        if (num != plen || memcmp(ptext, ptext_ex, num) != 0)
+            {
+            printf("OAEP decryption (test vector data) failed!\n");
+            err=1;
+            }
+        else
+            printf("OAEP encryption/decryption ok\n");
+    next:
+        RSA_free(key);
+        }
+
+    ERR_remove_state(0);
+
+    CRYPTO_mem_leaks_fp(stdout);
+
+    return err;
+    }
+#endif
diff --git a/src/lib/libssl/src/crypto/stack/safestack.h b/src/lib/libssl/src/crypto/stack/safestack.h
new file mode 100644
index 0000000000..38934981e3
--- /dev/null
+++ b/src/lib/libssl/src/crypto/stack/safestack.h
@@ -0,0 +1,129 @@
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_SAFESTACK_H
+#define HEADER_SAFESTACK_H
+
+#include <openssl/stack.h>
+
+#define STACK_OF(type)  STACK_##type
+
+#define DECLARE_STACK_OF(type) \
+typedef struct stack_st_##type  \
+    { \
+    STACK stack; \
+    } STACK_OF(type); \
+STACK_OF(type) *sk_##type##_new(int (*cmp)(type **,type **)); \
+STACK_OF(type) *sk_##type##_new_null(void); \
+void sk_##type##_free(STACK_OF(type) *sk); \
+int sk_##type##_num(const STACK_OF(type) *sk); \
+type *sk_##type##_value(const STACK_OF(type) *sk,int n); \
+type *sk_##type##_set(STACK_OF(type) *sk,int n,type *v); \
+void sk_##type##_zero(STACK_OF(type) *sk); \
+int sk_##type##_push(STACK_OF(type) *sk,type *v); \
+int sk_##type##_unshift(STACK_OF(type) *sk,type *v); \
+int sk_##type##_find(STACK_OF(type) *sk,type *v); \
+type *sk_##type##_delete(STACK_OF(type) *sk,int n); \
+void sk_##type##_delete_ptr(STACK_OF(type) *sk,type *v); \
+int sk_##type##_insert(STACK_OF(type) *sk,type *v,int n); \
+int (*sk_##type##_set_cmp_func(STACK_OF(type) *sk, \
+                               int (*cmp)(type **,type **)))(type **,type **); \
+STACK_OF(type) *sk_##type##_dup(STACK_OF(type) *sk); \
+void sk_##type##_pop_free(STACK_OF(type) *sk,void (*func)(type *)); \
+type *sk_##type##_shift(STACK_OF(type) *sk); \
+type *sk_##type##_pop(STACK_OF(type) *sk); \
+void sk_##type##_sort(STACK_OF(type) *sk);
+
+#define IMPLEMENT_STACK_OF(type) \
+STACK_OF(type) *sk_##type##_new(int (*cmp)(type **,type **)) \
+    { return (STACK_OF(type) *)sk_new(cmp); } \
+STACK_OF(type) *sk_##type##_new_null() \
+    { return (STACK_OF(type) *)sk_new_null(); } \
+void sk_##type##_free(STACK_OF(type) *sk) \
+    { sk_free((STACK *)sk); } \
+int sk_##type##_num(const STACK_OF(type) *sk) \
+    { return M_sk_num((const STACK *)sk); } \
+type *sk_##type##_value(const STACK_OF(type) *sk,int n) \
+    { return (type *)sk_value((STACK *)sk,n); } \
+type *sk_##type##_set(STACK_OF(type) *sk,int n,type *v) \
+    { return (type *)(sk_set((STACK *)sk,n,(char *)v)); } \
+void sk_##type##_zero(STACK_OF(type) *sk) \
+    { sk_zero((STACK *)sk); } \
+int sk_##type##_push(STACK_OF(type) *sk,type *v) \
+    { return sk_push((STACK *)sk,(char *)v); } \
+int sk_##type##_unshift(STACK_OF(type) *sk,type *v) \
+    { return sk_unshift((STACK *)sk,(char *)v); } \
+int sk_##type##_find(STACK_OF(type) *sk,type *v) \
+    { return sk_find((STACK *)sk,(char *)v); } \
+type *sk_##type##_delete(STACK_OF(type) *sk,int n) \
+    { return (type *)sk_delete((STACK *)sk,n); } \
+void sk_##type##_delete_ptr(STACK_OF(type) *sk,type *v) \
+    { sk_delete_ptr((STACK *)sk,(char *)v); } \
+int sk_##type##_insert(STACK_OF(type) *sk,type *v,int n) \
+    { return sk_insert((STACK *)sk,(char *)v,n); } \
+int (*sk_##type##_set_cmp_func(STACK_OF(type) *sk, \
+                               int (*cmp)(type **,type **)))(type **,type **) \
+    { return (int (*)(type **,type **))sk_set_cmp_func((STACK *)sk,cmp); } \
+STACK_OF(type) *sk_##type##_dup(STACK_OF(type) *sk) \
+    { return (STACK_OF(type) *)sk_dup((STACK *)sk); } \
+void sk_##type##_pop_free(STACK_OF(type) *sk,void (*func)(type *)) \
+    { sk_pop_free((STACK *)sk,func); } \
+type *sk_##type##_shift(STACK_OF(type) *sk) \
+    { return (type *)sk_shift((STACK *)sk); } \
+type *sk_##type##_pop(STACK_OF(type) *sk) \
+    { return (type *)sk_pop((STACK *)sk); } \
+void sk_##type##_sort(STACK_OF(type) *sk) \
+    { sk_sort((STACK *)sk); }
+
+#endif /* ndef HEADER_SAFESTACK_H */
diff --git a/src/lib/libssl/src/crypto/symhacks.h b/src/lib/libssl/src/crypto/symhacks.h
new file mode 100644
index 0000000000..358ad355bb
--- /dev/null
+++ b/src/lib/libssl/src/crypto/symhacks.h
@@ -0,0 +1,154 @@
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_SYMHACKS_H
+#define HEADER_SYMHACKS_H
+
+/* Hacks to solve the problem with linkers incapable of handling very long
+   symbol names.  In the case of VMS, the limit is 31 characters on VMS for
+   VAX. */
+#ifdef VMS
+
+/* Hack a long name in crypto/asn1/a_mbstr.c */
+#undef ASN1_STRING_set_default_mask_asc
+#define ASN1_STRING_set_default_mask_asc        ASN1_STRING_set_def_mask_asc
+
+#if 0 /* No longer needed, since safestack macro magic does the job */
+/* Hack the names created with DECLARE_ASN1_SET_OF(PKCS7_SIGNER_INFO) */
+#undef i2d_ASN1_SET_OF_PKCS7_SIGNER_INFO
+#define i2d_ASN1_SET_OF_PKCS7_SIGNER_INFO       i2d_ASN1_SET_OF_PKCS7_SIGINF
+#undef d2i_ASN1_SET_OF_PKCS7_SIGNER_INFO
+#define d2i_ASN1_SET_OF_PKCS7_SIGNER_INFO       d2i_ASN1_SET_OF_PKCS7_SIGINF
+#endif
+
+#if 0 /* No longer needed, since safestack macro magic does the job */
+/* Hack the names created with DECLARE_ASN1_SET_OF(PKCS7_RECIP_INFO) */
+#undef i2d_ASN1_SET_OF_PKCS7_RECIP_INFO
+#define i2d_ASN1_SET_OF_PKCS7_RECIP_INFO        i2d_ASN1_SET_OF_PKCS7_RECINF
+#undef d2i_ASN1_SET_OF_PKCS7_RECIP_INFO
+#define d2i_ASN1_SET_OF_PKCS7_RECIP_INFO        d2i_ASN1_SET_OF_PKCS7_RECINF
+#endif
+
+#if 0 /* No longer needed, since safestack macro magic does the job */
+/* Hack the names created with DECLARE_ASN1_SET_OF(ACCESS_DESCRIPTION) */
+#undef i2d_ASN1_SET_OF_ACCESS_DESCRIPTION
+#define i2d_ASN1_SET_OF_ACCESS_DESCRIPTION      i2d_ASN1_SET_OF_ACC_DESC
+#undef d2i_ASN1_SET_OF_ACCESS_DESCRIPTION
+#define d2i_ASN1_SET_OF_ACCESS_DESCRIPTION      d2i_ASN1_SET_OF_ACC_DESC
+#endif
+
+/* Hack the names created with DECLARE_PEM_rw(NETSCAPE_CERT_SEQUENCE) */
+#undef PEM_read_NETSCAPE_CERT_SEQUENCE
+#define PEM_read_NETSCAPE_CERT_SEQUENCE         PEM_read_NS_CERT_SEQ
+#undef PEM_write_NETSCAPE_CERT_SEQUENCE
+#define PEM_write_NETSCAPE_CERT_SEQUENCE        PEM_write_NS_CERT_SEQ
+#undef PEM_read_bio_NETSCAPE_CERT_SEQUENCE
+#define PEM_read_bio_NETSCAPE_CERT_SEQUENCE     PEM_read_bio_NS_CERT_SEQ
+#undef PEM_write_bio_NETSCAPE_CERT_SEQUENCE
+#define PEM_write_bio_NETSCAPE_CERT_SEQUENCE    PEM_write_bio_NS_CERT_SEQ
+#undef PEM_write_cb_bio_NETSCAPE_CERT_SEQUENCE
+#define PEM_write_cb_bio_NETSCAPE_CERT_SEQUENCE PEM_write_cb_bio_NS_CERT_SEQ
+
+/* Hack the names created with DECLARE_PEM_rw(PKCS8_PRIV_KEY_INFO) */
+#undef PEM_read_PKCS8_PRIV_KEY_INFO
+#define PEM_read_PKCS8_PRIV_KEY_INFO            PEM_read_P8_PRIV_KEY_INFO
+#undef PEM_write_PKCS8_PRIV_KEY_INFO
+#define PEM_write_PKCS8_PRIV_KEY_INFO           PEM_write_P8_PRIV_KEY_INFO
+#undef PEM_read_bio_PKCS8_PRIV_KEY_INFO
+#define PEM_read_bio_PKCS8_PRIV_KEY_INFO        PEM_read_bio_P8_PRIV_KEY_INFO
+#undef PEM_write_bio_PKCS8_PRIV_KEY_INFO
+#define PEM_write_bio_PKCS8_PRIV_KEY_INFO       PEM_write_bio_P8_PRIV_KEY_INFO
+#undef PEM_write_cb_bio_PKCS8_PRIV_KEY_INFO
+#define PEM_write_cb_bio_PKCS8_PRIV_KEY_INFO    PEM_wrt_cb_bio_P8_PRIV_KEY_INFO
+
+/* Hack other PEM names */
+#undef PEM_write_bio_PKCS8PrivateKey_nid
+#define PEM_write_bio_PKCS8PrivateKey_nid       PEM_write_bio_PKCS8PrivKey_nid
+
+/* Hack some long X509 names */
+#undef X509_REVOKED_get_ext_by_critical
+#define X509_REVOKED_get_ext_by_critical        X509_REVOKED_get_ext_by_critic
+
+/* Hack some long CRYPTO names */
+#define CRYPTO_set_dynlock_destroy_callback     CRYPTO_set_dynlock_destroy_cb
+#define CRYPTO_set_dynlock_create_callback      CRYPTO_set_dynlock_create_cb
+#define CRYPTO_set_dynlock_lock_callback        CRYPTO_set_dynlock_lock_cb
+#define CRYPTO_get_dynlock_lock_callback        CRYPTO_get_dynlock_lock_cb
+#define CRYPTO_get_dynlock_destroy_callback     CRYPTO_get_dynlock_destroy_cb
+#define CRYPTO_get_dynlock_create_callback      CRYPTO_get_dynlock_create_cb
+
+/* Hack some long SSL names */
+#define SSL_CTX_set_default_verify_paths        SSL_CTX_set_def_verify_paths
+#define SSL_get_ex_data_X509_STORE_CTX_idx      SSL_get_ex_d_X509_STORE_CTX_idx
+#define SSL_add_file_cert_subjects_to_stack     SSL_add_file_cert_subjs_to_stk
+#define SSL_add_dir_cert_subjects_to_stack      SSL_add_dir_cert_subjs_to_stk
+#define SSL_CTX_use_certificate_chain_file      SSL_CTX_use_cert_chain_file
+#define SSL_CTX_set_cert_verify_callback        SSL_CTX_set_cert_verify_cb
+#define SSL_CTX_set_default_passwd_cb_userdata  SSL_CTX_set_def_passwd_cb_ud
+
+/* Hack some long ENGINE names */
+#define ENGINE_get_default_BN_mod_exp_crt       ENGINE_get_def_BN_mod_exp_crt
+#define ENGINE_set_default_BN_mod_exp_crt       ENGINE_set_def_BN_mod_exp_crt
+
+#endif /* defined VMS */
+
+
+/* Case insensiteve linking causes problems.... */
+#if defined(WIN16) || defined(VMS)
+#undef ERR_load_CRYPTO_strings
+#define ERR_load_CRYPTO_strings                 ERR_load_CRYPTOlib_strings
+#endif
+
+
+#endif /* ! defined HEADER_VMS_IDHACKS_H */
diff --git a/src/lib/libssl/src/crypto/threads/README b/src/lib/libssl/src/crypto/threads/README
new file mode 100644
index 0000000000..df6b26e146
--- /dev/null
+++ b/src/lib/libssl/src/crypto/threads/README
@@ -0,0 +1,14 @@
+Mutithreading testing area.
+
+Since this stuff is very very platorm specific, this is not part of the
+normal build.  Have a read of doc/threads.doc.
+
+mttest will do some testing and will currently build under Windows NT/95,
+Solaris and Linux.  The IRIX stuff is not finished.
+
+I have tested this program on a 12 CPU ultra sparc box (solaris 2.5.1)
+and things seem to work ok.
+
+The Linux pthreads package can be retrieved from 
+http://www.mit.edu:8001/people/proven/pthreads.html
+
diff --git a/src/lib/libssl/src/crypto/threads/profile.sh b/src/lib/libssl/src/crypto/threads/profile.sh
new file mode 100644
index 0000000000..6e3e342fc0
--- /dev/null
+++ b/src/lib/libssl/src/crypto/threads/profile.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+/bin/rm -f mttest
+cc -p -DSOLARIS -I../../include -g mttest.c -o mttest -L/usr/lib/libc -ldl -L../.. -lthread  -lssl -lcrypto -lnsl -lsocket
+
diff --git a/src/lib/libssl/src/crypto/threads/ptest.bat b/src/lib/libssl/src/crypto/threads/ptest.bat
new file mode 100644
index 0000000000..4071b5ffea
--- /dev/null
+++ b/src/lib/libssl/src/crypto/threads/ptest.bat
@@ -0,0 +1,4 @@
+del mttest.exe
+
+purify cl /O2 -DWIN32 /MD -I..\..\out mttest.c /Femttest ..\..\out\ssl32.lib ..\..\out\crypt32.lib
+
diff --git a/src/lib/libssl/src/crypto/threads/pthread.sh b/src/lib/libssl/src/crypto/threads/pthread.sh
new file mode 100644
index 0000000000..f1c49821d2
--- /dev/null
+++ b/src/lib/libssl/src/crypto/threads/pthread.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+#
+# build using pthreads
+#
+# http://www.mit.edu:8001/people/proven/pthreads.html
+#
+/bin/rm -f mttest
+pgcc -DPTHREADS -I../../include -g mttest.c -o mttest -L../.. -lssl -lcrypto 
+
diff --git a/src/lib/libssl/src/crypto/threads/pthread2.sh b/src/lib/libssl/src/crypto/threads/pthread2.sh
new file mode 100644
index 0000000000..41264c6a50
--- /dev/null
+++ b/src/lib/libssl/src/crypto/threads/pthread2.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+#
+# build using pthreads where it's already built into the system
+#
+/bin/rm -f mttest
+gcc -DPTHREADS -I../../include -g mttest.c -o mttest -L../.. -lssl -lcrypto -lpthread
+
diff --git a/src/lib/libssl/src/crypto/threads/pthreads-vms.com b/src/lib/libssl/src/crypto/threads/pthreads-vms.com
new file mode 100644
index 0000000000..63f5b8cc2e
--- /dev/null
+++ b/src/lib/libssl/src/crypto/threads/pthreads-vms.com
@@ -0,0 +1,9 @@
+$! To compile mttest on VMS.
+$!
+$! WARNING: only tested with DEC C so far.
+$
+$ arch := vax
+$ if f$getsyi("CPU") .ge. 128 then arch := axp
+$ define/user openssl [--.include.openssl]
+$ cc/def=PTHREADS mttest.c
+$ link mttest,[--.'arch'.exe.ssl]libssl/lib,[--.'arch'.exe.crypto]libcrypto/lib
diff --git a/src/lib/libssl/src/crypto/threads/purify.sh b/src/lib/libssl/src/crypto/threads/purify.sh
new file mode 100644
index 0000000000..6d44fe26b7
--- /dev/null
+++ b/src/lib/libssl/src/crypto/threads/purify.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+/bin/rm -f mttest
+purify cc -DSOLARIS -I../../include -g mttest.c -o mttest -L../.. -lthread  -lssl -lcrypto -lnsl -lsocket
+
diff --git a/src/lib/libssl/src/crypto/threads/solaris.sh b/src/lib/libssl/src/crypto/threads/solaris.sh
new file mode 100644
index 0000000000..bc93094a27
--- /dev/null
+++ b/src/lib/libssl/src/crypto/threads/solaris.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+/bin/rm -f mttest
+cc -DSOLARIS -I../../include -g mttest.c -o mttest -L../.. -lthread  -lssl -lcrypto -lnsl -lsocket
+
diff --git a/src/lib/libssl/src/crypto/threads/win32.bat b/src/lib/libssl/src/crypto/threads/win32.bat
new file mode 100644
index 0000000000..ee6da80a07
--- /dev/null
+++ b/src/lib/libssl/src/crypto/threads/win32.bat
@@ -0,0 +1,4 @@
+del mttest.exe
+
+cl /O2 -DWIN32 /MD -I..\..\out mttest.c /Femttest ..\..\out\ssleay32.lib ..\..\out\libeay32.lib
+
diff --git a/src/lib/libssl/src/crypto/tmdiff.h b/src/lib/libssl/src/crypto/tmdiff.h
new file mode 100644
index 0000000000..41a8a1e0e0
--- /dev/null
+++ b/src/lib/libssl/src/crypto/tmdiff.h
@@ -0,0 +1,81 @@
+/* crypto/tmdiff.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* Header for dynamic hash table routines
+ * Author - Eric Young
+ */
+
+#ifndef HEADER_TMDIFF_H
+#define HEADER_TMDIFF_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+char *ms_time_new(void );
+void ms_time_free(char *a);
+void ms_time_get(char *a);
+double ms_time_diff(char *start,char *end);
+int ms_time_cmp(char *ap,char *bp);
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
+
diff --git a/src/lib/libssl/src/crypto/ui/ui.h b/src/lib/libssl/src/crypto/ui/ui.h
new file mode 100644
index 0000000000..735a2d988e
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ui/ui.h
@@ -0,0 +1,387 @@
+/* crypto/ui/ui.h -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_UI_H
+#define HEADER_UI_H
+
+#include <openssl/crypto.h>
+#include <openssl/safestack.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/* The UI type is a holder for a specific user interface session.  It can
+   contain an illimited number of informational or error strings as well
+   as things to prompt for, both passwords (noecho mode) and others (echo
+   mode), and verification of the same.  All of these are called strings,
+   and are further described below. */
+typedef struct ui_st UI;
+
+/* All instances of UI have a reference to a method structure, which is a
+   ordered vector of functions that implement the lower level things to do.
+   There is an instruction on the implementation further down, in the section
+   for method implementors. */
+typedef struct ui_method_st UI_METHOD;
+
+
+/* All the following functions return -1 or NULL on error and in some cases
+   (UI_process()) -2 if interrupted or in some other way cancelled.
+   When everything is fine, they return 0, a positive value or a non-NULL
+   pointer, all depending on their purpose. */
+
+/* Creators and destructor.   */
+UI *UI_new(void);
+UI *UI_new_method(const UI_METHOD *method);
+void UI_free(UI *ui);
+
+/* The following functions are used to add strings to be printed and prompt
+   strings to prompt for data.  The names are UI_{add,dup}_<function>_string
+   and UI_{add,dup}_input_boolean.
+
+   UI_{add,dup}_<function>_string have the following meanings:
+        add     add a text or prompt string.  The pointers given to these
+                functions are used verbatim, no copying is done.
+        dup     make a copy of the text or prompt string, then add the copy
+                to the collection of strings in the user interface.
+        <function>
+                The function is a name for the functionality that the given
+                string shall be used for.  It can be one of:
+                        input   use the string as data prompt.
+                        verify  use the string as verification prompt.  This
+                                is used to verify a previous input.
+                        info    use the string for informational output.
+                        error   use the string for error output.
+   Honestly, there's currently no difference between info and error for the
+   moment.
+
+   UI_{add,dup}_input_boolean have the same semantics for "add" and "dup",
+   and are typically used when one wants to prompt for a yes/no response.
+
+
+   All of the functions in this group take a UI and a prompt string.
+   The string input and verify addition functions also take a flag argument,
+   a buffer for the result to end up with, a minimum input size and a maximum
+   input size (the result buffer MUST be large enough to be able to contain
+   the maximum number of characters).  Additionally, the verify addition
+   functions takes another buffer to compare the result against.
+   The boolean input functions take an action description string (which should
+   be safe to ignore if the expected user action is obvious, for example with
+   a dialog box with an OK button and a Cancel button), a string of acceptable
+   characters to mean OK and to mean Cancel.  The two last strings are checked
+   to make sure they don't have common characters.  Additionally, the same
+   flag argument as for the string input is taken, as well as a result buffer.
+   The result buffer is required to be at least one byte long.  Depending on
+   the answer, the first character from the OK or the Cancel character strings
+   will be stored in the first byte of the result buffer.  No NUL will be
+   added, so the result is *not* a string.
+
+   On success, the all return an index of the added information.  That index
+   is usefull when retrieving results with UI_get0_result(). */
+int UI_add_input_string(UI *ui, const char *prompt, int flags,
+        char *result_buf, int minsize, int maxsize);
+int UI_dup_input_string(UI *ui, const char *prompt, int flags,
+        char *result_buf, int minsize, int maxsize);
+int UI_add_verify_string(UI *ui, const char *prompt, int flags,
+        char *result_buf, int minsize, int maxsize, const char *test_buf);
+int UI_dup_verify_string(UI *ui, const char *prompt, int flags,
+        char *result_buf, int minsize, int maxsize, const char *test_buf);
+int UI_add_input_boolean(UI *ui, const char *prompt, const char *action_desc,
+        const char *ok_chars, const char *cancel_chars,
+        int flags, char *result_buf);
+int UI_dup_input_boolean(UI *ui, const char *prompt, const char *action_desc,
+        const char *ok_chars, const char *cancel_chars,
+        int flags, char *result_buf);
+int UI_add_info_string(UI *ui, const char *text);
+int UI_dup_info_string(UI *ui, const char *text);
+int UI_add_error_string(UI *ui, const char *text);
+int UI_dup_error_string(UI *ui, const char *text);
+
+/* These are the possible flags.  They can be or'ed together. */
+/* Use to have echoing of input */
+#define UI_INPUT_FLAG_ECHO              0x01
+/* Use a default password.  Where that password is found is completely
+   up to the application, it might for example be in the user data set
+   with UI_add_user_data().  It is not recommended to have more than
+   one input in each UI being marked with this flag, or the application
+   might get confused. */
+#define UI_INPUT_FLAG_DEFAULT_PWD       0x02
+
+/* The user of these routines may want to define flags of their own.  The core
+   UI won't look at those, but will pass them on to the method routines.  They
+   must use higher bits so they don't get confused with the UI bits above.
+   UI_INPUT_FLAG_USER_BASE tells which is the lowest bit to use.  A good
+   example of use is this:
+
+        #define MY_UI_FLAG1     (0x01 << UI_INPUT_FLAG_USER_BASE)
+
+*/
+#define UI_INPUT_FLAG_USER_BASE 16
+
+
+/* The following function helps construct a prompt.  object_desc is a
+   textual short description of the object, for example "pass phrase",
+   and object_name is the name of the object (might be a card name or
+   a file name.
+   The returned string shall always be allocated on the heap with
+   OPENSSL_malloc(), and need to be free'd with OPENSSL_free().
+
+   If the ui_method doesn't contain a pointer to a user-defined prompt
+   constructor, a default string is built, looking like this:
+
+        "Enter {object_desc} for {object_name}:"
+
+   So, if object_desc has the value "pass phrase" and object_name has
+   the value "foo.key", the resulting string is:
+
+        "Enter pass phrase for foo.key:"
+*/
+char *UI_construct_prompt(UI *ui_method,
+        const char *object_desc, const char *object_name);
+
+
+/* The following function is used to store a pointer to user-specific data.
+   Any previous such pointer will be returned and replaced.
+
+   For callback purposes, this function makes a lot more sense than using
+   ex_data, since the latter requires that different parts of OpenSSL or
+   applications share the same ex_data index.
+
+   Note that the UI_OpenSSL() method completely ignores the user data.
+   Other methods may not, however.  */
+void *UI_add_user_data(UI *ui, void *user_data);
+/* We need a user data retrieving function as well.  */
+void *UI_get0_user_data(UI *ui);
+
+/* Return the result associated with a prompt given with the index i. */
+const char *UI_get0_result(UI *ui, int i);
+
+/* When all strings have been added, process the whole thing. */
+int UI_process(UI *ui);
+
+/* Give a user interface parametrised control commands.  This can be used to
+   send down an integer, a data pointer or a function pointer, as well as
+   be used to get information from a UI. */
+int UI_ctrl(UI *ui, int cmd, long i, void *p, void (*f)());
+
+/* The commands */
+/* Use UI_CONTROL_PRINT_ERRORS with the value 1 to have UI_process print the
+   OpenSSL error stack before printing any info or added error messages and
+   before any prompting. */
+#define UI_CTRL_PRINT_ERRORS            1
+/* Check if a UI_process() is possible to do again with the same instance of
+   a user interface.  This makes UI_ctrl() return 1 if it is redoable, and 0
+   if not. */
+#define UI_CTRL_IS_REDOABLE             2
+
+
+/* Some methods may use extra data */
+#define UI_set_app_data(s,arg)         UI_set_ex_data(s,0,arg)
+#define UI_get_app_data(s)             UI_get_ex_data(s,0)
+int UI_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+        CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+int UI_set_ex_data(UI *r,int idx,void *arg);
+void *UI_get_ex_data(UI *r, int idx);
+
+/* Use specific methods instead of the built-in one */
+void UI_set_default_method(const UI_METHOD *meth);
+const UI_METHOD *UI_get_default_method(void);
+const UI_METHOD *UI_get_method(UI *ui);
+const UI_METHOD *UI_set_method(UI *ui, const UI_METHOD *meth);
+
+/* The method with all the built-in thingies */
+UI_METHOD *UI_OpenSSL(void);
+
+
+/* ---------- For method writers ---------- */
+/* A method contains a number of functions that implement the low level
+   of the User Interface.  The functions are:
+
+        an opener       This function starts a session, maybe by opening
+                        a channel to a tty, or by opening a window.
+        a writer        This function is called to write a given string,
+                        maybe to the tty, maybe as a field label in a
+                        window.
+        a flusher       This function is called to flush everything that
+                        has been output so far.  It can be used to actually
+                        display a dialog box after it has been built.
+        a reader        This function is called to read a given prompt,
+                        maybe from the tty, maybe from a field in a
+                        window.  Note that it's called wth all string
+                        structures, not only the prompt ones, so it must
+                        check such things itself.
+        a closer        This function closes the session, maybe by closing
+                        the channel to the tty, or closing the window.
+
+   All these functions are expected to return:
+
+        0       on error.
+        1       on success.
+        -1      on out-of-band events, for example if some prompting has
+                been canceled (by pressing Ctrl-C, for example).  This is
+                only checked when returned by the flusher or the reader.
+
+   The way this is used, the opener is first called, then the writer for all
+   strings, then the flusher, then the reader for all strings and finally the
+   closer.  Note that if you want to prompt from a terminal or other command
+   line interface, the best is to have the reader also write the prompts
+   instead of having the writer do it.  If you want to prompt from a dialog
+   box, the writer can be used to build up the contents of the box, and the
+   flusher to actually display the box and run the event loop until all data
+   has been given, after which the reader only grabs the given data and puts
+   them back into the UI strings.
+
+   All method functions take a UI as argument.  Additionally, the writer and
+   the reader take a UI_STRING.
+*/
+
+/* The UI_STRING type is the data structure that contains all the needed info
+   about a string or a prompt, including test data for a verification prompt.
+*/
+DECLARE_STACK_OF(UI_STRING)
+typedef struct ui_string_st UI_STRING;
+
+/* The different types of strings that are currently supported.
+   This is only needed by method authors. */
+enum UI_string_types
+        {
+        UIT_NONE=0,
+        UIT_PROMPT,             /* Prompt for a string */
+        UIT_VERIFY,             /* Prompt for a string and verify */
+        UIT_BOOLEAN,            /* Prompt for a yes/no response */
+        UIT_INFO,               /* Send info to the user */
+        UIT_ERROR               /* Send an error message to the user */
+        };
+
+/* Create and manipulate methods */
+UI_METHOD *UI_create_method(char *name);
+void UI_destroy_method(UI_METHOD *ui_method);
+int UI_method_set_opener(UI_METHOD *method, int (*opener)(UI *ui));
+int UI_method_set_writer(UI_METHOD *method, int (*writer)(UI *ui, UI_STRING *uis));
+int UI_method_set_flusher(UI_METHOD *method, int (*flusher)(UI *ui));
+int UI_method_set_reader(UI_METHOD *method, int (*reader)(UI *ui, UI_STRING *uis));
+int UI_method_set_closer(UI_METHOD *method, int (*closer)(UI *ui));
+int (*UI_method_get_opener(UI_METHOD *method))(UI*);
+int (*UI_method_get_writer(UI_METHOD *method))(UI*,UI_STRING*);
+int (*UI_method_get_flusher(UI_METHOD *method))(UI*);
+int (*UI_method_get_reader(UI_METHOD *method))(UI*,UI_STRING*);
+int (*UI_method_get_closer(UI_METHOD *method))(UI*);
+
+/* The following functions are helpers for method writers to access relevant
+   data from a UI_STRING. */
+
+/* Return type of the UI_STRING */
+enum UI_string_types UI_get_string_type(UI_STRING *uis);
+/* Return input flags of the UI_STRING */
+int UI_get_input_flags(UI_STRING *uis);
+/* Return the actual string to output (the prompt, info or error) */
+const char *UI_get0_output_string(UI_STRING *uis);
+/* Return the optional action string to output (the boolean promtp instruction) */
+const char *UI_get0_action_string(UI_STRING *uis);
+/* Return the result of a prompt */
+const char *UI_get0_result_string(UI_STRING *uis);
+/* Return the string to test the result against.  Only useful with verifies. */
+const char *UI_get0_test_string(UI_STRING *uis);
+/* Return the required minimum size of the result */
+int UI_get_result_minsize(UI_STRING *uis);
+/* Return the required maximum size of the result */
+int UI_get_result_maxsize(UI_STRING *uis);
+/* Set the result of a UI_STRING. */
+int UI_set_result(UI *ui, UI_STRING *uis, const char *result);
+
+
+/* A couple of popular utility functions */
+int UI_UTIL_read_pw_string(char *buf,int length,const char *prompt,int verify);
+int UI_UTIL_read_pw(char *buf,char *buff,int size,const char *prompt,int verify);
+
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+void ERR_load_UI_strings(void);
+
+/* Error codes for the UI functions. */
+
+/* Function codes. */
+#define UI_F_GENERAL_ALLOCATE_BOOLEAN                    108
+#define UI_F_GENERAL_ALLOCATE_PROMPT                     109
+#define UI_F_GENERAL_ALLOCATE_STRING                     100
+#define UI_F_UI_CTRL                                     111
+#define UI_F_UI_DUP_ERROR_STRING                         101
+#define UI_F_UI_DUP_INFO_STRING                          102
+#define UI_F_UI_DUP_INPUT_BOOLEAN                        110
+#define UI_F_UI_DUP_INPUT_STRING                         103
+#define UI_F_UI_DUP_VERIFY_STRING                        106
+#define UI_F_UI_GET0_RESULT                              107
+#define UI_F_UI_NEW_METHOD                               104
+#define UI_F_UI_SET_RESULT                               105
+
+/* Reason codes. */
+#define UI_R_COMMON_OK_AND_CANCEL_CHARACTERS             104
+#define UI_R_INDEX_TOO_LARGE                             102
+#define UI_R_INDEX_TOO_SMALL                             103
+#define UI_R_NO_RESULT_BUFFER                            105
+#define UI_R_RESULT_TOO_LARGE                            100
+#define UI_R_RESULT_TOO_SMALL                            101
+#define UI_R_UNKNOWN_CONTROL_COMMAND                     106
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libssl/src/crypto/ui/ui_compat.c b/src/lib/libssl/src/crypto/ui/ui_compat.c
new file mode 100644
index 0000000000..13e0f70d90
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ui/ui_compat.c
@@ -0,0 +1,67 @@
+/* crypto/ui/ui_compat.c -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 2001-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <string.h>
+#include <openssl/ui_compat.h>
+
+int _ossl_old_des_read_pw_string(char *buf,int length,const char *prompt,int verify)
+        {
+        return UI_UTIL_read_pw_string(buf, length, prompt, verify);
+        }
+
+int _ossl_old_des_read_pw(char *buf,char *buff,int size,const char *prompt,int verify)
+        {
+        return UI_UTIL_read_pw(buf, buff, size, prompt, verify);
+        }
diff --git a/src/lib/libssl/src/crypto/ui/ui_compat.h b/src/lib/libssl/src/crypto/ui/ui_compat.h
new file mode 100644
index 0000000000..b35c9bb7fd
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ui/ui_compat.h
@@ -0,0 +1,83 @@
+/* crypto/ui/ui.h -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_UI_COMPAT_H
+#define HEADER_UI_COMPAT_H
+
+#include <openssl/opensslconf.h>
+#include <openssl/ui.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/* The following functions were previously part of the DES section,
+   and are provided here for backward compatibility reasons. */
+
+#define des_read_pw_string(b,l,p,v) \
+        _ossl_old_des_read_pw_string((b),(l),(p),(v))
+#define des_read_pw(b,bf,s,p,v) \
+        _ossl_old_des_read_pw((b),(bf),(s),(p),(v))
+
+int _ossl_old_des_read_pw_string(char *buf,int length,const char *prompt,int verify);
+int _ossl_old_des_read_pw(char *buf,char *buff,int size,const char *prompt,int verify);
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libssl/src/crypto/ui/ui_err.c b/src/lib/libssl/src/crypto/ui/ui_err.c
new file mode 100644
index 0000000000..39a62ae737
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ui/ui_err.c
@@ -0,0 +1,111 @@
+/* crypto/ui/ui_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/ui.h>
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA UI_str_functs[]=
+        {
+{ERR_PACK(0,UI_F_GENERAL_ALLOCATE_BOOLEAN,0),   "GENERAL_ALLOCATE_BOOLEAN"},
+{ERR_PACK(0,UI_F_GENERAL_ALLOCATE_PROMPT,0),    "GENERAL_ALLOCATE_PROMPT"},
+{ERR_PACK(0,UI_F_GENERAL_ALLOCATE_STRING,0),    "GENERAL_ALLOCATE_STRING"},
+{ERR_PACK(0,UI_F_UI_CTRL,0),    "UI_ctrl"},
+{ERR_PACK(0,UI_F_UI_DUP_ERROR_STRING,0),        "UI_dup_error_string"},
+{ERR_PACK(0,UI_F_UI_DUP_INFO_STRING,0), "UI_dup_info_string"},
+{ERR_PACK(0,UI_F_UI_DUP_INPUT_BOOLEAN,0),       "UI_dup_input_boolean"},
+{ERR_PACK(0,UI_F_UI_DUP_INPUT_STRING,0),        "UI_dup_input_string"},
+{ERR_PACK(0,UI_F_UI_DUP_VERIFY_STRING,0),       "UI_dup_verify_string"},
+{ERR_PACK(0,UI_F_UI_GET0_RESULT,0),     "UI_get0_result"},
+{ERR_PACK(0,UI_F_UI_NEW_METHOD,0),      "UI_new_method"},
+{ERR_PACK(0,UI_F_UI_SET_RESULT,0),      "UI_set_result"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA UI_str_reasons[]=
+        {
+{UI_R_COMMON_OK_AND_CANCEL_CHARACTERS    ,"common ok and cancel characters"},
+{UI_R_INDEX_TOO_LARGE                    ,"index too large"},
+{UI_R_INDEX_TOO_SMALL                    ,"index too small"},
+{UI_R_NO_RESULT_BUFFER                   ,"no result buffer"},
+{UI_R_RESULT_TOO_LARGE                   ,"result too large"},
+{UI_R_RESULT_TOO_SMALL                   ,"result too small"},
+{UI_R_UNKNOWN_CONTROL_COMMAND            ,"unknown control command"},
+{0,NULL}
+        };
+
+#endif
+
+void ERR_load_UI_strings(void)
+        {
+        static int init=1;
+
+        if (init)
+                {
+                init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(ERR_LIB_UI,UI_str_functs);
+                ERR_load_strings(ERR_LIB_UI,UI_str_reasons);
+#endif
+
+                }
+        }
diff --git a/src/lib/libssl/src/crypto/ui/ui_lib.c b/src/lib/libssl/src/crypto/ui/ui_lib.c
new file mode 100644
index 0000000000..16946cad95
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ui/ui_lib.c
@@ -0,0 +1,899 @@
+/* crypto/ui/ui_lib.c -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <string.h>
+#include <openssl/e_os2.h>
+#include <openssl/buffer.h>
+#include <openssl/ui.h>
+#include <openssl/err.h>
+#include "ui_locl.h"
+
+IMPLEMENT_STACK_OF(UI_STRING_ST)
+
+static const UI_METHOD *default_UI_meth=NULL;
+
+UI *UI_new(void)
+        {
+        return(UI_new_method(NULL));
+        }
+
+UI *UI_new_method(const UI_METHOD *method)
+        {
+        UI *ret;
+
+        ret=(UI *)OPENSSL_malloc(sizeof(UI));
+        if (ret == NULL)
+                {
+                UIerr(UI_F_UI_NEW_METHOD,ERR_R_MALLOC_FAILURE);
+                return NULL;
+                }
+        if (method == NULL)
+                ret->meth=UI_get_default_method();
+        else
+                ret->meth=method;
+
+        ret->strings=NULL;
+        ret->user_data=NULL;
+        CRYPTO_new_ex_data(CRYPTO_EX_INDEX_UI, ret, &ret->ex_data);
+        return ret;
+        }
+
+static void free_string(UI_STRING *uis)
+        {
+        if (uis->flags & OUT_STRING_FREEABLE)
+                {
+                OPENSSL_free((char *)uis->out_string);
+                switch(uis->type)
+                        {
+                case UIT_BOOLEAN:
+                        OPENSSL_free((char *)uis->_.boolean_data.action_desc);
+                        OPENSSL_free((char *)uis->_.boolean_data.ok_chars);
+                        OPENSSL_free((char *)uis->_.boolean_data.cancel_chars);
+                        break;
+                default:
+                        break;
+                        }
+                }
+        OPENSSL_free(uis);
+        }
+
+void UI_free(UI *ui)
+        {
+        if (ui == NULL)
+                return;
+        sk_UI_STRING_pop_free(ui->strings,free_string);
+        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_UI, ui, &ui->ex_data);
+        OPENSSL_free(ui);
+        }
+
+static int allocate_string_stack(UI *ui)
+        {
+        if (ui->strings == NULL)
+                {
+                ui->strings=sk_UI_STRING_new_null();
+                if (ui->strings == NULL)
+                        {
+                        return -1;
+                        }
+                }
+        return 0;
+        }
+
+static UI_STRING *general_allocate_prompt(UI *ui, const char *prompt,
+        int prompt_freeable, enum UI_string_types type, int input_flags,
+        char *result_buf)
+        {
+        UI_STRING *ret = NULL;
+
+        if (prompt == NULL)
+                {
+                UIerr(UI_F_GENERAL_ALLOCATE_PROMPT,ERR_R_PASSED_NULL_PARAMETER);
+                }
+        else if (result_buf == NULL)
+                {
+                UIerr(UI_F_GENERAL_ALLOCATE_PROMPT,UI_R_NO_RESULT_BUFFER);
+                }
+        else if ((ret = (UI_STRING *)OPENSSL_malloc(sizeof(UI_STRING))))
+                {
+                ret->out_string=prompt;
+                ret->flags=prompt_freeable ? OUT_STRING_FREEABLE : 0;
+                ret->input_flags=input_flags;
+                ret->type=type;
+                ret->result_buf=result_buf;
+                }
+        return ret;
+        }
+
+static int general_allocate_string(UI *ui, const char *prompt,
+        int prompt_freeable, enum UI_string_types type, int input_flags,
+        char *result_buf, int minsize, int maxsize, const char *test_buf)
+        {
+        int ret = -1;
+        UI_STRING *s = general_allocate_prompt(ui, prompt, prompt_freeable,
+                type, input_flags, result_buf);
+
+        if (s)
+                {
+                if (allocate_string_stack(ui) >= 0)
+                        {
+                        s->_.string_data.result_minsize=minsize;
+                        s->_.string_data.result_maxsize=maxsize;
+                        s->_.string_data.test_buf=test_buf;
+                        ret=sk_UI_STRING_push(ui->strings, s);
+                        /* sk_push() returns 0 on error.  Let's addapt that */
+                        if (ret <= 0) ret--;
+                        }
+                else
+                        free_string(s);
+                }
+        return ret;
+        }
+
+static int general_allocate_boolean(UI *ui,
+        const char *prompt, const char *action_desc,
+        const char *ok_chars, const char *cancel_chars,
+        int prompt_freeable, enum UI_string_types type, int input_flags,
+        char *result_buf)
+        {
+        int ret = -1;
+        UI_STRING *s;
+        const char *p;
+
+        if (ok_chars == NULL)
+                {
+                UIerr(UI_F_GENERAL_ALLOCATE_BOOLEAN,ERR_R_PASSED_NULL_PARAMETER);
+                }
+        else if (cancel_chars == NULL)
+                {
+                UIerr(UI_F_GENERAL_ALLOCATE_BOOLEAN,ERR_R_PASSED_NULL_PARAMETER);
+                }
+        else
+                {
+                for(p = ok_chars; *p; p++)
+                        {
+                        if (strchr(cancel_chars, *p))
+                                {
+                                UIerr(UI_F_GENERAL_ALLOCATE_BOOLEAN,
+                                        UI_R_COMMON_OK_AND_CANCEL_CHARACTERS);
+                                }
+                        }
+
+                s = general_allocate_prompt(ui, prompt, prompt_freeable,
+                        type, input_flags, result_buf);
+
+                if (s)
+                        {
+                        if (allocate_string_stack(ui) >= 0)
+                                {
+                                s->_.boolean_data.action_desc = action_desc;
+                                s->_.boolean_data.ok_chars = ok_chars;
+                                s->_.boolean_data.cancel_chars = cancel_chars;
+                                ret=sk_UI_STRING_push(ui->strings, s);
+                                /* sk_push() returns 0 on error.
+                                   Let's addapt that */
+                                if (ret <= 0) ret--;
+                                }
+                        else
+                                free_string(s);
+                        }
+                }
+        return ret;
+        }
+
+/* Returns the index to the place in the stack or 0 for error.  Uses a
+   direct reference to the prompt.  */
+int UI_add_input_string(UI *ui, const char *prompt, int flags,
+        char *result_buf, int minsize, int maxsize)
+        {
+        return general_allocate_string(ui, prompt, 0,
+                UIT_PROMPT, flags, result_buf, minsize, maxsize, NULL);
+        }
+
+/* Same as UI_add_input_string(), excepts it takes a copy of the prompt */
+int UI_dup_input_string(UI *ui, const char *prompt, int flags,
+        char *result_buf, int minsize, int maxsize)
+        {
+        char *prompt_copy=NULL;
+
+        if (prompt)
+                {
+                prompt_copy=BUF_strdup(prompt);
+                if (prompt_copy == NULL)
+                        {
+                        UIerr(UI_F_UI_DUP_INPUT_STRING,ERR_R_MALLOC_FAILURE);
+                        return 0;
+                        }
+                }
+        
+        return general_allocate_string(ui, prompt_copy, 1,
+                UIT_PROMPT, flags, result_buf, minsize, maxsize, NULL);
+        }
+
+int UI_add_verify_string(UI *ui, const char *prompt, int flags,
+        char *result_buf, int minsize, int maxsize, const char *test_buf)
+        {
+        return general_allocate_string(ui, prompt, 0,
+                UIT_VERIFY, flags, result_buf, minsize, maxsize, test_buf);
+        }
+
+int UI_dup_verify_string(UI *ui, const char *prompt, int flags,
+        char *result_buf, int minsize, int maxsize, const char *test_buf)
+        {
+        char *prompt_copy=NULL;
+
+        if (prompt)
+                {
+                prompt_copy=BUF_strdup(prompt);
+                if (prompt_copy == NULL)
+                        {
+                        UIerr(UI_F_UI_DUP_VERIFY_STRING,ERR_R_MALLOC_FAILURE);
+                        return -1;
+                        }
+                }
+        
+        return general_allocate_string(ui, prompt_copy, 1,
+                UIT_VERIFY, flags, result_buf, minsize, maxsize, test_buf);
+        }
+
+int UI_add_input_boolean(UI *ui, const char *prompt, const char *action_desc,
+        const char *ok_chars, const char *cancel_chars,
+        int flags, char *result_buf)
+        {
+        return general_allocate_boolean(ui, prompt, action_desc,
+                ok_chars, cancel_chars, 0, UIT_BOOLEAN, flags, result_buf);
+        }
+
+int UI_dup_input_boolean(UI *ui, const char *prompt, const char *action_desc,
+        const char *ok_chars, const char *cancel_chars,
+        int flags, char *result_buf)
+        {
+        char *prompt_copy = NULL;
+        char *action_desc_copy = NULL;
+        char *ok_chars_copy = NULL;
+        char *cancel_chars_copy = NULL;
+
+        if (prompt)
+                {
+                prompt_copy=BUF_strdup(prompt);
+                if (prompt_copy == NULL)
+                        {
+                        UIerr(UI_F_UI_DUP_INPUT_BOOLEAN,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
+                }
+        
+        if (action_desc)
+                {
+                action_desc_copy=BUF_strdup(action_desc);
+                if (action_desc_copy == NULL)
+                        {
+                        UIerr(UI_F_UI_DUP_INPUT_BOOLEAN,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
+                }
+        
+        if (ok_chars)
+                {
+                ok_chars_copy=BUF_strdup(ok_chars);
+                if (ok_chars_copy == NULL)
+                        {
+                        UIerr(UI_F_UI_DUP_INPUT_BOOLEAN,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
+                }
+        
+        if (cancel_chars)
+                {
+                cancel_chars_copy=BUF_strdup(cancel_chars);
+                if (cancel_chars_copy == NULL)
+                        {
+                        UIerr(UI_F_UI_DUP_INPUT_BOOLEAN,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
+                }
+        
+        return general_allocate_boolean(ui, prompt_copy, action_desc_copy,
+                ok_chars_copy, cancel_chars_copy, 1, UIT_BOOLEAN, flags,
+                result_buf);
+ err:
+        if (prompt_copy) OPENSSL_free(prompt_copy);
+        if (action_desc_copy) OPENSSL_free(action_desc_copy);
+        if (ok_chars_copy) OPENSSL_free(ok_chars_copy);
+        if (cancel_chars_copy) OPENSSL_free(cancel_chars_copy);
+        return -1;
+        }
+
+int UI_add_info_string(UI *ui, const char *text)
+        {
+        return general_allocate_string(ui, text, 0, UIT_INFO, 0, NULL, 0, 0,
+                NULL);
+        }
+
+int UI_dup_info_string(UI *ui, const char *text)
+        {
+        char *text_copy=NULL;
+
+        if (text)
+                {
+                text_copy=BUF_strdup(text);
+                if (text_copy == NULL)
+                        {
+                        UIerr(UI_F_UI_DUP_INFO_STRING,ERR_R_MALLOC_FAILURE);
+                        return -1;
+                        }
+                }
+
+        return general_allocate_string(ui, text_copy, 1, UIT_INFO, 0, NULL,
+                0, 0, NULL);
+        }
+
+int UI_add_error_string(UI *ui, const char *text)
+        {
+        return general_allocate_string(ui, text, 0, UIT_ERROR, 0, NULL, 0, 0,
+                NULL);
+        }
+
+int UI_dup_error_string(UI *ui, const char *text)
+        {
+        char *text_copy=NULL;
+
+        if (text)
+                {
+                text_copy=BUF_strdup(text);
+                if (text_copy == NULL)
+                        {
+                        UIerr(UI_F_UI_DUP_ERROR_STRING,ERR_R_MALLOC_FAILURE);
+                        return -1;
+                        }
+                }
+        return general_allocate_string(ui, text_copy, 1, UIT_ERROR, 0, NULL,
+                0, 0, NULL);
+        }
+
+char *UI_construct_prompt(UI *ui, const char *object_desc,
+        const char *object_name)
+        {
+        char *prompt = NULL;
+
+        if (ui->meth->ui_construct_prompt)
+                prompt = ui->meth->ui_construct_prompt(ui,
+                        object_desc, object_name);
+        else
+                {
+                char prompt1[] = "Enter ";
+                char prompt2[] = " for ";
+                char prompt3[] = ":";
+                int len = 0;
+
+                if (object_desc == NULL)
+                        return NULL;
+                len = sizeof(prompt1) - 1 + strlen(object_desc);
+                if (object_name)
+                        len += sizeof(prompt2) - 1 + strlen(object_name);
+                len += sizeof(prompt3) - 1;
+
+                prompt = (char *)OPENSSL_malloc(len + 1);
+                strcpy(prompt, prompt1);
+                strcat(prompt, object_desc);
+                if (object_name)
+                        {
+                        strcat(prompt, prompt2);
+                        strcat(prompt, object_name);
+                        }
+                strcat(prompt, prompt3);
+                }
+        return prompt;
+        }
+
+void *UI_add_user_data(UI *ui, void *user_data)
+        {
+        void *old_data = ui->user_data;
+        ui->user_data = user_data;
+        return old_data;
+        }
+
+void *UI_get0_user_data(UI *ui)
+        {
+        return ui->user_data;
+        }
+
+const char *UI_get0_result(UI *ui, int i)
+        {
+        if (i < 0)
+                {
+                UIerr(UI_F_UI_GET0_RESULT,UI_R_INDEX_TOO_SMALL);
+                return NULL;
+                }
+        if (i >= sk_UI_STRING_num(ui->strings))
+                {
+                UIerr(UI_F_UI_GET0_RESULT,UI_R_INDEX_TOO_LARGE);
+                return NULL;
+                }
+        return UI_get0_result_string(sk_UI_STRING_value(ui->strings, i));
+        }
+
+static int print_error(const char *str, size_t len, UI *ui)
+        {
+        UI_STRING uis;
+
+        memset(&uis, 0, sizeof(uis));
+        uis.type = UIT_ERROR;
+        uis.out_string = str;
+
+        if (ui->meth->ui_write_string
+                && !ui->meth->ui_write_string(ui, &uis))
+                return -1;
+        return 0;
+        }
+
+int UI_process(UI *ui)
+        {
+        int i, ok=0;
+
+        if (ui->meth->ui_open_session && !ui->meth->ui_open_session(ui))
+                return -1;
+
+        if (ui->flags & UI_FLAG_PRINT_ERRORS)
+                ERR_print_errors_cb(
+                        (int (*)(const char *, size_t, void *))print_error,
+                        (void *)ui);
+
+        for(i=0; i<sk_UI_STRING_num(ui->strings); i++)
+                {
+                if (ui->meth->ui_write_string
+                        && !ui->meth->ui_write_string(ui,
+                                sk_UI_STRING_value(ui->strings, i)))
+                        {
+                        ok=-1;
+                        goto err;
+                        }
+                }
+
+        if (ui->meth->ui_flush)
+                switch(ui->meth->ui_flush(ui))
+                        {
+                case -1: /* Interrupt/Cancel/something... */
+                        ok = -2;
+                        goto err;
+                case 0: /* Errors */
+                        ok = -1;
+                        goto err;
+                default: /* Success */
+                        ok = 0;
+                        break;
+                        }
+
+        for(i=0; i<sk_UI_STRING_num(ui->strings); i++)
+                {
+                if (ui->meth->ui_read_string)
+                        {
+                        switch(ui->meth->ui_read_string(ui,
+                                sk_UI_STRING_value(ui->strings, i)))
+                                {
+                        case -1: /* Interrupt/Cancel/something... */
+                                ok = -2;
+                                goto err;
+                        case 0: /* Errors */
+                                ok = -1;
+                                goto err;
+                        default: /* Success */
+                                ok = 0;
+                                break;
+                                }
+                        }
+                }
+ err:
+        if (ui->meth->ui_close_session && !ui->meth->ui_close_session(ui))
+                return -1;
+        return ok;
+        }
+
+int UI_ctrl(UI *ui, int cmd, long i, void *p, void (*f)())
+        {
+        if (ui == NULL)
+                {
+                UIerr(UI_F_UI_CTRL,ERR_R_PASSED_NULL_PARAMETER);
+                return -1;
+                }
+        switch(cmd)
+                {
+        case UI_CTRL_PRINT_ERRORS:
+                {
+                int save_flag = !!(ui->flags & UI_FLAG_PRINT_ERRORS);
+                if (i)
+                        ui->flags |= UI_FLAG_PRINT_ERRORS;
+                else
+                        ui->flags &= ~UI_FLAG_PRINT_ERRORS;
+                return save_flag;
+                }
+        case UI_CTRL_IS_REDOABLE:
+                return !!(ui->flags & UI_FLAG_REDOABLE);
+        default:
+                break;
+                }
+        UIerr(UI_F_UI_CTRL,UI_R_UNKNOWN_CONTROL_COMMAND);
+        return -1;
+        }
+
+int UI_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+             CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
+        {
+        return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_UI, argl, argp,
+                                new_func, dup_func, free_func);
+        }
+
+int UI_set_ex_data(UI *r, int idx, void *arg)
+        {
+        return(CRYPTO_set_ex_data(&r->ex_data,idx,arg));
+        }
+
+void *UI_get_ex_data(UI *r, int idx)
+        {
+        return(CRYPTO_get_ex_data(&r->ex_data,idx));
+        }
+
+void UI_set_default_method(const UI_METHOD *meth)
+        {
+        default_UI_meth=meth;
+        }
+
+const UI_METHOD *UI_get_default_method(void)
+        {
+        if (default_UI_meth == NULL)
+                {
+                default_UI_meth=UI_OpenSSL();
+                }
+        return default_UI_meth;
+        }
+
+const UI_METHOD *UI_get_method(UI *ui)
+        {
+        return ui->meth;
+        }
+
+const UI_METHOD *UI_set_method(UI *ui, const UI_METHOD *meth)
+        {
+        ui->meth=meth;
+        return ui->meth;
+        }
+
+
+UI_METHOD *UI_create_method(char *name)
+        {
+        UI_METHOD *ui_method = (UI_METHOD *)OPENSSL_malloc(sizeof(UI_METHOD));
+
+        if (ui_method)
+                memset(ui_method, 0, sizeof(*ui_method));
+        ui_method->name = BUF_strdup(name);
+        return ui_method;
+        }
+
+/* BIG FSCKING WARNING!!!!  If you use this on a statically allocated method
+   (that is, it hasn't been allocated using UI_create_method(), you deserve
+   anything Murphy can throw at you and more!  You have been warned. */
+void UI_destroy_method(UI_METHOD *ui_method)
+        {
+        OPENSSL_free(ui_method->name);
+        ui_method->name = NULL;
+        OPENSSL_free(ui_method);
+        }
+
+int UI_method_set_opener(UI_METHOD *method, int (*opener)(UI *ui))
+        {
+        if (method)
+                {
+                method->ui_open_session = opener;
+                return 0;
+                }
+        else
+                return -1;
+        }
+
+int UI_method_set_writer(UI_METHOD *method, int (*writer)(UI *ui, UI_STRING *uis))
+        {
+        if (method)
+                {
+                method->ui_write_string = writer;
+                return 0;
+                }
+        else
+                return -1;
+        }
+
+int UI_method_set_flusher(UI_METHOD *method, int (*flusher)(UI *ui))
+        {
+        if (method)
+                {
+                method->ui_flush = flusher;
+                return 0;
+                }
+        else
+                return -1;
+        }
+
+int UI_method_set_reader(UI_METHOD *method, int (*reader)(UI *ui, UI_STRING *uis))
+        {
+        if (method)
+                {
+                method->ui_read_string = reader;
+                return 0;
+                }
+        else
+                return -1;
+        }
+
+int UI_method_set_closer(UI_METHOD *method, int (*closer)(UI *ui))
+        {
+        if (method)
+                {
+                method->ui_close_session = closer;
+                return 0;
+                }
+        else
+                return -1;
+        }
+
+int (*UI_method_get_opener(UI_METHOD *method))(UI*)
+        {
+        if (method)
+                return method->ui_open_session;
+        else
+                return NULL;
+        }
+
+int (*UI_method_get_writer(UI_METHOD *method))(UI*,UI_STRING*)
+        {
+        if (method)
+                return method->ui_write_string;
+        else
+                return NULL;
+        }
+
+int (*UI_method_get_flusher(UI_METHOD *method))(UI*)
+        {
+        if (method)
+                return method->ui_flush;
+        else
+                return NULL;
+        }
+
+int (*UI_method_get_reader(UI_METHOD *method))(UI*,UI_STRING*)
+        {
+        if (method)
+                return method->ui_read_string;
+        else
+                return NULL;
+        }
+
+int (*UI_method_get_closer(UI_METHOD *method))(UI*)
+        {
+        if (method)
+                return method->ui_close_session;
+        else
+                return NULL;
+        }
+
+enum UI_string_types UI_get_string_type(UI_STRING *uis)
+        {
+        if (!uis)
+                return UIT_NONE;
+        return uis->type;
+        }
+
+int UI_get_input_flags(UI_STRING *uis)
+        {
+        if (!uis)
+                return 0;
+        return uis->input_flags;
+        }
+
+const char *UI_get0_output_string(UI_STRING *uis)
+        {
+        if (!uis)
+                return NULL;
+        return uis->out_string;
+        }
+
+const char *UI_get0_action_string(UI_STRING *uis)
+        {
+        if (!uis)
+                return NULL;
+        switch(uis->type)
+                {
+        case UIT_PROMPT:
+        case UIT_BOOLEAN:
+                return uis->_.boolean_data.action_desc;
+        default:
+                return NULL;
+                }
+        }
+
+const char *UI_get0_result_string(UI_STRING *uis)
+        {
+        if (!uis)
+                return NULL;
+        switch(uis->type)
+                {
+        case UIT_PROMPT:
+        case UIT_VERIFY:
+                return uis->result_buf;
+        default:
+                return NULL;
+                }
+        }
+
+const char *UI_get0_test_string(UI_STRING *uis)
+        {
+        if (!uis)
+                return NULL;
+        switch(uis->type)
+                {
+        case UIT_VERIFY:
+                return uis->_.string_data.test_buf;
+        default:
+                return NULL;
+                }
+        }
+
+int UI_get_result_minsize(UI_STRING *uis)
+        {
+        if (!uis)
+                return -1;
+        switch(uis->type)
+                {
+        case UIT_PROMPT:
+        case UIT_VERIFY:
+                return uis->_.string_data.result_minsize;
+        default:
+                return -1;
+                }
+        }
+
+int UI_get_result_maxsize(UI_STRING *uis)
+        {
+        if (!uis)
+                return -1;
+        switch(uis->type)
+                {
+        case UIT_PROMPT:
+        case UIT_VERIFY:
+                return uis->_.string_data.result_maxsize;
+        default:
+                return -1;
+                }
+        }
+
+int UI_set_result(UI *ui, UI_STRING *uis, const char *result)
+        {
+        int l = strlen(result);
+
+        ui->flags &= ~UI_FLAG_REDOABLE;
+
+        if (!uis)
+                return -1;
+        switch (uis->type)
+                {
+        case UIT_PROMPT:
+        case UIT_VERIFY:
+                {
+                char number1[20];
+                char number2[20];
+
+                BIO_snprintf(number1, sizeof(number1), "%d",
+                        uis->_.string_data.result_minsize);
+                BIO_snprintf(number2, sizeof(number2), "%d",
+                        uis->_.string_data.result_maxsize);
+
+                if (l < uis->_.string_data.result_minsize)
+                        {
+                        ui->flags |= UI_FLAG_REDOABLE;
+                        UIerr(UI_F_UI_SET_RESULT,UI_R_RESULT_TOO_SMALL);
+                        ERR_add_error_data(5,"You must type in ",
+                                number1," to ",number2," characters");
+                        return -1;
+                        }
+                if (l > uis->_.string_data.result_maxsize)
+                        {
+                        ui->flags |= UI_FLAG_REDOABLE;
+                        UIerr(UI_F_UI_SET_RESULT,UI_R_RESULT_TOO_LARGE);
+                        ERR_add_error_data(5,"You must type in ",
+                                number1," to ",number2," characters");
+                        return -1;
+                        }
+                }
+
+                if (!uis->result_buf)
+                        {
+                        UIerr(UI_F_UI_SET_RESULT,UI_R_NO_RESULT_BUFFER);
+                        return -1;
+                        }
+
+                strcpy(uis->result_buf, result);
+                break;
+        case UIT_BOOLEAN:
+                {
+                const char *p;
+
+                if (!uis->result_buf)
+                        {
+                        UIerr(UI_F_UI_SET_RESULT,UI_R_NO_RESULT_BUFFER);
+                        return -1;
+                        }
+
+                uis->result_buf[0] = '\0';
+                for(p = result; *p; p++)
+                        {
+                        if (strchr(uis->_.boolean_data.ok_chars, *p))
+                                {
+                                uis->result_buf[0] =
+                                        uis->_.boolean_data.ok_chars[0];
+                                break;
+                                }
+                        if (strchr(uis->_.boolean_data.cancel_chars, *p))
+                                {
+                                uis->result_buf[0] =
+                                        uis->_.boolean_data.cancel_chars[0];
+                                break;
+                                }
+                        }
+        default:
+                break;
+                }
+                }
+        return 0;
+        }
diff --git a/src/lib/libssl/src/crypto/ui/ui_locl.h b/src/lib/libssl/src/crypto/ui/ui_locl.h
new file mode 100644
index 0000000000..7d3a75a619
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ui/ui_locl.h
@@ -0,0 +1,148 @@
+/* crypto/ui/ui.h -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_UI_LOCL_H
+#define HEADER_UI_LOCL_H
+
+#include <openssl/ui.h>
+
+struct ui_method_st
+        {
+        char *name;
+
+        /* All the functions return 1 or non-NULL for success and 0 or NULL
+           for failure */
+
+        /* Open whatever channel for this, be it the console, an X window
+           or whatever.
+           This function should use the ex_data structure to save
+           intermediate data. */
+        int (*ui_open_session)(UI *ui);
+
+        int (*ui_write_string)(UI *ui, UI_STRING *uis);
+
+        /* Flush the output.  If a GUI dialog box is used, this function can
+           be used to actually display it. */
+        int (*ui_flush)(UI *ui);
+
+        int (*ui_read_string)(UI *ui, UI_STRING *uis);
+
+        int (*ui_close_session)(UI *ui);
+
+        /* Construct a prompt in a user-defined manner.  object_desc is a
+           textual short description of the object, for example "pass phrase",
+           and object_name is the name of the object (might be a card name or
+           a file name.
+           The returned string shall always be allocated on the heap with
+           OPENSSL_malloc(), and need to be free'd with OPENSSL_free(). */
+        char *(*ui_construct_prompt)(UI *ui, const char *object_desc,
+                const char *object_name);
+        };
+
+struct ui_string_st
+        {
+        enum UI_string_types type; /* Input */
+        const char *out_string; /* Input */
+        int input_flags;        /* Flags from the user */
+
+        /* The following parameters are completely irrelevant for UIT_INFO,
+           and can therefore be set to 0 or NULL */
+        char *result_buf;       /* Input and Output: If not NULL, user-defined
+                                   with size in result_maxsize.  Otherwise, it
+                                   may be allocated by the UI routine, meaning
+                                   result_minsize is going to be overwritten.*/
+        union
+                {
+                struct
+                        {
+                        int result_minsize;     /* Input: minimum required
+                                                   size of the result.
+                                                */
+                        int result_maxsize;     /* Input: maximum permitted
+                                                   size of the result */
+
+                        const char *test_buf;   /* Input: test string to verify
+                                                   against */
+                        } string_data;
+                struct
+                        {
+                        const char *action_desc; /* Input */
+                        const char *ok_chars; /* Input */
+                        const char *cancel_chars; /* Input */
+                        } boolean_data;
+                } _;
+
+#define OUT_STRING_FREEABLE 0x01
+        int flags;              /* flags for internal use */
+        };
+
+struct ui_st
+        {
+        const UI_METHOD *meth;
+        STACK_OF(UI_STRING) *strings; /* We might want to prompt for more
+                                         than one thing at a time, and
+                                         with different echoing status.  */
+        void *user_data;
+        CRYPTO_EX_DATA ex_data;
+
+#define UI_FLAG_REDOABLE        0x0001
+#define UI_FLAG_PRINT_ERRORS    0x0100
+        int flags;
+        };
+
+#endif
diff --git a/src/lib/libssl/src/crypto/ui/ui_openssl.c b/src/lib/libssl/src/crypto/ui/ui_openssl.c
new file mode 100644
index 0000000000..3aa03f74aa
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ui/ui_openssl.c
@@ -0,0 +1,661 @@
+/* crypto/ui/ui_openssl.c -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) and others
+ * for the OpenSSL project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* The lowest level part of this file was previously in crypto/des/read_pwd.c,
+ * Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+
+#include <openssl/e_os2.h>
+
+#if !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VMS)
+# ifdef OPENSSL_UNISTD
+#  include OPENSSL_UNISTD
+# else
+#  include <unistd.h>
+# endif
+/* If unistd.h defines _POSIX_VERSION, we conclude that we
+ * are on a POSIX system and have sigaction and termios. */
+# if defined(_POSIX_VERSION)
+
+#  define SIGACTION
+#  if !defined(TERMIOS) && !defined(TERMIO) && !defined(SGTTY)
+#   define TERMIOS
+#  endif
+
+# endif
+#endif
+
+#ifdef WIN16TTY
+# undef OPENSSL_SYS_WIN16
+# undef WIN16
+# undef _WINDOWS
+# include <graph.h>
+#endif
+
+/* 06-Apr-92 Luke Brennan    Support for VMS */
+#include "ui_locl.h"
+#include "cryptlib.h"
+#include <signal.h>
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+
+#ifdef OPENSSL_SYS_VMS          /* prototypes for sys$whatever */
+# include <starlet.h>
+# ifdef __DECC
+#  pragma message disable DOLLARID
+# endif
+#endif
+
+#ifdef WIN_CONSOLE_BUG
+# include <windows.h>
+# include <wincon.h>
+#endif
+
+
+/* There are 5 types of terminal interface supported,
+ * TERMIO, TERMIOS, VMS, MSDOS and SGTTY
+ */
+
+#if defined(__sgi) && !defined(TERMIOS)
+# define TERMIOS
+# undef  TERMIO
+# undef  SGTTY
+#endif
+
+#if defined(linux) && !defined(TERMIO)
+# undef  TERMIOS
+# define TERMIO
+# undef  SGTTY
+#endif
+
+#ifdef _LIBC
+# undef  TERMIOS
+# define TERMIO
+# undef  SGTTY
+#endif
+
+#if !defined(TERMIO) && !defined(TERMIOS) && !defined(OPENSSL_SYS_VMS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_MACINTOSH_CLASSIC) && !defined(MAC_OS_GUSI_SOURCE)
+# undef  TERMIOS
+# undef  TERMIO
+# define SGTTY
+#endif
+
+#if defined(OPENSSL_SYS_VSWORKS)
+#undef TERMIOS
+#undef TERMIO
+#undef SGTTY
+#endif
+
+#ifdef TERMIOS
+# include <termios.h>
+# define TTY_STRUCT             struct termios
+# define TTY_FLAGS              c_lflag
+# define TTY_get(tty,data)      tcgetattr(tty,data)
+# define TTY_set(tty,data)      tcsetattr(tty,TCSANOW,data)
+#endif
+
+#ifdef TERMIO
+# include <termio.h>
+# define TTY_STRUCT             struct termio
+# define TTY_FLAGS              c_lflag
+# define TTY_get(tty,data)      ioctl(tty,TCGETA,data)
+# define TTY_set(tty,data)      ioctl(tty,TCSETA,data)
+#endif
+
+#ifdef SGTTY
+# include <sgtty.h>
+# define TTY_STRUCT             struct sgttyb
+# define TTY_FLAGS              sg_flags
+# define TTY_get(tty,data)      ioctl(tty,TIOCGETP,data)
+# define TTY_set(tty,data)      ioctl(tty,TIOCSETP,data)
+#endif
+
+#if !defined(_LIBC) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VMS) && !defined(OPENSSL_SYS_MACINTOSH_CLASSIC)
+# include <sys/ioctl.h>
+#endif
+
+#ifdef OPENSSL_SYS_MSDOS
+# include <conio.h>
+#endif
+
+#ifdef OPENSSL_SYS_VMS
+# include <ssdef.h>
+# include <iodef.h>
+# include <ttdef.h>
+# include <descrip.h>
+struct IOSB {
+        short iosb$w_value;
+        short iosb$w_count;
+        long  iosb$l_info;
+        };
+#endif
+
+#if defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(MAC_OS_GUSI_SOURCE)
+/*
+ * This one needs work. As a matter of fact the code is unoperational
+ * and this is only a trick to get it compiled.
+ *                                      <appro@fy.chalmers.se>
+ */
+# define TTY_STRUCT int
+#endif
+
+#ifndef NX509_SIG
+# define NX509_SIG 32
+#endif
+
+
+/* Define globals.  They are protected by a lock */
+#ifdef SIGACTION
+static struct sigaction savsig[NX509_SIG];
+#else
+static void (*savsig[NX509_SIG])(int );
+#endif
+
+#ifdef OPENSSL_SYS_VMS
+static struct IOSB iosb;
+static $DESCRIPTOR(terminal,"TT");
+static long tty_orig[3], tty_new[3]; /* XXX   Is there any guarantee that this will always suffice for the actual structures? */
+static long status;
+static unsigned short channel = 0;
+#else
+#ifndef OPENSSL_SYS_MSDOS
+static TTY_STRUCT tty_orig,tty_new;
+#endif
+#endif
+static FILE *tty_in, *tty_out;
+static int is_a_tty;
+
+/* Declare static functions */
+static void read_till_nl(FILE *);
+static void recsig(int);
+static void pushsig(void);
+static void popsig(void);
+#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN16)
+static int noecho_fgets(char *buf, int size, FILE *tty);
+#endif
+static int read_string_inner(UI *ui, UI_STRING *uis, int echo, int strip_nl);
+
+static int read_string(UI *ui, UI_STRING *uis);
+static int write_string(UI *ui, UI_STRING *uis);
+
+static int open_console(UI *ui);
+static int echo_console(UI *ui);
+static int noecho_console(UI *ui);
+static int close_console(UI *ui);
+
+static UI_METHOD ui_openssl =
+        {
+        "OpenSSL default user interface",
+        open_console,
+        write_string,
+        NULL,                   /* No flusher is needed for command lines */
+        read_string,
+        close_console,
+        NULL
+        };
+
+/* The method with all the built-in thingies */
+UI_METHOD *UI_OpenSSL(void)
+        {
+        return &ui_openssl;
+        }
+
+/* The following function makes sure that info and error strings are printed
+   before any prompt. */
+static int write_string(UI *ui, UI_STRING *uis)
+        {
+        switch (UI_get_string_type(uis))
+                {
+        case UIT_ERROR:
+        case UIT_INFO:
+                fputs(UI_get0_output_string(uis), tty_out);
+                fflush(tty_out);
+                break;
+        default:
+                break;
+                }
+        return 1;
+        }
+
+static int read_string(UI *ui, UI_STRING *uis)
+        {
+        int ok = 0;
+
+        switch (UI_get_string_type(uis))
+                {
+        case UIT_BOOLEAN:
+                fputs(UI_get0_output_string(uis), tty_out);
+                fputs(UI_get0_action_string(uis), tty_out);
+                fflush(tty_out);
+                return read_string_inner(ui, uis,
+                        UI_get_input_flags(uis) & UI_INPUT_FLAG_ECHO, 0);
+        case UIT_PROMPT:
+                fputs(UI_get0_output_string(uis), tty_out);
+                fflush(tty_out);
+                return read_string_inner(ui, uis,
+                        UI_get_input_flags(uis) & UI_INPUT_FLAG_ECHO, 1);
+        case UIT_VERIFY:
+                fprintf(tty_out,"Verifying - %s",
+                        UI_get0_output_string(uis));
+                fflush(tty_out);
+                if ((ok = read_string_inner(ui, uis,
+                        UI_get_input_flags(uis) & UI_INPUT_FLAG_ECHO, 1)) <= 0)
+                        return ok;
+                if (strcmp(UI_get0_result_string(uis),
+                        UI_get0_test_string(uis)) != 0)
+                        {
+                        fprintf(tty_out,"Verify failure\n");
+                        fflush(tty_out);
+                        return 0;
+                        }
+                break;
+        default:
+                break;
+                }
+        return 1;
+        }
+
+
+/* Internal functions to read a string without echoing */
+static void read_till_nl(FILE *in)
+        {
+#define SIZE 4
+        char buf[SIZE+1];
+
+        do      {
+                fgets(buf,SIZE,in);
+                } while (strchr(buf,'\n') == NULL);
+        }
+
+static sig_atomic_t intr_signal;
+
+static int read_string_inner(UI *ui, UI_STRING *uis, int echo, int strip_nl)
+        {
+        static int ps;
+        int ok;
+        char result[BUFSIZ];
+        int maxsize = BUFSIZ-1;
+        char *p;
+
+#ifndef OPENSSL_SYS_WIN16
+        intr_signal=0;
+        ok=0;
+        ps=0;
+
+        pushsig();
+        ps=1;
+
+        if (!echo && !noecho_console(ui))
+                goto error;
+        ps=2;
+
+        result[0]='\0';
+#ifdef OPENSSL_SYS_MSDOS
+        if (!echo)
+                {
+                noecho_fgets(result,maxsize,tty_in);
+                p=result; /* FIXME: noecho_fgets doesn't return errors */
+                }
+        else
+                p=fgets(result,maxsize,tty_in);
+#else
+        p=fgets(result,maxsize,tty_in);
+#endif
+        if(!p)
+                goto error;
+        if (feof(tty_in)) goto error;
+        if (ferror(tty_in)) goto error;
+        if ((p=(char *)strchr(result,'\n')) != NULL)
+                {
+                if (strip_nl)
+                        *p='\0';
+                }
+        else
+                read_till_nl(tty_in);
+        if (UI_set_result(ui, uis, result) >= 0)
+                ok=1;
+
+error:
+        if (intr_signal == SIGINT)
+                ok=-1;
+        if (!echo) fprintf(tty_out,"\n");
+        if (ps >= 2 && !echo && !echo_console(ui))
+                ok=0;
+
+        if (ps >= 1)
+                popsig();
+#else
+        ok=1;
+#endif
+
+        memset(result,0,BUFSIZ);
+        return ok;
+        }
+
+
+/* Internal functions to open, handle and close a channel to the console.  */
+static int open_console(UI *ui)
+        {
+        CRYPTO_w_lock(CRYPTO_LOCK_UI);
+        is_a_tty = 1;
+
+#if defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_VSWORKS)
+        tty_in=stdin;
+        tty_out=stderr;
+#else
+#  ifdef OPENSSL_SYS_MSDOS
+#    define DEV_TTY "con"
+#  else
+#    define DEV_TTY "/dev/tty"
+#  endif
+        if ((tty_in=fopen(DEV_TTY,"r")) == NULL)
+                tty_in=stdin;
+        if ((tty_out=fopen(DEV_TTY,"w")) == NULL)
+                tty_out=stderr;
+#endif
+
+#if defined(TTY_get) && !defined(VMS)
+        if (TTY_get(fileno(tty_in),&tty_orig) == -1)
+                {
+#ifdef ENOTTY
+                if (errno == ENOTTY)
+                        is_a_tty=0;
+                else
+#endif
+#ifdef EINVAL
+                /* Ariel Glenn ariel@columbia.edu reports that solaris
+                 * can return EINVAL instead.  This should be ok */
+                if (errno == EINVAL)
+                        is_a_tty=0;
+                else
+#endif
+                        return 0;
+                }
+#endif
+#ifdef OPENSSL_SYS_VMS
+        status = sys$assign(&terminal,&channel,0,0);
+        if (status != SS$_NORMAL)
+                return 0;
+        status=sys$qiow(0,channel,IO$_SENSEMODE,&iosb,0,0,tty_orig,12,0,0,0,0);
+        if ((status != SS$_NORMAL) || (iosb.iosb$w_value != SS$_NORMAL))
+                return 0;
+#endif
+        return 1;
+        }
+
+static int noecho_console(UI *ui)
+        {
+#ifdef TTY_FLAGS
+        memcpy(&(tty_new),&(tty_orig),sizeof(tty_orig));
+        tty_new.TTY_FLAGS &= ~ECHO;
+#endif
+
+#if defined(TTY_set) && !defined(OPENSSL_SYS_VMS)
+        if (is_a_tty && (TTY_set(fileno(tty_in),&tty_new) == -1))
+                return 0;
+#endif
+#ifdef OPENSSL_SYS_VMS
+        tty_new[0] = tty_orig[0];
+        tty_new[1] = tty_orig[1] | TT$M_NOECHO;
+        tty_new[2] = tty_orig[2];
+        status = sys$qiow(0,channel,IO$_SETMODE,&iosb,0,0,tty_new,12,0,0,0,0);
+        if ((status != SS$_NORMAL) || (iosb.iosb$w_value != SS$_NORMAL))
+                return 0;
+#endif
+        return 1;
+        }
+
+static int echo_console(UI *ui)
+        {
+#if defined(TTY_set) && !defined(OPENSSL_SYS_VMS)
+        memcpy(&(tty_new),&(tty_orig),sizeof(tty_orig));
+        tty_new.TTY_FLAGS |= ECHO;
+#endif
+
+#if defined(TTY_set) && !defined(OPENSSL_SYS_VMS)
+        if (is_a_tty && (TTY_set(fileno(tty_in),&tty_new) == -1))
+                return 0;
+#endif
+#ifdef OPENSSL_SYS_VMS
+        tty_new[0] = tty_orig[0];
+        tty_new[1] = tty_orig[1] & ~TT$M_NOECHO;
+        tty_new[2] = tty_orig[2];
+        status = sys$qiow(0,channel,IO$_SETMODE,&iosb,0,0,tty_new,12,0,0,0,0);
+        if ((status != SS$_NORMAL) || (iosb.iosb$w_value != SS$_NORMAL))
+                return 0;
+#endif
+        return 1;
+        }
+
+static int close_console(UI *ui)
+        {
+        if (tty_in != stderr) fclose(tty_in);
+        if (tty_out != stderr) fclose(tty_out);
+#ifdef OPENSSL_SYS_VMS
+        status = sys$dassgn(channel);
+#endif
+        CRYPTO_w_unlock(CRYPTO_LOCK_UI);
+
+        return 1;
+        }
+
+
+/* Internal functions to handle signals and act on them */
+static void pushsig(void)
+        {
+        int i;
+#ifdef SIGACTION
+        struct sigaction sa;
+
+        memset(&sa,0,sizeof sa);
+        sa.sa_handler=recsig;
+#endif
+
+        for (i=1; i<NX509_SIG; i++)
+                {
+#ifdef SIGUSR1
+                if (i == SIGUSR1)
+                        continue;
+#endif
+#ifdef SIGUSR2
+                if (i == SIGUSR2)
+                        continue;
+#endif
+#ifdef SIGKILL
+                if (i == SIGKILL) /* We can't make any action on that. */
+                        continue;
+#endif
+#ifdef SIGACTION
+                sigaction(i,&sa,&savsig[i]);
+#else
+                savsig[i]=signal(i,recsig);
+#endif
+                }
+
+#ifdef SIGWINCH
+        signal(SIGWINCH,SIG_DFL);
+#endif
+        }
+
+static void popsig(void)
+        {
+        int i;
+
+        for (i=1; i<NX509_SIG; i++)
+                {
+#ifdef SIGUSR1
+                if (i == SIGUSR1)
+                        continue;
+#endif
+#ifdef SIGUSR2
+                if (i == SIGUSR2)
+                        continue;
+#endif
+#ifdef SIGACTION
+                sigaction(i,&savsig[i],NULL);
+#else
+                signal(i,savsig[i]);
+#endif
+                }
+        }
+
+static void recsig(int i)
+        {
+        intr_signal=i;
+        }
+
+/* Internal functions specific for Windows */
+#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN16)
+static int noecho_fgets(char *buf, int size, FILE *tty)
+        {
+        int i;
+        char *p;
+
+        p=buf;
+        for (;;)
+                {
+                if (size == 0)
+                        {
+                        *p='\0';
+                        break;
+                        }
+                size--;
+#ifdef WIN16TTY
+                i=_inchar();
+#else
+                i=getch();
+#endif
+                if (i == '\r') i='\n';
+                *(p++)=i;
+                if (i == '\n')
+                        {
+                        *p='\0';
+                        break;
+                        }
+                }
+#ifdef WIN_CONSOLE_BUG
+/* Win95 has several evil console bugs: one of these is that the
+ * last character read using getch() is passed to the next read: this is
+ * usually a CR so this can be trouble. No STDIO fix seems to work but
+ * flushing the console appears to do the trick.
+ */
+                {
+                        HANDLE inh;
+                        inh = GetStdHandle(STD_INPUT_HANDLE);
+                        FlushConsoleInputBuffer(inh);
+                }
+#endif
+        return(strlen(buf));
+        }
+#endif
diff --git a/src/lib/libssl/src/crypto/ui/ui_util.c b/src/lib/libssl/src/crypto/ui/ui_util.c
new file mode 100644
index 0000000000..7c6f7d3a73
--- /dev/null
+++ b/src/lib/libssl/src/crypto/ui/ui_util.c
@@ -0,0 +1,86 @@
+/* crypto/ui/ui_util.c -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 2001-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <string.h>
+#include <openssl/ui.h>
+
+int UI_UTIL_read_pw_string(char *buf,int length,const char *prompt,int verify)
+        {
+        char buff[BUFSIZ];
+        int ret;
+
+        ret=UI_UTIL_read_pw(buf,buff,(length>BUFSIZ)?BUFSIZ:length,prompt,verify);
+        memset(buff,0,BUFSIZ);
+        return(ret);
+        }
+
+int UI_UTIL_read_pw(char *buf,char *buff,int size,const char *prompt,int verify)
+        {
+        int ok = 0;
+        UI *ui;
+
+        ui = UI_new();
+        if (ui)
+                {
+                ok = UI_add_input_string(ui,prompt,0,buf,0,BUFSIZ-1);
+                if (ok == 0 && verify)
+                        ok = UI_add_verify_string(ui,prompt,0,buff,0,BUFSIZ-1,
+                                buf);
+                if (ok == 0)
+                        ok=UI_process(ui);
+                UI_free(ui);
+                }
+        return(ok);
+        }
diff --git a/src/lib/libssl/src/crypto/uid.c b/src/lib/libssl/src/crypto/uid.c
new file mode 100644
index 0000000000..b5b61b76d4
--- /dev/null
+++ b/src/lib/libssl/src/crypto/uid.c
@@ -0,0 +1,88 @@
+/* crypto/uid.c */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/crypto.h>
+
+#if defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD__ > 2)
+
+#include <unistd.h>
+
+int OPENSSL_issetugid(void)
+        {
+        return issetugid();
+        }
+
+#elif defined(WIN32)
+
+int OPENSSL_issetugid(void)
+        {
+        return 0;
+        }
+
+#else
+
+#include <unistd.h>
+#include <sys/types.h>
+
+int OPENSSL_issetugid(void)
+        {
+        if (getuid() != geteuid()) return 1;
+        if (getgid() != getegid()) return 1;
+        return 0;
+        }
+#endif
+
+
+
diff --git a/src/lib/libssl/src/crypto/x509/x509_att.c b/src/lib/libssl/src/crypto/x509/x509_att.c
new file mode 100644
index 0000000000..caafde658f
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509/x509_att.c
@@ -0,0 +1,326 @@
+/* crypto/x509/x509_att.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <openssl/stack.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x)
+{
+        if (!x) return 0;
+        return(sk_X509_ATTRIBUTE_num(x));
+}
+
+int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, int nid,
+                          int lastpos)
+{
+        ASN1_OBJECT *obj;
+
+        obj=OBJ_nid2obj(nid);
+        if (obj == NULL) return(-2);
+        return(X509at_get_attr_by_OBJ(x,obj,lastpos));
+}
+
+int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, ASN1_OBJECT *obj,
+                          int lastpos)
+{
+        int n;
+        X509_ATTRIBUTE *ex;
+
+        if (sk == NULL) return(-1);
+        lastpos++;
+        if (lastpos < 0)
+                lastpos=0;
+        n=sk_X509_ATTRIBUTE_num(sk);
+        for ( ; lastpos < n; lastpos++)
+                {
+                ex=sk_X509_ATTRIBUTE_value(sk,lastpos);
+                if (OBJ_cmp(ex->object,obj) == 0)
+                        return(lastpos);
+                }
+        return(-1);
+}
+
+X509_ATTRIBUTE *X509at_get_attr(const STACK_OF(X509_ATTRIBUTE) *x, int loc)
+{
+        if (x == NULL || sk_X509_ATTRIBUTE_num(x) <= loc || loc < 0)
+                return NULL;
+        else
+                return sk_X509_ATTRIBUTE_value(x,loc);
+}
+
+X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, int loc)
+{
+        X509_ATTRIBUTE *ret;
+
+        if (x == NULL || sk_X509_ATTRIBUTE_num(x) <= loc || loc < 0)
+                return(NULL);
+        ret=sk_X509_ATTRIBUTE_delete(x,loc);
+        return(ret);
+}
+
+STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
+                                         X509_ATTRIBUTE *attr)
+{
+        X509_ATTRIBUTE *new_attr=NULL;
+        STACK_OF(X509_ATTRIBUTE) *sk=NULL;
+
+        if ((x != NULL) && (*x == NULL))
+                {
+                if ((sk=sk_X509_ATTRIBUTE_new_null()) == NULL)
+                        goto err;
+                }
+        else
+                sk= *x;
+
+        if ((new_attr=X509_ATTRIBUTE_dup(attr)) == NULL)
+                goto err2;
+        if (!sk_X509_ATTRIBUTE_push(sk,new_attr))
+                goto err;
+        if ((x != NULL) && (*x == NULL))
+                *x=sk;
+        return(sk);
+err:
+        X509err(X509_F_X509_ADD_ATTR,ERR_R_MALLOC_FAILURE);
+err2:
+        if (new_attr != NULL) X509_ATTRIBUTE_free(new_attr);
+        if (sk != NULL) sk_X509_ATTRIBUTE_free(sk);
+        return(NULL);
+}
+
+STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x,
+                        ASN1_OBJECT *obj, int type,
+                        unsigned char *bytes, int len)
+{
+        X509_ATTRIBUTE *attr;
+        STACK_OF(X509_ATTRIBUTE) *ret;
+        attr = X509_ATTRIBUTE_create_by_OBJ(NULL, obj, type, bytes, len);
+        if(!attr) return 0;
+        ret = X509at_add1_attr(x, attr);
+        X509_ATTRIBUTE_free(attr);
+        return ret;
+}
+
+STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x,
+                        int nid, int type,
+                        unsigned char *bytes, int len)
+{
+        X509_ATTRIBUTE *attr;
+        STACK_OF(X509_ATTRIBUTE) *ret;
+        attr = X509_ATTRIBUTE_create_by_NID(NULL, nid, type, bytes, len);
+        if(!attr) return 0;
+        ret = X509at_add1_attr(x, attr);
+        X509_ATTRIBUTE_free(attr);
+        return ret;
+}
+
+STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x,
+                        char *attrname, int type,
+                        unsigned char *bytes, int len)
+{
+        X509_ATTRIBUTE *attr;
+        STACK_OF(X509_ATTRIBUTE) *ret;
+        attr = X509_ATTRIBUTE_create_by_txt(NULL, attrname, type, bytes, len);
+        if(!attr) return 0;
+        ret = X509at_add1_attr(x, attr);
+        X509_ATTRIBUTE_free(attr);
+        return ret;
+}
+
+X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
+             int atrtype, void *data, int len)
+{
+        ASN1_OBJECT *obj;
+        X509_ATTRIBUTE *ret;
+
+        obj=OBJ_nid2obj(nid);
+        if (obj == NULL)
+                {
+                X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_NID,X509_R_UNKNOWN_NID);
+                return(NULL);
+                }
+        ret=X509_ATTRIBUTE_create_by_OBJ(attr,obj,atrtype,data,len);
+        if (ret == NULL) ASN1_OBJECT_free(obj);
+        return(ret);
+}
+
+X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
+             ASN1_OBJECT *obj, int atrtype, void *data, int len)
+{
+        X509_ATTRIBUTE *ret;
+
+        if ((attr == NULL) || (*attr == NULL))
+                {
+                if ((ret=X509_ATTRIBUTE_new()) == NULL)
+                        {
+                        X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ,ERR_R_MALLOC_FAILURE);
+                        return(NULL);
+                        }
+                }
+        else
+                ret= *attr;
+
+        if (!X509_ATTRIBUTE_set1_object(ret,obj))
+                goto err;
+        if (!X509_ATTRIBUTE_set1_data(ret,atrtype,data,len))
+                goto err;
+        
+        if ((attr != NULL) && (*attr == NULL)) *attr=ret;
+        return(ret);
+err:
+        if ((attr == NULL) || (ret != *attr))
+                X509_ATTRIBUTE_free(ret);
+        return(NULL);
+}
+
+X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
+                char *atrname, int type, unsigned char *bytes, int len)
+        {
+        ASN1_OBJECT *obj;
+        X509_ATTRIBUTE *nattr;
+
+        obj=OBJ_txt2obj(atrname, 0);
+        if (obj == NULL)
+                {
+                X509err(X509_F_X509_ATTRIBUTE_CREATE_BY_TXT,
+                                                X509_R_INVALID_FIELD_NAME);
+                ERR_add_error_data(2, "name=", atrname);
+                return(NULL);
+                }
+        nattr = X509_ATTRIBUTE_create_by_OBJ(attr,obj,type,bytes,len);
+        ASN1_OBJECT_free(obj);
+        return nattr;
+        }
+
+int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, ASN1_OBJECT *obj)
+{
+        if ((attr == NULL) || (obj == NULL))
+                return(0);
+        ASN1_OBJECT_free(attr->object);
+        attr->object=OBJ_dup(obj);
+        return(1);
+}
+
+int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, void *data, int len)
+{
+        ASN1_TYPE *ttmp;
+        ASN1_STRING *stmp;
+        int atype;
+        if (!attr) return 0;
+        if(attrtype & MBSTRING_FLAG) {
+                stmp = ASN1_STRING_set_by_NID(NULL, data, len, attrtype,
+                                                OBJ_obj2nid(attr->object));
+                if(!stmp) {
+                        X509err(X509_F_X509_ATTRIBUTE_SET1_DATA, ERR_R_ASN1_LIB);
+                        return 0;
+                }
+                atype = stmp->type;
+        } else {
+                if(!(stmp = ASN1_STRING_type_new(attrtype))) goto err;
+                if(!ASN1_STRING_set(stmp, data, len)) goto err;
+                atype = attrtype;
+        }
+        if(!(attr->value.set = sk_ASN1_TYPE_new_null())) goto err;
+        if(!(ttmp = ASN1_TYPE_new())) goto err;
+        if(!sk_ASN1_TYPE_push(attr->value.set, ttmp)) goto err;
+        attr->set = 1;
+        ASN1_TYPE_set(ttmp, atype, stmp);
+        return 1;
+        err:
+        X509err(X509_F_X509_ATTRIBUTE_SET1_DATA, ERR_R_MALLOC_FAILURE);
+        return 0;
+}
+
+int X509_ATTRIBUTE_count(X509_ATTRIBUTE *attr)
+{
+        if(attr->set) return sk_ASN1_TYPE_num(attr->value.set);
+        if(attr->value.single) return 1;
+        return 0;
+}
+
+ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr)
+{
+        if (attr == NULL) return(NULL);
+        return(attr->object);
+}
+
+void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx,
+                                        int atrtype, void *data)
+{
+        ASN1_TYPE *ttmp;
+        ttmp = X509_ATTRIBUTE_get0_type(attr, idx);
+        if(!ttmp) return NULL;
+        if(atrtype != ASN1_TYPE_get(ttmp)){
+                X509err(X509_F_X509_ATTRIBUTE_GET0_DATA, X509_R_WRONG_TYPE);
+                return NULL;
+        }
+        return ttmp->value.ptr;
+}
+
+ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx)
+{
+        if (attr == NULL) return(NULL);
+        if(idx >= X509_ATTRIBUTE_count(attr)) return NULL;
+        if(attr->set) return sk_ASN1_TYPE_value(attr->value.set, idx);
+        else return attr->value.single;
+}
diff --git a/src/lib/libssl/src/crypto/x509/x509_trs.c b/src/lib/libssl/src/crypto/x509/x509_trs.c
new file mode 100644
index 0000000000..9f7d67952d
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509/x509_trs.c
@@ -0,0 +1,263 @@
+/* x509_trs.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/x509v3.h>
+
+
+static int tr_cmp(X509_TRUST **a, X509_TRUST **b);
+static void trtable_free(X509_TRUST *p);
+
+static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags);
+static int trust_any(X509_TRUST *trust, X509 *x, int flags);
+
+static int obj_trust(int id, X509 *x, int flags);
+static int (*default_trust)(int id, X509 *x, int flags) = obj_trust;
+
+/* WARNING: the following table should be kept in order of trust
+ * and without any gaps so we can just subtract the minimum trust
+ * value to get an index into the table
+ */
+
+static X509_TRUST trstandard[] = {
+{X509_TRUST_ANY, 0, trust_any, "Any", 0, NULL},
+{X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL},
+{X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Client", NID_server_auth, NULL},
+{X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL},
+};
+
+#define X509_TRUST_COUNT        (sizeof(trstandard)/sizeof(X509_TRUST))
+
+IMPLEMENT_STACK_OF(X509_TRUST)
+
+static STACK_OF(X509_TRUST) *trtable = NULL;
+
+static int tr_cmp(X509_TRUST **a, X509_TRUST **b)
+{
+        return (*a)->trust - (*b)->trust;
+}
+
+int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int)
+{
+int (*oldtrust)(int , X509 *, int);
+oldtrust = default_trust;
+default_trust = trust;
+return oldtrust;
+}
+
+
+int X509_check_trust(X509 *x, int id, int flags)
+{
+        X509_TRUST *pt;
+        int idx;
+        if(id == -1) return 1;
+        if(!(idx = X509_TRUST_get_by_id(id)))
+                        return default_trust(id, x, flags);
+        pt = X509_TRUST_get0(idx);
+        return pt->check_trust(pt, x, flags);
+}
+
+int X509_TRUST_get_count(void)
+{
+        if(!trtable) return X509_TRUST_COUNT;
+        return sk_X509_TRUST_num(trtable) + X509_TRUST_COUNT;
+}
+
+X509_TRUST * X509_TRUST_get0(int idx)
+{
+        if(idx < 0) return NULL;
+        if(idx < X509_TRUST_COUNT) return trstandard + idx;
+        return sk_X509_TRUST_value(trtable, idx - X509_TRUST_COUNT);
+}
+
+int X509_TRUST_get_by_id(int id)
+{
+        X509_TRUST tmp;
+        int idx;
+        if((id >= X509_TRUST_MIN) && (id <= X509_TRUST_MAX))
+                                 return id - X509_TRUST_MIN;
+        tmp.trust = id;
+        if(!trtable) return -1;
+        idx = sk_X509_TRUST_find(trtable, &tmp);
+        if(idx == -1) return -1;
+        return idx + X509_TRUST_COUNT;
+}
+
+int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
+                                        char *name, int arg1, void *arg2)
+{
+        int idx;
+        X509_TRUST *trtmp;
+        /* This is set according to what we change: application can't set it */
+        flags &= ~X509_TRUST_DYNAMIC;
+        /* This will always be set for application modified trust entries */
+        flags |= X509_TRUST_DYNAMIC_NAME;
+        /* Get existing entry if any */
+        idx = X509_TRUST_get_by_id(id);
+        /* Need a new entry */
+        if(idx == -1) {
+                if(!(trtmp = Malloc(sizeof(X509_TRUST)))) {
+                        X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+                trtmp->flags = X509_TRUST_DYNAMIC;
+        } else trtmp = X509_TRUST_get0(idx);
+
+        /* Free existing name if dynamic */
+        if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) Free(trtmp->name);
+        /* dup supplied name */
+        if(!(trtmp->name = BUF_strdup(name))) {
+                X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        /* Keep the dynamic flag of existing entry */
+        trtmp->flags &= X509_TRUST_DYNAMIC;
+        /* Set all other flags */
+        trtmp->flags |= flags;
+
+        trtmp->trust = id;
+        trtmp->check_trust = ck;
+        trtmp->arg1 = arg1;
+        trtmp->arg2 = arg2;
+
+        /* If its a new entry manage the dynamic table */
+        if(idx == -1) {
+                if(!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) {
+                        X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+                if (!sk_X509_TRUST_push(trtable, trtmp)) {
+                        X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+        }
+        return 1;
+}
+
+static void trtable_free(X509_TRUST *p)
+        {
+        if(!p) return;
+        if (p->flags & X509_TRUST_DYNAMIC) 
+                {
+                if (p->flags & X509_TRUST_DYNAMIC_NAME)
+                        Free(p->name);
+                Free(p);
+                }
+        }
+
+void X509_TRUST_cleanup(void)
+{
+        int i;
+        for(i = 0; i < X509_TRUST_COUNT; i++) trtable_free(trstandard + i);
+        sk_X509_TRUST_pop_free(trtable, trtable_free);
+        trtable = NULL;
+}
+
+int X509_TRUST_get_flags(X509_TRUST *xp)
+{
+        return xp->flags;
+}
+
+char *X509_TRUST_get0_name(X509_TRUST *xp)
+{
+        return xp->name;
+}
+
+int X509_TRUST_get_trust(X509_TRUST *xp)
+{
+        return xp->trust;
+}
+
+static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags)
+{
+        if(x->aux) return obj_trust(trust->arg1, x, flags);
+        /* we don't have any trust settings: for compatibility
+         * we return trusted if it is self signed
+         */
+        X509_check_purpose(x, -1, 0);
+        if(x->ex_flags & EXFLAG_SS) return X509_TRUST_TRUSTED;
+        else return X509_TRUST_UNTRUSTED;
+}
+
+static int obj_trust(int id, X509 *x, int flags)
+{
+        ASN1_OBJECT *obj;
+        int i;
+        X509_CERT_AUX *ax;
+        ax = x->aux;
+        if(!ax) return X509_TRUST_UNTRUSTED;
+        if(ax->reject) {
+                for(i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {
+                        obj = sk_ASN1_OBJECT_value(ax->reject, i);
+                        if(OBJ_obj2nid(obj) == id) return X509_TRUST_REJECTED;
+                }
+        }       
+        if(ax->trust) {
+                for(i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
+                        obj = sk_ASN1_OBJECT_value(ax->trust, i);
+                        if(OBJ_obj2nid(obj) == id) return X509_TRUST_TRUSTED;
+                }
+        }
+        return X509_TRUST_UNTRUSTED;
+}
+
+static int trust_any(X509_TRUST *trust, X509 *x, int flags)
+{
+        return X509_TRUST_TRUSTED;
+}
diff --git a/src/lib/libssl/src/crypto/x509/x509cset.c b/src/lib/libssl/src/crypto/x509/x509cset.c
new file mode 100644
index 0000000000..6cac440ea9
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509/x509cset.c
@@ -0,0 +1,169 @@
+/* crypto/x509/x509cset.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+
+int X509_CRL_set_version(X509_CRL *x, long version)
+        {
+        if (x == NULL) return(0);
+        if (x->crl->version == NULL)
+                {
+                if ((x->crl->version=M_ASN1_INTEGER_new()) == NULL)
+                        return(0);
+                }
+        return(ASN1_INTEGER_set(x->crl->version,version));
+        }
+
+int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name)
+        {
+        if ((x == NULL) || (x->crl == NULL)) return(0);
+        return(X509_NAME_set(&x->crl->issuer,name));
+        }
+
+
+int X509_CRL_set_lastUpdate(X509_CRL *x, ASN1_TIME *tm)
+        {
+        ASN1_TIME *in;
+
+        if (x == NULL) return(0);
+        in=x->crl->lastUpdate;
+        if (in != tm)
+                {
+                in=M_ASN1_TIME_dup(tm);
+                if (in != NULL)
+                        {
+                        M_ASN1_TIME_free(x->crl->lastUpdate);
+                        x->crl->lastUpdate=in;
+                        }
+                }
+        return(in != NULL);
+        }
+
+int X509_CRL_set_nextUpdate(X509_CRL *x, ASN1_TIME *tm)
+        {
+        ASN1_TIME *in;
+
+        if (x == NULL) return(0);
+        in=x->crl->nextUpdate;
+        if (in != tm)
+                {
+                in=M_ASN1_TIME_dup(tm);
+                if (in != NULL)
+                        {
+                        M_ASN1_TIME_free(x->crl->nextUpdate);
+                        x->crl->nextUpdate=in;
+                        }
+                }
+        return(in != NULL);
+        }
+
+int X509_CRL_sort(X509_CRL *c)
+        {
+        int i;
+        X509_REVOKED *r;
+        /* sort the data so it will be written in serial
+         * number order */
+        sk_X509_REVOKED_sort(c->crl->revoked);
+        for (i=0; i<sk_X509_REVOKED_num(c->crl->revoked); i++)
+                {
+                r=sk_X509_REVOKED_value(c->crl->revoked,i);
+                r->sequence=i;
+                }
+        return 1;
+        }
+
+int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm)
+        {
+        ASN1_TIME *in;
+
+        if (x == NULL) return(0);
+        in=x->revocationDate;
+        if (in != tm)
+                {
+                in=M_ASN1_TIME_dup(tm);
+                if (in != NULL)
+                        {
+                        M_ASN1_TIME_free(x->revocationDate);
+                        x->revocationDate=in;
+                        }
+                }
+        return(in != NULL);
+        }
+
+int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial)
+        {
+        ASN1_INTEGER *in;
+
+        if (x == NULL) return(0);
+        in=x->serialNumber;
+        if (in != serial)
+                {
+                in=M_ASN1_INTEGER_dup(serial);
+                if (in != NULL)
+                        {
+                        M_ASN1_INTEGER_free(x->serialNumber);
+                        x->serialNumber=in;
+                        }
+                }
+        return(in != NULL);
+        }
diff --git a/src/lib/libssl/src/crypto/x509/x509spki.c b/src/lib/libssl/src/crypto/x509/x509spki.c
new file mode 100644
index 0000000000..b35c3f92e7
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509/x509spki.c
@@ -0,0 +1,121 @@
+/* x509spki.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/x509.h>
+#include <openssl/asn1_mac.h>
+
+int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey)
+{
+        if ((x == NULL) || (x->spkac == NULL)) return(0);
+        return(X509_PUBKEY_set(&(x->spkac->pubkey),pkey));
+}
+
+EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *x)
+{
+        if ((x == NULL) || (x->spkac == NULL))
+                return(NULL);
+        return(X509_PUBKEY_get(x->spkac->pubkey));
+}
+
+/* Load a Netscape SPKI from a base64 encoded string */
+
+NETSCAPE_SPKI * NETSCAPE_SPKI_b64_decode(const char *str, int len)
+{
+        unsigned char *spki_der, *p;
+        int spki_len;
+        NETSCAPE_SPKI *spki;
+        if(len <= 0) len = strlen(str);
+        if (!(spki_der = Malloc(len + 1))) {
+                X509err(X509_F_NETSCAPE_SPKI_B64_DECODE, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        spki_len = EVP_DecodeBlock(spki_der, (const unsigned char *)str, len);
+        if(spki_len < 0) {
+                X509err(X509_F_NETSCAPE_SPKI_B64_DECODE,
+                                                X509_R_BASE64_DECODE_ERROR);
+                Free(spki_der);
+                return NULL;
+        }
+        p = spki_der;
+        spki = d2i_NETSCAPE_SPKI(NULL, &p, spki_len);
+        Free(spki_der);
+        return spki;
+}
+
+/* Generate a base64 encoded string from an SPKI */
+
+char * NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki)
+{
+        unsigned char *der_spki, *p;
+        char *b64_str;
+        int der_len;
+        der_len = i2d_NETSCAPE_SPKI(spki, NULL);
+        der_spki = Malloc(der_len);
+        b64_str = Malloc(der_len * 2);
+        if(!der_spki || !b64_str) {
+                X509err(X509_F_NETSCAPE_SPKI_B64_ENCODE, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        p = der_spki;
+        i2d_NETSCAPE_SPKI(spki, &p);
+        EVP_EncodeBlock((unsigned char *)b64_str, der_spki, der_len);
+        Free(der_spki);
+        return b64_str;
+}
diff --git a/src/lib/libssl/src/crypto/x509v3/ext_dat.h b/src/lib/libssl/src/crypto/x509v3/ext_dat.h
new file mode 100644
index 0000000000..801a585a52
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509v3/ext_dat.h
@@ -0,0 +1,97 @@
+/* ext_dat.h */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* This file contains a table of "standard" extensions */
+
+extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
+extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info;
+extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
+extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_cpols, v3_crld;
+
+/* This table will be searched using OBJ_bsearch so it *must* kept in
+ * order of the ext_nid values.
+ */
+
+static X509V3_EXT_METHOD *standard_exts[] = {
+&v3_nscert,
+&v3_ns_ia5_list[0],
+&v3_ns_ia5_list[1],
+&v3_ns_ia5_list[2],
+&v3_ns_ia5_list[3],
+&v3_ns_ia5_list[4],
+&v3_ns_ia5_list[5],
+&v3_ns_ia5_list[6],
+&v3_skey_id,
+&v3_key_usage,
+&v3_pkey_usage_period,
+&v3_alt[0],
+&v3_alt[1],
+&v3_bcons,
+&v3_crl_num,
+&v3_cpols,
+&v3_akey_id,
+&v3_crld,
+&v3_ext_ku,
+&v3_crl_reason,
+&v3_sxnet,
+&v3_info,
+};
+
+/* Number of standard extensions */
+
+#define STANDARD_EXTENSION_COUNT (sizeof(standard_exts)/sizeof(X509V3_EXT_METHOD *))
+
diff --git a/src/lib/libssl/src/crypto/x509v3/tabtest.c b/src/lib/libssl/src/crypto/x509v3/tabtest.c
new file mode 100644
index 0000000000..dad0d38dd5
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509v3/tabtest.c
@@ -0,0 +1,88 @@
+/* tabtest.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* Simple program to check the ext_dat.h is correct and print out
+ * problems if it is not.
+ */
+
+#include <stdio.h>
+
+#include <openssl/x509v3.h>
+
+#include "ext_dat.h"
+
+main()
+{
+        int i, prev = -1, bad = 0;
+        X509V3_EXT_METHOD **tmp;
+        i = sizeof(standard_exts) / sizeof(X509V3_EXT_METHOD *);
+        if(i != STANDARD_EXTENSION_COUNT)
+                fprintf(stderr, "Extension number invalid expecting %d\n", i);
+        tmp = standard_exts;
+        for(i = 0; i < STANDARD_EXTENSION_COUNT; i++, tmp++) {
+                if((*tmp)->ext_nid < prev) bad = 1;
+                prev = (*tmp)->ext_nid;
+                
+        }
+        if(bad) {
+                tmp = standard_exts;
+                fprintf(stderr, "Extensions out of order!\n");
+                for(i = 0; i < STANDARD_EXTENSION_COUNT; i++, tmp++)
+                printf("%d : %s\n", (*tmp)->ext_nid, OBJ_nid2sn((*tmp)->ext_nid));
+        } else fprintf(stderr, "Order OK\n");
+}
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_akey.c b/src/lib/libssl/src/crypto/x509v3/v3_akey.c
new file mode 100644
index 0000000000..4099e6019e
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509v3/v3_akey.c
@@ -0,0 +1,249 @@
+/* v3_akey.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509v3.h>
+
+static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
+                        AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist);
+static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
+                        X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
+
+X509V3_EXT_METHOD v3_akey_id = {
+NID_authority_key_identifier, X509V3_EXT_MULTILINE,
+(X509V3_EXT_NEW)AUTHORITY_KEYID_new,
+(X509V3_EXT_FREE)AUTHORITY_KEYID_free,
+(X509V3_EXT_D2I)d2i_AUTHORITY_KEYID,
+(X509V3_EXT_I2D)i2d_AUTHORITY_KEYID,
+NULL, NULL,
+(X509V3_EXT_I2V)i2v_AUTHORITY_KEYID,
+(X509V3_EXT_V2I)v2i_AUTHORITY_KEYID,
+NULL,NULL,
+NULL
+};
+
+
+int i2d_AUTHORITY_KEYID(AUTHORITY_KEYID *a, unsigned char **pp)
+{
+        M_ASN1_I2D_vars(a);
+
+        M_ASN1_I2D_len_IMP_opt (a->keyid, i2d_ASN1_OCTET_STRING);
+        M_ASN1_I2D_len_IMP_opt (a->issuer, i2d_GENERAL_NAMES);
+        M_ASN1_I2D_len_IMP_opt (a->serial, i2d_ASN1_INTEGER);
+
+        M_ASN1_I2D_seq_total();
+
+        M_ASN1_I2D_put_IMP_opt (a->keyid, i2d_ASN1_OCTET_STRING, 0);
+        M_ASN1_I2D_put_IMP_opt (a->issuer, i2d_GENERAL_NAMES, 1);
+        M_ASN1_I2D_put_IMP_opt (a->serial, i2d_ASN1_INTEGER, 2);
+
+        M_ASN1_I2D_finish();
+}
+
+AUTHORITY_KEYID *AUTHORITY_KEYID_new(void)
+{
+        AUTHORITY_KEYID *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, AUTHORITY_KEYID);
+        ret->keyid = NULL;
+        ret->issuer = NULL;
+        ret->serial = NULL;
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_AUTHORITY_KEYID_NEW);
+}
+
+AUTHORITY_KEYID *d2i_AUTHORITY_KEYID(AUTHORITY_KEYID **a, unsigned char **pp,
+             long length)
+{
+        M_ASN1_D2I_vars(a,AUTHORITY_KEYID *,AUTHORITY_KEYID_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get_IMP_opt (ret->keyid, d2i_ASN1_OCTET_STRING, 0,
+                                                        V_ASN1_OCTET_STRING);
+        M_ASN1_D2I_get_IMP_opt (ret->issuer, d2i_GENERAL_NAMES, 1,
+                                                        V_ASN1_SEQUENCE);
+        M_ASN1_D2I_get_IMP_opt (ret->serial, d2i_ASN1_INTEGER, 2,
+                                                        V_ASN1_INTEGER);
+        M_ASN1_D2I_Finish(a, AUTHORITY_KEYID_free, ASN1_F_D2I_AUTHORITY_KEYID);
+}
+
+void AUTHORITY_KEYID_free(AUTHORITY_KEYID *a)
+{
+        if (a == NULL) return;
+        ASN1_OCTET_STRING_free(a->keyid);
+        sk_GENERAL_NAME_pop_free(a->issuer, GENERAL_NAME_free);
+        ASN1_INTEGER_free (a->serial);
+        Free ((char *)a);
+}
+
+static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
+             AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist)
+{
+        char *tmp;
+        if(akeyid->keyid) {
+                tmp = hex_to_string(akeyid->keyid->data, akeyid->keyid->length);
+                X509V3_add_value("keyid", tmp, &extlist);
+                Free(tmp);
+        }
+        if(akeyid->issuer) 
+                extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);
+        if(akeyid->serial) {
+                tmp = hex_to_string(akeyid->serial->data,
+                                                 akeyid->serial->length);
+                X509V3_add_value("serial", tmp, &extlist);
+                Free(tmp);
+        }
+        return extlist;
+}
+
+/* Currently two options:
+ * keyid: use the issuers subject keyid, the value 'always' means its is
+ * an error if the issuer certificate doesn't have a key id.
+ * issuer: use the issuers cert issuer and serial number. The default is
+ * to only use this if keyid is not present. With the option 'always'
+ * this is always included.
+ */
+
+static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
+             X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values)
+{
+char keyid=0, issuer=0;
+int i;
+CONF_VALUE *cnf;
+ASN1_OCTET_STRING *ikeyid = NULL;
+X509_NAME *isname = NULL;
+STACK_OF(GENERAL_NAME) * gens = NULL;
+GENERAL_NAME *gen = NULL;
+ASN1_INTEGER *serial = NULL;
+X509_EXTENSION *ext;
+X509 *cert;
+AUTHORITY_KEYID *akeyid;
+for(i = 0; i < sk_CONF_VALUE_num(values); i++) {
+        cnf = sk_CONF_VALUE_value(values, i);
+        if(!strcmp(cnf->name, "keyid")) {
+                keyid = 1;
+                if(cnf->value && !strcmp(cnf->value, "always")) keyid = 2;
+        } else if(!strcmp(cnf->name, "issuer")) {
+                issuer = 1;
+                if(cnf->value && !strcmp(cnf->value, "always")) issuer = 2;
+        } else {
+                X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNKNOWN_OPTION);
+                ERR_add_error_data(2, "name=", cnf->name);
+                return NULL;
+        }
+}
+
+
+
+if(!ctx || !ctx->issuer_cert) {
+        if(ctx && (ctx->flags==CTX_TEST)) return AUTHORITY_KEYID_new();
+        X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_NO_ISSUER_CERTIFICATE);
+        return NULL;
+}
+
+cert = ctx->issuer_cert;
+
+if(keyid) {
+        i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
+        if((i >= 0)  && (ext = X509_get_ext(cert, i)))
+                                                 ikeyid = X509V3_EXT_d2i(ext);
+        if(keyid==2 && !ikeyid) {
+                X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);
+                return NULL;
+        }
+}
+
+if((issuer && !ikeyid) || (issuer == 2)) {
+        isname = X509_NAME_dup(X509_get_issuer_name(cert));
+        serial = ASN1_INTEGER_dup(X509_get_serialNumber(cert));
+        if(!isname || !serial) {
+                X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
+                goto err;
+        }
+}
+
+if(!(akeyid = AUTHORITY_KEYID_new())) goto err;
+
+if(isname) {
+        if(!(gens = sk_GENERAL_NAME_new(NULL)) || !(gen = GENERAL_NAME_new())
+                || !sk_GENERAL_NAME_push(gens, gen)) {
+                X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,ERR_R_MALLOC_FAILURE);
+                goto err;
+        }
+        gen->type = GEN_DIRNAME;
+        gen->d.dirn = isname;
+}
+
+akeyid->issuer = gens;
+akeyid->serial = serial;
+akeyid->keyid = ikeyid;
+
+return akeyid;
+
+err:
+X509_NAME_free(isname);
+ASN1_INTEGER_free(serial);
+ASN1_OCTET_STRING_free(ikeyid);
+return NULL;
+
+}
+
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_akeya.c b/src/lib/libssl/src/crypto/x509v3/v3_akeya.c
new file mode 100644
index 0000000000..2aafa26ba7
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509v3/v3_akeya.c
@@ -0,0 +1,72 @@
+/* v3_akey_asn1.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/x509v3.h>
+
+ASN1_SEQUENCE(AUTHORITY_KEYID) = {
+        ASN1_IMP_OPT(AUTHORITY_KEYID, keyid, ASN1_OCTET_STRING, 0),
+        ASN1_IMP_SEQUENCE_OF_OPT(AUTHORITY_KEYID, issuer, GENERAL_NAME, 1),
+        ASN1_IMP_OPT(AUTHORITY_KEYID, serial, ASN1_INTEGER, 2)
+} ASN1_SEQUENCE_END(AUTHORITY_KEYID)
+
+IMPLEMENT_ASN1_FUNCTIONS(AUTHORITY_KEYID)
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_alt.c b/src/lib/libssl/src/crypto/x509v3/v3_alt.c
new file mode 100644
index 0000000000..b5e1f8af96
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509v3/v3_alt.c
@@ -0,0 +1,402 @@
+/* v3_alt.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static STACK_OF(GENERAL_NAME) *v2i_subject_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static STACK_OF(GENERAL_NAME) *v2i_issuer_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static int copy_email(X509V3_CTX *ctx, STACK_OF(GENERAL_NAME) *gens);
+static int copy_issuer(X509V3_CTX *ctx, STACK_OF(GENERAL_NAME) *gens);
+X509V3_EXT_METHOD v3_alt[] = {
+{ NID_subject_alt_name, 0,
+(X509V3_EXT_NEW)GENERAL_NAMES_new,
+(X509V3_EXT_FREE)GENERAL_NAMES_free,
+(X509V3_EXT_D2I)d2i_GENERAL_NAMES,
+(X509V3_EXT_I2D)i2d_GENERAL_NAMES,
+NULL, NULL,
+(X509V3_EXT_I2V)i2v_GENERAL_NAMES,
+(X509V3_EXT_V2I)v2i_subject_alt,
+NULL, NULL, NULL},
+{ NID_issuer_alt_name, 0,
+(X509V3_EXT_NEW)GENERAL_NAMES_new,
+(X509V3_EXT_FREE)GENERAL_NAMES_free,
+(X509V3_EXT_D2I)d2i_GENERAL_NAMES,
+(X509V3_EXT_I2D)i2d_GENERAL_NAMES,
+NULL, NULL,
+(X509V3_EXT_I2V)i2v_GENERAL_NAMES,
+(X509V3_EXT_V2I)v2i_issuer_alt,
+NULL, NULL, NULL},
+EXT_END
+};
+
+STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
+                STACK_OF(GENERAL_NAME) *gens, STACK_OF(CONF_VALUE) *ret)
+{
+        int i;
+        GENERAL_NAME *gen;
+        for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
+                gen = sk_GENERAL_NAME_value(gens, i);
+                ret = i2v_GENERAL_NAME(method, gen, ret);
+        }
+        if(!ret) return sk_CONF_VALUE_new_null();
+        return ret;
+}
+
+STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
+                                GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret)
+{
+        char oline[256];
+        unsigned char *p;
+        switch (gen->type)
+        {
+                case GEN_OTHERNAME:
+                X509V3_add_value("othername","<unsupported>", &ret);
+                break;
+
+                case GEN_X400:
+                X509V3_add_value("X400Name","<unsupported>", &ret);
+                break;
+
+                case GEN_EDIPARTY:
+                X509V3_add_value("EdiPartyName","<unsupported>", &ret);
+                break;
+
+                case GEN_EMAIL:
+                X509V3_add_value_uchar("email",gen->d.ia5->data, &ret);
+                break;
+
+                case GEN_DNS:
+                X509V3_add_value_uchar("DNS",gen->d.ia5->data, &ret);
+                break;
+
+                case GEN_URI:
+                X509V3_add_value_uchar("URI",gen->d.ia5->data, &ret);
+                break;
+
+                case GEN_DIRNAME:
+                X509_NAME_oneline(gen->d.dirn, oline, 256);
+                X509V3_add_value("DirName",oline, &ret);
+                break;
+
+                case GEN_IPADD:
+                p = gen->d.ip->data;
+                /* BUG: doesn't support IPV6 */
+                if(gen->d.ip->length != 4) {
+                        X509V3_add_value("IP Address","<invalid>", &ret);
+                        break;
+                }
+                sprintf(oline, "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
+                X509V3_add_value("IP Address",oline, &ret);
+                break;
+
+                case GEN_RID:
+                i2t_ASN1_OBJECT(oline, 256, gen->d.rid);
+                X509V3_add_value("Registered ID",oline, &ret);
+                break;
+        }
+        return ret;
+}
+
+static STACK_OF(GENERAL_NAME) *v2i_issuer_alt(X509V3_EXT_METHOD *method,
+                                 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+{
+        STACK_OF(GENERAL_NAME) *gens = NULL;
+        CONF_VALUE *cnf;
+        int i;
+        if(!(gens = sk_GENERAL_NAME_new(NULL))) {
+                X509V3err(X509V3_F_V2I_GENERAL_NAMES,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+                cnf = sk_CONF_VALUE_value(nval, i);
+                if(!name_cmp(cnf->name, "issuer") && cnf->value &&
+                                                !strcmp(cnf->value, "copy")) {
+                        if(!copy_issuer(ctx, gens)) goto err;
+                } else {
+                        GENERAL_NAME *gen;
+                        if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
+                                                                 goto err; 
+                        sk_GENERAL_NAME_push(gens, gen);
+                }
+        }
+        return gens;
+        err:
+        sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
+        return NULL;
+}
+
+/* Append subject altname of issuer to issuer alt name of subject */
+
+static int copy_issuer(X509V3_CTX *ctx, STACK_OF(GENERAL_NAME) *gens)
+{
+        STACK_OF(GENERAL_NAME) *ialt;
+        GENERAL_NAME *gen;
+        X509_EXTENSION *ext;
+        int i;
+        if(ctx && (ctx->flags == CTX_TEST)) return 1;
+        if(!ctx || !ctx->issuer_cert) {
+                X509V3err(X509V3_F_COPY_ISSUER,X509V3_R_NO_ISSUER_DETAILS);
+                goto err;
+        }
+        i = X509_get_ext_by_NID(ctx->issuer_cert, NID_subject_alt_name, -1);
+        if(i < 0) return 1;
+        if(!(ext = X509_get_ext(ctx->issuer_cert, i)) ||
+                        !(ialt = X509V3_EXT_d2i(ext)) ) {
+                X509V3err(X509V3_F_COPY_ISSUER,X509V3_R_ISSUER_DECODE_ERROR);
+                goto err;
+        }
+
+        for(i = 0; i < sk_GENERAL_NAME_num(ialt); i++) {
+                gen = sk_GENERAL_NAME_value(ialt, i);
+                if(!sk_GENERAL_NAME_push(gens, gen)) {
+                        X509V3err(X509V3_F_COPY_ISSUER,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
+        }
+        sk_GENERAL_NAME_free(ialt);
+
+        return 1;
+                
+        err:
+        return 0;
+        
+}
+
+static STACK_OF(GENERAL_NAME) *v2i_subject_alt(X509V3_EXT_METHOD *method,
+                                 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+{
+        STACK_OF(GENERAL_NAME) *gens = NULL;
+        CONF_VALUE *cnf;
+        int i;
+        if(!(gens = sk_GENERAL_NAME_new(NULL))) {
+                X509V3err(X509V3_F_V2I_GENERAL_NAMES,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+                cnf = sk_CONF_VALUE_value(nval, i);
+                if(!name_cmp(cnf->name, "email") && cnf->value &&
+                                                !strcmp(cnf->value, "copy")) {
+                        if(!copy_email(ctx, gens)) goto err;
+                } else {
+                        GENERAL_NAME *gen;
+                        if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
+                                                                 goto err; 
+                        sk_GENERAL_NAME_push(gens, gen);
+                }
+        }
+        return gens;
+        err:
+        sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
+        return NULL;
+}
+
+/* Copy any email addresses in a certificate or request to 
+ * GENERAL_NAMES
+ */
+
+static int copy_email(X509V3_CTX *ctx, STACK_OF(GENERAL_NAME) *gens)
+{
+        X509_NAME *nm;
+        ASN1_IA5STRING *email = NULL;
+        X509_NAME_ENTRY *ne;
+        GENERAL_NAME *gen = NULL;
+        int i;
+        if(ctx->flags == CTX_TEST) return 1;
+        if(!ctx || (!ctx->subject_cert && !ctx->subject_req)) {
+                X509V3err(X509V3_F_COPY_EMAIL,X509V3_R_NO_SUBJECT_DETAILS);
+                goto err;
+        }
+        /* Find the subject name */
+        if(ctx->subject_cert) nm = X509_get_subject_name(ctx->subject_cert);
+        else nm = X509_REQ_get_subject_name(ctx->subject_req);
+
+        /* Now add any email address(es) to STACK */
+        i = -1;
+        while((i = X509_NAME_get_index_by_NID(nm,
+                                         NID_pkcs9_emailAddress, i)) > 0) {
+                ne = X509_NAME_get_entry(nm, i);
+                email = ASN1_IA5STRING_dup(X509_NAME_ENTRY_get_data(ne));
+                if(!email || !(gen = GENERAL_NAME_new())) {
+                        X509V3err(X509V3_F_COPY_EMAIL,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
+                gen->d.ia5 = email;
+                email = NULL;
+                gen->type = GEN_EMAIL;
+                if(!sk_GENERAL_NAME_push(gens, gen)) {
+                        X509V3err(X509V3_F_COPY_EMAIL,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
+                gen = NULL;
+        }
+
+        
+        return 1;
+                
+        err:
+        GENERAL_NAME_free(gen);
+        ASN1_IA5STRING_free(email);
+        return 0;
+        
+}
+
+STACK_OF(GENERAL_NAME) *v2i_GENERAL_NAMES(X509V3_EXT_METHOD *method,
+                                X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+{
+        GENERAL_NAME *gen;
+        STACK_OF(GENERAL_NAME) *gens = NULL;
+        CONF_VALUE *cnf;
+        int i;
+        if(!(gens = sk_GENERAL_NAME_new(NULL))) {
+                X509V3err(X509V3_F_V2I_GENERAL_NAMES,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+                cnf = sk_CONF_VALUE_value(nval, i);
+                if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) goto err; 
+                sk_GENERAL_NAME_push(gens, gen);
+        }
+        return gens;
+        err:
+        sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
+        return NULL;
+}
+
+GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+                                                         CONF_VALUE *cnf)
+{
+char is_string = 0;
+int type;
+GENERAL_NAME *gen = NULL;
+
+char *name, *value;
+
+name = cnf->name;
+value = cnf->value;
+
+if(!value) {
+        X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_MISSING_VALUE);
+        return NULL;
+}
+
+if(!(gen = GENERAL_NAME_new())) {
+        X509V3err(X509V3_F_V2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
+        return NULL;
+}
+
+if(!name_cmp(name, "email")) {
+        is_string = 1;
+        type = GEN_EMAIL;
+} else if(!name_cmp(name, "URI")) {
+        is_string = 1;
+        type = GEN_URI;
+} else if(!name_cmp(name, "DNS")) {
+        is_string = 1;
+        type = GEN_DNS;
+} else if(!name_cmp(name, "RID")) {
+        ASN1_OBJECT *obj;
+        if(!(obj = OBJ_txt2obj(value,0))) {
+                X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_BAD_OBJECT);
+                ERR_add_error_data(2, "value=", value);
+                goto err;
+        }
+        gen->d.rid = obj;
+        type = GEN_RID;
+} else if(!name_cmp(name, "IP")) {
+        int i1,i2,i3,i4;
+        unsigned char ip[4];
+        if((sscanf(value, "%d.%d.%d.%d",&i1,&i2,&i3,&i4) != 4) ||
+            (i1 < 0) || (i1 > 255) || (i2 < 0) || (i2 > 255) ||
+            (i3 < 0) || (i3 > 255) || (i4 < 0) || (i4 > 255) ) {
+                X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_BAD_IP_ADDRESS);
+                ERR_add_error_data(2, "value=", value);
+                goto err;
+        }
+        ip[0] = i1; ip[1] = i2 ; ip[2] = i3 ; ip[3] = i4;
+        if(!(gen->d.ip = ASN1_OCTET_STRING_new()) ||
+                !ASN1_STRING_set(gen->d.ip, ip, 4)) {
+                        X509V3err(X509V3_F_V2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
+                        goto err;
+        }
+        type = GEN_IPADD;
+} else {
+        X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_UNSUPPORTED_OPTION);
+        ERR_add_error_data(2, "name=", name);
+        goto err;
+}
+
+if(is_string) {
+        if(!(gen->d.ia5 = ASN1_IA5STRING_new()) ||
+                      !ASN1_STRING_set(gen->d.ia5, (unsigned char*)value,
+                                       strlen(value))) {
+                X509V3err(X509V3_F_V2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
+                goto err;
+        }
+}
+
+gen->type = type;
+
+return gen;
+
+err:
+GENERAL_NAME_free(gen);
+return NULL;
+}
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_bcons.c b/src/lib/libssl/src/crypto/x509v3/v3_bcons.c
new file mode 100644
index 0000000000..de2f855c35
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509v3/v3_bcons.c
@@ -0,0 +1,164 @@
+/* v3_bcons.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, BASIC_CONSTRAINTS *bcons, STACK_OF(CONF_VALUE) *extlist);
+static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
+
+X509V3_EXT_METHOD v3_bcons = {
+NID_basic_constraints, 0,
+(X509V3_EXT_NEW)BASIC_CONSTRAINTS_new,
+(X509V3_EXT_FREE)BASIC_CONSTRAINTS_free,
+(X509V3_EXT_D2I)d2i_BASIC_CONSTRAINTS,
+(X509V3_EXT_I2D)i2d_BASIC_CONSTRAINTS,
+NULL, NULL,
+(X509V3_EXT_I2V)i2v_BASIC_CONSTRAINTS,
+(X509V3_EXT_V2I)v2i_BASIC_CONSTRAINTS,
+NULL,NULL,
+NULL
+};
+
+
+int i2d_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS *a, unsigned char **pp)
+{
+        M_ASN1_I2D_vars(a);
+        if(a->ca) M_ASN1_I2D_len (a->ca, i2d_ASN1_BOOLEAN);
+        M_ASN1_I2D_len (a->pathlen, i2d_ASN1_INTEGER);
+
+        M_ASN1_I2D_seq_total();
+
+        if (a->ca) M_ASN1_I2D_put (a->ca, i2d_ASN1_BOOLEAN);
+        M_ASN1_I2D_put (a->pathlen, i2d_ASN1_INTEGER);
+        M_ASN1_I2D_finish();
+}
+
+BASIC_CONSTRAINTS *BASIC_CONSTRAINTS_new(void)
+{
+        BASIC_CONSTRAINTS *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, BASIC_CONSTRAINTS);
+        ret->ca = 0;
+        ret->pathlen = NULL;
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_BASIC_CONSTRAINTS_NEW);
+}
+
+BASIC_CONSTRAINTS *d2i_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS **a,
+             unsigned char **pp, long length)
+{
+        M_ASN1_D2I_vars(a,BASIC_CONSTRAINTS *,BASIC_CONSTRAINTS_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        if((M_ASN1_next & (~V_ASN1_CONSTRUCTED)) ==
+                 (V_ASN1_UNIVERSAL|V_ASN1_BOOLEAN) ) {
+                        M_ASN1_D2I_get_int (ret->ca, d2i_ASN1_BOOLEAN);
+        }
+        M_ASN1_D2I_get_opt (ret->pathlen, d2i_ASN1_INTEGER, V_ASN1_INTEGER);
+        M_ASN1_D2I_Finish(a, BASIC_CONSTRAINTS_free, ASN1_F_D2I_BASIC_CONSTRAINTS);
+}
+
+void BASIC_CONSTRAINTS_free(BASIC_CONSTRAINTS *a)
+{
+        if (a == NULL) return;
+        ASN1_INTEGER_free (a->pathlen);
+        Free ((char *)a);
+}
+
+static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
+             BASIC_CONSTRAINTS *bcons, STACK_OF(CONF_VALUE) *extlist)
+{
+        X509V3_add_value_bool("CA", bcons->ca, &extlist);
+        X509V3_add_value_int("pathlen", bcons->pathlen, &extlist);
+        return extlist;
+}
+
+static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
+             X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values)
+{
+        BASIC_CONSTRAINTS *bcons=NULL;
+        CONF_VALUE *val;
+        int i;
+        if(!(bcons = BASIC_CONSTRAINTS_new())) {
+                X509V3err(X509V3_F_V2I_BASIC_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        for(i = 0; i < sk_CONF_VALUE_num(values); i++) {
+                val = sk_CONF_VALUE_value(values, i);
+                if(!strcmp(val->name, "CA")) {
+                        if(!X509V3_get_value_bool(val, &bcons->ca)) goto err;
+                } else if(!strcmp(val->name, "pathlen")) {
+                        if(!X509V3_get_value_int(val, &bcons->pathlen)) goto err;
+                } else {
+                        X509V3err(X509V3_F_V2I_BASIC_CONSTRAINTS, X509V3_R_INVALID_NAME);
+                        X509V3_conf_err(val);
+                        goto err;
+                }
+        }
+        return bcons;
+        err:
+        BASIC_CONSTRAINTS_free(bcons);
+        return NULL;
+}
+
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_bitst.c b/src/lib/libssl/src/crypto/x509v3/v3_bitst.c
new file mode 100644
index 0000000000..9828ba15b3
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509v3/v3_bitst.c
@@ -0,0 +1,147 @@
+/* v3_bitst.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static ASN1_BIT_STRING *asn1_bit_string_new(void);
+static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
+                                X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
+                                ASN1_BIT_STRING *bits,
+                                STACK_OF(CONF_VALUE) *extlist);
+static BIT_STRING_BITNAME ns_cert_type_table[] = {
+{0, "SSL Client", "client"},
+{1, "SSL Server", "server"},
+{2, "S/MIME", "email"},
+{3, "Object Signing", "objsign"},
+{4, "Unused", "reserved"},
+{5, "SSL CA", "sslCA"},
+{6, "S/MIME CA", "emailCA"},
+{7, "Object Signing CA", "objCA"},
+{-1, NULL, NULL}
+};
+
+static BIT_STRING_BITNAME key_usage_type_table[] = {
+{0, "Digital Signature", "digitalSignature"},
+{1, "Non Repudiation", "nonRepudiation"},
+{2, "Key Encipherment", "keyEncipherment"},
+{3, "Data Encipherment", "dataEncipherment"},
+{4, "Key Agreement", "keyAgreement"},
+{5, "Certificate Sign", "keyCertSign"},
+{6, "CRL Sign", "cRLSign"},
+{7, "Encipher Only", "encipherOnly"},
+{8, "Decipher Only", "decipherOnly"},
+{-1, NULL, NULL}
+};
+
+
+
+X509V3_EXT_METHOD v3_nscert = EXT_BITSTRING(NID_netscape_cert_type, ns_cert_type_table);
+X509V3_EXT_METHOD v3_key_usage = EXT_BITSTRING(NID_key_usage, key_usage_type_table);
+
+static ASN1_BIT_STRING *asn1_bit_string_new(void)
+{
+        return ASN1_BIT_STRING_new();
+}
+
+static STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
+             ASN1_BIT_STRING *bits, STACK_OF(CONF_VALUE) *ret)
+{
+        BIT_STRING_BITNAME *bnam;
+        for(bnam =method->usr_data; bnam->lname; bnam++) {
+                if(ASN1_BIT_STRING_get_bit(bits, bnam->bitnum)) 
+                        X509V3_add_value(bnam->lname, NULL, &ret);
+        }
+        return ret;
+}
+        
+static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
+             X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+{
+        CONF_VALUE *val;
+        ASN1_BIT_STRING *bs;
+        int i;
+        BIT_STRING_BITNAME *bnam;
+        if(!(bs = ASN1_BIT_STRING_new())) {
+                X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+                val = sk_CONF_VALUE_value(nval, i);
+                for(bnam = method->usr_data; bnam->lname; bnam++) {
+                        if(!strcmp(bnam->sname, val->name) ||
+                                !strcmp(bnam->lname, val->name) ) {
+                                ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1);
+                                break;
+                        }
+                }
+                if(!bnam->lname) {
+                        X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,
+                                        X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT);
+                        X509V3_conf_err(val);
+                        ASN1_BIT_STRING_free(bs);
+                        return NULL;
+                }
+        }
+        return bs;
+}
+        
+
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_conf.c b/src/lib/libssl/src/crypto/x509v3/v3_conf.c
new file mode 100644
index 0000000000..f19bb3ad84
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509v3/v3_conf.c
@@ -0,0 +1,366 @@
+/* v3_conf.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* extension creation utilities */
+
+
+
+#include <stdio.h>
+#include <ctype.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+static int v3_check_critical(char **value);
+static int v3_check_generic(char **value);
+static X509_EXTENSION *do_ext_conf(LHASH *conf, X509V3_CTX *ctx, int ext_nid, int crit, char *value);
+static X509_EXTENSION *v3_generic_extension(const char *ext, char *value, int crit, int type);
+static char *conf_lhash_get_string(void *db, char *section, char *value);
+static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section);
+static X509_EXTENSION *do_ext_i2d(X509V3_EXT_METHOD *method, int ext_nid,
+                                                 int crit, void *ext_struc);
+/* LHASH *conf:  Config file    */
+/* char *name:  Name    */
+/* char *value:  Value    */
+X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name,
+             char *value)
+{
+        int crit;
+        int ext_type;
+        X509_EXTENSION *ret;
+        crit = v3_check_critical(&value);
+        if((ext_type = v3_check_generic(&value))) 
+                return v3_generic_extension(name, value, crit, ext_type);
+        ret = do_ext_conf(conf, ctx, OBJ_sn2nid(name), crit, value);
+        if(!ret) {
+                X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_ERROR_IN_EXTENSION);
+                ERR_add_error_data(4,"name=", name, ", value=", value);
+        }
+        return ret;
+}
+
+/* LHASH *conf:  Config file    */
+/* char *value:  Value    */
+X509_EXTENSION *X509V3_EXT_conf_nid(LHASH *conf, X509V3_CTX *ctx, int ext_nid,
+             char *value)
+{
+        int crit;
+        int ext_type;
+        crit = v3_check_critical(&value);
+        if((ext_type = v3_check_generic(&value))) 
+                return v3_generic_extension(OBJ_nid2sn(ext_nid),
+                                                         value, crit, ext_type);
+        return do_ext_conf(conf, ctx, ext_nid, crit, value);
+}
+
+/* LHASH *conf:  Config file    */
+/* char *value:  Value    */
+static X509_EXTENSION *do_ext_conf(LHASH *conf, X509V3_CTX *ctx, int ext_nid,
+             int crit, char *value)
+{
+        X509V3_EXT_METHOD *method;
+        X509_EXTENSION *ext;
+        STACK_OF(CONF_VALUE) *nval;
+        void *ext_struc;
+        if(ext_nid == NID_undef) {
+                X509V3err(X509V3_F_DO_EXT_CONF,X509V3_R_UNKNOWN_EXTENSION_NAME);
+                return NULL;
+        }
+        if(!(method = X509V3_EXT_get_nid(ext_nid))) {
+                X509V3err(X509V3_F_DO_EXT_CONF,X509V3_R_UNKNOWN_EXTENSION);
+                return NULL;
+        }
+        /* Now get internal extension representation based on type */
+        if(method->v2i) {
+                if(*value == '@') nval = CONF_get_section(conf, value + 1);
+                else nval = X509V3_parse_list(value);
+                if(!nval) {
+                        X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_INVALID_EXTENSION_STRING);
+                        ERR_add_error_data(4, "name=", OBJ_nid2sn(ext_nid), ",section=", value);
+                        return NULL;
+                }
+                ext_struc = method->v2i(method, ctx, nval);
+                if(*value != '@') sk_CONF_VALUE_pop_free(nval,
+                                                         X509V3_conf_free);
+                if(!ext_struc) return NULL;
+        } else if(method->s2i) {
+                if(!(ext_struc = method->s2i(method, ctx, value))) return NULL;
+        } else if(method->r2i) {
+                if(!ctx->db) {
+                        X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_NO_CONFIG_DATABASE);
+                        return NULL;
+                }
+                if(!(ext_struc = method->r2i(method, ctx, value))) return NULL;
+        } else {
+                X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED);
+                ERR_add_error_data(2, "name=", OBJ_nid2sn(ext_nid));
+                return NULL;
+        }
+
+        ext  = do_ext_i2d(method, ext_nid, crit, ext_struc);
+        method->ext_free(ext_struc);
+        return ext;
+
+}
+
+static X509_EXTENSION *do_ext_i2d(X509V3_EXT_METHOD *method, int ext_nid,
+                                                 int crit, void *ext_struc)
+{
+        unsigned char *ext_der, *p;
+        int ext_len;
+        ASN1_OCTET_STRING *ext_oct;
+        X509_EXTENSION *ext;
+        /* Convert internal representation to DER */
+        ext_len = method->i2d(ext_struc, NULL);
+        if(!(ext_der = Malloc(ext_len))) goto merr;
+        p = ext_der;
+        method->i2d(ext_struc, &p);
+        if(!(ext_oct = ASN1_OCTET_STRING_new())) goto merr;
+        ext_oct->data = ext_der;
+        ext_oct->length = ext_len;
+        
+        ext = X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct);
+        if(!ext) goto merr;
+        ASN1_OCTET_STRING_free(ext_oct);
+
+        return ext;
+
+        merr:
+        X509V3err(X509V3_F_DO_EXT_I2D,ERR_R_MALLOC_FAILURE);
+        return NULL;
+
+}
+
+/* Given an internal structure, nid and critical flag create an extension */
+
+X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc)
+{
+        X509V3_EXT_METHOD *method;
+        if(!(method = X509V3_EXT_get_nid(ext_nid))) {
+                X509V3err(X509V3_F_X509V3_EXT_I2D,X509V3_R_UNKNOWN_EXTENSION);
+                return NULL;
+        }
+        return do_ext_i2d(method, ext_nid, crit, ext_struc);
+}
+
+/* Check the extension string for critical flag */
+static int v3_check_critical(char **value)
+{
+        char *p = *value;
+        if((strlen(p) < 9) || strncmp(p, "critical,", 9)) return 0;
+        p+=9;
+        while(isspace((unsigned char)*p)) p++;
+        *value = p;
+        return 1;
+}
+
+/* Check extension string for generic extension and return the type */
+static int v3_check_generic(char **value)
+{
+        char *p = *value;
+        if((strlen(p) < 4) || strncmp(p, "DER:,", 4)) return 0;
+        p+=4;
+        while(isspace((unsigned char)*p)) p++;
+        *value = p;
+        return 1;
+}
+
+/* Create a generic extension: for now just handle RAW type */
+static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
+             int crit, int type)
+{
+unsigned char *ext_der=NULL;
+long ext_len;
+ASN1_OBJECT *obj=NULL;
+ASN1_OCTET_STRING *oct=NULL;
+X509_EXTENSION *extension=NULL;
+if(!(obj = OBJ_txt2obj(ext, 0))) {
+        X509V3err(X509V3_F_V3_GENERIC_EXTENSION,X509V3_R_EXTENSION_NAME_ERROR);
+        ERR_add_error_data(2, "name=", ext);
+        goto err;
+}
+
+if(!(ext_der = string_to_hex(value, &ext_len))) {
+        X509V3err(X509V3_F_V3_GENERIC_EXTENSION,X509V3_R_EXTENSION_VALUE_ERROR);
+        ERR_add_error_data(2, "value=", value);
+        goto err;
+}
+
+if(!(oct = ASN1_OCTET_STRING_new())) {
+        X509V3err(X509V3_F_V3_GENERIC_EXTENSION,ERR_R_MALLOC_FAILURE);
+        goto err;
+}
+
+oct->data = ext_der;
+oct->length = ext_len;
+ext_der = NULL;
+
+extension = X509_EXTENSION_create_by_OBJ(NULL, obj, crit, oct);
+
+err:
+ASN1_OBJECT_free(obj);
+ASN1_OCTET_STRING_free(oct);
+if(ext_der) Free(ext_der);
+return extension;
+}
+
+
+/* This is the main function: add a bunch of extensions based on a config file
+ * section
+ */
+
+int X509V3_EXT_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
+             X509 *cert)
+{
+        X509_EXTENSION *ext;
+        STACK_OF(CONF_VALUE) *nval;
+        CONF_VALUE *val;        
+        int i;
+        if(!(nval = CONF_get_section(conf, section))) return 0;
+        for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+                val = sk_CONF_VALUE_value(nval, i);
+                if(!(ext = X509V3_EXT_conf(conf, ctx, val->name, val->value)))
+                                                                return 0;
+                if(cert) X509_add_ext(cert, ext, -1);
+                X509_EXTENSION_free(ext);
+        }
+        return 1;
+}
+
+/* Same as above but for a CRL */
+
+int X509V3_EXT_CRL_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
+             X509_CRL *crl)
+{
+        X509_EXTENSION *ext;
+        STACK_OF(CONF_VALUE) *nval;
+        CONF_VALUE *val;        
+        int i;
+        if(!(nval = CONF_get_section(conf, section))) return 0;
+        for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+                val = sk_CONF_VALUE_value(nval, i);
+                if(!(ext = X509V3_EXT_conf(conf, ctx, val->name, val->value)))
+                                                                return 0;
+                if(crl) X509_CRL_add_ext(crl, ext, -1);
+                X509_EXTENSION_free(ext);
+        }
+        return 1;
+}
+
+/* Config database functions */
+
+char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section)
+{
+        if(ctx->db_meth->get_string)
+                        return ctx->db_meth->get_string(ctx->db, name, section);
+        return NULL;
+}
+
+STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section)
+{
+        if(ctx->db_meth->get_section)
+                        return ctx->db_meth->get_section(ctx->db, section);
+        return NULL;
+}
+
+void X509V3_string_free(X509V3_CTX *ctx, char *str)
+{
+        if(!str) return;
+        if(ctx->db_meth->free_string)
+                        ctx->db_meth->free_string(ctx->db, str);
+}
+
+void X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section)
+{
+        if(!section) return;
+        if(ctx->db_meth->free_section)
+                        ctx->db_meth->free_section(ctx->db, section);
+}
+
+static char *conf_lhash_get_string(void *db, char *section, char *value)
+{
+        return CONF_get_string(db, section, value);
+}
+
+static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section)
+{
+        return CONF_get_section(db, section);
+}
+
+static X509V3_CONF_METHOD conf_lhash_method = {
+conf_lhash_get_string,
+conf_lhash_get_section,
+NULL,
+NULL
+};
+
+void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH *lhash)
+{
+        ctx->db_meth = &conf_lhash_method;
+        ctx->db = lhash;
+}
+
+void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
+             X509_CRL *crl, int flags)
+{
+        ctx->issuer_cert = issuer;
+        ctx->subject_cert = subj;
+        ctx->crl = crl;
+        ctx->subject_req = req;
+        ctx->flags = flags;
+}
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_cpols.c b/src/lib/libssl/src/crypto/x509v3/v3_cpols.c
new file mode 100644
index 0000000000..b4d4883545
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509v3/v3_cpols.c
@@ -0,0 +1,655 @@
+/* v3_cpols.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509v3.h>
+
+/* Certificate policies extension support: this one is a bit complex... */
+
+static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol, BIO *out, int indent);
+static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value);
+static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals, int indent);
+static void print_notice(BIO *out, USERNOTICE *notice, int indent);
+static POLICYINFO *policy_section(X509V3_CTX *ctx,
+                                 STACK_OF(CONF_VALUE) *polstrs, int ia5org);
+static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
+                                        STACK_OF(CONF_VALUE) *unot, int ia5org);
+static STACK *nref_nos(STACK_OF(CONF_VALUE) *nos);
+
+X509V3_EXT_METHOD v3_cpols = {
+NID_certificate_policies, 0,
+(X509V3_EXT_NEW)CERTIFICATEPOLICIES_new,
+(X509V3_EXT_FREE)CERTIFICATEPOLICIES_free,
+(X509V3_EXT_D2I)d2i_CERTIFICATEPOLICIES,
+(X509V3_EXT_I2D)i2d_CERTIFICATEPOLICIES,
+NULL, NULL,
+NULL, NULL,
+(X509V3_EXT_I2R)i2r_certpol,
+(X509V3_EXT_R2I)r2i_certpol,
+NULL
+};
+
+
+static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
+                X509V3_CTX *ctx, char *value)
+{
+        STACK_OF(POLICYINFO) *pols = NULL;
+        char *pstr;
+        POLICYINFO *pol;
+        ASN1_OBJECT *pobj;
+        STACK_OF(CONF_VALUE) *vals;
+        CONF_VALUE *cnf;
+        int i, ia5org;
+        pols = sk_POLICYINFO_new_null();
+        vals =  X509V3_parse_list(value);
+        ia5org = 0;
+        for(i = 0; i < sk_CONF_VALUE_num(vals); i++) {
+                cnf = sk_CONF_VALUE_value(vals, i);
+                if(cnf->value || !cnf->name ) {
+                        X509V3err(X509V3_F_R2I_CERTPOL,X509V3_R_INVALID_POLICY_IDENTIFIER);
+                        X509V3_conf_err(cnf);
+                        goto err;
+                }
+                pstr = cnf->name;
+                if(!strcmp(pstr,"ia5org")) {
+                        ia5org = 1;
+                        continue;
+                } else if(*pstr == '@') {
+                        STACK_OF(CONF_VALUE) *polsect;
+                        polsect = X509V3_get_section(ctx, pstr + 1);
+                        if(!polsect) {
+                                X509V3err(X509V3_F_R2I_CERTPOL,X509V3_R_INVALID_SECTION);
+
+                                X509V3_conf_err(cnf);
+                                goto err;
+                        }
+                        pol = policy_section(ctx, polsect, ia5org);
+                        X509V3_section_free(ctx, polsect);
+                        if(!pol) goto err;
+                } else {
+                        if(!(pobj = OBJ_txt2obj(cnf->name, 0))) {
+                                X509V3err(X509V3_F_R2I_CERTPOL,X509V3_R_INVALID_OBJECT_IDENTIFIER);
+                                X509V3_conf_err(cnf);
+                                goto err;
+                        }
+                        pol = POLICYINFO_new();
+                        pol->policyid = pobj;
+                }
+                sk_POLICYINFO_push(pols, pol);
+        }
+        sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
+        return pols;
+        err:
+        sk_POLICYINFO_pop_free(pols, POLICYINFO_free);
+        return NULL;
+}
+
+static POLICYINFO *policy_section(X509V3_CTX *ctx,
+                                STACK_OF(CONF_VALUE) *polstrs, int ia5org)
+{
+        int i;
+        CONF_VALUE *cnf;
+        POLICYINFO *pol;
+        POLICYQUALINFO *qual;
+        if(!(pol = POLICYINFO_new())) goto merr;
+        for(i = 0; i < sk_CONF_VALUE_num(polstrs); i++) {
+                cnf = sk_CONF_VALUE_value(polstrs, i);
+                if(!strcmp(cnf->name, "policyIdentifier")) {
+                        ASN1_OBJECT *pobj;
+                        if(!(pobj = OBJ_txt2obj(cnf->value, 0))) {
+                                X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_INVALID_OBJECT_IDENTIFIER);
+                                X509V3_conf_err(cnf);
+                                goto err;
+                        }
+                        pol->policyid = pobj;
+
+                } else if(!name_cmp(cnf->name, "CPS")) {
+                        if(!pol->qualifiers) pol->qualifiers =
+                                                 sk_POLICYQUALINFO_new_null();
+                        if(!(qual = POLICYQUALINFO_new())) goto merr;
+                        if(!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
+                                                                 goto merr;
+                        qual->pqualid = OBJ_nid2obj(NID_id_qt_cps);
+                        qual->d.cpsuri = ASN1_IA5STRING_new();
+                        if(!ASN1_STRING_set(qual->d.cpsuri, cnf->value,
+                                                 strlen(cnf->value))) goto merr;
+                } else if(!name_cmp(cnf->name, "userNotice")) {
+                        STACK_OF(CONF_VALUE) *unot;
+                        if(*cnf->value != '@') {
+                                X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_EXPECTED_A_SECTION_NAME);
+                                X509V3_conf_err(cnf);
+                                goto err;
+                        }
+                        unot = X509V3_get_section(ctx, cnf->value + 1);
+                        if(!unot) {
+                                X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_INVALID_SECTION);
+
+                                X509V3_conf_err(cnf);
+                                goto err;
+                        }
+                        qual = notice_section(ctx, unot, ia5org);
+                        X509V3_section_free(ctx, unot);
+                        if(!qual) goto err;
+                        if(!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
+                                                                 goto merr;
+                } else {
+                        X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_INVALID_OPTION);
+
+                        X509V3_conf_err(cnf);
+                        goto err;
+                }
+        }
+        if(!pol->policyid) {
+                X509V3err(X509V3_F_POLICY_SECTION,X509V3_R_NO_POLICY_IDENTIFIER);
+                goto err;
+        }
+
+        return pol;
+
+        merr:
+        X509V3err(X509V3_F_POLICY_SECTION,ERR_R_MALLOC_FAILURE);
+
+        err:
+        POLICYINFO_free(pol);
+        return NULL;
+        
+        
+}
+
+static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
+                                        STACK_OF(CONF_VALUE) *unot, int ia5org)
+{
+        int i;
+        CONF_VALUE *cnf;
+        USERNOTICE *not;
+        POLICYQUALINFO *qual;
+        if(!(qual = POLICYQUALINFO_new())) goto merr;
+        qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice);
+        if(!(not = USERNOTICE_new())) goto merr;
+        qual->d.usernotice = not;
+        for(i = 0; i < sk_CONF_VALUE_num(unot); i++) {
+                cnf = sk_CONF_VALUE_value(unot, i);
+                if(!strcmp(cnf->name, "explicitText")) {
+                        not->exptext = ASN1_VISIBLESTRING_new();
+                        if(!ASN1_STRING_set(not->exptext, cnf->value,
+                                                 strlen(cnf->value))) goto merr;
+                } else if(!strcmp(cnf->name, "organization")) {
+                        NOTICEREF *nref;
+                        if(!not->noticeref) {
+                                if(!(nref = NOTICEREF_new())) goto merr;
+                                not->noticeref = nref;
+                        } else nref = not->noticeref;
+                        if(ia5org) nref->organization = ASN1_IA5STRING_new();
+                        else nref->organization = ASN1_VISIBLESTRING_new();
+                        if(!ASN1_STRING_set(nref->organization, cnf->value,
+                                                 strlen(cnf->value))) goto merr;
+                } else if(!strcmp(cnf->name, "noticeNumbers")) {
+                        NOTICEREF *nref;
+                        STACK_OF(CONF_VALUE) *nos;
+                        if(!not->noticeref) {
+                                if(!(nref = NOTICEREF_new())) goto merr;
+                                not->noticeref = nref;
+                        } else nref = not->noticeref;
+                        nos = X509V3_parse_list(cnf->value);
+                        if(!nos || !sk_CONF_VALUE_num(nos)) {
+                                X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_INVALID_NUMBERS);
+                                X509V3_conf_err(cnf);
+                                goto err;
+                        }
+                        nref->noticenos = nref_nos(nos);
+                        sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
+                        if(!nref->noticenos) goto err;
+                } else {
+                        X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_INVALID_OPTION);
+
+                        X509V3_conf_err(cnf);
+                        goto err;
+                }
+        }
+
+        if(not->noticeref && 
+              (!not->noticeref->noticenos || !not->noticeref->organization)) {
+                        X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_NEED_ORGANIZATION_AND_NUMBERS);
+                        goto err;
+        }
+
+        return qual;
+
+        merr:
+        X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE);
+
+        err:
+        POLICYQUALINFO_free(qual);
+        return NULL;
+}
+
+static STACK *nref_nos(STACK_OF(CONF_VALUE) *nos)
+{
+        STACK *nnums;
+        CONF_VALUE *cnf;
+        ASN1_INTEGER *aint;
+        int i;
+        if(!(nnums = sk_new_null())) goto merr;
+        for(i = 0; i < sk_CONF_VALUE_num(nos); i++) {
+                cnf = sk_CONF_VALUE_value(nos, i);
+                if(!(aint = s2i_ASN1_INTEGER(NULL, cnf->name))) {
+                        X509V3err(X509V3_F_NREF_NOS,X509V3_R_INVALID_NUMBER);
+                        goto err;
+                }
+                if(!sk_push(nnums, (char *)aint)) goto merr;
+        }
+        return nnums;
+
+        merr:
+        X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE);
+
+        err:
+        sk_pop_free(nnums, ASN1_STRING_free);
+        return NULL;
+}
+
+
+static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol,
+                BIO *out, int indent)
+{
+        int i;
+        POLICYINFO *pinfo;
+        /* First print out the policy OIDs */
+        for(i = 0; i < sk_POLICYINFO_num(pol); i++) {
+                pinfo = sk_POLICYINFO_value(pol, i);
+                BIO_printf(out, "%*sPolicy: ", indent, "");
+                i2a_ASN1_OBJECT(out, pinfo->policyid);
+                BIO_puts(out, "\n");
+                if(pinfo->qualifiers)
+                         print_qualifiers(out, pinfo->qualifiers, indent + 2);
+        }
+        return 1;
+}
+
+
+int i2d_CERTIFICATEPOLICIES(STACK_OF(POLICYINFO) *a, unsigned char **pp)
+{
+
+return i2d_ASN1_SET_OF_POLICYINFO(a, pp, i2d_POLICYINFO, V_ASN1_SEQUENCE,
+                                                 V_ASN1_UNIVERSAL, IS_SEQUENCE);}
+
+STACK_OF(POLICYINFO) *CERTIFICATEPOLICIES_new(void)
+{
+        return sk_POLICYINFO_new_null();
+}
+
+void CERTIFICATEPOLICIES_free(STACK_OF(POLICYINFO) *a)
+{
+        sk_POLICYINFO_pop_free(a, POLICYINFO_free);
+}
+
+STACK_OF(POLICYINFO) *d2i_CERTIFICATEPOLICIES(STACK_OF(POLICYINFO) **a,
+                unsigned char **pp,long length)
+{
+return d2i_ASN1_SET_OF_POLICYINFO(a, pp, length, d2i_POLICYINFO,
+                         POLICYINFO_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
+
+}
+
+IMPLEMENT_STACK_OF(POLICYINFO)
+IMPLEMENT_ASN1_SET_OF(POLICYINFO)
+
+int i2d_POLICYINFO(POLICYINFO *a, unsigned char **pp)
+{
+        M_ASN1_I2D_vars(a);
+
+        M_ASN1_I2D_len (a->policyid, i2d_ASN1_OBJECT);
+        M_ASN1_I2D_len_SEQUENCE_type(POLICYQUALINFO, a->qualifiers,
+                                                         i2d_POLICYQUALINFO);
+
+        M_ASN1_I2D_seq_total();
+
+        M_ASN1_I2D_put (a->policyid, i2d_ASN1_OBJECT);
+        M_ASN1_I2D_put_SEQUENCE_type(POLICYQUALINFO, a->qualifiers,
+                                                         i2d_POLICYQUALINFO);
+
+        M_ASN1_I2D_finish();
+}
+
+POLICYINFO *POLICYINFO_new(void)
+{
+        POLICYINFO *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, POLICYINFO);
+        ret->policyid = NULL;
+        ret->qualifiers = NULL;
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_POLICYINFO_NEW);
+}
+
+POLICYINFO *d2i_POLICYINFO(POLICYINFO **a, unsigned char **pp,long length)
+{
+        M_ASN1_D2I_vars(a,POLICYINFO *,POLICYINFO_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get(ret->policyid, d2i_ASN1_OBJECT);
+        if(!M_ASN1_D2I_end_sequence()) {
+                M_ASN1_D2I_get_seq_type (POLICYQUALINFO, ret->qualifiers,
+                                 d2i_POLICYQUALINFO, POLICYQUALINFO_free);
+        }
+        M_ASN1_D2I_Finish(a, POLICYINFO_free, ASN1_F_D2I_POLICYINFO);
+}
+
+void POLICYINFO_free(POLICYINFO *a)
+{
+        if (a == NULL) return;
+        ASN1_OBJECT_free(a->policyid);
+        sk_POLICYQUALINFO_pop_free(a->qualifiers, POLICYQUALINFO_free);
+        Free (a);
+}
+
+static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
+                int indent)
+{
+        POLICYQUALINFO *qualinfo;
+        int i;
+        for(i = 0; i < sk_POLICYQUALINFO_num(quals); i++) {
+                qualinfo = sk_POLICYQUALINFO_value(quals, i);
+                switch(OBJ_obj2nid(qualinfo->pqualid))
+                {
+                        case NID_id_qt_cps:
+                        BIO_printf(out, "%*sCPS: %s\n", indent, "",
+                                                qualinfo->d.cpsuri->data);
+                        break;
+                
+                        case NID_id_qt_unotice:
+                        BIO_printf(out, "%*sUser Notice:\n", indent, "");
+                        print_notice(out, qualinfo->d.usernotice, indent + 2);
+                        break;
+
+                        default:
+                        BIO_printf(out, "%*sUnknown Qualifier: ",
+                                                         indent + 2, "");
+                        
+                        i2a_ASN1_OBJECT(out, qualinfo->pqualid);
+                        BIO_puts(out, "\n");
+                        break;
+                }
+        }
+}
+
+static void print_notice(BIO *out, USERNOTICE *notice, int indent)
+{
+        int i;
+        if(notice->noticeref) {
+                NOTICEREF *ref;
+                ref = notice->noticeref;
+                BIO_printf(out, "%*sOrganization: %s\n", indent, "",
+                                                 ref->organization->data);
+                BIO_printf(out, "%*sNumber%s: ", indent, "",
+                                 (sk_num(ref->noticenos) > 1) ? "s" : "");
+                for(i = 0; i < sk_num(ref->noticenos); i++) {
+                        ASN1_INTEGER *num;
+                        char *tmp;
+                        num = (ASN1_INTEGER *)sk_value(ref->noticenos, i);
+                        if(i) BIO_puts(out, ", ");
+                        tmp = i2s_ASN1_INTEGER(NULL, num);
+                        BIO_puts(out, tmp);
+                        Free(tmp);
+                }
+                BIO_puts(out, "\n");
+        }
+        if(notice->exptext)
+                BIO_printf(out, "%*sExplicit Text: %s\n", indent, "",
+                                                         notice->exptext->data);
+}
+                
+        
+
+int i2d_POLICYQUALINFO(POLICYQUALINFO *a, unsigned char **pp)
+{
+        M_ASN1_I2D_vars(a);
+
+        M_ASN1_I2D_len (a->pqualid, i2d_ASN1_OBJECT);
+        switch(OBJ_obj2nid(a->pqualid)) {
+                case NID_id_qt_cps:
+                M_ASN1_I2D_len(a->d.cpsuri, i2d_ASN1_IA5STRING);
+                break;
+
+                case NID_id_qt_unotice:
+                M_ASN1_I2D_len(a->d.usernotice, i2d_USERNOTICE);
+                break;
+
+                default:
+                M_ASN1_I2D_len(a->d.other, i2d_ASN1_TYPE);
+                break;
+        }
+
+        M_ASN1_I2D_seq_total();
+
+        M_ASN1_I2D_put (a->pqualid, i2d_ASN1_OBJECT);
+        switch(OBJ_obj2nid(a->pqualid)) {
+                case NID_id_qt_cps:
+                M_ASN1_I2D_put(a->d.cpsuri, i2d_ASN1_IA5STRING);
+                break;
+
+                case NID_id_qt_unotice:
+                M_ASN1_I2D_put(a->d.usernotice, i2d_USERNOTICE);
+                break;
+
+                default:
+                M_ASN1_I2D_put(a->d.other, i2d_ASN1_TYPE);
+                break;
+        }
+
+        M_ASN1_I2D_finish();
+}
+
+POLICYQUALINFO *POLICYQUALINFO_new(void)
+{
+        POLICYQUALINFO *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, POLICYQUALINFO);
+        ret->pqualid = NULL;
+        ret->d.other = NULL;
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_POLICYQUALINFO_NEW);
+}
+
+POLICYQUALINFO *d2i_POLICYQUALINFO(POLICYQUALINFO **a, unsigned char **pp,
+                long length)
+{
+        M_ASN1_D2I_vars(a,POLICYQUALINFO *,POLICYQUALINFO_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get (ret->pqualid, d2i_ASN1_OBJECT);
+        switch(OBJ_obj2nid(ret->pqualid)) {
+                case NID_id_qt_cps:
+                M_ASN1_D2I_get(ret->d.cpsuri, d2i_ASN1_IA5STRING);
+                break;
+
+                case NID_id_qt_unotice:
+                M_ASN1_D2I_get(ret->d.usernotice, d2i_USERNOTICE);
+                break;
+
+                default:
+                M_ASN1_D2I_get(ret->d.other, d2i_ASN1_TYPE);
+                break;
+        }
+        M_ASN1_D2I_Finish(a, POLICYQUALINFO_free, ASN1_F_D2I_POLICYQUALINFO);
+}
+
+void POLICYQUALINFO_free(POLICYQUALINFO *a)
+{
+        if (a == NULL) return;
+        switch(OBJ_obj2nid(a->pqualid)) {
+                case NID_id_qt_cps:
+                ASN1_IA5STRING_free(a->d.cpsuri);
+                break;
+
+                case NID_id_qt_unotice:
+                USERNOTICE_free(a->d.usernotice);
+                break;
+
+                default:
+                ASN1_TYPE_free(a->d.other);
+                break;
+        }
+        
+        ASN1_OBJECT_free(a->pqualid);
+        Free (a);
+}
+
+int i2d_USERNOTICE(USERNOTICE *a, unsigned char **pp)
+{
+        M_ASN1_I2D_vars(a);
+
+        M_ASN1_I2D_len (a->noticeref, i2d_NOTICEREF);
+        M_ASN1_I2D_len (a->exptext, i2d_DISPLAYTEXT);
+
+        M_ASN1_I2D_seq_total();
+
+        M_ASN1_I2D_put (a->noticeref, i2d_NOTICEREF);
+        M_ASN1_I2D_put (a->exptext, i2d_DISPLAYTEXT);
+
+        M_ASN1_I2D_finish();
+}
+
+USERNOTICE *USERNOTICE_new(void)
+{
+        USERNOTICE *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, USERNOTICE);
+        ret->noticeref = NULL;
+        ret->exptext = NULL;
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_USERNOTICE_NEW);
+}
+
+USERNOTICE *d2i_USERNOTICE(USERNOTICE **a, unsigned char **pp,long length)
+{
+        M_ASN1_D2I_vars(a,USERNOTICE *,USERNOTICE_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get_opt(ret->noticeref, d2i_NOTICEREF, V_ASN1_SEQUENCE);
+        if (!M_ASN1_D2I_end_sequence()) {
+                M_ASN1_D2I_get(ret->exptext, d2i_DISPLAYTEXT);
+        }
+        M_ASN1_D2I_Finish(a, USERNOTICE_free, ASN1_F_D2I_USERNOTICE);
+}
+
+void USERNOTICE_free(USERNOTICE *a)
+{
+        if (a == NULL) return;
+        NOTICEREF_free(a->noticeref);
+        DISPLAYTEXT_free(a->exptext);
+        Free (a);
+}
+
+int i2d_NOTICEREF(NOTICEREF *a, unsigned char **pp)
+{
+        M_ASN1_I2D_vars(a);
+
+        M_ASN1_I2D_len (a->organization, i2d_DISPLAYTEXT);
+        M_ASN1_I2D_len_SEQUENCE(a->noticenos, i2d_ASN1_INTEGER);
+
+        M_ASN1_I2D_seq_total();
+
+        M_ASN1_I2D_put (a->organization, i2d_DISPLAYTEXT);
+        M_ASN1_I2D_put_SEQUENCE(a->noticenos, i2d_ASN1_INTEGER);
+
+        M_ASN1_I2D_finish();
+}
+
+NOTICEREF *NOTICEREF_new(void)
+{
+        NOTICEREF *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, NOTICEREF);
+        ret->organization = NULL;
+        ret->noticenos = NULL;
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_NOTICEREF_NEW);
+}
+
+NOTICEREF *d2i_NOTICEREF(NOTICEREF **a, unsigned char **pp,long length)
+{
+        M_ASN1_D2I_vars(a,NOTICEREF *,NOTICEREF_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        /* This is to cope with some broken encodings that use IA5STRING for
+         * the organization field
+         */
+        M_ASN1_D2I_get_opt(ret->organization, d2i_ASN1_IA5STRING,
+                                                         V_ASN1_IA5STRING);
+        if(!ret->organization) {
+                 M_ASN1_D2I_get(ret->organization, d2i_DISPLAYTEXT);
+        }
+        M_ASN1_D2I_get_seq(ret->noticenos, d2i_ASN1_INTEGER, ASN1_STRING_free);
+        M_ASN1_D2I_Finish(a, NOTICEREF_free, ASN1_F_D2I_NOTICEREF);
+}
+
+void NOTICEREF_free(NOTICEREF *a)
+{
+        if (a == NULL) return;
+        DISPLAYTEXT_free(a->organization);
+        sk_pop_free(a->noticenos, ASN1_STRING_free);
+        Free (a);
+}
+
+IMPLEMENT_STACK_OF(POLICYQUALINFO)
+IMPLEMENT_ASN1_SET_OF(POLICYQUALINFO)
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_crld.c b/src/lib/libssl/src/crypto/x509v3/v3_crld.c
new file mode 100644
index 0000000000..897ffb63e4
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509v3/v3_crld.c
@@ -0,0 +1,283 @@
+/* v3_crld.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509v3.h>
+
+static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
+                STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *extlist);
+static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
+                                X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+
+X509V3_EXT_METHOD v3_crld = {
+NID_crl_distribution_points, X509V3_EXT_MULTILINE,
+(X509V3_EXT_NEW)CRL_DIST_POINTS_new,
+(X509V3_EXT_FREE)CRL_DIST_POINTS_free,
+(X509V3_EXT_D2I)d2i_CRL_DIST_POINTS,
+(X509V3_EXT_I2D)i2d_CRL_DIST_POINTS,
+NULL, NULL,
+(X509V3_EXT_I2V)i2v_crld,
+(X509V3_EXT_V2I)v2i_crld,
+NULL, NULL, NULL
+};
+
+static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
+                        STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *exts)
+{
+        DIST_POINT *point;
+        int i;
+        for(i = 0; i < sk_DIST_POINT_num(crld); i++) {
+                point = sk_DIST_POINT_value(crld, i);
+                if(point->distpoint->fullname) {
+                        exts = i2v_GENERAL_NAMES(NULL,
+                                         point->distpoint->fullname, exts);
+                }
+                if(point->reasons) 
+                        X509V3_add_value("reasons","<UNSUPPORTED>", &exts);
+                if(point->CRLissuer)
+                        X509V3_add_value("CRLissuer","<UNSUPPORTED>", &exts);
+                if(point->distpoint->relativename)
+                        X509V3_add_value("RelativeName","<UNSUPPORTED>", &exts);
+        }
+        return exts;
+}
+
+static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
+                                X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+{
+        STACK_OF(DIST_POINT) *crld = NULL;
+        STACK_OF(GENERAL_NAME) *gens = NULL;
+        GENERAL_NAME *gen = NULL;
+        CONF_VALUE *cnf;
+        int i;
+        if(!(crld = sk_DIST_POINT_new(NULL))) goto merr;
+        for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+                DIST_POINT *point;
+                cnf = sk_CONF_VALUE_value(nval, i);
+                if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) goto err; 
+                if(!(gens = GENERAL_NAMES_new())) goto merr;
+                if(!sk_GENERAL_NAME_push(gens, gen)) goto merr;
+                gen = NULL;
+                if(!(point = DIST_POINT_new())) goto merr;
+                if(!sk_DIST_POINT_push(crld, point)) {
+                        DIST_POINT_free(point);
+                        goto merr;
+                }
+                if(!(point->distpoint = DIST_POINT_NAME_new())) goto merr;
+                point->distpoint->fullname = gens;
+                gens = NULL;
+        }
+        return crld;
+
+        merr:
+        X509V3err(X509V3_F_V2I_CRLD,ERR_R_MALLOC_FAILURE);
+        err:
+        GENERAL_NAME_free(gen);
+        GENERAL_NAMES_free(gens);
+        sk_DIST_POINT_pop_free(crld, DIST_POINT_free);
+        return NULL;
+}
+
+int i2d_CRL_DIST_POINTS(STACK_OF(DIST_POINT) *a, unsigned char **pp)
+{
+
+return i2d_ASN1_SET_OF_DIST_POINT(a, pp, i2d_DIST_POINT, V_ASN1_SEQUENCE,
+                                                 V_ASN1_UNIVERSAL, IS_SEQUENCE);}
+
+STACK_OF(DIST_POINT) *CRL_DIST_POINTS_new(void)
+{
+        return sk_DIST_POINT_new_null();
+}
+
+void CRL_DIST_POINTS_free(STACK_OF(DIST_POINT) *a)
+{
+        sk_DIST_POINT_pop_free(a, DIST_POINT_free);
+}
+
+STACK_OF(DIST_POINT) *d2i_CRL_DIST_POINTS(STACK_OF(DIST_POINT) **a,
+                unsigned char **pp,long length)
+{
+return d2i_ASN1_SET_OF_DIST_POINT(a, pp, length, d2i_DIST_POINT,
+                         DIST_POINT_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
+
+}
+
+IMPLEMENT_STACK_OF(DIST_POINT)
+IMPLEMENT_ASN1_SET_OF(DIST_POINT)
+
+int i2d_DIST_POINT(DIST_POINT *a, unsigned char **pp)
+{
+        int v = 0;
+        M_ASN1_I2D_vars(a);
+        /* NB: underlying type is a CHOICE so need EXPLICIT tagging */
+        M_ASN1_I2D_len_EXP_opt (a->distpoint, i2d_DIST_POINT_NAME, 0, v);
+        M_ASN1_I2D_len_IMP_opt (a->reasons, i2d_ASN1_BIT_STRING);
+        M_ASN1_I2D_len_IMP_opt (a->CRLissuer, i2d_GENERAL_NAMES);
+
+        M_ASN1_I2D_seq_total();
+
+        M_ASN1_I2D_put_EXP_opt (a->distpoint, i2d_DIST_POINT_NAME, 0, v);
+        M_ASN1_I2D_put_IMP_opt (a->reasons, i2d_ASN1_BIT_STRING, 1);
+        M_ASN1_I2D_put_IMP_opt (a->CRLissuer, i2d_GENERAL_NAMES, 2);
+
+        M_ASN1_I2D_finish();
+}
+
+DIST_POINT *DIST_POINT_new(void)
+{
+        DIST_POINT *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, DIST_POINT);
+        ret->distpoint = NULL;
+        ret->reasons = NULL;
+        ret->CRLissuer = NULL;
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_DIST_POINT_NEW);
+}
+
+DIST_POINT *d2i_DIST_POINT(DIST_POINT **a, unsigned char **pp, long length)
+{
+        M_ASN1_D2I_vars(a,DIST_POINT *,DIST_POINT_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get_EXP_opt (ret->distpoint, d2i_DIST_POINT_NAME, 0);
+        M_ASN1_D2I_get_IMP_opt (ret->reasons, d2i_ASN1_BIT_STRING, 1,
+                                                        V_ASN1_BIT_STRING);
+        M_ASN1_D2I_get_IMP_opt (ret->CRLissuer, d2i_GENERAL_NAMES, 2,
+                                                        V_ASN1_SEQUENCE);
+        M_ASN1_D2I_Finish(a, DIST_POINT_free, ASN1_F_D2I_DIST_POINT);
+}
+
+void DIST_POINT_free(DIST_POINT *a)
+{
+        if (a == NULL) return;
+        DIST_POINT_NAME_free(a->distpoint);
+        ASN1_BIT_STRING_free(a->reasons);
+        sk_GENERAL_NAME_pop_free(a->CRLissuer, GENERAL_NAME_free);
+        Free ((char *)a);
+}
+
+int i2d_DIST_POINT_NAME(DIST_POINT_NAME *a, unsigned char **pp)
+{
+        int v = 0;
+        M_ASN1_I2D_vars(a);
+
+        if(a->fullname) {
+                M_ASN1_I2D_len_IMP_opt (a->fullname, i2d_GENERAL_NAMES);
+        } else {
+                M_ASN1_I2D_len_EXP_opt (a->relativename, i2d_X509_NAME, 1, v);
+        }
+
+        /* Don't want a SEQUENCE so... */
+        if(pp == NULL) return ret;
+        p = *pp;
+
+        if(a->fullname) {
+                M_ASN1_I2D_put_IMP_opt (a->fullname, i2d_GENERAL_NAMES, 0);
+        } else {
+                M_ASN1_I2D_put_EXP_opt (a->relativename, i2d_X509_NAME, 1, v);
+        }
+        M_ASN1_I2D_finish();
+}
+
+DIST_POINT_NAME *DIST_POINT_NAME_new(void)
+{
+        DIST_POINT_NAME *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, DIST_POINT_NAME);
+        ret->fullname = NULL;
+        ret->relativename = NULL;
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_DIST_POINT_NAME_NEW);
+}
+
+void DIST_POINT_NAME_free(DIST_POINT_NAME *a)
+{
+        if (a == NULL) return;
+        X509_NAME_free(a->relativename);
+        sk_GENERAL_NAME_pop_free(a->fullname, GENERAL_NAME_free);
+        Free ((char *)a);
+}
+
+DIST_POINT_NAME *d2i_DIST_POINT_NAME(DIST_POINT_NAME **a, unsigned char **pp,
+             long length)
+{
+        unsigned char _tmp, tag;
+        M_ASN1_D2I_vars(a,DIST_POINT_NAME *,DIST_POINT_NAME_new);
+        M_ASN1_D2I_Init();
+        c.slen = length;
+
+        _tmp = M_ASN1_next;
+        tag = _tmp & ~V_ASN1_CONSTRUCTED;
+        
+        if(tag == (0|V_ASN1_CONTEXT_SPECIFIC)) {
+                M_ASN1_D2I_get_imp(ret->fullname, d2i_GENERAL_NAMES,
+                                                        V_ASN1_SEQUENCE);
+        } else if (tag == (1|V_ASN1_CONTEXT_SPECIFIC)) {
+                M_ASN1_D2I_get_EXP_opt (ret->relativename, d2i_X509_NAME, 1);
+        } else {
+                c.error = ASN1_R_BAD_TAG;
+                goto err;
+        }
+
+        M_ASN1_D2I_Finish(a, DIST_POINT_NAME_free, ASN1_F_D2I_DIST_POINT_NAME);
+}
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_enum.c b/src/lib/libssl/src/crypto/x509v3/v3_enum.c
new file mode 100644
index 0000000000..db423548ff
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509v3/v3_enum.c
@@ -0,0 +1,103 @@
+/* v3_enum.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/x509v3.h>
+
+static ASN1_ENUMERATED *asn1_enumerated_new(void);
+
+static ENUMERATED_NAMES crl_reasons[] = {
+{0, "Unspecified", "unspecified"},
+{1, "Key Compromise", "keyCompromise"},
+{2, "CA Compromise", "CACompromise"},
+{3, "Affiliation Changed", "affiliationChanged"},
+{4, "Superseded", "superseded"},
+{5, "Cessation Of Operation", "cessationOfOperation"},
+{6, "Certificate Hold", "certificateHold"},
+{8, "Remove From CRL", "removeFromCRL"},
+{-1, NULL, NULL}
+};
+
+X509V3_EXT_METHOD v3_crl_reason = { 
+NID_crl_reason, 0,
+(X509V3_EXT_NEW)asn1_enumerated_new,
+(X509V3_EXT_FREE)ASN1_STRING_free,
+(X509V3_EXT_D2I)d2i_ASN1_ENUMERATED,
+(X509V3_EXT_I2D)i2d_ASN1_ENUMERATED,
+(X509V3_EXT_I2S)i2s_ASN1_ENUMERATED_TABLE,
+(X509V3_EXT_S2I)NULL,
+NULL, NULL, NULL, NULL, crl_reasons};
+
+
+static ASN1_ENUMERATED *asn1_enumerated_new(void)
+{
+        return ASN1_ENUMERATED_new();
+}
+
+char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *method,
+             ASN1_ENUMERATED *e)
+{
+        ENUMERATED_NAMES *enam;
+        long strval;
+        strval = ASN1_ENUMERATED_get(e);
+        for(enam = method->usr_data; enam->lname; enam++) {
+                if(strval == enam->bitnum) return BUF_strdup(enam->lname);
+        }
+        return i2s_ASN1_ENUMERATED(method, e);
+}
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_extku.c b/src/lib/libssl/src/crypto/x509v3/v3_extku.c
new file mode 100644
index 0000000000..e039d21cbf
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509v3/v3_extku.c
@@ -0,0 +1,150 @@
+/* v3_extku.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static STACK_OF(ASN1_OBJECT) *v2i_ext_ku(X509V3_EXT_METHOD *method,
+                                X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static STACK_OF(CONF_VALUE) *i2v_ext_ku(X509V3_EXT_METHOD *method,
+                STACK_OF(ASN1_OBJECT) *eku, STACK_OF(CONF_VALUE) *extlist);
+X509V3_EXT_METHOD v3_ext_ku = {
+NID_ext_key_usage, 0,
+(X509V3_EXT_NEW)ext_ku_new,
+(X509V3_EXT_FREE)ext_ku_free,
+(X509V3_EXT_D2I)d2i_ext_ku,
+(X509V3_EXT_I2D)i2d_ext_ku,
+NULL, NULL,
+(X509V3_EXT_I2V)i2v_ext_ku,
+(X509V3_EXT_V2I)v2i_ext_ku,
+NULL,NULL,
+NULL
+};
+
+STACK_OF(ASN1_OBJECT) *ext_ku_new(void)
+{
+        return sk_ASN1_OBJECT_new_null();
+}
+
+void ext_ku_free(STACK_OF(ASN1_OBJECT) *eku)
+{
+        sk_ASN1_OBJECT_pop_free(eku, ASN1_OBJECT_free);
+        return;
+}
+
+int i2d_ext_ku(STACK_OF(ASN1_OBJECT) *a, unsigned char **pp)
+{
+        return i2d_ASN1_SET_OF_ASN1_OBJECT(a, pp, i2d_ASN1_OBJECT,
+                                V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL, IS_SEQUENCE);
+}
+
+STACK_OF(ASN1_OBJECT) *d2i_ext_ku(STACK_OF(ASN1_OBJECT) **a,
+                                        unsigned char **pp, long length)
+{
+        return d2i_ASN1_SET_OF_ASN1_OBJECT(a, pp, length, d2i_ASN1_OBJECT,
+                         ASN1_OBJECT_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
+}
+
+
+
+static STACK_OF(CONF_VALUE) *i2v_ext_ku(X509V3_EXT_METHOD *method,
+                STACK_OF(ASN1_OBJECT) *eku, STACK_OF(CONF_VALUE) *ext_list)
+{
+int i;
+ASN1_OBJECT *obj;
+char obj_tmp[80];
+for(i = 0; i < sk_ASN1_OBJECT_num(eku); i++) {
+        obj = sk_ASN1_OBJECT_value(eku, i);
+        i2t_ASN1_OBJECT(obj_tmp, 80, obj);
+        X509V3_add_value(NULL, obj_tmp, &ext_list);
+}
+return ext_list;
+}
+
+static STACK_OF(ASN1_OBJECT) *v2i_ext_ku(X509V3_EXT_METHOD *method,
+                                X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+{
+STACK_OF(ASN1_OBJECT) *extku;
+char *extval;
+ASN1_OBJECT *objtmp;
+CONF_VALUE *val;
+int i;
+
+if(!(extku = sk_ASN1_OBJECT_new(NULL))) {
+        X509V3err(X509V3_F_V2I_EXT_KU,ERR_R_MALLOC_FAILURE);
+        return NULL;
+}
+
+for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+        val = sk_CONF_VALUE_value(nval, i);
+        if(val->value) extval = val->value;
+        else extval = val->name;
+        if(!(objtmp = OBJ_txt2obj(extval, 0))) {
+                sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
+                X509V3err(X509V3_F_V2I_EXT_KU,X509V3_R_INVALID_OBJECT_IDENTIFIER);
+                X509V3_conf_err(val);
+                return NULL;
+        }
+        sk_ASN1_OBJECT_push(extku, objtmp);
+}
+return extku;
+}
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_genn.c b/src/lib/libssl/src/crypto/x509v3/v3_genn.c
new file mode 100644
index 0000000000..af716232f8
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509v3/v3_genn.c
@@ -0,0 +1,237 @@
+/* v3_genn.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+int i2d_GENERAL_NAME(GENERAL_NAME *a, unsigned char **pp)
+{
+        unsigned char *p;
+        int ret;
+
+        ret = 0;
+
+        /* Save the location of initial TAG */
+        if(pp) p = *pp;
+        else p = NULL;
+
+        /* GEN_DNAME needs special treatment because of EXPLICIT tag */
+
+        if(a->type == GEN_DIRNAME) {
+                int v = 0;
+                M_ASN1_I2D_len_EXP_opt(a->d.dirn, i2d_X509_NAME, 4, v);
+                if(!p) return ret;
+                M_ASN1_I2D_put_EXP_opt(a->d.dirn, i2d_X509_NAME, 4, v);
+                *pp = p;
+                return ret;
+        }
+
+        switch(a->type) {
+
+                case GEN_OTHERNAME:
+                case GEN_X400:
+                case GEN_EDIPARTY:
+                ret = i2d_ASN1_TYPE(a->d.other, pp);
+                break;
+
+                case GEN_EMAIL:
+                case GEN_DNS:
+                case GEN_URI:
+                ret = i2d_ASN1_IA5STRING(a->d.ia5, pp);
+                break;
+
+                case GEN_IPADD:
+                ret = i2d_ASN1_OCTET_STRING(a->d.ip, pp);
+                break;
+        
+                case GEN_RID:
+                ret = i2d_ASN1_OBJECT(a->d.rid, pp);
+                break;
+        }
+        /* Replace TAG with IMPLICIT value */
+        if(p) *p = (*p & V_ASN1_CONSTRUCTED) | a->type;
+        return ret;
+}
+
+GENERAL_NAME *GENERAL_NAME_new()
+{
+        GENERAL_NAME *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, GENERAL_NAME);
+        ret->type = -1;
+        ret->d.ptr = NULL;
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_GENERAL_NAME_NEW);
+}
+
+GENERAL_NAME *d2i_GENERAL_NAME(GENERAL_NAME **a, unsigned char **pp,
+                                                                 long length)
+{
+        unsigned char _tmp;
+        M_ASN1_D2I_vars(a,GENERAL_NAME *,GENERAL_NAME_new);
+        M_ASN1_D2I_Init();
+        c.slen = length;
+
+        _tmp = M_ASN1_next;
+        ret->type = _tmp & ~V_ASN1_CONSTRUCTED;
+
+        switch(ret->type) {
+                /* Just put these in a "blob" for now */
+                case GEN_OTHERNAME:
+                case GEN_X400:
+                case GEN_EDIPARTY:
+                M_ASN1_D2I_get_imp(ret->d.other, d2i_ASN1_TYPE,V_ASN1_SEQUENCE);
+                break;
+
+                case GEN_EMAIL:
+                case GEN_DNS:
+                case GEN_URI:
+                M_ASN1_D2I_get_imp(ret->d.ia5, d2i_ASN1_IA5STRING,
+                                                        V_ASN1_IA5STRING);
+                break;
+
+                case GEN_DIRNAME:
+                M_ASN1_D2I_get_EXP_opt(ret->d.dirn, d2i_X509_NAME, 4);
+                break;
+
+                case GEN_IPADD:
+                M_ASN1_D2I_get_imp(ret->d.ip, d2i_ASN1_OCTET_STRING,
+                                                        V_ASN1_OCTET_STRING);
+                break;
+        
+                case GEN_RID:
+                M_ASN1_D2I_get_imp(ret->d.rid, d2i_ASN1_OBJECT,V_ASN1_OBJECT);
+                break;
+
+                default:
+                c.error = ASN1_R_BAD_TAG;
+                goto err;
+        }
+
+        c.slen = 0;
+        M_ASN1_D2I_Finish(a, GENERAL_NAME_free, ASN1_F_D2I_GENERAL_NAME);
+}
+
+void GENERAL_NAME_free(GENERAL_NAME *a)
+{
+        if (a == NULL) return;
+        switch(a->type) {
+                case GEN_OTHERNAME:
+                case GEN_X400:
+                case GEN_EDIPARTY:
+                ASN1_TYPE_free(a->d.other);
+                break;
+
+                case GEN_EMAIL:
+                case GEN_DNS:
+                case GEN_URI:
+
+                ASN1_IA5STRING_free(a->d.ia5);
+                break;
+
+                case GEN_DIRNAME:
+                X509_NAME_free(a->d.dirn);
+                break;
+
+                case GEN_IPADD:
+                ASN1_OCTET_STRING_free(a->d.ip);
+                break;
+        
+                case GEN_RID:
+                ASN1_OBJECT_free(a->d.rid);
+                break;
+
+        }
+        Free ((char *)a);
+}
+
+/* Now the GeneralNames versions: a SEQUENCE OF GeneralName These are needed as
+ * an explicit functions.
+ */
+
+STACK_OF(GENERAL_NAME) *GENERAL_NAMES_new()
+{
+        return sk_GENERAL_NAME_new(NULL);
+}
+
+void GENERAL_NAMES_free(STACK_OF(GENERAL_NAME) *a)
+{
+        sk_GENERAL_NAME_pop_free(a, GENERAL_NAME_free);
+}
+
+STACK_OF(GENERAL_NAME) *d2i_GENERAL_NAMES(STACK_OF(GENERAL_NAME) **a,
+                                         unsigned char **pp, long length)
+{
+return d2i_ASN1_SET_OF_GENERAL_NAME(a, pp, length, d2i_GENERAL_NAME,
+                         GENERAL_NAME_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
+}
+
+int i2d_GENERAL_NAMES(STACK_OF(GENERAL_NAME) *a, unsigned char **pp)
+{
+return i2d_ASN1_SET_OF_GENERAL_NAME(a, pp, i2d_GENERAL_NAME, V_ASN1_SEQUENCE,
+                                                 V_ASN1_UNIVERSAL, IS_SEQUENCE);
+}
+
+IMPLEMENT_STACK_OF(GENERAL_NAME)
+IMPLEMENT_ASN1_SET_OF(GENERAL_NAME)
+
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_ia5.c b/src/lib/libssl/src/crypto/x509v3/v3_ia5.c
new file mode 100644
index 0000000000..3446c5cd6a
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509v3/v3_ia5.c
@@ -0,0 +1,116 @@
+/* v3_ia5.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static ASN1_IA5STRING *ia5string_new(void);
+static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5);
+static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
+X509V3_EXT_METHOD v3_ns_ia5_list[] = { 
+EXT_IA5STRING(NID_netscape_base_url),
+EXT_IA5STRING(NID_netscape_revocation_url),
+EXT_IA5STRING(NID_netscape_ca_revocation_url),
+EXT_IA5STRING(NID_netscape_renewal_url),
+EXT_IA5STRING(NID_netscape_ca_policy_url),
+EXT_IA5STRING(NID_netscape_ssl_server_name),
+EXT_IA5STRING(NID_netscape_comment),
+EXT_END
+};
+
+
+static ASN1_IA5STRING *ia5string_new(void)
+{
+        return ASN1_IA5STRING_new();
+}
+
+static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
+             ASN1_IA5STRING *ia5)
+{
+        char *tmp;
+        if(!ia5 || !ia5->length) return NULL;
+        tmp = Malloc(ia5->length + 1);
+        memcpy(tmp, ia5->data, ia5->length);
+        tmp[ia5->length] = 0;
+        return tmp;
+}
+
+static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
+             X509V3_CTX *ctx, char *str)
+{
+        ASN1_IA5STRING *ia5;
+        if(!str) {
+                X509V3err(X509V3_F_S2I_ASN1_IA5STRING,X509V3_R_INVALID_NULL_ARGUMENT);
+                return NULL;
+        }
+        if(!(ia5 = ASN1_IA5STRING_new())) goto err;
+        if(!ASN1_STRING_set((ASN1_STRING *)ia5, (unsigned char*)str,
+                            strlen(str))) {
+                ASN1_IA5STRING_free(ia5);
+                goto err;
+        }
+        return ia5;
+        err:
+        X509V3err(X509V3_F_S2I_ASN1_IA5STRING,ERR_R_MALLOC_FAILURE);
+        return NULL;
+}
+
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_info.c b/src/lib/libssl/src/crypto/x509v3/v3_info.c
new file mode 100644
index 0000000000..78d2135046
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509v3/v3_info.c
@@ -0,0 +1,236 @@
+/* v3_info.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509v3.h>
+
+static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
+                                STACK_OF(ACCESS_DESCRIPTION) *ainfo,
+                                                STACK_OF(CONF_VALUE) *ret);
+static STACK_OF(ACCESS_DESCRIPTION) *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
+                                 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+
+X509V3_EXT_METHOD v3_info =
+{ NID_info_access, X509V3_EXT_MULTILINE,
+(X509V3_EXT_NEW)AUTHORITY_INFO_ACCESS_new,
+(X509V3_EXT_FREE)AUTHORITY_INFO_ACCESS_free,
+(X509V3_EXT_D2I)d2i_AUTHORITY_INFO_ACCESS,
+(X509V3_EXT_I2D)i2d_AUTHORITY_INFO_ACCESS,
+NULL, NULL,
+(X509V3_EXT_I2V)i2v_AUTHORITY_INFO_ACCESS,
+(X509V3_EXT_V2I)v2i_AUTHORITY_INFO_ACCESS,
+NULL, NULL, NULL};
+
+static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
+                                STACK_OF(ACCESS_DESCRIPTION) *ainfo,
+                                                STACK_OF(CONF_VALUE) *ret)
+{
+        ACCESS_DESCRIPTION *desc;
+        int i;
+        char objtmp[80], *ntmp;
+        CONF_VALUE *vtmp;
+        for(i = 0; i < sk_ACCESS_DESCRIPTION_num(ainfo); i++) {
+                desc = sk_ACCESS_DESCRIPTION_value(ainfo, i);
+                ret = i2v_GENERAL_NAME(method, desc->location, ret);
+                if(!ret) break;
+                vtmp = sk_CONF_VALUE_value(ret, i);
+                i2t_ASN1_OBJECT(objtmp, 80, desc->method);
+                ntmp = Malloc(strlen(objtmp) + strlen(vtmp->name) + 5);
+                if(!ntmp) {
+                        X509V3err(X509V3_F_I2V_AUTHORITY_INFO_ACCESS,
+                                        ERR_R_MALLOC_FAILURE);
+                        return NULL;
+                }
+                strcpy(ntmp, objtmp);
+                strcat(ntmp, " - ");
+                strcat(ntmp, vtmp->name);
+                Free(vtmp->name);
+                vtmp->name = ntmp;
+                
+        }
+        if(!ret) return sk_CONF_VALUE_new_null();
+        return ret;
+}
+
+static STACK_OF(ACCESS_DESCRIPTION) *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
+                                 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+{
+        STACK_OF(ACCESS_DESCRIPTION) *ainfo = NULL;
+        CONF_VALUE *cnf, ctmp;
+        ACCESS_DESCRIPTION *acc;
+        int i, objlen;
+        char *objtmp, *ptmp;
+        if(!(ainfo = sk_ACCESS_DESCRIPTION_new(NULL))) {
+                X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+                cnf = sk_CONF_VALUE_value(nval, i);
+                if(!(acc = ACCESS_DESCRIPTION_new())
+                        || !sk_ACCESS_DESCRIPTION_push(ainfo, acc)) {
+                        X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
+                ptmp = strchr(cnf->name, ';');
+                if(!ptmp) {
+                        X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,X509V3_R_INVALID_SYNTAX);
+                        goto err;
+                }
+                objlen = ptmp - cnf->name;
+                ctmp.name = ptmp + 1;
+                ctmp.value = cnf->value;
+                if(!(acc->location = v2i_GENERAL_NAME(method, ctx, &ctmp)))
+                                                                 goto err; 
+                if(!(objtmp = Malloc(objlen + 1))) {
+                        X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
+                strncpy(objtmp, cnf->name, objlen);
+                objtmp[objlen] = 0;
+                acc->method = OBJ_txt2obj(objtmp, 0);
+                if(!acc->method) {
+                        X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,X509V3_R_BAD_OBJECT);
+                        ERR_add_error_data(2, "value=", objtmp);
+                        Free(objtmp);
+                        goto err;
+                }
+                Free(objtmp);
+
+        }
+        return ainfo;
+        err:
+        sk_ACCESS_DESCRIPTION_pop_free(ainfo, ACCESS_DESCRIPTION_free);
+        return NULL;
+}
+
+int i2d_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION *a, unsigned char **pp)
+{
+        M_ASN1_I2D_vars(a);
+
+        M_ASN1_I2D_len(a->method, i2d_ASN1_OBJECT);
+        M_ASN1_I2D_len(a->location, i2d_GENERAL_NAME);
+
+        M_ASN1_I2D_seq_total();
+
+        M_ASN1_I2D_put(a->method, i2d_ASN1_OBJECT);
+        M_ASN1_I2D_put(a->location, i2d_GENERAL_NAME);
+
+        M_ASN1_I2D_finish();
+}
+
+ACCESS_DESCRIPTION *ACCESS_DESCRIPTION_new(void)
+{
+        ACCESS_DESCRIPTION *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, ACCESS_DESCRIPTION);
+        ret->method = OBJ_nid2obj(NID_undef);
+        ret->location = NULL;
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_ACCESS_DESCRIPTION_NEW);
+}
+
+ACCESS_DESCRIPTION *d2i_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION **a, unsigned char **pp,
+             long length)
+{
+        M_ASN1_D2I_vars(a,ACCESS_DESCRIPTION *,ACCESS_DESCRIPTION_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get(ret->method, d2i_ASN1_OBJECT);
+        M_ASN1_D2I_get(ret->location, d2i_GENERAL_NAME);
+        M_ASN1_D2I_Finish(a, ACCESS_DESCRIPTION_free, ASN1_F_D2I_ACCESS_DESCRIPTION);
+}
+
+void ACCESS_DESCRIPTION_free(ACCESS_DESCRIPTION *a)
+{
+        if (a == NULL) return;
+        ASN1_OBJECT_free(a->method);
+        GENERAL_NAME_free(a->location);
+        Free (a);
+}
+
+STACK_OF(ACCESS_DESCRIPTION) *AUTHORITY_INFO_ACCESS_new(void)
+{
+        return sk_ACCESS_DESCRIPTION_new(NULL);
+}
+
+void AUTHORITY_INFO_ACCESS_free(STACK_OF(ACCESS_DESCRIPTION) *a)
+{
+        sk_ACCESS_DESCRIPTION_pop_free(a, ACCESS_DESCRIPTION_free);
+}
+
+STACK_OF(ACCESS_DESCRIPTION) *d2i_AUTHORITY_INFO_ACCESS(STACK_OF(ACCESS_DESCRIPTION) **a,
+                                         unsigned char **pp, long length)
+{
+return d2i_ASN1_SET_OF_ACCESS_DESCRIPTION(a, pp, length, d2i_ACCESS_DESCRIPTION,
+                         ACCESS_DESCRIPTION_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
+}
+
+int i2d_AUTHORITY_INFO_ACCESS(STACK_OF(ACCESS_DESCRIPTION) *a, unsigned char **pp)
+{
+return i2d_ASN1_SET_OF_ACCESS_DESCRIPTION(a, pp, i2d_ACCESS_DESCRIPTION, V_ASN1_SEQUENCE,
+                                                 V_ASN1_UNIVERSAL, IS_SEQUENCE);
+}
+
+IMPLEMENT_STACK_OF(ACCESS_DESCRIPTION)
+IMPLEMENT_ASN1_SET_OF(ACCESS_DESCRIPTION)
+
+
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_int.c b/src/lib/libssl/src/crypto/x509v3/v3_int.c
new file mode 100644
index 0000000000..637dd5e128
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509v3/v3_int.c
@@ -0,0 +1,79 @@
+/* v3_int.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/x509v3.h>
+
+static ASN1_INTEGER *asn1_integer_new(void);
+
+X509V3_EXT_METHOD v3_crl_num = { 
+NID_crl_number, 0,
+(X509V3_EXT_NEW)asn1_integer_new,
+(X509V3_EXT_FREE)ASN1_STRING_free,
+(X509V3_EXT_D2I)d2i_ASN1_INTEGER,
+(X509V3_EXT_I2D)i2d_ASN1_INTEGER,
+(X509V3_EXT_I2S)i2s_ASN1_INTEGER,
+(X509V3_EXT_S2I)NULL,
+NULL, NULL, NULL, NULL, NULL};
+
+
+static ASN1_INTEGER *asn1_integer_new(void)
+{
+        return ASN1_INTEGER_new();
+}
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_lib.c b/src/lib/libssl/src/crypto/x509v3/v3_lib.c
new file mode 100644
index 0000000000..a0aa5de794
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509v3/v3_lib.c
@@ -0,0 +1,177 @@
+/* v3_lib.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* X509 v3 extension utilities */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static STACK *ext_list = NULL;
+
+static int ext_cmp(X509V3_EXT_METHOD **a, X509V3_EXT_METHOD **b);
+static void ext_list_free(X509V3_EXT_METHOD *ext);
+
+int X509V3_EXT_add(X509V3_EXT_METHOD *ext)
+{
+        if(!ext_list && !(ext_list = sk_new(ext_cmp))) {
+                X509V3err(X509V3_F_X509V3_EXT_ADD,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        if(!sk_push(ext_list, (char *)ext)) {
+                X509V3err(X509V3_F_X509V3_EXT_ADD,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        return 1;
+}
+
+static int ext_cmp(X509V3_EXT_METHOD **a, X509V3_EXT_METHOD **b)
+{
+        return ((*a)->ext_nid - (*b)->ext_nid);
+}
+
+X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid)
+{
+        X509V3_EXT_METHOD tmp;
+        int idx;
+        tmp.ext_nid = nid;
+        if(!ext_list || (tmp.ext_nid < 0) ) return NULL;
+        idx = sk_find(ext_list, (char *)&tmp);
+        if(idx == -1) return NULL;
+        return (X509V3_EXT_METHOD *)sk_value(ext_list, idx);
+}
+
+X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext)
+{
+        int nid;
+        if((nid = OBJ_obj2nid(ext->object)) == NID_undef) return NULL;
+        return X509V3_EXT_get_nid(nid);
+}
+
+
+int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist)
+{
+        for(;extlist->ext_nid!=-1;extlist++) 
+                        if(!X509V3_EXT_add(extlist)) return 0;
+        return 1;
+}
+
+int X509V3_EXT_add_alias(int nid_to, int nid_from)
+{
+        X509V3_EXT_METHOD *ext, *tmpext;
+        if(!(ext = X509V3_EXT_get_nid(nid_from))) {
+                X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS,X509V3_R_EXTENSION_NOT_FOUND);
+                return 0;
+        }
+        if(!(tmpext = (X509V3_EXT_METHOD *)Malloc(sizeof(X509V3_EXT_METHOD)))) {
+                X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        *tmpext = *ext;
+        tmpext->ext_nid = nid_to;
+        tmpext->ext_flags |= X509V3_EXT_DYNAMIC;
+        return 1;
+}
+
+void X509V3_EXT_cleanup(void)
+{
+        sk_pop_free(ext_list, ext_list_free);
+        ext_list = NULL;
+}
+
+static void ext_list_free(X509V3_EXT_METHOD *ext)
+{
+        if(ext->ext_flags & X509V3_EXT_DYNAMIC) Free(ext);
+}
+
+extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
+extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet;
+extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
+
+extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_cpols, v3_crld;
+
+int X509V3_add_standard_extensions(void)
+{
+        X509V3_EXT_add_list(v3_ns_ia5_list);
+        X509V3_EXT_add_list(v3_alt);
+        X509V3_EXT_add(&v3_bcons);
+        X509V3_EXT_add(&v3_nscert);
+        X509V3_EXT_add(&v3_key_usage);
+        X509V3_EXT_add(&v3_ext_ku);
+        X509V3_EXT_add(&v3_skey_id);
+        X509V3_EXT_add(&v3_akey_id);
+        X509V3_EXT_add(&v3_pkey_usage_period);
+        X509V3_EXT_add(&v3_crl_num);
+        X509V3_EXT_add(&v3_sxnet);
+        X509V3_EXT_add(&v3_crl_reason);
+        X509V3_EXT_add(&v3_cpols);
+        X509V3_EXT_add(&v3_crld);
+        return 1;
+}
+
+/* Return an extension internal structure */
+
+void *X509V3_EXT_d2i(X509_EXTENSION *ext)
+{
+        X509V3_EXT_METHOD *method;
+        unsigned char *p;
+        if(!(method = X509V3_EXT_get(ext)) || !method->d2i) return NULL;
+        p = ext->value->data;
+        return method->d2i(NULL, &p, ext->value->length);
+}
+
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_ocsp.c b/src/lib/libssl/src/crypto/x509v3/v3_ocsp.c
new file mode 100644
index 0000000000..083112314e
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509v3/v3_ocsp.c
@@ -0,0 +1,272 @@
+/* v3_ocsp.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/asn1.h>
+#include <openssl/ocsp.h>
+#include <openssl/x509v3.h>
+
+/* OCSP extensions and a couple of CRL entry extensions
+ */
+
+static int i2r_ocsp_crlid(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent);
+static int i2r_ocsp_acutoff(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent);
+static int i2r_object(X509V3_EXT_METHOD *method, void *obj, BIO *out, int indent);
+
+static void *ocsp_nonce_new(void);
+static int i2d_ocsp_nonce(void *a, unsigned char **pp);
+static void *d2i_ocsp_nonce(void *a, unsigned char **pp, long length);
+static void ocsp_nonce_free(void *a);
+static int i2r_ocsp_nonce(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent);
+
+static int i2r_ocsp_nocheck(X509V3_EXT_METHOD *method, void *nocheck, BIO *out, int indent);
+static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
+static int i2r_ocsp_serviceloc(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind);
+
+X509V3_EXT_METHOD v3_ocsp_crlid = {
+        NID_id_pkix_OCSP_CrlID, 0, ASN1_ITEM_ref(OCSP_CRLID),
+        0,0,0,0,
+        0,0,
+        0,0,
+        i2r_ocsp_crlid,0,
+        NULL
+};
+
+X509V3_EXT_METHOD v3_ocsp_acutoff = {
+        NID_id_pkix_OCSP_archiveCutoff, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
+        0,0,0,0,
+        0,0,
+        0,0,
+        i2r_ocsp_acutoff,0,
+        NULL
+};
+
+X509V3_EXT_METHOD v3_crl_invdate = {
+        NID_invalidity_date, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
+        0,0,0,0,
+        0,0,
+        0,0,
+        i2r_ocsp_acutoff,0,
+        NULL
+};
+
+X509V3_EXT_METHOD v3_crl_hold = {
+        NID_hold_instruction_code, 0, ASN1_ITEM_ref(ASN1_OBJECT),
+        0,0,0,0,
+        0,0,
+        0,0,
+        i2r_object,0,
+        NULL
+};
+
+X509V3_EXT_METHOD v3_ocsp_nonce = {
+        NID_id_pkix_OCSP_Nonce, 0, NULL,
+        ocsp_nonce_new,
+        ocsp_nonce_free,
+        d2i_ocsp_nonce,
+        i2d_ocsp_nonce,
+        0,0,
+        0,0,
+        i2r_ocsp_nonce,0,
+        NULL
+};
+
+X509V3_EXT_METHOD v3_ocsp_nocheck = {
+        NID_id_pkix_OCSP_noCheck, 0, ASN1_ITEM_ref(ASN1_NULL),
+        0,0,0,0,
+        0,s2i_ocsp_nocheck,
+        0,0,
+        i2r_ocsp_nocheck,0,
+        NULL
+};
+
+X509V3_EXT_METHOD v3_ocsp_serviceloc = {
+        NID_id_pkix_OCSP_serviceLocator, 0, ASN1_ITEM_ref(OCSP_SERVICELOC),
+        0,0,0,0,
+        0,0,
+        0,0,
+        i2r_ocsp_serviceloc,0,
+        NULL
+};
+
+static int i2r_ocsp_crlid(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
+{
+        OCSP_CRLID *a = in;
+        if (a->crlUrl)
+                {
+                if (!BIO_printf(bp, "%*scrlUrl: ", ind, "")) goto err;
+                if (!ASN1_STRING_print(bp, (ASN1_STRING*)a->crlUrl)) goto err;
+                if (!BIO_write(bp, "\n", 1)) goto err;
+                }
+        if (a->crlNum)
+                {
+                if (!BIO_printf(bp, "%*scrlNum: ", ind, "")) goto err;
+                if (!i2a_ASN1_INTEGER(bp, a->crlNum)) goto err;
+                if (!BIO_write(bp, "\n", 1)) goto err;
+                }
+        if (a->crlTime)
+                {
+                if (!BIO_printf(bp, "%*scrlTime: ", ind, "")) goto err;
+                if (!ASN1_GENERALIZEDTIME_print(bp, a->crlTime)) goto err;
+                if (!BIO_write(bp, "\n", 1)) goto err;
+                }
+        return 1;
+        err:
+        return 0;
+}
+
+static int i2r_ocsp_acutoff(X509V3_EXT_METHOD *method, void *cutoff, BIO *bp, int ind)
+{
+        if (!BIO_printf(bp, "%*s", ind, "")) return 0;
+        if(!ASN1_GENERALIZEDTIME_print(bp, cutoff)) return 0;
+        return 1;
+}
+
+
+static int i2r_object(X509V3_EXT_METHOD *method, void *oid, BIO *bp, int ind)
+{
+        if (!BIO_printf(bp, "%*s", ind, "")) return 0;
+        if(!i2a_ASN1_OBJECT(bp, oid)) return 0;
+        return 1;
+}
+
+/* OCSP nonce. This is needs special treatment because it doesn't have
+ * an ASN1 encoding at all: it just contains arbitrary data.
+ */
+
+static void *ocsp_nonce_new(void)
+{
+        return ASN1_OCTET_STRING_new();
+}
+
+static int i2d_ocsp_nonce(void *a, unsigned char **pp)
+{
+        ASN1_OCTET_STRING *os = a;
+        if(pp) {
+                memcpy(*pp, os->data, os->length);
+                *pp += os->length;
+        }
+        return os->length;
+}
+
+static void *d2i_ocsp_nonce(void *a, unsigned char **pp, long length)
+{
+        ASN1_OCTET_STRING *os, **pos;
+        pos = a;
+        if(!pos || !*pos) os = ASN1_OCTET_STRING_new();
+        else os = *pos;
+        if(!ASN1_OCTET_STRING_set(os, *pp, length)) goto err;
+
+        *pp += length;
+
+        if(pos) *pos = os;
+        return os;
+
+        err:
+        if(os && (!pos || (*pos != os))) M_ASN1_OCTET_STRING_free(os);
+        OCSPerr(OCSP_F_D2I_OCSP_NONCE, ERR_R_MALLOC_FAILURE);
+        return NULL;
+}
+
+static void ocsp_nonce_free(void *a)
+{
+        M_ASN1_OCTET_STRING_free(a);
+}
+
+static int i2r_ocsp_nonce(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent)
+{
+        if(BIO_printf(out, "%*s", indent, "") <= 0) return 0;
+        if(i2a_ASN1_STRING(out, nonce, V_ASN1_OCTET_STRING) <= 0) return 0;
+        return 1;
+}
+
+/* Nocheck is just a single NULL. Don't print anything and always set it */
+
+static int i2r_ocsp_nocheck(X509V3_EXT_METHOD *method, void *nocheck, BIO *out, int indent)
+{
+        return 1;
+}
+
+static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str)
+{
+        return ASN1_NULL_new();
+}
+
+static int i2r_ocsp_serviceloc(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
+        {
+        int i;
+        OCSP_SERVICELOC *a = in;
+        ACCESS_DESCRIPTION *ad;
+
+        if (BIO_printf(bp, "%*sIssuer: ", ind, "") <= 0) goto err;
+        if (X509_NAME_print_ex(bp, a->issuer, 0, XN_FLAG_ONELINE) <= 0) goto err;
+        for (i = 0; i < sk_ACCESS_DESCRIPTION_num(a->locator); i++)
+                {
+                                ad = sk_ACCESS_DESCRIPTION_value(a->locator,i);
+                                if (BIO_printf(bp, "\n%*s", (2*ind), "") <= 0) 
+                                        goto err;
+                                if(i2a_ASN1_OBJECT(bp, ad->method) <= 0) goto err;
+                                if(BIO_puts(bp, " - ") <= 0) goto err;
+                                if(GENERAL_NAME_print(bp, ad->location) <= 0) goto err;
+                }
+        return 1;
+err:
+        return 0;
+        }
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_pku.c b/src/lib/libssl/src/crypto/x509v3/v3_pku.c
new file mode 100644
index 0000000000..c13e7d8f45
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509v3/v3_pku.c
@@ -0,0 +1,151 @@
+/* v3_pku.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509v3.h>
+
+static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *usage, BIO *out, int indent);
+/*
+static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
+*/
+X509V3_EXT_METHOD v3_pkey_usage_period = {
+NID_private_key_usage_period, 0,
+(X509V3_EXT_NEW)PKEY_USAGE_PERIOD_new,
+(X509V3_EXT_FREE)PKEY_USAGE_PERIOD_free,
+(X509V3_EXT_D2I)d2i_PKEY_USAGE_PERIOD,
+(X509V3_EXT_I2D)i2d_PKEY_USAGE_PERIOD,
+NULL, NULL, NULL, NULL,
+(X509V3_EXT_I2R)i2r_PKEY_USAGE_PERIOD, NULL,
+NULL
+};
+
+int i2d_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD *a, unsigned char **pp)
+{
+        M_ASN1_I2D_vars(a);
+
+        M_ASN1_I2D_len_IMP_opt (a->notBefore, i2d_ASN1_GENERALIZEDTIME);
+        M_ASN1_I2D_len_IMP_opt (a->notAfter, i2d_ASN1_GENERALIZEDTIME);
+
+        M_ASN1_I2D_seq_total();
+
+        M_ASN1_I2D_put_IMP_opt (a->notBefore, i2d_ASN1_GENERALIZEDTIME, 0);
+        M_ASN1_I2D_put_IMP_opt (a->notAfter, i2d_ASN1_GENERALIZEDTIME, 1);
+
+        M_ASN1_I2D_finish();
+}
+
+PKEY_USAGE_PERIOD *PKEY_USAGE_PERIOD_new(void)
+{
+        PKEY_USAGE_PERIOD *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, PKEY_USAGE_PERIOD);
+        ret->notBefore = NULL;
+        ret->notAfter = NULL;
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_PKEY_USAGE_PERIOD_NEW);
+}
+
+PKEY_USAGE_PERIOD *d2i_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD **a,
+             unsigned char **pp, long length)
+{
+        M_ASN1_D2I_vars(a,PKEY_USAGE_PERIOD *,PKEY_USAGE_PERIOD_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get_IMP_opt (ret->notBefore, d2i_ASN1_GENERALIZEDTIME, 0,
+                                                        V_ASN1_GENERALIZEDTIME);
+        M_ASN1_D2I_get_IMP_opt (ret->notAfter, d2i_ASN1_GENERALIZEDTIME, 1,
+                                                        V_ASN1_GENERALIZEDTIME);
+        M_ASN1_D2I_Finish(a, PKEY_USAGE_PERIOD_free, ASN1_F_D2I_PKEY_USAGE_PERIOD);
+}
+
+void PKEY_USAGE_PERIOD_free(PKEY_USAGE_PERIOD *a)
+{
+        if (a == NULL) return;
+        ASN1_GENERALIZEDTIME_free(a->notBefore);
+        ASN1_GENERALIZEDTIME_free(a->notAfter);
+        Free ((char *)a);
+}
+
+static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method,
+             PKEY_USAGE_PERIOD *usage, BIO *out, int indent)
+{
+        BIO_printf(out, "%*s", indent, "");
+        if(usage->notBefore) {
+                BIO_write(out, "Not Before: ", 12);
+                ASN1_GENERALIZEDTIME_print(out, usage->notBefore);
+                if(usage->notAfter) BIO_write(out, ", ", 2);
+        }
+        if(usage->notAfter) {
+                BIO_write(out, "Not After: ", 11);
+                ASN1_GENERALIZEDTIME_print(out, usage->notAfter);
+        }
+        return 1;
+}
+
+/*
+static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(method, ctx, values)
+X509V3_EXT_METHOD *method;
+X509V3_CTX *ctx;
+STACK_OF(CONF_VALUE) *values;
+{
+return NULL;
+}
+*/
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_prn.c b/src/lib/libssl/src/crypto/x509v3/v3_prn.c
new file mode 100644
index 0000000000..dc20c6bdba
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509v3/v3_prn.c
@@ -0,0 +1,135 @@
+/* v3_prn.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* X509 v3 extension utilities */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+/* Extension printing routines */
+
+/* Print out a name+value stack */
+
+void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml)
+{
+        int i;
+        CONF_VALUE *nval;
+        if(!val) return;
+        if(!ml || !sk_CONF_VALUE_num(val)) {
+                BIO_printf(out, "%*s", indent, "");
+                if(!sk_CONF_VALUE_num(val)) BIO_puts(out, "<EMPTY>\n");
+        }
+        for(i = 0; i < sk_CONF_VALUE_num(val); i++) {
+                if(ml) BIO_printf(out, "%*s", indent, "");
+                else if(i > 0) BIO_printf(out, ", ");
+                nval = sk_CONF_VALUE_value(val, i);
+                if(!nval->name) BIO_puts(out, nval->value);
+                else if(!nval->value) BIO_puts(out, nval->name);
+                else BIO_printf(out, "%s:%s", nval->name, nval->value);
+                if(ml) BIO_puts(out, "\n");
+        }
+}
+
+/* Main routine: print out a general extension */
+
+int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, int flag, int indent)
+{
+        char *ext_str = NULL, *value = NULL;
+        unsigned char *p;
+        X509V3_EXT_METHOD *method;      
+        STACK_OF(CONF_VALUE) *nval = NULL;
+        int ok = 1;
+        if(!(method = X509V3_EXT_get(ext))) return 0;
+        p = ext->value->data;
+        if(!(ext_str = method->d2i(NULL, &p, ext->value->length))) return 0;
+        if(method->i2s) {
+                if(!(value = method->i2s(method, ext_str))) {
+                        ok = 0;
+                        goto err;
+                }
+                BIO_printf(out, "%*s%s", indent, "", value);
+        } else if(method->i2v) {
+                if(!(nval = method->i2v(method, ext_str, NULL))) {
+                        ok = 0;
+                        goto err;
+                }
+                X509V3_EXT_val_prn(out, nval, indent,
+                                 method->ext_flags & X509V3_EXT_MULTILINE);
+        } else if(method->i2r) {
+                if(!method->i2r(method, ext_str, out, indent)) ok = 0;
+        } else ok = 0;
+
+        err:
+                sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
+                if(value) Free(value);
+                method->ext_free(ext_str);
+                return ok;
+}
+
+#ifndef NO_FP_API
+int X509V3_EXT_print_fp(FILE *fp, X509_EXTENSION *ext, int flag, int indent)
+{
+        BIO *bio_tmp;
+        int ret;
+        if(!(bio_tmp = BIO_new_fp(fp, BIO_NOCLOSE))) return 0;
+        ret = X509V3_EXT_print(bio_tmp, ext, flag, indent);
+        BIO_free(bio_tmp);
+        return ret;
+}
+#endif
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_purp.c b/src/lib/libssl/src/crypto/x509v3/v3_purp.c
new file mode 100644
index 0000000000..b7494ebcd5
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509v3/v3_purp.c
@@ -0,0 +1,456 @@
+/* v3_purp.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/x509v3.h>
+
+
+static void x509v3_cache_extensions(X509 *x);
+
+static int ca_check(X509 *x);
+static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca);
+static int check_purpose_ssl_server(X509_PURPOSE *xp, X509 *x, int ca);
+static int check_purpose_ns_ssl_server(X509_PURPOSE *xp, X509 *x, int ca);
+static int purpose_smime(X509 *x, int ca);
+static int check_purpose_smime_sign(X509_PURPOSE *xp, X509 *x, int ca);
+static int check_purpose_smime_encrypt(X509_PURPOSE *xp, X509 *x, int ca);
+static int check_purpose_crl_sign(X509_PURPOSE *xp, X509 *x, int ca);
+
+static int xp_cmp(X509_PURPOSE **a, X509_PURPOSE **b);
+static void xptable_free(X509_PURPOSE *p);
+
+static X509_PURPOSE xstandard[] = {
+        {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, check_purpose_ssl_client, "SSL client", "sslclient", NULL},
+        {X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ssl_server, "SSL server", "sslserver", NULL},
+        {X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ns_ssl_server, "Netscape SSL server", "nssslserver", NULL},
+        {X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, "S/MIME signing", "smimesign", NULL},
+        {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
+        {X509_PURPOSE_CRL_SIGN, X509_TRUST_ANY, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
+};
+
+#define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE))
+
+IMPLEMENT_STACK_OF(X509_PURPOSE)
+
+static STACK_OF(X509_PURPOSE) *xptable = NULL;
+
+static int xp_cmp(X509_PURPOSE **a, X509_PURPOSE **b)
+{
+        return (*a)->purpose - (*b)->purpose;
+}
+
+int X509_check_purpose(X509 *x, int id, int ca)
+{
+        int idx;
+        X509_PURPOSE *pt;
+        if(!(x->ex_flags & EXFLAG_SET)) {
+                CRYPTO_w_lock(CRYPTO_LOCK_X509);
+                x509v3_cache_extensions(x);
+                CRYPTO_w_unlock(CRYPTO_LOCK_X509);
+        }
+        if(id == -1) return 1;
+        idx = X509_PURPOSE_get_by_id(id);
+        if(idx == -1) return -1;
+        pt = X509_PURPOSE_get0(idx);
+        return pt->check_purpose(pt, x, ca);
+}
+
+int X509_PURPOSE_get_count(void)
+{
+        if(!xptable) return X509_PURPOSE_COUNT;
+        return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT;
+}
+
+X509_PURPOSE * X509_PURPOSE_get0(int idx)
+{
+        if(idx < 0) return NULL;
+        if(idx < X509_PURPOSE_COUNT) return xstandard + idx;
+        return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
+}
+
+int X509_PURPOSE_get_by_sname(char *sname)
+{
+        int i;
+        X509_PURPOSE *xptmp;
+        for(i = 0; i < X509_PURPOSE_get_count(); i++) {
+                xptmp = X509_PURPOSE_get0(i);
+                if(!strcmp(xptmp->sname, sname)) return i;
+        }
+        return -1;
+}
+
+
+int X509_PURPOSE_get_by_id(int purpose)
+{
+        X509_PURPOSE tmp;
+        int idx;
+        if((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))
+                return purpose - X509_PURPOSE_MIN;
+        tmp.purpose = purpose;
+        if(!xptable) return -1;
+        idx = sk_X509_PURPOSE_find(xptable, &tmp);
+        if(idx == -1) return -1;
+        return idx + X509_PURPOSE_COUNT;
+}
+
+int X509_PURPOSE_add(int id, int trust, int flags,
+                        int (*ck)(X509_PURPOSE *, X509 *, int),
+                                        char *name, char *sname, void *arg)
+{
+        int idx;
+        X509_PURPOSE *ptmp;
+        /* This is set according to what we change: application can't set it */
+        flags &= ~X509_PURPOSE_DYNAMIC;
+        /* This will always be set for application modified trust entries */
+        flags |= X509_PURPOSE_DYNAMIC_NAME;
+        /* Get existing entry if any */
+        idx = X509_PURPOSE_get_by_id(id);
+        /* Need a new entry */
+        if(idx == -1) {
+                if(!(ptmp = Malloc(sizeof(X509_PURPOSE)))) {
+                        X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+                ptmp->flags = X509_PURPOSE_DYNAMIC;
+        } else ptmp = X509_PURPOSE_get0(idx);
+
+        /* Free existing name if dynamic */
+        if(ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
+                Free(ptmp->name);
+                Free(ptmp->sname);
+        }
+        /* dup supplied name */
+        ptmp->name = BUF_strdup(name);
+        ptmp->sname = BUF_strdup(sname);
+        if(!ptmp->name || !ptmp->sname) {
+                X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        /* Keep the dynamic flag of existing entry */
+        ptmp->flags &= X509_PURPOSE_DYNAMIC;
+        /* Set all other flags */
+        ptmp->flags |= flags;
+
+        ptmp->purpose = id;
+        ptmp->trust = trust;
+        ptmp->check_purpose = ck;
+        ptmp->usr_data = arg;
+
+        /* If its a new entry manage the dynamic table */
+        if(idx == -1) {
+                if(!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) {
+                        X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+                if (!sk_X509_PURPOSE_push(xptable, ptmp)) {
+                        X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+        }
+        return 1;
+}
+
+static void xptable_free(X509_PURPOSE *p)
+        {
+        if(!p) return;
+        if (p->flags & X509_PURPOSE_DYNAMIC) 
+                {
+                if (p->flags & X509_PURPOSE_DYNAMIC_NAME) {
+                        Free(p->name);
+                        Free(p->sname);
+                }
+                Free(p);
+                }
+        }
+
+void X509_PURPOSE_cleanup(void)
+{
+        int i;
+        sk_X509_PURPOSE_pop_free(xptable, xptable_free);
+        for(i = 0; i < X509_PURPOSE_COUNT; i++) xptable_free(xstandard + i);
+        xptable = NULL;
+}
+
+int X509_PURPOSE_get_id(X509_PURPOSE *xp)
+{
+        return xp->purpose;
+}
+
+char *X509_PURPOSE_get0_name(X509_PURPOSE *xp)
+{
+        return xp->name;
+}
+
+char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp)
+{
+        return xp->sname;
+}
+
+int X509_PURPOSE_get_trust(X509_PURPOSE *xp)
+{
+        return xp->trust;
+}
+
+#ifndef NO_SHA
+static void x509v3_cache_extensions(X509 *x)
+{
+        BASIC_CONSTRAINTS *bs;
+        ASN1_BIT_STRING *usage;
+        ASN1_BIT_STRING *ns;
+        STACK_OF(ASN1_OBJECT) *extusage;
+        int i;
+        if(x->ex_flags & EXFLAG_SET) return;
+        X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
+        /* Does subject name match issuer ? */
+        if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
+                         x->ex_flags |= EXFLAG_SS;
+        /* V1 should mean no extensions ... */
+        if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
+        /* Handle basic constraints */
+        if((bs=X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {
+                if(bs->ca) x->ex_flags |= EXFLAG_CA;
+                if(bs->pathlen) {
+                        if((bs->pathlen->type == V_ASN1_NEG_INTEGER)
+                                                || !bs->ca) {
+                                x->ex_flags |= EXFLAG_INVALID;
+                                x->ex_pathlen = 0;
+                        } else x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
+                } else x->ex_pathlen = -1;
+                BASIC_CONSTRAINTS_free(bs);
+                x->ex_flags |= EXFLAG_BCONS;
+        }
+        /* Handle key usage */
+        if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
+                if(usage->length > 0) {
+                        x->ex_kusage = usage->data[0];
+                        if(usage->length > 1) 
+                                x->ex_kusage |= usage->data[1] << 8;
+                } else x->ex_kusage = 0;
+                x->ex_flags |= EXFLAG_KUSAGE;
+                ASN1_BIT_STRING_free(usage);
+        }
+        x->ex_xkusage = 0;
+        if((extusage=X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) {
+                x->ex_flags |= EXFLAG_XKUSAGE;
+                for(i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
+                        switch(OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage,i))) {
+                                case NID_server_auth:
+                                x->ex_xkusage |= XKU_SSL_SERVER;
+                                break;
+
+                                case NID_client_auth:
+                                x->ex_xkusage |= XKU_SSL_CLIENT;
+                                break;
+
+                                case NID_email_protect:
+                                x->ex_xkusage |= XKU_SMIME;
+                                break;
+
+                                case NID_code_sign:
+                                x->ex_xkusage |= XKU_CODE_SIGN;
+                                break;
+
+                                case NID_ms_sgc:
+                                case NID_ns_sgc:
+                                x->ex_xkusage |= XKU_SGC;
+                        }
+                }
+                sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
+        }
+
+        if((ns=X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
+                if(ns->length > 0) x->ex_nscert = ns->data[0];
+                else x->ex_nscert = 0;
+                x->ex_flags |= EXFLAG_NSCERT;
+                ASN1_BIT_STRING_free(ns);
+        }
+        x->ex_flags |= EXFLAG_SET;
+}
+#endif
+
+/* CA checks common to all purposes
+ * return codes:
+ * 0 not a CA
+ * 1 is a CA
+ * 2 basicConstraints absent so "maybe" a CA
+ * 3 basicConstraints absent but self signed V1.
+ */
+
+#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
+#define ku_reject(x, usage) \
+        (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
+#define xku_reject(x, usage) \
+        (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
+#define ns_reject(x, usage) \
+        (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
+
+static int ca_check(X509 *x)
+{
+        /* keyUsage if present should allow cert signing */
+        if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
+        if(x->ex_flags & EXFLAG_BCONS) {
+                if(x->ex_flags & EXFLAG_CA) return 1;
+                /* If basicConstraints says not a CA then say so */
+                else return 0;
+        } else {
+                if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
+                else return 2;
+        }
+}
+
+
+static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca)
+{
+        if(xku_reject(x,XKU_SSL_CLIENT)) return 0;
+        if(ca) {
+                int ca_ret;
+                ca_ret = ca_check(x);
+                if(!ca_ret) return 0;
+                /* check nsCertType if present */
+                if(x->ex_flags & EXFLAG_NSCERT) {
+                        if(x->ex_nscert & NS_SSL_CA) return ca_ret;
+                        return 0;
+                }
+                if(ca_ret != 2) return ca_ret;
+                else return 0;
+        }
+        /* We need to do digital signatures with it */
+        if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0;
+        /* nsCertType if present should allow SSL client use */ 
+        if(ns_reject(x, NS_SSL_CLIENT)) return 0;
+        return 1;
+}
+
+static int check_purpose_ssl_server(X509_PURPOSE *xp, X509 *x, int ca)
+{
+        if(xku_reject(x,XKU_SSL_SERVER|XKU_SGC)) return 0;
+        /* Otherwise same as SSL client for a CA */
+        if(ca) return check_purpose_ssl_client(xp, x, 1);
+
+        if(ns_reject(x, NS_SSL_SERVER)) return 0;
+        /* Now as for keyUsage: we'll at least need to sign OR encipher */
+        if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT)) return 0;
+        
+        return 1;
+
+}
+
+static int check_purpose_ns_ssl_server(X509_PURPOSE *xp, X509 *x, int ca)
+{
+        int ret;
+        ret = check_purpose_ssl_server(xp, x, ca);
+        if(!ret || ca) return ret;
+        /* We need to encipher or Netscape complains */
+        if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
+        return ret;
+}
+
+/* common S/MIME checks */
+static int purpose_smime(X509 *x, int ca)
+{
+        if(xku_reject(x,XKU_SMIME)) return 0;
+        if(ca) {
+                int ca_ret;
+                ca_ret = ca_check(x);
+                if(!ca_ret) return 0;
+                /* check nsCertType if present */
+                if(x->ex_flags & EXFLAG_NSCERT) {
+                        if(x->ex_nscert & NS_SMIME_CA) return ca_ret;
+                        return 0;
+                }
+                if(ca_ret != 2) return ca_ret;
+                else return 0;
+        }
+        if(x->ex_flags & EXFLAG_NSCERT) {
+                if(x->ex_nscert & NS_SMIME) return 1;
+                /* Workaround for some buggy certificates */
+                if(x->ex_nscert & NS_SSL_CLIENT) return 2;
+                return 0;
+        }
+        return 1;
+}
+
+static int check_purpose_smime_sign(X509_PURPOSE *xp, X509 *x, int ca)
+{
+        int ret;
+        ret = purpose_smime(x, ca);
+        if(!ret || ca) return ret;
+        if(ku_reject(x, KU_DIGITAL_SIGNATURE)) return 0;
+        return ret;
+}
+
+static int check_purpose_smime_encrypt(X509_PURPOSE *xp, X509 *x, int ca)
+{
+        int ret;
+        ret = purpose_smime(x, ca);
+        if(!ret || ca) return ret;
+        if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0;
+        return ret;
+}
+
+static int check_purpose_crl_sign(X509_PURPOSE *xp, X509 *x, int ca)
+{
+        if(ca) {
+                int ca_ret;
+                if((ca_ret = ca_check(x)) != 2) return ca_ret;
+                else return 0;
+        }
+        if(ku_reject(x, KU_CRL_SIGN)) return 0;
+        return 1;
+}
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_skey.c b/src/lib/libssl/src/crypto/x509v3/v3_skey.c
new file mode 100644
index 0000000000..fb3e36014d
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509v3/v3_skey.c
@@ -0,0 +1,156 @@
+/* v3_skey.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/x509v3.h>
+
+static ASN1_OCTET_STRING *octet_string_new(void);
+static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
+X509V3_EXT_METHOD v3_skey_id = { 
+NID_subject_key_identifier, 0,
+(X509V3_EXT_NEW)octet_string_new,
+(X509V3_EXT_FREE)ASN1_STRING_free,
+(X509V3_EXT_D2I)d2i_ASN1_OCTET_STRING,
+(X509V3_EXT_I2D)i2d_ASN1_OCTET_STRING,
+(X509V3_EXT_I2S)i2s_ASN1_OCTET_STRING,
+(X509V3_EXT_S2I)s2i_skey_id,
+NULL, NULL, NULL, NULL, NULL};
+
+
+static ASN1_OCTET_STRING *octet_string_new(void)
+{
+        return ASN1_OCTET_STRING_new();
+}
+
+char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
+             ASN1_OCTET_STRING *oct)
+{
+        return hex_to_string(oct->data, oct->length);
+}
+
+ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
+             X509V3_CTX *ctx, char *str)
+{
+        ASN1_OCTET_STRING *oct;
+        long length;
+
+        if(!(oct = ASN1_OCTET_STRING_new())) {
+                X509V3err(X509V3_F_S2I_ASN1_OCTET_STRING,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        if(!(oct->data = string_to_hex(str, &length))) {
+                ASN1_OCTET_STRING_free(oct);
+                return NULL;
+        }
+
+        oct->length = length;
+
+        return oct;
+
+}
+
+static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
+             X509V3_CTX *ctx, char *str)
+{
+        ASN1_OCTET_STRING *oct;
+        ASN1_BIT_STRING *pk;
+        unsigned char pkey_dig[EVP_MAX_MD_SIZE];
+        EVP_MD_CTX md;
+        unsigned int diglen;
+
+        if(strcmp(str, "hash")) return s2i_ASN1_OCTET_STRING(method, ctx, str);
+
+        if(!(oct = ASN1_OCTET_STRING_new())) {
+                X509V3err(X509V3_F_S2I_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        if(ctx && (ctx->flags == CTX_TEST)) return oct;
+
+        if(!ctx || (!ctx->subject_req && !ctx->subject_cert)) {
+                X509V3err(X509V3_F_S2I_ASN1_SKEY_ID,X509V3_R_NO_PUBLIC_KEY);
+                goto err;
+        }
+
+        if(ctx->subject_req) 
+                pk = ctx->subject_req->req_info->pubkey->public_key;
+        else pk = ctx->subject_cert->cert_info->key->public_key;
+
+        if(!pk) {
+                X509V3err(X509V3_F_S2I_ASN1_SKEY_ID,X509V3_R_NO_PUBLIC_KEY);
+                goto err;
+        }
+
+        EVP_DigestInit(&md, EVP_sha1());
+        EVP_DigestUpdate(&md, pk->data, pk->length);
+        EVP_DigestFinal(&md, pkey_dig, &diglen);
+
+        if(!ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) {
+                X509V3err(X509V3_F_S2I_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);
+                goto err;
+        }
+
+        return oct;
+        
+        err:
+        ASN1_OCTET_STRING_free(oct);
+        return NULL;
+}
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_sxnet.c b/src/lib/libssl/src/crypto/x509v3/v3_sxnet.c
new file mode 100644
index 0000000000..0687bb4e3d
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509v3/v3_sxnet.c
@@ -0,0 +1,340 @@
+/* v3_sxnet.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509v3.h>
+
+/* Support for Thawte strong extranet extension */
+
+#define SXNET_TEST
+
+static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out, int indent);
+#ifdef SXNET_TEST
+static SXNET * sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+                                                STACK_OF(CONF_VALUE) *nval);
+#endif
+X509V3_EXT_METHOD v3_sxnet = {
+NID_sxnet, X509V3_EXT_MULTILINE,
+(X509V3_EXT_NEW)SXNET_new,
+(X509V3_EXT_FREE)SXNET_free,
+(X509V3_EXT_D2I)d2i_SXNET,
+(X509V3_EXT_I2D)i2d_SXNET,
+NULL, NULL,
+NULL, 
+#ifdef SXNET_TEST
+(X509V3_EXT_V2I)sxnet_v2i,
+#else
+NULL,
+#endif
+(X509V3_EXT_I2R)sxnet_i2r,
+NULL,
+NULL
+};
+
+
+int i2d_SXNET(SXNET *a, unsigned char **pp)
+{
+        M_ASN1_I2D_vars(a);
+
+        M_ASN1_I2D_len (a->version, i2d_ASN1_INTEGER);
+        M_ASN1_I2D_len_SEQUENCE_type (SXNETID, a->ids, i2d_SXNETID);
+
+        M_ASN1_I2D_seq_total();
+
+        M_ASN1_I2D_put (a->version, i2d_ASN1_INTEGER);
+        M_ASN1_I2D_put_SEQUENCE_type (SXNETID, a->ids, i2d_SXNETID);
+
+        M_ASN1_I2D_finish();
+}
+
+SXNET *SXNET_new(void)
+{
+        SXNET *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, SXNET);
+        M_ASN1_New(ret->version,ASN1_INTEGER_new);
+        M_ASN1_New(ret->ids,sk_SXNETID_new_null);
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_SXNET_NEW);
+}
+
+SXNET *d2i_SXNET(SXNET **a, unsigned char **pp, long length)
+{
+        M_ASN1_D2I_vars(a,SXNET *,SXNET_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get (ret->version, d2i_ASN1_INTEGER);
+        M_ASN1_D2I_get_seq_type (SXNETID, ret->ids, d2i_SXNETID, SXNETID_free);
+        M_ASN1_D2I_Finish(a, SXNET_free, ASN1_F_D2I_SXNET);
+}
+
+void SXNET_free(SXNET *a)
+{
+        if (a == NULL) return;
+        ASN1_INTEGER_free(a->version);
+        sk_SXNETID_pop_free(a->ids, SXNETID_free);
+        Free (a);
+}
+
+int i2d_SXNETID(SXNETID *a, unsigned char **pp)
+{
+        M_ASN1_I2D_vars(a);
+
+        M_ASN1_I2D_len (a->zone, i2d_ASN1_INTEGER);
+        M_ASN1_I2D_len (a->user, i2d_ASN1_OCTET_STRING);
+
+        M_ASN1_I2D_seq_total();
+
+        M_ASN1_I2D_put (a->zone, i2d_ASN1_INTEGER);
+        M_ASN1_I2D_put (a->user, i2d_ASN1_OCTET_STRING);
+
+        M_ASN1_I2D_finish();
+}
+
+SXNETID *SXNETID_new(void)
+{
+        SXNETID *ret=NULL;
+        ASN1_CTX c;
+        M_ASN1_New_Malloc(ret, SXNETID);
+        ret->zone = NULL;
+        M_ASN1_New(ret->user,ASN1_OCTET_STRING_new);
+        return (ret);
+        M_ASN1_New_Error(ASN1_F_SXNETID_NEW);
+}
+
+SXNETID *d2i_SXNETID(SXNETID **a, unsigned char **pp, long length)
+{
+        M_ASN1_D2I_vars(a,SXNETID *,SXNETID_new);
+        M_ASN1_D2I_Init();
+        M_ASN1_D2I_start_sequence();
+        M_ASN1_D2I_get(ret->zone, d2i_ASN1_INTEGER);
+        M_ASN1_D2I_get(ret->user, d2i_ASN1_OCTET_STRING);
+        M_ASN1_D2I_Finish(a, SXNETID_free, ASN1_F_D2I_SXNETID);
+}
+
+void SXNETID_free(SXNETID *a)
+{
+        if (a == NULL) return;
+        ASN1_INTEGER_free(a->zone);
+        ASN1_OCTET_STRING_free(a->user);
+        Free (a);
+}
+
+static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out,
+             int indent)
+{
+        long v;
+        char *tmp;
+        SXNETID *id;
+        int i;
+        v = ASN1_INTEGER_get(sx->version);
+        BIO_printf(out, "%*sVersion: %d (0x%X)", indent, "", v + 1, v);
+        for(i = 0; i < sk_SXNETID_num(sx->ids); i++) {
+                id = sk_SXNETID_value(sx->ids, i);
+                tmp = i2s_ASN1_INTEGER(NULL, id->zone);
+                BIO_printf(out, "\n%*sZone: %s, User: ", indent, "", tmp);
+                Free(tmp);
+                ASN1_OCTET_STRING_print(out, id->user);
+        }
+        return 1;
+}
+
+#ifdef SXNET_TEST
+
+/* NBB: this is used for testing only. It should *not* be used for anything
+ * else because it will just take static IDs from the configuration file and
+ * they should really be separate values for each user.
+ */
+
+
+static SXNET * sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+             STACK_OF(CONF_VALUE) *nval)
+{
+        CONF_VALUE *cnf;
+        SXNET *sx = NULL;
+        int i;
+        for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+                cnf = sk_CONF_VALUE_value(nval, i);
+                if(!SXNET_add_id_asc(&sx, cnf->name, cnf->value, -1))
+                                                                 return NULL;
+        }
+        return sx;
+}
+                
+        
+#endif
+
+/* Strong Extranet utility functions */
+
+/* Add an id given the zone as an ASCII number */
+
+int SXNET_add_id_asc(SXNET **psx, char *zone, char *user,
+             int userlen)
+{
+        ASN1_INTEGER *izone = NULL;
+        if(!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
+                X509V3err(X509V3_F_SXNET_ADD_ASC,X509V3_R_ERROR_CONVERTING_ZONE);
+                return 0;
+        }
+        return SXNET_add_id_INTEGER(psx, izone, user, userlen);
+}
+
+/* Add an id given the zone as an unsigned long */
+
+int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, char *user,
+             int userlen)
+{
+        ASN1_INTEGER *izone = NULL;
+        if(!(izone = ASN1_INTEGER_new()) || !ASN1_INTEGER_set(izone, lzone)) {
+                X509V3err(X509V3_F_SXNET_ADD_ID_ULONG,ERR_R_MALLOC_FAILURE);
+                ASN1_INTEGER_free(izone);
+                return 0;
+        }
+        return SXNET_add_id_INTEGER(psx, izone, user, userlen);
+        
+}
+
+/* Add an id given the zone as an ASN1_INTEGER.
+ * Note this version uses the passed integer and doesn't make a copy so don't
+ * free it up afterwards.
+ */
+
+int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, char *user,
+             int userlen)
+{
+        SXNET *sx = NULL;
+        SXNETID *id = NULL;
+        if(!psx || !zone || !user) {
+                X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,X509V3_R_INVALID_NULL_ARGUMENT);
+                return 0;
+        }
+        if(userlen == -1) userlen = strlen(user);
+        if(userlen > 64) {
+                X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,X509V3_R_USER_TOO_LONG);
+                return 0;
+        }
+        if(!*psx) {
+                if(!(sx = SXNET_new())) goto err;
+                if(!ASN1_INTEGER_set(sx->version, 0)) goto err;
+                *psx = sx;
+        } else sx = *psx;
+        if(SXNET_get_id_INTEGER(sx, zone)) {
+                X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,X509V3_R_DUPLICATE_ZONE_ID);
+                return 0;
+        }
+
+        if(!(id = SXNETID_new())) goto err;
+        if(userlen == -1) userlen = strlen(user);
+                
+        if(!ASN1_OCTET_STRING_set(id->user, user, userlen)) goto err;
+        if(!sk_SXNETID_push(sx->ids, id)) goto err;
+        id->zone = zone;
+        return 1;
+        
+        err:
+        X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER,ERR_R_MALLOC_FAILURE);
+        SXNETID_free(id);
+        SXNET_free(sx);
+        *psx = NULL;
+        return 0;
+}
+
+ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, char *zone)
+{
+        ASN1_INTEGER *izone = NULL;
+        ASN1_OCTET_STRING *oct;
+        if(!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
+                X509V3err(X509V3_F_SXNET_GET_ID_ASC,X509V3_R_ERROR_CONVERTING_ZONE);
+                return NULL;
+        }
+        oct = SXNET_get_id_INTEGER(sx, izone);
+        ASN1_INTEGER_free(izone);
+        return oct;
+}
+
+ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone)
+{
+        ASN1_INTEGER *izone = NULL;
+        ASN1_OCTET_STRING *oct;
+        if(!(izone = ASN1_INTEGER_new()) || !ASN1_INTEGER_set(izone, lzone)) {
+                X509V3err(X509V3_F_SXNET_GET_ID_ULONG,ERR_R_MALLOC_FAILURE);
+                ASN1_INTEGER_free(izone);
+                return NULL;
+        }
+        oct = SXNET_get_id_INTEGER(sx, izone);
+        ASN1_INTEGER_free(izone);
+        return oct;
+}
+
+ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone)
+{
+        SXNETID *id;
+        int i;
+        for(i = 0; i < sk_SXNETID_num(sx->ids); i++) {
+                id = sk_SXNETID_value(sx->ids, i);
+                if(!ASN1_INTEGER_cmp(id->zone, zone)) return id->user;
+        }
+        return NULL;
+}
+
+IMPLEMENT_STACK_OF(SXNETID)
+IMPLEMENT_ASN1_SET_OF(SXNETID)
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_utl.c b/src/lib/libssl/src/crypto/x509v3/v3_utl.c
new file mode 100644
index 0000000000..40f71c71b4
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509v3/v3_utl.c
@@ -0,0 +1,418 @@
+/* v3_utl.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* X509 v3 extension utilities */
+
+
+#include <stdio.h>
+#include <ctype.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static char *strip_spaces(char *name);
+
+/* Add a CONF_VALUE name value pair to stack */
+
+int X509V3_add_value(const char *name, const char *value,
+                                                STACK_OF(CONF_VALUE) **extlist)
+{
+        CONF_VALUE *vtmp = NULL;
+        char *tname = NULL, *tvalue = NULL;
+        if(name && !(tname = BUF_strdup(name))) goto err;
+        if(value && !(tvalue = BUF_strdup(value))) goto err;;
+        if(!(vtmp = (CONF_VALUE *)Malloc(sizeof(CONF_VALUE)))) goto err;
+        if(!*extlist && !(*extlist = sk_CONF_VALUE_new(NULL))) goto err;
+        vtmp->section = NULL;
+        vtmp->name = tname;
+        vtmp->value = tvalue;
+        if(!sk_CONF_VALUE_push(*extlist, vtmp)) goto err;
+        return 1;
+        err:
+        X509V3err(X509V3_F_X509V3_ADD_VALUE,ERR_R_MALLOC_FAILURE);
+        if(vtmp) Free(vtmp);
+        if(tname) Free(tname);
+        if(tvalue) Free(tvalue);
+        return 0;
+}
+
+int X509V3_add_value_uchar(const char *name, const unsigned char *value,
+                           STACK_OF(CONF_VALUE) **extlist)
+    {
+    return X509V3_add_value(name,(const char *)value,extlist);
+    }
+
+/* Free function for STACK_OF(CONF_VALUE) */
+
+void X509V3_conf_free(CONF_VALUE *conf)
+{
+        if(!conf) return;
+        if(conf->name) Free(conf->name);
+        if(conf->value) Free(conf->value);
+        if(conf->section) Free(conf->section);
+        Free((char *)conf);
+}
+
+int X509V3_add_value_bool(const char *name, int asn1_bool,
+                                                STACK_OF(CONF_VALUE) **extlist)
+{
+        if(asn1_bool) return X509V3_add_value(name, "TRUE", extlist);
+        return X509V3_add_value(name, "FALSE", extlist);
+}
+
+int X509V3_add_value_bool_nf(char *name, int asn1_bool,
+                                                STACK_OF(CONF_VALUE) **extlist)
+{
+        if(asn1_bool) return X509V3_add_value(name, "TRUE", extlist);
+        return 1;
+}
+
+
+char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *method, ASN1_ENUMERATED *a)
+{
+        BIGNUM *bntmp = NULL;
+        char *strtmp = NULL;
+        if(!a) return NULL;
+        if(!(bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) ||
+            !(strtmp = BN_bn2dec(bntmp)) )
+                X509V3err(X509V3_F_I2S_ASN1_ENUMERATED,ERR_R_MALLOC_FAILURE);
+        BN_free(bntmp);
+        return strtmp;
+}
+
+char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *method, ASN1_INTEGER *a)
+{
+        BIGNUM *bntmp = NULL;
+        char *strtmp = NULL;
+        if(!a) return NULL;
+        if(!(bntmp = ASN1_INTEGER_to_BN(a, NULL)) ||
+            !(strtmp = BN_bn2dec(bntmp)) )
+                X509V3err(X509V3_F_I2S_ASN1_INTEGER,ERR_R_MALLOC_FAILURE);
+        BN_free(bntmp);
+        return strtmp;
+}
+
+ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, char *value)
+{
+        BIGNUM *bn = NULL;
+        ASN1_INTEGER *aint;
+        bn = BN_new();
+        if(!value) {
+                X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_INVALID_NULL_VALUE);
+                return 0;
+        }
+        if(!BN_dec2bn(&bn, value)) {
+                X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_BN_DEC2BN_ERROR);
+                return 0;
+        }
+
+        if(!(aint = BN_to_ASN1_INTEGER(bn, NULL))) {
+                X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_BN_TO_ASN1_INTEGER_ERROR);
+                return 0;
+        }
+        BN_free(bn);
+        return aint;
+}
+
+int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint,
+             STACK_OF(CONF_VALUE) **extlist)
+{
+        char *strtmp;
+        int ret;
+        if(!aint) return 1;
+        if(!(strtmp = i2s_ASN1_INTEGER(NULL, aint))) return 0;
+        ret = X509V3_add_value(name, strtmp, extlist);
+        Free(strtmp);
+        return ret;
+}
+
+int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool)
+{
+        char *btmp;
+        if(!(btmp = value->value)) goto err;
+        if(!strcmp(btmp, "TRUE") || !strcmp(btmp, "true")
+                 || !strcmp(btmp, "Y") || !strcmp(btmp, "y")
+                || !strcmp(btmp, "YES") || !strcmp(btmp, "yes")) {
+                *asn1_bool = 0xff;
+                return 1;
+        } else if(!strcmp(btmp, "FALSE") || !strcmp(btmp, "false")
+                 || !strcmp(btmp, "N") || !strcmp(btmp, "n")
+                || !strcmp(btmp, "NO") || !strcmp(btmp, "no")) {
+                *asn1_bool = 0;
+                return 1;
+        }
+        err:
+        X509V3err(X509V3_F_X509V3_GET_VALUE_BOOL,X509V3_R_INVALID_BOOLEAN_STRING);
+        X509V3_conf_err(value);
+        return 0;
+}
+
+int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint)
+{
+        ASN1_INTEGER *itmp;
+        if(!(itmp = s2i_ASN1_INTEGER(NULL, value->value))) {
+                X509V3_conf_err(value);
+                return 0;
+        }
+        *aint = itmp;
+        return 1;
+}
+
+#define HDR_NAME        1
+#define HDR_VALUE       2
+
+/*#define DEBUG*/
+
+STACK_OF(CONF_VALUE) *X509V3_parse_list(char *line)
+{
+        char *p, *q, c;
+        char *ntmp, *vtmp;
+        STACK_OF(CONF_VALUE) *values = NULL;
+        char *linebuf;
+        int state;
+        /* We are going to modify the line so copy it first */
+        linebuf = BUF_strdup(line);
+        state = HDR_NAME;
+        ntmp = NULL;
+        /* Go through all characters */
+        for(p = linebuf, q = linebuf; (c = *p) && (c!='\r') && (c!='\n'); p++) {
+
+                switch(state) {
+                        case HDR_NAME:
+                        if(c == ':') {
+                                state = HDR_VALUE;
+                                *p = 0;
+                                ntmp = strip_spaces(q);
+                                if(!ntmp) {
+                                        X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_NAME);
+                                        goto err;
+                                }
+                                q = p + 1;
+                        } else if(c == ',') {
+                                *p = 0;
+                                ntmp = strip_spaces(q);
+                                q = p + 1;
+#ifdef DEBUG
+                                printf("%s\n", ntmp);
+#endif
+                                if(!ntmp) {
+                                        X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_NAME);
+                                        goto err;
+                                }
+                                X509V3_add_value(ntmp, NULL, &values);
+                        }
+                        break ;
+
+                        case HDR_VALUE:
+                        if(c == ',') {
+                                state = HDR_NAME;
+                                *p = 0;
+                                vtmp = strip_spaces(q);
+#ifdef DEBUG
+                                printf("%s\n", ntmp);
+#endif
+                                if(!vtmp) {
+                                        X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_VALUE);
+                                        goto err;
+                                }
+                                X509V3_add_value(ntmp, vtmp, &values);
+                                ntmp = NULL;
+                                q = p + 1;
+                        }
+
+                }
+        }
+
+        if(state == HDR_VALUE) {
+                vtmp = strip_spaces(q);
+#ifdef DEBUG
+                printf("%s=%s\n", ntmp, vtmp);
+#endif
+                if(!vtmp) {
+                        X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_VALUE);
+                        goto err;
+                }
+                X509V3_add_value(ntmp, vtmp, &values);
+        } else {
+                ntmp = strip_spaces(q);
+#ifdef DEBUG
+                printf("%s\n", ntmp);
+#endif
+                if(!ntmp) {
+                        X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_NAME);
+                        goto err;
+                }
+                X509V3_add_value(ntmp, NULL, &values);
+        }
+Free(linebuf);
+return values;
+
+err:
+Free(linebuf);
+sk_CONF_VALUE_pop_free(values, X509V3_conf_free);
+return NULL;
+
+}
+
+/* Delete leading and trailing spaces from a string */
+static char *strip_spaces(char *name)
+{
+        char *p, *q;
+        /* Skip over leading spaces */
+        p = name;
+        while(*p && isspace((unsigned char)*p)) p++;
+        if(!*p) return NULL;
+        q = p + strlen(p) - 1;
+        while((q != p) && isspace((unsigned char)*q)) q--;
+        if(p != q) q[1] = 0;
+        if(!*p) return NULL;
+        return p;
+}
+
+/* hex string utilities */
+
+/* Given a buffer of length 'len' return a Malloc'ed string with its
+ * hex representation
+ */
+
+char *hex_to_string(unsigned char *buffer, long len)
+{
+        char *tmp, *q;
+        unsigned char *p;
+        int i;
+        static char hexdig[] = "0123456789ABCDEF";
+        if(!buffer || !len) return NULL;
+        if(!(tmp = Malloc(len * 3 + 1))) {
+                X509V3err(X509V3_F_HEX_TO_STRING,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        q = tmp;
+        for(i = 0, p = buffer; i < len; i++,p++) {
+                *q++ = hexdig[(*p >> 4) & 0xf];
+                *q++ = hexdig[*p & 0xf];
+                *q++ = ':';
+        }
+        q[-1] = 0;
+        return tmp;
+}
+
+/* Give a string of hex digits convert to
+ * a buffer
+ */
+
+unsigned char *string_to_hex(char *str, long *len)
+{
+        unsigned char *hexbuf, *q;
+        unsigned char ch, cl, *p;
+        if(!str) {
+                X509V3err(X509V3_F_STRING_TO_HEX,X509V3_R_INVALID_NULL_ARGUMENT);
+                return NULL;
+        }
+        if(!(hexbuf = Malloc(strlen(str) >> 1))) goto err;
+        for(p = (unsigned char *)str, q = hexbuf; *p;) {
+                ch = *p++;
+                if(ch == ':') continue;
+                cl = *p++;
+                if(!cl) {
+                        X509V3err(X509V3_F_STRING_TO_HEX,X509V3_R_ODD_NUMBER_OF_DIGITS);
+                        Free(hexbuf);
+                        return NULL;
+                }
+                if(isupper(ch)) ch = tolower(ch);
+                if(isupper(cl)) cl = tolower(cl);
+
+                if((ch >= '0') && (ch <= '9')) ch -= '0';
+                else if ((ch >= 'a') && (ch <= 'f')) ch -= 'a' - 10;
+                else goto badhex;
+
+                if((cl >= '0') && (cl <= '9')) cl -= '0';
+                else if ((cl >= 'a') && (cl <= 'f')) cl -= 'a' - 10;
+                else goto badhex;
+
+                *q++ = (ch << 4) | cl;
+        }
+
+        if(len) *len = q - hexbuf;
+
+        return hexbuf;
+
+        err:
+        if(hexbuf) Free(hexbuf);
+        X509V3err(X509V3_F_STRING_TO_HEX,ERR_R_MALLOC_FAILURE);
+        return NULL;
+
+        badhex:
+        Free(hexbuf);
+        X509V3err(X509V3_F_STRING_TO_HEX,X509V3_R_ILLEGAL_HEX_DIGIT);
+        return NULL;
+
+}
+
+/* V2I name comparison function: returns zero if 'name' matches
+ * cmp or cmp.*
+ */
+
+int name_cmp(const char *name, const char *cmp)
+{
+        int len, ret;
+        char c;
+        len = strlen(cmp);
+        if((ret = strncmp(name, cmp, len))) return ret;
+        c = name[len];
+        if(!c || (c=='.')) return 0;
+        return 1;
+}
diff --git a/src/lib/libssl/src/crypto/x509v3/v3conf.c b/src/lib/libssl/src/crypto/x509v3/v3conf.c
new file mode 100644
index 0000000000..21cf746f45
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509v3/v3conf.c
@@ -0,0 +1,128 @@
+/* v3conf.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/conf.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+/* Test application to add extensions from a config file */
+
+int main(int argc, char **argv)
+{
+        LHASH *conf;
+        X509 *cert;
+        FILE *inf;
+        char *conf_file;
+        int i;
+        int count;
+        X509_EXTENSION *ext;
+        X509V3_add_standard_extensions();
+        ERR_load_crypto_strings();
+        if(!argv[1]) {
+                fprintf(stderr, "Usage: v3conf cert.pem [file.cnf]\n");
+                exit(1);
+        }
+        conf_file = argv[2];
+        if(!conf_file) conf_file = "test.cnf";
+        conf = CONF_load(NULL, "test.cnf", NULL);
+        if(!conf) {
+                fprintf(stderr, "Error opening Config file %s\n", conf_file);
+                ERR_print_errors_fp(stderr);
+                exit(1);
+        }
+
+        inf = fopen(argv[1], "r");
+        if(!inf) {
+                fprintf(stderr, "Can't open certificate file %s\n", argv[1]);
+                exit(1);
+        }
+        cert = PEM_read_X509(inf, NULL, NULL);
+        if(!cert) {
+                fprintf(stderr, "Error reading certificate file %s\n", argv[1]);
+                exit(1);
+        }
+        fclose(inf);
+
+        sk_pop_free(cert->cert_info->extensions, X509_EXTENSION_free);
+        cert->cert_info->extensions = NULL;
+
+        if(!X509V3_EXT_add_conf(conf, NULL, "test_section", cert)) {
+                fprintf(stderr, "Error adding extensions\n");
+                ERR_print_errors_fp(stderr);
+                exit(1);
+        }
+
+        count = X509_get_ext_count(cert);
+        printf("%d extensions\n", count);
+        for(i = 0; i < count; i++) {
+                ext = X509_get_ext(cert, i);
+                printf("%s", OBJ_nid2ln(OBJ_obj2nid(ext->object)));
+                if(ext->critical) printf(",critical:\n");
+                else printf(":\n");
+                X509V3_EXT_print_fp(stdout, ext, 0);
+                printf("\n");
+                
+        }
+        return 0;
+}
+
diff --git a/src/lib/libssl/src/crypto/x509v3/v3err.c b/src/lib/libssl/src/crypto/x509v3/v3err.c
new file mode 100644
index 0000000000..50efa8d99d
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509v3/v3err.c
@@ -0,0 +1,171 @@
+/* crypto/x509v3/v3err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA X509V3_str_functs[]=
+        {
+{ERR_PACK(0,X509V3_F_COPY_EMAIL,0),     "COPY_EMAIL"},
+{ERR_PACK(0,X509V3_F_COPY_ISSUER,0),    "COPY_ISSUER"},
+{ERR_PACK(0,X509V3_F_DO_EXT_CONF,0),    "DO_EXT_CONF"},
+{ERR_PACK(0,X509V3_F_DO_EXT_I2D,0),     "DO_EXT_I2D"},
+{ERR_PACK(0,X509V3_F_HEX_TO_STRING,0),  "hex_to_string"},
+{ERR_PACK(0,X509V3_F_I2S_ASN1_ENUMERATED,0),    "i2s_ASN1_ENUMERATED"},
+{ERR_PACK(0,X509V3_F_I2S_ASN1_INTEGER,0),       "i2s_ASN1_INTEGER"},
+{ERR_PACK(0,X509V3_F_NOTICE_SECTION,0), "NOTICE_SECTION"},
+{ERR_PACK(0,X509V3_F_NREF_NOS,0),       "NREF_NOS"},
+{ERR_PACK(0,X509V3_F_POLICY_SECTION,0), "POLICY_SECTION"},
+{ERR_PACK(0,X509V3_F_R2I_CERTPOL,0),    "R2I_CERTPOL"},
+{ERR_PACK(0,X509V3_F_S2I_ASN1_IA5STRING,0),     "S2I_ASN1_IA5STRING"},
+{ERR_PACK(0,X509V3_F_S2I_ASN1_INTEGER,0),       "s2i_ASN1_INTEGER"},
+{ERR_PACK(0,X509V3_F_S2I_ASN1_OCTET_STRING,0),  "s2i_ASN1_OCTET_STRING"},
+{ERR_PACK(0,X509V3_F_S2I_ASN1_SKEY_ID,0),       "S2I_ASN1_SKEY_ID"},
+{ERR_PACK(0,X509V3_F_S2I_S2I_SKEY_ID,0),        "S2I_S2I_SKEY_ID"},
+{ERR_PACK(0,X509V3_F_STRING_TO_HEX,0),  "string_to_hex"},
+{ERR_PACK(0,X509V3_F_SXNET_ADD_ASC,0),  "SXNET_ADD_ASC"},
+{ERR_PACK(0,X509V3_F_SXNET_ADD_ID_INTEGER,0),   "SXNET_add_id_INTEGER"},
+{ERR_PACK(0,X509V3_F_SXNET_ADD_ID_ULONG,0),     "SXNET_add_id_ulong"},
+{ERR_PACK(0,X509V3_F_SXNET_GET_ID_ASC,0),       "SXNET_get_id_asc"},
+{ERR_PACK(0,X509V3_F_SXNET_GET_ID_ULONG,0),     "SXNET_get_id_ulong"},
+{ERR_PACK(0,X509V3_F_V2I_ASN1_BIT_STRING,0),    "V2I_ASN1_BIT_STRING"},
+{ERR_PACK(0,X509V3_F_V2I_AUTHORITY_KEYID,0),    "V2I_AUTHORITY_KEYID"},
+{ERR_PACK(0,X509V3_F_V2I_BASIC_CONSTRAINTS,0),  "V2I_BASIC_CONSTRAINTS"},
+{ERR_PACK(0,X509V3_F_V2I_CRLD,0),       "V2I_CRLD"},
+{ERR_PACK(0,X509V3_F_V2I_EXT_KU,0),     "V2I_EXT_KU"},
+{ERR_PACK(0,X509V3_F_V2I_GENERAL_NAME,0),       "v2i_GENERAL_NAME"},
+{ERR_PACK(0,X509V3_F_V2I_GENERAL_NAMES,0),      "v2i_GENERAL_NAMES"},
+{ERR_PACK(0,X509V3_F_V3_GENERIC_EXTENSION,0),   "V3_GENERIC_EXTENSION"},
+{ERR_PACK(0,X509V3_F_X509V3_ADD_VALUE,0),       "X509V3_add_value"},
+{ERR_PACK(0,X509V3_F_X509V3_EXT_ADD,0), "X509V3_EXT_add"},
+{ERR_PACK(0,X509V3_F_X509V3_EXT_ADD_ALIAS,0),   "X509V3_EXT_add_alias"},
+{ERR_PACK(0,X509V3_F_X509V3_EXT_CONF,0),        "X509V3_EXT_conf"},
+{ERR_PACK(0,X509V3_F_X509V3_EXT_I2D,0), "X509V3_EXT_i2d"},
+{ERR_PACK(0,X509V3_F_X509V3_GET_VALUE_BOOL,0),  "X509V3_get_value_bool"},
+{ERR_PACK(0,X509V3_F_X509V3_PARSE_LIST,0),      "X509V3_parse_list"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA X509V3_str_reasons[]=
+        {
+{X509V3_R_BAD_IP_ADDRESS                 ,"bad ip address"},
+{X509V3_R_BAD_OBJECT                     ,"bad object"},
+{X509V3_R_BN_DEC2BN_ERROR                ,"bn dec2bn error"},
+{X509V3_R_BN_TO_ASN1_INTEGER_ERROR       ,"bn to asn1 integer error"},
+{X509V3_R_DUPLICATE_ZONE_ID              ,"duplicate zone id"},
+{X509V3_R_ERROR_CONVERTING_ZONE          ,"error converting zone"},
+{X509V3_R_ERROR_IN_EXTENSION             ,"error in extension"},
+{X509V3_R_EXPECTED_A_SECTION_NAME        ,"expected a section name"},
+{X509V3_R_EXTENSION_NAME_ERROR           ,"extension name error"},
+{X509V3_R_EXTENSION_NOT_FOUND            ,"extension not found"},
+{X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED,"extension setting not supported"},
+{X509V3_R_EXTENSION_VALUE_ERROR          ,"extension value error"},
+{X509V3_R_ILLEGAL_HEX_DIGIT              ,"illegal hex digit"},
+{X509V3_R_INVALID_BOOLEAN_STRING         ,"invalid boolean string"},
+{X509V3_R_INVALID_EXTENSION_STRING       ,"invalid extension string"},
+{X509V3_R_INVALID_NAME                   ,"invalid name"},
+{X509V3_R_INVALID_NULL_ARGUMENT          ,"invalid null argument"},
+{X509V3_R_INVALID_NULL_NAME              ,"invalid null name"},
+{X509V3_R_INVALID_NULL_VALUE             ,"invalid null value"},
+{X509V3_R_INVALID_NUMBER                 ,"invalid number"},
+{X509V3_R_INVALID_NUMBERS                ,"invalid numbers"},
+{X509V3_R_INVALID_OBJECT_IDENTIFIER      ,"invalid object identifier"},
+{X509V3_R_INVALID_OPTION                 ,"invalid option"},
+{X509V3_R_INVALID_POLICY_IDENTIFIER      ,"invalid policy identifier"},
+{X509V3_R_INVALID_SECTION                ,"invalid section"},
+{X509V3_R_ISSUER_DECODE_ERROR            ,"issuer decode error"},
+{X509V3_R_MISSING_VALUE                  ,"missing value"},
+{X509V3_R_NEED_ORGANIZATION_AND_NUMBERS  ,"need organization and numbers"},
+{X509V3_R_NO_CONFIG_DATABASE             ,"no config database"},
+{X509V3_R_NO_ISSUER_CERTIFICATE          ,"no issuer certificate"},
+{X509V3_R_NO_ISSUER_DETAILS              ,"no issuer details"},
+{X509V3_R_NO_POLICY_IDENTIFIER           ,"no policy identifier"},
+{X509V3_R_NO_PUBLIC_KEY                  ,"no public key"},
+{X509V3_R_NO_SUBJECT_DETAILS             ,"no subject details"},
+{X509V3_R_ODD_NUMBER_OF_DIGITS           ,"odd number of digits"},
+{X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS   ,"unable to get issuer details"},
+{X509V3_R_UNABLE_TO_GET_ISSUER_KEYID     ,"unable to get issuer keyid"},
+{X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT    ,"unknown bit string argument"},
+{X509V3_R_UNKNOWN_EXTENSION              ,"unknown extension"},
+{X509V3_R_UNKNOWN_EXTENSION_NAME         ,"unknown extension name"},
+{X509V3_R_UNKNOWN_OPTION                 ,"unknown option"},
+{X509V3_R_UNSUPPORTED_OPTION             ,"unsupported option"},
+{X509V3_R_USER_TOO_LONG                  ,"user too long"},
+{0,NULL}
+        };
+
+#endif
+
+void ERR_load_X509V3_strings(void)
+        {
+        static int init=1;
+
+        if (init)
+                {
+                init=0;
+#ifndef NO_ERR
+                ERR_load_strings(ERR_LIB_X509V3,X509V3_str_functs);
+                ERR_load_strings(ERR_LIB_X509V3,X509V3_str_reasons);
+#endif
+
+                }
+        }
diff --git a/src/lib/libssl/src/crypto/x509v3/v3prin.c b/src/lib/libssl/src/crypto/x509v3/v3prin.c
new file mode 100644
index 0000000000..ee798859f0
--- /dev/null
+++ b/src/lib/libssl/src/crypto/x509v3/v3prin.c
@@ -0,0 +1,101 @@
+/* v3prin.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/conf.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+int main(int argc, char **argv)
+{
+        X509 *cert;
+        FILE *inf;
+        int i, count;
+        X509_EXTENSION *ext;
+        X509V3_add_standard_extensions();
+        ERR_load_crypto_strings();
+        if(!argv[1]) {
+                fprintf(stderr, "Usage v3prin cert.pem\n");
+                exit(1);
+        }
+        if(!(inf = fopen(argv[1], "r"))) {
+                fprintf(stderr, "Can't open %s\n", argv[1]);
+                exit(1);
+        }
+        if(!(cert = PEM_read_X509(inf, NULL, NULL))) {
+                fprintf(stderr, "Can't read certificate %s\n", argv[1]);
+                ERR_print_errors_fp(stderr);
+                exit(1);
+        }
+        fclose(inf);
+        count = X509_get_ext_count(cert);
+        printf("%d extensions\n", count);
+        for(i = 0; i < count; i++) {
+                ext = X509_get_ext(cert, i);
+                printf("%s\n", OBJ_nid2ln(OBJ_obj2nid(ext->object)));
+                if(!X509V3_EXT_print_fp(stdout, ext, 0, 0)) ERR_print_errors_fp(stderr);
+                printf("\n");
+                
+        }
+        return 0;
+}
diff --git a/src/lib/libssl/src/demos/asn1/README.ASN1 b/src/lib/libssl/src/demos/asn1/README.ASN1
new file mode 100644
index 0000000000..ac497be184
--- /dev/null
+++ b/src/lib/libssl/src/demos/asn1/README.ASN1
@@ -0,0 +1,7 @@
+This is a demo of the new ASN1 code. Its an OCSP ASN1 module. Doesn't
+do much yet other than demonstrate what the new ASN1 modules might look
+like.
+
+It wont even compile yet: the new code isn't in place.
+
+
diff --git a/src/lib/libssl/src/demos/asn1/ocsp.c b/src/lib/libssl/src/demos/asn1/ocsp.c
new file mode 100644
index 0000000000..0199fe1004
--- /dev/null
+++ b/src/lib/libssl/src/demos/asn1/ocsp.c
@@ -0,0 +1,366 @@
+/* ocsp.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/x509v3.h>
+
+
+
+
+/* Example of new ASN1 code, OCSP request
+
+        OCSPRequest     ::=     SEQUENCE {
+            tbsRequest                  TBSRequest,
+            optionalSignature   [0]     EXPLICIT Signature OPTIONAL }
+
+        TBSRequest      ::=     SEQUENCE {
+            version             [0] EXPLICIT Version DEFAULT v1,
+            requestorName       [1] EXPLICIT GeneralName OPTIONAL,
+            requestList             SEQUENCE OF Request,
+            requestExtensions   [2] EXPLICIT Extensions OPTIONAL }
+
+        Signature       ::=     SEQUENCE {
+            signatureAlgorithm   AlgorithmIdentifier,
+            signature            BIT STRING,
+            certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+
+        Version  ::=  INTEGER  {  v1(0) }
+
+        Request ::=     SEQUENCE {
+            reqCert                    CertID,
+            singleRequestExtensions    [0] EXPLICIT Extensions OPTIONAL }
+
+        CertID ::= SEQUENCE {
+            hashAlgorithm            AlgorithmIdentifier,
+            issuerNameHash     OCTET STRING, -- Hash of Issuer's DN
+            issuerKeyHash      OCTET STRING, -- Hash of Issuers public key
+            serialNumber       CertificateSerialNumber }
+
+        OCSPResponse ::= SEQUENCE {
+           responseStatus         OCSPResponseStatus,
+           responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }
+
+        OCSPResponseStatus ::= ENUMERATED {
+            successful            (0),      --Response has valid confirmations
+            malformedRequest      (1),      --Illegal confirmation request
+            internalError         (2),      --Internal error in issuer
+            tryLater              (3),      --Try again later
+                                            --(4) is not used
+            sigRequired           (5),      --Must sign the request
+            unauthorized          (6)       --Request unauthorized
+        }
+
+        ResponseBytes ::=       SEQUENCE {
+            responseType   OBJECT IDENTIFIER,
+            response       OCTET STRING }
+
+        BasicOCSPResponse       ::= SEQUENCE {
+           tbsResponseData      ResponseData,
+           signatureAlgorithm   AlgorithmIdentifier,
+           signature            BIT STRING,
+           certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+
+        ResponseData ::= SEQUENCE {
+           version              [0] EXPLICIT Version DEFAULT v1,
+           responderID              ResponderID,
+           producedAt               GeneralizedTime,
+           responses                SEQUENCE OF SingleResponse,
+           responseExtensions   [1] EXPLICIT Extensions OPTIONAL }
+
+        ResponderID ::= CHOICE {
+           byName   [1] Name,    --EXPLICIT
+           byKey    [2] KeyHash }
+
+        KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
+                                 --(excluding the tag and length fields)
+
+        SingleResponse ::= SEQUENCE {
+           certID                       CertID,
+           certStatus                   CertStatus,
+           thisUpdate                   GeneralizedTime,
+           nextUpdate           [0]     EXPLICIT GeneralizedTime OPTIONAL,
+           singleExtensions     [1]     EXPLICIT Extensions OPTIONAL }
+
+        CertStatus ::= CHOICE {
+            good                [0]     IMPLICIT NULL,
+            revoked             [1]     IMPLICIT RevokedInfo,
+            unknown             [2]     IMPLICIT UnknownInfo }
+
+        RevokedInfo ::= SEQUENCE {
+            revocationTime              GeneralizedTime,
+            revocationReason    [0]     EXPLICIT CRLReason OPTIONAL }
+
+        UnknownInfo ::= NULL -- this can be replaced with an enumeration
+
+        ArchiveCutoff ::= GeneralizedTime
+
+        AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER
+
+        ServiceLocator ::= SEQUENCE {
+            issuer    Name,
+            locator   AuthorityInfoAccessSyntax }
+
+        -- Object Identifiers
+
+        id-kp-OCSPSigning            OBJECT IDENTIFIER ::= { id-kp 9 }
+        id-pkix-ocsp                 OBJECT IDENTIFIER ::= { id-ad-ocsp }
+        id-pkix-ocsp-basic           OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }
+        id-pkix-ocsp-nonce           OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
+        id-pkix-ocsp-crl             OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 }
+        id-pkix-ocsp-response        OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 }
+        id-pkix-ocsp-nocheck         OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }
+        id-pkix-ocsp-archive-cutoff  OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 }
+        id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 }
+
+*/
+
+/* Request Structures */
+
+DECLARE_STACK_OF(Request)
+
+typedef struct {
+        ASN1_INTEGER *version;
+        GENERAL_NAME *requestorName;
+        STACK_OF(Request) *requestList;
+        STACK_OF(X509_EXTENSION) *requestExtensions;
+} TBSRequest;
+
+typedef struct {
+        X509_ALGOR *signatureAlgorithm;
+        ASN1_BIT_STRING *signature;
+        STACK_OF(X509) *certs;
+} Signature;
+
+typedef struct {
+        TBSRequest *tbsRequest;
+        Signature *optionalSignature;
+} OCSPRequest;
+
+typedef struct {
+        X509_ALGOR *hashAlgorithm;
+        ASN1_OCTET_STRING *issuerNameHash;
+        ASN1_OCTET_STRING *issuerKeyHash;
+        ASN1_INTEGER *certificateSerialNumber;
+} CertID;
+
+typedef struct {
+        CertID *reqCert;
+        STACK_OF(X509_EXTENSION) *singleRequestExtensions;
+} Request;
+
+/* Response structures */
+
+typedef struct {
+        ASN1_OBJECT *responseType;
+        ASN1_OCTET_STRING *response;
+} ResponseBytes;
+
+typedef struct {
+        ASN1_ENUMERATED *responseStatus;
+        ResponseBytes *responseBytes;
+} OCSPResponse;
+
+typedef struct {
+        int type;
+        union {
+           X509_NAME *byName;
+           ASN1_OCTET_STRING *byKey;
+        }d;
+} ResponderID;
+
+typedef struct {
+           ASN1_INTEGER *version;
+           ResponderID *responderID;
+           ASN1_GENERALIZEDTIME *producedAt;
+           STACK_OF(SingleResponse) *responses;
+           STACK_OF(X509_EXTENSION) *responseExtensions;
+} ResponseData;
+
+typedef struct {
+           ResponseData *tbsResponseData;
+           X509_ALGOR *signatureAlgorithm;
+           ASN1_BIT_STRING *signature;
+           STACK_OF(X509) *certs;
+} BasicOCSPResponse;
+
+typedef struct {
+        ASN1_GENERALIZEDTIME *revocationTime;
+        ASN1_ENUMERATED * revocationReason;
+} RevokedInfo;
+
+typedef struct {
+        int type;
+        union {
+            ASN1_NULL *good;
+            RevokedInfo *revoked;
+            ASN1_NULL *unknown;
+        } d;
+} CertStatus;
+
+typedef struct {
+           CertID *certID;
+           CertStatus *certStatus;
+           ASN1_GENERALIZEDTIME *thisUpdate;
+           ASN1_GENERALIZEDTIME *nextUpdate;
+           STACK_OF(X509_EXTENSION) *singleExtensions;
+} SingleResponse;
+
+
+typedef struct {
+    X509_NAME *issuer;
+    STACK_OF(ACCESS_DESCRIPTION) *locator;
+} ServiceLocator;
+
+
+/* Now the ASN1 templates */
+
+IMPLEMENT_COMPAT_ASN1(X509);
+IMPLEMENT_COMPAT_ASN1(X509_ALGOR);
+//IMPLEMENT_COMPAT_ASN1(X509_EXTENSION);
+IMPLEMENT_COMPAT_ASN1(GENERAL_NAME);
+IMPLEMENT_COMPAT_ASN1(X509_NAME);
+
+ASN1_SEQUENCE(X509_EXTENSION) = {
+        ASN1_SIMPLE(X509_EXTENSION, object, ASN1_OBJECT),
+        ASN1_OPT(X509_EXTENSION, critical, ASN1_BOOLEAN),
+        ASN1_SIMPLE(X509_EXTENSION, value, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END(X509_EXTENSION);
+        
+
+ASN1_SEQUENCE(Signature) = {
+        ASN1_SIMPLE(Signature, signatureAlgorithm, X509_ALGOR),
+        ASN1_SIMPLE(Signature, signature, ASN1_BIT_STRING),
+        ASN1_SEQUENCE_OF(Signature, certs, X509)
+} ASN1_SEQUENCE_END(Signature);
+
+ASN1_SEQUENCE(CertID) = {
+        ASN1_SIMPLE(CertID, hashAlgorithm, X509_ALGOR),
+        ASN1_SIMPLE(CertID, issuerNameHash, ASN1_OCTET_STRING),
+        ASN1_SIMPLE(CertID, issuerKeyHash, ASN1_OCTET_STRING),
+        ASN1_SIMPLE(CertID, certificateSerialNumber, ASN1_INTEGER)
+} ASN1_SEQUENCE_END(CertID);
+
+ASN1_SEQUENCE(Request) = {
+        ASN1_SIMPLE(Request, reqCert, CertID),
+        ASN1_EXP_SEQUENCE_OF_OPT(Request, singleRequestExtensions, X509_EXTENSION, 0)
+} ASN1_SEQUENCE_END(Request);
+
+ASN1_SEQUENCE(TBSRequest) = {
+        ASN1_EXP_OPT(TBSRequest, version, ASN1_INTEGER, 0),
+        ASN1_EXP_OPT(TBSRequest, requestorName, GENERAL_NAME, 1),
+        ASN1_SEQUENCE_OF(TBSRequest, requestList, Request),
+        ASN1_EXP_SEQUENCE_OF_OPT(TBSRequest, requestExtensions, X509_EXTENSION, 2)
+} ASN1_SEQUENCE_END(TBSRequest);
+
+ASN1_SEQUENCE(OCSPRequest) = {
+        ASN1_SIMPLE(OCSPRequest, tbsRequest, TBSRequest),
+        ASN1_EXP_OPT(OCSPRequest, optionalSignature, Signature, 0)
+} ASN1_SEQUENCE_END(OCSPRequest);
+
+
+/* Response templates */
+
+ASN1_SEQUENCE(ResponseBytes) = {
+            ASN1_SIMPLE(ResponseBytes, responseType, ASN1_OBJECT),
+            ASN1_SIMPLE(ResponseBytes, response, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END(ResponseBytes);
+
+ASN1_SEQUENCE(OCSPResponse) = {
+        ASN1_SIMPLE(OCSPResponse, responseStatus, ASN1_ENUMERATED),
+        ASN1_EXP_OPT(OCSPResponse, responseBytes, ResponseBytes, 0)
+} ASN1_SEQUENCE_END(OCSPResponse);
+
+ASN1_CHOICE(ResponderID) = {
+           ASN1_EXP(ResponderID, d.byName, X509_NAME, 1),
+           ASN1_IMP(ResponderID, d.byKey, ASN1_OCTET_STRING, 2)
+} ASN1_CHOICE_END(ResponderID);
+
+ASN1_SEQUENCE(RevokedInfo) = {
+        ASN1_SIMPLE(RevokedInfo, revocationTime, ASN1_GENERALIZEDTIME),
+        ASN1_EXP_OPT(RevokedInfo, revocationReason, ASN1_ENUMERATED, 0)
+} ASN1_SEQUENCE_END(RevokedInfo);
+
+ASN1_CHOICE(CertStatus) = {
+        ASN1_IMP(CertStatus, d.good, ASN1_NULL, 0),
+        ASN1_IMP(CertStatus, d.revoked, RevokedInfo, 1),
+        ASN1_IMP(CertStatus, d.unknown, ASN1_NULL, 2)
+} ASN1_CHOICE_END(CertStatus);
+
+ASN1_SEQUENCE(SingleResponse) = {
+           ASN1_SIMPLE(SingleResponse, certID, CertID),
+           ASN1_SIMPLE(SingleResponse, certStatus, CertStatus),
+           ASN1_SIMPLE(SingleResponse, thisUpdate, ASN1_GENERALIZEDTIME),
+           ASN1_EXP_OPT(SingleResponse, nextUpdate, ASN1_GENERALIZEDTIME, 0),
+           ASN1_EXP_SEQUENCE_OF_OPT(SingleResponse, singleExtensions, X509_EXTENSION, 1)
+} ASN1_SEQUENCE_END(SingleResponse);
+
+ASN1_SEQUENCE(ResponseData) = {
+           ASN1_EXP_OPT(ResponseData, version, ASN1_INTEGER, 0),
+           ASN1_SIMPLE(ResponseData, responderID, ResponderID),
+           ASN1_SIMPLE(ResponseData, producedAt, ASN1_GENERALIZEDTIME),
+           ASN1_SEQUENCE_OF(ResponseData, responses, SingleResponse),
+           ASN1_EXP_SEQUENCE_OF_OPT(ResponseData, responseExtensions, X509_EXTENSION, 1)
+} ASN1_SEQUENCE_END(ResponseData);
+
+ASN1_SEQUENCE(BasicOCSPResponse) = {
+           ASN1_SIMPLE(BasicOCSPResponse, tbsResponseData, ResponseData),
+           ASN1_SIMPLE(BasicOCSPResponse, signatureAlgorithm, X509_ALGOR),
+           ASN1_SIMPLE(BasicOCSPResponse, signature, ASN1_BIT_STRING),
+           ASN1_EXP_SEQUENCE_OF_OPT(BasicOCSPResponse, certs, X509, 0)
+} ASN1_SEQUENCE_END(BasicOCSPResponse);
+
diff --git a/src/lib/libssl/src/demos/bio/Makefile b/src/lib/libssl/src/demos/bio/Makefile
new file mode 100644
index 0000000000..4351540532
--- /dev/null
+++ b/src/lib/libssl/src/demos/bio/Makefile
@@ -0,0 +1,16 @@
+CC=cc
+CFLAGS= -g -I../../include
+LIBS= -L../.. ../../libssl.a ../../libcrypto.a
+EXAMPLES=saccept sconnect
+
+all: $(EXAMPLES) 
+
+saccept: saccept.o
+        $(CC) -o saccept saccept.o $(LIBS)
+
+sconnect: sconnect.o
+        $(CC) -o sconnect sconnect.o $(LIBS)
+
+clean:  
+        rm -f $(EXAMPLES) *.o
+
diff --git a/src/lib/libssl/src/demos/easy_tls/Makefile b/src/lib/libssl/src/demos/easy_tls/Makefile
new file mode 100644
index 0000000000..fd3c246ef4
--- /dev/null
+++ b/src/lib/libssl/src/demos/easy_tls/Makefile
@@ -0,0 +1,123 @@
+# Makefile for easy-tls example application (rudimentary client and server)
+# $Id: Makefile,v 1.1 2002/05/15 02:29:18 beck Exp $
+
+SOLARIS_CFLAGS=-Wall -pedantic -g -O2
+SOLARIS_LIBS=-lxnet
+
+LINUX_CFLAGS=-Wall -pedantic -g -O2
+LINUX_LIBS=
+
+
+auto-all:
+        case `uname -s` in \
+        SunOS) echo Using SunOS configuration; \
+          make SYSCFLAGS="$(SOLARIS_CFLAGS)" SYSLIBS="$(SOLARIS_LIBS)" all;; \
+        Linux) echo Using Linux configuration; \
+          make SYSCFLAGS="$(LINUX_CFLAGS)" SYSLIBS="$(LINUX_LIBS)" all;; \
+        *) echo "unknown system"; exit 1;; \
+        esac
+
+all: test TAGS
+
+# For adapting this Makefile to a different system, only the following
+# definitions should need customizing:
+
+OPENSSLDIR=../..
+CC=gcc
+
+SYSCFLAGS=whatever
+SYSLIBS=whatever
+
+
+#############################################################################
+#
+# SSLeay/OpenSSL imports
+#
+# OPENSSLDIR (set above) can be either the directory where OpenSSL is
+# installed or the directory where it was compiled.
+
+# We rely on having a new OpenSSL release where include files
+# have names like <openssl/ssl.h> (not just <ssl.h>).
+OPENSSLINCLUDES=-I$(OPENSSLDIR)/include
+
+# libcrypto.a and libssl.a are directly in $(OPENSSLDIR) if this is
+# the compile directory, or in $(OPENSSLDIR)/lib if we use an installed
+# library.  With the following definition, we can handle either case.
+OPENSSLLIBS=-L$(OPENSSLDIR) -L$(OPENSSLDIR)/lib -lssl -lcrypto
+
+
+#############################################################################
+#
+# Stuff for handling the source files
+#
+
+SOURCES=easy-tls.c test.c
+HEADERS=easy-tls.h test.h
+DOCSandEXAMPLESetc=Makefile cert.pem cacerts.pem
+EVERYTHING=$(SOURCES) $(HEADERS) $(DOCSandEXAMPLESetc)
+
+ls: ls-l
+ls-l:
+        ls -l $(EVERYTHING)
+# For RCS:
+tag:
+        -rcs -n_`date +%y%m%d`: $(EVERYTHING)
+        rcs -nMYTAG $(EVERYTHING)
+        rcs -nMYTAG: $(EVERYTHING)
+diff:
+        -rcsdiff -rMYTAG -u $(EVERYTHING)
+today:
+        -rcsdiff -r_`date +%y%m%d` -u $(EVERYTHING)
+ident:
+        for a in $(EVERYTHING); do ident $$a; done
+
+# Distribution .tar:
+easy-tls.tar.gz: $(EVERYTHING)
+        tar cvf - $(EVERYTHING) | \
+        gzip -9 > easy-tls.tar.gz
+
+# Working .tar:
+tls.tgz: $(EVERYTHING)
+        tar cfv - `find . -type f -a ! -name '*.tgz' -a ! -name '*.tar.gz'` | \
+        gzip -9 > tls.tgz
+
+# For emacs:
+etags: TAGS
+TAGS: $(SOURCES) $(HEADERS)
+        -etags $(SOURCES) $(HEADERS)
+
+
+#############################################################################
+#
+# Compilation
+#
+# The following definitions are system dependent (and hence defined
+# at the beginning of this Makefile, where they are more easily found):
+
+### CC=gcc
+### SYSCFLAGS=-Wall -pedantic -g -O2
+### SYSLIBS=-lxnet
+
+EXTRACFLAGS=-DTLS_APP=\"test.h\"
+# EXTRACFLAGS=-DTLS_APP=\"test.h\" -DDEBUG_TLS
+
+#
+# The rest shouldn't need to be touched.
+#
+LDFLAGS=$(SYSLIBS) $(OPENSSLLIBS)
+INCLUDES=$(OPENSSLINCLUDES)
+CFLAGS=$(SYSCFLAGS) $(EXTRACFLAGS) $(INCLUDES)
+
+OBJS=easy-tls.o test.o
+
+clean:
+        @rm -f test
+        @rm -f TAGS
+        @rm -f *.o
+        @rm -f core
+
+test: $(OBJS)
+        $(CC) $(OBJS) $(LDFLAGS) -o test
+
+test.o: $(HEADERS)
+easy-tls.o: $(HEADERS)
diff --git a/src/lib/libssl/src/demos/easy_tls/README b/src/lib/libssl/src/demos/easy_tls/README
new file mode 100644
index 0000000000..816a58009c
--- /dev/null
+++ b/src/lib/libssl/src/demos/easy_tls/README
@@ -0,0 +1,65 @@
+easy_tls - generic SSL/TLS proxy
+========
+
+(... and example for non-blocking SSL/TLS I/O multiplexing.)
+
+
+  easy_tls.c, easy_tls.h:
+
+     Small generic SSL/TLS proxy library: With a few function calls,
+     an application socket will be replaced by a pipe handled by a
+     separate SSL/TLS proxy process.  This allows easily adding
+     SSL/TLS support to many programs not originally designed for it.
+
+     [Actually easy_tls.c is not a proper library: Customization
+     requires defining preprocessor macros while compiling it.
+     This is quite confusing, so I'll probably change it.]
+
+     These files may be used under the OpenSSL license.
+
+
+
+  test.c, test.h, Makefile, cert.pem, cacerts.pem:
+
+     Rudimentary example program using the easy_tls library, and
+     example key and certificates for it.  Usage examples:
+
+       $ ./test 8443     # create server listening at port 8443
+       $ ./test 127.0.0.1 8443  # create client, connect to port 8443
+                                # at IP address 127.0.0.1
+
+     'test' will not automatically do SSL/TLS, or even read or write
+     data -- it must be told to do so on input lines starting
+     with a command letter.  'W' means write a line, 'R' means
+     read a line, 'C' means close the connection, 'T' means
+     start an SSL/TLS proxy.  E.g. (user input tagged with '*'):
+
+     * R
+       <<< 220 mail.example.net
+     * WSTARTTLS
+       >>> STARTTLS
+     * R
+       <<< 220 Ready to start TLS
+     * T
+       test_process_init(fd = 3, client_p = 1, apparg = (nil))
+       +++ `E:self signed certificate in certificate chain'
+       +++ `<... certificate info ...>'
+     * WHELO localhost
+       >>> HELO localhost
+       R
+       <<< 250 mail.example.net
+
+     You can even do SSL/TLS over SSL/TLS over SSL/TLS ... by using
+     'T' multiple times.  I have no idea why you would want to though.
+
+
+This code is rather old.  When I find time I will update anything that
+should be changed, and improve code comments.  To compile the sample
+program 'test' on platforms other then Linux or Solaris, you will have
+to edit the Makefile.
+
+As noted above, easy_tls.c will be changed to become a library one
+day, which means that future revisions will not be fully compatible to
+the current version.
+
+Bodo Möller <bodo@openssl.org>
diff --git a/src/lib/libssl/src/demos/easy_tls/cacerts.pem b/src/lib/libssl/src/demos/easy_tls/cacerts.pem
new file mode 100644
index 0000000000..0b1c91f95e
--- /dev/null
+++ b/src/lib/libssl/src/demos/easy_tls/cacerts.pem
@@ -0,0 +1,18 @@
+$Id: cacerts.pem,v 1.1 2002/05/15 02:29:18 beck Exp $
+
+issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
+subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
+-----BEGIN CERTIFICATE-----
+MIICJjCCAY8CAQAwDQYJKoZIhvcNAQEEBQAwXDELMAkGA1UEBhMCQVUxEzARBgNV
+BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYD
+VQQDExNUZXN0IFBDQSAoMTAyNCBiaXQpMB4XDTk3MDYwOTEzNTc0M1oXDTAxMDYw
+OTEzNTc0M1owWzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxGjAY
+BgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYDVQQDExJUZXN0IENBICgxMDI0
+IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKO7o8t116VP6cgybTsZ
+DCZhr95nYlZuya3aCi1IKoztqwWnjbmDFIriOqGFPrZQ+moMETC9D59iRW/dFXSv
+1F65ka/XY2hLh9exCCo7XuUcDs53Qp3bI3AmMqHjgzE8oO3ajyJAzJkTTOUecQU2
+mw/gI4tMM0LqWMQS7luTy4+xAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAM7achv3v
+hLQJcv/65eGEpBXM40ZDVoFQFFJWaY5p883HTqLB1x4FdzsXHH0QKBTcKpWwqyu4
+YDm3fb8oDugw72bCzfyZK/zVZPR/hVlqI/fvU109Qoc+7oPvIXWky71HfcK6ZBCA
+q30KIqGM/uoM60INq97qjDmCJapagcNBGQs=
+-----END CERTIFICATE-----
diff --git a/src/lib/libssl/src/demos/easy_tls/cert.pem b/src/lib/libssl/src/demos/easy_tls/cert.pem
new file mode 100644
index 0000000000..d4d19d9ad1
--- /dev/null
+++ b/src/lib/libssl/src/demos/easy_tls/cert.pem
@@ -0,0 +1,31 @@
+$Id: cert.pem,v 1.1 2002/05/15 02:29:18 beck Exp $
+
+Example certificate and key.
+
+-----BEGIN CERTIFICATE-----
+MIIB1jCCAT8CAQEwDQYJKoZIhvcNAQEEBQAwRTELMAkGA1UEBhMCQVUxEzARBgNV
+BAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0
+ZDAeFw05OTA1MDEwMTI2MzVaFw05OTA1MzEwMTI2MzVaMCIxCzAJBgNVBAYTAkRF
+MRMwEQYDVQQDEwpUZXN0c2VydmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+gQD6I3oDKiexwwlkzjar69AIFnVUaG85LtCege2R+CtIDlkQYw68/8MbT3ou0pdF
+AcL9IGiYY3Y0SHM9PqF00RO1MCtNpqTnF3ScLpbmggGjKilmWYn2ai7emdjMjXVL
+tzWW2xGgIGATWQN32KgfJng4jXi1UjEiyLhkw0Zf1I/ggwIDAQABMA0GCSqGSIb3
+DQEBBAUAA4GBAMgM+sbAk8DfjSfa+Rf2gcGXmbrvZAzKzC+5RU3kaq/NyxIXAGco
+9dZjozzWfN/xuGup5boFk+KrP+xdgsaqGHsyzlgEoqz4ekqLjQeVbnoj339hVFU9
+MhPi6JULPxjXKumjfX2LLNkikW5puz8Df3UiX0EiaJvd7EwP8J75tiUT
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQD6I3oDKiexwwlkzjar69AIFnVUaG85LtCege2R+CtIDlkQYw68
+/8MbT3ou0pdFAcL9IGiYY3Y0SHM9PqF00RO1MCtNpqTnF3ScLpbmggGjKilmWYn2
+ai7emdjMjXVLtzWW2xGgIGATWQN32KgfJng4jXi1UjEiyLhkw0Zf1I/ggwIDAQAB
+AoGANST8c1etf1MU19oIO5aqaE19OCXIG7oakNLCCtVTPMfvnE+vffBJH7BPIUuU
+4BBzwRv1nQrkvk72TPjVjOAu81B1SStKQueun2flVuYxp9NyupNWCBley4QdohlP
+I92ml2tzTSPmNIoA6jdGyNzFcGchapRRmejsC39F1RUbHQECQQD9KX81Wt8ZOrri
+dWiEXja1L3X8Bkb9vvUjVMQDTJJPxBJjehC6eurgE6PP6SJD5p/f3RHPCcLr8tSM
+D4P/OpKhAkEA/PFNlhIZUDKK6aTvG2mn7qQ5phbadOoyN1Js3ttWG5OMOZ6b/QlC
+Wvp84h44506BIlv+Tg2YAI0AdBUrf7oEowJAM4joAVd/ROaEtqbJ4PBA2L9RmD06
+5FqkEk4mHLnQqvYx/BgUIbH18ClvVlqSBBqFfw/EmU3WZSuogt6Bs0ocIQJBAOxB
+AoPiYcxbeQ5kZIVJOXaX49SzUdaUDNVJYrEBUzsspHQJJo/Avz606kJVkjbSR6Ft
+JWmIHuqcyMikIV4KxFsCQQCU2evoVjVsqkkbHi7W28f73PGBsyu0KIwlK7nu4h08
+Daf7TAI+A6jW/WRUsJ6dFhUYi7/Jvkcdrlnbgm2fxziX
+-----END RSA PRIVATE KEY-----
diff --git a/src/lib/libssl/src/demos/easy_tls/easy-tls.c b/src/lib/libssl/src/demos/easy_tls/easy-tls.c
new file mode 100644
index 0000000000..9fa0ef9a6b
--- /dev/null
+++ b/src/lib/libssl/src/demos/easy_tls/easy-tls.c
@@ -0,0 +1,1235 @@
+/* -*- Mode: C; c-file-style: "bsd" -*- */
+/*
+ * easy-tls.c -- generic TLS proxy.
+ * $Id: easy-tls.c,v 1.1 2002/05/15 02:29:18 beck Exp $
+ */
+/*
+ (c) Copyright 1999 Bodo Moeller.  All rights reserved.
+
+ This is free software; you can redistributed and/or modify it
+ unter the terms of either
+   -  the GNU General Public License as published by the
+      Free Software Foundation, version 1, or (at your option)
+      any later version,
+ or
+   -  the following license:
+*/
+/*
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that each of the following
+ * conditions is met:
+ *
+ * 1. Redistributions qualify as "freeware" or "Open Source Software" under
+ *    one of the following terms:
+ * 
+ *    (a) Redistributions are made at no charge beyond the reasonable cost of
+ *        materials and delivery.
+ * 
+ *    (b) Redistributions are accompanied by a copy of the Source Code
+ *        or by an irrevocable offer to provide a copy of the Source Code
+ *        for up to three years at the cost of materials and delivery.
+ *        Such redistributions must allow further use, modification, and
+ *        redistribution of the Source Code under substantially the same
+ *        terms as this license.
+ *
+ * 2. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 3. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 4. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by Bodo Moeller."
+ *    (If available, substitute umlauted o for oe.)
+ *
+ * 5. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by Bodo Moeller."
+ *
+ * THIS SOFTWARE IS PROVIDED BY BODO MOELLER ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL BODO MOELLER OR
+ * HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/*
+ * Attribution for OpenSSL library:
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ * This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)
+ */
+
+static char const rcsid[] =
+"$Id: easy-tls.c,v 1.1 2002/05/15 02:29:18 beck Exp $";
+
+#include <assert.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/select.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/utsname.h>
+#include <unistd.h>
+
+#include <openssl/crypto.h>
+#include <openssl/dh.h>
+#include <openssl/dsa.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/opensslv.h>
+#include <openssl/pem.h>
+#include <openssl/rand.h>
+#ifndef NO_RSA
+ #include <openssl/rsa.h>
+#endif
+#include <openssl/ssl.h>
+#include <openssl/x509.h>
+#include <openssl/x509_vfy.h>
+
+#if OPENSSL_VERSION_NUMBER < 0x00904000L /* 0.9.4-dev */
+# error "This program needs OpenSSL 0.9.4 or later."
+#endif
+
+#include "easy-tls.h" /* include after <openssl/ssl.h> if both are needed */
+
+#if TLS_INFO_SIZE > PIPE_BUF
+# if PIPE_BUF < 512
+#  error "PIPE_BUF < 512" /* non-POSIX */
+# endif
+# error "TLS_INFO_SIZE > PIPE_BUF"
+#endif
+
+/*****************************************************************************/
+
+#ifdef TLS_APP
+# include TLS_APP
+#endif
+
+/* Applications can define:
+ *   TLS_APP_PROCESS_INIT -- void ...(int fd, int client_p, void *apparg)
+ *   TLS_CUMULATE_ERRORS 
+ *   TLS_ERROR_BUFSIZ
+ *   TLS_APP_ERRFLUSH -- void ...(int child_p, char *, size_t, void *apparg)
+ */
+
+#ifndef TLS_APP_PROCESS_INIT
+# define TLS_APP_PROCESS_INIT(fd, client_p, apparg) ((void) 0)
+#endif
+
+#ifndef TLS_ERROR_BUFSIZ
+# define TLS_ERROR_BUFSIZ (10*160)
+#endif
+#if TLS_ERROR_BUFSIZ < 2 /* {'\n',0} */
+# error "TLS_ERROR_BUFSIZE is too small."
+#endif
+
+#ifndef TLS_APP_ERRFLUSH
+# define TLS_APP_ERRFLUSH tls_app_errflush
+static void
+tls_app_errflush(int child_p, char *errbuf, size_t num, void *apparg)
+{
+    fputs(errbuf, stderr);
+}
+#endif
+
+/*****************************************************************************/
+
+#ifdef DEBUG_TLS
+# define DEBUG_MSG(x) fprintf(stderr,"  %s\n",x)
+# define DEBUG_MSG2(x,y) fprintf(stderr, "  %s: %d\n",x,y)
+static int tls_loop_count = 0;
+static int tls_select_count = 0;
+#else
+# define DEBUG_MSG(x) (void)0
+# define DEBUG_MSG2(x,y) (void)0
+#endif
+
+static void tls_rand_seed_uniquely(void);
+static void tls_proxy(int clear_fd, int tls_fd, int info_fd, SSL_CTX *ctx, int client_p);
+static int tls_socket_nonblocking(int fd);
+
+static int tls_child_p = 0;
+static void *tls_child_apparg;
+
+
+struct tls_start_proxy_args
+tls_start_proxy_defaultargs(void)
+{
+    struct tls_start_proxy_args ret;
+
+    ret.fd = -1;
+    ret.client_p = -1;
+    ret.ctx = NULL;
+    ret.pid = NULL;
+    ret.infofd = NULL;
+    
+    return ret;
+}
+
+/* Slice in TLS proxy process at fd.
+ * Return value:
+ *   0    ok  (*pid is set to child's PID if pid != NULL),
+ *   < 0  look at errno
+ *   > 0  other error
+ *   (return value encodes place of error)
+ *
+ */
+int
+tls_start_proxy(struct tls_start_proxy_args a, void *apparg)
+{
+    int fds[2] = {-1, -1};
+    int infofds[2] = {-1, -1};
+    int r, getfd, getfl;
+    int ret;
+
+    DEBUG_MSG2("tls_start_proxy fd", a.fd);
+    DEBUG_MSG2("tls_start_proxy client_p", a.client_p);
+
+    if (a.fd == -1 || a.client_p == -1 || a.ctx == NULL)
+        return 1;
+
+    if (a.pid != NULL) {
+        *a.pid = 0;
+    }
+    if (a.infofd != NULL) {
+        *a.infofd = -1;
+    }
+
+    r = socketpair(AF_UNIX, SOCK_STREAM, 0, fds);
+    if (r == -1)
+        return -1;
+    if (a.fd >= FD_SETSIZE || fds[0] >= FD_SETSIZE) {
+        ret = 2;
+        goto err;
+    }
+    if (a.infofd != NULL) {
+        r = pipe(infofds);
+        if (r == -1) {
+            ret = -3;
+            goto err;
+        }
+    }
+
+    r = fork();
+    if (r == -1) {
+        ret = -4;
+        goto err;
+    }
+    if (r == 0) {
+        DEBUG_MSG("fork");
+        tls_child_p = 1;
+        tls_child_apparg = apparg;
+        close(fds[1]);
+        if (infofds[0] != -1)
+            close(infofds[0]);
+        TLS_APP_PROCESS_INIT(a.fd, a.client_p, apparg);
+        DEBUG_MSG("TLS_APP_PROCESS_INIT");
+        tls_proxy(fds[0], a.fd, infofds[1], a.ctx, a.client_p);
+        exit(0);
+    }
+    if (a.pid != NULL)
+        *a.pid = r;
+    if (infofds[1] != -1) {
+        close(infofds[1]);
+        infofds[1] = -1;
+    }
+    /* install fds[1] in place of fd: */
+    close(fds[0]);
+    fds[0] = -1;
+    getfd = fcntl(a.fd, F_GETFD);
+    getfl = fcntl(a.fd, F_GETFL);
+    r = dup2(fds[1], a.fd);
+    close(fds[1]);
+    fds[1] = -1;
+    if (r == -1) {
+        ret = -5;
+        goto err;
+    }
+    if (getfd != 1)
+        fcntl(a.fd, F_SETFD, getfd);
+    if (getfl & O_NONBLOCK)
+        (void)tls_socket_nonblocking(a.fd);
+    if (a.infofd != NULL)
+        *a.infofd = infofds[0];
+    return 0;
+    
+  err:
+    if (fds[0] != -1)
+        close(fds[0]);
+    if (fds[1] != -1)
+        close(fds[1]);
+    if (infofds[0] != -1)
+        close(infofds[0]);
+    if (infofds[1] != -1)
+        close(infofds[1]);
+    return ret;
+}
+
+/*****************************************************************************/
+
+static char errbuf[TLS_ERROR_BUFSIZ];
+static size_t errbuf_i = 0;
+
+static void
+tls_errflush(void *apparg)
+{
+    if (errbuf_i == 0)
+        return;
+    
+    assert(errbuf_i < sizeof errbuf);
+    assert(errbuf[errbuf_i] == 0);
+    if (errbuf_i == sizeof errbuf - 1) {
+        /* make sure we have a newline, even if string has been truncated */
+        errbuf[errbuf_i - 1] = '\n';
+    }
+
+    /* TLS_APP_ERRFLUSH may modify the string as needed,
+     * e.g. substitute other characters for \n for convenience */
+    TLS_APP_ERRFLUSH(tls_child_p, errbuf, errbuf_i, apparg);
+
+    errbuf_i = 0;
+}
+
+static void
+tls_errprintf(int flush, void *apparg, const char *fmt, ...)
+{
+    va_list args;
+    int r;
+    
+    if (errbuf_i < sizeof errbuf - 1) {
+        size_t n;
+
+        va_start(args, fmt);
+        n = (sizeof errbuf) - errbuf_i;
+        r = vsnprintf(errbuf + errbuf_i, n, fmt, args);
+        if (r >= n)
+            r = n - 1;
+        if (r >= 0) {
+            errbuf_i += r;
+        } else {
+            errbuf_i = sizeof errbuf - 1;
+            errbuf[errbuf_i] = '\0';
+        }
+        assert(errbuf_i < sizeof errbuf);
+        assert(errbuf[errbuf_i] == 0);
+    }
+#ifndef TLS_CUMULATE_ERRORS
+    tls_errflush(apparg);
+#else
+    if (flush)
+        tls_errflush(apparg);
+#endif
+}
+
+/* app_prefix.. are for additional information provided by caller.
+ * If OpenSSL error queue is empty, print default_text ("???" if NULL).
+ */
+static char *
+tls_openssl_errors(const char *app_prefix_1, const char *app_prefix_2, const char *default_text, void *apparg)
+{
+    static char reasons[255];
+    size_t reasons_i;
+    unsigned long err;
+    const char *file;
+    int line;
+    const char *data;
+    int flags;
+    char *errstring;
+    int printed_something = 0;
+    
+    reasons_i = 0;
+
+    assert(app_prefix_1 != NULL);
+    assert(app_prefix_2 != NULL);
+
+    if (default_text == NULL)
+        default_text = "?""?""?";
+    
+    while ((err = ERR_get_error_line_data(&file,&line,&data,&flags)) != 0) {
+        if (reasons_i < sizeof reasons) {
+            size_t n;
+            int r;
+
+            n = (sizeof reasons) - reasons_i;
+            r = snprintf(reasons + reasons_i, n, "%s%s", (reasons_i > 0 ? ", " : ""), ERR_reason_error_string(err));
+            if (r >= n)
+                r = n - 1;
+            if (r >= 0) {
+                reasons_i += r;
+            } else {
+                reasons_i = sizeof reasons;
+            }
+            assert(reasons_i <= sizeof reasons);
+        }
+        
+        errstring = ERR_error_string(err, NULL);
+        assert(errstring != NULL);
+        tls_errprintf(0, apparg, "OpenSSL error%s%s: %s:%s:%d:%s\n", app_prefix_1, app_prefix_2, errstring, file, line, (flags & ERR_TXT_STRING) ? data : "");
+        printed_something = 1;
+    }
+
+    if (!printed_something) {
+        assert(reasons_i == 0);
+        snprintf(reasons, sizeof reasons, "%s", default_text);
+        tls_errprintf(0, apparg, "OpenSSL error%s%s: %s\n", app_prefix_1, app_prefix_2, default_text);
+    }
+
+#ifdef TLS_CUMULATE_ERRORS    
+    tls_errflush(apparg);
+#endif
+    assert(errbuf_i == 0);
+
+    return reasons;
+}
+
+/*****************************************************************************/
+
+static int tls_init_done = 0;
+
+static int
+tls_init(void *apparg)
+{
+    if (tls_init_done)
+        return 0;
+    
+    SSL_load_error_strings();
+    if (!SSL_library_init() /* aka SSLeay_add_ssl_algorithms() */ ) {
+        tls_errprintf(1, apparg, "SSL_library_init failed.\n");
+        return -1;
+    }
+    tls_init_done = 1;
+    tls_rand_seed();
+    return 0;
+}
+
+/*****************************************************************************/
+
+static void
+tls_rand_seed_uniquely(void)
+{
+    struct {
+        pid_t pid;
+        time_t time;
+        void *stack;
+    } data;
+
+    data.pid = getpid();
+    data.time = time(NULL);
+    data.stack = (void *)&data;
+
+    RAND_seed((const void *)&data, sizeof data);
+}
+
+void
+tls_rand_seed(void)
+{
+    struct {
+        struct utsname uname;
+        int uname_1;
+        int uname_2;
+        uid_t uid;
+        uid_t euid;
+        gid_t gid;
+        gid_t egid;
+    } data;
+    
+    data.uname_1 = uname(&data.uname);
+    data.uname_2 = errno; /* Let's hope that uname fails randomly :-) */
+
+    data.uid = getuid();
+    data.euid = geteuid();
+    data.gid = getgid();
+    data.egid = getegid();
+    
+    RAND_seed((const void *)&data, sizeof data);
+    tls_rand_seed_uniquely();
+}
+
+static int tls_rand_seeded_p = 0;
+
+#define my_MIN_SEED_BYTES 256 /* struct stat can be larger than 128 */
+int
+tls_rand_seed_from_file(const char *filename, size_t n, void *apparg)
+{
+    /* Seed OpenSSL's random number generator from file.
+       Try to read n bytes if n > 0, whole file if n == 0. */
+
+    int r;
+
+    if (tls_init(apparg) == -1)
+        return -1;
+    tls_rand_seed();
+
+    r = RAND_load_file(filename, (n > 0 && n < LONG_MAX) ? (long)n : LONG_MAX);
+    /* r is the number of bytes filled into the random number generator,
+     * which are taken from "stat(filename, ...)" in addition to the
+     * file contents.
+     */
+    assert(1 < my_MIN_SEED_BYTES);
+    /* We need to detect at least those cases when the file does not exist
+     * at all.  With current versions of OpenSSL, this should do it: */
+    if (n == 0)
+        n = my_MIN_SEED_BYTES;
+    if (r < n) {
+        tls_errprintf(1, apparg, "rand_seed_from_file: could not read %d bytes from %s.\n", n, filename);
+        return -1;
+    } else {
+        tls_rand_seeded_p = 1;
+        return 0;
+    }
+}
+
+void
+tls_rand_seed_from_memory(const void *buf, size_t n)
+{
+    size_t i = 0;
+    
+    while (i < n) {
+        size_t rest = n - i;
+        int chunk = rest < INT_MAX ? (int)rest : INT_MAX;
+        RAND_seed((const char *)buf + i, chunk);
+        i += chunk;
+    }
+    tls_rand_seeded_p = 1;
+}
+
+
+/*****************************************************************************/
+
+struct tls_x509_name_string {
+    char str[100];
+};
+
+static void
+tls_get_x509_subject_name_oneline(X509 *cert, struct tls_x509_name_string *namestring)
+{
+    X509_NAME *name;
+
+    if (cert == NULL) {
+        namestring->str[0] = '\0';
+        return;
+    }
+    
+    name = X509_get_subject_name(cert); /* does not increment any reference counter */
+
+    assert(sizeof namestring->str >= 4); /* "?" or "...", plus 0 */
+    
+    if (name == NULL) {
+        namestring->str[0] = '?';
+        namestring->str[1] = 0;
+    } else {
+        size_t len;
+
+        X509_NAME_oneline(name, namestring->str, sizeof namestring->str);
+        len = strlen(namestring->str);
+        assert(namestring->str[len] == 0);
+        assert(len < sizeof namestring->str);
+
+        if (len+1 == sizeof namestring->str) {
+            /* (Probably something was cut off.)
+             * Does not really work -- X509_NAME_oneline truncates after
+             * name components, we cannot tell from the result whether
+             * anything is missing. */
+
+            assert(namestring->str[len] == 0);
+            namestring->str[--len] = '.';
+            namestring->str[--len] = '.';
+            namestring->str[--len] = '.';
+        }
+    }
+}
+
+/*****************************************************************************/
+
+/* to hinder OpenSSL from asking for passphrases */
+static int
+no_passphrase_callback(char *buf, int num, int w, void *arg)
+{
+    return -1;
+}
+
+static int
+verify_dont_fail_cb(X509_STORE_CTX *c, void *unused_arg)
+{
+    int i;
+    
+    i = X509_verify_cert(c); /* sets c->error */
+#if OPENSSL_VERSION_NUMBER >= 0x00905000L /* don't allow unverified
+                                           * certificates -- they could
+                                           * survive session reuse, but
+                                           * OpenSSL < 0.9.5-dev does not
+                                           * preserve their verify_result */
+    if (i == 0)
+        return 1;
+    else
+#endif
+        return i;
+}
+
+static DH *tls_dhe1024 = NULL; /* generating these takes a while, so do it just once */
+
+void
+tls_set_dhe1024(int i, void *apparg)
+{
+    DSA *dsaparams;
+    DH *dhparams;
+    const char *seed[] = { ";-)  :-(  :-)  :-(  ",
+                           ";-)  :-(  :-)  :-(  ",
+                           "Random String no. 12",
+                           ";-)  :-(  :-)  :-(  ",
+                           "hackers have even mo", /* from jargon file */
+    };
+    unsigned char seedbuf[20];
+    
+    tls_init(apparg);
+    if (i >= 0) {
+        i %= sizeof seed / sizeof seed[0];
+        assert(strlen(seed[i]) == 20);
+        memcpy(seedbuf, seed[i], 20);
+        dsaparams = DSA_generate_parameters(1024, seedbuf, 20, NULL, NULL, 0, NULL);
+    } else {
+        /* random parameters (may take a while) */
+        dsaparams = DSA_generate_parameters(1024, NULL, 0, NULL, NULL, 0, NULL);
+    }
+    
+    if (dsaparams == NULL) {
+        tls_openssl_errors("", "", NULL, apparg);
+        return;
+    }
+    dhparams = DSA_dup_DH(dsaparams);
+    DSA_free(dsaparams);
+    if (dhparams == NULL) {
+        tls_openssl_errors("", "", NULL, apparg);
+        return;
+    }
+    if (tls_dhe1024 != NULL)
+        DH_free(tls_dhe1024);
+    tls_dhe1024 = dhparams;
+}
+
+struct tls_create_ctx_args
+tls_create_ctx_defaultargs(void)
+{
+        struct tls_create_ctx_args ret;
+
+        ret.client_p = 0;
+        ret.certificate_file = NULL;
+        ret.key_file = NULL;
+        ret.ca_file = NULL;
+        ret.verify_depth = -1;
+        ret.fail_unless_verified = 0;
+        ret.export_p = 0;
+
+        return ret;
+}
+
+SSL_CTX *
+tls_create_ctx(struct tls_create_ctx_args a, void *apparg)
+{
+    int r;
+    static long context_num = 0;
+    SSL_CTX *ret;
+    const char *err_pref_1 = "", *err_pref_2 = "";
+    
+    if (tls_init(apparg) == -1)
+        return NULL;
+
+    ret = SSL_CTX_new((a.client_p? SSLv23_client_method:SSLv23_server_method)());
+
+    if (ret == NULL)
+        goto err;
+
+    SSL_CTX_set_default_passwd_cb(ret, no_passphrase_callback);
+    SSL_CTX_set_mode(ret, SSL_MODE_ENABLE_PARTIAL_WRITE);
+    
+    if ((a.certificate_file != NULL) || (a.key_file != NULL)) {
+        if (a.key_file == NULL) {
+            tls_errprintf(1, apparg, "Need a key file.\n");
+            goto err_return;
+        }
+        if (a.certificate_file == NULL) {
+            tls_errprintf(1, apparg, "Need a certificate chain file.\n");
+            goto err_return;
+        }
+        
+        if (!SSL_CTX_use_PrivateKey_file(ret, a.key_file, SSL_FILETYPE_PEM))
+            goto err;
+        if (!tls_rand_seeded_p) {
+            /* particularly paranoid people may not like this --
+             * so provide your own random seeding before calling this */
+            if (tls_rand_seed_from_file(a.key_file, 0, apparg) == -1)
+                goto err_return;
+        }
+        if (!SSL_CTX_use_certificate_chain_file(ret, a.certificate_file))
+            goto err;
+        if (!SSL_CTX_check_private_key(ret)) {
+            tls_errprintf(1, apparg, "Private key \"%s\" does not match certificate \"%s\".\n", a.key_file, a.certificate_file);
+            goto err_peek;
+        }
+    }
+    
+    if ((a.ca_file != NULL) || (a.verify_depth > 0)) {
+        context_num++;
+        r = SSL_CTX_set_session_id_context(ret, (const void *)&context_num, (unsigned int)sizeof context_num);
+        if (!r)
+            goto err;
+        
+        SSL_CTX_set_verify(ret, SSL_VERIFY_PEER | (a.fail_unless_verified ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0), 0);
+        if (!a.fail_unless_verified)
+            SSL_CTX_set_cert_verify_callback(ret, verify_dont_fail_cb, NULL);
+            
+        if (a.verify_depth > 0)
+            SSL_CTX_set_verify_depth(ret, a.verify_depth);
+        
+        if (a.ca_file != NULL) {
+            r = SSL_CTX_load_verify_locations(ret, a.ca_file, NULL /* no CA-directory */); /* does not report failure if file does not exist ... */
+            if (!r) {
+                err_pref_1 = " while processing certificate file ";
+                err_pref_2 = a.ca_file;
+                goto err;
+            }
+            
+            if (!a.client_p) {
+                /* SSL_load_client_CA_file is a misnomer, it just creates a list of CNs. */
+                SSL_CTX_set_client_CA_list(ret, SSL_load_client_CA_file(a.ca_file));
+                /* SSL_CTX_set_client_CA_list does not have a return value;
+                 * it does not really need one, but make sure
+                 * (we really test if SSL_load_client_CA_file worked) */
+                if (SSL_CTX_get_client_CA_list(ret) == NULL) {
+                    tls_errprintf(1, apparg, "Could not set client CA list from \"%s\".\n", a.ca_file);
+                    goto err_peek;
+                }
+            }
+        }
+    }
+    
+    if (!a.client_p) {
+        if (tls_dhe1024 == NULL) {
+            int i;
+
+            RAND_bytes((unsigned char *) &i, sizeof i);
+            /* make sure that i is non-negative -- pick one of the provided
+             * seeds */
+            if (i < 0)
+                i = -i;
+            if (i < 0)
+                i = 0;
+            tls_set_dhe1024(i, apparg);
+            if (tls_dhe1024 == NULL)
+                goto err_return;
+        }
+        
+        if (!SSL_CTX_set_tmp_dh(ret, tls_dhe1024))
+            goto err;
+
+        /* avoid small subgroup attacks: */
+        SSL_CTX_set_options(ret, SSL_OP_SINGLE_DH_USE);
+    }
+        
+#ifndef NO_RSA
+    if (!a.client_p && a.export_p) {
+        RSA *tmpkey;
+
+        tmpkey = RSA_generate_key(512, RSA_F4, 0, NULL);
+        if (tmpkey == NULL)
+            goto err;
+        if (!SSL_CTX_set_tmp_rsa(ret, tmpkey)) {
+            RSA_free(tmpkey);
+            goto err;
+        }
+        RSA_free(tmpkey); /* SSL_CTX_set_tmp_rsa uses a duplicate. */
+    }
+#endif
+        
+    return ret;
+    
+ err_peek:
+    if (!ERR_peek_error())
+        goto err_return;
+ err:
+    tls_openssl_errors(err_pref_1, err_pref_2, NULL, apparg);
+ err_return:
+    if (ret != NULL)
+        SSL_CTX_free(ret);
+    return NULL;
+}
+
+
+/*****************************************************************************/
+
+static int
+tls_socket_nonblocking(int fd)
+{
+    int v, r;
+
+    v = fcntl(fd, F_GETFL, 0);
+    if (v == -1) {
+        if (errno == EINVAL)
+            return 0; /* already shut down -- ignore */
+        return -1;
+    }
+    r = fcntl(fd, F_SETFL, v | O_NONBLOCK);
+    if (r == -1) {
+        if (errno == EINVAL)
+            return 0; /* already shut down -- ignore */
+        return -1;
+    }
+    return 0;
+}
+
+static int
+max(int a, int b)
+{
+    return a > b ? a : b;
+}
+
+static void
+tls_sockets_select(int read_select_1, int read_select_2, int write_select_1, int write_select_2, int seconds /* timeout, -1 means no timeout */)
+{
+    int maxfd, n;
+    fd_set reads, writes;
+    struct timeval timeout;
+    struct timeval *timeout_p;
+    
+    assert(read_select_1 >= -1 && read_select_2 >= -1 && write_select_1 >= -1 && write_select_2 >= -1);
+    assert(read_select_1 < FD_SETSIZE && read_select_2 < FD_SETSIZE -1 && write_select_1 < FD_SETSIZE -1 && write_select_2 < FD_SETSIZE -1);
+
+    maxfd = max(max(read_select_1, read_select_2), max(write_select_1, write_select_2));
+    assert(maxfd >= 0);
+
+    FD_ZERO(&reads);
+    FD_ZERO(&writes);
+    
+    for(n = 0; n < 4; ++n) {
+        int i = n % 2;
+        int w = n >= 2;
+        /* loop over all (i, w) in {0,1}x{0,1} */
+        int fd;
+        
+        if (i == 0 && w == 0)
+            fd = read_select_1;
+        else if (i == 1 && w == 0)
+            fd = read_select_2;
+        else if (i == 0 && w == 1)
+            fd = write_select_1;
+        else {
+            assert(i == 1 && w == 1);
+            fd = write_select_2;
+        }
+        
+        if (fd >= 0) {
+            if (w == 0)
+                FD_SET(fd, &reads);
+            else /* w == 1 */
+                FD_SET(fd, &writes);
+        }
+    }
+
+    if (seconds >= 0) {
+        timeout.tv_sec = seconds;
+        timeout.tv_usec = 0;
+        timeout_p = &timeout;
+    } else 
+        timeout_p = NULL;
+
+    DEBUG_MSG2("select no.", ++tls_select_count);
+    select(maxfd + 1, &reads, &writes, (fd_set *) NULL, timeout_p);
+    DEBUG_MSG("cont.");
+}
+
+/*****************************************************************************/
+
+#define TUNNELBUFSIZE (16*1024)
+struct tunnelbuf {
+    char buf[TUNNELBUFSIZE];
+    size_t len;
+    size_t offset;
+};
+
+static int tls_connect_attempt(SSL *, int *write_select, int *read_select, int *closed, int *progress, const char **err_pref);
+
+static int tls_accept_attempt(SSL *, int *write_select, int *read_select, int *closed, int *progress, const char **err_pref);
+
+static int tls_write_attempt(SSL *, struct tunnelbuf *, int *write_select, int *read_select, int *closed, int *progress, const char **err_pref);
+
+static int tls_read_attempt(SSL *, struct tunnelbuf *, int *write_select, int *read_select, int *closed, int *progress, const char **err_pref);
+
+static int write_attempt(int fd, struct tunnelbuf *, int *select, int *closed, int *progress);
+
+static int read_attempt(int fd, struct tunnelbuf *, int *select, int *closed, int *progress);
+
+static void write_info(SSL *ssl, int *info_fd)
+{
+    if (*info_fd != -1) {
+        long v;
+        int v_ok;
+        struct tls_x509_name_string peer;
+        char infobuf[TLS_INFO_SIZE];
+        int r;
+
+        DEBUG_MSG("write_info");
+        v = SSL_get_verify_result(ssl);
+        v_ok = (v == X509_V_OK) ? 'A' : 'E'; /* Auth./Error */
+        {
+            X509 *peercert;
+
+            peercert = SSL_get_peer_certificate(ssl);
+            tls_get_x509_subject_name_oneline(peercert, &peer);
+            if (peercert != NULL)
+                X509_free(peercert);
+        }
+        if (peer.str[0] == '\0')
+            v_ok = '0'; /* no cert at all */
+        else
+            if (strchr(peer.str, '\n')) {
+                /* should not happen, but make sure */
+                *strchr(peer.str, '\n') = '\0';
+            }
+        r = snprintf(infobuf, sizeof infobuf, "%c:%s\n%s\n", v_ok, X509_verify_cert_error_string(v), peer.str);
+        DEBUG_MSG2("snprintf", r);
+        if (r == -1 || r >= sizeof infobuf)
+            r = sizeof infobuf - 1;
+        write(*info_fd, infobuf, r);
+        close (*info_fd);
+        *info_fd = -1;
+    }
+}
+
+
+/* tls_proxy expects that all fds are closed after return */
+static void
+tls_proxy(int clear_fd, int tls_fd, int info_fd, SSL_CTX *ctx, int client_p)
+{
+    struct tunnelbuf clear_to_tls, tls_to_clear;
+    SSL *ssl;
+    BIO *rbio, *wbio;
+    int closed, in_handshake;
+    const char *err_pref_1 = "", *err_pref_2 = "";
+    const char *err_def = NULL;
+
+    assert(clear_fd != -1);
+    assert(tls_fd != -1);
+    assert(clear_fd < FD_SETSIZE);
+    assert(tls_fd < FD_SETSIZE);
+    /* info_fd may be -1 */
+    assert(ctx != NULL);
+
+    tls_rand_seed_uniquely();
+
+    tls_socket_nonblocking(clear_fd);
+    DEBUG_MSG2("clear_fd", clear_fd);
+    tls_socket_nonblocking(tls_fd);
+    DEBUG_MSG2("tls_fd", tls_fd);
+
+    ssl = SSL_new(ctx);
+    if (ssl == NULL)
+        goto err;
+    DEBUG_MSG("SSL_new");
+    if (!SSL_set_fd(ssl, tls_fd))
+        goto err;
+    rbio = SSL_get_rbio(ssl);
+    wbio = SSL_get_wbio(ssl); /* should be the same, but who cares */
+    assert(rbio != NULL);
+    assert(wbio != NULL);
+    if (client_p)
+        SSL_set_connect_state(ssl);
+    else
+        SSL_set_accept_state(ssl);
+    
+    closed = 0;
+    in_handshake = 1;
+    tls_to_clear.len = 0;
+    tls_to_clear.offset = 0;
+    clear_to_tls.len = 0;
+    clear_to_tls.offset = 0;
+
+    err_def = "I/O error";
+    
+    /* loop finishes as soon as we detect that one side closed;
+     * when all (program and OS) buffers have enough space,
+     * the data from the last succesful read in each direction is transferred
+     * before close */
+    do {
+        int clear_read_select = 0, clear_write_select = 0,
+            tls_read_select = 0, tls_write_select = 0,
+            progress = 0;
+        int r;
+        unsigned long num_read = BIO_number_read(rbio),
+            num_written = BIO_number_written(wbio);
+
+        DEBUG_MSG2("loop iteration", ++tls_loop_count);
+
+        if (in_handshake) {
+            DEBUG_MSG("in_handshake");
+            if (client_p)
+                r = tls_connect_attempt(ssl, &tls_write_select, &tls_read_select, &closed, &progress, &err_pref_1);
+            else
+                r = tls_accept_attempt(ssl, &tls_write_select, &tls_read_select, &closed, &progress, &err_pref_1);
+            if (r != 0) {
+                write_info(ssl, &info_fd);
+                goto err;
+            }
+            if (closed)
+                goto err_return;
+            if (!SSL_in_init(ssl)) {
+                in_handshake = 0;
+                write_info(ssl, &info_fd);
+            }
+        }
+        
+        if (clear_to_tls.len != 0 && !in_handshake) {
+            assert(!closed);
+            
+            r = tls_write_attempt(ssl, &clear_to_tls, &tls_write_select, &tls_read_select, &closed, &progress, &err_pref_1);
+            if (r != 0)
+                goto err;
+            if (closed) {
+                assert(progress);
+                tls_to_clear.offset = 0;
+                tls_to_clear.len = 0;
+            }
+        }
+        
+        if (tls_to_clear.len != 0) {
+            assert(!closed);
+
+            r = write_attempt(clear_fd, &tls_to_clear, &clear_write_select, &closed, &progress);
+            if (r != 0)
+                goto err_return;
+            if (closed) {
+                assert(progress);
+                clear_to_tls.offset = 0;
+                clear_to_tls.len = 0;
+            }
+        }
+        
+        if (!closed) {
+            if (clear_to_tls.offset + clear_to_tls.len < sizeof clear_to_tls.buf) {
+                r = read_attempt(clear_fd, &clear_to_tls, &clear_read_select, &closed, &progress);
+                if (r != 0)
+                    goto err_return;
+                if (closed) {
+                    r = SSL_shutdown(ssl);
+                    DEBUG_MSG2("SSL_shutdown", r);
+                }
+            }
+        }
+        
+        if (!closed && !in_handshake) {
+            if (tls_to_clear.offset + tls_to_clear.len < sizeof tls_to_clear.buf) {
+                r = tls_read_attempt(ssl, &tls_to_clear, &tls_write_select, &tls_read_select, &closed, &progress, &err_pref_1);
+                if (r != 0)
+                    goto err;
+                if (closed) {
+                    r = SSL_shutdown(ssl);
+                    DEBUG_MSG2("SSL_shutdown", r);
+                }
+            }
+        }
+
+        if (!progress) {
+            DEBUG_MSG("!progress?");
+            if (num_read != BIO_number_read(rbio) || num_written != BIO_number_written(wbio))
+                progress = 1;
+
+            if (!progress) {
+                DEBUG_MSG("!progress");
+                assert(clear_read_select || tls_read_select || clear_write_select || tls_write_select);
+                tls_sockets_select(clear_read_select ? clear_fd : -1, tls_read_select ? tls_fd : -1, clear_write_select ? clear_fd : -1, tls_write_select ? tls_fd : -1, -1);
+            }
+        }
+    } while (!closed);
+    return;
+
+ err:
+    tls_openssl_errors(err_pref_1, err_pref_2, err_def, tls_child_apparg);
+ err_return:
+    return;
+}
+
+
+static int
+tls_get_error(SSL *ssl, int r, int *write_select, int *read_select, int *closed, int *progress)
+{
+    int err = SSL_get_error(ssl, r);
+
+    if (err == SSL_ERROR_NONE) {
+        assert(r > 0);
+        *progress = 1;
+        return 0;
+    }
+
+    assert(r <= 0);
+
+    switch (err) {
+    case SSL_ERROR_ZERO_RETURN:
+        assert(r == 0);
+        *closed = 1;
+        *progress = 1;
+        return 0;
+
+    case SSL_ERROR_WANT_WRITE:
+        *write_select = 1;
+        return 0;
+        
+    case SSL_ERROR_WANT_READ:
+        *read_select = 1;
+        return 0;
+    }
+
+    return -1;
+}
+
+static int
+tls_connect_attempt(SSL *ssl, int *write_select, int *read_select, int *closed, int *progress, const char **err_pref)
+{
+    int n, r;
+
+    DEBUG_MSG("tls_connect_attempt");
+    n = SSL_connect(ssl);
+    DEBUG_MSG2("SSL_connect",n);
+    r = tls_get_error(ssl, n, write_select, read_select, closed, progress);
+    if (r == -1)
+        *err_pref = " during SSL_connect";
+    return r;
+}
+
+static int
+tls_accept_attempt(SSL *ssl, int *write_select, int *read_select, int *closed, int *progress, const char **err_pref)
+{
+    int n, r;
+
+    DEBUG_MSG("tls_accept_attempt");
+    n = SSL_accept(ssl);
+    DEBUG_MSG2("SSL_accept",n);
+    r = tls_get_error(ssl, n, write_select, read_select, closed, progress);
+    if (r == -1)
+        *err_pref = " during SSL_accept";
+    return r;
+}
+
+static int
+tls_write_attempt(SSL *ssl, struct tunnelbuf *buf, int *write_select, int *read_select, int *closed, int *progress, const char **err_pref)
+{
+    int n, r;
+
+    DEBUG_MSG("tls_write_attempt");
+    n = SSL_write(ssl, buf->buf + buf->offset, buf->len);
+    DEBUG_MSG2("SSL_write",n);
+    r = tls_get_error(ssl, n, write_select, read_select, closed, progress);
+    if (n > 0) {
+        buf->len -= n;
+        assert(buf->len >= 0);
+        if (buf->len == 0)
+            buf->offset = 0;
+        else
+            buf->offset += n;
+    }
+    if (r == -1)
+        *err_pref = " during SSL_write";
+    return r;
+}
+
+static int
+tls_read_attempt(SSL *ssl, struct tunnelbuf *buf, int *write_select, int *read_select, int *closed, int *progress, const char **err_pref)
+{
+    int n, r;
+    size_t total;
+
+    DEBUG_MSG("tls_read_attempt");
+    total = buf->offset + buf->len;
+    assert(total < sizeof buf->buf);
+    n = SSL_read(ssl, buf->buf + total, (sizeof buf->buf) - total);
+    DEBUG_MSG2("SSL_read",n);
+    r = tls_get_error(ssl, n, write_select, read_select, closed, progress);
+    if (n > 0) {
+        buf->len += n;
+        assert(buf->offset + buf->len <= sizeof buf->buf);
+    }
+    if (r == -1)
+        *err_pref = " during SSL_read";
+    return r;
+}
+
+static int
+get_error(int r, int *select, int *closed, int *progress)
+{
+    if (r >= 0) {
+        *progress = 1;
+        if (r == 0)
+            *closed = 1;
+        return 0;
+    } else {
+        assert(r == -1);
+        if (errno == EAGAIN || errno == EWOULDBLOCK) {
+            *select = 1;
+            return 0;
+        } else if (errno == EPIPE) {
+            *progress = 1;
+            *closed = 1;
+            return 0;
+        } else
+            return -1;
+    }
+}
+
+static int write_attempt(int fd, struct tunnelbuf *buf, int *select, int *closed, int *progress)
+{
+    int n, r;
+
+    DEBUG_MSG("write_attempt");
+    n = write(fd, buf->buf + buf->offset, buf->len);
+    DEBUG_MSG2("write",n);
+    r = get_error(n, select, closed, progress);
+    if (n > 0) {
+        buf->len -= n;
+        assert(buf->len >= 0);
+        if (buf->len == 0)
+            buf->offset = 0;
+        else
+            buf->offset += n;
+    }
+    if (r == -1)
+        tls_errprintf(1, tls_child_apparg, "write error: %s\n", strerror(errno));
+    return r;
+}
+    
+static int
+read_attempt(int fd, struct tunnelbuf *buf, int *select, int *closed, int *progress)
+{
+    int n, r;
+    size_t total;
+
+    DEBUG_MSG("read_attempt");
+    total = buf->offset + buf->len;
+    assert(total < sizeof buf->buf);
+    n = read(fd, buf->buf + total, (sizeof buf->buf) - total);
+    DEBUG_MSG2("read",n);
+    r = get_error(n, select, closed, progress);
+    if (n > 0) {
+        buf->len += n;
+        assert(buf->offset + buf->len <= sizeof buf->buf);
+    }
+    if (r == -1)
+        tls_errprintf(1, tls_child_apparg, "read error: %s\n", strerror(errno));
+    return r;
+}
diff --git a/src/lib/libssl/src/demos/easy_tls/easy-tls.h b/src/lib/libssl/src/demos/easy_tls/easy-tls.h
new file mode 100644
index 0000000000..0cfbd8fe7b
--- /dev/null
+++ b/src/lib/libssl/src/demos/easy_tls/easy-tls.h
@@ -0,0 +1,57 @@
+/* -*- Mode: C; c-file-style: "bsd" -*- */
+/*
+ * easy-tls.h -- generic TLS proxy.
+ * $Id: easy-tls.h,v 1.1 2002/05/15 02:29:18 beck Exp $
+ */
+/*
+ * (c) Copyright 1999 Bodo Moeller.  All rights reserved.
+ */
+
+#ifndef HEADER_TLS_H
+#define HEADER_TLS_H
+
+#ifndef HEADER_SSL_H
+typedef struct ssl_ctx_st SSL_CTX;
+#endif
+
+#define TLS_INFO_SIZE 512 /* max. # of bytes written to infofd */
+
+void tls_set_dhe1024(int i, void* apparg);
+/* Generate DHE parameters:
+ * i >= 0 deterministic (i selects seed), i < 0 random (may take a while).
+ * tls_create_ctx calls this with random non-negative i if the application
+ * has never called it.*/
+
+void tls_rand_seed(void);
+int tls_rand_seed_from_file(const char *filename, size_t n, void *apparg);
+void tls_rand_seed_from_memory(const void *buf, size_t n);
+
+struct tls_create_ctx_args 
+{
+    int client_p;
+    const char *certificate_file;
+    const char *key_file;
+    const char *ca_file;
+    int verify_depth;
+    int fail_unless_verified;
+    int export_p;
+};
+struct tls_create_ctx_args tls_create_ctx_defaultargs(void);
+/* struct tls_create_ctx_args is similar to a conventional argument list,
+ * but it can provide default values and allows for future extension. */
+SSL_CTX *tls_create_ctx(struct tls_create_ctx_args, void *apparg);
+
+struct tls_start_proxy_args
+{
+    int fd;
+    int client_p;
+    SSL_CTX *ctx;
+    pid_t *pid;
+    int *infofd;
+};
+struct tls_start_proxy_args tls_start_proxy_defaultargs(void);
+/* tls_start_proxy return value *MUST* be checked!
+ * 0 means ok, otherwise we've probably run out of some resources. */
+int tls_start_proxy(struct tls_start_proxy_args, void *apparg);
+
+#endif
diff --git a/src/lib/libssl/src/demos/easy_tls/test.c b/src/lib/libssl/src/demos/easy_tls/test.c
new file mode 100644
index 0000000000..4ce676ca93
--- /dev/null
+++ b/src/lib/libssl/src/demos/easy_tls/test.c
@@ -0,0 +1,244 @@
+/* test.c */
+/* $Id: test.c,v 1.1 2002/05/15 02:29:18 beck Exp $ */
+
+#define L_PORT 9999
+#define C_PORT 443
+
+#include <arpa/inet.h>
+#include <assert.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <netinet/in.h>
+#include <netinet/tcp.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/select.h>
+#include <sys/socket.h>
+#include <unistd.h>
+
+#include "test.h"
+#include "easy-tls.h"
+
+void
+test_process_init(int fd, int client_p, void *apparg)
+{
+    fprintf(stderr, "test_process_init(fd = %d, client_p = %d, apparg = %p)\n", fd, client_p, apparg);
+}
+
+void
+test_errflush(int child_p, char *errbuf, size_t num, void *apparg)
+{
+    fputs(errbuf, stderr);
+}
+
+
+int
+main(int argc, char *argv[])
+{
+    int s, fd, r;
+    FILE *conn_in;
+    FILE *conn_out;
+    char buf[256];
+    SSL_CTX *ctx;
+    int client_p = 0;
+    int port;
+    int tls = 0;
+    char infobuf[TLS_INFO_SIZE + 1];
+
+    if (argc > 1 && argv[1][0] == '-') {
+        fputs("Usage: test [port]                   -- server\n"
+              "       test num.num.num.num [port]   -- client\n",
+              stderr);
+        exit(1);
+    }
+
+    if (argc > 1) {
+        if (strchr(argv[1], '.')) {
+            client_p = 1;
+        }
+    }
+    
+    fputs(client_p ? "Client\n" : "Server\n", stderr);
+    
+    {
+        struct tls_create_ctx_args a = tls_create_ctx_defaultargs();
+        a.client_p = client_p;
+        a.certificate_file = "cert.pem";
+        a.key_file = "cert.pem";
+        a.ca_file = "cacerts.pem";
+        
+        ctx = tls_create_ctx(a, NULL);
+        if (ctx == NULL)
+            exit(1);
+    }
+    
+    s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+    if (s == -1) {
+        perror("socket");
+        exit(1);
+    }
+    
+    if (client_p) {
+        struct sockaddr_in addr;
+        size_t addr_len = sizeof addr;
+            
+        addr.sin_family = AF_INET;
+        assert(argc > 1);
+        if (argc > 2)
+            sscanf(argv[2], "%d", &port);
+        else
+            port = C_PORT;
+        addr.sin_port = htons(port);
+        addr.sin_addr.s_addr = inet_addr(argv[1]);
+            
+        r = connect(s, &addr, addr_len);
+        if (r != 0) {
+            perror("connect");
+            exit(1);
+        }
+        fd = s;
+        fprintf(stderr, "Connect (fd = %d).\n", fd);
+    } else {
+        /* server */
+        {
+            int i = 1;
+
+            r = setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *) &i, sizeof i);
+            if (r == -1) {
+                perror("setsockopt");
+                exit(1);
+            }
+        }
+        
+        {
+            struct sockaddr_in addr;
+            size_t addr_len = sizeof addr;
+            
+            if (argc > 1)
+                sscanf(argv[1], "%d", &port);
+            else
+                port = L_PORT;
+            addr.sin_family = AF_INET;
+            addr.sin_port = htons(port);
+            addr.sin_addr.s_addr = INADDR_ANY;
+            
+            r = bind(s, &addr, addr_len);
+            if (r != 0) {
+                perror("bind");
+                exit(1);
+            }
+        }
+    
+        r = listen(s, 1);
+        if (r == -1) {
+            perror("listen");
+            exit(1);
+        }
+
+        fprintf(stderr, "Listening at port %i.\n", port);
+        
+        fd = accept(s, NULL, 0);
+        if (fd == -1) {
+            perror("accept");
+            exit(1);
+        }
+        
+        fprintf(stderr, "Accept (fd = %d).\n", fd);
+    }
+
+    conn_in = fdopen(fd, "r");
+    if (conn_in == NULL) {
+        perror("fdopen");
+        exit(1);
+    }
+    conn_out = fdopen(fd, "w");
+    if (conn_out == NULL) {
+        perror("fdopen");
+        exit(1);
+    }
+
+    setvbuf(conn_in, NULL, _IOLBF, 256);
+    setvbuf(conn_out, NULL, _IOLBF, 256);
+        
+    while (fgets(buf, sizeof buf, stdin) != NULL) {
+        if (buf[0] == 'W') {
+            fprintf(conn_out, "%.*s\r\n", (int)(strlen(buf + 1) - 1), buf + 1);
+            fprintf(stderr, ">>> %.*s\n", (int)(strlen(buf + 1) - 1), buf + 1);
+        } else if (buf[0] == 'C') {
+            fprintf(stderr, "Closing.\n");
+            fclose(conn_in);
+            fclose(conn_out);
+            exit(0);
+        } else if (buf[0] == 'R') {
+            int lines = 0;
+
+            sscanf(buf + 1, "%d", &lines);
+            do {
+                if (fgets(buf, sizeof buf, conn_in) == NULL) {
+                    if (ferror(conn_in)) {
+                        fprintf(stderr, "ERROR\n");
+                        exit(1);
+                    }
+                    fprintf(stderr, "CLOSED\n");
+                    return 0;
+                }
+                fprintf(stderr, "<<< %s", buf);
+            } while (--lines > 0);
+        } else if (buf[0] == 'T') {
+            int infofd;
+
+            tls++;
+            {
+                struct tls_start_proxy_args a = tls_start_proxy_defaultargs();
+                a.fd = fd;
+                a.client_p = client_p;
+                a.ctx = ctx;
+                a.infofd = &infofd;
+                r = tls_start_proxy(a, NULL);
+            }
+            assert(r != 1);
+            if (r != 0) {
+                fprintf(stderr, "tls_start_proxy failed: %d\n", r);
+                switch (r) {
+                case -1:
+                    fputs("socketpair", stderr); break;
+                case 2:
+                    fputs("FD_SETSIZE exceeded", stderr); break;
+                case -3:
+                    fputs("pipe", stderr); break;
+                case -4:
+                    fputs("fork", stderr); break;
+                case -5:
+                    fputs("dup2", stderr); break;
+                default:
+                    fputs("?", stderr);
+                }
+                if (r < 0)
+                    perror("");
+                else
+                    fputc('\n', stderr);
+                exit(1);
+            }
+            
+            r = read(infofd, infobuf, sizeof infobuf - 1);
+            if (r > 0) {
+                const char *info = infobuf;
+                const char *eol;
+                
+                infobuf[r] = '\0';
+                while ((eol = strchr(info, '\n')) != NULL) {
+                    fprintf(stderr, "+++ `%.*s'\n", eol - info, info);
+                    info = eol+1;
+                }
+                close (infofd);
+            }
+        } else {
+            fprintf(stderr, "W...  write line to network\n"
+                    "R[n]  read line (n lines) from network\n"
+                    "C     close\n"
+                    "T     start %sTLS proxy\n", tls ? "another " : "");
+        }
+    }
+    return 0;
+}
diff --git a/src/lib/libssl/src/demos/easy_tls/test.h b/src/lib/libssl/src/demos/easy_tls/test.h
new file mode 100644
index 0000000000..c580169464
--- /dev/null
+++ b/src/lib/libssl/src/demos/easy_tls/test.h
@@ -0,0 +1,11 @@
+/* test.h */
+/* $Id: test.h,v 1.1 2002/05/15 02:29:18 beck Exp $ */
+
+
+void test_process_init(int fd, int client_p, void *apparg);
+#define TLS_APP_PROCESS_INIT test_process_init
+
+#undef TLS_CUMULATE_ERRORS
+
+void test_errflush(int child_p, char *errbuf, size_t num, void *apparg);
+#define TLS_APP_ERRFLUSH test_errflush
diff --git a/src/lib/libssl/src/demos/eay/Makefile b/src/lib/libssl/src/demos/eay/Makefile
new file mode 100644
index 0000000000..2d22eaca56
--- /dev/null
+++ b/src/lib/libssl/src/demos/eay/Makefile
@@ -0,0 +1,24 @@
+CC=cc
+CFLAGS= -g -I../../include
+#LIBS=  -L../.. -lcrypto -lssl
+LIBS= -L../.. ../../libssl.a ../../libcrypto.a
+
+# the file conn.c requires a file "proxy.h" which I couldn't find...
+#EXAMPLES=base64 conn loadrsa
+EXAMPLES=base64 loadrsa
+
+all: $(EXAMPLES) 
+
+base64: base64.o
+        $(CC) -o base64 base64.o $(LIBS)
+#
+# sorry... can't find "proxy.h"
+#conn: conn.o
+#       $(CC) -o conn conn.o $(LIBS)
+
+loadrsa: loadrsa.o
+        $(CC) -o loadrsa loadrsa.o $(LIBS)
+
+clean:  
+        rm -f $(EXAMPLES) *.o
+
diff --git a/src/lib/libssl/src/demos/eay/base64.c b/src/lib/libssl/src/demos/eay/base64.c
new file mode 100644
index 0000000000..4b8b0627d1
--- /dev/null
+++ b/src/lib/libssl/src/demos/eay/base64.c
@@ -0,0 +1,49 @@
+/* This is a simple example of using the base64 BIO to a memory BIO and then
+ * getting the data.
+ */
+#include <stdio.h>
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+
+main()
+        {
+        int i;
+        BIO *mbio,*b64bio,*bio;
+        char buf[512];
+        char *p;
+
+        mbio=BIO_new(BIO_s_mem());
+        b64bio=BIO_new(BIO_f_base64());
+
+        bio=BIO_push(b64bio,mbio);
+        /* We now have bio pointing at b64->mem, the base64 bio encodes on
+         * write and decodes on read */
+
+        for (;;)
+                {
+                i=fread(buf,1,512,stdin);
+                if (i <= 0) break;
+                BIO_write(bio,buf,i);
+                }
+        /* We need to 'flush' things to push out the encoding of the
+         * last few bytes.  There is special encoding if it is not a
+         * multiple of 3
+         */
+        BIO_flush(bio);
+
+        printf("We have %d bytes available\n",BIO_pending(mbio));
+
+        /* We will now get a pointer to the data and the number of elements. */
+        /* hmm... this one was not defined by a macro in bio.h, it will be for
+         * 0.9.1.  The other option is too just read from the memory bio.
+         */
+        i=(int)BIO_ctrl(mbio,BIO_CTRL_INFO,0,(char *)&p);
+
+        printf("%d\n",i);
+        fwrite("---\n",1,4,stdout);
+        fwrite(p,1,i,stdout);
+        fwrite("---\n",1,4,stdout);
+
+        /* This call will walk the chain freeing all the BIOs */
+        BIO_free_all(bio);
+        }
diff --git a/src/lib/libssl/src/demos/eay/conn.c b/src/lib/libssl/src/demos/eay/conn.c
new file mode 100644
index 0000000000..c4b8f5163e
--- /dev/null
+++ b/src/lib/libssl/src/demos/eay/conn.c
@@ -0,0 +1,105 @@
+/* NOCW */
+/* demos/eay/conn.c */
+
+/* A minimal program to connect to a port using the sock4a protocol.
+ *
+ * cc -I../../include conn.c -L../.. -lcrypto
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/err.h>
+#include <openssl/bio.h>
+/* #include "proxy.h" */
+
+extern int errno;
+
+int main(argc,argv)
+int argc;
+char *argv[];
+        {
+        PROXY *pxy;
+        char *host;
+        char buf[1024*10],*p;
+        BIO *bio;
+        int i,len,off,ret=1;
+
+        if (argc <= 1)
+                host="localhost:4433";
+        else
+                host=argv[1];
+
+        /* Lets get nice error messages */
+        ERR_load_crypto_strings();
+
+        /* First, configure proxy settings */
+        pxy=PROXY_new();
+        PROXY_add_server(pxy,PROXY_PROTOCOL_SOCKS,"gromit:1080");
+
+        bio=BIO_new(BIO_s_socks4a_connect());
+
+        BIO_set_conn_hostname(bio,host);
+        BIO_set_proxies(bio,pxy);
+        BIO_set_socks_userid(bio,"eay");
+        BIO_set_nbio(bio,1);
+
+        p="GET / HTTP/1.0\r\n\r\n";
+        len=strlen(p);
+
+        off=0;
+        for (;;)
+                {
+                i=BIO_write(bio,&(p[off]),len);
+                if (i <= 0)
+                        {
+                        if (BIO_should_retry(bio))
+                                {
+                                fprintf(stderr,"write DELAY\n");
+                                sleep(1);
+                                continue;
+                                }
+                        else
+                                {
+                                goto err;
+                                }
+                        }
+                off+=i;
+                len-=i;
+                if (len <= 0) break;
+                }
+
+        for (;;)
+                {
+                i=BIO_read(bio,buf,sizeof(buf));
+                if (i == 0) break;
+                if (i < 0)
+                        {
+                        if (BIO_should_retry(bio))
+                                {
+                                fprintf(stderr,"read DELAY\n");
+                                sleep(1);
+                                continue;
+                                }
+                        goto err;
+                        }
+                fwrite(buf,1,i,stdout);
+                }
+
+        ret=1;
+
+        if (0)
+                {
+err:
+                if (ERR_peek_error() == 0) /* system call error */
+                        {
+                        fprintf(stderr,"errno=%d ",errno);
+                        perror("error");
+                        }
+                else
+                        ERR_print_errors_fp(stderr);
+                }
+        BIO_free_all(bio);
+        if (pxy != NULL) PROXY_free(pxy);
+        exit(!ret);
+        return(ret);
+        }
+
diff --git a/src/lib/libssl/src/demos/eay/loadrsa.c b/src/lib/libssl/src/demos/eay/loadrsa.c
new file mode 100644
index 0000000000..79f1885ca4
--- /dev/null
+++ b/src/lib/libssl/src/demos/eay/loadrsa.c
@@ -0,0 +1,53 @@
+#include <stdio.h>
+#include <openssl/rsa.h>
+
+/* This is a simple program to generate an RSA private key.  It then
+ * saves both the public and private key into a char array, then
+ * re-reads them.  It saves them as DER encoded binary data.
+ */
+
+void callback(stage,count,arg)
+int stage,count;
+char *arg;
+        {
+        FILE *out;
+
+        out=(FILE *)arg;
+        fprintf(out,"%d",stage);
+        if (stage == 3)
+                fprintf(out,"\n");
+        fflush(out);
+        }
+
+main()
+        {
+        RSA *rsa,*pub_rsa,*priv_rsa;
+        int len;
+        unsigned char buf[1024],*p;
+
+        rsa=RSA_generate_key(512,RSA_F4,callback,(char *)stdout);
+
+        p=buf;
+
+        /* Save the public key into buffer, we know it will be big enough
+         * but we should really check how much space we need by calling the
+         * i2d functions with a NULL second parameter */
+        len=i2d_RSAPublicKey(rsa,&p);
+        len+=i2d_RSAPrivateKey(rsa,&p);
+
+        printf("The public and private key are now both in a char array\n");
+        printf("and are taking up %d bytes\n",len);
+
+        RSA_free(rsa);
+
+        p=buf;
+        pub_rsa=d2i_RSAPublicKey(NULL,&p,(long)len);
+        len-=(p-buf);
+        priv_rsa=d2i_RSAPrivateKey(NULL,&p,(long)len);
+
+        if ((pub_rsa == NULL) || (priv_rsa == NULL))
+                ERR_print_errors_fp(stderr);
+
+        RSA_free(pub_rsa);
+        RSA_free(priv_rsa);
+        }
diff --git a/src/lib/libssl/src/demos/pkcs12/README b/src/lib/libssl/src/demos/pkcs12/README
new file mode 100644
index 0000000000..c87434b04f
--- /dev/null
+++ b/src/lib/libssl/src/demos/pkcs12/README
@@ -0,0 +1,3 @@
+PKCS#12 demo applications
+
+Written by Steve Henson.
diff --git a/src/lib/libssl/src/demos/pkcs12/pkread.c b/src/lib/libssl/src/demos/pkcs12/pkread.c
new file mode 100644
index 0000000000..8e1b686312
--- /dev/null
+++ b/src/lib/libssl/src/demos/pkcs12/pkread.c
@@ -0,0 +1,61 @@
+/* pkread.c */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include <openssl/pkcs12.h>
+
+/* Simple PKCS#12 file reader */
+
+int main(int argc, char **argv)
+{
+        FILE *fp;
+        EVP_PKEY *pkey;
+        X509 *cert;
+        STACK_OF(X509) *ca = NULL;
+        PKCS12 *p12;
+        int i;
+        if (argc != 4) {
+                fprintf(stderr, "Usage: pkread p12file password opfile\n");
+                exit (1);
+        }
+        SSLeay_add_all_algorithms();
+        ERR_load_crypto_strings();
+        if (!(fp = fopen(argv[1], "rb"))) {
+                fprintf(stderr, "Error opening file %s\n", argv[1]);
+                exit(1);
+        }
+        p12 = d2i_PKCS12_fp(fp, NULL);
+        fclose (fp);
+        if (!p12) {
+                fprintf(stderr, "Error reading PKCS#12 file\n");
+                ERR_print_errors_fp(stderr);
+                exit (1);
+        }
+        if (!PKCS12_parse(p12, argv[2], &pkey, &cert, &ca)) {
+                fprintf(stderr, "Error parsing PKCS#12 file\n");
+                ERR_print_errors_fp(stderr);
+                exit (1);
+        }
+        PKCS12_free(p12);
+        if (!(fp = fopen(argv[3], "w"))) {
+                fprintf(stderr, "Error opening file %s\n", argv[1]);
+                exit(1);
+        }
+        if (pkey) {
+                fprintf(fp, "***Private Key***\n");
+                PEM_write_PrivateKey(fp, pkey, NULL, NULL, 0, NULL, NULL);
+        }
+        if (cert) {
+                fprintf(fp, "***User Certificate***\n");
+                PEM_write_X509_AUX(fp, cert);
+        }
+        if (ca && sk_num(ca)) {
+                fprintf(fp, "***Other Certificates***\n");
+                for (i = 0; i < sk_X509_num(ca); i++) 
+                    PEM_write_X509_AUX(fp, sk_X509_value(ca, i));
+        }
+        fclose(fp);
+        return 0;
+}
diff --git a/src/lib/libssl/src/demos/pkcs12/pkwrite.c b/src/lib/libssl/src/demos/pkcs12/pkwrite.c
new file mode 100644
index 0000000000..15f839d1eb
--- /dev/null
+++ b/src/lib/libssl/src/demos/pkcs12/pkwrite.c
@@ -0,0 +1,46 @@
+/* pkwrite.c */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include <openssl/pkcs12.h>
+
+/* Simple PKCS#12 file creator */
+
+int main(int argc, char **argv)
+{
+        FILE *fp;
+        EVP_PKEY *pkey;
+        X509 *cert;
+        PKCS12 *p12;
+        if (argc != 5) {
+                fprintf(stderr, "Usage: pkwrite infile password name p12file\n");
+                exit(1);
+        }
+        SSLeay_add_all_algorithms();
+        ERR_load_crypto_strings();
+        if (!(fp = fopen(argv[1], "r"))) {
+                fprintf(stderr, "Error opening file %s\n", argv[1]);
+                exit(1);
+        }
+        cert = PEM_read_X509(fp, NULL, NULL, NULL);
+        rewind(fp);
+        pkey = PEM_read_PrivateKey(fp, NULL, NULL, NULL);
+        fclose(fp);
+        p12 = PKCS12_create(argv[2], argv[3], pkey, cert, NULL, 0,0,0,0,0);
+        if(!p12) {
+                fprintf(stderr, "Error creating PKCS#12 structure\n");
+                ERR_print_errors_fp(stderr);
+                exit(1);
+        }
+        if (!(fp = fopen(argv[4], "wb"))) {
+                fprintf(stderr, "Error opening file %s\n", argv[1]);
+                ERR_print_errors_fp(stderr);
+                exit(1);
+        }
+        i2d_PKCS12_fp(fp, p12);
+        PKCS12_free(p12);
+        fclose(fp);
+        return 0;
+}
diff --git a/src/lib/libssl/src/demos/prime/Makefile b/src/lib/libssl/src/demos/prime/Makefile
new file mode 100644
index 0000000000..0166cd46fe
--- /dev/null
+++ b/src/lib/libssl/src/demos/prime/Makefile
@@ -0,0 +1,20 @@
+CC=cc
+CFLAGS= -g -I../../include -Wall
+LIBS=  -L../.. -lcrypto
+EXAMPLES=prime
+
+all: $(EXAMPLES) 
+
+prime: prime.o
+        $(CC) -o prime prime.o $(LIBS)
+
+clean:  
+        rm -f $(EXAMPLES) *.o
+
+test: all
+        @echo Test creating a 128-bit prime
+        ./prime 128
+        @echo Test creating a 256-bit prime
+        ./prime 256
+        @echo Test creating a 512-bit prime
+        ./prime 512
diff --git a/src/lib/libssl/src/demos/sign/Makefile b/src/lib/libssl/src/demos/sign/Makefile
new file mode 100644
index 0000000000..e6d391e4ad
--- /dev/null
+++ b/src/lib/libssl/src/demos/sign/Makefile
@@ -0,0 +1,15 @@
+CC=cc
+CFLAGS= -g -I../../include -Wall
+LIBS=  -L../.. -lcrypto
+EXAMPLES=sign
+
+all: $(EXAMPLES) 
+
+sign: sign.o
+        $(CC) -o sign sign.o $(LIBS)
+
+clean:  
+        rm -f $(EXAMPLES) *.o
+
+test: all
+        ./sign
diff --git a/src/lib/libssl/src/demos/state_machine/Makefile b/src/lib/libssl/src/demos/state_machine/Makefile
new file mode 100644
index 0000000000..c7a114540d
--- /dev/null
+++ b/src/lib/libssl/src/demos/state_machine/Makefile
@@ -0,0 +1,9 @@
+CFLAGS=-I../../include -Wall -Werror -g
+
+all: state_machine
+
+state_machine: state_machine.o
+        $(CC) -o state_machine state_machine.o -L../.. -lssl -lcrypto
+
+test: state_machine
+        ./state_machine 10000 ../../apps/server.pem ../../apps/server.pem
diff --git a/src/lib/libssl/src/demos/state_machine/state_machine.c b/src/lib/libssl/src/demos/state_machine/state_machine.c
new file mode 100644
index 0000000000..fef3f3e3d1
--- /dev/null
+++ b/src/lib/libssl/src/demos/state_machine/state_machine.c
@@ -0,0 +1,416 @@
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * Nuron, a leader in hardware encryption technology, generously
+ * sponsored the development of this demo by Ben Laurie.
+ *
+ * See http://www.nuron.com/.
+ */
+
+/*
+ * the aim of this demo is to provide a fully working state-machine
+ * style SSL implementation, i.e. one where the main loop acquires
+ * some data, then converts it from or to SSL by feeding it into the
+ * SSL state machine. It then does any I/O required by the state machine
+ * and loops.
+ *
+ * In order to keep things as simple as possible, this implementation
+ * listens on a TCP socket, which it expects to get an SSL connection
+ * on (for example, from s_client) and from then on writes decrypted
+ * data to stdout and encrypts anything arriving on stdin. Verbose
+ * commentary is written to stderr.
+ *
+ * This implementation acts as a server, but it can also be done for a client.  */
+
+#include <openssl/ssl.h>
+#include <assert.h>
+#include <unistd.h>
+#include <string.h>
+#include <openssl/err.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+
+/* die_unless is intended to work like assert, except that it happens
+   always, even if NDEBUG is defined. Use assert as a stopgap. */
+
+#define die_unless(x)   assert(x)
+
+typedef struct
+    {
+    SSL_CTX *pCtx;
+    BIO *pbioRead;
+    BIO *pbioWrite;
+    SSL *pSSL;
+    } SSLStateMachine;
+
+void SSLStateMachine_print_error(SSLStateMachine *pMachine,const char *szErr)
+    {
+    unsigned long l;
+
+    fprintf(stderr,"%s\n",szErr);
+    while((l=ERR_get_error()))
+        {
+        char buf[1024];
+
+        ERR_error_string_n(l,buf,sizeof buf);
+        fprintf(stderr,"Error %lx: %s\n",l,buf);
+        }
+    }
+
+SSLStateMachine *SSLStateMachine_new(const char *szCertificateFile,
+                                     const char *szKeyFile)
+    {
+    SSLStateMachine *pMachine=malloc(sizeof *pMachine);
+    int n;
+
+    die_unless(pMachine);
+
+    pMachine->pCtx=SSL_CTX_new(SSLv23_server_method());
+    die_unless(pMachine->pCtx);
+
+    n=SSL_CTX_use_certificate_file(pMachine->pCtx,szCertificateFile,
+                                   SSL_FILETYPE_PEM);
+    die_unless(n > 0);
+
+    n=SSL_CTX_use_PrivateKey_file(pMachine->pCtx,szKeyFile,SSL_FILETYPE_PEM);
+    die_unless(n > 0);
+
+    pMachine->pSSL=SSL_new(pMachine->pCtx);
+    die_unless(pMachine->pSSL);
+
+    pMachine->pbioRead=BIO_new(BIO_s_mem());
+
+    pMachine->pbioWrite=BIO_new(BIO_s_mem());
+
+    SSL_set_bio(pMachine->pSSL,pMachine->pbioRead,pMachine->pbioWrite);
+
+    SSL_set_accept_state(pMachine->pSSL);
+
+    return pMachine;
+    }
+
+void SSLStateMachine_read_inject(SSLStateMachine *pMachine,
+                                 const unsigned char *aucBuf,int nBuf)
+    {
+    int n=BIO_write(pMachine->pbioRead,aucBuf,nBuf);
+    /* If it turns out this assert fails, then buffer the data here
+     * and just feed it in in churn instead. Seems to me that it
+     * should be guaranteed to succeed, though.
+     */
+    assert(n == nBuf);
+    fprintf(stderr,"%d bytes of encrypted data fed to state machine\n",n);
+    }
+
+int SSLStateMachine_read_extract(SSLStateMachine *pMachine,
+                                 unsigned char *aucBuf,int nBuf)
+    {
+    int n;
+
+    if(!SSL_is_init_finished(pMachine->pSSL))
+        {
+        fprintf(stderr,"Doing SSL_accept\n");
+        n=SSL_accept(pMachine->pSSL);
+        if(n == 0)
+            fprintf(stderr,"SSL_accept returned zero\n");
+        if(n < 0)
+            {
+            int err;
+
+            if((err=SSL_get_error(pMachine->pSSL,n)) == SSL_ERROR_WANT_READ)
+                {
+                fprintf(stderr,"SSL_accept wants more data\n");
+                return 0;
+                }
+
+            SSLStateMachine_print_error(pMachine,"SSL_accept error");
+            exit(7);
+            }
+        return 0;
+        }
+
+    n=SSL_read(pMachine->pSSL,aucBuf,nBuf);
+    if(n < 0)
+        {
+        int err=SSL_get_error(pMachine->pSSL,n);
+
+        if(err == SSL_ERROR_WANT_READ)
+            {
+            fprintf(stderr,"SSL_read wants more data\n");
+            return 0;
+            }
+
+        SSLStateMachine_print_error(pMachine,"SSL_read error");
+        exit(8);
+        }
+
+    fprintf(stderr,"%d bytes of decrypted data read from state machine\n",n);
+    return n;
+    }
+
+int SSLStateMachine_write_can_extract(SSLStateMachine *pMachine)
+    {
+    int n=BIO_pending(pMachine->pbioWrite);
+    if(n)
+        fprintf(stderr,"There is encrypted data available to write\n");
+    else
+        fprintf(stderr,"There is no encrypted data available to write\n");
+
+    return n;
+    }
+
+int SSLStateMachine_write_extract(SSLStateMachine *pMachine,
+                                  unsigned char *aucBuf,int nBuf)
+    {
+    int n;
+
+    n=BIO_read(pMachine->pbioWrite,aucBuf,nBuf);
+    fprintf(stderr,"%d bytes of encrypted data read from state machine\n",n);
+    return n;
+    }
+
+void SSLStateMachine_write_inject(SSLStateMachine *pMachine,
+                                  const unsigned char *aucBuf,int nBuf)
+    {
+    int n=SSL_write(pMachine->pSSL,aucBuf,nBuf);
+    /* If it turns out this assert fails, then buffer the data here
+     * and just feed it in in churn instead. Seems to me that it
+     * should be guaranteed to succeed, though.
+     */
+    assert(n == nBuf);
+    fprintf(stderr,"%d bytes of unencrypted data fed to state machine\n",n);
+    }
+
+int OpenSocket(int nPort)
+    {
+    int nSocket;
+    struct sockaddr_in saServer;
+    struct sockaddr_in saClient;
+    int one=1;
+    int nSize;
+    int nFD;
+    int nLen;
+
+    nSocket=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
+    if(nSocket < 0)
+        {
+        perror("socket");
+        exit(1);
+        }
+
+    if(setsockopt(nSocket,SOL_SOCKET,SO_REUSEADDR,(char *)&one,sizeof one) < 0)
+        {
+        perror("setsockopt");
+        exit(2);
+        }
+
+    memset(&saServer,0,sizeof saServer);
+    saServer.sin_family=AF_INET;
+    saServer.sin_port=htons(nPort);
+    nSize=sizeof saServer;
+    if(bind(nSocket,(struct sockaddr *)&saServer,nSize) < 0)
+        {
+        perror("bind");
+        exit(3);
+        }
+
+    if(listen(nSocket,512) < 0)
+        {
+        perror("listen");
+        exit(4);
+        }
+
+    nLen=sizeof saClient;
+    nFD=accept(nSocket,(struct sockaddr *)&saClient,&nLen);
+    if(nFD < 0)
+        {
+        perror("accept");
+        exit(5);
+        }
+
+    fprintf(stderr,"Incoming accepted on port %d\n",nPort);
+
+    return nFD;
+    }
+
+int main(int argc,char **argv)
+    {
+    SSLStateMachine *pMachine;
+    int nPort;
+    int nFD;
+    const char *szCertificateFile;
+    const char *szKeyFile;
+    char rbuf[1];
+    int nrbuf=0;
+
+    if(argc != 4)
+        {
+        fprintf(stderr,"%s <port> <certificate file> <key file>\n",argv[0]);
+        exit(6);
+        }
+
+    nPort=atoi(argv[1]);
+    szCertificateFile=argv[2];
+    szKeyFile=argv[3];
+
+    SSL_library_init();
+    OpenSSL_add_ssl_algorithms();
+    SSL_load_error_strings();
+    ERR_load_crypto_strings();
+
+    nFD=OpenSocket(nPort);
+
+    pMachine=SSLStateMachine_new(szCertificateFile,szKeyFile);
+
+    for( ; ; )
+        {
+        fd_set rfds,wfds;
+        unsigned char buf[1024];
+        int n;
+
+        FD_ZERO(&rfds);
+        FD_ZERO(&wfds);
+
+        /* Select socket for input */
+        FD_SET(nFD,&rfds);
+
+        /* check whether there's decrypted data */
+        if(!nrbuf)
+            nrbuf=SSLStateMachine_read_extract(pMachine,rbuf,1);
+
+        /* if there's decrypted data, check whether we can write it */
+        if(nrbuf)
+            FD_SET(1,&wfds);
+
+        /* Select socket for output */
+        if(SSLStateMachine_write_can_extract(pMachine))
+            FD_SET(nFD,&wfds);
+
+        /* Select stdin for input */
+        FD_SET(0,&rfds);
+
+        /* Wait for something to do something */
+        n=select(nFD+1,&rfds,&wfds,NULL,NULL);
+        assert(n > 0);
+
+        /* Socket is ready for input */
+        if(FD_ISSET(nFD,&rfds))
+            {
+            n=read(nFD,buf,sizeof buf);
+            if(n == 0)
+                {
+                fprintf(stderr,"Got EOF on socket\n");
+                exit(0);
+                }
+            assert(n > 0);
+
+            SSLStateMachine_read_inject(pMachine,buf,n);
+            }
+
+        /* stdout is ready for output (and hence we have some to send it) */
+        if(FD_ISSET(1,&wfds))
+            {
+            assert(nrbuf == 1);
+            buf[0]=rbuf[0];
+            nrbuf=0;
+
+            n=SSLStateMachine_read_extract(pMachine,buf+1,sizeof buf-1);
+            if(n < 0)
+                {
+                SSLStateMachine_print_error(pMachine,"read extract failed");
+                break;
+                }
+            assert(n >= 0);
+            ++n;
+            if(n > 0) /* FIXME: has to be true now */
+                {
+                int w;
+                
+                w=write(1,buf,n);
+                /* FIXME: we should push back any unwritten data */
+                assert(w == n);
+                }
+            }
+
+        /* Socket is ready for output (and therefore we have output to send) */
+        if(FD_ISSET(nFD,&wfds))
+            {
+            int w;
+
+            n=SSLStateMachine_write_extract(pMachine,buf,sizeof buf);
+            assert(n > 0);
+
+            w=write(nFD,buf,n);
+            /* FIXME: we should push back any unwritten data */
+            assert(w == n);
+            }
+
+        /* Stdin is ready for input */
+        if(FD_ISSET(0,&rfds))
+            {
+            n=read(0,buf,sizeof buf);
+            if(n == 0)
+                {
+                fprintf(stderr,"Got EOF on stdin\n");
+                exit(0);
+                }
+            assert(n > 0);
+
+            SSLStateMachine_write_inject(pMachine,buf,n);
+            }
+        }
+    /* not reached */
+    return 0;
+    }
diff --git a/src/lib/libssl/src/demos/tunala/A-client.pem b/src/lib/libssl/src/demos/tunala/A-client.pem
new file mode 100644
index 0000000000..a4caf6ef8a
--- /dev/null
+++ b/src/lib/libssl/src/demos/tunala/A-client.pem
@@ -0,0 +1,84 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: C=NZ, L=Wellington, O=Really Irresponsible Authorisation Authority (RIAA), OU=Cert-stamping, CN=Jackov al-Trades/Email=none@fake.domain
+        Validity
+            Not Before: Jan 16 05:19:30 2002 GMT
+            Not After : Jan 14 05:19:30 2012 GMT
+        Subject: C=NZ, L=Auckland, O=Mordor, OU=SSL grunt things, CN=tunala-client/Email=client@fake.domain
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:b0:d3:56:5c:c8:7f:fb:f4:95:9d:04:84:4f:82:
+                    b7:a2:75:5c:81:48:8c:56:5d:52:ee:38:e1:5c:c8:
+                    9a:70:8e:72:f2:00:1c:17:ef:df:b7:06:59:82:04:
+                    f1:f6:49:11:12:a6:4d:cb:1e:ed:ac:59:1c:4a:d0:
+                    3d:de:e6:f2:8d:cd:39:c2:0f:e0:46:2f:db:cb:9f:
+                    47:f7:56:e7:f8:16:5f:68:71:fb:3a:e3:ab:d2:e5:
+                    05:b7:da:65:61:fe:6d:30:e4:12:a8:b5:c1:71:24:
+                    6b:aa:80:05:41:17:a0:8b:6e:8b:e6:04:cf:85:7b:
+                    2a:ac:a1:79:7d:f4:96:6e:77
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier: 
+                F8:43:CB:4F:4D:4F:BC:6E:52:1A:FD:F9:7B:E1:12:3F:A7:A3:BA:93
+            X509v3 Authority Key Identifier: 
+                keyid:49:FB:45:72:12:C4:CC:E1:45:A1:D3:08:9E:95:C4:2C:6D:55:3F:17
+                DirName:/C=NZ/L=Wellington/O=Really Irresponsible Authorisation Authority (RIAA)/OU=Cert-stamping/CN=Jackov al-Trades/Email=none@fake.domain
+                serial:00
+
+    Signature Algorithm: md5WithRSAEncryption
+        8f:5f:0e:43:da:9d:61:43:7e:03:38:9a:e6:50:9d:42:e8:95:
+        34:49:75:ec:04:8d:5c:85:99:94:70:a0:e7:1f:1e:a0:8b:0f:
+        d6:e2:cb:f7:35:d9:96:72:bd:a6:e9:8d:4e:b1:e2:ac:97:7f:
+        2f:70:01:9d:aa:04:bc:d4:01:2b:63:77:a5:de:63:3c:a8:f5:
+        f2:72:af:ec:11:12:c0:d4:70:cf:71:a6:fb:e9:1d:b3:27:07:
+        aa:f2:b1:f3:87:d6:ab:8b:ce:c2:08:1b:3c:f9:ba:ff:77:71:
+        86:09:ef:9e:4e:04:06:63:44:e9:93:20:90:c7:2d:50:c6:50:
+        f8:66
+-----BEGIN CERTIFICATE-----
+MIID9TCCA16gAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBtDELMAkGA1UEBhMCTlox
+EzARBgNVBAcTCldlbGxpbmd0b24xPDA6BgNVBAoTM1JlYWxseSBJcnJlc3BvbnNp
+YmxlIEF1dGhvcmlzYXRpb24gQXV0aG9yaXR5IChSSUFBKTEWMBQGA1UECxMNQ2Vy
+dC1zdGFtcGluZzEZMBcGA1UEAxMQSmFja292IGFsLVRyYWRlczEfMB0GCSqGSIb3
+DQEJARYQbm9uZUBmYWtlLmRvbWFpbjAeFw0wMjAxMTYwNTE5MzBaFw0xMjAxMTQw
+NTE5MzBaMIGHMQswCQYDVQQGEwJOWjERMA8GA1UEBxMIQXVja2xhbmQxDzANBgNV
+BAoTBk1vcmRvcjEZMBcGA1UECxMQU1NMIGdydW50IHRoaW5nczEWMBQGA1UEAxMN
+dHVuYWxhLWNsaWVudDEhMB8GCSqGSIb3DQEJARYSY2xpZW50QGZha2UuZG9tYWlu
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCw01ZcyH/79JWdBIRPgreidVyB
+SIxWXVLuOOFcyJpwjnLyABwX79+3BlmCBPH2SRESpk3LHu2sWRxK0D3e5vKNzTnC
+D+BGL9vLn0f3Vuf4Fl9ocfs646vS5QW32mVh/m0w5BKotcFxJGuqgAVBF6CLbovm
+BM+FeyqsoXl99JZudwIDAQABo4IBQDCCATwwCQYDVR0TBAIwADAsBglghkgBhvhC
+AQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFPhD
+y09NT7xuUhr9+XvhEj+no7qTMIHhBgNVHSMEgdkwgdaAFEn7RXISxMzhRaHTCJ6V
+xCxtVT8XoYG6pIG3MIG0MQswCQYDVQQGEwJOWjETMBEGA1UEBxMKV2VsbGluZ3Rv
+bjE8MDoGA1UEChMzUmVhbGx5IElycmVzcG9uc2libGUgQXV0aG9yaXNhdGlvbiBB
+dXRob3JpdHkgKFJJQUEpMRYwFAYDVQQLEw1DZXJ0LXN0YW1waW5nMRkwFwYDVQQD
+ExBKYWNrb3YgYWwtVHJhZGVzMR8wHQYJKoZIhvcNAQkBFhBub25lQGZha2UuZG9t
+YWluggEAMA0GCSqGSIb3DQEBBAUAA4GBAI9fDkPanWFDfgM4muZQnULolTRJdewE
+jVyFmZRwoOcfHqCLD9biy/c12ZZyvabpjU6x4qyXfy9wAZ2qBLzUAStjd6XeYzyo
+9fJyr+wREsDUcM9xpvvpHbMnB6rysfOH1quLzsIIGzz5uv93cYYJ755OBAZjROmT
+IJDHLVDGUPhm
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQCw01ZcyH/79JWdBIRPgreidVyBSIxWXVLuOOFcyJpwjnLyABwX
+79+3BlmCBPH2SRESpk3LHu2sWRxK0D3e5vKNzTnCD+BGL9vLn0f3Vuf4Fl9ocfs6
+46vS5QW32mVh/m0w5BKotcFxJGuqgAVBF6CLbovmBM+FeyqsoXl99JZudwIDAQAB
+AoGAU4chbqbPvkclPYzaq2yGLlneHrwUft+KwzlfS6L/QVgo+CQRIUWQmjaHpaGM
+YtjVFcg1S1QK1bUqZjTEZT0XKhfbYmqW8yYTfbcDEbnY7esoYlvIlW8qRlPRlTBE
+utKrtZafmVhLgoNawYGD0aLZofPqpYjbGUlrC7nrem2vNJECQQDVLD3Qb+OlEMET
+73ApnJhYsK3e+G2LTrtjrS8y5zS4+Xv61XUqvdV7ogzRl0tpvSAmMOItVyoYadkB
+S3xSIWX9AkEA1Fm1FhkQSZwGG5rf4c6gMN71jJ6JE3/kocdVa0sUjRevIupo4XQ2
+Vkykxi84MRP8cfHqyjewq7Ozv3op2MGWgwJBAKemsb66IJjzAkaBav7u70nhOf0/
++Dc1Zl7QF2y7NVW8sGrnccx5m+ot2lMD4AV6/kvK6jaqdKrapBZGnbGiHqkCQQDI
+T1r33mqz1R8Z2S2Jtzz6/McKf930a/dC+GLGVEutkILf39lRmytKmv/wB0jtWtoO
+rlJ5sLDSNzC+1cE1u997AkEAu3IrtGmLKiuS6kDj6W47m+iiTIsuSJtTJb1SbUaK
+fIoBNFxbvJYW6rUU9+PxpMRaEhzh5s24/jBOE+mlb17mRQ==
+-----END RSA PRIVATE KEY-----
diff --git a/src/lib/libssl/src/demos/tunala/A-server.pem b/src/lib/libssl/src/demos/tunala/A-server.pem
new file mode 100644
index 0000000000..e9f37b1895
--- /dev/null
+++ b/src/lib/libssl/src/demos/tunala/A-server.pem
@@ -0,0 +1,84 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: C=NZ, L=Wellington, O=Really Irresponsible Authorisation Authority (RIAA), OU=Cert-stamping, CN=Jackov al-Trades/Email=none@fake.domain
+        Validity
+            Not Before: Jan 16 05:14:06 2002 GMT
+            Not After : Jan 14 05:14:06 2012 GMT
+        Subject: C=NZ, L=Wellington, O=Middle Earth, OU=SSL dev things, CN=tunala-server/Email=server@fake.domain
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:a9:3e:62:87:97:13:6b:de:8f:bc:1d:0a:3f:65:
+                    0c:f9:76:a3:53:ce:97:30:27:0d:c6:df:72:1f:8d:
+                    5a:ce:58:23:6a:65:e5:e3:72:1a:8d:7f:fe:90:01:
+                    ea:42:f1:9f:6e:7b:0a:bd:eb:52:15:7b:f4:3d:9c:
+                    4e:db:74:29:2b:d1:81:9d:b9:9e:18:2b:87:e1:da:
+                    50:20:3c:59:6c:c9:83:3e:2c:11:0b:78:1e:03:f4:
+                    56:3a:db:95:6a:75:33:85:a9:7b:cc:3c:4a:67:96:
+                    f2:24:b2:a0:cb:2e:cc:52:18:16:6f:44:d9:29:64:
+                    07:2e:fb:56:cc:7c:dc:a2:d7
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier: 
+                70:AC:7A:B5:6E:97:C2:82:AF:11:9E:32:CB:8D:48:49:93:B7:DC:22
+            X509v3 Authority Key Identifier: 
+                keyid:49:FB:45:72:12:C4:CC:E1:45:A1:D3:08:9E:95:C4:2C:6D:55:3F:17
+                DirName:/C=NZ/L=Wellington/O=Really Irresponsible Authorisation Authority (RIAA)/OU=Cert-stamping/CN=Jackov al-Trades/Email=none@fake.domain
+                serial:00
+
+    Signature Algorithm: md5WithRSAEncryption
+        2e:cb:a3:cd:6d:a8:9d:d1:dc:e5:f0:e0:27:7e:4b:5a:90:a8:
+        85:43:f0:05:f7:04:43:d7:5f:d1:a5:8f:5c:58:eb:fc:da:c6:
+        7c:e0:0b:2b:98:72:95:f6:79:48:96:7a:fa:0c:6b:09:ec:c6:
+        8c:91:74:45:9f:8f:0f:16:78:e3:66:14:fa:1e:f4:f0:23:ec:
+        cd:a9:52:77:20:4d:c5:05:2c:52:b6:7b:f3:42:33:fd:90:1f:
+        3e:88:6f:9b:23:61:c8:80:3b:e6:57:84:2e:f7:26:c7:35:ed:
+        00:8b:08:30:9b:aa:21:83:b6:6d:b8:7c:8a:9b:2a:ef:79:3d:
+        96:31
+-----BEGIN CERTIFICATE-----
+MIID+zCCA2SgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBtDELMAkGA1UEBhMCTlox
+EzARBgNVBAcTCldlbGxpbmd0b24xPDA6BgNVBAoTM1JlYWxseSBJcnJlc3BvbnNp
+YmxlIEF1dGhvcmlzYXRpb24gQXV0aG9yaXR5IChSSUFBKTEWMBQGA1UECxMNQ2Vy
+dC1zdGFtcGluZzEZMBcGA1UEAxMQSmFja292IGFsLVRyYWRlczEfMB0GCSqGSIb3
+DQEJARYQbm9uZUBmYWtlLmRvbWFpbjAeFw0wMjAxMTYwNTE0MDZaFw0xMjAxMTQw
+NTE0MDZaMIGNMQswCQYDVQQGEwJOWjETMBEGA1UEBxMKV2VsbGluZ3RvbjEVMBMG
+A1UEChMMTWlkZGxlIEVhcnRoMRcwFQYDVQQLEw5TU0wgZGV2IHRoaW5nczEWMBQG
+A1UEAxMNdHVuYWxhLXNlcnZlcjEhMB8GCSqGSIb3DQEJARYSc2VydmVyQGZha2Uu
+ZG9tYWluMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpPmKHlxNr3o+8HQo/
+ZQz5dqNTzpcwJw3G33IfjVrOWCNqZeXjchqNf/6QAepC8Z9uewq961IVe/Q9nE7b
+dCkr0YGduZ4YK4fh2lAgPFlsyYM+LBELeB4D9FY625VqdTOFqXvMPEpnlvIksqDL
+LsxSGBZvRNkpZAcu+1bMfNyi1wIDAQABo4IBQDCCATwwCQYDVR0TBAIwADAsBglg
+hkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O
+BBYEFHCserVul8KCrxGeMsuNSEmTt9wiMIHhBgNVHSMEgdkwgdaAFEn7RXISxMzh
+RaHTCJ6VxCxtVT8XoYG6pIG3MIG0MQswCQYDVQQGEwJOWjETMBEGA1UEBxMKV2Vs
+bGluZ3RvbjE8MDoGA1UEChMzUmVhbGx5IElycmVzcG9uc2libGUgQXV0aG9yaXNh
+dGlvbiBBdXRob3JpdHkgKFJJQUEpMRYwFAYDVQQLEw1DZXJ0LXN0YW1waW5nMRkw
+FwYDVQQDExBKYWNrb3YgYWwtVHJhZGVzMR8wHQYJKoZIhvcNAQkBFhBub25lQGZh
+a2UuZG9tYWluggEAMA0GCSqGSIb3DQEBBAUAA4GBAC7Lo81tqJ3R3OXw4Cd+S1qQ
+qIVD8AX3BEPXX9Glj1xY6/zaxnzgCyuYcpX2eUiWevoMawnsxoyRdEWfjw8WeONm
+FPoe9PAj7M2pUncgTcUFLFK2e/NCM/2QHz6Ib5sjYciAO+ZXhC73Jsc17QCLCDCb
+qiGDtm24fIqbKu95PZYx
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQCpPmKHlxNr3o+8HQo/ZQz5dqNTzpcwJw3G33IfjVrOWCNqZeXj
+chqNf/6QAepC8Z9uewq961IVe/Q9nE7bdCkr0YGduZ4YK4fh2lAgPFlsyYM+LBEL
+eB4D9FY625VqdTOFqXvMPEpnlvIksqDLLsxSGBZvRNkpZAcu+1bMfNyi1wIDAQAB
+AoGANCwqHZhiAU/TyW6+WPqivEhpYw19p/dyFMuPF9DwnEmpaUROUQY8z0AUznn4
+qHhp6Jn/nrprTHowucl0ucweYIYVxZoUiUDFpxdFUbzMdFvo6HcyV1Pe4Rt81HaY
+KYWrTZ6PaPtN65hLms8NhPEdGcGAFlY1owYv4QNGq2bU1JECQQDd32LM0NSfyGmK
+4ziajqGcvzK9NO2XyV/nJsGlJZNgMh2zm1t7yR28l/6Q2uyU49cCN+2aYULZCAfs
+taNvxBspAkEAw0alNub+xj2AVQvaxOB1sGfKzsJjHCzKIxUXn/tJi3j0+2asmkBZ
+Umx1MWr9jKQBnCMciCRUbnMEZiElOxCN/wJAfAeQl6Z19gx206lJzzzEo3dOye54
+k02DSxijT8q9pBzf9bN3ZK987BybtiZr8p+bZiYVsSOF1wViSLURdD1QYQJAIaMU
+qH1n24wShBPTrmAfxbBLTgxL+Dl65Eoo1KT7iSvfv0JzbuqwuDL4iPeuD0DdCiE+
+M/FWHeRwGIuTFzaFzwJBANKwx0jZS/h093w9g0Clw6UzeA1P5VcAt9y+qMC9hO3c
+4KXwIxQAt9yRaFLpiIR9do5bjjKNnMguf3aO/XRSDQM=
+-----END RSA PRIVATE KEY-----
diff --git a/src/lib/libssl/src/demos/tunala/CA.pem b/src/lib/libssl/src/demos/tunala/CA.pem
new file mode 100644
index 0000000000..7a55b5463e
--- /dev/null
+++ b/src/lib/libssl/src/demos/tunala/CA.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID9zCCA2CgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBtDELMAkGA1UEBhMCTlox
+EzARBgNVBAcTCldlbGxpbmd0b24xPDA6BgNVBAoTM1JlYWxseSBJcnJlc3BvbnNp
+YmxlIEF1dGhvcmlzYXRpb24gQXV0aG9yaXR5IChSSUFBKTEWMBQGA1UECxMNQ2Vy
+dC1zdGFtcGluZzEZMBcGA1UEAxMQSmFja292IGFsLVRyYWRlczEfMB0GCSqGSIb3
+DQEJARYQbm9uZUBmYWtlLmRvbWFpbjAeFw0wMjAxMTYwNTA5NTlaFw0xMjAxMTQw
+NTA5NTlaMIG0MQswCQYDVQQGEwJOWjETMBEGA1UEBxMKV2VsbGluZ3RvbjE8MDoG
+A1UEChMzUmVhbGx5IElycmVzcG9uc2libGUgQXV0aG9yaXNhdGlvbiBBdXRob3Jp
+dHkgKFJJQUEpMRYwFAYDVQQLEw1DZXJ0LXN0YW1waW5nMRkwFwYDVQQDExBKYWNr
+b3YgYWwtVHJhZGVzMR8wHQYJKoZIhvcNAQkBFhBub25lQGZha2UuZG9tYWluMIGf
+MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7QdDfFIrJn3X24hKmpkyk3TG0Ivxd
+K2wWmDPXq1wjr8lUTwrA6hM5Ba9N36jLieWpXhviLOWu9DBza5GmtgCuXloATKTC
+94xOdKHlciTVujG3wDlLDB5e710Kar84nnj6VueL1RyZ0bmP5PANa4mbGW9Tqc7J
+CkBTTW2y9d0SgQIDAQABo4IBFTCCAREwHQYDVR0OBBYEFEn7RXISxMzhRaHTCJ6V
+xCxtVT8XMIHhBgNVHSMEgdkwgdaAFEn7RXISxMzhRaHTCJ6VxCxtVT8XoYG6pIG3
+MIG0MQswCQYDVQQGEwJOWjETMBEGA1UEBxMKV2VsbGluZ3RvbjE8MDoGA1UEChMz
+UmVhbGx5IElycmVzcG9uc2libGUgQXV0aG9yaXNhdGlvbiBBdXRob3JpdHkgKFJJ
+QUEpMRYwFAYDVQQLEw1DZXJ0LXN0YW1waW5nMRkwFwYDVQQDExBKYWNrb3YgYWwt
+VHJhZGVzMR8wHQYJKoZIhvcNAQkBFhBub25lQGZha2UuZG9tYWluggEAMAwGA1Ud
+EwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYQo95V/NY+eKxYxkhibZiUQygph+
+gTfgbDG20MsnH6+8//w5ArHauFCgDrf0P2VyACgq+N4pBTWFGaAaLwbjKy9HCe2E
+j9C91tO1CqDS4MJkDB5AP13FTkK6fP1ZCiTQranOAp3DlGWTTWsFVyW5kVfQ9diS
+ZOyJZ9Fit5XM2X0=
+-----END CERTIFICATE-----
diff --git a/src/lib/libssl/src/demos/tunala/INSTALL b/src/lib/libssl/src/demos/tunala/INSTALL
new file mode 100644
index 0000000000..a65bbeb8d1
--- /dev/null
+++ b/src/lib/libssl/src/demos/tunala/INSTALL
@@ -0,0 +1,107 @@
+There are two ways to build this code;
+
+(1) Manually
+
+(2) Using all-singing all-dancing (all-confusing) autotools, ie. autoconf,
+automake, and their little friends (autoheader, etc).
+
+=================
+Building Manually
+=================
+
+There is a basic "Makefile" in this directory that gets moved out of the way and
+ignored when building with autoconf et al. This Makefile is suitable for
+building tunala on Linux using gcc. Any other platform probably requires some
+tweaking. Here are the various bits you might need to do if you want to build
+this way and the default Makefile isn't sufficient;
+
+* Compiler: Edit the "CC" definition in Makefile
+
+* Headers, features: tunala.h controls what happens in the non-autoconf world.
+  It, by default, assumes the system has *everything* (except autoconf's
+  "config.h") so if a target system is missing something it must define the
+  appropriate "NO_***" symbols in CFLAGS. These include;
+
+  - NO_HAVE_UNISTD_H, NO_HAVE_FCNTL_H, NO_HAVE_LIMITS_H
+    Indicates the compiling system doesn't have (or need) these header files.
+  - NO_HAVE_STRSTR, NO_HAVE_STRTOUL
+    Indicates the compiling system doesn't have these functions. Replacements
+    are compiled and used in breakage.c
+  - NO_HAVE_SELECT, NO_HAVE_SOCKET
+    Pointless symbols - these indicate select() and/or socket() are missing in
+    which case the program won't compile anyway.
+
+  If you want to specify any of these, add them with "-D" prefixed to each in
+  the CFLAGS definition in Makefile.
+
+* Compilation flags: edit DEBUG_FLAGS and/or CFLAGS directly to control the
+  flags passed to the compiler. This can also be used to change the degree of
+  optimisation.
+
+* Linker flags: some systems (eg. Solaris) require extra linker flags such as;
+  -ldl, -lsocket, -lnsl, etc. If unsure, bring up the man page for whichever
+  function is "undefined" when the linker fails - that usually indicates what
+  you need to add. Make changes to the LINK_FLAGS symbol.
+
+* Linker command: if a different linker syntax or even a different program is
+  required to link, edit the linker line directly in the "tunala:" target
+  definition - it currently assumes the "CC" (compiler) program is used to link.
+
+======================
+Building Automagically
+======================
+
+Automagic building is handled courtesy of autoconf, automake, etc. There are in
+fact two steps required to build, and only the first has to be done on a system
+with these tools installed (and if I was prepared to bloat out the CVS
+repository, I could store these extra files, but I'm not).
+
+First step: "autogunk.sh"
+-------------------------
+
+The "./autogunk.sh" script will call all the necessary autotool commands to
+create missing files and run automake and autoconf. The result is that a
+"./configure" script should be generated and a "Makefile.in" generated from the
+supplied "Makefile.am". NB: This script also moves the "manual" Makefile (see
+above) out of the way and calls it "Makefile.plain" - the "ungunk" script
+reverses this to leave the directory it was previously.
+
+Once "ungunk" has been run, the resulting directory should be able to build on
+other systems without autoconf, automake, or libtool. Which is what the second
+step describes;
+
+Second step: "./configure"
+--------------------------
+
+The second step is to run the generated "./configure" script to create a
+config.h header for your system and to generate a "Makefile" (generated from
+"Makefile.in") tweaked to compile on your system. This is the standard sort of
+thing you see in GNU packages, for example, and the standard tricks also work.
+Eg. to override "configure"'s choice of compiler, set the CC environment
+variable prior to running configure, eg.
+
+    CC=gcc ./configure
+
+would cause "gcc" to be used even if there is an otherwise preferable (to
+autoconf) native compiler on your system.
+
+After this run "make" and it should build the "tunala" executable.
+
+Notes
+-----
+
+- Some versions of autoconf (or automake?) generate a Makefile syntax that gives
+  trouble to some "make" programs on some systems (eg. OpenBSD). If this
+  happens, either build 'Manually' (see above) or use "gmake" instead of "make".
+  I don't like this either but like even less the idea of sifting into all the
+  script magic crud that's involved.
+
+- On a solaris system I tried, the "configure" script specified some broken
+  compiler flags in the resulting Makefile that don't even get echoed to
+  stdout/err when the error happens (evil!). If this happens, go into the
+  generated Makefile, find the two affected targets ("%.o:" and "%.lo"), and
+  remove the offending hidden option in the $(COMPILE) line all the sludge after
+  the two first lines of script (ie. after the "echo" and the "COMPILE" lines).
+  NB: This will probably only function if "--disable-shared" was used, otherwise
+  who knows what would result ...
+
diff --git a/src/lib/libssl/src/demos/tunala/Makefile b/src/lib/libssl/src/demos/tunala/Makefile
new file mode 100644
index 0000000000..bef1704a3c
--- /dev/null
+++ b/src/lib/libssl/src/demos/tunala/Makefile
@@ -0,0 +1,41 @@
+# Edit these to suit
+#
+# Oh yeah, and please read the README too.
+
+
+SSL_HOMEDIR=../..
+SSL_INCLUDEDIR=$(SSL_HOMEDIR)/include
+SSL_LIBDIR=$(SSL_HOMEDIR)
+
+RM=rm -f
+CC=gcc
+DEBUG_FLAGS=-g -ggdb3 -Wall -Wshadow
+INCLUDE_FLAGS=-I$(SSL_INCLUDEDIR)
+CFLAGS=$(DEBUG_FLAGS) $(INCLUDE_FLAGS) -DNO_CONFIG_H
+COMPILE=$(CC) $(CFLAGS) -c
+
+# Edit, particularly the "-ldl" if not building with "dlfcn" support
+LINK_FLAGS=-L$(SSL_LIBDIR) -lssl -lcrypto -ldl
+
+SRCS=buffer.c cb.c ip.c sm.c tunala.c breakage.c
+OBJS=buffer.o cb.o ip.o sm.o tunala.o breakage.o
+
+TARGETS=tunala
+
+default: $(TARGETS)
+
+clean:
+        $(RM) $(OBJS) $(TARGETS) *.bak core
+
+.c.o:
+        $(COMPILE) $<
+
+tunala: $(OBJS)
+        $(CC) -o tunala $(OBJS) $(LINK_FLAGS)
+
+# Extra dependencies, should really use makedepend
+buffer.o: buffer.c tunala.h
+cb.o: cb.c tunala.h
+ip.o: ip.c tunala.h
+sm.o: sm.c tunala.h
+tunala.o: tunala.c tunala.h
diff --git a/src/lib/libssl/src/demos/tunala/Makefile.am b/src/lib/libssl/src/demos/tunala/Makefile.am
new file mode 100644
index 0000000000..706c7806c9
--- /dev/null
+++ b/src/lib/libssl/src/demos/tunala/Makefile.am
@@ -0,0 +1,7 @@
+# Our includes come from the OpenSSL build-tree we're in
+INCLUDES                = -I$(top_builddir)/../../include
+
+bin_PROGRAMS            = tunala
+
+tunala_SOURCES          = tunala.c buffer.c cb.c ip.c sm.c breakage.c
+tunala_LDADD            = -L$(top_builddir)/../.. -lssl -lcrypto
diff --git a/src/lib/libssl/src/demos/tunala/README b/src/lib/libssl/src/demos/tunala/README
new file mode 100644
index 0000000000..15690088f3
--- /dev/null
+++ b/src/lib/libssl/src/demos/tunala/README
@@ -0,0 +1,233 @@
+This is intended to be an example of a state-machine driven SSL application. It
+acts as an SSL tunneler (functioning as either the server or client half,
+depending on command-line arguments). *PLEASE* read the comments in tunala.h
+before you treat this stuff as anything more than a curiosity - YOU HAVE BEEN
+WARNED!! There, that's the draconian bit out of the way ...
+
+
+Why "tunala"??
+--------------
+
+I thought I asked you to read tunala.h?? :-)
+
+
+Show me
+-------
+
+If you want to simply see it running, skip to the end and see some example
+command-line arguments to demonstrate with.
+
+
+Where to look and what to do?
+-----------------------------
+
+The code is split up roughly coinciding with the detaching of an "abstract" SSL
+state machine (which is the purpose of all this) and its surrounding application
+specifics. This is primarily to make it possible for me to know when I could cut
+corners and when I needed to be rigorous (or at least maintain the pretense as
+such :-).
+
+Network stuff:
+
+Basically, the network part of all this is what is supposed to be abstracted out
+of the way. The intention is to illustrate one way to stick OpenSSL's mechanisms
+inside a little memory-driven sandbox and operate it like a pure state-machine.
+So, the network code is inside both ip.c (general utility functions and gory
+IPv4 details) and tunala.c itself, which takes care of application specifics
+like the main select() loop. The connectivity between the specifics of this
+application (TCP/IP tunneling and the associated network code) and the
+underlying abstract SSL state machine stuff is through the use of the "buffer_t"
+type, declared in tunala.h and implemented in buffer.c.
+
+State machine:
+
+Which leaves us, generally speaking, with the abstract "state machine" code left
+over and this is sitting inside sm.c, with declarations inside tunala.h. As can
+be seen by the definition of the state_machine_t structure and the associated
+functions to manipulate it, there are the 3 OpenSSL "handles" plus 4 buffer_t
+structures dealing with IO on both the encrypted and unencrypted sides ("dirty"
+and "clean" respectively). The "SSL" handle is what facilitates the reading and
+writing of the unencrypted (tunneled) data. The two "BIO" handles act as the
+read and write channels for encrypted tunnel traffic - in other applications
+these are often socket BIOs so that the OpenSSL framework operates with the
+network layer directly. In this example, those two BIOs are memory BIOs
+(BIO_s_mem()) so that the sending and receiving of the tunnel traffic stays
+within the state-machine, and we can handle where this gets send to (or read
+from) ourselves.
+
+
+Why?
+----
+
+If you take a look at the "state_machine_t" section of tunala.h and the code in
+sm.c, you will notice that nothing related to the concept of 'transport' is
+involved. The binding to TCP/IP networking occurs in tunala.c, specifically
+within the "tunala_item_t" structure that associates a state_machine_t object
+with 4 file-descriptors. The way to best see where the bridge between the
+outside world (TCP/IP reads, writes, select()s, file-descriptors, etc) and the
+state machine is, is to examine the "tunala_item_io()" function in tunala.c.
+This is currently around lines 641-732 but of course could be subject to change.
+
+
+And...?
+-------
+
+Well, although that function is around 90 lines of code, it could easily have
+been a lot less only I was trying to address an easily missed "gotcha" (item (2)
+below). The main() code that drives the select/accept/IO loop initialises new
+tunala_item_t structures when connections arrive, and works out which
+file-descriptors go where depending on whether we're an SSL client or server
+(client --> accepted connection is clean and proxied is dirty, server -->
+accepted connection is dirty and proxied is clean). What that tunala_item_io()
+function is attempting to do is 2 things;
+
+  (1) Perform all reads and writes on the network directly into the
+      state_machine_t's buffers (based on a previous select() result), and only
+      then allow the abstact state_machine_t to "churn()" using those buffers.
+      This will cause the SSL machine to consume as much input data from the two
+      "IN" buffers as possible, and generate as much output data into the two
+      "OUT" buffers as possible. Back up in the main() function, the next main
+      loop loop will examine these output buffers and select() for writability
+      on the corresponding sockets if the buffers are non-empty.
+
+  (2) Handle the complicated tunneling-specific issue of cascading "close"s.
+      This is the reason for most of the complexity in the logic - if one side
+      of the tunnel is closed, you can't simply close the other side and throw
+      away the whole thing - (a) there may still be outgoing data on the other
+      side of the tunnel that hasn't been sent yet, (b) the close (or things
+      happening during the close) may cause more data to be generated that needs
+      sending on the other side. Of course, this logic is complicated yet futher
+      by the fact that it's different depending on which side closes first :-)
+      state_machine_close_clean() will indicate to the state machine that the
+      unencrypted side of the tunnel has closed, so any existing outgoing data
+      needs to be flushed, and the SSL stream needs to be closed down using the
+      appropriate shutdown sequence. state_machine_close_dirty() is simpler
+      because it indicates that the SSL stream has been disconnected, so all
+      that remains before closing the other side is to flush out anything that
+      remains and wait for it to all be sent.
+
+Anyway, with those things in mind, the code should be a little easier to follow
+in terms of "what is *this* bit supposed to achieve??!!".
+
+
+How might this help?
+--------------------
+
+Well, the reason I wrote this is that there seemed to be rather a flood of
+questions of late on the openssl-dev and openssl-users lists about getting this
+whole IO logic thing sorted out, particularly by those who were trying to either
+use non-blocking IO, or wanted SSL in an environment where "something else" was
+handling the network already and they needed to operate in memory only. This
+code is loosely based on some other stuff I've been working on, although that
+stuff is far more complete, far more dependant on a whole slew of other
+network/framework code I don't want to incorporate here, and far harder to look
+at for 5 minutes and follow where everything is going. I will be trying over
+time to suck in a few things from that into this demo in the hopes it might be
+more useful, and maybe to even make this demo usable as a utility of its own.
+Possible things include:
+
+  * controlling multiple processes/threads - this can be used to combat
+    latencies and get passed file-descriptor limits on some systems, and it uses
+    a "controller" process/thread that maintains IPC links with the
+    processes/threads doing the real work.
+
+  * cert verification rules - having some say over which certs get in or out :-)
+
+  * control over SSL protocols and cipher suites
+
+  * A few other things you can already do in s_client and s_server :-)
+
+  * Support (and control over) session resuming, particularly when functioning
+    as an SSL client.
+
+If you have a particular environment where this model might work to let you "do
+SSL" without having OpenSSL be aware of the transport, then you should find you
+could use the state_machine_t structure (or your own variant thereof) and hook
+it up to your transport stuff in much the way tunala.c matches it up with those
+4 file-descriptors. The state_machine_churn(), state_machine_close_clean(), and
+state_machine_close_dirty() functions are the main things to understand - after
+that's done, you just have to ensure you're feeding and bleeding the 4
+state_machine buffers in a logical fashion. This state_machine loop handles not
+only handshakes and normal streaming, but also renegotiates - there's no special
+handling required beyond keeping an eye on those 4 buffers and keeping them in
+sync with your outer "loop" logic. Ie. if one of the OUT buffers is not empty,
+you need to find an opportunity to try and forward its data on. If one of the IN
+buffers is not full, you should keep an eye out for data arriving that should be
+placed there.
+
+This approach could hopefully also allow you to run the SSL protocol in very
+different environments. As an example, you could support encrypted event-driven
+IPC where threads/processes pass messages to each other inside an SSL layer;
+each IPC-message's payload would be in fact the "dirty" content, and the "clean"
+payload coming out of the tunnel at each end would be the real intended message.
+Likewise, this could *easily* be made to work across unix domain sockets, or
+even entirely different network/comms protocols.
+
+This is also a quick and easy way to do VPN if you (and the remote network's
+gateway) support virtual network devices that are encapsulted in a single
+network connection, perhaps PPP going through an SSL tunnel?
+
+
+Suggestions
+-----------
+
+Please let me know if you find this useful, or if there's anything wrong or
+simply too confusing about it. Patches are also welcome, but please attach a
+description of what it changes and why, and "diff -urN" format is preferred.
+Mail to geoff@openssl.org should do the trick.
+
+
+Example
+-------
+
+Here is an example of how to use "tunala" ...
+
+First, it's assumed that OpenSSL has already built, and that you are building
+inside the ./demos/tunala/ directory. If not - please correct the paths and
+flags inside the Makefile. Likewise, if you want to tweak the building, it's
+best to try and do so in the makefile (eg. removing the debug flags and adding
+optimisation flags).
+
+Secondly, this code has mostly only been tested on Linux. However, some
+autoconf/etc support has been added and the code has been compiled on openbsd
+and solaris using that.
+
+Thirdly, if you are Win32, you probably need to do some *major* rewriting of
+ip.c to stand a hope in hell. Good luck, and please mail me the diff if you do
+this, otherwise I will take a look at another time. It can certainly be done,
+but it's very non-POSIXy.
+
+See the INSTALL document for details on building.
+
+Now, if you don't have an executable "tunala" compiled, go back to "First,...".
+Rinse and repeat.
+
+Inside one console, try typing;
+
+(i)  ./tunala -listen localhost:8080 -proxy localhost:8081 -cacert CA.pem \
+              -cert A-client.pem -out_totals -v_peer -v_strict
+
+In another console, type;
+
+(ii) ./tunala -listen localhost:8081 -proxy localhost:23 -cacert CA.pem \
+              -cert A-server.pem -server 1 -out_totals -v_peer -v_strict
+
+Now if you open another console and "telnet localhost 8080", you should be
+tunneled through to the telnet service on your local machine (if it's running -
+you could change it to port "22" and tunnel ssh instead if you so desired). When
+you logout of the telnet session, the tunnel should cleanly shutdown and show
+you some traffic stats in both consoles. Feel free to experiment. :-)
+
+Notes:
+
+ - the format for the "-listen" argument can skip the host part (eg. "-listen
+   8080" is fine). If you do, the listening socket will listen on all interfaces
+   so you can connect from other machines for example. Using the "localhost"
+   form listens only on 127.0.0.1 so you can only connect locally (unless, of
+   course, you've set up weird stuff with your networking in which case probably
+   none of the above applies).
+
+ - ./tunala -? gives you a list of other command-line options, but tunala.c is
+   also a good place to look :-)
+
+
diff --git a/src/lib/libssl/src/demos/tunala/autogunk.sh b/src/lib/libssl/src/demos/tunala/autogunk.sh
new file mode 100644
index 0000000000..c9783c6261
--- /dev/null
+++ b/src/lib/libssl/src/demos/tunala/autogunk.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+# This script tries to follow the "GNU way" w.r.t. the autobits.
+# This does of course generate a number of irritating files.
+# Try to get over it (I am getting there myself).
+
+# This should generate any missing crud, and then run autoconf which should turn
+# configure.in into a "./configure" script and "Makefile.am" into a
+# "Makefile.in". Then running "./configure" should turn "Makefile.in" into
+# "Makefile" and should generate the config.h containing your systems various
+# settings. I know ... what a hassle ...
+
+# Also, sometimes these autobits things generate bizarre output (looking like
+# errors). So I direct everything "elsewhere" ...
+
+(aclocal
+autoheader
+libtoolize --copy --force
+automake --foreign --add-missing --copy
+autoconf) 1> /dev/null 2>&1
+
+# Move the "no-autotools" Makefile out of the way
+if test ! -f Makefile.plain; then
+        mv Makefile Makefile.plain
+fi
diff --git a/src/lib/libssl/src/demos/tunala/autoungunk.sh b/src/lib/libssl/src/demos/tunala/autoungunk.sh
new file mode 100644
index 0000000000..14d10790fd
--- /dev/null
+++ b/src/lib/libssl/src/demos/tunala/autoungunk.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# This script tries to clean up as much as is possible from whatever diabolical
+# mess has been left in the directory thanks to autoconf, automake, and their
+# friends.
+
+if test -f Makefile; then
+        make distclean
+        rm -f Makefile
+fi
+
+if test -f Makefile.plain; then
+        mv Makefile.plain Makefile
+fi
+
+rm -f aclocal.m4 config.* configure install-sh \
+        missing mkinstalldirs stamp-h.* Makefile.in \
+        ltconfig ltmain.sh
diff --git a/src/lib/libssl/src/demos/tunala/breakage.c b/src/lib/libssl/src/demos/tunala/breakage.c
new file mode 100644
index 0000000000..dcdd64b0ef
--- /dev/null
+++ b/src/lib/libssl/src/demos/tunala/breakage.c
@@ -0,0 +1,66 @@
+#include "tunala.h"
+
+int int_strtoul(const char *str, unsigned long *val)
+{
+#ifdef HAVE_STRTOUL
+        char *tmp;
+        unsigned long ret = strtoul(str, &tmp, 10);
+        if((str == tmp) || (*tmp != '\0'))
+                /* The value didn't parse cleanly */
+                return 0;
+        if(ret == ULONG_MAX)
+                /* We hit a limit */
+                return 0;
+        *val = ret;
+        return 1;
+#else
+        char buf[2];
+        unsigned long ret = 0;
+        buf[1] = '\0';
+        if(str == '\0')
+                /* An empty string ... */
+                return 0;
+        while(*str != '\0') {
+                /* We have to multiply 'ret' by 10 before absorbing the next
+                 * digit. If this will overflow, catch it now. */
+                if(ret && (((ULONG_MAX + 10) / ret) < 10))
+                        return 0;
+                ret *= 10;
+                if(!isdigit(*str))
+                        return 0;
+                buf[0] = *str;
+                ret += atoi(buf);
+                str++;
+        }
+        *val = ret;
+        return 1;
+#endif
+}
+
+#ifndef HAVE_STRSTR
+char *int_strstr(const char *haystack, const char *needle)
+{
+        const char *sub_haystack = haystack, *sub_needle = needle;
+        unsigned int offset = 0;
+        if(!needle)
+                return haystack;
+        if(!haystack)
+                return NULL;
+        while((*sub_haystack != '\0') && (*sub_needle != '\0')) {
+                if(sub_haystack[offset] == sub_needle) {
+                        /* sub_haystack is still a candidate */
+                        offset++;
+                        sub_needle++;
+                } else {
+                        /* sub_haystack is no longer a possibility */
+                        sub_haystack++;
+                        offset = 0;
+                        sub_needle = needle;
+                }
+        }
+        if(*sub_haystack == '\0')
+                /* Found nothing */
+                return NULL;
+        return sub_haystack;
+}
+#endif
diff --git a/src/lib/libssl/src/demos/tunala/buffer.c b/src/lib/libssl/src/demos/tunala/buffer.c
new file mode 100644
index 0000000000..c5cd004209
--- /dev/null
+++ b/src/lib/libssl/src/demos/tunala/buffer.c
@@ -0,0 +1,205 @@
+#include "tunala.h"
+
+#ifndef NO_BUFFER
+
+void buffer_init(buffer_t *buf)
+{
+        buf->used = 0;
+        buf->total_in = buf->total_out = 0;
+}
+
+void buffer_close(buffer_t *buf)
+{
+        /* Our data is static - nothing needs "release", just reset it */
+        buf->used = 0;
+}
+
+/* Code these simple ones in compact form */
+unsigned int buffer_used(buffer_t *buf) {
+        return buf->used; }
+unsigned int buffer_unused(buffer_t *buf) {
+        return (MAX_DATA_SIZE - buf->used); }
+int buffer_full(buffer_t *buf) {
+        return (buf->used == MAX_DATA_SIZE ? 1 : 0); }
+int buffer_notfull(buffer_t *buf) {
+        return (buf->used < MAX_DATA_SIZE ? 1 : 0); }
+int buffer_empty(buffer_t *buf) {
+        return (buf->used == 0 ? 1 : 0); }
+int buffer_notempty(buffer_t *buf) {
+        return (buf->used > 0 ? 1 : 0); }
+unsigned long buffer_total_in(buffer_t *buf) {
+        return buf->total_in; }
+unsigned long buffer_total_out(buffer_t *buf) {
+        return buf->total_out; }
+
+/* These 3 static (internal) functions don't adjust the "total" variables as
+ * it's not sure when they're called how it should be interpreted. Only the
+ * higher-level "buffer_[to|from]_[fd|SSL|BIO]" functions should alter these
+ * values. */
+#if 0 /* To avoid "unused" warnings */
+static unsigned int buffer_adddata(buffer_t *buf, const unsigned char *ptr,
+                unsigned int size)
+{
+        unsigned int added = MAX_DATA_SIZE - buf->used;
+        if(added > size)
+                added = size;
+        if(added == 0)
+                return 0;
+        memcpy(buf->data + buf->used, ptr, added);
+        buf->used += added;
+        buf->total_in += added;
+        return added;
+}
+
+static unsigned int buffer_tobuffer(buffer_t *to, buffer_t *from, int cap)
+{
+        unsigned int moved, tomove = from->used;
+        if((int)tomove > cap)
+                tomove = cap;
+        if(tomove == 0)
+                return 0;
+        moved = buffer_adddata(to, from->data, tomove);
+        if(moved == 0)
+                return 0;
+        buffer_takedata(from, NULL, moved);
+        return moved;
+}
+#endif
+
+static unsigned int buffer_takedata(buffer_t *buf, unsigned char *ptr,
+                unsigned int size)
+{
+        unsigned int taken = buf->used;
+        if(taken > size)
+                taken = size;
+        if(taken == 0)
+                return 0;
+        if(ptr)
+                memcpy(ptr, buf->data, taken);
+        buf->used -= taken;
+        /* Do we have to scroll? */
+        if(buf->used > 0)
+                memmove(buf->data, buf->data + taken, buf->used);
+        return taken;
+}
+
+#ifndef NO_IP
+
+int buffer_from_fd(buffer_t *buf, int fd)
+{
+        int toread = buffer_unused(buf);
+        if(toread == 0)
+                /* Shouldn't be called in this case! */
+                abort();
+        toread = read(fd, buf->data + buf->used, toread);
+        if(toread > 0) {
+                buf->used += toread;
+                buf->total_in += toread;
+        }
+        return toread;
+}
+
+int buffer_to_fd(buffer_t *buf, int fd)
+{
+        int towrite = buffer_used(buf);
+        if(towrite == 0)
+                /* Shouldn't be called in this case! */
+                abort();
+        towrite = write(fd, buf->data, towrite);
+        if(towrite > 0) {
+                buffer_takedata(buf, NULL, towrite);
+                buf->total_out += towrite;
+        }
+        return towrite;
+}
+
+#endif /* !defined(NO_IP) */
+
+#ifndef NO_OPENSSL
+
+static void int_ssl_check(SSL *s, int ret)
+{
+        int e = SSL_get_error(s, ret);
+        switch(e) {
+                /* These seem to be harmless and already "dealt with" by our
+                 * non-blocking environment. NB: "ZERO_RETURN" is the clean
+                 * "error" indicating a successfully closed SSL tunnel. We let
+                 * this happen because our IO loop should not appear to have
+                 * broken on this condition - and outside the IO loop, the
+                 * "shutdown" state is checked. */
+        case SSL_ERROR_NONE:
+        case SSL_ERROR_WANT_READ:
+        case SSL_ERROR_WANT_WRITE:
+        case SSL_ERROR_WANT_X509_LOOKUP:
+        case SSL_ERROR_ZERO_RETURN:
+                return;
+                /* These seem to be indications of a genuine error that should
+                 * result in the SSL tunnel being regarded as "dead". */
+        case SSL_ERROR_SYSCALL:
+        case SSL_ERROR_SSL:
+                SSL_set_app_data(s, (char *)1);
+                return;
+        default:
+                break;
+        }
+        /* For any other errors that (a) exist, and (b) crop up - we need to
+         * interpret what to do with them - so "politely inform" the caller that
+         * the code needs updating here. */
+        abort();
+}
+
+void buffer_from_SSL(buffer_t *buf, SSL *ssl)
+{
+        int ret;
+        if(!ssl || buffer_full(buf))
+                return;
+        ret = SSL_read(ssl, buf->data + buf->used, buffer_unused(buf));
+        if(ret > 0) {
+                buf->used += ret;
+                buf->total_in += ret;
+        }
+        if(ret < 0)
+                int_ssl_check(ssl, ret);
+}
+
+void buffer_to_SSL(buffer_t *buf, SSL *ssl)
+{
+        int ret;
+        if(!ssl || buffer_empty(buf))
+                return;
+        ret = SSL_write(ssl, buf->data, buf->used);
+        if(ret > 0) {
+                buffer_takedata(buf, NULL, ret);
+                buf->total_out += ret;
+        }
+        if(ret < 0)
+                int_ssl_check(ssl, ret);
+}
+
+void buffer_from_BIO(buffer_t *buf, BIO *bio)
+{
+        int ret;
+        if(!bio || buffer_full(buf))
+                return;
+        ret = BIO_read(bio, buf->data + buf->used, buffer_unused(buf));
+        if(ret > 0) {
+                buf->used += ret;
+                buf->total_in += ret;
+        }
+}
+
+void buffer_to_BIO(buffer_t *buf, BIO *bio)
+{
+        int ret;
+        if(!bio || buffer_empty(buf))
+                return;
+        ret = BIO_write(bio, buf->data, buf->used);
+        if(ret > 0) {
+                buffer_takedata(buf, NULL, ret);
+                buf->total_out += ret;
+        }
+}
+
+#endif /* !defined(NO_OPENSSL) */
+
+#endif /* !defined(NO_BUFFER) */
diff --git a/src/lib/libssl/src/demos/tunala/cb.c b/src/lib/libssl/src/demos/tunala/cb.c
new file mode 100644
index 0000000000..cd32f74c70
--- /dev/null
+++ b/src/lib/libssl/src/demos/tunala/cb.c
@@ -0,0 +1,133 @@
+#include "tunala.h"
+
+#ifndef NO_OPENSSL
+
+/* For callbacks generating output, here are their file-descriptors. */
+static FILE *fp_cb_ssl_info = NULL;
+static FILE *fp_cb_ssl_verify = NULL;
+/* Output level:
+ *     0 = nothing,
+ *     1 = minimal, just errors,
+ *     2 = minimal, all steps,
+ *     3 = detail, all steps */
+static unsigned int cb_ssl_verify_level = 1;
+
+/* Other static rubbish (to mirror s_cb.c where required) */
+static int int_verify_depth = 10;
+
+/* This function is largely borrowed from the one used in OpenSSL's "s_client"
+ * and "s_server" utilities. */
+void cb_ssl_info(const SSL *s, int where, int ret)
+{
+        const char *str1, *str2;
+        int w;
+
+        if(!fp_cb_ssl_info)
+                return;
+
+        w = where & ~SSL_ST_MASK;
+        str1 = (w & SSL_ST_CONNECT ? "SSL_connect" : (w & SSL_ST_ACCEPT ?
+                                "SSL_accept" : "undefined")),
+        str2 = SSL_state_string_long(s);
+
+        if (where & SSL_CB_LOOP)
+                fprintf(fp_cb_ssl_info, "(%s) %s\n", str1, str2);
+        else if (where & SSL_CB_EXIT) {
+                if (ret == 0)
+                        fprintf(fp_cb_ssl_info, "(%s) failed in %s\n", str1, str2);
+/* In a non-blocking model, we get a few of these "error"s simply because we're
+ * calling "reads" and "writes" on the state-machine that are virtual NOPs
+ * simply to avoid wasting the time seeing if we *should* call them. Removing
+ * this case makes the "-out_state" output a lot easier on the eye. */
+#if 0
+                else if (ret < 0)
+                        fprintf(fp_cb_ssl_info, "%s:error in %s\n", str1, str2);
+#endif
+        }
+}
+
+void cb_ssl_info_set_output(FILE *fp)
+{
+        fp_cb_ssl_info = fp;
+}
+
+static const char *int_reason_no_issuer = "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT";
+static const char *int_reason_not_yet = "X509_V_ERR_CERT_NOT_YET_VALID";
+static const char *int_reason_before = "X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD";
+static const char *int_reason_expired = "X509_V_ERR_CERT_HAS_EXPIRED";
+static const char *int_reason_after = "X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD";
+
+/* Stolen wholesale from apps/s_cb.c :-) And since then, mutilated ... */
+int cb_ssl_verify(int ok, X509_STORE_CTX *ctx)
+{
+        char buf1[256]; /* Used for the subject name */
+        char buf2[256]; /* Used for the issuer name */
+        const char *reason = NULL; /* Error reason (if any) */
+        X509 *err_cert;
+        int err, depth;
+
+        if(!fp_cb_ssl_verify || (cb_ssl_verify_level == 0))
+                return ok;
+        err_cert = X509_STORE_CTX_get_current_cert(ctx);
+        err = X509_STORE_CTX_get_error(ctx);
+        depth = X509_STORE_CTX_get_error_depth(ctx);
+
+        buf1[0] = buf2[0] = '\0';
+        /* Fill buf1 */
+        X509_NAME_oneline(X509_get_subject_name(err_cert), buf1, 256);
+        /* Fill buf2 */
+        X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf2, 256);
+        switch (ctx->error) {
+        case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+                reason = int_reason_no_issuer;
+                break;
+        case X509_V_ERR_CERT_NOT_YET_VALID:
+                reason = int_reason_not_yet;
+                break;
+        case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+                reason = int_reason_before;
+                break;
+        case X509_V_ERR_CERT_HAS_EXPIRED:
+                reason = int_reason_expired;
+                break;
+        case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+                reason = int_reason_after;
+                break;
+        }
+
+        if((cb_ssl_verify_level == 1) && ok)
+                return ok;
+        fprintf(fp_cb_ssl_verify, "chain-depth=%d, ", depth);
+        if(reason)
+                fprintf(fp_cb_ssl_verify, "error=%s\n", reason);
+        else
+                fprintf(fp_cb_ssl_verify, "error=%d\n", err);
+        if(cb_ssl_verify_level < 3)
+                return ok;
+        fprintf(fp_cb_ssl_verify, "--> subject = %s\n", buf1);
+        fprintf(fp_cb_ssl_verify, "--> issuer  = %s\n", buf2);
+        if(!ok)
+                fprintf(fp_cb_ssl_verify,"--> verify error:num=%d:%s\n",err,
+                        X509_verify_cert_error_string(err));
+        fprintf(fp_cb_ssl_verify, "--> verify return:%d\n",ok);
+        return ok;
+}
+
+void cb_ssl_verify_set_output(FILE *fp)
+{
+        fp_cb_ssl_verify = fp;
+}
+
+void cb_ssl_verify_set_depth(unsigned int verify_depth)
+{
+        int_verify_depth = verify_depth;
+}
+
+void cb_ssl_verify_set_level(unsigned int level)
+{
+        if(level < 4)
+                cb_ssl_verify_level = level;
+}
+
+#endif /* !defined(NO_OPENSSL) */
+
diff --git a/src/lib/libssl/src/demos/tunala/configure.in b/src/lib/libssl/src/demos/tunala/configure.in
new file mode 100644
index 0000000000..b2a6ffc756
--- /dev/null
+++ b/src/lib/libssl/src/demos/tunala/configure.in
@@ -0,0 +1,28 @@
+dnl Process this file with autoconf to produce a configure script.
+AC_INIT(tunala.c)
+AM_CONFIG_HEADER(config.h)
+AM_INIT_AUTOMAKE(tunala, 0.0.1-dev)
+
+dnl Checks for programs. (Though skip libtool)
+AC_PROG_CC
+dnl AC_PROG_LIBTOOL
+dnl AM_PROG_LIBTOOL
+
+dnl Checks for libraries.
+AC_CHECK_LIB(dl, dlopen)
+AC_CHECK_LIB(socket, socket)
+AC_CHECK_LIB(nsl, gethostbyname)
+
+dnl Checks for header files.
+AC_HEADER_STDC
+AC_CHECK_HEADERS(fcntl.h limits.h unistd.h)
+
+dnl Checks for typedefs, structures, and compiler characteristics.
+AC_C_CONST
+
+dnl Checks for library functions.
+AC_CHECK_FUNCS(strstr strtoul)
+AC_CHECK_FUNCS(select socket)
+AC_CHECK_FUNCS(dlopen)
+
+AC_OUTPUT(Makefile)
diff --git a/src/lib/libssl/src/demos/tunala/ip.c b/src/lib/libssl/src/demos/tunala/ip.c
new file mode 100644
index 0000000000..96ef4e6536
--- /dev/null
+++ b/src/lib/libssl/src/demos/tunala/ip.c
@@ -0,0 +1,146 @@
+#include "tunala.h"
+
+#ifndef NO_IP
+
+#define IP_LISTENER_BACKLOG 511 /* So if it gets masked by 256 or some other
+                                   such value it'll still be respectable */
+
+/* Any IP-related initialisations. For now, this means blocking SIGPIPE */
+int ip_initialise(void)
+{
+        struct sigaction sa;
+
+        sa.sa_handler = SIG_IGN;
+        sa.sa_flags = 0;
+        sigemptyset(&sa.sa_mask);
+        if(sigaction(SIGPIPE, &sa, NULL) != 0)
+                return 0;
+        return 1;
+}
+
+int ip_create_listener_split(const char *ip, unsigned short port)
+{
+        struct sockaddr_in in_addr;
+        int fd = -1;
+        int reuseVal = 1;
+
+        /* Create the socket */
+        if((fd = socket(PF_INET, SOCK_STREAM, 0)) == -1)
+                goto err;
+        /* Set the SO_REUSEADDR flag - servers act weird without it */
+        if(setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *)(&reuseVal),
+                                sizeof(reuseVal)) != 0)
+                goto err;
+        /* Prepare the listen address stuff */
+        in_addr.sin_family = AF_INET;
+        memcpy(&in_addr.sin_addr.s_addr, ip, 4);
+        in_addr.sin_port = htons(port);
+        /* Bind to the required port/address/interface */
+        if(bind(fd, (struct sockaddr *)&in_addr, sizeof(struct sockaddr_in)) != 0)
+                goto err;
+        /* Start "listening" */
+        if(listen(fd, IP_LISTENER_BACKLOG) != 0)
+                goto err;
+        return fd;
+err:
+        if(fd != -1)
+                close(fd);
+        return -1;
+}
+
+int ip_create_connection_split(const char *ip, unsigned short port)
+{
+        struct sockaddr_in in_addr;
+        int flags, fd = -1;
+
+        /* Create the socket */
+        if((fd = socket(PF_INET, SOCK_STREAM, 0)) == -1)
+                goto err;
+        /* Make it non-blocking */
+        if(((flags = fcntl(fd, F_GETFL, 0)) < 0) ||
+                        (fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0))
+                goto err;
+        /* Prepare the connection address stuff */
+        in_addr.sin_family = AF_INET;
+        memcpy(&in_addr.sin_addr.s_addr, ip, 4);
+        in_addr.sin_port = htons(port);
+        /* Start a connect (non-blocking, in all likelihood) */
+        if((connect(fd, (struct sockaddr *)&in_addr,
+                        sizeof(struct sockaddr_in)) != 0) &&
+                        (errno != EINPROGRESS))
+                goto err;
+        return fd;
+err:
+        if(fd != -1)
+                close(fd);
+        return -1;
+}
+
+static char all_local_ip[] = {0x00,0x00,0x00,0x00};
+
+int ip_parse_address(const char *address, const char **parsed_ip,
+                unsigned short *parsed_port, int accept_all_ip)
+{
+        char buf[256];
+        struct hostent *lookup;
+        unsigned long port;
+        const char *ptr = strstr(address, ":");
+        const char *ip = all_local_ip;
+
+        if(!ptr) {
+                /* We assume we're listening on all local interfaces and have
+                 * only specified a port. */
+                if(!accept_all_ip)
+                        return 0;
+                ptr = address;
+                goto determine_port;
+        }
+        if((ptr - address) > 255)
+                return 0;
+        memset(buf, 0, 256);
+        memcpy(buf, address, ptr - address);
+        ptr++;
+        if((lookup = gethostbyname(buf)) == NULL) {
+                /* Spit a message to differentiate between lookup failures and
+                 * bad strings. */
+                fprintf(stderr, "hostname lookup for '%s' failed\n", buf);
+                return 0;
+        }
+        ip = lookup->h_addr_list[0];
+determine_port:
+        if(strlen(ptr) < 1)
+                return 0;
+        if(!int_strtoul(ptr, &port) || (port > 65535))
+                return 0;
+        *parsed_ip = ip;
+        *parsed_port = (unsigned short)port;
+        return 1;
+}
+
+int ip_create_listener(const char *address)
+{
+        const char *ip;
+        unsigned short port;
+
+        if(!ip_parse_address(address, &ip, &port, 1))
+                return -1;
+        return ip_create_listener_split(ip, port);
+}
+
+int ip_create_connection(const char *address)
+{
+        const char *ip;
+        unsigned short port;
+
+        if(!ip_parse_address(address, &ip, &port, 0))
+                return -1;
+        return ip_create_connection_split(ip, port);
+}
+
+int ip_accept_connection(int listen_fd)
+{
+        return accept(listen_fd, NULL, NULL);
+}
+
+#endif /* !defined(NO_IP) */
+
diff --git a/src/lib/libssl/src/demos/tunala/sm.c b/src/lib/libssl/src/demos/tunala/sm.c
new file mode 100644
index 0000000000..25359e67ef
--- /dev/null
+++ b/src/lib/libssl/src/demos/tunala/sm.c
@@ -0,0 +1,151 @@
+#include "tunala.h"
+
+#ifndef NO_TUNALA
+
+void state_machine_init(state_machine_t *machine)
+{
+        machine->ssl = NULL;
+        machine->bio_intossl = machine->bio_fromssl = NULL;
+        buffer_init(&machine->clean_in);
+        buffer_init(&machine->clean_out);
+        buffer_init(&machine->dirty_in);
+        buffer_init(&machine->dirty_out);
+}
+
+void state_machine_close(state_machine_t *machine)
+{
+        if(machine->ssl)
+                SSL_free(machine->ssl);
+/* SSL_free seems to decrement the reference counts already so doing this goes
+ * kaboom. */
+#if 0
+        if(machine->bio_intossl)
+                BIO_free(machine->bio_intossl);
+        if(machine->bio_fromssl)
+                BIO_free(machine->bio_fromssl);
+#endif
+        buffer_close(&machine->clean_in);
+        buffer_close(&machine->clean_out);
+        buffer_close(&machine->dirty_in);
+        buffer_close(&machine->dirty_out);
+        state_machine_init(machine);
+}
+
+buffer_t *state_machine_get_buffer(state_machine_t *machine, sm_buffer_t type)
+{
+        switch(type) {
+        case SM_CLEAN_IN:
+                return &machine->clean_in;
+        case SM_CLEAN_OUT:
+                return &machine->clean_out;
+        case SM_DIRTY_IN:
+                return &machine->dirty_in;
+        case SM_DIRTY_OUT:
+                return &machine->dirty_out;
+        default:
+                break;
+        }
+        /* Should never get here */
+        abort();
+        return NULL;
+}
+
+SSL *state_machine_get_SSL(state_machine_t *machine)
+{
+        return machine->ssl;
+}
+
+int state_machine_set_SSL(state_machine_t *machine, SSL *ssl, int is_server)
+{
+        if(machine->ssl)
+                /* Shouldn't ever be set twice */
+                abort();
+        machine->ssl = ssl;
+        /* Create the BIOs to handle the dirty side of the SSL */
+        if((machine->bio_intossl = BIO_new(BIO_s_mem())) == NULL)
+                abort();
+        if((machine->bio_fromssl = BIO_new(BIO_s_mem())) == NULL)
+                abort();
+        /* Hook up the BIOs on the dirty side of the SSL */
+        SSL_set_bio(machine->ssl, machine->bio_intossl, machine->bio_fromssl);
+        if(is_server)
+                SSL_set_accept_state(machine->ssl);
+        else
+                SSL_set_connect_state(machine->ssl);
+        /* If we're the first one to generate traffic - do it now otherwise we
+         * go into the next select empty-handed and our peer will not send data
+         * but will similarly wait for us. */
+        return state_machine_churn(machine);
+}
+
+/* Performs the data-IO loop and returns zero if the machine should close */
+int state_machine_churn(state_machine_t *machine)
+{
+        unsigned int loop;
+        if(machine->ssl == NULL) {
+                if(buffer_empty(&machine->clean_out))
+                        /* Time to close this state-machine altogether */
+                        return 0;
+                else
+                        /* Still buffered data on the clean side to go out */
+                        return 1;
+        }
+        /* Do this loop twice to cover any dependencies about which precise
+         * order of reads and writes is required. */
+        for(loop = 0; loop < 2; loop++) {
+                buffer_to_SSL(&machine->clean_in, machine->ssl);
+                buffer_to_BIO(&machine->dirty_in, machine->bio_intossl);
+                buffer_from_SSL(&machine->clean_out, machine->ssl);
+                buffer_from_BIO(&machine->dirty_out, machine->bio_fromssl);
+        }
+        /* We close on the SSL side if the info callback noticed some problems
+         * or an SSL shutdown was underway and shutdown traffic had all been
+         * sent. */
+        if(SSL_get_app_data(machine->ssl) || (SSL_get_shutdown(machine->ssl) &&
+                                buffer_empty(&machine->dirty_out))) {
+                /* Great, we can seal off the dirty side completely */
+                if(!state_machine_close_dirty(machine))
+                        return 0;
+        }
+        /* Either the SSL is alive and well, or the closing process still has
+         * outgoing data waiting to be sent */
+        return 1;
+}
+
+/* Called when the clean side of the SSL has lost its connection */
+int state_machine_close_clean(state_machine_t *machine)
+{
+        /* Well, first thing to do is null out the clean-side buffers - they're
+         * no use any more. */
+        buffer_close(&machine->clean_in);
+        buffer_close(&machine->clean_out);
+        /* And start an SSL shutdown */
+        if(machine->ssl)
+                SSL_shutdown(machine->ssl);
+        /* This is an "event", so flush the SSL of any generated traffic */
+        state_machine_churn(machine);
+        if(buffer_empty(&machine->dirty_in) &&
+                        buffer_empty(&machine->dirty_out))
+                return 0;
+        return 1;
+}
+
+/* Called when the dirty side of the SSL has lost its connection. This is pretty
+ * terminal as all that can be left to do is send any buffered output on the
+ * clean side - after that, we're done. */
+int state_machine_close_dirty(state_machine_t *machine)
+{
+        buffer_close(&machine->dirty_in);
+        buffer_close(&machine->dirty_out);
+        buffer_close(&machine->clean_in);
+        if(machine->ssl)
+                SSL_free(machine->ssl);
+        machine->ssl = NULL;
+        machine->bio_intossl = machine->bio_fromssl = NULL;
+        if(buffer_empty(&machine->clean_out))
+                return 0;
+        return 1;
+}
+
+#endif /* !defined(NO_TUNALA) */
+
diff --git a/src/lib/libssl/src/demos/tunala/tunala.c b/src/lib/libssl/src/demos/tunala/tunala.c
new file mode 100644
index 0000000000..e802a6209f
--- /dev/null
+++ b/src/lib/libssl/src/demos/tunala/tunala.c
@@ -0,0 +1,1093 @@
+#if defined(NO_BUFFER) || defined(NO_IP) || defined(NO_OPENSSL)
+#error "Badness, NO_BUFFER, NO_IP or NO_OPENSSL is defined, turn them *off*"
+#endif
+
+/* Include our bits'n'pieces */
+#include "tunala.h"
+
+
+/********************************************/
+/* Our local types that specify our "world" */
+/********************************************/
+
+/* These represent running "tunnels". Eg. if you wanted to do SSL in a
+ * "message-passing" scanario, the "int" file-descriptors might be replaced by
+ * thread or process IDs, and the "select" code might be replaced by message
+ * handling code. Whatever. */
+typedef struct _tunala_item_t {
+        /* The underlying SSL state machine. This is a data-only processing unit
+         * and we communicate with it by talking to its four "buffers". */
+        state_machine_t sm;
+        /* The file-descriptors for the "dirty" (encrypted) side of the SSL
+         * setup. In actuality, this is typically a socket and both values are
+         * identical. */
+        int dirty_read, dirty_send;
+        /* The file-descriptors for the "clean" (unencrypted) side of the SSL
+         * setup. These could be stdin/stdout, a socket (both values the same),
+         * or whatever you like. */
+        int clean_read, clean_send;
+} tunala_item_t;
+
+/* This structure is used as the data for running the main loop. Namely, in a
+ * network format such as this, it is stuff for select() - but as pointed out,
+ * when moving the real-world to somewhere else, this might be replaced by
+ * something entirely different. It's basically the stuff that controls when
+ * it's time to do some "work". */
+typedef struct _select_sets_t {
+        int max; /* As required as the first argument to select() */
+        fd_set reads, sends, excepts; /* As passed to select() */
+} select_sets_t;
+typedef struct _tunala_selector_t {
+        select_sets_t last_selected; /* Results of the last select() */
+        select_sets_t next_select; /* What we'll next select on */
+} tunala_selector_t;
+
+/* This structure is *everything*. We do it to avoid the use of globals so that,
+ * for example, it would be easier to shift things around between async-IO,
+ * thread-based, or multi-fork()ed (or combinations thereof). */
+typedef struct _tunala_world_t {
+        /* The file-descriptor we "listen" on for new connections */
+        int listen_fd;
+        /* The array of tunnels */
+        tunala_item_t *tunnels;
+        /* the number of tunnels in use and allocated, respectively */
+        unsigned int tunnels_used, tunnels_size;
+        /* Our outside "loop" context stuff */
+        tunala_selector_t selector;
+        /* Our SSL_CTX, which is configured as the SSL client or server and has
+         * the various cert-settings and callbacks configured. */
+        SSL_CTX *ssl_ctx;
+        /* Simple flag with complex logic :-) Indicates whether we're an SSL
+         * server or an SSL client. */
+        int server_mode;
+} tunala_world_t;
+
+/*****************************/
+/* Internal static functions */
+/*****************************/
+
+static SSL_CTX *initialise_ssl_ctx(int server_mode, const char *engine_id,
+                const char *CAfile, const char *cert, const char *key,
+                const char *dcert, const char *dkey, const char *cipher_list,
+                const char *dh_file, const char *dh_special, int ctx_options,
+                int out_state, int out_verify, int verify_mode,
+                unsigned int verify_depth);
+static void selector_init(tunala_selector_t *selector);
+static void selector_add_listener(tunala_selector_t *selector, int fd);
+static void selector_add_tunala(tunala_selector_t *selector, tunala_item_t *t);
+static int selector_select(tunala_selector_t *selector);
+/* This returns -1 for error, 0 for no new connections, or 1 for success, in
+ * which case *newfd is populated. */
+static int selector_get_listener(tunala_selector_t *selector, int fd, int *newfd);
+static int tunala_world_new_item(tunala_world_t *world, int fd,
+                const char *ip, unsigned short port, int flipped);
+static void tunala_world_del_item(tunala_world_t *world, unsigned int idx);
+static int tunala_item_io(tunala_selector_t *selector, tunala_item_t *item);
+
+/*********************************************/
+/* MAIN FUNCTION (and its utility functions) */
+/*********************************************/
+
+static const char *def_proxyhost = "127.0.0.1:443";
+static const char *def_listenhost = "127.0.0.1:8080";
+static int def_max_tunnels = 50;
+static const char *def_cacert = NULL;
+static const char *def_cert = NULL;
+static const char *def_key = NULL;
+static const char *def_dcert = NULL;
+static const char *def_dkey = NULL;
+static const char *def_engine_id = NULL;
+static int def_server_mode = 0;
+static int def_flipped = 0;
+static const char *def_cipher_list = NULL;
+static const char *def_dh_file = NULL;
+static const char *def_dh_special = NULL;
+static int def_ctx_options = 0;
+static int def_verify_mode = 0;
+static unsigned int def_verify_depth = 10;
+static int def_out_state = 0;
+static unsigned int def_out_verify = 0;
+static int def_out_totals = 0;
+static int def_out_conns = 0;
+
+static const char *helpstring =
+"\n'Tunala' (A tunneler with a New Zealand accent)\n"
+"Usage: tunala [options], where options are from;\n"
+" -listen [host:]<port>  (default = 127.0.0.1:8080)\n"
+" -proxy <host>:<port>   (default = 127.0.0.1:443)\n"
+" -maxtunnels <num>      (default = 50)\n"
+" -cacert <path|NULL>    (default = NULL)\n"
+" -cert <path|NULL>      (default = NULL)\n"
+" -key <path|NULL>       (default = whatever '-cert' is)\n"
+" -dcert <path|NULL>     (usually for DSA, default = NULL)\n"
+" -dkey <path|NULL>      (usually for DSA, default = whatever '-dcert' is)\n"
+" -engine <id|NULL>      (default = NULL)\n"
+" -server <0|1>          (default = 0, ie. an SSL client)\n"
+" -flipped <0|1>         (makes SSL servers be network clients, and vice versa)\n"
+" -cipher <list>         (specifies cipher list to use)\n"
+" -dh_file <path>        (a PEM file containing DH parameters to use)\n"
+" -dh_special <NULL|generate|standard> (see below: def=NULL)\n"
+" -no_ssl2               (disable SSLv2)\n"
+" -no_ssl3               (disable SSLv3)\n"
+" -no_tls1               (disable TLSv1)\n"
+" -v_peer                (verify the peer certificate)\n"
+" -v_strict              (do not continue if peer doesn't authenticate)\n"
+" -v_once                (no verification in renegotiates)\n"
+" -v_depth <num>         (limit certificate chain depth, default = 10)\n"
+" -out_conns             (prints client connections and disconnections)\n"
+" -out_state             (prints SSL handshake states)\n"
+" -out_verify <0|1|2|3>  (prints certificate verification states: def=1)\n"
+" -out_totals            (prints out byte-totals when a tunnel closes)\n"
+" -<h|help|?>            (displays this help screen)\n"
+"Notes:\n"
+"(1) It is recommended to specify a cert+key when operating as an SSL server.\n"
+"    If you only specify '-cert', the same file must contain a matching\n"
+"    private key.\n"
+"(2) Either dh_file or dh_special can be used to specify where DH parameters\n"
+"    will be obtained from (or '-dh_special NULL' for the default choice) but\n"
+"    you cannot specify both. For dh_special, 'generate' will create new DH\n"
+"    parameters on startup, and 'standard' will use embedded parameters\n"
+"    instead.\n"
+"(3) Normally an ssl client connects to an ssl server - so that an 'ssl client\n"
+"    tunala' listens for 'clean' client connections and proxies ssl, and an\n"
+"    'ssl server tunala' listens for ssl connections and proxies 'clean'. With\n"
+"    '-flipped 1', this behaviour is reversed so that an 'ssl server tunala'\n"
+"    listens for clean client connections and proxies ssl (but participating\n"
+"    as an ssl *server* in the SSL/TLS protocol), and an 'ssl client tunala'\n"
+"    listens for ssl connections (participating as an ssl *client* in the\n"
+"    SSL/TLS protocol) and proxies 'clean' to the end destination. This can\n"
+"    be useful for allowing network access to 'servers' where only the server\n"
+"    needs to authenticate the client (ie. the other way is not required).\n"
+"    Even with client and server authentication, this 'technique' mitigates\n"
+"    some DoS (denial-of-service) potential as it will be the network client\n"
+"    having to perform the first private key operation rather than the other\n"
+"    way round.\n"
+"(4) The 'technique' used by setting '-flipped 1' is probably compatible with\n"
+"    absolutely nothing except another complimentary instance of 'tunala'\n"
+"    running with '-flipped 1'. :-)\n";
+
+/* Default DH parameters for use with "-dh_special standard" ... stolen striaght
+ * from s_server. */
+static unsigned char dh512_p[]={
+        0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
+        0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
+        0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
+        0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
+        0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
+        0x47,0x74,0xE8,0x33,
+        };
+static unsigned char dh512_g[]={
+        0x02,
+        };
+
+/* And the function that parses the above "standard" parameters, again, straight
+ * out of s_server. */
+static DH *get_dh512(void)
+        {
+        DH *dh=NULL;
+
+        if ((dh=DH_new()) == NULL) return(NULL);
+        dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
+        dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
+        if ((dh->p == NULL) || (dh->g == NULL))
+                return(NULL);
+        return(dh);
+        }
+
+/* Various help/error messages used by main() */
+static int usage(const char *errstr, int isunknownarg)
+{
+        if(isunknownarg)
+                fprintf(stderr, "Error: unknown argument '%s'\n", errstr);
+        else
+                fprintf(stderr, "Error: %s\n", errstr);
+        fprintf(stderr, "%s\n", helpstring);
+        return 1;
+}
+
+static int err_str0(const char *str0)
+{
+        fprintf(stderr, "%s\n", str0);
+        return 1;
+}
+
+static int err_str1(const char *fmt, const char *str1)
+{
+        fprintf(stderr, fmt, str1);
+        fprintf(stderr, "\n");
+        return 1;
+}
+
+static int parse_max_tunnels(const char *s, unsigned int *maxtunnels)
+{
+        unsigned long l;
+        if(!int_strtoul(s, &l) || (l < 1) || (l > 1024)) {
+                fprintf(stderr, "Error, '%s' is an invalid value for "
+                                "maxtunnels\n", s);
+                return 0;
+        }
+        *maxtunnels = (unsigned int)l;
+        return 1;
+}
+
+static int parse_server_mode(const char *s, int *servermode)
+{
+        unsigned long l;
+        if(!int_strtoul(s, &l) || (l > 1)) {
+                fprintf(stderr, "Error, '%s' is an invalid value for the "
+                                "server mode\n", s);
+                return 0;
+        }
+        *servermode = (int)l;
+        return 1;
+}
+
+static int parse_dh_special(const char *s, const char **dh_special)
+{
+        if((strcmp(s, "NULL") == 0) || (strcmp(s, "generate") == 0) ||
+                        (strcmp(s, "standard") == 0)) {
+                *dh_special = s;
+                return 1;
+        }
+        fprintf(stderr, "Error, '%s' is an invalid value for 'dh_special'\n", s);
+        return 0;
+}
+
+static int parse_verify_level(const char *s, unsigned int *verify_level)
+{
+        unsigned long l;
+        if(!int_strtoul(s, &l) || (l > 3)) {
+                fprintf(stderr, "Error, '%s' is an invalid value for "
+                                "out_verify\n", s);
+                return 0;
+        }
+        *verify_level = (unsigned int)l;
+        return 1;
+}
+
+static int parse_verify_depth(const char *s, unsigned int *verify_depth)
+{
+        unsigned long l;
+        if(!int_strtoul(s, &l) || (l < 1) || (l > 50)) {
+                fprintf(stderr, "Error, '%s' is an invalid value for "
+                                "verify_depth\n", s);
+                return 0;
+        }
+        *verify_depth = (unsigned int)l;
+        return 1;
+}
+
+/* Some fprintf format strings used when tunnels close */
+static const char *io_stats_dirty =
+"    SSL traffic;   %8lu bytes in, %8lu bytes out\n";
+static const char *io_stats_clean =
+"    clear traffic; %8lu bytes in, %8lu bytes out\n";
+
+int main(int argc, char *argv[])
+{
+        unsigned int loop;
+        int newfd;
+        tunala_world_t world;
+        tunala_item_t *t_item;
+        const char *proxy_ip;
+        unsigned short proxy_port;
+        /* Overridables */
+        const char *proxyhost = def_proxyhost;
+        const char *listenhost = def_listenhost;
+        unsigned int max_tunnels = def_max_tunnels;
+        const char *cacert = def_cacert;
+        const char *cert = def_cert;
+        const char *key = def_key;
+        const char *dcert = def_dcert;
+        const char *dkey = def_dkey;
+        const char *engine_id = def_engine_id;
+        int server_mode = def_server_mode;
+        int flipped = def_flipped;
+        const char *cipher_list = def_cipher_list;
+        const char *dh_file = def_dh_file;
+        const char *dh_special = def_dh_special;
+        int ctx_options = def_ctx_options;
+        int verify_mode = def_verify_mode;
+        unsigned int verify_depth = def_verify_depth;
+        int out_state = def_out_state;
+        unsigned int out_verify = def_out_verify;
+        int out_totals = def_out_totals;
+        int out_conns = def_out_conns;
+
+/* Parse command-line arguments */
+next_arg:
+        argc--; argv++;
+        if(argc > 0) {
+                if(strcmp(*argv, "-listen") == 0) {
+                        if(argc < 2)
+                                return usage("-listen requires an argument", 0);
+                        argc--; argv++;
+                        listenhost = *argv;
+                        goto next_arg;
+                } else if(strcmp(*argv, "-proxy") == 0) {
+                        if(argc < 2)
+                                return usage("-proxy requires an argument", 0);
+                        argc--; argv++;
+                        proxyhost = *argv;
+                        goto next_arg;
+                } else if(strcmp(*argv, "-maxtunnels") == 0) {
+                        if(argc < 2)
+                                return usage("-maxtunnels requires an argument", 0);
+                        argc--; argv++;
+                        if(!parse_max_tunnels(*argv, &max_tunnels))
+                                return 1;
+                        goto next_arg;
+                } else if(strcmp(*argv, "-cacert") == 0) {
+                        if(argc < 2)
+                                return usage("-cacert requires an argument", 0);
+                        argc--; argv++;
+                        if(strcmp(*argv, "NULL") == 0)
+                                cacert = NULL;
+                        else
+                                cacert = *argv;
+                        goto next_arg;
+                } else if(strcmp(*argv, "-cert") == 0) {
+                        if(argc < 2)
+                                return usage("-cert requires an argument", 0);
+                        argc--; argv++;
+                        if(strcmp(*argv, "NULL") == 0)
+                                cert = NULL;
+                        else
+                                cert = *argv;
+                        goto next_arg;
+                } else if(strcmp(*argv, "-key") == 0) {
+                        if(argc < 2)
+                                return usage("-key requires an argument", 0);
+                        argc--; argv++;
+                        if(strcmp(*argv, "NULL") == 0)
+                                key = NULL;
+                        else
+                                key = *argv;
+                        goto next_arg;
+                } else if(strcmp(*argv, "-dcert") == 0) {
+                        if(argc < 2)
+                                return usage("-dcert requires an argument", 0);
+                        argc--; argv++;
+                        if(strcmp(*argv, "NULL") == 0)
+                                dcert = NULL;
+                        else
+                                dcert = *argv;
+                        goto next_arg;
+                } else if(strcmp(*argv, "-dkey") == 0) {
+                        if(argc < 2)
+                                return usage("-dkey requires an argument", 0);
+                        argc--; argv++;
+                        if(strcmp(*argv, "NULL") == 0)
+                                dkey = NULL;
+                        else
+                                dkey = *argv;
+                        goto next_arg;
+                } else if(strcmp(*argv, "-engine") == 0) {
+                        if(argc < 2)
+                                return usage("-engine requires an argument", 0);
+                        argc--; argv++;
+                        engine_id = *argv;
+                        goto next_arg;
+                } else if(strcmp(*argv, "-server") == 0) {
+                        if(argc < 2)
+                                return usage("-server requires an argument", 0);
+                        argc--; argv++;
+                        if(!parse_server_mode(*argv, &server_mode))
+                                return 1;
+                        goto next_arg;
+                } else if(strcmp(*argv, "-flipped") == 0) {
+                        if(argc < 2)
+                                return usage("-flipped requires an argument", 0);
+                        argc--; argv++;
+                        if(!parse_server_mode(*argv, &flipped))
+                                return 1;
+                        goto next_arg;
+                } else if(strcmp(*argv, "-cipher") == 0) {
+                        if(argc < 2)
+                                return usage("-cipher requires an argument", 0);
+                        argc--; argv++;
+                        cipher_list = *argv;
+                        goto next_arg;
+                } else if(strcmp(*argv, "-dh_file") == 0) {
+                        if(argc < 2)
+                                return usage("-dh_file requires an argument", 0);
+                        if(dh_special)
+                                return usage("cannot mix -dh_file with "
+                                                "-dh_special", 0);
+                        argc--; argv++;
+                        dh_file = *argv;
+                        goto next_arg;
+                } else if(strcmp(*argv, "-dh_special") == 0) {
+                        if(argc < 2)
+                                return usage("-dh_special requires an argument", 0);
+                        if(dh_file)
+                                return usage("cannot mix -dh_file with "
+                                                "-dh_special", 0);
+                        argc--; argv++;
+                        if(!parse_dh_special(*argv, &dh_special))
+                                return 1;
+                        goto next_arg;
+                } else if(strcmp(*argv, "-no_ssl2") == 0) {
+                        ctx_options |= SSL_OP_NO_SSLv2;
+                        goto next_arg;
+                } else if(strcmp(*argv, "-no_ssl3") == 0) {
+                        ctx_options |= SSL_OP_NO_SSLv3;
+                        goto next_arg;
+                } else if(strcmp(*argv, "-no_tls1") == 0) {
+                        ctx_options |= SSL_OP_NO_TLSv1;
+                        goto next_arg;
+                } else if(strcmp(*argv, "-v_peer") == 0) {
+                        verify_mode |= SSL_VERIFY_PEER;
+                        goto next_arg;
+                } else if(strcmp(*argv, "-v_strict") == 0) {
+                        verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+                        goto next_arg;
+                } else if(strcmp(*argv, "-v_once") == 0) {
+                        verify_mode |= SSL_VERIFY_CLIENT_ONCE;
+                        goto next_arg;
+                } else if(strcmp(*argv, "-v_depth") == 0) {
+                        if(argc < 2)
+                                return usage("-v_depth requires an argument", 0);
+                        argc--; argv++;
+                        if(!parse_verify_depth(*argv, &verify_depth))
+                                return 1;
+                        goto next_arg;
+                } else if(strcmp(*argv, "-out_state") == 0) {
+                        out_state = 1;
+                        goto next_arg;
+                } else if(strcmp(*argv, "-out_verify") == 0) {
+                        if(argc < 2)
+                                return usage("-out_verify requires an argument", 0);
+                        argc--; argv++;
+                        if(!parse_verify_level(*argv, &out_verify))
+                                return 1;
+                        goto next_arg;
+                } else if(strcmp(*argv, "-out_totals") == 0) {
+                        out_totals = 1;
+                        goto next_arg;
+                } else if(strcmp(*argv, "-out_conns") == 0) {
+                        out_conns = 1;
+                        goto next_arg;
+                } else if((strcmp(*argv, "-h") == 0) ||
+                                (strcmp(*argv, "-help") == 0) ||
+                                (strcmp(*argv, "-?") == 0)) {
+                        fprintf(stderr, "%s\n", helpstring);
+                        return 0;
+                } else
+                        return usage(*argv, 1);
+        }
+        /* Run any sanity checks we want here */
+        if(!cert && !dcert && server_mode)
+                fprintf(stderr, "WARNING: you are running an SSL server without "
+                                "a certificate - this may not work!\n");
+
+        /* Initialise network stuff */
+        if(!ip_initialise())
+                return err_str0("ip_initialise failed");
+        /* Create the SSL_CTX */
+        if((world.ssl_ctx = initialise_ssl_ctx(server_mode, engine_id,
+                        cacert, cert, key, dcert, dkey, cipher_list, dh_file,
+                        dh_special, ctx_options, out_state, out_verify,
+                        verify_mode, verify_depth)) == NULL)
+                return err_str1("initialise_ssl_ctx(engine_id=%s) failed",
+                        (engine_id == NULL) ? "NULL" : engine_id);
+        if(engine_id)
+                fprintf(stderr, "Info, engine '%s' initialised\n", engine_id);
+        /* Create the listener */
+        if((world.listen_fd = ip_create_listener(listenhost)) == -1)
+                return err_str1("ip_create_listener(%s) failed", listenhost);
+        fprintf(stderr, "Info, listening on '%s'\n", listenhost);
+        if(!ip_parse_address(proxyhost, &proxy_ip, &proxy_port, 0))
+                return err_str1("ip_parse_address(%s) failed", proxyhost);
+        fprintf(stderr, "Info, proxying to '%s' (%d.%d.%d.%d:%d)\n", proxyhost,
+                        (int)proxy_ip[0], (int)proxy_ip[1],
+                        (int)proxy_ip[2], (int)proxy_ip[3], (int)proxy_port);
+        fprintf(stderr, "Info, set maxtunnels to %d\n", (int)max_tunnels);
+        fprintf(stderr, "Info, set to operate as an SSL %s\n",
+                        (server_mode ? "server" : "client"));
+        /* Initialise the rest of the stuff */
+        world.tunnels_used = world.tunnels_size = 0;
+        world.tunnels = NULL;
+        world.server_mode = server_mode;
+        selector_init(&world.selector);
+
+/* We're ready to loop */
+main_loop:
+        /* Should we listen for *new* tunnels? */
+        if(world.tunnels_used < max_tunnels)
+                selector_add_listener(&world.selector, world.listen_fd);
+        /* We should add in our existing tunnels */
+        for(loop = 0; loop < world.tunnels_used; loop++)
+                selector_add_tunala(&world.selector, world.tunnels + loop);
+        /* Now do the select */
+        switch(selector_select(&world.selector)) {
+        case -1:
+                fprintf(stderr, "selector_select returned a badness error.\n");
+                goto shouldnt_happen;
+        case 0:
+                fprintf(stderr, "Warn, selector_select returned 0 - signal?""?\n");
+                goto main_loop;
+        default:
+                break;
+        }
+        /* Accept new connection if we should and can */
+        if((world.tunnels_used < max_tunnels) && (selector_get_listener(
+                                        &world.selector, world.listen_fd,
+                                        &newfd) == 1)) {
+                /* We have a new connection */
+                if(!tunala_world_new_item(&world, newfd, proxy_ip,
+                                                proxy_port, flipped))
+                        fprintf(stderr, "tunala_world_new_item failed\n");
+                else if(out_conns)
+                        fprintf(stderr, "Info, new tunnel opened, now up to "
+                                        "%d\n", world.tunnels_used);
+        }
+        /* Give each tunnel its moment, note the while loop is because it makes
+         * the logic easier than with "for" to deal with an array that may shift
+         * because of deletes. */
+        loop = 0;
+        t_item = world.tunnels;
+        while(loop < world.tunnels_used) {
+                if(!tunala_item_io(&world.selector, t_item)) {
+                        /* We're closing whether for reasons of an error or a
+                         * natural close. Don't increment loop or t_item because
+                         * the next item is moving to us! */
+                        if(!out_totals)
+                                goto skip_totals;
+                        fprintf(stderr, "Tunnel closing, traffic stats follow\n");
+                        /* Display the encrypted (over the network) stats */
+                        fprintf(stderr, io_stats_dirty,
+                                buffer_total_in(state_machine_get_buffer(
+                                                &t_item->sm,SM_DIRTY_IN)),
+                                buffer_total_out(state_machine_get_buffer(
+                                                &t_item->sm,SM_DIRTY_OUT)));
+                        /* Display the local (tunnelled) stats. NB: Data we
+                         * *receive* is data sent *out* of the state_machine on
+                         * its 'clean' side. Hence the apparent back-to-front
+                         * OUT/IN mixup here :-) */
+                        fprintf(stderr, io_stats_clean,
+                                buffer_total_out(state_machine_get_buffer(
+                                                &t_item->sm,SM_CLEAN_OUT)),
+                                buffer_total_in(state_machine_get_buffer(
+                                                &t_item->sm,SM_CLEAN_IN)));
+skip_totals:
+                        tunala_world_del_item(&world, loop);
+                        if(out_conns)
+                                fprintf(stderr, "Info, tunnel closed, down to %d\n",
+                                        world.tunnels_used);
+                }
+                else {
+                        /* Move to the next item */
+                        loop++;
+                        t_item++;
+                }
+        }
+        goto main_loop;
+        /* Should never get here */
+shouldnt_happen:
+        abort();
+        return 1;
+}
+
+/****************/
+/* OpenSSL bits */
+/****************/
+
+static int ctx_set_cert(SSL_CTX *ctx, const char *cert, const char *key)
+{
+        FILE *fp = NULL;
+        X509 *x509 = NULL;
+        EVP_PKEY *pkey = NULL;
+        int toret = 0; /* Assume an error */
+
+        /* cert */
+        if(cert) {
+                if((fp = fopen(cert, "r")) == NULL) {
+                        fprintf(stderr, "Error opening cert file '%s'\n", cert);
+                        goto err;
+                }
+                if(!PEM_read_X509(fp, &x509, NULL, NULL)) {
+                        fprintf(stderr, "Error reading PEM cert from '%s'\n",
+                                        cert);
+                        goto err;
+                }
+                if(!SSL_CTX_use_certificate(ctx, x509)) {
+                        fprintf(stderr, "Error, cert in '%s' can not be used\n",
+                                        cert);
+                        goto err;
+                }
+                /* Clear the FILE* for reuse in the "key" code */
+                fclose(fp);
+                fp = NULL;
+                fprintf(stderr, "Info, operating with cert in '%s'\n", cert);
+                /* If a cert was given without matching key, we assume the same
+                 * file contains the required key. */
+                if(!key)
+                        key = cert;
+        } else {
+                if(key)
+                        fprintf(stderr, "Error, can't specify a key without a "
+                                        "corresponding certificate\n");
+                else
+                        fprintf(stderr, "Error, ctx_set_cert called with "
+                                        "NULLs!\n");
+                goto err;
+        }
+        /* key */
+        if(key) {
+                if((fp = fopen(key, "r")) == NULL) {
+                        fprintf(stderr, "Error opening key file '%s'\n", key);
+                        goto err;
+                }
+                if(!PEM_read_PrivateKey(fp, &pkey, NULL, NULL)) {
+                        fprintf(stderr, "Error reading PEM key from '%s'\n",
+                                        key);
+                        goto err;
+                }
+                if(!SSL_CTX_use_PrivateKey(ctx, pkey)) {
+                        fprintf(stderr, "Error, key in '%s' can not be used\n",
+                                        key);
+                        goto err;
+                }
+                fprintf(stderr, "Info, operating with key in '%s'\n", key);
+        } else
+                fprintf(stderr, "Info, operating without a cert or key\n");
+        /* Success */
+        toret = 1; err:
+        if(x509)
+                X509_free(x509);
+        if(pkey)
+                EVP_PKEY_free(pkey);
+        if(fp)
+                fclose(fp);
+        return toret;
+}
+
+static int ctx_set_dh(SSL_CTX *ctx, const char *dh_file, const char *dh_special)
+{
+        DH *dh = NULL;
+        FILE *fp = NULL;
+
+        if(dh_special) {
+                if(strcmp(dh_special, "NULL") == 0)
+                        return 1;
+                if(strcmp(dh_special, "standard") == 0) {
+                        if((dh = get_dh512()) == NULL) {
+                                fprintf(stderr, "Error, can't parse 'standard'"
+                                                " DH parameters\n");
+                                return 0;
+                        }
+                        fprintf(stderr, "Info, using 'standard' DH parameters\n");
+                        goto do_it;
+                }
+                if(strcmp(dh_special, "generate") != 0)
+                        /* This shouldn't happen - screening values is handled
+                         * in main(). */
+                        abort();
+                fprintf(stderr, "Info, generating DH parameters ... ");
+                fflush(stderr);
+                if((dh = DH_generate_parameters(512, DH_GENERATOR_5,
+                                        NULL, NULL)) == NULL) {
+                        fprintf(stderr, "error!\n");
+                        return 0;
+                }
+                fprintf(stderr, "complete\n");
+                goto do_it;
+        }
+        /* So, we're loading dh_file */
+        if((fp = fopen(dh_file, "r")) == NULL) {
+                fprintf(stderr, "Error, couldn't open '%s' for DH parameters\n",
+                                dh_file);
+                return 0;
+        }
+        dh = PEM_read_DHparams(fp, NULL, NULL, NULL);
+        fclose(fp);
+        if(dh == NULL) {
+                fprintf(stderr, "Error, could not parse DH parameters from '%s'\n",
+                                dh_file);
+                return 0;
+        }
+        fprintf(stderr, "Info, using DH parameters from file '%s'\n", dh_file);
+do_it:
+        SSL_CTX_set_tmp_dh(ctx, dh);
+        DH_free(dh);
+        return 1;
+}
+
+static SSL_CTX *initialise_ssl_ctx(int server_mode, const char *engine_id,
+                const char *CAfile, const char *cert, const char *key,
+                const char *dcert, const char *dkey, const char *cipher_list,
+                const char *dh_file, const char *dh_special, int ctx_options,
+                int out_state, int out_verify, int verify_mode,
+                unsigned int verify_depth)
+{
+        SSL_CTX *ctx = NULL, *ret = NULL;
+        SSL_METHOD *meth;
+        ENGINE *e = NULL;
+
+        OpenSSL_add_ssl_algorithms();
+        SSL_load_error_strings();
+
+        meth = (server_mode ? SSLv23_server_method() : SSLv23_client_method());
+        if(meth == NULL)
+                goto err;
+        if(engine_id) {
+                ENGINE_load_builtin_engines();
+                if((e = ENGINE_by_id(engine_id)) == NULL) {
+                        fprintf(stderr, "Error obtaining '%s' engine, openssl "
+                                        "errors follow\n", engine_id);
+                        goto err;
+                }
+                if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
+                        fprintf(stderr, "Error assigning '%s' engine, openssl "
+                                        "errors follow\n", engine_id);
+                        goto err;
+                }
+                ENGINE_free(e);
+        }
+        if((ctx = SSL_CTX_new(meth)) == NULL)
+                goto err;
+        /* cacert */
+        if(CAfile) {
+                if(!X509_STORE_load_locations(SSL_CTX_get_cert_store(ctx),
+                                        CAfile, NULL)) {
+                        fprintf(stderr, "Error loading CA cert(s) in '%s'\n",
+                                        CAfile);
+                        goto err;
+                }
+                fprintf(stderr, "Info, operating with CA cert(s) in '%s'\n",
+                                CAfile);
+        } else
+                fprintf(stderr, "Info, operating without a CA cert(-list)\n");
+        if(!SSL_CTX_set_default_verify_paths(ctx)) {
+                fprintf(stderr, "Error setting default verify paths\n");
+                goto err;
+        }
+
+        /* cert and key */
+        if((cert || key) && !ctx_set_cert(ctx, cert, key))
+                goto err;
+        /* dcert and dkey */
+        if((dcert || dkey) && !ctx_set_cert(ctx, dcert, dkey))
+                goto err;
+
+        /* cipher_list */
+        if(cipher_list) {
+                if(!SSL_CTX_set_cipher_list(ctx, cipher_list)) {
+                        fprintf(stderr, "Error setting cipher list '%s'\n",
+                                        cipher_list);
+                        goto err;
+                }
+                fprintf(stderr, "Info, set cipher list '%s'\n", cipher_list);
+        } else
+                fprintf(stderr, "Info, operating with default cipher list\n");
+
+        /* dh_file & dh_special */
+        if((dh_file || dh_special) && !ctx_set_dh(ctx, dh_file, dh_special))
+                goto err;
+
+        /* ctx_options */
+        SSL_CTX_set_options(ctx, ctx_options);
+
+        /* out_state (output of SSL handshake states to screen). */
+        if(out_state)
+                cb_ssl_info_set_output(stderr);
+
+        /* out_verify */
+        if(out_verify > 0) {
+                cb_ssl_verify_set_output(stderr);
+                cb_ssl_verify_set_level(out_verify);
+        }
+
+        /* verify_depth */
+        cb_ssl_verify_set_depth(verify_depth);
+
+        /* Success! (includes setting verify_mode) */
+        SSL_CTX_set_info_callback(ctx, cb_ssl_info);
+        SSL_CTX_set_verify(ctx, verify_mode, cb_ssl_verify);
+        ret = ctx;
+err:
+        if(!ret) {
+                ERR_print_errors_fp(stderr);
+                if(ctx)
+                        SSL_CTX_free(ctx);
+        }
+        return ret;
+}
+
+/*****************/
+/* Selector bits */
+/*****************/
+
+static void selector_sets_init(select_sets_t *s)
+{
+        s->max = 0;
+        FD_ZERO(&s->reads);
+        FD_ZERO(&s->sends);
+        FD_ZERO(&s->excepts);
+}
+static void selector_init(tunala_selector_t *selector)
+{
+        selector_sets_init(&selector->last_selected);
+        selector_sets_init(&selector->next_select);
+}
+
+#define SEL_EXCEPTS 0x00
+#define SEL_READS   0x01
+#define SEL_SENDS   0x02
+static void selector_add_raw_fd(tunala_selector_t *s, int fd, int flags)
+{
+        FD_SET(fd, &s->next_select.excepts);
+        if(flags & SEL_READS)
+                FD_SET(fd, &s->next_select.reads);
+        if(flags & SEL_SENDS)
+                FD_SET(fd, &s->next_select.sends);
+        /* Adjust "max" */
+        if(s->next_select.max < (fd + 1))
+                s->next_select.max = fd + 1;
+}
+
+static void selector_add_listener(tunala_selector_t *selector, int fd)
+{
+        selector_add_raw_fd(selector, fd, SEL_READS);
+}
+
+static void selector_add_tunala(tunala_selector_t *s, tunala_item_t *t)
+{
+        /* Set clean read if sm.clean_in is not full */
+        if(t->clean_read != -1) {
+                selector_add_raw_fd(s, t->clean_read,
+                        (buffer_full(state_machine_get_buffer(&t->sm,
+                                SM_CLEAN_IN)) ? SEL_EXCEPTS : SEL_READS));
+        }
+        /* Set clean send if sm.clean_out is not empty */
+        if(t->clean_send != -1) {
+                selector_add_raw_fd(s, t->clean_send,
+                        (buffer_empty(state_machine_get_buffer(&t->sm,
+                                SM_CLEAN_OUT)) ? SEL_EXCEPTS : SEL_SENDS));
+        }
+        /* Set dirty read if sm.dirty_in is not full */
+        if(t->dirty_read != -1) {
+                selector_add_raw_fd(s, t->dirty_read,
+                        (buffer_full(state_machine_get_buffer(&t->sm,
+                                SM_DIRTY_IN)) ? SEL_EXCEPTS : SEL_READS));
+        }
+        /* Set dirty send if sm.dirty_out is not empty */
+        if(t->dirty_send != -1) {
+                selector_add_raw_fd(s, t->dirty_send,
+                        (buffer_empty(state_machine_get_buffer(&t->sm,
+                                SM_DIRTY_OUT)) ? SEL_EXCEPTS : SEL_SENDS));
+        }
+}
+
+static int selector_select(tunala_selector_t *selector)
+{
+        memcpy(&selector->last_selected, &selector->next_select,
+                        sizeof(select_sets_t));
+        selector_sets_init(&selector->next_select);
+        return select(selector->last_selected.max,
+                        &selector->last_selected.reads,
+                        &selector->last_selected.sends,
+                        &selector->last_selected.excepts, NULL);
+}
+
+/* This returns -1 for error, 0 for no new connections, or 1 for success, in
+ * which case *newfd is populated. */
+static int selector_get_listener(tunala_selector_t *selector, int fd, int *newfd)
+{
+        if(FD_ISSET(fd, &selector->last_selected.excepts))
+                return -1;
+        if(!FD_ISSET(fd, &selector->last_selected.reads))
+                return 0;
+        if((*newfd = ip_accept_connection(fd)) == -1)
+                return -1;
+        return 1;
+}
+
+/************************/
+/* "Tunala" world stuff */
+/************************/
+
+static int tunala_world_make_room(tunala_world_t *world)
+{
+        unsigned int newsize;
+        tunala_item_t *newarray;
+
+        if(world->tunnels_used < world->tunnels_size)
+                return 1;
+        newsize = (world->tunnels_size == 0 ? 16 :
+                        ((world->tunnels_size * 3) / 2));
+        if((newarray = malloc(newsize * sizeof(tunala_item_t))) == NULL)
+                return 0;
+        memset(newarray, 0, newsize * sizeof(tunala_item_t));
+        if(world->tunnels_used > 0)
+                memcpy(newarray, world->tunnels,
+                        world->tunnels_used * sizeof(tunala_item_t));
+        if(world->tunnels_size > 0)
+                free(world->tunnels);
+        /* migrate */
+        world->tunnels = newarray;
+        world->tunnels_size = newsize;
+        return 1;
+}
+
+static int tunala_world_new_item(tunala_world_t *world, int fd,
+                const char *ip, unsigned short port, int flipped)
+{
+        tunala_item_t *item;
+        int newfd;
+        SSL *new_ssl = NULL;
+
+        if(!tunala_world_make_room(world))
+                return 0;
+        if((new_ssl = SSL_new(world->ssl_ctx)) == NULL) {
+                fprintf(stderr, "Error creating new SSL\n");
+                ERR_print_errors_fp(stderr);
+                return 0;
+        }
+        item = world->tunnels + (world->tunnels_used++);
+        state_machine_init(&item->sm);
+        item->clean_read = item->clean_send =
+                item->dirty_read = item->dirty_send = -1;
+        if((newfd = ip_create_connection_split(ip, port)) == -1)
+                goto err;
+        /* Which way round? If we're a server, "fd" is the dirty side and the
+         * connection we open is the clean one. For a client, it's the other way
+         * around. Unless, of course, we're "flipped" in which case everything
+         * gets reversed. :-) */
+        if((world->server_mode && !flipped) ||
+                        (!world->server_mode && flipped)) {
+                item->dirty_read = item->dirty_send = fd;
+                item->clean_read = item->clean_send = newfd;
+        } else {
+                item->clean_read = item->clean_send = fd;
+                item->dirty_read = item->dirty_send = newfd;
+        }
+        /* We use the SSL's "app_data" to indicate a call-back induced "kill" */
+        SSL_set_app_data(new_ssl, NULL);
+        if(!state_machine_set_SSL(&item->sm, new_ssl, world->server_mode))
+                goto err;
+        return 1;
+err:
+        tunala_world_del_item(world, world->tunnels_used - 1);
+        return 0;
+
+}
+
+static void tunala_world_del_item(tunala_world_t *world, unsigned int idx)
+{
+        tunala_item_t *item = world->tunnels + idx;
+        if(item->clean_read != -1)
+                close(item->clean_read);
+        if(item->clean_send != item->clean_read)
+                close(item->clean_send);
+        item->clean_read = item->clean_send = -1;
+        if(item->dirty_read != -1)
+                close(item->dirty_read);
+        if(item->dirty_send != item->dirty_read)
+                close(item->dirty_send);
+        item->dirty_read = item->dirty_send = -1;
+        state_machine_close(&item->sm);
+        /* OK, now we fix the item array */
+        if(idx + 1 < world->tunnels_used)
+                /* We need to scroll entries to the left */
+                memmove(world->tunnels + idx,
+                                world->tunnels + (idx + 1),
+                                (world->tunnels_used - (idx + 1)) *
+                                        sizeof(tunala_item_t));
+        world->tunnels_used--;
+}
+
+static int tunala_item_io(tunala_selector_t *selector, tunala_item_t *item)
+{
+        int c_r, c_s, d_r, d_s; /* Four boolean flags */
+
+        /* Take ourselves out of the gene-pool if there was an except */
+        if((item->clean_read != -1) && FD_ISSET(item->clean_read,
+                                &selector->last_selected.excepts))
+                return 0;
+        if((item->clean_send != -1) && FD_ISSET(item->clean_send,
+                                &selector->last_selected.excepts))
+                return 0;
+        if((item->dirty_read != -1) && FD_ISSET(item->dirty_read,
+                                &selector->last_selected.excepts))
+                return 0;
+        if((item->dirty_send != -1) && FD_ISSET(item->dirty_send,
+                                &selector->last_selected.excepts))
+                return 0;
+        /* Grab our 4 IO flags */
+        c_r = c_s = d_r = d_s = 0;
+        if(item->clean_read != -1)
+                c_r = FD_ISSET(item->clean_read, &selector->last_selected.reads);
+        if(item->clean_send != -1)
+                c_s = FD_ISSET(item->clean_send, &selector->last_selected.sends);
+        if(item->dirty_read != -1)
+                d_r = FD_ISSET(item->dirty_read, &selector->last_selected.reads);
+        if(item->dirty_send != -1)
+                d_s = FD_ISSET(item->dirty_send, &selector->last_selected.sends);
+        /* If no IO has happened for us, skip needless data looping */
+        if(!c_r && !c_s && !d_r && !d_s)
+                return 1;
+        if(c_r)
+                c_r = (buffer_from_fd(state_machine_get_buffer(&item->sm,
+                                SM_CLEAN_IN), item->clean_read) <= 0);
+        if(c_s)
+                c_s = (buffer_to_fd(state_machine_get_buffer(&item->sm,
+                                SM_CLEAN_OUT), item->clean_send) <= 0);
+        if(d_r)
+                d_r = (buffer_from_fd(state_machine_get_buffer(&item->sm,
+                                SM_DIRTY_IN), item->dirty_read) <= 0);
+        if(d_s)
+                d_s = (buffer_to_fd(state_machine_get_buffer(&item->sm,
+                                SM_DIRTY_OUT), item->dirty_send) <= 0);
+        /* If any of the flags is non-zero, that means they need closing */
+        if(c_r) {
+                close(item->clean_read);
+                if(item->clean_send == item->clean_read)
+                        item->clean_send = -1;
+                item->clean_read = -1;
+        }
+        if(c_s && (item->clean_send != -1)) {
+                close(item->clean_send);
+                if(item->clean_send == item->clean_read)
+                        item->clean_read = -1;
+                item->clean_send = -1;
+        }
+        if(d_r) {
+                close(item->dirty_read);
+                if(item->dirty_send == item->dirty_read)
+                        item->dirty_send = -1;
+                item->dirty_read = -1;
+        }
+        if(d_s && (item->dirty_send != -1)) {
+                close(item->dirty_send);
+                if(item->dirty_send == item->dirty_read)
+                        item->dirty_read = -1;
+                item->dirty_send = -1;
+        }
+        /* This function name is attributed to the term donated by David
+         * Schwartz on openssl-dev, message-ID:
+         * <NCBBLIEPOCNJOAEKBEAKEEDGLIAA.davids@webmaster.com>. :-) */
+        if(!state_machine_churn(&item->sm))
+                /* If the SSL closes, it will also zero-out the _in buffers
+                 * and will in future process just outgoing data. As and
+                 * when the outgoing data has gone, it will return zero
+                 * here to tell us to bail out. */
+                return 0;
+        /* Otherwise, we return zero if both sides are dead. */
+        if(((item->clean_read == -1) || (item->clean_send == -1)) &&
+                        ((item->dirty_read == -1) || (item->dirty_send == -1)))
+                return 0;
+        /* If only one side closed, notify the SSL of this so it can take
+         * appropriate action. */
+        if((item->clean_read == -1) || (item->clean_send == -1)) {
+                if(!state_machine_close_clean(&item->sm))
+                        return 0;
+        }
+        if((item->dirty_read == -1) || (item->dirty_send == -1)) {
+                if(!state_machine_close_dirty(&item->sm))
+                        return 0;
+        }
+        return 1;
+}
+
diff --git a/src/lib/libssl/src/demos/tunala/tunala.h b/src/lib/libssl/src/demos/tunala/tunala.h
new file mode 100644
index 0000000000..b4c8ec78d8
--- /dev/null
+++ b/src/lib/libssl/src/demos/tunala/tunala.h
@@ -0,0 +1,214 @@
+/* Tunala ("Tunneler with a New Zealand accent")
+ *
+ * Written by Geoff Thorpe, but endorsed/supported by noone. Please use this is
+ * if it's useful or informative to you, but it's only here as a scratchpad for
+ * ideas about how you might (or might not) program with OpenSSL. If you deploy
+ * this is in a mission-critical environment, and have not read, understood,
+ * audited, and modified this code to your satisfaction, and the result is that
+ * all hell breaks loose and you are looking for a new employer, then it proves
+ * nothing except perhaps that Darwinism is alive and well. Let's just say, *I*
+ * don't use this in a mission-critical environment, so it would be stupid for
+ * anyone to assume that it is solid and/or tested enough when even its author
+ * doesn't place that much trust in it. You have been warned.
+ *
+ * With thanks to Cryptographic Appliances, Inc.
+ */
+
+#ifndef _TUNALA_H
+#define _TUNALA_H
+
+/* pull in autoconf fluff */
+#ifndef NO_CONFIG_H
+#include "config.h"
+#else
+/* We don't have autoconf, we have to set all of these unless a tweaked Makefile
+ * tells us not to ... */
+/* headers */
+#ifndef NO_HAVE_SELECT
+#define HAVE_SELECT
+#endif
+#ifndef NO_HAVE_SOCKET
+#define HAVE_SOCKET
+#endif
+#ifndef NO_HAVE_UNISTD_H
+#define HAVE_UNISTD_H
+#endif
+#ifndef NO_HAVE_FCNTL_H
+#define HAVE_FCNTL_H
+#endif
+#ifndef NO_HAVE_LIMITS_H
+#define HAVE_LIMITS_H
+#endif
+/* features */
+#ifndef NO_HAVE_STRSTR
+#define HAVE_STRSTR
+#endif
+#ifndef NO_HAVE_STRTOUL
+#define HAVE_STRTOUL
+#endif
+#endif
+
+#if !defined(HAVE_SELECT) || !defined(HAVE_SOCKET)
+#error "can't build without some network basics like select() and socket()"
+#endif
+
+#include <stdlib.h>
+#ifndef NO_SYSTEM_H
+#include <string.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_LIMITS_H
+#include <limits.h>
+#endif
+#include <netdb.h>
+#include <signal.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#endif /* !defined(NO_SYSTEM_H) */
+
+#ifndef NO_OPENSSL
+#include <openssl/err.h>
+#include <openssl/engine.h>
+#include <openssl/ssl.h>
+#endif /* !defined(NO_OPENSSL) */
+
+#ifndef OPENSSL_NO_BUFFER
+/* This is the generic "buffer" type that is used when feeding the
+ * state-machine. It's basically a FIFO with respect to the "adddata" &
+ * "takedata" type functions that operate on it. */
+#define MAX_DATA_SIZE 16384
+typedef struct _buffer_t {
+        unsigned char data[MAX_DATA_SIZE];
+        unsigned int used;
+        /* Statistical values - counts the total number of bytes read in and
+         * read out (respectively) since "buffer_init()" */
+        unsigned long total_in, total_out;
+} buffer_t;
+
+/* Initialise a buffer structure before use */
+void buffer_init(buffer_t *buf);
+/* Cleanup a buffer structure - presently not needed, but if buffer_t is
+ * converted to using dynamic allocation, this would be required - so should be
+ * called to protect against an explosion of memory leaks later if the change is
+ * made. */
+void buffer_close(buffer_t *buf);
+
+/* Basic functions to manipulate buffers */
+
+unsigned int buffer_used(buffer_t *buf); /* How much data in the buffer */
+unsigned int buffer_unused(buffer_t *buf); /* How much space in the buffer */
+int buffer_full(buffer_t *buf); /* Boolean, is it full? */
+int buffer_notfull(buffer_t *buf); /* Boolean, is it not full? */
+int buffer_empty(buffer_t *buf); /* Boolean, is it empty? */
+int buffer_notempty(buffer_t *buf); /* Boolean, is it not empty? */
+unsigned long buffer_total_in(buffer_t *buf); /* Total bytes written to buffer */
+unsigned long buffer_total_out(buffer_t *buf); /* Total bytes read from buffer */
+
+#if 0 /* Currently used only within buffer.c - better to expose only
+       * higher-level functions anyway */
+/* Add data to the tail of the buffer, returns the amount that was actually
+ * added (so, you need to check if return value is less than size) */
+unsigned int buffer_adddata(buffer_t *buf, const unsigned char *ptr,
+                unsigned int size);
+
+/* Take data from the front of the buffer (and scroll the rest forward). If
+ * "ptr" is NULL, this just removes data off the front of the buffer. Return
+ * value is the amount actually removed (can be less than size if the buffer has
+ * too little data). */
+unsigned int buffer_takedata(buffer_t *buf, unsigned char *ptr,
+                unsigned int size);
+
+/* Flushes as much data as possible out of the "from" buffer into the "to"
+ * buffer. Return value is the amount moved. The amount moved can be restricted
+ * to a maximum by specifying "cap" - setting it to -1 means no limit. */
+unsigned int buffer_tobuffer(buffer_t *to, buffer_t *from, int cap);
+#endif
+
+#ifndef NO_IP
+/* Read or write between a file-descriptor and a buffer */
+int buffer_from_fd(buffer_t *buf, int fd);
+int buffer_to_fd(buffer_t *buf, int fd);
+#endif /* !defined(NO_IP) */
+
+#ifndef NO_OPENSSL
+/* Read or write between an SSL or BIO and a buffer */
+void buffer_from_SSL(buffer_t *buf, SSL *ssl);
+void buffer_to_SSL(buffer_t *buf, SSL *ssl);
+void buffer_from_BIO(buffer_t *buf, BIO *bio);
+void buffer_to_BIO(buffer_t *buf, BIO *bio);
+
+/* Callbacks */
+void cb_ssl_info(const SSL *s, int where, int ret);
+void cb_ssl_info_set_output(FILE *fp); /* Called if output should be sent too */
+int cb_ssl_verify(int ok, X509_STORE_CTX *ctx);
+void cb_ssl_verify_set_output(FILE *fp);
+void cb_ssl_verify_set_depth(unsigned int verify_depth);
+void cb_ssl_verify_set_level(unsigned int level);
+#endif /* !defined(NO_OPENSSL) */
+#endif /* !defined(OPENSSL_NO_BUFFER) */
+
+#ifndef NO_TUNALA
+#ifdef OPENSSL_NO_BUFFER
+#error "TUNALA section of tunala.h requires BUFFER support"
+#endif
+typedef struct _state_machine_t {
+        SSL *ssl;
+        BIO *bio_intossl;
+        BIO *bio_fromssl;
+        buffer_t clean_in, clean_out;
+        buffer_t dirty_in, dirty_out;
+} state_machine_t;
+typedef enum {
+        SM_CLEAN_IN, SM_CLEAN_OUT,
+        SM_DIRTY_IN, SM_DIRTY_OUT
+} sm_buffer_t;
+void state_machine_init(state_machine_t *machine);
+void state_machine_close(state_machine_t *machine);
+buffer_t *state_machine_get_buffer(state_machine_t *machine, sm_buffer_t type);
+SSL *state_machine_get_SSL(state_machine_t *machine);
+int state_machine_set_SSL(state_machine_t *machine, SSL *ssl, int is_server);
+/* Performs the data-IO loop and returns zero if the machine should close */
+int state_machine_churn(state_machine_t *machine);
+/* Is used to handle closing conditions - namely when one side of the tunnel has
+ * closed but the other should finish flushing. */
+int state_machine_close_clean(state_machine_t *machine);
+int state_machine_close_dirty(state_machine_t *machine);
+#endif /* !defined(NO_TUNALA) */
+
+#ifndef NO_IP
+/* Initialise anything related to the networking. This includes blocking pesky
+ * SIGPIPE signals. */
+int ip_initialise(void);
+/* ip is the 4-byte ip address (eg. 127.0.0.1 is {0x7F,0x00,0x00,0x01}), port is
+ * the port to listen on (host byte order), and the return value is the
+ * file-descriptor or -1 on error. */
+int ip_create_listener_split(const char *ip, unsigned short port);
+/* Same semantics as above. */
+int ip_create_connection_split(const char *ip, unsigned short port);
+/* Converts a string into the ip/port before calling the above */
+int ip_create_listener(const char *address);
+int ip_create_connection(const char *address);
+/* Just does a string conversion on its own. NB: If accept_all_ip is non-zero,
+ * then the address string could be just a port. Ie. it's suitable for a
+ * listening address but not a connecting address. */
+int ip_parse_address(const char *address, const char **parsed_ip,
+                unsigned short *port, int accept_all_ip);
+/* Accepts an incoming connection through the listener. Assumes selects and
+ * what-not have deemed it an appropriate thing to do. */
+int ip_accept_connection(int listen_fd);
+#endif /* !defined(NO_IP) */
+
+/* These functions wrap up things that can be portability hassles. */
+int int_strtoul(const char *str, unsigned long *val);
+#ifdef HAVE_STRSTR
+#define int_strstr strstr
+#else
+char *int_strstr(const char *haystack, const char *needle);
+#endif
+
+#endif /* !defined(_TUNALA_H) */
diff --git a/src/lib/libssl/src/demos/x509/README b/src/lib/libssl/src/demos/x509/README
new file mode 100644
index 0000000000..88f9d6c46e
--- /dev/null
+++ b/src/lib/libssl/src/demos/x509/README
@@ -0,0 +1,3 @@
+This directory contains examples of how to contruct
+various X509 structures. Certificates, certificate requests
+and CRLs.
diff --git a/src/lib/libssl/src/demos/x509/mkcert.c b/src/lib/libssl/src/demos/x509/mkcert.c
new file mode 100644
index 0000000000..4709e18e7c
--- /dev/null
+++ b/src/lib/libssl/src/demos/x509/mkcert.c
@@ -0,0 +1,168 @@
+/* Certificate creation. Demonstrates some certificate related
+ * operations.
+ */
+
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <openssl/pem.h>
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+#include <openssl/engine.h>
+
+int mkcert(X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days);
+int add_ext(X509 *cert, int nid, char *value);
+
+int main(int argc, char **argv)
+        {
+        BIO *bio_err;
+        X509 *x509=NULL;
+        EVP_PKEY *pkey=NULL;
+
+        CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+
+        bio_err=BIO_new_fp(stderr, BIO_NOCLOSE);
+
+        mkcert(&x509,&pkey,512,0,365);
+
+        RSA_print_fp(stdout,pkey->pkey.rsa,0);
+        X509_print_fp(stdout,x509);
+
+        PEM_write_PrivateKey(stdout,pkey,NULL,NULL,0,NULL, NULL);
+        PEM_write_X509(stdout,x509);
+
+        X509_free(x509);
+        EVP_PKEY_free(pkey);
+
+        ENGINE_cleanup();
+        CRYPTO_cleanup_all_ex_data();
+
+        CRYPTO_mem_leaks(bio_err);
+        BIO_free(bio_err);
+        return(0);
+        }
+
+static void callback(int p, int n, void *arg)
+        {
+        char c='B';
+
+        if (p == 0) c='.';
+        if (p == 1) c='+';
+        if (p == 2) c='*';
+        if (p == 3) c='\n';
+        fputc(c,stderr);
+        }
+
+int mkcert(X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days)
+        {
+        X509 *x;
+        EVP_PKEY *pk;
+        RSA *rsa;
+        X509_NAME *name=NULL;
+        
+        if ((pkeyp == NULL) || (*pkeyp == NULL))
+                {
+                if ((pk=EVP_PKEY_new()) == NULL)
+                        {
+                        abort(); 
+                        return(0);
+                        }
+                }
+        else
+                pk= *pkeyp;
+
+        if ((x509p == NULL) || (*x509p == NULL))
+                {
+                if ((x=X509_new()) == NULL)
+                        goto err;
+                }
+        else
+                x= *x509p;
+
+        rsa=RSA_generate_key(bits,RSA_F4,callback,NULL);
+        if (!EVP_PKEY_assign_RSA(pk,rsa))
+                {
+                abort();
+                goto err;
+                }
+        rsa=NULL;
+
+        X509_set_version(x,3);
+        ASN1_INTEGER_set(X509_get_serialNumber(x),serial);
+        X509_gmtime_adj(X509_get_notBefore(x),0);
+        X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days);
+        X509_set_pubkey(x,pk);
+
+        name=X509_get_subject_name(x);
+
+        /* This function creates and adds the entry, working out the
+         * correct string type and performing checks on its length.
+         * Normally we'd check the return value for errors...
+         */
+        X509_NAME_add_entry_by_txt(name,"C",
+                                MBSTRING_ASC, "UK", -1, -1, 0);
+        X509_NAME_add_entry_by_txt(name,"CN",
+                                MBSTRING_ASC, "OpenSSL Group", -1, -1, 0);
+
+        /* Its self signed so set the issuer name to be the same as the
+         * subject.
+         */
+        X509_set_issuer_name(x,name);
+
+        /* Add various extensions: standard extensions */
+        add_ext(x, NID_basic_constraints, "critical,CA:TRUE");
+        add_ext(x, NID_key_usage, "critical,keyCertSign,cRLSign");
+
+        add_ext(x, NID_subject_key_identifier, "hash");
+
+        /* Some Netscape specific extensions */
+        add_ext(x, NID_netscape_cert_type, "sslCA");
+
+        add_ext(x, NID_netscape_comment, "example comment extension");
+
+
+#ifdef CUSTOM_EXT
+        /* Maybe even add our own extension based on existing */
+        {
+                int nid;
+                nid = OBJ_create("1.2.3.4", "MyAlias", "My Test Alias Extension");
+                X509V3_EXT_add_alias(nid, NID_netscape_comment);
+                add_ext(x, nid, "example comment alias");
+        }
+#endif
+        
+        if (!X509_sign(x,pk,EVP_md5()))
+                goto err;
+
+        *x509p=x;
+        *pkeyp=pk;
+        return(1);
+err:
+        return(0);
+        }
+
+/* Add extension using V3 code: we can set the config file as NULL
+ * because we wont reference any other sections.
+ */
+
+int add_ext(X509 *cert, int nid, char *value)
+        {
+        X509_EXTENSION *ex;
+        X509V3_CTX ctx;
+        /* This sets the 'context' of the extensions. */
+        /* No configuration database */
+        X509V3_set_ctx_nodb(&ctx);
+        /* Issuer and subject certs: both the target since it is self signed,
+         * no request and no CRL
+         */
+        X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);
+        ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value);
+        if (!ex)
+                return 0;
+
+        X509_add_ext(cert,ex,-1);
+        X509_EXTENSION_free(ex);
+        return 1;
+        }
+        
diff --git a/src/lib/libssl/src/demos/x509/mkreq.c b/src/lib/libssl/src/demos/x509/mkreq.c
new file mode 100644
index 0000000000..d69dcc392b
--- /dev/null
+++ b/src/lib/libssl/src/demos/x509/mkreq.c
@@ -0,0 +1,157 @@
+/* Certificate request creation. Demonstrates some request related
+ * operations.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <openssl/pem.h>
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+#include <openssl/engine.h>
+
+int mkreq(X509_REQ **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days);
+int add_ext(STACK_OF(X509_REQUEST) *sk, int nid, char *value);
+
+int main(int argc, char **argv)
+        {
+        BIO *bio_err;
+        X509_REQ *req=NULL;
+        EVP_PKEY *pkey=NULL;
+
+        CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+
+        bio_err=BIO_new_fp(stderr, BIO_NOCLOSE);
+
+        mkreq(&req,&pkey,512,0,365);
+
+        RSA_print_fp(stdout,pkey->pkey.rsa,0);
+        X509_REQ_print_fp(stdout,req);
+
+        PEM_write_X509_REQ(stdout,req);
+
+        X509_REQ_free(req);
+        EVP_PKEY_free(pkey);
+
+        ENGINE_cleanup();
+        CRYPTO_cleanup_all_ex_data();
+
+        CRYPTO_mem_leaks(bio_err);
+        BIO_free(bio_err);
+        return(0);
+        }
+
+static void callback(int p, int n, void *arg)
+        {
+        char c='B';
+
+        if (p == 0) c='.';
+        if (p == 1) c='+';
+        if (p == 2) c='*';
+        if (p == 3) c='\n';
+        fputc(c,stderr);
+        }
+
+int mkreq(X509_REQ **req, EVP_PKEY **pkeyp, int bits, int serial, int days)
+        {
+        X509_REQ *x;
+        EVP_PKEY *pk;
+        RSA *rsa;
+        X509_NAME *name=NULL;
+        STACK_OF(X509_EXTENSION) *exts = NULL;
+        
+        if ((pk=EVP_PKEY_new()) == NULL)
+                goto err;
+
+        if ((x=X509_REQ_new()) == NULL)
+                goto err;
+
+        rsa=RSA_generate_key(bits,RSA_F4,callback,NULL);
+        if (!EVP_PKEY_assign_RSA(pk,rsa))
+                goto err;
+
+        rsa=NULL;
+
+        X509_REQ_set_pubkey(x,pk);
+
+        name=X509_REQ_get_subject_name(x);
+
+        /* This function creates and adds the entry, working out the
+         * correct string type and performing checks on its length.
+         * Normally we'd check the return value for errors...
+         */
+        X509_NAME_add_entry_by_txt(name,"C",
+                                MBSTRING_ASC, "UK", -1, -1, 0);
+        X509_NAME_add_entry_by_txt(name,"CN",
+                                MBSTRING_ASC, "OpenSSL Group", -1, -1, 0);
+
+#ifdef REQUEST_EXTENSIONS
+        /* Certificate requests can contain extensions, which can be used
+         * to indicate the extensions the requestor would like added to 
+         * their certificate. CAs might ignore them however or even choke
+         * if they are present.
+         */
+
+        /* For request extensions they are all packed in a single attribute.
+         * We save them in a STACK and add them all at once later...
+         */
+
+        exts = sk_X509_EXTENSION_new_null();
+        /* Standard extenions */
+
+        add_ext(exts, NID_key_usage, "critical,digitalSignature,keyEncipherment");
+
+        /* This is a typical use for request extensions: requesting a value for
+         * subject alternative name.
+         */
+
+        add_ext(exts, NID_subject_alt_name, "email:steve@openssl.org");
+
+        /* Some Netscape specific extensions */
+        add_ext(exts, NID_netscape_cert_type, "client,email");
+
+
+
+#ifdef CUSTOM_EXT
+        /* Maybe even add our own extension based on existing */
+        {
+                int nid;
+                nid = OBJ_create("1.2.3.4", "MyAlias", "My Test Alias Extension");
+                X509V3_EXT_add_alias(nid, NID_netscape_comment);
+                add_ext(x, nid, "example comment alias");
+        }
+#endif
+
+        /* Now we've created the extensions we add them to the request */
+
+        X509_REQ_add_extensions(x, exts);
+
+        sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
+
+#endif
+        
+        if (!X509_REQ_sign(x,pk,EVP_md5()))
+                goto err;
+
+        *req=x;
+        *pkeyp=pk;
+        return(1);
+err:
+        return(0);
+        }
+
+/* Add extension using V3 code: we can set the config file as NULL
+ * because we wont reference any other sections.
+ */
+
+int add_ext(STACK_OF(X509_REQUEST) *sk, int nid, char *value)
+        {
+        X509_EXTENSION *ex;
+        ex = X509V3_EXT_conf_nid(NULL, NULL, nid, value);
+        if (!ex)
+                return 0;
+        sk_X509_EXTENSION_push(sk, ex);
+
+        return 1;
+        }
+        
diff --git a/src/lib/libssl/src/doc/HOWTO/certificates.txt b/src/lib/libssl/src/doc/HOWTO/certificates.txt
new file mode 100644
index 0000000000..88048645db
--- /dev/null
+++ b/src/lib/libssl/src/doc/HOWTO/certificates.txt
@@ -0,0 +1,85 @@
+<DRAFT!>
+                        HOWTO certificates
+
+How you handle certificates depend a great deal on what your role is.
+Your role can be one or several of:
+
+  - User of some client software
+  - User of some server software
+  - Certificate authority
+
+This file is for users who wish to get a certificate of their own.
+Certificate authorities should read ca.txt.
+
+In all the cases shown below, the standard configuration file, as
+compiled into openssl, will be used.  You may find it in /etc/,
+/usr/local/ssr/ or somewhere else.  The name is openssl.cnf, and
+is better described in another HOWTO <config.txt?>.  If you want to
+use a different configuration file, use the argument '-config {file}'
+with the command shown below.
+
+
+Certificates are related to public key cryptography by containing a
+public key.  To be useful, there must be a corresponding private key
+somewhere.  With OpenSSL, public keys are easily derived from private
+keys, so before you create a certificate or a certificate request, you
+need to create a private key.
+
+Private keys are generated with 'openssl genrsa' if you want a RSA
+private key, or 'openssl gendsa' if you want a DSA private key.  More
+info on how to handle these commands are found in the manual pages for
+those commands or by running them with the argument '-h'.  For the
+sake of the description in this file, let's assume that the private
+key ended up in the file privkey.pem (which is the default in some
+cases).
+
+
+Let's start with the most normal way of getting a certificate.  Most
+often, you want or need to get a certificate from a certificate
+authority.  To handle that, the certificate authority needs a
+certificate request (or, as some certificate authorities like to put
+it, "certificate signing request", since that's exactly what they do,
+they sign it and give you the result back, thus making it authentic
+according to their policies) from you.  To generate a request, use the
+command 'openssl req' like this:
+
+  openssl req -new -key privkey.pem -out cert.csr
+
+Now, cert.csr can be sent to the certificate authority, if they can
+handle files in PEM format.  If not, use the extra argument '-outform'
+followed by the keyword for the format to use (see another HOWTO
+<formats.txt?>).  In some cases, that isn't sufficient and you will
+have to be more creative.
+
+When the certificate authority has then done the checks the need to
+do (and probably gotten payment from you), they will hand over your
+new certificate to you.
+
+
+[fill in on how to create a self-signed certificate]
+
+
+If you created everything yourself, or if the certificate authority
+was kind enough, your certificate is a raw DER thing in PEM format.
+Your key most definitely is if you have followed the examples above.
+However, some (most?) certificate authorities will encode them with
+things like PKCS7 or PKCS12, or something else.  Depending on your
+applications, this may be perfectly OK, it all depends on what they
+know how to decode.  If not, There are a number of OpenSSL tools to
+convert between some (most?) formats.
+
+So, depending on your application, you may have to convert your
+certificate and your key to various formats, most often also putting
+them together into one file.  The ways to do this is described in
+another HOWTO <formats.txt?>, I will just mention the simplest case.
+In the case of a raw DER thing in PEM format, and assuming that's all
+right for yor applications, simply concatenating the certificate and
+the key into a new file and using that one should be enough.  With
+some applications, you don't even have to do that.
+
+
+By now, you have your cetificate and your private key and can start
+using the software that depend on it.
+
+-- 
+Richard Levitte
diff --git a/src/lib/libssl/src/doc/README b/src/lib/libssl/src/doc/README
new file mode 100644
index 0000000000..a9a588262a
--- /dev/null
+++ b/src/lib/libssl/src/doc/README
@@ -0,0 +1,10 @@
+
+ openssl.pod ..... Documentation of OpenSSL `openssl' command
+ crypto.pod ...... Documentation of OpenSSL crypto.h+libcrypto.a
+ ssl.pod ......... Documentation of OpenSSL ssl.h+libssl.a
+ ssleay.txt ...... Assembled documentation files of ancestor SSLeay [obsolete]
+ openssl.txt ..... Assembled documentation files for OpenSSL [not final]
+
+ An archive of HTML documents for the SSLeay library is available from
+ http://www.columbia.edu/~ariel/ssleay/
+
diff --git a/src/lib/libssl/src/doc/apps/CA.pl.pod b/src/lib/libssl/src/doc/apps/CA.pl.pod
new file mode 100644
index 0000000000..83e4c0af81
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/CA.pl.pod
@@ -0,0 +1,138 @@
+
+=pod
+
+=head1 NAME
+
+CA.pl - friendlier interface for OpenSSL certificate programs
+
+=head1 SYNOPSIS
+
+B<CA.pl>
+[B<-?>]
+[B<-h>]
+[B<-help>]
+[B<-newcert>]
+[B<-newreq>]
+[B<-newca>]
+[B<-xsign>]
+[B<-sign>]
+[B<-signreq>]
+[B<-signcert>]
+[B<-verify>]
+[B<files>]
+
+=head1 DESCRIPTION
+
+The B<CA.pl> script is a perl script that supplies the relevant command line
+arguments to the B<openssl> command for some common certificate operations.
+It is intended to simplify the process of certificate creation and management
+by the use of some simple options.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<?>, B<-h>, B<-help>
+
+prints a usage message.
+
+=item B<-newcert>
+
+creates a new self signed certificate. The private key and certificate are
+written to the file "newreq.pem".
+
+=item B<-newreq>
+
+creates a new certificate request. The private key and request are
+written to the file "newreq.pem".
+
+=item B<-newca>
+
+creates a new CA hierarchy for use with the B<ca> program (or the B<-signcert>
+and B<-xsign> options). The user is prompted to enter the filename of the CA
+certificates (which should also contain the private key) or by hitting ENTER
+details of the CA will be prompted for. The relevant files and directories
+are created in a directory called "demoCA" in the current directory.
+
+=item B<-pkcs12>
+
+create a PKCS#12 file containing the user certificate, private key and CA
+certificate. It expects the user certificate and private key to be in the
+file "newcert.pem" and the CA certificate to be in the file demoCA/cacert.pem,
+it creates a file "newcert.p12". This command can thus be called after the
+B<-sign> option. The PKCS#12 file can be imported directly into a browser.
+If there is an additional argument on the command line it will be used as the
+"friendly name" for the certificate (which is typically displayed in the browser
+list box), otherwise the name "My Certificate" is used.
+
+=item B<-sign>, B<-signreq>, B<-xsign>
+
+calls the B<ca> program to sign a certificate request. It expects the request
+to be in the file "newreq.pem". The new certificate is written to the file
+"newcert.pem" except in the case of the B<-xcert> option when it is written
+to standard output.
+
+=item B<-signcert>
+
+this option is the same as B<-sign> except it expects a self signed certificate
+to be present in the file "newreq.pem".
+
+=item B<-verify>
+
+verifies certificates against the CA certificate for "demoCA". If no certificates
+are specified on the command line it tries to verify the file "newcert.pem". 
+
+=item B<files>
+
+one or more optional certificate file names for use with the B<-verify> command.
+
+=back
+
+=head1 EXAMPLES
+
+Create a CA hierarchy:
+
+ CA.pl -newca
+
+Complete certificate creation example: create a CA, create a request, sign
+the request and finally create a PKCS#12 file containing it.
+
+ CA.pl -newca
+ CA.pl -newreq
+ CA.pl -signreq
+ CA.pl -pkcs12 "My Test Certificate"
+
+=head1 NOTES
+
+Most of the filenames mentioned can be modified by editing the B<CA.pl> script.
+
+If the demoCA directory already exists then the B<-newca> command will not
+overwrite it and will do nothing. This can happen if a previous call using
+the B<-newca> option terminated abnormally. To get the correct behaviour
+delete the demoCA directory if it already exists.
+
+Under some environments it may not be possible to run the B<CA.pl> script
+directly (for example Win32) and the default configuration file location may
+be wrong. In this case the command:
+
+ perl -S CA.pl
+
+can be used and the B<OPENSSL_CONF> environment variable changed to point to 
+the correct path of the configuration file "openssl.cnf".
+
+The script is intended as a simple front end for the B<openssl> program for use
+by a beginner. Its behaviour isn't always what is wanted. For more control over the
+behaviour of the certificate commands call the B<openssl> command directly.
+
+=head1 ENVIRONMENT VARIABLES
+
+The variable B<OPENSSL_CONF> if defined allows an alternative configuration
+file location to be specified, it should contain the full path to the
+configuration file, not just its directory.
+
+=head1 SEE ALSO
+
+L<x509(1)|x509(1)>, L<ca(1)|ca(1)>, L<req(1)|req(1)>, L<pkcs12(1)|pkcs12(1)>,
+L<config(5)|config(5)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/apps/asn1parse.pod b/src/lib/libssl/src/doc/apps/asn1parse.pod
new file mode 100644
index 0000000000..e76e9813ab
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/asn1parse.pod
@@ -0,0 +1,129 @@
+=pod
+
+=head1 NAME
+
+asn1parse - ASN.1 parsing tool
+
+=head1 SYNOPSIS
+
+B<openssl> B<asn1parse>
+[B<-inform PEM|DER>]
+[B<-in filename>]
+[B<-out filename>]
+[B<-noout>]
+[B<-offset number>]
+[B<-length number>]
+[B<-i>]
+[B<-oid filename>]
+[B<-strparse offset>]
+
+=head1 DESCRIPTION
+
+The B<asn1parse> command is a diagnostic utility that can parse ASN.1
+structures. It can also be used to extract data from ASN.1 formatted data.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-inform> B<DER|PEM>
+
+the input format. B<DER> is binary format and B<PEM> (the default) is base64
+encoded.
+
+=item B<-in filename>
+
+the input file, default is standard input
+
+=item B<-out filename>
+
+output file to place the DER encoded data into. If this
+option is not present then no data will be output. This is most useful when
+combined with the B<-strparse> option.
+
+=item B<-noout>
+
+don't output the parsed version of the input file.
+
+=item B<-offset number>
+
+starting offset to begin parsing, default is start of file.
+
+=item B<-length number>
+
+number of bytes to parse, default is until end of file.
+
+=item B<-i>
+
+indents the output according to the "depth" of the structures.
+
+=item B<-oid filename>
+
+a file containing additional OBJECT IDENTIFIERs (OIDs). The format of this
+file is described in the NOTES section below.
+
+=item B<-strparse offset>
+
+parse the contents octets of the ASN.1 object starting at B<offset>. This
+option can be used multiple times to "drill down" into a nested structure.
+
+
+=back
+
+=head2 OUTPUT
+
+The output will typically contain lines like this:
+
+  0:d=0  hl=4 l= 681 cons: SEQUENCE          
+
+.....
+
+  229:d=3  hl=3 l= 141 prim: BIT STRING        
+  373:d=2  hl=3 l= 162 cons: cont [ 3 ]        
+  376:d=3  hl=3 l= 159 cons: SEQUENCE          
+  379:d=4  hl=2 l=  29 cons: SEQUENCE          
+  381:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
+  386:d=5  hl=2 l=  22 prim: OCTET STRING      
+  410:d=4  hl=2 l= 112 cons: SEQUENCE          
+  412:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
+  417:d=5  hl=2 l= 105 prim: OCTET STRING      
+  524:d=4  hl=2 l=  12 cons: SEQUENCE          
+
+.....
+
+This example is part of a self signed certificate. Each line starts with the
+offset in decimal. B<d=XX> specifies the current depth. The depth is increased
+within the scope of any SET or SEQUENCE. B<hl=XX> gives the header length
+(tag and length octets) of the current type. B<l=XX> gives the length of
+the contents octets.
+
+The B<-i> option can be used to make the output more readable.
+
+Some knowledge of the ASN.1 structure is needed to interpret the output. 
+
+In this example the BIT STRING at offset 229 is the certificate public key.
+The contents octets of this will contain the public key information. This can
+be examined using the option B<-strparse 229> to yield:
+
+    0:d=0  hl=3 l= 137 cons: SEQUENCE          
+    3:d=1  hl=3 l= 129 prim: INTEGER           :E5D21E1F5C8D208EA7A2166C7FAF9F6BDF2059669C60876DDB70840F1A5AAFA59699FE471F379F1DD6A487E7D5409AB6A88D4A9746E24B91D8CF55DB3521015460C8EDE44EE8A4189F7A7BE77D6CD3A9AF2696F486855CF58BF0EDF2B4068058C7A947F52548DDF7E15E96B385F86422BEA9064A3EE9E1158A56E4A6F47E5897
+  135:d=1  hl=2 l=   3 prim: INTEGER           :010001
+
+=head1 NOTES
+
+If an OID is not part of OpenSSL's internal table it will be represented in
+numerical form (for example 1.2.3.4). The file passed to the B<-oid> option 
+allows additional OIDs to be included. Each line consists of three columns,
+the first column is the OID in numerical format and should be followed by white
+space. The second column is the "short name" which is a single word followed
+by white space. The final column is the rest of the line and is the
+"long name". B<asn1parse> displays the long name. Example:
+
+C<1.2.3.4       shortName       A long name>
+
+=head1 BUGS
+
+There should be options to change the format of input lines. The output of some
+ASN.1 types is not well handled (if at all).
+
+=cut
diff --git a/src/lib/libssl/src/doc/apps/ca.pod b/src/lib/libssl/src/doc/apps/ca.pod
new file mode 100644
index 0000000000..03209aa6b1
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/ca.pod
@@ -0,0 +1,479 @@
+
+=pod
+
+=head1 NAME
+
+ca - sample minimal CA application
+
+=head1 SYNOPSIS
+
+B<openssl> B<ca>
+[B<-verbose>]
+[B<-config filename>]
+[B<-name section>]
+[B<-gencrl>]
+[B<-revoke file>]
+[B<-crldays days>]
+[B<-crlhours hours>]
+[B<-crlexts section>]
+[B<-startdate date>]
+[B<-enddate date>]
+[B<-days arg>]
+[B<-md arg>]
+[B<-policy arg>]
+[B<-keyfile arg>]
+[B<-key arg>]
+[B<-cert file>]
+[B<-in file>]
+[B<-out file>]
+[B<-notext>]
+[B<-outdir dir>]
+[B<-infiles>]
+[B<-spkac file>]
+[B<-ss_cert file>]
+[B<-preserveDN>]
+[B<-batch>]
+[B<-msie_hack>]
+[B<-extensions section>]
+
+=head1 DESCRIPTION
+
+The B<ca> command is a minimal CA application. It can be used
+to sign certificate requests in a variety of forms and generate
+CRLs it also maintains a text database of issued certificates
+and their status.
+
+The options descriptions will be divided into each purpose.
+
+=head1 CA OPTIONS
+
+=over 4
+
+=item B<-config filename>
+
+specifies the configuration file to use.
+
+=item B<-in filename>
+
+an input filename containing a single certificate request to be
+signed by the CA.
+
+=item B<-ss_cert filename>
+
+a single self signed certificate to be signed by the CA.
+
+=item B<-spkac filename>
+
+a file containing a single Netscape signed public key and challenge
+and additional field values to be signed by the CA. See the B<NOTES>
+section for information on the required format.
+
+=item B<-infiles>
+
+if present this should be the last option, all subsequent arguments
+are assumed to the the names of files containing certificate requests. 
+
+=item B<-out filename>
+
+the output file to output certificates to. The default is standard
+output. The certificate details will also be printed out to this
+file.
+
+=item B<-outdir directory>
+
+the directory to output certificates to. The certificate will be
+written to a filename consisting of the serial number in hex with
+".pem" appended.
+
+=item B<-cert>
+
+the CA certificate file.
+
+=item B<-keyfile filename>
+
+the private key to sign requests with.
+
+=item B<-key password>
+
+the password used to encrypt the private key. Since on some
+systems the command line arguments are visible (e.g. Unix with
+the 'ps' utility) this option should be used with caution.
+
+=item B<-verbose>
+
+this prints extra details about the operations being performed.
+
+=item B<-notext>
+
+don't output the text form of a certificate to the output file.
+
+=item B<-startdate date>
+
+this allows the start date to be explicitly set. The format of the
+date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure).
+
+=item B<-enddate date>
+
+this allows the expiry date to be explicitly set. The format of the
+date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure).
+
+=item B<-days arg>
+
+the number of days to certify the certificate for.
+
+=item B<-md alg>
+
+the message digest to use. Possible values include md5, sha1 and mdc2.
+This option also applies to CRLs.
+
+=item B<-policy arg>
+
+this option defines the CA "policy" to use. This is a section in
+the configuration file which decides which fields should be mandatory
+or match the CA certificate. Check out the B<POLICY FORMAT> section
+for more information.
+
+=item B<-msie_hack>
+
+this is a legacy option to make B<ca> work with very old versions of
+the IE certificate enrollment control "certenr3". It used UniversalStrings
+for almost everything. Since the old control has various security bugs
+its use is strongly discouraged. The newer control "Xenroll" does not
+need this option.
+
+=item B<-preserveDN>
+
+Normally the DN order of a certificate is the same as the order of the
+fields in the relevant policy section. When this option is set the order 
+is the same as the request. This is largely for compatibility with the
+older IE enrollment control which would only accept certificates if their
+DNs match the order of the request. This is not needed for Xenroll.
+
+=item B<-batch>
+
+this sets the batch mode. In this mode no questions will be asked
+and all certificates will be certified automatically.
+
+=item B<-extensions section>
+
+the section of the configuration file containing certificate extensions
+to be added when a certificate is issued. If no extension section is
+present then a V1 certificate is created. If the extension section
+is present (even if it is empty) then a V3 certificate is created.
+
+=back
+
+=head1 CRL OPTIONS
+
+=over 4
+
+=item B<-gencrl>
+
+this option generates a CRL based on information in the index file.
+
+=item B<-crldays num>
+
+the number of days before the next CRL is due. That is the days from
+now to place in the CRL nextUpdate field.
+
+=item B<-crlhours num>
+
+the number of hours before the next CRL is due.
+
+=item B<-revoke filename>
+
+a filename containing a certificate to revoke.
+
+=item B<-crlexts section>
+
+the section of the configuration file containing CRL extensions to
+include. If no CRL extension section is present then a V1 CRL is
+created, if the CRL extension section is present (even if it is
+empty) then a V2 CRL is created. The CRL extensions specified are
+CRL extensions and B<not> CRL entry extensions.  It should be noted
+that some software (for example Netscape) can't handle V2 CRLs. 
+
+=back
+
+=head1 CONFIGURATION FILE OPTIONS
+
+The options for B<ca> are contained in the B<ca> section of the
+configuration file. Many of these are identical to command line
+options. Where the option is present in the configuration file
+and the command line the command line value is used. Where an
+option is described as mandatory then it must be present in
+the configuration file or the command line equivalent (if
+any) used.
+
+=over 4
+
+=item B<oid_file>
+
+This specifies a file containing additional B<OBJECT IDENTIFIERS>.
+Each line of the file should consist of the numerical form of the
+object identifier followed by white space then the short name followed
+by white space and finally the long name. 
+
+=item B<oid_section>
+
+This specifies a section in the configuration file containing extra
+object identifiers. Each line should consist of the short name of the
+object identifier followed by B<=> and the numerical form. The short
+and long names are the same when this option is used.
+
+=item B<new_certs_dir>
+
+the same as the B<-outdir> command line option. It specifies
+the directory where new certificates will be placed. Mandatory.
+
+=item B<certificate>
+
+the same as B<-cert>. It gives the file containing the CA
+certificate. Mandatory.
+
+=item B<private_key>
+
+same as the B<-keyfile> option. The file containing the
+CA private key. Mandatory.
+
+=item B<RANDFILE>
+
+a file used to read and write random number seed information, or
+an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+
+=item B<default_days>
+
+the same as the B<-days> option. The number of days to certify
+a certificate for. 
+
+=item B<default_startdate>
+
+the same as the B<-startdate> option. The start date to certify
+a certificate for. If not set the current time is used.
+
+=item B<default_enddate>
+
+the same as the B<-enddate> option. Either this option or
+B<default_days> (or the command line equivalents) must be
+present.
+
+=item B<default_crl_hours default_crl_days>
+
+the same as the B<-crlhours> and the B<-crldays> options. These
+will only be used if neither command line option is present. At
+least one of these must be present to generate a CRL.
+
+=item B<default_md>
+
+the same as the B<-md> option. The message digest to use. Mandatory.
+
+=item B<database>
+
+the text database file to use. Mandatory. This file must be present
+though initially it will be empty.
+
+=item B<serialfile>
+
+a text file containing the next serial number to use in hex. Mandatory.
+This file must be present and contain a valid serial number.
+
+=item B<x509_extensions>
+
+the same as B<-extensions>.
+
+=item B<crl_extensions>
+
+the same as B<-crlexts>.
+
+=item B<preserve>
+
+the same as B<-preserveDN>
+
+=item B<msie_hack>
+
+the same as B<-msie_hack>
+
+=item B<policy>
+
+the same as B<-policy>. Mandatory. See the B<POLICY FORMAT> section
+for more information.
+
+=back
+
+=head1 POLICY FORMAT
+
+The policy section consists of a set of variables corresponding to
+certificate DN fields. If the value is "match" then the field value
+must match the same field in the CA certificate. If the value is
+"supplied" then it must be present. If the value is "optional" then
+it may be present. Any fields not mentioned in the policy section
+are silently deleted, unless the B<-preserveDN> option is set but
+this can be regarded more of a quirk than intended behaviour.
+
+=head1 SPKAC FORMAT
+
+The input to the B<-spkac> command line option is a Netscape
+signed public key and challenge. This will usually come from
+the B<KEYGEN> tag in an HTML form to create a new private key. 
+It is however possible to create SPKACs using the B<spkac> utility.
+
+The file should contain the variable SPKAC set to the value of
+the SPKAC and also the required DN components as name value pairs.
+If you need to include the same component twice then it can be
+preceded by a number and a '.'.
+
+=head1 EXAMPLES
+
+Note: these examples assume that the B<ca> directory structure is
+already set up and the relevant files already exist. This usually
+involves creating a CA certificate and private key with B<req>, a
+serial number file and an empty index file and placing them in
+the relevant directories.
+
+To use the sample configuration file below the directories demoCA,
+demoCA/private and demoCA/newcerts would be created. The CA
+certificate would be copied to demoCA/cacert.pem and its private
+key to demoCA/private/cakey.pem. A file demoCA/serial would be
+created containing for example "01" and the empty index file
+demoCA/index.txt.
+
+
+Sign a certificate request:
+
+ openssl ca -in req.pem -out newcert.pem
+
+Generate a CRL
+
+ openssl ca -gencrl -out crl.pem
+
+Sign several requests:
+
+ openssl ca -infiles req1.pem req2.pem req3.pem
+
+Certify a Netscape SPKAC:
+
+ openssl ca -spkac spkac.txt
+
+A sample SPKAC file (the SPKAC line has been truncated for clarity):
+
+ SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5
+ CN=Steve Test
+ emailAddress=steve@openssl.org
+ 0.OU=OpenSSL Group
+ 1.OU=Another Group
+
+A sample configuration file with the relevant sections for B<ca>:
+
+ [ ca ]
+ default_ca      = CA_default            # The default ca section
+ 
+ [ CA_default ]
+
+ dir            = ./demoCA              # top dir
+ database       = $dir/index.txt        # index file.
+ new_certs_dir  = $dir/newcerts         # new certs dir
+ 
+ certificate    = $dir/cacert.pem       # The CA cert
+ serial         = $dir/serial           # serial no file
+ private_key    = $dir/private/cakey.pem# CA private key
+ RANDFILE       = $dir/private/.rand    # random number file
+ 
+ default_days   = 365                   # how long to certify for
+ default_crl_days= 30                   # how long before next CRL
+ default_md     = md5                   # md to use
+
+ policy         = policy_any            # default policy
+
+ [ policy_any ]
+ countryName            = supplied
+ stateOrProvinceName    = optional
+ organizationName       = optional
+ organizationalUnitName = optional
+ commonName             = supplied
+ emailAddress           = optional
+
+=head1 WARNINGS
+
+The B<ca> command is quirky and at times downright unfriendly.
+
+The B<ca> utility was originally meant as an example of how to do things
+in a CA. It was not supposed be be used as a full blown CA itself:
+nevertheless some people are using it for this purpose.
+
+The B<ca> command is effectively a single user command: no locking is
+done on the various files and attempts to run more than one B<ca> command
+on the same database can have unpredictable results.
+
+=head1 FILES
+
+Note: the location of all files can change either by compile time options,
+configuration file entries, environment variables or command line options.
+The values below reflect the default values.
+
+ /usr/local/ssl/lib/openssl.cnf - master configuration file
+ ./demoCA                       - main CA directory
+ ./demoCA/cacert.pem            - CA certificate
+ ./demoCA/private/cakey.pem     - CA private key
+ ./demoCA/serial                - CA serial number file
+ ./demoCA/serial.old            - CA serial number backup file
+ ./demoCA/index.txt             - CA text database file
+ ./demoCA/index.txt.old         - CA text database backup file
+ ./demoCA/certs                 - certificate output file
+ ./demoCA/.rnd                  - CA random seed information
+
+=head1 ENVIRONMENT VARIABLES
+
+B<OPENSSL_CONF> reflects the location of master configuration file it can
+be overridden by the B<-config> command line option.
+
+=head1 RESTRICTIONS
+
+The text database index file is a critical part of the process and 
+if corrupted it can be difficult to fix. It is theoretically possible
+to rebuild the index file from all the issued certificates and a current
+CRL: however there is no option to do this.
+
+CRL entry extensions cannot currently be created: only CRL extensions
+can be added.
+
+V2 CRL features like delta CRL support and CRL numbers are not currently
+supported.
+
+Although several requests can be input and handled at once it is only
+possible to include one SPKAC or self signed certificate.
+
+=head1 BUGS
+
+The use of an in memory text database can cause problems when large
+numbers of certificates are present because, as the name implies
+the database has to be kept in memory.
+
+Certificate request extensions are ignored: some kind of "policy" should
+be included to use certain static extensions and certain extensions
+from the request.
+
+It is not possible to certify two certificates with the same DN: this
+is a side effect of how the text database is indexed and it cannot easily
+be fixed without introducing other problems. Some S/MIME clients can use
+two certificates with the same DN for separate signing and encryption
+keys.
+
+The B<ca> command really needs rewriting or the required functionality
+exposed at either a command or interface level so a more friendly utility
+(perl script or GUI) can handle things properly. The scripts B<CA.sh> and
+B<CA.pl> help a little but not very much.
+
+Any fields in a request that are not present in a policy are silently
+deleted. This does not happen if the B<-preserveDN> option is used but
+the extra fields are not displayed when the user is asked to certify
+a request. The behaviour should be more friendly and configurable.
+
+Cancelling some commands by refusing to certify a certificate can
+create an empty file.
+
+=head1 SEE ALSO
+
+L<req(1)|req(1)>, L<spkac(1)|spkac(1)>, L<x509(1)|x509(1)>, L<CA.pl(1)|CA.pl(1)>,
+L<config(5)|config(5)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/apps/ciphers.pod b/src/lib/libssl/src/doc/apps/ciphers.pod
new file mode 100644
index 0000000000..2301e28251
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/ciphers.pod
@@ -0,0 +1,342 @@
+=pod
+
+=head1 NAME
+
+ciphers - SSL cipher display and cipher list tool.
+
+=head1 SYNOPSIS
+
+B<openssl> B<ciphers>
+[B<-v>]
+[B<-ssl2>]
+[B<-ssl3>]
+[B<-tls1>]
+[B<cipherlist>]
+
+=head1 DESCRIPTION
+
+The B<cipherlist> command converts OpenSSL cipher lists into ordered
+SSL cipher preference lists. It can be used as a test tool to determine
+the appropriate cipherlist.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-v>
+
+verbose option. List ciphers with a complete description of the authentication,
+key exchange, encryption and mac algorithms used along with any key size
+restrictions and whether the algorithm is classed as an "export" cipher.
+
+=item B<-ssl3>
+
+only include SSL v3 ciphers.
+
+=item B<-ssl2>
+
+only include SSL v2 ciphers.
+
+=item B<-tls1>
+
+only include TLS v1 ciphers.
+
+=item B<-h>, B<-?>
+
+print a brief usage message.
+
+=item B<cipherlist>
+
+a cipher list to convert to a cipher preference list. If it is not included
+then the default cipher list will be used. The format is described below.
+
+=back
+
+=head1 CIPHER LIST FORMAT
+
+The cipher list consists of one or more I<cipher strings> separated by colons.
+Commas or spaces are also acceptable separators but colons are normally used.
+
+The actual cipher string can take several different forms.
+
+It can consist of a single cipher suite such as B<RC4-SHA>.
+
+It can represent a list of cipher suites containing a certain algorithm, or
+cipher suites of a certain type. For example B<SHA1> represents all ciphers
+suites using the digest algorithm SHA1 and B<SSLv3> represents all SSL v3
+algorithms.
+
+Lists of cipher suites can be combined in a single cipher string using the
+B<+> character. This is used as a logical B<and> operation. For example
+B<SHA1+DES> represents all cipher suites containing the SHA1 B<and> the DES
+algorithms.
+
+Each cipher string can be optionally preceded by the characters B<!>,
+B<-> or B<+>.
+
+If B<!> is used then the ciphers are permanently deleted from the list.
+The ciphers deleted can never reappear in the list even if they are
+explicitly stated.
+
+If B<-> is used then the ciphers are deleted from the list, but some or
+all of the ciphers can be added again by later options.
+
+If B<+> is used then the ciphers are moved to the end of the list. This
+option doesn't add any new ciphers it just moves matching existing ones.
+
+If none of these characters is present then the string is just interpreted
+as a list of ciphers to be appended to the current preference list. If the
+list includes any ciphers already present they will be ignored: that is they
+will not moved to the end of the list.
+
+Additionally the cipher string B<@STRENGTH> can be used at any point to sort
+the current cipher list in order of encryption algorithm key length.
+
+=head1 CIPHER STRINGS
+
+The following is a list of all permitted cipher strings and their meanings.
+
+=over 4
+
+=item B<DEFAULT>
+
+the default cipher list. This is determined at compile time and is normally
+B<ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH>. This must be the first cipher string
+specified.
+
+=item B<ALL>
+
+all ciphers suites except the B<eNULL> ciphers which must be explicitly enabled.
+
+=item B<HIGH>
+
+"high" encryption cipher suites. This currently means those with key lengths larger
+than 128 bits.
+
+=item B<MEDIUM>
+
+"medium" encryption cipher suites, currently those using 128 bit encryption.
+
+=item B<LOW>
+
+"low" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms
+but excluding export cipher suites.
+
+=item B<EXP>, B<EXPORT>
+
+export encryption algorithms. Including 40 and 56 bits algorithms.
+
+=item B<EXPORT40>
+
+40 bit export encryption algorithms
+
+=item B<EXPORT56>
+
+56 bit export encryption algorithms.
+
+=item B<eNULL>, B<NULL>
+
+the "NULL" ciphers that is those offering no encryption. Because these offer no
+encryption at all and are a security risk they are disabled unless explicitly
+included.
+
+=item B<aNULL>
+
+the cipher suites offering no authentication. This is currently the anonymous
+DH algorithms. These cipher suites are vulnerable to a "man in the middle"
+attack and so their use is normally discouraged.
+
+=item B<kRSA>, B<RSA>
+
+cipher suites using RSA key exchange.
+
+=item B<kEDH>
+
+cipher suites using ephemeral DH key agreement.
+
+=item B<kDHr>, B<kDHd>
+
+cipher suites using DH key agreement and DH certificates signed by CAs with RSA
+and DSS keys respectively. Not implemented.
+
+=item B<aRSA>
+
+cipher suites using RSA authentication, i.e. the certificates carry RSA keys.
+
+=item B<aDSS>, B<DSS>
+
+cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
+
+=item B<aDH>
+
+cipher suites effectively using DH authentication, i.e. the certificates carry
+DH keys.  Not implemented.
+
+=item B<kFZA>, B<aFZA>, B<eFZA>, B<FZA>
+
+ciphers suites using FORTEZZA key exchange, authentication, encryption or all
+FORTEZZA algorithms. Not implemented.
+
+=item B<TLSv1>, B<SSLv3>, B<SSLv2>
+
+TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively.
+
+=item B<DH>
+
+cipher suites using DH, including anonymous DH.
+
+=item B<ADH>
+
+anonymous DH cipher suites.
+
+=item B<3DES>
+
+cipher suites using triple DES.
+
+=item B<DES>
+
+cipher suites using DES (not triple DES).
+
+=item B<RC4>
+
+cipher suites using RC4.
+
+=item B<RC2>
+
+cipher suites using RC2.
+
+=item B<IDEA>
+
+cipher suites using IDEA.
+
+=item B<MD5>
+
+cipher suites using MD5.
+
+=item B<SHA1>, B<SHA>
+
+cipher suites using SHA1.
+
+=back
+
+=head1 CIPHER SUITE NAMES
+
+The following lists give the SSL or TLS cipher suites names from the
+relevant specification and their OpenSSL equivalents.
+
+=head2 SSL v3.0 cipher suites.
+
+ SSL_RSA_WITH_NULL_MD5                   NULL-MD5
+ SSL_RSA_WITH_NULL_SHA                   NULL-SHA
+ SSL_RSA_EXPORT_WITH_RC4_40_MD5          EXP-RC4-MD5
+ SSL_RSA_WITH_RC4_128_MD5                RC4-MD5
+ SSL_RSA_WITH_RC4_128_SHA                RC4-SHA
+ SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5      EXP-RC2-CBC-MD5
+ SSL_RSA_WITH_IDEA_CBC_SHA               IDEA-CBC-SHA
+ SSL_RSA_EXPORT_WITH_DES40_CBC_SHA       EXP-DES-CBC-SHA
+ SSL_RSA_WITH_DES_CBC_SHA                DES-CBC-SHA
+ SSL_RSA_WITH_3DES_EDE_CBC_SHA           DES-CBC3-SHA
+
+ SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA    Not implemented.
+ SSL_DH_DSS_WITH_DES_CBC_SHA             Not implemented.
+ SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA        Not implemented.
+ SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA    Not implemented.
+ SSL_DH_RSA_WITH_DES_CBC_SHA             Not implemented.
+ SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA        Not implemented.
+ SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA   EXP-EDH-DSS-DES-CBC-SHA
+ SSL_DHE_DSS_WITH_DES_CBC_SHA            EDH-DSS-CBC-SHA
+ SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA       EDH-DSS-DES-CBC3-SHA
+ SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA   EXP-EDH-RSA-DES-CBC-SHA
+ SSL_DHE_RSA_WITH_DES_CBC_SHA            EDH-RSA-DES-CBC-SHA
+ SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA       EDH-RSA-DES-CBC3-SHA
+
+ SSL_DH_anon_EXPORT_WITH_RC4_40_MD5      EXP-ADH-RC4-MD5
+ SSL_DH_anon_WITH_RC4_128_MD5            ADH-RC4-MD5
+ SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA   EXP-ADH-DES-CBC-SHA
+ SSL_DH_anon_WITH_DES_CBC_SHA            ADH-DES-CBC-SHA
+ SSL_DH_anon_WITH_3DES_EDE_CBC_SHA       ADH-DES-CBC3-SHA
+
+ SSL_FORTEZZA_KEA_WITH_NULL_SHA          Not implemented.
+ SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA  Not implemented.
+ SSL_FORTEZZA_KEA_WITH_RC4_128_SHA       Not implemented.
+
+=head2 TLS v1.0 cipher suites.
+
+ TLS_RSA_WITH_NULL_MD5                   NULL-MD5
+ TLS_RSA_WITH_NULL_SHA                   NULL-SHA
+ TLS_RSA_EXPORT_WITH_RC4_40_MD5          EXP-RC4-MD5
+ TLS_RSA_WITH_RC4_128_MD5                RC4-MD5
+ TLS_RSA_WITH_RC4_128_SHA                RC4-SHA
+ TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5      EXP-RC2-CBC-MD5
+ TLS_RSA_WITH_IDEA_CBC_SHA               IDEA-CBC-SHA
+ TLS_RSA_EXPORT_WITH_DES40_CBC_SHA       EXP-DES-CBC-SHA
+ TLS_RSA_WITH_DES_CBC_SHA                DES-CBC-SHA
+ TLS_RSA_WITH_3DES_EDE_CBC_SHA           DES-CBC3-SHA
+
+ TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA    Not implemented.
+ TLS_DH_DSS_WITH_DES_CBC_SHA             Not implemented.
+ TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA        Not implemented.
+ TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA    Not implemented.
+ TLS_DH_RSA_WITH_DES_CBC_SHA             Not implemented.
+ TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA        Not implemented.
+ TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA   EXP-EDH-DSS-DES-CBC-SHA
+ TLS_DHE_DSS_WITH_DES_CBC_SHA            EDH-DSS-CBC-SHA
+ TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA       EDH-DSS-DES-CBC3-SHA
+ TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA   EXP-EDH-RSA-DES-CBC-SHA
+ TLS_DHE_RSA_WITH_DES_CBC_SHA            EDH-RSA-DES-CBC-SHA
+ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA       EDH-RSA-DES-CBC3-SHA
+
+ TLS_DH_anon_EXPORT_WITH_RC4_40_MD5      EXP-ADH-RC4-MD5
+ TLS_DH_anon_WITH_RC4_128_MD5            ADH-RC4-MD5
+ TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA   EXP-ADH-DES-CBC-SHA
+ TLS_DH_anon_WITH_DES_CBC_SHA            ADH-DES-CBC-SHA
+ TLS_DH_anon_WITH_3DES_EDE_CBC_SHA       ADH-DES-CBC3-SHA
+
+=head2 Additional Export 1024 and other cipher suites
+
+Note: these ciphers can also be used in SSL v3.
+
+ TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA     EXP1024-DES-CBC-SHA
+ TLS_RSA_EXPORT1024_WITH_RC4_56_SHA      EXP1024-RC4-SHA
+ TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DHE-DSS-DES-CBC-SHA
+ TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA  EXP1024-DHE-DSS-RC4-SHA
+ TLS_DHE_DSS_WITH_RC4_128_SHA            DHE-DSS-RC4-SHA
+
+=head2 SSL v2.0 cipher suites.
+
+ SSL_CK_RC4_128_WITH_MD5                 RC4-MD5
+ SSL_CK_RC4_128_EXPORT40_WITH_MD5        EXP-RC4-MD5
+ SSL_CK_RC2_128_CBC_WITH_MD5             RC2-MD5
+ SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5    EXP-RC2-MD5
+ SSL_CK_IDEA_128_CBC_WITH_MD5            IDEA-CBC-MD5
+ SSL_CK_DES_64_CBC_WITH_MD5              DES-CBC-MD5
+ SSL_CK_DES_192_EDE3_CBC_WITH_MD5        DES-CBC3-MD5
+
+=head1 NOTES
+
+The non-ephemeral DH modes are currently unimplemented in OpenSSL
+because there is no support for DH certificates.
+
+Some compiled versions of OpenSSL may not include all the ciphers
+listed here because some ciphers were excluded at compile time.
+
+=head1 EXAMPLES
+
+Verbose listing of all OpenSSL ciphers including NULL ciphers:
+
+ openssl ciphers -v 'ALL:eNULL'
+
+Include all ciphers except NULL and anonymous DH then sort by
+strength:
+
+ openssl ciphers -v 'ALL:!ADH:@STRENGTH'
+
+Include only 3DES ciphers and then place RSA ciphers last:
+
+ openssl ciphers -v '3DES:+RSA'
+
+=head1 SEE ALSO
+
+L<s_client(1)|s_client(1)>, L<s_server(1)|s_server(1)>, L<ssl(3)|ssl(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/apps/config.pod b/src/lib/libssl/src/doc/apps/config.pod
new file mode 100644
index 0000000000..ce874a42ce
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/config.pod
@@ -0,0 +1,138 @@
+
+=pod
+
+=head1 NAME
+
+config - OpenSSL CONF library configuration files
+
+=head1 DESCRIPTION
+
+The OpenSSL CONF library can be used to read configuration files.
+It is used for the OpenSSL master configuration file B<openssl.cnf>
+and in a few other places like B<SPKAC> files and certificate extension
+files for the B<x509> utility.
+
+A configuration file is divided into a number of sections. Each section
+starts with a line B<[ section_name ]> and ends when a new section is
+started or end of file is reached. A section name can consist of
+alphanumeric characters and underscores.
+
+The first section of a configuration file is special and is referred
+to as the B<default> section this is usually unnamed and is from the
+start of file until the first named section. When a name is being looked up
+it is first looked up in a named section (if any) and then the
+default section.
+
+The environment is mapped onto a section called B<ENV>.
+
+Comments can be included by preceding them with the B<#> character
+
+Each section in a configuration file consists of a number of name and
+value pairs of the form B<name=value>
+
+The B<name> string can contain any alphanumeric characters as well as
+a few punctuation symbols such as B<.> B<,> B<;> and B<_>.
+
+The B<value> string consists of the string following the B<=> character
+until end of line with any leading and trailing white space removed.
+
+The value string undergoes variable expansion. This can be done by
+including the form B<$var> or B<${var}>: this will substitute the value
+of the named variable in the current section. It is also possible to
+substitute a value from another section using the syntax B<$section::name>
+or B<${section::name}>. By using the form B<$ENV::name> environment
+variables can be substituted. It is also possible to assign values to
+environment variables by using the name B<ENV::name>, this will work
+if the program looks up environment variables using the B<CONF> library
+instead of calling B<getenv()> directly.
+
+It is possible to escape certain characters by using any kind of quote
+or the B<\> character. By making the last character of a line a B<\>
+a B<value> string can be spread across multiple lines. In addition
+the sequences B<\n>, B<\r>, B<\b> and B<\t> are recognized.
+
+=head1 NOTES
+
+If a configuration file attempts to expand a variable that doesn't exist
+then an error is flagged and the file will not load. This can happen
+if an attempt is made to expand an environment variable that doesn't
+exist. For example the default OpenSSL master configuration file used
+the value of B<HOME> which may not be defined on non Unix systems.
+
+This can be worked around by including a B<default> section to provide
+a default value: then if the environment lookup fails the default value
+will be used instead. For this to work properly the default value must
+be defined earlier in the configuration file than the expansion. See
+the B<EXAMPLES> section for an example of how to do this.
+
+If the same variable exists in the same section then all but the last
+value will be silently ignored. In certain circumstances such as with
+DNs the same field may occur multiple times. This is usually worked
+around by ignoring any characters before an initial B<.> e.g.
+
+ 1.OU="My first OU"
+ 2.OU="My Second OU"
+
+=head1 EXAMPLES
+
+Here is a sample configuration file using some of the features
+mentioned above.
+
+ # This is the default section.
+ 
+ HOME=/temp
+ RANDFILE= ${ENV::HOME}/.rnd
+ configdir=$ENV::HOME/config
+
+ [ section_one ]
+
+ # We are now in section one.
+
+ # Quotes permit leading and trailing whitespace
+ any = " any variable name "
+
+ other = A string that can \
+ cover several lines \
+ by including \\ characters
+
+ message = Hello World\n
+
+ [ section_two ]
+
+ greeting = $section_one::message
+
+This next example shows how to expand environment variables safely.
+
+Suppose you want a variable called B<tmpfile> to refer to a
+temporary filename. The directory it is placed in can determined by
+the the B<TEMP> or B<TMP> environment variables but they may not be
+set to any value at all. If you just include the environment variable
+names and the variable doesn't exist then this will cause an error when
+an attempt is made to load the configuration file. By making use of the
+default section both values can be looked up with B<TEMP> taking 
+priority and B</tmp> used if neither is defined:
+
+ TMP=/tmp
+ # The above value is used if TMP isn't in the environment
+ TEMP=$ENV::TMP
+ # The above value is used if TEMP isn't in the environment
+ tmpfile=${ENV::TEMP}/tmp.filename
+
+=head1 BUGS
+
+Currently there is no way to include characters using the octal B<\nnn>
+form. Strings are all null terminated so nulls cannot form part of
+the value.
+
+The escaping isn't quite right: if you want to use sequences like B<\n>
+you can't use any quote escaping on the same line.
+
+Files are loaded in a single pass. This means that an variable expansion
+will only work if the variables referenced are defined earlier in the
+file.
+
+=head1 SEE ALSO
+
+L<x509(1)|x509(1)>, L<req(1)|req(1)>, L<ca(1)|ca(1)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/apps/crl.pod b/src/lib/libssl/src/doc/apps/crl.pod
new file mode 100644
index 0000000000..a40c873b95
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/crl.pod
@@ -0,0 +1,117 @@
+=pod
+
+=head1 NAME
+
+crl - CRL utility
+
+=head1 SYNOPSIS
+
+B<openssl> B<crl>
+[B<-inform PEM|DER>]
+[B<-outform PEM|DER>]
+[B<-text>]
+[B<-in filename>]
+[B<-out filename>]
+[B<-noout>]
+[B<-hash>]
+[B<-issuer>]
+[B<-lastupdate>]
+[B<-nextupdate>]
+[B<-CAfile file>]
+[B<-CApath dir>]
+
+=head1 DESCRIPTION
+
+The B<crl> command processes CRL files in DER or PEM format.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-inform DER|PEM>
+
+This specifies the input format. B<DER> format is DER encoded CRL
+structure. B<PEM> (the default) is a base64 encoded version of
+the DER form with header and footer lines.
+
+=item B<-outform DER|PEM>
+
+This specifies the output format, the options have the same meaning as the 
+B<-inform> option.
+
+=item B<-in filename>
+
+This specifies the input filename to read from or standard input if this
+option is not specified.
+
+=item B<-out filename>
+
+specifies the output filename to write to or standard output by
+default.
+
+=item B<-text>
+
+print out the CRL in text form.
+
+=item B<-noout>
+
+don't output the encoded version of the CRL.
+
+=item B<-hash>
+
+output a hash of the issuer name. This can be use to lookup CRLs in
+a directory by issuer name.
+
+=item B<-issuer>
+
+output the issuer name.
+
+=item B<-lastupdate>
+
+output the lastUpdate field.
+
+=item B<-nextupdate>
+
+output the nextUpdate field.
+
+=item B<-CAfile file>
+
+verify the signature on a CRL by looking up the issuing certificate in
+B<file>
+
+=item B<-CApath dir>
+
+verify the signature on a CRL by looking up the issuing certificate in
+B<dir>. This directory must be a standard certificate directory: that
+is a hash of each subject name (using B<x509 -hash>) should be linked
+to each certificate.
+
+=back
+
+=head1 NOTES
+
+The PEM CRL format uses the header and footer lines:
+
+ -----BEGIN X509 CRL-----
+ -----END X509 CRL-----
+
+=head1 EXAMPLES
+
+Convert a CRL file from PEM to DER:
+
+ openssl crl -in crl.pem -outform DER -out crl.der
+
+Output the text form of a DER encoded certificate:
+
+ openssl crl -in crl.der -text -noout
+
+=head1 BUGS
+
+Ideally it should be possible to create a CRL using appropriate options
+and files too.
+
+=head1 SEE ALSO
+
+L<crl2pkcs7(1)|crl2pkcs7(1)>, L<ca(1)|ca(1)>, L<x509(1)|x509(1)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/apps/crl2pkcs7.pod b/src/lib/libssl/src/doc/apps/crl2pkcs7.pod
new file mode 100644
index 0000000000..da199b044a
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/crl2pkcs7.pod
@@ -0,0 +1,90 @@
+=pod
+
+=head1 NAME
+
+crl2pkcs7 - Create a PKCS#7 structure from a CRL and certificates.
+
+=head1 SYNOPSIS
+
+B<openssl> B<pkcs7>
+[B<-inform PEM|DER>]
+[B<-outform PEM|DER>]
+[B<-in filename>]
+[B<-out filename>]
+[B<-print_certs>]
+
+=head1 DESCRIPTION
+
+The B<crl2pkcs7> command takes an optional CRL and one or more
+certificates and converts them into a PKCS#7 degenerate "certificates
+only" structure.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-inform DER|PEM>
+
+This specifies the CRL input format. B<DER> format is DER encoded CRL
+structure.B<PEM> (the default) is a base64 encoded version of
+the DER form with header and footer lines.
+
+=item B<-outform DER|PEM>
+
+This specifies the PKCS#7 structure output format. B<DER> format is DER
+encoded PKCS#7 structure.B<PEM> (the default) is a base64 encoded version of
+the DER form with header and footer lines.
+
+=item B<-in filename>
+
+This specifies the input filename to read a CRL from or standard input if this
+option is not specified.
+
+=item B<-out filename>
+
+specifies the output filename to write the PKCS#7 structure to or standard
+output by default.
+
+=item B<-certfile filename>
+
+specifies a filename containing one or more certificates in B<PEM> format.
+All certificates in the file will be added to the PKCS#7 structure. This
+option can be used more than once to read certificates form multiple
+files.
+
+=item B<-nocrl>
+
+normally a CRL is included in the output file. With this option no CRL is
+included in the output file and a CRL is not read from the input file.
+
+=back
+
+=head1 EXAMPLES
+
+Create a PKCS#7 structure from a certificate and CRL:
+
+ openssl crl2pkcs7 -in crl.pem -certfile cert.pem -out p7.pem
+
+Creates a PKCS#7 structure in DER format with no CRL from several
+different certificates:
+
+ openssl crl2pkcs7 -nocrl -certfile newcert.pem 
+        -certfile demoCA/cacert.pem -outform DER -out p7.der
+
+=head1 NOTES
+
+The output file is a PKCS#7 signed data structure containing no signers and
+just certificates and an optional CRL.
+
+This utility can be used to send certificates and CAs to Netscape as part of
+the certificate enrollment process. This involves sending the DER encoded output
+as MIME type application/x-x509-user-cert.
+
+The B<PEM> encoded form with the header and footer lines removed can be used to
+install user certificates and CAs in MSIE using the Xenroll control.
+
+=head1 SEE ALSO
+
+L<pkcs7(1)|pkcs7(1)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/apps/dgst.pod b/src/lib/libssl/src/doc/apps/dgst.pod
new file mode 100644
index 0000000000..cbf2cc529a
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/dgst.pod
@@ -0,0 +1,49 @@
+=pod
+
+=head1 NAME
+
+dgst, md5, md2, sha1, sha, mdc2, ripemd160 - message digests
+
+=head1 SYNOPSIS
+
+[B<dgst>]
+[B<-md5|-md2|-sha1|-sha|mdc2|-ripemd160>]
+[B<-c>]
+[B<-d>]
+[B<file...>]
+
+[B<md5|md2|sha1|sha|mdc2|ripemd160>]
+[B<-c>]
+[B<-d>]
+[B<file...>]
+
+=head1 DESCRIPTION
+
+The digest functions print out the message digest of a supplied file or files
+in hexadecimal form.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-c>
+
+print out the digest in two digit groups separated by colons.
+
+=item B<-d>
+
+print out BIO debugging information.
+
+=item B<file...>
+
+file or files to digest. If no files are specified then standard input is
+used.
+
+=back
+
+=head1 NOTES
+
+The digest of choice for all new applications is SHA1. Other digests are
+however still widely used.
+
+=cut
diff --git a/src/lib/libssl/src/doc/apps/dhparam.pod b/src/lib/libssl/src/doc/apps/dhparam.pod
new file mode 100644
index 0000000000..6b237ec05a
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/dhparam.pod
@@ -0,0 +1,115 @@
+=pod
+
+=head1 NAME
+
+dhparam - DH parameter manipulation and generation
+
+=head1 SYNOPSIS
+
+B<openssl dh>
+[B<-inform DER|PEM>]
+[B<-outform DER|PEM>]
+[B<-in filename>]
+[B<-out filename>]
+[B<-noout>]
+[B<-text>]
+[B<-C>]
+[B<-2>]
+[B<-5>]
+[B<-rand file(s)>]
+[numbits]
+
+=head1 DESCRIPTION
+
+This command is used to manipulate DH parameter files.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-inform DER|PEM>
+
+This specifies the input format. The B<DER> option uses an ASN1 DER encoded
+form compatible with the PKCS#3 DHparameter structure. The PEM form is the
+default format: it consists of the B<DER> format base64 encoded with
+additional header and footer lines.
+
+=item B<-outform DER|PEM>
+
+This specifies the output format, the options have the same meaning as the 
+B<-inform> option.
+
+=item B<-in filename>
+
+This specifies the input filename to read parameters from or standard input if
+this option is not specified.
+
+=item B<-out filename>
+
+This specifies the output filename parameters to. Standard output is used
+if this option is not present. The output filename should B<not> be the same
+as the input filename.
+
+=item B<-2>, B<-5>
+
+The generator to use, either 2 or 5. 2 is the default. If present then the
+input file is ignored and parameters are generated instead.
+
+=item B<-rand file(s)>
+
+a file or files containing random data used to seed the random number
+generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVSM, and B<:> for
+all others.
+
+=item B<numbits>
+
+this option specifies that a parameter set should be generated of size
+B<numbits>. It must be the last option. If not present then a value of 512
+is used. If this option is present then the input file is ignored and 
+parameters are generated instead.
+
+=item B<-noout>
+
+this option inhibits the output of the encoded version of the parameters.
+
+=item B<-text>
+
+this option prints out the DH parameters in human readable form.
+
+=item B<-C>
+
+this option converts the parameters into C code. The parameters can then
+be loaded by calling the B<get_dhXXX()> function.
+
+=back
+
+=head1 WARNINGS
+
+The program B<dhparam> combines the functionality of the programs B<dh> and
+B<gendh> in previous versions of OpenSSL and SSLeay. The B<dh> and B<gendh>
+programs are retained for now but may have different purposes in future 
+versions of OpenSSL.
+
+=head1 NOTES
+
+PEM format DH parameters use the header and footer lines:
+
+ -----BEGIN DH PARAMETERS-----
+ -----END DH PARAMETERS-----
+
+OpenSSL currently only supports the older PKCS#3 DH, not the newer X9.42
+DH.
+
+This program manipulates DH parameters not keys.
+
+=head1 BUGS
+
+There should be a way to generate and manipulate DH keys.
+
+=head1 SEE ALSO
+
+L<dsaparam(1)|dsaparam(1)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/apps/dsa.pod b/src/lib/libssl/src/doc/apps/dsa.pod
new file mode 100644
index 0000000000..28e534bb95
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/dsa.pod
@@ -0,0 +1,150 @@
+=pod
+
+=head1 NAME
+
+dsa - DSA key processing
+
+=head1 SYNOPSIS
+
+B<openssl> B<dsa>
+[B<-inform PEM|DER>]
+[B<-outform PEM|DER>]
+[B<-in filename>]
+[B<-passin arg>]
+[B<-out filename>]
+[B<-passout arg>]
+[B<-des>]
+[B<-des3>]
+[B<-idea>]
+[B<-text>]
+[B<-noout>]
+[B<-modulus>]
+[B<-pubin>]
+[B<-pubout>]
+
+=head1 DESCRIPTION
+
+The B<dsa> command processes DSA keys. They can be converted between various
+forms and their components printed out. B<Note> This command uses the
+traditional SSLeay compatible format for private key encryption: newer
+applications should use the more secure PKCS#8 format using the B<pkcs8>
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-inform DER|PEM>
+
+This specifies the input format. The B<DER> option with a private key uses
+an ASN1 DER encoded form of an ASN.1 SEQUENCE consisting of the values of
+version (currently zero), p, q, g, the public and private key components
+respectively as ASN.1 INTEGERs. When used with a public key it uses a
+SubjectPublicKeyInfo structure: it is an error if the key is not DSA.
+
+The B<PEM> form is the default format: it consists of the B<DER> format base64
+encoded with additional header and footer lines. In the case of a private key
+PKCS#8 format is also accepted.
+
+=item B<-outform DER|PEM>
+
+This specifies the output format, the options have the same meaning as the 
+B<-inform> option.
+
+=item B<-in filename>
+
+This specifies the input filename to read a key from or standard input if this
+option is not specified. If the key is encrypted a pass phrase will be
+prompted for.
+
+=item B<-passin arg>
+
+the input file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
+=item B<-out filename>
+
+This specifies the output filename to write a key to or standard output by
+is not specified. If any encryption options are set then a pass phrase will be
+prompted for. The output filename should B<not> be the same as the input
+filename.
+
+=item B<-passout arg>
+
+the output file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
+=item B<-des|-des3|-idea>
+
+These options encrypt the private key with the DES, triple DES, or the 
+IDEA ciphers respectively before outputting it. A pass phrase is prompted for.
+If none of these options is specified the key is written in plain text. This
+means that using the B<dsa> utility to read in an encrypted key with no
+encryption option can be used to remove the pass phrase from a key, or by
+setting the encryption options it can be use to add or change the pass phrase.
+These options can only be used with PEM format output files.
+
+=item B<-text>
+
+prints out the public, private key components and parameters.
+
+=item B<-noout>
+
+this option prevents output of the encoded version of the key.
+
+=item B<-modulus>
+
+this option prints out the value of the public key component of the key.
+
+=item B<-pubin>
+
+by default a private key is read from the input file: with this option a
+public key is read instead.
+
+=item B<-pubout>
+
+by default a private key is output. With this option a public
+key will be output instead. This option is automatically set if the input is
+a public key.
+
+=back
+
+=head1 NOTES
+
+The PEM private key format uses the header and footer lines:
+
+ -----BEGIN DSA PRIVATE KEY-----
+ -----END DSA PRIVATE KEY-----
+
+The PEM public key format uses the header and footer lines:
+
+ -----BEGIN PUBLIC KEY-----
+ -----END PUBLIC KEY-----
+
+=head1 EXAMPLES
+
+To remove the pass phrase on a DSA private key:
+
+ openssl dsa -in key.pem -out keyout.pem
+
+To encrypt a private key using triple DES:
+
+ openssl dsa -in key.pem -des3 -out keyout.pem
+
+To convert a private key from PEM to DER format: 
+
+ openssl dsa -in key.pem -outform DER -out keyout.der
+
+To print out the components of a private key to standard output:
+
+ openssl dsa -in key.pem -text -noout
+
+To just output the public part of a private key:
+
+ openssl dsa -in key.pem -pubout -out pubkey.pem
+
+=head1 SEE ALSO
+
+L<dsaparam(1)|dsaparam(1)>, L<gendsa(1)|gendsa(1)>, L<rsa(1)|rsa(1)>,
+L<genrsa(1)|genrsa(1)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/apps/dsaparam.pod b/src/lib/libssl/src/doc/apps/dsaparam.pod
new file mode 100644
index 0000000000..8647f34698
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/dsaparam.pod
@@ -0,0 +1,102 @@
+=pod
+
+=head1 NAME
+
+dsaparam - DSA parameter manipulation and generation
+
+=head1 SYNOPSIS
+
+B<openssl dsaparam>
+[B<-inform DER|PEM>]
+[B<-outform DER|PEM>]
+[B<-in filename>]
+[B<-out filename>]
+[B<-noout>]
+[B<-text>]
+[B<-C>]
+[B<-rand file(s)>]
+[B<-genkey>]
+[B<numbits>]
+
+=head1 DESCRIPTION
+
+This command is used to manipulate or generate DSA parameter files.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-inform DER|PEM>
+
+This specifies the input format. The B<DER> option uses an ASN1 DER encoded
+form compatible with RFC2459 (PKIX) DSS-Parms that is a SEQUENCE consisting
+of p, q and g respectively. The PEM form is the default format: it consists
+of the B<DER> format base64 encoded with additional header and footer lines.
+
+=item B<-outform DER|PEM>
+
+This specifies the output format, the options have the same meaning as the 
+B<-inform> option.
+
+=item B<-in filename>
+
+This specifies the input filename to read parameters from or standard input if
+this option is not specified. If the B<numbits> parameter is included then
+this option will be ignored.
+
+=item B<-out filename>
+
+This specifies the output filename parameters to. Standard output is used
+if this option is not present. The output filename should B<not> be the same
+as the input filename.
+
+=item B<-noout>
+
+this option inhibits the output of the encoded version of the parameters.
+
+=item B<-text>
+
+this option prints out the DSA parameters in human readable form.
+
+=item B<-C>
+
+this option converts the parameters into C code. The parameters can then
+be loaded by calling the B<get_dsaXXX()> function.
+
+=item B<-genkey>
+
+this option will generate a DSA either using the specified or generated
+parameters.
+
+=item B<-rand file(s)>
+
+a file or files containing random data used to seed the random number
+generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVSM, and B<:> for
+all others.
+
+=item B<numbits>
+
+this option specifies that a parameter set should be generated of size
+B<numbits>. It must be the last option. If this option is included then
+the input file (if any) is ignored.
+
+=back
+
+=head1 NOTES
+
+PEM format DSA parameters use the header and footer lines:
+
+ -----BEGIN DSA PARAMETERS-----
+ -----END DSA PARAMETERS-----
+
+DSA parameter generation is a slow process and as a result the same set of
+DSA parameters is often used to generate several distinct keys.
+
+=head1 SEE ALSO
+
+L<gendsa(1)|gendsa(1)>, L<dsa(1)|dsa(1)>, L<genrsa(1)|genrsa(1)>,
+L<rsa(1)|rsa(1)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/apps/enc.pod b/src/lib/libssl/src/doc/apps/enc.pod
new file mode 100644
index 0000000000..e436ccc37e
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/enc.pod
@@ -0,0 +1,257 @@
+=pod
+
+=head1 NAME
+
+enc - symmetric cipher routines
+
+=head1 SYNOPSIS
+
+B<openssl enc -ciphername>
+[B<-in filename>]
+[B<-out filename>]
+[B<-pass arg>]
+[B<-e>]
+[B<-d>]
+[B<-a>]
+[B<-A>]
+[B<-k password>]
+[B<-kfile filename>]
+[B<-K key>]
+[B<-iv IV>]
+[B<-p>]
+[B<-P>]
+[B<-bufsize number>]
+[B<-debug>]
+
+=head1 DESCRIPTION
+
+The symmetric cipher commands allow data to be encrypted or decrypted
+using various block and stream ciphers using keys based on passwords
+or explicitly provided. Base64 encoding or decoding can also be performed
+either by itself or in addition to the encryption or decryption.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-in filename>
+
+the input filename, standard input by default.
+
+=item B<-out filename>
+
+the output filename, standard output by default.
+
+=item B<-pass arg>
+
+the password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
+=item B<-salt>
+
+use a salt in the key derivation routines. This option should B<ALWAYS>
+be used unless compatibility with previous versions of OpenSSL or SSLeay
+is required. This option is only present on OpenSSL versions 0.9.5 or
+above.
+
+=item B<-nosalt>
+
+don't use a salt in the key derivation routines. This is the default for
+compatibility with previous versions of OpenSSL and SSLeay.
+
+=item B<-e>
+
+encrypt the input data: this is the default.
+
+=item B<-d>
+
+decrypt the input data.
+
+=item B<-a>
+
+base64 process the data. This means that if encryption is taking place
+the data is base64 encoded after encryption. If decryption is set then
+the input data is base64 decoded before being decrypted.
+
+=item B<-A>
+
+if the B<-a> option is set then base64 process the data on one line.
+
+=item B<-k password>
+
+the password to derive the key from. This is for compatibility with previous
+versions of OpenSSL. Superseded by the B<-pass> argument.
+
+=item B<-kfile filename>
+
+read the password to derive the key from the first line of B<filename>.
+This is for computability with previous versions of OpenSSL. Superseded by
+the B<-pass> argument.
+
+=item B<-S salt>
+
+the actual salt to use: this must be represented as a string comprised only
+of hex digits.
+
+=item B<-K key>
+
+the actual key to use: this must be represented as a string comprised only
+of hex digits.
+
+=item B<-iv IV>
+
+the actual IV to use: this must be represented as a string comprised only
+of hex digits.
+
+=item B<-p>
+
+print out the key and IV used.
+
+=item B<-P>
+
+print out the key and IV used then immediately exit: don't do any encryption
+or decryption.
+
+=item B<-bufsize number>
+
+set the buffer size for I/O
+
+=item B<-debug>
+
+debug the BIOs used for I/O.
+
+=back
+
+=head1 NOTES
+
+The program can be called either as B<openssl ciphername> or
+B<openssl enc -ciphername>.
+
+A password will be prompted for to derive the key and IV if necessary.
+
+The B<-salt> option should B<ALWAYS> be used if the key is being derived
+from a password unless you want compatibility with previous versions of
+OpenSSL and SSLeay.
+
+Without the B<-salt> option it is possible to perform efficient dictionary
+attacks on the password and to attack stream cipher encrypted data. The reason
+for this is that without the salt the same password always generates the same
+encryption key. When the salt is being used the first eight bytes of the
+encrypted data are reserved for the salt: it is generated at random when
+encrypting a file and read from the encrypted file when it is decrypted.
+
+Some of the ciphers do not have large keys and others have security
+implications if not used correctly. A beginner is advised to just use
+a strong block cipher in CBC mode such as bf or des3.
+
+All the block ciphers use PKCS#5 padding also known as standard block
+padding: this allows a rudimentary integrity or password check to be
+performed. However since the chance of random data passing the test is
+better than 1 in 256 it isn't a very good test.
+
+All RC2 ciphers have the same key and effective key length.
+
+Blowfish and RC5 algorithms use a 128 bit key.
+
+=head1 SUPPORTED CIPHERS
+
+ base64             Base 64
+
+ bf-cbc             Blowfish in CBC mode
+ bf                 Alias for bf-cbc
+ bf-cfb             Blowfish in CFB mode
+ bf-ecb             Blowfish in ECB mode
+ bf-ofb             Blowfish in OFB mode
+
+ cast-cbc           CAST in CBC mode
+ cast               Alias for cast-cbc
+ cast5-cbc          CAST5 in CBC mode
+ cast5-cfb          CAST5 in CFB mode
+ cast5-ecb          CAST5 in ECB mode
+ cast5-ofb          CAST5 in OFB mode
+
+ des-cbc            DES in CBC mode
+ des                Alias for des-cbc
+ des-cfb            DES in CBC mode
+ des-ofb            DES in OFB mode
+ des-ecb            DES in ECB mode
+
+ des-ede-cbc        Two key triple DES EDE in CBC mode
+ des-ede            Alias for des-ede
+ des-ede-cfb        Two key triple DES EDE in CFB mode
+ des-ede-ofb        Two key triple DES EDE in OFB mode
+
+ des-ede3-cbc       Three key triple DES EDE in CBC mode
+ des-ede3           Alias for des-ede3-cbc
+ des3               Alias for des-ede3-cbc
+ des-ede3-cfb       Three key triple DES EDE CFB mode
+ des-ede3-ofb       Three key triple DES EDE in OFB mode
+
+ desx               DESX algorithm.
+
+ idea-cbc           IDEA algorithm in CBC mode
+ idea               same as idea-cbc
+ idea-cfb           IDEA in CFB mode
+ idea-ecb           IDEA in ECB mode
+ idea-ofb           IDEA in OFB mode
+
+ rc2-cbc            128 bit RC2 in CBC mode
+ rc2                Alias for rc2-cbc
+ rc2-cfb            128 bit RC2 in CBC mode
+ rc2-ecb            128 bit RC2 in CBC mode
+ rc2-ofb            128 bit RC2 in CBC mode
+ rc2-64-cbc         64 bit RC2 in CBC mode
+ rc2-40-cbc         40 bit RC2 in CBC mode
+
+ rc4                128 bit RC4
+ rc4-64             64 bit RC4
+ rc4-40             40 bit RC4
+
+ rc5-cbc            RC5 cipher in CBC mode
+ rc5                Alias for rc5-cbc
+ rc5-cfb            RC5 cipher in CBC mode
+ rc5-ecb            RC5 cipher in CBC mode
+ rc5-ofb            RC5 cipher in CBC mode
+
+=head1 EXAMPLES
+
+Just base64 encode a binary file:
+
+ openssl base64 -in file.bin -out file.b64
+
+Decode the same file
+
+ openssl base64 -d -in file.b64 -out file.bin 
+
+Encrypt a file using triple DES in CBC mode using a prompted password:
+
+ openssl des3 -salt -in file.txt -out file.des3 
+
+Decrypt a file using a supplied password:
+
+ openssl des3 -d -salt -in file.des3 -out file.txt -k mypassword
+
+Encrypt a file then base64 encode it (so it can be sent via mail for example)
+using Blowfish in CBC mode:
+
+ openssl bf -a -salt -in file.txt -out file.bf
+
+Base64 decode a file then decrypt it:
+
+ openssl bf -d -salt -a -in file.bf -out file.txt
+
+Decrypt some data using a supplied 40 bit RC4 key:
+
+ openssl rc4-40 -in file.rc4 -out file.txt -K 0102030405
+
+=head1 BUGS
+
+The B<-A> option when used with large files doesn't work properly.
+
+There should be an option to allow an iteration count to be included.
+
+Like the EVP library the B<enc> program only supports a fixed number of
+algorithms with certain parameters. So if, for example, you want to use RC2
+with a 76 bit key or RC4 with an 84 bit key you can't use this program.
+
+=cut
diff --git a/src/lib/libssl/src/doc/apps/gendsa.pod b/src/lib/libssl/src/doc/apps/gendsa.pod
new file mode 100644
index 0000000000..3314ace517
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/gendsa.pod
@@ -0,0 +1,58 @@
+=pod
+
+=head1 NAME
+
+gendsa - generate a DSA private key from a set of parameters
+
+=head1 SYNOPSIS
+
+B<openssl> B<gendsa>
+[B<-out filename>]
+[B<-des>]
+[B<-des3>]
+[B<-idea>]
+[B<-rand file(s)>]
+[B<paramfile>]
+
+=head1 DESCRIPTION
+
+The B<gendsa> command generates a DSA private key from a DSA parameter file
+(which will be typically generated by the B<openssl dsaparam> command).
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-des|-des3|-idea>
+
+These options encrypt the private key with the DES, triple DES, or the 
+IDEA ciphers respectively before outputting it. A pass phrase is prompted for.
+If none of these options is specified no encryption is used.
+
+=item B<-rand file(s)>
+
+a file or files containing random data used to seed the random number
+generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVSM, and B<:> for
+all others.
+
+=item B<paramfile>
+
+This option specifies the DSA parameter file to use. The parameters in this
+file determine the size of the private key. DSA parameters can be generated
+and examined using the B<openssl dsaparam> command.
+
+=back
+
+=head1 NOTES
+
+DSA key generation is little more than random number generation so it is
+much quicker that RSA key generation for example.
+
+=head1 SEE ALSO
+
+L<dsaparam(1)|dsaparam(1)>, L<dsa(1)|dsa(1)>, L<genrsa(1)|genrsa(1)>,
+L<rsa(1)|rsa(1)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/apps/genrsa.pod b/src/lib/libssl/src/doc/apps/genrsa.pod
new file mode 100644
index 0000000000..a2d878410b
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/genrsa.pod
@@ -0,0 +1,85 @@
+=pod
+
+=head1 NAME
+
+genrsa - generate an RSA private key
+
+=head1 SYNOPSIS
+
+B<openssl> B<genrsa>
+[B<-out filename>]
+[B<-passout arg>]
+[B<-des>]
+[B<-des3>]
+[B<-idea>]
+[B<-f4>]
+[B<-3>]
+[B<-rand file(s)>]
+[B<numbits>]
+
+=head1 DESCRIPTION
+
+The B<genrsa> command generates an RSA private key.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-out filename>
+
+the output filename. If this argument is not specified then standard output is
+used.  
+
+=item B<-passout arg>
+
+the output file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
+=item B<-des|-des3|-idea>
+
+These options encrypt the private key with the DES, triple DES, or the 
+IDEA ciphers respectively before outputting it. If none of these options is
+specified no encryption is used. If encryption is used a pass phrase is prompted
+for if it is not supplied via the B<-passout> argument.
+
+=item B<-F4|-3>
+
+the public exponent to use, either 65537 or 3. The default is 65537.
+
+=item B<-rand file(s)>
+
+a file or files containing random data used to seed the random number
+generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVSM, and B<:> for
+all others.
+
+=item B<numbits>
+
+the size of the private key to generate in bits. This must be the last option
+specified. The default is 512.
+
+=back
+
+=head1 NOTES
+
+RSA private key generation essentially involves the generation of two prime
+numbers. When generating a private key various symbols will be output to
+indicate the progress of the generation. A B<.> represents each number which
+has passed an initial sieve test, B<+> means a number has passed a single
+round of the Miller-Rabin primality test. A newline means that the number has
+passed all the prime tests (the actual number depends on the key size).
+
+Because key generation is a random process the time taken to generate a key
+may vary somewhat.
+
+=head1 BUGS
+
+A quirk of the prime generation algorithm is that it cannot generate small
+primes. Therefore the number of bits should not be less that 64. For typical
+private keys this will not matter because for security reasons they will
+be much larger (typically 1024 bits).
+
+=head1 SEE ALSO
+
+L<gendsa(1)|gendsa(1)>
diff --git a/src/lib/libssl/src/doc/apps/nseq.pod b/src/lib/libssl/src/doc/apps/nseq.pod
new file mode 100644
index 0000000000..989c3108fb
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/nseq.pod
@@ -0,0 +1,70 @@
+=pod
+
+=head1 NAME
+
+nseq - create or examine a netscape certificate sequence
+
+=head1 SYNOPSIS
+
+B<openssl> B<nseq>
+[B<-in filename>]
+[B<-out filename>]
+[B<-toseq>]
+
+=head1 DESCRIPTION
+
+The B<nseq> command takes a file containing a Netscape certificate
+sequence and prints out the certificates contained in it or takes a
+file of certificates and converts it into a Netscape certificate
+sequence.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-in filename>
+
+This specifies the input filename to read or standard input if this
+option is not specified.
+
+=item B<-out filename>
+
+specifies the output filename or standard output by default.
+
+=item B<-toseq>
+
+normally a Netscape certificate sequence will be input and the output
+is the certificates contained in it. With the B<-toseq> option the
+situation is reversed: a Netscape certificate sequence is created from
+a file of certificates.
+
+=back
+
+=head1 EXAMPLES
+
+Output the certificates in a Netscape certificate sequence
+
+ openssl nseq -in nseq.pem -out certs.pem
+
+Create a Netscape certificate sequence
+
+ openssl nseq -in certs.pem -toseq -out nseq.pem
+
+=head1 NOTES
+
+The B<PEM> encoded form uses the same headers and footers as a certificate:
+
+ -----BEGIN CERTIFICATE-----
+ -----END CERTIFICATE-----
+
+A Netscape certificate sequence is a Netscape specific form that can be sent
+to browsers as an alternative to the standard PKCS#7 format when several
+certificates are sent to the browser: for example during certificate enrollment.
+It is used by Netscape certificate server for example.
+
+=head1 BUGS
+
+This program needs a few more options: like allowing DER or PEM input and
+output files and allowing multiple certificate files to be used.
+
+=cut
diff --git a/src/lib/libssl/src/doc/apps/ocsp.pod b/src/lib/libssl/src/doc/apps/ocsp.pod
new file mode 100644
index 0000000000..da201b95e6
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/ocsp.pod
@@ -0,0 +1,348 @@
+=pod
+
+=head1 NAME
+
+ocsp - Online Certificate Status Protocol utility
+
+=head1 SYNOPSIS
+
+B<openssl> B<ocsp>
+[B<-out file>]
+[B<-issuer file>]
+[B<-cert file>]
+[B<-serial n>]
+[B<-req_text>]
+[B<-resp_text>]
+[B<-text>]
+[B<-reqout file>]
+[B<-respout file>]
+[B<-reqin file>]
+[B<-respin file>]
+[B<-nonce>]
+[B<-no_nonce>]
+[B<-url responder_url>]
+[B<-host host:n>]
+[B<-path>]
+[B<-CApath file>]
+[B<-CAfile file>]
+[B<-VAfile file>]
+[B<-verify_certs file>]
+[B<-noverify>]
+[B<-trust_other>]
+[B<-no_intern>]
+[B<-no_sig_verify>]
+[B<-no_cert_verify>]
+[B<-no_chain>]
+[B<-no_cert_checks>]
+[B<-validity_period nsec>]
+[B<-status_age nsec>]
+
+=head1 DESCRIPTION
+
+B<WARNING: this documentation is preliminary and subject to change.>
+
+The Online Certificate Status Protocol (OCSP) enables applications to
+determine the (revocation) state of an identified certificate (RFC 2560).
+
+The B<ocsp> command performs many common OCSP tasks. It can be used
+to print out requests and responses, create requests and send queries
+to an OCSP responder and behave like a mini OCSP server itself.
+
+=head1 OCSP CLIENT OPTIONS
+
+=over 4
+
+=item B<-out filename>
+
+specify output filename, default is standard output.
+
+=item B<-issuer filename>
+
+This specifies the current issuer certificate. This option can be used
+multiple times. The certificate specified in B<filename> must be in
+PEM format.
+
+=item B<-cert filename>
+
+Add the certificate B<filename> to the request. The issuer certificate
+is taken from the previous B<issuer> option, or an error occurs if no
+issuer certificate is specified.
+
+=item B<-serial num>
+
+Same as the B<cert> option except the certificate with serial number
+B<num> is added to the request. The serial number is interpreted as a
+decimal integer unless preceded by B<0x>. Negative integers can also
+be specified by preceding the value by a B<-> sign.
+
+=item B<-signer filename>, B<-signkey filename>
+
+Sign the OCSP request using the certificate specified in the B<signer>
+option and the private key specified by the B<signkey> option. If
+the B<signkey> option is not present then the private key is read
+from the same file as the certificate. If neither option is specified then
+the OCSP request is not signed.
+
+=item B<-nonce>, B<-no_nonce>
+
+Add an OCSP nonce extension to a request or disable OCSP nonce addition.
+Normally if an OCSP request is input using the B<respin> option no
+nonce is added: using the B<nonce> option will force addition of a nonce.
+If an OCSP request is being created (using B<cert> and B<serial> options)
+a nonce is automatically added specifying B<no_nonce> overrides this.
+
+=item B<-req_text>, B<-resp_text>, B<-text>
+
+print out the text form of the OCSP request, response or both respectively.
+
+=item B<-reqout file>, B<-respout file>
+
+write out the DER encoded certificate request or response to B<file>.
+
+=item B<-reqin file>, B<-respin file>
+
+read OCSP request or response file from B<file>. These option are ignored
+if OCSP request or response creation is implied by other options (for example
+with B<serial>, B<cert> and B<host> options).
+
+=item B<-url responder_url>
+
+specify the responder URL. Both HTTP and HTTPS (SSL/TLS) URLs can be specified.
+
+=item B<-host hostname:port>, B<-path pathname>
+
+if the B<host> option is present then the OCSP request is sent to the host
+B<hostname> on port B<port>. B<path> specifies the HTTP path name to use
+or "/" by default.
+
+=item B<-CAfile file>, B<-CApath pathname>
+
+file or pathname containing trusted CA certificates. These are used to verify
+the signature on the OCSP response.
+
+=item B<-verify_certs file>
+
+file containing additional certificates to search when attempting to locate
+the OCSP response signing certificate. Some responders omit the actual signer's
+certificate from the response: this option can be used to supply the necessary
+certificate in such cases.
+
+=item B<-trust_other>
+
+the certificates specified by the B<-verify_certs> option should be explicitly
+trusted and no additional checks will be performed on them. This is useful
+when the complete responder certificate chain is not available or trusting a
+root CA is not appropriate.
+
+=item B<-VAfile file>
+
+file containing explicitly trusted responder certificates. Equivalent to the
+B<-verify_certs> and B<-trust_other> options.
+
+=item B<-noverify>
+
+don't attempt to verify the OCSP response signature or the nonce values. This
+option will normally only be used for debugging since it disables all verification
+of the responders certificate.
+
+=item B<-no_intern>
+
+ignore certificates contained in the OCSP response when searching for the
+signers certificate. With this option the signers certificate must be specified
+with either the B<-verify_certs> or B<-VAfile> options.
+
+=item B<-no_sig_verify>
+
+don't check the signature on the OCSP response. Since this option tolerates invalid
+signatures on OCSP responses it will normally only be used for testing purposes.
+
+=item B<-no_cert_verify>
+
+don't verify the OCSP response signers certificate at all. Since this option allows
+the OCSP response to be signed by any certificate it should only be used for
+testing purposes.
+
+=item B<-no_chain>
+
+do not use certificates in the response as additional untrusted CA
+certificates.
+
+=item B<-no_cert_checks>
+
+don't perform any additional checks on the OCSP response signers certificate.
+That is do not make any checks to see if the signers certificate is authorised
+to provide the necessary status information: as a result this option should
+only be used for testing purposes.
+
+=item B<-validity_period nsec>, B<-status_age age>
+
+these options specify the range of times, in seconds, which will be tolerated
+in an OCSP response. Each certificate status response includes a B<notBefore> time and
+an optional B<notAfter> time. The current time should fall between these two values, but
+the interval between the two times may be only a few seconds. In practice the OCSP
+responder and clients clocks may not be precisely synchronised and so such a check
+may fail. To avoid this the B<-validity_period> option can be used to specify an
+acceptable error range in seconds, the default value is 5 minutes.
+
+If the B<notAfter> time is omitted from a response then this means that new status
+information is immediately available. In this case the age of the B<notBefore> field
+is checked to see it is not older than B<age> seconds old. By default this additional
+check is not performed.
+
+=back
+
+=head1 OCSP SERVER OPTIONS
+
+=over 4
+
+=item B<-index indexfile>
+
+B<indexfile> is a text index file in B<ca> format containing certificate revocation
+information.
+
+If the B<index> option is specified the B<ocsp> utility is in responder mode, otherwise
+it is in client mode. The request(s) the responder processes can be either specified on
+the command line (using B<issuer> and B<serial> options), supplied in a file (using the
+B<respin> option) or via external OCSP clients (if B<port> or B<url> is specified).
+
+If the B<index> option is present then the B<CA> and B<rsigner> options must also be
+present.
+
+=item B<-CA file>
+
+CA certificate corresponding to the revocation information in B<indexfile>.
+
+=item B<-rsigner file>
+
+The certificate to sign OCSP responses with.
+
+=item B<-rother file>
+
+Additional certificates to include in the OCSP response.
+
+=item B<-resp_no_certs>
+
+Don't include any certificates in the OCSP response.
+
+=item B<-resp_key_id>
+
+Identify the signer certificate using the key ID, default is to use the subject name.
+
+=item B<-rkey file>
+
+The private key to sign OCSP responses with: if not present the file specified in the
+B<rsigner> option is used.
+
+=item B<-port portnum>
+
+Port to listen for OCSP requests on. The port may also be specified using the B<url>
+option.
+
+=item B<-nrequest number>
+
+The OCSP server will exit after receiving B<number> requests, default unlimited. 
+
+=item B<-nmin minutes>, B<-ndays days>
+
+Number of minutes or days when fresh revocation information is available: used in the
+B<nextUpdate> field. If neither option is present then the B<nextUpdate> field is 
+omitted meaning fresh revocation information is immediately available.
+
+=back
+
+=head1 OCSP Response verification.
+
+OCSP Response follows the rules specified in RFC2560.
+
+Initially the OCSP responder certificate is located and the signature on
+the OCSP request checked using the responder certificate's public key.
+
+Then a normal certificate verify is performed on the OCSP responder certificate
+building up a certificate chain in the process. The locations of the trusted
+certificates used to build the chain can be specified by the B<CAfile>
+and B<CApath> options or they will be looked for in the standard OpenSSL
+certificates directory.
+
+If the initial verify fails then the OCSP verify process halts with an
+error.
+
+Otherwise the issuing CA certificate in the request is compared to the OCSP
+responder certificate: if there is a match then the OCSP verify succeeds.
+
+Otherwise the OCSP responder certificate's CA is checked against the issuing
+CA certificate in the request. If there is a match and the OCSPSigning
+extended key usage is present in the OCSP responder certificate then the
+OCSP verify succeeds.
+
+Otherwise the root CA of the OCSP responders CA is checked to see if it
+is trusted for OCSP signing. If it is the OCSP verify succeeds.
+
+If none of these checks is successful then the OCSP verify fails.
+
+What this effectively means if that if the OCSP responder certificate is
+authorised directly by the CA it is issuing revocation information about
+(and it is correctly configured) then verification will succeed.
+
+If the OCSP responder is a "global responder" which can give details about
+multiple CAs and has its own separate certificate chain then its root
+CA can be trusted for OCSP signing. For example:
+
+ openssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem
+
+Alternatively the responder certificate itself can be explicitly trusted
+with the B<-VAfile> option.
+
+=head1 NOTES
+
+As noted, most of the verify options are for testing or debugging purposes.
+Normally only the B<-CApath>, B<-CAfile> and (if the responder is a 'global
+VA') B<-VAfile> options need to be used.
+
+The OCSP server is only useful for test and demonstration purposes: it is
+not really usable as a full OCSP responder. It contains only a very
+simple HTTP request handling and can only handle the POST form of OCSP
+queries. It also handles requests serially meaning it cannot respond to
+new requests until it has processed the current one. The text index file
+format of revocation is also inefficient for large quantities of revocation
+data.
+
+It is possible to run the B<ocsp> application in responder mode via a CGI
+script using the B<respin> and B<respout> options.
+
+=head1 EXAMPLES
+
+Create an OCSP request and write it to a file:
+
+ openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der
+
+Send a query to an OCSP responder with URL http://ocsp.myhost.com/ save the 
+response to a file and print it out in text form
+
+ openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \
+     -url http://ocsp.myhost.com/ -resp_text -respout resp.der
+
+Read in an OCSP response and print out text form:
+
+ openssl ocsp -respin resp.der -text
+
+OCSP server on port 8888 using a standard B<ca> configuration, and a separate
+responder certificate. All requests and responses are printed to a file.
+
+ openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem
+        -text -out log.txt
+
+As above but exit after processing one request:
+
+ openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem
+     -nrequest 1
+
+Query status information using internally generated request:
+
+ openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem
+     -issuer demoCA/cacert.pem -serial 1
+
+Query status information using request read from a file, write response to a
+second file.
+
+ openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem
+     -reqin req.der -respout resp.der
diff --git a/src/lib/libssl/src/doc/apps/openssl.pod b/src/lib/libssl/src/doc/apps/openssl.pod
new file mode 100644
index 0000000000..9b1320606b
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/openssl.pod
@@ -0,0 +1,298 @@
+
+=pod
+
+=head1 NAME
+
+openssl - OpenSSL command line tool
+
+=head1 SYNOPSIS
+
+B<openssl>
+I<command>
+[ I<command_opts> ]
+[ I<command_args> ]
+
+=head1 DESCRIPTION
+
+OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL
+v2/v3) and Transport Layer Security (TLS v1) network protocols and related
+cryptography standards required by them.
+
+The B<openssl> program is a command line tool for using the various
+cryptography functions of OpenSSL's B<crypto> library from the shell. 
+It can be used for 
+
+ o  Creation of RSA, DH and DSA key parameters
+ o  Creation of X.509 certificates, CSRs and CRLs 
+ o  Calculation of Message Digests
+ o  Encryption and Decryption with Ciphers
+ o  SSL/TLS Client and Server Tests
+ o  Handling of S/MIME signed or encrypted mail
+
+=head1 COMMAND SUMMARY
+
+The B<openssl> program provides a rich variety of commands (I<command> in the
+SYNOPSIS above), each of which often has a wealth of options and arguments
+(I<command_opts> and I<command_args> in the SYNOPSIS).
+
+=head2 STANDARD COMMANDS
+
+=over 10
+
+=item L<B<asn1parse>|asn1parse(1)>
+
+Parse an ASN.1 sequence.
+
+=item L<B<ca>|ca(1)>
+
+Certificate Authority (CA) Management.  
+
+=item L<B<ciphers>|ciphers(1)>
+
+Cipher Suite Description Determination.
+
+=item L<B<crl>|crl(1)>
+
+Certificate Revocation List (CRL) Management.
+
+=item L<B<crl2pkcs7>|crl2pkcs7(1)>
+
+CRL to PKCS#7 Conversion.
+
+=item L<B<dgst>|dgst(1)>
+
+Message Digest Calculation.
+
+=item L<B<dh>|dh(1)>
+
+Diffie-Hellman Data Management.
+
+=item L<B<dsa>|dsa(1)>
+
+DSA Data Management.
+
+=item L<B<dsaparam>|dsaparam(1)>
+
+DSA Parameter Generation.
+
+=item L<B<enc>|enc(1)>
+
+Encoding with Ciphers.
+
+=item L<B<errstr>|errstr(1)>
+
+Error Number to Error String Conversion.
+
+=item L<B<gendh>|gendh(1)>
+
+Generation of Diffie-Hellman Parameters.
+
+=item L<B<gendsa>|gendsa(1)>
+
+Generation of DSA Parameters.
+
+=item L<B<genrsa>|genrsa(1)>
+
+Generation of RSA Parameters.
+
+=item L<B<passwd>|passwd(1)>
+
+Generation of hashed passwords.
+
+=item L<B<pkcs7>|pkcs7(1)>
+
+PKCS#7 Data Management.
+
+=item L<B<req>|req(1)>
+
+X.509 Certificate Signing Request (CSR) Management.
+
+=item L<B<rsa>|rsa(1)>
+
+RSA Data Management.
+
+=item L<B<s_client>|s_client(1)>
+
+This implements a generic SSL/TLS client which can establish a transparent
+connection to a remote server speaking SSL/TLS. It's intended for testing
+purposes only and provides only rudimentary interface functionality but
+internally uses mostly all functionality of the OpenSSL B<ssl> library.
+
+=item L<B<s_server>|s_server(1)>
+
+This implements a generic SSL/TLS server which accepts connections from remote
+clients speaking SSL/TLS. It's intended for testing purposes only and provides
+only rudimentary interface functionality but internally uses mostly all
+functionality of the OpenSSL B<ssl> library.  It provides both an own command
+line oriented protocol for testing SSL functions and a simple HTTP response
+facility to emulate an SSL/TLS-aware webserver.
+
+=item L<B<s_time>|s_time(1)>
+
+SSL Connection Timer.
+
+=item L<B<sess_id>|sess_id(1)>
+
+SSL Session Data Management.
+
+=item L<B<smime>|smime(1)>
+
+S/MIME mail processing.
+
+=item L<B<speed>|speed(1)>
+
+Algorithm Speed Measurement.
+
+=item L<B<verify>|verify(1)>
+
+X.509 Certificate Verification.
+
+=item L<B<version>|version(1)>
+
+OpenSSL Version Information.
+
+=item L<B<x509>|x509(1)>
+
+X.509 Certificate Data Management.
+
+=back
+
+=head2 MESSAGE DIGEST COMMANDS
+
+=over 10
+
+=item B<md2>
+
+MD2 Digest
+
+=item B<md5>
+
+MD5 Digest
+
+=item B<mdc2>
+
+MDC2 Digest
+
+=item B<rmd160>
+
+RMD-160 Digest
+
+=item B<sha>            
+
+SHA Digest
+
+=item B<sha1>           
+
+SHA-1 Digest
+
+=back
+
+=head2 ENCODING AND CIPHER COMMANDS
+
+=over 10
+
+=item B<base64>
+
+Base64 Encoding
+
+=item B<bf bf-cbc bf-cfb bf-ecb bf-ofb>
+
+Blowfish Cipher
+
+=item B<cast cast-cbc>
+
+CAST Cipher
+
+=item B<cast5-cbc cast5-cfb cast5-ecb cast5-ofb>
+
+CAST5 Cipher
+
+=item B<des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb>
+
+DES Cipher
+
+=item B<des3 desx des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb>
+
+Triple-DES Cipher
+
+=item B<idea idea-cbc idea-cfb idea-ecb idea-ofb>
+
+IDEA Cipher
+
+=item B<rc2 rc2-cbc rc2-cfb rc2-ecb rc2-ofb>
+
+RC2 Cipher
+
+=item B<rc4>
+
+RC4 Cipher
+
+=item B<rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb>
+
+RC5 Cipher
+
+=back
+
+=head1 PASS PHRASE ARGUMENTS
+
+Several commands accept password arguments, typically using B<-passin>
+and B<-passout> for input and output passwords respectively. These allow
+the password to be obtained from a variety of sources. Both of these
+options take a single argument whose format is described below. If no
+password argument is given and a password is required then the user is
+prompted to enter one: this will typically be read from the current
+terminal with echoing turned off.
+
+=over 10
+
+=item B<pass:password>
+
+the actual password is B<password>. Since the password is visible
+to utilities (like 'ps' under Unix) this form should only be used
+where security is not important.
+
+=item B<env:var>
+
+obtain the password from the environment variable B<var>. Since
+the environment of other processes is visible on certain platforms
+(e.g. ps under certain Unix OSes) this option should be used with caution.
+
+=item B<file:pathname>
+
+the first line of B<pathname> is the password. If the same B<pathname>
+argument is supplied to B<-passin> and B<-passout> arguments then the first
+line will be used for the input password and the next line for the output
+password. B<pathname> need not refer to a regular file: it could for example
+refer to a device or named pipe.
+
+=item B<fd:number>
+
+read the password from the file descriptor B<number>. This can be used to
+send the data via a pipe for example.
+
+=item B<stdin>
+
+read the password from standard input.
+
+=back
+
+=head1 SEE ALSO
+
+L<asn1parse(1)|asn1parse(1)>, L<ca(1)|ca(1)>, L<config(5)|config(5)>,
+L<crl(1)|crl(1)>, L<crl2pkcs7(1)|crl2pkcs7(1)>, L<dgst(1)|dgst(1)>,
+L<dhparam(1)|dhparam(1)>, L<dsa(1)|dsa(1)>, L<dsaparam(1)|dsaparam(1)>,
+L<enc(1)|enc(1)>, L<gendsa(1)|gendsa(1)>,
+L<genrsa(1)|genrsa(1)>, L<nseq(1)|nseq(1)>, L<openssl(1)|openssl(1)>,
+L<passwd(1)|passwd(1)>,
+L<pkcs12(1)|pkcs12(1)>, L<pkcs7(1)|pkcs7(1)>, L<pkcs8(1)|pkcs8(1)>,
+L<req(1)|req(1)>, L<rsa(1)|rsa(1)>, L<s_client(1)|s_client(1)>,
+L<s_server(1)|s_server(1)>, L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>,
+L<verify(1)|verify(1)>, L<version(1)|version(1)>, L<x509(1)|x509(1)>,
+L<crypto(3)|crypto(3)>, L<ssl(3)|ssl(3)> 
+
+=head1 HISTORY
+
+The openssl(1) document appeared in OpenSSL 0.9.2
+
+=cut
+
diff --git a/src/lib/libssl/src/doc/apps/passwd.pod b/src/lib/libssl/src/doc/apps/passwd.pod
new file mode 100644
index 0000000000..cee6a2f172
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/passwd.pod
@@ -0,0 +1,69 @@
+=pod
+
+=head1 NAME
+
+passwd - compute password hashes
+
+=head1 SYNOPSIS
+
+B<openssl passwd>
+[B<-crypt>]
+[B<-apr1>]
+[B<-salt> I<string>]
+[B<-in> I<file>]
+[B<-stdin>]
+[B<-quiet>]
+[B<-table>]
+{I<password>}
+
+=head1 DESCRIPTION
+
+The B<passwd> command computes the hash of a password typed at
+run-time or the hash of each password in a list.  The password list is
+taken from the named file for option B<-in file>, from stdin for
+option B<-stdin>, and from the command line otherwise.
+The Unix standard algorithm B<crypt> and the MD5-based B<apr1> algorithm
+are available.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-crypt>
+
+Use the B<crypt> algorithm (default).
+
+=item B<-apr1>
+
+Use the B<apr1> algorithm.
+
+=item B<-salt> I<string>
+
+Use the specified salt.
+
+=item B<-in> I<file>
+
+Read passwords from I<file>.
+
+=item B<-stdin>
+
+Read passwords from B<stdin>.
+
+=item B<-quiet>
+
+Don't output warnings when passwords given at the command line are truncated.
+
+=item B<-table>
+
+In the output list, prepend the cleartext password and a TAB character
+to each password hash.
+
+=back
+
+=head1 EXAMPLES
+
+B<openssl passwd -crypt -salt xx password> prints B<xxj31ZMTZzkVA>.
+
+B<openssl passwd -apr1 -salt xxxxxxxx password> prints B<$apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0>.
+
+=cut
diff --git a/src/lib/libssl/src/doc/apps/pkcs12.pod b/src/lib/libssl/src/doc/apps/pkcs12.pod
new file mode 100644
index 0000000000..241f9c4a8b
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/pkcs12.pod
@@ -0,0 +1,310 @@
+
+=pod
+
+=head1 NAME
+
+pkcs12 - PKCS#12 file utility
+
+=head1 SYNOPSIS
+
+B<openssl> B<pkcs12>
+[B<-export>]
+[B<-chain>]
+[B<-inkey filename>]
+[B<-certfile filename>]
+[B<-name name>]
+[B<-caname name>]
+[B<-in filename>]
+[B<-out filename>]
+[B<-noout>]
+[B<-nomacver>]
+[B<-nocerts>]
+[B<-clcerts>]
+[B<-cacerts>]
+[B<-nokeys>]
+[B<-info>]
+[B<-des>]
+[B<-des3>]
+[B<-idea>]
+[B<-nodes>]
+[B<-noiter>]
+[B<-maciter>]
+[B<-twopass>]
+[B<-descert>]
+[B<-certpbe>]
+[B<-keypbe>]
+[B<-keyex>]
+[B<-keysig>]
+[B<-password arg>]
+[B<-passin arg>]
+[B<-passout arg>]
+[B<-rand file(s)>]
+
+=head1 DESCRIPTION
+
+The B<pkcs12> command allows PKCS#12 files (sometimes referred to as
+PFX files) to be created and parsed. PKCS#12 files are used by several
+programs including Netscape, MSIE and MS Outlook.
+
+=head1 COMMAND OPTIONS
+
+There are a lot of options the meaning of some depends of whether a PKCS#12 file
+is being created or parsed. By default a PKCS#12 file is parsed a PKCS#12
+file can be created by using the B<-export> option (see below).
+
+=head1 PARSING OPTIONS
+
+=over 4
+
+=item B<-in filename>
+
+This specifies filename of the PKCS#12 file to be parsed. Standard input is used
+by default.
+
+=item B<-out filename>
+
+The filename to write certificates and private keys to, standard output by default.
+They are all written in PEM format.
+
+=item B<-pass arg>, B<-passin arg>
+
+the PKCS#12 file (i.e. input file) password source. For more information about the
+format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
+L<openssl(1)|openssl(1)>.
+
+=item B<-passout arg>
+
+pass phrase source to encrypt any outputed private keys with. For more information
+about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
+L<openssl(1)|openssl(1)>.
+
+=item B<-noout>
+
+this option inhibits output of the keys and certificates to the output file version
+of the PKCS#12 file.
+
+=item B<-clcerts>
+
+only output client certificates (not CA certificates).
+
+=item B<-cacerts>
+
+only output CA certificates (not client certificates).
+
+=item B<-nocerts>
+
+no certificates at all will be output.
+
+=item B<-nokeys>
+
+no private keys will be output.
+
+=item B<-info>
+
+output additional information about the PKCS#12 file structure, algorithms used and
+iteration counts.
+
+=item B<-des>
+
+use DES to encrypt private keys before outputting.
+
+=item B<-des3>
+
+use triple DES to encrypt private keys before outputting, this is the default.
+
+=item B<-idea>
+
+use IDEA to encrypt private keys before outputting.
+
+=item B<-nodes>
+
+don't encrypt the private keys at all.
+
+=item B<-nomacver>
+
+don't attempt to verify the integrity MAC before reading the file.
+
+=item B<-twopass>
+
+prompt for separate integrity and encryption passwords: most software
+always assumes these are the same so this option will render such
+PKCS#12 files unreadable.
+
+=back
+
+=head1 FILE CREATION OPTIONS
+
+=over 4
+
+=item B<-export>
+
+This option specifies that a PKCS#12 file will be created rather than
+parsed.
+
+=item B<-out filename>
+
+This specifies filename to write the PKCS#12 file to. Standard output is used
+by default.
+
+=item B<-in filename>
+
+The filename to read certificates and private keys from, standard input by default.
+They must all be in PEM format. The order doesn't matter but one private key and
+its corresponding certificate should be present. If additional certificates are
+present they will also be included in the PKCS#12 file.
+
+=item B<-inkey filename>
+
+file to read private key from. If not present then a private key must be present
+in the input file.
+
+=item B<-name friendlyname>
+
+This specifies the "friendly name" for the certificate and private key. This name
+is typically displayed in list boxes by software importing the file.
+
+=item B<-certfile filename>
+
+A filename to read additional certificates from.
+
+=item B<-caname friendlyname>
+
+This specifies the "friendly name" for other certificates. This option may be
+used multiple times to specify names for all certificates in the order they
+appear. Netscape ignores friendly names on other certificates whereas MSIE
+displays them.
+
+=item B<-pass arg>, B<-passout arg>
+
+the PKCS#12 file (i.e. output file) password source. For more information about
+the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
+L<openssl(1)|openssl(1)>.
+
+=item B<-passin password>
+
+pass phrase source to decrypt any input private keys with. For more information
+about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
+L<openssl(1)|openssl(1)>.
+
+=item B<-chain>
+
+if this option is present then an attempt is made to include the entire
+certificate chain of the user certificate. The standard CA store is used
+for this search. If the search fails it is considered a fatal error.
+
+=item B<-descert>
+
+encrypt the certificate using triple DES, this may render the PKCS#12
+file unreadable by some "export grade" software. By default the private
+key is encrypted using triple DES and the certificate using 40 bit RC2.
+
+=item B<-keypbe alg>, B<-certpbe alg>
+
+these options allow the algorithm used to encrypt the private key and
+certificates to be selected. Although any PKCS#5 v1.5 or PKCS#12 algorithms
+can be selected it is advisable only to use PKCS#12 algorithms. See the list
+in the B<NOTES> section for more information.
+
+=item B<-keyex|-keysig>
+
+specifies that the private key is to be used for key exchange or just signing.
+This option is only interpreted by MSIE and similar MS software. Normally
+"export grade" software will only allow 512 bit RSA keys to be used for
+encryption purposes but arbitrary length keys for signing. The B<-keysig>
+option marks the key for signing only. Signing only keys can be used for
+S/MIME signing, authenticode (ActiveX control signing)  and SSL client
+authentication, however due to a bug only MSIE 5.0 and later support
+the use of signing only keys for SSL client authentication.
+
+=item B<-nomaciter>, B<-noiter>
+
+these options affect the iteration counts on the MAC and key algorithms.
+Unless you wish to produce files compatible with MSIE 4.0 you should leave
+these options alone.
+
+To discourage attacks by using large dictionaries of common passwords the
+algorithm that derives keys from passwords can have an iteration count applied
+to it: this causes a certain part of the algorithm to be repeated and slows it
+down. The MAC is used to check the file integrity but since it will normally
+have the same password as the keys and certificates it could also be attacked.
+By default both MAC and encryption iteration counts are set to 2048, using
+these options the MAC and encryption iteration counts can be set to 1, since
+this reduces the file security you should not use these options unless you
+really have to. Most software supports both MAC and key iteration counts.
+MSIE 4.0 doesn't support MAC iteration counts so it needs the B<-nomaciter>
+option.
+
+=item B<-maciter>
+
+This option is included for compatibility with previous versions, it used
+to be needed to use MAC iterations counts but they are now used by default.
+
+=item B<-rand file(s)>
+
+a file or files containing random data used to seed the random number
+generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVSM, and B<:> for
+all others.
+
+=back
+
+=head1 NOTES
+
+Although there are a large number of options most of them are very rarely
+used. For PKCS#12 file parsing only B<-in> and B<-out> need to be used
+for PKCS#12 file creation B<-export> and B<-name> are also used.
+
+If none of the B<-clcerts>, B<-cacerts> or B<-nocerts> options are present
+then all certificates will be output in the order they appear in the input
+PKCS#12 files. There is no guarantee that the first certificate present is
+the one corresponding to the private key. Certain software which requires
+a private key and certificate and assumes the first certificate in the
+file is the one corresponding to the private key: this may not always
+be the case. Using the B<-clcerts> option will solve this problem by only
+outputing the certificate corresponding to the private key. If the CA
+certificates are required then they can be output to a separate file using
+the B<-nokeys -cacerts> options to just output CA certificates.
+
+The B<-keypbe> and B<-certpbe> algorithms allow the precise encryption
+algorithms for private keys and certificates to be specified. Normally
+the defaults are fine but occasionally software can't handle triple DES
+encrypted private keys, then the option B<-keypbe PBE-SHA1-RC2-40> can
+be used to reduce the private key encryption to 40 bit RC2. A complete
+description of all algorithms is contained in the B<pkcs8> manual page.
+
+=head1 EXAMPLES
+
+Parse a PKCS#12 file and output it to a file:
+
+ openssl pkcs12 -in file.p12 -out file.pem
+
+Output only client certificates to a file:
+
+ openssl pkcs12 -in file.p12 -clcerts -out file.pem
+
+Don't encrypt the private key:
+ 
+ openssl pkcs12 -in file.p12 -out file.pem -nodes
+
+Print some info about a PKCS#12 file:
+
+ openssl pkcs12 -in file.p12 -info -noout
+
+Create a PKCS#12 file:
+
+ openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate"
+
+Include some extra certificates:
+
+ openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" \
+  -certfile othercerts.pem
+
+=head1 BUGS
+
+Some would argue that the PKCS#12 standard is one big bug :-)
+
+=head1 SEE ALSO
+
+L<pkcs8(1)|pkcs8(1)>
+
diff --git a/src/lib/libssl/src/doc/apps/pkcs7.pod b/src/lib/libssl/src/doc/apps/pkcs7.pod
new file mode 100644
index 0000000000..4e9bd6e46b
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/pkcs7.pod
@@ -0,0 +1,97 @@
+=pod
+
+=head1 NAME
+
+pkcs7 - PKCS#7 utility
+
+=head1 SYNOPSIS
+
+B<openssl> B<pkcs7>
+[B<-inform PEM|DER>]
+[B<-outform PEM|DER>]
+[B<-in filename>]
+[B<-out filename>]
+[B<-print_certs>]
+[B<-text>]
+[B<-noout>]
+
+=head1 DESCRIPTION
+
+The B<pkcs7> command processes PKCS#7 files in DER or PEM format.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-inform DER|PEM>
+
+This specifies the input format. B<DER> format is DER encoded PKCS#7
+v1.5 structure.B<PEM> (the default) is a base64 encoded version of
+the DER form with header and footer lines.
+
+=item B<-outform DER|PEM>
+
+This specifies the output format, the options have the same meaning as the 
+B<-inform> option.
+
+=item B<-in filename>
+
+This specifies the input filename to read from or standard input if this
+option is not specified.
+
+=item B<-out filename>
+
+specifies the output filename to write to or standard output by
+default.
+
+=item B<-print_certs>
+
+prints out any certificates or CRLs contained in the file. They are
+preceded by their subject and issuer names in one line format.
+
+=item B<-text>
+
+prints out certificates details in full rather than just subject and
+issuer names.
+
+=item B<-noout>
+
+don't output the encoded version of the PKCS#7 structure (or certificates
+is B<-print_certs> is set).
+
+=back
+
+=head1 EXAMPLES
+
+Convert a PKCS#7 file from PEM to DER:
+
+ openssl pkcs7 -in file.pem -outform DER -out file.der
+
+Output all certificates in a file:
+
+ openssl pkcs7 -in file.pem -print_certs -out certs.pem
+
+=head1 NOTES
+
+The PEM PKCS#7 format uses the header and footer lines:
+
+ -----BEGIN PKCS7-----
+ -----END PKCS7-----
+
+For compatability with some CAs it will also accept:
+
+ -----BEGIN CERTIFICATE-----
+ -----END CERTIFICATE-----
+
+=head1 RESTRICTIONS
+
+There is no option to print out all the fields of a PKCS#7 file.
+
+This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in RFC2315 they 
+cannot currently parse, for example, the new CMS as described in RFC2630.
+
+=head1 SEE ALSO
+
+L<crl2pkcs7(1)|crl2pkcs7(1)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/apps/pkcs8.pod b/src/lib/libssl/src/doc/apps/pkcs8.pod
new file mode 100644
index 0000000000..a56b2dd002
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/pkcs8.pod
@@ -0,0 +1,235 @@
+=pod
+
+=head1 NAME
+
+pkcs8 - PKCS#8 format private key conversion tool
+
+=head1 SYNOPSIS
+
+B<openssl> B<pkcs8>
+[B<-topk8>]
+[B<-inform PEM|DER>]
+[B<-outform PEM|DER>]
+[B<-in filename>]
+[B<-passin arg>]
+[B<-out filename>]
+[B<-passout arg>]
+[B<-noiter>]
+[B<-nocrypt>]
+[B<-nooct>]
+[B<-embed>]
+[B<-nsdb>]
+[B<-v2 alg>]
+[B<-v1 alg>]
+
+=head1 DESCRIPTION
+
+The B<pkcs8> command processes private keys in PKCS#8 format. It can handle
+both unencrypted PKCS#8 PrivateKeyInfo format and EncryptedPrivateKeyInfo
+format with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-topk8>
+
+Normally a PKCS#8 private key is expected on input and a traditional format
+private key will be written. With the B<-topk8> option the situation is
+reversed: it reads a traditional format private key and writes a PKCS#8
+format key.
+
+=item B<-inform DER|PEM>
+
+This specifies the input format. If a PKCS#8 format key is expected on input
+then either a B<DER> or B<PEM> encoded version of a PKCS#8 key will be
+expected. Otherwise the B<DER> or B<PEM> format of the traditional format
+private key is used.
+
+=item B<-outform DER|PEM>
+
+This specifies the output format, the options have the same meaning as the 
+B<-inform> option.
+
+=item B<-in filename>
+
+This specifies the input filename to read a key from or standard input if this
+option is not specified. If the key is encrypted a pass phrase will be
+prompted for.
+
+=item B<-passin arg>
+
+the input file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
+=item B<-out filename>
+
+This specifies the output filename to write a key to or standard output by
+default. If any encryption options are set then a pass phrase will be
+prompted for. The output filename should B<not> be the same as the input
+filename.
+
+=item B<-passout arg>
+
+the output file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
+=item B<-nocrypt>
+
+PKCS#8 keys generated or input are normally PKCS#8 EncryptedPrivateKeyInfo
+structures using an appropriate password based encryption algorithm. With
+this option an unencrypted PrivateKeyInfo structure is expected or output.
+This option does not encrypt private keys at all and should only be used
+when absolutely necessary. Certain software such as some versions of Java
+code signing software used unencrypted private keys.
+
+=item B<-nooct>
+
+This option generates RSA private keys in a broken format that some software
+uses. Specifically the private key should be enclosed in a OCTET STRING
+but some software just includes the structure itself without the
+surrounding OCTET STRING.
+
+=item B<-embed>
+
+This option generates DSA keys in a broken format. The DSA parameters are
+embedded inside the PrivateKey structure. In this form the OCTET STRING
+contains an ASN1 SEQUENCE consisting of two structures: a SEQUENCE containing
+the parameters and an ASN1 INTEGER containing the private key.
+
+=item B<-nsdb>
+
+This option generates DSA keys in a broken format compatible with Netscape
+private key databases. The PrivateKey contains a SEQUENCE consisting of
+the public and private keys respectively.
+
+=item B<-v2 alg>
+
+This option enables the use of PKCS#5 v2.0 algorithms. Normally PKCS#8
+private keys are encrypted with the password based encryption algorithm
+called B<pbeWithMD5AndDES-CBC> this uses 56 bit DES encryption but it
+was the strongest encryption algorithm supported in PKCS#5 v1.5. Using 
+the B<-v2> option PKCS#5 v2.0 algorithms are used which can use any
+encryption algorithm such as 168 bit triple DES or 128 bit RC2 however
+not many implementations support PKCS#5 v2.0 yet. If you are just using
+private keys with OpenSSL then this doesn't matter.
+
+The B<alg> argument is the encryption algorithm to use, valid values include
+B<des>, B<des3> and B<rc2>. It is recommended that B<des3> is used.
+
+=item B<-v1 alg>
+
+This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use. A complete
+list of possible algorithms is included below.
+
+=back
+
+=head1 NOTES
+
+The encrypted form of a PEM encode PKCS#8 files uses the following
+headers and footers:
+
+ -----BEGIN ENCRYPTED PRIVATE KEY-----
+ -----END ENCRYPTED PRIVATE KEY-----
+
+The unencrypted form uses:
+
+ -----BEGIN PRIVATE KEY-----
+ -----END PRIVATE KEY-----
+
+Private keys encrypted using PKCS#5 v2.0 algorithms and high iteration
+counts are more secure that those encrypted using the traditional
+SSLeay compatible formats. So if additional security is considered
+important the keys should be converted.
+
+The default encryption is only 56 bits because this is the encryption
+that most current implementations of PKCS#8 will support.
+
+Some software may use PKCS#12 password based encryption algorithms
+with PKCS#8 format private keys: these are handled automatically
+but there is no option to produce them.
+
+It is possible to write out DER encoded encrypted private keys in
+PKCS#8 format because the encryption details are included at an ASN1
+level whereas the traditional format includes them at a PEM level.
+
+=head1 PKCS#5 v1.5 and PKCS#12 algorithms.
+
+Various algorithms can be used with the B<-v1> command line option,
+including PKCS#5 v1.5 and PKCS#12. These are described in more detail
+below.
+
+=over 4
+
+=item B<PBE-MD2-DES PBE-MD5-DES>
+
+These algorithms were included in the original PKCS#5 v1.5 specification.
+They only offer 56 bits of protection since they both use DES.
+
+=item B<PBE-SHA1-RC2-64 PBE-MD2-RC2-64 PBE-MD5-RC2-64 PBE-SHA1-DES>
+
+These algorithms are not mentioned in the original PKCS#5 v1.5 specification
+but they use the same key derivation algorithm and are supported by some
+software. They are mentioned in PKCS#5 v2.0. They use either 64 bit RC2 or
+56 bit DES.
+
+=item B<PBE-SHA1-RC4-128 PBE-SHA1-RC4-40 PBE-SHA1-3DES PBE-SHA1-2DES PBE-SHA1-RC2-128 PBE-SHA1-RC2-40>
+
+These algorithms use the PKCS#12 password based encryption algorithm and
+allow strong encryption algorithms like triple DES or 128 bit RC2 to be used.
+
+=back
+
+=head1 EXAMPLES
+
+Convert a private from traditional to PKCS#5 v2.0 format using triple
+DES:
+
+ openssl pkcs8 -in key.pem -topk8 -v2 des3 -out enckey.pem
+
+Convert a private key to PKCS#8 using a PKCS#5 1.5 compatible algorithm
+(DES):
+
+ openssl pkcs8 -in key.pem -topk8 -out enckey.pem
+
+Convert a private key to PKCS#8 using a PKCS#12 compatible algorithm
+(3DES):
+
+ openssl pkcs8 -in key.pem -topk8 -out enckey.pem -v1 PBE-SHA1-3DES
+
+Read a DER unencrypted PKCS#8 format private key:
+
+ openssl pkcs8 -inform DER -nocrypt -in key.der -out key.pem
+
+Convert a private key from any PKCS#8 format to traditional format:
+
+ openssl pkcs8 -in pk8.pem -out key.pem
+
+=head1 STANDARDS
+
+Test vectors from this PKCS#5 v2.0 implementation were posted to the
+pkcs-tng mailing list using triple DES, DES and RC2 with high iteration
+counts, several people confirmed that they could decrypt the private
+keys produced and Therefore it can be assumed that the PKCS#5 v2.0
+implementation is reasonably accurate at least as far as these
+algorithms are concerned.
+
+The format of PKCS#8 DSA (and other) private keys is not well documented:
+it is hidden away in PKCS#11 v2.01, section 11.9. OpenSSL's default DSA
+PKCS#8 private key format complies with this standard.
+
+=head1 BUGS
+
+There should be an option that prints out the encryption algorithm
+in use and other details such as the iteration count.
+
+PKCS#8 using triple DES and PKCS#5 v2.0 should be the default private
+key format for OpenSSL: for compatibility several of the utilities use
+the old format at present.
+
+=head1 SEE ALSO
+
+L<dsa(1)|dsa(1)>, L<rsa(1)|rsa(1)>, L<genrsa(1)|genrsa(1)>,
+L<gendsa(1)|gendsa(1)> 
+
+=cut
diff --git a/src/lib/libssl/src/doc/apps/rand.pod b/src/lib/libssl/src/doc/apps/rand.pod
new file mode 100644
index 0000000000..f81eab0457
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/rand.pod
@@ -0,0 +1,50 @@
+=pod
+
+=head1 NAME
+
+rand - generate pseudo-random bytes
+
+=head1 SYNOPSIS
+
+B<openssl rand>
+[B<-out> I<file>]
+[B<-rand> I<file(s)>]
+[B<-base64>]
+I<num>
+
+=head1 DESCRIPTION
+
+The B<rand> command outputs I<num> pseudo-random bytes after seeding
+the random number generater once.  As in other B<openssl> command
+line tools, PRNG seeding uses the file I<$HOME/>B<.rnd> or B<.rnd>
+in addition to the files given in the B<-rand> option.  A new
+I<$HOME>/B<.rnd> or B<.rnd> file will be written back if enough
+seeding was obtained from these sources.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-out> I<file>
+
+Write to I<file> instead of standard output.
+
+=item B<-rand> I<file(s)>
+
+Use specified file or files or EGD socket (see L<RAND_egd(3)|RAND_egd(3)>)
+for seeding the random number generator.
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVSM, and B<:> for
+all others.
+
+=item B<-base64>
+
+Perform base64 encoding on the output.
+
+=back
+
+=head1 SEE ALSO
+
+L<RAND_bytes(3)|RAND_bytes(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/apps/req.pod b/src/lib/libssl/src/doc/apps/req.pod
new file mode 100644
index 0000000000..fde6ff2e9f
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/req.pod
@@ -0,0 +1,528 @@
+
+=pod
+
+=head1 NAME
+
+req - PKCS#10 certificate and certificate generating utility.
+
+=head1 SYNOPSIS
+
+B<openssl> B<req>
+[B<-inform PEM|DER>]
+[B<-outform PEM|DER>]
+[B<-in filename>]
+[B<-passin arg>]
+[B<-out filename>]
+[B<-passout arg>]
+[B<-text>]
+[B<-noout>]
+[B<-verify>]
+[B<-modulus>]
+[B<-new>]
+[B<-newkey rsa:bits>]
+[B<-newkey dsa:file>]
+[B<-nodes>]
+[B<-key filename>]
+[B<-keyform PEM|DER>]
+[B<-keyout filename>]
+[B<-[md5|sha1|md2|mdc2]>]
+[B<-config filename>]
+[B<-x509>]
+[B<-days n>]
+[B<-asn1-kludge>]
+[B<-newhdr>]
+[B<-extensions section>]
+[B<-reqexts section>]
+
+=head1 DESCRIPTION
+
+The B<req> command primarily creates and processes certificate requests
+in PKCS#10 format. It can additionally create self signed certificates
+for use as root CAs for example.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-inform DER|PEM>
+
+This specifies the input format. The B<DER> option uses an ASN1 DER encoded
+form compatible with the PKCS#10. The B<PEM> form is the default format: it
+consists of the B<DER> format base64 encoded with additional header and
+footer lines.
+
+=item B<-outform DER|PEM>
+
+This specifies the output format, the options have the same meaning as the 
+B<-inform> option.
+
+=item B<-in filename>
+
+This specifies the input filename to read a request from or standard input
+if this option is not specified. A request is only read if the creation
+options (B<-new> and B<-newkey>) are not specified.
+
+=item B<-passin arg>
+
+the input file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
+=item B<-out filename>
+
+This specifies the output filename to write to or standard output by
+default.
+
+=item B<-passout arg>
+
+the output file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
+=item B<-text>
+
+prints out the certificate request in text form.
+
+=item B<-noout>
+
+this option prevents output of the encoded version of the request.
+
+=item B<-modulus>
+
+this option prints out the value of the modulus of the public key
+contained in the request.
+
+=item B<-verify>
+
+verifies the signature on the request.
+
+=item B<-new>
+
+this option generates a new certificate request. It will prompt
+the user for the relevant field values. The actual fields
+prompted for and their maximum and minimum sizes are specified
+in the configuration file and any requested extensions.
+
+If the B<-key> option is not used it will generate a new RSA private
+key using information specified in the configuration file.
+
+=item B<-newkey arg>
+
+this option creates a new certificate request and a new private
+key. The argument takes one of two forms. B<rsa:nbits>, where
+B<nbits> is the number of bits, generates an RSA key B<nbits>
+in size. B<dsa:filename> generates a DSA key using the parameters
+in the file B<filename>.
+
+=item B<-key filename>
+
+This specifies the file to read the private key from. It also
+accepts PKCS#8 format private keys for PEM format files.
+
+=item B<-keyform PEM|DER>
+
+the format of the private key file specified in the B<-key>
+argument. PEM is the default.
+
+=item B<-keyout filename>
+
+this gives the filename to write the newly created private key to.
+If this option is not specified then the filename present in the
+configuration file is used.
+
+=item B<-nodes>
+
+if this option is specified then if a private key is created it
+will not be encrypted.
+
+=item B<-[md5|sha1|md2|mdc2]>
+
+this specifies the message digest to sign the request with. This
+overrides the digest algorithm specified in the configuration file.
+This option is ignored for DSA requests: they always use SHA1.
+
+=item B<-config filename>
+
+this allows an alternative configuration file to be specified,
+this overrides the compile time filename or any specified in
+the B<OPENSSL_CONF> environment variable.
+
+=item B<-x509>
+
+this option outputs a self signed certificate instead of a certificate
+request. This is typically used to generate a test certificate or
+a self signed root CA. The extensions added to the certificate
+(if any) are specified in the configuration file.
+
+=item B<-days n>
+
+when the B<-x509> option is being used this specifies the number of
+days to certify the certificate for. The default is 30 days.
+
+=item B<-extensions section>
+=item B<-reqexts section>
+
+these options specify alternative sections to include certificate
+extensions (if the B<-x509> option is present) or certificate
+request extensions. This allows several different sections to
+be used in the same configuration file to specify requests for
+a variety of purposes.
+
+=item B<-asn1-kludge>
+
+by default the B<req> command outputs certificate requests containing
+no attributes in the correct PKCS#10 format. However certain CAs will only
+accept requests containing no attributes in an invalid form: this
+option produces this invalid format.
+
+More precisely the B<Attributes> in a PKCS#10 certificate request
+are defined as a B<SET OF Attribute>. They are B<not OPTIONAL> so
+if no attributes are present then they should be encoded as an
+empty B<SET OF>. The invalid form does not include the empty
+B<SET OF> whereas the correct form does.
+
+It should be noted that very few CAs still require the use of this option.
+
+=item B<-newhdr>
+
+Adds the word B<NEW> to the PEM file header and footer lines on the outputed
+request. Some software (Netscape certificate server) and some CAs need this.
+
+=back
+
+=head1 CONFIGURATION FILE FORMAT
+
+The configuration options are specified in the B<req> section of
+the configuration file. As with all configuration files if no
+value is specified in the specific section (i.e. B<req>) then
+the initial unnamed or B<default> section is searched too.
+
+The options available are described in detail below.
+
+=over 4
+
+=item B<input_password output_password>
+
+The passwords for the input private key file (if present) and
+the output private key file (if one will be created). The
+command line options B<passin> and B<passout> override the
+configuration file values.
+
+=item B<default_bits>
+
+This specifies the default key size in bits. If not specified then
+512 is used. It is used if the B<-new> option is used. It can be
+overridden by using the B<-newkey> option.
+
+=item B<default_keyfile>
+
+This is the default filename to write a private key to. If not
+specified the key is written to standard output. This can be
+overridden by the B<-keyout> option.
+
+=item B<oid_file>
+
+This specifies a file containing additional B<OBJECT IDENTIFIERS>.
+Each line of the file should consist of the numerical form of the
+object identifier followed by white space then the short name followed
+by white space and finally the long name. 
+
+=item B<oid_section>
+
+This specifies a section in the configuration file containing extra
+object identifiers. Each line should consist of the short name of the
+object identifier followed by B<=> and the numerical form. The short
+and long names are the same when this option is used.
+
+=item B<RANDFILE>
+
+This specifies a filename in which random number seed information is
+placed and read from, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+It is used for private key generation.
+
+=item B<encrypt_key>
+
+If this is set to B<no> then if a private key is generated it is
+B<not> encrypted. This is equivalent to the B<-nodes> command line
+option. For compatibility B<encrypt_rsa_key> is an equivalent option.
+
+=item B<default_md>
+
+This option specifies the digest algorithm to use. Possible values
+include B<md5 sha1 mdc2>. If not present then MD5 is used. This
+option can be overridden on the command line.
+
+=item B<string_mask>
+
+This option masks out the use of certain string types in certain
+fields. Most users will not need to change this option.
+
+It can be set to several values B<default> which is also the default
+option uses PrintableStrings, T61Strings and BMPStrings if the 
+B<pkix> value is used then only PrintableStrings and BMPStrings will
+be used. This follows the PKIX recommendation in RFC2459. If the
+B<utf8only> option is used then only UTF8Strings will be used: this
+is the PKIX recommendation in RFC2459 after 2003. Finally the B<nombstr>
+option just uses PrintableStrings and T61Strings: certain software has
+problems with BMPStrings and UTF8Strings: in particular Netscape.
+
+=item B<req_extensions>
+
+this specifies the configuration file section containing a list of
+extensions to add to the certificate request. It can be overridden
+by the B<-reqexts> command line switch.
+
+=item B<x509_extensions>
+
+this specifies the configuration file section containing a list of
+extensions to add to certificate generated when the B<-x509> switch
+is used. It can be overridden by the B<-extensions> command line switch.
+
+=item B<prompt>
+
+if set to the value B<no> this disables prompting of certificate fields
+and just takes values from the config file directly. It also changes the
+expected format of the B<distinguished_name> and B<attributes> sections.
+
+=item B<attributes>
+
+this specifies the section containing any request attributes: its format
+is the same as B<distinguished_name>. Typically these may contain the
+challengePassword or unstructuredName types. They are currently ignored
+by OpenSSL's request signing utilities but some CAs might want them.
+
+=item B<distinguished_name>
+
+This specifies the section containing the distinguished name fields to
+prompt for when generating a certificate or certificate request. The format
+is described in the next section.
+
+=back
+
+=head1 DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT
+
+There are two separate formats for the distinguished name and attribute
+sections. If the B<prompt> option is set to B<no> then these sections
+just consist of field names and values: for example,
+
+ CN=My Name
+ OU=My Organization
+ emailAddress=someone@somewhere.org
+
+This allows external programs (e.g. GUI based) to generate a template file
+with all the field names and values and just pass it to B<req>. An example
+of this kind of configuration file is contained in the B<EXAMPLES> section.
+
+Alternatively if the B<prompt> option is absent or not set to B<no> then the
+file contains field prompting information. It consists of lines of the form:
+
+ fieldName="prompt"
+ fieldName_default="default field value"
+ fieldName_min= 2
+ fieldName_max= 4
+
+"fieldName" is the field name being used, for example commonName (or CN).
+The "prompt" string is used to ask the user to enter the relevant
+details. If the user enters nothing then the default value is used if no
+default value is present then the field is omitted. A field can
+still be omitted if a default value is present if the user just
+enters the '.' character.
+
+The number of characters entered must be between the fieldName_min and
+fieldName_max limits: there may be additional restrictions based
+on the field being used (for example countryName can only ever be
+two characters long and must fit in a PrintableString).
+
+Some fields (such as organizationName) can be used more than once
+in a DN. This presents a problem because configuration files will
+not recognize the same name occurring twice. To avoid this problem
+if the fieldName contains some characters followed by a full stop
+they will be ignored. So for example a second organizationName can
+be input by calling it "1.organizationName".
+
+The actual permitted field names are any object identifier short or
+long names. These are compiled into OpenSSL and include the usual
+values such as commonName, countryName, localityName, organizationName,
+organizationUnitName, stateOrPrivinceName. Additionally emailAddress
+is include as well as name, surname, givenName initials and dnQualifier.
+
+Additional object identifiers can be defined with the B<oid_file> or
+B<oid_section> options in the configuration file. Any additional fields
+will be treated as though they were a DirectoryString.
+
+
+=head1 EXAMPLES
+
+Examine and verify certificate request:
+
+ openssl req -in req.pem -text -verify -noout
+
+Create a private key and then generate a certificate request from it:
+
+ openssl genrsa -out key.pem 1024
+ openssl req -new -key key.pem -out req.pem
+
+The same but just using req:
+
+ openssl req -newkey rsa:1024 -keyout key.pem -out req.pem
+
+Generate a self signed root certificate:
+
+ openssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem
+
+Example of a file pointed to by the B<oid_file> option:
+
+ 1.2.3.4        shortName       A longer Name
+ 1.2.3.6        otherName       Other longer Name
+
+Example of a section pointed to by B<oid_section> making use of variable
+expansion:
+
+ testoid1=1.2.3.5
+ testoid2=${testoid1}.6
+
+Sample configuration file prompting for field values:
+
+ [ req ]
+ default_bits           = 1024
+ default_keyfile        = privkey.pem
+ distinguished_name     = req_distinguished_name
+ attributes             = req_attributes
+ x509_extensions        = v3_ca
+
+ dirstring_type = nobmp
+
+ [ req_distinguished_name ]
+ countryName                    = Country Name (2 letter code)
+ countryName_default            = AU
+ countryName_min                = 2
+ countryName_max                = 2
+
+ localityName                   = Locality Name (eg, city)
+
+ organizationalUnitName         = Organizational Unit Name (eg, section)
+
+ commonName                     = Common Name (eg, YOUR name)
+ commonName_max                 = 64
+
+ emailAddress                   = Email Address
+ emailAddress_max               = 40
+
+ [ req_attributes ]
+ challengePassword              = A challenge password
+ challengePassword_min          = 4
+ challengePassword_max          = 20
+
+ [ v3_ca ]
+
+ subjectKeyIdentifier=hash
+ authorityKeyIdentifier=keyid:always,issuer:always
+ basicConstraints = CA:true
+
+Sample configuration containing all field values:
+
+
+ RANDFILE               = $ENV::HOME/.rnd
+
+ [ req ]
+ default_bits           = 1024
+ default_keyfile        = keyfile.pem
+ distinguished_name     = req_distinguished_name
+ attributes             = req_attributes
+ prompt                 = no
+ output_password        = mypass
+
+ [ req_distinguished_name ]
+ C                      = GB
+ ST                     = Test State or Province
+ L                      = Test Locality
+ O                      = Organization Name
+ OU                     = Organizational Unit Name
+ CN                     = Common Name
+ emailAddress           = test@email.address
+
+ [ req_attributes ]
+ challengePassword              = A challenge password
+
+
+=head1 NOTES
+
+The header and footer lines in the B<PEM> format are normally:
+
+ -----BEGIN CERTIFICATE REQUEST----
+ -----END CERTIFICATE REQUEST----
+
+some software (some versions of Netscape certificate server) instead needs:
+
+ -----BEGIN NEW CERTIFICATE REQUEST----
+ -----END NEW CERTIFICATE REQUEST----
+
+which is produced with the B<-newhdr> option but is otherwise compatible.
+Either form is accepted transparently on input.
+
+The certificate requests generated by B<Xenroll> with MSIE have extensions
+added. It includes the B<keyUsage> extension which determines the type of
+key (signature only or general purpose) and any additional OIDs entered
+by the script in an extendedKeyUsage extension.
+
+=head1 DIAGNOSTICS
+
+The following messages are frequently asked about:
+
+        Using configuration from /some/path/openssl.cnf
+        Unable to load config info
+
+This is followed some time later by...
+
+        unable to find 'distinguished_name' in config
+        problems making Certificate Request
+
+The first error message is the clue: it can't find the configuration
+file! Certain operations (like examining a certificate request) don't
+need a configuration file so its use isn't enforced. Generation of
+certificates or requests however does need a configuration file. This
+could be regarded as a bug.
+
+Another puzzling message is this:
+
+        Attributes:
+            a0:00
+
+this is displayed when no attributes are present and the request includes
+the correct empty B<SET OF> structure (the DER encoding of which is 0xa0
+0x00). If you just see:
+
+        Attributes:
+
+then the B<SET OF> is missing and the encoding is technically invalid (but
+it is tolerated). See the description of the command line option B<-asn1-kludge>
+for more information.
+
+=head1 ENVIRONMENT VARIABLES
+
+The variable B<OPENSSL_CONF> if defined allows an alternative configuration
+file location to be specified, it will be overridden by the B<-config> command
+line switch if it is present. For compatibility reasons the B<SSLEAY_CONF>
+environment variable serves the same purpose but its use is discouraged.
+
+=head1 BUGS
+
+OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively
+treats them as ISO-8859-1 (Latin 1), Netscape and MSIE have similar behaviour.
+This can cause problems if you need characters that aren't available in
+PrintableStrings and you don't want to or can't use BMPStrings.
+
+As a consequence of the T61String handling the only correct way to represent
+accented characters in OpenSSL is to use a BMPString: unfortunately Netscape
+currently chokes on these. If you have to use accented characters with Netscape
+and MSIE then you currently need to use the invalid T61String form.
+
+The current prompting is not very friendly. It doesn't allow you to confirm what
+you've just entered. Other things like extensions in certificate requests are
+statically defined in the configuration file. Some of these: like an email
+address in subjectAltName should be input by the user.
+
+=head1 SEE ALSO
+
+L<x509(1)|x509(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>,
+L<gendsa(1)|gendsa(1)>, L<config(5)|config(5)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/apps/rsa.pod b/src/lib/libssl/src/doc/apps/rsa.pod
new file mode 100644
index 0000000000..62ad62e23d
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/rsa.pod
@@ -0,0 +1,156 @@
+
+=pod
+
+=head1 NAME
+
+rsa - RSA key processing tool
+
+=head1 SYNOPSIS
+
+B<openssl> B<rsa>
+[B<-inform PEM|NET|DER>]
+[B<-outform PEM|NET|DER>]
+[B<-in filename>]
+[B<-passin arg>]
+[B<-out filename>]
+[B<-passout arg>]
+[B<-des>]
+[B<-des3>]
+[B<-idea>]
+[B<-text>]
+[B<-noout>]
+[B<-modulus>]
+[B<-check>]
+[B<-pubin>]
+[B<-pubout>]
+
+=head1 DESCRIPTION
+
+The B<rsa> command processes RSA keys. They can be converted between various
+forms and their components printed out. B<Note> this command uses the
+traditional SSLeay compatible format for private key encryption: newer
+applications should use the more secure PKCS#8 format using the B<pkcs8>
+utility.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-inform DER|NET|PEM>
+
+This specifies the input format. The B<DER> option uses an ASN1 DER encoded
+form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format.
+The B<PEM> form is the default format: it consists of the B<DER> format base64
+encoded with additional header and footer lines. On input PKCS#8 format private
+keys are also accepted. The B<NET> form is a format compatible with older Netscape
+servers and MS IIS, this uses unsalted RC4 for its encryption. It is not very
+secure and so should only be used when necessary.
+
+=item B<-outform DER|NET|PEM>
+
+This specifies the output format, the options have the same meaning as the 
+B<-inform> option.
+
+=item B<-in filename>
+
+This specifies the input filename to read a key from or standard input if this
+option is not specified. If the key is encrypted a pass phrase will be
+prompted for.
+
+=item B<-passin arg>
+
+the input file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
+=item B<-out filename>
+
+This specifies the output filename to write a key to or standard output if this
+option is not specified. If any encryption options are set then a pass phrase
+will be prompted for. The output filename should B<not> be the same as the input
+filename.
+
+=item B<-passout password>
+
+the output file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
+=item B<-des|-des3|-idea>
+
+These options encrypt the private key with the DES, triple DES, or the 
+IDEA ciphers respectively before outputting it. A pass phrase is prompted for.
+If none of these options is specified the key is written in plain text. This
+means that using the B<rsa> utility to read in an encrypted key with no
+encryption option can be used to remove the pass phrase from a key, or by
+setting the encryption options it can be use to add or change the pass phrase.
+These options can only be used with PEM format output files.
+
+=item B<-text>
+
+prints out the various public or private key components in
+plain text in addition to the encoded version. 
+
+=item B<-noout>
+
+this option prevents output of the encoded version of the key.
+
+=item B<-modulus>
+
+this option prints out the value of the modulus of the key.
+
+=item B<-check>
+
+this option checks the consistency of an RSA private key.
+
+=item B<-pubin>
+
+by default a private key is read from the input file: with this
+option a public key is read instead.
+
+=item B<-pubout>
+
+by default a private key is output: with this option a public
+key will be output instead. This option is automatically set if
+the input is a public key.
+
+=back
+
+=head1 NOTES
+
+The PEM private key format uses the header and footer lines:
+
+ -----BEGIN RSA PRIVATE KEY-----
+ -----END RSA PRIVATE KEY-----
+
+The PEM public key format uses the header and footer lines:
+
+ -----BEGIN PUBLIC KEY-----
+ -----END PUBLIC KEY-----
+
+=head1 EXAMPLES
+
+To remove the pass phrase on an RSA private key:
+
+ openssl rsa -in key.pem -out keyout.pem
+
+To encrypt a private key using triple DES:
+
+ openssl rsa -in key.pem -des3 -out keyout.pem
+
+To convert a private key from PEM to DER format: 
+
+ openssl rsa -in key.pem -outform DER -out keyout.der
+
+To print out the components of a private key to standard output:
+
+ openssl rsa -in key.pem -text -noout
+
+To just output the public part of a private key:
+
+ openssl rsa -in key.pem -pubout -out pubkey.pem
+
+=head1 SEE ALSO
+
+L<pkcs8(1)|pkcs8(1)>, L<dsa(1)|dsa(1)>, L<genrsa(1)|genrsa(1)>,
+L<gendsa(1)|gendsa(1)> 
+
+=cut
diff --git a/src/lib/libssl/src/doc/apps/rsautl.pod b/src/lib/libssl/src/doc/apps/rsautl.pod
new file mode 100644
index 0000000000..7a334bc8d6
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/rsautl.pod
@@ -0,0 +1,183 @@
+=pod
+
+=head1 NAME
+
+rsautl - RSA utility
+
+=head1 SYNOPSIS
+
+B<openssl> B<rsautl>
+[B<-in file>]
+[B<-out file>]
+[B<-inkey file>]
+[B<-pubin>]
+[B<-certin>]
+[B<-sign>]
+[B<-verify>]
+[B<-encrypt>]
+[B<-decrypt>]
+[B<-pkcs>]
+[B<-ssl>]
+[B<-raw>]
+[B<-hexdump>]
+[B<-asn1parse>]
+
+=head1 DESCRIPTION
+
+The B<rsautl> command can be used to sign, verify, encrypt and decrypt
+data using the RSA algorithm.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-in filename>
+
+This specifies the input filename to read data from or standard input
+if this option is not specified.
+
+=item B<-out filename>
+
+specifies the output filename to write to or standard output by
+default.
+
+=item B<-inkey file>
+
+the input key file, by default it should be an RSA private key.
+
+=item B<-pubin>
+
+the input file is an RSA public key. 
+
+=item B<-certin>
+
+the input is a certificate containing an RSA public key. 
+
+=item B<-sign>
+
+sign the input data and output the signed result. This requires
+and RSA private key.
+
+=item B<-verify>
+
+verify the input data and output the recovered data.
+
+=item B<-encrypt>
+
+encrypt the input data using an RSA public key.
+
+=item B<-decrypt>
+
+decrypt the input data using an RSA private key.
+
+=item B<-pkcs, -oaep, -ssl, -raw>
+
+the padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP,
+special padding used in SSL v2 backwards compatible handshakes,
+or no padding, respectively.
+For signatures, only B<-pkcs> and B<-raw> can be used.
+
+=item B<-hexdump>
+
+hex dump the output data.
+
+=item B<-asn1parse>
+
+asn1parse the output data, this is useful when combined with the
+B<-verify> option.
+
+=back
+
+=head1 NOTES
+
+B<rsautl> because it uses the RSA algorithm directly can only be
+used to sign or verify small pieces of data.
+
+=head1 EXAMPLES
+
+Sign some data using a private key:
+
+ openssl rsautl -sign -in file -inkey key.pem -out sig
+
+Recover the signed data
+
+ openssl rsautl -sign -in sig -inkey key.pem
+
+Examine the raw signed data:
+
+ openssl rsautl -sign -in file -inkey key.pem -raw -hexdump
+
+ 0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
+ 0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
+ 0020 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
+ 0030 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
+ 0040 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
+ 0050 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
+ 0060 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
+ 0070 - ff ff ff ff 00 68 65 6c-6c 6f 20 77 6f 72 6c 64   .....hello world
+
+The PKCS#1 block formatting is evident from this. If this was done using
+encrypt and decrypt the block would have been of type 2 (the second byte)
+and random padding data visible instead of the 0xff bytes.
+
+It is possible to analyse the signature of certificates using this
+utility in conjunction with B<asn1parse>. Consider the self signed
+example in certs/pca-cert.pem . Running B<asn1parse> as follows yields:
+
+ openssl asn1parse -in pca-cert.pem
+
+    0:d=0  hl=4 l= 742 cons: SEQUENCE          
+    4:d=1  hl=4 l= 591 cons:  SEQUENCE          
+    8:d=2  hl=2 l=   3 cons:   cont [ 0 ]        
+   10:d=3  hl=2 l=   1 prim:    INTEGER           :02
+   13:d=2  hl=2 l=   1 prim:   INTEGER           :00
+   16:d=2  hl=2 l=  13 cons:   SEQUENCE          
+   18:d=3  hl=2 l=   9 prim:    OBJECT            :md5WithRSAEncryption
+   29:d=3  hl=2 l=   0 prim:    NULL              
+   31:d=2  hl=2 l=  92 cons:   SEQUENCE          
+   33:d=3  hl=2 l=  11 cons:    SET               
+   35:d=4  hl=2 l=   9 cons:     SEQUENCE          
+   37:d=5  hl=2 l=   3 prim:      OBJECT            :countryName
+   42:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :AU
+  ....
+  599:d=1  hl=2 l=  13 cons:  SEQUENCE          
+  601:d=2  hl=2 l=   9 prim:   OBJECT            :md5WithRSAEncryption
+  612:d=2  hl=2 l=   0 prim:   NULL              
+  614:d=1  hl=3 l= 129 prim:  BIT STRING        
+
+
+The final BIT STRING contains the actual signature. It can be extracted with:
+
+ openssl asn1parse -in pca-cert.pem -out sig -noout -strparse 614
+
+The certificate public key can be extracted with:
+ 
+ openssl x509 -in test/testx509.pem -pubout -noout >pubkey.pem
+
+The signature can be analysed with:
+
+ openssl rsautl -in sig -verify -asn1parse -inkey pubkey.pem -pubin
+
+    0:d=0  hl=2 l=  32 cons: SEQUENCE          
+    2:d=1  hl=2 l=  12 cons:  SEQUENCE          
+    4:d=2  hl=2 l=   8 prim:   OBJECT            :md5
+   14:d=2  hl=2 l=   0 prim:   NULL              
+   16:d=1  hl=2 l=  16 prim:  OCTET STRING      
+      0000 - f3 46 9e aa 1a 4a 73 c9-37 ea 93 00 48 25 08 b5   .F...Js.7...H%..
+
+This is the parsed version of an ASN1 DigestInfo structure. It can be seen that
+the digest used was md5. The actual part of the certificate that was signed can
+be extracted with:
+
+ openssl asn1parse -in pca-cert.pem -out tbs -noout -strparse 4
+
+and its digest computed with:
+
+ openssl md5 -c tbs
+ MD5(tbs)= f3:46:9e:aa:1a:4a:73:c9:37:ea:93:00:48:25:08:b5
+
+which it can be seen agrees with the recovered value above.
+
+=head1 SEE ALSO
+
+L<dgst(1)|dgst(1)>, L<rsa(1)|rsa(1)>, L<genrsa(1)|genrsa(1)>
diff --git a/src/lib/libssl/src/doc/apps/s_client.pod b/src/lib/libssl/src/doc/apps/s_client.pod
new file mode 100644
index 0000000000..3ede134164
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/s_client.pod
@@ -0,0 +1,213 @@
+
+=pod
+
+=head1 NAME
+
+s_client - SSL/TLS client program
+
+=head1 SYNOPSIS
+
+B<openssl> B<s_client>
+[B<-connect> host:port>]
+[B<-verify depth>]
+[B<-cert filename>]
+[B<-key filename>]
+[B<-CApath directory>]
+[B<-CAfile filename>]
+[B<-reconnect>]
+[B<-pause>]
+[B<-showcerts>]
+[B<-debug>]
+[B<-nbio_test>]
+[B<-state>]
+[B<-nbio>]
+[B<-crlf>]
+[B<-quiet>]
+[B<-ssl2>]
+[B<-ssl3>]
+[B<-tls1>]
+[B<-no_ssl2>]
+[B<-no_ssl3>]
+[B<-no_tls1>]
+[B<-bugs>]
+[B<-cipher cipherlist>]
+
+=head1 DESCRIPTION
+
+The B<s_client> command implements a generic SSL/TLS client which connects
+to a remote host using SSL/TLS. It is a I<very> useful diagnostic tool for
+SSL servers.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-connect host:port>
+
+This specifies the host and optional port to connect to. If not specified
+then an attempt is made to connect to the local host on port 4433.
+
+=item B<-cert certname>
+
+The certificate to use, if one is requested by the server. The default is
+not to use a certificate.
+
+=item B<-key keyfile>
+
+The private key to use. If not specified then the certificate file will
+be used.
+
+=item B<-verify depth>
+
+The verify depth to use. This specifies the maximum length of the
+server certificate chain and turns on server certificate verification.
+Currently the verify operation continues after errors so all the problems
+with a certificate chain can be seen. As a side effect the connection
+will never fail due to a server certificate verify failure.
+
+=item B<-CApath directory>
+
+The directory to use for server certificate verification. This directory
+must be in "hash format", see B<verify> for more information. These are
+also used when building the client certificate chain.
+
+=item B<-CAfile file>
+
+A file containing trusted certificates to use during server authentication
+and to use when attempting to build the client certificate chain.
+
+=item B<-reconnect>
+
+reconnects to the same server 5 times using the same session ID, this can
+be used as a test that session caching is working.
+
+=item B<-pause>
+
+pauses 1 second between each read and write call.
+
+=item B<-showcerts>
+
+display the whole server certificate chain: normally only the server
+certificate itself is displayed.
+
+=item B<-prexit>
+
+print session information when the program exits. This will always attempt
+to print out information even if the connection fails. Normally information
+will only be printed out once if the connection succeeds. This option is useful
+because the cipher in use may be renegotiated or the connection may fail
+because a client certificate is required or is requested only after an
+attempt is made to access a certain URL. Note: the output produced by this
+option is not always accurate because a connection might never have been
+established.
+
+=item B<-state>
+
+prints out the SSL session states.
+
+=item B<-debug>
+
+print extensive debugging information including a hex dump of all traffic.
+
+=item B<-nbio_test>
+
+tests non-blocking I/O
+
+=item B<-nbio>
+
+turns on non-blocking I/O
+
+=item B<-crlf>
+
+this option translated a line feed from the terminal into CR+LF as required
+by some servers.
+
+=item B<-quiet>
+
+inhibit printing of session and certificate information.
+
+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
+
+these options disable the use of certain SSL or TLS protocols. By default
+the initial handshake uses a method which should be compatible with all
+servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
+
+Unfortunately there are a lot of ancient and broken servers in use which
+cannot handle this technique and will fail to connect. Some servers only
+work if TLS is turned off with the B<-no_tls> option others will only
+support SSL v2 and may need the B<-ssl2> option.
+
+=item B<-bugs>
+
+there are several known bug in SSL and TLS implementations. Adding this
+option enables various workarounds.
+
+=item B<-cipher cipherlist>
+
+this allows the cipher list sent by the client to be modified. Although
+the server determines which cipher suite is used it should take the first
+supported cipher in the list sent by the client. See the B<ciphers>
+command for more information.
+
+=back
+
+=head1 CONNECTED COMMANDS
+
+If a connection is established with an SSL server then any data received
+from the server is displayed and any key presses will be sent to the
+server. If the line begins with an B<R> then the session will be
+renegotiated. If the line begins with a B<Q> the connection will be closed
+down.
+
+=head1 NOTES
+
+B<s_client> can be used to debug SSL servers. To connect to an SSL HTTP
+server the command:
+
+ openssl s_client -connect servername:443
+
+would typically be used (https uses port 443). If the connection succeeds
+then an HTTP command can be given such as "GET /" to retrieve a web page.
+
+If the handshake fails then there are several possible causes, if it is
+nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
+B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> can be tried
+in case it is a buggy server. In particular you should play with these
+options B<before> submitting a bug report to an OpenSSL mailing list.
+
+A frequent problem when attempting to get client certificates working
+is that a web client complains it has no certificates or gives an empty
+list to choose from. This is normally because the server is not sending
+the clients certificate authority in its "acceptable CA list" when it
+requests a certificate. By using B<s_client> the CA list can be viewed
+and checked. However some servers only request client authentication
+after a specific URL is requested. To obtain the list in this case it
+is necessary to use the B<-prexit> command and send an HTTP request
+for an appropriate page.
+
+If a certificate is specified on the command line using the B<-cert>
+option it will not be used unless the server specifically requests
+a client certificate. Therefor merely including a client certificate
+on the command line is no guarantee that the certificate works.
+
+If there are problems verifying a server certificate then the
+B<-showcerts> option can be used to show the whole chain.
+
+=head1 BUGS
+
+Because this program has a lot of options and also because some of
+the techniques used are rather old, the C source of s_client is rather
+hard to read and not a model of how things should be done. A typical
+SSL client program would be much simpler.
+
+The B<-verify> option should really exit if the server verification
+fails.
+
+The B<-prexit> option is a bit of a hack. We should really report
+information whenever a session is renegotiated.
+
+=head1 SEE ALSO
+
+L<sess_id(1)|sess_id(1)>, L<s_server(1)|s_server(1)>, L<ciphers(1)|ciphers(1)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/apps/s_server.pod b/src/lib/libssl/src/doc/apps/s_server.pod
new file mode 100644
index 0000000000..0f29c361d9
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/s_server.pod
@@ -0,0 +1,265 @@
+
+=pod
+
+=head1 NAME
+
+s_server - SSL/TLS server program
+
+=head1 SYNOPSIS
+
+B<openssl> B<s_client>
+[B<-accept port>]
+[B<-context id>]
+[B<-verify depth>]
+[B<-Verify depth>]
+[B<-cert filename>]
+[B<-key keyfile>]
+[B<-dcert filename>]
+[B<-dkey keyfile>]
+[B<-dhparam filename>]
+[B<-nbio>]
+[B<-nbio_test>]
+[B<-crlf>]
+[B<-debug>]
+[B<-state>]
+[B<-CApath directory>]
+[B<-CAfile filename>]
+[B<-nocert>]
+[B<-cipher cipherlist>]
+[B<-quiet>]
+[B<-no_tmp_rsa>]
+[B<-ssl2>]
+[B<-ssl3>]
+[B<-tls1>]
+[B<-no_ssl2>]
+[B<-no_ssl3>]
+[B<-no_tls1>]
+[B<-no_dhe>]
+[B<-bugs>]
+[B<-hack>]
+[B<-www>]
+[B<-WWW>]
+
+=head1 DESCRIPTION
+
+The B<s_server> command implements a generic SSL/TLS server which listens
+for connections on a given port using SSL/TLS.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-accept port>
+
+the TCP port to listen on for connections. If not specified 4433 is used.
+
+=item B<-context id>
+
+sets the SSL context id. It can be given any string value. If this option
+is not present a default value will be used.
+
+=item B<-cert certname>
+
+The certificate to use, most servers cipher suites require the use of a
+certificate and some require a certificate with a certain public key type:
+for example the DSS cipher suites require a certificate containing a DSS
+(DSA) key. If not specified then the filename "server.pem" will be used.
+
+=item B<-key keyfile>
+
+The private key to use. If not specified then the certificate file will
+be used.
+
+=item B<-dcert filename>, B<-dkey keyname>
+
+specify an additional certificate and private key, these behave in the
+same manner as the B<-cert> and B<-key> options except there is no default
+if they are not specified (no additional certificate and key is used). As
+noted above some cipher suites require a certificate containing a key of
+a certain type. Some cipher suites need a certificate carrying an RSA key
+and some a DSS (DSA) key. By using RSA and DSS certificates and keys
+a server can support clients which only support RSA or DSS cipher suites
+by using an appropriate certificate.
+
+=item B<-nocert>
+
+if this option is set then no certificate is used. This restricts the
+cipher suites available to the anonymous ones (currently just anonymous
+DH).
+
+=item B<-dhparam filename>
+
+the DH parameter file to use. The ephemeral DH cipher suites generate keys
+using a set of DH parameters. If not specified then an attempt is made to
+load the parameters from the server certificate file. If this fails then
+a static set of parameters hard coded into the s_server program will be used.
+
+=item B<-nodhe>
+
+if this option is set then no DH parameters will be loaded effectively
+disabling the ephemeral DH cipher suites.
+
+=item B<-no_tmp_rsa>
+
+certain export cipher suites sometimes use a temporary RSA key, this option
+disables temporary RSA key generation.
+
+=item B<-verify depth>, B<-Verify depth>
+
+The verify depth to use. This specifies the maximum length of the
+client certificate chain and makes the server request a certificate from
+the client. With the B<-verify> option a certificate is requested but the
+client does not have to send one, with the B<-Verify> option the client
+must supply a certificate or an error occurs.
+
+=item B<-CApath directory>
+
+The directory to use for client certificate verification. This directory
+must be in "hash format", see B<verify> for more information. These are
+also used when building the server certificate chain.
+
+=item B<-CAfile file>
+
+A file containing trusted certificates to use during client authentication
+and to use when attempting to build the server certificate chain. The list
+is also used in the list of acceptable client CAs passed to the client when
+a certificate is requested.
+
+=item B<-state>
+
+prints out the SSL session states.
+
+=item B<-debug>
+
+print extensive debugging information including a hex dump of all traffic.
+
+=item B<-nbio_test>
+
+tests non blocking I/O
+
+=item B<-nbio>
+
+turns on non blocking I/O
+
+=item B<-crlf>
+
+this option translated a line feed from the terminal into CR+LF.
+
+=item B<-quiet>
+
+inhibit printing of session and certificate information.
+
+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
+
+these options disable the use of certain SSL or TLS protocols. By default
+the initial handshake uses a method which should be compatible with all
+servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
+
+=item B<-bugs>
+
+there are several known bug in SSL and TLS implementations. Adding this
+option enables various workarounds.
+
+=item B<-hack>
+
+this option enables a further workaround for some some early Netscape
+SSL code (?).
+
+=item B<-cipher cipherlist>
+
+this allows the cipher list used by the server to be modified.  When
+the client sends a list of supported ciphers the first client cipher
+also included in the server list is used. Because the client specifies
+the preference order, the order of the server cipherlist irrelevant. See
+the B<ciphers> command for more information.
+
+=item B<-www>
+
+sends a status message back to the client when it connects. This includes
+lots of information about the ciphers used and various session parameters.
+The output is in HTML format so this option will normally be used with a
+web browser.
+
+=item B<-WWW>
+
+emulates a simple web server. Pages will be resolved relative to the
+current directory, for example if the URL https://myhost/page.html is
+requested the file ./page.html will be loaded.
+
+=back
+
+=head1 CONNECTED COMMANDS
+
+If a connection request is established with an SSL client and neither the
+B<-www> nor the B<-WWW> option has been used then normally any data received
+from the client is displayed and any key presses will be sent to the client. 
+
+Certain single letter commands are also recognized which perform special
+operations: these are listed below.
+
+=over 4
+
+=item B<q>
+
+end the current SSL connection but still accept new connections.
+
+=item B<Q>
+
+end the current SSL connection and exit.
+
+=item B<r>
+
+renegotiate the SSL session.
+
+=item B<R>
+
+renegotiate the SSL session and request a client certificate.
+
+=item B<P>
+
+send some plain text down the underlying TCP connection: this should
+cause the client to disconnect due to a protocol violation.
+
+=item B<S>
+
+print out some session cache status information.
+
+=back
+
+=head1 NOTES
+
+B<s_server> can be used to debug SSL clients. To accept connections from
+a web browser the command:
+
+ openssl s_server -accept 443 -www
+
+can be used for example.
+
+Most web browsers (in particular Netscape and MSIE) only support RSA cipher
+suites, so they cannot connect to servers which don't use a certificate
+carrying an RSA key or a version of OpenSSL with RSA disabled.
+
+Although specifying an empty list of CAs when requesting a client certificate
+is strictly speaking a protocol violation, some SSL clients interpret this to
+mean any CA is acceptable. This is useful for debugging purposes.
+
+The session parameters can printed out using the B<sess_id> program.
+
+=head1 BUGS
+
+Because this program has a lot of options and also because some of
+the techniques used are rather old, the C source of s_server is rather
+hard to read and not a model of how things should be done. A typical
+SSL server program would be much simpler.
+
+The output of common ciphers is wrong: it just gives the list of ciphers that
+OpenSSL recognizes and the client supports.
+
+There should be a way for the B<s_server> program to print out details of any
+unknown cipher suites a client says it supports.
+
+=head1 SEE ALSO
+
+L<sess_id(1)|sess_id(1)>, L<s_client(1)|s_client(1)>, L<ciphers(1)|ciphers(1)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/apps/sess_id.pod b/src/lib/libssl/src/doc/apps/sess_id.pod
new file mode 100644
index 0000000000..9988d2cd3d
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/sess_id.pod
@@ -0,0 +1,151 @@
+
+=pod
+
+=head1 NAME
+
+sess_id - SSL/TLS session handling utility
+
+=head1 SYNOPSIS
+
+B<openssl> B<sess_id>
+[B<-inform PEM|DER>]
+[B<-outform PEM|DER>]
+[B<-in filename>]
+[B<-out filename>]
+[B<-text>]
+[B<-noout>]
+[B<-context ID>]
+
+=head1 DESCRIPTION
+
+The B<sess_id> process the encoded version of the SSL session structure
+and optionally prints out SSL session details (for example the SSL session
+master key) in human readable format. Since this is a diagnostic tool that
+needs some knowledge of the SSL protocol to use properly, most users will
+not need to use it.
+
+=over 4
+
+=item B<-inform DER|PEM>
+
+This specifies the input format. The B<DER> option uses an ASN1 DER encoded
+format containing session details. The precise format can vary from one version
+to the next.  The B<PEM> form is the default format: it consists of the B<DER>
+format base64 encoded with additional header and footer lines.
+
+=item B<-outform DER|PEM>
+
+This specifies the output format, the options have the same meaning as the 
+B<-inform> option.
+
+=item B<-in filename>
+
+This specifies the input filename to read session information from or standard
+input by default.
+
+=item B<-out filename>
+
+This specifies the output filename to write session information to or standard
+output if this option is not specified.
+
+=item B<-text>
+
+prints out the various public or private key components in
+plain text in addition to the encoded version. 
+
+=item B<-cert>
+
+if a certificate is present in the session it will be output using this option,
+if the B<-text> option is also present then it will be printed out in text form.
+
+=item B<-noout>
+
+this option prevents output of the encoded version of the session.
+
+=item B<-context ID>
+
+this option can set the session id so the output session information uses the
+supplied ID. The ID can be any string of characters. This option wont normally
+be used.
+
+=back
+
+=head1 OUTPUT
+
+Typical output:
+
+ SSL-Session:
+     Protocol  : TLSv1
+     Cipher    : 0016
+     Session-ID: 871E62626C554CE95488823752CBD5F3673A3EF3DCE9C67BD916C809914B40ED
+     Session-ID-ctx: 01000000
+     Master-Key: A7CEFC571974BE02CAC305269DC59F76EA9F0B180CB6642697A68251F2D2BB57E51DBBB4C7885573192AE9AEE220FACD
+     Key-Arg   : None
+     Start Time: 948459261
+     Timeout   : 300 (sec)
+     Verify return code 0 (ok)
+
+Theses are described below in more detail.
+
+=over 4
+
+=item B<Protocol>
+
+this is the protocol in use TLSv1, SSLv3 or SSLv2.
+
+=item B<Cipher>
+
+the cipher used this is the actual raw SSL or TLS cipher code, see the SSL
+or TLS specifications for more information.
+
+=item B<Session-ID>
+
+the SSL session ID in hex format.
+
+=item B<Session-ID-ctx>
+
+the session ID context in hex format.
+
+=item B<Master-Key>
+
+this is the SSL session master key.
+
+=item B<Key-Arg>
+
+the key argument, this is only used in SSL v2.
+
+=item B<Start Time>
+
+this is the session start time represented as an integer in standard Unix format.
+
+=item B<Timeout>
+
+the timeout in seconds.
+
+=item B<Verify return code>
+
+this is the return code when an SSL client certificate is verified.
+
+=back
+
+=head1 NOTES
+
+The PEM encoded session format uses the header and footer lines:
+
+ -----BEGIN SSL SESSION PARAMETERS-----
+ -----END SSL SESSION PARAMETERS-----
+
+Since the SSL session output contains the master key it is possible to read the contents
+of an encrypted session using this information. Therefore appropriate security precautions
+should be taken if the information is being output by a "real" application. This is
+however strongly discouraged and should only be used for debugging purposes.
+
+=head1 BUGS
+
+The cipher and start time should be printed out in human readable form.
+
+=head1 SEE ALSO
+
+L<ciphers(1)|ciphers(1)>, L<s_server(1)|s_server(1)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/apps/smime.pod b/src/lib/libssl/src/doc/apps/smime.pod
new file mode 100644
index 0000000000..631ecdc241
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/smime.pod
@@ -0,0 +1,325 @@
+=pod
+
+=head1 NAME
+
+smime - S/MIME utility
+
+=head1 SYNOPSIS
+
+B<openssl> B<smime>
+[B<-encrypt>]
+[B<-decrypt>]
+[B<-sign>]
+[B<-verify>]
+[B<-pk7out>]
+[B<-des>]
+[B<-des3>]
+[B<-rc2-40>]
+[B<-rc2-64>]
+[B<-rc2-128>]
+[B<-in file>]
+[B<-certfile file>]
+[B<-signer file>]
+[B<-recip  file>]
+[B<-in file>]
+[B<-inkey file>]
+[B<-out file>]
+[B<-to addr>]
+[B<-from ad>]
+[B<-subject s>]
+[B<-text>]
+[B<-rand file(s)>]
+[cert.pem]...
+
+=head1 DESCRIPTION
+
+The B<smime> command handles S/MIME mail. It can encrypt, decrypt, sign and
+verify S/MIME messages.
+
+=head1 COMMAND OPTIONS
+
+There are five operation options that set the type of operation to be performed.
+The meaning of the other options varies according to the operation type.
+
+=over 4
+
+=item B<-encrypt>
+
+encrypt mail for the given recipient certificates. Input file is the message
+to be encrypted. The output file is the encrypted mail in MIME format.
+
+=item B<-decrypt>
+
+decrypt mail using the supplied certificate and private key. Expects an
+encrypted mail message in MIME format for the input file. The decrypted mail
+is written to the output file.
+
+=item B<-sign>
+
+sign mail using the supplied certificate and private key. Input file is
+the message to be signed. The signed message in MIME format is written
+to the output file.
+
+=item B<-verify>
+
+verify signed mail. Expects a signed mail message on input and outputs
+the signed data. Both clear text and opaque signing is supported.
+
+=item B<-pk7out>
+
+takes an input message and writes out a PEM encoded PKCS#7 structure.
+
+=item B<-in filename>
+
+the input message to be encrypted or signed or the MIME message to
+be decrypted or verified.
+
+=item B<-out filename>
+
+the message text that has been decrypted or verified or the output MIME
+format message that has been signed or verified.
+
+=item B<-text>
+
+this option adds plain text (text/plain) MIME headers to the supplied
+message if encrypting or signing. If decrypting or verifying it strips
+off text headers: if the decrypted or verified message is not of MIME 
+type text/plain then an error occurs.
+
+=item B<-CAfile file>
+
+a file containing trusted CA certificates, only used with B<-verify>.
+
+=item B<-CApath dir>
+
+a directory containing trusted CA certificates, only used with
+B<-verify>. This directory must be a standard certificate directory: that
+is a hash of each subject name (using B<x509 -hash>) should be linked
+to each certificate.
+
+=item B<-des -des3 -rc2-40 -rc2-64 -rc2-128>
+
+the encryption algorithm to use. DES (56 bits), triple DES (168 bits)
+or 40, 64 or 128 bit RC2 respectively if not specified 40 bit RC2 is
+used. Only used with B<-encrypt>.
+
+=item B<-nointern>
+
+when verifying a message normally certificates (if any) included in
+the message are searched for the signing certificate. With this option
+only the certificates specified in the B<-certfile> option are used.
+The supplied certificates can still be used as untrusted CAs however.
+
+=item B<-noverify>
+
+do not verify the signers certificate of a signed message.
+
+=item B<-nochain>
+
+do not do chain verification of signers certificates: that is don't
+use the certificates in the signed message as untrusted CAs.
+
+=item B<-nosigs>
+
+don't try to verify the signatures on the message.
+
+=item B<-nocerts>
+
+when signing a message the signer's certificate is normally included
+with this option it is excluded. This will reduce the size of the
+signed message but the verifier must have a copy of the signers certificate
+available locally (passed using the B<-certfile> option for example).
+
+=item B<-noattr>
+
+normally when a message is signed a set of attributes are included which
+include the signing time and supported symmetric algorithms. With this
+option they are not included.
+
+=item B<-binary>
+
+normally the input message is converted to "canonical" format which is
+effectively using CR and LF as end of line: as required by the S/MIME
+specification. When this option is present no translation occurs. This
+is useful when handling binary data which may not be in MIME format.
+
+=item B<-nodetach>
+
+when signing a message use opaque signing: this form is more resistant
+to translation by mail relays but it cannot be read by mail agents that
+do not support S/MIME.  Without this option cleartext signing with
+the MIME type multipart/signed is used.
+
+=item B<-certfile file>
+
+allows additional certificates to be specified. When signing these will
+be included with the message. When verifying these will be searched for
+the signers certificates. The certificates should be in PEM format.
+
+=item B<-signer file>
+
+the signers certificate when signing a message. If a message is
+being verified then the signers certificates will be written to this
+file if the verification was successful.
+
+=item B<-recip file>
+
+the recipients certificate when decrypting a message. This certificate
+must match one of the recipients of the message or an error occurs.
+
+=item B<-inkey file>
+
+the private key to use when signing or decrypting. This must match the
+corresponding certificate. If this option is not specified then the
+private key must be included in the certificate file specified with
+the B<-recip> or B<-signer> file.
+
+=item B<-rand file(s)>
+
+a file or files containing random data used to seed the random number
+generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVSM, and B<:> for
+all others.
+
+=item B<cert.pem...>
+
+one or more certificates of message recipients: used when encrypting
+a message. 
+
+=item B<-to, -from, -subject>
+
+the relevant mail headers. These are included outside the signed
+portion of a message so they may be included manually. If signing
+then many S/MIME mail clients check the signers certificate's email
+address matches that specified in the From: address.
+
+=back
+
+=head1 NOTES
+
+The MIME message must be sent without any blank lines between the
+headers and the output. Some mail programs will automatically add
+a blank line. Piping the mail directly to sendmail is one way to
+achieve the correct format.
+
+The supplied message to be signed or encrypted must include the
+necessary MIME headers: or many S/MIME clients wont display it
+properly (if at all). You can use the B<-text> option to automatically
+add plain text headers.
+
+A "signed and encrypted" message is one where a signed message is
+then encrypted. This can be produced by encrypting an already signed
+message: see the examples section.
+
+This version of the program only allows one signer per message but it
+will verify multiple signers on received messages. Some S/MIME clients
+choke if a message contains multiple signers. It is possible to sign
+messages "in parallel" by signing an already signed message.
+
+The options B<-encrypt> and B<-decrypt> reflect common usage in S/MIME
+clients. Strictly speaking these process PKCS#7 enveloped data: PKCS#7
+encrypted data is used for other purposes.
+
+=head1 EXIT CODES
+
+=over 4
+
+=item 0
+
+the operation was completely successfully.
+
+=item 1 
+
+an error occurred parsing the command options.
+
+=item 2
+
+one of the input files could not be read.
+
+=item 3
+
+an error occurred creating the PKCS#7 file or when reading the MIME
+message.
+
+=item 4
+
+an error occurred decrypting or verifying the message.
+
+=item 5
+
+the message was verified correctly but an error occurred writing out
+the signers certificates.
+
+=back
+
+=head1 EXAMPLES
+
+Create a cleartext signed message:
+
+ openssl smime -sign -in message.txt -text -out mail.msg \
+        -signer mycert.pem
+
+Create and opaque signed message
+
+ openssl smime -sign -in message.txt -text -out mail.msg -nodetach \
+        -signer mycert.pem
+
+Create a signed message, include some additional certificates and
+read the private key from another file:
+
+ openssl smime -sign -in in.txt -text -out mail.msg \
+        -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem
+
+Send a signed message under Unix directly to sendmail, including headers:
+
+ openssl smime -sign -in in.txt -text -signer mycert.pem \
+        -from steve@openssl.org -to someone@somewhere \
+        -subject "Signed message" | sendmail someone@somewhere
+
+Verify a message and extract the signer's certificate if successful:
+
+ openssl smime -verify -in mail.msg -signer user.pem -out signedtext.txt
+
+Send encrypted mail using triple DES:
+
+ openssl smime -encrypt -in in.txt -from steve@openssl.org \
+        -to someone@somewhere -subject "Encrypted message" \
+        -des3 user.pem -out mail.msg
+
+Sign and encrypt mail:
+
+ openssl smime -sign -in ml.txt -signer my.pem -text \
+        | openssl -encrypt -out mail.msg \
+        -from steve@openssl.org -to someone@somewhere \
+        -subject "Signed and Encrypted message" -des3 user.pem
+
+Note: the encryption command does not include the B<-text> option because the message
+being encrypted already has MIME headers.
+
+Decrypt mail:
+
+ openssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem
+
+=head1 BUGS
+
+The MIME parser isn't very clever: it seems to handle most messages that I've thrown
+at it but it may choke on others.
+
+The code currently will only write out the signer's certificate to a file: if the
+signer has a separate encryption certificate this must be manually extracted. There
+should be some heuristic that determines the correct encryption certificate.
+
+Ideally a database should be maintained of a certificates for each email address.
+
+The code doesn't currently take note of the permitted symmetric encryption
+algorithms as supplied in the SMIMECapabilities signed attribute. this means the
+user has to manually include the correct encryption algorithm. It should store
+the list of permitted ciphers in a database and only use those.
+
+No revocation checking is done on the signer's certificate.
+
+The current code can only handle S/MIME v2 messages, the more complex S/MIME v3
+structures may cause parsing errors.
+
+=cut
diff --git a/src/lib/libssl/src/doc/apps/speed.pod b/src/lib/libssl/src/doc/apps/speed.pod
new file mode 100644
index 0000000000..fecd9a994d
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/speed.pod
@@ -0,0 +1,45 @@
+=pod
+
+=head1 NAME
+
+speed - test library performance
+
+=head1 SYNOPSIS
+
+B<openssl speed>
+[B<md2>]
+[B<mdc2>]
+[B<md5>]
+[B<hmac>]
+[B<sha1>]
+[B<rmd160>]
+[B<idea-cbc>]
+[B<rc2-cbc>]
+[B<rc5-cbc>]
+[B<bf-cbc>]
+[B<des-cbc>]
+[B<des-ede3>]
+[B<rc4>]
+[B<rsa512>]
+[B<rsa1024>]
+[B<rsa2048>]
+[B<rsa4096>]
+[B<dsa512>]
+[B<dsa1024>]
+[B<dsa2048>]
+[B<idea>]
+[B<rc2>]
+[B<des>]
+[B<rsa>]
+[B<blowfish>]
+
+=head1 DESCRIPTION
+
+This command is used to test the performance of cryptographic algorithms.
+
+=head1 OPTIONS
+
+If an option is given, B<speed> test that algorithm, otherwise all of
+the above are tested.
+
+=cut
diff --git a/src/lib/libssl/src/doc/apps/spkac.pod b/src/lib/libssl/src/doc/apps/spkac.pod
new file mode 100644
index 0000000000..bb84dfbe33
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/spkac.pod
@@ -0,0 +1,127 @@
+=pod
+
+=head1 NAME
+
+spkac - SPKAC printing and generating utility
+
+=head1 SYNOPSIS
+
+B<openssl> B<spkac>
+[B<-in filename>]
+[B<-out filename>]
+[B<-key keyfile>]
+[B<-passin arg>]
+[B<-challenge string>]
+[B<-pubkey>]
+[B<-spkac spkacname>]
+[B<-spksect section>]
+[B<-noout>]
+[B<-verify>]
+
+
+=head1 DESCRIPTION
+
+The B<spkac> command processes Netscape signed public key and challenge
+(SPKAC) files. It can print out their contents, verify the signature and
+produce its own SPKACs from a supplied private key.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-in filename>
+
+This specifies the input filename to read from or standard input if this
+option is not specified. Ignored if the B<-key> option is used.
+
+=item B<-out filename>
+
+specifies the output filename to write to or standard output by
+default.
+
+=item B<-key keyfile>
+
+create an SPKAC file using the private key in B<keyfile>. The
+B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if
+present.
+
+=item B<-passin password>
+
+the input file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
+=item B<-challenge string>
+
+specifies the challenge string if an SPKAC is being created.
+
+=item B<-spkac spkacname>
+
+allows an alternative name form the variable containing the
+SPKAC. The default is "SPKAC". This option affects both
+generated and input SPKAC files.
+
+=item B<-spksect section>
+
+allows an alternative name form the section containing the
+SPKAC. The default is the default section.
+
+=item B<-noout>
+
+don't output the text version of the SPKAC (not used if an
+SPKAC is being created).
+
+=item B<-pubkey>
+
+output the public key of an SPKAC (not used if an SPKAC is
+being created).
+
+=item B<-verify>
+
+verifies the digital signature on the supplied SPKAC.
+
+
+=back
+
+=head1 EXAMPLES
+
+Print out the contents of an SPKAC:
+
+ openssl spkac -in spkac.cnf
+
+Verify the signature of an SPKAC:
+
+ openssl spkac -in spkac.cnf -noout -verify
+
+Create an SPKAC using the challenge string "hello":
+
+ openssl spkac -key key.pem -challenge hello -out spkac.cnf
+
+Example of an SPKAC, (long lines split up for clarity):
+
+ SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1cCoq2Wa3Ixs47uI7F\
+ PVwHVIPDx5yso105Y6zpozam135a8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03u\
+ PFoQIDAQABFgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJh1bEIYuc\
+ 2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnDdq+NQ3F+X4deMx9AaEglZtULwV\
+ 4=
+
+=head1 NOTES
+
+A created SPKAC with suitable DN components appended can be fed into
+the B<ca> utility.
+
+SPKACs are typically generated by Netscape when a form is submitted
+containing the B<KEYGEN> tag as part of the certificate enrollment
+process.
+
+The challenge string permits a primitive form of proof of possession
+of private key. By checking the SPKAC signature and a random challenge
+string some guarantee is given that the user knows the private key
+corresponding to the public key being certified. This is important in
+some applications. Without this it is possible for a previous SPKAC
+to be used in a "replay attack".
+
+=head1 SEE ALSO
+
+L<ca(1)|ca(1)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/apps/verify.pod b/src/lib/libssl/src/doc/apps/verify.pod
new file mode 100644
index 0000000000..4a6572d3b8
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/verify.pod
@@ -0,0 +1,273 @@
+=pod
+
+=head1 NAME
+
+pkcs7 - PKCS#7 utility
+
+=head1 SYNOPSIS
+
+B<openssl> B<verify>
+[B<-CApath directory>]
+[B<-CAfile file>]
+[B<-purpose purpose>]
+[B<-untrusted file>]
+[B<-help>]
+[B<-verbose>]
+[B<->]
+[certificates]
+
+
+=head1 DESCRIPTION
+
+The B<verify> command verifies certificate chains.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-CApath directory>
+
+A directory of trusted certificates. The certificates should have names
+of the form: hash.0 or have symbolic links to them of this
+form ("hash" is the hashed certificate subject name: see the B<-hash> option
+of the B<x509> utility). Under Unix the B<c_rehash> script will automatically
+create symbolic links to a directory of certificates.
+
+=item B<-CAfile file>
+
+A file of trusted certificates. The file should contain multiple certificates
+in PEM format concatenated together.
+
+=item B<-untrusted file>
+
+A file of untrusted certificates. The file should contain multiple certificates
+
+=item B<-purpose purpose>
+
+the intended use for the certificate. Without this option no chain verification
+will be done. Currently accepted uses are B<sslclient>, B<sslserver>,
+B<nssslserver>, B<smimesign>, B<smimeencrypt>. See the B<VERIFY OPERATION>
+section for more information.
+
+=item B<-help>
+
+prints out a usage message.
+
+=item B<-verbose>
+
+print extra information about the operations being performed.
+
+=item B<->
+
+marks the last option. All arguments following this are assumed to be
+certificate files. This is useful if the first certificate filename begins
+with a B<->.
+
+=item B<certificates>
+
+one or more certificates to verify. If no certificate filenames are included
+then an attempt is made to read a certificate from standard input. They should
+all be in PEM format.
+
+
+=back
+
+=head1 VERIFY OPERATION
+
+The B<verify> program uses the same functions as the internal SSL and S/MIME
+verification, therefore this description applies to these verify operations
+too.
+
+There is one crucial difference between the verify operations performed
+by the B<verify> program: wherever possible an attempt is made to continue
+after an error whereas normally the verify operation would halt on the
+first error. This allows all the problems with a certificate chain to be
+determined.
+
+The verify operation consists of a number of separate steps.
+
+Firstly a certificate chain is built up starting from the supplied certificate
+and ending in the root CA. It is an error if the whole chain cannot be built
+up. The chain is built up by looking up a certificate whose subject name
+matches the issuer name of the current certificate. If a certificate is found
+whose subject and issuer names are identical it is assumed to be the root CA.
+The lookup first looks in the list of untrusted certificates and if no match
+is found the remaining lookups are from the trusted certificates. The root CA
+is always looked up in the trusted certificate list: if the certificate to
+verify is a root certificate then an exact match must be found in the trusted
+list.
+
+The second operation is to check every untrusted certificate's extensions for
+consistency with the supplied purpose. If the B<-purpose> option is not included
+then no checks are done. The supplied or "leaf" certificate must have extensions
+compatible with the supplied purpose and all other certificates must also be valid
+CA certificates. The precise extensions required are described in more detail in
+the B<CERTIFICATE EXTENSIONS> section of the B<x509> utility.
+
+The third operation is to check the trust settings on the root CA. The root
+CA should be trusted for the supplied purpose. For compatibility with previous
+versions of SSLeay and OpenSSL a certificate with no trust settings is considered
+to be valid for all purposes. 
+
+The final operation is to check the validity of the certificate chain. The validity
+period is checked against the current system time and the notBefore and notAfter
+dates in the certificate. The certificate signatures are also checked at this
+point.
+
+If all operations complete successfully then certificate is considered valid. If
+any operation fails then the certificate is not valid.
+
+=head1 DIAGNOSTICS
+
+When a verify operation fails the output messages can be somewhat cryptic. The
+general form of the error message is:
+
+ server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
+ error 24 at 1 depth lookup:invalid CA certificate
+
+The first line contains the name of the certificate being verified followed by
+the subject name of the certificate. The second line contains the error number
+and the depth. The depth is number of the certificate being verified when a
+problem was detected starting with zero for the certificate being verified itself
+then 1 for the CA that signed the certificate and so on. Finally a text version
+of the error number is presented.
+
+An exhaustive list of the error codes and messages is shown below, this also
+includes the name of the error code as defined in the header file x509_vfy.h
+Some of the error codes are defined but never returned: these are described
+as "unused".
+
+=over 4
+
+=item B<0 X509_V_OK: ok>
+
+the operation was successful.
+
+=item B<2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate>
+
+the issuer certificate could not be found: this occurs if the issuer certificate
+of an untrusted certificate cannot be found.
+
+=item B<3 X509_V_ERR_UNABLE_TO_GET_CRL unable to get certificate CRL>
+
+the CRL of a certificate could not be found. Unused.
+
+=item B<4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature>
+
+the certificate signature could not be decrypted. This means that the actual signature value
+could not be determined rather than it not matching the expected value, this is only
+meaningful for RSA keys.
+
+=item B<5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature>
+
+the CRL signature could not be decrypted: this means that the actual signature value
+could not be determined rather than it not matching the expected value. Unused.
+
+=item B<6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key>
+
+the public key in the certificate SubjectPublicKeyInfo could not be read.
+
+=item B<7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure>
+
+the signature of the certificate is invalid.
+
+=item B<8 X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure>
+
+the signature of the certificate is invalid. Unused.
+
+=item B<9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid>
+
+the certificate is not yet valid: the notBefore date is after the current time.
+
+=item B<10 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid>
+
+the CRL is not yet valid. Unused.
+
+=item B<11 X509_V_ERR_CERT_HAS_EXPIRED: Certificate has expired>
+
+the certificate has expired: that is the notAfter date is before the current time.
+
+=item B<12 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired>
+
+the CRL has expired. Unused.
+
+=item B<13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field>
+
+the certificate notBefore field contains an invalid time.
+
+=item B<14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field>
+
+the certificate notAfter field contains an invalid time.
+
+=item B<15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field>
+
+the CRL lastUpdate field contains an invalid time. Unused.
+
+=item B<16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field>
+
+the CRL nextUpdate field contains an invalid time. Unused.
+
+=item B<17 X509_V_ERR_OUT_OF_MEM: out of memory>
+
+an error occurred trying to allocate memory. This should never happen.
+
+=item B<18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate>
+
+the passed certificate is self signed and the same certificate cannot be found in the list of
+trusted certificates.
+
+=item B<19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain>
+
+the certificate chain could be built up using the untrusted certificates but the root could not
+be found locally.
+
+=item B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate>
+
+the issuer certificate of a locally looked up certificate could not be found. This normally means
+the list of trusted certificates is not complete.
+
+=item B<21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate>
+
+no signatures could be verified because the chain contains only one certificate and it is not
+self signed.
+
+=item B<22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long>
+
+the certificate chain length is greater than the supplied maximum depth. Unused.
+
+=item B<23 X509_V_ERR_CERT_REVOKED: certificate revoked>
+
+the certificate has been revoked. Unused.
+
+=item B<24 X509_V_ERR_INVALID_CA: invalid CA certificate>
+
+a CA certificate is invalid. Either it is not a CA or its extensions are not consistent
+with the supplied purpose.
+
+=item B<25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded>
+
+the basicConstraints pathlength parameter has been exceeded.
+
+=item B<26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose>
+
+the supplied certificate cannot be used for the specified purpose.
+
+=item B<27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted>
+
+the root CA is not marked as trusted for the specified purpose.
+
+=item B<28 X509_V_ERR_CERT_REJECTED: certificate rejected>
+
+the root CA is marked to reject the specified purpose.
+
+=item B<50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure>
+
+an application specific error. Unused.
+
+=back
+
+=head1 SEE ALSO
+
+L<x509(1)|x509(1)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/apps/version.pod b/src/lib/libssl/src/doc/apps/version.pod
new file mode 100644
index 0000000000..5d261a6405
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/version.pod
@@ -0,0 +1,56 @@
+=pod
+
+=head1 NAME
+
+version - print OpenSSL version information
+
+=head1 SYNOPSIS
+
+B<openssl version>
+[B<-a>]
+[B<-v>]
+[B<-b>]
+[B<-o>]
+[B<-f>]
+[B<-p>]
+
+=head1 DESCRIPTION
+
+This command is used to print out version information about OpenSSL.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-a>
+
+all information, this is the same as setting all the other flags.
+
+=item B<-v>
+
+the current OpenSSL version.
+
+=item B<-b>
+
+the date the current version of OpenSSL was built.
+
+=item B<-o>
+
+option information: various options set when the library was built.
+
+=item B<-c>
+
+compilation flags.
+
+=item B<-p>
+
+platform setting.
+
+=back
+
+=head1 NOTES
+
+The output of B<openssl version -a> would typically be used when sending
+in a bug report.
+
+=cut
diff --git a/src/lib/libssl/src/doc/apps/x509.pod b/src/lib/libssl/src/doc/apps/x509.pod
new file mode 100644
index 0000000000..b127182bbb
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/x509.pod
@@ -0,0 +1,543 @@
+
+=pod
+
+=head1 NAME
+
+x509 - Certificate display and signing utility
+
+=head1 SYNOPSIS
+
+B<openssl> B<x509>
+[B<-inform DER|PEM|NET>]
+[B<-outform DER|PEM|NET>]
+[B<-keyform DER|PEM>]
+[B<-CAform DER|PEM>]
+[B<-CAkeyform DER|PEM>]
+[B<-in filename>]
+[B<-out filename>]
+[B<-serial>]
+[B<-hash>]
+[B<-subject>]
+[B<-issuer>]
+[B<-startdate>]
+[B<-enddate>]
+[B<-purpose>]
+[B<-dates>]
+[B<-modulus>]
+[B<-fingerprint>]
+[B<-alias>]
+[B<-noout>]
+[B<-trustout>]
+[B<-clrtrust>]
+[B<-clrreject>]
+[B<-addtrust arg>]
+[B<-addreject arg>]
+[B<-setalias arg>]
+[B<-days arg>]
+[B<-signkey filename>]
+[B<-x509toreq>]
+[B<-req>]
+[B<-CA filename>]
+[B<-CAkey filename>]
+[B<-CAcreateserial>]
+[B<-CAserial filename>]
+[B<-text>]
+[B<-C>]
+[B<-md2|-md5|-sha1|-mdc2>]
+[B<-clrext>]
+[B<-extfile filename>]
+[B<-extensions section>]
+
+=head1 DESCRIPTION
+
+The B<x509> command is a multi purpose certificate utility. It can be
+used to display certificate information, convert certificates to
+various forms, sign certificate requests like a "mini CA" or edit
+certificate trust settings.
+
+Since there are a large number of options they will split up into
+various sections.
+
+
+=head1 INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS
+
+=over 4
+
+=item B<-inform DER|PEM|NET>
+
+This specifies the input format normally the command will expect an X509
+certificate but this can change if other options such as B<-req> are
+present. The DER format is the DER encoding of the certificate and PEM
+is the base64 encoding of the DER encoding with header and footer lines
+added. The NET option is an obscure Netscape server format that is now
+obsolete.
+
+=item B<-outform DER|PEM|NET>
+
+This specifies the output format, the options have the same meaning as the 
+B<-inform> option.
+
+=item B<-in filename>
+
+This specifies the input filename to read a certificate from or standard input
+if this option is not specified.
+
+=item B<-out filename>
+
+This specifies the output filename to write to or standard output by
+default.
+
+=item B<-md2|-md5|-sha1|-mdc2>
+
+the digest to use. This affects any signing or display option that uses a message
+digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not
+specified then MD5 is used. If the key being used to sign with is a DSA key then
+this option has no effect: SHA1 is always used with DSA keys.
+
+
+=back
+
+=head1 DISPLAY OPTIONS
+
+Note: the B<-alias> and B<-purpose> options are also display options
+but are described in the B<TRUST OPTIONS> section.
+
+=over 4
+
+=item B<-text>
+
+prints out the certificate in text form. Full details are output including the
+public key, signature algorithms, issuer and subject names, serial number
+any extensions present and any trust settings.
+
+=item B<-noout>
+
+this option prevents output of the encoded version of the request.
+
+=item B<-modulus>
+
+this option prints out the value of the modulus of the public key
+contained in the certificate.
+
+=item B<-serial>
+
+outputs the certificate serial number.
+
+=item B<-hash>
+
+outputs the "hash" of the certificate subject name. This is used in OpenSSL to
+form an index to allow certificates in a directory to be looked up by subject
+name.
+
+=item B<-subject>
+
+outputs the subject name.
+
+=item B<-issuer>
+
+outputs the issuer name.
+
+=item B<-startdate>
+
+prints out the start date of the certificate, that is the notBefore date.
+
+=item B<-enddate>
+
+prints out the expiry date of the certificate, that is the notAfter date.
+
+=item B<-dates>
+
+prints out the start and expiry dates of a certificate.
+
+=item B<-fingerprint>
+
+prints out the digest of the DER encoded version of the whole certificate.
+
+=item B<-C>
+
+this outputs the certificate in the form of a C source file.
+
+=back
+
+=head1 TRUST SETTINGS
+
+Please note these options are currently experimental and may well change.
+
+A B<trusted certificate> is an ordinary certificate which has several
+additional pieces of information attached to it such as the permitted
+and prohibited uses of the certificate and an "alias".
+
+Normally when a certificate is being verified at least one certificate
+must be "trusted". By default a trusted certificate must be stored
+locally and must be a root CA: any certificate chain ending in this CA
+is then usable for any purpose.
+
+Trust settings currently are only used with a root CA. They allow a finer
+control over the purposes the root CA can be used for. For example a CA
+may be trusted for SSL client but not SSL server use.
+
+See the description of the B<verify> utility for more information on the
+meaning of trust settings.
+
+Future versions of OpenSSL will recognize trust settings on any
+certificate: not just root CAs.
+
+
+=over 4
+
+=item B<-trustout>
+
+this causes B<x509> to output a B<trusted> certificate. An ordinary
+or trusted certificate can be input but by default an ordinary
+certificate is output and any trust settings are discarded. With the
+B<-trustout> option a trusted certificate is output. A trusted
+certificate is automatically output if any trust settings are modified.
+
+=item B<-setalias arg>
+
+sets the alias of the certificate. This will allow the certificate
+to be referred to using a nickname for example "Steve's Certificate".
+
+=item B<-alias>
+
+outputs the certificate alias, if any.
+
+=item B<-clrtrust>
+
+clears all the permitted or trusted uses of the certificate.
+
+=item B<-clrreject>
+
+clears all the prohibited or rejected uses of the certificate.
+
+=item B<-addtrust arg>
+
+adds a trusted certificate use. Currently acceptable values
+are B<all> (any purpose), B<sslclient> (SSL client use), B<sslserver>
+(SSL server use) B<email> (S/MIME email) and B<objsign> (Object signing).
+
+=item B<-addreject arg>
+
+adds a prohibited use. It accepts the same values as the B<-addtrust>
+option.
+
+=item B<-purpose>
+
+this option performs tests on the certificate extensions and outputs
+the results. For a more complete description see the B<CERTIFICATE
+EXTENSIONS> section.
+
+=back
+
+=head1 SIGNING OPTIONS
+
+The B<x509> utility can be used to sign certificates and requests: it
+can thus behave like a "mini CA".
+
+=over 4
+
+=item B<-signkey filename>
+
+this option causes the input file to be self signed using the supplied
+private key. 
+
+If the input file is a certificate it sets the issuer name to the
+subject name (i.e.  makes it self signed) changes the public key to the
+supplied value and changes the start and end dates. The start date is
+set to the current time and the end date is set to a value determined
+by the B<-days> option. Any certificate extensions are retained unless
+the B<-clrext> option is supplied.
+
+If the input is a certificate request then a self signed certificate
+is created using the supplied private key using the subject name in
+the request.
+
+=item B<-clrext>
+
+delete any extensions from a certificate. This option is used when a
+certificate is being created from another certificate (for example with
+the B<-signkey> or the B<-CA> options). Normally all extensions are
+retained.
+
+=item B<-keyform PEM|DER>
+
+specifies the format (DER or PEM) of the private key file used in the
+B<-signkey> option.
+
+=item B<-days arg>
+
+specifies the number of days to make a certificate valid for. The default
+is 30 days.
+
+=item B<-x509toreq>
+
+converts a certificate into a certificate request. The B<-signkey> option
+is used to pass the required private key.
+
+=item B<-req>
+
+by default a certificate is expected on input. With this option a
+certificate request is expected instead.
+
+=item B<-CA filename>
+
+specifies the CA certificate to be used for signing. When this option is
+present B<x509> behaves like a "mini CA". The input file is signed by this
+CA using this option: that is its issuer name is set to the subject name
+of the CA and it is digitally signed using the CAs private key.
+
+This option is normally combined with the B<-req> option. Without the
+B<-req> option the input is a certificate which must be self signed.
+
+=item B<-CAkey filename>
+
+sets the CA private key to sign a certificate with. If this option is
+not specified then it is assumed that the CA private key is present in
+the CA certificate file.
+
+=item B<-CAserial filename>
+
+sets the CA serial number file to use.
+
+When the B<-CA> option is used to sign a certificate it uses a serial
+number specified in a file. This file consist of one line containing
+an even number of hex digits with the serial number to use. After each
+use the serial number is incremented and written out to the file again.
+
+The default filename consists of the CA certificate file base name with
+".srl" appended. For example if the CA certificate file is called 
+"mycacert.pem" it expects to find a serial number file called "mycacert.srl".
+
+=item B<-CAcreateserial filename>
+
+with this option the CA serial number file is created if it does not exist:
+it will contain the serial number "02" and the certificate being signed will
+have the 1 as its serial number. Normally if the B<-CA> option is specified
+and the serial number file does not exist it is an error.
+
+=item B<-extfile filename>
+
+file containing certificate extensions to use. If not specified then
+no extensions are added to the certificate.
+
+=item B<-extensions section>
+
+the section to add certificate extensions from. If this option is not
+specified then the extensions should either be contained in the unnamed
+(default) section or the default section should contain a variable called
+"extensions" which contains the section to use.
+
+=back
+
+=head1 EXAMPLES
+
+Note: in these examples the '\' means the example should be all on one
+line.
+
+Display the contents of a certificate:
+
+ openssl x509 -in cert.pem -noout -text
+
+Display the certificate serial number:
+
+ openssl x509 -in cert.pem -noout -serial
+
+Display the certificate MD5 fingerprint:
+
+ openssl x509 -in cert.pem -noout -fingerprint
+
+Display the certificate SHA1 fingerprint:
+
+ openssl x509 -sha1 -in cert.pem -noout -fingerprint
+
+Convert a certificate from PEM to DER format:
+
+ openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
+
+Convert a certificate to a certificate request:
+
+ openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem
+
+Convert a certificate request into a self signed certificate using
+extensions for a CA:
+
+ openssl x509 -req -in careq.pem -config openssl.cnf -extensions v3_ca \
+        -signkey key.pem -out cacert.pem
+
+Sign a certificate request using the CA certificate above and add user
+certificate extensions:
+
+ openssl x509 -req -in req.pem -config openssl.cnf -extensions v3_usr \
+        -CA cacert.pem -CAkey key.pem -CAcreateserial
+
+
+Set a certificate to be trusted for SSL client use and change set its alias to
+"Steve's Class 1 CA"
+
+ openssl x509 -in cert.pem -addtrust sslclient \
+        -alias "Steve's Class 1 CA" -out trust.pem
+
+=head1 NOTES
+
+The PEM format uses the header and footer lines:
+
+ -----BEGIN CERTIFICATE----
+ -----END CERTIFICATE----
+
+it will also handle files containing:
+
+ -----BEGIN X509 CERTIFICATE----
+ -----END X509 CERTIFICATE----
+
+Trusted certificates have the lines
+
+ -----BEGIN TRUSTED CERTIFICATE----
+ -----END TRUSTED CERTIFICATE----
+
+The B<-fingerprint> option takes the digest of the DER encoded certificate.
+This is commonly called a "fingerprint". Because of the nature of message
+digests the fingerprint of a certificate is unique to that certificate and
+two certificates with the same fingerprint can be considered to be the same.
+
+The Netscape fingerprint uses MD5 whereas MSIE uses SHA1.
+
+=head1 CERTIFICATE EXTENSIONS
+
+The B<-purpose> option checks the certificate extensions and determines
+what the certificate can be used for. The actual checks done are rather
+complex and include various hacks and workarounds to handle broken
+certificates and software.
+
+The same code is used when verifying untrusted certificates in chains
+so this section is useful if a chain is rejected by the verify code.
+
+The basicConstraints extension CA flag is used to determine whether the
+certificate can be used as a CA. If the CA flag is true then it is a CA,
+if the CA flag is false then it is not a CA. B<All> CAs should have the
+CA flag set to true.
+
+If the basicConstraints extension is absent then the certificate is
+considered to be a "possible CA" other extensions are checked according
+to the intended use of the certificate. A warning is given in this case
+because the certificate should really not be regarded as a CA: however
+it is allowed to be a CA to work around some broken software.
+
+If the certificate is a V1 certificate (and thus has no extensions) and
+it is self signed it is also assumed to be a CA but a warning is again
+given: this is to work around the problem of Verisign roots which are V1
+self signed certificates.
+
+If the keyUsage extension is present then additional restraints are
+made on the uses of the certificate. A CA certificate B<must> have the
+keyCertSign bit set if the keyUsage extension is present.
+
+The extended key usage extension places additional restrictions on the
+certificate uses. If this extension is present (whether critical or not)
+the key can only be used for the purposes specified.
+
+A complete description of each test is given below. The comments about
+basicConstraints and keyUsage and V1 certificates above apply to B<all>
+CA certificates.
+
+
+=over 4
+
+=item B<SSL Client>
+
+The extended key usage extension must be absent or include the "web client
+authentication" OID.  keyUsage must be absent or it must have the
+digitalSignature bit set. Netscape certificate type must be absent or it must
+have the SSL client bit set.
+
+=item B<SSL Client CA>
+
+The extended key usage extension must be absent or include the "web client
+authentication" OID. Netscape certificate type must be absent or it must have
+the SSL CA bit set: this is used as a work around if the basicConstraints
+extension is absent.
+
+=item B<SSL Server>
+
+The extended key usage extension must be absent or include the "web server
+authentication" and/or one of the SGC OIDs.  keyUsage must be absent or it
+must have the digitalSignature, the keyEncipherment set or both bits set.
+Netscape certificate type must be absent or have the SSL server bit set.
+
+=item B<SSL Server CA>
+
+The extended key usage extension must be absent or include the "web server
+authentication" and/or one of the SGC OIDs.  Netscape certificate type must
+be absent or the SSL CA bit must be set: this is used as a work around if the
+basicConstraints extension is absent.
+
+=item B<Netscape SSL Server>
+
+For Netscape SSL clients to connect to an SSL server it must have the
+keyEncipherment bit set if the keyUsage extension is present. This isn't
+always valid because some cipher suites use the key for digital signing.
+Otherwise it is the same as a normal SSL server.
+
+=item B<Common S/MIME Client Tests>
+
+The extended key usage extension must be absent or include the "email
+protection" OID. Netscape certificate type must be absent or should have the
+S/MIME bit set. If the S/MIME bit is not set in netscape certificate type
+then the SSL client bit is tolerated as an alternative but a warning is shown:
+this is because some Verisign certificates don't set the S/MIME bit.
+
+=item B<S/MIME Signing>
+
+In addition to the common S/MIME client tests the digitalSignature bit must
+be set if the keyUsage extension is present.
+
+=item B<S/MIME Encryption>
+
+In addition to the common S/MIME tests the keyEncipherment bit must be set
+if the keyUsage extension is present.
+
+=item B<S/MIME CA>
+
+The extended key usage extension must be absent or include the "email
+protection" OID. Netscape certificate type must be absent or must have the
+S/MIME CA bit set: this is used as a work around if the basicConstraints
+extension is absent. 
+
+=item B<CRL Signing>
+
+The keyUsage extension must be absent or it must have the CRL signing bit
+set.
+
+=item B<CRL Signing CA>
+
+The normal CA tests apply. Except in this case the basicConstraints extension
+must be present.
+
+=back
+
+=head1 BUGS
+
+The way DNs are printed is in a "historical SSLeay" format which doesn't
+follow any published standard. It should follow some standard like RFC2253
+or RFC1779 with options to make the stuff more readable.
+
+Extensions in certificates are not transferred to certificate requests and
+vice versa.
+
+It is possible to produce invalid certificates or requests by specifying the
+wrong private key or using inconsistent options in some cases: these should
+be checked.
+
+There should be options to explicitly set such things as start and end
+dates rather than an offset from the current time.
+
+The code to implement the verify behaviour described in the B<TRUST SETTINGS>
+is currently being developed. It thus describes the intended behavior rather
+than the current behaviour. It is hoped that it will represent reality in
+OpenSSL 0.9.5 and later.
+
+=head1 SEE ALSO
+
+L<req(1)|req(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>,
+L<gendsa(1)|gendsa(1)>, L<verify(1)|verify(1)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/c-indentation.el b/src/lib/libssl/src/doc/c-indentation.el
new file mode 100644
index 0000000000..9a4a0be598
--- /dev/null
+++ b/src/lib/libssl/src/doc/c-indentation.el
@@ -0,0 +1,36 @@
+; This Emacs Lisp file defines a C indentation style that closely
+; follows most aspects of the one that is used throughout SSLeay,
+; and hence in OpenSSL.
+; 
+; This definition is for the "CC mode" package, which is the default
+; mode for editing C source files in Emacs 20, not for the older
+; c-mode.el (which was the default in less recent releaes of Emacs 19).
+;
+; Copy the definition in your .emacs file or use M-x eval-buffer.
+; To activate this indentation style, visit a C file, type
+; M-x c-set-style <RET> (or C-c . for short), and enter "eay".
+; To toggle the auto-newline feature of CC mode, type C-c C-a.
+;
+; Apparently statement blocks that are not introduced by a statement
+; such as "if" and that are not the body of a function cannot
+; be handled too well by CC mode with this indentation style.
+; The style defined below does not indent them at all.
+; To insert tabs manually, prefix them with ^Q (the "quoted-insert"
+; command of Emacs).  If you know a solution to this problem
+; or find other problems with this indentation style definition,
+; please send e-mail to bodo@openssl.org.
+
+(c-add-style "eay"
+             '((c-basic-offset . 8)
+               (c-comment-only-line-offset . 0)
+               (c-hanging-braces-alist)
+               (c-offsets-alist . ((defun-open . +)
+                                   (defun-block-intro . 0)
+                                   (block-open . 0)
+                                   (substatement-open . +)
+                                   (statement-block-intro . 0)
+                                   (statement-case-open . +)
+                                   (statement-case-intro . +)
+                                   (case-label . -)
+                                   (label . -)
+                                   (arglist-cont-nonempty . +)))))
diff --git a/src/lib/libssl/src/doc/crypto/BIO_ctrl.pod b/src/lib/libssl/src/doc/crypto/BIO_ctrl.pod
new file mode 100644
index 0000000000..722e8b8f46
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BIO_ctrl.pod
@@ -0,0 +1,128 @@
+=pod
+
+=head1 NAME
+
+BIO_ctrl, BIO_callback_ctrl, BIO_ptr_ctrl, BIO_int_ctrl, BIO_reset,
+BIO_seek, BIO_tell, BIO_flush, BIO_eof, BIO_set_close, BIO_get_close,
+BIO_pending, BIO_wpending, BIO_ctrl_pending, BIO_ctrl_wpending,
+BIO_get_info_callback, BIO_set_info_callback - BIO control operations
+
+=head1 SYNOPSIS
+
+ #include <openssl/bio.h>
+
+ long BIO_ctrl(BIO *bp,int cmd,long larg,void *parg);
+ long BIO_callback_ctrl(BIO *b, int cmd, void (*fp)(struct bio_st *, int, const char *, int, long, long));
+ char * BIO_ptr_ctrl(BIO *bp,int cmd,long larg);
+ long BIO_int_ctrl(BIO *bp,int cmd,long larg,int iarg);
+
+ int BIO_reset(BIO *b);
+ int BIO_seek(BIO *b, int ofs);
+ int BIO_tell(BIO *b);
+ int BIO_flush(BIO *b);
+ int BIO_eof(BIO *b);
+ int BIO_set_close(BIO *b,long flag);
+ int BIO_get_close(BIO *b);
+ int BIO_pending(BIO *b);
+ int BIO_wpending(BIO *b);
+ size_t BIO_ctrl_pending(BIO *b);
+ size_t BIO_ctrl_wpending(BIO *b);
+
+ int BIO_get_info_callback(BIO *b,bio_info_cb **cbp);
+ int BIO_set_info_callback(BIO *b,bio_info_cb *cb);
+
+ typedef void bio_info_cb(BIO *b, int oper, const char *ptr, int arg1, long arg2, long arg3);
+
+=head1 DESCRIPTION
+
+BIO_ctrl(), BIO_callback_ctrl(), BIO_ptr_ctrl() and BIO_int_ctrl()
+are BIO "control" operations taking arguments of various types.
+These functions are not normally called directly, various macros
+are used instead. The standard macros are described below, macros
+specific to a particular type of BIO are described in the specific
+BIOs manual page as well as any special features of the standard
+calls.
+
+BIO_reset() typically resets a BIO to some initial state, in the case
+of file related BIOs for example it rewinds the file pointer to the
+start of the file.
+
+BIO_seek() resets a file related BIO's (that is file descriptor and
+FILE BIOs) file position pointer to B<ofs> bytes from start of file.
+
+BIO_tell() returns the current file position of a file related BIO.
+
+BIO_flush() normally writes out any internally buffered data, in some
+cases it is used to signal EOF and that no more data will be written.
+
+BIO_eof() returns 1 if the BIO has read EOF, the precise meaning of
+"EOF" varies according to the BIO type.
+
+BIO_set_close() sets the BIO B<b> close flag to B<flag>. B<flag> can
+take the value BIO_CLOSE or BIO_NOCLOSE. Typically BIO_CLOSE is used
+in a source/sink BIO to indicate that the underlying I/O stream should
+be closed when the BIO is freed.
+
+BIO_get_close() returns the BIOs close flag.
+
+BIO_pending(), BIO_ctrl_pending(), BIO_wpending() and BIO_ctrl_wpending()
+return the number of pending characters in the BIOs read and write buffers.
+Not all BIOs support these calls. BIO_ctrl_pending() and BIO_ctrl_wpending()
+return a size_t type and are functions, BIO_pending() and BIO_wpending() are
+macros which call BIO_ctrl().
+
+=head1 RETURN VALUES
+
+BIO_reset() normally returns 1 for success and 0 or -1 for failure. File
+BIOs are an exception, they return 0 for success and -1 for failure.
+
+BIO_seek() and BIO_tell() both return the current file position on success
+and -1 for failure, except file BIOs which for BIO_seek() always return 0
+for success and -1 for failure.
+
+BIO_flush() returns 1 for success and 0 or -1 for failure.
+
+BIO_eof() returns 1 if EOF has been reached 0 otherwise.
+
+BIO_set_close() always returns 1.
+
+BIO_get_close() returns the close flag value: BIO_CLOSE or BIO_NOCLOSE.
+
+BIO_pending(), BIO_ctrl_pending(), BIO_wpending() and BIO_ctrl_wpending()
+return the amount of pending data.
+
+=head1 NOTES
+
+BIO_flush(), because it can write data may return 0 or -1 indicating
+that the call should be retried later in a similar manner to BIO_write(). 
+The BIO_should_retry() call should be used and appropriate action taken
+is the call fails.
+
+The return values of BIO_pending() and BIO_wpending() may not reliably
+determine the amount of pending data in all cases. For example in the
+case of a file BIO some data may be available in the FILE structures
+internal buffers but it is not possible to determine this in a
+portably way. For other types of BIO they may not be supported.
+
+Filter BIOs if they do not internally handle a particular BIO_ctrl()
+operation usually pass the operation to the next BIO in the chain.
+This often means there is no need to locate the required BIO for
+a particular operation, it can be called on a chain and it will
+be automatically passed to the relevant BIO. However this can cause
+unexpected results: for example no current filter BIOs implement
+BIO_seek(), but this may still succeed if the chain ends in a FILE
+or file descriptor BIO.
+
+Source/sink BIOs return an 0 if they do not recognize the BIO_ctrl()
+operation.
+
+=head1 BUGS
+
+Some of the return values are ambiguous and care should be taken. In
+particular a return value of 0 can be returned if an operation is not
+supported, if an error occurred, if EOF has not been reached and in
+the case of BIO_seek() on a file BIO for a successful operation. 
+
+=head1 SEE ALSO
+
+TBA
diff --git a/src/lib/libssl/src/doc/crypto/BIO_f_base64.pod b/src/lib/libssl/src/doc/crypto/BIO_f_base64.pod
new file mode 100644
index 0000000000..fdb603b38e
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BIO_f_base64.pod
@@ -0,0 +1,82 @@
+=pod
+
+=head1 NAME
+
+BIO_f_base64 - base64 BIO filter
+
+=head1 SYNOPSIS
+
+ #include <openssl/bio.h>
+ #include <openssl/evp.h>
+
+ BIO_METHOD *   BIO_f_base64(void);
+
+=head1 DESCRIPTION
+
+BIO_f_base64() returns the base64 BIO method. This is a filter
+BIO that base64 encodes any data written through it and decodes
+any data read through it.
+
+Base64 BIOs do not support BIO_gets() or BIO_puts(). 
+
+BIO_flush() on a base64 BIO that is being written through is
+used to signal that no more data is to be encoded: this is used
+to flush the final block through the BIO.
+
+The flag BIO_FLAGS_BASE64_NO_NL can be set with BIO_set_flags()
+to encode the data all on one line or expect the data to be all
+on one line.
+
+=head1 NOTES
+
+Because of the format of base64 encoding the end of the encoded
+block cannot always be reliably determined.
+
+=head1 RETURN VALUES
+
+BIO_f_base64() returns the base64 BIO method.
+
+=head1 EXAMPLES
+
+Base64 encode the string "Hello World\n" and write the result
+to standard output:
+
+ BIO *bio, *b64;
+ char message[] = "Hello World \n";
+
+ b64 = BIO_new(BIO_f_base64());
+ bio = BIO_new_fp(stdout, BIO_NOCLOSE);
+ bio = BIO_push(b64, bio);
+ BIO_write(bio, message, strlen(message));
+ BIO_flush(bio);
+
+ BIO_free_all(bio);
+
+Read Base64 encoded data from standard input and write the decoded
+data to standard output:
+
+ BIO *bio, *b64, bio_out;
+ char inbuf[512];
+ int inlen;
+ char message[] = "Hello World \n";
+
+ b64 = BIO_new(BIO_f_base64());
+ bio = BIO_new_fp(stdin, BIO_NOCLOSE);
+ bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
+ bio = BIO_push(b64, bio);
+ while((inlen = BIO_read(bio, inbuf, strlen(message))) > 0) 
+        BIO_write(bio_out, inbuf, inlen);
+
+ BIO_free_all(bio);
+
+=head1 BUGS
+
+The ambiguity of EOF in base64 encoded data can cause additional
+data following the base64 encoded block to be misinterpreted.
+
+There should be some way of specifying a test that the BIO can perform
+to reliably determine EOF (for example a MIME boundary).
+
+=head1 SEE ALSO
+
+TBA
diff --git a/src/lib/libssl/src/doc/crypto/BIO_f_buffer.pod b/src/lib/libssl/src/doc/crypto/BIO_f_buffer.pod
new file mode 100644
index 0000000000..c9093c6a57
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BIO_f_buffer.pod
@@ -0,0 +1,69 @@
+=pod
+
+=head1 NAME
+
+BIO_f_buffer - buffering BIO
+
+=head1 SYNOPSIS
+
+ #include <openssl/bio.h>
+
+ BIO_METHOD * BIO_f_buffer(void);
+
+ #define BIO_get_buffer_num_lines(b)    BIO_ctrl(b,BIO_C_GET_BUFF_NUM_LINES,0,NULL)
+ #define BIO_set_read_buffer_size(b,size) BIO_int_ctrl(b,BIO_C_SET_BUFF_SIZE,size,0)
+ #define BIO_set_write_buffer_size(b,size) BIO_int_ctrl(b,BIO_C_SET_BUFF_SIZE,size,1)
+ #define BIO_set_buffer_size(b,size)    BIO_ctrl(b,BIO_C_SET_BUFF_SIZE,size,NULL)
+ #define BIO_set_buffer_read_data(b,buf,num) BIO_ctrl(b,BIO_C_SET_BUFF_READ_DATA,num,buf)
+
+=head1 DESCRIPTION
+
+BIO_f_buffer() returns the buffering BIO method.
+
+Data written to a buffering BIO is buffered and periodically written
+to the next BIO in the chain. Data read from a buffering BIO comes from
+an internal buffer which is filled from the next BIO in the chain.
+Both BIO_gets() and BIO_puts() are supported.
+
+Calling BIO_reset() on a buffering BIO clears any buffered data.
+
+BIO_get_buffer_num_lines() returns the number of lines currently buffered.
+
+BIO_set_read_buffer_size(), BIO_set_write_buffer_size() and BIO_set_buffer_size()
+set the read, write or both read and write buffer sizes to B<size>. The initial
+buffer size is DEFAULT_BUFFER_SIZE, currently 1024. Any attempt to reduce the
+buffer size below DEFAULT_BUFFER_SIZE is ignored. Any buffered data is cleared
+when the buffer is resized.
+
+BIO_set_buffer_read_data() clears the read buffer and fills it with B<num>
+bytes of B<buf>. If B<num> is larger than the current buffer size the buffer
+is expanded.
+
+=head1 NOTES
+
+Buffering BIOs implement BIO_gets() by using BIO_read() operations on the
+next BIO in the chain. By prepending a buffering BIO to a chain it is therefore
+possible to provide BIO_gets() functionality if the following BIOs do not
+support it (for example SSL BIOs).
+
+Data is only written to the next BIO in the chain when the write buffer fills
+or when BIO_flush() is called. It is therefore important to call BIO_flush()
+whenever any pending data should be written such as when removing a buffering
+BIO using BIO_pop(). BIO_flush() may need to be retried if the ultimate
+source/sink BIO is non blocking.
+
+=head1 RETURN VALUES
+
+BIO_f_buffer() returns the buffering BIO method.
+
+BIO_get_buffer_num_lines() returns the number of lines buffered (may be 0).
+
+BIO_set_read_buffer_size(), BIO_set_write_buffer_size() and BIO_set_buffer_size()
+return 1 if the buffer was successfully resized or 0 for failure.
+
+BIO_set_buffer_read_data() returns 1 if the data was set correctly or 0 if
+there was an error.
+
+=head1 SEE ALSO
+
+TBA
diff --git a/src/lib/libssl/src/doc/crypto/BIO_f_cipher.pod b/src/lib/libssl/src/doc/crypto/BIO_f_cipher.pod
new file mode 100644
index 0000000000..4182f2c309
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BIO_f_cipher.pod
@@ -0,0 +1,76 @@
+=pod
+
+=head1 NAME
+
+BIO_f_cipher, BIO_set_cipher, BIO_get_cipher_status, BIO_get_cipher_ctx - cipher BIO filter
+
+=head1 SYNOPSIS
+
+ #include <openssl/bio.h>
+ #include <openssl/evp.h>
+
+ BIO_METHOD *   BIO_f_cipher(void);
+ void BIO_set_cipher(BIO *b,const EVP_CIPHER *cipher,
+                unsigned char *key, unsigned char *iv, int enc);
+ int BIO_get_cipher_status(BIO *b)
+ int BIO_get_cipher_ctx(BIO *b, EVP_CIPHER_CTX **pctx)
+
+=head1 DESCRIPTION
+
+BIO_f_cipher() returns the cipher BIO method. This is a filter
+BIO that encrypts any data written through it, and decrypts any data
+read from it. It is a BIO wrapper for the cipher routines
+EVP_CipherInit(), EVP_CipherUpdate() and EVP_CipherFinal().
+
+Cipher BIOs do not support BIO_gets() or BIO_puts(). 
+
+BIO_flush() on an encryption BIO that is being written through is
+used to signal that no more data is to be encrypted: this is used
+to flush and possibly pad the final block through the BIO.
+
+BIO_set_cipher() sets the cipher of BIO <b> to B<cipher> using key B<key>
+and IV B<iv>. B<enc> should be set to 1 for encryption and zero for
+decryption.
+
+When reading from an encryption BIO the final block is automatically
+decrypted and checked when EOF is detected. BIO_get_cipher_status()
+is a BIO_ctrl() macro which can be called to determine whether the
+decryption operation was successful.
+
+BIO_get_cipher_ctx() is a BIO_ctrl() macro which retrieves the internal
+BIO cipher context. The retrieved context can be used in conjunction
+with the standard cipher routines to set it up. This is useful when
+BIO_set_cipher() is not flexible enough for the applications needs.
+
+=head1 NOTES
+
+When encrypting BIO_flush() B<must> be called to flush the final block
+through the BIO. If it is not then the final block will fail a subsequent
+decrypt.
+
+When decrypting an error on the final block is signalled by a zero
+return value from the read operation. A successful decrypt followed
+by EOF will also return zero for the final read. BIO_get_cipher_status()
+should be called to determine if the decrypt was successful.
+
+As always, if BIO_gets() or BIO_puts() support is needed then it can
+be achieved by preceding the cipher BIO with a buffering BIO.
+
+=head1 RETURN VALUES
+
+BIO_f_cipher() returns the cipher BIO method.
+
+BIO_set_cipher() does not return a value.
+
+BIO_get_cipher_status() returns 1 for a successful decrypt and 0
+for failure.
+
+BIO_get_cipher_ctx() currently always returns 1.
+
+=head1 EXAMPLES
+
+TBA
+
+=head1 SEE ALSO
+
+TBA
diff --git a/src/lib/libssl/src/doc/crypto/BIO_f_md.pod b/src/lib/libssl/src/doc/crypto/BIO_f_md.pod
new file mode 100644
index 0000000000..c32504dfb1
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BIO_f_md.pod
@@ -0,0 +1,138 @@
+=pod
+
+=head1 NAME
+
+BIO_f_md, BIO_set_md, BIO_get_md, BIO_get_md_ctx - message digest BIO filter
+
+=head1 SYNOPSIS
+
+ #include <openssl/bio.h>
+ #include <openssl/evp.h>
+
+ BIO_METHOD *   BIO_f_md(void);
+ int BIO_set_md(BIO *b,EVP_MD *md);
+ int BIO_get_md(BIO *b,EVP_MD **mdp);
+ int BIO_get_md_ctx(BIO *b,EVP_MD_CTX **mdcp);
+
+=head1 DESCRIPTION
+
+BIO_f_md() returns the message digest BIO method. This is a filter
+BIO that digests any data passed through it, it is a BIO wrapper
+for the digest routines EVP_DigestInit(), EVP_DigestUpdate()
+and EVP_DigestFinal().
+
+Any data written or read through a digest BIO using BIO_read() and
+BIO_write() is digested.
+
+BIO_gets(), if its B<size> parameter is large enough finishes the
+digest calculation and returns the digest value. BIO_puts() is
+not supported.
+
+BIO_reset() reinitializes a digest BIO.
+
+BIO_set_md() sets the message digest of BIO B<b> to B<md>: this
+must be called to initialize a digest BIO before any data is
+passed through it. It is a BIO_ctrl() macro.
+
+BIO_get_md() places the a pointer to the digest BIOs digest method
+in B<mdp>, it is a BIO_ctrl() macro.
+
+BIO_get_md_ctx() returns the digest BIOs context into B<mdcp>.
+
+=head1 NOTES
+
+The context returned by BIO_get_md_ctx() can be used in calls
+to EVP_DigestFinal() and also the signature routines EVP_SignFinal()
+and EVP_VerifyFinal().
+
+The context returned by BIO_get_md_ctx() is an internal context
+structure. Changes made to this context will affect the digest
+BIO itself and the context pointer will become invalid when the digest
+BIO is freed.
+
+After the digest has been retrieved from a digest BIO it must be
+reinitialized by calling BIO_reset(), or BIO_set_md() before any more
+data is passed through it.
+
+If an application needs to call BIO_gets() or BIO_puts() through
+a chain containing digest BIOs then this can be done by prepending
+a buffering BIO.
+
+=head1 RETURN VALUES
+
+BIO_f_md() returns the digest BIO method.
+
+BIO_set_md(), BIO_get_md() and BIO_md_ctx() return 1 for success and
+0 for failure.
+
+=head1 EXAMPLES
+
+The following example creates a BIO chain containing an SHA1 and MD5
+digest BIO and passes the string "Hello World" through it. Error
+checking has been omitted for clarity.
+
+ BIO *bio, *mdtmp;
+ char message[] = "Hello World";
+ bio = BIO_new(BIO_s_null());
+ mdtmp = BIO_new(BIO_f_md());
+ BIO_set_md(mdtmp, EVP_sha1());
+ /* For BIO_push() we want to append the sink BIO and keep a note of
+  * the start of the chain.
+  */
+ bio = BIO_push(mdtmp, bio);
+ mdtmp = BIO_new(BIO_f_md());
+ BIO_set_md(mdtmp, EVP_md5());
+ bio = BIO_push(mdtmp, bio);
+ /* Note: mdtmp can now be discarded */
+ BIO_write(bio, message, strlen(message));
+
+The next example digests data by reading through a chain instead:
+
+ BIO *bio, *mdtmp;
+ char buf[1024];
+ int rdlen;
+ bio = BIO_new_file(file, "rb");
+ mdtmp = BIO_new(BIO_f_md());
+ BIO_set_md(mdtmp, EVP_sha1());
+ bio = BIO_push(mdtmp, bio);
+ mdtmp = BIO_new(BIO_f_md());
+ BIO_set_md(mdtmp, EVP_md5());
+ bio = BIO_push(mdtmp, bio);
+ do {
+        rdlen = BIO_read(bio, buf, sizeof(buf));
+        /* Might want to do something with the data here */
+ } while(rdlen > 0);
+
+This next example retrieves the message digests from a BIO chain and
+outputs them. This could be used with the examples above.
+
+ BIO *mdtmp;
+ unsigned char mdbuf[EVP_MAX_MD_SIZE];
+ int mdlen;
+ int i;
+ mdtmp = bio;   /* Assume bio has previously been set up */
+ do {
+        EVP_MD *md;
+        mdtmp = BIO_find_type(mdtmp, BIO_TYPE_MD);
+        if(!mdtmp) break;
+        BIO_get_md(mdtmp, &md);
+        printf("%s digest", OBJ_nid2sn(EVP_MD_type(md)));
+        mdlen = BIO_gets(mdtmp, mdbuf, EVP_MAX_MD_SIZE);
+        for(i = 0; i < mdlen; i++) printf(":%02X", mdbuf[i]);
+        printf("\n");
+        mdtmp = BIO_next(mdtmp);
+ } while(mdtmp);
+
+ BIO_free_all(bio);
+
+=head1 BUGS
+
+The lack of support for BIO_puts() and the non standard behaviour of
+BIO_gets() could be regarded as anomalous. It could be argued that BIO_gets()
+and BIO_puts() should be passed to the next BIO in the chain and digest
+the data passed through and that digests should be retrieved using a
+separate BIO_ctrl() call.
+
+=head1 SEE ALSO
+
+TBA
diff --git a/src/lib/libssl/src/doc/crypto/BIO_f_null.pod b/src/lib/libssl/src/doc/crypto/BIO_f_null.pod
new file mode 100644
index 0000000000..b057c18408
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BIO_f_null.pod
@@ -0,0 +1,32 @@
+=pod
+
+=head1 NAME
+
+BIO_f_null - null filter
+
+=head1 SYNOPSIS
+
+ #include <openssl/bio.h>
+
+ BIO_METHOD *   BIO_f_null(void);
+
+=head1 DESCRIPTION
+
+BIO_f_null() returns the null filter BIO method. This is a filter BIO
+that does nothing.
+
+All requests to a null filter BIO are passed through to the next BIO in
+the chain: this means that a BIO chain containing a null filter BIO
+behaves just as though the BIO was not there.
+
+=head1 NOTES
+
+As may be apparent a null filter BIO is not particularly useful.
+
+=head1 RETURN VALUES
+
+BIO_f_null() returns the null filter BIO method.
+
+=head1 SEE ALSO
+
+TBA
diff --git a/src/lib/libssl/src/doc/crypto/BIO_f_ssl.pod b/src/lib/libssl/src/doc/crypto/BIO_f_ssl.pod
new file mode 100644
index 0000000000..a56ee2b92f
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BIO_f_ssl.pod
@@ -0,0 +1,313 @@
+=pod
+
+=head1 NAME
+
+BIO_f_ssl, BIO_set_ssl, BIO_get_ssl, BIO_set_ssl_mode, BIO_set_ssl_renegotiate_bytes,
+BIO_get_num_renegotiates, BIO_set_ssl_renegotiate_timeout, BIO_new_ssl,
+BIO_new_ssl_connect, BIO_new_buffer_ssl_connect, BIO_ssl_copy_session_id,
+BIO_ssl_shutdown - SSL BIO
+
+=head1 SYNOPSIS
+
+ #include <openssl/bio.h>
+ #include <openssl/ssl.h>
+
+ BIO_METHOD *BIO_f_ssl(void);
+
+ #define BIO_set_ssl(b,ssl,c)   BIO_ctrl(b,BIO_C_SET_SSL,c,(char *)ssl)
+ #define BIO_get_ssl(b,sslp)    BIO_ctrl(b,BIO_C_GET_SSL,0,(char *)sslp)
+ #define BIO_set_ssl_mode(b,client)     BIO_ctrl(b,BIO_C_SSL_MODE,client,NULL)
+ #define BIO_set_ssl_renegotiate_bytes(b,num) \
+        BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_BYTES,num,NULL);
+ #define BIO_set_ssl_renegotiate_timeout(b,seconds) \
+        BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT,seconds,NULL);
+ #define BIO_get_num_renegotiates(b) \
+        BIO_ctrl(b,BIO_C_SET_SSL_NUM_RENEGOTIATES,0,NULL);
+
+ BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
+ BIO *BIO_new_ssl_connect(SSL_CTX *ctx);
+ BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx);
+ int BIO_ssl_copy_session_id(BIO *to,BIO *from);
+ void BIO_ssl_shutdown(BIO *bio);
+
+ #define BIO_do_handshake(b)    BIO_ctrl(b,BIO_C_DO_STATE_MACHINE,0,NULL)
+
+=head1 DESCRIPTION
+
+BIO_f_ssl() returns the SSL BIO method. This is a filter BIO which
+is a wrapper round the OpenSSL SSL routines adding a BIO "flavour" to
+SSL I/O. 
+
+I/O performed on an SSL BIO communicates using the SSL protocol with
+the SSLs read and write BIOs. If an SSL connection is not established
+then an attempt is made to establish one on the first I/O call.
+
+If a BIO is appended to an SSL BIO using BIO_push() it is automatically
+used as the SSL BIOs read and write BIOs.
+
+Calling BIO_reset() on an SSL BIO closes down any current SSL connection
+by calling SSL_shutdown(). BIO_reset() is then sent to the next BIO in
+the chain: this will typically disconnect the underlying transport.
+The SSL BIO is then reset to the initial accept or connect state.
+
+If the close flag is set when an SSL BIO is freed then the internal
+SSL structure is also freed using SSL_free().
+
+BIO_set_ssl() sets the internal SSL pointer of BIO B<b> to B<ssl> using
+the close flag B<c>.
+
+BIO_get_ssl() retrieves the SSL pointer of BIO B<b>, it can then be
+manipulated using the standard SSL library functions.
+
+BIO_set_ssl_mode() sets the SSL BIO mode to B<client>. If B<client>
+is 1 client mode is set. If B<client> is 0 server mode is set.
+
+BIO_set_ssl_renegotiate_bytes() sets the renegotiate byte count
+to B<num>. When set after every B<num> bytes of I/O (read and write) 
+the SSL session is automatically renegotiated. B<num> must be at
+least 512 bytes.
+
+BIO_set_ssl_renegotiate_timeout() sets the renegotiate timeout to
+B<seconds>. When the renegotiate timeout elapses the session is
+automatically renegotiated.
+
+BIO_get_num_renegotiates() returns the total number of session
+renegotiations due to I/O or timeout.
+
+BIO_new_ssl() allocates an SSL BIO using SSL_CTX B<ctx> and using
+client mode if B<client> is non zero.
+
+BIO_new_ssl_connect() creates a new BIO chain consisting of an
+SSL BIO (using B<ctx>) followed by a connect BIO.
+
+BIO_new_buffer_ssl_connect() creates a new BIO chain consisting
+of a buffering BIO, an SSL BIO (using B<ctx>) and a connect
+BIO.
+
+BIO_ssl_copy_session_id() copies an SSL session id between 
+BIO chains B<from> and B<to>. It does this by locating the
+SSL BIOs in each chain and calling SSL_copy_session_id() on
+the internal SSL pointer.
+
+BIO_ssl_shutdown() closes down an SSL connection on BIO
+chain B<bio>. It does this by locating the SSL BIO in the
+chain and calling SSL_shutdown() on its internal SSL
+pointer.
+
+BIO_do_handshake() attempts to complete an SSL handshake on the
+supplied BIO and establish the SSL connection. It returns 1
+if the connection was established successfully. A zero or negative
+value is returned if the connection could not be established, the
+call BIO_should_retry() should be used for non blocking connect BIOs
+to determine if the call should be retried. If an SSL connection has
+already been established this call has no effect.
+
+=head1 NOTES
+
+SSL BIOs are exceptional in that if the underlying transport
+is non blocking they can still request a retry in exceptional
+circumstances. Specifically this will happen if a session
+renegotiation takes place during a BIO_read() operation, one
+case where this happens is when SGC or step up occurs.
+
+In OpenSSL 0.9.6 and later the SSL flag SSL_AUTO_RETRY can be
+set to disable this behaviour. That is when this flag is set
+an SSL BIO using a blocking transport will never request a
+retry.
+
+Since unknown BIO_ctrl() operations are sent through filter
+BIOs the servers name and port can be set using BIO_set_host()
+on the BIO returned by BIO_new_ssl_connect() without having
+to locate the connect BIO first.
+
+Applications do not have to call BIO_do_handshake() but may wish
+to do so to separate the handshake process from other I/O
+processing.
+
+=head1 RETURN VALUES
+
+TBA
+
+=head1 EXAMPLE
+
+This SSL/TLS client example, attempts to retrieve a page from an
+SSL/TLS web server. The I/O routines are identical to those of the
+unencrypted example in L<BIO_s_connect(3)|BIO_s_connect(3)>.
+
+ BIO *sbio, *out;
+ int len;
+ char tmpbuf[1024];
+ SSL_CTX *ctx;
+ SSL *ssl;
+
+ ERR_load_crypto_strings();
+ ERR_load_SSL_strings();
+ OpenSSL_add_all_algorithms();
+
+ /* We would seed the PRNG here if the platform didn't
+  * do it automatically
+  */
+
+ ctx = SSL_CTX_new(SSLv23_client_method());
+
+ /* We'd normally set some stuff like the verify paths and
+  * mode here because as things stand this will connect to
+  * any server whose certificate is signed by any CA.
+  */
+
+ sbio = BIO_new_ssl_connect(ctx);
+
+ BIO_get_ssl(sbio, &ssl);
+
+ if(!ssl) {
+   fprintf(stderr, "Can't locate SSL pointer\n");
+   /* whatever ... */
+ }
+
+ /* Don't want any retries */
+ SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
+
+ /* We might want to do other things with ssl here */
+
+ BIO_set_conn_hostname(sbio, "localhost:https");
+
+ out = BIO_new_fp(stdout, BIO_NOCLOSE);
+ if(BIO_do_connect(sbio) <= 0) {
+        fprintf(stderr, "Error connecting to server\n");
+        ERR_print_errors_fp(stderr);
+        /* whatever ... */
+ }
+
+ if(BIO_do_handshake(sbio) <= 0) {
+        fprintf(stderr, "Error establishing SSL connection\n");
+        ERR_print_errors_fp(stderr);
+        /* whatever ... */
+ }
+
+ /* Could examine ssl here to get connection info */
+
+ BIO_puts(sbio, "GET / HTTP/1.0\n\n");
+ for(;;) {      
+        len = BIO_read(sbio, tmpbuf, 1024);
+        if(len <= 0) break;
+        BIO_write(out, tmpbuf, len);
+ }
+ BIO_free_all(sbio);
+ BIO_free(out);
+
+Here is a simple server example. It makes use of a buffering
+BIO to allow lines to be read from the SSL BIO using BIO_gets.
+It creates a pseudo web page containing the actual request from
+a client and also echoes the request to standard output.
+
+ BIO *sbio, *bbio, *acpt, *out;
+ int len;
+ char tmpbuf[1024];
+ SSL_CTX *ctx;
+ SSL *ssl;
+
+ ERR_load_crypto_strings();
+ ERR_load_SSL_strings();
+ OpenSSL_add_all_algorithms();
+
+ /* Might seed PRNG here */
+
+ ctx = SSL_CTX_new(SSLv23_server_method());
+
+ if (!SSL_CTX_use_certificate_file(ctx,"server.pem",SSL_FILETYPE_PEM)
+        || !SSL_CTX_use_PrivateKey_file(ctx,"server.pem",SSL_FILETYPE_PEM)
+        || !SSL_CTX_check_private_key(ctx)) {
+
+        fprintf(stderr, "Error setting up SSL_CTX\n");
+        ERR_print_errors_fp(stderr);
+        return 0;
+ }
+
+ /* Might do other things here like setting verify locations and
+  * DH and/or RSA temporary key callbacks
+  */
+
+ /* New SSL BIO setup as server */
+ sbio=BIO_new_ssl(ctx,0);
+
+ BIO_get_ssl(sbio, &ssl);
+
+ if(!ssl) {
+   fprintf(stderr, "Can't locate SSL pointer\n");
+   /* whatever ... */
+ }
+
+ /* Don't want any retries */
+ SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
+
+ /* Create the buffering BIO */
+
+ bbio = BIO_new(BIO_f_buffer());
+
+ /* Add to chain */
+ sbio = BIO_push(bbio, sbio);
+
+ acpt=BIO_new_accept("4433");
+
+ /* By doing this when a new connection is established
+  * we automatically have sbio inserted into it. The
+  * BIO chain is now 'swallowed' by the accept BIO and
+  * will be freed when the accept BIO is freed. 
+  */
+ 
+ BIO_set_accept_bios(acpt,sbio);
+
+ out = BIO_new_fp(stdout, BIO_NOCLOSE);
+
+ /* Setup accept BIO */
+ if(BIO_do_accept(acpt) <= 0) {
+        fprintf(stderr, "Error setting up accept BIO\n");
+        ERR_print_errors_fp(stderr);
+        return 0;
+ }
+
+ /* Now wait for incoming connection */
+ if(BIO_do_accept(acpt) <= 0) {
+        fprintf(stderr, "Error in connection\n");
+        ERR_print_errors_fp(stderr);
+        return 0;
+ }
+
+ /* We only want one connection so remove and free
+  * accept BIO
+  */
+
+ sbio = BIO_pop(acpt);
+
+ BIO_free_all(acpt);
+
+ if(BIO_do_handshake(sbio) <= 0) {
+        fprintf(stderr, "Error in SSL handshake\n");
+        ERR_print_errors_fp(stderr);
+        return 0;
+ }
+
+ BIO_puts(sbio, "HTTP/1.0 200 OK\r\nContent-type: text/html\r\n\r\n");
+ BIO_puts(sbio, "<pre>\r\nConnection Established\r\nRequest headers:\r\n");
+ BIO_puts(sbio, "--------------------------------------------------\r\n");
+
+ for(;;) {
+        len = BIO_gets(sbio, tmpbuf, 1024);
+        if(len <= 0) break;
+        BIO_write(sbio, tmpbuf, len);
+        BIO_write(out, tmpbuf, len);
+        /* Look for blank line signifying end of headers*/
+        if((tmpbuf[0] == '\r') || (tmpbuf[0] == '\n')) break;
+ }
+
+ BIO_puts(sbio, "--------------------------------------------------\r\n");
+ BIO_puts(sbio, "</pre>\r\n");
+
+ /* Since there is a buffering BIO present we had better flush it */
+ BIO_flush(sbio);
+
+ BIO_free_all(sbio);
+
+=head1 SEE ALSO
+
+TBA
diff --git a/src/lib/libssl/src/doc/crypto/BIO_find_type.pod b/src/lib/libssl/src/doc/crypto/BIO_find_type.pod
new file mode 100644
index 0000000000..bd3b256196
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BIO_find_type.pod
@@ -0,0 +1,98 @@
+=pod
+
+=head1 NAME
+
+BIO_find_type, BIO_next - BIO chain traversal
+
+=head1 SYNOPSIS
+
+ #include <openssl/bio.h>
+
+ BIO *  BIO_find_type(BIO *b,int bio_type);
+ BIO *  BIO_next(BIO *b);
+
+ #define BIO_method_type(b)             ((b)->method->type)
+
+ #define BIO_TYPE_NONE          0
+ #define BIO_TYPE_MEM           (1|0x0400)
+ #define BIO_TYPE_FILE          (2|0x0400)
+
+ #define BIO_TYPE_FD            (4|0x0400|0x0100)
+ #define BIO_TYPE_SOCKET                (5|0x0400|0x0100)
+ #define BIO_TYPE_NULL          (6|0x0400)
+ #define BIO_TYPE_SSL           (7|0x0200)
+ #define BIO_TYPE_MD            (8|0x0200)
+ #define BIO_TYPE_BUFFER                (9|0x0200)
+ #define BIO_TYPE_CIPHER                (10|0x0200)
+ #define BIO_TYPE_BASE64                (11|0x0200)
+ #define BIO_TYPE_CONNECT       (12|0x0400|0x0100)
+ #define BIO_TYPE_ACCEPT                (13|0x0400|0x0100)
+ #define BIO_TYPE_PROXY_CLIENT  (14|0x0200)
+ #define BIO_TYPE_PROXY_SERVER  (15|0x0200)
+ #define BIO_TYPE_NBIO_TEST     (16|0x0200)
+ #define BIO_TYPE_NULL_FILTER   (17|0x0200)
+ #define BIO_TYPE_BER           (18|0x0200)
+ #define BIO_TYPE_BIO           (19|0x0400)
+
+ #define BIO_TYPE_DESCRIPTOR    0x0100
+ #define BIO_TYPE_FILTER                0x0200
+ #define BIO_TYPE_SOURCE_SINK   0x0400
+
+=head1 DESCRIPTION
+
+The BIO_find_type() searches for a BIO of a given type in a chain, starting
+at BIO B<b>. If B<type> is a specific type (such as BIO_TYPE_MEM) then a search
+is made for a BIO of that type. If B<type> is a general type (such as
+B<BIO_TYPE_SOURCE_SINK>) then the next matching BIO of the given general type is
+searched for. BIO_find_type() returns the next matching BIO or NULL if none is
+found.
+
+Note: not all the B<BIO_TYPE_*> types above have corresponding BIO implementations.
+
+BIO_next() returns the next BIO in a chain. It can be used to traverse all BIOs
+in a chain or used in conjunction with BIO_find_type() to find all BIOs of a
+certain type.
+
+BIO_method_type() returns the type of a BIO.
+
+=head1 RETURN VALUES
+
+BIO_find_type() returns a matching BIO or NULL for no match.
+
+BIO_next() returns the next BIO in a chain.
+
+BIO_method_type() returns the type of the BIO B<b>.
+
+=head1 NOTES
+
+BIO_next() was added to OpenSSL 0.9.6 to provide a 'clean' way to traverse a BIO
+chain or find multiple matches using BIO_find_type(). Previous versions had to
+use:
+
+ next = bio->next_bio;
+
+=head1 BUGS
+
+BIO_find_type() in OpenSSL 0.9.5a and earlier could not be safely passed a
+NULL pointer for the B<b> argument.
+
+=head1 EXAMPLE
+
+Traverse a chain looking for digest BIOs:
+
+ BIO *btmp;
+ btmp = in_bio; /* in_bio is chain to search through */
+
+ do {
+        btmp = BIO_find_type(btmp, BIO_TYPE_MD);
+        if(btmp == NULL) break; /* Not found */
+        /* btmp is a digest BIO, do something with it ...*/
+        ...
+
+        btmp = BIO_next(btmp);
+ } while(btmp);
+
+
+=head1 SEE ALSO
+
+TBA
diff --git a/src/lib/libssl/src/doc/crypto/BIO_new.pod b/src/lib/libssl/src/doc/crypto/BIO_new.pod
new file mode 100644
index 0000000000..2a245fc8de
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BIO_new.pod
@@ -0,0 +1,65 @@
+=pod
+
+=head1 NAME
+
+BIO_new, BIO_set, BIO_free, BIO_vfree, BIO_free_all - BIO allocation and freeing functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/bio.h>
+
+ BIO *  BIO_new(BIO_METHOD *type);
+ int    BIO_set(BIO *a,BIO_METHOD *type);
+ int    BIO_free(BIO *a);
+ void   BIO_vfree(BIO *a);
+ void   BIO_free_all(BIO *a);
+
+=head1 DESCRIPTION
+
+The BIO_new() function returns a new BIO using method B<type>.
+
+BIO_set() sets the method of an already existing BIO.
+
+BIO_free() frees up a single BIO, BIO_vfree() also frees up a single BIO
+but it does not return a value. Calling BIO_free() may also have some effect
+on the underlying I/O structure, for example it may close the file being
+referred to under certain circumstances. For more details see the individual
+BIO_METHOD descriptions.
+
+BIO_free_all() frees up an entire BIO chain, it does not halt if an error
+occurs freeing up an individual BIO in the chain.
+
+=head1 RETURN VALUES
+
+BIO_new() returns a newly created BIO or NULL if the call fails.
+
+BIO_set(), BIO_free() return 1 for success and 0 for failure.
+
+BIO_free_all() and BIO_vfree() do not return values.
+
+=head1 NOTES
+
+Some BIOs (such as memory BIOs) can be used immediately after calling
+BIO_new(). Others (such as file BIOs) need some additional initialization,
+and frequently a utility function exists to create and initialize such BIOs.
+
+If BIO_free() is called on a BIO chain it will only free one BIO resulting
+in a memory leak.
+
+Calling BIO_free_all() a single BIO has the same effect as calling BIO_free()
+on it other than the discarded return value.
+
+Normally the B<type> argument is supplied by a function which returns a
+pointer to a BIO_METHOD. There is a naming convention for such functions:
+a source/sink BIO is normally called BIO_s_*() and a filter BIO
+BIO_f_*();
+
+=head1 EXAMPLE
+
+Create a memory BIO:
+
+ BIO *mem = BIO_new(BIO_s_mem());
+
+=head1 SEE ALSO
+
+TBA
diff --git a/src/lib/libssl/src/doc/crypto/BIO_push.pod b/src/lib/libssl/src/doc/crypto/BIO_push.pod
new file mode 100644
index 0000000000..8af1d3c097
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BIO_push.pod
@@ -0,0 +1,69 @@
+=pod
+
+=head1 NAME
+
+BIO_push, BIO_pop - add and remove BIOs from a chain.
+
+=head1 SYNOPSIS
+
+ #include <openssl/bio.h>
+
+ BIO *  BIO_push(BIO *b,BIO *append);
+ BIO *  BIO_pop(BIO *b);
+
+=head1 DESCRIPTION
+
+The BIO_push() function appends the BIO B<append> to B<b>, it returns
+B<b>.
+
+BIO_pop() removes the BIO B<b> from a chain and returns the next BIO
+in the chain, or NULL if there is no next BIO. The removed BIO then
+becomes a single BIO with no association with the original chain,
+it can thus be freed or attached to a different chain.
+
+=head1 NOTES
+
+The names of these functions are perhaps a little misleading. BIO_push()
+joins two BIO chains whereas BIO_pop() deletes a single BIO from a chain,
+the deleted BIO does not need to be at the end of a chain.
+
+The process of calling BIO_push() and BIO_pop() on a BIO may have additional
+consequences (a control call is made to the affected BIOs) any effects will
+be noted in the descriptions of individual BIOs.
+
+=head1 EXAMPLES
+
+For these examples suppose B<md1> and B<md2> are digest BIOs, B<b64> is
+a base64 BIO and B<f> is a file BIO.
+
+If the call:
+
+ BIO_push(b64, f);
+
+is made then the new chain will be B<b64-chain>. After making the calls
+
+ BIO_push(md2, b64);
+ BIO_push(md1, md2);
+
+the new chain is B<md1-md2-b64-f>. Data written to B<md1> will be digested
+by B<md1> and B<md2>, B<base64> encoded and written to B<f>.
+
+It should be noted that reading causes data to pass in the reverse
+direction, that is data is read from B<f>, base64 B<decoded> and digested
+by B<md1> and B<md2>. If the call:
+
+ BIO_pop(md2);
+
+The call will return B<b64> and the new chain will be B<md1-b64-f> data can
+be written to B<md1> as before.
+
+=head1 RETURN VALUES
+
+BIO_push() returns the end of the chain, B<b>.
+
+BIO_pop() returns the next BIO in the chain, or NULL if there is no next
+BIO.
+
+=head1 SEE ALSO
+
+TBA
diff --git a/src/lib/libssl/src/doc/crypto/BIO_read.pod b/src/lib/libssl/src/doc/crypto/BIO_read.pod
new file mode 100644
index 0000000000..b34528104d
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BIO_read.pod
@@ -0,0 +1,66 @@
+=pod
+
+=head1 NAME
+
+BIO_read, BIO_write, BIO_gets, BIO_puts - BIO I/O functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/bio.h>
+
+ int    BIO_read(BIO *b, void *buf, int len);
+ int    BIO_gets(BIO *b,char *buf, int size);
+ int    BIO_write(BIO *b, const void *buf, int len);
+ int    BIO_puts(BIO *b,const char *buf);
+
+=head1 DESCRIPTION
+
+BIO_read() attempts to read B<len> bytes from BIO B<b> and places
+the data in B<buf>.
+
+BIO_gets() performs the BIOs "gets" operation and places the data
+in B<buf>. Usually this operation will attempt to read a line of data
+from the BIO of maximum length B<len>. There are exceptions to this
+however, for example BIO_gets() on a digest BIO will calculate and
+return the digest and other BIOs may not support BIO_gets() at all.
+
+BIO_write() attempts to write B<len> bytes from B<buf> to BIO B<b>.
+
+BIO_puts() attempts to write a null terminated string B<buf> to BIO B<b>
+
+=head1 RETURN VALUES
+
+All these functions return either the amount of data successfully read or
+written (if the return value is positive) or that no data was successfully
+read or written if the result is 0 or -1. If the return value is -2 then
+the operation is not implemented in the specific BIO type.
+
+=head1 NOTES
+
+A 0 or -1 return is not necessarily an indication of an error. In
+particular when the source/sink is non-blocking or of a certain type
+it may merely be an indication that no data is currently available and that
+the application should retry the operation later.
+
+One technique sometimes used with blocking sockets is to use a system call
+(such as select(), poll() or equivalent) to determine when data is available
+and then call read() to read the data. The equivalent with BIOs (that is call
+select() on the underlying I/O structure and then call BIO_read() to
+read the data) should B<not> be used because a single call to BIO_read()
+can cause several reads (and writes in the case of SSL BIOs) on the underlying
+I/O structure and may block as a result. Instead select() (or equivalent)
+should be combined with non blocking I/O so successive reads will request
+a retry instead of blocking.
+
+See L<BIO_should_retry(3)|BIO_should_retry(3)> for details of how to
+determine the cause of a retry and other I/O issues.
+
+If the BIO_gets() function is not supported by a BIO then it possible to
+work around this by adding a buffering BIO L<BIO_f_buffer(3)|BIO_f_buffer(3)>
+to the chain.
+
+=head1 SEE ALSO
+
+L<BIO_should_retry(3)|BIO_should_retry(3)>
+
+TBA
diff --git a/src/lib/libssl/src/doc/crypto/BIO_s_accept.pod b/src/lib/libssl/src/doc/crypto/BIO_s_accept.pod
new file mode 100644
index 0000000000..c49da7fb02
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BIO_s_accept.pod
@@ -0,0 +1,184 @@
+=pod
+
+=head1 NAME
+
+BIO_s_accept, BIO_set_nbio, BIO_set_accept_port, BIO_get_accept_port,
+BIO_set_nbio_accept, BIO_set_accept_bios, BIO_set_bind_mode,
+BIO_get_bind_mode, BIO_do_accept - accept BIO
+
+=head1 SYNOPSIS
+
+ #include <openssl/bio.h>
+
+ BIO_METHOD * BIO_s_accept(void);
+
+ #define BIO_set_accept_port(b,name) BIO_ctrl(b,BIO_C_SET_ACCEPT,0,(char *)name)
+ #define BIO_get_accept_port(b) BIO_ptr_ctrl(b,BIO_C_GET_ACCEPT,0)
+
+ BIO *BIO_new_accept(char *host_port);
+
+ #define BIO_set_nbio_accept(b,n) BIO_ctrl(b,BIO_C_SET_ACCEPT,1,(n)?"a":NULL)
+ #define BIO_set_accept_bios(b,bio) BIO_ctrl(b,BIO_C_SET_ACCEPT,2,(char *)bio)
+
+ #define BIO_set_bind_mode(b,mode) BIO_ctrl(b,BIO_C_SET_BIND_MODE,mode,NULL)
+ #define BIO_get_bind_mode(b,mode) BIO_ctrl(b,BIO_C_GET_BIND_MODE,0,NULL)
+
+ #define BIO_BIND_NORMAL                0
+ #define BIO_BIND_REUSEADDR_IF_UNUSED   1
+ #define BIO_BIND_REUSEADDR             2
+
+ #define BIO_do_accept(b)       BIO_do_handshake(b)
+
+=head1 DESCRIPTION
+
+BIO_s_accept() returns the accept BIO method. This is a wrapper
+round the platform's TCP/IP socket accept routines.
+
+Using accept BIOs TCP/IP connections can be accepted and data
+transferred using only BIO routines. In this way any platform
+specific operations are hidden by the BIO abstraction.
+
+Read and write operations on an accept BIO will perform I/O
+on the underlying connection. If no connection is established
+and the port (see below) is set up properly then the BIO
+waits for an incoming connection.
+
+Accept BIOs support BIO_puts() but not BIO_gets().
+
+If the close flag is set on an accept BIO then any active
+connection on that chain is shutdown and the socket closed when
+the BIO is freed.
+
+Calling BIO_reset() on a accept BIO will close any active
+connection and reset the BIO into a state where it awaits another
+incoming connection.
+
+BIO_get_fd() and BIO_set_fd() can be called to retrieve or set
+the accept socket. See L<BIO_s_fd(3)|BIO_s_fd(3)>
+
+BIO_set_accept_port() uses the string B<name> to set the accept
+port. The port is represented as a string of the form "host:port",
+where "host" is the interface to use and "port" is the port.
+Either or both values can be "*" which is interpreted as meaning
+any interface or port respectively. "port" has the same syntax
+as the port specified in BIO_set_conn_port() for connect BIOs,
+that is it can be a numerical port string or a string to lookup
+using getservbyname() and a string table.
+
+BIO_new_accept() combines BIO_new() and BIO_set_accept_port() into
+a single call: that is it creates a new accept BIO with port
+B<host_port>.
+
+BIO_set_nbio_accept() sets the accept socket to blocking mode
+(the default) if B<n> is 0 or non blocking mode if B<n> is 1.
+
+BIO_set_accept_bios() can be used to set a chain of BIOs which
+will be duplicated and prepended to the chain when an incoming
+connection is received. This is useful if, for example, a 
+buffering or SSL BIO is required for each connection. The
+chain of BIOs must not be freed after this call, they will
+be automatically freed when the accept BIO is freed.
+
+BIO_set_bind_mode() and BIO_get_bind_mode() set and retrieve
+the current bind mode. If BIO_BIND_NORMAL (the default) is set
+then another socket cannot be bound to the same port. If
+BIO_BIND_REUSEADDR is set then other sockets can bind to the
+same port. If BIO_BIND_REUSEADDR_IF_UNUSED is set then and
+attempt is first made to use BIO_BIN_NORMAL, if this fails
+and the port is not in use then a second attempt is made
+using BIO_BIND_REUSEADDR.
+
+BIO_do_accept() serves two functions. When it is first
+called, after the accept BIO has been setup, it will attempt
+to create the accept socket and bind an address to it. Second
+and subsequent calls to BIO_do_accept() will await an incoming
+connection.
+
+=head1 NOTES
+
+When an accept BIO is at the end of a chain it will await an
+incoming connection before processing I/O calls. When an accept
+BIO is not at then end of a chain it passes I/O calls to the next
+BIO in the chain.
+
+When a connection is established a new socket BIO is created for
+the connection and appended to the chain. That is the chain is now
+accept->socket. This effectively means that attempting I/O on
+an initial accept socket will await an incoming connection then
+perform I/O on it.
+
+If any additional BIOs have been set using BIO_set_accept_bios()
+then they are placed between the socket and the accept BIO,
+that is the chain will be accept->otherbios->socket.
+
+If a server wishes to process multiple connections (as is normally
+the case) then the accept BIO must be made available for further
+incoming connections. This can be done by waiting for a connection and
+then calling:
+
+ connection = BIO_pop(accept);
+
+After this call B<connection> will contain a BIO for the recently
+established connection and B<accept> will now be a single BIO
+again which can be used to await further incoming connections.
+If no further connections will be accepted the B<accept> can
+be freed using BIO_free().
+
+If only a single connection will be processed it is possible to
+perform I/O using the accept BIO itself. This is often undesirable
+however because the accept BIO will still accept additional incoming
+connections. This can be resolved by using BIO_pop() (see above)
+and freeing up the accept BIO after the initial connection.
+
+=head1 RETURN VALUES
+
+TBA
+
+=head1 EXAMPLE
+
+This example accepts two connections on port 4444, sends messages
+down each and finally closes both down.
+
+ BIO *abio, *cbio, *cbio2;
+ ERR_load_crypto_strings();
+ abio = BIO_new_accept("4444");
+
+ /* First call to BIO_accept() sets up accept BIO */
+ if(BIO_do_accept(abio) <= 0) {
+        fprintf(stderr, "Error setting up accept\n");
+        ERR_print_errors_fp(stderr);
+        exit(0);                
+ }
+
+ /* Wait for incoming connection */
+ if(BIO_do_accept(abio) <= 0) {
+        fprintf(stderr, "Error accepting connection\n");
+        ERR_print_errors_fp(stderr);
+        exit(0);                
+ }
+ fprintf(stderr, "Connection 1 established\n");
+ /* Retrieve BIO for connection */
+ cbio = BIO_pop(abio);
+ BIO_puts(cbio, "Connection 1: Sending out Data on initial connection\n");
+ fprintf(stderr, "Sent out data on connection 1\n");
+ /* Wait for another connection */
+ if(BIO_do_accept(abio) <= 0) {
+        fprintf(stderr, "Error accepting connection\n");
+        ERR_print_errors_fp(stderr);
+        exit(0);                
+ }
+ fprintf(stderr, "Connection 2 established\n");
+ /* Close accept BIO to refuse further connections */
+ cbio2 = BIO_pop(abio);
+ BIO_free(abio);
+ BIO_puts(cbio2, "Connection 2: Sending out Data on second\n");
+ fprintf(stderr, "Sent out data on connection 2\n");
+
+ BIO_puts(cbio, "Connection 1: Second connection established\n");
+ /* Close the two established connections */
+ BIO_free(cbio);
+ BIO_free(cbio2);
+
+=head1 SEE ALSO
+
+TBA
diff --git a/src/lib/libssl/src/doc/crypto/BIO_s_bio.pod b/src/lib/libssl/src/doc/crypto/BIO_s_bio.pod
new file mode 100644
index 0000000000..95ae802e47
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BIO_s_bio.pod
@@ -0,0 +1,130 @@
+=pod
+
+=head1 NAME
+
+BIO_s_bio, BIO_make_bio_pair, BIO_destroy_bio_pair, BIO_shutdown_wr, 
+BIO_set_write_buf_size, BIO_get_write_buf_size, BIO_new_bio_pair,
+BIO_get_write_guarantee, BIO_ctrl_get_write_guarantee, BIO_get_read_request,
+BIO_ctrl_get_read_request, BIO_ctrl_reset_read_request - BIO pair BIO
+
+=head1 SYNOPSIS
+
+ #include <openssl/bio.h>
+
+ BIO_METHOD *BIO_s_bio(void);
+
+ #define BIO_make_bio_pair(b1,b2)   (int)BIO_ctrl(b1,BIO_C_MAKE_BIO_PAIR,0,b2)
+ #define BIO_destroy_bio_pair(b)    (int)BIO_ctrl(b,BIO_C_DESTROY_BIO_PAIR,0,NULL)
+
+ #define BIO_shutdown_wr(b) (int)BIO_ctrl(b, BIO_C_SHUTDOWN_WR, 0, NULL)
+
+ #define BIO_set_write_buf_size(b,size) (int)BIO_ctrl(b,BIO_C_SET_WRITE_BUF_SIZE,size,NULL)
+ #define BIO_get_write_buf_size(b,size) (size_t)BIO_ctrl(b,BIO_C_GET_WRITE_BUF_SIZE,size,NULL)
+
+ int BIO_new_bio_pair(BIO **bio1, size_t writebuf1, BIO **bio2, size_t writebuf2);
+
+ #define BIO_get_write_guarantee(b) (int)BIO_ctrl(b,BIO_C_GET_WRITE_GUARANTEE,0,NULL)
+ size_t BIO_ctrl_get_write_guarantee(BIO *b);
+
+ #define BIO_get_read_request(b)    (int)BIO_ctrl(b,BIO_C_GET_READ_REQUEST,0,NULL)
+ size_t BIO_ctrl_get_read_request(BIO *b);
+
+ int BIO_ctrl_reset_read_request(BIO *b);
+
+=head1 DESCRIPTION
+
+BIO_s_bio() returns the method for a BIO pair. A BIO pair is a pair of source/sink
+BIOs where data written to either half of the pair is buffered and can be read from
+the other half. Both halves must usually by handled by the same application thread
+since no locking is done on the internal data structures.
+
+Since BIO chains typically end in a source/sink BIO it is possible to make this
+one half of a BIO pair and have all the data processed by the chain under application
+control.
+
+One typical use of BIO pairs is to place TLS/SSL I/O under application control, this
+can be used when the application wishes to use a non standard transport for
+TLS/SSL or the normal socket routines are inappropriate.
+
+Calls to BIO_read() will read data from the buffer or request a retry if no
+data is available.
+
+Calls to BIO_write() will place data in the buffer or request a retry if the
+buffer is full.
+
+The standard calls BIO_ctrl_pending() and BIO_ctrl_wpending() can be used to
+determine the amount of pending data in the read or write buffer.
+
+BIO_reset() clears any data in the write buffer.
+
+BIO_make_bio_pair() joins two separate BIOs into a connected pair.
+
+BIO_destroy_pair() destroys the association between two connected BIOs. Freeing
+up any half of the pair will automatically destroy the association.
+
+BIO_shutdown_wr() is used to close down a BIO B<b>. After this call no further
+writes on BIO B<b> are allowed (they will return an error). Reads on the other
+half of the pair will return any pending data or EOF when all pending data has
+been read. 
+
+BIO_set_write_buf_size() sets the write buffer size of BIO B<b> to B<size>.
+If the size is not initialized a default value is used. This is currently
+17K, sufficient for a maximum size TLS record.
+
+BIO_get_write_buf_size() returns the size of the write buffer.
+
+BIO_new_bio_pair() combines the calls to BIO_new(), BIO_make_bio_pair() and
+BIO_set_write_buf_size() to create a connected pair of BIOs B<bio1>, B<bio2>
+with write buffer sizes B<writebuf1> and B<writebuf2>. If either size is
+zero then the default size is used.
+
+BIO_get_write_guarantee() and BIO_ctrl_get_write_guarantee() return the maximum
+length of data that can be currently written to the BIO. Writes larger than this
+value will return a value from BIO_write() less than the amount requested or if the
+buffer is full request a retry. BIO_ctrl_get_write_guarantee() is a function
+whereas BIO_get_write_guarantee() is a macro.
+
+BIO_get_read_request() and BIO_ctrl_get_read_request() return the
+amount of data requested, or the buffer size if it is less, if the
+last read attempt at the other half of the BIO pair failed due to an
+empty buffer.  This can be used to determine how much data should be
+written to the BIO so the next read will succeed: this is most useful
+in TLS/SSL applications where the amount of data read is usually
+meaningful rather than just a buffer size. After a successful read
+this call will return zero.  It also will return zero once new data
+has been written satisfying the read request or part of it.
+Note that BIO_get_read_request() never returns an amount larger
+than that returned by BIO_get_write_guarantee().
+
+BIO_ctrl_reset_read_request() can also be used to reset the value returned by
+BIO_get_read_request() to zero.
+
+=head1 NOTES
+
+Both halves of a BIO pair should be freed. That is even if one half is implicit
+freed due to a BIO_free_all() or SSL_free() call the other half needs to be freed.
+
+When used in bidirectional applications (such as TLS/SSL) care should be taken to
+flush any data in the write buffer. This can be done by calling BIO_pending()
+on the other half of the pair and, if any data is pending, reading it and sending
+it to the underlying transport. This must be done before any normal processing
+(such as calling select() ) due to a request and BIO_should_read() being true.
+
+To see why this is important consider a case where a request is sent using
+BIO_write() and a response read with BIO_read(), this can occur during an
+TLS/SSL handshake for example. BIO_write() will succeed and place data in the write
+buffer. BIO_read() will initially fail and BIO_should_read() will be true. If
+the application then waits for data to be available on the underlying transport
+before flushing the write buffer it will never succeed because the request was
+never sent!
+
+=head1 EXAMPLE
+
+TBA
+
+=head1 SEE ALSO
+
+L<SSL_set_bio(3)|SSL_set_bio(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>,
+L<BIO_should_retry(3)|BIO_should_retry(3)>, L<BIO_read(3)|BIO_read(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/BIO_s_connect.pod b/src/lib/libssl/src/doc/crypto/BIO_s_connect.pod
new file mode 100644
index 0000000000..fe1aa679d4
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BIO_s_connect.pod
@@ -0,0 +1,182 @@
+=pod
+
+=head1 NAME
+
+BIO_s_connect, BIO_set_conn_hostname, BIO_set_conn_port,
+BIO_set_conn_ip, BIO_set_conn_int_port, BIO_get_conn_hostname,
+BIO_get_conn_port, BIO_get_conn_ip, BIO_get_conn_int_port,
+BIO_set_nbio, BIO_do_connect - connect BIO
+
+=head1 SYNOPSIS
+
+ #include <openssl/bio.h>
+
+ BIO_METHOD * BIO_s_connect(void);
+
+ #define BIO_set_conn_hostname(b,name) BIO_ctrl(b,BIO_C_SET_CONNECT,0,(char *)name)
+ #define BIO_set_conn_port(b,port) BIO_ctrl(b,BIO_C_SET_CONNECT,1,(char *)port)
+ #define BIO_set_conn_ip(b,ip)    BIO_ctrl(b,BIO_C_SET_CONNECT,2,(char *)ip)
+ #define BIO_set_conn_int_port(b,port) BIO_ctrl(b,BIO_C_SET_CONNECT,3,(char *)port)
+ #define BIO_get_conn_hostname(b)  BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,0)
+ #define BIO_get_conn_port(b)      BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,1)
+ #define BIO_get_conn_ip(b,ip) BIO_ptr_ctrl(b,BIO_C_SET_CONNECT,2)
+ #define BIO_get_conn_int_port(b,port) BIO_int_ctrl(b,BIO_C_SET_CONNECT,3,port)
+
+ #define BIO_set_nbio(b,n)      BIO_ctrl(b,BIO_C_SET_NBIO,(n),NULL)
+
+ #define BIO_do_connect(b)      BIO_do_handshake(b)
+
+=head1 DESCRIPTION
+
+BIO_s_connect() returns the connect BIO method. This is a wrapper
+round the platform's TCP/IP socket connection routines.
+
+Using connect BIOs TCP/IP connections can be made and data
+transferred using only BIO routines. In this way any platform
+specific operations are hidden by the BIO abstraction.
+
+Read and write operations on a connect BIO will perform I/O
+on the underlying connection. If no connection is established
+and the port and hostname (see below) is set up properly then
+a connection is established first.
+
+Connect BIOs support BIO_puts() but not BIO_gets().
+
+If the close flag is set on a connect BIO then any active
+connection is shutdown and the socket closed when the BIO
+is freed.
+
+Calling BIO_reset() on a connect BIO will close any active
+connection and reset the BIO into a state where it can connect
+to the same host again.
+
+BIO_get_fd() places the underlying socket in B<c> if it is not NULL,
+it also returns the socket . If B<c> is not NULL it should be of
+type (int *).
+
+BIO_set_conn_hostname() uses the string B<name> to set the hostname
+The hostname can be an IP address. The hostname can also include the
+port in the form hostname:port . It is also acceptable to use the
+form "hostname/any/other/path" or "hostname:port/any/other/path".
+
+BIO_set_conn_port() sets the port to B<port>. B<port> can be the
+numerical form or a string such as "http". A string will be looked
+up first using getservbyname() on the host platform but if that
+fails a standard table of port names will be used. Currently the
+list is http, telnet, socks, https, ssl, ftp, gopher and wais.
+
+BIO_set_conn_ip() sets the IP address to B<ip> using binary form,
+that is four bytes specifying the IP address in big-endian form.
+
+BIO_set_conn_int_port() sets the port using B<port>. B<port> should
+be of type (int *).
+
+BIO_get_conn_hostname() returns the hostname of the connect BIO or
+NULL if the BIO is initialized but no hostname is set.
+This return value is an internal pointer which should not be modified.
+
+BIO_get_conn_port() returns the port as a string.
+
+BIO_get_conn_ip() returns the IP address in binary form.
+
+BIO_get_conn_int_port() returns the port as an int.
+
+BIO_set_nbio() sets the non blocking I/O flag to B<n>. If B<n> is
+zero then blocking I/O is set. If B<n> is 1 then non blocking I/O
+is set. Blocking I/O is the default. The call to BIO_set_nbio()
+should be made before the connection is established because 
+non blocking I/O is set during the connect process.
+
+BIO_do_connect() attempts to connect the supplied BIO. It returns 1
+if the connection was established successfully. A zero or negative
+value is returned if the connection could not be established, the
+call BIO_should_retry() should be used for non blocking connect BIOs
+to determine if the call should be retried.
+
+=head1 NOTES
+
+If blocking I/O is set then a non positive return value from any
+I/O call is caused by an error condition, although a zero return
+will normally mean that the connection was closed.
+
+If the port name is supplied as part of the host name then this will
+override any value set with BIO_set_conn_port(). This may be undesirable
+if the application does not wish to allow connection to arbitrary
+ports. This can be avoided by checking for the presence of the ':'
+character in the passed hostname and either indicating an error or
+truncating the string at that point.
+
+The values returned by BIO_get_conn_hostname(), BIO_get_conn_port(),
+BIO_get_conn_ip() and BIO_get_conn_int_port() are updated when a
+connection attempt is made. Before any connection attempt the values
+returned are those set by the application itself.
+
+Applications do not have to call BIO_do_connect() but may wish to do
+so to separate the connection process from other I/O processing.
+
+If non blocking I/O is set then retries will be requested as appropriate.
+
+It addition to BIO_should_read() and BIO_should_write() it is also
+possible for BIO_should_io_special() to be true during the initial
+connection process with the reason BIO_RR_CONNECT. If this is returned
+then this is an indication that a connection attempt would block,
+the application should then take appropriate action to wait until
+the underlying socket has connected and retry the call.
+
+=head1 RETURN VALUES
+
+BIO_s_connect() returns the connect BIO method.
+
+BIO_get_fd() returns the socket or -1 if the BIO has not
+been initialized.
+
+BIO_set_conn_hostname(), BIO_set_conn_port(), BIO_set_conn_ip() and
+BIO_set_conn_int_port() always return 1.
+
+BIO_get_conn_hostname() returns the connected hostname or NULL is
+none was set.
+
+BIO_get_conn_port() returns a string representing the connected
+port or NULL if not set.
+
+BIO_get_conn_ip() returns a pointer to the connected IP address in
+binary form or all zeros if not set.
+
+BIO_get_conn_int_port() returns the connected port or 0 if none was
+set.
+
+BIO_set_nbio() always returns 1.
+
+BIO_do_connect() returns 1 if the connection was successfully
+established and 0 or -1 if the connection failed.
+
+=head1 EXAMPLE
+
+This is example connects to a webserver on the local host and attempts
+to retrieve a page and copy the result to standard output.
+
+
+ BIO *cbio, *out;
+ int len;
+ char tmpbuf[1024];
+ ERR_load_crypto_strings();
+ cbio = BIO_new_connect("localhost:http");
+ out = BIO_new_fp(stdout, BIO_NOCLOSE);
+ if(BIO_do_connect(cbio) <= 0) {
+        fprintf(stderr, "Error connecting to server\n");
+        ERR_print_errors_fp(stderr);
+        /* whatever ... */
+        }
+ BIO_puts(cbio, "GET / HTTP/1.0\n\n");
+ for(;;) {      
+        len = BIO_read(cbio, tmpbuf, 1024);
+        if(len <= 0) break;
+        BIO_write(out, tmpbuf, len);
+ }
+ BIO_free(cbio);
+ BIO_free(out);
+
+
+=head1 SEE ALSO
+
+TBA
diff --git a/src/lib/libssl/src/doc/crypto/BIO_s_fd.pod b/src/lib/libssl/src/doc/crypto/BIO_s_fd.pod
new file mode 100644
index 0000000000..b1de1d1015
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BIO_s_fd.pod
@@ -0,0 +1,89 @@
+=pod
+
+=head1 NAME
+
+BIO_s_fd, BIO_set_fd, BIO_get_fd, BIO_new_fd - file descriptor BIO
+
+=head1 SYNOPSIS
+
+ #include <openssl/bio.h>
+
+ BIO_METHOD *   BIO_s_fd(void);
+
+ #define BIO_set_fd(b,fd,c)     BIO_int_ctrl(b,BIO_C_SET_FD,c,fd)
+ #define BIO_get_fd(b,c)        BIO_ctrl(b,BIO_C_GET_FD,0,(char *)c)
+
+ BIO *BIO_new_fd(int fd, int close_flag);
+
+=head1 DESCRIPTION
+
+BIO_s_fd() returns the file descriptor BIO method. This is a wrapper
+round the platforms file descriptor routines such as read() and write().
+
+BIO_read() and BIO_write() read or write the underlying descriptor.
+BIO_puts() is supported but BIO_gets() is not.
+
+If the close flag is set then then close() is called on the underlying
+file descriptor when the BIO is freed.
+
+BIO_reset() attempts to change the file pointer to the start of file
+using lseek(fd, 0, 0).
+
+BIO_seek() sets the file pointer to position B<ofs> from start of file
+using lseek(fd, ofs, 0).
+
+BIO_tell() returns the current file position by calling lseek(fd, 0, 1).
+
+BIO_set_fd() sets the file descriptor of BIO B<b> to B<fd> and the close
+flag to B<c>.
+
+BIO_get_fd() places the file descriptor in B<c> if it is not NULL, it also
+returns the file descriptor. If B<c> is not NULL it should be of type
+(int *).
+
+BIO_new_fd() returns a file descriptor BIO using B<fd> and B<close_flag>.
+
+=head1 NOTES
+
+The behaviour of BIO_read() and BIO_write() depends on the behavior of the
+platforms read() and write() calls on the descriptor. If the underlying 
+file descriptor is in a non blocking mode then the BIO will behave in the
+manner described in the L<BIO_read(3)|BIO_read(3)> and L<BIO_should_retry(3)|BIO_should_retry(3)>
+manual pages.
+
+File descriptor BIOs should not be used for socket I/O. Use socket BIOs
+instead.
+
+=head1 RETURN VALUES
+
+BIO_s_fd() returns the file descriptor BIO method.
+
+BIO_reset() returns zero for success and -1 if an error occurred.
+BIO_seek() and BIO_tell() return the current file position or -1
+is an error occurred. These values reflect the underlying lseek()
+behaviour.
+
+BIO_set_fd() always returns 1.
+
+BIO_get_fd() returns the file descriptor or -1 if the BIO has not
+been initialized.
+
+BIO_new_fd() returns the newly allocated BIO or NULL is an error
+occurred.
+
+=head1 EXAMPLE
+
+This is a file descriptor BIO version of "Hello World":
+
+ BIO *out;
+ out = BIO_new_fd(fileno(stdout), BIO_NOCLOSE);
+ BIO_printf(out, "Hello World\n");
+ BIO_free(out);
+
+=head1 SEE ALSO
+
+L<BIO_seek(3)|BIO_seek(3)>, L<BIO_tell(3)|BIO_tell(3)>,
+L<BIO_reset(3)|BIO_reset(3)>, L<BIO_read(3)|BIO_read(3)>,
+L<BIO_write(3)|BIO_write(3)>, L<BIO_puts(3)|BIO_puts(3)>,
+L<BIO_gets(3)|BIO_gets(3)>, L<BIO_printf(3)|BIO_printf(3)>,
+L<BIO_set_close(3)|BIO_set_close(3)>, L<BIO_get_close(3)|BIO_get_close(3)>
diff --git a/src/lib/libssl/src/doc/crypto/BIO_s_file.pod b/src/lib/libssl/src/doc/crypto/BIO_s_file.pod
new file mode 100644
index 0000000000..b2a29263f4
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BIO_s_file.pod
@@ -0,0 +1,144 @@
+=pod
+
+=head1 NAME
+
+BIO_s_file, BIO_new_file, BIO_new_fp, BIO_set_fp, BIO_get_fp,
+BIO_read_filename, BIO_write_filename, BIO_append_filename,
+BIO_rw_filename - FILE bio
+
+=head1 SYNOPSIS
+
+ #include <openssl/bio.h>
+
+ BIO_METHOD *   BIO_s_file(void);
+ BIO *BIO_new_file(const char *filename, const char *mode);
+ BIO *BIO_new_fp(FILE *stream, int flags);
+
+ BIO_set_fp(BIO *b,FILE *fp, int flags);
+ BIO_get_fp(BIO *b,FILE **fpp);
+
+ int BIO_read_filename(BIO *b, char *name)
+ int BIO_write_filename(BIO *b, char *name)
+ int BIO_append_filename(BIO *b, char *name)
+ int BIO_rw_filename(BIO *b, char *name)
+
+=head1 DESCRIPTION
+
+BIO_s_file() returns the BIO file method. As its name implies it
+is a wrapper round the stdio FILE structure and it is a
+source/sink BIO.
+
+Calls to BIO_read() and BIO_write() read and write data to the
+underlying stream. BIO_gets() and BIO_puts() are supported on file BIOs.
+
+BIO_flush() on a file BIO calls the fflush() function on the wrapped
+stream.
+
+BIO_reset() attempts to change the file pointer to the start of file
+using fseek(stream, 0, 0).
+
+BIO_seek() sets the file pointer to position B<ofs> from start of file
+using fseek(stream, ofs, 0).
+
+BIO_eof() calls feof().
+
+Setting the BIO_CLOSE flag calls fclose() on the stream when the BIO
+is freed.
+
+BIO_new_file() creates a new file BIO with mode B<mode> the meaning
+of B<mode> is the same as the stdio function fopen(). The BIO_CLOSE
+flag is set on the returned BIO.
+
+BIO_new_fp() creates a file BIO wrapping B<stream>. Flags can be:
+BIO_CLOSE, BIO_NOCLOSE (the close flag) BIO_FP_TEXT (sets the underlying
+stream to text mode, default is binary: this only has any effect under
+Win32).
+
+BIO_set_fp() set the fp of a file BIO to B<fp>. B<flags> has the same
+meaning as in BIO_new_fp(), it is a macro.
+
+BIO_get_fp() retrieves the fp of a file BIO, it is a macro.
+
+BIO_seek() is a macro that sets the position pointer to B<offset> bytes
+from the start of file.
+
+BIO_tell() returns the value of the position pointer.
+
+BIO_read_filename(), BIO_write_filename(), BIO_append_filename() and
+BIO_rw_filename() set the file BIO B<b> to use file B<name> for
+reading, writing, append or read write respectively.
+
+=head1 NOTES
+
+When wrapping stdout, stdin or stderr the underlying stream should not
+normally be closed so the BIO_NOCLOSE flag should be set.
+
+Because the file BIO calls the underlying stdio functions any quirks
+in stdio behaviour will be mirrored by the corresponding BIO.
+
+=head1 EXAMPLES
+
+File BIO "hello world":
+
+ BIO *bio_out;
+ bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
+ BIO_printf(bio_out, "Hello World\n");
+
+Alternative technique:
+
+ BIO *bio_out;
+ bio_out = BIO_new(BIO_s_file());
+ if(bio_out == NULL) /* Error ... */
+ if(!BIO_set_fp(bio_out, stdout, BIO_NOCLOSE)) /* Error ... */
+ BIO_printf(bio_out, "Hello World\n");
+
+Write to a file:
+
+ BIO *out;
+ out = BIO_new_file("filename.txt", "w");
+ if(!out) /* Error occurred */
+ BIO_printf(out, "Hello World\n");
+ BIO_free(out);
+
+Alternative technique:
+
+ BIO *out;
+ out = BIO_new(BIO_s_file());
+ if(out == NULL) /* Error ... */
+ if(!BIO_write_filename(out, "filename.txt")) /* Error ... */
+ BIO_printf(out, "Hello World\n");
+ BIO_free(out);
+
+=head1 RETURN VALUES
+
+BIO_s_file() returns the file BIO method.
+
+BIO_new_file() and BIO_new_fp() return a file BIO or NULL if an error
+occurred.
+
+BIO_set_fp() and BIO_get_fp() return 1 for success or 0 for failure
+(although the current implementation never return 0).
+
+BIO_seek() returns the same value as the underlying fseek() function:
+0 for success or -1 for failure.
+
+BIO_tell() returns the current file position.
+
+BIO_read_filename(), BIO_write_filename(),  BIO_append_filename() and
+BIO_rw_filename() return 1 for success or 0 for failure.
+
+=head1 BUGS
+
+BIO_reset() and BIO_seek() are implemented using fseek() on the underlying
+stream. The return value for fseek() is 0 for success or -1 if an error
+occurred this differs from other types of BIO which will typically return
+1 for success and a non positive value if an error occurred.
+
+=head1 SEE ALSO
+
+L<BIO_seek(3)|BIO_seek(3)>, L<BIO_tell(3)|BIO_tell(3)>,
+L<BIO_reset(3)|BIO_reset(3)>, L<BIO_flush(3)|BIO_flush(3)>,
+L<BIO_read(3)|BIO_read(3)>,
+L<BIO_write(3)|BIO_write(3)>, L<BIO_puts(3)|BIO_puts(3)>,
+L<BIO_gets(3)|BIO_gets(3)>, L<BIO_printf(3)|BIO_printf(3)>,
+L<BIO_set_close(3)|BIO_set_close(3)>, L<BIO_get_close(3)|BIO_get_close(3)>
diff --git a/src/lib/libssl/src/doc/crypto/BIO_s_mem.pod b/src/lib/libssl/src/doc/crypto/BIO_s_mem.pod
new file mode 100644
index 0000000000..19648acfae
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BIO_s_mem.pod
@@ -0,0 +1,115 @@
+=pod
+
+=head1 NAME
+
+BIO_s_mem, BIO_set_mem_eof_return, BIO_get_mem_data, BIO_set_mem_buf,
+BIO_get_mem_ptr, BIO_new_mem_buf - memory BIO
+
+=head1 SYNOPSIS
+
+ #include <openssl/bio.h>
+
+ BIO_METHOD *   BIO_s_mem(void);
+
+ BIO_set_mem_eof_return(BIO *b,int v)
+ long BIO_get_mem_data(BIO *b, char **pp)
+ BIO_set_mem_buf(BIO *b,BUF_MEM *bm,int c)
+ BIO_get_mem_ptr(BIO *b,BUF_MEM **pp)
+
+ BIO *BIO_new_mem_buf(void *buf, int len);
+
+=head1 DESCRIPTION
+
+BIO_s_mem() return the memory BIO method function. 
+
+A memory BIO is a source/sink BIO which uses memory for its I/O. Data
+written to a memory BIO is stored in a BUF_MEM structure which is extended
+as appropriate to accommodate the stored data.
+
+Any data written to a memory BIO can be recalled by reading from it.
+Unless the memory BIO is read only any data read from it is deleted from
+the BIO.
+
+Memory BIOs support BIO_gets() and BIO_puts().
+
+If the BIO_CLOSE flag is set when a memory BIO is freed then the underlying
+BUF_MEM structure is also freed.
+
+Calling BIO_reset() on a read write memory BIO clears any data in it. On a
+read only BIO it restores the BIO to its original state and the read only
+data can be read again.
+
+BIO_eof() is true if no data is in the BIO.
+
+BIO_ctrl_pending() returns the number of bytes currently stored.
+
+BIO_set_mem_eof_return() sets the behaviour of memory BIO B<b> when it is
+empty. If the B<v> is zero then an empty memory BIO will return EOF (that is
+it will return zero and BIO_should_retry(b) will be false. If B<v> is non
+zero then it will return B<v> when it is empty and it will set the read retry
+flag (that is BIO_read_retry(b) is true). To avoid ambiguity with a normal
+positive return value B<v> should be set to a negative value, typically -1.
+
+BIO_get_mem_data() sets B<pp> to a pointer to the start of the memory BIOs data
+and returns the total amount of data available. It is implemented as a macro.
+
+BIO_set_mem_buf() sets the internal BUF_MEM structure to B<bm> and sets the
+close flag to B<c>, that is B<c> should be either BIO_CLOSE or BIO_NOCLOSE.
+It is a macro.
+
+BIO_get_mem_ptr() places the underlying BUF_MEM structure in B<pp>. It is
+a macro.
+
+BIO_new_mem_buf() creates a memory BIO using B<len> bytes of data at B<buf>,
+if B<len> is -1 then the B<buf> is assumed to be null terminated and its
+length is determined by B<strlen>. The BIO is set to a read only state and
+as a result cannot be written to. This is useful when some data needs to be
+made available from a static area of memory in the form of a BIO. The
+supplied data is read directly from the supplied buffer: it is B<not> copied
+first, so the supplied area of memory must be unchanged until the BIO is freed.
+
+=head1 NOTES
+
+Writes to memory BIOs will always succeed if memory is available: that is
+their size can grow indefinitely.
+
+Every read from a read write memory BIO will remove the data just read with
+an internal copy operation, if a BIO contains a lots of data and it is
+read in small chunks the operation can be very slow. The use of a read only
+memory BIO avoids this problem. If the BIO must be read write then adding
+a buffering BIO to the chain will speed up the process.
+
+=head1 BUGS
+
+There should be an option to set the maximum size of a memory BIO.
+
+There should be a way to "rewind" a read write BIO without destroying
+its contents.
+
+The copying operation should not occur after every small read of a large BIO
+to improve efficiency.
+
+=head1 EXAMPLE
+
+Create a memory BIO and write some data to it:
+
+ BIO *mem = BIO_new(BIO_s_mem());
+ BIO_puts(mem, "Hello World\n"); 
+
+Create a read only memory BIO:
+
+ char data[] = "Hello World";
+ BIO *mem;
+ mem = BIO_new_mem_buf(data, -1);
+
+Extract the BUF_MEM structure from a memory BIO and then free up the BIO:
+
+ BUF_MEM *bptr;
+ BIO_get_mem_ptr(mem, &bptr);
+ BIO_set_close(mem, BIO_NOCLOSE); /* So BIO_free() leaves BUF_MEM alone */
+ BIO_free(mem);
+ 
+
+=head1 SEE ALSO
+
+TBA
diff --git a/src/lib/libssl/src/doc/crypto/BIO_s_null.pod b/src/lib/libssl/src/doc/crypto/BIO_s_null.pod
new file mode 100644
index 0000000000..e5514f7238
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BIO_s_null.pod
@@ -0,0 +1,37 @@
+=pod
+
+=head1 NAME
+
+BIO_s_null - null data sink
+
+=head1 SYNOPSIS
+
+ #include <openssl/bio.h>
+
+ BIO_METHOD *   BIO_s_null(void);
+
+=head1 DESCRIPTION
+
+BIO_s_null() returns the null sink BIO method. Data written to
+the null sink is discarded, reads return EOF.
+
+=head1 NOTES
+
+A null sink BIO behaves in a similar manner to the Unix /dev/null
+device.
+
+A null bio can be placed on the end of a chain to discard any data
+passed through it.
+
+A null sink is useful if, for example, an application wishes to digest some
+data by writing through a digest bio but not send the digested data anywhere.
+Since a BIO chain must normally include a source/sink BIO this can be achieved
+by adding a null sink BIO to the end of the chain
+
+=head1 RETURN VALUES
+
+BIO_s_null() returns the null sink BIO method.
+
+=head1 SEE ALSO
+
+TBA
diff --git a/src/lib/libssl/src/doc/crypto/BIO_s_socket.pod b/src/lib/libssl/src/doc/crypto/BIO_s_socket.pod
new file mode 100644
index 0000000000..253185185c
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BIO_s_socket.pod
@@ -0,0 +1,61 @@
+=pod
+
+=head1 NAME
+
+BIO_s_socket, BIO_new_socket - socket BIO
+
+=head1 SYNOPSIS
+
+ #include <openssl/bio.h>
+
+ BIO_METHOD *   BIO_s_socket(void);
+
+ #define BIO_set_fd(b,fd,c)     BIO_int_ctrl(b,BIO_C_SET_FD,c,fd)
+ #define BIO_get_fd(b,c)        BIO_ctrl(b,BIO_C_GET_FD,0,(char *)c)
+
+ BIO *BIO_new_socket(int sock, int close_flag);
+
+=head1 DESCRIPTION
+
+BIO_s_socket() returns the socket BIO method. This is a wrapper
+round the platform's socket routines.
+
+BIO_read() and BIO_write() read or write the underlying socket.
+BIO_puts() is supported but BIO_gets() is not.
+
+If the close flag is set then the socket is shut down and closed
+when the BIO is freed.
+
+BIO_set_fd() sets the socket of BIO B<b> to B<fd> and the close
+flag to B<c>.
+
+BIO_get_fd() places the socket in B<c> if it is not NULL, it also
+returns the socket . If B<c> is not NULL it should be of type (int *).
+
+BIO_new_socket() returns a socket BIO using B<sock> and B<close_flag>.
+
+=head1 NOTES
+
+Socket BIOs also support any relevant functionality of file descriptor
+BIOs.
+
+The reason for having separate file descriptor and socket BIOs is that on some
+platforms sockets are not file descriptors and use distinct I/O routines,
+Windows is one such platform. Any code mixing the two will not work on
+all platforms.
+
+=head1 RETURN VALUES
+
+BIO_s_socket() returns the socket BIO method.
+
+BIO_set_fd() always returns 1.
+
+BIO_get_fd() returns the socket or -1 if the BIO has not been
+initialized.
+
+BIO_new_socket() returns the newly allocated BIO or NULL is an error
+occurred.
+
+=head1 SEE ALSO
+
+TBA
diff --git a/src/lib/libssl/src/doc/crypto/BIO_set_callback.pod b/src/lib/libssl/src/doc/crypto/BIO_set_callback.pod
new file mode 100644
index 0000000000..9b6961ca8d
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BIO_set_callback.pod
@@ -0,0 +1,108 @@
+=pod
+
+=head1 NAME
+
+BIO_set_callback, BIO_get_callback, BIO_set_callback_arg, BIO_get_callback_arg,
+BIO_debug_callback - BIO callback functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/bio.h>
+
+ #define BIO_set_callback(b,cb)         ((b)->callback=(cb))
+ #define BIO_get_callback(b)            ((b)->callback)
+ #define BIO_set_callback_arg(b,arg)    ((b)->cb_arg=(char *)(arg))
+ #define BIO_get_callback_arg(b)                ((b)->cb_arg)
+
+ long BIO_debug_callback(BIO *bio,int cmd,const char *argp,int argi,
+        long argl,long ret);
+
+ typedef long callback(BIO *b, int oper, const char *argp,
+                        int argi, long argl, long retvalue);
+
+=head1 DESCRIPTION
+
+BIO_set_callback() and BIO_get_callback() set and retrieve the BIO callback,
+they are both macros. The callback is called during most high level BIO
+operations. It can be used for debugging purposes to trace operations on
+a BIO or to modify its operation.
+
+BIO_set_callback_arg() and BIO_get_callback_arg() are macros which can be
+used to set and retrieve an argument for use in the callback.
+
+BIO_debug_callback() is a standard debugging callback which prints
+out information relating to each BIO operation. If the callback
+argument is set if is interpreted as a BIO to send the information
+to, otherwise stderr is used.
+
+callback() is the callback function itself. The meaning of each
+argument is described below.
+
+The BIO the callback is attached to is passed in B<b>.
+
+B<oper> is set to the operation being performed. For some operations
+the callback is called twice, once before and once after the actual
+operation, the latter case has B<oper> or'ed with BIO_CB_RETURN.
+
+The meaning of the arguments B<argp>, B<argi> and B<argl> depends on
+the value of B<oper>, that is the operation being performed.
+
+B<retvalue> is the return value that would be returned to the
+application if no callback were present. The actual value returned
+is the return value of the callback itself. In the case of callbacks
+called before the actual BIO operation 1 is placed in retvalue, if
+the return value is not positive it will be immediately returned to
+the application and the BIO operation will not be performed.
+
+The callback should normally simply return B<retvalue> when it has
+finished processing, unless if specifically wishes to modify the
+value returned to the application.
+
+=head1 CALLBACK OPERATIONS
+
+=over 4
+
+=item B<BIO_free(b)>
+
+callback(b, BIO_CB_FREE, NULL, 0L, 0L, 1L) is called before the
+free operation.
+
+=item B<BIO_read(b, out, outl)>
+
+callback(b, BIO_CB_READ, out, outl, 0L, 1L) is called before
+the read and callback(b, BIO_CB_READ|BIO_CB_RETURN, out, outl, 0L, retvalue)
+after.
+
+=item B<BIO_write(b, in, inl)>
+
+callback(b, BIO_CB_WRITE, in, inl, 0L, 1L) is called before
+the write and callback(b, BIO_CB_WRITE|BIO_CB_RETURN, in, inl, 0L, retvalue)
+after.
+
+=item B<BIO_gets(b, out, outl)>
+
+callback(b, BIO_CB_GETS, out, outl, 0L, 1L) is called before
+the operation and callback(b, BIO_CB_GETS|BIO_CB_RETURN, out, outl, 0L, retvalue)
+after.
+
+=item B<BIO_puts(b, in)>
+
+callback(b, BIO_CB_WRITE, in, 0, 0L, 1L) is called before
+the operation and callback(b, BIO_CB_WRITE|BIO_CB_RETURN, in, 0, 0L, retvalue)
+after.
+
+=item B<BIO_ctrl(BIO *b, int cmd, long larg, void *parg)>
+
+callback(b,BIO_CB_CTRL,parg,cmd,larg,1L) is called before the call and
+callback(b,BIO_CB_CTRL|BIO_CB_RETURN,parg,cmd, larg,ret) after.
+
+=back
+
+=head1 EXAMPLE
+
+The BIO_debug_callback() function is a good example, its source is
+in crypto/bio/bio_cb.c
+
+=head1 SEE ALSO
+
+TBA
diff --git a/src/lib/libssl/src/doc/crypto/BIO_should_retry.pod b/src/lib/libssl/src/doc/crypto/BIO_should_retry.pod
new file mode 100644
index 0000000000..539c391272
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BIO_should_retry.pod
@@ -0,0 +1,114 @@
+=pod
+
+=head1 NAME
+
+BIO_should_retry, BIO_should_read, BIO_should_write,
+BIO_should_io_special, BIO_retry_type, BIO_should_retry,
+BIO_get_retry_BIO, BIO_get_retry_reason - BIO retry functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/bio.h>
+
+ #define BIO_should_read(a)             ((a)->flags & BIO_FLAGS_READ)
+ #define BIO_should_write(a)            ((a)->flags & BIO_FLAGS_WRITE)
+ #define BIO_should_io_special(a)       ((a)->flags & BIO_FLAGS_IO_SPECIAL)
+ #define BIO_retry_type(a)              ((a)->flags & BIO_FLAGS_RWS)
+ #define BIO_should_retry(a)            ((a)->flags & BIO_FLAGS_SHOULD_RETRY)
+
+ #define BIO_FLAGS_READ         0x01
+ #define BIO_FLAGS_WRITE        0x02
+ #define BIO_FLAGS_IO_SPECIAL   0x04
+ #define BIO_FLAGS_RWS (BIO_FLAGS_READ|BIO_FLAGS_WRITE|BIO_FLAGS_IO_SPECIAL)
+ #define BIO_FLAGS_SHOULD_RETRY 0x08
+
+ BIO *  BIO_get_retry_BIO(BIO *bio, int *reason);
+ int    BIO_get_retry_reason(BIO *bio);
+
+=head1 DESCRIPTION
+
+These functions determine why a BIO is not able to read or write data.
+They will typically be called after a failed BIO_read() or BIO_write()
+call.
+
+BIO_should_retry() is true if the call that produced this condition
+should then be retried at a later time.
+
+If BIO_should_retry() is false then the cause is an error condition.
+
+BIO_should_read() is true if the cause of the condition is that a BIO
+needs to read data.
+
+BIO_should_write() is true if the cause of the condition is that a BIO
+needs to read data.
+
+BIO_should_io_special() is true if some "special" condition, that is a
+reason other than reading or writing is the cause of the condition.
+
+BIO_get_retry_reason() returns a mask of the cause of a retry condition
+consisting of the values B<BIO_FLAGS_READ>, B<BIO_FLAGS_WRITE>,
+B<BIO_FLAGS_IO_SPECIAL> though current BIO types will only set one of
+these.
+
+BIO_get_retry_BIO() determines the precise reason for the special
+condition, it returns the BIO that caused this condition and if 
+B<reason> is not NULL it contains the reason code. The meaning of
+the reason code and the action that should be taken depends on
+the type of BIO that resulted in this condition.
+
+BIO_get_retry_reason() returns the reason for a special condition if
+passed the relevant BIO, for example as returned by BIO_get_retry_BIO().
+
+=head1 NOTES
+
+If BIO_should_retry() returns false then the precise "error condition"
+depends on the BIO type that caused it and the return code of the BIO
+operation. For example if a call to BIO_read() on a socket BIO returns
+0 and BIO_should_retry() is false then the cause will be that the
+connection closed. A similar condition on a file BIO will mean that it
+has reached EOF. Some BIO types may place additional information on
+the error queue. For more details see the individual BIO type manual
+pages.
+
+If the underlying I/O structure is in a blocking mode almost all current
+BIO types will not request a retry, because the underlying I/O
+calls will not. If the application knows that the BIO type will never
+signal a retry then it need not call BIO_should_retry() after a failed
+BIO I/O call. This is typically done with file BIOs.
+
+SSL BIOs are the only current exception to this rule: they can request a
+retry even if the underlying I/O structure is blocking, if a handshake
+occurs during a call to BIO_read(). An application can retry the failed
+call immediately or avoid this situation by setting SSL_MODE_AUTO_RETRY
+on the underlying SSL structure.
+
+While an application may retry a failed non blocking call immediately
+this is likely to be very inefficient because the call will fail
+repeatedly until data can be processed or is available. An application
+will normally wait until the necessary condition is satisfied. How
+this is done depends on the underlying I/O structure.
+
+For example if the cause is ultimately a socket and BIO_should_read()
+is true then a call to select() may be made to wait until data is
+available and then retry the BIO operation. By combining the retry
+conditions of several non blocking BIOs in a single select() call
+it is possible to service several BIOs in a single thread, though
+the performance may be poor if SSL BIOs are present because long delays
+can occur during the initial handshake process. 
+
+It is possible for a BIO to block indefinitely if the underlying I/O
+structure cannot process or return any data. This depends on the behaviour of
+the platforms I/O functions. This is often not desirable: one solution
+is to use non blocking I/O and use a timeout on the select() (or
+equivalent) call.
+
+=head1 BUGS
+
+The OpenSSL ASN1 functions cannot gracefully deal with non blocking I/O:
+that is they cannot retry after a partial read or write. This is usually
+worked around by only passing the relevant data to ASN1 functions when
+the entire structure can be read or written.
+
+=head1 SEE ALSO
+
+TBA
diff --git a/src/lib/libssl/src/doc/crypto/BN_CTX_new.pod b/src/lib/libssl/src/doc/crypto/BN_CTX_new.pod
new file mode 100644
index 0000000000..c94d8c610d
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BN_CTX_new.pod
@@ -0,0 +1,53 @@
+=pod
+
+=head1 NAME
+
+BN_CTX_new, BN_CTX_init, BN_CTX_free - allocate and free BN_CTX structures
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ BN_CTX *BN_CTX_new(void);
+
+ void BN_CTX_init(BN_CTX *c);
+
+ void BN_CTX_free(BN_CTX *c);
+
+=head1 DESCRIPTION
+
+A B<BN_CTX> is a structure that holds B<BIGNUM> temporary variables used by
+library functions. Since dynamic memory allocation to create B<BIGNUM>s
+is rather expensive when used in conjunction with repeated subroutine
+calls, the B<BN_CTX> structure is used.
+
+BN_CTX_new() allocates and initializes a B<BN_CTX>
+structure. BN_CTX_init() initializes an existing uninitialized
+B<BN_CTX>.
+
+BN_CTX_free() frees the components of the B<BN_CTX>, and if it was
+created by BN_CTX_new(), also the structure itself.
+If L<BN_CTX_start(3)|BN_CTX_start(3)> has been used on the B<BN_CTX>,
+L<BN_CTX_end(3)|BN_CTX_end(3)> must be called before the B<BN_CTX>
+may be freed by BN_CTX_free().
+
+
+=head1 RETURN VALUES
+
+BN_CTX_new() returns a pointer to the B<BN_CTX>. If the allocation fails,
+it returns B<NULL> and sets an error code that can be obtained by
+L<ERR_get_error(3)|ERR_get_error(3)>.
+
+BN_CTX_init() and BN_CTX_free() have no return values.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_add(3)|BN_add(3)>,
+L<BN_CTX_start(3)|BN_CTX_start(3)>
+
+=head1 HISTORY
+
+BN_CTX_new() and BN_CTX_free() are available in all versions on SSLeay
+and OpenSSL. BN_CTX_init() was added in SSLeay 0.9.1b.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/BN_CTX_start.pod b/src/lib/libssl/src/doc/crypto/BN_CTX_start.pod
new file mode 100644
index 0000000000..c30552b122
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BN_CTX_start.pod
@@ -0,0 +1,51 @@
+=pod
+
+=head1 NAME
+
+BN_CTX_start, BN_CTX_get, BN_CTX_end - use temporary BIGNUM variables
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ void BN_CTX_start(BN_CTX *ctx);
+
+ BIGNUM *BN_CTX_get(BN_CTX *ctx);
+
+ void BN_CTX_end(BN_CTX *ctx);
+
+=head1 DESCRIPTION
+
+These functions are used to obtain temporary B<BIGNUM> variables from
+a B<BN_CTX> in order to save the overhead of repeatedly creating and
+freeing B<BIGNUM>s in functions that are called from inside a loop.
+
+A function must call BN_CTX_start() first. Then, BN_CTX_get() may be
+called repeatedly to obtain temporary B<BIGNUM>s. All BN_CTX_get()
+calls must be made before calling any other functions that use the
+B<ctx> as an argument.
+
+Finally, BN_CTX_end() must be called before returning from the function.
+When BN_CTX_end() is called, the B<BIGNUM> pointers obtained from
+BN_CTX_get() become invalid.
+
+=head1 RETURN VALUES
+
+BN_CTX_start() and BN_CTX_end() return no values.
+
+BN_CTX_get() returns a pointer to the B<BIGNUM>, or B<NULL> on error.
+Once BN_CTX_get() has failed, the subsequent calls will return B<NULL>
+as well, so it is sufficient to check the return value of the last
+BN_CTX_get() call. In case of an error, an error code is set, which
+can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+
+=head1 SEE ALSO
+
+L<BN_CTX_new(3)|BN_CTX_new(3)>
+
+=head1 HISTORY
+
+BN_CTX_start(), BN_CTX_get() and BN_CTX_end() were added in OpenSSL 0.9.5.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/BN_add.pod b/src/lib/libssl/src/doc/crypto/BN_add.pod
new file mode 100644
index 0000000000..0541d45643
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BN_add.pod
@@ -0,0 +1,99 @@
+=pod
+
+=head1 NAME
+
+BN_add, BN_sub, BN_mul, BN_div, BN_sqr, BN_mod, BN_mod_mul, BN_exp,
+BN_mod_exp, BN_gcd - arithmetic operations on BIGNUMs
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
+
+ int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
+
+ int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
+
+ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *a, const BIGNUM *d,
+         BN_CTX *ctx);
+
+ int BN_sqr(BIGNUM *r, BIGNUM *a, BN_CTX *ctx);
+
+ int BN_mod(BIGNUM *rem, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
+
+ int BN_mod_mul(BIGNUM *ret, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
+         BN_CTX *ctx);
+
+ int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
+
+ int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+         const BIGNUM *m, BN_CTX *ctx);
+
+ int BN_gcd(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
+
+=head1 DESCRIPTION
+
+BN_add() adds B<a> and B<b> and places the result in B<r> (C<r=a+b>).
+B<r> may be the same B<BIGNUM> as B<a> or B<b>.
+
+BN_sub() subtracts B<b> from B<a> and places the result in B<r> (C<r=a-b>).
+
+BN_mul() multiplies B<a> and B<b> and places the result in B<r> (C<r=a*b>).
+B<r> may be the same B<BIGNUM> as B<a> or B<b>.
+For multiplication by powers of 2, use L<BN_lshift(3)|BN_lshift(3)>.
+
+BN_div() divides B<a> by B<d> and places the result in B<dv> and the
+remainder in B<rem> (C<dv=a/d, rem=a%d>). Either of B<dv> and B<rem> may
+be NULL, in which case the respective value is not returned.
+For division by powers of 2, use BN_rshift(3).
+
+BN_sqr() takes the square of B<a> and places the result in B<r>
+(C<r=a^2>). B<r> and B<a> may be the same B<BIGNUM>.
+This function is faster than BN_mul(r,a,a).
+
+BN_mod() find the remainder of B<a> divided by B<m> and places it in
+B<rem> (C<rem=a%m>).
+
+BN_mod_mul() multiplies B<a> by B<b> and finds the remainder when
+divided by B<m> (C<r=(a*b)%m>). B<r> may be the same B<BIGNUM> as B<a>
+or B<b>. For a more efficient algorithm, see
+L<BN_mod_mul_montgomery(3)|BN_mod_mul_montgomery(3)>; for repeated
+computations using the same modulus, see L<BN_mod_mul_reciprocal(3)|BN_mod_mul_reciprocal(3)>.
+
+BN_exp() raises B<a> to the B<p>-th power and places the result in B<r>
+(C<r=a^p>). This function is faster than repeated applications of
+BN_mul().
+
+BN_mod_exp() computes B<a> to the B<p>-th power modulo B<m> (C<r=a^p %
+m>). This function uses less time and space than BN_exp().
+
+BN_gcd() computes the greatest common divisor of B<a> and B<b> and
+places the result in B<r>. B<r> may be the same B<BIGNUM> as B<a> or
+B<b>.
+
+For all functions, B<ctx> is a previously allocated B<BN_CTX> used for
+temporary variables; see L<BN_CTX_new(3)|BN_CTX_new(3)>.
+
+Unless noted otherwise, the result B<BIGNUM> must be different from
+the arguments.
+
+=head1 RETURN VALUES
+
+For all functions, 1 is returned for success, 0 on error. The return
+value should always be checked (e.g., C<if (!BN_add(r,a,b)) goto err;>).
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_CTX_new(3)|BN_CTX_new(3)>,
+L<BN_add_word(3)|BN_add_word(3)>, L<BN_set_bit(3)|BN_set_bit(3)>
+
+=head1 HISTORY
+
+BN_add(), BN_sub(), BN_div(), BN_sqr(), BN_mod(), BN_mod_mul(),
+BN_mod_exp() and BN_gcd() are available in all versions of SSLeay and
+OpenSSL. The B<ctx> argument to BN_mul() was added in SSLeay
+0.9.1b. BN_exp() appeared in SSLeay 0.9.0.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/BN_add_word.pod b/src/lib/libssl/src/doc/crypto/BN_add_word.pod
new file mode 100644
index 0000000000..66bedfb924
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BN_add_word.pod
@@ -0,0 +1,57 @@
+=pod
+
+=head1 NAME
+
+BN_add_word, BN_sub_word, BN_mul_word, BN_div_word, BN_mod_word - arithmetic
+functions on BIGNUMs with integers
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ int BN_add_word(BIGNUM *a, BN_ULONG w);
+
+ int BN_sub_word(BIGNUM *a, BN_ULONG w);
+
+ int BN_mul_word(BIGNUM *a, BN_ULONG w);
+
+ BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w);
+
+ BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w);
+
+=head1 DESCRIPTION
+
+These functions perform arithmetic operations on BIGNUMs with unsigned
+integers. They are much more efficient than the normal BIGNUM
+arithmetic operations.
+
+BN_add_word() adds B<w> to B<a> (C<a+=w>).
+
+BN_sub_word() subtracts B<w> from B<a> (C<a-=w>).
+
+BN_mul_word() multiplies B<a> and B<w> (C<a*=b>).
+
+BN_div_word() divides B<a> by B<w> (C<a/=w>) and returns the remainder.
+
+BN_mod_word() returns the remainder of B<a> divided by B<w> (C<a%m>).
+
+For BN_div_word() and BN_mod_word(), B<w> must not be 0.
+
+=head1 RETURN VALUES
+
+BN_add_word(), BN_sub_word() and BN_mul_word() return 1 for success, 0
+on error. The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+BN_mod_word() and BN_div_word() return B<a>%B<w>.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_add(3)|BN_add(3)>
+
+=head1 HISTORY
+
+BN_add_word() and BN_mod_word() are available in all versions of
+SSLeay and OpenSSL. BN_div_word() was added in SSLeay 0.8, and
+BN_sub_word() and BN_mul_word() in SSLeay 0.9.0.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/BN_bn2bin.pod b/src/lib/libssl/src/doc/crypto/BN_bn2bin.pod
new file mode 100644
index 0000000000..05f9e628cc
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BN_bn2bin.pod
@@ -0,0 +1,95 @@
+=pod
+
+=head1 NAME
+
+BN_bn2bin, BN_bin2bn, BN_bn2hex, BN_bn2dec, BN_hex2bn, BN_dec2bn,
+BN_print, BN_print_fp, BN_bn2mpi, BN_mpi2bn - format conversions
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ int BN_bn2bin(const BIGNUM *a, unsigned char *to);
+ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret);
+
+ char *BN_bn2hex(const BIGNUM *a);
+ char *BN_bn2dec(const BIGNUM *a);
+ int BN_hex2bn(BIGNUM **a, const char *str);
+ int BN_dec2bn(BIGNUM **a, const char *str);
+
+ int BN_print(BIO *fp, const BIGNUM *a);
+ int BN_print_fp(FILE *fp, const BIGNUM *a);
+
+ int BN_bn2mpi(const BIGNUM *a, unsigned char *to);
+ BIGNUM *BN_mpi2bn(unsigned char *s, int len, BIGNUM *ret);
+
+=head1 DESCRIPTION
+
+BN_bn2bin() converts the absolute value of B<a> into big-endian form
+and stores it at B<to>. B<to> must point to BN_num_bytes(B<a>) bytes of
+memory.
+
+BN_bin2bn() converts the positive integer in big-endian form of length
+B<len> at B<s> into a B<BIGNUM> and places it in B<ret>. If B<ret> is
+NULL, a new B<BIGNUM> is created.
+
+BN_bn2hex() and BN_bn2dec() return printable strings containing the
+hexadecimal and decimal encoding of B<a> respectively. For negative
+numbers, the string is prefaced with a leading '-'. The string must be
+Free()d later.
+
+BN_hex2bn() converts the string B<str> containing a hexadecimal number
+to a B<BIGNUM> and stores it in **B<bn>. If *B<bn> is NULL, a new
+B<BIGNUM> is created. If B<bn> is NULL, it only computes the number's
+length in hexadecimal digits. If the string starts with '-', the
+number is negative. BN_dec2bn() is the same using the decimal system.
+
+BN_print() and BN_print_fp() write the hexadecimal encoding of B<a>,
+with a leading '-' for negative numbers, to the B<BIO> or B<FILE>
+B<fp>.
+
+BN_bn2mpi() and BN_mpi2bn() convert B<BIGNUM>s from and to a format
+that consists of the number's length in bytes represented as a 3-byte
+big-endian number, and the number itself in big-endian format, where
+the most significant bit signals a negative number (the representation
+of numbers with the MSB set is prefixed with null byte).
+
+BN_bn2mpi() stores the representation of B<a> at B<to>, where B<to>
+must be large enough to hold the result. The size can be determined by
+calling BN_bn2mpi(B<a>, NULL).
+
+BN_mpi2bn() converts the B<len> bytes long representation at B<s> to
+a B<BIGNUM> and stores it at B<ret>, or in a newly allocated B<BIGNUM>
+if B<ret> is NULL.
+
+=head1 RETURN VALUES
+
+BN_bn2bin() returns the length of the big-endian number placed at B<to>.
+BN_bin2bn() returns the B<BIGNUM>, NULL on error.
+
+BN_bn2hex() and BN_bn2dec() return a null-terminated string, or NULL
+on error. BN_hex2bn() and BN_dec2bn() return the number's length in
+hexadecimal or decimal digits, and 0 on error.
+
+BN_print_fp() and BN_print() return 1 on success, 0 on write errors.
+
+BN_bn2mpi() returns the length of the representation. BN_mpi2bn()
+returns the B<BIGNUM>, and NULL on error.
+
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_zero(3)|BN_zero(3)>,
+L<ASN1_INTEGER_to_BN(3)|ASN1_INTEGER_to_BN(3)>,
+L<BN_num_bytes(3)|BN_num_bytes(3)>
+
+=head1 HISTORY
+
+BN_bn2bin(), BN_bin2bn(), BN_print_fp() and BN_print() are available
+in all versions of SSLeay and OpenSSL.
+
+BN_bn2hex(), BN_bn2dec(), BN_hex2bn(), BN_dec2bn(), BN_bn2mpi() and
+BN_mpi2bn() were added in SSLeay 0.9.0.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/BN_cmp.pod b/src/lib/libssl/src/doc/crypto/BN_cmp.pod
new file mode 100644
index 0000000000..23e9ed0b4f
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BN_cmp.pod
@@ -0,0 +1,48 @@
+=pod
+
+=head1 NAME
+
+BN_cmp, BN_ucmp, BN_is_zero, BN_is_one, BN_is_word, BN_is_odd - BIGNUM comparison and test functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ int BN_cmp(BIGNUM *a, BIGNUM *b);
+ int BN_ucmp(BIGNUM *a, BIGNUM *b);
+
+ int BN_is_zero(BIGNUM *a);
+ int BN_is_one(BIGNUM *a);
+ int BN_is_word(BIGNUM *a, BN_ULONG w);
+ int BN_is_odd(BIGNUM *a);
+
+=head1 DESCRIPTION
+
+BN_cmp() compares the numbers B<a> and B<b>. BN_ucmp() compares their
+absolute values.
+
+BN_is_zero(), BN_is_one() and BN_is_word() test if B<a> equals 0, 1,
+or B<w> respectively. BN_is_odd() tests if a is odd.
+
+BN_is_zero(), BN_is_one(), BN_is_word() and BN_is_odd() are macros.
+
+=head1 RETURN VALUES
+
+BN_cmp() returns -1 if B<a> E<lt> B<b>, 0 if B<a> == B<b> and 1 if
+B<a> E<gt> B<b>. BN_ucmp() is the same using the absolute values
+of B<a> and B<b>.
+
+BN_is_zero(), BN_is_one() BN_is_word() and BN_is_odd() return 1 if
+the condition is true, 0 otherwise.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>
+
+=head1 HISTORY
+
+BN_cmp(), BN_ucmp(), BN_is_zero(), BN_is_one() and BN_is_word() are
+available in all versions of SSLeay and OpenSSL.
+BN_is_odd() was added in SSLeay 0.8.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/BN_copy.pod b/src/lib/libssl/src/doc/crypto/BN_copy.pod
new file mode 100644
index 0000000000..8ad25e7834
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BN_copy.pod
@@ -0,0 +1,34 @@
+=pod
+
+=head1 NAME
+
+BN_copy, BN_dup - copy BIGNUMs
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ BIGNUM *BN_copy(BIGNUM *to, const BIGNUM *from);
+
+ BIGNUM *BN_dup(const BIGNUM *from);
+
+=head1 DESCRIPTION
+
+BN_copy() copies B<from> to B<to>. BN_dup() creates a new B<BIGNUM>
+containing the value B<from>.
+
+=head1 RETURN VALUES
+
+BN_copy() returns B<to> on success, NULL on error. BN_dup() returns
+the new B<BIGNUM>, and NULL on error. The error codes can be obtained
+by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<err(3)|err(3)>
+
+=head1 HISTORY
+
+BN_copy() and BN_dup() are available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/BN_generate_prime.pod b/src/lib/libssl/src/doc/crypto/BN_generate_prime.pod
new file mode 100644
index 0000000000..638f6514ee
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BN_generate_prime.pod
@@ -0,0 +1,102 @@
+=pod
+
+=head1 NAME
+
+BN_generate_prime, BN_is_prime, BN_is_prime_fasttest - generate primes and test for primality
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ BIGNUM *BN_generate_prime(BIGNUM *ret, int num, int safe, BIGNUM *add,
+     BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg);
+
+ int BN_is_prime(const BIGNUM *a, int checks, void (*callback)(int, int, 
+     void *), BN_CTX *ctx, void *cb_arg);
+
+ int BN_is_prime_fasttest(const BIGNUM *a, int checks,
+     void (*callback)(int, int, void *), BN_CTX *ctx, void *cb_arg,
+     int do_trial_division);
+
+=head1 DESCRIPTION
+
+BN_generate_prime() generates a pseudo-random prime number of B<num>
+bits.
+If B<ret> is not B<NULL>, it will be used to store the number.
+
+If B<callback> is not B<NULL>, it is called as follows:
+
+=over 4
+
+=item *
+
+B<callback(0, i, cb_arg)> is called after generating the i-th
+potential prime number.
+
+=item *
+
+While the number is being tested for primality, B<callback(1, j,
+cb_arg)> is called as described below.
+
+=item *
+
+When a prime has been found, B<callback(2, i, cb_arg)> is called.
+
+=back
+
+The prime may have to fulfill additional requirements for use in
+Diffie-Hellman key exchange:
+
+If B<add> is not B<NULL>, the prime will fulfill the condition p % B<add>
+== B<rem> (p % B<add> == 1 if B<rem> == B<NULL>) in order to suit a given
+generator.
+
+If B<safe> is true, it will be a safe prime (i.e. a prime p so
+that (p-1)/2 is also prime).
+
+The PRNG must be seeded prior to calling BN_generate_prime().
+The prime number generation has a negligible error probability.
+
+BN_is_prime() and BN_is_prime_fasttest() test if the number B<a> is
+prime.  The following tests are performed until one of them shows that
+B<a> is composite; if B<a> passes all these tests, it is considered
+prime.
+
+BN_is_prime_fasttest(), when called with B<do_trial_division == 1>,
+first attempts trial division by a number of small primes;
+if no divisors are found by this test and B<callback> is not B<NULL>,
+B<callback(1, -1, cb_arg)> is called.
+If B<do_trial_division == 0>, this test is skipped.
+
+Both BN_is_prime() and BN_is_prime_fasttest() perform a Miller-Rabin
+probabilistic primality test with B<checks> iterations. If
+B<checks == BN_prime_check>, a number of iterations is used that
+yields a false positive rate of at most 2^-80 for random input.
+
+If B<callback> is not B<NULL>, B<callback(1, j, cb_arg)> is called
+after the j-th iteration (j = 0, 1, ...). B<ctx> is a
+pre-allocated B<BN_CTX> (to save the overhead of allocating and
+freeing the structure in a loop), or B<NULL>.
+
+=head1 RETURN VALUES
+
+BN_generate_prime() returns the prime number on success, B<NULL> otherwise.
+
+BN_is_prime() returns 0 if the number is composite, 1 if it is
+prime with an error probability of less than 0.25^B<checks>, and
+-1 on error.
+
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>
+
+=head1 HISTORY
+
+The B<cb_arg> arguments to BN_generate_prime() and to BN_is_prime()
+were added in SSLeay 0.9.0. The B<ret> argument to BN_generate_prime()
+was added in SSLeay 0.9.1.
+BN_is_prime_fasttest() was added in OpenSSL 0.9.5.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/BN_mod_inverse.pod b/src/lib/libssl/src/doc/crypto/BN_mod_inverse.pod
new file mode 100644
index 0000000000..49e62daf9f
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BN_mod_inverse.pod
@@ -0,0 +1,36 @@
+=pod
+
+=head1 NAME
+
+BN_mod_inverse - compute inverse modulo n
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ BIGNUM *BN_mod_inverse(BIGNUM *r, BIGNUM *a, const BIGNUM *n,
+           BN_CTX *ctx);
+
+=head1 DESCRIPTION
+
+BN_mod_inverse() computes the inverse of B<a> modulo B<n>
+places the result in B<r> (C<(a*r)%n==1>). If B<r> is NULL,
+a new B<BIGNUM> is created.
+
+B<ctx> is a previously allocated B<BN_CTX> used for temporary
+variables. B<r> may be the same B<BIGNUM> as B<a> or B<n>.
+
+=head1 RETURN VALUES
+
+BN_mod_inverse() returns the B<BIGNUM> containing the inverse, and
+NULL on error. The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_add(3)|BN_add(3)>
+
+=head1 HISTORY
+
+BN_mod_inverse() is available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/BN_mod_mul_montgomery.pod b/src/lib/libssl/src/doc/crypto/BN_mod_mul_montgomery.pod
new file mode 100644
index 0000000000..0f0c1375af
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BN_mod_mul_montgomery.pod
@@ -0,0 +1,95 @@
+=pod
+
+=head1 NAME
+
+BN_mod_mul_montgomery, BN_MONT_CTX_new, BN_MONT_CTX_init,
+BN_MONT_CTX_free, BN_MONT_CTX_set, BN_MONT_CTX_copy,
+BN_from_montgomery, BN_to_montgomery - Montgomery multiplication
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ BN_MONT_CTX *BN_MONT_CTX_new(void);
+ void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
+ void BN_MONT_CTX_free(BN_MONT_CTX *mont);
+
+ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *m, BN_CTX *ctx);
+ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from);
+
+ int BN_mod_mul_montgomery(BIGNUM *r, BIGNUM *a, BIGNUM *b,
+         BN_MONT_CTX *mont, BN_CTX *ctx);
+
+ int BN_from_montgomery(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mont,
+         BN_CTX *ctx);
+
+ int BN_to_montgomery(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mont,
+         BN_CTX *ctx);
+
+=head1 DESCRIPTION
+
+These functions implement Montgomery multiplication. They are used
+automatically when L<BN_mod_exp(3)|BN_mod_exp(3)> is called with suitable input,
+but they may be useful when several operations are to be performed
+using the same modulus.
+
+BN_MONT_CTX_new() allocates and initializes a B<BN_MONT_CTX> structure.
+BN_MONT_CTX_init() initializes an existing uninitialized B<BN_MONT_CTX>.
+
+BN_MONT_CTX_set() sets up the B<mont> structure from the modulus B<m>
+by precomputing its inverse and a value R.
+
+BN_MONT_CTX_copy() copies the B<N_MONT_CTX> B<from> to B<to>.
+
+BN_MONT_CTX_free() frees the components of the B<BN_MONT_CTX>, and, if
+it was created by BN_MONT_CTX_new(), also the structure itself.
+
+BN_mod_mul_montgomery() computes Mont(B<a>,B<b>):=B<a>*B<b>*R^-1 and places
+the result in B<r>.
+
+BN_from_montgomery() performs the Montgomery reduction B<r> = B<a>*R^-1.
+
+BN_to_montgomery() computes Mont(B<a>,R^2).
+
+For all functions, B<ctx> is a previously allocated B<BN_CTX> used for
+temporary variables.
+
+The B<BN_MONT_CTX> structure is defined as follows:
+
+ typedef struct bn_mont_ctx_st
+        {
+        int ri;         /* number of bits in R */
+        BIGNUM RR;      /* R^2 (used to convert to Montgomery form) */
+        BIGNUM N;       /* The modulus */
+        BIGNUM Ni;      /* R*(1/R mod N) - N*Ni = 1
+                         * (Ni is only stored for bignum algorithm) */
+        BN_ULONG n0;    /* least significant word of Ni */
+        int flags;
+        } BN_MONT_CTX;
+
+BN_to_montgomery() is a macro.
+
+=head1 RETURN VALUES
+
+BN_MONT_CTX_new() returns the newly allocated B<BN_MONT_CTX>, and NULL
+on error.
+
+BN_MONT_CTX_init() and BN_MONT_CTX_free() have no return values.
+
+For the other functions, 1 is returned for success, 0 on error.
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_add(3)|BN_add(3)>,
+L<BN_CTX_new(3)|BN_CTX_new(3)>
+
+=head1 HISTORY
+
+BN_MONT_CTX_new(), BN_MONT_CTX_free(), BN_MONT_CTX_set(),
+BN_mod_mul_montgomery(), BN_from_montgomery() and BN_to_montgomery()
+are available in all versions of SSLeay and OpenSSL.
+
+BN_MONT_CTX_init() and BN_MONT_CTX_copy() were added in SSLeay 0.9.1b.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/BN_mod_mul_reciprocal.pod b/src/lib/libssl/src/doc/crypto/BN_mod_mul_reciprocal.pod
new file mode 100644
index 0000000000..32432ce4e6
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BN_mod_mul_reciprocal.pod
@@ -0,0 +1,81 @@
+=pod
+
+=head1 NAME
+
+BN_mod_mul_reciprocal, BN_RECP_CTX_new, BN_RECP_CTX_init,
+BN_RECP_CTX_free, BN_RECP_CTX_set - modular multiplication using
+reciprocal
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ BN_RECP_CTX *BN_RECP_CTX_new(void);
+ void BN_RECP_CTX_init(BN_RECP_CTX *recp);
+ void BN_RECP_CTX_free(BN_RECP_CTX *recp);
+
+ int BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *m, BN_CTX *ctx);
+
+ int BN_div_recp(BIGNUM *dv, BIGNUM *rem, BIGNUM *a, BN_RECP_CTX *recp,
+        BN_CTX *ctx);
+
+ int BN_mod_mul_reciprocal(BIGNUM *r, BIGNUM *a, BIGNUM *b,
+        BN_RECP_CTX *recp, BN_CTX *ctx);
+
+=head1 DESCRIPTION
+
+BN_mod_mul_reciprocal() can be used to perform an efficient
+L<BN_mod_mul(3)|BN_mod_mul(3)> operation when the operation will be performed
+repeatedly with the same modulus. It computes B<r>=(B<a>*B<b>)%B<m>
+using B<recp>=1/B<m>, which is set as described below.  B<ctx> is a
+previously allocated B<BN_CTX> used for temporary variables.
+
+BN_RECP_CTX_new() allocates and initializes a B<BN_RECP> structure.
+BN_RECP_CTX_init() initializes an existing uninitialized B<BN_RECP>.
+
+BN_RECP_CTX_free() frees the components of the B<BN_RECP>, and, if it
+was created by BN_RECP_CTX_new(), also the structure itself.
+
+BN_RECP_CTX_set() stores B<m> in B<recp> and sets it up for computing
+1/B<m> and shifting it left by BN_num_bits(B<m>)+1 to make it an
+integer. The result and the number of bits it was shifted left will
+later be stored in B<recp>.
+
+BN_div_recp() divides B<a> by B<m> using B<recp>. It places the quotient
+in B<dv> and the remainder in B<rem>.
+
+The B<BN_RECP_CTX> structure is defined as follows:
+
+ typedef struct bn_recp_ctx_st
+        {
+        BIGNUM N;       /* the divisor */
+        BIGNUM Nr;      /* the reciprocal */
+        int num_bits;
+        int shift;
+        int flags;
+        } BN_RECP_CTX;
+
+It cannot be shared between threads.
+
+=head1 RETURN VALUES
+
+BN_RECP_CTX_new() returns the newly allocated B<BN_RECP_CTX>, and NULL
+on error.
+
+BN_RECP_CTX_init() and BN_RECP_CTX_free() have no return values.
+
+For the other functions, 1 is returned for success, 0 on error.
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_add(3)|BN_add(3)>,
+L<BN_CTX_new(3)|BN_CTX_new(3)>
+
+=head1 HISTORY
+
+B<BN_RECP_CTX> was added in SSLeay 0.9.0. Before that, the function
+BN_reciprocal() was used instead, and the BN_mod_mul_reciprocal()
+arguments were different.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/BN_new.pod b/src/lib/libssl/src/doc/crypto/BN_new.pod
new file mode 100644
index 0000000000..c1394ff2a3
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BN_new.pod
@@ -0,0 +1,53 @@
+=pod
+
+=head1 NAME
+
+BN_new, BN_init, BN_clear, BN_free, BN_clear_free - allocate and free BIGNUMs
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ BIGNUM *BN_new(void);
+
+ void BN_init(BIGNUM *);
+
+ void BN_clear(BIGNUM *a);
+
+ void BN_free(BIGNUM *a);
+
+ void BN_clear_free(BIGNUM *a);
+
+=head1 DESCRIPTION
+
+BN_new() allocated and initializes a B<BIGNUM> structure. BN_init()
+initializes an existing uninitialized B<BIGNUM>.
+
+BN_clear() is used to destroy sensitive data such as keys when they
+are no longer needed. It erases the memory used by B<a> and sets it
+to the value 0.
+
+BN_free() frees the components of the B<BIGNUM>, and if it was created
+by BN_new(), also the structure itself. BN_clear_free() additionally
+overwrites the data before the memory is returned to the system.
+
+=head1 RETURN VALUES
+
+BN_new() returns a pointer to the B<BIGNUM>. If the allocation fails,
+it returns B<NULL> and sets an error code that can be obtained
+by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+BN_init(), BN_clear(), BN_free() and BN_clear_free() have no return
+values.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<err(3)|err(3)>
+
+=head1 HISTORY
+
+BN_new(), BN_clear(), BN_free() and BN_clear_free() are available in
+all versions on SSLeay and OpenSSL.  BN_init() was added in SSLeay
+0.9.1b.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/BN_num_bytes.pod b/src/lib/libssl/src/doc/crypto/BN_num_bytes.pod
new file mode 100644
index 0000000000..61589fb9ac
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BN_num_bytes.pod
@@ -0,0 +1,37 @@
+=pod
+
+=head1 NAME
+
+BN_num_bits, BN_num_bytes, BN_num_bits_word - get BIGNUM size
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ int BN_num_bytes(const BIGNUM *a);
+
+ int BN_num_bits(const BIGNUM *a);
+
+ int BN_num_bits_word(BN_ULONG w);
+
+=head1 DESCRIPTION
+
+These functions return the size of a B<BIGNUM> in bytes or bits,
+and the size of an unsigned integer in bits.
+
+BN_num_bytes() is a macro.
+
+=head1 RETURN VALUES
+
+The size.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>
+
+=head1 HISTORY
+
+BN_num_bytes(), BN_num_bits() and BN_num_bits_word() are available in
+all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/BN_rand.pod b/src/lib/libssl/src/doc/crypto/BN_rand.pod
new file mode 100644
index 0000000000..33363c981f
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BN_rand.pod
@@ -0,0 +1,45 @@
+=pod
+
+=head1 NAME
+
+BN_rand, BN_pseudo_rand - generate pseudo-random number
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);
+
+ int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);
+
+=head1 DESCRIPTION
+
+BN_rand() generates a cryptographically strong pseudo-random number of
+B<bits> bits in length and stores it in B<rnd>. If B<top> is true, the
+two most significant bits of the number will be set to 1, so that the
+product of two such random numbers will always have 2*B<bits> length.
+If B<bottom> is true, the number will be odd.
+
+BN_pseudo_rand() does the same, but pseudo-random numbers generated by
+this function are not necessarily unpredictable. They can be used for
+non-cryptographic purposes and for certain purposes in cryptographic
+protocols, but usually not for key generation etc.
+
+The PRNG must be seeded prior to calling BN_rand().
+
+=head1 RETURN VALUES
+
+BN_rand() and BN_pseudo_rand() return 1 on success, 0 on error.
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>,
+L<RAND_add(3)|RAND_add(3)>, L<RAND_bytes(3)|RAND_bytes(3)>
+
+=head1 HISTORY
+
+BN_rand() is available in all versions of SSLeay and OpenSSL.
+BN_pseudo_rand() was added in OpenSSL 0.9.5.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/BN_set_bit.pod b/src/lib/libssl/src/doc/crypto/BN_set_bit.pod
new file mode 100644
index 0000000000..b7c47b9b01
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BN_set_bit.pod
@@ -0,0 +1,66 @@
+=pod
+
+=head1 NAME
+
+BN_set_bit, BN_clear_bit, BN_is_bit_set, BN_mask_bits, BN_lshift,
+BN_lshift1, BN_rshift, BN_rshift1 - bit operations on BIGNUMs
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ int BN_set_bit(BIGNUM *a, int n);
+ int BN_clear_bit(BIGNUM *a, int n);
+
+ int BN_is_bit_set(const BIGNUM *a, int n);
+
+ int BN_mask_bits(BIGNUM *a, int n);
+
+ int BN_lshift(BIGNUM *r, const BIGNUM *a, int n);
+ int BN_lshift1(BIGNUM *r, BIGNUM *a);
+
+ int BN_rshift(BIGNUM *r, BIGNUM *a, int n);
+ int BN_rshift1(BIGNUM *r, BIGNUM *a);
+
+=head1 DESCRIPTION
+
+BN_set_bit() sets bit B<n> in B<a> to 1 (C<a|=(1E<lt>E<lt>n)>). The
+number is expanded if necessary.
+
+BN_clear_bit() sets bit B<n> in B<a> to 0 (C<a&=~(1E<lt>E<lt>n)>). An
+error occurs if B<a> is shorter than B<n> bits.
+
+BN_is_bit_set() tests if bit B<n> in B<a> is set.
+
+BN_mask_bits() truncates B<a> to an B<n> bit number
+(C<a&=~((~0)E<gt>E<gt>n)>).  An error occurs if B<a> already is
+shorter than B<n> bits.
+
+BN_lshift() shifts B<a> left by B<n> bits and places the result in
+B<r> (C<r=a*2^n>). BN_lshift1() shifts B<a> left by one and places
+the result in B<r> (C<r=2*a>).
+
+BN_rshift() shifts B<a> right by B<n> bits and places the result in
+B<r> (C<r=a/2^n>). BN_rshift1() shifts B<a> right by one and places
+the result in B<r> (C<r=a/2>).
+
+For the shift functions, B<r> and B<a> may be the same variable.
+
+=head1 RETURN VALUES
+
+BN_is_bit_set() returns 1 if the bit is set, 0 otherwise.
+
+All other functions return 1 for success, 0 on error. The error codes
+can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<BN_num_bytes(3)|BN_num_bytes(3)>, L<BN_add(3)|BN_add(3)>
+
+=head1 HISTORY
+
+BN_set_bit(), BN_clear_bit(), BN_is_bit_set(), BN_mask_bits(),
+BN_lshift(), BN_lshift1(), BN_rshift(), and BN_rshift1() are available
+in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/BN_swap.pod b/src/lib/libssl/src/doc/crypto/BN_swap.pod
new file mode 100644
index 0000000000..79efaa1446
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BN_swap.pod
@@ -0,0 +1,23 @@
+=pod
+
+=head1 NAME
+
+BN_swap - exchange BIGNUMs
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ void BN_swap(BIGNUM *a, BIGNUM *b);
+
+=head1 DESCRIPTION
+
+BN_swap() exchanges the values of I<a> and I<b>.
+
+L<bn(3)|bn(3)>
+
+=head1 HISTORY
+
+BN_swap was added in OpenSSL 0.9.7.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/BN_zero.pod b/src/lib/libssl/src/doc/crypto/BN_zero.pod
new file mode 100644
index 0000000000..165fd9a228
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/BN_zero.pod
@@ -0,0 +1,55 @@
+=pod
+
+=head1 NAME
+
+BN_zero, BN_one, BN_set_word, BN_get_word - BIGNUM assignment operations
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ int BN_zero(BIGNUM *a);
+ int BN_one(BIGNUM *a);
+
+ BIGNUM *BN_value_one(void);
+
+ int BN_set_word(BIGNUM *a, unsigned long w);
+ unsigned long BN_get_word(BIGNUM *a);
+
+=head1 DESCRIPTION
+
+BN_zero(), BN_one() and BN_set_word() set B<a> to the values 0, 1 and
+B<w> respectively.  BN_zero() and BN_one() are macros.
+
+BN_value_one() returns a B<BIGNUM> constant of value 1. This constant
+is useful for use in comparisons and assignment.
+
+BN_get_word() returns B<a>, if it can be represented as an unsigned
+long.
+
+=head1 RETURN VALUES
+
+BN_get_word() returns the value B<a>, and 0xffffffffL if B<a> cannot
+be represented as an unsigned long.
+
+BN_zero(), BN_one() and BN_set_word() return 1 on success, 0 otherwise.
+BN_value_one() returns the constant.
+
+=head1 BUGS
+
+Someone might change the constant.
+
+If a B<BIGNUM> is equal to 0xffffffffL it can be represented as an
+unsigned long but this value is also returned on error.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<BN_bn2bin(3)|BN_bn2bin(3)>
+
+=head1 HISTORY
+
+BN_zero(), BN_one() and BN_set_word() are available in all versions of
+SSLeay and OpenSSL. BN_value_one() and BN_get_word() were added in
+SSLeay 0.8.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/CRYPTO_set_ex_data.pod b/src/lib/libssl/src/doc/crypto/CRYPTO_set_ex_data.pod
new file mode 100644
index 0000000000..1bd5bed67d
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/CRYPTO_set_ex_data.pod
@@ -0,0 +1,51 @@
+=pod
+
+=head1 NAME
+
+CRYPTO_set_ex_data, CRYPTO_get_ex_data - internal application specific data functions
+
+=head1 SYNOPSIS
+
+ int CRYPTO_set_ex_data(CRYPTO_EX_DATA *r, int idx, void *arg);
+
+ void *CRYPTO_get_ex_data(CRYPTO_EX_DATA *r, int idx);
+
+=head1 DESCRIPTION
+
+Several OpenSSL structures can have application specific data attached to them.
+These functions are used internally by OpenSSL to manipulate application
+specific data attached to a specific structure.
+
+These functions should only be used by applications to manipulate
+B<CRYPTO_EX_DATA> structures passed to the B<new_func()>, B<free_func()> and
+B<dup_func()> callbacks: as passed to B<RSA_get_ex_new_index()> for example.
+
+B<CRYPTO_set_ex_data()> is used to set application specific data, the data is
+supplied in the B<arg> parameter and its precise meaning is up to the
+application.
+
+B<CRYPTO_get_ex_data()> is used to retrieve application specific data. The data
+is returned to the application, this will be the same value as supplied to
+a previous B<CRYPTO_set_ex_data()> call.
+
+=head1 RETURN VALUES
+
+B<CRYPTO_set_ex_data()> returns 1 on success or 0 on failure.
+
+B<CRYPTO_get_ex_data()> returns the application data or 0 on failure. 0 may also
+be valid application data but currently it can only fail if given an invalid B<idx>
+parameter.
+
+On failure an error code can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>,
+L<DSA_get_ex_new_index(3)|DSA_get_ex_new_index(3)>,
+L<DH_get_ex_new_index(3)|DH_get_ex_new_index(3)>
+
+=head1 HISTORY
+
+CRYPTO_set_ex_data() and CRYPTO_get_ex_data() have been available since SSLeay 0.9.0.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/DH_generate_key.pod b/src/lib/libssl/src/doc/crypto/DH_generate_key.pod
new file mode 100644
index 0000000000..920995b2e5
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/DH_generate_key.pod
@@ -0,0 +1,50 @@
+=pod
+
+=head1 NAME
+
+DH_generate_key, DH_compute_key - perform Diffie-Hellman key exchange
+
+=head1 SYNOPSIS
+
+ #include <openssl/dh.h>
+
+ int DH_generate_key(DH *dh);
+
+ int DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh);
+
+=head1 DESCRIPTION
+
+DH_generate_key() performs the first step of a Diffie-Hellman key
+exchange by generating private and public DH values. By calling
+DH_compute_key(), these are combined with the other party's public
+value to compute the shared key.
+
+DH_generate_key() expects B<dh> to contain the shared parameters
+B<dh-E<gt>p> and B<dh-E<gt>g>. It generates a random private DH value
+unless B<dh-E<gt>priv_key> is already set, and computes the
+corresponding public value B<dh-E<gt>pub_key>, which can then be
+published.
+
+DH_compute_key() computes the shared secret from the private DH value
+in B<dh> and the other party's public value in B<pub_key> and stores
+it in B<key>. B<key> must point to B<DH_size(dh)> bytes of memory.
+
+=head1 RETURN VALUES
+
+DH_generate_key() returns 1 on success, 0 otherwise.
+
+DH_compute_key() returns the size of the shared secret on success, -1
+on error.
+
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<dh(3)|dh(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<DH_size(3)|DH_size(3)>
+
+=head1 HISTORY
+
+DH_generate_key() and DH_compute_key() are available in all versions
+of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/DH_generate_parameters.pod b/src/lib/libssl/src/doc/crypto/DH_generate_parameters.pod
new file mode 100644
index 0000000000..a7d0c75f0c
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/DH_generate_parameters.pod
@@ -0,0 +1,72 @@
+=pod
+
+=head1 NAME
+
+DH_generate_parameters, DH_check - generate and check Diffie-Hellman parameters
+
+=head1 SYNOPSIS
+
+ #include <openssl/dh.h>
+
+ DH *DH_generate_parameters(int prime_len, int generator,
+     void (*callback)(int, int, void *), void *cb_arg);
+
+ int DH_check(DH *dh, int *codes);
+
+=head1 DESCRIPTION
+
+DH_generate_parameters() generates Diffie-Hellman parameters that can
+be shared among a group of users, and returns them in a newly
+allocated B<DH> structure. The pseudo-random number generator must be
+seeded prior to calling DH_generate_parameters().
+
+B<prime_len> is the length in bits of the safe prime to be generated.
+B<generator> is a small number E<gt> 1, typically 2 or 5. 
+
+A callback function may be used to provide feedback about the progress
+of the key generation. If B<callback> is not B<NULL>, it will be
+called as described in L<BN_generate_prime(3)|BN_generate_prime(3)> while a random prime
+number is generated, and when a prime has been found, B<callback(3,
+0, cb_arg)> is called.
+
+DH_check() validates Diffie-Hellman parameters. It checks that B<p> is
+a safe prime, and that B<g> is a suitable generator. In the case of an
+error, the bit flags DH_CHECK_P_NOT_SAFE_PRIME or
+DH_NOT_SUITABLE_GENERATOR are set in B<*codes>.
+DH_UNABLE_TO_CHECK_GENERATOR is set if the generator cannot be
+checked, i.e. it does not equal 2 or 5.
+
+=head1 RETURN VALUES
+
+DH_generate_parameters() returns a pointer to the DH structure, or
+NULL if the parameter generation fails. The error codes can be
+obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+DH_check() returns 1 if the check could be performed, 0 otherwise.
+
+=head1 NOTES
+
+DH_generate_parameters() may run for several hours before finding a
+suitable prime.
+
+The parameters generated by DH_generate_parameters() are not to be
+used in signature schemes.
+
+=head1 BUGS
+
+If B<generator> is not 2 or 5, B<dh-E<gt>g>=B<generator> is not
+a usable generator.
+
+=head1 SEE ALSO
+
+L<dh(3)|dh(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<DH_free(3)|DH_free(3)>
+
+=head1 HISTORY
+
+DH_check() is available in all versions of SSLeay and OpenSSL.
+The B<cb_arg> argument to DH_generate_parameters() was added in SSLeay 0.9.0.
+
+In versions before OpenSSL 0.9.5, DH_CHECK_P_NOT_STRONG_PRIME is used
+instead of DH_CHECK_P_NOT_SAFE_PRIME.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/DH_get_ex_new_index.pod b/src/lib/libssl/src/doc/crypto/DH_get_ex_new_index.pod
new file mode 100644
index 0000000000..82e2548bcd
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/DH_get_ex_new_index.pod
@@ -0,0 +1,36 @@
+=pod
+
+=head1 NAME
+
+DH_get_ex_new_index, DH_set_ex_data, DH_get_ex_data - add application specific data to DH structures
+
+=head1 SYNOPSIS
+
+ #include <openssl/dh.h>
+
+ int DH_get_ex_new_index(long argl, void *argp,
+                CRYPTO_EX_new *new_func,
+                CRYPTO_EX_dup *dup_func,
+                CRYPTO_EX_free *free_func);
+
+ int DH_set_ex_data(DH *d, int idx, void *arg);
+
+ char *DH_get_ex_data(DH *d, int idx);
+
+=head1 DESCRIPTION
+
+These functions handle application specific data in DH
+structures. Their usage is identical to that of
+RSA_get_ex_new_index(), RSA_set_ex_data() and RSA_get_ex_data()
+as described in L<RSA_get_ex_new_index(3)>.
+
+=head1 SEE ALSO
+
+L<RSA_get_ex_new_index()|RSA_get_ex_new_index()>, L<dh(3)|dh(3)>
+
+=head1 HISTORY
+
+DH_get_ex_new_index(), DH_set_ex_data() and DH_get_ex_data() are
+available since OpenSSL 0.9.5.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/DH_new.pod b/src/lib/libssl/src/doc/crypto/DH_new.pod
new file mode 100644
index 0000000000..64624b9d15
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/DH_new.pod
@@ -0,0 +1,40 @@
+=pod
+
+=head1 NAME
+
+DH_new, DH_free - allocate and free DH objects
+
+=head1 SYNOPSIS
+
+ #include <openssl/dh.h>
+
+ DH* DH_new(void);
+
+ void DH_free(DH *dh);
+
+=head1 DESCRIPTION
+
+DH_new() allocates and initializes a B<DH> structure.
+
+DH_free() frees the B<DH> structure and its components. The values are
+erased before the memory is returned to the system.
+
+=head1 RETURN VALUES
+
+If the allocation fails, DH_new() returns B<NULL> and sets an error
+code that can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns
+a pointer to the newly allocated structure.
+
+DH_free() returns no value.
+
+=head1 SEE ALSO
+
+L<dh(3)|dh(3)>, L<err(3)|err(3)>,
+L<DH_generate_parameters(3)|DH_generate_parameters(3)>,
+L<DH_generate_key(3)|DH_generate_key(3)>
+
+=head1 HISTORY
+
+DH_new() and DH_free() are available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/DH_set_method.pod b/src/lib/libssl/src/doc/crypto/DH_set_method.pod
new file mode 100644
index 0000000000..dca41d8dbc
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/DH_set_method.pod
@@ -0,0 +1,99 @@
+=pod
+
+=head1 NAME
+
+DH_set_default_method, DH_get_default_method, DH_set_method,
+DH_new_method, DH_OpenSSL - select DH method
+
+=head1 SYNOPSIS
+
+ #include <openssl/dh.h>
+
+ void DH_set_default_method(DH_METHOD *meth);
+
+ DH_METHOD *DH_get_default_method(void);
+
+ DH_METHOD *DH_set_method(DH *dh, DH_METHOD *meth);
+
+ DH *DH_new_method(DH_METHOD *meth);
+
+ DH_METHOD *DH_OpenSSL(void);
+
+=head1 DESCRIPTION
+
+A B<DH_METHOD> specifies the functions that OpenSSL uses for Diffie-Hellman
+operations. By modifying the method, alternative implementations
+such as hardware accelerators may be used.
+
+Initially, the default is to use the OpenSSL internal implementation.
+DH_OpenSSL() returns a pointer to that method.
+
+DH_set_default_method() makes B<meth> the default method for all B<DH>
+structures created later.
+
+DH_get_default_method() returns a pointer to the current default
+method.
+
+DH_set_method() selects B<meth> for all operations using the structure B<dh>.
+
+DH_get_method() returns a pointer to the method currently selected
+for B<dh>.
+
+DH_new_method() allocates and initializes a B<DH> structure so that
+B<method> will be used for the DH operations. If B<method> is B<NULL>,
+the default method is used.
+
+=head1 THE DH_METHOD STRUCTURE
+
+ typedef struct dh_meth_st
+ {
+     /* name of the implementation */
+        const char *name;
+
+     /* generate private and public DH values for key agreement */
+        int (*generate_key)(DH *dh);
+
+     /* compute shared secret */
+        int (*compute_key)(unsigned char *key, BIGNUM *pub_key, DH *dh);
+
+     /* compute r = a ^ p mod m. May be NULL */
+        int (*bn_mod_exp)(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+                                const BIGNUM *m, BN_CTX *ctx,
+                                BN_MONT_CTX *m_ctx);
+
+     /* called at DH_new */
+        int (*init)(DH *dh);
+
+     /* called at DH_free */
+        int (*finish)(DH *dh);
+
+        int flags;
+
+        char *app_data; /* ?? */
+
+ } DH_METHOD;
+
+=head1 RETURN VALUES
+
+DH_OpenSSL(), DH_get_default_method() and DH_get_method() return
+pointers to the respective B<DH_METHOD>s.
+
+DH_set_default_method() returns no value.
+
+DH_set_method() returns a pointer to the B<DH_METHOD> previously
+associated with B<dh>.
+
+DH_new_method() returns B<NULL> and sets an error code that can be
+obtained by L<ERR_get_error(3)|ERR_get_error(3)> if the allocation fails. Otherwise it
+returns a pointer to the newly allocated structure.
+
+=head1 SEE ALSO
+
+L<dh(3)|dh(3)>, L<DH_new(3)|DH_new(3)>
+
+=head1 HISTORY
+
+DH_set_default_method(), DH_get_default_method(), DH_set_method(),
+DH_new_method() and DH_OpenSSL() were added in OpenSSL 0.9.4.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/DH_size.pod b/src/lib/libssl/src/doc/crypto/DH_size.pod
new file mode 100644
index 0000000000..97f26fda78
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/DH_size.pod
@@ -0,0 +1,33 @@
+=pod
+
+=head1 NAME
+
+DH_size - get Diffie-Hellman prime size
+
+=head1 SYNOPSIS
+
+ #include <openssl/dh.h>
+
+ int DH_size(DH *dh);
+
+=head1 DESCRIPTION
+
+This function returns the Diffie-Hellman size in bytes. It can be used
+to determine how much memory must be allocated for the shared secret
+computed by DH_compute_key().
+
+B<dh-E<gt>p> must not be B<NULL>.
+
+=head1 RETURN VALUE
+
+The size in bytes.
+
+=head1 SEE ALSO
+
+L<dh(3)|dh(3)>, L<DH_generate_key(3)|DH_generate_key(3)>
+
+=head1 HISTORY
+
+DH_size() is available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/DSA_SIG_new.pod b/src/lib/libssl/src/doc/crypto/DSA_SIG_new.pod
new file mode 100644
index 0000000000..671655554a
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/DSA_SIG_new.pod
@@ -0,0 +1,39 @@
+=pod
+
+=head1 NAME
+
+DSA_SIG_new, DSA_SIG_free - allocate and free DSA signature objects
+
+=head1 SYNOPSIS
+
+ #include <openssl/dsa.h>
+
+ DSA_SIG *DSA_SIG_new(void);
+
+ void   DSA_SIG_free(DSA_SIG *a);
+
+=head1 DESCRIPTION
+
+DSA_SIG_new() allocates and initializes a B<DSA_SIG> structure.
+
+DSA_SIG_free() frees the B<DSA_SIG> structure and its components. The
+values are erased before the memory is returned to the system.
+
+=head1 RETURN VALUES
+
+If the allocation fails, DSA_SIG_new() returns B<NULL> and sets an
+error code that can be obtained by
+L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns a pointer
+to the newly allocated structure.
+
+DSA_SIG_free() returns no value.
+
+=head1 SEE ALSO
+
+L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<DSA_do_sign(3)|DSA_do_sign(3)>
+
+=head1 HISTORY
+
+DSA_SIG_new() and DSA_SIG_free() were added in OpenSSL 0.9.3.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/DSA_do_sign.pod b/src/lib/libssl/src/doc/crypto/DSA_do_sign.pod
new file mode 100644
index 0000000000..a24fd5714e
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/DSA_do_sign.pod
@@ -0,0 +1,47 @@
+=pod
+
+=head1 NAME
+
+DSA_do_sign, DSA_do_verify - raw DSA signature operations
+
+=head1 SYNOPSIS
+
+ #include <openssl/dsa.h>
+
+ DSA_SIG *DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
+
+ int DSA_do_verify(const unsigned char *dgst, int dgst_len,
+             DSA_SIG *sig, DSA *dsa);
+
+=head1 DESCRIPTION
+
+DSA_do_sign() computes a digital signature on the B<len> byte message
+digest B<dgst> using the private key B<dsa> and returns it in a
+newly allocated B<DSA_SIG> structure.
+
+L<DSA_sign_setup(3)|DSA_sign_setup(3)> may be used to precompute part
+of the signing operation in case signature generation is
+time-critical.
+
+DSA_do_verify() verifies that the signature B<sig> matches a given
+message digest B<dgst> of size B<len>.  B<dsa> is the signer's public
+key.
+
+=head1 RETURN VALUES
+
+DSA_do_sign() returns the signature, NULL on error.  DSA_do_verify()
+returns 1 for a valid signature, 0 for an incorrect signature and -1
+on error. The error codes can be obtained by
+L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>,
+L<DSA_SIG_new(3)|DSA_SIG_new(3)>,
+L<DSA_sign(3)|DSA_sign(3)>
+
+=head1 HISTORY
+
+DSA_do_sign() and DSA_do_verify() were added in OpenSSL 0.9.3.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/DSA_dup_DH.pod b/src/lib/libssl/src/doc/crypto/DSA_dup_DH.pod
new file mode 100644
index 0000000000..29cb1075d1
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/DSA_dup_DH.pod
@@ -0,0 +1,36 @@
+=pod
+
+=head1 NAME
+
+DSA_dup_DH - create a DH structure out of DSA structure
+
+=head1 SYNOPSIS
+
+ #include <openssl/dsa.h>
+
+ DH * DSA_dup_DH(DSA *r);
+
+=head1 DESCRIPTION
+
+DSA_dup_DH() duplicates DSA parameters/keys as DH parameters/keys. q
+is lost during that conversion, but the resulting DH parameters
+contain its length.
+
+=head1 RETURN VALUE
+
+DSA_dup_DH() returns the new B<DH> structure, and NULL on error. The
+error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 NOTE
+
+Be careful to avoid small subgroup attacks when using this.
+
+=head1 SEE ALSO
+
+L<dh(3)|dh(3)>, L<dsa(3)|dsa(3)>, L<err(3)|err(3)>
+
+=head1 HISTORY
+
+DSA_dup_DH() was added in OpenSSL 0.9.4.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/DSA_generate_key.pod b/src/lib/libssl/src/doc/crypto/DSA_generate_key.pod
new file mode 100644
index 0000000000..52890db5be
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/DSA_generate_key.pod
@@ -0,0 +1,33 @@
+=pod
+
+=head1 NAME
+
+DSA_generate_key - generate DSA key pair
+
+=head1 SYNOPSIS
+
+ #include <openssl/dsa.h>
+
+ int DSA_generate_key(DSA *a);
+
+=head1 DESCRIPTION
+
+DSA_generate_key() expects B<a> to contain DSA parameters. It generates
+a new key pair and stores it in B<a-E<gt>pub_key> and B<a-E<gt>priv_key>.
+
+The PRNG must be seeded prior to calling DSA_generate_key().
+
+=head1 RETURN VALUE
+
+DSA_generate_key() returns 1 on success, 0 otherwise.
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>
+
+=head1 HISTORY
+
+DSA_generate_key() is available since SSLeay 0.8.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/DSA_generate_parameters.pod b/src/lib/libssl/src/doc/crypto/DSA_generate_parameters.pod
new file mode 100644
index 0000000000..43f60b0eb9
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/DSA_generate_parameters.pod
@@ -0,0 +1,105 @@
+=pod
+
+=head1 NAME
+
+DSA_generate_parameters - generate DSA parameters
+
+=head1 SYNOPSIS
+
+ #include <openssl/dsa.h>
+
+ DSA *DSA_generate_parameters(int bits, unsigned char *seed,
+                int seed_len, int *counter_ret, unsigned long *h_ret,
+                void (*callback)(int, int, void *), void *cb_arg);
+
+=head1 DESCRIPTION
+
+DSA_generate_parameters() generates primes p and q and a generator g
+for use in the DSA.
+
+B<bits> is the length of the prime to be generated; the DSS allows a
+maximum of 1024 bits.
+
+If B<seed> is B<NULL> or B<seed_len> E<lt> 20, the primes will be
+generated at random. Otherwise, the seed is used to generate
+them. If the given seed does not yield a prime q, a new random
+seed is chosen and placed at B<seed>.
+
+DSA_generate_parameters() places the iteration count in
+*B<counter_ret> and a counter used for finding a generator in
+*B<h_ret>, unless these are B<NULL>.
+
+A callback function may be used to provide feedback about the progress
+of the key generation. If B<callback> is not B<NULL>, it will be
+called as follows:
+
+=over 4
+
+=item *
+
+When a candidate for q is generated, B<callback(0, m++, cb_arg)> is called
+(m is 0 for the first candidate).
+
+=item *
+
+When a candidate for q has passed a test by trial division,
+B<callback(1, -1, cb_arg)> is called.
+While a candidate for q is tested by Miller-Rabin primality tests,
+B<callback(1, i, cb_arg)> is called in the outer loop
+(once for each witness that confirms that the candidate may be prime);
+i is the loop counter (starting at 0).
+
+=item *
+
+When a prime q has been found, B<callback(2, 0, cb_arg)> and
+B<callback(3, 0, cb_arg)> are called.
+
+=item *
+
+Before a candidate for p (other than the first) is generated and tested,
+B<callback(0, counter, cb_arg)> is called.
+
+=item *
+
+When a candidate for p has passed the test by trial division,
+B<callback(1, -1, cb_arg)> is called.
+While it is tested by the Miller-Rabin primality test,
+B<callback(1, i, cb_arg)> is called in the outer loop
+(once for each witness that confirms that the candidate may be prime).
+i is the loop counter (starting at 0).
+
+=item *
+
+When p has been found, B<callback(2, 1, cb_arg)> is called.
+
+=item *
+
+When the generator has been found, B<callback(3, 1, cb_arg)> is called.
+
+=back
+
+=head1 RETURN VALUE
+
+DSA_generate_parameters() returns a pointer to the DSA structure, or
+B<NULL> if the parameter generation fails. The error codes can be
+obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 BUGS
+
+Seed lengths E<gt> 20 are not supported.
+
+=head1 SEE ALSO
+
+L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>,
+L<DSA_free(3)|DSA_free(3)>
+
+=head1 HISTORY
+
+DSA_generate_parameters() appeared in SSLeay 0.8. The B<cb_arg>
+argument was added in SSLeay 0.9.0.
+In versions up to OpenSSL 0.9.4, B<callback(1, ...)> was called
+in the inner loop of the Miller-Rabin test whenever it reached the
+squaring step (the parameters to B<callback> did not reveal how many
+witnesses had been tested); since OpenSSL 0.9.5, B<callback(1, ...)>
+is called as in BN_is_prime(3), i.e. once for each witness.
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/DSA_get_ex_new_index.pod b/src/lib/libssl/src/doc/crypto/DSA_get_ex_new_index.pod
new file mode 100644
index 0000000000..4612e708ec
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/DSA_get_ex_new_index.pod
@@ -0,0 +1,36 @@
+=pod
+
+=head1 NAME
+
+DSA_get_ex_new_index, DSA_set_ex_data, DSA_get_ex_data - add application specific data to DSA structures
+
+=head1 SYNOPSIS
+
+ #include <openssl/DSA.h>
+
+ int DSA_get_ex_new_index(long argl, void *argp,
+                CRYPTO_EX_new *new_func,
+                CRYPTO_EX_dup *dup_func,
+                CRYPTO_EX_free *free_func);
+
+ int DSA_set_ex_data(DSA *d, int idx, void *arg);
+
+ char *DSA_get_ex_data(DSA *d, int idx);
+
+=head1 DESCRIPTION
+
+These functions handle application specific data in DSA
+structures. Their usage is identical to that of
+RSA_get_ex_new_index(), RSA_set_ex_data() and RSA_get_ex_data()
+as described in L<RSA_get_ex_new_index(3)>.
+
+=head1 SEE ALSO
+
+L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>, L<dsa(3)|dsa(3)>
+
+=head1 HISTORY
+
+DSA_get_ex_new_index(), DSA_set_ex_data() and DSA_get_ex_data() are
+available since OpenSSL 0.9.5.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/DSA_new.pod b/src/lib/libssl/src/doc/crypto/DSA_new.pod
new file mode 100644
index 0000000000..7dde54445b
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/DSA_new.pod
@@ -0,0 +1,41 @@
+=pod
+
+=head1 NAME
+
+DSA_new, DSA_free - allocate and free DSA objects
+
+=head1 SYNOPSIS
+
+ #include <openssl/dsa.h>
+
+ DSA* DSA_new(void);
+
+ void DSA_free(DSA *dsa);
+
+=head1 DESCRIPTION
+
+DSA_new() allocates and initializes a B<DSA> structure.
+
+DSA_free() frees the B<DSA> structure and its components. The values are
+erased before the memory is returned to the system.
+
+=head1 RETURN VALUES
+
+If the allocation fails, DSA_new() returns B<NULL> and sets an error
+code that can be obtained by
+L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns a pointer
+to the newly allocated structure.
+
+DSA_free() returns no value.
+
+=head1 SEE ALSO
+
+L<dsa(3)|dsa(3)>, L<err(3)|err(3)>,
+L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>,
+L<DSA_generate_key(3)|DSA_generate_key(3)>
+
+=head1 HISTORY
+
+DSA_new() and DSA_free() are available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/DSA_set_method.pod b/src/lib/libssl/src/doc/crypto/DSA_set_method.pod
new file mode 100644
index 0000000000..0b13ec9237
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/DSA_set_method.pod
@@ -0,0 +1,111 @@
+=pod
+
+=head1 NAME
+
+DSA_set_default_method, DSA_get_default_method, DSA_set_method,
+DSA_new_method, DSA_OpenSSL - select RSA method
+
+=head1 SYNOPSIS
+
+ #include <openssl/DSA.h>
+
+ void DSA_set_default_method(DSA_METHOD *meth);
+
+ DSA_METHOD *DSA_get_default_method(void);
+
+ DSA_METHOD *DSA_set_method(DSA *dsa, DSA_METHOD *meth);
+
+ DSA *DSA_new_method(DSA_METHOD *meth);
+
+ DSA_METHOD *DSA_OpenSSL(void);
+
+=head1 DESCRIPTION
+
+A B<DSA_METHOD> specifies the functions that OpenSSL uses for DSA
+operations. By modifying the method, alternative implementations
+such as hardware accelerators may be used.
+
+Initially, the default is to use the OpenSSL internal implementation.
+DSA_OpenSSL() returns a pointer to that method.
+
+DSA_set_default_method() makes B<meth> the default method for all B<DSA>
+structures created later.
+
+DSA_get_default_method() returns a pointer to the current default
+method.
+
+DSA_set_method() selects B<meth> for all operations using the structure B<DSA>.
+
+DSA_get_method() returns a pointer to the method currently selected
+for B<DSA>.
+
+DSA_new_method() allocates and initializes a B<DSA> structure so that
+B<method> will be used for the DSA operations. If B<method> is B<NULL>,
+the default method is used.
+
+=head1 THE DSA_METHOD STRUCTURE
+
+struct
+ {
+     /* name of the implementation */
+        const char *name;
+
+     /* sign */
+        DSA_SIG *(*dsa_do_sign)(const unsigned char *dgst, int dlen,
+                                 DSA *dsa);
+
+     /* pre-compute k^-1 and r */
+        int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
+                                 BIGNUM **rp);
+
+     /* verify */
+        int (*dsa_do_verify)(const unsigned char *dgst, int dgst_len,
+                                 DSA_SIG *sig, DSA *dsa);
+
+     /* compute rr = a1^p1 * a2^p2 mod m. May be NULL */
+        int (*dsa_mod_exp)(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1,
+                                 BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
+                                 BN_CTX *ctx, BN_MONT_CTX *in_mont);
+
+     /* compute r = a ^ p mod m. May be NULL */
+        int (*bn_mod_exp)(DSA *dsa, BIGNUM *r, BIGNUM *a,
+                                 const BIGNUM *p, const BIGNUM *m,
+                                 BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
+     /* called at DSA_new */
+        int (*init)(DSA *DSA);
+
+     /* called at DSA_free */
+        int (*finish)(DSA *DSA);
+
+        int flags;
+
+        char *app_data; /* ?? */
+
+ } DSA_METHOD;
+
+=head1 RETURN VALUES
+
+DSA_OpenSSL(), DSA_get_default_method() and DSA_get_method() return
+pointers to the respective B<DSA_METHOD>s.
+
+DSA_set_default_method() returns no value.
+
+DSA_set_method() returns a pointer to the B<DSA_METHOD> previously
+associated with B<dsa>.
+
+DSA_new_method() returns B<NULL> and sets an error code that can be
+obtained by L<ERR_get_error(3)|ERR_get_error(3)> if the allocation
+fails. Otherwise it returns a pointer to the newly allocated
+structure.
+
+=head1 SEE ALSO
+
+L<dsa(3)|dsa(3)>, L<DSA_new(3)|DSA_new(3)>
+
+=head1 HISTORY
+
+DSA_set_default_method(), DSA_get_default_method(), DSA_set_method(),
+DSA_new_method() and DSA_OpenSSL() were added in OpenSSL 0.9.4.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/DSA_sign.pod b/src/lib/libssl/src/doc/crypto/DSA_sign.pod
new file mode 100644
index 0000000000..f6e60a8ca3
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/DSA_sign.pod
@@ -0,0 +1,66 @@
+=pod
+
+=head1 NAME
+
+DSA_sign, DSA_sign_setup, DSA_verify - DSA signatures
+
+=head1 SYNOPSIS
+
+ #include <openssl/dsa.h>
+
+ int    DSA_sign(int type, const unsigned char *dgst, int len,
+                unsigned char *sigret, unsigned int *siglen, DSA *dsa);
+
+ int    DSA_sign_setup(DSA *dsa, BN_CTX *ctx, BIGNUM **kinvp,
+                BIGNUM **rp);
+
+ int    DSA_verify(int type, const unsigned char *dgst, int len,
+                unsigned char *sigbuf, int siglen, DSA *dsa);
+
+=head1 DESCRIPTION
+
+DSA_sign() computes a digital signature on the B<len> byte message
+digest B<dgst> using the private key B<dsa> and places its ASN.1 DER
+encoding at B<sigret>. The length of the signature is places in
+*B<siglen>. B<sigret> must point to DSA_size(B<dsa>) bytes of memory.
+
+DSA_sign_setup() may be used to precompute part of the signing
+operation in case signature generation is time-critical. It expects
+B<dsa> to contain DSA parameters. It places the precomputed values
+in newly allocated B<BIGNUM>s at *B<kinvp> and *B<rp>, after freeing
+the old ones unless *B<kinvp> and *B<rp> are NULL. These values may
+be passed to DSA_sign() in B<dsa-E<gt>kinv> and B<dsa-E<gt>r>.
+B<ctx> is a pre-allocated B<BN_CTX> or NULL.
+
+DSA_verify() verifies that the signature B<sigbuf> of size B<siglen>
+matches a given message digest B<dgst> of size B<len>.
+B<dsa> is the signer's public key.
+
+The B<type> parameter is ignored.
+
+The PRNG must be seeded before DSA_sign() (or DSA_sign_setup())
+is called.
+
+=head1 RETURN VALUES
+
+DSA_sign() and DSA_sign_setup() return 1 on success, 0 on error.
+DSA_verify() returns 1 for a valid signature, 0 for an incorrect
+signature and -1 on error. The error codes can be obtained by
+L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 CONFORMING TO
+
+US Federal Information Processing Standard FIPS 186 (Digital Signature
+Standard, DSS), ANSI X9.30
+
+=head1 SEE ALSO
+
+L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>,
+L<DSA_do_sign(3)|DSA_do_sign(3)>
+
+=head1 HISTORY
+
+DSA_sign() and DSA_verify() are available in all versions of SSLeay.
+DSA_sign_setup() was added in SSLeay 0.8.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/DSA_size.pod b/src/lib/libssl/src/doc/crypto/DSA_size.pod
new file mode 100644
index 0000000000..23b6320a4d
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/DSA_size.pod
@@ -0,0 +1,33 @@
+=pod
+
+=head1 NAME
+
+DSA_size - get DSA signature size
+
+=head1 SYNOPSIS
+
+ #include <openssl/dsa.h>
+
+ int DSA_size(DSA *dsa);
+
+=head1 DESCRIPTION
+
+This function returns the size of an ASN.1 encoded DSA signature in
+bytes. It can be used to determine how much memory must be allocated
+for a DSA signature.
+
+B<dsa-E<gt>q> must not be B<NULL>.
+
+=head1 RETURN VALUE
+
+The size in bytes.
+
+=head1 SEE ALSO
+
+L<dsa(3)|dsa(3)>, L<DSA_sign(3)|DSA_sign(3)>
+
+=head1 HISTORY
+
+DSA_size() is available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/ERR_GET_LIB.pod b/src/lib/libssl/src/doc/crypto/ERR_GET_LIB.pod
new file mode 100644
index 0000000000..2a129da036
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/ERR_GET_LIB.pod
@@ -0,0 +1,51 @@
+=pod
+
+=head1 NAME
+
+ERR_GET_LIB, ERR_GET_FUNC, ERR_GET_REASON - get library, function and
+reason code
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ int ERR_GET_LIB(unsigned long e);
+
+ int ERR_GET_FUNC(unsigned long e);
+
+ int ERR_GET_REASON(unsigned long e);
+
+=head1 DESCRIPTION
+
+The error code returned by ERR_get_error() consists of a library
+number, function code and reason code. ERR_GET_LIB(), ERR_GET_FUNC()
+and ERR_GET_REASON() can be used to extract these.
+
+The library number and function code describe where the error
+occurred, the reason code is the information about what went wrong.
+
+Each sub-library of OpenSSL has a unique library number; function and
+reason codes are unique within each sub-library.  Note that different
+libraries may use the same value to signal different functions and
+reasons.
+
+B<ERR_R_...> reason codes such as B<ERR_R_MALLOC_FAILURE> are globally
+unique. However, when checking for sub-library specific reason codes,
+be sure to also compare the library number.
+
+ERR_GET_LIB(), ERR_GET_FUNC() and ERR_GET_REASON() are macros.
+
+=head1 RETURN VALUES
+
+The library number, function code and reason code respectively.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
+
+=head1 HISTORY
+
+ERR_GET_LIB(), ERR_GET_FUNC() and ERR_GET_REASON() are available in
+all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/ERR_clear_error.pod b/src/lib/libssl/src/doc/crypto/ERR_clear_error.pod
new file mode 100644
index 0000000000..566e1f4e31
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/ERR_clear_error.pod
@@ -0,0 +1,29 @@
+=pod
+
+=head1 NAME
+
+ERR_clear_error - clear the error queue
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ void ERR_clear_error(void);
+
+=head1 DESCRIPTION
+
+ERR_clear_error() empties the current thread's error queue.
+
+=head1 RETURN VALUES
+
+ERR_clear_error() has no return value.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
+
+=head1 HISTORY
+
+ERR_clear_error() is available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/ERR_error_string.pod b/src/lib/libssl/src/doc/crypto/ERR_error_string.pod
new file mode 100644
index 0000000000..0d2417599c
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/ERR_error_string.pod
@@ -0,0 +1,65 @@
+=pod
+
+=head1 NAME
+
+ERR_error_string - obtain human-readable error message
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ char *ERR_error_string(unsigned long e, char *buf);
+
+ const char *ERR_lib_error_string(unsigned long e);
+ const char *ERR_func_error_string(unsigned long e);
+ const char *ERR_reason_error_string(unsigned long e);
+
+=head1 DESCRIPTION
+
+ERR_error_string() generates a human-readable string representing the
+error code B<e>, and places it at B<buf>. B<buf> must be at least 120
+bytes long. If B<buf> is B<NULL>, the error string is placed in a
+static buffer.
+
+The string will have the following format:
+
+ error:[error code]:[library name]:[function name]:[reason string]
+
+I<error code> is an 8 digit hexadecimal number, I<library name>,
+I<function name> and I<reason string> are ASCII text.
+
+ERR_lib_error_string(), ERR_func_error_string() and
+ERR_reason_error_string() return the library name, function
+name and reason string respectively.
+
+The OpenSSL error strings should be loaded by calling
+L<ERR_load_crypto_strings(3)|ERR_load_crypto_strings(3)> or, for SSL
+applications, L<SSL_load_error_strings(3)|SSL_load_error_strings(3)>
+first.
+If there is no text string registered for the given error code,
+the error string will contain the numeric code.
+
+L<ERR_print_errors(3)|ERR_print_errors(3)> can be used to print
+all error codes currently in the queue.
+
+=head1 RETURN VALUES
+
+ERR_error_string() returns a pointer to a static buffer containing the
+string if B<buf == NULL>, B<buf> otherwise.
+
+ERR_lib_error_string(), ERR_func_error_string() and
+ERR_reason_error_string() return the strings, and B<NULL> if
+none is registered for the error code.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
+L<ERR_load_crypto_strings(3)|ERR_load_crypto_strings(3)>,
+L<SSL_load_error_strings(3)|SSL_load_error_strings(3)>
+L<ERR_print_errors(3)|ERR_print_errors(3)>
+
+=head1 HISTORY
+
+ERR_error_string() is available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/ERR_get_error.pod b/src/lib/libssl/src/doc/crypto/ERR_get_error.pod
new file mode 100644
index 0000000000..75ece00d97
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/ERR_get_error.pod
@@ -0,0 +1,62 @@
+=pod
+
+=head1 NAME
+
+ERR_get_error, ERR_peek_error - obtain error code
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ unsigned long ERR_get_error(void);
+ unsigned long ERR_peek_error(void);
+
+ unsigned long ERR_get_error_line(const char **file, int *line);
+ unsigned long ERR_peek_error_line(const char **file, int *line);
+
+ unsigned long ERR_get_error_line_data(const char **file, int *line,
+         const char **data, int *flags);
+ unsigned long ERR_peek_error_line_data(const char **file, int *line,
+         const char **data, int *flags);
+
+=head1 DESCRIPTION
+
+ERR_get_error() returns the last error code from the thread's error
+queue and removes the entry. This function can be called repeatedly
+until there are no more error codes to return.
+
+ERR_peek_error() returns the last error code from the thread's
+error queue without modifying it.
+
+See L<ERR_GET_LIB(3)|ERR_GET_LIB(3)> for obtaining information about
+location and reason of the error, and
+L<ERR_error_string(3)|ERR_error_string(3)> for human-readable error
+messages.
+
+ERR_get_error_line() and ERR_peek_error_line() are the same as the
+above, but they additionally store the file name and line number where
+the error occurred in *B<file> and *B<line>, unless these are B<NULL>.
+
+ERR_get_error_line_data() and ERR_peek_error_line_data() store
+additional data and flags associated with the error code in *B<data>
+and *B<flags>, unless these are B<NULL>. *B<data> contains a string
+if *B<flags>&B<ERR_TXT_STRING>. If it has been allocated by Malloc(),
+*B<flags>&B<ERR_TXT_MALLOCED> is true.
+
+=head1 RETURN VALUES
+
+The error code, or 0 if there is no error in the queue.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<ERR_error_string(3)|ERR_error_string(3)>,
+L<ERR_GET_LIB(3)|ERR_GET_LIB(3)>
+
+=head1 HISTORY
+
+ERR_get_error(), ERR_peek_error(), ERR_get_error_line() and
+ERR_peek_error_line() are available in all versions of SSLeay and
+OpenSSL. ERR_get_error_line_data() and ERR_peek_error_line_data()
+were added in SSLeay 0.9.0.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/ERR_load_crypto_strings.pod b/src/lib/libssl/src/doc/crypto/ERR_load_crypto_strings.pod
new file mode 100644
index 0000000000..9bdec75a46
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/ERR_load_crypto_strings.pod
@@ -0,0 +1,46 @@
+=pod
+
+=head1 NAME
+
+ERR_load_crypto_strings, SSL_load_error_strings, ERR_free_strings -
+load and free error strings
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ void ERR_load_crypto_strings(void);
+ void ERR_free_strings(void);
+
+ #include <openssl/ssl.h>
+
+ void SSL_load_error_strings(void);
+
+=head1 DESCRIPTION
+
+ERR_load_crypto_strings() registers the error strings for all
+B<libcrypto> functions. SSL_load_error_strings() does the same,
+but also registers the B<libssl> error strings.
+
+One of these functions should be called before generating
+textual error messages. However, this is not required when memory
+usage is an issue.
+
+ERR_free_strings() frees all previously loaded error strings.
+
+=head1 RETURN VALUES
+
+ERR_load_crypto_strings(), SSL_load_error_strings() and
+ERR_free_strings() return no values.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<ERR_error_string(3)|ERR_error_string(3)>
+
+=head1 HISTORY
+
+ERR_load_error_strings(), SSL_load_error_strings() and
+ERR_free_strings() are available in all versions of SSLeay and
+OpenSSL.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/ERR_load_strings.pod b/src/lib/libssl/src/doc/crypto/ERR_load_strings.pod
new file mode 100644
index 0000000000..5acdd0edbc
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/ERR_load_strings.pod
@@ -0,0 +1,54 @@
+=pod
+
+=head1 NAME
+
+ERR_load_strings, ERR_PACK, ERR_get_next_error_library - load
+arbitrary error strings
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ void ERR_load_strings(int lib, ERR_STRING_DATA str[]);
+
+ int ERR_get_next_error_library(void);
+
+ unsigned long ERR_PACK(int lib, int func, int reason);
+
+=head1 DESCRIPTION
+
+ERR_load_strings() registers error strings for library number B<lib>.
+
+B<str> is an array of error string data:
+
+ typedef struct ERR_string_data_st
+ {
+        unsigned long error;
+        char *string;
+ } ERR_STRING_DATA;
+
+The error code is generated from the library number and a function and
+reason code: B<error> = ERR_PACK(B<lib>, B<func>, B<reason>).
+ERR_PACK() is a macro.
+
+The last entry in the array is {0,0}.
+
+ERR_get_next_error_library() can be used to assign library numbers
+to user libraries at runtime.
+
+=head1 RETURN VALUE
+
+ERR_load_strings() returns no value. ERR_PACK() return the error code.
+ERR_get_next_error_library() returns a new library number.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<ERR_load_strings(3)|ERR_load_strings(3)>
+
+=head1 HISTORY
+
+ERR_load_error_strings() and ERR_PACK() are available in all versions
+of SSLeay and OpenSSL. ERR_get_next_error_library() was added in
+SSLeay 0.9.0.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/ERR_print_errors.pod b/src/lib/libssl/src/doc/crypto/ERR_print_errors.pod
new file mode 100644
index 0000000000..b100a5fa2b
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/ERR_print_errors.pod
@@ -0,0 +1,51 @@
+=pod
+
+=head1 NAME
+
+ERR_print_errors, ERR_print_errors_fp - print error messages
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ void ERR_print_errors(BIO *bp);
+ void ERR_print_errors_fp(FILE *fp);
+
+=head1 DESCRIPTION
+
+ERR_print_errors() is a convenience function that prints the error
+strings for all errors that OpenSSL has recorded to B<bp>, thus
+emptying the error queue.
+
+ERR_print_errors_fp() is the same, except that the output goes to a
+B<FILE>.
+
+
+The error strings will have the following format:
+
+ [pid]:error:[error code]:[library name]:[function name]:[reason string]:[file name]:[line]:[optional text message]
+
+I<error code> is an 8 digit hexadecimal number. I<library name>,
+I<function name> and I<reason string> are ASCII text, as is I<optional
+text message> if one was set for the respective error code.
+
+If there is no text string registered for the given error code,
+the error string will contain the numeric code.
+
+=head1 RETURN VALUES
+
+ERR_print_errors() and ERR_print_errors_fp() return no values.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<ERR_error_string(3)|ERR_error_string(3)>,
+L<ERR_get_error(3)|ERR_get_error(3)>,
+L<ERR_load_crypto_strings(3)|ERR_load_crypto_strings(3)>,
+L<SSL_load_error_strings(3)|SSL_load_error_strings(3)>
+
+=head1 HISTORY
+
+ERR_print_errors() and ERR_print_errors_fp()
+are available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/ERR_put_error.pod b/src/lib/libssl/src/doc/crypto/ERR_put_error.pod
new file mode 100644
index 0000000000..acd241fbe4
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/ERR_put_error.pod
@@ -0,0 +1,44 @@
+=pod
+
+=head1 NAME
+
+ERR_put_error, ERR_add_error_data - record an error
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ void ERR_put_error(int lib, int func, int reason, const char *file,
+         int line);
+
+ void ERR_add_error_data(int num, ...);
+
+=head1 DESCRIPTION
+
+ERR_put_error() adds an error code to the thread's error queue. It
+signals that the error of reason code B<reason> occurred in function
+B<func> of library B<lib>, in line number B<line> of B<file>.
+This function is usually called by a macro.
+
+ERR_add_error_data() associates the concatenation of its B<num> string
+arguments with the error code added last.
+
+L<ERR_load_strings(3)|ERR_load_strings(3)> can be used to register
+error strings so that the application can a generate human-readable
+error messages for the error code.
+
+=head1 RETURN VALUES
+
+ERR_put_error() and ERR_add_error_data() return
+no values.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<ERR_load_strings(3)|ERR_load_strings(3)>
+
+=head1 HISTORY
+
+ERR_put_error() is available in all versions of SSLeay and OpenSSL.
+ERR_add_error_data() was added in SSLeay 0.9.0.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/ERR_remove_state.pod b/src/lib/libssl/src/doc/crypto/ERR_remove_state.pod
new file mode 100644
index 0000000000..ebcdc0f5a5
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/ERR_remove_state.pod
@@ -0,0 +1,34 @@
+=pod
+
+=head1 NAME
+
+ERR_remove_state - free a thread's error queue
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ void ERR_remove_state(unsigned long pid);
+
+=head1 DESCRIPTION
+
+ERR_remove_state() frees the error queue associated with thread B<pid>.
+If B<pid> == 0, the current thread will have its error queue removed.
+
+Since error queue data structures are allocated automatically for new
+threads, they must be freed when threads are terminated in oder to
+avoid memory leaks.
+
+=head1 RETURN VALUE
+
+ERR_remove_state() returns no value.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>
+
+=head1 HISTORY
+
+ERR_remove_state() is available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/EVP_BytesToKey.pod b/src/lib/libssl/src/doc/crypto/EVP_BytesToKey.pod
new file mode 100644
index 0000000000..5ce4add082
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/EVP_BytesToKey.pod
@@ -0,0 +1,67 @@
+=pod
+
+=head1 NAME
+
+ EVP_BytesToKey - password based encryption routine
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ int EVP_BytesToKey(const EVP_CIPHER *type,const EVP_MD *md,
+                       const unsigned char *salt,
+                       const unsigned char *data, int datal, int count,
+                       unsigned char *key,unsigned char *iv);
+
+=head1 DESCRIPTION
+
+EVP_BytesToKey() derives a key and IV from various parameters. B<type> is
+the cipher to derive the key and IV for. B<md> is the message digest to use.
+The B<salt> paramter is used as a salt in the derivation: it should point to
+an 8 byte buffer or NULL if no salt is used. B<data> is a buffer containing
+B<datal> bytes which is used to derive the keying data. B<count> is the
+iteration count to use. The derived key and IV will be written to B<key>
+and B<iv> respectively.
+
+=head1 NOTES
+
+A typical application of this function is to derive keying material for an
+encryption algorithm from a password in the B<data> parameter.
+
+Increasing the B<count> parameter slows down the algorithm which makes it
+harder for an attacker to peform a brute force attack using a large number
+of candidate passwords.
+
+If the total key and IV length is less than the digest length and
+B<MD5> is used then the derivation algorithm is compatible with PKCS#5 v1.5
+otherwise a non standard extension is used to derive the extra data.
+
+Newer applications should use more standard algorithms such as PKCS#5
+v2.0 for key derivation.
+
+=head1 KEY DERIVATION ALGORITHM
+
+The key and IV is derived by concatenating D_1, D_2, etc until
+enough data is available for the key and IV. D_i is defined as:
+
+        D_i = HASH^count(D_(i-1) || data || salt)
+
+where || denotes concatentaion, D_0 is empty, HASH is the digest
+algorithm in use, HASH^1(data) is simply HASH(data), HASH^2(data)
+is HASH(HASH(data)) and so on.
+
+The initial bytes are used for the key and the subsequent bytes for
+the IV.
+
+=head1 RETURN VALUES
+
+EVP_BytesToKey() returns the size of the derived key in bytes.
+
+=head1 SEE ALSO
+
+L<evp(3)|evp(3)>, L<rand(3)|rand(3)>,
+L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>,
+
+=head1 HISTORY
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/EVP_DigestInit.pod b/src/lib/libssl/src/doc/crypto/EVP_DigestInit.pod
new file mode 100644
index 0000000000..345b1ddfa7
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/EVP_DigestInit.pod
@@ -0,0 +1,197 @@
+=pod
+
+=head1 NAME
+
+EVP_DigestInit, EVP_DigestUpdate, EVP_DigestFinal - EVP digest routines
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ void EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type);
+ void EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
+ void EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md,
+        unsigned int *s);
+
+ #define EVP_MAX_MD_SIZE (16+20) /* The SSLv3 md5+sha1 type */
+
+ int EVP_MD_CTX_copy(EVP_MD_CTX *out,EVP_MD_CTX *in);  
+
+ #define EVP_MD_type(e)                 ((e)->type)
+ #define EVP_MD_pkey_type(e)            ((e)->pkey_type)
+ #define EVP_MD_size(e)                 ((e)->md_size)
+ #define EVP_MD_block_size(e)           ((e)->block_size)
+
+ #define EVP_MD_CTX_md(e)               (e)->digest)
+ #define EVP_MD_CTX_size(e)             EVP_MD_size((e)->digest)
+ #define EVP_MD_CTX_block_size(e)       EVP_MD_block_size((e)->digest)
+ #define EVP_MD_CTX_type(e)             EVP_MD_type((e)->digest)
+
+ EVP_MD *EVP_md_null(void);
+ EVP_MD *EVP_md2(void);
+ EVP_MD *EVP_md5(void);
+ EVP_MD *EVP_sha(void);
+ EVP_MD *EVP_sha1(void);
+ EVP_MD *EVP_dss(void);
+ EVP_MD *EVP_dss1(void);
+ EVP_MD *EVP_mdc2(void);
+ EVP_MD *EVP_ripemd160(void);
+
+ const EVP_MD *EVP_get_digestbyname(const char *name);
+ #define EVP_get_digestbynid(a) EVP_get_digestbyname(OBJ_nid2sn(a))
+ #define EVP_get_digestbyobj(a) EVP_get_digestbynid(OBJ_obj2nid(a))
+
+=head1 DESCRIPTION
+
+The EVP digest routines are a high level interface to message digests.
+
+EVP_DigestInit() initialises a digest context B<ctx> to use a digest
+B<type>: this will typically be supplied by a function such as
+EVP_sha1().
+
+EVP_DigestUpdate() hashes B<cnt> bytes of data at B<d> into the
+digest context B<ctx>. This funtion can be called several times on the
+same B<ctx> to hash additional data.
+
+EVP_DigestFinal() retrieves the digest value from B<ctx> and places
+it in B<md>. If the B<s> parameter is not NULL then the number of
+bytes of data written (i.e. the length of the digest) will be written
+to the integer at B<s>, at most B<EVP_MAX_MD_SIZE> bytes will be written.
+After calling EVP_DigestFinal() no additional calls to EVP_DigestUpdate()
+can be made, but EVP_DigestInit() can be called to initialiase a new
+digest operation.
+
+EVP_MD_CTX_copy() can be used to copy the message digest state from
+B<in> to B<out>. This is useful if large amounts of data are to be
+hashed which only differ in the last few bytes.
+
+EVP_MD_size() and EVP_MD_CTX_size() return the size of the message digest
+when passed an B<EVP_MD> or an B<EVP_MD_CTX> structure, i.e. the size of the
+hash.
+
+EVP_MD_block_size() and EVP_MD_CTX_block_size() return the block size of the
+message digest when passed an B<EVP_MD> or an B<EVP_MD_CTX> structure.
+
+EVP_MD_type() and EVP_MD_CTX_type() return the NID of the OBJECT IDENTIFIER
+representing the given message digest when passed an B<EVP_MD> structure.
+For example EVP_MD_type(EVP_sha1()) returns B<NID_sha1>. This function is
+normally used when setting ASN1 OIDs.
+
+EVP_MD_CTX_md() returns the B<EVP_MD> structure corresponding to the passed
+B<EVP_MD_CTX>.
+
+EVP_MD_pkey_type() returns the NID of the public key signing algorithm associated
+with this digest. For example EVP_sha1() is associated with RSA so this will
+return B<NID_sha1WithRSAEncryption>. This "link" between digests and signature
+algorithms may not be retained in future versions of OpenSSL.
+
+EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_mdc2() and EVP_ripemd160()
+return B<EVP_MD> structures for the MD2, MD5, SHA, SHA1, MDC2 and RIPEMD160 digest
+algorithms respectively. The associated signature algorithm is RSA in each case.
+
+EVP_dss() and EVP_dss1() return B<EVP_MD> structures for SHA and SHA1 digest
+algorithms but using DSS (DSA) for the signature algorithm.
+
+EVP_md_null() is a "null" message digest that does nothing: i.e. the hash it
+returns is of zero length.
+
+EVP_get_digestbyname(), EVP_get_digestbynid() and EVP_get_digestbyobj()
+return an B<EVP_MD> structure when passed a digest name, a digest NID or
+an ASN1_OBJECT structure respectively. The digest table must be initialised
+using, for example, OpenSSL_add_all_digests() for these functions to work.
+
+=head1 RETURN VALUES
+
+EVP_DigestInit(), EVP_DigestUpdate() and EVP_DigestFinal() do not return values.
+
+EVP_MD_CTX_copy() returns 1 if successful or 0 for failure.
+
+EVP_MD_type(), EVP_MD_pkey_type() and EVP_MD_type() return the NID of the
+corresponding OBJECT IDENTIFIER or NID_undef if none exists.
+
+EVP_MD_size(), EVP_MD_block_size(), EVP_MD_CTX_size(e), EVP_MD_size(),
+EVP_MD_CTX_block_size() and EVP_MD_block_size() return the digest or block
+size in bytes.
+
+EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_dss(),
+EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the
+corresponding EVP_MD structures.
+
+EVP_get_digestbyname(), EVP_get_digestbynid() and EVP_get_digestbyobj()
+return either an B<EVP_MD> structure or NULL if an error occurs.
+
+=head1 NOTES
+
+The B<EVP> interface to message digests should almost always be used in
+preference to the low level interfaces. This is because the code then becomes
+transparent to the digest used and much more flexible.
+
+SHA1 is the digest of choice for new applications. The other digest algorithms
+are still in common use.
+
+=head1 EXAMPLE
+
+This example digests the data "Test Message\n" and "Hello World\n", using the
+digest name passed on the command line.
+
+ #include <stdio.h>
+ #include <openssl/evp.h>
+
+ main(int argc, char *argv[])
+ {
+ EVP_MD_CTX mdctx;
+ const EVP_MD *md;
+ char mess1[] = "Test Message\n";
+ char mess2[] = "Hello World\n";
+ unsigned char md_value[EVP_MAX_MD_SIZE];
+ int md_len, i;
+
+ OpenSSL_add_all_digests();
+
+ if(!argv[1]) {
+        printf("Usage: mdtest digestname\n");
+        exit(1);
+ }
+
+ md = EVP_get_digestbyname(argv[1]);
+
+ if(!md) {
+        printf("Unknown message digest %s\n", argv[1]);
+        exit(1);
+ }
+
+ EVP_DigestInit(&mdctx, md);
+ EVP_DigestUpdate(&mdctx, mess1, strlen(mess1));
+ EVP_DigestUpdate(&mdctx, mess2, strlen(mess2));
+ EVP_DigestFinal(&mdctx, md_value, &md_len);
+
+ printf("Digest is: ");
+ for(i = 0; i < md_len; i++) printf("%02x", md_value[i]);
+ printf("\n");
+ }
+
+=head1 BUGS
+
+Several of the functions do not return values: maybe they should. Although the
+internal digest operations will never fail some future hardware based operations
+might.
+
+The link between digests and signing algorithms results in a situation where
+EVP_sha1() must be used with RSA and EVP_dss1() must be used with DSS
+even though they are identical digests.
+
+The size of an B<EVP_MD_CTX> structure is determined at compile time: this results
+in code that must be recompiled if the size of B<EVP_MD_CTX> increases.
+
+=head1 SEE ALSO
+
+L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
+L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>,
+L<sha(3)|sha(3)>, L<digest(1)|digest(1)>
+
+=head1 HISTORY
+
+EVP_DigestInit(), EVP_DigestUpdate() and EVP_DigestFinal() are
+available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod b/src/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod
new file mode 100644
index 0000000000..77ed4ccdba
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod
@@ -0,0 +1,224 @@
+=pod
+
+=head1 NAME
+
+EVP_EncryptInit, EVP_EncryptUpdate, EVP_EncryptFinal - EVP cipher routines
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ void EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
+         unsigned char *key, unsigned char *iv);
+ void EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
+         int *outl, unsigned char *in, int inl);
+ void EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
+         int *outl);
+
+ void EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
+         unsigned char *key, unsigned char *iv);
+ void EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
+         int *outl, unsigned char *in, int inl);
+ int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm,
+         int *outl);
+
+ void EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
+         unsigned char *key, unsigned char *iv, int enc);
+ void EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
+         int *outl, unsigned char *in, int inl);
+ int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm,
+         int *outl);
+
+ void EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a);
+
+ const EVP_CIPHER *EVP_get_cipherbyname(const char *name);
+ #define EVP_get_cipherbynid(a) EVP_get_cipherbyname(OBJ_nid2sn(a))
+ #define EVP_get_cipherbyobj(a) EVP_get_cipherbynid(OBJ_obj2nid(a))
+
+ #define EVP_CIPHER_nid(e)              ((e)->nid)
+ #define EVP_CIPHER_block_size(e)       ((e)->block_size)
+ #define EVP_CIPHER_key_length(e)       ((e)->key_len)
+ #define EVP_CIPHER_iv_length(e)        ((e)->iv_len)
+
+ int EVP_CIPHER_type(const EVP_CIPHER *ctx);
+ #define EVP_CIPHER_CTX_cipher(e)       ((e)->cipher)
+ #define EVP_CIPHER_CTX_nid(e)          ((e)->cipher->nid)
+ #define EVP_CIPHER_CTX_block_size(e)   ((e)->cipher->block_size)
+ #define EVP_CIPHER_CTX_key_length(e)   ((e)->cipher->key_len)
+ #define EVP_CIPHER_CTX_iv_length(e)    ((e)->cipher->iv_len)
+ #define EVP_CIPHER_CTX_type(c)         EVP_CIPHER_type(EVP_CIPHER_CTX_cipher(c))
+
+ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
+ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
+
+=head1 DESCRIPTION
+
+The EVP cipher routines are a high level interface to certain
+symmetric ciphers.
+
+EVP_EncryptInit() initialises a cipher context B<ctx> for encryption
+with cipher B<type>. B<type> is normally supplied by a function such
+as EVP_des_cbc() . B<key> is the symmetric key to use and B<iv> is the
+IV to use (if necessary), the actual number of bytes used for the
+key and IV depends on the cipher. It is possible to set all parameters
+to NULL except B<type> in an initial call and supply the remaining
+parameters in subsequent calls. This is normally done when the 
+EVP_CIPHER_asn1_to_param() function is called to set the cipher
+parameters from an ASN1 AlgorithmIdentifier and the key from a
+different source.
+
+EVP_EncryptUpdate() encrypts B<inl> bytes from the buffer B<in> and
+writes the encrypted version to B<out>. This function can be called
+multiple times to encrypt successive blocks of data. The amount
+of data written depends on the block alignment of the encrypted data:
+as a result the amount of data written may be anything from zero bytes
+to (inl + cipher_block_size - 1) so B<outl> should contain sufficient
+room.  The actual number of bytes written is placed in B<outl>.
+
+EVP_EncryptFinal() encrypts the "final" data, that is any data that
+remains in a partial block. It uses L<standard block padding|/NOTES> (aka PKCS
+padding). The encrypted final data is written to B<out> which should
+have sufficient space for one cipher block. The number of bytes written
+is placed in B<outl>. After this function is called the encryption operation
+is finished and no further calls to EVP_EncryptUpdate() should be made.
+
+EVP_DecryptInit(), EVP_DecryptUpdate() and EVP_DecryptFinal() are the
+corresponding decryption operations. EVP_DecryptFinal() will return an
+error code if the final block is not correctly formatted. The parameters
+and restrictions are identical to the encryption operations except that
+the decrypted data buffer B<out> passed to EVP_DecryptUpdate() should
+have sufficient room for (B<inl> + cipher_block_size) bytes unless the
+cipher block size is 1 in which case B<inl> bytes is sufficient.
+
+EVP_CipherInit(), EVP_CipherUpdate() and EVP_CipherFinal() are functions
+that can be used for decryption or encryption. The operation performed
+depends on the value of the B<enc> parameter. It should be set to 1 for
+encryption and 0 for decryption.
+
+EVP_CIPHER_CTX_cleanup() clears all information from a cipher context.
+It should be called after all operations using a cipher are complete
+so sensitive information does not remain in memory.
+
+EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj()
+return an EVP_CIPHER structure when passed a cipher name, a NID or an
+ASN1_OBJECT structure.
+
+EVP_CIPHER_nid() and EVP_CIPHER_CTX_nid() return the NID of a cipher when
+passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX> structure.  The actual NID
+value is an internal value which may not have a corresponding OBJECT
+IDENTIFIER.
+
+EVP_CIPHER_key_length() and EVP_CIPHER_CTX_key_length() return the key
+length of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>
+structure. The constant B<EVP_MAX_KEY_LENGTH> is the maximum key length
+for all ciphers.
+
+EVP_CIPHER_iv_length() and EVP_CIPHER_CTX_iv_length() return the IV
+length of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>.
+It will return zero if the cipher does not use an IV.  The constant
+B<EVP_MAX_IV_LENGTH> is the maximum IV length for all ciphers.
+
+EVP_CIPHER_block_size() and EVP_CIPHER_CTX_block_size() return the block
+size of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>
+structure. The constant B<EVP_MAX_IV_LENGTH> is also the maximum block
+length for all ciphers.
+
+EVP_CIPHER_type() and EVP_CIPHER_CTX_type() return the type of the passed
+cipher or context. This "type" is the actual NID of the cipher OBJECT
+IDENTIFIER as such it ignores the cipher parameters and 40 bit RC2 and
+128 bit RC2 have the same NID. If the cipher does not have an object
+identifier or does not have ASN1 support this function will return
+B<NID_undef>.
+
+EVP_CIPHER_CTX_cipher() returns the B<EVP_CIPHER> structure when passed
+an B<EVP_CIPHER_CTX> structure.
+
+EVP_CIPHER_param_to_asn1() sets the AlgorithmIdentifier "parameter" based
+on the passed cipher. This will typically include any parameters and an
+IV. The cipher IV (if any) must be set when this call is made. This call
+should be made before the cipher is actually "used" (before any
+EVP_EncryptUpdate(), EVP_DecryptUpdate() calls for example). This function
+may fail if the cipher does not have any ASN1 support.
+
+EVP_CIPHER_asn1_to_param() sets the cipher parameters based on an ASN1
+AlgorithmIdentifier "parameter". The precise effect depends on the cipher
+In the case of RC2, for example, it will set the IV and effective key length.
+This function should be called after the base cipher type is set but before
+the key is set. For example EVP_CipherInit() will be called with the IV and
+key set to NULL, EVP_CIPHER_asn1_to_param() will be called and finally
+EVP_CipherInit() again with all parameters except the key set to NULL. It is
+possible for this function to fail if the cipher does not have any ASN1 support
+or the parameters cannot be set (for example the RC2 effective key length
+does not have an B<EVP_CIPHER> structure).
+
+=head1 RETURN VALUES
+
+EVP_EncryptInit(), EVP_EncryptUpdate() and EVP_EncryptFinal() do not return
+values.
+
+EVP_DecryptInit() and EVP_DecryptUpdate() do not return values.
+EVP_DecryptFinal() returns 0 if the decrypt failed or 1 for success.
+
+EVP_CipherInit() and EVP_CipherUpdate() do not return values.
+EVP_CipherFinal() returns 1 for a decryption failure or 1 for success, if
+the operation is encryption then it always returns 1.
+
+EVP_CIPHER_CTX_cleanup() does not return a value.
+
+EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj()
+return an B<EVP_CIPHER> structure or NULL on error.
+
+EVP_CIPHER_nid() and EVP_CIPHER_CTX_nid() return a NID.
+
+EVP_CIPHER_block_size() and EVP_CIPHER_CTX_block_size() return the block
+size.
+
+EVP_CIPHER_key_length() and EVP_CIPHER_CTX_key_length() return the key
+length.
+
+EVP_CIPHER_iv_length() and EVP_CIPHER_CTX_iv_length() return the IV
+length or zero if the cipher does not use an IV.
+
+EVP_CIPHER_type() and EVP_CIPHER_CTX_type() return the NID of the cipher's
+OBJECT IDENTIFIER or NID_undef if it has no defined OBJECT IDENTIFIER.
+
+EVP_CIPHER_CTX_cipher() returns an B<EVP_CIPHER> structure.
+
+EVP_CIPHER_param_to_asn1() and EVP_CIPHER_asn1_to_param() return 1 for 
+success or zero for failure.
+
+=head1 NOTES
+
+Where possible the B<EVP> interface to symmetric ciphers should be used in
+preference to the low level interfaces. This is because the code then becomes
+transparent to the cipher used and much more flexible.
+
+PKCS padding works by adding B<n> padding bytes of value B<n> to make the total 
+length of the encrypted data a multiple of the block size. Padding is always
+added so if the data is already a multiple of the block size B<n> will equal
+the block size. For example if the block size is 8 and 11 bytes are to be
+encrypted then 5 padding bytes of value 5 will be added.
+
+When decrypting the final block is checked to see if it has the correct form.
+
+Although the decryption operation can produce an error, it is not a strong
+test that the input data or key is correct. A random block has better than
+1 in 256 chance of being of the correct format and problems with the
+input data earlier on will not produce a final decrypt error.
+
+=head1 BUGS
+
+The current B<EVP> cipher interface is not as flexible as it should be. Only
+certain "spot" encryption algorithms can be used for ciphers which have various
+parameters associated with them (RC2, RC5 for example) this is inadequate.
+
+Several of the functions do not return error codes because the software versions
+can never fail. This is not true of hardware versions.
+
+=head1 SEE ALSO
+
+L<evp(3)|evp(3)>
+
+=head1 HISTORY
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/EVP_OpenInit.pod b/src/lib/libssl/src/doc/crypto/EVP_OpenInit.pod
new file mode 100644
index 0000000000..9707a4b399
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/EVP_OpenInit.pod
@@ -0,0 +1,51 @@
+=pod
+
+=head1 NAME
+
+EVP_OpenInit, EVP_OpenUpdate, EVP_OpenFinal - EVP envelope decryption
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ int EVP_OpenInit(EVP_CIPHER_CTX *ctx,EVP_CIPHER *type,unsigned char *ek,
+                int ekl,unsigned char *iv,EVP_PKEY *priv);
+ void EVP_OpenUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
+         int *outl, unsigned char *in, int inl);
+ void EVP_OpenFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
+         int *outl);
+
+=head1 DESCRIPTION
+
+The EVP envelope routines are a high level interface to envelope
+decryption. They decrypt a public key encrypted symmetric key and
+then decrypt data using it.
+
+EVP_OpenInit() initialises a cipher context B<ctx> for decryption
+with cipher B<type>. It decrypts the encrypted symmetric key of length
+B<ekl> bytes passed in the B<ek> parameter using the private key B<priv>.
+The IV is supplied in the B<iv> parameter.
+
+EVP_OpenUpdate() and EVP_OpenFinal() have exactly the same properties
+as the EVP_DecryptUpdate() and EVP_DecryptFinal() routines, as 
+documented on the L<EVP_EncryptInit(3)|EVP_EncryptInit(3)> manual
+page. 
+
+=head1 RETURN VALUES
+
+EVP_OpenInit() returns -1 on error or an non zero integer (actually the
+recovered secret key size) if successful.
+
+EVP_SealUpdate() does not return a value.
+
+EVP_SealFinal() returns 0 if the decrypt failed or 1 for success.
+
+=head1 SEE ALSO
+
+L<evp(3)|evp(3)>,L<rand(3)|rand(3)>
+L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>,
+L<EVP_SealInit(3)|EVP_SealInit(3)>
+
+=head1 HISTORY
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/EVP_SealInit.pod b/src/lib/libssl/src/doc/crypto/EVP_SealInit.pod
new file mode 100644
index 0000000000..1579d110fa
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/EVP_SealInit.pod
@@ -0,0 +1,70 @@
+=pod
+
+=head1 NAME
+
+EVP_SealInit, EVP_SealUpdate, EVP_SealFinal - EVP envelope encryption
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ int EVP_SealInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char **ek,
+                int *ekl, unsigned char *iv,EVP_PKEY **pubk, int npubk);
+ void EVP_SealUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
+         int *outl, unsigned char *in, int inl);
+ void EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
+         int *outl);
+
+=head1 DESCRIPTION
+
+The EVP envelope routines are a high level interface to envelope
+encryption. They generate a random key and then "envelope" it by
+using public key encryption. Data can then be encrypted using this
+key.
+
+EVP_SealInit() initialises a cipher context B<ctx> for encryption
+with cipher B<type> using a random secret key and IV supplied in
+the B<iv> parameter. B<type> is normally supplied by a function such
+as EVP_des_cbc(). The secret key is encrypted using one or more public
+keys, this allows the same encrypted data to be decrypted using any
+of the corresponding private keys. B<ek> is an array of buffers where
+the public key encrypted secret key will be written, each buffer must
+contain enough room for the corresponding encrypted key: that is
+B<ek[i]> must have room for B<EVP_PKEY_size(pubk[i])> bytes. The actual
+size of each encrypted secret key is written to the array B<ekl>. B<pubk> is
+an array of B<npubk> public keys.
+
+EVP_SealUpdate() and EVP_SealFinal() have exactly the same properties
+as the EVP_EncryptUpdate() and EVP_EncryptFinal() routines, as 
+documented on the L<EVP_EncryptInit(3)|EVP_EncryptInit(3)> manual
+page. 
+
+=head1 RETURN VALUES
+
+EVP_SealInit() returns -1 on error or B<npubk> if successful.
+
+EVP_SealUpdate() and EVP_SealFinal() do not return values.
+
+=head1 NOTES
+
+Because a random secret key is generated the random number generator
+must be seeded before calling EVP_SealInit().
+
+The public key must be RSA because it is the only OpenSSL public key
+algorithm that supports key transport.
+
+Envelope encryption is the usual method of using public key encryption
+on large amounts of data, this is because public key encryption is slow
+but symmetric encryption is fast. So symmetric encryption is used for
+bulk encryption and the small random symmetric key used is transferred
+using public key encryption.
+
+=head1 SEE ALSO
+
+L<evp(3)|evp(3)>,L<rand(3)|rand(3)>
+L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>,
+L<EVP_OpenInit(3)|EVP_OpenInit(3)>
+
+=head1 HISTORY
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/EVP_SignInit.pod b/src/lib/libssl/src/doc/crypto/EVP_SignInit.pod
new file mode 100644
index 0000000000..bbc9203c9c
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/EVP_SignInit.pod
@@ -0,0 +1,85 @@
+=pod
+
+=head1 NAME
+
+EVP_SignInit, EVP_SignUpdate, EVP_SignFinal - EVP signing functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ void EVP_SignInit(EVP_MD_CTX *ctx, const EVP_MD *type);
+ void EVP_SignUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
+ int EVP_SignFinal(EVP_MD_CTX *ctx,unsigned char *sig,unsigned int *s, EVP_PKEY *pkey);
+
+ int EVP_PKEY_size(EVP_PKEY *pkey);
+
+=head1 DESCRIPTION
+
+The EVP signature routines are a high level interface to digital
+signatures.
+
+EVP_SignInit() initialises a signing context B<ctx> to using digest
+B<type>: this will typically be supplied by a function such as
+EVP_sha1().
+
+EVP_SignUpdate() hashes B<cnt> bytes of data at B<d> into the
+signature context B<ctx>. This funtion can be called several times on the
+same B<ctx> to include additional data.
+
+EVP_SignFinal() signs the data in B<ctx> using the private key B<pkey>
+and places the signature in B<sig>. If the B<s> parameter is not NULL
+then the number of bytes of data written (i.e. the length of the signature)
+will be written to the integer at B<s>, at most EVP_PKEY_size(pkey) bytes
+will be written.  After calling EVP_SignFinal() no additional calls to
+EVP_SignUpdate() can be made, but EVP_SignInit() can be called to initialiase
+a new signature operation.
+
+EVP_PKEY_size() returns the maximum size of a signature in bytes. The actual
+signature returned by EVP_SignFinal() may be smaller.
+
+=head1 RETURN VALUES
+
+EVP_SignInit() and EVP_SignUpdate() do not return values.
+
+EVP_SignFinal() returns 1 for success and 0 for failure.
+
+EVP_PKEY_size() returns the maximum size of a signature in bytes.
+
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 NOTES
+
+The B<EVP> interface to digital signatures should almost always be used in
+preference to the low level interfaces. This is because the code then becomes
+transparent to the algorithm used and much more flexible.
+
+Due to the link between message digests and public key algorithms the correct
+digest algorithm must be used with the correct public key type. A list of
+algorithms and associated public key algorithms appears in 
+L<EVP_DigestInit(3)|EVP_DigestInit(3)>.
+
+When signing with DSA private keys the random number generator must be seeded
+or the operation will fail. The random number generator does not need to be
+seeded for RSA signatures.
+
+=head1 BUGS
+
+Several of the functions do not return values: maybe they should. Although the
+internal digest operations will never fail some future hardware based operations
+might.
+
+=head1 SEE ALSO
+
+L<EVP_VerifyInit(3)|EVP_VerifyInit(3)>,
+L<EVP_DigestInit(3)|EVP_DigestInit(3)>, L<err(3)|err(3)>,
+L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
+L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>,
+L<sha(3)|sha(3)>, L<digest(1)|digest(1)>
+
+=head1 HISTORY
+
+EVP_SignInit(), EVP_SignUpdate() and EVP_SignFinal() are
+available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/EVP_VerifyInit.pod b/src/lib/libssl/src/doc/crypto/EVP_VerifyInit.pod
new file mode 100644
index 0000000000..3b5e07f4ad
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/EVP_VerifyInit.pod
@@ -0,0 +1,71 @@
+=pod
+
+=head1 NAME
+
+EVP_VerifyInit, EVP_VerifyUpdate, EVP_VerifyFinal - EVP signature verification functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ void EVP_VerifyInit(EVP_MD_CTX *ctx, const EVP_MD *type);
+ void EVP_VerifyUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
+ int EVP_VerifyFinal(EVP_MD_CTX *ctx,unsigned char *sigbuf, unsigned int siglen,EVP_PKEY *pkey);
+
+=head1 DESCRIPTION
+
+The EVP signature verification routines are a high level interface to digital
+signatures.
+
+EVP_VerifyInit() initialises a verification context B<ctx> to using digest
+B<type>: this will typically be supplied by a function such as EVP_sha1().
+
+EVP_VerifyUpdate() hashes B<cnt> bytes of data at B<d> into the
+verification context B<ctx>. This funtion can be called several times on the
+same B<ctx> to include additional data.
+
+EVP_VerifyFinal() verifies the data in B<ctx> using the public key B<pkey>
+and against the B<siglen> bytes at B<sigbuf>. After calling EVP_VerifyFinal()
+no additional calls to EVP_VerifyUpdate() can be made, but EVP_VerifyInit()
+can be called to initialiase a new verification operation.
+
+=head1 RETURN VALUES
+
+EVP_VerifyInit() and EVP_VerifyUpdate() do not return values.
+
+EVP_VerifyFinal() returns 1 for a correct signature, 0 for failure and -1 if some
+other error occurred.
+
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 NOTES
+
+The B<EVP> interface to digital signatures should almost always be used in
+preference to the low level interfaces. This is because the code then becomes
+transparent to the algorithm used and much more flexible.
+
+Due to the link between message digests and public key algorithms the correct
+digest algorithm must be used with the correct public key type. A list of
+algorithms and associated public key algorithms appears in 
+L<EVP_DigestInit(3)|EVP_DigestInit(3)>.
+
+=head1 BUGS
+
+Several of the functions do not return values: maybe they should. Although the
+internal digest operations will never fail some future hardware based operations
+might.
+
+=head1 SEE ALSO
+
+L<EVP_SignInit(3)|EVP_SignInit(3)>,
+L<EVP_DigestInit(3)|EVP_DigestInit(3)>, L<err(3)|err(3)>,
+L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
+L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>,
+L<sha(3)|sha(3)>, L<digest(1)|digest(1)>
+
+=head1 HISTORY
+
+EVP_VerifyInit(), EVP_VerifyUpdate() and EVP_VerifyFinal() are
+available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/OPENSSL_VERSION_NUMBER.pod b/src/lib/libssl/src/doc/crypto/OPENSSL_VERSION_NUMBER.pod
new file mode 100644
index 0000000000..b0b1058d19
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/OPENSSL_VERSION_NUMBER.pod
@@ -0,0 +1,46 @@
+=pod
+
+=head1 NAME
+
+OPENSSL_VERSION_NUMBER, SSLeay - get OpenSSL version number
+
+=head1 SYNOPSIS
+
+ #include <openssl/opensslv.h>
+ #define OPENSSL_VERSION_NUMBER 0xnnnnnnnnnL
+
+ #include <openssl/crypto.h>
+ long SSLeay(void);
+
+=head1 DESCRIPTION
+
+OPENSSL_VERSION_NUMBER is a numeric release version identifier:
+
+ MMNNFFRBB major minor fix final beta/patch
+
+for example
+
+ 0x000904100 == 0.9.4 release
+ 0x000905000 == 0.9.5 dev
+
+Versions prior to 0.9.3 have identifiers E<lt> 0x0930.
+For backward compatibility, SSLEAY_VERSION_NUMBER is also defined.
+
+SSLeay() returns this number. The return value can be compared to the
+macro to make sure that the correct version of the library has been
+loaded, especially when using DLLs on Windows systems.
+
+=head1 RETURN VALUE
+
+The version number.
+
+=head1 SEE ALSO
+
+L<crypto(3)|crypto(3)>
+
+=head1 HISTORY
+
+SSLeay() and SSLEAY_VERSION_NUMBER are available in all versions of SSLeay and OpenSSL.
+OPENSSL_VERSION_NUMBER is available in all versions of OpenSSL.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/OpenSSL_add_all_algorithms.pod b/src/lib/libssl/src/doc/crypto/OpenSSL_add_all_algorithms.pod
new file mode 100644
index 0000000000..1300fe190c
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/OpenSSL_add_all_algorithms.pod
@@ -0,0 +1,65 @@
+=pod
+
+=head1 NAME
+
+OpenSSL_add_all_algorithms() - add algorithms to internal table
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ void OpenSSL_add_all_algorithms(void);
+ void OpenSSL_add_all_ciphers(void);
+ void OpenSSL_add_all_digests(void);
+
+ void EVP_cleanup(void);
+
+=head1 DESCRIPTION
+
+OpenSSL keeps an internal table of digest algorithms and ciphers. It uses
+this table to lookup ciphers via functions such as EVP_get_cipher_byname().
+
+OpenSSL_add_all_digests() adds all digest algorithms to the table.
+
+OpenSSL_add_all_algorithms() adds all algorithms to the table (digests and
+ciphers).
+
+OpenSSL_add_all_ciphers() adds all encryption algorithms to the table including
+password based encryption algorithms.
+
+EVP_cleanup() removes all ciphers and digests from the table.
+
+=head1 RETURN VALUES
+
+None of the functions return a value.
+
+=head1 NOTES
+
+A typical application will will call OpenSSL_add_all_algorithms() initially and
+EVP_cleanup() before exiting.
+
+An application does not need to add algorithms to use them explicitly, for example
+by EVP_sha1(). It just needs to add them if it (or any of the functions it calls)
+needs to lookup algorithms.
+
+The cipher and digest lookup functions are used in many parts of the library. If
+the table is not initialised several functions will misbehave and complain they
+cannot find algorithms. This includes the PEM, PKCS#12, SSL and S/MIME libraries.
+This is a common query in the OpenSSL mailing lists.
+
+Calling OpenSSL_add_all_algorithms() links in all algorithms: as a result a
+statically linked executable can be quite large. If this is important it is possible
+to just add the required ciphers and digests.
+
+=head1 BUGS
+
+Although the functions do not return error codes it is possible for them to fail.
+This will only happen as a result of a memory allocation failure so this is not
+too much of a problem in practice.
+
+=head1 SEE ALSO
+
+L<evp(3)|evp(3)>, L<EVP_DigestInit(3)|EVP_DigestInit(3)>,
+L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/RAND_add.pod b/src/lib/libssl/src/doc/crypto/RAND_add.pod
new file mode 100644
index 0000000000..0a13ec2a92
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/RAND_add.pod
@@ -0,0 +1,68 @@
+=pod
+
+=head1 NAME
+
+RAND_add, RAND_seed, RAND_screen - add entropy to the PRNG
+
+=head1 SYNOPSIS
+
+ #include <openssl/rand.h>
+
+ void RAND_seed(const void *buf, int num);
+
+ void RAND_add(const void *buf, int num, double entropy);
+
+ int  RAND_status(void);
+
+ void RAND_screen(void);
+
+=head1 DESCRIPTION
+
+RAND_add() mixes the B<num> bytes at B<buf> into the PRNG state. Thus,
+if the data at B<buf> are unpredictable to an adversary, this
+increases the uncertainty about the state and makes the PRNG output
+less predictable. Suitable input comes from user interaction (random
+key presses, mouse movements) and certain hardware events. The
+B<entropy> argument is (the lower bound of) an estimate of how much
+randomness is contained in B<buf>, measured in bytes. Details about
+sources of randomness and how to estimate their entropy can be found
+in the literature, e.g. RFC 1750.
+
+RAND_add() may be called with sensitive data such as user entered
+passwords. The seed values cannot be recovered from the PRNG output.
+
+OpenSSL makes sure that the PRNG state is unique for each thread. On
+systems that provide C</dev/urandom>, the randomness device is used
+to seed the PRNG transparently. However, on all other systems, the
+application is responsible for seeding the PRNG by calling RAND_add(),
+L<RAND_egd(3)|RAND_egd(3)>
+or L<RAND_load_file(3)|RAND_load_file(3)>.
+
+RAND_seed() is equivalent to RAND_add() when B<num == entropy>.
+
+The RAND_screen() function is available for the convenience of Windows
+programmers. It adds the current contents of the screen to the PRNG.
+For applications that can catch Windows events, seeding the PRNG with
+the parameters of B<WM_MOUSEMOVE> events is a significantly better
+source of randomness. It should be noted that both methods cannot be
+used on servers that run without user interaction.
+
+=head1 RETURN VALUES
+
+RAND_status() returns 1 if the PRNG has been seeded with enough data,
+0 otherwise.
+
+The other functions do not return values.
+
+=head1 SEE ALSO
+
+L<rand(3)|rand(3)>, L<RAND_egd(3)|RAND_egd(3)>,
+L<RAND_load_file(3)|RAND_load_file(3)>, L<RAND_cleanup(3)|RAND_cleanup(3)>
+
+=head1 HISTORY
+
+RAND_seed() and RAND_screen() are available in all versions of SSLeay
+and OpenSSL. RAND_add() and RAND_status() have been added in OpenSSL
+0.9.5.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/RAND_bytes.pod b/src/lib/libssl/src/doc/crypto/RAND_bytes.pod
new file mode 100644
index 0000000000..b6ebd50527
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/RAND_bytes.pod
@@ -0,0 +1,46 @@
+=pod
+
+=head1 NAME
+
+RAND_bytes, RAND_pseudo_bytes - generate random data
+
+=head1 SYNOPSIS
+
+ #include <openssl/rand.h>
+
+ int RAND_bytes(unsigned char *buf, int num);
+
+ int RAND_pseudo_bytes(unsigned char *buf, int num);
+
+=head1 DESCRIPTION
+
+RAND_bytes() puts B<num> cryptographically strong pseudo-random bytes
+into B<buf>. An error occurs if the PRNG has not been seeded with
+enough randomness to ensure an unpredictable byte sequence.
+
+RAND_pseudo_bytes() puts B<num> pseudo-random bytes into B<buf>.
+Pseudo-random byte sequences generated by RAND_pseudo_bytes() will be
+unique if they are of sufficient length, but are not necessarily
+unpredictable. They can be used for non-cryptographic purposes and for
+certain purposes in cryptographic protocols, but usually not for key
+generation etc.
+
+=head1 RETURN VALUES
+
+RAND_bytes() returns 1 on success, 0 otherwise. The error code can be
+obtained by L<ERR_get_error(3)|ERR_get_error(3)>. RAND_pseudo_bytes() returns 1 if the
+bytes generated are cryptographically strong, 0 otherwise. Both
+functions return -1 if they are not supported by the current RAND
+method.
+
+=head1 SEE ALSO
+
+L<rand(3)|rand(3)>, L<err(3)|err(3)>, L<RAND_add(3)|RAND_add(3)>
+
+=head1 HISTORY
+
+RAND_bytes() is available in all versions of SSLeay and OpenSSL.  It
+has a return value since OpenSSL 0.9.5. RAND_pseudo_bytes() was added
+in OpenSSL 0.9.5.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/RAND_cleanup.pod b/src/lib/libssl/src/doc/crypto/RAND_cleanup.pod
new file mode 100644
index 0000000000..3a8f0749a8
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/RAND_cleanup.pod
@@ -0,0 +1,29 @@
+=pod
+
+=head1 NAME
+
+RAND_cleanup - erase the PRNG state
+
+=head1 SYNOPSIS
+
+ #include <openssl/rand.h>
+
+ void RAND_cleanup(void);
+
+=head1 DESCRIPTION
+
+RAND_cleanup() erases the memory used by the PRNG.
+
+=head1 RETURN VALUE
+
+RAND_cleanup() returns no value.
+
+=head1 SEE ALSO
+
+L<rand(3)|rand(3)>
+
+=head1 HISTORY
+
+RAND_cleanup() is available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/RAND_egd.pod b/src/lib/libssl/src/doc/crypto/RAND_egd.pod
new file mode 100644
index 0000000000..a40bd96198
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/RAND_egd.pod
@@ -0,0 +1,38 @@
+=pod
+
+=head1 NAME
+
+RAND_egd - query entropy gathering daemon
+
+=head1 SYNOPSIS
+
+ #include <openssl/rand.h>
+
+ int RAND_egd(const char *path);
+
+=head1 DESCRIPTION
+
+RAND_egd() queries the entropy gathering daemon EGD on socket B<path>.
+
+EGD is available from http://www.lothar.com/tech/crypto/ (C<perl
+Makefile.PL; make; make install> to install). It is run as B<egd>
+I<path>, where I<path> is an absolute path designating a socket. When
+RAND_egd() is called with that path as an argument, it tries to read
+random bytes that EGD has collected. The read is performed in
+non-blocking mode.
+
+=head1 RETURN VALUE
+
+RAND_egd() returns the number of bytes read from the daemon on
+success, and -1 if the connection failed or the daemon did not return
+enough data to fully seed the PRNG.
+
+=head1 SEE ALSO
+
+L<rand(3)|rand(3)>, L<RAND_add(3)|RAND_add(3)>, L<RAND_cleanup(3)|RAND_cleanup(3)>
+
+=head1 HISTORY
+
+RAND_egd() is available since OpenSSL 0.9.5.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/RAND_load_file.pod b/src/lib/libssl/src/doc/crypto/RAND_load_file.pod
new file mode 100644
index 0000000000..8dd700ca3d
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/RAND_load_file.pod
@@ -0,0 +1,53 @@
+=pod
+
+=head1 NAME
+
+RAND_load_file, RAND_write_file, RAND_file_name - PRNG seed file
+
+=head1 SYNOPSIS
+
+ #include <openssl/rand.h>
+
+ const char *RAND_file_name(char *buf, int num);
+
+ int RAND_load_file(const char *filename, long max_bytes);
+
+ int RAND_write_file(const char *filename);
+
+=head1 DESCRIPTION
+
+RAND_file_name() generates a default path for the random seed
+file. B<buf> points to a buffer of size B<num> in which to store the
+filename. The seed file is $RANDFILE if that environment variable is
+set, $HOME/.rnd otherwise. If $HOME is not set either, or B<num> is
+too small for the path name, an error occurs.
+
+RAND_load_file() reads a number of bytes from file B<filename> and
+adds them to the PRNG. If B<max_bytes> is non-negative,
+up to to B<max_bytes> are read; starting with OpenSSL 0.9.5,
+if B<max_bytes> is -1, the complete file is read.
+
+RAND_write_file() writes a number of random bytes (currently 1024) to
+file B<filename> which can be used to initialize the PRNG by calling
+RAND_load_file() in a later session.
+
+=head1 RETURN VALUES
+
+RAND_load_file() returns the number of bytes read.
+
+RAND_write_file() returns the number of bytes written, and -1 if the
+bytes written were generated without appropriate seed.
+
+RAND_file_name() returns a pointer to B<buf> on success, and NULL on
+error.
+
+=head1 SEE ALSO
+
+L<rand(3)|rand(3)>, L<RAND_add(3)|RAND_add(3)>, L<RAND_cleanup(3)|RAND_cleanup(3)>
+
+=head1 HISTORY
+
+RAND_load_file(), RAND_write_file() and RAND_file_name() are available in
+all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/RAND_set_rand_method.pod b/src/lib/libssl/src/doc/crypto/RAND_set_rand_method.pod
new file mode 100644
index 0000000000..466e9b8767
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/RAND_set_rand_method.pod
@@ -0,0 +1,57 @@
+=pod
+
+=head1 NAME
+
+RAND_set_rand_method, RAND_get_rand_method, RAND_SSLeay - select RAND method
+
+=head1 SYNOPSIS
+
+ #include <openssl/rand.h>
+
+ void RAND_set_rand_method(RAND_METHOD *meth);
+
+ RAND_METHOD *RAND_get_rand_method(void);
+
+ RAND_METHOD *RAND_SSLeay(void);
+
+=head1 DESCRIPTION
+
+A B<RAND_METHOD> specifies the functions that OpenSSL uses for random
+number generation. By modifying the method, alternative
+implementations such as hardware RNGs may be used.  Initially, the
+default is to use the OpenSSL internal implementation. RAND_SSLeay()
+returns a pointer to that method.
+
+RAND_set_rand_method() sets the RAND method to B<meth>.
+RAND_get_rand_method() returns a pointer to the current method.
+
+=head1 THE RAND_METHOD STRUCTURE
+
+ typedef struct rand_meth_st
+ {
+        void (*seed)(const void *buf, int num);
+        int (*bytes)(unsigned char *buf, int num);
+        void (*cleanup)(void);
+        void (*add)(const void *buf, int num, int entropy);
+        int (*pseudorand)(unsigned char *buf, int num);
+ } RAND_METHOD;
+
+The components point to the implementation of RAND_seed(),
+RAND_bytes(), RAND_cleanup(), RAND_add() and RAND_pseudo_rand().
+Each component may be NULL if the function is not implemented.
+
+=head1 RETURN VALUES
+
+RAND_set_rand_method() returns no value. RAND_get_rand_method() and
+RAND_SSLeay() return pointers to the respective methods.
+
+=head1 SEE ALSO
+
+L<rand(3)|rand(3)>
+
+=head1 HISTORY
+
+RAND_set_rand_method(), RAND_get_rand_method() and RAND_SSLeay() are
+available in all versions of OpenSSL.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/RSA_blinding_on.pod b/src/lib/libssl/src/doc/crypto/RSA_blinding_on.pod
new file mode 100644
index 0000000000..fd2c69abd8
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/RSA_blinding_on.pod
@@ -0,0 +1,43 @@
+=pod
+
+=head1 NAME
+
+RSA_blinding_on, RSA_blinding_off - protect the RSA operation from timing attacks
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
+
+ void RSA_blinding_off(RSA *rsa);
+
+=head1 DESCRIPTION
+
+RSA is vulnerable to timing attacks. In a setup where attackers can
+measure the time of RSA decryption or signature operations, blinding
+must be used to protect the RSA operation from that attack.
+
+RSA_blinding_on() turns blinding on for key B<rsa> and generates a
+random blinding factor. B<ctx> is B<NULL> or a pre-allocated and
+initialized B<BN_CTX>. The random number generator must be seeded
+prior to calling RSA_blinding_on().
+
+RSA_blinding_off() turns blinding off and frees the memory used for
+the blinding factor.
+
+=head1 RETURN VALUES
+
+RSA_blinding_on() returns 1 on success, and 0 if an error occurred.
+
+RSA_blinding_off() returns no value.
+
+=head1 SEE ALSO
+
+L<rsa(3)|rsa(3)>, L<rand(3)|rand(3)>
+
+=head1 HISTORY
+
+RSA_blinding_on() and RSA_blinding_off() appeared in SSLeay 0.9.0.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/RSA_check_key.pod b/src/lib/libssl/src/doc/crypto/RSA_check_key.pod
new file mode 100644
index 0000000000..79fed753ad
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/RSA_check_key.pod
@@ -0,0 +1,39 @@
+=pod
+
+=head1 NAME
+
+RSA_check_key - validate private RSA keys
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_check_key(RSA *rsa);
+
+=head1 DESCRIPTION
+
+This function validates RSA keys. It checks that B<p> and B<q> are
+in fact prime, and that B<n = p*q>.
+
+It also checks that B<d*e = 1 mod (p-1*q-1)>,
+and that B<dmp1>, B<dmq1> and B<iqmp> are set correctly or are B<NULL>.
+
+The key's public components may not be B<NULL>.
+
+=head1 RETURN VALUE
+
+RSA_check_key() returns 1 if B<rsa> is a valid RSA key, and 0 otherwise.
+-1 is returned if an error occurs while checking the key.
+
+If the key is invalid or an error occurred, the reason code can be
+obtained using L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<rsa(3)|rsa(3)>, L<err(3)|err(3)>
+
+=head1 HISTORY
+
+RSA_check() appeared in OpenSSL 0.9.4.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/RSA_generate_key.pod b/src/lib/libssl/src/doc/crypto/RSA_generate_key.pod
new file mode 100644
index 0000000000..fdaddbcb13
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/RSA_generate_key.pod
@@ -0,0 +1,68 @@
+=pod
+
+=head1 NAME
+
+RSA_generate_key - generate RSA key pair
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ RSA *RSA_generate_key(int num, unsigned long e,
+    void (*callback)(int,int,void *), void *cb_arg);
+
+=head1 DESCRIPTION
+
+RSA_generate_key() generates a key pair and returns it in a newly
+allocated B<RSA> structure. The pseudo-random number generator must
+be seeded prior to calling RSA_generate_key().
+
+The modulus size will be B<num> bits, and the public exponent will be
+B<e>. Key sizes with B<num> E<lt> 1024 should be considered insecure.
+The exponent is an odd number, typically 3 or 65535.
+
+A callback function may be used to provide feedback about the
+progress of the key generation. If B<callback> is not B<NULL>, it
+will be called as follows:
+
+=over 4
+
+=item *
+
+While a random prime number is generated, it is called as
+described in L<BN_generate_prime(3)|BN_generate_prime(3)>.
+
+=item *
+
+When the n-th randomly generated prime is rejected as not
+suitable for the key, B<callback(2, n, cb_arg)> is called.
+
+=item *
+
+When a random p has been found with p-1 relatively prime to B<e>,
+it is called as B<callback(3, 0, cb_arg)>.
+
+=back
+
+The process is then repeated for prime q with B<callback(3, 1, cb_arg)>.
+
+=head1 RETURN VALUE
+
+If key generation fails, RSA_generate_key() returns B<NULL>; the
+error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 BUGS
+
+B<callback(2, x, cb_arg)> is used with two different meanings.
+
+RSA_generate_key() goes into an infinite loop for illegal input values.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<RSA_free(3)|RSA_free(3)>
+
+=head1 HISTORY
+
+The B<cb_arg> argument was added in SSLeay 0.9.0.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/RSA_get_ex_new_index.pod b/src/lib/libssl/src/doc/crypto/RSA_get_ex_new_index.pod
new file mode 100644
index 0000000000..920dc76325
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/RSA_get_ex_new_index.pod
@@ -0,0 +1,122 @@
+=pod
+
+=head1 NAME
+
+RSA_get_ex_new_index, RSA_set_ex_data, RSA_get_ex_data - add application specific data to RSA structures
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_get_ex_new_index(long argl, void *argp,
+                CRYPTO_EX_new *new_func,
+                CRYPTO_EX_dup *dup_func,
+                CRYPTO_EX_free *free_func);
+
+ int RSA_set_ex_data(RSA *r, int idx, void *arg);
+
+ void *RSA_get_ex_data(RSA *r, int idx);
+
+ int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+                                        int idx, long argl, void *argp);
+
+ void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+                                        int idx, long argl, void *argp);
+
+ int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d, 
+                                        int idx, long argl, void *argp);
+
+=head1 DESCRIPTION
+
+Several OpenSSL structures can have application specific data attached to them.
+This has several potential uses, it can be used to cache data associated with
+a structure (for example the hash of some part of the structure) or some
+additional data (for example a handle to the data in an external library).
+
+Since the application data can be anything at all it is passed and retrieved
+as a B<void *> type.
+
+The B<RSA_get_ex_new_index()> function is initially called to "register" some
+new application specific data. It takes three optional function pointers which
+are called when the parent structure (in this case an RSA structure) is
+initially created, when it is copied and when it is freed up. If any or all of
+these function pointer arguments are not used they should be set to NULL. The
+precise manner in which these function pointers are called is described in more
+detail below. B<RSA_get_ex_new_index()> also takes additional long and pointer
+parameters which will be passed to the supplied functions but which otherwise
+have no special meaning. It returns an B<index> which should be stored
+(typically in a static variable) and passed used in the B<idx> parameter in
+the remaining functions. Each successful call to B<RSA_get_ex_new_index()>
+will return an index greater than any previously returned, this is important
+because the optional functions are called in order of increasing index value.
+
+B<RSA_set_ex_data()> is used to set application specific data, the data is
+supplied in the B<arg> parameter and its precise meaning is up to the
+application.
+
+B<RSA_get_ex_data()> is used to retrieve application specific data. The data
+is returned to the application, this will be the same value as supplied to
+a previous B<RSA_set_ex_data()> call.
+
+B<new_func()> is called when a structure is initially allocated (for example
+with B<RSA_new()>. The parent structure members will not have any meaningful
+values at this point. This function will typically be used to allocate any
+application specific structure.
+
+B<free_func()> is called when a structure is being freed up. The dynamic parent
+structure members should not be accessed because they will be freed up when
+this function is called.
+
+B<new_func()> and B<free_func()> take the same parameters. B<parent> is a
+pointer to the parent RSA structure. B<ptr> is a the application specific data
+(this wont be of much use in B<new_func()>. B<ad> is a pointer to the
+B<CRYPTO_EX_DATA> structure from the parent RSA structure: the functions
+B<CRYPTO_get_ex_data()> and B<CRYPTO_set_ex_data()> can be called to manipulate
+it. The B<idx> parameter is the index: this will be the same value returned by
+B<RSA_get_ex_new_index()> when the functions were initially registered. Finally
+the B<argl> and B<argp> parameters are the values originally passed to the same
+corresponding parameters when B<RSA_get_ex_new_index()> was called.
+
+B<dup_func()> is called when a structure is being copied. Pointers to the
+destination and source B<CRYPTO_EX_DATA> structures are passed in the B<to> and
+B<from> parameters respectively. The B<from_d> parameter is passed a pointer to
+the source application data when the function is called, when the function returns
+the value is copied to the destination: the application can thus modify the data
+pointed to by B<from_d> and have different values in the source and destination.
+The B<idx>, B<argl> and B<argp> parameters are the same as those in B<new_func()>
+and B<free_func()>.
+
+=head1 RETURN VALUES
+
+B<RSA_get_ex_new_index()> returns a new index or -1 on failure (note 0 is a valid
+index value).
+
+B<RSA_set_ex_data()> returns 1 on success or 0 on failure.
+
+B<RSA_get_ex_data()> returns the application data or 0 on failure. 0 may also
+be valid application data but currently it can only fail if given an invalid B<idx>
+parameter.
+
+B<new_func()> and B<dup_func()> should return 0 for failure and 1 for success.
+
+On failure an error code can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 BUGS
+
+B<dup_func()> is currently never called.
+
+The return value of B<new_func()> is ignored.
+
+The B<new_func()> function isn't very useful because no meaningful values are
+present in the parent RSA structure when it is called.
+
+=head1 SEE ALSO
+
+L<rsa(3)|rsa(3)>, L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>
+
+=head1 HISTORY
+
+RSA_get_ex_new_index(), RSA_set_ex_data() and RSA_get_ex_data() are
+available since SSLeay 0.9.0.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/RSA_new.pod b/src/lib/libssl/src/doc/crypto/RSA_new.pod
new file mode 100644
index 0000000000..f16490ea6a
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/RSA_new.pod
@@ -0,0 +1,38 @@
+=pod
+
+=head1 NAME
+
+RSA_new, RSA_free - allocate and free RSA objects
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ RSA * RSA_new(void);
+
+ void RSA_free(RSA *rsa);
+
+=head1 DESCRIPTION
+
+RSA_new() allocates and initializes an B<RSA> structure.
+
+RSA_free() frees the B<RSA> structure and its components. The key is
+erased before the memory is returned to the system.
+
+=head1 RETURN VALUES
+
+If the allocation fails, RSA_new() returns B<NULL> and sets an error
+code that can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns
+a pointer to the newly allocated structure.
+
+RSA_free() returns no value.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<rsa(3)|rsa(3)>, L<RSA_generate_key(3)|RSA_generate_key(3)>
+
+=head1 HISTORY
+
+RSA_new() and RSA_free() are available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/RSA_padding_add_PKCS1_type_1.pod b/src/lib/libssl/src/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
new file mode 100644
index 0000000000..b8f678fe72
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
@@ -0,0 +1,124 @@
+=pod
+
+=head1 NAME
+
+RSA_padding_add_PKCS1_type_1, RSA_padding_check_PKCS1_type_1,
+RSA_padding_add_PKCS1_type_2, RSA_padding_check_PKCS1_type_2,
+RSA_padding_add_PKCS1_OAEP, RSA_padding_check_PKCS1_OAEP,
+RSA_padding_add_SSLv23, RSA_padding_check_SSLv23,
+RSA_padding_add_none, RSA_padding_check_none - asymmetric encryption
+padding
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
+    unsigned char *f, int fl);
+
+ int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
+    unsigned char *f, int fl, int rsa_len);
+
+ int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
+    unsigned char *f, int fl);
+
+ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
+    unsigned char *f, int fl, int rsa_len);
+
+ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
+    unsigned char *f, int fl, unsigned char *p, int pl);
+
+ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
+    unsigned char *f, int fl, int rsa_len, unsigned char *p, int pl);
+
+ int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
+    unsigned char *f, int fl);
+
+ int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
+    unsigned char *f, int fl, int rsa_len);
+
+ int RSA_padding_add_none(unsigned char *to, int tlen,
+    unsigned char *f, int fl);
+
+ int RSA_padding_check_none(unsigned char *to, int tlen,
+    unsigned char *f, int fl, int rsa_len);
+
+=head1 DESCRIPTION
+
+The RSA_padding_xxx_xxx() functions are called from the RSA encrypt,
+decrypt, sign and verify functions. Normally they should not be called
+from application programs.
+
+However, they can also be called directly to implement padding for other
+asymmetric ciphers. RSA_padding_add_PKCS1_OAEP() and
+RSA_padding_check_PKCS1_OAEP() may be used in an application combined
+with B<RSA_NO_PADDING> in order to implement OAEP with an encoding
+parameter.
+
+RSA_padding_add_xxx() encodes B<fl> bytes from B<f> so as to fit into
+B<tlen> bytes and stores the result at B<to>. An error occurs if B<fl>
+does not meet the size requirements of the encoding method.
+
+The following encoding methods are implemented:
+
+=over 4
+
+=item PKCS1_type_1
+
+PKCS #1 v2.0 EMSA-PKCS1-v1_5 (PKCS #1 v1.5 block type 1); used for signatures
+
+=item PKCS1_type_2
+
+PKCS #1 v2.0 EME-PKCS1-v1_5 (PKCS #1 v1.5 block type 2)
+
+=item PKCS1_OAEP
+
+PKCS #1 v2.0 EME-OAEP
+
+=item SSLv23
+
+PKCS #1 EME-PKCS1-v1_5 with SSL-specific modification
+
+=item none
+
+simply copy the data
+
+=back
+
+The random number generator must be seeded prior to calling
+RSA_padding_add_xxx().
+
+RSA_padding_check_xxx() verifies that the B<fl> bytes at B<f> contain
+a valid encoding for a B<rsa_len> byte RSA key in the respective
+encoding method and stores the recovered data of at most B<tlen> bytes
+(for B<RSA_NO_PADDING>: of size B<tlen>)
+at B<to>.
+
+For RSA_padding_xxx_OAEP(), B<p> points to the encoding parameter
+of length B<pl>. B<p> may be B<NULL> if B<pl> is 0.
+
+=head1 RETURN VALUES
+
+The RSA_padding_add_xxx() functions return 1 on success, 0 on error.
+The RSA_padding_check_xxx() functions return the length of the
+recovered data, -1 on error. Error codes can be obtained by calling
+L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<RSA_public_encrypt(3)|RSA_public_encrypt(3)>,
+L<RSA_private_decrypt(3)|RSA_private_decrypt(3)>,
+L<RSA_sign(3)|RSA_sign(3)>, L<RSA_verify(3)|RSA_verify(3)>
+
+=head1 HISTORY
+
+RSA_padding_add_PKCS1_type_1(), RSA_padding_check_PKCS1_type_1(),
+RSA_padding_add_PKCS1_type_2(), RSA_padding_check_PKCS1_type_2(),
+RSA_padding_add_SSLv23(), RSA_padding_check_SSLv23(),
+RSA_padding_add_none() and RSA_padding_check_none() appeared in
+SSLeay 0.9.0.
+
+RSA_padding_add_PKCS1_OAEP() and RSA_padding_check_PKCS1_OAEP() were
+added in OpenSSL 0.9.2b.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/RSA_print.pod b/src/lib/libssl/src/doc/crypto/RSA_print.pod
new file mode 100644
index 0000000000..dd968a5274
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/RSA_print.pod
@@ -0,0 +1,48 @@
+=pod
+
+=head1 NAME
+
+RSA_print, RSA_print_fp, DHparams_print, DHparams_print_fp - print
+cryptographic parameters
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_print(BIO *bp, RSA *x, int offset);
+ int RSA_print_fp(FILE *fp, RSA *x, int offset);
+
+ #include <openssl/dsa.h>
+
+ int DSAparams_print(BIO *bp, DSA *x);
+ int DSAparams_print_fp(FILE *fp, DSA *x);
+ int DSA_print(BIO *bp, DSA *x, int offset);
+ int DSA_print_fp(FILE *fp, DSA *x, int offset);
+
+ #include <openssl/dh.h>
+
+ int DHparams_print(BIO *bp, DH *x);
+ int DHparams_print_fp(FILE *fp, DH *x);
+
+=head1 DESCRIPTION
+
+A human-readable hexadecimal output of the components of the RSA
+key, DSA parameters or key or DH parameters is printed to B<bp> or B<fp>.
+
+The output lines are indented by B<offset> spaces.
+
+=head1 RETURN VALUES
+
+These functions return 1 on success, 0 on error.
+
+=head1 SEE ALSO
+
+L<dh(3)|dh(3)>, L<dsa(3)|dsa(3)>, L<rsa(3)|rsa(3)>, L<BN_bn2bin(3)|BN_bn2bin(3)>
+
+=head1 HISTORY
+
+RSA_print(), RSA_print_fp(), DSA_print(), DSA_print_fp(), DH_print(),
+DH_print_fp() are available in all versions of SSLeay and OpenSSL.
+DSAparams_print() and DSAparams_print_pf() were added in SSLeay 0.8.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/RSA_private_encrypt.pod b/src/lib/libssl/src/doc/crypto/RSA_private_encrypt.pod
new file mode 100644
index 0000000000..6861a98a10
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/RSA_private_encrypt.pod
@@ -0,0 +1,69 @@
+=pod
+
+=head1 NAME
+
+RSA_private_encrypt, RSA_public_decrypt - low level signature operations
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_private_encrypt(int flen, unsigned char *from,
+    unsigned char *to, RSA *rsa, int padding);
+
+ int RSA_public_decrypt(int flen, unsigned char *from, 
+    unsigned char *to, RSA *rsa, int padding);
+
+=head1 DESCRIPTION
+
+These functions handle RSA signatures at a low level.
+
+RSA_private_encrypt() signs the B<flen> bytes at B<from> (usually a
+message digest with an algorithm identifier) using the private key
+B<rsa> and stores the signature in B<to>. B<to> must point to
+B<RSA_size(rsa)> bytes of memory.
+
+B<padding> denotes one of the following modes:
+
+=over 4
+
+=item RSA_PKCS1_PADDING
+
+PKCS #1 v1.5 padding. This function does not handle the
+B<algorithmIdentifier> specified in PKCS #1. When generating or
+verifying PKCS #1 signatures, L<RSA_sign(3)|RSA_sign(3)> and L<RSA_verify(3)|RSA_verify(3)> should be
+used.
+
+=item RSA_NO_PADDING
+
+Raw RSA signature. This mode should I<only> be used to implement
+cryptographically sound padding modes in the application code.
+Signing user data directly with RSA is insecure.
+
+=back
+
+RSA_public_decrypt() recovers the message digest from the B<flen>
+bytes long signature at B<from> using the signer's public key
+B<rsa>. B<to> must point to a memory section large enough to hold the
+message digest (which is smaller than B<RSA_size(rsa) -
+11>). B<padding> is the padding mode that was used to sign the data.
+
+=head1 RETURN VALUES
+
+RSA_private_encrypt() returns the size of the signature (i.e.,
+RSA_size(rsa)). RSA_public_decrypt() returns the size of the
+recovered message digest.
+
+On error, -1 is returned; the error codes can be
+obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<rsa(3)|rsa(3)>, L<RSA_sign(3)|RSA_sign(3)>, L<RSA_verify(3)|RSA_verify(3)>
+
+=head1 HISTORY
+
+The B<padding> argument was added in SSLeay 0.8. RSA_NO_PADDING is
+available since SSLeay 0.9.0.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/RSA_public_encrypt.pod b/src/lib/libssl/src/doc/crypto/RSA_public_encrypt.pod
new file mode 100644
index 0000000000..910c4752b8
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/RSA_public_encrypt.pod
@@ -0,0 +1,86 @@
+=pod
+
+=head1 NAME
+
+RSA_public_encrypt, RSA_private_decrypt - RSA public key cryptography
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_public_encrypt(int flen, unsigned char *from,
+    unsigned char *to, RSA *rsa, int padding);
+
+ int RSA_private_decrypt(int flen, unsigned char *from,
+     unsigned char *to, RSA *rsa, int padding);
+
+=head1 DESCRIPTION
+
+RSA_public_encrypt() encrypts the B<flen> bytes at B<from> (usually a
+session key) using the public key B<rsa> and stores the ciphertext in
+B<to>. B<to> must point to RSA_size(B<rsa>) bytes of memory.
+
+B<padding> denotes one of the following modes:
+
+=over 4
+
+=item RSA_PKCS1_PADDING
+
+PKCS #1 v1.5 padding. This currently is the most widely used mode.
+
+=item RSA_PKCS1_OAEP_PADDING
+
+EME-OAEP as defined in PKCS #1 v2.0 with SHA-1, MGF1 and an empty
+encoding parameter. This mode is recommended for all new applications.
+
+=item RSA_SSLV23_PADDING
+
+PKCS #1 v1.5 padding with an SSL-specific modification that denotes
+that the server is SSL3 capable.
+
+=item RSA_NO_PADDING
+
+Raw RSA encryption. This mode should I<only> be used to implement
+cryptographically sound padding modes in the application code.
+Encrypting user data directly with RSA is insecure.
+
+=back
+
+B<flen> must be less than RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5
+based padding modes, and less than RSA_size(B<rsa>) - 21 for
+RSA_PKCS1_OAEP_PADDING. The random number generator must be seeded
+prior to calling RSA_public_encrypt().
+
+RSA_private_decrypt() decrypts the B<flen> bytes at B<from> using the
+private key B<rsa> and stores the plaintext in B<to>. B<to> must point
+to a memory section large enough to hold the decrypted data (which is
+smaller than RSA_size(B<rsa>)). B<padding> is the padding mode that
+was used to encrypt the data.
+
+=head1 RETURN VALUES
+
+RSA_public_encrypt() returns the size of the encrypted data (i.e.,
+RSA_size(B<rsa>)). RSA_private_decrypt() returns the size of the
+recovered plaintext.
+
+On error, -1 is returned; the error codes can be
+obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 CONFORMING TO
+
+SSL, PKCS #1 v2.0
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<RSA_size(3)|RSA_size(3)>
+
+=head1 NOTES
+
+The L<RSA_PKCS1_RSAref(3)|RSA_PKCS1_RSAref(3)> method supports only the RSA_PKCS1_PADDING mode.
+
+=head1 HISTORY
+
+The B<padding> argument was added in SSLeay 0.8. RSA_NO_PADDING is
+available since SSLeay 0.9.0, OAEP was added in OpenSSL 0.9.2b.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/RSA_set_method.pod b/src/lib/libssl/src/doc/crypto/RSA_set_method.pod
new file mode 100644
index 0000000000..deb1183a23
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/RSA_set_method.pod
@@ -0,0 +1,153 @@
+=pod
+
+=head1 NAME
+
+RSA_set_default_method, RSA_get_default_method, RSA_set_method,
+RSA_get_method, RSA_PKCS1_SSLeay, RSA_PKCS1_RSAref,
+RSA_PKCS1_null_method, RSA_flags, RSA_new_method - select RSA method
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ void RSA_set_default_method(RSA_METHOD *meth);
+
+ RSA_METHOD *RSA_get_default_method(void);
+
+ RSA_METHOD *RSA_set_method(RSA *rsa, RSA_METHOD *meth);
+
+ RSA_METHOD *RSA_get_method(RSA *rsa);
+
+ RSA_METHOD *RSA_PKCS1_SSLeay(void);
+
+ RSA_METHOD *RSA_PKCS1_RSAref(void);
+
+ RSA_METHOD *RSA_null_method(void);
+
+ int RSA_flags(RSA *rsa);
+
+ RSA *RSA_new_method(RSA_METHOD *method);
+
+=head1 DESCRIPTION
+
+An B<RSA_METHOD> specifies the functions that OpenSSL uses for RSA
+operations. By modifying the method, alternative implementations
+such as hardware accelerators may be used.
+
+Initially, the default is to use the OpenSSL internal implementation,
+unless OpenSSL was configured with the C<rsaref> or C<-DRSA_NULL>
+options. RSA_PKCS1_SSLeay() returns a pointer to that method.
+
+RSA_PKCS1_RSAref() returns a pointer to a method that uses the RSAref
+library. This is the default method in the C<rsaref> configuration;
+the function is not available in other configurations.
+RSA_null_method() returns a pointer to a method that does not support
+the RSA transformation. It is the default if OpenSSL is compiled with
+C<-DRSA_NULL>. These methods may be useful in the USA because of a
+patent on the RSA cryptosystem.
+
+RSA_set_default_method() makes B<meth> the default method for all B<RSA>
+structures created later.
+
+RSA_get_default_method() returns a pointer to the current default
+method.
+
+RSA_set_method() selects B<meth> for all operations using the key
+B<rsa>.
+
+RSA_get_method() returns a pointer to the method currently selected
+for B<rsa>.
+
+RSA_flags() returns the B<flags> that are set for B<rsa>'s current method.
+
+RSA_new_method() allocates and initializes an B<RSA> structure so that
+B<method> will be used for the RSA operations. If B<method> is B<NULL>,
+the default method is used.
+
+=head1 THE RSA_METHOD STRUCTURE
+
+ typedef struct rsa_meth_st
+ {
+     /* name of the implementation */
+        const char *name;
+
+     /* encrypt */
+        int (*rsa_pub_enc)(int flen, unsigned char *from,
+          unsigned char *to, RSA *rsa, int padding);
+
+     /* verify arbitrary data */
+        int (*rsa_pub_dec)(int flen, unsigned char *from,
+          unsigned char *to, RSA *rsa, int padding);
+
+     /* sign arbitrary data */
+        int (*rsa_priv_enc)(int flen, unsigned char *from,
+          unsigned char *to, RSA *rsa, int padding);
+
+     /* decrypt */
+        int (*rsa_priv_dec)(int flen, unsigned char *from,
+          unsigned char *to, RSA *rsa, int padding);
+
+     /* compute r0 = r0 ^ I mod rsa->n. May be NULL */
+        int (*rsa_mod_exp)(BIGNUM *r0, BIGNUM *I, RSA *rsa);
+
+     /* compute r = a ^ p mod m. May be NULL */
+        int (*bn_mod_exp)(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+          const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
+     /* called at RSA_new */
+        int (*init)(RSA *rsa);
+
+     /* called at RSA_free */
+        int (*finish)(RSA *rsa);
+
+     /* RSA_FLAG_EXT_PKEY        - rsa_mod_exp is called for private key
+      *                            operations, even if p,q,dmp1,dmq1,iqmp
+      *                            are NULL
+      * RSA_FLAG_SIGN_VER        - enable rsa_sign and rsa_verify
+      * RSA_METHOD_FLAG_NO_CHECK - don't check pub/private match
+      */
+        int flags;
+
+        char *app_data; /* ?? */
+
+     /* sign. For backward compatibility, this is used only
+      * if (flags & RSA_FLAG_SIGN_VER)
+      */
+        int (*rsa_sign)(int type, unsigned char *m, unsigned int m_len,
+           unsigned char *sigret, unsigned int *siglen, RSA *rsa);
+
+     /* verify. For backward compatibility, this is used only
+      * if (flags & RSA_FLAG_SIGN_VER)
+      */
+        int (*rsa_verify)(int type, unsigned char *m, unsigned int m_len,
+           unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
+
+ } RSA_METHOD;
+
+=head1 RETURN VALUES
+
+RSA_PKCS1_SSLeay(), RSA_PKCS1_RSAref(), RSA_PKCS1_null_method(),
+RSA_get_default_method() and RSA_get_method() return pointers to the
+respective B<RSA_METHOD>s.
+
+RSA_set_default_method() returns no value.
+
+RSA_set_method() returns a pointer to the B<RSA_METHOD> previously
+associated with B<rsa>.
+
+RSA_new_method() returns B<NULL> and sets an error code that can be
+obtained by L<ERR_get_error(3)|ERR_get_error(3)> if the allocation fails. Otherwise it
+returns a pointer to the newly allocated structure.
+
+=head1 SEE ALSO
+
+L<rsa(3)|rsa(3)>, L<RSA_new(3)|RSA_new(3)>
+
+=head1 HISTORY
+
+RSA_new_method() and RSA_set_default_method() appeared in SSLeay 0.8.
+RSA_get_default_method(), RSA_set_method() and RSA_get_method() as
+well as the rsa_sign and rsa_verify components of RSA_METHOD were
+added in OpenSSL 0.9.4.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/RSA_sign.pod b/src/lib/libssl/src/doc/crypto/RSA_sign.pod
new file mode 100644
index 0000000000..f0bf6eea1b
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/RSA_sign.pod
@@ -0,0 +1,62 @@
+=pod
+
+=head1 NAME
+
+RSA_sign, RSA_verify - RSA signatures
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_sign(int type, unsigned char *m, unsigned int m_len,
+    unsigned char *sigret, unsigned int *siglen, RSA *rsa);
+
+ int RSA_verify(int type, unsigned char *m, unsigned int m_len,
+    unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
+
+=head1 DESCRIPTION
+
+RSA_sign() signs the message digest B<m> of size B<m_len> using the
+private key B<rsa> as specified in PKCS #1 v2.0. It stores the
+signature in B<sigret> and the signature size in B<siglen>. B<sigret>
+must point to RSA_size(B<rsa>) bytes of memory.
+
+B<type> denotes the message digest algorithm that was used to generate
+B<m>. It usually is one of B<NID_sha1>, B<NID_ripemd160> and B<NID_md5>;
+see L<objects(3)|objects(3)> for details. If B<type> is B<NID_md5_sha1>,
+an SSL signature (MD5 and SHA1 message digests with PKCS #1 padding
+and no algorithm identifier) is created.
+
+RSA_verify() verifies that the signature B<sigbuf> of size B<siglen>
+matches a given message digest B<m> of size B<m_len>. B<type> denotes
+the message digest algorithm that was used to generate the signature.
+B<rsa> is the signer's public key.
+
+=head1 RETURN VALUES
+
+RSA_sign() returns 1 on success, 0 otherwise.  RSA_verify() returns 1
+on successful verification, 0 otherwise.
+
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 BUGS
+
+Certain signatures with an improper algorithm identifier are accepted
+for compatibility with SSLeay 0.4.5 :-)
+
+=head1 CONFORMING TO
+
+SSL, PKCS #1 v2.0
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<objects(3)|objects(3)>, L<rsa(3)|rsa(3)>,
+L<RSA_private_encrypt(3)|RSA_private_encrypt(3)>,
+L<RSA_public_decrypt(3)|RSA_public_decrypt(3)> 
+
+=head1 HISTORY
+
+RSA_sign() and RSA_verify() are available in all versions of SSLeay
+and OpenSSL.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod b/src/lib/libssl/src/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod
new file mode 100644
index 0000000000..df9ceb339a
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod
@@ -0,0 +1,59 @@
+=pod
+
+=head1 NAME
+
+RSA_sign_ASN1_OCTET_STRING, RSA_verify_ASN1_OCTET_STRING - RSA signatures
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_sign_ASN1_OCTET_STRING(int dummy, unsigned char *m,
+    unsigned int m_len, unsigned char *sigret, unsigned int *siglen,
+    RSA *rsa);
+
+ int RSA_verify_ASN1_OCTET_STRING(int dummy, unsigned char *m,
+    unsigned int m_len, unsigned char *sigbuf, unsigned int siglen,
+    RSA *rsa);
+
+=head1 DESCRIPTION
+
+RSA_sign_ASN1_OCTET_STRING() signs the octet string B<m> of size
+B<m_len> using the private key B<rsa> represented in DER using PKCS #1
+padding. It stores the signature in B<sigret> and the signature size
+in B<siglen>. B<sigret> must point to B<RSA_size(rsa)> bytes of
+memory.
+
+B<dummy> is ignored.
+
+The random number generator must be seeded prior to calling RSA_sign_ASN1_OCTET_STRING().
+
+RSA_verify_ASN1_OCTET_STRING() verifies that the signature B<sigbuf>
+of size B<siglen> is the DER representation of a given octet string
+B<m> of size B<m_len>. B<dummy> is ignored. B<rsa> is the signer's
+public key.
+
+=head1 RETURN VALUES
+
+RSA_sign_ASN1_OCTET_STRING() returns 1 on success, 0 otherwise.
+RSA_verify_ASN1_OCTET_STRING() returns 1 on successful verification, 0
+otherwise.
+
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 BUGS
+
+These functions serve no recognizable purpose.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>, L<objects(3)|objects(3)>, L<rand(3)|rand(3)>,
+L<rsa(3)|rsa(3)>, L<RSA_sign(3)|RSA_sign(3)>,
+L<RSA_verify(3)|RSA_verify(3)>
+
+=head1 HISTORY
+
+RSA_sign_ASN1_OCTET_STRING() and RSA_verify_ASN1_OCTET_STRING() were
+added in SSLeay 0.8.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/RSA_size.pod b/src/lib/libssl/src/doc/crypto/RSA_size.pod
new file mode 100644
index 0000000000..b36b4d58d5
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/RSA_size.pod
@@ -0,0 +1,33 @@
+=pod
+
+=head1 NAME
+
+RSA_size - get RSA modulus size
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ int RSA_size(RSA *rsa);
+
+=head1 DESCRIPTION
+
+This function returns the RSA modulus size in bytes. It can be used to
+determine how much memory must be allocated for an RSA encrypted
+value.
+
+B<rsa-E<gt>n> must not be B<NULL>.
+
+=head1 RETURN VALUE
+
+The size in bytes.
+
+=head1 SEE ALSO
+
+L<rsa(3)|rsa(3)>
+
+=head1 HISTORY
+
+RSA_size() is available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/bio.pod b/src/lib/libssl/src/doc/crypto/bio.pod
new file mode 100644
index 0000000000..24f61dfb56
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/bio.pod
@@ -0,0 +1,54 @@
+=pod
+
+=head1 NAME
+
+bio - I/O abstraction
+
+=head1 SYNOPSIS
+
+ #include <openssl/bio.h>
+
+TBA
+
+
+=head1 DESCRIPTION
+
+A BIO is an I/O abstraction, it hides many of the underlying I/O
+details from an application. If an application uses a BIO for its
+I/O it can transparently handle SSL connections, unencrypted network
+connections and file I/O.
+
+There are two type of BIO, a source/sink BIO and a filter BIO.
+
+As its name implies a source/sink BIO is a source and/or sink of data,
+examples include a socket BIO and a file BIO.
+
+A filter BIO takes data from one BIO and passes it through to
+another, or the application. The data may be left unmodified (for
+example a message digest BIO) or translated (for example an
+encryption BIO). The effect of a filter BIO may change according
+to the I/O operation it is performing: for example an encryption
+BIO will encrypt data if it is being written to and decrypt data
+if it is being read from.
+
+BIOs can be joined together to form a chain (a single BIO is a chain
+with one component). A chain normally consist of one source/sink
+BIO and one or more filter BIOs. Data read from or written to the
+first BIO then traverses the chain to the end (normally a source/sink
+BIO).
+
+=head1 SEE ALSO
+
+L<BIO_ctrl(3)|BIO_ctrl(3)>,
+L<BIO_f_base64(3)|BIO_f_base64(3)>,
+L<BIO_f_cipher(3)|BIO_f_cipher(3)>, L<BIO_f_md(3)|BIO_f_md(3)>,
+L<BIO_f_null(3)|BIO_f_null(3)>, L<BIO_f_ssl(3)|BIO_f_ssl(3)>,
+L<BIO_find_type(3)|BIO_find_type(3)>, L<BIO_new(3)|BIO_new(3)>,
+L<BIO_new_bio_pair(3)|BIO_new_bio_pair(3)>,
+L<BIO_push(3)|BIO_push(3)>, L<BIO_read(3)|BIO_read(3)>,
+L<BIO_s_accept(3)|BIO_s_accept(3)>, L<BIO_s_bio(3)|BIO_s_bio(3)>,
+L<BIO_s_connect(3)|BIO_s_connect(3)>, L<BIO_s_fd(3)|BIO_s_fd(3)>,
+L<BIO_s_file(3)|BIO_s_file(3)>, L<BIO_s_mem(3)|BIO_s_mem(3)>,
+L<BIO_s_null(3)|BIO_s_null(3)>, L<BIO_s_socket(3)|BIO_s_socket(3)>,
+L<BIO_set_callback(3)|BIO_set_callback(3)>,
+L<BIO_should_retry(3)|BIO_should_retry(3)>
diff --git a/src/lib/libssl/src/doc/crypto/blowfish.pod b/src/lib/libssl/src/doc/crypto/blowfish.pod
new file mode 100644
index 0000000000..e8c7114311
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/blowfish.pod
@@ -0,0 +1,106 @@
+=pod
+
+=head1 NAME
+
+blowfish, BF_set_key, BF_encrypt, BF_decrypt, BF_ecb_encrypt, BF_cbc_encrypt,
+BF_cfb64_encrypt, BF_ofb64_encrypt, BF_options - Blowfish encryption
+
+=head1 SYNOPSIS
+
+ #include <openssl/blowfish.h>
+
+ void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
+
+ void BF_encrypt(BF_LONG *data,const BF_KEY *key);
+ void BF_decrypt(BF_LONG *data,const BF_KEY *key);
+ 
+ void BF_ecb_encrypt(const unsigned char *in, unsigned char *out,
+         BF_KEY *key, int enc);
+ void BF_cbc_encrypt(const unsigned char *in, unsigned char *out,
+         long length, BF_KEY *schedule, unsigned char *ivec, int enc);
+ void BF_cfb64_encrypt(const unsigned char *in, unsigned char *out,
+         long length, BF_KEY *schedule, unsigned char *ivec, int *num,
+         int enc);
+ void BF_ofb64_encrypt(const unsigned char *in, unsigned char *out,
+         long length, BF_KEY *schedule, unsigned char *ivec, int *num);
+ const char *BF_options(void);
+
+=head1 DESCRIPTION
+
+This library implements the Blowfish cipher, which is invented and described
+by Counterpane (see http://www.counterpane.com/blowfish/ ).
+
+Blowfish is a block cipher that operates on 64 bit (8 byte) blocks of data.
+It uses a variable size key, but typically, 128 bit (16 byte) keys are
+a considered good for strong encryption.  Blowfish can be used in the same
+modes as DES (see L<des_modes(7)|des_modes(7)>).  Blowfish is currently one
+of the faster block ciphers.  It is quite a bit faster than DES, and much
+faster than IDEA or RC2.
+
+Blowfish consists of a key setup phase and the actual encryption or decryption
+phase.
+
+BF_set_key() sets up the B<BF_KEY> B<key> using the B<len> bytes long key
+at B<data>.
+
+BF_encrypt() and BF_decrypt() are the lowest level functions for Blowfish
+encryption.  They encrypt/decrypt the first 64 bits of the vector pointed by
+B<data>, using the key B<key>.  These functions should not be used unless you
+implement 'modes' of Blowfish.
+
+BF_ecb_encrypt() is the basic Blowfish encryption and decryption function.
+It encrypts or decrypts the first 64 bits of B<in> using the key B<key>,
+putting the result in B<out>.  B<enc> decides if encryption (B<BF_ENCRYPT>)
+or decryption (B<BF_DECRYPT>) shall be performed.  The vector pointed at by
+B<in> and B<out> must be 64 bits in length, no less.  If they are larger,
+everything after the first 64 bits is ignored.
+
+The mode functions BF_cbc_encrypt(), BF_cfb64_encrypt() and BF_ofb64_encrypt()
+all operate on variable length data.  They all take an initialisation vector
+B<ivec> which must be initially filled with zeros, but then just need to be
+passed along into the next call of the same function for the same message. 
+BF_cbc_encrypt() operates of data that is a multiple of 8 bytes long, while
+BF_cfb64_encrypt() and BF_ofb64_encrypt() are used to encrypt an variable
+number of bytes (the amount does not have to be an exact multiple of 8).  The
+purpose of the latter two is to simulate stream ciphers, and therefore, they
+need the parameter B<num>, which is a pointer to an integer where the current
+offset in B<ivec> is stored between calls.  This integer must be initialised
+to zero when B<ivec> is filled with zeros.
+
+BF_cbc_encrypt() is the Cipher Block Chaining function for Blowfish.  It
+encrypts or decrypts the 64 bits chunks of B<in> using the key B<schedule>,
+putting the result in B<out>.  B<enc> decides if encryption (BF_ENCRYPT) or
+decryption (BF_DECRYPT) shall be performed.  B<ivec> must point at an 8 byte
+long initialisation vector, which must be initially filled with zeros.
+
+BF_cfb64_encrypt() is the CFB mode for Blowfish with 64 bit feedback.
+It encrypts or decrypts the bytes in B<in> using the key B<schedule>,
+putting the result in B<out>.  B<enc> decides if encryption (B<BF_ENCRYPT>)
+or decryption (B<BF_DECRYPT>) shall be performed.  B<ivec> must point at an
+8 byte long initialisation vector, which must be initially filled with zeros.
+B<num> must point at an integer which must be initially zero.
+
+BF_ofb64_encrypt() is the OFB mode for Blowfish with 64 bit feedback.
+It uses the same parameters as BF_cfb64_encrypt(), which must be initialised
+the same way.
+
+=head1 RETURN VALUES
+
+None of the functions presented here return any value.
+
+=head1 NOTE
+
+Applications should use the higher level functions
+L<EVP_EncryptInit(3)|EVP_EncryptInit(3)> etc. instead of calling the
+blowfish functions directly.
+
+=head1 SEE ALSO
+
+L<des_modes(7)|des_modes(7)>
+
+=head1 HISTORY
+
+The Blowfish functions are available in all versions of SSLeay and OpenSSL.
+
+=cut
+
diff --git a/src/lib/libssl/src/doc/crypto/bn.pod b/src/lib/libssl/src/doc/crypto/bn.pod
new file mode 100644
index 0000000000..1504a1c92d
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/bn.pod
@@ -0,0 +1,148 @@
+=pod
+
+=head1 NAME
+
+bn - multiprecision integer arithmetics
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ BIGNUM *BN_new(void);
+ void BN_free(BIGNUM *a);
+ void BN_init(BIGNUM *);
+ void BN_clear(BIGNUM *a);
+ void BN_clear_free(BIGNUM *a);
+
+ BN_CTX *BN_CTX_new(void);
+ void BN_CTX_init(BN_CTX *c);
+ void BN_CTX_free(BN_CTX *c);
+
+ BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b);
+ BIGNUM *BN_dup(const BIGNUM *a);
+
+ int BN_num_bytes(const BIGNUM *a);
+ int BN_num_bits(const BIGNUM *a);
+ int BN_num_bits_word(BN_ULONG w);
+
+ int BN_add(BIGNUM *r, BIGNUM *a, BIGNUM *b);
+ int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
+ int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
+ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *a, const BIGNUM *d,
+         BN_CTX *ctx);
+ int BN_sqr(BIGNUM *r, BIGNUM *a, BN_CTX *ctx);
+ int BN_mod(BIGNUM *rem, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
+ int BN_mod_mul(BIGNUM *ret, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
+         BN_CTX *ctx);
+ int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
+ int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+         const BIGNUM *m, BN_CTX *ctx);
+ int BN_gcd(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
+
+ int BN_add_word(BIGNUM *a, BN_ULONG w);
+ int BN_sub_word(BIGNUM *a, BN_ULONG w);
+ int BN_mul_word(BIGNUM *a, BN_ULONG w);
+ BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w);
+ BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w);
+
+ int BN_cmp(BIGNUM *a, BIGNUM *b);
+ int BN_ucmp(BIGNUM *a, BIGNUM *b);
+ int BN_is_zero(BIGNUM *a);
+ int BN_is_one(BIGNUM *a);
+ int BN_is_word(BIGNUM *a, BN_ULONG w);
+ int BN_is_odd(BIGNUM *a);
+
+ int BN_zero(BIGNUM *a);
+ int BN_one(BIGNUM *a);
+ BIGNUM *BN_value_one(void);
+ int BN_set_word(BIGNUM *a, unsigned long w);
+ unsigned long BN_get_word(BIGNUM *a);
+
+ int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);
+ int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);
+
+ BIGNUM *BN_generate_prime(BIGNUM *ret, int bits,int safe, BIGNUM *add,
+         BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg);
+ int BN_is_prime(const BIGNUM *p, int nchecks,
+         void (*callback)(int, int, void *), BN_CTX *ctx, void *cb_arg);
+
+ int BN_set_bit(BIGNUM *a, int n);
+ int BN_clear_bit(BIGNUM *a, int n);
+ int BN_is_bit_set(const BIGNUM *a, int n);
+ int BN_mask_bits(BIGNUM *a, int n);
+ int BN_lshift(BIGNUM *r, const BIGNUM *a, int n);
+ int BN_lshift1(BIGNUM *r, BIGNUM *a);
+ int BN_rshift(BIGNUM *r, BIGNUM *a, int n);
+ int BN_rshift1(BIGNUM *r, BIGNUM *a);
+
+ int BN_bn2bin(const BIGNUM *a, unsigned char *to);
+ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret);
+ char *BN_bn2hex(const BIGNUM *a);
+ char *BN_bn2dec(const BIGNUM *a);
+ int BN_hex2bn(BIGNUM **a, const char *str);
+ int BN_dec2bn(BIGNUM **a, const char *str);
+ int BN_print(BIO *fp, const BIGNUM *a);
+ int BN_print_fp(FILE *fp, const BIGNUM *a);
+ int BN_bn2mpi(const BIGNUM *a, unsigned char *to);
+ BIGNUM *BN_mpi2bn(unsigned char *s, int len, BIGNUM *ret);
+
+ BIGNUM *BN_mod_inverse(BIGNUM *r, BIGNUM *a, const BIGNUM *n,
+     BN_CTX *ctx);
+
+ BN_RECP_CTX *BN_RECP_CTX_new(void);
+ void BN_RECP_CTX_init(BN_RECP_CTX *recp);
+ void BN_RECP_CTX_free(BN_RECP_CTX *recp);
+ int BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *m, BN_CTX *ctx);
+ int BN_mod_mul_reciprocal(BIGNUM *r, BIGNUM *a, BIGNUM *b,
+        BN_RECP_CTX *recp, BN_CTX *ctx);
+
+ BN_MONT_CTX *BN_MONT_CTX_new(void);
+ void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
+ void BN_MONT_CTX_free(BN_MONT_CTX *mont);
+ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *m, BN_CTX *ctx);
+ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from);
+ int BN_mod_mul_montgomery(BIGNUM *r, BIGNUM *a, BIGNUM *b,
+         BN_MONT_CTX *mont, BN_CTX *ctx);
+ int BN_from_montgomery(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mont,
+         BN_CTX *ctx);
+ int BN_to_montgomery(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mont,
+         BN_CTX *ctx);
+
+
+=head1 DESCRIPTION
+
+This library performs arithmetic operations on integers of arbitrary
+size. It was written for use in public key cryptography, such as RSA
+and Diffie-Hellman.
+
+It uses dynamic memory allocation for storing its data structures.
+That means that there is no limit on the size of the numbers
+manipulated by these functions, but return values must always be
+checked in case a memory allocation error has occurred.
+
+The basic object in this library is a B<BIGNUM>. It is used to hold a
+single large integer. This type should be considered opaque and fields
+should not be modified or accessed directly.
+
+The creation of B<BIGNUM> objects is described in L<BN_new(3)|BN_new(3)>;
+L<BN_add(3)|BN_add(3)> describes most of the arithmetic operations.
+Comparison is described in L<BN_cmp(3)|BN_cmp(3)>; L<BN_zero(3)|BN_zero(3)>
+describes certain assignments, L<BN_rand(3)|BN_rand(3)> the generation of
+random numbers, L<BN_generate_prime(3)|BN_generate_prime(3)> deals with prime
+numbers and L<BN_set_bit(3)|BN_set_bit(3)> with bit operations. The conversion
+of B<BIGNUM>s to external formats is described in L<BN_bn2bin(3)|BN_bn2bin(3)>.
+
+=head1 SEE ALSO
+
+L<bn_internal(3)|bn_internal(3)>,
+L<dh(3)|dh(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>,
+L<BN_new(3)|BN_new(3)>, L<BN_CTX_new(3)|BN_CTX_new(3)>,
+L<BN_copy(3)|BN_copy(3)>, L<BN_num_bytes(3)|BN_num_bytes(3)>,
+L<BN_add(3)|BN_add(3)>, L<BN_add_word(3)|BN_add_word(3)>,
+L<BN_cmp(3)|BN_cmp(3)>, L<BN_zero(3)|BN_zero(3)>, L<BN_rand(3)|BN_rand(3)>,
+L<BN_generate_prime(3)|BN_generate_prime(3)>, L<BN_set_bit(3)|BN_set_bit(3)>,
+L<BN_bn2bin(3)|BN_bn2bin(3)>, L<BN_mod_inverse(3)|BN_mod_inverse(3)>,
+L<BN_mod_mul_reciprocal(3)|BN_mod_mul_reciprocal(3)>,
+L<BN_mod_mul_montgomery(3)|BN_mod_mul_montgomery(3)> 
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/bn_internal.pod b/src/lib/libssl/src/doc/crypto/bn_internal.pod
new file mode 100644
index 0000000000..5af0c791c8
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/bn_internal.pod
@@ -0,0 +1,225 @@
+=pod
+
+=head1 NAME
+
+bn_mul_words, bn_mul_add_words, bn_sqr_words, bn_div_words,
+bn_add_words, bn_sub_words, bn_mul_comba4, bn_mul_comba8,
+bn_sqr_comba4, bn_sqr_comba8, bn_cmp_words, bn_mul_normal,
+bn_mul_low_normal, bn_mul_recursive, bn_mul_part_recursive,
+bn_mul_low_recursive, bn_mul_high, bn_sqr_normal, bn_sqr_recursive,
+bn_expand, bn_wexpand, bn_expand2, bn_fix_top, bn_check_top,
+bn_print, bn_dump, bn_set_max, bn_set_high, bn_set_low - BIGNUM
+library internal functions
+
+=head1 SYNOPSIS
+
+ BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w);
+ BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num,
+   BN_ULONG w);
+ void     bn_sqr_words(BN_ULONG *rp, BN_ULONG *ap, int num);
+ BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d);
+ BN_ULONG bn_add_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,
+   int num);
+ BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,
+   int num);
+
+ void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
+ void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
+ void bn_sqr_comba4(BN_ULONG *r, BN_ULONG *a);
+ void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a);
+
+ int bn_cmp_words(BN_ULONG *a, BN_ULONG *b, int n);
+
+ void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b,
+   int nb);
+ void bn_mul_low_normal(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n);
+ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
+   BN_ULONG *tmp);
+ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b,
+   int tn, int n, BN_ULONG *tmp);
+ void bn_mul_low_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b,
+   int n2, BN_ULONG *tmp);
+ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l,
+   int n2, BN_ULONG *tmp);
+
+ void bn_sqr_normal(BN_ULONG *r, BN_ULONG *a, int n, BN_ULONG *tmp);
+ void bn_sqr_recursive(BN_ULONG *r, BN_ULONG *a, int n2, BN_ULONG *tmp);
+
+ void mul(BN_ULONG r, BN_ULONG a, BN_ULONG w, BN_ULONG c);
+ void mul_add(BN_ULONG r, BN_ULONG a, BN_ULONG w, BN_ULONG c);
+ void sqr(BN_ULONG r0, BN_ULONG r1, BN_ULONG a);
+
+ BIGNUM *bn_expand(BIGNUM *a, int bits);
+ BIGNUM *bn_wexpand(BIGNUM *a, int n);
+ BIGNUM *bn_expand2(BIGNUM *a, int n);
+ void bn_fix_top(BIGNUM *a);
+
+ void bn_check_top(BIGNUM *a);
+ void bn_print(BIGNUM *a);
+ void bn_dump(BN_ULONG *d, int n);
+ void bn_set_max(BIGNUM *a);
+ void bn_set_high(BIGNUM *r, BIGNUM *a, int n);
+ void bn_set_low(BIGNUM *r, BIGNUM *a, int n);
+
+=head1 DESCRIPTION
+
+This page documents the internal functions used by the OpenSSL
+B<BIGNUM> implementation. They are described here to facilitate
+debugging and extending the library. They are I<not> to be used by
+applications.
+
+=head2 The BIGNUM structure
+
+ typedef struct bignum_st
+        {
+        int top;      /* index of last used d (most significant word) */
+        BN_ULONG *d;  /* pointer to an array of 'BITS2' bit chunks */
+        int max;      /* size of the d array */
+        int neg;      /* sign */
+        } BIGNUM;
+
+The big number is stored in B<d>, a malloc()ed array of B<BN_ULONG>s,
+least significant first. A B<BN_ULONG> can be either 16, 32 or 64 bits
+in size (B<BITS2>), depending on the 'number of bits' specified in
+C<openssl/bn.h>.
+
+B<max> is the size of the B<d> array that has been allocated.  B<top>
+is the 'last' entry being used, so for a value of 4, bn.d[0]=4 and
+bn.top=1.  B<neg> is 1 if the number is negative.  When a B<BIGNUM> is
+B<0>, the B<d> field can be B<NULL> and B<top> == B<0>.
+
+Various routines in this library require the use of temporary
+B<BIGNUM> variables during their execution.  Since dynamic memory
+allocation to create B<BIGNUM>s is rather expensive when used in
+conjunction with repeated subroutine calls, the B<BN_CTX> structure is
+used.  This structure contains B<BN_CTX_NUM> B<BIGNUM>s, see
+L<BN_CTX_start(3)|BN_CTX_start(3)>.
+
+=head2 Low-level arithmetic operations
+
+These functions are implemented in C and for several platforms in
+assembly language:
+
+bn_mul_words(B<rp>, B<ap>, B<num>, B<w>) operates on the B<num> word
+arrays B<rp> and B<ap>.  It computes B<ap> * B<w>, places the result
+in B<rp>, and returns the high word (carry).
+
+bn_mul_add_words(B<rp>, B<ap>, B<num>, B<w>) operates on the B<num>
+word arrays B<rp> and B<ap>.  It computes B<ap> * B<w> + B<rp>, places
+the result in B<rp>, and returns the high word (carry).
+
+bn_sqr_words(B<rp>, B<ap>, B<n>) operates on the B<num> word array
+B<ap> and the 2*B<num> word array B<ap>.  It computes B<ap> * B<ap>
+word-wise, and places the low and high bytes of the result in B<rp>.
+
+bn_div_words(B<h>, B<l>, B<d>) divides the two word number (B<h>,B<l>)
+by B<d> and returns the result.
+
+bn_add_words(B<rp>, B<ap>, B<bp>, B<num>) operates on the B<num> word
+arrays B<ap>, B<bp> and B<rp>.  It computes B<ap> + B<bp>, places the
+result in B<rp>, and returns the high word (carry).
+
+bn_sub_words(B<rp>, B<ap>, B<bp>, B<num>) operates on the B<num> word
+arrays B<ap>, B<bp> and B<rp>.  It computes B<ap> - B<bp>, places the
+result in B<rp>, and returns the carry (1 if B<bp> E<gt> B<ap>, 0
+otherwise).
+
+bn_mul_comba4(B<r>, B<a>, B<b>) operates on the 4 word arrays B<a> and
+B<b> and the 8 word array B<r>.  It computes B<a>*B<b> and places the
+result in B<r>.
+
+bn_mul_comba8(B<r>, B<a>, B<b>) operates on the 8 word arrays B<a> and
+B<b> and the 16 word array B<r>.  It computes B<a>*B<b> and places the
+result in B<r>.
+
+bn_sqr_comba4(B<r>, B<a>, B<b>) operates on the 4 word arrays B<a> and
+B<b> and the 8 word array B<r>.
+
+bn_sqr_comba8(B<r>, B<a>, B<b>) operates on the 8 word arrays B<a> and
+B<b> and the 16 word array B<r>.
+
+The following functions are implemented in C:
+
+bn_cmp_words(B<a>, B<b>, B<n>) operates on the B<n> word arrays B<a>
+and B<b>.  It returns 1, 0 and -1 if B<a> is greater than, equal and
+less than B<b>.
+
+bn_mul_normal(B<r>, B<a>, B<na>, B<b>, B<nb>) operates on the B<na>
+word array B<a>, the B<nb> word array B<b> and the B<na>+B<nb> word
+array B<r>.  It computes B<a>*B<b> and places the result in B<r>.
+
+bn_mul_low_normal(B<r>, B<a>, B<b>, B<n>) operates on the B<n> word
+arrays B<r>, B<a> und B<b>.  It computes the B<n> low words of
+B<a>*B<b> and places the result in B<r>.
+
+bn_mul_recursive(B<r>, B<a>, B<b>, B<n2>, B<t>) operates on the B<n2>
+word arrays B<a> and B<b> and the 2*B<n2> word arrays B<r> and B<t>.
+B<n2> must be a power of 2.  It computes B<a>*B<b> and places the
+result in B<r>.
+
+bn_mul_part_recursive(B<r>, B<a>, B<b>, B<tn>, B<n>, B<tmp>) operates
+on the B<n>+B<tn> word arrays B<a> and B<b> and the 4*B<n> word arrays
+B<r> and B<tmp>.
+
+bn_mul_low_recursive(B<r>, B<a>, B<b>, B<n2>, B<tmp>) operates on the
+B<n2> word arrays B<r> and B<tmp> and the B<n2>/2 word arrays B<a>
+and B<b>.
+
+bn_mul_high(B<r>, B<a>, B<b>, B<l>, B<n2>, B<tmp>) operates on the
+B<n2> word arrays B<r>, B<a>, B<b> and B<l> (?) and the 3*B<n2> word
+array B<tmp>.
+
+BN_mul() calls bn_mul_normal(), or an optimized implementation if the
+factors have the same size: bn_mul_comba8() is used if they are 8
+words long, bn_mul_recursive() if they are larger than
+B<BN_MULL_SIZE_NORMAL> and the size is an exact multiple of the word
+size, and bn_mul_part_recursive() for others that are larger than
+B<BN_MULL_SIZE_NORMAL>.
+
+bn_sqr_normal(B<r>, B<a>, B<n>, B<tmp>) operates on the B<n> word array
+B<a> and the 2*B<n> word arrays B<tmp> and B<r>.
+
+The implementations use the following macros which, depending on the
+architecture, may use "long long" C operations or inline assembler.
+They are defined in C<bn_lcl.h>.
+
+mul(B<r>, B<a>, B<w>, B<c>) computes B<w>*B<a>+B<c> and places the
+low word of the result in B<r> and the high word in B<c>.
+
+mul_add(B<r>, B<a>, B<w>, B<c>) computes B<w>*B<a>+B<r>+B<c> and
+places the low word of the result in B<r> and the high word in B<c>.
+
+sqr(B<r0>, B<r1>, B<a>) computes B<a>*B<a> and places the low word
+of the result in B<r0> and the high word in B<r1>.
+
+=head2 Size changes
+
+bn_expand() ensures that B<b> has enough space for a B<bits> bit
+number.  bn_wexpand() ensures that B<b> has enough space for an
+B<n> word number.  If the number has to be expanded, both macros
+call bn_expand2(), which allocates a new B<d> array and copies the
+data.  They return B<NULL> on error, B<b> otherwise.
+
+The bn_fix_top() macro reduces B<a-E<gt>top> to point to the most
+significant non-zero word when B<a> has shrunk.
+
+=head2 Debugging
+
+bn_check_top() verifies that C<((a)-E<gt>top E<gt>= 0 && (a)-E<gt>top
+E<lt>= (a)-E<gt>max)>.  A violation will cause the program to abort.
+
+bn_print() prints B<a> to stderr. bn_dump() prints B<n> words at B<d>
+(in reverse order, i.e. most significant word first) to stderr.
+
+bn_set_max() makes B<a> a static number with a B<max> of its current size.
+This is used by bn_set_low() and bn_set_high() to make B<r> a read-only
+B<BIGNUM> that contains the B<n> low or high words of B<a>.
+
+If B<BN_DEBUG> is not defined, bn_check_top(), bn_print(), bn_dump()
+and bn_set_max() are defined as empty macros.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/buffer.pod b/src/lib/libssl/src/doc/crypto/buffer.pod
new file mode 100644
index 0000000000..7088f51bc4
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/buffer.pod
@@ -0,0 +1,73 @@
+=pod
+
+=head1 NAME
+
+BUF_MEM_new, BUF_MEM_free, BUF_MEM_grow, BUF_strdup - simple
+character arrays structure
+
+=head1 SYNOPSIS
+
+ #include <openssl/buffer.h>
+
+ BUF_MEM *BUF_MEM_new(void);
+
+ void   BUF_MEM_free(BUF_MEM *a);
+
+ int    BUF_MEM_grow(BUF_MEM *str, int len);
+
+ char * BUF_strdup(const char *str);
+
+=head1 DESCRIPTION
+
+The buffer library handles simple character arrays. Buffers are used for
+various purposes in the library, most notably memory BIOs.
+
+The library uses the BUF_MEM structure defined in buffer.h:
+
+ typedef struct buf_mem_st
+ {
+        int length;     /* current number of bytes */
+        char *data;
+        int max;        /* size of buffer */
+ } BUF_MEM;
+
+B<length> is the current size of the buffer in bytes, B<max> is the amount of
+memory allocated to the buffer. There are three functions which handle these
+and one "miscellaneous" function.
+
+BUF_MEM_new() allocates a new buffer of zero size.
+
+BUF_MEM_free() frees up an already existing buffer. The data is zeroed
+before freeing up in case the buffer contains sensitive data.
+
+BUF_MEM_grow() changes the size of an already existing buffer to
+B<len>. Any data already in the buffer is preserved if it increases in
+size.
+
+BUF_strdup() copies a null terminated string into a block of allocated
+memory and returns a pointer to the allocated block.
+Unlike the standard C library strdup() this function uses Malloc() and so
+should be used in preference to the standard library strdup() because it can
+be used for memory leak checking or replacing the malloc() function.
+
+The memory allocated from BUF_strdup() should be freed up using the Free()
+function.
+
+=head1 RETURN VALUES
+
+BUF_MEM_new() returns the buffer or NULL on error.
+
+BUF_MEM_free() has no return value.
+
+BUF_MEM_grow() returns zero on error or the new size (i.e. B<len>).
+
+=head1 SEE ALSO
+
+L<bio(3)|bio(3)>
+
+=head1 HISTORY
+
+BUF_MEM_new(), BUF_MEM_free() and BUF_MEM_grow() are available in all
+versions of SSLeay and OpenSSL. BUF_strdup() was addded in SSLeay 0.8.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/crypto.pod b/src/lib/libssl/src/doc/crypto/crypto.pod
new file mode 100644
index 0000000000..4b9ceacd91
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/crypto.pod
@@ -0,0 +1,67 @@
+=pod
+
+=head1 NAME
+
+crypto - OpenSSL cryptographic library
+
+=head1 SYNOPSIS
+
+=head1 DESCRIPTION
+
+The OpenSSL B<crypto> library implements a wide range of cryptographic
+algorithms used in various Internet standards. The services provided
+by this library are used by the OpenSSL implementations of SSL, TLS
+and S/MIME, and they have also been used to implement SSH, OpenPGP, and
+other cryptographic standards.
+
+=head1 OVERVIEW
+
+B<libcrypto> consists of a number of sub-libraries that implement the
+individual algorithms.
+
+The functionality includes symmetric encryption, public key
+cryptography and key agreement, certificate handling, cryptographic
+hash functions and a cryptographic pseudo-random number generator.
+
+=over 4
+
+=item SYMMETRIC CIPHERS
+
+L<blowfish(3)|blowfish(3)>, L<cast(3)|cast(3)>, L<des(3)|des(3)>,
+L<idea(3)|idea(3)>, L<rc2(3)|rc2(3)>, L<rc4(3)|rc4(3)>, L<rc5(3)|rc5(3)> 
+
+=item PUBLIC KEY CRYPTOGRAPHY AND KEY AGREEMENT
+
+L<dsa(3)|dsa(3)>, L<dh(3)|dh(3)>, L<rsa(3)|rsa(3)>
+
+=item CERTIFICATES
+
+L<x509(3)|x509(3)>, L<x509v3(3)|x509v3(3)>
+
+=item AUTHENTICATION CODES, HASH FUNCTIONS
+
+L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>, L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>,
+L<ripemd(3)|ripemd(3)>, L<sha(3)|sha(3)> 
+
+=item AUXILIARY FUNCTIONS
+
+L<err(3)|err(3)>, L<threads(3)|threads(3)>, L<rand(3)|rand(3)>
+
+=item INPUT/OUTPUT, DATA ENCODING
+
+L<asn1(3)|asn1(3)>, L<bio(3)|bio(3)>, L<evp(3)|evp(3)>, L<pem(3)|pem(3)>,
+L<pkcs7(3)|pkcs7(3)>, L<pkcs12(3)|pkcs12(3)> 
+
+=item INTERNAL FUNCTIONS
+
+L<bn(3)|bn(3)>, L<buffer(3)|buffer(3)>, L<lhash(3)|lhash(3)>,
+L<objects(3)|objects(3)>, L<stack(3)|stack(3)>,
+L<txt_db(3)|txt_db(3)> 
+
+=back
+
+=head1 SEE ALSO
+
+L<openssl(1)|openssl(1)>, L<ssl(3)|ssl(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/d2i_DHparams.pod b/src/lib/libssl/src/doc/crypto/d2i_DHparams.pod
new file mode 100644
index 0000000000..a6d1743d39
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/d2i_DHparams.pod
@@ -0,0 +1,30 @@
+=pod
+
+=head1 NAME
+
+d2i_DHparams, i2d_DHparams - ...
+
+=head1 SYNOPSIS
+
+ #include <openssl/dh.h>
+
+ DH *d2i_DHparams(DH **a, unsigned char **pp, long length);
+ int i2d_DHparams(DH *a, unsigned char **pp);
+
+=head1 DESCRIPTION
+
+...
+
+=head1 RETURN VALUES
+
+...
+
+=head1 SEE ALSO
+
+...
+
+=head1 HISTORY
+
+...
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/d2i_RSAPublicKey.pod b/src/lib/libssl/src/doc/crypto/d2i_RSAPublicKey.pod
new file mode 100644
index 0000000000..ff4d0d57db
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/d2i_RSAPublicKey.pod
@@ -0,0 +1,39 @@
+=pod
+
+=head1 NAME
+
+d2i_RSAPublicKey, i2d_RSAPublicKey, d2i_RSAPrivateKey, i2d_RSAPrivateKey, i2d_Netscape_RSA, d2i_Netscape_RSA - ...
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ RSA * d2i_RSAPublicKey(RSA **a, unsigned char **pp, long length);
+
+ int i2d_RSAPublicKey(RSA *a, unsigned char **pp);
+
+ RSA * d2i_RSAPrivateKey(RSA **a, unsigned char **pp, long length);
+
+ int i2d_RSAPrivateKey(RSA *a, unsigned char **pp);
+
+ int i2d_Netscape_RSA(RSA *a, unsigned char **pp, int (*cb)());
+
+ RSA * d2i_Netscape_RSA(RSA **a, unsigned char **pp, long length, int (*cb)());
+
+=head1 DESCRIPTION
+
+...
+
+=head1 RETURN VALUES
+
+...
+
+=head1 SEE ALSO
+
+...
+
+=head1 HISTORY
+
+...
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/des.pod b/src/lib/libssl/src/doc/crypto/des.pod
new file mode 100644
index 0000000000..c553210ef2
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/des.pod
@@ -0,0 +1,376 @@
+=pod
+
+=head1 NAME
+
+des_random_key, des_set_key, des_key_sched, des_set_key_checked,
+des_set_key_unchecked, des_set_odd_parity, des_is_weak_key,
+des_ecb_encrypt, des_ecb2_encrypt, des_ecb3_encrypt, des_ncbc_encrypt,
+des_cfb_encrypt, des_ofb_encrypt, des_pcbc_encrypt, des_cfb64_encrypt,
+des_ofb64_encrypt, des_xcbc_encrypt, des_ede2_cbc_encrypt,
+des_ede2_cfb64_encrypt, des_ede2_ofb64_encrypt, des_ede3_cbc_encrypt,
+des_ede3_cbcm_encrypt, des_ede3_cfb64_encrypt, des_ede3_ofb64_encrypt,
+des_read_password, des_read_2passwords, des_read_pw_string,
+des_cbc_cksum, des_quad_cksum, des_string_to_key, des_string_to_2keys,
+des_fcrypt, des_crypt, des_enc_read, des_enc_write - DES encryption
+
+=head1 SYNOPSIS
+
+ #include <openssl/des.h>
+
+ void des_random_key(des_cblock *ret);
+
+ int des_set_key(const_des_cblock *key, des_key_schedule schedule);
+ int des_key_sched(const_des_cblock *key, des_key_schedule schedule);
+ int des_set_key_checked(const_des_cblock *key,
+        des_key_schedule schedule);
+ void des_set_key_unchecked(const_des_cblock *key,
+        des_key_schedule schedule);
+
+ void des_set_odd_parity(des_cblock *key);
+ int des_is_weak_key(const_des_cblock *key);
+
+ void des_ecb_encrypt(const_des_cblock *input, des_cblock *output, 
+        des_key_schedule ks, int enc);
+ void des_ecb2_encrypt(const_des_cblock *input, des_cblock *output, 
+        des_key_schedule ks1, des_key_schedule ks2, int enc);
+ void des_ecb3_encrypt(const_des_cblock *input, des_cblock *output, 
+        des_key_schedule ks1, des_key_schedule ks2, 
+        des_key_schedule ks3, int enc);
+
+ void des_ncbc_encrypt(const unsigned char *input, unsigned char *output, 
+        long length, des_key_schedule schedule, des_cblock *ivec, 
+        int enc);
+ void des_cfb_encrypt(const unsigned char *in, unsigned char *out,
+        int numbits, long length, des_key_schedule schedule,
+        des_cblock *ivec, int enc);
+ void des_ofb_encrypt(const unsigned char *in, unsigned char *out,
+        int numbits, long length, des_key_schedule schedule,
+        des_cblock *ivec);
+ void des_pcbc_encrypt(const unsigned char *input, unsigned char *output, 
+        long length, des_key_schedule schedule, des_cblock *ivec, 
+        int enc);
+ void des_cfb64_encrypt(const unsigned char *in, unsigned char *out,
+        long length, des_key_schedule schedule, des_cblock *ivec,
+        int *num, int enc);
+ void des_ofb64_encrypt(const unsigned char *in, unsigned char *out,
+        long length, des_key_schedule schedule, des_cblock *ivec,
+        int *num);
+
+ void des_xcbc_encrypt(const unsigned char *input, unsigned char *output, 
+        long length, des_key_schedule schedule, des_cblock *ivec, 
+        const_des_cblock *inw, const_des_cblock *outw, int enc);
+
+ void des_ede2_cbc_encrypt(const unsigned char *input,
+        unsigned char *output, long length, des_key_schedule ks1,
+        des_key_schedule ks2, des_cblock *ivec, int enc);
+ void des_ede2_cfb64_encrypt(const unsigned char *in,
+        unsigned char *out, long length, des_key_schedule ks1,
+        des_key_schedule ks2, des_cblock *ivec, int *num, int enc);
+ void des_ede2_ofb64_encrypt(const unsigned char *in,
+        unsigned char *out, long length, des_key_schedule ks1,
+        des_key_schedule ks2, des_cblock *ivec, int *num);
+
+ void des_ede3_cbc_encrypt(const unsigned char *input,
+        unsigned char *output, long length, des_key_schedule ks1,
+        des_key_schedule ks2, des_key_schedule ks3, des_cblock *ivec,
+        int enc);
+ void des_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out, 
+        long length, des_key_schedule ks1, des_key_schedule ks2, 
+        des_key_schedule ks3, des_cblock *ivec1, des_cblock *ivec2, 
+        int enc);
+ void des_ede3_cfb64_encrypt(const unsigned char *in, unsigned char *out, 
+        long length, des_key_schedule ks1, des_key_schedule ks2,
+        des_key_schedule ks3, des_cblock *ivec, int *num, int enc);
+ void des_ede3_ofb64_encrypt(const unsigned char *in, unsigned char *out, 
+        long length, des_key_schedule ks1, 
+        des_key_schedule ks2, des_key_schedule ks3, 
+        des_cblock *ivec, int *num);
+
+ int des_read_password(des_cblock *key, const char *prompt, int verify);
+ int des_read_2passwords(des_cblock *key1, des_cblock *key2, 
+        const char *prompt, int verify);
+ int des_read_pw_string(char *buf, int length, const char *prompt,
+        int verify);
+
+ DES_LONG des_cbc_cksum(const unsigned char *input, des_cblock *output, 
+        long length, des_key_schedule schedule, 
+        const_des_cblock *ivec);
+ DES_LONG des_quad_cksum(const unsigned char *input, des_cblock output[], 
+        long length, int out_count, des_cblock *seed);
+ void des_string_to_key(const char *str, des_cblock *key);
+ void des_string_to_2keys(const char *str, des_cblock *key1,
+        des_cblock *key2);
+
+ char *des_fcrypt(const char *buf, const char *salt, char *ret);
+ char *des_crypt(const char *buf, const char *salt);
+ char *crypt(const char *buf, const char *salt);
+
+ int des_enc_read(int fd, void *buf, int len, des_key_schedule sched,
+        des_cblock *iv);
+ int des_enc_write(int fd, const void *buf, int len,
+        des_key_schedule sched, des_cblock *iv);
+
+=head1 DESCRIPTION
+
+This library contains a fast implementation of the DES encryption
+algorithm.
+
+There are two phases to the use of DES encryption.  The first is the
+generation of a I<des_key_schedule> from a key, the second is the
+actual encryption.  A DES key is of type I<des_cblock>. This type is
+consists of 8 bytes with odd parity.  The least significant bit in
+each byte is the parity bit.  The key schedule is an expanded form of
+the key; it is used to speed the encryption process.
+
+des_random_key() generates a random key.  The PRNG must be seeded
+prior to using this function (see L<rand(3)|rand(3)>; for backward
+compatibility the function des_random_seed() is available as well).
+If the PRNG could not generate a secure key, 0 is returned.  In
+earlier versions of the library, des_random_key() did not generate
+secure keys.
+
+Before a DES key can be used, it must be converted into the
+architecture dependant I<des_key_schedule> via the
+des_set_key_checked() or des_set_key_unchecked() function.
+
+des_set_key_checked() will check that the key passed is of odd parity
+and is not a week or semi-weak key.  If the parity is wrong, then -1
+is returned.  If the key is a weak key, then -2 is returned.  If an
+error is returned, the key schedule is not generated.
+
+des_set_key() (called des_key_sched() in the MIT library) works like
+des_set_key_checked() if the I<des_check_key> flag is non-zero,
+otherwise like des_set_key_unchecked().  These functions are available
+for compatibility; it is recommended to use a function that does not
+depend on a global variable.
+
+des_set_odd_parity() (called des_fixup_key_parity() in the MIT
+library) sets the parity of the passed I<key> to odd.
+
+des_is_weak_key() returns 1 is the passed key is a weak key, 0 if it
+is ok.  The probability that a randomly generated key is weak is
+1/2^52, so it is not really worth checking for them.
+
+The following routines mostly operate on an input and output stream of
+I<des_cblock>s.
+
+des_ecb_encrypt() is the basic DES encryption routine that encrypts or
+decrypts a single 8-byte I<des_cblock> in I<electronic code book>
+(ECB) mode.  It always transforms the input data, pointed to by
+I<input>, into the output data, pointed to by the I<output> argument.
+If the I<encrypt> argument is non-zero (DES_ENCRYPT), the I<input>
+(cleartext) is encrypted in to the I<output> (ciphertext) using the
+key_schedule specified by the I<schedule> argument, previously set via
+I<des_set_key>. If I<encrypt> is zero (DES_DECRYPT), the I<input> (now
+ciphertext) is decrypted into the I<output> (now cleartext).  Input
+and output may overlap.  des_ecb_encrypt() does not return a value.
+
+des_ecb3_encrypt() encrypts/decrypts the I<input> block by using
+three-key Triple-DES encryption in ECB mode.  This involves encrypting
+the input with I<ks1>, decrypting with the key schedule I<ks2>, and
+then encrypting with I<ks3>.  This routine greatly reduces the chances
+of brute force breaking of DES and has the advantage of if I<ks1>,
+I<ks2> and I<ks3> are the same, it is equivalent to just encryption
+using ECB mode and I<ks1> as the key.
+
+The macro des_ecb2_encrypt() is provided to perform two-key Triple-DES
+encryption by using I<ks1> for the final encryption.
+
+des_ncbc_encrypt() encrypts/decrypts using the I<cipher-block-chaining>
+(CBC) mode of DES.  If the I<encrypt> argument is non-zero, the
+routine cipher-block-chain encrypts the cleartext data pointed to by
+the I<input> argument into the ciphertext pointed to by the I<output>
+argument, using the key schedule provided by the I<schedule> argument,
+and initialization vector provided by the I<ivec> argument.  If the
+I<length> argument is not an integral multiple of eight bytes, the
+last block is copied to a temporary area and zero filled.  The output
+is always an integral multiple of eight bytes.
+
+des_xcbc_encrypt() is RSA's DESX mode of DES.  It uses I<inw> and
+I<outw> to 'whiten' the encryption.  I<inw> and I<outw> are secret
+(unlike the iv) and are as such, part of the key.  So the key is sort
+of 24 bytes.  This is much better than CBC DES.
+
+des_ede3_cbc_encrypt() implements outer triple CBC DES encryption with
+three keys. This means that each DES operation inside the CBC mode is
+really an C<C=E(ks3,D(ks2,E(ks1,M)))>.  This mode is used by SSL.
+
+The des_ede2_cbc_encrypt() macro implements two-key Triple-DES by
+reusing I<ks1> for the final encryption.  C<C=E(ks1,D(ks2,E(ks1,M)))>.
+This form of Triple-DES is used by the RSAREF library.
+
+des_pcbc_encrypt() encrypt/decrypts using the propagating cipher block
+chaing mode used by Kerberos v4. Its parameters are the same as
+des_ncbc_encrypt().
+
+des_cfb_encrypt() encrypt/decrypts using cipher feedback mode.  This
+method takes an array of characters as input and outputs and array of
+characters.  It does not require any padding to 8 character groups.
+Note: the I<ivec> variable is changed and the new changed value needs to
+be passed to the next call to this function.  Since this function runs
+a complete DES ECB encryption per I<numbits>, this function is only
+suggested for use when sending small numbers of characters.
+
+des_cfb64_encrypt()
+implements CFB mode of DES with 64bit feedback.  Why is this
+useful you ask?  Because this routine will allow you to encrypt an
+arbitrary number of bytes, no 8 byte padding.  Each call to this
+routine will encrypt the input bytes to output and then update ivec
+and num.  num contains 'how far' we are though ivec.  If this does
+not make much sense, read more about cfb mode of DES :-).
+
+des_ede3_cfb64_encrypt() and des_ede2_cfb64_encrypt() is the same as
+des_cfb64_encrypt() except that Triple-DES is used.
+
+des_ofb_encrypt() encrypts using output feedback mode.  This method
+takes an array of characters as input and outputs and array of
+characters.  It does not require any padding to 8 character groups.
+Note: the I<ivec> variable is changed and the new changed value needs to
+be passed to the next call to this function.  Since this function runs
+a complete DES ECB encryption per numbits, this function is only
+suggested for use when sending small numbers of characters.
+
+des_ofb64_encrypt() is the same as des_cfb64_encrypt() using Output
+Feed Back mode.
+
+des_ede3_ofb64_encrypt() and des_ede2_ofb64_encrypt() is the same as
+des_ofb64_encrypt(), using Triple-DES.
+
+The following functions are included in the DES library for
+compatibility with the MIT Kerberos library. des_read_pw_string()
+is also available under the name EVP_read_pw_string().
+
+des_read_pw_string() writes the string specified by I<prompt> to
+standarf output, turns echo off and reads in input string from the
+terminal.  The string is returned in I<buf>, which must have space for
+at least I<length> bytes.  If I<verify> is set, the user is asked for
+the password twice and unless the two copies match, an error is
+returned.  A return code of -1 indicates a system error, 1 failure due
+to use interaction, and 0 is success.
+
+des_read_password() does the same and converts the password to a DES
+key by calling des_string_to_key(); des_read_2password() operates in
+the same way as des_read_password() except that it generates two keys
+by using the des_string_to_2key() function.  des_string_to_key() is
+available for backward compatibility with the MIT library.  New
+applications should use a cryptographic hash function.  The same
+applies for des_string_to_2key().
+
+des_cbc_cksum() produces an 8 byte checksum based on the input stream
+(via CBC encryption).  The last 4 bytes of the checksum are returned
+and the complete 8 bytes are placed in I<output>. This function is
+used by Kerberos v4.  Other applications should use
+L<EVP_DigestInit(3)|EVP_DigestInit(3)> etc. instead.
+
+des_quad_cksum() is a Kerberos v4 function.  It returns a 4 byte
+checksum from the input bytes.  The algorithm can be iterated over the
+input, depending on I<out_count>, 1, 2, 3 or 4 times.  If I<output> is
+non-NULL, the 8 bytes generated by each pass are written into
+I<output>.
+
+The following are DES-based tranformations:
+
+des_fcrypt() is a fast version of the unix crypt(3) function.  This
+version takes only a small amount of space relative to other fast
+crypt() implementations.  This is different to the normal crypt in
+that the third parameter is the buffer that the return value is
+written into.  It needs to be at least 14 bytes long.  This function
+is thread safe, unlike the normal crypt.
+
+des_crypt() is a faster replacement for the normal system crypt().
+This function calls des_fcrypt() with a static array passed as the
+third parameter.  This emulates the normal non-thread safe semantics
+of crypt(3).
+
+des_enc_write() writes I<len> bytes to file descriptor I<fd> from
+buffer I<buf>. The data is encrypted via I<pcbc_encrypt> (default)
+using I<sched> for the key and I<iv> as a starting vector.  The actual
+data send down I<fd> consists of 4 bytes (in network byte order)
+containing the length of the following encrypted data.  The encrypted
+data then follows, padded with random data out to a multiple of 8
+bytes.
+
+des_enc_read() is used to read I<len> bytes from file descriptor
+I<fd> into buffer I<buf>. The data being read from I<fd> is assumed to
+have come from des_enc_write() and is decrypted using I<sched> for
+the key schedule and I<iv> for the initial vector.
+
+B<Warning:> The data format used by des_enc_write() and des_enc_read()
+has a cryptographic weakness: When asked to write more than MAXWRITE
+bytes, des_enc_write() will split the data into several chunks that
+are all encrypted using the same IV.  So don't use these functions
+unless you are sure you know what you do (in which case you might not
+want to use them anyway).  They cannot handle non-blocking sockets.
+des_enc_read() uses an internal state and thus cannot be used on
+multiple files.
+
+I<des_rw_mode> is used to specify the encryption mode to use with
+des_enc_read() and des_end_write().  If set to I<DES_PCBC_MODE> (the
+default), des_pcbc_encrypt is used.  If set to I<DES_CBC_MODE>
+des_cbc_encrypt is used.
+
+=head1 NOTES
+
+Single-key DES is insecure due to its short key size.  ECB mode is
+not suitable for most applications; see L<des_modes(7)|des_modes(7)>.
+
+The L<evp(3)|evp(3)> library provides higher-level encryption functions.
+
+=head1 BUGS
+
+des_3cbc_encrypt() is flawed and must not be used in applications.
+
+des_cbc_encrypt() does not modify B<ivec>; use des_ncbc_encrypt()
+instead.
+
+des_cfb_encrypt() and des_ofb_encrypt() operates on input of 8 bits.
+What this means is that if you set numbits to 12, and length to 2, the
+first 12 bits will come from the 1st input byte and the low half of
+the second input byte.  The second 12 bits will have the low 8 bits
+taken from the 3rd input byte and the top 4 bits taken from the 4th
+input byte.  The same holds for output.  This function has been
+implemented this way because most people will be using a multiple of 8
+and because once you get into pulling bytes input bytes apart things
+get ugly!
+
+des_read_pw_string() is the most machine/OS dependent function and
+normally generates the most problems when porting this code.
+
+=head1 CONFORMING TO
+
+ANSI X3.106
+
+The B<des> library was written to be source code compatible with
+the MIT Kerberos library.
+
+=head1 SEE ALSO
+
+crypt(3), L<des_modes(3)|des_modes(3)>, L<evp(3)|evp(3)>, L<rand(3)|rand(3)>
+
+=head1 HISTORY
+
+des_cbc_cksum(), des_cbc_encrypt(), des_ecb_encrypt(),
+des_is_weak_key(), des_key_sched(), des_pcbc_encrypt(),
+des_quad_cksum(), des_random_key(), des_read_password() and
+des_string_to_key() are available in the MIT Kerberos library;
+des_check_key_parity(), des_fixup_key_parity() and des_is_weak_key()
+are available in newer versions of that library.
+
+des_set_key_checked() and des_set_key_unchecked() were added in
+OpenSSL 0.9.5.
+
+des_generate_random_block(), des_init_random_number_generator(),
+des_new_random_key(), des_set_random_generator_seed() and
+des_set_sequence_number() and des_rand_data() are used in newer
+versions of Kerberos but are not implemented here.
+
+des_random_key() generated cryptographically weak random data in
+SSLeay and in OpenSSL prior version 0.9.5, as well as in the original
+MIT library.
+
+=head1 AUTHOR
+
+Eric Young (eay@cryptsoft.com). Modified for the OpenSSL project
+(http://www.openssl.org).
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/des_modes.pod b/src/lib/libssl/src/doc/crypto/des_modes.pod
new file mode 100644
index 0000000000..d8148c86fc
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/des_modes.pod
@@ -0,0 +1,250 @@
+=pod
+
+=head1 NAME
+
+Modes of DES - the variants of DES and other crypto algorithms of OpenSSL
+
+=head1 DESCRIPTION
+
+Several crypto algorithms fo OpenSSL can be used in a number of modes.  Those
+are used for using block ciphers in a way similar to stream ciphers, among
+other things.
+
+=head1 OVERVIEW
+
+=head2 Electronic Codebook Mode (ECB)
+
+Normally, this is found as the function I<algorithm>_ecb_encrypt().
+
+=over 2
+
+=item *
+
+64 bits are enciphered at a time.
+
+=item *
+
+The order of the blocks can be rearranged without detection.
+
+=item *
+
+The same plaintext block always produces the same ciphertext block
+(for the same key) making it vulnerable to a 'dictionary attack'.
+
+=item *
+
+An error will only affect one ciphertext block.
+
+=back
+
+=head2 Cipher Block Chaining Mode (CBC)
+
+Normally, this is found as the function I<algorithm>_cbc_encrypt().
+Be aware that des_cbc_encrypt() is not really DES CBC (it does
+not update the IV); use des_ncbc_encrypt() instead.
+
+=over 2
+
+=item *
+
+a multiple of 64 bits are enciphered at a time.
+
+=item *
+
+The CBC mode produces the same ciphertext whenever the same
+plaintext is encrypted using the same key and starting variable.
+
+=item *
+
+The chaining operation makes the ciphertext blocks dependent on the
+current and all preceding plaintext blocks and therefore blocks can not
+be rearranged.
+
+=item *
+
+The use of different starting variables prevents the same plaintext
+enciphering to the same ciphertext.
+
+=item *
+
+An error will affect the current and the following ciphertext blocks.
+
+=back
+
+=head2 Cipher Feedback Mode (CFB)
+
+Normally, this is found as the function I<algorithm>_cfb_encrypt().
+
+=over 2
+
+=item *
+
+a number of bits (j) <= 64 are enciphered at a time.
+
+=item *
+
+The CFB mode produces the same ciphertext whenever the same
+plaintext is encrypted using the same key and starting variable.
+
+=item *
+
+The chaining operation makes the ciphertext variables dependent on the
+current and all preceding variables and therefore j-bit variables are
+chained together and can not be rearranged.
+
+=item *
+
+The use of different starting variables prevents the same plaintext
+enciphering to the same ciphertext.
+
+=item *
+
+The strength of the CFB mode depends on the size of k (maximal if
+j == k).  In my implementation this is always the case.
+
+=item *
+
+Selection of a small value for j will require more cycles through
+the encipherment algorithm per unit of plaintext and thus cause
+greater processing overheads.
+
+=item *
+
+Only multiples of j bits can be enciphered.
+
+=item *
+
+An error will affect the current and the following ciphertext variables.
+
+=back
+
+=head2 Output Feedback Mode (OFB)
+
+Normally, this is found as the function I<algorithm>_ofb_encrypt().
+
+=over 2
+
+
+=item *
+
+a number of bits (j) <= 64 are enciphered at a time.
+
+=item *
+
+The OFB mode produces the same ciphertext whenever the same
+plaintext enciphered using the same key and starting variable.  More
+over, in the OFB mode the same key stream is produced when the same
+key and start variable are used.  Consequently, for security reasons
+a specific start variable should be used only once for a given key.
+
+=item *
+
+The absence of chaining makes the OFB more vulnerable to specific attacks.
+
+=item *
+
+The use of different start variables values prevents the same
+plaintext enciphering to the same ciphertext, by producing different
+key streams.
+
+=item *
+
+Selection of a small value for j will require more cycles through
+the encipherment algorithm per unit of plaintext and thus cause
+greater processing overheads.
+
+=item *
+
+Only multiples of j bits can be enciphered.
+
+=item *
+
+OFB mode of operation does not extend ciphertext errors in the
+resultant plaintext output.  Every bit error in the ciphertext causes
+only one bit to be in error in the deciphered plaintext.
+
+=item *
+
+OFB mode is not self-synchronising.  If the two operation of
+encipherment and decipherment get out of synchronism, the system needs
+to be re-initialised.
+
+=item *
+
+Each re-initialisation should use a value of the start variable
+different from the start variable values used before with the same
+key.  The reason for this is that an identical bit stream would be
+produced each time from the same parameters.  This would be
+susceptible to a 'known plaintext' attack.
+
+=back
+
+=head2 Triple ECB Mode
+
+Normally, this is found as the function I<algorithm>_ecb3_encrypt().
+
+=over 2
+
+=item *
+
+Encrypt with key1, decrypt with key2 and encrypt with key3 again.
+
+=item *
+
+As for ECB encryption but increases the key length to 168 bits.
+There are theoretic attacks that can be used that make the effective
+key length 112 bits, but this attack also requires 2^56 blocks of
+memory, not very likely, even for the NSA.
+
+=item *
+
+If both keys are the same it is equivalent to encrypting once with
+just one key.
+
+=item *
+
+If the first and last key are the same, the key length is 112 bits.
+There are attacks that could reduce the key space to 55 bit's but it
+requires 2^56 blocks of memory.
+
+=item *
+
+If all 3 keys are the same, this is effectively the same as normal
+ecb mode.
+
+=back
+
+=head2 Triple CBC Mode
+
+Normally, this is found as the function I<algorithm>_ede3_cbc_encrypt().
+
+=over 2
+
+
+=item *
+
+Encrypt with key1, decrypt with key2 and then encrypt with key3.
+
+=item *
+
+As for CBC encryption but increases the key length to 168 bits with
+the same restrictions as for triple ecb mode.
+
+=back
+
+=head1 NOTES
+
+This text was been written in large parts by Eric Young in his original
+documentation for SSLeay, the predecessor of OpenSSL.  In turn, he attributed
+it to:
+
+        AS 2805.5.2
+        Australian Standard
+        Electronic funds transfer - Requirements for interfaces,
+        Part 5.2: Modes of operation for an n-bit block cipher algorithm
+        Appendix A
+
+=head1 SEE ALSO
+
+L<blowfish(3)|blowfish(3)>, L<des(3)|des(3)>, L<idea(3)|idea(3)>,
+L<rc2(3)|rc2(3)>
diff --git a/src/lib/libssl/src/doc/crypto/dh.pod b/src/lib/libssl/src/doc/crypto/dh.pod
new file mode 100644
index 0000000000..0a9b7c03a2
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/dh.pod
@@ -0,0 +1,68 @@
+=pod
+
+=head1 NAME
+
+dh - Diffie-Hellman key agreement
+
+=head1 SYNOPSIS
+
+ #include <openssl/dh.h>
+
+ DH *   DH_new(void);
+ void   DH_free(DH *dh);
+
+ int    DH_size(DH *dh);
+
+ DH *   DH_generate_parameters(int prime_len, int generator,
+                void (*callback)(int, int, void *), void *cb_arg);
+ int    DH_check(DH *dh, int *codes);
+
+ int    DH_generate_key(DH *dh);
+ int    DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh);
+
+ void DH_set_default_method(DH_METHOD *meth);
+ DH_METHOD *DH_get_default_method(void);
+ DH_METHOD *DH_set_method(DH *dh, DH_METHOD *meth);
+ DH *DH_new_method(DH_METHOD *meth);
+ DH_METHOD *DH_OpenSSL(void);
+
+ int DH_get_ex_new_index(long argl, char *argp, int (*new_func)(),
+             int (*dup_func)(), void (*free_func)());
+ int DH_set_ex_data(DH *d, int idx, char *arg);
+ char *DH_get_ex_data(DH *d, int idx);
+
+ DH *   d2i_DHparams(DH **a, unsigned char **pp, long length);
+ int    i2d_DHparams(DH *a, unsigned char **pp);
+
+ int    DHparams_print_fp(FILE *fp, DH *x);
+ int    DHparams_print(BIO *bp, DH *x);
+
+=head1 DESCRIPTION
+
+These functions implement the Diffie-Hellman key agreement protocol.
+The generation of shared DH parameters is described in
+L<DH_generate_parameters(3)|DH_generate_parameters(3)>; L<DH_generate_key(3)|DH_generate_key(3)> describes how
+to perform a key agreement.
+
+The B<DH> structure consists of several BIGNUM components.
+
+ struct
+        {
+        BIGNUM *p;              // prime number (shared)
+        BIGNUM *g;              // generator of Z_p (shared)
+        BIGNUM *priv_key;       // private DH value x
+        BIGNUM *pub_key;        // public DH value g^x
+        // ...
+        };
+ DH
+
+=head1 SEE ALSO
+
+L<dhparam(1)|dhparam(1)>, L<bn(3)|bn(3)>, L<dsa(3)|dsa(3)>, L<err(3)|err(3)>,
+L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<DH_set_method(3)|DH_set_method(3)>,
+L<DH_new(3)|DH_new(3)>, L<DH_get_ex_new_index(3)|DH_get_ex_new_index(3)>,
+L<DH_generate_parameters(3)|DH_generate_parameters(3)>,
+L<DH_compute_key(3)|DH_compute_key(3)>, L<d2i_DHparams(3)|d2i_DHparams(3)>,
+L<RSA_print(3)|RSA_print(3)> 
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/dsa.pod b/src/lib/libssl/src/doc/crypto/dsa.pod
new file mode 100644
index 0000000000..2c09244899
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/dsa.pod
@@ -0,0 +1,104 @@
+=pod
+
+=head1 NAME
+
+dsa - Digital Signature Algorithm
+
+=head1 SYNOPSIS
+
+ #include <openssl/dsa.h>
+
+ DSA *  DSA_new(void);
+ void   DSA_free(DSA *dsa);
+
+ int    DSA_size(DSA *dsa);
+
+ DSA *  DSA_generate_parameters(int bits, unsigned char *seed,
+                int seed_len, int *counter_ret, unsigned long *h_ret,
+                void (*callback)(int, int, void *), void *cb_arg);
+
+ DH *   DSA_dup_DH(DSA *r);
+
+ int    DSA_generate_key(DSA *dsa);
+
+ int    DSA_sign(int dummy, const unsigned char *dgst, int len,
+                unsigned char *sigret, unsigned int *siglen, DSA *dsa);
+ int    DSA_sign_setup(DSA *dsa, BN_CTX *ctx, BIGNUM **kinvp,
+                BIGNUM **rp);
+ int    DSA_verify(int dummy, const unsigned char *dgst, int len,
+                unsigned char *sigbuf, int siglen, DSA *dsa);
+
+ void DSA_set_default_method(DSA_METHOD *meth);
+ DSA_METHOD *DSA_get_default_method(void);
+ DSA_METHOD *DSA_set_method(DSA *dsa, DSA_METHOD *meth);
+ DSA *DSA_new_method(DSA_METHOD *meth);
+ DSA_METHOD *DSA_OpenSSL(void);
+
+ int DSA_get_ex_new_index(long argl, char *argp, int (*new_func)(),
+             int (*dup_func)(), void (*free_func)());
+ int DSA_set_ex_data(DSA *d, int idx, char *arg);
+ char *DSA_get_ex_data(DSA *d, int idx);
+
+ DSA_SIG *DSA_SIG_new(void);
+ void   DSA_SIG_free(DSA_SIG *a);
+ int    i2d_DSA_SIG(DSA_SIG *a, unsigned char **pp);
+ DSA_SIG *d2i_DSA_SIG(DSA_SIG **v, unsigned char **pp, long length);
+
+ DSA_SIG *DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
+ int    DSA_do_verify(const unsigned char *dgst, int dgst_len,
+             DSA_SIG *sig, DSA *dsa);
+
+ DSA *  d2i_DSAPublicKey(DSA **a, unsigned char **pp, long length);
+ DSA *  d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length);
+ DSA *  d2i_DSAparams(DSA **a, unsigned char **pp, long length);
+ int    i2d_DSAPublicKey(DSA *a, unsigned char **pp);
+ int    i2d_DSAPrivateKey(DSA *a, unsigned char **pp);
+ int    i2d_DSAparams(DSA *a,unsigned char **pp);
+
+ int    DSAparams_print(BIO *bp, DSA *x);
+ int    DSAparams_print_fp(FILE *fp, DSA *x);
+ int    DSA_print(BIO *bp, DSA *x, int off);
+ int    DSA_print_fp(FILE *bp, DSA *x, int off);
+
+=head1 DESCRIPTION
+
+These functions implement the Digital Signature Algorithm (DSA).  The
+generation of shared DSA parameters is described in
+L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>;
+L<DSA_generate_key(3)|DSA_generate_key(3)> describes how to
+generate a signature key. Signature generation and verification are
+described in L<DSA_sign(3)|DSA_sign(3)>.
+
+The B<DSA> structure consists of several BIGNUM components.
+
+ struct
+        {
+        BIGNUM *p;              // prime number (public)
+        BIGNUM *q;              // 160-bit subprime, q | p-1 (public)
+        BIGNUM *g;              // generator of subgroup (public)
+        BIGNUM *priv_key;       // private key x
+        BIGNUM *pub_key;        // public key y = g^x
+        // ...
+        }
+ DSA;
+
+In public keys, B<priv_key> is NULL.
+
+=head1 CONFORMING TO
+
+US Federal Information Processing Standard FIPS 186 (Digital Signature
+Standard, DSS), ANSI X9.30
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>, L<dh(3)|dh(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>,
+L<rsa(3)|rsa(3)>, L<sha(3)|sha(3)>, L<DSA_new(3)|DSA_new(3)>,
+L<DSA_size(3)|DSA_size(3)>,
+L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>,
+L<DSA_dup_DH(3)|DSA_dup_DH(3)>,
+L<DSA_generate_key(3)|DSA_generate_key(3)>,
+L<DSA_sign(3)|DSA_sign(3)>, L<DSA_set_method(3)|DSA_set_method(3)>,
+L<DSA_get_ex_new_index(3)|DSA_get_ex_new_index(3)>,
+L<RSA_print(3)|RSA_print(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/err.pod b/src/lib/libssl/src/doc/crypto/err.pod
new file mode 100644
index 0000000000..b824c92b57
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/err.pod
@@ -0,0 +1,187 @@
+=pod
+
+=head1 NAME
+
+err - error codes
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ unsigned long ERR_get_error(void);
+ unsigned long ERR_peek_error(void);
+ unsigned long ERR_get_error_line(const char **file, int *line);
+ unsigned long ERR_peek_error_line(const char **file, int *line);
+ unsigned long ERR_get_error_line_data(const char **file, int *line,
+         const char **data, int *flags);
+ unsigned long ERR_peek_error_line_data(const char **file, int *line,
+         const char **data, int *flags);
+
+ int ERR_GET_LIB(unsigned long e);
+ int ERR_GET_FUNC(unsigned long e);
+ int ERR_GET_REASON(unsigned long e);
+
+ void ERR_clear_error(void);
+
+ char *ERR_error_string(unsigned long e, char *buf);
+ const char *ERR_lib_error_string(unsigned long e);
+ const char *ERR_func_error_string(unsigned long e);
+ const char *ERR_reason_error_string(unsigned long e);
+
+ void ERR_print_errors(BIO *bp);
+ void ERR_print_errors_fp(FILE *fp);
+
+ void ERR_load_crypto_strings(void);
+ void ERR_free_strings(void);
+
+ void ERR_remove_state(unsigned long pid);
+
+ void ERR_put_error(int lib, int func, int reason, const char *file,
+         int line);
+ void ERR_add_error_data(int num, ...);
+
+ void ERR_load_strings(int lib,ERR_STRING_DATA str[]);
+ unsigned long ERR_PACK(int lib, int func, int reason);
+ int ERR_get_next_error_library(void);
+
+=head1 DESCRIPTION
+
+When a call to the OpenSSL library fails, this is usually signalled
+by the return value, and an error code is stored in an error queue
+associated with the current thread. The B<err> library provides
+functions to obtain these error codes and textual error messages.
+
+The L<ERR_get_error(3)|ERR_get_error(3)> manpage describes how to
+access error codes.
+
+Error codes contain information about where the error occurred, and
+what went wrong. L<ERR_GET_LIB(3)|ERR_GET_LIB(3)> describes how to
+extract this information. A method to obtain human-readable error
+messages is described in L<ERR_error_string(3)|ERR_error_string(3)>.
+
+L<ERR_clear_error(3)|ERR_clear_error(3)> can be used to clear the
+error queue.
+
+Note that L<ERR_remove_state(3)|ERR_remove_state(3)> should be used to
+avoid memory leaks when threads are terminated.
+
+=head1 ADDING NEW ERROR CODES TO OPENSSL
+
+See L<ERR_put_error(3)> if you want to record error codes in the
+OpenSSL error system from within your application.
+
+The remainder of this section is of interest only if you want to add
+new error codes to OpenSSL or add error codes from external libraries.
+
+=head2 Reporting errors
+
+Each sub-library has a specific macro XXXerr() that is used to report
+errors. Its first argument is a function code B<XXX_F_...>, the second
+argument is a reason code B<XXX_R_...>. Function codes are derived
+from the function names; reason codes consist of textual error
+descriptions. For example, the function ssl23_read() reports a
+"handshake failure" as follows:
+
+ SSLerr(SSL_F_SSL23_READ, SSL_R_SSL_HANDSHAKE_FAILURE);
+
+Function and reason codes should consist of upper case characters,
+numbers and underscores only. The error file generation script translates
+function codes into function names by looking in the header files
+for an appropriate function name, if none is found it just uses
+the capitalized form such as "SSL23_READ" in the above example.
+
+The trailing section of a reason code (after the "_R_") is translated
+into lower case and underscores changed to spaces.
+
+When you are using new function or reason codes, run B<make errors>.
+The necessary B<#define>s will then automatically be added to the
+sub-library's header file.
+
+Although a library will normally report errors using its own specific
+XXXerr macro, another library's macro can be used. This is normally
+only done when a library wants to include ASN1 code which must use
+the ASN1err() macro.
+
+=head2 Adding new libraries
+
+When adding a new sub-library to OpenSSL, assign it a library number
+B<ERR_LIB_XXX>, define a macro XXXerr() (both in B<err.h>), add its
+name to B<ERR_str_libraries[]> (in B<crypto/err/err.c>), and add
+C<ERR_load_XXX_strings()> to the ERR_load_crypto_strings() function
+(in B<crypto/err/err_all.c>). Finally, add an entry
+
+ L      XXX     xxx.h   xxx_err.c
+
+to B<crypto/err/openssl.ec>, and add B<xxx_err.c> to the Makefile.
+Running B<make errors> will then generate a file B<xxx_err.c>, and
+add all error codes used in the library to B<xxx.h>.
+
+Additionally the library include file must have a certain form.
+Typically it will initially look like this:
+
+ #ifndef HEADER_XXX_H
+ #define HEADER_XXX_H
+
+ #ifdef __cplusplus
+ extern "C" {
+ #endif
+
+ /* Include files */
+
+ #include <openssl/bio.h>
+ #include <openssl/x509.h>
+
+ /* Macros, structures and function prototypes */
+
+
+ /* BEGIN ERROR CODES */
+
+The B<BEGIN ERROR CODES> sequence is used by the error code
+generation script as the point to place new error codes, any text
+after this point will be overwritten when B<make errors> is run.
+The closing #endif etc will be automatically added by the script.
+
+The generated C error code file B<xxx_err.c> will load the header
+files B<stdio.h>, B<openssl/err.h> and B<openssl/xxx.h> so the
+header file must load any additional header files containg any
+definitions it uses.
+
+=head1 USING ERROR CODES IN EXTERNAL LIBRARIES
+
+It is also possible to use OpenSSL's error code scheme in external
+libraries. The library needs to load its own codes and call the OpenSSL
+error code insertion script B<mkerr.pl> explicitly to add codes to
+the header file and generate the C error code file. This will normally
+be done if the external library needs to generate new ASN1 structures
+but it can also be used to add more general purpose error code handling.
+
+TBA more details
+
+=head1 INTERNALS
+
+The error queues are stored in a hash table with one B<ERR_STATE>
+entry for each pid. ERR_get_state() returns the current thread's
+B<ERR_STATE>. An B<ERR_STATE> can hold up to B<ERR_NUM_ERRORS> error
+codes. When more error codes are added, the old ones are overwritten,
+on the assumption that the most recent errors are most important.
+
+Error strings are also stored in hash table. The hash tables can
+be obtained by calling ERR_get_err_state_table(void) and
+ERR_get_string_table(void) respectively.
+
+=head1 SEE ALSO
+
+L<CRYPTO_set_id_callback(3)|CRYPTO_set_id_callback(3)>,
+L<CRYPTO_set_locking_callback(3)|<CRYPTO_set_locking_callback(3)>,
+L<ERR_get_error(3)|ERR_get_error(3)>,
+L<ERR_GET_LIB(3)|ERR_GET_LIB(3)>,
+L<ERR_clear_error(3)|ERR_clear_error(3)>,
+L<ERR_error_string(3)|ERR_error_string(3)>,
+L<ERR_print_errors(3)|ERR_print_errors(3)>,
+L<ERR_load_crypto_strings(3)|ERR_load_crypto_strings(3)>,
+L<ERR_remove_state(3)|ERR_remove_state(3)>,
+L<ERR_put_error(3)|ERR_put_error(3)>,
+L<ERR_load_strings(3)|ERR_load_strings(3)>,
+L<SSL_get_error(3)|SSL_get_error(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/evp.pod b/src/lib/libssl/src/doc/crypto/evp.pod
new file mode 100644
index 0000000000..f089dd49a2
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/evp.pod
@@ -0,0 +1,37 @@
+=pod
+
+=head1 NAME
+
+evp - high-level cryptographic functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+=head1 DESCRIPTION
+
+The EVP library provided a high-level interface to cryptographic
+functions.
+
+B<EVP_Seal>I<...> and B<EVP_Open>I<...> provide public key encryption
+and decryption to implement digital "envelopes".
+
+The B<EVP_Sign>I<...> and B<EVP_Verify>I<...> functions implement
+digital signatures.
+
+Symmetric encryption is available with the B<EVP_Encrypt>I<...>
+functions.  The B<EVP_Digest>I<...> functions provide message digests.
+
+Algorithms are loaded with OpenSSL_add_all_algorithms(3).
+
+=head1 SEE ALSO
+
+L<EVP_DigestInit(3)|EVP_DigestInit(3)>,
+L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>,
+L<EVP_OpenInit(3)|EVP_OpenInit(3)>,
+L<EVP_SealInit(3)|EVP_SealInit(3)>,
+L<EVP_SignInit(3)|EVP_SignInit(3)>,
+L<EVP_VerifyInit(3)|EVP_VerifyInit(3)>,
+L<OpenSSL_add_all_algorithms(3)|OpenSSL_add_all_algorithms(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/hmac.pod b/src/lib/libssl/src/doc/crypto/hmac.pod
new file mode 100644
index 0000000000..45b6108c39
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/hmac.pod
@@ -0,0 +1,75 @@
+=pod
+
+=head1 NAME
+
+HMAC, HMAC_Init, HMAC_Update, HMAC_Final - HMAC message authentication code
+
+=head1 SYNOPSIS
+
+ #include <openssl/hmac.h>
+
+ unsigned char *HMAC(const EVP_MD *evp_md, const void *key,
+               int key_len, const unsigned char *d, int n,
+               unsigned char *md, unsigned int *md_len);
+
+ void HMAC_Init(HMAC_CTX *ctx, const void *key, int key_len,
+               const EVP_MD *md);
+ void HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, int len);
+ void HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len);
+
+ void HMAC_cleanup(HMAC_CTX *ctx);
+
+=head1 DESCRIPTION
+
+HMAC is a MAC (message authentication code), i.e. a keyed hash
+function used for message authentication, which is based on a hash
+function.
+
+HMAC() computes the message authentication code of the B<n> bytes at
+B<d> using the hash function B<evp_md> and the key B<key> which is
+B<key_len> bytes long.
+
+It places the result in B<md> (which must have space for the output of
+the hash function, which is no more than B<EVP_MAX_MD_SIZE> bytes).
+If B<md> is NULL, the digest is placed in a static array.  The size of
+the output is placed in B<md_len>, unless it is B<NULL>.
+
+B<evp_md> can be EVP_sha1(), EVP_ripemd160() etc.
+B<key> and B<evp_md> may be B<NULL> if a key and hash function have
+been set in a previous call to HMAC_Init() for that B<HMAC_CTX>.
+
+HMAC_cleanup() erases the key and other data from the B<HMAC_CTX>.
+
+The following functions may be used if the message is not completely
+stored in memory:
+
+HMAC_Init() initializes a B<HMAC_CTX> structure to use the hash
+function B<evp_md> and the key B<key> which is B<key_len> bytes long.
+
+HMAC_Update() can be called repeatedly with chunks of the message to
+be authenticated (B<len> bytes at B<data>).
+
+HMAC_Final() places the message authentication code in B<md>, which
+must have space for the hash function output.
+
+=head1 RETURN VALUES
+
+HMAC() returns a pointer to the message authentication code.
+
+HMAC_Init(), HMAC_Update(), HMAC_Final() and HMAC_cleanup() do not
+return values.
+
+=head1 CONFORMING TO
+
+RFC 2104
+
+=head1 SEE ALSO
+
+L<sha(3)|sha(3)>, L<evp(3)|evp(3)>
+
+=head1 HISTORY
+
+HMAC(), HMAC_Init(), HMAC_Update(), HMAC_Final() and HMAC_cleanup()
+are available since SSLeay 0.9.0.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/lh_stats.pod b/src/lib/libssl/src/doc/crypto/lh_stats.pod
new file mode 100644
index 0000000000..3eeaa72e52
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/lh_stats.pod
@@ -0,0 +1,60 @@
+=pod
+
+=head1 NAME
+
+lh_stats, lh_node_stats, lh_node_usage_stats, lh_stats_bio,
+lh_node_stats_bio, lh_node_usage_stats_bio - LHASH statistics
+
+=head1 SYNOPSIS
+
+ #include <openssl/lhash.h>
+
+ void lh_stats(LHASH *table, FILE *out);
+ void lh_node_stats(LHASH *table, FILE *out);
+ void lh_node_usage_stats(LHASH *table, FILE *out);
+
+ void lh_stats_bio(LHASH *table, BIO *out);
+ void lh_node_stats_bio(LHASH *table, BIO *out);
+ void lh_node_usage_stats_bio(LHASH *table, BIO *out);
+
+=head1 DESCRIPTION
+
+The B<LHASH> structure records statistics about most aspects of
+accessing the hash table.  This is mostly a legacy of Eric Young
+writing this library for the reasons of implementing what looked like
+a nice algorithm rather than for a particular software product.
+
+lh_stats() prints out statistics on the size of the hash table, how
+many entries are in it, and the number and result of calls to the
+routines in this library.
+
+lh_node_stats() prints the number of entries for each 'bucket' in the
+hash table.
+
+lh_node_usage_stats() prints out a short summary of the state of the
+hash table.  It prints the 'load' and the 'actual load'.  The load is
+the average number of data items per 'bucket' in the hash table.  The
+'actual load' is the average number of items per 'bucket', but only
+for buckets which contain entries.  So the 'actual load' is the
+average number of searches that will need to find an item in the hash
+table, while the 'load' is the average number that will be done to
+record a miss.
+
+lh_stats_bio(), lh_node_stats_bio() and lh_node_usage_stats_bio()
+are the same as the above, except that the output goes to a B<BIO>.
+
+=head1 RETURN VALUES
+
+These functions do not return values.
+
+=head1 SEE ALSO
+
+L<bio(3)|bio(3)>, L<lhash(3)|lhash(3)>
+
+=head1 HISTORY
+
+These functions are available in all versions of SSLeay and OpenSSL.
+
+This manpage is derived from the SSLeay documentation.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/lhash.pod b/src/lib/libssl/src/doc/crypto/lhash.pod
new file mode 100644
index 0000000000..af2c9a7102
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/lhash.pod
@@ -0,0 +1,155 @@
+=pod
+
+=head1 NAME
+
+lh_new, lh_free, lh_insert, lh_delete, lh_retrieve, lh_doall,
+lh_doall_arg, lh_error - dynamic hash table
+
+=head1 SYNOPSIS
+
+ #include <openssl/lhash.h>
+
+ LHASH *lh_new(unsigned long (*hash)(/*void *a*/),
+          int (*compare)(/*void *a,void *b*/));
+ void lh_free(LHASH *table);
+
+ void *lh_insert(LHASH *table, void *data);
+ void *lh_delete(LHASH *table, void *data);
+ void *lh_retrieve(LHASH *table, void *data);
+
+ void lh_doall(LHASH *table, void (*func)(/*void *b*/));
+ void lh_doall_arg(LHASH *table, void (*func)(/*void *a,void *b*/),
+          void *arg);
+
+ int lh_error(LHASH *table);
+
+=head1 DESCRIPTION
+
+This library implements dynamic hash tables. The hash table entries
+can be arbitrary structures. Usually they consist of key and value
+fields.
+
+lh_new() creates a new B<LHASH> structure. B<hash> takes a pointer to
+the structure and returns an unsigned long hash value of its key
+field. The hash value is normally truncated to a power of 2, so make
+sure that your hash function returns well mixed low order
+bits. B<compare> takes two arguments, and returns 0 if their keys are
+equal, non-zero otherwise.
+
+lh_free() frees the B<LHASH> structure B<table>. Allocated hash table
+entries will not be freed; consider using lh_doall() to deallocate any
+remaining entries in the hash table.
+
+lh_insert() inserts the structure pointed to by B<data> into B<table>.
+If there already is an entry with the same key, the old value is
+replaced. Note that lh_insert() stores pointers, the data are not
+copied.
+
+lh_delete() deletes an entry from B<table>.
+
+lh_retrieve() looks up an entry in B<table>. Normally, B<data> is
+a structure with the key field(s) set; the function will return a
+pointer to a fully populated structure.
+
+lh_doall() will, for every entry in the hash table, call B<func> with
+the data item as parameters.
+This function can be quite useful when used as follows:
+ void cleanup(STUFF *a)
+  { STUFF_free(a); }
+ lh_doall(hash,cleanup);
+ lh_free(hash);
+This can be used to free all the entries. lh_free() then cleans up the
+'buckets' that point to nothing. When doing this, be careful if you
+delete entries from the hash table in B<func>: the table may decrease
+in size, moving item that you are currently on down lower in the hash
+table.  This could cause some entries to be skipped.  The best
+solution to this problem is to set hash-E<gt>down_load=0 before you
+start.  This will stop the hash table ever being decreased in size.
+
+lh_doall_arg() is the same as lh_doall() except that B<func> will
+be called with B<arg> as the second argument.
+
+lh_error() can be used to determine if an error occurred in the last
+operation. lh_error() is a macro.
+
+=head1 RETURN VALUES
+
+lh_new() returns B<NULL> on error, otherwise a pointer to the new
+B<LHASH> structure.
+
+When a hash table entry is replaced, lh_insert() returns the value
+being replaced. B<NULL> is returned on normal operation and on error.
+
+lh_delete() returns the entry being deleted.  B<NULL> is returned if
+there is no such value in the hash table.
+
+lh_retrieve() returns the hash table entry if it has been found,
+B<NULL> otherwise.
+
+lh_error() returns 1 if an error occurred in the last operation, 0
+otherwise.
+
+lh_free(), lh_doall() and lh_doall_arg() return no values.
+
+=head1 BUGS
+
+lh_insert() returns B<NULL> both for success and error.
+
+=head1 INTERNALS
+
+The following description is based on the SSLeay documentation:
+
+The B<lhash> library implements a hash table described in the
+I<Communications of the ACM> in 1991.  What makes this hash table
+different is that as the table fills, the hash table is increased (or
+decreased) in size via Realloc().  When a 'resize' is done, instead of
+all hashes being redistributed over twice as many 'buckets', one
+bucket is split.  So when an 'expand' is done, there is only a minimal
+cost to redistribute some values.  Subsequent inserts will cause more
+single 'bucket' redistributions but there will never be a sudden large
+cost due to redistributing all the 'buckets'.
+
+The state for a particular hash table is kept in the B<LHASH> structure.
+The decision to increase or decrease the hash table size is made
+depending on the 'load' of the hash table.  The load is the number of
+items in the hash table divided by the size of the hash table.  The
+default values are as follows.  If (hash->up_load E<lt> load) =E<gt>
+expand.  if (hash-E<gt>down_load E<gt> load) =E<gt> contract.  The
+B<up_load> has a default value of 1 and B<down_load> has a default value
+of 2.  These numbers can be modified by the application by just
+playing with the B<up_load> and B<down_load> variables.  The 'load' is
+kept in a form which is multiplied by 256.  So
+hash-E<gt>up_load=8*256; will cause a load of 8 to be set.
+
+If you are interested in performance the field to watch is
+num_comp_calls.  The hash library keeps track of the 'hash' value for
+each item so when a lookup is done, the 'hashes' are compared, if
+there is a match, then a full compare is done, and
+hash-E<gt>num_comp_calls is incremented.  If num_comp_calls is not equal
+to num_delete plus num_retrieve it means that your hash function is
+generating hashes that are the same for different values.  It is
+probably worth changing your hash function if this is the case because
+even if your hash table has 10 items in a 'bucket', it can be searched
+with 10 B<unsigned long> compares and 10 linked list traverses.  This
+will be much less expensive that 10 calls to you compare function.
+
+lh_strhash() is a demo string hashing function:
+
+ unsigned long lh_strhash(const char *c);
+
+Since the B<LHASH> routines would normally be passed structures, this
+routine would not normally be passed to lh_new(), rather it would be
+used in the function passed to lh_new().
+
+=head1 SEE ALSO
+
+L<lh_stats(3)|lh_stats(3)>
+
+=head1 HISTORY
+
+The B<lhash> library is available in all versions of SSLeay and OpenSSL.
+lh_error() was added in SSLeay 0.9.1b.
+
+This manpage is derived from the SSLeay documentation.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/md5.pod b/src/lib/libssl/src/doc/crypto/md5.pod
new file mode 100644
index 0000000000..d7c120023d
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/md5.pod
@@ -0,0 +1,85 @@
+=pod
+
+=head1 NAME
+
+MD2, MD5, MD2_Init, MD2_Update, MD2_Final, MD5_Init, MD5_Update,
+MD5_Final - MD2 and MD5 hash functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/md2.h>
+
+ unsigned char *MD2(const unsigned char *d, unsigned long n,
+                  unsigned char *md);
+
+ void MD2_Init(MD2_CTX *c);
+ void MD2_Update(MD2_CTX *c, const unsigned char *data,
+                  unsigned long len);
+ void MD2_Final(unsigned char *md, MD2_CTX *c);
+
+
+ #include <openssl/md5.h>
+
+ unsigned char *MD5(const unsigned char *d, unsigned long n,
+                  unsigned char *md);
+
+ void MD5_Init(MD5_CTX *c);
+ void MD5_Update(MD5_CTX *c, const void *data,
+                  unsigned long len);
+ void MD5_Final(unsigned char *md, MD5_CTX *c);
+
+=head1 DESCRIPTION
+
+MD2 and MD5 are cryptographic hash functions with a 128 bit output.
+
+MD2() and MD5() compute the MD2 and MD5 message digest of the B<n>
+bytes at B<d> and place it in B<md> (which must have space for
+MD2_DIGEST_LENGTH == MD5_DIGEST_LENGTH == 16 bytes of output). If
+B<md> is NULL, the digest is placed in a static array.
+
+The following functions may be used if the message is not completely
+stored in memory:
+
+MD2_Init() initializes a B<MD2_CTX> structure.
+
+MD2_Update() can be called repeatedly with chunks of the message to
+be hashed (B<len> bytes at B<data>).
+
+MD2_Final() places the message digest in B<md>, which must have space
+for MD2_DIGEST_LENGTH == 16 bytes of output, and erases the B<MD2_CTX>.
+
+MD5_Init(), MD5_Update() and MD5_Final() are analogous using an
+B<MD5_CTX> structure.
+
+Applications should use the higher level functions
+L<EVP_DigestInit(3)|EVP_DigestInit(3)>
+etc. instead of calling the hash functions directly.
+
+=head1 NOTE
+
+MD2 and MD5 are recommended only for compatibility with existing
+applications. In new applications, SHA-1 or RIPEMD-160 should be
+preferred.
+
+=head1 RETURN VALUES
+
+MD2() and MD5() return pointers to the hash value. 
+
+MD2_Init(), MD2_Update() MD2_Final(), MD5_Init(), MD5_Update() and
+MD5_Final() do not return values.
+
+=head1 CONFORMING TO
+
+RFC 1319, RFC 1321
+
+=head1 SEE ALSO
+
+L<sha(3)|sha(3)>, L<ripemd(3)|ripemd(3)>, L<EVP_DigestInit(3)|EVP_DigestInit(3)>
+
+=head1 HISTORY
+
+MD2(), MD2_Init(), MD2_Update() MD2_Final(), MD5(), MD5_Init(),
+MD5_Update() and MD5_Final() are available in all versions of SSLeay
+and OpenSSL.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/mdc2.pod b/src/lib/libssl/src/doc/crypto/mdc2.pod
new file mode 100644
index 0000000000..11dc303e04
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/mdc2.pod
@@ -0,0 +1,64 @@
+=pod
+
+=head1 NAME
+
+MDC2, MDC2_Init, MDC2_Update, MDC2_Final - MDC2 hash function
+
+=head1 SYNOPSIS
+
+ #include <openssl/mdc2.h>
+
+ unsigned char *MDC2(const unsigned char *d, unsigned long n,
+                  unsigned char *md);
+
+ void MDC2_Init(MDC2_CTX *c);
+ void MDC2_Update(MDC2_CTX *c, const unsigned char *data,
+                  unsigned long len);
+ void MDC2_Final(unsigned char *md, MDC2_CTX *c);
+
+=head1 DESCRIPTION
+
+MDC2 is a method to construct hash functions with 128 bit output from
+block ciphers.  These functions are an implementation of MDC2 with
+DES.
+
+MDC2() computes the MDC2 message digest of the B<n>
+bytes at B<d> and places it in B<md> (which must have space for
+MDC2_DIGEST_LENGTH == 16 bytes of output). If B<md> is NULL, the digest
+is placed in a static array.
+
+The following functions may be used if the message is not completely
+stored in memory:
+
+MDC2_Init() initializes a B<MDC2_CTX> structure.
+
+MDC2_Update() can be called repeatedly with chunks of the message to
+be hashed (B<len> bytes at B<data>).
+
+MDC2_Final() places the message digest in B<md>, which must have space
+for MDC2_DIGEST_LENGTH == 16 bytes of output, and erases the B<MDC2_CTX>.
+
+Applications should use the higher level functions
+L<EVP_DigestInit(3)|EVP_DigestInit(3)> etc. instead of calling the
+hash functions directly.
+
+=head1 RETURN VALUES
+
+MDC2() returns a pointer to the hash value. 
+
+MDC2_Init(), MDC2_Update() and MDC2_Final() do not return values.
+
+=head1 CONFORMING TO
+
+ISO/IEC 10118-2, with DES
+
+=head1 SEE ALSO
+
+L<sha(3)|sha(3)>, L<EVP_DigestInit(3)|EVP_DigestInit(3)>
+
+=head1 HISTORY
+
+MDC2(), MDC2_Init(), MDC2_Update() and MDC2_Final() are available since
+SSLeay 0.8.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/pem.pod b/src/lib/libssl/src/doc/crypto/pem.pod
new file mode 100644
index 0000000000..a4f8cc3337
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/pem.pod
@@ -0,0 +1,476 @@
+=pod
+
+=head1 NAME
+
+PEM - PEM routines
+
+=head1 SYNOPSIS
+
+ #include <openssl/pem.h>
+
+ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x,
+                                        pem_password_cb *cb, void *u);
+
+ EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x,
+                                        pem_password_cb *cb, void *u);
+
+ int PEM_write_bio_PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
+                                        unsigned char *kstr, int klen,
+                                        pem_password_cb *cb, void *u);
+
+ int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
+                                        unsigned char *kstr, int klen,
+                                        pem_password_cb *cb, void *u);
+
+ int PEM_write_bio_PKCS8PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
+                                        char *kstr, int klen,
+                                        pem_password_cb *cb, void *u);
+
+ int PEM_write_PKCS8PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
+                                        char *kstr, int klen,
+                                        pem_password_cb *cb, void *u);
+
+ int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, EVP_PKEY *x, int nid,
+                                        char *kstr, int klen,
+                                        pem_password_cb *cb, void *u);
+
+ int PEM_write_PKCS8PrivateKey_nid(FILE *fp, EVP_PKEY *x, int nid,
+                                        char *kstr, int klen,
+                                        pem_password_cb *cb, void *u);
+
+ EVP_PKEY *PEM_read_bio_PUBKEY(BIO *bp, EVP_PKEY **x,
+                                        pem_password_cb *cb, void *u);
+
+ EVP_PKEY *PEM_read_PUBKEY(FILE *fp, EVP_PKEY **x,
+                                        pem_password_cb *cb, void *u);
+
+ int PEM_write_bio_PUBKEY(BIO *bp, EVP_PKEY *x);
+ int PEM_write_PUBKEY(FILE *fp, EVP_PKEY *x);
+
+ RSA *PEM_read_bio_RSAPrivateKey(BIO *bp, RSA **x,
+                                        pem_password_cb *cb, void *u);
+
+ RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **x,
+                                        pem_password_cb *cb, void *u);
+
+ int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc,
+                                        unsigned char *kstr, int klen,
+                                        pem_password_cb *cb, void *u);
+
+ int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc,
+                                        unsigned char *kstr, int klen,
+                                        pem_password_cb *cb, void *u);
+
+ RSA *PEM_read_bio_RSAPublicKey(BIO *bp, RSA **x,
+                                        pem_password_cb *cb, void *u);
+
+ RSA *PEM_read_RSAPublicKey(FILE *fp, RSA **x,
+                                        pem_password_cb *cb, void *u);
+
+ int PEM_write_bio_RSAPublicKey(BIO *bp, RSA *x);
+
+ int PEM_write_RSAPublicKey(FILE *fp, RSA *x);
+
+ RSA *PEM_read_bio_RSA_PUBKEY(BIO *bp, RSA **x,
+                                        pem_password_cb *cb, void *u);
+
+ RSA *PEM_read_RSA_PUBKEY(FILE *fp, RSA **x,
+                                        pem_password_cb *cb, void *u);
+
+ int PEM_write_bio_RSA_PUBKEY(BIO *bp, RSA *x);
+
+ int PEM_write_RSA_PUBKEY(FILE *fp, RSA *x);
+
+ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **x,
+                                        pem_password_cb *cb, void *u);
+
+ DSA *PEM_read_DSAPrivateKey(FILE *fp, DSA **x,
+                                        pem_password_cb *cb, void *u);
+
+ int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc,
+                                        unsigned char *kstr, int klen,
+                                        pem_password_cb *cb, void *u);
+
+ int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc,
+                                        unsigned char *kstr, int klen,
+                                        pem_password_cb *cb, void *u);
+
+ DSA *PEM_read_bio_DSA_PUBKEY(BIO *bp, DSA **x,
+                                        pem_password_cb *cb, void *u);
+
+ DSA *PEM_read_DSA_PUBKEY(FILE *fp, DSA **x,
+                                        pem_password_cb *cb, void *u);
+
+ int PEM_write_bio_DSA_PUBKEY(BIO *bp, DSA *x);
+
+ int PEM_write_DSA_PUBKEY(FILE *fp, DSA *x);
+
+ DSA *PEM_read_bio_DSAparams(BIO *bp, DSA **x, pem_password_cb *cb, void *u);
+
+ DSA *PEM_read_DSAparams(FILE *fp, DSA **x, pem_password_cb *cb, void *u);
+
+ int PEM_write_bio_DSAparams(BIO *bp, DSA *x);
+
+ int PEM_write_DSAparams(FILE *fp, DSA *x);
+
+ DH *PEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u);
+
+ DH *PEM_read_DHparams(FILE *fp, DH **x, pem_password_cb *cb, void *u);
+
+ int PEM_write_bio_DHparams(BIO *bp, DH *x);
+
+ int PEM_write_DHparams(FILE *fp, DH *x);
+
+ X509 *PEM_read_bio_X509(BIO *bp, X509 **x, pem_password_cb *cb, void *u);
+
+ X509 *PEM_read_X509(FILE *fp, X509 **x, pem_password_cb *cb, void *u);
+
+ int PEM_write_bio_X509(BIO *bp, X509 *x);
+
+ int PEM_write_X509(FILE *fp, X509 *x);
+
+ X509 *PEM_read_bio_X509_AUX(BIO *bp, X509 **x, pem_password_cb *cb, void *u);
+
+ X509 *PEM_read_X509_AUX(FILE *fp, X509 **x, pem_password_cb *cb, void *u);
+
+ int PEM_write_bio_X509_AUX(BIO *bp, X509 *x);
+
+ int PEM_write_X509_AUX(FILE *fp, X509 *x);
+
+ X509_REQ *PEM_read_bio_X509_REQ(BIO *bp, X509_REQ **x,
+                                        pem_password_cb *cb, void *u);
+
+ X509_REQ *PEM_read_X509_REQ(FILE *fp, X509_REQ **x,
+                                        pem_password_cb *cb, void *u);
+
+ int PEM_write_bio_X509_REQ(BIO *bp, X509_REQ *x);
+
+ int PEM_write_X509_REQ(FILE *fp, X509_REQ *x);
+
+ int PEM_write_bio_X509_REQ_NEW(BIO *bp, X509_REQ *x);
+
+ int PEM_write_X509_REQ_NEW(FILE *fp, X509_REQ *x);
+
+ X509_CRL *PEM_read_bio_X509_CRL(BIO *bp, X509_CRL **x,
+                                        pem_password_cb *cb, void *u);
+ X509_CRL *PEM_read_X509_CRL(FILE *fp, X509_CRL **x,
+                                        pem_password_cb *cb, void *u);
+ int PEM_write_bio_X509_CRL(BIO *bp, X509_CRL *x);
+ int PEM_write_X509_CRL(FILE *fp, X509_CRL *x);
+
+ PKCS7 *PEM_read_bio_PKCS7(BIO *bp, PKCS7 **x, pem_password_cb *cb, void *u);
+
+ PKCS7 *PEM_read_PKCS7(FILE *fp, PKCS7 **x, pem_password_cb *cb, void *u);
+
+ int PEM_write_bio_PKCS7(BIO *bp, PKCS7 *x);
+
+ int PEM_write_PKCS7(FILE *fp, PKCS7 *x);
+
+ NETSCAPE_CERT_SEQUENCE *PEM_read_bio_NETSCAPE_CERT_SEQUENCE(BIO *bp,
+                                                NETSCAPE_CERT_SEQUENCE **x,
+                                                pem_password_cb *cb, void *u);
+
+ NETSCAPE_CERT_SEQUENCE *PEM_read_NETSCAPE_CERT_SEQUENCE(FILE *fp,
+                                                NETSCAPE_CERT_SEQUENCE **x,
+                                                pem_password_cb *cb, void *u);
+
+ int PEM_write_bio_NETSCAPE_CERT_SEQUENCE(BIO *bp, NETSCAPE_CERT_SEQUENCE *x);
+
+ int PEM_write_NETSCAPE_CERT_SEQUENCE(FILE *fp, NETSCAPE_CERT_SEQUENCE *x);
+
+=head1 DESCRIPTION
+
+The PEM functions read or write structures in PEM format. In
+this sense PEM format is simply base64 encoded data surrounded
+by header lines.
+
+For more details about the meaning of arguments see the
+B<PEM FUNCTION ARGUMENTS> section.
+
+Each operation has four functions associated with it. For
+clarity the term "B<foobar> functions" will be used to collectively
+refer to the PEM_read_bio_foobar(), PEM_read_foobar(),
+PEM_write_bio_foobar() and PEM_write_foobar() functions.
+
+The B<PrivateKey> functions read or write a private key in
+PEM format using an EVP_PKEY structure. The write routines use
+"traditional" private key format and can handle both RSA and DSA
+private keys. The read functions can additionally transparently
+handle PKCS#8 format encrypted and unencrypted keys too.
+
+PEM_write_bio_PKCS8PrivateKey() and PEM_write_PKCS8PrivateKey()
+write a private key in an EVP_PKEY structure in PKCS#8
+EncryptedPrivateKeyInfo format using PKCS#5 v2.0 password based encryption
+algorithms. The B<cipher> argument specifies the encryption algoritm to
+use: unlike all other PEM routines the encryption is applied at the
+PKCS#8 level and not in the PEM headers. If B<cipher> is NULL then no
+encryption is used and a PKCS#8 PrivateKeyInfo structure is used instead.
+
+PEM_write_bio_PKCS8PrivateKey_nid() and PEM_write_PKCS8PrivateKey_nid()
+also write out a private key as a PKCS#8 EncryptedPrivateKeyInfo however
+it uses PKCS#5 v1.5 or PKCS#12 encryption algorithms instead. The algorithm
+to use is specified in the B<nid> parameter and should be the NID of the
+corresponding OBJECT IDENTIFIER (see NOTES section).
+
+The B<PUBKEY> functions process a public key using an EVP_PKEY
+structure. The public key is encoded as a SubjectPublicKeyInfo
+structure.
+
+The B<RSAPrivateKey> functions process an RSA private key using an
+RSA structure. It handles the same formats as the B<PrivateKey>
+functions but an error occurs if the private key is not RSA.
+
+The B<RSAPublicKey> functions process an RSA public key using an
+RSA structure. The public key is encoded using a PKCS#1 RSAPublicKey
+structure.
+
+The B<RSA_PUBKEY> functions also process an RSA public key using
+an RSA structure. However the public key is encoded using a
+SubjectPublicKeyInfo structure and an error occurs if the public
+key is not RSA.
+
+The B<DSAPrivateKey> functions process a DSA private key using a
+DSA structure. It handles the same formats as the B<PrivateKey>
+functions but an error occurs if the private key is not DSA.
+
+The B<DSA_PUBKEY> functions process a DSA public key using
+a DSA structure. The public key is encoded using a
+SubjectPublicKeyInfo structure and an error occurs if the public
+key is not DSA.
+
+The B<DSAparams> functions process DSA parameters using a DSA
+structure. The parameters are encoded using a foobar structure.
+
+The B<DHparams> functions process DH parameters using a DH
+structure. The parameters are encoded using a PKCS#3 DHparameter
+structure.
+
+The B<X509> functions process an X509 certificate using an X509
+structure. They will also process a trusted X509 certificate but
+any trust settings are discarded.
+
+The B<X509_AUX> functions process a trusted X509 certificate using
+an X509 structure. 
+
+The B<X509_REQ> and B<X509_REQ_NEW> functions process a PKCS#10
+certificate request using an X509_REQ structure. The B<X509_REQ>
+write functions use B<CERTIFICATE REQUEST> in the header whereas
+the B<X509_REQ_NEW> functions use B<NEW CERTIFICATE REQUEST>
+(as required by some CAs). The B<X509_REQ> read functions will
+handle either form so there are no B<X509_REQ_NEW> read functions.
+
+The B<X509_CRL> functions process an X509 CRL using an X509_CRL
+structure.
+
+The B<PKCS7> functions process a PKCS#7 ContentInfo using a PKCS7
+structure.
+
+The B<NETSCAPE_CERT_SEQUENCE> functions process a Netscape Certificate
+Sequence using a NETSCAPE_CERT_SEQUENCE structure.
+
+=head1 PEM FUNCTION ARGUMENTS
+
+The PEM functions have many common arguments.
+
+The B<bp> BIO parameter (if present) specifies the BIO to read from
+or write to.
+
+The B<fp> FILE parameter (if present) specifies the FILE pointer to
+read from or write to.
+
+The PEM read functions all take an argument B<TYPE **x> and return
+a B<TYPE *> pointer. Where B<TYPE> is whatever structure the function
+uses. If B<x> is NULL then the parameter is ignored. If B<x> is not
+NULL but B<*x> is NULL then the structure returned will be written
+to B<*x>. If neither B<x> nor B<*x> is NULL then an attempt is made
+to reuse the structure at B<*x> (but see BUGS and EXAMPLES sections).
+Irrespective of the value of B<x> a pointer to the structure is always
+returned (or NULL if an error occurred).
+
+The PEM functions which write private keys take an B<enc> parameter
+which specifies the encryption algorithm to use, encryption is done
+at the PEM level. If this parameter is set to NULL then the private
+key is written in unencrypted form.
+
+The B<cb> argument is the callback to use when querying for the pass
+phrase used for encrypted PEM structures (normally only private keys).
+
+For the PEM write routines if the B<kstr> parameter is not NULL then
+B<klen> bytes at B<kstr> are used as the passphrase and B<cb> is
+ignored.
+
+If the B<cb> parameters is set to NULL and the B<u> parameter is not
+NULL then the B<u> parameter is interpreted as a null terminated string
+to use as the passphrase. If both B<cb> and B<u> are NULL then the
+default callback routine is used which will typically prompt for the
+passphrase on the current terminal with echoing turned off.
+
+The default passphrase callback is sometimes inappropriate (for example
+in a GUI application) so an alternative can be supplied. The callback
+routine has the following form:
+
+ int cb(char *buf, int size, int rwflag, void *u);
+
+B<buf> is the buffer to write the passphrase to. B<size> is the maximum
+length of the passphrase (i.e. the size of buf). B<rwflag> is a flag
+which is set to 0 when reading and 1 when writing. A typical routine
+will ask the user to verify the passphrase (for example by prompting
+for it twice) if B<rwflag> is 1. The B<u> parameter has the same
+value as the B<u> parameter passed to the PEM routine. It allows
+arbitrary data to be passed to the callback by the application
+(for example a window handle in a GUI application). The callback
+B<must> return the number of characters in the passphrase or 0 if
+an error occurred.
+
+=head1 EXAMPLES
+
+Although the PEM routines take several arguments in almost all applications
+most of them are set to 0 or NULL.
+
+Read a certificate in PEM format from a BIO:
+
+ X509 *x;
+ x = PEM_read_bio(bp, NULL, 0, NULL);
+ if (x == NULL)
+        {
+        /* Error */
+        }
+
+Alternative method:
+
+ X509 *x = NULL;
+ if (!PEM_read_bio_X509(bp, &x, 0, NULL))
+        {
+        /* Error */
+        }
+
+Write a certificate to a BIO:
+
+ if (!PEM_write_bio_X509(bp, x))
+        {
+        /* Error */
+        }
+
+Write an unencrypted private key to a FILE pointer:
+
+ if (!PEM_write_PrivateKey(fp, key, NULL, NULL, 0, 0, NULL))
+        {
+        /* Error */
+        }
+
+Write a private key (using traditional format) to a BIO using
+triple DES encryption, the pass phrase is prompted for:
+
+ if (!PEM_write_bio_PrivateKey(bp, key, EVP_des_ede3_cbc(), NULL, 0, 0, NULL))
+        {
+        /* Error */
+        }
+
+Write a private key (using PKCS#8 format) to a BIO using triple
+DES encryption, using the pass phrase "hello":
+
+ if (!PEM_write_bio_PKCS8PrivateKey(bp, key, EVP_des_ede3_cbc(), NULL, 0, 0, "hello"))
+        {
+        /* Error */
+        }
+
+Read a private key from a BIO using the pass phrase "hello":
+
+ key = PEM_read_bio_PrivateKey(bp, NULL, 0, "hello");
+ if (key == NULL)
+        {
+        /* Error */
+        }
+
+Read a private key from a BIO using a pass phrase callback:
+
+ key = PEM_read_bio_PrivateKey(bp, NULL, pass_cb, "My Private Key");
+ if (key == NULL)
+        {
+        /* Error */
+        }
+
+Skeleton pass phrase callback:
+
+ int pass_cb(char *buf, int size, int rwflag, void *u);
+        {
+        int len;
+        char *tmp;
+        /* We'd probably do something else if 'rwflag' is 1 */
+        printf("Enter pass phrase for \"%s\"\n", u);
+
+        /* get pass phrase, length 'len' into 'tmp' */
+        tmp = "hello";
+        len = strlen(tmp);
+
+        if (len <= 0) return 0;
+        /* if too long, truncate */
+        if (len > size) len = size;
+        memcpy(buf, tmp, len);
+        return len;
+        }
+
+=head1 NOTES
+
+The old B<PrivateKey> write routines are retained for compatibility.
+New applications should write private keys using the
+PEM_write_bio_PKCS8PrivateKey() or PEM_write_PKCS8PrivateKey() routines
+because they are more secure (they use an iteration count of 2048 whereas
+the traditional routines use a count of 1) unless compatibility with older
+versions of OpenSSL is important.
+
+The B<PrivateKey> read routines can be used in all applications because
+they handle all formats transparently.
+
+A frequent cause of problems is attempting to use the PEM routines like
+this:
+
+ X509 *x;
+ PEM_read_bio_X509(bp, &x, 0, NULL);
+
+this is a bug because an attempt will be made to reuse the data at B<x>
+which is an uninitialised pointer.
+
+=head1 PEM ENCRYPTION FORMAT
+
+This old B<PrivateKey> routines use a non standard technique for encryption.
+
+The private key (or other data) takes the following form: 
+
+ -----BEGIN RSA PRIVATE KEY-----
+ Proc-Type: 4,ENCRYPTED
+ DEK-Info: DES-EDE3-CBC,3F17F5316E2BAC89
+
+ ...base64 encoded data...
+ -----END RSA PRIVATE KEY-----
+
+The line beginning DEK-Info contains two comma separated pieces of information:
+the encryption algorithm name as used by EVP_get_cipherbyname() and an 8
+byte B<salt> encoded as a set of hexadecimal digits.
+
+After this is the base64 encoded encrypted data.
+
+The encryption key is determined using EVP_bytestokey(), using B<salt> and an
+iteration count of 1. The IV used is the value of B<salt> and *not* the IV
+returned by EVP_bytestokey().
+
+=head1 BUGS
+
+The PEM read routines in some versions of OpenSSL will not correctly reuse
+an existing structure. Therefore the following:
+
+ PEM_read_bio(bp, &x, 0, NULL);
+
+where B<x> already contains a valid certificate, may not work, whereas: 
+
+ X509_free(x);
+ x = PEM_read_bio(bp, NULL, 0, NULL);
+
+is guaranteed to work.
+
+=head1 RETURN CODES
+
+The read routines return either a pointer to the structure read or NULL
+is an error occurred.
+
+The write routines return 1 for success or 0 for failure.
diff --git a/src/lib/libssl/src/doc/crypto/rand.pod b/src/lib/libssl/src/doc/crypto/rand.pod
new file mode 100644
index 0000000000..295b681050
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/rand.pod
@@ -0,0 +1,158 @@
+=pod
+
+=head1 NAME
+
+rand - pseudo-random number generator
+
+=head1 SYNOPSIS
+
+ #include <openssl/rand.h>
+
+ int  RAND_bytes(unsigned char *buf,int num);
+ int  RAND_pseudo_bytes(unsigned char *buf,int num);
+
+ void RAND_seed(const void *buf,int num);
+ void RAND_add(const void *buf,int num,int entropy);
+ int  RAND_status(void);
+ void RAND_screen(void);
+
+ int  RAND_load_file(const char *file,long max_bytes);
+ int  RAND_write_file(const char *file);
+ const char *RAND_file_name(char *file,int num);
+
+ int  RAND_egd(const char *path);
+
+ void RAND_set_rand_method(RAND_METHOD *meth);
+ RAND_METHOD *RAND_get_rand_method(void);
+ RAND_METHOD *RAND_SSLeay(void);
+
+ void RAND_cleanup(void);
+
+=head1 DESCRIPTION
+
+These functions implement a cryptographically secure pseudo-random
+number generator (PRNG). It is used by other library functions for
+example to generate random keys, and applications can use it when they
+need randomness.
+
+A cryptographic PRNG must be seeded with unpredictable data such as
+mouse movements or keys pressed at random by the user. This is
+described in L<RAND_add(3)|RAND_add(3)>. Its state can be saved in a seed file
+(see L<RAND_load_file(3)|RAND_load_file(3)>) to avoid having to go through the
+seeding process whenever the application is started.
+
+L<RAND_bytes(3)|RAND_bytes(3)> describes how to obtain random data from the
+PRNG. 
+
+=head1 INTERNALS
+
+The RAND_SSLeay() method implements a PRNG based on a cryptographic
+hash function.
+
+The following description of its design is based on the SSLeay
+documentation:
+
+First up I will state the things I believe I need for a good RNG.
+
+=over 4
+
+=item 1
+
+A good hashing algorithm to mix things up and to convert the RNG 'state'
+to random numbers.
+
+=item 2
+
+An initial source of random 'state'.
+
+=item 3
+
+The state should be very large.  If the RNG is being used to generate
+4096 bit RSA keys, 2 2048 bit random strings are required (at a minimum).
+If your RNG state only has 128 bits, you are obviously limiting the
+search space to 128 bits, not 2048.  I'm probably getting a little
+carried away on this last point but it does indicate that it may not be
+a bad idea to keep quite a lot of RNG state.  It should be easier to
+break a cipher than guess the RNG seed data.
+
+=item 4
+
+Any RNG seed data should influence all subsequent random numbers
+generated.  This implies that any random seed data entered will have
+an influence on all subsequent random numbers generated.
+
+=item 5
+
+When using data to seed the RNG state, the data used should not be
+extractable from the RNG state.  I believe this should be a
+requirement because one possible source of 'secret' semi random
+data would be a private key or a password.  This data must
+not be disclosed by either subsequent random numbers or a
+'core' dump left by a program crash.
+
+=item 6
+
+Given the same initial 'state', 2 systems should deviate in their RNG state
+(and hence the random numbers generated) over time if at all possible.
+
+=item 7
+
+Given the random number output stream, it should not be possible to determine
+the RNG state or the next random number.
+
+=back
+
+The algorithm is as follows.
+
+There is global state made up of a 1023 byte buffer (the 'state'), a
+working hash value ('md'), and a counter ('count').
+
+Whenever seed data is added, it is inserted into the 'state' as
+follows.
+
+The input is chopped up into units of 20 bytes (or less for
+the last block).  Each of these blocks is run through the hash
+function as follows:  The data passed to the hash function
+is the current 'md', the same number of bytes from the 'state'
+(the location determined by in incremented looping index) as
+the current 'block', the new key data 'block', and 'count'
+(which is incremented after each use).
+The result of this is kept in 'md' and also xored into the
+'state' at the same locations that were used as input into the
+hash function. I
+believe this system addresses points 1 (hash function; currently
+SHA-1), 3 (the 'state'), 4 (via the 'md'), 5 (by the use of a hash
+function and xor).
+
+When bytes are extracted from the RNG, the following process is used.
+For each group of 10 bytes (or less), we do the following:
+
+Input into the hash function the top 10 bytes from the local 'md'
+(which is initialized from the global 'md' before any bytes are
+generated), the bytes that are to be overwritten by the random bytes,
+and bytes from the 'state' (incrementing looping index). From this
+digest output (which is kept in 'md'), the top (up to) 10 bytes are
+returned to the caller and the bottom (up to) 10 bytes are xored into
+the 'state'.
+
+Finally, after we have finished 'num' random bytes for the caller,
+'count' (which is incremented) and the local and global 'md' are fed
+into the hash function and the results are kept in the global 'md'.
+
+I believe the above addressed points 1 (use of SHA-1), 6 (by hashing
+into the 'state' the 'old' data from the caller that is about to be
+overwritten) and 7 (by not using the 10 bytes given to the caller to
+update the 'state', but they are used to update 'md').
+
+So of the points raised, only 2 is not addressed (but see
+L<RAND_add(3)|RAND_add(3)>).
+
+=head1 SEE ALSO
+
+L<BN_rand(3)|BN_rand(3)>, L<RAND_add(3)|RAND_add(3)>,
+L<RAND_load_file(3)|RAND_load_file(3)>, L<RAND_egd(3)|RAND_egd(3)>,
+L<RAND_bytes(3)|RAND_bytes(3)>,
+L<RAND_set_rand_method(3)|RAND_set_rand_method(3)>,
+L<RAND_cleanup(3)|RAND_cleanup(3)> 
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/rc4.pod b/src/lib/libssl/src/doc/crypto/rc4.pod
new file mode 100644
index 0000000000..b6d3a4342c
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/rc4.pod
@@ -0,0 +1,62 @@
+=pod
+
+=head1 NAME
+
+RC4_set_key, RC4 - RC4 encryption
+
+=head1 SYNOPSIS
+
+ #include <openssl/rc4.h>
+
+ void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
+
+ void RC4(RC4_KEY *key, unsigned long len, const unsigned char *indata,
+          unsigned char *outdata);
+
+=head1 DESCRIPTION
+
+This library implements the Alleged RC4 cipher, which is described for
+example in I<Applied Cryptography>.  It is believed to be compatible
+with RC4[TM], a proprietary cipher of RSA Security Inc.
+
+RC4 is a stream cipher with variable key length.  Typically, 128 bit
+(16 byte) keys are used for strong encryption, but shorter insecure
+key sizes have been widely used due to export restrictions.
+
+RC4 consists of a key setup phase and the actual encryption or
+decryption phase.
+
+RC4_set_key() sets up the B<RC4_KEY> B<key> using the B<len> bytes long
+key at B<data>.
+
+RC4() encrypts or decrypts the B<len> bytes of data at B<indata> using
+B<key> and places the result at B<outdata>.  Repeated RC4() calls with
+the same B<key> yield a continuous key stream.
+
+Since RC4 is a stream cipher (the input is XORed with a pseudo-random
+key stream to produce the output), decryption uses the same function
+calls as encryption.
+
+Applications should use the higher level functions
+L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>
+etc. instead of calling the RC4 functions directly.
+
+=head1 RETURN VALUES
+
+RC4_set_key() and RC4() do not return values.
+
+=head1 NOTE
+
+Certain conditions have to be observed to securely use stream ciphers.
+It is not permissible to perform multiple encryptions using the same
+key stream.
+
+=head1 SEE ALSO
+
+L<blowfish(3)|blowfish(3)>, L<des(3)|des(3)>, L<rc2(3)|rc2(3)>
+
+=head1 HISTORY
+
+RC4_set_key() and RC4() are available in all versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/ripemd.pod b/src/lib/libssl/src/doc/crypto/ripemd.pod
new file mode 100644
index 0000000000..31054b6a8c
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/ripemd.pod
@@ -0,0 +1,66 @@
+=pod
+
+=head1 NAME
+
+RIPEMD160, RIPEMD160_Init, RIPEMD160_Update, RIPEMD160_Final -
+RIPEMD-160 hash function
+
+=head1 SYNOPSIS
+
+ #include <openssl/ripemd.h>
+
+ unsigned char *RIPEMD160(const unsigned char *d, unsigned long n,
+                  unsigned char *md);
+
+ void RIPEMD160_Init(RIPEMD160_CTX *c);
+ void RIPEMD160_Update(RIPEMD_CTX *c, const void *data,
+                  unsigned long len);
+ void RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c);
+
+=head1 DESCRIPTION
+
+RIPEMD-160 is a cryptographic hash function with a
+160 bit output.
+
+RIPEMD160() computes the RIPEMD-160 message digest of the B<n>
+bytes at B<d> and places it in B<md> (which must have space for
+RIPEMD160_DIGEST_LENGTH == 20 bytes of output). If B<md> is NULL, the digest
+is placed in a static array.
+
+The following functions may be used if the message is not completely
+stored in memory:
+
+RIPEMD160_Init() initializes a B<RIPEMD160_CTX> structure.
+
+RIPEMD160_Update() can be called repeatedly with chunks of the message to
+be hashed (B<len> bytes at B<data>).
+
+RIPEMD160_Final() places the message digest in B<md>, which must have
+space for RIPEMD160_DIGEST_LENGTH == 20 bytes of output, and erases
+the B<RIPEMD160_CTX>.
+
+Applications should use the higher level functions
+L<EVP_DigestInit(3)|EVP_DigestInit(3)> etc. instead of calling the
+hash functions directly.
+
+=head1 RETURN VALUES
+
+RIPEMD160() returns a pointer to the hash value. 
+
+RIPEMD160_Init(), RIPEMD160_Update() and RIPEMD160_Final() do not
+return values.
+
+=head1 CONFORMING TO
+
+ISO/IEC 10118-3 (draft) (??)
+
+=head1 SEE ALSO
+
+L<sha(3)|sha(3)>, L<hmac(3)|hmac(3)>, L<EVP_DigestInit(3)|EVP_DigestInit(3)>
+
+=head1 HISTORY
+
+RIPEMD160(), RIPEMD160_Init(), RIPEMD160_Update() and
+RIPEMD160_Final() are available since SSLeay 0.9.0.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/rsa.pod b/src/lib/libssl/src/doc/crypto/rsa.pod
new file mode 100644
index 0000000000..0486c044a6
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/rsa.pod
@@ -0,0 +1,115 @@
+=pod
+
+=head1 NAME
+
+rsa - RSA public key cryptosystem
+
+=head1 SYNOPSIS
+
+ #include <openssl/rsa.h>
+
+ RSA * RSA_new(void);
+ void RSA_free(RSA *rsa);
+
+ int RSA_public_encrypt(int flen, unsigned char *from,
+    unsigned char *to, RSA *rsa, int padding);
+ int RSA_private_decrypt(int flen, unsigned char *from,
+    unsigned char *to, RSA *rsa, int padding);
+
+ int RSA_sign(int type, unsigned char *m, unsigned int m_len,
+    unsigned char *sigret, unsigned int *siglen, RSA *rsa);
+ int RSA_verify(int type, unsigned char *m, unsigned int m_len,
+    unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
+
+ int RSA_size(RSA *rsa);
+
+ RSA *RSA_generate_key(int num, unsigned long e,
+    void (*callback)(int,int,void *), void *cb_arg);
+
+ int RSA_check_key(RSA *rsa);
+
+ int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
+ void RSA_blinding_off(RSA *rsa);
+
+ void RSA_set_default_method(RSA_METHOD *meth);
+ RSA_METHOD *RSA_get_default_method(void);
+ RSA_METHOD *RSA_set_method(RSA *rsa, RSA_METHOD *meth);
+ RSA_METHOD *RSA_get_method(RSA *rsa);
+ RSA_METHOD *RSA_PKCS1_SSLeay(void);
+ RSA_METHOD *RSA_PKCS1_RSAref(void);
+ RSA_METHOD *RSA_null_method(void);
+ int RSA_flags(RSA *rsa);
+ RSA *RSA_new_method(RSA_METHOD *method);
+
+ int RSA_print(BIO *bp, RSA *x, int offset);
+ int RSA_print_fp(FILE *fp, RSA *x, int offset);
+
+ int RSA_get_ex_new_index(long argl, char *argp, int (*new_func)(),
+    int (*dup_func)(), void (*free_func)());
+ int RSA_set_ex_data(RSA *r,int idx,char *arg);
+ char *RSA_get_ex_data(RSA *r, int idx);
+
+ int RSA_private_encrypt(int flen, unsigned char *from,
+    unsigned char *to, RSA *rsa,int padding);
+ int RSA_public_decrypt(int flen, unsigned char *from, 
+    unsigned char *to, RSA *rsa,int padding);
+
+ int RSA_sign_ASN1_OCTET_STRING(int dummy, unsigned char *m,
+    unsigned int m_len, unsigned char *sigret, unsigned int *siglen,
+    RSA *rsa);
+ int RSA_verify_ASN1_OCTET_STRING(int dummy, unsigned char *m,
+    unsigned int m_len, unsigned char *sigbuf, unsigned int siglen,
+    RSA *rsa);
+
+=head1 DESCRIPTION
+
+These functions implement RSA public key encryption and signatures
+as defined in PKCS #1 v2.0 [RFC 2437].
+
+The B<RSA> structure consists of several BIGNUM components. It can
+contain public as well as private RSA keys:
+
+ struct
+        {
+        BIGNUM *n;              // public modulus
+        BIGNUM *e;              // public exponent
+        BIGNUM *d;              // private exponent
+        BIGNUM *p;              // secret prime factor
+        BIGNUM *q;              // secret prime factor
+        BIGNUM *dmp1;           // d mod (p-1)
+        BIGNUM *dmq1;           // d mod (q-1)
+        BIGNUM *iqmp;           // q^-1 mod p
+        // ...
+        };
+ RSA
+
+In public keys, the private exponent and the related secret values are
+B<NULL>.
+
+B<dmp1>, B<dmq1> and B<iqmp> may be B<NULL> in private keys, but the
+RSA operations are much faster when these values are available.
+
+=head1 CONFORMING TO
+
+SSL, PKCS #1 v2.0
+
+=head1 PATENTS
+
+RSA is covered by a US patent which expires in September 2000.
+
+=head1 SEE ALSO
+
+L<rsa(1)|rsa(1)>, L<bn(3)|bn(3)>, L<dsa(3)|dsa(3)>, L<dh(3)|dh(3)>,
+L<rand(3)|rand(3)>, L<RSA_new(3)|RSA_new(3)>,
+L<RSA_public_encrypt(3)|RSA_public_encrypt(3)>,
+L<RSA_sign(3)|RSA_sign(3)>, L<RSA_size(3)|RSA_size(3)>,
+L<RSA_generate_key(3)|RSA_generate_key(3)>,
+L<RSA_check_key(3)|RSA_check_key(3)>,
+L<RSA_blinding_on(3)|RSA_blinding_on(3)>,
+L<RSA_set_method(3)|RSA_set_method(3)>, L<RSA_print(3)|RSA_print(3)>,
+L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>,
+L<RSA_private_encrypt(3)|RSA_private_encrypt(3)>,
+L<RSA_sign_ASN_OCTET_STRING(3)|RSA_sign_ASN_OCTET_STRING(3)>,
+L<RSA_padding_add_PKCS1_type_1(3)|RSA_padding_add_PKCS1_type_1(3)> 
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/sha.pod b/src/lib/libssl/src/doc/crypto/sha.pod
new file mode 100644
index 0000000000..0ba315d6d7
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/sha.pod
@@ -0,0 +1,70 @@
+=pod
+
+=head1 NAME
+
+SHA1, SHA1_Init, SHA1_Update, SHA1_Final - Secure Hash Algorithm
+
+=head1 SYNOPSIS
+
+ #include <openssl/sha.h>
+
+ unsigned char *SHA1(const unsigned char *d, unsigned long n,
+                  unsigned char *md);
+
+ void SHA1_Init(SHA_CTX *c);
+ void SHA1_Update(SHA_CTX *c, const void *data,
+                  unsigned long len);
+ void SHA1_Final(unsigned char *md, SHA_CTX *c);
+
+=head1 DESCRIPTION
+
+SHA-1 (Secure Hash Algorithm) is a cryptographic hash function with a
+160 bit output.
+
+SHA1() computes the SHA-1 message digest of the B<n>
+bytes at B<d> and places it in B<md> (which must have space for
+SHA_DIGEST_LENGTH == 20 bytes of output). If B<md> is NULL, the digest
+is placed in a static array.
+
+The following functions may be used if the message is not completely
+stored in memory:
+
+SHA1_Init() initializes a B<SHA_CTX> structure.
+
+SHA1_Update() can be called repeatedly with chunks of the message to
+be hashed (B<len> bytes at B<data>).
+
+SHA1_Final() places the message digest in B<md>, which must have space
+for SHA_DIGEST_LENGTH == 20 bytes of output, and erases the B<SHA_CTX>.
+
+Applications should use the higher level functions
+L<EVP_DigestInit(3)|EVP_DigestInit(3)>
+etc. instead of calling the hash functions directly.
+
+The predecessor of SHA-1, SHA, is also implemented, but it should be
+used only when backward compatibility is required.
+
+=head1 RETURN VALUES
+
+SHA1() returns a pointer to the hash value. 
+
+SHA1_Init(), SHA1_Update() and SHA1_Final() do not return values.
+
+=head1 CONFORMING TO
+
+SHA: US Federal Information Processing Standard FIPS PUB 180 (Secure Hash
+Standard),
+SHA-1: US Federal Information Processing Standard FIPS PUB 180-1 (Secure Hash
+Standard),
+ANSI X9.30
+
+=head1 SEE ALSO
+
+L<ripemd(3)|ripemd(3)>, L<hmac(3)|hmac(3)>, L<EVP_DigestInit(3)|EVP_DigestInit(3)>
+
+=head1 HISTORY
+
+SHA1(), SHA1_Init(), SHA1_Update() and SHA1_Final() are available in all
+versions of SSLeay and OpenSSL.
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/threads.pod b/src/lib/libssl/src/doc/crypto/threads.pod
new file mode 100644
index 0000000000..5da056f3f8
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/threads.pod
@@ -0,0 +1,70 @@
+=pod
+
+=head1 NAME
+
+CRYPTO_set_locking_callback, CRYPTO_set_id_callback - OpenSSL thread support
+
+=head1 SYNOPSIS
+
+ #include <openssl/crypto.h>
+
+ void CRYPTO_set_locking_callback(void (*locking_function)(int mode,
+        int n, const char *file, int line));
+
+ void CRYPTO_set_id_callback(unsigned long (*id_function)(void));
+
+ int CRYPTO_num_locks(void);
+
+=head1 DESCRIPTION
+
+OpenSSL can safely be used in multi-threaded applications provided
+that two callback functions are set.
+
+locking_function(int mode, int n, const char *file, int line) is
+needed to perform locking on shared data stuctures. Multi-threaded
+applications will crash at random if it is not set.
+
+locking_function() must be able to handle up to CRYPTO_num_locks()
+different mutex locks. It sets the B<n>-th lock if B<mode> &
+B<CRYPTO_LOCK>, and releases it otherwise.
+
+B<file> and B<line> are the file number of the function setting the
+lock. They can be useful for debugging.
+
+id_function(void) is a function that returns a thread ID. It is not
+needed on Windows nor on platforms where getpid() returns a different
+ID for each thread (most notably Linux).
+
+=head1 RETURN VALUES
+
+CRYPTO_num_locks() returns the required number of locks.
+The other functions return no values.
+
+=head1 NOTE
+
+You can find out if OpenSSL was configured with thread support:
+
+ #define OPENSSL_THREAD_DEFINES
+ #include <openssl/opensslconf.h>
+ #if defined(THREADS)
+   // thread support enabled
+ #else
+   // no thread support
+ #endif
+
+=head1 EXAMPLES
+
+B<crypto/threads/mttest.c> shows examples of the callback functions on
+Solaris, Irix and Win32.
+
+=head1 HISTORY
+
+CRYPTO_set_locking_callback() and CRYPTO_set_id_callback() are
+available in all versions of SSLeay and OpenSSL.
+CRYPTO_num_locks() was added in OpenSSL 0.9.4.
+
+=head1 SEE ALSO
+
+L<crypto(3)|crypto(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/ui.pod b/src/lib/libssl/src/doc/crypto/ui.pod
new file mode 100644
index 0000000000..2b3535a746
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/ui.pod
@@ -0,0 +1,194 @@
+=pod
+
+=head1 NAME
+
+UI_new, UI_new_method, UI_free, UI_add_input_string, UI_dup_input_string,
+UI_add_verify_string, UI_dup_verify_string, UI_add_input_boolean,
+UI_dup_input_boolean, UI_add_info_string, UI_dup_info_string,
+UI_add_error_string, UI_dup_error_string, UI_construct_prompt
+UI_add_user_data, UI_get0_user_data, UI_get0_result, UI_process,
+UI_ctrl, UI_set_default_method, UI_get_default_method, UI_get_method,
+UI_set_method, UI_OpenSSL, ERR_load_UI_strings - New User Interface
+
+=head1 SYNOPSIS
+
+ #include <openssl/ui.h>
+
+ typedef struct ui_st UI;
+ typedef struct ui_method_st UI_METHOD;
+
+ UI *UI_new(void);
+ UI *UI_new_method(const UI_METHOD *method);
+ void UI_free(UI *ui);
+
+ int UI_add_input_string(UI *ui, const char *prompt, int flags,
+        char *result_buf, int minsize, int maxsize);
+ int UI_dup_input_string(UI *ui, const char *prompt, int flags,
+        char *result_buf, int minsize, int maxsize);
+ int UI_add_verify_string(UI *ui, const char *prompt, int flags,
+        char *result_buf, int minsize, int maxsize, const char *test_buf);
+ int UI_dup_verify_string(UI *ui, const char *prompt, int flags,
+        char *result_buf, int minsize, int maxsize, const char *test_buf);
+ int UI_add_input_boolean(UI *ui, const char *prompt, const char *action_desc,
+        const char *ok_chars, const char *cancel_chars,
+        int flags, char *result_buf);
+ int UI_dup_input_boolean(UI *ui, const char *prompt, const char *action_desc,
+        const char *ok_chars, const char *cancel_chars,
+        int flags, char *result_buf);
+ int UI_add_info_string(UI *ui, const char *text);
+ int UI_dup_info_string(UI *ui, const char *text);
+ int UI_add_error_string(UI *ui, const char *text);
+ int UI_dup_error_string(UI *ui, const char *text);
+
+ /* These are the possible flags.  They can be or'ed together. */
+ #define UI_INPUT_FLAG_ECHO             0x01
+ #define UI_INPUT_FLAG_DEFAULT_PWD      0x02
+
+ char *UI_construct_prompt(UI *ui_method,
+        const char *object_desc, const char *object_name);
+
+ void *UI_add_user_data(UI *ui, void *user_data);
+ void *UI_get0_user_data(UI *ui);
+
+ const char *UI_get0_result(UI *ui, int i);
+
+ int UI_process(UI *ui);
+
+ int UI_ctrl(UI *ui, int cmd, long i, void *p, void (*f)());
+ #define UI_CTRL_PRINT_ERRORS           1
+ #define UI_CTRL_IS_REDOABLE            2
+
+ void UI_set_default_method(const UI_METHOD *meth);
+ const UI_METHOD *UI_get_default_method(void);
+ const UI_METHOD *UI_get_method(UI *ui);
+ const UI_METHOD *UI_set_method(UI *ui, const UI_METHOD *meth);
+
+ UI_METHOD *UI_OpenSSL(void);
+
+=head1 DESCRIPTION
+
+UI stands for User Interface, and is general purpose set of routines to
+prompt the user for text-based information.  Through user-written methods
+(see L<ui_create(3)|ui_create(3)>), prompting can be done in any way
+imaginable, be it plain text prompting, through dialog boxes or from a
+cell phone.
+
+All the functions work through a context of the type UI.  This context
+contains all the information needed to prompt correctly as well as a
+reference to a UI_METHOD, which is an ordered vector of functions that
+carry out the actual prompting.
+
+The first thing to do is to create a UI with UI_new() or UI_new_method(),
+then add information to it with the UI_add or UI_dup functions.  Also,
+user-defined random data can be passed down to the underlying method
+through calls to UI_add_user_data.  The default UI method doesn't care
+about these data, but other methods might.  Finally, use UI_process()
+to actually perform the prompting and UI_get0_result() to find the result
+to the prompt.
+
+A UI can contain more than one prompt, which are performed in the given
+sequence.  Each prompt gets an index number which is returned by the
+UI_add and UI_dup functions, and has to be used to get the corresponding
+result with UI_get0_result().
+
+The functions are as follows:
+
+UI_new() creates a new UI using the default UI method.  When done with
+this UI, it should be freed using UI_free().
+
+UI_new_method() creates a new UI using the given UI method.  When done with
+this UI, it should be freed using UI_free().
+
+UI_OpenSSL() returns the built-in UI method (note: not the default one,
+since the default can be changed.  See further on).  This method is the
+most machine/OS dependent part of OpenSSL and normally generates the
+most problems when porting.
+
+UI_free() removes a UI from memory, along with all other pieces of memory
+that's connected to it, like duplicated input strings, results and others.
+
+UI_add_input_string() and UI_add_verify_string() add a prompt to the UI,
+as well as flags and a result buffer and the desired minimum and maximum
+sizes of the result.  The given information is used to prompt for
+information, for example a password, and to verify a password (i.e. having
+the user enter it twice and check that the same string was entered twice).
+UI_add_verify_string() takes and extra argument that should be a pointer
+to the result buffer of the input string that it's supposed to verify, or
+verification will fail.
+
+UI_add_input_boolean() adds a prompt to the UI that's supposed to be answered
+in a boolean way, with a single character for yes and a different character
+for no.  A set of characters that can be used to cancel the prompt is given
+as well.  The prompt itself is really divided in two, one part being the
+descriptive text (given through the I<prompt> argument) and one describing
+the possible answers (given through the I<action_desc> argument).
+
+UI_add_info_string() and UI_add_error_string() add strings that are shown at
+the same time as the prompt for extra information or to show an error string.
+The difference between the two is only conceptual.  With the builtin method,
+there's no technical difference between them.  Other methods may make a
+difference between them, however.
+
+The flags currently supported are UI_INPUT_FLAG_ECHO, which is relevant for
+UI_add_input_string() and will have the users response be echoed (when
+prompting for a password, this flag should obviously not be used, and
+UI_INPUT_FLAG_DEFAULT_PWD, which means that a default password of some
+sort will be used (completely depending on the application and the UI
+method).
+
+UI_dup_input_string(), UI_dup_verify_string(), UI_dup_input_boolean(),
+UI_dup_info_string() and UI_dup_error_string() are basically the same
+as their UI_add counterparts, except that they make their own copies
+of all strings.
+
+UI_construct_prompt() is a helper function that can be used to create
+a prompt from two pieces of information: an description and a name.
+The default constructor (if there is none provided by the method used)
+creates a string "Enter I<description> for I<name>:".  With the
+description "pass phrase" and the file name "foo.key", that becomes
+"Enter pass phrase for foo.key:".  Other methods may create whatever
+string and may include encodings that will be processed by the other
+method functions.
+
+UI_add_user_data() adds a piece of memory for the method to use at any
+time.  The builtin UI method doesn't care about this info.  Note that several
+calls to this function doesn't add data, it replaces the previous blob
+with the one given as argument.
+
+UI_get0_user_data() retrieves the data that has last been given to the
+UI with UI_add_user_data().
+
+UI_get0_result() returns a pointer to the result buffer associated with
+the information indexed by I<i>.
+
+UI_process() goes through the information given so far, does all the printing
+and prompting and returns.
+
+UI_ctrl() adds extra control for the application author.  For now, it
+understands two commands: UI_CTRL_PRINT_ERRORS, which makes UI_process()
+print the OpenSSL error stack as part of processing the UI, and
+UI_CTRL_IS_REDOABLE, which returns a flag saying if the used UI can
+be used again or not.
+
+UI_set_default_method() changes the default UI method to the one given.
+
+UI_get_default_method() returns a pointer to the current default UI method.
+
+UI_get_method() returns the UI method associated with a given UI.
+
+UI_set_method() changes the UI method associated with a given UI.
+
+=head1 SEE ALSO
+
+L<ui_create(3)|ui_create(3)>, L<ui_compat(3)|ui_compat(3)>
+
+=head1 HISTORY
+
+The UI section was first introduced in OpenSSL 0.9.7.
+
+=head1 AUTHOR
+
+Richard Levitte (richard@levitte.org) for the OpenSSL project
+(http://www.openssl.org).
+
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/ui_compat.pod b/src/lib/libssl/src/doc/crypto/ui_compat.pod
new file mode 100644
index 0000000000..9ab3c69bf2
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/ui_compat.pod
@@ -0,0 +1,55 @@
+=pod
+
+=head1 NAME
+
+des_read_password, des_read_2passwords, des_read_pw_string, des_read_pw -
+Compatibility user interface functions
+
+=head1 SYNOPSIS
+
+ int des_read_password(DES_cblock *key,const char *prompt,int verify);
+ int des_read_2passwords(DES_cblock *key1,DES_cblock *key2,
+        const char *prompt,int verify);
+
+ int des_read_pw_string(char *buf,int length,const char *prompt,int verify);
+ int des_read_pw(char *buf,char *buff,int size,const char *prompt,int verify);
+
+=head1 DESCRIPTION
+
+The DES library contained a few routines to prompt for passwords.  These
+aren't necessarely dependent on DES, and have therefore become part of the
+UI compatibility library.
+
+des_read_pw() writes the string specified by I<prompt> to standard output
+turns echo off and reads an input string from the terminal.  The string is
+returned in I<buf>, which must have spac for at least I<size> bytes.
+If I<verify> is set, the user is asked for the password twice and unless
+the two copies match, an error is returned.  The second password is stored
+in I<buff>, which must therefore also be at least I<size> bytes.  A return
+code of -1 indicates a system error, 1 failure due to use interaction, and
+0 is success.  All other functions described here use des_read_pw() to do
+the work.
+
+des_read_pw_string() is a variant of des_read_pw() that provides a buffer
+for you if I<verify> is set.
+
+des_read_password() calls des_read_pw() and converts the password to a
+DES key by calling DES_string_to_key(); des_read_2password() operates in
+the same way as des_read_password() except that it generates two keys
+by using the DES_string_to_2key() function.
+
+=head1 NOTES
+
+des_read_pw_string() is available in the MIT Kerberos library as well, and
+is also available under the name EVP_read_pw_string().
+
+=head1 SEE ALSO
+
+L<ui(3)|ui(3)>, L<ui_create(3)|ui_create(3)>
+
+=head1 AUTHOR
+
+Richard Levitte (richard@levitte.org) for the OpenSSL project
+(http://www.openssl.org).
+
+=cut
diff --git a/src/lib/libssl/src/doc/openssl.txt b/src/lib/libssl/src/doc/openssl.txt
new file mode 100644
index 0000000000..91b85e5f14
--- /dev/null
+++ b/src/lib/libssl/src/doc/openssl.txt
@@ -0,0 +1,1174 @@
+
+This is some preliminary documentation for OpenSSL.
+
+==============================================================================
+                            BUFFER Library
+==============================================================================
+
+The buffer library handles simple character arrays. Buffers are used for
+various purposes in the library, most notably memory BIOs.
+
+The library uses the BUF_MEM structure defined in buffer.h:
+
+typedef struct buf_mem_st
+{
+        int length;     /* current number of bytes */
+        char *data;
+        int max;        /* size of buffer */
+} BUF_MEM;
+
+'length' is the current size of the buffer in bytes, 'max' is the amount of
+memory allocated to the buffer. There are three functions which handle these
+and one "miscellaneous" function.
+
+BUF_MEM *BUF_MEM_new()
+
+This allocates a new buffer of zero size. Returns the buffer or NULL on error.
+
+void BUF_MEM_free(BUF_MEM *a)
+
+This frees up an already existing buffer. The data is zeroed before freeing
+up in case the buffer contains sensitive data.
+
+int BUF_MEM_grow(BUF_MEM *str, int len)
+
+This changes the size of an already existing buffer. It returns zero on error
+or the new size (i.e. 'len'). Any data already in the buffer is preserved if
+it increases in size.
+
+char * BUF_strdup(char *str)
+
+This is the previously mentioned strdup function: like the standard library
+strdup() it copies a null terminated string into a block of allocated memory
+and returns a pointer to the allocated block.
+
+Unlike the standard C library strdup() this function uses Malloc() and so
+should be used in preference to the standard library strdup() because it can
+be used for memory leak checking or replacing the malloc() function.
+
+The memory allocated from BUF_strdup() should be freed up using the Free()
+function.
+
+==============================================================================
+               OpenSSL X509V3 extension configuration
+==============================================================================
+
+OpenSSL X509V3 extension configuration: preliminary documentation.
+
+INTRODUCTION.
+
+For OpenSSL 0.9.2 the extension code has be considerably enhanced. It is now
+possible to add and print out common X509 V3 certificate and CRL extensions.
+
+BEGINNERS NOTE
+
+For most simple applications you don't need to know too much about extensions:
+the default openssl.cnf values will usually do sensible things.
+
+If you want to know more you can initially quickly look through the sections
+describing how the standard OpenSSL utilities display and add extensions and
+then the list of supported extensions.
+
+For more technical information about the meaning of extensions see:
+
+http://www.imc.org/ietf-pkix/
+http://home.netscape.com/eng/security/certs.html
+
+PRINTING EXTENSIONS.
+
+Extension values are automatically printed out for supported extensions.
+
+openssl x509 -in cert.pem -text
+openssl crl -in crl.pem -text
+
+will give information in the extension printout, for example:
+
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:TRUE
+            X509v3 Subject Key Identifier: 
+                73:FE:F7:59:A7:E1:26:84:44:D6:44:36:EE:79:1A:95:7C:B1:4B:15
+            X509v3 Authority Key Identifier: 
+                keyid:73:FE:F7:59:A7:E1:26:84:44:D6:44:36:EE:79:1A:95:7C:B1:4B:15, DirName:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/Email=email@1.address/Email=email@2.address, serial:00
+            X509v3 Key Usage: 
+                Certificate Sign, CRL Sign
+            X509v3 Subject Alternative Name: 
+                email:email@1.address, email:email@2.address
+
+CONFIGURATION FILES.
+
+The OpenSSL utilities 'ca' and 'req' can now have extension sections listing
+which certificate extensions to include. In each case a line:
+
+x509_extensions = extension_section
+
+indicates which section contains the extensions. In the case of 'req' the
+extension section is used when the -x509 option is present to create a
+self signed root certificate.
+
+The 'x509' utility also supports extensions when it signs a certificate.
+The -extfile option is used to set the configuration file containing the
+extensions. In this case a line with:
+
+extensions = extension_section
+
+in the nameless (default) section is used. If no such line is included then
+it uses the default section.
+
+You can also add extensions to CRLs: a line
+
+crl_extensions = crl_extension_section
+
+will include extensions when the -gencrl option is used with the 'ca' utility.
+You can add any extension to a CRL but of the supported extensions only
+issuerAltName and authorityKeyIdentifier make any real sense. Note: these are
+CRL extensions NOT CRL *entry* extensions which cannot currently be generated.
+CRL entry extensions can be displayed.
+
+NB. At this time Netscape Communicator rejects V2 CRLs: to get an old V1 CRL
+you should not include a crl_extensions line in the configuration file.
+
+As with all configuration files you can use the inbuilt environment expansion
+to allow the values to be passed in the environment. Therefore if you have
+several extension sections used for different purposes you can have a line:
+
+x509_extensions = $ENV::ENV_EXT
+
+and set the ENV_EXT environment variable before calling the relevant utility.
+
+EXTENSION SYNTAX.
+
+Extensions have the basic form:
+
+extension_name=[critical,] extension_options
+
+the use of the critical option makes the extension critical. Extreme caution
+should be made when using the critical flag. If an extension is marked
+as critical then any client that does not understand the extension should
+reject it as invalid. Some broken software will reject certificates which
+have *any* critical extensions (these violates PKIX but we have to live
+with it).
+
+There are three main types of extension: string extensions, multi-valued
+extensions, and raw extensions.
+
+String extensions simply have a string which contains either the value itself
+or how it is obtained.
+
+For example:
+
+nsComment="This is a Comment"
+
+Multi-valued extensions have a short form and a long form. The short form
+is a list of names and values:
+
+basicConstraints=critical,CA:true,pathlen:1
+
+The long form allows the values to be placed in a separate section:
+
+basicConstraints=critical,@bs_section
+
+[bs_section]
+
+CA=true
+pathlen=1
+
+Both forms are equivalent. However it should be noted that in some cases the
+same name can appear multiple times, for example,
+
+subjectAltName=email:steve@here,email:steve@there
+
+in this case an equivalent long form is:
+
+subjectAltName=@alt_section
+
+[alt_section]
+
+email.1=steve@here
+email.2=steve@there
+
+This is because the configuration file code cannot handle the same name
+occurring twice in the same extension.
+
+The syntax of raw extensions is governed by the extension code: it can
+for example contain data in multiple sections. The correct syntax to
+use is defined by the extension code itself: check out the certificate
+policies extension for an example.
+
+In addition it is also possible to use the word DER to include arbitrary
+data in any extension.
+
+1.2.3.4=critical,DER:01:02:03:04
+1.2.3.4=DER:01020304
+
+The value following DER is a hex dump of the DER encoding of the extension
+Any extension can be placed in this form to override the default behaviour.
+For example:
+
+basicConstraints=critical,DER:00:01:02:03
+
+WARNING: DER should be used with caution. It is possible to create totally
+invalid extensions unless care is taken.
+
+CURRENTLY SUPPORTED EXTENSIONS.
+
+If you aren't sure about extensions then they can be largely ignored: its only
+when you want to do things like restrict certificate usage when you need to
+worry about them. 
+
+The only extension that a beginner might want to look at is Basic Constraints.
+If in addition you want to try Netscape object signing the you should also
+look at Netscape Certificate Type.
+
+Literal String extensions.
+
+In each case the 'value' of the extension is placed directly in the
+extension. Currently supported extensions in this category are: nsBaseUrl,
+nsRevocationUrl, nsCaRevocationUrl, nsRenewalUrl, nsCaPolicyUrl,
+nsSslServerName and nsComment.
+
+For example:
+
+nsComment="This is a test comment"
+
+Bit Strings.
+
+Bit string extensions just consist of a list of supported bits, currently
+two extensions are in this category: PKIX keyUsage and the Netscape specific
+nsCertType.
+
+nsCertType (netscape certificate type) takes the flags: client, server, email,
+objsign, reserved, sslCA, emailCA, objCA.
+
+keyUsage (PKIX key usage) takes the flags: digitalSignature, nonRepudiation,
+keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign,
+encipherOnly, decipherOnly.
+
+For example:
+
+nsCertType=server
+
+keyUsage=digitalSignature, nonRepudiation
+
+Hints on Netscape Certificate Type.
+
+Other than Basic Constraints this is the only extension a beginner might
+want to use, if you want to try Netscape object signing, otherwise it can
+be ignored.
+
+If you want a certificate that can be used just for object signing then:
+
+nsCertType=objsign
+
+will do the job. If you want to use it as a normal end user and server
+certificate as well then
+
+nsCertType=objsign,email,server
+
+is more appropriate. You cannot use a self signed certificate for object
+signing (well Netscape signtool can but it cheats!) so you need to create
+a CA certificate and sign an end user certificate with it.
+
+Side note: If you want to conform to the Netscape specifications then you
+should really also set:
+
+nsCertType=objCA
+
+in the *CA* certificate for just an object signing CA and
+
+nsCertType=objCA,emailCA,sslCA
+
+for everything. Current Netscape software doesn't enforce this so it can
+be omitted.
+
+Basic Constraints.
+
+This is generally the only extension you need to worry about for simple
+applications. If you want your certificate to be usable as a CA certificate
+(in addition to an end user certificate) then you set this to:
+
+basicConstraints=CA:TRUE
+
+if you want to be certain the certificate cannot be used as a CA then do:
+
+basicConstraints=CA:FALSE
+
+The rest of this section describes more advanced usage.
+
+Basic constraints is a multi-valued extension that supports a CA and an
+optional pathlen option. The CA option takes the values true and false and
+pathlen takes an integer. Note if the CA option is false the pathlen option
+should be omitted. 
+
+The pathlen parameter indicates the maximum number of CAs that can appear
+below this one in a chain. So if you have a CA with a pathlen of zero it can
+only be used to sign end user certificates and not further CAs. This all
+assumes that the software correctly interprets this extension of course.
+
+Examples:
+
+basicConstraints=CA:TRUE
+basicConstraints=critical,CA:TRUE, pathlen:0
+
+NOTE: for a CA to be considered valid it must have the CA option set to
+TRUE. An end user certificate MUST NOT have the CA value set to true.
+According to PKIX recommendations it should exclude the extension entirely,
+however some software may require CA set to FALSE for end entity certificates.
+
+Subject Key Identifier.
+
+This is really a string extension and can take two possible values. Either
+a hex string giving details of the extension value to include or the word
+'hash' which then automatically follow PKIX guidelines in selecting and
+appropriate key identifier. The use of the hex string is strongly discouraged.
+
+Example: subjectKeyIdentifier=hash
+
+Authority Key Identifier.
+
+The authority key identifier extension permits two options. keyid and issuer:
+both can take the optional value "always".
+
+If the keyid option is present an attempt is made to copy the subject key
+identifier from the parent certificate. If the value "always" is present
+then an error is returned if the option fails.
+
+The issuer option copies the issuer and serial number from the issuer
+certificate. Normally this will only be done if the keyid option fails or
+is not included: the "always" flag will always include the value.
+
+Subject Alternative Name.
+
+The subject alternative name extension allows various literal values to be
+included in the configuration file. These include "email" (an email address)
+"URI" a uniform resource indicator, "DNS" (a DNS domain name), RID (a
+registered ID: OBJECT IDENTIFIER) and IP (and IP address).
+
+Also the email option include a special 'copy' value. This will automatically
+include and email addresses contained in the certificate subject name in
+the extension.
+
+Examples:
+
+subjectAltName=email:copy,email:my@other.address,URL:http://my.url.here/
+subjectAltName=email:my@other.address,RID:1.2.3.4
+
+Issuer Alternative Name.
+
+The issuer alternative name option supports all the literal options of
+subject alternative name. It does *not* support the email:copy option because
+that would not make sense. It does support an additional issuer:copy option
+that will copy all the subject alternative name values from the issuer 
+certificate (if possible).
+
+CRL distribution points.
+
+This is a multi-valued extension that supports all the literal options of
+subject alternative name. Of the few software packages that currently interpret
+this extension most only interpret the URI option.
+
+Currently each option will set a new DistributionPoint with the fullName
+field set to the given value.
+
+Other fields like cRLissuer and reasons cannot currently be set or displayed:
+at this time no examples were available that used these fields.
+
+If you see this extension with <UNSUPPORTED> when you attempt to print it out
+or it doesn't appear to display correctly then let me know, including the
+certificate (mail me at steve@openssl.org) .
+
+Examples:
+
+crlDistributionPoints=URI:http://www.myhost.com/myca.crl
+crlDistributionPoints=URI:http://www.my.com/my.crl,URI:http://www.oth.com/my.crl
+
+Certificate Policies.
+
+This is a RAW extension. It attempts to display the contents of this extension:
+unfortunately this extension is often improperly encoded.
+
+The certificate policies extension will rarely be used in practice: few
+software packages interpret it correctly or at all. IE5 does partially
+support this extension: but it needs the 'ia5org' option because it will
+only correctly support a broken encoding. Of the options below only the
+policy OID, explicitText and CPS options are displayed with IE5.
+
+All the fields of this extension can be set by using the appropriate syntax.
+
+If you follow the PKIX recommendations of not including any qualifiers and just
+using only one OID then you just include the value of that OID. Multiple OIDs
+can be set separated by commas, for example:
+
+certificatePolicies= 1.2.4.5, 1.1.3.4
+
+If you wish to include qualifiers then the policy OID and qualifiers need to
+be specified in a separate section: this is done by using the @section syntax
+instead of a literal OID value.
+
+The section referred to must include the policy OID using the name
+policyIdentifier, cPSuri qualifiers can be included using the syntax:
+
+CPS.nnn=value
+
+userNotice qualifiers can be set using the syntax:
+
+userNotice.nnn=@notice
+
+The value of the userNotice qualifier is specified in the relevant section.
+This section can include explicitText, organization and noticeNumbers
+options. explicitText and organization are text strings, noticeNumbers is a
+comma separated list of numbers. The organization and noticeNumbers options
+(if included) must BOTH be present. If you use the userNotice option with IE5
+then you need the 'ia5org' option at the top level to modify the encoding:
+otherwise it will not be interpreted properly.
+
+Example:
+
+certificatePolicies=ia5org,1.2.3.4,1.5.6.7.8,@polsect
+
+[polsect]
+
+policyIdentifier = 1.3.5.8
+CPS.1="http://my.host.name/"
+CPS.2="http://my.your.name/"
+userNotice.1=@notice
+
+[notice]
+
+explicitText="Explicit Text Here"
+organization="Organisation Name"
+noticeNumbers=1,2,3,4
+
+TECHNICAL NOTE: the ia5org option changes the type of the 'organization' field,
+according to PKIX it should be of type DisplayText but Verisign uses an 
+IA5STRING and IE5 needs this too.
+
+Display only extensions.
+
+Some extensions are only partially supported and currently are only displayed
+but cannot be set. These include private key usage period, CRL number, and
+CRL reason.
+
+==============================================================================
+                X509V3 Extension code: programmers guide
+==============================================================================
+
+The purpose of the extension code is twofold. It allows an extension to be
+created from a string or structure describing its contents and it prints out an
+extension in a human or machine readable form.
+
+1. Initialisation and cleanup.
+
+X509V3_add_standard_extensions();
+
+This function should be called before any other extension code. It adds support
+for some common PKIX and Netscape extensions. Additional custom extensions can
+be added as well (see later).
+
+void X509V3_EXT_cleanup(void);
+
+This function should be called last to cleanup the extension code. After this
+call no other extension calls should be made.
+
+2. Printing and parsing extensions.
+
+The simplest way to print out extensions is via the standard X509 printing
+routines: if you use the standard X509_print() function, the supported
+extensions will be printed out automatically.
+
+The following functions allow finer control over extension display:
+
+int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, int flag, int indent);
+int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
+
+These two functions print out an individual extension to a BIO or FILE pointer.
+Currently the flag argument is unused and should be set to 0. The 'indent'
+argument is the number of spaces to indent each line.
+
+void *X509V3_EXT_d2i(X509_EXTENSION *ext);
+
+This function parses an extension and returns its internal structure. The
+precise structure you get back depends on the extension being parsed. If the
+extension if basicConstraints you will get back a pointer to a
+BASIC_CONSTRAINTS structure. Check out the source in crypto/x509v3 for more
+details about the structures returned. The returned structure should be freed
+after use using the relevant free function, BASIC_CONSTRAINTS_free() for 
+example.
+
+3. Generating extensions.
+
+An extension will typically be generated from a configuration file, or some
+other kind of configuration database.
+
+int X509V3_EXT_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
+                                                                 X509 *cert);
+int X509V3_EXT_CRL_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
+                                                                 X509_CRL *crl);
+
+These functions add all the extensions in the given section to the given
+certificate or CRL. They will normally be called just before the certificate
+or CRL is due to be signed. Both return 0 on error on non zero for success.
+
+In each case 'conf' is the LHASH pointer of the configuration file to use
+and 'section' is the section containing the extension details.
+
+See the 'context functions' section for a description of the ctx paramater.
+
+
+X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name,
+                                                                 char *value);
+
+This function returns an extension based on a name and value pair, if the
+pair will not need to access other sections in a config file (or there is no
+config file) then the 'conf' parameter can be set to NULL.
+
+X509_EXTENSION *X509V3_EXT_conf_nid(char *conf, X509V3_CTX *ctx, int nid,
+                                                                 char *value);
+
+This function creates an extension in the same way as X509V3_EXT_conf() but
+takes the NID of the extension rather than its name.
+
+For example to produce basicConstraints with the CA flag and a path length of
+10:
+
+x = X509V3_EXT_conf_nid(NULL, NULL, NID_basicConstraints, "CA:TRUE,pathlen:10");
+
+
+X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
+
+This function sets up an extension from its internal structure. The ext_nid
+parameter is the NID of the extension and 'crit' is the critical flag.
+
+4. Context functions.
+
+The following functions set and manipulate an extension context structure.
+The purpose of the extension context is to allow the extension code to
+access various structures relating to the "environment" of the certificate:
+for example the issuers certificate or the certificate request.
+
+void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject,
+                                 X509_REQ *req, X509_CRL *crl, int flags);
+
+This function sets up an X509V3_CTX structure with details of the certificate
+environment: specifically the issuers certificate, the subject certificate,
+the certificate request and the CRL: if these are not relevant or not
+available then they can be set to NULL. The 'flags' parameter should be set
+to zero.
+
+X509V3_set_ctx_test(ctx)
+
+This macro is used to set the 'ctx' structure to a 'test' value: this is to
+allow the syntax of an extension (or configuration file) to be tested.
+
+X509V3_set_ctx_nodb(ctx)
+
+This macro is used when no configuration database is present.
+
+void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH *lhash);
+
+This function is used to set the configuration database when it is an LHASH
+structure: typically a configuration file.
+
+The following functions are used to access a configuration database: they
+should only be used in RAW extensions.
+
+char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section);
+
+This function returns the value of the parameter "name" in "section", or NULL
+if there has been an error.
+
+void X509V3_string_free(X509V3_CTX *ctx, char *str);
+
+This function frees up the string returned by the above function.
+
+STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section);
+
+This function returns a whole section as a STACK_OF(CONF_VALUE) .
+
+void X509V3_section_free( X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section);
+
+This function frees up the STACK returned by the above function.
+
+Note: it is possible to use the extension code with a custom configuration
+database. To do this the "db_meth" element of the X509V3_CTX structure should
+be set to an X509V3_CTX_METHOD structure. This structure contains the following
+function pointers:
+
+char * (*get_string)(void *db, char *section, char *value);
+STACK_OF(CONF_VALUE) * (*get_section)(void *db, char *section);
+void (*free_string)(void *db, char * string);
+void (*free_section)(void *db, STACK_OF(CONF_VALUE) *section);
+
+these will be called and passed the 'db' element in the X509V3_CTX structure
+to access the database. If a given function is not implemented or not required
+it can be set to NULL.
+
+5. String helper functions.
+
+There are several "i2s" and "s2i" functions that convert structures to and
+from ASCII strings. In all the "i2s" cases the returned string should be
+freed using Free() after use. Since some of these are part of other extension
+code they may take a 'method' parameter. Unless otherwise stated it can be
+safely set to NULL.
+
+char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *oct);
+
+This returns a hex string from an ASN1_OCTET_STRING.
+
+char * i2s_ASN1_INTEGER(X509V3_EXT_METHOD *meth, ASN1_INTEGER *aint);
+char * i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *meth, ASN1_ENUMERATED *aint);
+
+These return a string decimal representations of an ASN1_INTEGER and an
+ASN1_ENUMERATED type, respectively.
+
+ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
+                                                   X509V3_CTX *ctx, char *str);
+
+This converts an ASCII hex string to an ASN1_OCTET_STRING.
+
+ASN1_INTEGER * s2i_ASN1_INTEGER(X509V3_EXT_METHOD *meth, char *value);
+
+This converts a decimal ASCII string into an ASN1_INTEGER.
+
+6. Multi valued extension helper functions.
+
+The following functions can be used to manipulate STACKs of CONF_VALUE
+structures, as used by multi valued extensions.
+
+int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool);
+
+This function expects a boolean value in 'value' and sets 'asn1_bool' to
+it. That is it sets it to 0 for FALSE or 0xff for TRUE. The following
+strings are acceptable: "TRUE", "true", "Y", "y", "YES", "yes", "FALSE"
+"false", "N", "n", "NO" or "no".
+
+int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint);
+
+This accepts a decimal integer of arbitrary length and sets an ASN1_INTEGER.
+
+int X509V3_add_value(const char *name, const char *value,
+                                                STACK_OF(CONF_VALUE) **extlist);
+
+This simply adds a string name and value pair.
+
+int X509V3_add_value_uchar(const char *name, const unsigned char *value,
+                                                STACK_OF(CONF_VALUE) **extlist);
+
+The same as above but for an unsigned character value.
+
+int X509V3_add_value_bool(const char *name, int asn1_bool,
+                                                STACK_OF(CONF_VALUE) **extlist);
+
+This adds either "TRUE" or "FALSE" depending on the value of 'ans1_bool'
+
+int X509V3_add_value_bool_nf(char *name, int asn1_bool,
+                                                STACK_OF(CONF_VALUE) **extlist);
+
+This is the same as above except it adds nothing if asn1_bool is FALSE.
+
+int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint,
+                                                STACK_OF(CONF_VALUE) **extlist);
+
+This function adds the value of the ASN1_INTEGER in decimal form.
+
+7. Other helper functions.
+
+<to be added>
+
+ADDING CUSTOM EXTENSIONS.
+
+Currently there are three types of supported extensions. 
+
+String extensions are simple strings where the value is placed directly in the
+extensions, and the string returned is printed out.
+
+Multi value extensions are passed a STACK_OF(CONF_VALUE) name and value pairs
+or return a STACK_OF(CONF_VALUE).
+
+Raw extensions are just passed a BIO or a value and it is the extensions
+responsiblity to handle all the necessary printing.
+
+There are two ways to add an extension. One is simply as an alias to an already
+existing extension. An alias is an extension that is identical in ASN1 structure
+to an existing extension but has a different OBJECT IDENTIFIER. This can be
+done by calling:
+
+int X509V3_EXT_add_alias(int nid_to, int nid_from);
+
+'nid_to' is the new extension NID and 'nid_from' is the already existing
+extension NID.
+
+Alternatively an extension can be written from scratch. This involves writing
+the ASN1 code to encode and decode the extension and functions to print out and
+generate the extension from strings. The relevant functions are then placed in
+a X509V3_EXT_METHOD structure and int X509V3_EXT_add(X509V3_EXT_METHOD *ext);
+called.
+
+The X509V3_EXT_METHOD structure is described below.
+
+strut {
+int ext_nid;
+int ext_flags;
+X509V3_EXT_NEW ext_new;
+X509V3_EXT_FREE ext_free;
+X509V3_EXT_D2I d2i;
+X509V3_EXT_I2D i2d;
+X509V3_EXT_I2S i2s;
+X509V3_EXT_S2I s2i;
+X509V3_EXT_I2V i2v;
+X509V3_EXT_V2I v2i;
+X509V3_EXT_R2I r2i;
+X509V3_EXT_I2R i2r;
+
+void *usr_data;
+};
+
+The elements have the following meanings.
+
+ext_nid         is the NID of the object identifier of the extension.
+
+ext_flags       is set of flags. Currently the only external flag is
+                X509V3_EXT_MULTILINE which means a multi valued extensions
+                should be printed on separate lines.
+
+usr_data        is an extension specific pointer to any relevant data. This
+                allows extensions to share identical code but have different
+                uses. An example of this is the bit string extension which uses
+                usr_data to contain a list of the bit names.
+
+All the remaining elements are function pointers.
+
+ext_new         is a pointer to a function that allocates memory for the
+                extension ASN1 structure: for example ASN1_OBJECT_new().
+
+ext_free        is a pointer to a function that free up memory of the extension
+                ASN1 structure: for example ASN1_OBJECT_free().
+
+d2i             is the standard ASN1 function that converts a DER buffer into
+                the internal ASN1 structure: for example d2i_ASN1_IA5STRING().
+
+i2d             is the standard ASN1 function that converts the internal
+                structure into the DER representation: for example
+                i2d_ASN1_IA5STRING().
+
+The remaining functions are depend on the type of extension. One i2X and
+one X2i should be set and the rest set to NULL. The types set do not need
+to match up, for example the extension could be set using the multi valued
+v2i function and printed out using the raw i2r.
+
+All functions have the X509V3_EXT_METHOD passed to them in the 'method'
+parameter and an X509V3_CTX structure. Extension code can then access the
+parent structure via the 'method' parameter to for example make use of the value
+of usr_data. If the code needs to use detail relating to the request it can
+use the 'ctx' parameter.
+
+A note should be given here about the 'flags' member of the 'ctx' parameter.
+If it has the value CTX_TEST then the configuration syntax is being checked
+and no actual certificate or CRL exists. Therefore any attempt in the config
+file to access such information should silently succeed. If the syntax is OK
+then it should simply return a (possibly bogus) extension, otherwise it
+should return NULL.
+
+char *i2s(struct v3_ext_method *method, void *ext);
+
+This function takes the internal structure in the ext parameter and returns
+a Malloc'ed string representing its value.
+
+void * s2i(struct v3_ext_method *method, struct v3_ext_ctx *ctx, char *str);
+
+This function takes the string representation in the ext parameter and returns
+an allocated internal structure: ext_free() will be used on this internal
+structure after use.
+
+i2v and v2i handle a STACK_OF(CONF_VALUE):
+
+typedef struct
+{
+        char *section;
+        char *name;
+        char *value;
+} CONF_VALUE;
+
+Only the name and value members are currently used.
+
+STACK_OF(CONF_VALUE) * i2v(struct v3_ext_method *method, void *ext);
+
+This function is passed the internal structure in the ext parameter and
+returns a STACK of CONF_VALUE structures. The values of name, value,
+section and the structure itself will be freed up with Free after use.
+Several helper functions are available to add values to this STACK.
+
+void * v2i(struct v3_ext_method *method, struct v3_ext_ctx *ctx,
+                                                STACK_OF(CONF_VALUE) *values);
+
+This function takes a STACK_OF(CONF_VALUE) structures and should set the
+values of the external structure. This typically uses the name element to
+determine which structure element to set and the value element to determine
+what to set it to. Several helper functions are available for this
+purpose (see above).
+
+int i2r(struct v3_ext_method *method, void *ext, BIO *out, int indent);
+
+This function is passed the internal extension structure in the ext parameter
+and sends out a human readable version of the extension to out. The 'indent'
+paremeter should be noted to determine the necessary amount of indentation
+needed on the output.
+
+void * r2i(struct v3_ext_method *method, struct v3_ext_ctx *ctx, char *str);
+
+This is just passed the string representation of the extension. It is intended
+to be used for more elaborate extensions where the standard single and multi
+valued options are insufficient. They can use the 'ctx' parameter to parse the
+configuration database themselves. See the context functions section for details
+of how to do this.
+
+Note: although this type takes the same parameters as the "r2s" function there
+is a subtle difference. Whereas an "r2i" function can access a configuration
+database an "s2i" function MUST NOT. This is so the internal code can safely
+assume that an "s2i" function will work without a configuration database.
+
+==============================================================================
+                            PKCS#12 Library
+==============================================================================
+
+This section describes the internal PKCS#12 support. There are very few
+differences between the old external library and the new internal code at
+present. This may well change because the external library will not be updated
+much in future.
+
+This version now includes a couple of high level PKCS#12 functions which
+generally "do the right thing" and should make it much easier to handle PKCS#12
+structures.
+
+HIGH LEVEL FUNCTIONS.
+
+For most applications you only need concern yourself with the high level
+functions. They can parse and generate simple PKCS#12 files as produced by
+Netscape and MSIE or indeed any compliant PKCS#12 file containing a single
+private key and certificate pair.
+
+1. Initialisation and cleanup.
+
+No special initialisation is needed for the internal PKCS#12 library: the 
+standard SSLeay_add_all_algorithms() is sufficient. If you do not wish to
+add all algorithms (you should at least add SHA1 though) then you can manually
+initialise the PKCS#12 library with:
+
+PKCS12_PBE_add();
+
+The memory allocated by the PKCS#12 library is freed up when EVP_cleanup() is
+called or it can be directly freed with:
+
+EVP_PBE_cleanup();
+
+after this call (or EVP_cleanup() ) no more PKCS#12 library functions should
+be called.
+
+2. I/O functions.
+
+i2d_PKCS12_bio(bp, p12)
+
+This writes out a PKCS12 structure to a BIO.
+
+i2d_PKCS12_fp(fp, p12)
+
+This is the same but for a FILE pointer.
+
+d2i_PKCS12_bio(bp, p12)
+
+This reads in a PKCS12 structure from a BIO.
+
+d2i_PKCS12_fp(fp, p12)
+
+This is the same but for a FILE pointer.
+
+3. Parsing and creation functions.
+
+3.1 Parsing with PKCS12_parse().
+
+int PKCS12_parse(PKCS12 *p12, char *pass, EVP_PKEY **pkey, X509 **cert,
+                                                                 STACK **ca);
+
+This function takes a PKCS12 structure and a password (ASCII, null terminated)
+and returns the private key, the corresponding certificate and any CA
+certificates. If any of these is not required it can be passed as a NULL.
+The 'ca' parameter should be either NULL, a pointer to NULL or a valid STACK
+structure. Typically to read in a PKCS#12 file you might do:
+
+p12 = d2i_PKCS12_fp(fp, NULL);
+PKCS12_parse(p12, password, &pkey, &cert, NULL);        /* CAs not wanted */
+PKCS12_free(p12);
+
+3.2 PKCS#12 creation with PKCS12_create().
+
+PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
+                        STACK *ca, int nid_key, int nid_cert, int iter,
+                                                 int mac_iter, int keytype);
+
+This function will create a PKCS12 structure from a given password, name,
+private key, certificate and optional STACK of CA certificates. The remaining
+5 parameters can be set to 0 and sensible defaults will be used.
+
+The parameters nid_key and nid_cert are the key and certificate encryption
+algorithms, iter is the encryption iteration count, mac_iter is the MAC
+iteration count and keytype is the type of private key. If you really want
+to know what these last 5 parameters do then read the low level section.
+
+Typically to create a PKCS#12 file the following could be used:
+
+p12 = PKCS12_create(pass, "My Certificate", pkey, cert, NULL, 0,0,0,0,0);
+i2d_PKCS12_fp(fp, p12);
+PKCS12_free(p12);
+
+LOW LEVEL FUNCTIONS.
+
+In some cases the high level functions do not provide the necessary
+functionality. For example if you want to generate or parse more complex
+PKCS#12 files. The sample pkcs12 application uses the low level functions
+to display details about the internal structure of a PKCS#12 file.
+
+Introduction.
+
+This is a brief description of how a PKCS#12 file is represented internally:
+some knowledge of PKCS#12 is assumed.
+
+A PKCS#12 object contains several levels.
+
+At the lowest level is a PKCS12_SAFEBAG. This can contain a certificate, a
+CRL, a private key, encrypted or unencrypted, a set of safebags (so the
+structure can be nested) or other secrets (not documented at present). 
+A safebag can optionally have attributes, currently these are: a unicode
+friendlyName (a Unicode string) or a localKeyID (a string of bytes).
+
+At the next level is an authSafe which is a set of safebags collected into
+a PKCS#7 ContentInfo. This can be just plain data, or encrypted itself.
+
+At the top level is the PKCS12 structure itself which contains a set of
+authSafes in an embedded PKCS#7 Contentinfo of type data. In addition it
+contains a MAC which is a kind of password protected digest to preserve
+integrity (so any unencrypted stuff below can't be tampered with).
+
+The reason for these levels is so various objects can be encrypted in various
+ways. For example you might want to encrypt a set of private keys with
+triple-DES and then include the related certificates either unencrypted or
+with lower encryption. Yes it's the dreaded crypto laws at work again which
+allow strong encryption on private keys and only weak encryption on other
+stuff.
+
+To build one of these things you turn all certificates and keys into safebags
+(with optional attributes). You collect the safebags into (one or more) STACKS
+and convert these into authsafes (encrypted or unencrypted).  The authsafes
+are collected into a STACK and added to a PKCS12 structure.  Finally a MAC
+inserted.
+
+Pulling one apart is basically the reverse process. The MAC is verified against
+the given password. The authsafes are extracted and each authsafe split into
+a set of safebags (possibly involving decryption). Finally the safebags are
+decomposed into the original keys and certificates and the attributes used to
+match up private key and certificate pairs.
+
+Anyway here are the functions that do the dirty work.
+
+1. Construction functions.
+
+1.1 Safebag functions.
+
+M_PKCS12_x5092certbag(x509)
+
+This macro takes an X509 structure and returns a certificate bag. The
+X509 structure can be freed up after calling this function.
+
+M_PKCS12_x509crl2certbag(crl)
+
+As above but for a CRL.
+
+PKCS8_PRIV_KEY_INFO *PKEY2PKCS8(EVP_PKEY *pkey)
+
+Take a private key and convert it into a PKCS#8 PrivateKeyInfo structure.
+Works for both RSA and DSA private keys. NB since the PKCS#8 PrivateKeyInfo
+structure contains a private key data in plain text form it should be free'd
+up as soon as it has been encrypted for security reasons (freeing up the
+structure zeros out the sensitive data). This can be done with
+PKCS8_PRIV_KEY_INFO_free().
+
+PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage)
+
+This sets the key type when a key is imported into MSIE or Outlook 98. Two
+values are currently supported: KEY_EX and KEY_SIG. KEY_EX is an exchange type
+key that can also be used for signing but its size is limited in the export
+versions of MS software to 512 bits, it is also the default. KEY_SIG is a
+signing only key but the keysize is unlimited (well 16K is supposed to work).
+If you are using the domestic version of MSIE then you can ignore this because
+KEY_EX is not limited and can be used for both.
+
+PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8)
+
+Convert a PKCS8 private key structure into a keybag. This routine embeds the
+p8 structure in the keybag so p8 should not be freed up or used after it is
+called.  The p8 structure will be freed up when the safebag is freed.
+
+PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, unsigned char *pass, int passlen, unsigned char *salt, int saltlen, int iter, PKCS8_PRIV_KEY_INFO *p8)
+
+Convert a PKCS#8 structure into a shrouded key bag (encrypted). p8 is not
+embedded and can be freed up after use.
+
+int PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name, int namelen)
+int PKCS12_add_friendlyname(PKCS12_SAFEBAG *bag, unsigned char *name, int namelen)
+
+Add a local key id or a friendlyname to a safebag.
+
+1.2 Authsafe functions.
+
+PKCS7 *PKCS12_pack_p7data(STACK *sk)
+Take a stack of safebags and convert them into an unencrypted authsafe. The
+stack of safebags can be freed up after calling this function.
+
+PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, unsigned char *pass, int passlen, unsigned char *salt, int saltlen, int iter, STACK *bags);
+
+As above but encrypted.
+
+1.3 PKCS12 functions.
+
+PKCS12 *PKCS12_init(int mode)
+
+Initialise a PKCS12 structure (currently mode should be NID_pkcs7_data).
+
+M_PKCS12_pack_authsafes(p12, safes)
+
+This macro takes a STACK of authsafes and adds them to a PKCS#12 structure.
+
+int PKCS12_set_mac(PKCS12 *p12, unsigned char *pass, int passlen, unsigned char *salt, int saltlen, int iter, EVP_MD *md_type);
+
+Add a MAC to a PKCS12 structure. If EVP_MD is NULL use SHA-1, the spec suggests
+that SHA-1 should be used.
+
+2. Extraction Functions.
+
+2.1 Safebags.
+
+M_PKCS12_bag_type(bag)
+
+Return the type of "bag". Returns one of the following
+
+NID_keyBag
+NID_pkcs8ShroudedKeyBag                 7
+NID_certBag                             8
+NID_crlBag                              9
+NID_secretBag                           10
+NID_safeContentsBag                     11
+
+M_PKCS12_cert_bag_type(bag)
+
+Returns type of certificate bag, following are understood.
+
+NID_x509Certificate                     14
+NID_sdsiCertificate                     15
+
+M_PKCS12_crl_bag_type(bag)
+
+Returns crl bag type, currently only NID_crlBag is recognised.
+
+M_PKCS12_certbag2x509(bag)
+
+This macro extracts an X509 certificate from a certificate bag.
+
+M_PKCS12_certbag2x509crl(bag)
+
+As above but for a CRL.
+
+EVP_PKEY * PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8)
+
+Extract a private key from a PKCS8 private key info structure.
+
+M_PKCS12_decrypt_skey(bag, pass, passlen) 
+
+Decrypt a shrouded key bag and return a PKCS8 private key info structure.
+Works with both RSA and DSA keys
+
+char *PKCS12_get_friendlyname(bag)
+
+Returns the friendlyName of a bag if present or NULL if none. The returned
+string is a null terminated ASCII string allocated with Malloc(). It should 
+thus be freed up with Free() after use.
+
+2.2 AuthSafe functions.
+
+M_PKCS12_unpack_p7data(p7)
+
+Extract a STACK of safe bags from a PKCS#7 data ContentInfo.
+
+#define M_PKCS12_unpack_p7encdata(p7, pass, passlen)
+
+As above but for an encrypted content info.
+
+2.3 PKCS12 functions.
+
+M_PKCS12_unpack_authsafes(p12)
+
+Extract a STACK of authsafes from a PKCS12 structure.
+
+M_PKCS12_mac_present(p12)
+
+Check to see if a MAC is present.
+
+int PKCS12_verify_mac(PKCS12 *p12, unsigned char *pass, int passlen)
+
+Verify a MAC on a PKCS12 structure. Returns an error if MAC not present.
+
+
+Notes.
+
+1. All the function return 0 or NULL on error.
+2. Encryption based functions take a common set of parameters. These are
+described below.
+
+pass, passlen
+ASCII password and length. The password on the MAC is called the "integrity
+password" the encryption password is called the "privacy password" in the
+PKCS#12 documentation. The passwords do not have to be the same. If -1 is
+passed for the length it is worked out by the function itself (currently
+this is sometimes done whatever is passed as the length but that may change).
+
+salt, saltlen
+A 'salt' if salt is NULL a random salt is used. If saltlen is also zero a
+default length is used.
+
+iter
+Iteration count. This is a measure of how many times an internal function is
+called to encrypt the data. The larger this value is the longer it takes, it
+makes dictionary attacks on passwords harder. NOTE: Some implementations do
+not support an iteration count on the MAC. If the password for the MAC and
+encryption is the same then there is no point in having a high iteration
+count for encryption if the MAC has no count. The MAC could be attacked
+and the password used for the main decryption.
+
+pbe_nid
+This is the NID of the password based encryption method used. The following are
+supported.
+NID_pbe_WithSHA1And128BitRC4
+NID_pbe_WithSHA1And40BitRC4
+NID_pbe_WithSHA1And3_Key_TripleDES_CBC
+NID_pbe_WithSHA1And2_Key_TripleDES_CBC
+NID_pbe_WithSHA1And128BitRC2_CBC
+NID_pbe_WithSHA1And40BitRC2_CBC
+
+Which you use depends on the implementation you are exporting to. "Export
+grade" (i.e. cryptographically challenged) products cannot support all
+algorithms. Typically you may be able to use any encryption on shrouded key
+bags but they must then be placed in an unencrypted authsafe. Other authsafes
+may only support 40bit encryption. Of course if you are using SSLeay
+throughout you can strongly encrypt everything and have high iteration counts
+on everything.
+
+3. For decryption routines only the password and length are needed.
+
+4. Unlike the external version the nid's of objects are the values of the
+constants: that is NID_certBag is the real nid, therefore there is no 
+PKCS12_obj_offset() function.  Note the object constants are not the same as
+those of the external version. If you use these constants then you will need
+to recompile your code.
+
+5. With the exception of PKCS12_MAKE_KEYBAG(), after calling any function or 
+macro of the form PKCS12_MAKE_SOMETHING(other) the "other" structure can be
+reused or freed up safely.
+
diff --git a/src/lib/libssl/src/doc/openssl_button.gif b/src/lib/libssl/src/doc/openssl_button.gif
new file mode 100644
index 0000000000..3d3c90c9f8
--- /dev/null
+++ b/src/lib/libssl/src/doc/openssl_button.gif
diff --git a/src/lib/libssl/src/doc/openssl_button.html b/src/lib/libssl/src/doc/openssl_button.html
new file mode 100644
index 0000000000..44c91bd3d0
--- /dev/null
+++ b/src/lib/libssl/src/doc/openssl_button.html
@@ -0,0 +1,7 @@
+
+<!-- the `Includes OpenSSL Cryptogaphy Software' button      -->
+<!-- freely usable by any application linked against OpenSSL -->
+<a   href="http://www.openssl.org/">
+<img src="openssl_button.gif" 
+     width=102 height=47 border=0></a>
+
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod b/src/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod
new file mode 100644
index 0000000000..7fea14ee68
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod
@@ -0,0 +1,57 @@
+=pod
+
+=head1 NAME
+
+SSL_CIPHER_get_name, SSL_CIPHER_get_bits, SSL_CIPHER_get_version,
+SSL_CIPHER_description - get SSL_CIPHER properties
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ const char *SSL_CIPHER_get_name(SSL_CIPHER *cipher);
+ int SSL_CIPHER_get_bits(SSL_CIPHER *cipher, int *alg_bits);
+ char *SSL_CIPHER_get_version(SSL_CIPHER *cipher);
+ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int size);
+
+=head1 DESCRIPTION
+
+SSL_CIPHER_get_name() returns a pointer to the name of B<cipher>. If the
+argument is the NULL pointer, a pointer to the constant value "NONE" is
+returned.
+
+SSL_CIPHER_get_bits() returns the number of secret bits used for B<cipher>. If
+B<alg_bits> is not NULL, it contains the number of bits processed by the
+chosen algorithm. If B<cipher> is NULL, 0 is returned.
+
+SSL_CIPHER_get_version() returns the protocol version for B<cipher>, currently
+"SSLv2", "SSLv3", or "TLSv1". If B<cipher> is NULL, "(NONE)" is returned.
+
+SSL_CIPHER_description() returns a textual description of the cipher used
+into the buffer B<buf> of length B<len> provided. B<len> must be at least
+128 bytes, otherwise the string "Buffer too small" is returned. If B<buf>
+is NULL, a buffer of 128 bytes is allocated using OPENSSL_malloc(). If the
+allocation fails, the string "OPENSSL_malloc Error" is returned.
+
+=head1 NOTES
+
+The number of bits processed can be different from the secret bits. An
+export cipher like e.g. EXP-RC4-MD5 has only 40 secret bits. The algorithm
+does use the full 128 bits (which would be returned for B<alg_bits>), of
+which however 88bits are fixed. The search space is hence only 40 bits.
+
+=head1 BUGS
+
+If SSL_CIPHER_description() is called with B<cipher> being NULL, the
+library crashes.
+
+=head1 RETURN VALUES
+
+See DESCRIPTION
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_get_current_cipher(3)|SSL_get_current_cipher(3)>,
+L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_COMP_add_compression_method.pod b/src/lib/libssl/src/doc/ssl/SSL_COMP_add_compression_method.pod
new file mode 100644
index 0000000000..2a98739114
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_COMP_add_compression_method.pod
@@ -0,0 +1,70 @@
+=pod
+
+=head1 NAME
+
+SSL_COMP_add_compression_method - handle SSL/TLS integrated compression methods
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm);
+
+=head1 DESCRIPTION
+
+SSL_COMP_add_compression_method() adds the compression method B<cm> with
+the identifier B<id> to the list of available compression methods. This
+list is globally maintained for all SSL operations within this application.
+It cannot be set for specific SSL_CTX or SSL objects.
+
+=head1 NOTES
+
+The TLS standard (or SSLv3) allows the integration of compression methods
+into the communication. The TLS RFC does however not specify compression
+methods or their corresponding identifiers, so there is currently no compatible
+way to integrate compression with unknown peers. It is therefore currently not
+recommended to integrate compression into applications. Applications for
+non-public use may agree on certain compression methods. Using different
+compression methods with the same identifier will lead to connection failure.
+
+An OpenSSL client speaking a protocol that allows compression (SSLv3, TLSv1)
+will unconditionally send the list of all compression methods enabled with
+SSL_COMP_add_compression_method() to the server during the handshake.
+Unlike the mechanisms to set a cipher list, there is no method available to
+restrict the list of compression method on a per connection basis.
+
+An OpenSSL server will match the identifiers listed by a client against
+its own compression methods and will unconditionally activate compression
+when a matching identifier is found. There is no way to restrict the list
+of compression methods supported on a per connection basis.
+
+The OpenSSL library has the compression methods B<COMP_rle()> and (when
+especially enabled during compilation) B<COMP_zlib()> available.
+
+=head1 WARNINGS
+
+Once the identities of the compression methods for the TLS protocol have
+been standardized, the compression API will most likely be changed. Using
+it in the current state is not recommended.
+
+=head1 RETURN VALUES
+
+SSL_COMP_add_compression_method() may return the following values:
+
+=over 4
+
+=item 1
+
+The operation succeeded.
+
+=item 0
+
+The operation failed. Check the error queue to find out the reason.
+
+=back
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_add_extra_chain_cert.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_add_extra_chain_cert.pod
new file mode 100644
index 0000000000..21a9db0e2a
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_add_extra_chain_cert.pod
@@ -0,0 +1,38 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_add_extra_chain_cert - add certificate to chain
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ long SSL_CTX_add_extra_chain_cert(SSL_CTX ctx, X509 *x509)
+
+=head1 DESCRIPTION
+
+SSL_CTX_add_extra_chain_cert() adds the certificate B<x509> to the certificate
+chain presented together with the certificate. Several certificates
+can be added one after the other.
+
+=head1 NOTES
+
+When constructing the certificate chain, the chain will be formed from
+these certificates explicitly specified. If no chain is specified,
+the library will try to complete the chain from the available CA
+certificates in the trusted CA storage, see
+L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>.
+
+=head1 RETURN VALUES
+
+SSL_CTX_add_extra_chain_cert() returns 1 on success. Check out the
+error stack to find out the reason for failure otherwise.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>,
+L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_add_session.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_add_session.pod
new file mode 100644
index 0000000000..af326c2f73
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_add_session.pod
@@ -0,0 +1,65 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_add_session, SSL_add_session, SSL_CTX_remove_session, SSL_remove_session - manipulate session cache
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c);
+ int SSL_add_session(SSL_CTX *ctx, SSL_SESSION *c);
+
+ int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c);
+ int SSL_remove_session(SSL_CTX *ctx, SSL_SESSION *c);
+
+=head1 DESCRIPTION
+
+SSL_CTX_add_session() adds the session B<c> to the context B<ctx>. The
+reference count for session B<c> is incremented by 1. If a session with
+the same session id already exists, the old session is removed by calling
+L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>.
+
+SSL_CTX_remove_session() removes the session B<c> from the context B<ctx>.
+L<SSL_SESSION_free(3)|SSL_SESSION_free(3)> is called once for B<c>.
+
+SSL_add_session() and SSL_remove_session() are synonyms for their
+SSL_CTX_*() counterparts.
+
+=head1 NOTES
+
+When adding a new session to the internal session cache, it is examined
+whether a session with the same session id already exists. In this case
+it is assumed that both sessions are identical. If the same session is
+stored in a different SSL_SESSION object, The old session is
+removed and replaced by the new session. If the session is actually
+identical (the SSL_SESSION object is identical), SSL_CTX_add_session()
+is a no-op, and the return value is 0.
+
+
+=head1 RETURN VALUES
+
+The following values are returned by all functions:
+
+=over 4
+
+=item 0
+
+ The operation failed. In case of the add operation, it was tried to add
+ the same (identical) session twice. In case of the remove operation, the
+ session was not found in the cache.
+
+=item 1
+ 
+ The operation succeeded.
+
+=back
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
+L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_ctrl.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_ctrl.pod
new file mode 100644
index 0000000000..fb6adcf50c
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_ctrl.pod
@@ -0,0 +1,34 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_ctrl, SSL_CTX_callback_ctrl, SSL_ctrl, SSL_callback_ctrl - internal handling functions for SSL_CTX and SSL objects
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg);
+ long SSL_CTX_callback_ctrl(SSL_CTX *, int cmd, void (*fp)());
+
+ long SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg);
+ long SSL_callback_ctrl(SSL *, int cmd, void (*fp)());
+
+=head1 DESCRIPTION
+
+The SSL_*_ctrl() family of functions is used to manipulate settings of
+the SSL_CTX and SSL objects. Depending on the command B<cmd> the arguments
+B<larg>, B<parg>, or B<fp> are evaluated. These functions should never
+be called directly. All functionalities needed are made available via
+other functions or macros.
+
+=head1 RETURN VALUES
+
+The return values of the SSL*_ctrl() functions depend on the command
+supplied via the B<cmd> parameter.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_flush_sessions.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_flush_sessions.pod
new file mode 100644
index 0000000000..148c36c871
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_flush_sessions.pod
@@ -0,0 +1,49 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_flush_sessions, SSL_flush_sessions - remove expired sessions
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ void SSL_CTX_flush_sessions(SSL_CTX *ctx, long tm);
+ void SSL_flush_sessions(SSL_CTX *ctx, long tm);
+
+=head1 DESCRIPTION
+
+SSL_CTX_flush_sessions() causes a run through the session cache of
+B<ctx> to remove sessions expired at time B<tm>.
+
+SSL_flush_sessions() is a synonym for SSL_CTX_flush_sessions().
+
+=head1 NOTES
+
+If enabled, the internal session cache will collect all sessions established
+up to the specified maximum number (see SSL_CTX_sess_set_cache_size()).
+As sessions will not be reused ones they are expired, they should be
+removed from the cache to save resources. This can either be done
+ automatically whenever 255 new sessions were established (see
+L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>)
+or manually by calling SSL_CTX_flush_sessions(). 
+
+The parameter B<tm> specifies the time which should be used for the
+expiration test, in most cases the actual time given by time(0)
+will be used.
+
+SSL_CTX_flush_sessions() will only check sessions stored in the internal
+cache. When a session is found and removed, the remove_session_cb is however
+called to synchronize with the external cache (see
+L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>).
+
+=head1 RETURN VALUES
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
+L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>,
+L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_free.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_free.pod
new file mode 100644
index 0000000000..de69672422
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_free.pod
@@ -0,0 +1,29 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_free - free an allocated SSL_CTX object
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ void SSL_CTX_free(SSL_CTX *ctx);
+
+=head1 DESCRIPTION
+
+SSL_CTX_free() decrements the reference count of B<ctx>, and removes the
+SSL_CTX object pointed to by B<ctx> and frees up the allocated memory if the
+the reference count has reached 0.
+
+It also calls the free()ing procedures for indirectly affected items, if
+applicable: the session cacahe, the list of ciphers, the list of Client CAs,
+the certificates and keys.
+
+=head1 RETURN VALUES
+
+SSL_CTX_free() does not provide diagnostic information.
+
+L<SSL_CTX_new(3)|SSL_CTX_new(3)>, L<ssl(3)|ssl(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_get_ex_new_index.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_get_ex_new_index.pod
new file mode 100644
index 0000000000..15067438c8
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_get_ex_new_index.pod
@@ -0,0 +1,53 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_get_ex_new_index, SSL_CTX_set_ex_data, SSL_CTX_get_ex_data - internal application specific data functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_CTX_get_ex_new_index(long argl, void *argp,
+                CRYPTO_EX_new *new_func,
+                CRYPTO_EX_dup *dup_func,
+                CRYPTO_EX_free *free_func);
+
+ int SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *arg);
+
+ void *SSL_CTX_get_ex_data(SSL_CTX *ctx, int idx);
+
+ typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+                int idx, long argl, void *argp);
+ typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+                int idx, long argl, void *argp);
+ typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d,
+                int idx, long argl, void *argp);
+
+=head1 DESCRIPTION
+
+Several OpenSSL structures can have application specific data attached to them.
+These functions are used internally by OpenSSL to manipulate application
+specific data attached to a specific structure.
+
+SSL_CTX_get_ex_new_index() is used to register a new index for application
+specific data.
+
+SSL_CTX_set_ex_data() is used to store application data at B<arg> for B<idx>
+into the B<ctx> object.
+
+SSL_CTX_get_ex_data() is used to retrieve the information for B<idx> from
+B<ctx>.
+
+A detailed description for the B<*_get_ex_new_index()> functionality
+can be found in L<RSA_get_ex_new_index.pod(3)|RSA_get_ex_new_index.pod(3)>.
+The B<*_get_ex_data()> and B<*_set_ex_data()> functionality is described in
+L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>,
+L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_get_verify_mode.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_get_verify_mode.pod
new file mode 100644
index 0000000000..7f10c6e945
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_get_verify_mode.pod
@@ -0,0 +1,50 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_get_verify_mode, SSL_get_verify_mode, SSL_CTX_get_verify_depth, SSL_get_verify_depth, SSL_get_verify_callback, SSL_CTX_get_verify_callback - get currently set verification parameters
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_CTX_get_verify_mode(SSL_CTX *ctx);
+ int SSL_get_verify_mode(SSL *ssl);
+ int SSL_CTX_get_verify_depth(SSL_CTX *ctx);
+ int SSL_get_verify_depth(SSL *ssl);
+ int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int, X509_STORE_CTX *);
+ int (*SSL_get_verify_callback(SSL *ssl))(int, X509_STORE_CTX *);
+
+=head1 DESCRIPTION
+
+SSL_CTX_get_verify_mode() returns the verification mode currently set in
+B<ctx>.
+
+SSL_get_verify_mode() returns the verification mode currently set in
+B<ssl>.
+
+SSL_CTX_get_verify_depth() returns the verification depth limit currently set
+in B<ctx>. If no limit has been explicitly set, -1 is returned and the
+default value will be used.
+
+SSL_get_verify_depth() returns the verification depth limit currently set
+in B<ssl>. If no limit has been explicitly set, -1 is returned and the
+default value will be used.
+
+SSL_CTX_get_verify_callback() returns a function pointer to the verification
+callback currently set in B<ctx>. If no callback was explicitly set, the
+NULL pointer is returned and the default callback will be used.
+
+SSL_get_verify_callback() returns a function pointer to the verification
+callback currently set in B<ssl>. If no callback was explicitly set, the
+NULL pointer is returned and the default callback will be used.
+
+=head1 RETURN VALUES
+
+See DESCRIPTION
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_load_verify_locations.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_load_verify_locations.pod
new file mode 100644
index 0000000000..88f18bd5ff
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_load_verify_locations.pod
@@ -0,0 +1,124 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_load_verify_locations - set default locations for trusted CA
+certificates
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
+                                   const char *CApath);
+
+=head1 DESCRIPTION
+
+SSL_CTX_load_verify_locations() specifies the locations for B<ctx>, at
+which CA certificates for verification purposes are located. The certificates
+available via B<CAfile> and B<CApath> are trusted.
+
+=head1 NOTES
+
+If B<CAfile> is not NULL, it points to a file of CA certificates in PEM
+format. The file can contain several CA certificates identified by
+
+ -----BEGIN CERTIFICATE-----
+ ... (CA certificate in base64 encoding) ...
+ -----END CERTIFICATE-----
+
+sequences. Before, between, and after the certificates text is allowed
+which can be used e.g. for descriptions of the certificates.
+
+The B<CAfile> is processed on execution of the SSL_CTX_load_verify_locations()
+function.
+
+If on an TLS/SSL server no special setting is performed using *client_CA_list()
+functions, the certificates contained in B<CAfile> are listed to the client
+as available CAs during the TLS/SSL handshake.
+
+If B<CApath> is not NULL, it points to a directory containing CA certificates
+in PEM format. The files each contain one CA certificate. The files are
+looked up by the CA subject name hash value, which must hence be available.
+If more than one CA certificate with the same name hash value exist, the
+extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search
+is performed in the ordering of the extension number, regardless of other
+properties of the certificates.
+Use the B<c_rehash> utility to create the necessary links.
+
+The certificates in B<CApath> are only looked up when required, e.g. when
+building the certificate chain or when actually performing the verification
+of a peer certificate.
+
+On a server, the certificates in B<CApath> are not listed as available
+CA certificates to a client during a TLS/SSL handshake.
+
+When looking up CA certificates, the OpenSSL library will first search the
+certificates in B<CAfile>, then those in B<CApath>. Certificate matching
+is done based on the subject name, the key identifier (if present), and the
+serial number as taken from the certificate to be verified. If these data
+do not match, the next certificate will be tried. If a first certificate
+matching the parameters is found, the verification process will be performed;
+no other certificates for the same parameters will be searched in case of
+failure.
+
+When building its own certificate chain, an OpenSSL client/server will
+try to fill in missing certificates from B<CAfile>/B<CApath>, if the
+certificate chain was not explicitly specified (see
+L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>,
+L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>.
+
+=head1 WARNINGS
+
+If several CA certificates matching the name, key identifier, and serial
+number condition are available, only the first one will be examined. This
+may lead to unexpected results if the same CA certificate is available
+with different expiration dates. If a "certificate expired" verification
+error occurs, no other certificate will be searched. Make sure to not
+have expired certificates mixed with valid ones.
+
+=head1 EXAMPLES
+
+Generate a CA certificate file with descriptive text from the CA certificates
+ca1.pem ca2.pem ca3.pem:
+
+ #!/bin/sh
+ rm CAfile.pem
+ for i in ca1.pem ca2.pem ca3.pem ; do
+   openssl x509 -in $i -text >> CAfile.pem
+ done
+
+Prepare the directory /some/where/certs containing several CA certificates
+for use as B<CApath>:
+
+ cd /some/where/certs
+ c_rehash .
+
+=head1 RETURN VALUES
+
+The following return values can occur:
+
+=over 4
+
+=item 0
+
+The operation failed because B<CAfile> and B<CApath> are NULL or the
+processing at one of the locations specified failed. Check the error
+stack to find out the reason.
+
+=item 1
+
+The operation succeeded.
+
+=back
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>,
+L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>,
+L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>,
+L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>
+
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_new.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_new.pod
new file mode 100644
index 0000000000..e166c692c3
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_new.pod
@@ -0,0 +1,93 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_new - create a new SSL_CTX object as framework for TLS/SSL enabled functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ SSL_CTX *SSL_CTX_new(SSL_METHOD *method);
+
+=head1 DESCRIPTION
+
+SSL_CTX_new() creates a new B<SSL_CTX> object as framework to establish
+TLS/SSL enabled connections.
+
+=head1 NOTES
+
+The SSL_CTX object uses B<method> as connection method. The methods exist
+in a generic type (for client and server use), a server only type, and a
+client only type. B<method> can be of the following types:
+
+=over 4
+
+=item SSLv2_method(void), SSLv2_server_method(void), SSLv2_client_method(void)
+
+A TLS/SSL connection established with these methods will only understand
+the SSLv2 protocol. A client will send out SSLv2 client hello messages
+and will also indicate that it only understand SSLv2. A server will only
+understand SSLv2 client hello messages.
+
+=item SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void)
+
+A TLS/SSL connection established with these methods will only understand the
+SSLv3 and TLSv1 protocol. A client will send out SSLv3 client hello messages
+and will indicate that it also understands TLSv1. A server will only understand
+SSLv3 and TLSv1 client hello messages. This especially means, that it will
+not understand SSLv2 client hello messages which are widely used for
+compatibility reasons, see SSLv23_*_method().
+
+=item TLSv1_method(void), TLSv1_server_method(void), TLSv1_client_method(void)
+
+A TLS/SSL connection established with these methods will only understand the
+TLSv1 protocol. A client will send out TLSv1 client hello messages
+and will indicate that it only understands TLSv1. A server will only understand
+TLSv1 client hello messages. This especially means, that it will
+not understand SSLv2 client hello messages which are widely used for
+compatibility reasons, see SSLv23_*_method().
+
+=item SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)
+
+A TLS/SSL connection established with these methods will understand the SSLv2,
+SSLv3, and TLSv1 protocol. A client will send out SSLv2 client hello messages
+and will indicate that it also understands SSLv3 and TLSv1. A server will
+understand SSLv2, SSLv3, and TLSv1 client hello messages. This is the best
+choice when compatibility is a concern.
+
+=back
+
+The list of protocols available can later be limited using the SSL_OP_NO_SSLv2,
+SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1 options of the B<SSL_CTX_set_options()> or
+B<SSL_set_options()> functions. Using these options it is possible to choose
+e.g. SSLv23_server_method() and be able to negotiate with all possible
+clients, but to only allow newer protocols like SSLv3 or TLSv1.
+
+SSL_CTX_new() initializes the list of ciphers, the session cache setting,
+the callbacks, the keys and certificates, and the options to its default
+values.
+
+=head1 RETURN VALUES
+
+The following return values can occur:
+
+=over 4
+
+=item NULL
+
+The creation of a new SSL_CTX object failed. Check the error stack to
+find out the reason.
+
+=item Pointer to an SSL_CTX object
+
+The return value points to an allocated SSL_CTX object.
+
+=back
+
+=head1 SEE ALSO
+
+L<SSL_CTX_free(3)|SSL_CTX_free(3)>, L<SSL_accept(3)|SSL_accept(3)>,
+L<ssl(3)|ssl(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_sess_number.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_sess_number.pod
new file mode 100644
index 0000000000..19aa4e2902
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_sess_number.pod
@@ -0,0 +1,76 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_sess_number, SSL_CTX_sess_connect, SSL_CTX_sess_connect_good, SSL_CTX_sess_connect_renegotiate, SSL_CTX_sess_accept, SSL_CTX_sess_accept_good, SSL_CTX_sess_accept_renegotiate, SSL_CTX_sess_hits, SSL_CTX_sess_cb_hits, SSL_CTX_sess_misses, SSL_CTX_sess_timeouts, SSL_CTX_sess_cache_full - obtain session cache statistics
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ long SSL_CTX_sess_number(SSL_CTX *ctx);
+ long SSL_CTX_sess_connect(SSL_CTX *ctx);
+ long SSL_CTX_sess_connect_good(SSL_CTX *ctx);
+ long SSL_CTX_sess_connect_renegotiate(SSL_CTX *ctx);
+ long SSL_CTX_sess_accept(SSL_CTX *ctx);
+ long SSL_CTX_sess_accept_good(SSL_CTX *ctx);
+ long SSL_CTX_sess_accept_renegotiate(SSL_CTX *ctx);
+ long SSL_CTX_sess_hits(SSL_CTX *ctx);
+ long SSL_CTX_sess_cb_hits(SSL_CTX *ctx);
+ long SSL_CTX_sess_misses(SSL_CTX *ctx);
+ long SSL_CTX_sess_timeouts(SSL_CTX *ctx);
+ long SSL_CTX_sess_cache_full(SSL_CTX *ctx);
+
+=head1 DESCRIPTION
+
+SSL_CTX_sess_number() returns the current number of sessions in the internal
+session cache.
+
+SSL_CTX_sess_connect() returns the number of started SSL/TLS handshakes in
+client mode.
+
+SSL_CTX_sess_connect_good() returns the number of successfully established
+SSL/TLS sessions in client mode.
+
+SSL_CTX_sess_connect_renegotiate() returns the number of start renegotiations
+in client mode.
+
+SSL_CTX_sess_accept() returns the number of started SSL/TLS handshakes in
+server mode.
+
+SSL_CTX_sess_accept_good() returns the number of successfully established
+SSL/TLS sessions in server mode.
+
+SSL_CTX_sess_accept_renegotiate() returns the number of start renegotiations
+in server mode.
+
+SSL_CTX_sess_hits() returns the number of successfully reused sessions.
+In client mode a session set with L<SSL_set_session(3)|SSL_set_session(3)>
+successfully reused is counted as a hit. In server mode a session successfully
+retrieved from internal or external cache is counted as a hit.
+
+SSL_CTX_sess_cb_hits() returns the number of successfully retrieved sessions
+from the external session cache in server mode.
+
+SSL_CTX_sess_misses() returns the number of sessions proposed by clients
+that were not found in the internal session cache in server mode.
+
+SSL_CTX_sess_timeouts() returns the number of sessions proposed by clients
+and either found in the internal or external session cache in server mode,
+ but that were invalid due to timeout. These sessions are not included in
+the SSL_CTX_sess_hits() count.
+
+SSL_CTX_sess_cache_full() returns the number of sessions that were removed
+because the maximum session cache size was exceeded.
+
+=head1 RETURN VALUES
+
+The functions return the values indicated in the DESCRIPTION section.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_set_session(3)|SSL_set_session(3)>,
+L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>
+L<SSL_CTX_sess_set_cache_size(3)|SSL_CTX_sess_set_cache_size(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_sess_set_cache_size.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_sess_set_cache_size.pod
new file mode 100644
index 0000000000..d59a7db636
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_sess_set_cache_size.pod
@@ -0,0 +1,51 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_sess_set_cache_size, SSL_CTX_sess_get_cache_size - manipulate session cache size
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ long SSL_CTX_sess_set_cache_size(SSL_CTX *ctx, long t);
+ long SSL_CTX_sess_get_cache_size(SSL_CTX *ctx);
+
+=head1 DESCRIPTION
+
+SSL_CTX_sess_set_cache_size() sets the size of the internal session cache
+of context B<ctx> to B<t>.
+
+SSL_CTX_sess_get_cache_size() returns the currently valid session cache size.
+
+=head1 NOTES
+
+The internal session cache size is SSL_SESSION_CACHE_MAX_SIZE_DEFAULT,
+currently 1024*20, so that up to 20000 sessions can be held. This size
+can be modified using the SSL_CTX_sess_set_cache_size() call. A special
+case is the size 0, which is used for unlimited size.
+
+When the maximum number of sessions is reached, no more new sessions are
+added to the cache. New space may be added by calling
+L<SSL_CTX_flush_sessions(3)|<SSL_CTX_flush_sessions(3)> to remove
+expired sessions.
+
+If the size of the session cache is reduced and more sessions are already
+in the session cache, old session will be removed at the next time a
+session shall be added. This removal is not synchronized with the
+expiration of sessions.
+
+=head1 RETURN VALUES
+
+SSL_CTX_sess_set_cache_size() returns the previously valid size.
+
+SSL_CTX_sess_get_cache_size() returns the currently valid size.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
+L<SSL_CTX_sess_number(3)|SSL_CTX_sess_number(3)>,
+L<SSL_CTX_flush_sessions(3)|<SSL_CTX_flush_sessions(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_sess_set_get_cb.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_sess_set_get_cb.pod
new file mode 100644
index 0000000000..b6f15b4404
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_sess_set_get_cb.pod
@@ -0,0 +1,81 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_sess_set_new_cb, SSL_CTX_sess_set_remove_cb, SSL_CTX_sess_set_get_cb, SSL_CTX_sess_get_new_cb, SSL_CTX_sess_get_remove_cb, SSL_CTX_sess_get_get_cb - provide callback functions for server side external session caching
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
+                              int (*new_session_cb)(SSL *, SSL_SESSION *));
+ void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
+           void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *));
+ void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,
+           SSL_SESSION (*get_session_cb)(SSL *, unsigned char *, int, int *));
+
+ int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl, SSL_SESSION *sess);
+ void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx, SSL_SESSION *sess);
+ SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(struct ssl_st *ssl, unsigned char *data, int len, int *copy);
+
+ int (*new_session_cb)(struct ssl_st *ssl, SSL_SESSION *sess);
+ void (*remove_session_cb)(struct ssl_ctx_st *ctx, SSL_SESSION *sess);
+ SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, unsigned char *data,
+               int len, int *copy);
+
+=head1 DESCRIPTION
+
+SSL_CTX_sess_set_new_cb() sets the callback function, which is automatically
+called whenever a new session was negotiated.
+
+SSL_CTX_sess_set_remove_cb() sets the callback function, which is
+automatically called whenever a session is removed by the SSL engine,
+because it is considered faulty or the session has become obsolete because
+of exceeding the timeout value.
+
+SSL_CTX_sess_set_get_cb() sets the callback function which is called,
+whenever a SSL/TLS client proposed to resume a session but the session
+could not be found in the internal session cache (see
+L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>).
+(SSL/TLS server only.)
+
+SSL_CTX_sess_get_new_cb(), SSL_CTX_sess_get_remove_cb(), and
+SSL_CTX_sess_get_get_cb() allow to retrieve the function pointers of the
+provided callback functions. If a callback function has not been set,
+the NULL pointer is returned.
+
+=head1 NOTES
+
+In order to allow external session caching, synchronization with the internal
+session cache is realized via callback functions. Inside these callback
+functions, session can be saved to disk or put into a database using the
+L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)> interface.
+
+The new_session_cb() is called, whenever a new session has been negotiated
+and session caching is enabled (see
+L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>).
+The new_session_cb() is passed the B<ssl> connection and the ssl session
+B<sess>. If the callback returns B<0>, the session will be immediately
+removed again.
+
+The remove_session_cb() is called, whenever the SSL engine removes a session
+from the internal cache. This happens if the session is removed because
+it is expired or when a connection was not shutdown cleanly. The
+remove_session_cb() is passed the B<ctx> and the ssl session B<sess>.
+It does not provide any feedback.
+
+The get_session_cb() is only called on SSL/TLS servers with the session id
+proposed by the client. The get_session_cb() is always called, also when
+session caching was disabled. The get_session_cb() is passed the
+B<ssl> connection, the session id of length B<length> at the memory location
+B<data>. With the parameter B<copy> the callback can require the
+SSL engine to increment the reference count of the SSL_SESSION object.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)>,
+L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
+L<SSL_CTX_flush_sessions(3)|<SSL_CTX_flush_sessions(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_sessions.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_sessions.pod
new file mode 100644
index 0000000000..e05aab3c1b
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_sessions.pod
@@ -0,0 +1,34 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_sessions - access internal session cache
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx);
+
+=head1 DESCRIPTION
+
+SSL_CTX_sessions() returns a pointer to the lhash databases containing the
+internal session cache for B<ctx>.
+
+=head1 NOTES
+
+The sessions in the internal session cache are kept in an
+L<lhash(3)|lhash(3)> type database. It is possible to directly
+access this database e.g. for searching. In parallel, the sessions
+form a linked list which is maintained separately from the
+L<lhash(3)|lhash(3)> operations, so that the database must not be
+modified directly but by using the
+L<SSL_CTX_add_session(3)|SSL_CTX_add_session(3)> family of functions.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<lhash(3)|lhash(3)>,
+L<SSL_CTX_add_session(3)|SSL_CTX_add_session(3)>,
+L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_cert_store.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_cert_store.pod
new file mode 100644
index 0000000000..81286ee650
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_cert_store.pod
@@ -0,0 +1,57 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_cert_store, SSL_CTX_get_cert_store - manipulate X509 certificate verification storage
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store);
+ X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_cert_store() sets/replaces the certificate verification storage
+of B<ctx> to/with B<store>. If another X505_STORE object is currently
+set in B<ctx>, it will be X509_STORE_free()ed.
+
+SSL_CTX_get_cert_store() returns a pointer to the current certificate
+verification storage.
+
+=head1 NOTES
+
+In order to verify the certificates presented by the peer, trusted CA
+certificates must be accessed. These CA certificates are made available
+via lookup methods, handled inside the X509_STORE. From the X509_STORE
+the X509_STORE_CTX used when verifying certificates is created.
+
+Typically the trusted certificate store is handled indirectly via using
+L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>.
+Using the SSL_CTX_set_cert_store() and SSL_CTX_get_cert_store() functions
+it is possible to manipulate the X509_STORE object beyond the
+L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
+call.
+
+Currently no detailed documentation on how to use the X509_STORE
+object is available. Not all members of the X509_STORE are used when
+the verification takes place. So will e.g. the verify_callback() be
+overridden with the verify_callback() set via the
+L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)> family of functions.
+This document must therefore be updated when documentation about the
+X509_STORE object and its handling becomes available.
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_cert_store() does not return diagnostic output.
+
+SSL_CTX_get_cert_store() returns the current setting.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>,
+L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_cert_verify_callback.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_cert_verify_callback.pod
new file mode 100644
index 0000000000..c0f4f85708
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_cert_verify_callback.pod
@@ -0,0 +1,75 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_cert_verify_callback - set peer certificate verification procedure
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*callback)(X509_STORE_CTX *,void *), void *arg);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_cert_verify_callback() sets the verification callback function for
+I<ctx>. SSL objects that are created from I<ctx> inherit the setting valid at
+the time when L<SSL_new(3)|SSL_new(3)> is called.
+
+=head1 NOTES
+
+Whenever a certificate is verified during a SSL/TLS handshake, a verification
+function is called. If the application does not explicitly specify a
+verification callback function, the built-in verification function is used.
+If a verification callback I<callback> is specified via
+SSL_CTX_set_cert_verify_callback(), the supplied callback function is called
+instead. By setting I<callback> to NULL, the default behaviour is restored.
+
+When the verification must be performed, I<callback> will be called with
+the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The 
+argument I<arg> is specified by the application when setting I<callback>.
+
+I<callback> should return 1 to indicate verification success and 0 to
+indicate verification failure. If SSL_VERIFY_PEER is set and I<callback>
+returns 0, the handshake will fail. As the verification procedure may
+allow to continue the connection in case of failure (by always returning 1)
+the verification result must be set in any case using the B<error>
+member of I<x509_store_ctx> so that the calling application will be informed
+about the detailed result of the verification procedure! 
+
+Within I<x509_store_ctx>, I<callback> has access to the I<verify_callback>
+function set using L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>.
+
+=head1 WARNINGS
+
+Do not mix the verification callback described in this function with the
+B<verify_callback> function called during the verification process. The
+latter is set using the L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>
+family of functions.
+
+Providing a complete verification procedure including certificate purpose
+settings etc is a complex task. The built-in procedure is quite powerful
+and in most cases it should be sufficient to modify its behaviour using
+the B<verify_callback> function.
+
+=head1 BUGS
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_cert_verify_callback() does not provide diagnostic information.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>,
+L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>,
+L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
+
+=head1 HISTORY
+
+Previous to OpenSSL 0.9.7, the I<arg> argument to B<SSL_CTX_set_cert_verify_callback>
+was ignored, and I<callback> was called simply as
+ int (*callback)(X509_STORE_CTX *)
+To compile software written for previous versions of OpenSSL, a dummy
+argument will have to be added to I<callback>.
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_cipher_list.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_cipher_list.pod
new file mode 100644
index 0000000000..272d6b3de2
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_cipher_list.pod
@@ -0,0 +1,52 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_cipher_list, SSL_set_cipher_list 
+- choose list of available SSL_CIPHERs
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str);
+ int SSL_set_cipher_list(SSL *ssl, const char *str);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_cipher_list() sets the list of available ciphers for B<ctx>
+using the control string B<str>. The format of the string is described
+in L<ciphers(1)|ciphers(1)>. The list of ciphers is inherited by all
+B<ssl> objects created from B<ctx>.
+
+SSL_set_cipher_list() sets the list of ciphers only for B<ssl>.
+
+=head1 NOTES
+
+The control string B<str> should be universally usable and not depend
+on details of the library configuration (ciphers compiled in). Thus no
+syntax checking takes place. Items that are not recognized, because the
+corresponding ciphers are not compiled in or because they are mistyped,
+are simply ignored. Failure is only flagged if no ciphers could be collected
+at all.
+
+It should be noted, that inclusion of a cipher to be used into the list is
+a necessary condition. On the client side, the inclusion into the list is
+also sufficient. On the server side, additional restrictions apply. All ciphers
+have additional requirements. ADH ciphers don't need a certificate, but
+DH-parameters must have been set. All other ciphers need a corresponding
+certificate and key. A RSA cipher can only be chosen, when a RSA certificate is
+available, the respective is valid for DSA ciphers. Ciphers using EDH need
+a certificate and key and DH-parameters.
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_cipher_list() and SSL_set_cipher_list() return 1 if any cipher
+could be selected and 0 on complete failure.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>,
+L<ciphers(1)|ciphers(1)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_client_CA_list.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_client_CA_list.pod
new file mode 100644
index 0000000000..81e312761e
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_client_CA_list.pod
@@ -0,0 +1,90 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_client_CA_list, SSL_set_client_CA_list, SSL_CTX_add_client_CA,
+SSL_add_client_CA - set list of CAs sent to the client when requesting a
+client certificate
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+ 
+ void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);
+ void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list);
+ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *cacert);
+ int SSL_add_client_CA(SSL *ssl, X509 *cacert);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_client_CA_list() sets the B<list> of CAs sent to the client when
+requesting a client certificate for B<ctx>.
+
+SSL_set_client_CA_list() sets the B<list> of CAs sent to the client when
+requesting a client certificate for the chosen B<ssl>, overriding the
+setting valid for B<ssl>'s SSL_CTX object.
+
+SSL_CTX_add_client_CA() adds the CA name extracted from B<cacert> to the
+list of CAs sent to the client when requesting a client certificate for
+B<ctx>.
+
+SSL_add_client_CA() adds the CA name extracted from B<cacert> to the
+list of CAs sent to the client when requesting a client certificate for
+the chosen B<ssl>, overriding the setting valid for B<ssl>'s SSL_CTX object.
+
+=head1 NOTES
+
+When a TLS/SSL server requests a client certificate (see
+B<SSL_CTX_set_verify_options()>), it sends a list of CAs, for which
+it will accept certificates, to the client. If no special list is provided,
+the CAs available using the B<CAfile> option in
+L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
+are sent.
+
+This list can be explicitly set using the SSL_CTX_set_client_CA_list() for
+B<ctx> and SSL_set_client_CA_list() for the specific B<ssl>. The list
+specified overrides the previous setting. The CAs listed do not become
+trusted (B<list> only contains the names, not the complete certificates); use
+L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)> 
+to additionally load them for verification.
+
+SSL_CTX_add_client_CA() and SSL_add_client_CA() can be used to add additional
+items the list of client CAs. If no list was specified before using
+SSL_CTX_set_client_CA_list() or SSL_set_client_CA_list(), a new client
+CA list for B<ctx> or B<ssl> (as appropriate) is opened. The CAs implicitly
+specified using
+L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
+are no longer used automatically.
+
+These functions are only useful for TLS/SSL servers.
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_client_CA_list() and SSL_set_client_CA_list() do not return
+diagnostic information.
+
+SSL_CTX_add_client_CA() and SSL_add_client_CA() have the following return
+values:
+
+=over 4
+
+=item 1
+
+The operation succeeded.
+
+=item 0
+
+A failure while manipulating the STACK_OF(X509_NAME) object occurred or
+the X509_NAME could not be extracted from B<cacert>. Check the error stack
+to find out the reason.
+
+=back
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>,
+L<SSL_load_client_CA_file(3)|SSL_load_client_CA_file(3)>
+L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_client_cert_cb.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_client_cert_cb.pod
new file mode 100644
index 0000000000..53e1827713
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_client_cert_cb.pod
@@ -0,0 +1,90 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_client_cert_cb, SSL_CTX_get_client_cert_cb - handle client certificate callback function
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
+ int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
+ int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_client_cert_cb() sets the B<client_cert_cb()> callback, that is
+called when a client certificate is requested by a server.
+When B<client_cert_cb()> is NULL, not callback function is used.
+
+SSL_CTX_get_client_cert_cb() returns a pointer to the currently set callback
+function.
+
+client_cert_cb() is the application defined callback. If it wants to
+set a certificate, a certificate/private key combination must be set
+using the B<x509> and B<pkey> arguments and "1" must be returned. The
+certificate will be installed into B<ssl>, see the NOTES and BUGS sections.
+If no certificate should be set, "0" has to be returned and the default
+certificate will be sent. A fatal error can be indicated by returning
+a negative value, in which case the handshake will be canceled.
+
+=head1 NOTES
+
+During a handshake (or renegotiation) a server may request a certificate
+from the client. A client certificate must only be sent, when the server
+did send the request.
+
+When no callback function is set, an OpenSSL client will send the certificate
+that was set using the
+L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)> family of functions.
+The TLS standard requires that only a certificate is sent, if it matches
+the list of acceptable CAs sent by the server. This constraint is
+violated by the default behavior of the OpenSSL library. Using the
+callback function it is possible to implement a proper selection routine
+or to allow a user interaction to choose the certificate to be sent.
+The callback function can obtain the list of acceptable CAs using the
+L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)> function.
+
+If a callback function is defined, the callback function will be called.
+If the callback function returns a certificate, the OpenSSL library
+will try to load the private key and certificate data into the SSL
+object using SSL_use_certificate() and SSL_use_private_key() functions.
+Thus it will permanently override the certificate and key previously
+installed and will not be reset by calling L<SSL_clear(3)|SSL_clear(3)>.
+If the callback returns no certificate, the OpenSSL library will send
+the certificate previously installed for the SSL_CTX object or the specific
+certificate of the SSL object, if available.
+
+=head1 BUGS
+
+The client_cert_cb() cannot return a complete certificate chain, it can
+only return one client certificate. If the chain only has a length of 2,
+the root CA certificate may be omitted according to the TLS standard and
+thus a standard conforming answer can be sent to the server. For a
+longer chain, the client must send the complete chain (with the option
+to leave out the root CA certificate). This can only be accomplished by
+either adding the intermediate CA certificates into the trusted
+certificate store for the SSL_CTX object (resulting in having to add
+CA certificates that otherwise maybe would not be trusted), or by adding
+the chain certificates using the
+L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>
+function, which is only available for the SSL_CTX object as a whole and that
+therefore probably can only apply for one client certificate, making
+the concept of the callback function (to allow the choice from several
+certificates) questionable.
+
+Once the SSL object has been used in conjunction with the callback function,
+the certificate will be set for the SSL object and will not be cleared
+even when L<SSL_clear(3)|SSL_clear(3)> is being called. It is therefore
+mandatory to destroy the SSL object using L<SSL_free(3)|SSL_free(3)>
+and create a new one to return to the previous state.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>,
+L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>,
+L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>,
+L<SSL_clear(3)|SSL_clear(3)>, L<SSL_free(3)|SSL_free(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_default_passwd_cb.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_default_passwd_cb.pod
new file mode 100644
index 0000000000..a5343a1cf3
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_default_passwd_cb.pod
@@ -0,0 +1,70 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_default_passwd_cb, SSL_CTX_set_default_passwd_cb_userdata - set passwd callback for encrypted PEM file handling
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
+ void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
+
+ int pem_passwd_cb(char *buf, int size, int rwflag, void *userdata);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_default_passwd_cb() sets the default password callback called
+when loading/storing a PEM certificate with encryption.
+
+SSL_CTX_set_default_passwd_cb_userdata() sets a pointer to B<userdata> which
+will be provided to the password callback on invocation.
+
+The pem_passwd_cb(), which must be provided by the application, hands back the
+password to be used during decryption. On invocation a pointer to B<userdata>
+is provided. The pem_passwd_cb must write the password into the provided buffer
+B<buf> which is of size B<size>. The actual length of the password must
+be returned to the calling function. B<rwflag> indicates whether the
+callback is used for reading/decryption (rwflag=0) or writing/encryption
+(rwflag=1).
+
+=head1 NOTES
+
+When loading or storing private keys, a password might be supplied to
+protect the private key. The way this password can be supplied may depend
+on the application. If only one private key is handled, it can be practical
+to have pem_passwd_cb() handle the password dialog interactively. If several
+keys have to be handled, it can be practical to ask for the password once,
+then keep it in memory and use it several times. In the last case, the
+password could be stored into the B<userdata> storage and the
+pem_passwd_cb() only returns the password already stored.
+
+Other items in PEM formatting (certificates) can also be encrypted, it is
+however not usual, as certificate information is considered public.
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_default_passwd_cb() and SSL_CTX_set_default_passwd_cb_userdata()
+do not provide diagnostic information.
+
+=head1 EXAMPLES
+
+The following example returns the password provided as B<userdata> to the
+calling function. The password is considered to be a '\0' terminated
+string. If the password does not fit into the buffer, the password is
+truncated.
+
+ int pem_passwd_cb(char *buf, int size, int rwflag, void *password)
+ {
+  strncpy(buf, (char *)(password), size);
+  buf[size - 1] = '\0';
+  return(strlen(buf));
+ }
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_generate_session_id.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_generate_session_id.pod
new file mode 100644
index 0000000000..798e8443a7
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_generate_session_id.pod
@@ -0,0 +1,150 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_generate_session_id, SSL_set_generate_session_id, SSL_has_matching_session_id - manipulate generation of SSL session IDs (server only)
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ typedef int (*GEN_SESSION_CB)(const SSL *ssl, unsigned char *id,
+                               unsigned int *id_len);
+
+ int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb);
+ int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB, cb);
+ int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
+                                 unsigned int id_len);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_generate_session_id() sets the callback function for generating
+new session ids for SSL/TLS sessions for B<ctx> to be B<cb>.
+
+SSL_set_generate_session_id() sets the callback function for generating
+new session ids for SSL/TLS sessions for B<ssl> to be B<cb>.
+
+SSL_has_matching_session_id() checks, whether a session with id B<id>
+(of length B<id_len>) is already contained in the internal session cache
+of the parent context of B<ssl>.
+
+=head1 NOTES
+
+When a new session is established between client and server, the server
+generates a session id. The session id is an arbitrary sequence of bytes.
+The length of the session id is 16 bytes for SSLv2 sessions and between
+1 and 32 bytes for SSLv3/TLSv1. The session id is not security critical
+but must be unique for the server. Additionally, the session id is
+transmitted in the clear when reusing the session so it must not contain
+sensitive information.
+
+Without a callback being set, an OpenSSL server will generate a unique
+session id from pseudo random numbers of the maximum possible length.
+Using the callback function, the session id can be changed to contain
+additional information like e.g. a host id in order to improve load balancing
+or external caching techniques.
+
+The callback function receives a pointer to the memory location to put
+B<id> into and a pointer to the maximum allowed length B<id_len>. The
+buffer at location B<id> is only guaranteed to have the size B<id_len>.
+The callback is only allowed to generate a shorter id and reduce B<id_len>;
+the callback B<must never> increase B<id_len> or write to the location
+B<id> exceeding the given limit.
+
+If a SSLv2 session id is generated and B<id_len> is reduced, it will be
+restored after the callback has finished and the session id will be padded
+with 0x00. It is not recommended to change the B<id_len> for SSLv2 sessions.
+The callback can use the L<SSL_get_version(3)|SSL_get_version(3)> function
+to check, whether the session is of type SSLv2.
+
+The location B<id> is filled with 0x00 before the callback is called, so the
+callback may only fill part of the possible length and leave B<id_len>
+untouched while maintaining reproducibility.
+
+Since the sessions must be distinguished, session ids must be unique.
+Without the callback a random number is used, so that the probability
+of generating the same session id is extremely small (2^128 possible ids
+for an SSLv2 session, 2^256 for SSLv3/TLSv1). In order to assure the
+uniqueness of the generated session id, the callback must call
+SSL_has_matching_session_id() and generate another id if a conflict occurs.
+If an id conflict is not resolved, the handshake will fail.
+If the application codes e.g. a unique host id, a unique process number, and
+a unique sequence number into the session id, uniqueness could easily be
+achieved without randomness added (it should however be taken care that
+no confidential information is leaked this way). If the application can not
+guarantee uniqueness, it is recommended to use the maximum B<id_len> and
+fill in the bytes not used to code special information with random data
+to avoid collisions.
+
+SSL_has_matching_session_id() will only query the internal session cache,
+not the external one. Since the session id is generated before the
+handshake is completed, it is not immediately added to the cache. If
+another thread is using the same internal session cache, a race condition
+can occur in that another thread generates the same session id.
+Collisions can also occur when using an external session cache, since
+the external cache is not tested with SSL_has_matching_session_id()
+and the same race condition applies.
+
+When calling SSL_has_matching_session_id() for an SSLv2 session with
+reduced B<id_len>, the match operation will be performed using the
+fixed length required and with a 0x00 padded id.
+
+The callback must return 0 if it cannot generate a session id for whatever
+reason and return 1 on success.
+
+=head1 EXAMPLES
+
+The callback function listed will generate a session id with the
+server id given, and will fill the rest with pseudo random bytes:
+
+ const char session_id_prefix = "www-18";
+
+ #define MAX_SESSION_ID_ATTEMPTS 10
+ static int generate_session_id(const SSL *ssl, unsigned char *id,
+                              unsigned int *id_len)
+      {
+      unsigned int count = 0;
+      const char *version;
+
+      version = SSL_get_version(ssl);
+      if (!strcmp(version, "SSLv2"))
+          /* we must not change id_len */;
+
+      do      {
+              RAND_pseudo_bytes(id, *id_len);
+              /* Prefix the session_id with the required prefix. NB: If our
+               * prefix is too long, clip it - but there will be worse effects
+               * anyway, eg. the server could only possibly create 1 session
+               * ID (ie. the prefix!) so all future session negotiations will
+               * fail due to conflicts. */
+              memcpy(id, session_id_prefix,
+                      (strlen(session_id_prefix) < *id_len) ?
+                      strlen(session_id_prefix) : *id_len);
+              }
+      while(SSL_has_matching_session_id(ssl, id, *id_len) &&
+              (++count < MAX_SESSION_ID_ATTEMPTS));
+      if(count >= MAX_SESSION_ID_ATTEMPTS)
+              return 0;
+      return 1;
+      }
+
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_generate_session_id() and SSL_set_generate_session_id()
+always return 1.
+
+SSL_has_matching_session_id() returns 1 if another session with the
+same id is already in the cache.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_get_version(3)|SSL_get_version(3)>
+
+=head1 HISTORY
+
+SSL_CTX_set_generate_session_id(), SSL_set_generate_session_id()
+and SSL_has_matching_session_id() have been introduced in
+OpenSSL 0.9.7.
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_info_callback.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_info_callback.pod
new file mode 100644
index 0000000000..63d0b8d33f
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_info_callback.pod
@@ -0,0 +1,153 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_info_callback, SSL_CTX_get_info_callback, SSL_set_info_callback, SSL_get_info_callback - handle information callback for SSL connections
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*callback)());
+ void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))();
+
+ void SSL_set_info_callback(SSL *ssl, void (*callback)());
+ void (*SSL_get_info_callback(SSL *ssl))();
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_info_callback() sets the B<callback> function, that can be used to
+obtain state information for SSL objects created from B<ctx> during connection
+setup and use. The setting for B<ctx> is overridden from the setting for
+a specific SSL object, if specified.
+When B<callback> is NULL, not callback function is used.
+
+SSL_set_info_callback() sets the B<callback> function, that can be used to
+obtain state information for B<ssl> during connection setup and use.
+When B<callback> is NULL, the callback setting currently valid for
+B<ctx> is used.
+
+SSL_CTX_get_info_callback() returns a pointer to the currently set information
+callback function for B<ctx>.
+
+SSL_get_info_callback() returns a pointer to the currently set information
+callback function for B<ssl>.
+
+=head1 NOTES
+
+When setting up a connection and during use, it is possible to obtain state
+information from the SSL/TLS engine. When set, an information callback function
+is called whenever the state changes, an alert appears, or an error occurs.
+
+The callback function is called as B<callback(SSL *ssl, int where, int ret)>.
+The B<where> argument specifies information about where (in which context)
+the callback function was called. If B<ret> is 0, an error condition occurred.
+If an alert is handled, SSL_CB_ALERT is set and B<ret> specifies the alert
+information.
+
+B<where> is a bitmask made up of the following bits:
+
+=over 4
+
+=item SSL_CB_LOOP
+
+Callback has been called to indicate state change inside a loop.
+
+=item SSL_CB_EXIT
+
+Callback has been called to indicate error exit of a handshake function.
+(May be soft error with retry option for non-blocking setups.)
+
+=item SSL_CB_READ
+
+Callback has been called during read operation.
+
+=item SSL_CB_WRITE
+
+Callback has been called during write operation.
+
+=item SSL_CB_ALERT
+
+Callback has been called due to an alert being sent or received.
+
+=item SSL_CB_READ_ALERT               (SSL_CB_ALERT|SSL_CB_READ)
+
+=item SSL_CB_WRITE_ALERT              (SSL_CB_ALERT|SSL_CB_WRITE)
+
+=item SSL_CB_ACCEPT_LOOP              (SSL_ST_ACCEPT|SSL_CB_LOOP)
+
+=item SSL_CB_ACCEPT_EXIT              (SSL_ST_ACCEPT|SSL_CB_EXIT)
+
+=item SSL_CB_CONNECT_LOOP             (SSL_ST_CONNECT|SSL_CB_LOOP)
+
+=item SSL_CB_CONNECT_EXIT             (SSL_ST_CONNECT|SSL_CB_EXIT)
+
+=item SSL_CB_HANDSHAKE_START
+
+Callback has been called because a new handshake is started.
+
+=item SSL_CB_HANDSHAKE_DONE           0x20
+
+Callback has been called because a handshake is finished.
+
+=back
+
+The current state information can be obtained using the
+L<SSL_state_string(3)|SSL_state_string(3)> family of functions.
+
+The B<ret> information can be evaluated using the
+L<SSL_alert_type_string(3)|SSL_alert_type_string(3)> family of functions.
+
+=head1 RETURN VALUES
+
+SSL_set_info_callback() does not provide diagnostic information.
+
+SSL_get_info_callback() returns the current setting.
+
+=head1 EXAMPLES
+
+The following example callback function prints state strings, information
+about alerts being handled and error messages to the B<bio_err> BIO.
+
+ void apps_ssl_info_callback(SSL *s, int where, int ret)
+        {
+        const char *str;
+        int w;
+
+        w=where& ~SSL_ST_MASK;
+
+        if (w & SSL_ST_CONNECT) str="SSL_connect";
+        else if (w & SSL_ST_ACCEPT) str="SSL_accept";
+        else str="undefined";
+
+        if (where & SSL_CB_LOOP)
+                {
+                BIO_printf(bio_err,"%s:%s\n",str,SSL_state_string_long(s));
+                }
+        else if (where & SSL_CB_ALERT)
+                {
+                str=(where & SSL_CB_READ)?"read":"write";
+                BIO_printf(bio_err,"SSL3 alert %s:%s:%s\n",
+                        str,
+                        SSL_alert_type_string_long(ret),
+                        SSL_alert_desc_string_long(ret));
+                }
+        else if (where & SSL_CB_EXIT)
+                {
+                if (ret == 0)
+                        BIO_printf(bio_err,"%s:failed in %s\n",
+                                str,SSL_state_string_long(s));
+                else if (ret < 0)
+                        {
+                        BIO_printf(bio_err,"%s:error in %s\n",
+                                str,SSL_state_string_long(s));
+                        }
+                }
+        }
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_state_string(3)|SSL_state_string(3)>,
+L<SSL_alert_type_string(3)|SSL_alert_type_string(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_max_cert_list.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_max_cert_list.pod
new file mode 100644
index 0000000000..da68cb9fc2
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_max_cert_list.pod
@@ -0,0 +1,77 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_max_cert_list, SSL_CTX_get_max_cert_list, SSL_set_max_cert_list, SSL_get_max_cert_list, - manipulate allowed for the peer's certificate chain
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ long SSL_CTX_set_max_cert_list(SSL_CTX *ctx, long size);
+ long SSL_CTX_get_max_cert_list(SSL_CTX *ctx);
+
+ long SSL_set_max_cert_list(SSL *ssl, long size);
+ long SSL_get_max_cert_list(SSL *ctx);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_max_cert_list() sets the maximum size allowed for the peer's
+certificate chain for all SSL objects created from B<ctx> to be <size> bytes.
+The SSL objects inherit the setting valid for B<ctx> at the time
+L<SSL_new(3)|SSL_new(3)> is being called.
+
+SSL_CTX_get_max_cert_list() returns the currently set maximum size for B<ctx>.
+
+SSL_set_max_cert_list() sets the maximum size allowed for the peer's
+certificate chain for B<ssl> to be <size> bytes. This setting stays valid
+until a new value is set.
+
+SSL_get_max_cert_list() returns the currently set maximum size for B<ssl>.
+
+=head1 NOTES
+
+During the handshake process, the peer may send a certificate chain.
+The TLS/SSL standard does not give any maximum size of the certificate chain.
+The OpenSSL library handles incoming data by a dynamically allocated buffer.
+In order to prevent this buffer from growing without bounds due to data
+received from a faulty or malicious peer, a maximum size for the certificate
+chain is set.
+
+The default value for the maximum certificate chain size is 100kB (30kB
+on the 16bit DOS platform). This should be sufficient for usual certificate
+chains (OpenSSL's default maximum chain length is 10, see
+L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>, and certificates
+without special extensions have a typical size of 1-2kB).
+
+For special applications it can be necessary to extend the maximum certificate
+chain size allowed to be sent by the peer, see e.g. the work on
+"Internet X.509 Public Key Infrastructure Proxy Certificate Profile"
+and "TLS Delegation Protocol" at http://www.ietf.org/ and
+http://www.globus.org/ .
+
+Under normal conditions it should never be necessary to set a value smaller
+than the default, as the buffer is handled dynamically and only uses the
+memory actually required by the data sent by the peer.
+
+If the maximum certificate chain size allowed is exceeded, the handshake will
+fail with a SSL_R_EXCESSIVE_MESSAGE_SIZE error.
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_max_cert_list() and SSL_set_max_cert_list() return the previously
+set value.
+
+SSL_CTX_get_max_cert_list() and SSL_get_max_cert_list() return the currently
+set value.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>,
+L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>
+
+=head1 HISTORY
+
+SSL*_set/get_max_cert_list() have been introduced in OpenSSL 0.9.7.
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_mode.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_mode.pod
new file mode 100644
index 0000000000..9a035bb4d1
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_mode.pod
@@ -0,0 +1,78 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_mode, SSL_set_mode, SSL_CTX_get_mode, SSL_get_mode - manipulate SSL engine mode
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ long SSL_CTX_set_mode(SSL_CTX *ctx, long mode);
+ long SSL_set_mode(SSL *ssl, long mode);
+
+ long SSL_CTX_get_mode(SSL_CTX *ctx);
+ long SSL_get_mode(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_mode() adds the mode set via bitmask in B<mode> to B<ctx>.
+Options already set before are not cleared.
+
+SSL_set_mode() adds the mode set via bitmask in B<mode> to B<ssl>.
+Options already set before are not cleared.
+
+SSL_CTX_get_mode() returns the mode set for B<ctx>.
+
+SSL_get_mode() returns the mode set for B<ssl>.
+
+=head1 NOTES
+
+The following mode changes are available:
+
+=over 4
+
+=item SSL_MODE_ENABLE_PARTIAL_WRITE
+
+Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
+when just a single record has been written). When not set (the default),
+SSL_write() will only report success once the complete chunk was written.
+
+=item SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
+
+Make it possible to retry SSL_write() with changed buffer location
+(the buffer contents must stay the same). This is not the default to avoid
+the misconception that non-blocking SSL_write() behaves like
+non-blocking write().
+
+=item SSL_MODE_AUTO_RETRY
+
+Never bother the application with retries if the transport is blocking.
+If a renegotiation take place during normal operation, a
+L<SSL_read(3)|SSL_read(3)> or L<SSL_write(3)|SSL_write(3)> would return
+with -1 and indicate the need to retry with SSL_ERROR_WANT_READ.
+In a non-blocking environment applications must be prepared to handle
+incomplete read/write operations.
+In a blocking environment, applications are not always prepared to
+deal with read/write operations returning without success report. The
+flag SSL_MODE_AUTO_RETRY will cause read/write operations to only
+return after the handshake and successful completion.
+
+=back
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_mode() and SSL_set_mode() return the new mode bitmask
+after adding B<mode>.
+
+SSL_CTX_get_mode() and SSL_get_mode() return the current bitmask.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_read(3)|SSL_read(3)>, L<SSL_write(3)|SSL_write(3)>
+
+=head1 HISTORY
+
+SSL_MODE_AUTO_RETRY as been added in OpenSSL 0.9.6.
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_msg_callback.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_msg_callback.pod
new file mode 100644
index 0000000000..a423932d0a
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_msg_callback.pod
@@ -0,0 +1,97 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_msg_callback, SSL_CTX_set_msg_callback_arg, SSL_set_msg_callback, SSL_get_msg_callback_arg - install callback for observing protocol messages
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
+ void SSL_CTX_set_msg_callback_arg(SSL_CTX *ctx, void *arg);
+
+ void SSL_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
+ void SSL_set_msg_callback_arg(SSL_CTX *ctx, void *arg);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_msg_callback() or SSL_set_msg_callback() can be used to
+define a message callback function I<cb> for observing all SSL/TLS
+protocol messages (such as handshake messages) that are received or
+sent.  SSL_CTX_set_msg_callback_arg() and SSL_set_msg_callback_arg()
+can be used to set argument I<arg> to the callback function, which is
+available for arbitrary application use.
+
+SSL_CTX_set_msg_callback() and SSL_CTX_set_msg_callback_arg() specify
+default settings that will be copied to new B<SSL> objects by
+L<SSL_new(3)|SSL_new(3)>. SSL_set_msg_callback() and
+SSL_set_msg_callback_arg() modify the actual settings of an B<SSL>
+object. Using a B<0> pointer for I<cb> disables the message callback.
+
+When I<cb> is called by the SSL/TLS library for a protocol message,
+the function arguments have the following meaning:
+
+=over 4
+
+=item I<write_p>
+
+This flag is B<0> when a protocol message has been received and B<1>
+when a protocol message has been sent.
+
+=item I<version>
+
+The protocol version according to which the protocol message is
+interpreted by the library. Currently, this is one of
+B<SSL2_VERSION>, B<SSL3_VERSION> and B<TLS1_VERSION> (for SSL 2.0, SSL
+3.0 and TLS 1.0, respectively).
+
+=item I<content_type>
+
+In the case of SSL 2.0, this is always B<0>.  In the case of SSL 3.0
+or TLS 1.0, this is one of the B<ContentType> values defined in the
+protocol specification (B<change_cipher_spec(20)>, B<alert(21)>,
+B<handshake(22)>; but never B<application_data(23)> because the
+callback will only be called for protocol messages).
+
+=item I<buf>, I<len>
+
+I<buf> points to a buffer containing the protocol message, which
+consists of I<len> bytes. The buffer is no longer valid after the
+callback function has returned.
+
+=item I<ssl>
+
+The B<SSL> object that received or sent the message.
+
+=item I<arg>
+
+The user-defined argument optionally defined by
+SSL_CTX_set_msg_callback_arg() or SSL_set_msg_callback_arg().
+
+=head1 NOTES
+
+Protocol messages are passed to the callback function after decryption
+and fragment collection where applicable. (Thus record boundaries are
+not visible.)
+
+If processing a received protocol message results in an error,
+the callback function may not be called.  For example, the callback
+function will never see messages that are considered too large to be
+processed.
+
+Due to automatic protocol version negotiation, I<version> is not
+necessarily the protocol version used by the sender of the message: If
+a TLS 1.0 ClientHello message is received by an SSL 3.0-only server,
+I<version> will be B<SSL3_VERSION>.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>
+
+=head1 HISTORY
+
+SSL_CTX_set_msg_callback(), SSL_CTX_set_msg_callback_arg(),
+SSL_set_msg_callback() and SSL_get_msg_callback_arg() were added in OpenSSL 0.9.7.
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod
new file mode 100644
index 0000000000..3dc7cc74ad
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod
@@ -0,0 +1,183 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_options, SSL_set_options, SSL_CTX_get_options, SSL_get_options - manipulate SSL engine options
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ long SSL_CTX_set_options(SSL_CTX *ctx, long options);
+ long SSL_set_options(SSL *ssl, long options);
+
+ long SSL_CTX_get_options(SSL_CTX *ctx);
+ long SSL_get_options(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_options() adds the options set via bitmask in B<options> to B<ctx>.
+Options already set before are not cleared.
+
+SSL_set_options() adds the options set via bitmask in B<options> to B<ssl>.
+Options already set before are not cleared.
+
+SSL_CTX_get_options() returns the options set for B<ctx>.
+
+SSL_get_options() returns the options set for B<ssl>.
+
+=head1 NOTES
+
+The behaviour of the SSL library can be changed by setting several options.
+The options are coded as bitmasks and can be combined by a logical B<or>
+operation (|). Options can only be added but can never be reset.
+
+During a handshake, the option settings of the SSL object used. When
+a new SSL object is created from a context using SSL_new(), the current
+option setting is copied. Changes to B<ctx> do not affect already created
+SSL objects. SSL_clear() does not affect the settings.
+
+The following B<bug workaround> options are available:
+
+=over 4
+
+=item SSL_OP_MICROSOFT_SESS_ID_BUG
+
+www.microsoft.com - when talking SSLv2, if session-id reuse is
+performed, the session-id passed back in the server-finished message
+is different from the one decided upon.
+
+=item SSL_OP_NETSCAPE_CHALLENGE_BUG
+
+Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte
+challenge but then appears to only use 16 bytes when generating the
+encryption keys.  Using 16 bytes is ok but it should be ok to use 32.
+According to the SSLv3 spec, one should use 32 bytes for the challenge
+when operating in SSLv2/v3 compatibility mode, but as mentioned above,
+this breaks this server so 16 bytes is the way to go.
+
+=item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
+
+ssl3.netscape.com:443, first a connection is established with RC4-MD5.
+If it is then resumed, we end up using DES-CBC3-SHA.  It should be
+RC4-MD5 according to 7.6.1.3, 'cipher_suite'.
+
+Netscape-Enterprise/2.01 (https://merchant.netscape.com) has this bug.
+It only really shows up when connecting via SSLv2/v3 then reconnecting
+via SSLv3. The cipher list changes....
+
+NEW INFORMATION.  Try connecting with a cipher list of just
+DES-CBC-SHA:RC4-MD5.  For some weird reason, each new connection uses
+RC4-MD5, but a re-connect tries to use DES-CBC-SHA.  So netscape, when
+doing a re-connect, always takes the first cipher in the cipher list.
+
+=item SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
+
+...
+
+=item SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
+
+...
+
+=item SSL_OP_MSIE_SSLV2_RSA_PADDING
+
+...
+
+=item SSL_OP_SSLEAY_080_CLIENT_DH_BUG
+
+...
+
+=item SSL_OP_TLS_D5_BUG
+
+...
+
+=item SSL_OP_TLS_BLOCK_PADDING_BUG
+
+...
+
+=item SSL_OP_TLS_ROLLBACK_BUG
+
+Disable version rollback attack detection.
+
+During the client key exchange, the client must send the same information
+about acceptable SSL/TLS protocol levels as during the first hello. Some
+clients violate this rule by adapting to the server's answer. (Example:
+the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server
+only understands up to SSLv3. In this case the client must still use the
+same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect
+to the server's answer and violate the version rollback protection.)
+
+=item SSL_OP_ALL
+
+All of the above bug workarounds.
+
+=back
+
+It is save and recommended to use SSL_OP_ALL to enable the bug workaround
+options.
+
+The following B<modifying> options are available:
+
+=over 4
+
+=item SSL_OP_SINGLE_DH_USE
+
+Always create a new key when using temporary DH parameters.
+
+=item SSL_OP_EPHEMERAL_RSA
+
+Also use the temporary RSA key when doing RSA operations.
+
+=item SSL_OP_PKCS1_CHECK_1
+
+...
+
+=item SSL_OP_PKCS1_CHECK_2
+
+...
+
+=item SSL_OP_NETSCAPE_CA_DN_BUG
+
+If we accept a netscape connection, demand a client cert, have a
+non-self-sighed CA which does not have it's CA in netscape, and the
+browser has a cert, it will crash/hang.  Works for 3.x and 4.xbeta 
+
+=item SSL_OP_NON_EXPORT_FIRST
+
+On servers try to use non-export (stronger) ciphers first. This option does
+not work under all circumstances (in the code it is declared "broken").
+
+=item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
+
+...
+
+=item SSL_OP_NO_SSLv2
+
+Do not use the SSLv2 protocol.
+
+=item SSL_OP_NO_SSLv3
+
+Do not use the SSLv3 protocol.
+
+=item SSL_OP_NO_TLSv1
+
+Do not use the TLSv1 protocol.
+
+=back
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_options() and SSL_set_options() return the new options bitmask
+after adding B<options>.
+
+SSL_CTX_get_options() and SSL_get_options() return the current bitmask.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, L<SSL_clear(3)|SSL_clear(3)>
+
+=head1 HISTORY
+
+SSL_OP_TLS_ROLLBACK_BUG has been added in OpenSSL 0.9.6.
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_quiet_shutdown.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_quiet_shutdown.pod
new file mode 100644
index 0000000000..1d0526d59a
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_quiet_shutdown.pod
@@ -0,0 +1,63 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_quiet_shutdown, SSL_CTX_get_quiet_shutdown, SSL_set_quiet_shutdown, SSL_get_quiet_shutdown - manipulate shutdown behaviour
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode);
+ int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx);
+
+ void SSL_set_quiet_shutdown(SSL *ssl, int mode);
+ int SSL_get_quiet_shutdown(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_quiet_shutdown() sets the "quiet shutdown" flag for B<ctx> to be
+B<mode>. SSL objects created from B<ctx> inherit the B<mode> valid at the time
+L<SSL_new(3)|SSL_new(3)> is called. B<mode> may be 0 or 1.
+
+SSL_CTX_get_quiet_shutdown() returns the "quiet shutdown" setting of B<ctx>.
+
+SSL_set_quiet_shutdown() sets the "quiet shutdown" flag for B<ssl> to be
+B<mode>. The setting stays valid until B<ssl> is removed with
+L<SSL_free(3)|SSL_free(3)> or SSL_set_quiet_shutdown() is called again.
+It is not changed when L<SSL_clear(3)|SSL_clear(3)> is called.
+B<mode> may be 0 or 1.
+
+SSL_get_quiet_shutdown() returns the "quiet shutdown" setting of B<ssl>.
+
+=head1 NOTES
+
+Normally when a SSL connection is finished, the parties must send out
+"close notify" alert messages using L<SSL_shutdown(3)|SSL_shutdown(3)>
+for a clean shutdown.
+
+When setting the "quiet shutdown" flag to 1, L<SSL_shutdown(3)|SSL_shutdown(3)>
+will set the internal flags to SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN.
+(L<SSL_shutdown(3)|SSL_shutdown(3)> then behaves like
+L<SSL_set_shutdown(3)|SSL_set_shutdown(3)> called with
+SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN.)
+The session is thus considered to be shutdown, but no "close notify" alert
+is sent to the peer. This behaviour violates the TLS standard.
+
+The default is normal shutdown behaviour as described by the TLS standard.
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_quiet_shutdown() and SSL_set_quiet_shutdown() do not return
+diagnostic information.
+
+SSL_CTX_get_quiet_shutdown() and SSL_get_quiet_shutdown return the current
+setting.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_shutdown(3)|SSL_shutdown(3)>,
+L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>, L<SSL_new(3)|SSL_new(3)>,
+L<SSL_clear(3)|SSL_clear(3)>, L<SSL_free(3)|SSL_free(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_session_cache_mode.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_session_cache_mode.pod
new file mode 100644
index 0000000000..083766f8d0
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_session_cache_mode.pod
@@ -0,0 +1,107 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_session_cache_mode, SSL_CTX_get_session_cache_mode - enable/disable session caching
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ long SSL_CTX_set_session_cache_mode(SSL_CTX ctx, long mode);
+ long SSL_CTX_get_session_cache_mode(SSL_CTX ctx);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_session_cache_mode() enables/disables session caching
+by setting the operational mode for B<ctx> to <mode>.
+
+SSL_CTX_get_session_cache_mode() returns the currently used cache mode.
+
+=head1 NOTES
+
+The OpenSSL library can store/retrieve SSL/TLS sessions for later reuse.
+The sessions can be held in memory for each B<ctx>, if more than one
+SSL_CTX object is being maintained, the sessions are unique for each SSL_CTX
+object.
+
+In order to reuse a session, a client must send the session's id to the
+server. It can only send exactly one id.  The server then decides whether it
+agrees in reusing the session or starts the handshake for a new session.
+
+A server will lookup up the session in its internal session storage. If
+the session is not found in internal storage or internal storage is
+deactivated, the server will try the external storage if available.
+
+Since a client may try to reuse a session intended for use in a different
+context, the session id context must be set by the server (see
+L<SSL_CTX_set_session_id_context(3)|SSL_CTX_set_session_id_context(3)>).
+
+The following session cache modes and modifiers are available:
+
+=over 4
+
+=item SSL_SESS_CACHE_OFF
+
+No session caching for client or server takes place.
+
+=item SSL_SESS_CACHE_CLIENT
+
+Client sessions are added to the session cache. As there is no reliable way
+for the OpenSSL library to know whether a session should be reused or which
+session to choose (due to the abstract BIO layer the SSL engine does not
+have details about the connection), the application must select the session
+to be reused by using the L<SSL_set_session(3)|SSL_set_session(3)>
+function. This option is not activated by default.
+
+=item SSL_SESS_CACHE_SERVER
+
+Server sessions are added to the session cache. When a client proposes a
+session to be reused, the session is looked up in the internal session cache.
+If the session is found, the server will try to reuse the session.
+This is the default.
+
+=item SSL_SESS_CACHE_BOTH
+
+Enable both SSL_SESS_CACHE_CLIENT and SSL_SESS_CACHE_SERVER at the same time.
+
+=item SSL_SESS_CACHE_NO_AUTO_CLEAR
+
+Normally the session cache is checked for expired sessions every
+255 connections using the
+L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)> function. Since
+this may lead to a delay which cannot be controlled, the automatic
+flushing may be disabled and
+L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)> can be called
+explicitly by the application.
+
+=item SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
+
+By setting this flag sessions are cached in the internal storage but
+they are not looked up automatically. If an external session cache
+is enabled, sessions are looked up in the external cache. As automatic
+lookup only applies for SSL/TLS servers, the flag has no effect on
+clients.
+
+=back
+
+The default mode is SSL_SESS_CACHE_SERVER.
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_session_cache_mode() returns the previously set cache mode.
+
+SSL_CTX_get_session_cache_mode() returns the currently set cache mode.
+
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_set_session(3)|SSL_set_session(3)>,
+L<SSL_CTX_sess_number(3)|SSL_CTX_sess_number(3)>,
+L<SSL_CTX_sess_set_cache_size(3)|SSL_CTX_sess_set_cache_size(3)>,
+L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>,
+L<SSL_CTX_set_session_id_context(3)|SSL_CTX_set_session_id_context(3)>,
+L<SSL_CTX_set_timeout.pod(3)|SSL_CTX_set_timeout.pod(3)>,
+L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_session_id_context.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_session_id_context.pod
new file mode 100644
index 0000000000..5949395159
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_session_id_context.pod
@@ -0,0 +1,82 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_session_id_context, SSL_set_session_id_context - set context within which session can be reused (server side only)
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx,
+                                    unsigned int sid_ctx_len);
+ int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx,
+                                unsigned int sid_ctx_len);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_session_id_context() sets the context B<sid_ctx> of length
+B<sid_ctx_len> within which a session can be reused for the B<ctx> object.
+
+SSL_set_session_id_context() sets the context B<sid_ctx> of length
+B<sid_ctx_len> within which a session can be reused for the B<ssl> object.
+
+=head1 NOTES
+
+Sessions are generated within a certain context. When exporting/importing
+sessions with B<i2d_SSL_SESSION>/B<d2i_SSL_SESSION> it would be possible,
+to re-import a session generated from another context (e.g. another
+application), which might lead to malfunctions. Therefore each application
+must set its own session id context B<sid_ctx> which is used to distinguish
+the contexts and is stored in exported sessions. The B<sid_ctx> can be
+any kind of binary data with a given length, it is therefore possible
+to use e.g. the name of the application and/or the hostname and/or service
+name ...
+
+The session id context becomes part of the session. The session id context
+is set by the SSL/TLS server. The SSL_CTX_set_session_id_context() and
+SSL_set_session_id_context() functions are therefore only useful on the
+server side.
+
+OpenSSL clients will check the session id context returned by the server
+when reusing a session.
+
+The maximum length of the B<sid_ctx> is limited to
+B<SSL_MAX_SSL_SESSION_ID_LENGTH>.
+
+=head1 WARNINGS
+
+If the session id context is not set on an SSL/TLS server, stored sessions
+will not be reused but a fatal error will be flagged and the handshake
+will fail.
+
+If a server returns a different session id context to an OpenSSL client
+when reusing a session, an error will be flagged and the handshake will
+fail. OpenSSL servers will always return the correct session id context,
+as an OpenSSL server checks the session id context itself before reusing
+a session as described above.
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_session_id_context() and SSL_set_session_id_context()
+return the following values:
+
+=over 4
+
+=item 0
+
+The length B<sid_ctx_len> of the session id context B<sid_ctx> exceeded
+the maximum allowed length of B<SSL_MAX_SSL_SESSION_ID_LENGTH>. The error
+is logged to the error stack.
+
+=item 1
+
+The operation succeeded.
+
+=back
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_ssl_version.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_ssl_version.pod
new file mode 100644
index 0000000000..3091bd6895
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_ssl_version.pod
@@ -0,0 +1,60 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_ssl_version, SSL_set_ssl_method, SSL_get_ssl_method
+- choose a new TLS/SSL method
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, SSL_METHOD *method);
+ int SSL_set_ssl_method(SSL *s, SSL_METHOD *method);
+ SSL_METHOD *SSL_get_ssl_method(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_ssl_version() sets a new default TLS/SSL B<method> for SSL objects
+newly created from this B<ctx>. SSL objects already created with
+L<SSL_new(3)|SSL_new(3)> are not affected, except when SSL_clear() is
+being called.
+
+SSL_set_ssl_method() sets a new TLS/SSL B<method> for a particular B<ssl>
+object. It may be reset, when SSL_clear() is called.
+
+SSL_get_ssl_method() returns a function pointer to the TLS/SSL method
+set in B<ssl>.
+
+=head1 NOTES
+
+The available B<method> choices are described in
+L<SSL_CTX_new(3)|SSL_CTX_new(3)>.
+
+When SSL_clear() is called and no session is connected to an SSL object,
+the method of the SSL object is reset to the method currently set in
+the corresponding SSL_CTX object.
+
+=head1 RETURN VALUES
+
+The following return values can occur for SSL_CTX_set_ssl_version()
+and SSL_set_ssl_method():
+
+=over 4
+
+=item 0
+
+The new choice failed, check the error stack to find out the reason.
+
+=item 1
+
+The operation succeeded.
+
+=back
+
+=head1 SEE ALSO
+
+L<SSL_CTX_new(3)|SSL_CTX_new(3)>, L<SSL_new(3)|SSL_new(3)>,
+L<SSL_clear(3)|SSL_clear(3)>, L<ssl(3)|ssl(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_timeout.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_timeout.pod
new file mode 100644
index 0000000000..21faed12d4
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_timeout.pod
@@ -0,0 +1,55 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_timeout, SSL_CTX_get_timeout - manipulate timeout values for session caching
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ long SSL_CTX_set_timeout(SSL_CTX *ctx, long t);
+ long SSL_CTX_get_timeout(SSL_CTX *ctx);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_timeout() sets the timeout for newly created sessions for
+B<ctx> to B<t>. The timeout value B<t> must be given in seconds.
+
+SSL_CTX_get_timeout() returns the currently set timeout value for B<ctx>.
+
+=head1 NOTES
+
+Whenever a new session is created, it is assigned a maximum lifetime. This
+lifetime is specified by storing the creation time of the session and the
+timeout value valid at this time. If the actual time is later than creation
+time plus timeout, the session is not reused.
+
+Due to this realization, all sessions behave according to the timeout value
+valid at the time of the session negotiation. Changes of the timeout value
+do not affect already established sessions.
+
+The expiration time of a single session can be modified using the
+L<SSL_SESSION_get_time(3)|SSL_SESSION_get_time(3)> family of functions.
+
+Expired sessions are removed from the internal session cache, whenever
+L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)> is called, either
+directly by the application or automatically (see
+L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>)
+
+The default value for session timeout is 300 seconds.
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_timeout() returns the previously set timeout value.
+
+SSL_CTX_get_timeout() returns the currently set timeout value.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
+L<SSL_SESSION_get_time(3)|SSL_SESSION_get_time(3)>,
+L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod
new file mode 100644
index 0000000000..29d1f8a6fb
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod
@@ -0,0 +1,170 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_tmp_dh_callback, SSL_CTX_set_tmp_dh, SSL_set_tmp_dh_callback, SSL_set_tmp_dh - handle DH keys for ephemeral key exchange
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
+            DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength));
+ long SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh);
+
+ void SSL_set_tmp_dh_callback(SSL_CTX *ctx,
+            DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength));
+ long SSL_set_tmp_dh(SSL *ssl, DH *dh)
+
+ DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength));
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_tmp_dh_callback() sets the callback function for B<ctx> to be
+used when a DH parameters are required to B<tmp_dh_callback>.
+The callback is inherited by all B<ssl> objects created from B<ctx>.
+
+SSL_CTX_set_tmp_dh() sets DH parameters to be used to be B<dh>.
+The key is inherited by all B<ssl> objects created from B<ctx>.
+
+SSL_set_tmp_dh_callback() sets the callback only for B<ssl>.
+
+SSL_set_tmp_dh() sets the parameters only for B<ssl>.
+
+These functions apply to SSL/TLS servers only.
+
+=head1 NOTES
+
+When using a cipher with RSA authentication, an ephemeral DH key exchange
+can take place. Ciphers with DSA keys always use ephemeral DH keys as well.
+In these cases, the session data are negotiated using the
+ephemeral/temporary DH key and the key supplied and certified
+by the certificate chain is only used for signing.
+Anonymous ciphers (without a permanent server key) also use ephemeral DH keys.
+
+Using ephemeral DH key exchange yields forward secrecy, as the connection
+can only be decrypted, when the DH key is known. By generating a temporary
+DH key inside the server application that is lost when the application
+is left, it becomes impossible for an attacker to decrypt past sessions,
+even if he gets hold of the normal (certified) key, as this key was
+only used for signing.
+
+In order to perform a DH key exchange the server must use a DH group
+(DH parameters) and generate a DH key. The server will always generate a new
+DH key during the negotiation, when the DH parameters are supplied via
+callback and/or when the SSL_OP_SINGLE_DH_USE option of
+L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)> is set. It will
+immediately create a DH key, when DH parameters are supplied via
+SSL_CTX_set_tmp_dh() and SSL_OP_SINGLE_DH_USE is not set. In this case,
+it may happen that a key is generated on initialization without later
+being needed, while on the other hand the computer time during the
+negotiation is being saved.
+
+If "strong" primes were used to generate the DH parameters, it is not strictly
+necessary to generate a new key for each handshake but it does improve forward
+secrecy. If it is not assured, that "strong" primes were used (see especially
+the section about DSA parameters below), SSL_OP_SINGLE_DH_USE must be used
+in order to prevent small subgroup attacks. Always using SSL_OP_SINGLE_DH_USE
+has an impact on the computer time needed during negotiation, but it is not
+very large, so application authors/users should consider to always enable
+this option.
+
+As generating DH parameters is extremely time consuming, an application
+should not generate the parameters on the fly but supply the parameters.
+DH parameters can be reused, as the actual key is newly generated during
+the negotiation. The risk in reusing DH parameters is that an attacker
+may specialize on a very often used DH group. Applications should therefore
+generate their own DH parameters during the installation process using the
+openssl L<dhparam(1)|dhparam(1)> application. In order to reduce the computer
+time needed for this generation, it is possible to use DSA parameters
+instead (see L<dhparam(1)|dhparam(1)>), but in this case SSL_OP_SINGLE_DH_USE
+is mandatory.
+
+Application authors may compile in DH parameters. Files dh512.pem,
+dh1024.pem, dh2048.pem, and dh4096 in the 'apps' directory of current
+version of the OpenSSL distribution contain the 'SKIP' DH parameters,
+which use safe primes and were generated verifiably pseudo-randomly.
+These files can be converted into C code using the B<-C> option of the
+L<dhparam(1)|dhparam(1)> application.
+Authors may also generate their own set of parameters using
+L<dhparam(1)|dhparam(1)>, but a user may not be sure how the parameters were
+generated. The generation of DH parameters during installation is therefore
+recommended.
+
+An application may either directly specify the DH parameters or
+can supply the DH parameters via a callback function. The callback approach
+has the advantage, that the callback may supply DH parameters for different
+key lengths.
+
+The B<tmp_dh_callback> is called with the B<keylength> needed and
+the B<is_export> information. The B<is_export> flag is set, when the
+ephemeral DH key exchange is performed with an export cipher.
+
+=head1 EXAMPLES
+
+Handle DH parameters for key lengths of 512 and 1024 bits. (Error handling
+partly left out.)
+
+ ...
+ /* Set up ephemeral DH stuff */
+ DH *dh_512 = NULL;
+ DH *dh_1024 = NULL;
+ FILE *paramfile;
+
+ ...
+ /* "openssl dhparam -out dh_param_512.pem -2 512" */
+ paramfile = fopen("dh_param_512.pem", "r");
+ if (paramfile) {
+   dh_512 = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
+   fclose(paramfile);
+ }
+ /* "openssl dhparam -out dh_param_1024.pem -2 1024" */
+ paramfile = fopen("dh_param_1024.pem", "r");
+ if (paramfile) {
+   dh_1024 = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
+   fclose(paramfile);
+ }
+ ...
+
+ /* "openssl dhparam -C -2 512" etc... */
+ DH *get_dh512() { ... }
+ DH *get_dh1024() { ... }
+
+ DH *tmp_dh_callback(SSL *s, int is_export, int keylength)
+ {
+    DH *dh_tmp=NULL;
+
+    switch (keylength) {
+    case 512:
+      if (!dh_512)
+        dh_512 = get_dh512();
+      dh_tmp = dh_512;
+      break;
+    case 1024:
+      if (!dh_1024) 
+        dh_1024 = get_dh1024();
+      dh_tmp = dh_1024;
+      break;
+    default:
+      /* Generating a key on the fly is very costly, so use what is there */
+      setup_dh_parameters_like_above();
+    }
+    return(dh_tmp);
+ }
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_tmp_dh_callback() and SSL_set_tmp_dh_callback() do not return
+diagnostic output.
+
+SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() do return 1 on success and 0
+on failure. Check the error queue to find out the reason of failure.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>,
+L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>,
+L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>,
+L<ciphers(1)|ciphers(1)>, L<dhparam(1)|dhparam(1)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
new file mode 100644
index 0000000000..f85775927d
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
@@ -0,0 +1,166 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_tmp_rsa_callback, SSL_CTX_set_tmp_rsa, SSL_CTX_need_tmp_rsa, SSL_set_tmp_rsa_callback, SSL_set_tmp_rsa, SSL_need_tmp_rsa - handle RSA keys for ephemeral key exchange
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
+            RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength));
+ long SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, RSA *rsa);
+ long SSL_CTX_need_tmp_rsa(SSL_CTX *ctx);
+
+ void SSL_set_tmp_rsa_callback(SSL_CTX *ctx,
+            RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength));
+ long SSL_set_tmp_rsa(SSL *ssl, RSA *rsa)
+ long SSL_need_tmp_rsa(SSL *ssl)
+
+ RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength));
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_tmp_rsa_callback() sets the callback function for B<ctx> to be
+used when a temporary/ephemeral RSA key is required to B<tmp_rsa_callback>.
+The callback is inherited by all SSL objects newly created from B<ctx>
+with <SSL_new(3)|SSL_new(3)>. Already created SSL objects are not affected.
+
+SSL_CTX_set_tmp_rsa() sets the temporary/ephemeral RSA key to be used to be
+B<rsa>. The key is inherited by all SSL objects newly created from B<ctx>
+with <SSL_new(3)|SSL_new(3)>. Already created SSL objects are not affected.
+
+SSL_CTX_need_tmp_rsa() returns 1, if a temporary/ephemeral RSA key is needed
+for RSA-based strength-limited 'exportable' ciphersuites because a RSA key
+with a keysize larger than 512 bits is installed.
+
+SSL_set_tmp_rsa_callback() sets the callback only for B<ssl>.
+
+SSL_set_tmp_rsa() sets the key only for B<ssl>.
+
+SSL_need_tmp_rsa() returns 1, if a temporary/ephemeral RSA key is needed,
+for RSA-based strength-limited 'exportable' ciphersuites because a RSA key
+with a keysize larger than 512 bits is installed.
+
+These functions apply to SSL/TLS servers only.
+
+=head1 NOTES
+
+When using a cipher with RSA authentication, an ephemeral RSA key exchange
+can take place. In this case the session data are negotiated using the
+ephemeral/temporary RSA key and the RSA key supplied and certified
+by the certificate chain is only used for signing.
+
+Under previous export restrictions, ciphers with RSA keys shorter (512 bits)
+than the usual key length of 1024 bits were created. To use these ciphers
+with RSA keys of usual length, an ephemeral key exchange must be performed,
+as the normal (certified) key cannot be directly used.
+
+Using ephemeral RSA key exchange yields forward secrecy, as the connection
+can only be decrypted, when the RSA key is known. By generating a temporary
+RSA key inside the server application that is lost when the application
+is left, it becomes impossible for an attacker to decrypt past sessions,
+even if he gets hold of the normal (certified) RSA key, as this key was
+used for signing only. The downside is that creating a RSA key is
+computationally expensive.
+
+Additionally, the use of ephemeral RSA key exchange is only allowed in
+the TLS standard, when the RSA key can be used for signing only, that is
+for export ciphers. Using ephemeral RSA key exchange for other purposes
+violates the standard and can break interoperability with clients.
+It is therefore strongly recommended to not use ephemeral RSA key
+exchange and use EDH (Ephemeral Diffie-Hellman) key exchange instead
+in order to achieve forward secrecy (see
+L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
+
+On OpenSSL servers ephemeral RSA key exchange is therefore disabled by default
+and must be explicitly enabled  using the SSL_OP_EPHEMERAL_RSA option of
+L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, violating the TLS/SSL
+standard. When ephemeral RSA key exchange is required for export ciphers,
+it will automatically be used without this option!
+
+An application may either directly specify the key or can supply the key via
+a callback function. The callback approach has the advantage, that the
+callback may generate the key only in case it is actually needed. As the
+generation of a RSA key is however costly, it will lead to a significant
+delay in the handshake procedure.  Another advantage of the callback function
+is that it can supply keys of different size (e.g. for SSL_OP_EPHEMERAL_RSA
+usage) while the explicit setting of the key is only useful for key size of
+512 bits to satisfy the export restricted ciphers and does give away key length
+if a longer key would be allowed.
+
+The B<tmp_rsa_callback> is called with the B<keylength> needed and
+the B<is_export> information. The B<is_export> flag is set, when the
+ephemeral RSA key exchange is performed with an export cipher.
+
+=head1 EXAMPLES
+
+Generate temporary RSA keys to prepare ephemeral RSA key exchange. As the
+generation of a RSA key costs a lot of computer time, they saved for later
+reuse. For demonstration purposes, two keys for 512 bits and 1024 bits
+respectively are generated.
+
+ ...
+ /* Set up ephemeral RSA stuff */
+ RSA *rsa_512 = NULL;
+ RSA *rsa_1024 = NULL;
+
+ rsa_512 = RSA_generate_key(512,RSA_F4,NULL,NULL);
+ if (rsa_512 == NULL)
+     evaluate_error_queue();
+
+ rsa_1024 = RSA_generate_key(1024,RSA_F4,NULL,NULL);
+ if (rsa_1024 == NULL)
+   evaluate_error_queue();
+
+ ...
+
+ RSA *tmp_rsa_callback(SSL *s, int is_export, int keylength)
+ {
+    RSA *rsa_tmp=NULL;
+
+    switch (keylength) {
+    case 512:
+      if (rsa_512)
+        rsa_tmp = rsa_512;
+      else { /* generate on the fly, should not happen in this example */
+        rsa_tmp = RSA_generate_key(keylength,RSA_F4,NULL,NULL);
+        rsa_512 = rsa_tmp; /* Remember for later reuse */
+      }
+      break;
+    case 1024:
+      if (rsa_1024)
+        rsa_tmp=rsa_1024;
+      else
+        should_not_happen_in_this_example();
+      break;
+    default:
+      /* Generating a key on the fly is very costly, so use what is there */
+      if (rsa_1024)
+        rsa_tmp=rsa_1024;
+      else
+        rsa_tmp=rsa_512; /* Use at least a shorter key */
+    }
+    return(rsa_tmp);
+ }
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_tmp_rsa_callback() and SSL_set_tmp_rsa_callback() do not return
+diagnostic output.
+
+SSL_CTX_set_tmp_rsa() and SSL_set_tmp_rsa() do return 1 on success and 0
+on failure. Check the error queue to find out the reason of failure.
+
+SSL_CTX_need_tmp_rsa() and SSL_need_tmp_rsa() return 1 if a temporary
+RSA key is needed and 0 otherwise.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>,
+L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>,
+L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>,
+L<SSL_new(3)|SSL_new(3)>, L<ciphers(1)|ciphers(1)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod
new file mode 100644
index 0000000000..fc0b76118f
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod
@@ -0,0 +1,284 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_verify, SSL_set_verify, SSL_CTX_set_verify_depth, SSL_set_verify_depth - set peer certificate verification parameters
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ void SSL_CTX_set_verify(SSL_CTX *ctx, int mode,
+                         int (*verify_callback)(int, X509_STORE_CTX *));
+ void SSL_set_verify(SSL *s, int mode,
+                     int (*verify_callback)(int, X509_STORE_CTX *));
+ void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth);
+ void SSL_set_verify_depth(SSL *s, int depth);
+
+ int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_verify() sets the verification flags for B<ctx> to be B<mode> and
+specifies the B<verify_callback> function to be used. If no callback function
+shall be specified, the NULL pointer can be used for B<verify_callback>.
+
+SSL_set_verify() sets the verification flags for B<ssl> to be B<mode> and
+specifies the B<verify_callback> function to be used. If no callback function
+shall be specified, the NULL pointer can be used for B<verify_callback>. In
+this case last B<verify_callback> set specifically for this B<ssl> remains. If
+no special B<callback> was set before, the default callback for the underlying
+B<ctx> is used, that was valid at the the time B<ssl> was created with
+L<SSL_new(3)|SSL_new(3)>.
+
+SSL_CTX_set_verify_depth() sets the maximum B<depth> for the certificate chain
+verification that shall be allowed for B<ctx>. (See the BUGS section.)
+
+SSL_set_verify_depth() sets the maximum B<depth> for the certificate chain
+verification that shall be allowed for B<ssl>. (See the BUGS section.)
+
+=head1 NOTES
+
+The verification of certificates can be controlled by a set of logically
+or'ed B<mode> flags:
+
+=over 4
+
+=item SSL_VERIFY_NONE
+
+B<Server mode:> the server will not send a client certificate request to the
+client, so the client will not send a certificate.
+
+B<Client mode:> if not using an anonymous cipher (by default disabled), the
+server will send a certificate which will be checked. The result of the
+certificate verification process can be checked after the TLS/SSL handshake
+using the L<SSL_get_verify_result(3)|SSL_get_verify_result(3)> function.
+The handshake will be continued regardless of the verification result.
+
+=item SSL_VERIFY_PEER
+
+B<Server mode:> the server sends a client certificate request to the client.
+The certificate returned (if any) is checked. If the verification process
+fails as indicated by B<verify_callback>, the TLS/SSL handshake is
+immediately terminated with an alert message containing the reason for
+the verification failure.
+The behaviour can be controlled by the additional
+SSL_VERIFY_FAIL_IF_NO_PEER_CERT and SSL_VERIFY_CLIENT_ONCE flags.
+
+B<Client mode:> the server certificate is verified. If the verification process
+fails as indicated by B<verify_callback>, the TLS/SSL handshake is
+immediately terminated with an alert message containing the reason for
+the verification failure. If no server certificate is sent, because an
+anonymous cipher is used, SSL_VERIFY_PEER is ignored.
+
+=item SSL_VERIFY_FAIL_IF_NO_PEER_CERT
+
+B<Server mode:> if the client did not return a certificate, the TLS/SSL
+handshake is immediately terminated with a "handshake failure" alert.
+This flag must be used together with SSL_VERIFY_PEER.
+
+B<Client mode:> ignored
+
+=item SSL_VERIFY_CLIENT_ONCE
+
+B<Server mode:> only request a client certificate on the initial TLS/SSL
+handshake. Do not ask for a client certificate again in case of a
+renegotiation. This flag must be used together with SSL_VERIFY_PEER.
+
+B<Client mode:> ignored
+
+=back
+
+Exactly one of the B<mode> flags SSL_VERIFY_NONE and SSL_VERIFY_PEER must be
+set at any time.
+
+SSL_CTX_set_verify_depth() and SSL_set_verify_depth() set the limit up
+to which depth certificates in a chain are used during the verification
+procedure. If the certificate chain is longer than allowed, the certificates
+above the limit are ignored. Error messages are generated as if these
+certificates would not be present, most likely a
+X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY will be issued.
+The depth count is "level 0:peer certificate", "level 1: CA certificate",
+"level 2: higher level CA certificate", and so on. Setting the maximum
+depth to 2 allows the levels 0, 1, and 2. The default depth limit is 9,
+allowing for the peer certificate and additional 9 CA certificates.
+
+The B<verify_callback> function is used to control the behaviour when the
+SSL_VERIFY_PEER flag is set. It must be supplied by the application and
+receives two arguments: B<preverify_ok> indicates, whether the verification of
+the certificate in question was passed (preverify_ok=1) or not
+(preverify_ok=0). B<x509_ctx> is a pointer to the complete context used
+for the certificate chain verification.
+
+The certificate chain is checked starting with the deepest nesting level
+(the root CA certificate) and worked upward to the peer's certificate.
+At each level signatures and issuer attributes are checked. Whenever
+a verification error is found, the error number is stored in B<x509_ctx>
+and B<verify_callback> is called with B<preverify_ok>=0. By applying
+X509_CTX_store_* functions B<verify_callback> can locate the certificate
+in question and perform additional steps (see EXAMPLES). If no error is
+found for a certificate, B<verify_callback> is called with B<preverify_ok>=1
+before advancing to the next level.
+
+The return value of B<verify_callback> controls the strategy of the further
+verification process. If B<verify_callback> returns 0, the verification
+process is immediately stopped with "verification failed" state. If
+SSL_VERIFY_PEER is set, a verification failure alert is sent to the peer and
+the TLS/SSL handshake is terminated. If B<verify_callback> returns 1,
+the verification process is continued. If B<verify_callback> always returns
+1, the TLS/SSL handshake will never be terminated because of this application
+experiencing a verification failure. The calling process can however
+retrieve the error code of the last verification error using
+L<SSL_get_verify_result(3)|SSL_get_verify_result(3)> or by maintaining its
+own error storage managed by B<verify_callback>.
+
+If no B<verify_callback> is specified, the default callback will be used.
+Its return value is identical to B<preverify_ok>, so that any verification
+failure will lead to a termination of the TLS/SSL handshake with an
+alert message, if SSL_VERIFY_PEER is set.
+
+=head1 BUGS
+
+In client mode, it is not checked whether the SSL_VERIFY_PEER flag
+is set, but whether SSL_VERIFY_NONE is not set. This can lead to
+unexpected behaviour, if the SSL_VERIFY_PEER and SSL_VERIFY_NONE are not
+used as required (exactly one must be set at any time).
+
+The certificate verification depth set with SSL[_CTX]_verify_depth()
+stops the verification at a certain depth. The error message produced
+will be that of an incomplete certificate chain and not
+X509_V_ERR_CERT_CHAIN_TOO_LONG as may be expected.
+
+=head1 RETURN VALUES
+
+The SSL*_set_verify*() functions do not provide diagnostic information.
+
+=head1 EXAMPLES
+
+The following code sequence realizes an example B<verify_callback> function
+that will always continue the TLS/SSL handshake regardless of verification
+failure, if wished. The callback realizes a verification depth limit with
+more informational output.
+
+All verification errors are printed, informations about the certificate chain
+are printed on request.
+The example is realized for a server that does allow but not require client
+certificates.
+
+The example makes use of the ex_data technique to store application data
+into/retrieve application data from the SSL structure
+(see L<SSL_get_ex_new_index(3)|SSL_get_ex_new_index(3)>,
+L<SSL_get_ex_data_X509_STORE_CTX_idx(3)|SSL_get_ex_data_X509_STORE_CTX_idx(3)>).
+
+ ...
+ typedef struct {
+   int verbose_mode;
+   int verify_depth;
+   int always_continue;
+ } mydata_t;
+ int mydata_index;
+ ...
+ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
+ {
+    char    buf[256];
+    X509   *err_cert;
+    int     err, depth;
+    SSL    *ssl;
+    mydata_t *mydata;
+
+    err_cert = X509_STORE_CTX_get_current_cert(ctx);
+    err = X509_STORE_CTX_get_error(ctx);
+    depth = X509_STORE_CTX_get_error_depth(ctx);
+
+    /*
+     * Retrieve the pointer to the SSL of the connection currently treated
+     * and the application specific data stored into the SSL object.
+     */
+    ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+    mydata = SSL_get_ex_data(ssl, mydata_index);
+
+    X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256);
+
+    /*
+     * Catch a too long certificate chain. The depth limit set using
+     * SSL_CTX_set_verify_depth() is by purpose set to "limit+1" so
+     * that whenever the "depth>verify_depth" condition is met, we
+     * have violated the limit and want to log this error condition.
+     * We must do it here, because the CHAIN_TOO_LONG error would not
+     * be found explicitly; only errors introduced by cutting off the
+     * additional certificates would be logged.
+     */
+    if (depth > mydata->verify_depth) {
+        preverify_ok = 0;
+        err = X509_V_ERR_CERT_CHAIN_TOO_LONG;
+        X509_STORE_CTX_set_error(ctx, err);
+    } 
+    if (!preverify_ok) {
+        printf("verify error:num=%d:%s:depth=%d:%s\n", err,
+                 X509_verify_cert_error_string(err), depth, buf);
+    }
+    else if (mydata->verbose_mode)
+    {
+        printf("depth=%d:%s\n", depth, buf);
+    }
+
+    /*
+     * At this point, err contains the last verification error. We can use
+     * it for something special
+     */
+    if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)
+    {
+      X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256);
+      printf("issuer= %s\n", buf);
+    }
+
+    if (mydata->always_continue)
+      return 1;
+    else
+      return preverify_ok;
+ }
+ ...
+
+ mydata_t mydata;
+
+ ...
+ mydata_index = SSL_get_ex_new_index(0, "mydata index", NULL, NULL, NULL);
+
+ ...
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
+                    verify_callback);
+
+ /*
+  * Let the verify_callback catch the verify_depth error so that we get
+  * an appropriate error in the logfile.
+  */
+ SSL_CTX_set_verify_depth(verify_depth + 1);
+
+ /*
+  * Set up the SSL specific data into "mydata" and store it into th SSL
+  * structure.
+  */
+ mydata.verify_depth = verify_depth; ...
+ SSL_set_ex_data(ssl, mydata_index, &mydata);
+                                             
+ ...
+ SSL_accept(ssl);       /* check of success left out for clarity */
+ if (peer = SSL_get_peer_certificate(ssl))
+ {
+   if (SSL_get_verify_result(ssl) == X509_V_OK)
+   {
+     /* The client sent a certificate which verified OK */
+   }
+ }
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>,
+L<SSL_CTX_get_verify_mode(3)|SSL_CTX_get_verify_mode(3)>,
+L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>,
+L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>,
+L<SSL_get_peer_certificate(3)|SSL_get_peer_certificate(3)>,
+L<SSL_get_ex_data_X509_STORE_CTX_idx(3)|SSL_get_ex_data_X509_STORE_CTX_idx(3)>,
+L<SSL_get_ex_new_index(3)|SSL_get_ex_new_index(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_use_certificate.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_use_certificate.pod
new file mode 100644
index 0000000000..3b2fe6fc50
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_use_certificate.pod
@@ -0,0 +1,154 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_use_certificate, SSL_CTX_use_certificate_ASN1, SSL_CTX_use_certificate_file, SSL_use_certificate, SSL_use_certificate_ASN1, SSL_use_certificate_file, SSL_CTX_use_certificate_chain_file, SSL_CTX_use_PrivateKey, SSL_CTX_use_PrivateKey_ASN1, SSL_CTX_use_PrivateKey_file, SSL_CTX_use_RSAPrivateKey, SSL_CTX_use_RSAPrivateKey_ASN1, SSL_CTX_use_RSAPrivateKey_file, SSL_use_PrivateKey_file, SSL_use_PrivateKey_ASN1, SSL_use_PrivateKey, SSL_use_RSAPrivateKey, SSL_use_RSAPrivateKey_ASN1, SSL_use_RSAPrivateKey_file, SSL_CTX_check_private_key, SSL_check_private_key - load certificate and key data
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);
+ int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d);
+ int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);
+ int SSL_use_certificate(SSL *ssl, X509 *x);
+ int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len);
+ int SSL_use_certificate_file(SSL *ssl, const char *file, int type);
+
+ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file);
+
+ int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
+ int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, unsigned char *d,
+                                 long len);
+ int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type);
+ int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
+ int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len);
+ int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type);
+ int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
+ int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, unsigned char *d, long len);
+ int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type);
+ int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
+ int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);
+ int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
+
+ int SSL_CTX_check_private_key(SSL_CTX *ctx);
+ int SSL_check_private_key(SSL *ssl);
+
+=head1 DESCRIPTION
+
+These functions load the certificates and private keys into the SSL_CTX
+or SSL object, respectively.
+
+The SSL_CTX_* class of functions loads the certificates and keys into the
+SSL_CTX object B<ctx>. The information is passed to SSL objects B<ssl>
+created from B<ctx> with L<SSL_new(3)|SSL_new(3)> by copying, so that
+changes applied to B<ctx> do not propagate to already existing SSL objects.
+
+The SSL_* class of functions only loads certificates and keys into a
+specific SSL object. The specific information is kept, when
+L<SSL_clear(3)|SSL_clear(3)> is called for this SSL object.
+
+SSL_CTX_use_certificate() loads the certificate B<x> into B<ctx>,
+SSL_use_certificate() loads B<x> into B<ssl>. The rest of the
+certificates needed to form the complete certificate chain can be
+specified using the
+L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>
+function.
+
+SSL_CTX_use_certificate_ASN1() loads the ASN1 encoded certificate from
+the memory location B<d> (with length B<len>) into B<ctx>,
+SSL_use_certificate_ASN1() loads the ASN1 encoded certificate into B<ssl>.
+
+SSL_CTX_use_certificate_file() loads the first certificate stored in B<file>
+into B<ctx>. The formatting B<type> of the certificate must be specified
+from the known types SSL_FILETYPE_PEM, SSL_FILETYPE_ASN1.
+SSL_use_certificate_file() loads the certificate from B<file> into B<ssl>.
+See the NOTES section on why SSL_CTX_use_certificate_chain_file()
+should be preferred.
+
+SSL_CTX_use_certificate_chain_file() loads a certificate chain from 
+B<file> into B<ctx>. The certificates must be in PEM format and must
+be sorted starting with the certificate to the highest level (root CA).
+There is no corresponding function working on a single SSL object.
+
+SSL_CTX_use_PrivateKey() adds B<pkey> as private key to B<ctx>.
+SSL_CTX_use_RSAPrivateKey() adds the private key B<rsa> of type RSA
+to B<ctx>. SSL_use_PrivateKey() adds B<pkey> as private key to B<ssl>;
+SSL_use_RSAPrivateKey() adds B<rsa> as private key of type RSA to B<ssl>.
+
+SSL_CTX_use_PrivateKey_ASN1() adds the private key of type B<pk>
+stored at memory location B<d> (length B<len>) to B<ctx>.
+SSL_CTX_use_RSAPrivateKey_ASN1() adds the private key of type RSA
+stored at memory location B<d> (length B<len>) to B<ctx>.
+SSL_use_PrivateKey_ASN1() and SSL_use_RSAPrivateKey_ASN1() add the private
+key to B<ssl>.
+
+SSL_CTX_use_PrivateKey_file() adds the first private key found in
+B<file> to B<ctx>. The formatting B<type> of the certificate must be specified
+from the known types SSL_FILETYPE_PEM, SSL_FILETYPE_ASN1.
+SSL_CTX_use_RSAPrivateKey_file() adds the first private RSA key found in
+B<file> to B<ctx>. SSL_use_PrivateKey_file() adds the first private key found
+in B<file> to B<ssl>; SSL_use_RSAPrivateKey_file() adds the first private
+RSA key found to B<ssl>.
+
+SSL_CTX_check_private_key() checks the consistency of a private key with
+the corresponding certificate loaded into B<ctx>. If more than one
+key/certificate pair (RSA/DSA) is installed, the last item installed will
+be checked. If e.g. the last item was a RSA certificate or key, the RSA
+key/certificate pair will be checked. SSL_check_private_key() performs
+the same check for B<ssl>. If no key/certificate was explicitly added for
+this B<ssl>, the last item added into B<ctx> will be checked.
+
+=head1 NOTES
+  
+The internal certificate store of OpenSSL can hold two private key/certificate
+pairs at a time: one key/certificate of type RSA and one key/certificate
+of type DSA. The certificate used depends on the cipher select, see
+also L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>.
+
+When reading certificates and private keys from file, files of type
+SSL_FILETYPE_ASN1 (also known as B<DER>, binary encoding) can only contain
+one certificate or private key, consequently 
+SSL_CTX_use_certificate_chain_file() is only applicable to PEM formatting.
+Files of type SSL_FILETYPE_PEM can contain more than one item.
+
+SSL_CTX_use_certificate_chain_file() adds the first certificate found
+in the file to the certificate store. The other certificates are added
+to the store of chain certificates using
+L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>.
+There exists only one extra chain store, so that the same chain is appended
+to both types of certificates, RSA and DSA! If it is not intended to use
+both type of certificate at the same time, it is recommended to use the
+SSL_CTX_use_certificate_chain_file() instead of the
+SSL_CTX_use_certificate_file() function in order to allow the use of
+complete certificate chains even when no trusted CA storage is used or
+when the CA issuing the certificate shall not be added to the trusted
+CA storage.
+
+If additional certificates are needed to complete the chain during the
+TLS negotiation, CA certificates are additionally looked up in the
+locations of trusted CA certificates, see
+L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>.
+
+The private keys loaded from file can be encrypted. In order to successfully
+load encrypted keys, a function returning the passphrase must have been
+supplied, see
+L<SSL_CTX_set_default_passwd_cb(3)|SSL_CTX_set_default_passwd_cb(3)>.
+(Certificate files might be encrypted as well from the technical point
+of view, it however does not make sense as the data in the certificate
+is considered public anyway.)
+
+=head1 RETURN VALUES
+
+On success, the functions return 1.
+Otherwise check out the error stack to find out the reason.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, L<SSL_clear(3)|SSL_clear(3)>,
+L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>,
+L<SSL_CTX_set_default_passwd_cb(3)|SSL_CTX_set_default_passwd_cb(3)>,
+L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>,
+L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_SESSION_free.pod b/src/lib/libssl/src/doc/ssl/SSL_SESSION_free.pod
new file mode 100644
index 0000000000..df30ccbb32
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_SESSION_free.pod
@@ -0,0 +1,25 @@
+=pod
+
+=head1 NAME
+
+SSL_SESSION_free - free an allocated SSL_SESSION structure
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ void SSL_SESSION_free(SSL_SESSION *session);
+
+=head1 DESCRIPTION
+
+SSL_SESSION_free() decrements the reference count of B<session> and removes
+the B<SSL_SESSION> structure pointed to by B<session> and frees up the allocated
+memory, if the the reference count has reached 0.
+
+=head1 RETURN VALUES
+
+SSL_SESSION_free() does not provide diagnostic information.
+
+L<ssl(3)|ssl(3)>, L<SSL_get_session(3)|SSL_get_session(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_SESSION_get_ex_new_index.pod b/src/lib/libssl/src/doc/ssl/SSL_SESSION_get_ex_new_index.pod
new file mode 100644
index 0000000000..dd5cb4f04b
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_SESSION_get_ex_new_index.pod
@@ -0,0 +1,61 @@
+=pod
+
+=head1 NAME
+
+SSL_SESSION_get_ex_new_index, SSL_SESSION_set_ex_data, SSL_SESSION_get_ex_data - internal application specific data functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_SESSION_get_ex_new_index(long argl, void *argp,
+                CRYPTO_EX_new *new_func,
+                CRYPTO_EX_dup *dup_func,
+                CRYPTO_EX_free *free_func);
+
+ int SSL_SESSION_set_ex_data(SSL_SESSION *session, int idx, void *arg);
+
+ void *SSL_SESSION_get_ex_data(SSL_SESSION *session, int idx);
+
+ typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+                int idx, long argl, void *argp);
+ typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+                int idx, long argl, void *argp);
+ typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d,
+                int idx, long argl, void *argp);
+
+=head1 DESCRIPTION
+
+Several OpenSSL structures can have application specific data attached to them.
+These functions are used internally by OpenSSL to manipulate application
+specific data attached to a specific structure.
+
+SSL_SESSION_get_ex_new_index() is used to register a new index for application
+specific data.
+
+SSL_SESSION_set_ex_data() is used to store application data at B<arg> for B<idx>
+into the B<session> object.
+
+SSL_SESSION_get_ex_data() is used to retrieve the information for B<idx> from
+B<session>.
+
+A detailed description for the B<*_get_ex_new_index()> functionality
+can be found in L<RSA_get_ex_new_index.pod(3)|RSA_get_ex_new_index.pod(3)>.
+The B<*_get_ex_data()> and B<*_set_ex_data()> functionality is described in
+L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>.
+
+=head1 WARNINGS
+
+The application data is only maintained for sessions held in memory. The
+application data is not included when dumping the session with
+i2d_SSL_SESSION() (and all functions indirectly calling the dump functions
+like PEM_write_SSL_SESSION() and PEM_write_bio_SSL_SESSION()) and can
+therefore not be restored.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>,
+L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_SESSION_get_time.pod b/src/lib/libssl/src/doc/ssl/SSL_SESSION_get_time.pod
new file mode 100644
index 0000000000..cd33b73aa3
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_SESSION_get_time.pod
@@ -0,0 +1,63 @@
+=pod
+
+=head1 NAME
+
+SSL_SESSION_get_time, SSL_SESSION_set_time, SSL_SESSION_get_timeout, SSL_SESSION_get_timeout - retrieve and manipulate session time and timeout settings
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ long SSL_SESSION_get_time(SSL_SESSION *s);
+ long SSL_SESSION_set_time(SSL_SESSION *s, long tm);
+ long SSL_SESSION_get_timeout(SSL_SESSION *s);
+ long SSL_SESSION_set_timeout(SSL_SESSION *s, long tm);
+
+ long SSL_get_time(SSL_SESSION *s);
+ long SSL_set_time(SSL_SESSION *s, long tm);
+ long SSL_get_timeout(SSL_SESSION *s);
+ long SSL_set_timeout(SSL_SESSION *s, long tm);
+
+=head1 DESCRIPTION
+
+SSL_SESSION_get_time() returns the time at which the session B<s> was
+established. The time is given in seconds since the Epoch and therefore
+compatible to the time delivered by the time() call.
+
+SSL_SESSION_set_time() replaces the creation time of the session B<s> with
+the chosen value B<tm>.
+
+SSL_SESSION_get_timeout() returns the timeout value set for session B<s>
+in seconds.
+
+SSL_SESSION_set_timeout() sets the timeout value for session B<s> in seconds
+to B<tm>.
+
+The SSL_get_time(), SSL_set_time(), SSL_get_timeout(), and SSL_set_timeout()
+functions are synonyms for the SSL_SESSION_*() counterparts.
+
+=head1 NOTES
+
+Sessions are expired by examining the creation time and the timeout value.
+Both are set at creation time of the session to the actual time and the
+default timeout value at creation, respectively, as set by
+L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>.
+Using these functions it is possible to extend or shorten the lifetime
+of the session.
+
+=head1 RETURN VALUES
+
+SSL_SESSION_get_time() and SSL_SESSION_get_timeout() return the currently
+valid values.
+
+SSL_SESSION_set_time() and SSL_SESSION_set_timeout() return 1 on success.
+
+If any of the function is passed the NULL pointer for the session B<s>, 
+0 is returned.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_accept.pod b/src/lib/libssl/src/doc/ssl/SSL_accept.pod
new file mode 100644
index 0000000000..0c79ac515e
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_accept.pod
@@ -0,0 +1,72 @@
+=pod
+
+=head1 NAME
+
+SSL_accept - wait for a TLS/SSL client to initiate a TLS/SSL handshake
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_accept(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_accept() waits for a TLS/SSL client to initiate the TLS/SSL handshake.
+The communication channel must already have been set and assigned to the
+B<ssl> by setting an underlying B<BIO>.
+
+=head1 NOTES
+
+The behaviour of SSL_accept() depends on the underlying BIO. 
+
+If the underlying BIO is B<blocking>, SSL_accept() will only return once the
+handshake has been finished or an error occurred, except for SGC (Server
+Gated Cryptography). For SGC, SSL_accept() may return with -1, but
+SSL_get_error() will yield B<SSL_ERROR_WANT_READ/WRITE> and SSL_accept()
+should be called again.
+
+If the underlying BIO is B<non-blocking>, SSL_accept() will also return
+when the underlying BIO could not satisfy the needs of SSL_accept()
+to continue the handshake. In this case a call to SSL_get_error() with the
+return value of SSL_accept() will yield B<SSL_ERROR_WANT_READ> or
+B<SSL_ERROR_WANT_WRITE>. The calling process then must repeat the call after
+taking appropriate action to satisfy the needs of SSL_accept().
+The action depends on the underlying BIO. When using a non-blocking socket,
+nothing is to be done, but select() can be used to check for the required
+condition. When using a buffering BIO, like a BIO pair, data must be written
+into or retrieved out of the BIO before being able to continue.
+
+=head1 RETURN VALUES
+
+The following return values can occur:
+
+=over 4
+
+=item 1
+
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
+established.
+
+=item 0
+
+The TLS/SSL handshake was not successful but was shut down controlled and
+by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
+return value B<ret> to find out the reason.
+
+=item -1
+
+The TLS/SSL handshake was not successful because a fatal error occurred either
+at the protocol level or a connection failure occurred. The shutdown was
+not clean. It can also occur of action is need to continue the operation
+for non-blocking BIOs. Call SSL_get_error() with the return value B<ret>
+to find out the reason.
+
+=back
+
+=head1 SEE ALSO
+
+L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_connect(3)|SSL_connect(3)>,
+L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_alert_type_string.pod b/src/lib/libssl/src/doc/ssl/SSL_alert_type_string.pod
new file mode 100644
index 0000000000..94e28cc307
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_alert_type_string.pod
@@ -0,0 +1,228 @@
+=pod
+
+=head1 NAME
+
+SSL_alert_type_string, SSL_alert_type_string_long, SSL_alert_desc_string, SSL_alert_desc_string_long - get textual description of alert information
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ const char *SSL_alert_type_string(int value);
+ const char *SSL_alert_type_string_long(int value);
+
+ const char *SSL_alert_desc_string(int value);
+ const char *SSL_alert_desc_string_long(int value);
+
+=head1 DESCRIPTION
+
+SSL_alert_type_string() returns a one letter string indicating the
+type of the alert specified by B<value>.
+
+SSL_alert_type_string_long() returns a string indicating the type of the alert
+specified by B<value>.
+
+SSL_alert_desc_string() returns a two letter string as a short form
+describing the reason of the alert specified by B<value>.
+
+SSL_alert_desc_string_long() returns a string describing the reason
+of the alert specified by B<value>.
+
+=head1 NOTES
+
+When one side of an SSL/TLS communication wants to inform the peer about
+a special situation, it sends an alert. The alert is sent as a special message
+and does not influence the normal data stream (unless its contents results
+in the communication being canceled).
+
+A warning alert is sent, when a non-fatal error condition occurs. The
+"close notify" alert is sent as a warning alert. Other examples for
+non-fatal errors are certificate errors ("certificate expired",
+"unsupported certificate"), for which a warning alert may be sent.
+(The sending party may however decide to send a fatal error.) The
+receiving side may cancel the connection on reception of a warning
+alert on it discretion.
+
+Several alert messages must be sent as fatal alert messages as specified
+by the TLS RFC. A fatal alert always leads to a connection abort.
+
+=head1 RETURN VALUES
+
+The following strings can occur for SSL_alert_type_string() or
+SSL_alert_type_string_long():
+
+=over 4
+
+=item "W"/"warning"
+
+=item "F"/"fatal"
+
+=item "U"/"unknown"
+
+This indicates that no support is available for this alert type.
+Probably B<value> does not contain a correct alert message.
+
+=back
+
+The following strings can occur for SSL_alert_desc_string() or
+SSL_alert_desc_string_long():
+
+=over 4
+
+=item "CN"/"close notify"
+
+The connection shall be closed. This is a warning alert.
+
+=item "UM"/"unexpected message"
+
+An inappropriate message was received. This alert is always fatal
+and should never be observed in communication between proper
+implementations.
+
+=item "BM"/"bad record mac"
+
+This alert is returned if a record is received with an incorrect
+MAC. This message is always fatal.
+
+=item "DF"/"decompression failure"
+
+The decompression function received improper input (e.g. data
+that would expand to excessive length). This message is always
+fatal.
+
+=item "HF"/"handshake failure"
+
+Reception of a handshake_failure alert message indicates that the
+sender was unable to negotiate an acceptable set of security
+parameters given the options available. This is a fatal error.
+
+=item "NC"/"no certificate"
+
+A client, that was asked to send a certificate, does not send a certificate
+(SSLv3 only).
+
+=item "BC"/"bad certificate"
+
+A certificate was corrupt, contained signatures that did not
+verify correctly, etc
+
+=item "UC"/"unsupported certificate"
+
+A certificate was of an unsupported type.
+
+=item "CR"/"certificate revoked"
+
+A certificate was revoked by its signer.
+
+=item "CE"/"certificate expired"
+
+A certificate has expired or is not currently valid.
+
+=item "CU"/"certificate unknown"
+
+Some other (unspecified) issue arose in processing the
+certificate, rendering it unacceptable.
+
+=item "IP"/"illegal parameter"
+
+A field in the handshake was out of range or inconsistent with
+other fields. This is always fatal.
+
+=item "DC"/"decryption failed"
+
+A TLSCiphertext decrypted in an invalid way: either it wasn't an
+even multiple of the block length or its padding values, when
+checked, weren't correct. This message is always fatal.
+
+=item "RO"/"record overflow"
+
+A TLSCiphertext record was received which had a length more than
+2^14+2048 bytes, or a record decrypted to a TLSCompressed record
+with more than 2^14+1024 bytes. This message is always fatal.
+
+=item "CA"/"unknown CA"
+
+A valid certificate chain or partial chain was received, but the
+certificate was not accepted because the CA certificate could not
+be located or couldn't be matched with a known, trusted CA.  This
+message is always fatal.
+
+=item "AD"/"access denied"
+
+A valid certificate was received, but when access control was
+applied, the sender decided not to proceed with negotiation.
+This message is always fatal.
+
+=item "DE"/"decode error"
+
+A message could not be decoded because some field was out of the
+specified range or the length of the message was incorrect. This
+message is always fatal.
+
+=item "CY"/"decrypt error"
+
+A handshake cryptographic operation failed, including being
+unable to correctly verify a signature, decrypt a key exchange,
+or validate a finished message.
+
+=item "ER"/"export restriction"
+
+A negotiation not in compliance with export restrictions was
+detected; for example, attempting to transfer a 1024 bit
+ephemeral RSA key for the RSA_EXPORT handshake method. This
+message is always fatal.
+
+=item "PV"/"protocol version"
+
+The protocol version the client has attempted to negotiate is
+recognized, but not supported. (For example, old protocol
+versions might be avoided for security reasons). This message is
+always fatal.
+
+=item "IS"/"insufficient security"
+
+Returned instead of handshake_failure when a negotiation has
+failed specifically because the server requires ciphers more
+secure than those supported by the client. This message is always
+fatal.
+
+=item "IE"/"internal error"
+
+An internal error unrelated to the peer or the correctness of the
+protocol makes it impossible to continue (such as a memory
+allocation failure). This message is always fatal.
+
+=item "US"/"user canceled"
+
+This handshake is being canceled for some reason unrelated to a
+protocol failure. If the user cancels an operation after the
+handshake is complete, just closing the connection by sending a
+close_notify is more appropriate. This alert should be followed
+by a close_notify. This message is generally a warning.
+
+=item "NR"/"no renegotiation"
+
+Sent by the client in response to a hello request or by the
+server in response to a client hello after initial handshaking.
+Either of these would normally lead to renegotiation; when that
+is not appropriate, the recipient should respond with this alert;
+at that point, the original requester can decide whether to
+proceed with the connection. One case where this would be
+appropriate would be where a server has spawned a process to
+satisfy a request; the process might receive security parameters
+(key length, authentication, etc.) at startup and it might be
+difficult to communicate changes to these parameters after that
+point. This message is always a warning.
+
+=item "UK"/"unknown"
+
+This indicates that no description is available for this alert type.
+Probably B<value> does not contain a correct alert message.
+
+=back
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_CTX_set_info_callback(3)|SSL_CTX_set_info_callback(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_clear.pod b/src/lib/libssl/src/doc/ssl/SSL_clear.pod
new file mode 100644
index 0000000000..862fd8291d
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_clear.pod
@@ -0,0 +1,39 @@
+=pod
+
+=head1 NAME
+
+SSL_clear - reset SSL object to allow another connection
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_clear(SSL *ssl);
+
+=head1 DESCRIPTION
+
+Reset B<ssl> to allow another connection. All settings (method, ciphers,
+BIOs) are kept. A completely negotiated B<SSL_SESSION> is not freed but left
+untouched for the underlying B<SSL_CTX>.
+
+=head1 RETURN VALUES
+
+The following return values can occur:
+
+=over 4
+
+=item 0
+
+The SSL_clear() operation could not be performed. Check the error stack to
+find out the reason.
+
+=item 1
+
+The SSL_clear() operation was successful.
+
+=back
+
+L<SSL_new(3)|SSL_new(3)>, L<SSL_free(3)|SSL_free(3)>,
+L<ssl(3)|ssl(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_connect.pod b/src/lib/libssl/src/doc/ssl/SSL_connect.pod
new file mode 100644
index 0000000000..debe41744f
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_connect.pod
@@ -0,0 +1,69 @@
+=pod
+
+=head1 NAME
+
+SSL_connect - initiate the TLS/SSL handshake with an TLS/SSL server
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_connect(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_connect() initiates the TLS/SSL handshake with a server. The communication
+channel must already have been set and assigned to the B<ssl> by setting an
+underlying B<BIO>.
+
+=head1 NOTES
+
+The behaviour of SSL_connect() depends on the underlying BIO. 
+
+If the underlying BIO is B<blocking>, SSL_connect() will only return once the
+handshake has been finished or an error occurred.
+
+If the underlying BIO is B<non-blocking>, SSL_connect() will also return
+when the underlying BIO could not satisfy the needs of SSL_connect()
+to continue the handshake. In this case a call to SSL_get_error() with the
+return value of SSL_connect() will yield B<SSL_ERROR_WANT_READ> or
+B<SSL_ERROR_WANT_WRITE>. The calling process then must repeat the call after
+taking appropriate action to satisfy the needs of SSL_connect().
+The action depends on the underlying BIO. When using a non-blocking socket,
+nothing is to be done, but select() can be used to check for the required
+condition. When using a buffering BIO, like a BIO pair, data must be written
+into or retrieved out of the BIO before being able to continue.
+
+=head1 RETURN VALUES
+
+The following return values can occur:
+
+=over 4
+
+=item 1
+
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
+established.
+
+=item 0
+
+The TLS/SSL handshake was not successful but was shut down controlled and
+by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
+return value B<ret> to find out the reason.
+
+=item -1
+
+The TLS/SSL handshake was not successful, because a fatal error occurred either
+at the protocol level or a connection failure occurred. The shutdown was
+not clean. It can also occur of action is need to continue the operation
+for non-blocking BIOs. Call SSL_get_error() with the return value B<ret>
+to find out the reason.
+
+=back
+
+=head1 SEE ALSO
+
+L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_accept(3)|SSL_accept(3)>,
+L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)> , L<bio(3)|bio(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_free.pod b/src/lib/libssl/src/doc/ssl/SSL_free.pod
new file mode 100644
index 0000000000..f3f0c345f8
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_free.pod
@@ -0,0 +1,33 @@
+=pod
+
+=head1 NAME
+
+SSL_free - free an allocated SSL structure
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ void SSL_free(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_free() decrements the reference count of B<ssl>, and removes the SSL
+structure pointed to by B<ssl> and frees up the allocated memory if the
+the reference count has reached 0.
+
+It also calls the free()ing procedures for indirectly affected items, if
+applicable: the buffering BIO, the read and write BIOs,
+cipher lists specially created for this B<ssl>, the B<SSL_SESSION>.
+Do not explicitly free these indirectly freed up items before or after
+calling SSL_free(), as trying to free things twice may lead to program
+failure.
+
+=head1 RETURN VALUES
+
+SSL_free() does not provide diagnostic information.
+
+L<SSL_new(3)|SSL_new(3)>, L<SSL_clear(3)|SSL_clear(3)>,
+L<ssl(3)|ssl(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_SSL_CTX.pod b/src/lib/libssl/src/doc/ssl/SSL_get_SSL_CTX.pod
new file mode 100644
index 0000000000..52d0227b19
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_get_SSL_CTX.pod
@@ -0,0 +1,26 @@
+=pod
+
+=head1 NAME
+
+SSL_get_SSL_CTX - get the SSL_CTX from which an SSL is created
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ SSL_CTX *SSL_get_SSL_CTX(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_get_SSL_CTX() returns a pointer to the SSL_CTX object, from which
+B<ssl> was created with L<SSL_new(3)|SSL_new(3)>.
+
+=head1 RETURN VALUES
+
+The pointer to the SSL_CTX object is returned.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_ciphers.pod b/src/lib/libssl/src/doc/ssl/SSL_get_ciphers.pod
new file mode 100644
index 0000000000..2a57455c23
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_get_ciphers.pod
@@ -0,0 +1,42 @@
+=pod
+
+=head1 NAME
+
+SSL_get_ciphers, SSL_get_cipher_list - get list of available SSL_CIPHERs
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *ssl);
+ const char *SSL_get_cipher_list(SSL *ssl, int priority);
+
+=head1 DESCRIPTION
+
+SSL_get_ciphers() returns the stack of available SSL_CIPHERs for B<ssl>,
+sorted by preference. If B<ssl> is NULL or no ciphers are available, NULL
+is returned.
+
+SSL_get_cipher_list() returns a pointer to the name of the SSL_CIPHER
+listed for B<ssl> with B<priority>. If B<ssl> is NULL, no ciphers are
+available, or there are less ciphers than B<priority> available, NULL
+is returned.
+
+=head1 NOTES
+
+The details of the ciphers obtained by SSL_get_ciphers() can be obtained using
+the L<SSL_CIPHER_get_name(3)|SSL_CIPHER_get_name(3)> family of functions.
+
+Call SSL_get_cipher_list() with B<priority> starting from 0 to obtain the
+sorted list of available ciphers, until NULL is returned.
+
+=head1 RETURN VALUES
+
+See DESCRIPTION
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>,
+L<SSL_CIPHER_get_name(3)|SSL_CIPHER_get_name(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_client_CA_list.pod b/src/lib/libssl/src/doc/ssl/SSL_get_client_CA_list.pod
new file mode 100644
index 0000000000..40e01cf9c8
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_get_client_CA_list.pod
@@ -0,0 +1,52 @@
+=pod
+
+=head1 NAME
+
+SSL_get_client_CA_list, SSL_CTX_get_client_CA_list - get list of client CAs
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s);
+ STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *ctx); 
+
+=head1 DESCRIPTION
+
+SSL_CTX_get_client_CA_list() returns the list of client CAs explicitly set for
+B<ctx> using L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>.
+
+SSL_get_client_CA_list() returns the list of client CAs explicitly
+set for B<ssl> using SSL_set_client_CA_list() or B<ssl>'s SSL_CTX object with
+L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>, when in
+server mode. In client mode, SSL_get_client_CA_list returns the list of
+client CAs sent from the server, if any.
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_client_CA_list() and SSL_set_client_CA_list() do not return
+diagnostic information.
+
+SSL_CTX_add_client_CA() and SSL_add_client_CA() have the following return
+values:
+
+=over 4
+
+=item STACK_OF(X509_NAMES)
+
+List of CA names explicitly set (for B<ctx> or in server mode) or send
+by the server (client mode).
+
+=item NULL
+
+No client CA list was explicitly set (for B<ctx> or in server mode) or
+the server did not send a list of CAs (client mode).
+
+=back
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_current_cipher.pod b/src/lib/libssl/src/doc/ssl/SSL_get_current_cipher.pod
new file mode 100644
index 0000000000..2dd7261d89
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_get_current_cipher.pod
@@ -0,0 +1,43 @@
+=pod
+
+=head1 NAME
+
+SSL_get_current_cipher, SSL_get_cipher, SSL_get_cipher_name,
+SSL_get_cipher_bits, SSL_get_cipher_version - get SSL_CIPHER of a connection
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ SSL_CIPHER *SSL_get_current_cipher(SSL *ssl);
+ #define SSL_get_cipher(s) \
+                SSL_CIPHER_get_name(SSL_get_current_cipher(s))
+ #define SSL_get_cipher_name(s) \
+                SSL_CIPHER_get_name(SSL_get_current_cipher(s))
+ #define SSL_get_cipher_bits(s,np) \
+                SSL_CIPHER_get_bits(SSL_get_current_cipher(s),np)
+ #define SSL_get_cipher_version(s) \
+                SSL_CIPHER_get_version(SSL_get_current_cipher(s))
+
+=head1 DESCRIPTION
+
+SSL_get_current_cipher() returns a pointer to an SSL_CIPHER object containing
+the description of the actually used cipher of a connection established with
+the B<ssl> object.
+
+SSL_get_cipher() and SSL_get_cipher_name() are identical macros to obtain the
+name of the currently used cipher. SSL_get_cipher_bits() is a
+macro to obtain the number of secret/algorithm bits used and 
+SSL_get_cipher_version() returns the protocol name.
+See L<SSL_CIPHER_get_name(3)|SSL_CIPHER_get_name(3)> for more details.
+
+=head1 RETURN VALUES
+
+SSL_get_current_cipher() returns the cipher actually used or NULL, when
+no session has been established.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_CIPHER_get_name(3)|SSL_CIPHER_get_name(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_default_timeout.pod b/src/lib/libssl/src/doc/ssl/SSL_get_default_timeout.pod
new file mode 100644
index 0000000000..8d43b31345
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_get_default_timeout.pod
@@ -0,0 +1,41 @@
+=pod
+
+=head1 NAME
+
+SSL_get_default_timeout - get default session timeout value
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ long SSL_get_default_timeout(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_get_default_timeout() returns the default timeout value assigned to
+SSL_SESSION objects negotiated for the protocol valid for B<ssl>.
+
+=head1 NOTES
+
+Whenever a new session is negotiated, it is assigned a timeout value,
+after which it will not be accepted for session reuse. If the timeout
+value was not explicitly set using
+L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>, the hardcoded default
+timeout for the protocol will be used.
+
+SSL_get_default_timeout() return this hardcoded value, which is 300 seconds
+for all currently supported protocols (SSLv2, SSLv3, and TLSv1).
+
+=head1 RETURN VALUES
+
+See description.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
+L<SSL_SESSION_get_time(3)|SSL_SESSION_get_time(3)>,
+L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>,
+L<SSL_get_default_timeout(3)|SSL_get_default_timeout(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_error.pod b/src/lib/libssl/src/doc/ssl/SSL_get_error.pod
new file mode 100644
index 0000000000..9cacdedc57
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_get_error.pod
@@ -0,0 +1,91 @@
+=pod
+
+=head1 NAME
+
+SSL_get_error - obtain result code for SSL I/O operation
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_get_error(SSL *ssl, int ret);
+
+=head1 DESCRIPTION
+
+SSL_get_error() returns a result code (suitable for the C "switch"
+statement) for a preceding call to SSL_connect(), SSL_accept(),
+SSL_read(), or SSL_write() on B<ssl>.  The value returned by that
+SSL I/O function must be passed to SSL_get_error() in parameter
+B<ret>.
+
+In addition to B<ssl> and B<ret>, SSL_get_error() inspects the
+current thread's OpenSSL error queue.  Thus, SSL_get_error() must be
+used in the same thread that performed the SSL I/O operation, and no
+other OpenSSL function calls should appear in between.  The current
+thread's error queue must be empty before the SSL I/O operation is
+attempted, or SSL_get_error() will not work reliably.
+
+=head1 RETURN VALUES
+
+The following return values can currently occur:
+
+=over 4
+
+=item SSL_ERROR_NONE
+
+The SSL I/O operation completed.  This result code is returned
+if and only if B<ret E<gt> 0>.
+
+=item SSL_ERROR_ZERO_RETURN
+
+The SSL connection has been closed.  If the protocol version is SSL 3.0
+or TLS 1.0, this result code is returned only if a closure
+alerts has occurred in the protocol, i.e. if the connection has been
+closed cleanly.
+
+=item SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
+
+The operation did not complete; the same SSL I/O function should be
+called again later.  There will be protocol progress if, by then, the
+underlying B<BIO> has data available for reading (if the result code is
+B<SSL_ERROR_WANT_READ>) or allows writing data (B<SSL_ERROR_WANT_WRITE>). 
+For socket B<BIO>s (e.g. when SSL_set_fd() was used) this means that
+select() or poll() on the underlying socket can be used to find out
+when the SSL I/O function should be retried.
+
+Caveat: Any SSL I/O function can lead to either of
+B<SSL_ERROR_WANT_READ> and B<SSL_ERROR_WANT_WRITE>, i.e. SSL_read()
+may want to write data and SSL_write() may want to read data.
+
+=item SSL_ERROR_WANT_X509_LOOKUP
+
+The operation did not complete because an application callback set by
+SSL_CTX_set_client_cert_cb() has asked to be called again.
+The SSL I/O function should be called again later.
+Details depend on the application.
+
+=item SSL_ERROR_SYSCALL
+
+Some I/O error occurred.  The OpenSSL error queue may contain more
+information on the error.  If the error queue is empty
+(i.e. ERR_get_error() returns 0), B<ret> can be used to find out more
+about the error: If B<ret == 0>, an EOF was observed that violates
+the protocol.  If B<ret == -1>, the underlying B<BIO> reported an
+I/O error (for socket I/O on Unix systems, consult B<errno> for details).
+
+=item SSL_ERROR_SSL
+
+A failure in the SSL library occurred, usually a protocol error.  The
+OpenSSL error queue contains more information on the error.
+
+=back
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<err(3)|err(3)>
+
+=head1 HISTORY
+
+SSL_get_error() was added in SSLeay 0.8.
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod b/src/lib/libssl/src/doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod
new file mode 100644
index 0000000000..165c6a5b2c
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod
@@ -0,0 +1,61 @@
+=pod
+
+=head1 NAME
+
+SSL_get_ex_data_X509_STORE_CTX_idx - get ex_data index to access SSL structure
+from X509_STORE_CTX
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_get_ex_data_X509_STORE_CTX_idx(void);
+
+=head1 DESCRIPTION
+
+SSL_get_ex_data_X509_STORE_CTX_idx() returns the index number under which
+the pointer to the SSL object is stored into the X509_STORE_CTX object.
+
+=head1 NOTES
+
+Whenever a X509_STORE_CTX object is created for the verification of the
+peers certificate during a handshake, a pointer to the SSL object is
+stored into the X509_STORE_CTX object to identify the connection affected.
+To retrieve this pointer the X509_STORE_CTX_get_ex_data() function can
+be used with the correct index. This index is globally the same for all
+X509_STORE_CTX objects and can be retrieved using
+SSL_get_ex_data_X509_STORE_CTX_idx(). The index value is set when
+SSL_get_ex_data_X509_STORE_CTX_idx() is first called either by the application
+program directly or indirectly during other SSL setup functions or during
+the handshake.
+
+The value depends on other index values defined for X509_STORE_CTX objects
+before the SSL index is created.
+
+=head1 RETURN VALUES
+
+=over 4
+
+=item E<gt>=0
+
+The index value to access the pointer.
+
+=item E<lt>0
+
+An error occurred, check the error stack for a detailed error message.
+
+=back
+
+=head1 EXAMPLES
+
+The index returned from SSL_get_ex_data_X509_STORE_CTX_idx() allows to
+access the SSL object for the connection to be accessed during the
+verify_callback() when checking the peers certificate. Please check
+the example in L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>,
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>,
+L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_ex_new_index.pod b/src/lib/libssl/src/doc/ssl/SSL_get_ex_new_index.pod
new file mode 100644
index 0000000000..2b69bb1050
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_get_ex_new_index.pod
@@ -0,0 +1,59 @@
+=pod
+
+=head1 NAME
+
+SSL_get_ex_new_index, SSL_set_ex_data, SSL_get_ex_data - internal application specific data functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_get_ex_new_index(long argl, void *argp,
+                CRYPTO_EX_new *new_func,
+                CRYPTO_EX_dup *dup_func,
+                CRYPTO_EX_free *free_func);
+
+ int SSL_set_ex_data(SSL *ssl, int idx, void *arg);
+
+ void *SSL_get_ex_data(SSL *ssl, int idx);
+
+ typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+                int idx, long argl, void *argp);
+ typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+                int idx, long argl, void *argp);
+ typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d,
+                int idx, long argl, void *argp);
+
+=head1 DESCRIPTION
+
+Several OpenSSL structures can have application specific data attached to them.
+These functions are used internally by OpenSSL to manipulate application
+specific data attached to a specific structure.
+
+SSL_get_ex_new_index() is used to register a new index for application
+specific data.
+
+SSL_set_ex_data() is used to store application data at B<arg> for B<idx> into
+the B<ssl> object.
+
+SSL_get_ex_data() is used to retrieve the information for B<idx> from
+B<ssl>.
+
+A detailed description for the B<*_get_ex_new_index()> functionality
+can be found in L<RSA_get_ex_new_index.pod(3)|RSA_get_ex_new_index.pod(3)>.
+The B<*_get_ex_data()> and B<*_set_ex_data()> functionality is described in
+L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>.
+
+=head1 EXAMPLES
+
+An example on how to use the functionality is included in the example
+verify_callback() in L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>,
+L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>,
+L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_fd.pod b/src/lib/libssl/src/doc/ssl/SSL_get_fd.pod
new file mode 100644
index 0000000000..a3f7625931
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_get_fd.pod
@@ -0,0 +1,44 @@
+=pod
+
+=head1 NAME
+
+SSL_get_fd - get file descriptor linked to an SSL object
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_get_fd(SSL *ssl);
+ int SSL_get_rfd(SSL *ssl);
+ int SSL_get_wfd(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_get_fd() returns the file descriptor which is linked to B<ssl>.
+SSL_get_rfd() and SSL_get_wfd() return the file descriptors for the
+read or the write channel, which can be different. If the read and the
+write channel are different, SSL_get_fd() will return the file descriptor
+of the read channel.
+
+=head1 RETURN VALUES
+
+The following return values can occur:
+
+=over 4
+
+=item -1
+
+The operation failed, because the underlying BIO is not of the correct type
+(suitable for file descriptors).
+
+=item E<gt>=0
+
+The file descriptor linked to B<ssl>.
+
+=back
+
+=head1 SEE ALSO
+
+L<SSL_set_fd(3)|SSL_set_fd(3)>, L<ssl(3)|ssl(3)> , L<bio(3)|bio(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_peer_cert_chain.pod b/src/lib/libssl/src/doc/ssl/SSL_get_peer_cert_chain.pod
new file mode 100644
index 0000000000..e93e8206fa
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_get_peer_cert_chain.pod
@@ -0,0 +1,52 @@
+=pod
+
+=head1 NAME
+
+SSL_get_peer_cert_chain - get the X509 certificate chain of the peer
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ STACKOF(X509) *SSL_get_peer_cert_chain(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_get_peer_cert_chain() returns a pointer to STACKOF(X509) certificates
+forming the certificate chain of the peer. If called on the client side,
+the stack also contains the peer's certificate; if called on the server
+side, the peer's certificate must be obtained seperately using
+L<SSL_get_peer_certificate(3)|SSL_get_peer_certificate(3)>.
+If the peer did not present a certificate, NULL is returned.
+
+=head1 NOTES
+
+The peer certificate chain is not necessarily available after reusing
+a session, in which case a NULL pointer is returned.
+
+The reference count of the STACKOF(X509) object is not incremented.
+If the corresponding session is freed, the pointer must not be used
+any longer.
+
+=head1 RETURN VALUES
+
+The following return values can occur:
+
+=over 4
+
+=item NULL
+
+No certificate was presented by the peer or no connection was established
+or the certificate chain is no longer available when a session is reused.
+
+=item Pointer to a STACKOF(X509)
+
+The return value points to the certificate chain presented by the peer.
+
+=back
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_get_peer_certificate(3)|SSL_get_peer_certificate(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_peer_certificate.pod b/src/lib/libssl/src/doc/ssl/SSL_get_peer_certificate.pod
new file mode 100644
index 0000000000..79c089aa51
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_get_peer_certificate.pod
@@ -0,0 +1,48 @@
+=pod
+
+=head1 NAME
+
+SSL_get_peer_certificate - get the X509 certificate of the peer
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ X509 *SSL_get_peer_certificate(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_get_peer_certificate() returns a pointer to the X509 certificate the
+peer presented. If the peer did not present a certificate, NULL is returned.
+
+=head1 NOTES
+
+That a certificate is returned does not indicate information about the
+verification state, use L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>
+to check the verification state.
+
+The reference count of the X509 object is incremented by one, so that it
+will not be destroyed when the session containing the peer certificate is
+freed. The X509 object must be explicitely freed using X509_free().
+
+=head1 RETURN VALUES
+
+The following return values can occur:
+
+=over 4
+
+=item NULL
+
+No certificate was presented by the peer or no connection was established.
+
+=item Pointer to an X509 certificate
+
+The return value points to the certificate presented by the peer.
+
+=back
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_rbio.pod b/src/lib/libssl/src/doc/ssl/SSL_get_rbio.pod
new file mode 100644
index 0000000000..3d98233cac
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_get_rbio.pod
@@ -0,0 +1,40 @@
+=pod
+
+=head1 NAME
+
+SSL_get_rbio - get BIO linked to an SSL object
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ BIO *SSL_get_rbio(SSL *ssl);
+ BIO *SSL_get_wbio(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_get_rbio() and SSL_get_wbio() return pointers to the BIOs for the
+read or the write channel, which can be different. The reference count
+of the BIO is not incremented.
+
+=head1 RETURN VALUES
+
+The following return values can occur:
+
+=over 4
+
+=item NULL
+
+No BIO was connected to the SSL object
+
+=item Any other pointer
+
+The BIO linked to B<ssl>.
+
+=back
+
+=head1 SEE ALSO
+
+L<SSL_set_bio(3)|SSL_set_bio(3)>, L<ssl(3)|ssl(3)> , L<bio(3)|bio(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_session.pod b/src/lib/libssl/src/doc/ssl/SSL_get_session.pod
new file mode 100644
index 0000000000..aff41fb9cf
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_get_session.pod
@@ -0,0 +1,48 @@
+=pod
+
+=head1 NAME
+
+SSL_get_session - retrieve TLS/SSL session data
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ SSL_SESSION *SSL_get_session(SSL *ssl);
+ SSL_SESSION *SSL_get0_session(SSL *ssl);
+ SSL_SESSION *SSL_get1_session(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_get_session() returns a pointer to the B<SSL_SESSION> actually used in
+B<ssl>. The reference count of the B<SSL_SESSION> is not incremented, so
+that the pointer can become invalid when the B<ssl> is freed and
+SSL_SESSION_free() is implicitly called.
+
+SSL_get0_session() is the same as SSL_get_session().
+
+SSL_get1_session() is the same as SSL_get_session(), but the reference
+count of the B<SSL_SESSION> is incremented by one.
+
+=head1 RETURN VALUES
+
+The following return values can occur:
+
+=over 4
+
+=item NULL
+
+There is no session available in B<ssl>.
+
+=item Pointer to an SSL
+
+The return value points to the data of an SSL session.
+
+=back
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_free(3)|SSL_free(3)>,
+L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_verify_result.pod b/src/lib/libssl/src/doc/ssl/SSL_get_verify_result.pod
new file mode 100644
index 0000000000..4d66236a05
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_get_verify_result.pod
@@ -0,0 +1,57 @@
+=pod
+
+=head1 NAME
+
+SSL_get_verify_result - get result of peer certificate verification
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ long SSL_get_verify_result(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_get_verify_result() returns the result of the verification of the
+X509 certificate presented by the peer, if any.
+
+=head1 NOTES
+
+SSL_get_verify_result() can only return one error code while the verification
+of a certificate can fail because of many reasons at the same time. Only
+the last verification error that occured during the processing is available
+from SSL_get_verify_result().
+
+The verification result is part of the established session and is restored
+when a session is reused.
+
+=head1 BUGS
+
+If no peer certificate was presented, the returned result code is
+X509_V_OK. This is because no verification error occured, it does however
+not indicate success. SSL_get_verify_result() is only useful in connection
+with L<SSL_get_peer_certificate(3)|SSL_get_peer_certificate(3)>.
+
+=head1 RETURN VALUES
+
+The following return values can currently occur:
+
+=over 4
+
+=item X509_V_OK
+
+The verification succeeded or no peer certificate was presented.
+
+=item Any other value
+
+Documented in L<verify(1)|verify(1)>.
+
+=back
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_set_verify_result(3)|SSL_set_verify_result(3)>,
+L<SSL_get_peer_certificate(3)|SSL_get_peer_certificate(3)>,
+L<verify(1)|verify(1)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_get_version.pod b/src/lib/libssl/src/doc/ssl/SSL_get_version.pod
new file mode 100644
index 0000000000..24d5291256
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_get_version.pod
@@ -0,0 +1,46 @@
+=pod
+
+=head1 NAME
+
+SSL_get_version - get the protocol version of a connection.
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ const char *SSL_get_version(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_get_cipher_version() returns the name of the protocol used for the
+connection B<ssl>.
+
+=head1 RETURN VALUES
+
+The following strings can occur:
+
+=over 4
+
+=item SSLv2
+
+The connection uses the SSLv2 protocol.
+
+=item SSLv3
+
+The connection uses the SSLv3 protocol.
+
+=item TLSv1
+
+The connection uses the TLSv1 protocol.
+
+=item unknown
+
+This indicates that no version has been set (no connection established).
+
+=back
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_library_init.pod b/src/lib/libssl/src/doc/ssl/SSL_library_init.pod
new file mode 100644
index 0000000000..ecf3c4858e
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_library_init.pod
@@ -0,0 +1,52 @@
+=pod
+
+=head1 NAME
+
+SSL_library_init, OpenSSL_add_ssl_algorithms, SSLeay_add_ssl_algorithms
+- initialize SSL library by registering algorithms
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_library_init(void);
+ #define OpenSSL_add_ssl_algorithms()    SSL_library_init()
+ #define SSLeay_add_ssl_algorithms()     SSL_library_init()
+
+=head1 DESCRIPTION
+
+SSL_library_init() registers the available ciphers and digests.
+
+OpenSSL_add_ssl_algorithms() and SSLeay_add_ssl_algorithms() are synonyms
+for SSL_library_init().
+
+=head1 NOTES
+
+SSL_library_init() must be called before any other action takes place.
+
+=head1 WARNING
+
+SSL_library_init() only registers ciphers. Another important initialization
+is the seeding of the PRNG (Pseudo Random Number Generator), which has to
+be performed separately.
+
+=head1 EXAMPLES
+
+A typical TLS/SSL application will start with the library initialization,
+will provide readable error messages and will seed the PRNG.
+
+ SSL_load_error_strings();                /* readable error messages */
+ SSL_library_init();                      /* initialize library */
+ actions_to_seed_PRNG(); 
+
+=head1 RETURN VALUES
+
+SSL_library_init() always returns "1", so it is safe to discard the return
+value.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_load_error_strings(3)|SSL_load_error_strings(3)>,
+L<RAND_add(3)|RAND_add(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_load_client_CA_file.pod b/src/lib/libssl/src/doc/ssl/SSL_load_client_CA_file.pod
new file mode 100644
index 0000000000..02527dc2ed
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_load_client_CA_file.pod
@@ -0,0 +1,62 @@
+=pod
+
+=head1 NAME
+
+SSL_load_client_CA_file - load certificate names from file
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file);
+
+=head1 DESCRIPTION
+
+SSL_load_client_CA_file() reads certificates from B<file> and returns
+a STACK_OF(X509_NAME) with the subject names found.
+
+=head1 NOTES
+
+SSL_load_client_CA_file() reads a file of PEM formatted certificates and
+extracts the X509_NAMES of the certificates found. While the name suggests
+the specific usage as support function for
+L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>,
+it is not limited to CA certificates.
+
+=head1 EXAMPLES
+
+Load names of CAs from file and use it as a client CA list:
+
+ SSL_CTX *ctx;
+ STACK_OF(X509_NAME) *cert_names;
+
+ ... 
+ cert_names = SSL_load_client_CA_file("/path/to/CAfile.pem");
+ if (cert_names != NULL)
+   SSL_CTX_set_client_CA_list(ctx, cert_names);
+ else
+   error_handling();
+ ...
+
+=head1 RETURN VALUES
+
+The following return values can occur:
+
+=over 4
+
+=item NULL
+
+The operation failed, check out the error stack for the reason.
+
+=item Pointer to STACK_OF(X509_NAME)
+
+Pointer to the subject names of the successfully read certificates.
+
+=back
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_new.pod b/src/lib/libssl/src/doc/ssl/SSL_new.pod
new file mode 100644
index 0000000000..8e8638fa95
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_new.pod
@@ -0,0 +1,42 @@
+=pod
+
+=head1 NAME
+
+SSL_new - create a new SSL structure for a connection
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ SSL *SSL_new(SSL_CTX *ctx);
+
+=head1 DESCRIPTION
+
+SSL_new() creates a new B<SSL> structure which is needed to hold the
+data for a TLS/SSL connection. The new structure inherits the settings
+of the underlying context B<ctx>: connection method (SSLv2/v3/TLSv1),
+options, verification settings, timeout settings.
+
+=head1 RETURN VALUES
+
+The following return values can occur:
+
+=over 4
+
+=item NULL
+
+The creation of a new SSL structure failed. Check the error stack to
+find out the reason.
+
+=item Pointer to an SSL structure
+
+The return value points to an allocated SSL structure.
+
+=back
+
+=head1 SEE ALSO
+
+L<SSL_free(3)|SSL_free(3)>, L<SSL_clear(3)|SSL_clear(3)>,
+L<ssl(3)|ssl(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_pending.pod b/src/lib/libssl/src/doc/ssl/SSL_pending.pod
new file mode 100644
index 0000000000..744e1855e1
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_pending.pod
@@ -0,0 +1,30 @@
+=pod
+
+=head1 NAME
+
+SSL_pending - obtain number of readable bytes buffered in an SSL object
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_pending(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_pending() returns the number of bytes which are available inside
+B<ssl> for immediate read.
+
+=head1 NOTES
+
+Data are received in blocks from the peer. Therefore data can be buffered
+inside B<ssl> and are ready for immediate retrieval with
+L<SSL_read(3)|SSL_read(3)>.
+
+=head1 RETURN VALUES
+
+The number of bytes pending is returned.
+
+L<SSL_read(3)|SSL_read(3)>, L<ssl(3)|ssl(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_read.pod b/src/lib/libssl/src/doc/ssl/SSL_read.pod
new file mode 100644
index 0000000000..072dc26cf2
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_read.pod
@@ -0,0 +1,77 @@
+=pod
+
+=head1 NAME
+
+SSL_read - read bytes from a TLS/SSL connection.
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_read(SSL *ssl, char *buf, int num);
+
+=head1 DESCRIPTION
+
+SSL_read() tries to read B<num> bytes from the specified B<ssl> into the
+buffer B<buf>.
+
+=head1 NOTES
+
+If necessary, SSL_read() will negotiate a TLS/SSL session, if
+not already explicitly performed by SSL_connect() or SSL_accept(). If the
+peer requests a re-negotiation, it will be performed transparently during
+the SSL_read() operation. The behaviour of SSL_read() depends on the
+underlying BIO. 
+
+If the underlying BIO is B<blocking>, SSL_read() will only return, once the
+read operation has been finished or an error occurred.
+
+If the underlying BIO is B<non-blocking>, SSL_read() will also return
+when the underlying BIO could not satisfy the needs of SSL_read()
+to continue the operation. In this case a call to SSL_get_error() with the
+return value of SSL_read() will yield B<SSL_ERROR_WANT_READ> or
+B<SSL_ERROR_WANT_WRITE>. As at any time a re-negotiation is possible, a
+call to SSL_read() can also cause write operations! The calling process
+then must repeat the call after taking appropriate action to satisfy the
+needs of SSL_read(). The action depends on the underlying BIO. When using a
+non-blocking socket, nothing is to be done, but select() can be used to check
+for the required condition. When using a buffering BIO, like a BIO pair, data
+must be written into or retrieved out of the BIO before being able to continue.
+
+=head1 WARNING
+
+When an SSL_read() operation has to be repeated because of
+B<SSL_ERROR_WANT_READ> or B<SSL_ERROR_WANT_WRITE>, it must be repeated
+with the same arguments.
+
+=head1 RETURN VALUES
+
+The following return values can occur:
+
+=over 4
+
+=item E<gt>0
+
+The read operation was successful; the return value is the number of
+bytes actually read from the TLS/SSL connection.
+
+=item 0
+
+The read operation was not successful, probably because no data was
+available. Call SSL_get_error() with the return value B<ret> to find out,
+whether an error occurred.
+
+=item -1
+
+The read operation was not successful, because either an error occurred
+or action must be taken by the calling process. Call SSL_get_error() with the
+return value B<ret> to find out the reason.
+
+=back
+
+=head1 SEE ALSO
+
+L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_write(3)|SSL_write(3)>,
+L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_rstate_string.pod b/src/lib/libssl/src/doc/ssl/SSL_rstate_string.pod
new file mode 100644
index 0000000000..bdb8a1fcd5
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_rstate_string.pod
@@ -0,0 +1,59 @@
+=pod
+
+=head1 NAME
+
+SSL_rstate_string, SSL_rstate_string_long - get textual description of state of an SSL object during read operation
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ const char *SSL_rstate_string(SSL *ssl);
+ const char *SSL_rstate_string_long(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_rstate_string() returns a 2 letter string indicating the current read state
+of the SSL object B<ssl>.
+
+SSL_rstate_string_long() returns a string indicating the current read state of
+the SSL object B<ssl>.
+
+=head1 NOTES
+
+When performing a read operation, the SSL/TLS engine must parse the record,
+consisting of header and body. When working in a blocking environment,
+SSL_rstate_string[_long]() should always return "RD"/"read done".
+
+This function should only seldom be needed in applications.
+
+=head1 RETURN VALUES
+
+SSL_rstate_string() and SSL_rstate_string_long() can return the following
+values:
+
+=over 4
+
+=item "RH"/"read header"
+
+The header of the record is being evaluated.
+
+=item "RB"/"read body"
+
+The body of the record is being evaluated.
+
+=item "RD"/"read done"
+
+The record has been completely processed.
+
+=item "unknown"/"unknown"
+
+The read state is unknown. This should never happen.
+
+=back
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_session_reused.pod b/src/lib/libssl/src/doc/ssl/SSL_session_reused.pod
new file mode 100644
index 0000000000..da7d06264d
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_session_reused.pod
@@ -0,0 +1,45 @@
+=pod
+
+=head1 NAME
+
+SSL_session_reused - query whether a reused session was negotiated during handshake
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_session_reused(SSL *ssl);
+
+=head1 DESCRIPTION
+
+Query, whether a reused session was negotiated during the handshake.
+
+=head1 NOTES
+
+During the negotiation, a client can propose to reuse a session. The server
+then looks up the session in its cache. If both client and server agree
+on the session, it will be reused and a flag is being set that can be
+queried by the application.
+
+=head1 RETURN VALUES
+
+The following return values can occur:
+
+=over 4
+
+=item 0
+
+A new session was negotiated.
+
+=item 1
+
+A session was reused.
+
+=back
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_set_session(3)|SSL_set_session(3)>,
+L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_set_bio.pod b/src/lib/libssl/src/doc/ssl/SSL_set_bio.pod
new file mode 100644
index 0000000000..67c9756d3f
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_set_bio.pod
@@ -0,0 +1,34 @@
+=pod
+
+=head1 NAME
+
+SSL_set_bio - connect the SSL object with a BIO
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio);
+
+=head1 DESCRIPTION
+
+SSL_set_bio() connects the BIOs B<rbio> and B<wbio> for the read and write
+operations of the TLS/SSL (encrypted) side of B<ssl>.
+
+The SSL engine inherits the behaviour of B<rbio> and B<wbio>, respectively.
+If a BIO is non-blocking, the B<ssl> will also have non-blocking behaviour.
+
+If there was already a BIO connected to B<ssl>, BIO_free() will be called
+(for both the reading and writing side, if different).
+
+=head1 RETURN VALUES
+
+SSL_set_bio() cannot fail.
+
+=head1 SEE ALSO
+
+L<SSL_get_rbio(3)|SSL_get_rbio(3)>,
+L<SSL_connect(3)|SSL_connect(3)>, L<SSL_accept(3)|SSL_accept(3)>,
+L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_set_connect_state.pod b/src/lib/libssl/src/doc/ssl/SSL_set_connect_state.pod
new file mode 100644
index 0000000000..a8c4463c64
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_set_connect_state.pod
@@ -0,0 +1,47 @@
+=pod
+
+=head1 NAME
+
+SSL_set_connect_state, SSL_get_accept_state - prepare SSL object to work in client or server mode
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ void SSL_set_connect_state(SSL *ssl);
+
+ void SSL_set_accept_state(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_set_connect_state() B<ssl> to work in client mode.
+
+SSL_set_accept_state() B<ssl> to work in server mode.
+
+=head1 NOTES
+
+When the SSL_CTX object was created with L<SSL_CTX_new(3)|SSL_CTX_new(3)>,
+it was either assigned a dedicated client method, a dedicated server
+method, or a generic method, that can be used for both client and
+server connections. (The method might have been changed with
+L<SSL_CTX_set_ssl_version(3)|SSL_CTX_set_ssl_version(3)> or
+SSL_set_ssl_method().)
+
+In order to successfully accomplish the handshake, the SSL routines need
+to know whether they should act in server or client mode. If the generic
+method was used, this is not clear from the method itself and must be set
+with either SSL_set_connect_state() or SSL_set_accept_state(). If these
+routines are not called, the default value set when L<SSL_new(3)|SSL_new(3)>
+is called is server mode.
+
+=head1 RETURN VALUES
+
+SSL_set_connect_state() and SSL_set_accept_state() do not return diagnostic
+information.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, L<SSL_CTX_new(3)|SSL_CTX_new(3)>,
+L<SSL_CTX_set_ssl_version(3)|SSL_CTX_set_ssl_version(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_set_fd.pod b/src/lib/libssl/src/doc/ssl/SSL_set_fd.pod
new file mode 100644
index 0000000000..70291128fc
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_set_fd.pod
@@ -0,0 +1,54 @@
+=pod
+
+=head1 NAME
+
+SSL_set_fd - connect the SSL object with a file descriptor
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_set_fd(SSL *ssl, int fd);
+ int SSL_set_rfd(SSL *ssl, int fd);
+ int SSL_set_wfd(SSL *ssl, int fd);
+
+=head1 DESCRIPTION
+
+SSL_set_fd() sets the file descriptor B<fd> as the input/output facility
+for the TLS/SSL (encrypted) side of B<ssl>. B<fd> will typically be the
+socket file descriptor of a network connection.
+
+When performing the operation, a B<socket BIO> is automatically created to
+interface between the B<ssl> and B<fd>. The BIO and hence the SSL engine
+inherit the behaviour of B<fd>. If B<fd> is non-blocking, the B<ssl> will
+also have non-blocking behaviour.
+
+If there was already a BIO connected to B<ssl>, BIO_free() will be called
+(for both the reading and writing side, if different).
+
+SSL_set_rfd() and SSL_set_wfd() perform the respective action, but only
+for the read channel or the write channel, which can be set independently.
+
+=head1 RETURN VALUES
+
+The following return values can occur:
+
+=over 4
+
+=item 0
+
+The operation failed. Check the error stack to find out why.
+
+=item 1
+
+The operation succeeded.
+
+=back
+
+=head1 SEE ALSO
+
+L<SSL_get_fd(3)|SSL_get_fd(3)>, L<SSL_set_bio(3)|SSL_set_bio(3)>,
+L<SSL_connect(3)|SSL_connect(3)>, L<SSL_accept(3)|SSL_accept(3)>,
+L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)> , L<bio(3)|bio(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_set_session.pod b/src/lib/libssl/src/doc/ssl/SSL_set_session.pod
new file mode 100644
index 0000000000..9f78d9e434
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_set_session.pod
@@ -0,0 +1,45 @@
+=pod
+
+=head1 NAME
+
+SSL_set_session - set a TLS/SSL session to be used during TLS/SSL connect
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_set_session(SSL *ssl, SSL_SESSION *session);
+
+=head1 DESCRIPTION
+
+SSL_set_session() sets B<session> to be used when the TLS/SSL connection
+is to be established. SSL_set_session() is only useful for TLS/SSL clients.
+When the session is set, the reference count of B<session> is incremented
+by 1. If the session is not reused, the reference count is decremented
+again during SSL_connect().
+
+If there is already a session set inside B<ssl> (because it was set with
+SSL_set_session() before or because the same B<ssl> was already used for
+a connection), SSL_SESSION_free() will be called for that session.
+
+=head1 RETURN VALUES
+
+The following return values can occur:
+
+=over 4
+
+=item 0
+
+The operation failed; check the error stack to find out the reason.
+
+=item 1
+
+The operation succeeded.
+
+=back
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_set_shutdown.pod b/src/lib/libssl/src/doc/ssl/SSL_set_shutdown.pod
new file mode 100644
index 0000000000..6b196c1f15
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_set_shutdown.pod
@@ -0,0 +1,68 @@
+=pod
+
+=head1 NAME
+
+SSL_set_shutdown, SSL_get_shutdown - manipulate shutdown state of an SSL connection
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ void SSL_set_shutdown(SSL *ssl, int mode);
+
+ int SSL_get_shutdown(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_set_shutdown() sets the shutdown state of B<ssl> to B<mode>.
+
+SSL_get_shutdown() returns the shutdown mode of B<ssl>.
+
+=head1 NOTES
+
+The shutdown state of an ssl connection is a bitmask of:
+
+=over 4
+
+=item 0
+
+No shutdown setting, yet.
+
+=item SSL_SENT_SHUTDOWN
+
+A "close notify" shutdown alert was sent to the peer, the connection is being
+considered closed and the session is closed and correct.
+
+=item SSL_RECEIVED_SHUTDOWN
+
+A shutdown alert was received form the peer, either a normal "close notify"
+or a fatal error.
+
+=back
+
+SSL_SENT_SHUTDOWN and SSL_RECEIVED_SHUTDOWN can be set at the same time.
+
+The shutdown state of the connection is used to determine the state of
+the ssl session. If the session is still open, when
+L<SSL_clear(3)|SSL_clear(3)> or L<SSL_free(3)|SSL_free(3)> is called,
+it is considered bad and removed according to RFC2246.
+The actual condition for a correctly closed session is SSL_SENT_SHUTDOWN.
+SSL_set_shutdown() can be used to set this state without sending a
+close alert to the peer (see L<SSL_shutdown(3)|SSL_shutdown(3)>).
+
+If a "close notify" was received, SSL_RECEIVED_SHUTDOWN will be set,
+for setting SSL_SENT_SHUTDOWN the application must however still call
+L<SSL_shutdown(3)|SSL_shutdown(3)> or SSL_set_shutdown() itself.
+
+=head1 RETURN VALUES
+
+SSL_set_shutdown() does not return diagnostic information.
+
+SSL_get_shutdown() returns the current setting.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_shutdown(3)|SSL_shutdown(3)>,
+L<SSL_clear(3)|SSL_clear(3)>, L<SSL_free(3)|SSL_free(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_set_verify_result.pod b/src/lib/libssl/src/doc/ssl/SSL_set_verify_result.pod
new file mode 100644
index 0000000000..04ab101aad
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_set_verify_result.pod
@@ -0,0 +1,38 @@
+=pod
+
+=head1 NAME
+
+SSL_set_verify_result - override result of peer certificate verification
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ void SSL_set_verify_result(SSL *ssl, long verify_result);
+
+=head1 DESCRIPTION
+
+SSL_set_verify_result() sets B<verify_result> of the object B<ssl> to be the
+result of the verification of the X509 certificate presented by the peer,
+if any.
+
+=head1 NOTES
+
+SSL_set_verify_result() overrides the verification result. It only changes
+the verification result of the B<ssl> object. It does not become part of the
+established session, so if the session is to be reused later, the original
+value will reappear.
+
+The valid codes for B<verify_result> are documented in L<verify(1)|verify(1)>.
+
+=head1 RETURN VALUES
+
+SSL_set_verify_result() does not provide a return value.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>,
+L<SSL_get_peer_certificate(3)|SSL_get_peer_certificate(3)>,
+L<verify(1)|verify(1)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_shutdown.pod b/src/lib/libssl/src/doc/ssl/SSL_shutdown.pod
new file mode 100644
index 0000000000..20e273bd4d
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_shutdown.pod
@@ -0,0 +1,62 @@
+=pod
+
+=head1 NAME
+
+SSL_shutdown - shut down a TLS/SSL connection
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_shutdown(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_shutdown() shuts down an active TLS/SSL connection. It sends the shutdown
+alert to the peer. The behaviour of SSL_shutdown() depends on the underlying
+BIO. 
+
+If the underlying BIO is B<blocking>, SSL_shutdown() will only return once the
+handshake has been finished or an error occurred.
+
+If the underlying BIO is B<non-blocking>, SSL_shutdown() will also return
+when the underlying BIO could not satisfy the needs of SSL_shutdown()
+to continue the handshake. In this case a call to SSL_get_error() with the
+return value of SSL_shutdown() will yield B<SSL_ERROR_WANT_READ> or
+B<SSL_ERROR_WANT_WRITE>. The calling process then must repeat the call after
+taking appropriate action to satisfy the needs of SSL_shutdown().
+The action depends on the underlying BIO. When using a non-blocking socket,
+nothing is to be done, but select() can be used to check for the required
+condition. When using a buffering BIO, like a BIO pair, data must be written
+into or retrieved out of the BIO before being able to continue.
+
+=head1 RETURN VALUES
+
+The following return values can occur:
+
+=over 4
+
+=item 1
+
+The shutdown was successfully completed.
+
+=item 0
+
+The shutdown was not successful. Call SSL_get_error() with the return
+value B<ret> to find out the reason.
+
+=item -1
+
+The shutdown was not successful because a fatal error occurred either
+at the protocol level or a connection failure occurred. It can also occur of
+action is need to continue the operation for non-blocking BIOs.
+Call SSL_get_error() with the return value B<ret> to find out the reason.
+
+=back
+
+=head1 SEE ALSO
+
+L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_connect(3)|SSL_connect(3)>,
+L<SSL_accept(3)|SSL_accept(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_state_string.pod b/src/lib/libssl/src/doc/ssl/SSL_state_string.pod
new file mode 100644
index 0000000000..b4be1aaa48
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_state_string.pod
@@ -0,0 +1,45 @@
+=pod
+
+=head1 NAME
+
+SSL_state_string, SSL_state_string_long - get textual description of state of an SSL object
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ const char *SSL_state_string(SSL *ssl);
+ const char *SSL_state_string_long(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_state_string() returns a 6 letter string indicating the current state
+of the SSL object B<ssl>.
+
+SSL_state_string_long() returns a string indicating the current state of
+the SSL object B<ssl>.
+
+=head1 NOTES
+
+During its use, an SSL objects passes several states. The state is internally
+maintained. Querying the state information is not very informative before
+or when a connection has been established. It however can be of significant
+interest during the handshake.
+
+When using non-blocking sockets, the function call performing the handshake
+may return with SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE condition,
+so that SSL_state_string[_long]() may be called.
+
+For both blocking or non-blocking sockets, the details state information
+can be used within the info_callback function set with the
+SSL_set_info_callback() call.
+
+=head1 RETURN VALUES
+
+Detailed description of possible states to be included later.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_CTX_set_info_callback(3)|SSL_CTX_set_info_callback(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_want.pod b/src/lib/libssl/src/doc/ssl/SSL_want.pod
new file mode 100644
index 0000000000..50cc89db80
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_want.pod
@@ -0,0 +1,77 @@
+=pod
+
+=head1 NAME
+
+SSL_want, SSL_want_nothing, SSL_want_read, SSL_want_write, SSL_want_x509_lookup - obtain state information TLS/SSL I/O operation
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_want(SSL *ssl);
+ int SSL_want_nothing(SSL *ssl);
+ int SSL_want_read(SSL *ssl);
+ int SSL_want_write(SSL *ssl);
+ int SSL_want_x509_lookup(SSL *ssl);
+
+=head1 DESCRIPTION
+
+SSL_want() returns state information for the SSL object B<ssl>.
+
+The other SSL_want_*() calls are shortcuts for the possible states returned
+by SSL_want().
+
+=head1 NOTES
+
+SSL_want() examines the internal state information of the SSL object. Its
+return values are similar to that of L<SSL_get_error(3)|SSL_get_error(3)>.
+Unlike L<SSL_get_error(3)|SSL_get_error(3)>, which also evaluates the
+error queue, the results are obtained by examining an internal state flag
+only. The information must therefore only be used for normal operation under
+non-blocking I/O. Error conditions are not handled and must be treated
+using L<SSL_get_error(3)|SSL_get_error(3)>.
+
+The result returned by SSL_want() should always be consistent with
+the result of L<SSL_get_error(3)|SSL_get_error(3)>.
+
+=head1 RETURN VALUES
+
+The following return values can currently occur for SSL_want():
+
+=over 4
+
+=item SSL_NOTHING
+
+There is no data to be written or to be read.
+
+=item SSL_WRITING
+
+There are data in the SSL buffer that must be written to the underlying
+B<BIO> layer in order to complete the actual SSL_*() operation.
+A call to L<SSL_get_error(3)|SSL_get_error(3)> should return
+SSL_ERROR_WANT_WRITE.
+
+=item SSL_READING
+
+More data must be read from the underlying B<BIO> layer in order to
+complete the actual SSL_*() operation.
+A call to L<SSL_get_error(3)|SSL_get_error(3)> should return
+SSL_ERROR_WANT_READ.
+
+=item SSL_X509_LOOKUP
+
+The operation did not complete because an application callback set by
+SSL_CTX_set_client_cert_cb() has asked to be called again.
+A call to L<SSL_get_error(3)|SSL_get_error(3)> should return
+SSL_ERROR_WANT_X509_LOOKUP.
+
+=back
+
+SSL_want_nothing(), SSL_want_read(), SSL_want_write(), SSL_want_x509_lookup()
+return 1, when the corresponding condition is true or 0 otherwise.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<err(3)|err(3)>, L<SSL_get_error(3)|SSL_get_error(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/SSL_write.pod b/src/lib/libssl/src/doc/ssl/SSL_write.pod
new file mode 100644
index 0000000000..db67c187e0
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/SSL_write.pod
@@ -0,0 +1,76 @@
+=pod
+
+=head1 NAME
+
+SSL_read - write bytes to a TLS/SSL connection.
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_write(SSL *ssl, char *buf, int num);
+
+=head1 DESCRIPTION
+
+SSL_write() writes B<num> bytes from the buffer B<buf> into the specified
+B<ssl> connection.
+
+=head1 NOTES
+
+If necessary, SSL_write() will negotiate a TLS/SSL session, if
+not already explicitly performed by SSL_connect() or SSL_accept(). If the
+peer requests a re-negotiation, it will be performed transparently during
+the SSL_write() operation. The behaviour of SSL_write() depends on the
+underlying BIO. 
+
+If the underlying BIO is B<blocking>, SSL_write() will only return, once the
+write operation has been finished or an error occurred.
+
+If the underlying BIO is B<non-blocking>, SSL_write() will also return,
+when the underlying BIO could not satisfy the needs of SSL_write()
+to continue the operation. In this case a call to SSL_get_error() with the
+return value of SSL_write() will yield B<SSL_ERROR_WANT_READ> or
+B<SSL_ERROR_WANT_WRITE>. As at any time a re-negotiation is possible, a
+call to SSL_write() can also cause write operations! The calling process
+then must repeat the call after taking appropriate action to satisfy the
+needs of SSL_write(). The action depends on the underlying BIO. When using a
+non-blocking socket, nothing is to be done, but select() can be used to check
+for the required condition. When using a buffering BIO, like a BIO pair, data
+must be written into or retrieved out of the BIO before being able to continue.
+
+=head1 WARNING
+
+When an SSL_write() operation has to be repeated because of
+B<SSL_ERROR_WANT_READ> or B<SSL_ERROR_WANT_WRITE>, it must be repeated
+with the same arguments.
+
+=head1 RETURN VALUES
+
+The following return values can occur:
+
+=over 4
+
+=item E<gt>0
+
+The write operation was successful, the return value is the number of
+bytes actually written to the TLS/SSL connection.
+
+=item 0
+
+The write operation was not successful. Call SSL_get_error() with the return
+value B<ret> to find out, whether an error occurred.
+
+=item -1
+
+The read operation was not successful, because either an error occurred
+or action must be taken by the calling process. Call SSL_get_error() with the
+return value B<ret> to find out the reason.
+
+=back
+
+=head1 SEE ALSO
+
+L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_read(3)|SSL_read(3)>,
+L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/d2i_SSL_SESSION.pod b/src/lib/libssl/src/doc/ssl/d2i_SSL_SESSION.pod
new file mode 100644
index 0000000000..9a1ba6c47b
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/d2i_SSL_SESSION.pod
@@ -0,0 +1,56 @@
+=pod
+
+=head1 NAME
+
+d2i_SSL_SESSION, i2d_SSL_SESSION - convert SSL_SESSION object from/to ASN1 representation
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp, long length);
+ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp);
+
+=head1 DESCRIPTION
+
+d2i_SSL_SESSION() transforms the external ASN1 representation of an SSL/TLS
+session, stored as binary data at location B<pp> with length B<length>, into
+an SSL_SESSION object.
+
+i2d_SSL_SESSION() transforms the SSL_SESSION object B<in> into the ASN1
+representation and stores it into the memory location pointed to by B<pp>.
+The length of the resulting ASN1 representation is returned. If B<pp> is
+the NULL pointer, only the length is calculated and returned.
+
+=head1 NOTES
+
+The SSL_SESSION object is built from several malloc()ed parts, it can
+therefore not be moved, copied or stored directly. In order to store
+session data on disk or into a database, it must be transformed into
+a binary ASN1 representation.
+
+When using d2i_SSL_SESSION(), the SSL_SESSION object is automatically
+allocated.
+
+When using i2d_SSL_SESSION(), the memory location pointed to by B<pp> must be
+large enough to hold the binary representation of the session. There is no
+known limit on the size of the created ASN1 representation, so the necessary
+amount of space should be obtained by first calling i2d_SSL_SESSION() with
+B<pp=NULL>, and obtain the size needed, then allocate the memory and
+call i2d_SSL_SESSION() again.
+
+=head1 RETURN VALUES
+
+d2i_SSL_SESSION() returns a pointer to the newly allocated SSL_SESSION
+object. In case of failure the NULL-pointer is returned and the error message
+can be retrieved from the error stack.
+
+i2d_SSL_SESSION() returns the size of the ASN1 representation in bytes.
+When the session is not valid, B<0> is returned and no operation is performed.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>,
+L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>
+
+=cut
diff --git a/src/lib/libssl/src/doc/ssl/ssl.pod b/src/lib/libssl/src/doc/ssl/ssl.pod
new file mode 100644
index 0000000000..e53876654a
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssl/ssl.pod
@@ -0,0 +1,634 @@
+
+=pod
+
+=head1 NAME
+
+SSL - OpenSSL SSL/TLS library
+
+=head1 SYNOPSIS
+
+=head1 DESCRIPTION
+
+The OpenSSL B<ssl> library implements the Secure Sockets Layer (SSL v2/v3) and
+Transport Layer Security (TLS v1) protocols. It provides a rich API which is
+documented here.
+
+=head1 HEADER FILES
+
+Currently the OpenSSL B<ssl> library provides the following C header files
+containing the prototypes for the data structures and and functions:
+
+=over 4
+
+=item B<ssl.h>
+
+That's the common header file for the SSL/TLS API.  Include it into your
+program to make the API of the B<ssl> library available. It internally
+includes both more private SSL headers and headers from the B<crypto> library.
+Whenever you need hard-core details on the internals of the SSL API, look
+inside this header file.
+
+=item B<ssl2.h>
+
+That's the sub header file dealing with the SSLv2 protocol only.
+I<Usually you don't have to include it explicitly because
+it's already included by ssl.h>.
+
+=item B<ssl3.h>
+
+That's the sub header file dealing with the SSLv3 protocol only.
+I<Usually you don't have to include it explicitly because
+it's already included by ssl.h>.
+
+=item B<ssl23.h>
+
+That's the sub header file dealing with the combined use of the SSLv2 and
+SSLv3 protocols.
+I<Usually you don't have to include it explicitly because
+it's already included by ssl.h>.
+
+=item B<tls1.h>
+
+That's the sub header file dealing with the TLSv1 protocol only.
+I<Usually you don't have to include it explicitly because
+it's already included by ssl.h>.
+
+=back
+
+=head1 DATA STRUCTURES
+
+Currently the OpenSSL B<ssl> library functions deals with the following data
+structures:
+
+=over 4
+
+=item B<SSL_METHOD> (SSL Method)
+
+That's a dispatch structure describing the internal B<ssl> library
+methods/functions which implement the various protocol versions (SSLv1, SSLv2
+and TLSv1). It's needed to create an B<SSL_CTX>.
+
+=item B<SSL_CIPHER> (SSL Cipher)
+
+This structure holds the algorithm information for a particular cipher which
+are a core part of the SSL/TLS protocol. The available ciphers are configured
+on a B<SSL_CTX> basis and the actually used ones are then part of the
+B<SSL_SESSION>.
+
+=item B<SSL_CTX> (SSL Context)
+
+That's the global context structure which is created by a server or client
+once per program life-time and which holds mainly default values for the
+B<SSL> structures which are later created for the connections.
+
+=item B<SSL_SESSION> (SSL Session)
+
+This is a structure containing the current SSL session details for a
+connection: B<SSL_CIPHER>s, client and server certificates, keys, etc.
+
+=item B<SSL> (SSL Connection)
+
+That's the main SSL/TLS structure which is created by a server or client per
+established connection. This actually is the core structure in the SSL API.
+Under run-time the application usually deals with this structure which has
+links to mostly all other structures.
+
+=back
+
+=head1 API FUNCTIONS
+
+Currently the OpenSSL B<ssl> library exports 214 API functions.
+They are documented in the following:
+
+=head2 DEALING WITH PROTOCOL METHODS
+
+Here we document the various API functions which deal with the SSL/TLS
+protocol methods defined in B<SSL_METHOD> structures.
+
+=over 4
+
+=item SSL_METHOD *B<SSLv2_client_method>(void);
+
+Constructor for the SSLv2 SSL_METHOD structure for a dedicated client.
+
+=item SSL_METHOD *B<SSLv2_server_method>(void);
+
+Constructor for the SSLv2 SSL_METHOD structure for a dedicated server.
+
+=item SSL_METHOD *B<SSLv2_method>(void);
+
+Constructor for the SSLv2 SSL_METHOD structure for combined client and server.
+
+=item SSL_METHOD *B<SSLv3_client_method>(void);
+
+Constructor for the SSLv3 SSL_METHOD structure for a dedicated client.
+
+=item SSL_METHOD *B<SSLv3_server_method>(void);
+
+Constructor for the SSLv3 SSL_METHOD structure for a dedicated server.
+
+=item SSL_METHOD *B<SSLv3_method>(void);
+
+Constructor for the SSLv3 SSL_METHOD structure for combined client and server.
+
+=item SSL_METHOD *B<TLSv1_client_method>(void);
+
+Constructor for the TLSv1 SSL_METHOD structure for a dedicated client.
+
+=item SSL_METHOD *B<TLSv1_server_method>(void);
+
+Constructor for the TLSv1 SSL_METHOD structure for a dedicated server.
+
+=item SSL_METHOD *B<TLSv1_method>(void);
+
+Constructor for the TLSv1 SSL_METHOD structure for combined client and server.
+
+=back
+
+=head2 DEALING WITH CIPHERS
+
+Here we document the various API functions which deal with the SSL/TLS
+ciphers defined in B<SSL_CIPHER> structures.
+
+=over 4
+
+=item char *B<SSL_CIPHER_description>(SSL_CIPHER *cipher, char *buf, int len);
+
+Write a string to I<buf> (with a maximum size of I<len>) containing a human
+readable description of I<cipher>. Returns I<buf>.
+
+=item int B<SSL_CIPHER_get_bits>(SSL_CIPHER *cipher, int *alg_bits);
+
+Determine the number of bits in I<cipher>. Because of export crippled ciphers
+there are two bits: The bits the algorithm supports in general (stored to
+I<alg_bits>) and the bits which are actually used (the return value).
+
+=item char *B<SSL_CIPHER_get_name>(SSL_CIPHER *cipher);
+
+Return the internal name of I<cipher> as a string. These are the various
+strings defined by the I<SSL2_TXT_xxx>, I<SSL3_TXT_xxx> and I<TLS1_TXT_xxx>
+definitions in the header files.
+
+=item char *B<SSL_CIPHER_get_version>(SSL_CIPHER *cipher);
+
+Returns a string like "C<TLSv1/SSLv3>" or "C<SSLv2>" which indicates the
+SSL/TLS protocol version to which I<cipher> belongs (i.e. where it was defined
+in the specification the first time).
+
+=back
+
+=head2 DEALING WITH PROTOCOL CONTEXTS
+
+Here we document the various API functions which deal with the SSL/TLS
+protocol context defined in the B<SSL_CTX> structure.
+
+=over 4
+
+=item int B<SSL_CTX_add_client_CA>(SSL_CTX *ctx, X509 *x);
+
+=item long B<SSL_CTX_add_extra_chain_cert>(SSL_CTX *ctx, X509 *x509);
+
+=item int B<SSL_CTX_add_session>(SSL_CTX *ctx, SSL_SESSION *c);
+
+=item int B<SSL_CTX_check_private_key>(SSL_CTX *ctx);
+
+=item long B<SSL_CTX_ctrl>(SSL_CTX *ctx, int cmd, long larg, char *parg);
+
+=item void B<SSL_CTX_flush_sessions>(SSL_CTX *s, long t);
+
+=item void B<SSL_CTX_free>(SSL_CTX *a);
+
+=item char *B<SSL_CTX_get_app_data>(SSL_CTX *ctx);
+
+=item X509_STORE *B<SSL_CTX_get_cert_store>(SSL_CTX *ctx);
+
+=item STACK *B<SSL_CTX_get_client_CA_list>(SSL_CTX *ctx);
+
+=item int (*B<SSL_CTX_get_client_cert_cb>(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
+
+=item char *B<SSL_CTX_get_ex_data>(SSL_CTX *s, int idx);
+
+=item int B<SSL_CTX_get_ex_new_index>(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))
+
+=item void (*B<SSL_CTX_get_info_callback>(SSL_CTX *ctx))(SSL *ssl, int cb, int ret);
+
+=item int B<SSL_CTX_get_quiet_shutdown>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_get_session_cache_mode>(SSL_CTX *ctx);
+
+=item long B<SSL_CTX_get_timeout>(SSL_CTX *ctx);
+
+=item int (*B<SSL_CTX_get_verify_callback>(SSL_CTX *ctx))(int ok, X509_STORE_CTX *ctx);
+
+=item int B<SSL_CTX_get_verify_mode>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_load_verify_locations>(SSL_CTX *ctx, char *CAfile, char *CApath);
+
+=item long B<SSL_CTX_need_tmp_RSA>(SSL_CTX *ctx);
+
+=item SSL_CTX *B<SSL_CTX_new>(SSL_METHOD *meth);
+
+=item int B<SSL_CTX_remove_session>(SSL_CTX *ctx, SSL_SESSION *c);
+
+=item int B<SSL_CTX_sess_accept>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_accept_good>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_accept_renegotiate>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_cache_full>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_cb_hits>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_connect>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_connect_good>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_connect_renegotiate>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_get_cache_size>(SSL_CTX *ctx);
+
+=item SSL_SESSION *(*B<SSL_CTX_sess_get_get_cb>(SSL_CTX *ctx))(SSL *ssl, unsigned char *data, int len, int *copy);
+
+=item int (*B<SSL_CTX_sess_get_new_cb>(SSL_CTX *ctx)(SSL *ssl, SSL_SESSION *sess);
+
+=item void (*B<SSL_CTX_sess_get_remove_cb>(SSL_CTX *ctx)(SSL_CTX *ctx, SSL_SESSION *sess);
+
+=item int B<SSL_CTX_sess_hits>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_misses>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_sess_number>(SSL_CTX *ctx);
+
+=item void B<SSL_CTX_sess_set_cache_size>(SSL_CTX *ctx,t);
+
+=item void B<SSL_CTX_sess_set_get_cb>(SSL_CTX *ctx, SSL_SESSION *(*cb)(SSL *ssl, unsigned char *data, int len, int *copy));
+
+=item void B<SSL_CTX_sess_set_new_cb>(SSL_CTX *ctx, int (*cb)(SSL *ssl, SSL_SESSION *sess));
+
+=item void B<SSL_CTX_sess_set_remove_cb>(SSL_CTX *ctx, void (*cb)(SSL_CTX *ctx, SSL_SESSION *sess));
+
+=item int B<SSL_CTX_sess_timeouts>(SSL_CTX *ctx);
+
+=item LHASH *B<SSL_CTX_sessions>(SSL_CTX *ctx);
+
+=item void B<SSL_CTX_set_app_data>(SSL_CTX *ctx, void *arg);
+
+=item void B<SSL_CTX_set_cert_store>(SSL_CTX *ctx, X509_STORE *cs);
+
+=item void B<SSL_CTX_set_cert_verify_cb>(SSL_CTX *ctx, int (*cb)(SSL_CTX *), char *arg)
+
+=item int B<SSL_CTX_set_cipher_list>(SSL_CTX *ctx, char *str);
+
+=item void B<SSL_CTX_set_client_CA_list>(SSL_CTX *ctx, STACK *list);
+
+=item void B<SSL_CTX_set_client_cert_cb>(SSL_CTX *ctx, int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
+
+=item void B<SSL_CTX_set_default_passwd_cb>(SSL_CTX *ctx, int (*cb);(void))
+
+=item void B<SSL_CTX_set_default_read_ahead>(SSL_CTX *ctx, int m);
+
+=item int B<SSL_CTX_set_default_verify_paths>(SSL_CTX *ctx);
+
+=item int B<SSL_CTX_set_ex_data>(SSL_CTX *s, int idx, char *arg);
+
+=item void B<SSL_CTX_set_info_callback>(SSL_CTX *ctx, void (*cb)(SSL *ssl, int cb, int ret));
+
+=item void B<SSL_CTX_set_options>(SSL_CTX *ctx, unsigned long op);
+
+=item void B<SSL_CTX_set_quiet_shutdown>(SSL_CTX *ctx, int mode);
+
+=item void B<SSL_CTX_set_session_cache_mode>(SSL_CTX *ctx, int mode);
+
+=item int B<SSL_CTX_set_ssl_version>(SSL_CTX *ctx, SSL_METHOD *meth);
+
+=item void B<SSL_CTX_set_timeout>(SSL_CTX *ctx, long t);
+
+=item long B<SSL_CTX_set_tmp_dh>(SSL_CTX* ctx, DH *dh);
+
+=item long B<SSL_CTX_set_tmp_dh_callback>(SSL_CTX *ctx, DH *(*cb)(void));
+
+=item long B<SSL_CTX_set_tmp_rsa>(SSL_CTX *ctx, RSA *rsa);
+
+=item SSL_CTX_set_tmp_rsa_callback
+
+C<long B<SSL_CTX_set_tmp_rsa_callback>(SSL_CTX *B<ctx>, RSA *(*B<cb>)(SSL *B<ssl>, int B<export>, int B<keylength>));>
+
+Sets the callback which will be called when a temporary private key is
+required. The B<C<export>> flag will be set if the reason for needing
+a temp key is that an export ciphersuite is in use, in which case,
+B<C<keylength>> will contain the required keylength in bits. Generate a key of
+appropriate size (using ???) and return it.
+
+=item SSL_set_tmp_rsa_callback
+
+long B<SSL_set_tmp_rsa_callback>(SSL *ssl, RSA *(*cb)(SSL *ssl, int export, int keylength));
+
+The same as L<"SSL_CTX_set_tmp_rsa_callback">, except it operates on an SSL
+session instead of a context.
+
+=item void B<SSL_CTX_set_verify>(SSL_CTX *ctx, int mode, int (*cb);(void))
+
+=item int B<SSL_CTX_use_PrivateKey>(SSL_CTX *ctx, EVP_PKEY *pkey);
+
+=item int B<SSL_CTX_use_PrivateKey_ASN1>(int type, SSL_CTX *ctx, unsigned char *d, long len);
+
+=item int B<SSL_CTX_use_PrivateKey_file>(SSL_CTX *ctx, char *file, int type);
+
+=item int B<SSL_CTX_use_RSAPrivateKey>(SSL_CTX *ctx, RSA *rsa);
+
+=item int B<SSL_CTX_use_RSAPrivateKey_ASN1>(SSL_CTX *ctx, unsigned char *d, long len);
+
+=item int B<SSL_CTX_use_RSAPrivateKey_file>(SSL_CTX *ctx, char *file, int type);
+
+=item int B<SSL_CTX_use_certificate>(SSL_CTX *ctx, X509 *x);
+
+=item int B<SSL_CTX_use_certificate_ASN1>(SSL_CTX *ctx, int len, unsigned char *d);
+
+=item int B<SSL_CTX_use_certificate_file>(SSL_CTX *ctx, char *file, int type);
+
+=back
+
+=head2 DEALING WITH SESSIONS
+
+Here we document the various API functions which deal with the SSL/TLS
+sessions defined in the B<SSL_SESSION> structures.
+
+=over 4
+
+=item int B<SSL_SESSION_cmp>(SSL_SESSION *a, SSL_SESSION *b);
+
+=item void B<SSL_SESSION_free>(SSL_SESSION *ss);
+
+=item char *B<SSL_SESSION_get_app_data>(SSL_SESSION *s);
+
+=item char *B<SSL_SESSION_get_ex_data>(SSL_SESSION *s, int idx);
+
+=item int B<SSL_SESSION_get_ex_new_index>(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))
+
+=item long B<SSL_SESSION_get_time>(SSL_SESSION *s);
+
+=item long B<SSL_SESSION_get_timeout>(SSL_SESSION *s);
+
+=item unsigned long B<SSL_SESSION_hash>(SSL_SESSION *a);
+
+=item SSL_SESSION *B<SSL_SESSION_new>(void);
+
+=item int B<SSL_SESSION_print>(BIO *bp, SSL_SESSION *x);
+
+=item int B<SSL_SESSION_print_fp>(FILE *fp, SSL_SESSION *x);
+
+=item void B<SSL_SESSION_set_app_data>(SSL_SESSION *s, char *a);
+
+=item int B<SSL_SESSION_set_ex_data>(SSL_SESSION *s, int idx, char *arg);
+
+=item long B<SSL_SESSION_set_time>(SSL_SESSION *s, long t);
+
+=item long B<SSL_SESSION_set_timeout>(SSL_SESSION *s, long t);
+
+=back
+
+=head2 DEALING WITH CONNECTIONS
+
+Here we document the various API functions which deal with the SSL/TLS
+connection defined in the B<SSL> structure.
+
+=over 4
+
+=item int B<SSL_accept>(SSL *ssl);
+
+=item int B<SSL_add_dir_cert_subjects_to_stack>(STACK *stack, const char *dir);
+
+=item int B<SSL_add_file_cert_subjects_to_stack>(STACK *stack, const char *file);
+
+=item int B<SSL_add_client_CA>(SSL *ssl, X509 *x);
+
+=item char *B<SSL_alert_desc_string>(int value);
+
+=item char *B<SSL_alert_desc_string_long>(int value);
+
+=item char *B<SSL_alert_type_string>(int value);
+
+=item char *B<SSL_alert_type_string_long>(int value);
+
+=item int B<SSL_check_private_key>(SSL *ssl);
+
+=item void B<SSL_clear>(SSL *ssl);
+
+=item long B<SSL_clear_num_renegotiations>(SSL *ssl);
+
+=item int B<SSL_connect>(SSL *ssl);
+
+=item void B<SSL_copy_session_id>(SSL *t, SSL *f);
+
+=item long B<SSL_ctrl>(SSL *ssl, int cmd, long larg, char *parg);
+
+=item int B<SSL_do_handshake>(SSL *ssl);
+
+=item SSL *B<SSL_dup>(SSL *ssl);
+
+=item STACK *B<SSL_dup_CA_list>(STACK *sk);
+
+=item void B<SSL_free>(SSL *ssl);
+
+=item SSL_CTX *B<SSL_get_SSL_CTX>(SSL *ssl);
+
+=item char *B<SSL_get_app_data>(SSL *ssl);
+
+=item X509 *B<SSL_get_certificate>(SSL *ssl);
+
+=item SSL_CIPHER *B<SSL_get_cipher>(SSL *ssl);
+
+=item int B<SSL_get_cipher_bits>(SSL *ssl, int *alg_bits);
+
+=item char *B<SSL_get_cipher_list>(SSL *ssl, int n);
+
+=item char *B<SSL_get_cipher_name>(SSL *ssl);
+
+=item char *B<SSL_get_cipher_version>(SSL *ssl);
+
+=item STACK *B<SSL_get_ciphers>(SSL *ssl);
+
+=item STACK *B<SSL_get_client_CA_list>(SSL *ssl);
+
+=item SSL_CIPHER *B<SSL_get_current_cipher>(SSL *ssl);
+
+=item long B<SSL_get_default_timeout>(SSL *ssl);
+
+=item int B<SSL_get_error>(SSL *ssl, int i);
+
+=item char *B<SSL_get_ex_data>(SSL *ssl, int idx);
+
+=item int B<SSL_get_ex_data_X509_STORE_CTX_idx>(void);
+
+=item int B<SSL_get_ex_new_index>(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))
+
+=item int B<SSL_get_fd>(SSL *ssl);
+
+=item void (*B<SSL_get_info_callback>(SSL *ssl);)(void)
+
+=item STACK *B<SSL_get_peer_cert_chain>(SSL *ssl);
+
+=item X509 *B<SSL_get_peer_certificate>(SSL *ssl);
+
+=item EVP_PKEY *B<SSL_get_privatekey>(SSL *ssl);
+
+=item int B<SSL_get_quiet_shutdown>(SSL *ssl);
+
+=item BIO *B<SSL_get_rbio>(SSL *ssl);
+
+=item int B<SSL_get_read_ahead>(SSL *ssl);
+
+=item SSL_SESSION *B<SSL_get_session>(SSL *ssl);
+
+=item char *B<SSL_get_shared_ciphers>(SSL *ssl, char *buf, int len);
+
+=item int B<SSL_get_shutdown>(SSL *ssl);
+
+=item SSL_METHOD *B<SSL_get_ssl_method>(SSL *ssl);
+
+=item int B<SSL_get_state>(SSL *ssl);
+
+=item long B<SSL_get_time>(SSL *ssl);
+
+=item long B<SSL_get_timeout>(SSL *ssl);
+
+=item int (*B<SSL_get_verify_callback>(SSL *ssl);)(void)
+
+=item int B<SSL_get_verify_mode>(SSL *ssl);
+
+=item long B<SSL_get_verify_result>(SSL *ssl);
+
+=item char *B<SSL_get_version>(SSL *ssl);
+
+=item BIO *B<SSL_get_wbio>(SSL *ssl);
+
+=item int B<SSL_in_accept_init>(SSL *ssl);
+
+=item int B<SSL_in_before>(SSL *ssl);
+
+=item int B<SSL_in_connect_init>(SSL *ssl);
+
+=item int B<SSL_in_init>(SSL *ssl);
+
+=item int B<SSL_is_init_finished>(SSL *ssl);
+
+=item STACK *B<SSL_load_client_CA_file>(char *file);
+
+=item void B<SSL_load_error_strings>(void);
+
+=item SSL *B<SSL_new>(SSL_CTX *ctx);
+
+=item long B<SSL_num_renegotiations>(SSL *ssl);
+
+=item int B<SSL_peek>(SSL *ssl, char *buf, int num);
+
+=item int B<SSL_pending>(SSL *ssl);
+
+=item int B<SSL_read>(SSL *ssl, char *buf, int num);
+
+=item int B<SSL_renegotiate>(SSL *ssl);
+
+=item char *B<SSL_rstate_string>(SSL *ssl);
+
+=item char *B<SSL_rstate_string_long>(SSL *ssl);
+
+=item long B<SSL_session_reused>(SSL *ssl);
+
+=item void B<SSL_set_accept_state>(SSL *ssl);
+
+=item void B<SSL_set_app_data>(SSL *ssl, char *arg);
+
+=item void B<SSL_set_bio>(SSL *ssl, BIO *rbio, BIO *wbio);
+
+=item int B<SSL_set_cipher_list>(SSL *ssl, char *str);
+
+=item void B<SSL_set_client_CA_list>(SSL *ssl, STACK *list);
+
+=item void B<SSL_set_connect_state>(SSL *ssl);
+
+=item int B<SSL_set_ex_data>(SSL *ssl, int idx, char *arg);
+
+=item int B<SSL_set_fd>(SSL *ssl, int fd);
+
+=item void B<SSL_set_info_callback>(SSL *ssl, void (*cb);(void))
+
+=item void B<SSL_set_options>(SSL *ssl, unsigned long op);
+
+=item void B<SSL_set_quiet_shutdown>(SSL *ssl, int mode);
+
+=item void B<SSL_set_read_ahead>(SSL *ssl, int yes);
+
+=item int B<SSL_set_rfd>(SSL *ssl, int fd);
+
+=item int B<SSL_set_session>(SSL *ssl, SSL_SESSION *session);
+
+=item void B<SSL_set_shutdown>(SSL *ssl, int mode);
+
+=item int B<SSL_set_ssl_method>(SSL *ssl, SSL_METHOD *meth);
+
+=item void B<SSL_set_time>(SSL *ssl, long t);
+
+=item void B<SSL_set_timeout>(SSL *ssl, long t);
+
+=item void B<SSL_set_verify>(SSL *ssl, int mode, int (*callback);(void))
+
+=item void B<SSL_set_verify_result>(SSL *ssl, long arg);
+
+=item int B<SSL_set_wfd>(SSL *ssl, int fd);
+
+=item int B<SSL_shutdown>(SSL *ssl);
+
+=item int B<SSL_state>(SSL *ssl);
+
+=item char *B<SSL_state_string>(SSL *ssl);
+
+=item char *B<SSL_state_string_long>(SSL *ssl);
+
+=item long B<SSL_total_renegotiations>(SSL *ssl);
+
+=item int B<SSL_use_PrivateKey>(SSL *ssl, EVP_PKEY *pkey);
+
+=item int B<SSL_use_PrivateKey_ASN1>(int type, SSL *ssl, unsigned char *d, long len);
+
+=item int B<SSL_use_PrivateKey_file>(SSL *ssl, char *file, int type);
+
+=item int B<SSL_use_RSAPrivateKey>(SSL *ssl, RSA *rsa);
+
+=item int B<SSL_use_RSAPrivateKey_ASN1>(SSL *ssl, unsigned char *d, long len);
+
+=item int B<SSL_use_RSAPrivateKey_file>(SSL *ssl, char *file, int type);
+
+=item int B<SSL_use_certificate>(SSL *ssl, X509 *x);
+
+=item int B<SSL_use_certificate_ASN1>(SSL *ssl, int len, unsigned char *d);
+
+=item int B<SSL_use_certificate_file>(SSL *ssl, char *file, int type);
+
+=item int B<SSL_version>(SSL *ssl);
+
+=item int B<SSL_want>(SSL *ssl);
+
+=item int B<SSL_want_nothing>(SSL *ssl);
+
+=item int B<SSL_want_read>(SSL *ssl);
+
+=item int B<SSL_want_write>(SSL *ssl);
+
+=item int B<SSL_want_x509_lookup>(s);
+
+=item int B<SSL_write>(SSL *ssl, char *buf, int num);
+
+=back
+
+=head1 SEE ALSO
+
+L<openssl(1)|openssl(1)>, L<crypto(3)|crypto(3)>,
+L<SSL_get_error(3)|SSL_get_error(3)>
+
+=head1 HISTORY
+
+The L<ssl(3)|ssl(3)> document appeared in OpenSSL 0.9.2
+
+=cut
+
diff --git a/src/lib/libssl/src/doc/ssleay.txt b/src/lib/libssl/src/doc/ssleay.txt
new file mode 100644
index 0000000000..094e28ce48
--- /dev/null
+++ b/src/lib/libssl/src/doc/ssleay.txt
@@ -0,0 +1,7014 @@
+
+Bundle of old SSLeay documentation files [OBSOLETE!]
+
+==== readme ========================================================
+
+This is the old 0.6.6 docuementation.  Most of the cipher stuff is still
+relevent but I'm working (very slowly) on new docuemtation.
+The current version can be found online at
+
+http://www.cryptsoft.com/ssleay/doc
+
+==== API.doc ========================================================
+
+SSL - SSLv2/v3/v23 etc.
+
+BIO - methods and how they plug together
+
+MEM - memory allocation callback
+
+CRYPTO - locking for threads
+
+EVP - Ciphers/Digests/signatures
+
+RSA - methods
+
+X509 - certificate retrieval
+
+X509 - validation
+
+X509 - X509v3 extensions
+
+Objects - adding object identifiers
+
+ASN.1 - parsing
+
+PEM - parsing
+
+==== ssl/readme =====================================================
+
+22 Jun 1996
+This file belongs in ../apps, but I'll leave it here because it deals
+with SSL :-)  It is rather dated but it gives you an idea of how
+things work.
+===
+
+17 Jul 1995
+I have been changing things quite a bit and have not fully updated
+this file, so take what you read with a grain of salt
+eric
+===
+The s_client and s_server programs can be used to test SSL capable
+IP/port addresses and the verification of the X509 certificates in use
+by these services.  I strongly advise having a look at the code to get
+an idea of how to use the authentication under SSLeay.  Any feedback
+on changes and improvements would be greatly accepted.
+
+This file will probably be gibberish unless you have read
+rfc1421, rfc1422, rfc1423 and rfc1424 which describe PEM
+authentication.
+
+A Brief outline (and examples) how to use them to do so.
+
+NOTE:
+The environment variable SSL_CIPER is used to specify the prefered
+cipher to use, play around with setting it's value to combinations of
+RC4-MD5, EXP-RC4-MD5, CBC-DES-MD5, CBC3-DES-MD5, CFB-DES-NULL
+in a : separated list.
+
+This directory contains 3 X509 certificates which can be used by these programs.
+client.pem: a file containing a certificate and private key to be used
+        by s_client.
+server.pem :a file containing a certificate and private key to be used
+        by s_server.
+eay1024.pem:the certificate used to sign client.pem and server.pem.
+        This would be your CA's certificate.  There is also a link
+        from the file a8556381.0 to eay1024.PEM.  The value a8556381
+        is returned by 'x509 -hash -noout <eay1024.pem' and is the
+        value used by X509 verification routines to 'find' this
+        certificte when search a directory for it.
+        [the above is not true any more, the CA cert is 
+         ../certs/testca.pem which is signed by ../certs/mincomca.pem]
+
+When testing the s_server, you may get
+bind: Address already in use
+errors.  These indicate the port is still being held by the unix
+kernel and you are going to have to wait for it to let go of it.  If
+this is the case, remember to use the port commands on the s_server and
+s_client to talk on an alternative port.
+
+=====
+s_client.
+This program can be used to connect to any IP/hostname:port that is
+talking SSL.  Once connected, it will attempt to authenticate the
+certificate it was passed and if everything works as expected, a 2
+directional channel will be open.  Any text typed will be sent to the
+other end.  type Q<cr> to exit.  Flags are as follows.
+-host arg       : Arg is the host or IP address to connect to.
+-port arg       : Arg is the port to connect to (https is 443).
+-verify arg     : Turn on authentication of the server certificate.
+                : Arg specifies the 'depth', this will covered below.
+-cert arg       : The optional certificate to use.  This certificate
+                : will be returned to the server if the server
+                : requests it for client authentication.
+-key arg        : The private key that matches the certificate
+                : specified by the -cert option.  If this is not
+                : specified (but -cert is), the -cert file will be
+                : searched for the Private key.  Both files are
+                : assumed to be in PEM format.
+-CApath arg     : When to look for certificates when 'verifying' the
+                : certificate from the server.
+-CAfile arg     : A file containing certificates to be used for
+                : 'verifying' the server certificate.
+-reconnect      : Once a connection has been made, drop it and
+                : reconnect with same session-id.  This is for testing :-).
+
+The '-verify n' parameter specifies not only to verify the servers
+certificate but to also only take notice of 'n' levels.  The best way
+to explain is to show via examples.
+Given
+s_server -cert server.PEM is running.
+
+s_client
+        CONNECTED
+        depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
+        issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+        verify error:num=1:unable to get issuer certificate
+        verify return:1
+        CIPHER is CBC-DES-MD5
+What has happened is that the 'SSLeay demo server' certificate's
+issuer ('CA') could not be found but because verify is not on, we
+don't care and the connection has been made anyway.  It is now 'up'
+using CBC-DES-MD5 mode.  This is an unauthenticate secure channel.
+You may not be talking to the right person but the data going to them
+is encrypted.
+
+s_client -verify 0
+        CONNECTED
+        depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
+        issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+        verify error:num=1:unable to get issuer certificate
+        verify return:1
+        CIPHER is CBC-DES-MD5
+We are 'verifying' but only to depth 0, so since the 'SSLeay demo server'
+certificate passed the date and checksum, we are happy to proceed.
+
+s_client -verify 1
+        CONNECTED
+        depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
+        issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+        verify error:num=1:unable to get issuer certificate
+        verify return:0
+        ERROR
+        verify error:unable to get issuer certificate
+In this case we failed to make the connection because we could not
+authenticate the certificate because we could not find the
+'CA' certificate.
+
+s_client -verify 1 -CAfile eay1024.PEM
+        CONNECTED
+        depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
+        verify return:1
+        depth=1 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+        verify return:1
+        CIPHER is CBC-DES-MD5
+We loaded the certificates from the file eay1024.PEM.  Everything
+checked out and so we made the connection.
+
+s_client -verify 1 -CApath .
+        CONNECTED
+        depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
+        verify return:1
+        depth=1 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+        verify return:1
+        CIPHER is CBC-DES-MD5
+We looked in out local directory for issuer certificates and 'found'
+a8556381.0 and so everything is ok.
+
+It is worth noting that 'CA' is a self certified certificate.  If you
+are passed one of these, it will fail to 'verify' at depth 0 because
+we need to lookup the certifier of a certificate from some information
+that we trust and keep locally.
+
+SSL_CIPHER=CBC3-DES-MD5:RC4-MD5
+export SSL_CIPHER
+s_client -verify 10 -CApath . -reconnect
+        CONNECTED
+        depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
+        verify return:1
+        depth=1 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+        verify return:1
+        drop the connection and reconnect with the same session id
+        CIPHER is CBC3-DES-MD5
+This has done a full connection and then re-estabished it with the
+same session id but a new socket.  No RSA stuff occures on the second
+connection.  Note that we said we would prefer to use CBC3-DES-MD5
+encryption and so, since the server supports it, we are.
+
+=====
+s_server
+This program accepts SSL connections on a specified port
+Once connected, it will estabish an SSL connection and optionaly
+attempt to authenticate the client.  A 2 directional channel will be
+open.  Any text typed will be sent to the other end.  Type Q<cr> to exit.
+Flags are as follows.
+-port arg       : Arg is the port to listen on.
+-verify arg     : Turn on authentication of the client if they have a
+                : certificate.  Arg specifies the 'depth'.
+-Verify arg     : Turn on authentication of the client. If they don't
+                : have a valid certificate, drop the connection.
+-cert arg       : The certificate to use.  This certificate
+                : will be passed to the client.  If it is not
+                : specified, it will default to server.PEM
+-key arg        : The private key that matches the certificate
+                : specified by the -cert option.  If this is not
+                : specified (but -cert is), the -cert file will be
+                : searched for the Private key.  Both files are
+                : assumed to be in PEM format.  Default is server.PEM
+-CApath arg     : When to look for certificates when 'verifying' the
+                : certificate from the client.
+-CAfile arg     : A file containing certificates to be used for
+                : 'verifying' the client certificate.
+
+For the following 'demo'  I will specify the s_server command and
+the s_client command and then list the output from the s_server.
+s_server
+s_client
+        CONNECTED
+        CIPHER is CBC-DES-MD5
+Everything up and running
+
+s_server -verify 0
+s_client  
+        CONNECTED
+        CIPHER is CBC-DES-MD5
+Ok since no certificate was returned and we don't care.
+
+s_server -verify 0
+./s_client -cert client.PEM
+        CONNECTED
+        depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo client
+        issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+        verify error:num=1:unable to get issuer certificate
+        verify return:1
+        CIPHER is CBC-DES-MD5
+Ok since we were only verifying to level 0
+
+s_server -verify 4
+s_client -cert client.PEM
+        CONNECTED
+        depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo client
+        issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+        verify error:num=1:unable to get issuer certificate
+        verify return:0
+        ERROR
+        verify error:unable to get issuer certificate
+Bad because we could not authenticate the returned certificate.
+
+s_server -verify 4 -CApath .
+s_client -cert client.PEM
+        CONNECTED
+        depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo client
+        verify return:1
+        depth=1 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+        verify return:1
+        CIPHER is CBC-DES-MD5
+Ok because we could authenticate the returned certificate :-).
+
+s_server -Verify 0 -CApath .
+s_client
+        CONNECTED
+        ERROR
+        SSL error:function is:REQUEST_CERTIFICATE
+                 :error is   :client end did not return a certificate
+Error because no certificate returned.
+
+s_server -Verify 4 -CApath .
+s_client -cert client.PEM
+        CONNECTED
+        depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo client
+        verify return:1
+        depth=1 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+        verify return:1
+        CIPHER is CBC-DES-MD5
+Full authentication of the client.
+
+So in summary to do full authentication of both ends
+s_server -Verify 9 -CApath .
+s_client -cert client.PEM -CApath . -verify 9
+From the server side
+        CONNECTED
+        depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo client
+        verify return:1
+        depth=1 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+        verify return:1
+        CIPHER is CBC-DES-MD5
+From the client side
+        CONNECTED
+        depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
+        verify return:1
+        depth=1 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
+        verify return:1
+        CIPHER is CBC-DES-MD5
+
+For general probing of the 'internet https' servers for the
+distribution area, run
+s_client -host www.netscape.com -port 443 -verify 4 -CApath ../rsa/hash
+Then enter
+GET /
+and you should be talking to the https server on that host.
+
+www.rsa.com was refusing to respond to connections on 443 when I was
+testing.
+
+have fun :-).
+
+eric
+
+==== a_verify.doc ========================================================
+
+From eay@mincom.com Fri Oct  4 18:29:06 1996
+Received: by orb.mincom.oz.au id AA29080
+  (5.65c/IDA-1.4.4 for eay); Fri, 4 Oct 1996 08:29:07 +1000
+Date: Fri, 4 Oct 1996 08:29:06 +1000 (EST)
+From: Eric Young <eay@mincom.oz.au>
+X-Sender: eay@orb
+To: wplatzer <wplatzer@iaik.tu-graz.ac.at>
+Cc: Eric Young <eay@mincom.oz.au>, SSL Mailing List <ssl-users@mincom.com>
+Subject: Re: Netscape's Public Key
+In-Reply-To: <19961003134837.NTM0049@iaik.tu-graz.ac.at>
+Message-Id: <Pine.SOL.3.91.961004081346.8018K-100000@orb>
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+Status: RO
+X-Status: 
+
+On Thu, 3 Oct 1996, wplatzer wrote:
+> I get Public Key from Netscape (Gold 3.0b4), but cannot do anything
+> with it... It looks like (asn1parse):
+> 
+> 0:d=0 hl=3 l=180 cons: SEQUENCE
+> 3:d=1 hl=2 l= 96 cons: SEQUENCE
+> 5:d=2 hl=2 l= 92 cons: SEQUENCE
+> 7:d=3 hl=2 l= 13 cons: SEQUENCE
+> 9:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
+> 20:d=4 hl=2 l= 0 prim: NULL
+> 22:d=3 hl=2 l= 75 prim: BIT STRING
+> 99:d=2 hl=2 l= 0 prim: IA5STRING :
+> 101:d=1 hl=2 l= 13 cons: SEQUENCE
+> 103:d=2 hl=2 l= 9 prim: OBJECT :md5withRSAEncryption
+> 114:d=2 hl=2 l= 0 prim: NULL
+> 116:d=1 hl=2 l= 65 prim: BIT STRING
+> 
+> The first BIT STRING is the public key and the second BIT STRING is 
+> the signature.
+> But a public key consists of the public exponent and the modulus. Are 
+> both numbers in the first BIT STRING?
+> Is there a document simply describing this coding stuff (checking 
+> signature, get the public key, etc.)?
+
+Minimal in SSLeay.  If you want to see what the modulus and exponent are,
+try asn1parse -offset 25 -length 75 <key.pem
+asn1parse will currently stuff up on the 'length 75' part (fixed in next 
+release) but it will print the stuff.  If you are after more 
+documentation on ASN.1, have a look at www.rsa.com and get their PKCS 
+documents, most of my initial work on SSLeay was done using them.
+
+As for SSLeay,
+util/crypto.num and util/ssl.num are lists of all exported functions in 
+the library (but not macros :-(.
+
+The ones for extracting public keys from certificates and certificate 
+requests are EVP_PKEY *      X509_REQ_extract_key(X509_REQ *req);
+EVP_PKEY *      X509_extract_key(X509 *x509);
+
+To verify a signature on a signed ASN.1 object
+int X509_verify(X509 *a,EVP_PKEY *key);
+int X509_REQ_verify(X509_REQ *a,EVP_PKEY *key);
+int X509_CRL_verify(X509_CRL *a,EVP_PKEY *key);
+int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a,EVP_PKEY *key);
+
+I should mention that EVP_PKEY can be used to hold a public or a private key,
+since for  things like RSA and DSS, a public key is just a subset of what 
+is stored for the private key.
+
+To sign any of the above structures
+
+int X509_sign(X509 *a,EVP_PKEY *key,EVP_MD *md);
+int X509_REQ_sign(X509_REQ *a,EVP_PKEY *key,EVP_MD *md);
+int X509_CRL_sign(X509_CRL *a,EVP_PKEY *key,EVP_MD *md);
+int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *a,EVP_PKEY *key,EVP_MD *md);
+
+where md is the message digest to sign with.
+
+There are all defined in x509.h and all the _sign and _verify functions are
+actually macros to the ASN1_sign() and ASN1_verify() functions.
+These functions will put the correct algorithm identifiers in the correct 
+places in the structures.
+
+eric
+--
+Eric Young                  | BOOL is tri-state according to Bill Gates.
+AARNet: eay@mincom.oz.au    | RTFM Win32 GetMessage().
+
+==== x509 =======================================================
+
+X509_verify()
+X509_sign()
+
+X509_get_version()
+X509_get_serialNumber()
+X509_get_issuer()
+X509_get_subject()
+X509_get_notBefore()
+X509_get_notAfter()
+X509_get_pubkey()
+
+X509_set_version()
+X509_set_serialNumber()
+X509_set_issuer()
+X509_set_subject()
+X509_set_notBefore()
+X509_set_notAfter()
+X509_set_pubkey()
+
+X509_get_extensions()
+X509_set_extensions()
+
+X509_EXTENSIONS_clear()
+X509_EXTENSIONS_retrieve()
+X509_EXTENSIONS_add()
+X509_EXTENSIONS_delete()
+
+==== x509 attribute ================================================
+
+PKCS7
+        STACK of X509_ATTRIBUTES
+                ASN1_OBJECT
+                STACK of ASN1_TYPE
+
+So it is
+
+p7.xa[].obj
+p7.xa[].data[]
+
+get_obj_by_nid(STACK , nid)
+get_num_by_nid(STACK , nid)
+get_data_by_nid(STACK , nid, index)
+
+X509_ATTRIBUTE *X509_ATTRIBUTE_new(void );
+void            X509_ATTRIBUTE_free(X509_ATTRIBUTE *a);
+
+X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **ex,
+                        int nid, STACK *value);
+
+X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **ex,
+                        int nid, STACK *value);
+
+int             X509_ATTRIBUTE_set_object(X509_ATTRIBUTE *ex,ASN1_OBJECT *obj);
+int             X509_ATTRIBUTE_add_data(X509_ATTRIBUTE *ex, int index,
+                        ASN1_TYPE *value);
+
+ASN1_OBJECT *   X509_ATTRIBUTE_get_object(X509_ATTRIBUTE *ex);
+int             X509_ATTRIBUTE_get_num(X509_ATTRIBUTE *ne);
+ASN1_TYPE *     X509_ATTRIBUTE_get_data(X509_ATTRIBUTE *ne,int index);
+
+ASN1_TYPE *     X509_ATTRIBUTE_get_data_by_NID(X509_ATTRIBUTE *ne,
+                        ASN1_OBJECT *obj);
+
+X509_ATTRIBUTE *PKCS7_get_s_att_by_NID(PKCS7 *p7,int nid);
+X509_ATTRIBUTE *PKCS7_get_u_att_by_NID(PKCS7 *p7,int nid);
+
+==== x509 v3 ========================================================
+
+The 'new' system.
+
+The X509_EXTENSION_METHOD includes extensions and attributes and/or names. 
+Basically everthing that can be added to an X509 with an OID identifying it.
+
+It operates via 2 methods per object id.
+int a2i_XXX(X509 *x,char *str,int len);
+int i2a_XXX(BIO *bp,X509 *x);
+
+The a2i_XXX function will add the object with a value converted from the
+string into the X509.  Len can be -1 in which case the length is calculated
+via strlen(str).   Applications can always use direct knowledge to load and
+unload the relevent objects themselves.
+
+i2a_XXX will print to the passed BIO, a text representation of the
+relevet object.  Use a memory BIO if you want it printed to a buffer :-).
+
+X509_add_by_NID(X509 *x,int nid,char *str,int len);
+X509_add_by_OBJ(X509 *x,ASN1_OBJECT *obj,char *str,int len);
+
+X509_print_by_name(BIO *bp,X509 *x);
+X509_print_by_NID(BIO *bp,X509 *x);
+X509_print_by_OBJ(BIO *bp,X509 *x);
+
+==== verify ========================================================
+
+X509_verify_cert_chain(
+        CERT_STORE *cert_store,
+        STACK /* X509 */ *certs,
+        int *verify_result,
+        int (*verify_error_callback)()
+        char *argument_to_callback, /* SSL */
+
+app_verify_callback(
+        char *app_verify_arg, /* from SSL_CTX */
+        STACK /* X509 */ *certs,
+        int *verify_result,
+        int (*verify_error_callback)()
+        SSL *s,
+
+int X509_verify_cert(
+        CERT_STORE *cert_store,
+        X509 *x509,
+        int *verify_result,
+        int (*verify_error_callback)(),
+        char *arg,
+
+==== apps.doc ========================================================
+
+The applications
+
+Ok, where to begin....
+In the begining, when SSLeay was small (April 1995), there
+were but few applications, they did happily cohabit in
+the one bin directory.  Then over time, they did multiply and grow,
+and they started to look like microsoft software; 500k to print 'hello world'.
+A new approach was needed.  They were coalessed into one 'Monolithic'
+application, ssleay.  This one program is composed of many programs that
+can all be compiled independantly.
+
+ssleay has 3 modes of operation.
+1) If the ssleay binaray has the name of one of its component programs, it
+executes that program and then exits.  This can be achieve by using hard or
+symbolic links, or failing that, just renaming the binary.
+2) If the first argument to ssleay is the name of one of the component
+programs, that program runs that program and then exits.
+3) If there are no arguments, ssleay enters a 'command' mode.  Each line is
+interpreted as a program name plus arguments.  After each 'program' is run,
+ssleay returns to the comand line.
+
+dgst    - message digests
+enc     - encryption and base64 encoding
+
+ans1parse - 'pulls' appart ASN.1 encoded objects like certificates.
+
+dh      - Diffle-Hellman parameter manipulation.
+rsa     - RSA manipulations.
+crl     - Certificate revokion list manipulations
+x509    - X509 cert fiddles, including signing.
+pkcs7   - pkcs7 manipulation, only DER versions right now.
+
+genrsa  - generate an RSA private key.
+gendh   - Generate a set of Diffle-Hellman parameters.
+req     - Generate a PKCS#10 object, a certificate request.
+
+s_client - SSL client program
+s_server - SSL server program
+s_time   - A SSL protocol timing program
+s_mult   - Another SSL server, but it multiplexes
+           connections.
+s_filter - under development
+
+errstr  - Convert SSLeay error numbers to strings.
+ca      - Sign certificate requests, and generate
+          certificate revokion lists
+crl2pkcs7 - put a crl and certifcates into a pkcs7 object.
+speed   - Benchmark the ciphers.
+verify  - Check certificates
+hashdir - under development
+
+[ there a now a few more options, play with the program to see what they
+  are ]
+
+==== asn1.doc ========================================================
+
+The ASN.1 Routines.
+
+ASN.1 is a specification for how to encode structured 'data' in binary form.
+The approach I have take to the manipulation of structures and their encoding
+into ASN.1 is as follows.
+
+For each distinct structure there are 4 function of the following form
+TYPE *TYPE_new(void);
+void TYPE_free(TYPE *);
+TYPE *d2i_TYPE(TYPE **a,unsigned char **pp,long length);
+long i2d_TYPE(TYPE *a,unsigned char **pp);      /* CHECK RETURN VALUE */
+
+where TYPE is the type of the 'object'.  The TYPE that have these functions
+can be in one of 2 forms, either the internal C malloc()ed data structure
+or in the DER (a variant of ASN.1 encoding) binary encoding which is just
+an array of unsigned bytes.  The 'i2d' functions converts from the internal
+form to the DER form and the 'd2i' functions convert from the DER form to
+the internal form.
+
+The 'new' function returns a malloc()ed version of the structure with all
+substructures either created or left as NULL pointers.  For 'optional'
+fields, they are normally left as NULL to indicate no value.  For variable
+size sub structures (often 'SET OF' or 'SEQUENCE OF' in ASN.1 syntax) the
+STACK data type is used to hold the values.  Have a read of stack.doc
+and have a look at the relevant header files to see what I mean.  If there
+is an error while malloc()ing the structure, NULL is returned.
+
+The 'free' function will free() all the sub components of a particular
+structure.  If any of those sub components have been 'removed', replace
+them with NULL pointers, the 'free' functions are tolerant of NULL fields.
+
+The 'd2i' function copies a binary representation into a C structure.  It
+operates as follows.  'a' is a pointer to a pointer to
+the structure to populate, 'pp' is a pointer to a pointer to where the DER
+byte string is located and 'length' is the length of the '*pp' data.
+If there are no errors, a pointer to the populated structure is returned.
+If there is an error, NULL is returned.  Errors can occur because of
+malloc() failures but normally they will be due to syntax errors in the DER
+encoded data being parsed. It is also an error if there was an
+attempt to read more that 'length' bytes from '*p'.  If
+everything works correctly, the value in '*p' is updated
+to point at the location just beyond where the DER
+structure was read from.  In this way, chained calls to 'd2i' type
+functions can be made, with the pointer into the 'data' array being
+'walked' along the input byte array.
+Depending on the value passed for 'a', different things will be done.  If
+'a' is NULL, a new structure will be malloc()ed and returned.  If '*a' is
+NULL, a new structure will be malloc()ed and put into '*a' and returned.
+If '*a' is not NULL, the structure in '*a' will be populated, or in the
+case of an error, free()ed and then returned.
+Having these semantics means that a structure
+can call a 'd2i' function to populate a field and if the field is currently
+NULL, the structure will be created.
+
+The 'i2d' function type is used to copy a C structure to a byte array.
+The parameter 'a' is the structure to convert and '*p' is where to put it.
+As for the 'd2i' type structure, 'p' is updated to point after the last
+byte written.  If p is NULL, no data is written.  The function also returns
+the number of bytes written.  Where this becomes useful is that if the
+function is called with a NULL 'p' value, the length is returned.  This can
+then be used to malloc() an array of bytes and then the same function can
+be recalled passing the malloced array to be written to. e.g.
+
+int len;
+unsigned char *bytes,*p;
+len=i2d_X509(x,NULL);   /* get the size of the ASN1 encoding of 'x' */
+if ((bytes=(unsigned char *)malloc(len)) == NULL)
+        goto err;
+p=bytes;
+i2d_X509(x,&p);
+
+Please note that a new variable, 'p' was passed to i2d_X509.  After the
+call to i2d_X509 p has been incremented by len bytes.
+
+Now the reason for this functional organisation is that it allows nested
+structures to be built up by calling these functions as required.  There
+are various macros used to help write the general 'i2d', 'd2i', 'new' and
+'free' functions.  They are discussed in another file and would only be
+used by some-one wanting to add new structures to the library.  As you
+might be able to guess, the process of writing ASN.1 files can be a bit CPU
+expensive for complex structures.  I'm willing to live with this since the
+simpler library code make my life easier and hopefully most programs using
+these routines will have their execution profiles dominated by cipher or
+message digest routines.
+What follows is a list of 'TYPE' values and the corresponding ASN.1
+structure and where it is used.
+
+TYPE                    ASN.1
+ASN1_INTEGER            INTEGER
+ASN1_BIT_STRING         BIT STRING
+ASN1_OCTET_STRING       OCTET STRING
+ASN1_OBJECT             OBJECT IDENTIFIER
+ASN1_PRINTABLESTRING    PrintableString
+ASN1_T61STRING          T61String
+ASN1_IA5STRING          IA5String
+ASN1_UTCTIME            UTCTime
+ASN1_TYPE               Any of the above mentioned types plus SEQUENCE and SET
+
+Most of the above mentioned types are actualled stored in the
+ASN1_BIT_STRING type and macros are used to differentiate between them.
+The 3 types used are
+
+typedef struct asn1_object_st
+        {
+        /* both null if a dynamic ASN1_OBJECT, one is
+         * defined if a 'static' ASN1_OBJECT */
+        char *sn,*ln;
+        int nid;
+        int length;
+        unsigned char *data;
+        } ASN1_OBJECT;
+This is used to store ASN1 OBJECTS.  Read 'objects.doc' for details ono
+routines to manipulate this structure.  'sn' and 'ln' are used to hold text
+strings that represent the object (short name and long or lower case name).
+These are used by the 'OBJ' library.  'nid' is a number used by the OBJ
+library to uniquely identify objects.  The ASN1 routines will populate the
+'length' and 'data' fields which will contain the bit string representing
+the object.
+
+typedef struct asn1_bit_string_st
+        {
+        int length;
+        int type;
+        unsigned char *data;
+        } ASN1_BIT_STRING;
+This structure is used to hold all the other base ASN1 types except for
+ASN1_UTCTIME (which is really just a 'char *').  Length is the number of
+bytes held in data and type is the ASN1 type of the object (there is a list
+in asn1.h).
+
+typedef struct asn1_type_st
+        {
+        int type;
+        union   {
+                char *ptr;
+                ASN1_INTEGER *          integer;
+                ASN1_BIT_STRING *       bit_string;
+                ASN1_OCTET_STRING *     octet_string;
+                ASN1_OBJECT *           object;
+                ASN1_PRINTABLESTRING *  printablestring;
+                ASN1_T61STRING *        t61string;
+                ASN1_IA5STRING *        ia5string;
+                ASN1_UTCTIME *          utctime;
+                ASN1_BIT_STRING *       set;
+                ASN1_BIT_STRING *       sequence;
+                } value;
+        } ASN1_TYPE;
+This structure is used in a few places when 'any' type of object can be
+expected.
+
+X509                    Certificate
+X509_CINF               CertificateInfo
+X509_ALGOR              AlgorithmIdentifier
+X509_NAME               Name                    
+X509_NAME_ENTRY         A single sub component of the name.
+X509_VAL                Validity
+X509_PUBKEY             SubjectPublicKeyInfo
+The above mentioned types are declared in x509.h. They are all quite
+straight forward except for the X509_NAME/X509_NAME_ENTRY pair.
+A X509_NAME is a STACK (see stack.doc) of X509_NAME_ENTRY's.
+typedef struct X509_name_entry_st
+        {
+        ASN1_OBJECT *object;
+        ASN1_BIT_STRING *value;
+        int set;
+        int size;       /* temp variable */
+        } X509_NAME_ENTRY;
+The size is a temporary variable used by i2d_NAME and set is the set number
+for the particular NAME_ENTRY.  A X509_NAME is encoded as a sequence of
+sequence of sets.  Normally each set contains only a single item.
+Sometimes it contains more.  Normally throughout this library there will be
+only one item per set.  The set field contains the 'set' that this entry is
+a member of.  So if you have just created a X509_NAME structure and
+populated it with X509_NAME_ENTRYs, you should then traverse the X509_NAME
+(which is just a STACK) and set the 'set/' field to incrementing numbers.
+For more details on why this is done, read the ASN.1 spec for Distinguished
+Names.
+
+X509_REQ                CertificateRequest
+X509_REQ_INFO           CertificateRequestInfo
+These are used to hold certificate requests.
+
+X509_CRL                CertificateRevocationList
+These are used to hold a certificate revocation list
+
+RSAPrivateKey           PrivateKeyInfo
+RSAPublicKey            PublicKeyInfo
+Both these 'function groups' operate on 'RSA' structures (see rsa.doc).
+The difference is that the RSAPublicKey operations only manipulate the m
+and e fields in the RSA structure.
+
+DSAPrivateKey           DSS private key
+DSAPublicKey            DSS public key
+Both these 'function groups' operate on 'DSS' structures (see dsa.doc).
+The difference is that the RSAPublicKey operations only manipulate the 
+XXX fields in the DSA structure.
+
+DHparams                DHParameter
+This is used to hold the p and g value for The Diffie-Hellman operation.
+The function deal with the 'DH' strucure (see dh.doc).
+
+Now all of these function types can be used with several other functions to give
+quite useful set of general manipulation routines.  Normally one would
+not uses these functions directly but use them via macros. 
+
+char *ASN1_dup(int (*i2d)(),char *(*d2i)(),char *x);
+'x' is the input structure case to a 'char *', 'i2d' is the 'i2d_TYPE'
+function for the type that 'x' is and d2i is the 'd2i_TYPE' function for the
+type that 'x' is.  As is obvious from the parameters, this function
+duplicates the strucutre by transforming it into the DER form and then
+re-loading it into a new strucutre and returning the new strucutre.  This
+is obviously a bit cpu intensive but when faced with a complex dynamic
+structure this is the simplest programming approach.  There are macros for
+duplicating the major data types but is simple to add extras.
+
+char *ASN1_d2i_fp(char *(*new)(),char *(*d2i)(),FILE *fp,unsigned char **x);
+'x' is a pointer to a pointer of the 'desired type'.  new and d2i are the
+corresponding 'TYPE_new' and 'd2i_TYPE' functions for the type and 'fp' is
+an open file pointer to read from.  This function reads from 'fp' as much
+data as it can and then uses 'd2i' to parse the bytes to load and return
+the parsed strucutre in 'x' (if it was non-NULL) and to actually return the
+strucutre.  The behavior of 'x' is as per all the other d2i functions.
+
+char *ASN1_d2i_bio(char *(*new)(),char *(*d2i)(),BIO *fp,unsigned char **x);
+The 'BIO' is the new IO type being used in SSLeay (see bio.doc).  This
+function is the same as ASN1_d2i_fp() except for the BIO argument.
+ASN1_d2i_fp() actually calls this function.
+
+int ASN1_i2d_fp(int (*i2d)(),FILE *out,unsigned char *x);
+'x' is converted to bytes by 'i2d' and then written to 'out'.  ASN1_i2d_fp
+and ASN1_d2i_fp are not really symetric since ASN1_i2d_fp will read all
+available data from the file pointer before parsing a single item while
+ASN1_i2d_fp can be used to write a sequence of data objects.  To read a
+series of objects from a file I would sugest loading the file into a buffer
+and calling the relevent 'd2i' functions.
+
+char *ASN1_d2i_bio(char *(*new)(),char *(*d2i)(),BIO *fp,unsigned char **x);
+This function is the same as ASN1_i2d_fp() except for the BIO argument.
+ASN1_i2d_fp() actually calls this function.
+
+char *  PEM_ASN1_read(char *(*d2i)(),char *name,FILE *fp,char **x,int (*cb)());
+This function will read the next PEM encoded (base64) object of the same
+type as 'x' (loaded by the d2i function).  'name' is the name that is in
+the '-----BEGIN name-----' that designates the start of that object type.
+If the data is encrypted, 'cb' will be called to prompt for a password.  If
+it is NULL a default function will be used to prompt from the password.
+'x' is delt with as per the standard 'd2i' function interface.  This
+function can be used to read a series of objects from a file.  While any
+data type can be encrypted (see PEM_ASN1_write) only RSA private keys tend
+to be encrypted.
+
+char *  PEM_ASN1_read_bio(char *(*d2i)(),char *name,BIO *fp,
+        char **x,int (*cb)());
+Same as PEM_ASN1_read() except using a BIO.  This is called by
+PEM_ASN1_read().
+
+int     PEM_ASN1_write(int (*i2d)(),char *name,FILE *fp,char *x,EVP_CIPHER *enc,
+                unsigned char *kstr,int klen,int (*callback)());
+
+int     PEM_ASN1_write_bio(int (*i2d)(),char *name,BIO *fp,
+                char *x,EVP_CIPHER *enc,unsigned char *kstr,int klen,
+                int (*callback)());
+
+int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
+        ASN1_BIT_STRING *signature, char *data, RSA *rsa, EVP_MD *type);
+int ASN1_verify(int (*i2d)(), X509_ALGOR *algor1,
+        ASN1_BIT_STRING *signature,char *data, RSA *rsa);
+
+int ASN1_BIT_STRING_cmp(ASN1_BIT_STRING *a, ASN1_BIT_STRING *b);
+ASN1_BIT_STRING *ASN1_BIT_STRING_type_new(int type );
+
+int ASN1_UTCTIME_check(ASN1_UTCTIME *a);
+void ASN1_UTCTIME_print(BIO *fp,ASN1_UTCTIME *a);
+ASN1_UTCTIME *ASN1_UTCTIME_dup(ASN1_UTCTIME *a);
+
+ASN1_BIT_STRING *d2i_asn1_print_type(ASN1_BIT_STRING **a,unsigned char **pp,
+                long length,int type);
+
+int             i2d_ASN1_SET(STACK *a, unsigned char **pp,
+                        int (*func)(), int ex_tag, int ex_class);
+STACK *         d2i_ASN1_SET(STACK **a, unsigned char **pp, long length,
+                        char *(*func)(), int ex_tag, int ex_class);
+
+int i2a_ASN1_OBJECT(BIO *bp,ASN1_OBJECT *object);
+int i2a_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *a);
+int a2i_ASN1_INTEGER(BIO *bp,ASN1_INTEGER *bs,char *buf,int size);
+
+int ASN1_INTEGER_set(ASN1_INTEGER *a, long v);
+long ASN1_INTEGER_get(ASN1_INTEGER *a);
+ASN1_INTEGER *BN_to_ASN1_INTEGER(BIGNUM *bn, ASN1_INTEGER *ai);
+BIGNUM *ASN1_INTEGER_to_BN(ASN1_INTEGER *ai,BIGNUM *bn);
+
+/* given a string, return the correct type.  Max is the maximum number
+ * of bytes to parse.  It stops parsing when 'max' bytes have been
+ * processed or a '\0' is hit */
+int ASN1_PRINTABLE_type(unsigned char *s,int max);
+
+void ASN1_parse(BIO *fp,unsigned char *pp,long len);
+
+int i2d_ASN1_bytes(ASN1_BIT_STRING *a, unsigned char **pp, int tag, int class);
+ASN1_BIT_STRING *d2i_ASN1_bytes(ASN1_OCTET_STRING **a, unsigned char **pp,
+        long length, int Ptag, int Pclass);
+
+/* PARSING */
+int asn1_Finish(ASN1_CTX *c);
+
+/* SPECIALS */
+int ASN1_get_object(unsigned char **pp, long *plength, int *ptag,
+        int *pclass, long omax);
+int ASN1_check_infinite_end(unsigned char **p,long len);
+void ASN1_put_object(unsigned char **pp, int constructed, int length,
+        int tag, int class);
+int ASN1_object_size(int constructed, int length, int tag);
+
+X509 *  X509_get_cert(CERTIFICATE_CTX *ctx,X509_NAME * name,X509 *tmp_x509);
+int     X509_add_cert(CERTIFICATE_CTX *ctx,X509 *);
+
+char *  X509_cert_verify_error_string(int n);
+int     X509_add_cert_file(CERTIFICATE_CTX *c,char *file, int type);
+char *  X509_gmtime (char *s, long adj);
+int     X509_add_cert_dir (CERTIFICATE_CTX *c,char *dir, int type);
+int     X509_load_verify_locations (CERTIFICATE_CTX *ctx,
+                char *file_env, char *dir_env);
+int     X509_set_default_verify_paths(CERTIFICATE_CTX *cts);
+X509 *  X509_new_D2i_X509(int len, unsigned char *p);
+char *  X509_get_default_cert_area(void );
+char *  X509_get_default_cert_dir(void );
+char *  X509_get_default_cert_file(void );
+char *  X509_get_default_cert_dir_env(void );
+char *  X509_get_default_cert_file_env(void );
+char *  X509_get_default_private_dir(void );
+X509_REQ *X509_X509_TO_req(X509 *x, RSA *rsa);
+int     X509_cert_verify(CERTIFICATE_CTX *ctx,X509 *xs, int (*cb)()); 
+
+CERTIFICATE_CTX *CERTIFICATE_CTX_new();
+void CERTIFICATE_CTX_free(CERTIFICATE_CTX *c);
+
+void X509_NAME_print(BIO *fp, X509_NAME *name, int obase);
+int             X509_print_fp(FILE *fp,X509 *x);
+int             X509_print(BIO *fp,X509 *x);
+
+X509_INFO *     X509_INFO_new(void);
+void            X509_INFO_free(X509_INFO *a);
+
+char *          X509_NAME_oneline(X509_NAME *a);
+
+#define X509_verify(x,rsa)
+#define X509_REQ_verify(x,rsa)
+#define X509_CRL_verify(x,rsa)
+
+#define X509_sign(x,rsa,md)
+#define X509_REQ_sign(x,rsa,md)
+#define X509_CRL_sign(x,rsa,md)
+
+#define X509_dup(x509)
+#define d2i_X509_fp(fp,x509)
+#define i2d_X509_fp(fp,x509)
+#define d2i_X509_bio(bp,x509)
+#define i2d_X509_bio(bp,x509)
+
+#define X509_CRL_dup(crl)
+#define d2i_X509_CRL_fp(fp,crl)
+#define i2d_X509_CRL_fp(fp,crl)
+#define d2i_X509_CRL_bio(bp,crl)
+#define i2d_X509_CRL_bio(bp,crl)
+
+#define X509_REQ_dup(req)
+#define d2i_X509_REQ_fp(fp,req)
+#define i2d_X509_REQ_fp(fp,req)
+#define d2i_X509_REQ_bio(bp,req)
+#define i2d_X509_REQ_bio(bp,req)
+
+#define RSAPrivateKey_dup(rsa)
+#define d2i_RSAPrivateKey_fp(fp,rsa)
+#define i2d_RSAPrivateKey_fp(fp,rsa)
+#define d2i_RSAPrivateKey_bio(bp,rsa)
+#define i2d_RSAPrivateKey_bio(bp,rsa)
+
+#define X509_NAME_dup(xn)
+#define X509_NAME_ENTRY_dup(ne)
+
+void X509_REQ_print_fp(FILE *fp,X509_REQ *req);
+void X509_REQ_print(BIO *fp,X509_REQ *req);
+
+RSA *X509_REQ_extract_key(X509_REQ *req);
+RSA *X509_extract_key(X509 *x509);
+
+int             X509_issuer_and_serial_cmp(X509 *a, X509 *b);
+unsigned long   X509_issuer_and_serial_hash(X509 *a);
+
+X509_NAME *     X509_get_issuer_name(X509 *a);
+int             X509_issuer_name_cmp(X509 *a, X509 *b);
+unsigned long   X509_issuer_name_hash(X509 *a);
+
+X509_NAME *     X509_get_subject_name(X509 *a);
+int             X509_subject_name_cmp(X509 *a,X509 *b);
+unsigned long   X509_subject_name_hash(X509 *x);
+
+int             X509_NAME_cmp (X509_NAME *a, X509_NAME *b);
+unsigned long   X509_NAME_hash(X509_NAME *x);
+
+
+==== bio.doc ========================================================
+
+BIO Routines
+
+This documentation is rather sparse, you are probably best 
+off looking at the code for specific details.
+
+The BIO library is a IO abstraction that was originally 
+inspired by the need to have callbacks to perform IO to FILE 
+pointers when using Windows 3.1 DLLs.  There are two types 
+of BIO; a source/sink type and a filter type.
+The source/sink methods are as follows:
+-       BIO_s_mem()  memory buffer - a read/write byte array that
+        grows until memory runs out :-).
+-       BIO_s_file()  FILE pointer - A wrapper around the normal 
+        'FILE *' commands, good for use with stdin/stdout.
+-       BIO_s_fd()  File descriptor - A wrapper around file 
+        descriptors, often used with pipes.
+-       BIO_s_socket()  Socket - Used around sockets.  It is 
+        mostly in the Microsoft world that sockets are different 
+        from file descriptors and there are all those ugly winsock 
+        commands.
+-       BIO_s_null()  Null - read nothing and write nothing.; a 
+        useful endpoint for filter type BIO's specifically things 
+        like the message digest BIO.
+
+The filter types are
+-       BIO_f_buffer()  IO buffering - does output buffering into 
+        larger chunks and performs input buffering to allow gets() 
+        type functions.
+-       BIO_f_md()  Message digest - a transparent filter that can 
+        be asked to return a message digest for the data that has 
+        passed through it.
+-       BIO_f_cipher()  Encrypt or decrypt all data passing 
+        through the filter.
+-       BIO_f_base64()  Base64 decode on read and encode on write.
+-       BIO_f_ssl()  A filter that performs SSL encryption on the 
+        data sent through it.
+
+Base BIO functions.
+The BIO library has a set of base functions that are 
+implemented for each particular type.  Filter BIOs will 
+normally call the equivalent function on the source/sink BIO 
+that they are layered on top of after they have performed 
+some modification to the data stream.  Multiple filter BIOs 
+can be 'push' into a stack of modifers, so to read from a 
+file, unbase64 it, then decrypt it, a BIO_f_cipher, 
+BIO_f_base64 and a BIO_s_file would probably be used.  If a 
+sha-1 and md5 message digest needed to be generated, a stack 
+two BIO_f_md() BIOs and a BIO_s_null() BIO could be used.
+The base functions are
+-       BIO *BIO_new(BIO_METHOD *type); Create  a new BIO of  type 'type'.
+-       int BIO_free(BIO *a); Free a BIO structure.  Depending on 
+        the configuration, this will free the underlying data 
+        object for a source/sink BIO.
+-       int BIO_read(BIO *b, char *data, int len); Read upto 'len' 
+        bytes into 'data'. 
+-       int BIO_gets(BIO *bp,char *buf, int size); Depending on 
+        the BIO, this can either be a 'get special' or a get one 
+        line of data, as per fgets();
+-       int BIO_write(BIO *b, char *data, int len); Write 'len' 
+        bytes from 'data' to the 'b' BIO.
+-       int BIO_puts(BIO *bp,char *buf); Either a 'put special' or 
+        a write null terminated string as per fputs().
+-       long BIO_ctrl(BIO *bp,int cmd,long larg,char *parg);  A 
+        control function which is used to manipulate the BIO 
+        structure and modify it's state and or report on it.  This 
+        function is just about never used directly, rather it 
+        should be used in conjunction with BIO_METHOD specific 
+        macros.
+-       BIO *BIO_push(BIO *new_top, BIO *old); new_top is apped to the
+        top of the 'old' BIO list.  new_top should be a filter BIO.
+        All writes will go through 'new_top' first and last on read.
+        'old' is returned.
+-       BIO *BIO_pop(BIO *bio); the new topmost BIO is returned, NULL if
+        there are no more.
+
+If a particular low level BIO method is not supported 
+(normally BIO_gets()), -2 will be returned if that method is 
+called.  Otherwise the IO methods (read, write, gets, puts) 
+will return the number of bytes read or written, and 0 or -1 
+for error (or end of input).  For the -1 case, 
+BIO_should_retry(bio) can be called to determine if it was a 
+genuine error or a temporary problem.  -2 will also be 
+returned if the BIO has not been initalised yet, in all 
+cases, the correct error codes are set (accessible via the 
+ERR library).
+
+
+The following functions are convenience functions:
+-       int BIO_printf(BIO *bio, char * format, ..);  printf but 
+        to a BIO handle.
+-       long BIO_ctrl_int(BIO *bp,int cmd,long larg,int iarg); a 
+        convenience function to allow a different argument types 
+        to be passed to BIO_ctrl().
+-       int BIO_dump(BIO *b,char *bytes,int len); output 'len' 
+        bytes from 'bytes' in a hex dump debug format.
+-       long BIO_debug_callback(BIO *bio, int cmd, char *argp, int 
+        argi, long argl, long ret) - a default debug BIO callback, 
+        this is mentioned below.  To use this one normally has to 
+        use the BIO_set_callback_arg() function to assign an 
+        output BIO for the callback to use.
+-       BIO *BIO_find_type(BIO *bio,int type); when there is a 'stack'
+        of BIOs, this function scan the list and returns the first
+        that is of type 'type', as listed in buffer.h under BIO_TYPE_XXX.
+-       void BIO_free_all(BIO *bio); Free the bio and all other BIOs
+        in the list.  It walks the bio->next_bio list.
+
+
+
+Extra commands are normally implemented as macros calling BIO_ctrl().
+-       BIO_number_read(BIO *bio) - the number of bytes processed 
+        by BIO_read(bio,.).
+-       BIO_number_written(BIO *bio) - the number of bytes written 
+        by BIO_write(bio,.).
+-       BIO_reset(BIO *bio) - 'reset' the BIO.
+-       BIO_eof(BIO *bio) - non zero if we are at the current end 
+        of input.
+-       BIO_set_close(BIO *bio, int close_flag) - set the close flag.
+-       BIO_get_close(BIO *bio) - return the close flag.
+        BIO_pending(BIO *bio) - return the number of bytes waiting 
+        to be read (normally buffered internally).
+-       BIO_flush(BIO *bio) - output any data waiting to be output.
+-       BIO_should_retry(BIO *io) - after a BIO_read/BIO_write 
+        operation returns 0 or -1, a call to this function will 
+        return non zero if you should retry the call later (this 
+        is for non-blocking IO).
+-       BIO_should_read(BIO *io) - we should retry when data can 
+        be read.
+-       BIO_should_write(BIO *io) - we should retry when data can 
+        be written.
+-       BIO_method_name(BIO *io) - return a string for the method name.
+-       BIO_method_type(BIO *io) - return the unique ID of the BIO method.
+-       BIO_set_callback(BIO *io,  long (*callback)(BIO *io, int 
+        cmd, char *argp, int argi, long argl, long ret); - sets 
+        the debug callback.
+-       BIO_get_callback(BIO *io) - return the assigned function 
+        as mentioned above.
+-       BIO_set_callback_arg(BIO *io, char *arg)  - assign some 
+        data against the BIO.  This is normally used by the debug 
+        callback but could in reality be used for anything.  To 
+        get an idea of how all this works, have a look at the code 
+        in the default debug callback mentioned above.  The 
+        callback can modify the return values.
+
+Details of the BIO_METHOD structure.
+typedef struct bio_method_st
+        {
+        int type;
+        char *name;
+        int (*bwrite)();
+        int (*bread)();
+        int (*bputs)();
+        int (*bgets)();
+        long (*ctrl)();
+        int (*create)();
+        int (*destroy)();
+        } BIO_METHOD;
+
+The 'type' is the numeric type of the BIO, these are listed in buffer.h;
+'Name' is a textual representation of the BIO 'type'.
+The 7 function pointers point to the respective function 
+methods, some of which can be NULL if not implemented.
+The BIO structure
+typedef struct bio_st
+        {
+        BIO_METHOD *method;
+        long (*callback)(BIO * bio, int mode, char *argp, int 
+                argi, long argl, long ret);
+        char *cb_arg; /* first argument for the callback */
+        int init;
+        int shutdown;
+        int flags;      /* extra storage */
+        int num;
+        char *ptr;
+        struct bio_st *next_bio; /* used by filter BIOs */
+        int references;
+        unsigned long num_read;
+        unsigned long num_write;
+        } BIO;
+
+-       'Method' is the BIO method.
+-       'callback', when configured, is called before and after 
+        each BIO method is called for that particular BIO.  This 
+        is intended primarily for debugging and of informational feedback.
+-       'init' is 0 when the BIO can be used for operation.  
+        Often, after a BIO is created, a number of operations may 
+        need to be performed before it is available for use.  An 
+        example is for BIO_s_sock().  A socket needs to be 
+        assigned to the BIO before it can be used.
+-       'shutdown', this flag indicates if the underlying 
+        comunication primative being used should be closed/freed 
+        when the BIO is closed.
+-       'flags' is used to hold extra state.  It is primarily used 
+        to hold information about why a non-blocking operation 
+        failed and to record startup protocol information for the 
+        SSL BIO.
+-       'num' and 'ptr' are used to hold instance specific state 
+        like file descriptors or local data structures.
+-       'next_bio' is used by filter BIOs to hold the pointer of the
+        next BIO in the chain. written data is sent to this BIO and
+        data read is taken from it.
+-       'references' is used to indicate the number of pointers to 
+        this structure.  This needs to be '1' before a call to 
+        BIO_free() is made if the BIO_free() function is to 
+        actually free() the structure, otherwise the reference 
+        count is just decreased.  The actual BIO subsystem does 
+        not really use this functionality but it is useful when 
+        used in more advanced applicaion.
+-       num_read and num_write are the total number of bytes 
+        read/written via the 'read()' and 'write()' methods.
+
+BIO_ctrl operations.
+The following is the list of standard commands passed as the 
+second parameter to BIO_ctrl() and should be supported by 
+all BIO as best as possible.  Some are optional, some are 
+manditory, in any case, where is makes sense, a filter BIO 
+should pass such requests to underlying BIO's.
+-       BIO_CTRL_RESET  - Reset the BIO back to an initial state.
+-       BIO_CTRL_EOF    - return 0 if we are not at the end of input, 
+        non 0 if we are.
+-       BIO_CTRL_INFO   - BIO specific special command, normal
+        information return.
+-       BIO_CTRL_SET    - set IO specific parameter.
+-       BIO_CTRL_GET    - get IO specific parameter.
+-       BIO_CTRL_GET_CLOSE - Get the close on BIO_free() flag, one 
+        of BIO_CLOSE or BIO_NOCLOSE.
+-       BIO_CTRL_SET_CLOSE - Set the close on BIO_free() flag.
+-       BIO_CTRL_PENDING - Return the number of bytes available 
+        for instant reading
+-       BIO_CTRL_FLUSH  - Output pending data, return number of bytes output.
+-       BIO_CTRL_SHOULD_RETRY - After an IO error (-1 returned) 
+        should we 'retry' when IO is possible on the underlying IO object.
+-       BIO_CTRL_RETRY_TYPE - What kind of IO are we waiting on.
+
+The following command is a special BIO_s_file() specific option.
+-       BIO_CTRL_SET_FILENAME - specify a file to open for IO.
+
+The BIO_CTRL_RETRY_TYPE needs a little more explanation.  
+When performing non-blocking IO, or say reading on a memory 
+BIO, when no data is present (or cannot be written), 
+BIO_read() and/or BIO_write() will return -1.  
+BIO_should_retry(bio) will return true if this is due to an 
+IO condition rather than an actual error.  In the case of 
+BIO_s_mem(), a read when there is no data will return -1 and 
+a should retry when there is more 'read' data.
+The retry type is deduced from 2 macros
+BIO_should_read(bio) and BIO_should_write(bio).
+Now while it may appear obvious that a BIO_read() failure 
+should indicate that a retry should be performed when more 
+read data is available, this is often not true when using 
+things like an SSL BIO.  During the SSL protocol startup 
+multiple reads and writes are performed, triggered by any 
+SSL_read or SSL_write.
+So to write code that will transparently handle either a 
+socket or SSL BIO,
+        i=BIO_read(bio,..)
+        if (I == -1)
+                {
+                if (BIO_should_retry(bio))
+                        {
+                        if (BIO_should_read(bio))
+                                {
+                                /* call us again when BIO can be read */
+                                }
+                        if (BIO_should_write(bio))
+                                {
+                                /* call us again when BIO can be written */
+                                }
+                        }
+                }
+
+At this point in time only read and write conditions can be 
+used but in the future I can see the situation for other 
+conditions, specifically with SSL there could be a condition 
+of a X509 certificate lookup taking place and so the non-
+blocking BIO_read would require a retry when the certificate 
+lookup subsystem has finished it's lookup.  This is all 
+makes more sense and is easy to use in a event loop type 
+setup.
+When using the SSL BIO, either SSL_read() or SSL_write()s 
+can be called during the protocol startup and things will 
+still work correctly.
+The nice aspect of the use of the BIO_should_retry() macro 
+is that all the errno codes that indicate a non-fatal error 
+are encapsulated in one place.  The Windows specific error 
+codes and WSAGetLastError() calls are also hidden from the 
+application.
+
+Notes on each BIO method.
+Normally buffer.h is just required but depending on the 
+BIO_METHOD, ssl.h or evp.h will also be required.
+
+BIO_METHOD *BIO_s_mem(void);
+-       BIO_set_mem_buf(BIO *bio, BUF_MEM *bm, int close_flag) - 
+        set the underlying BUF_MEM structure for the BIO to use.
+-       BIO_get_mem_ptr(BIO *bio, char **pp) - if pp is not NULL, 
+        set it to point to the memory array and return the number 
+        of bytes available.
+A read/write BIO.  Any data written is appended to the 
+memory array and any read is read from the front.  This BIO 
+can be used for read/write at the same time. BIO_gets() is 
+supported in the fgets() sense.
+BIO_CTRL_INFO can be used to retrieve pointers to the memory 
+buffer and it's length.
+
+BIO_METHOD *BIO_s_file(void);
+-       BIO_set_fp(BIO *bio, FILE *fp, int close_flag) - set 'FILE *' to use.
+-       BIO_get_fp(BIO *bio, FILE **fp) - get the 'FILE *' in use.
+-       BIO_read_filename(BIO *bio, char *name) - read from file.
+-       BIO_write_filename(BIO *bio, char *name) - write to file.
+-       BIO_append_filename(BIO *bio, char *name) - append to file.
+This BIO sits over the normal system fread()/fgets() type 
+functions. Gets() is supported.  This BIO in theory could be 
+used for read and write but it is best to think of each BIO 
+of this type as either a read or a write BIO, not both.
+
+BIO_METHOD *BIO_s_socket(void);
+BIO_METHOD *BIO_s_fd(void);
+-       BIO_sock_should_retry(int i) - the underlying function 
+        used to determine if a call should be retried; the 
+        argument is the '0' or '-1' returned by the previous BIO 
+        operation.
+-       BIO_fd_should_retry(int i) - same as the 
+-       BIO_sock_should_retry() except that it is different internally.
+-       BIO_set_fd(BIO *bio, int fd, int close_flag) - set the 
+        file descriptor to use
+-       BIO_get_fd(BIO *bio, int *fd) - get the file descriptor.
+These two methods are very similar.  Gets() is not 
+supported, if you want this functionality, put a 
+BIO_f_buffer() onto it.  This BIO is bi-directional if the 
+underlying file descriptor is.  This is normally the case 
+for sockets but not the case for stdio descriptors.
+
+BIO_METHOD *BIO_s_null(void);
+Read and write as much data as you like, it all disappears 
+into this BIO.
+
+BIO_METHOD *BIO_f_buffer(void);
+-       BIO_get_buffer_num_lines(BIO *bio) - return the number of 
+        complete lines in the buffer.
+-       BIO_set_buffer_size(BIO *bio, long size) - set the size of 
+        the buffers.
+This type performs input and output buffering.  It performs 
+both at the same time.  The size of the buffer can be set 
+via the set buffer size option.  Data buffered for output is 
+only written when the buffer fills.
+
+BIO_METHOD *BIO_f_ssl(void);
+-       BIO_set_ssl(BIO *bio, SSL *ssl, int close_flag) - the SSL 
+        structure to use.
+-       BIO_get_ssl(BIO *bio, SSL **ssl) - get the SSL structure 
+        in use.
+The SSL bio is a little different from normal BIOs because 
+the underlying SSL structure is a little different.  A SSL 
+structure performs IO via a read and write BIO.  These can 
+be different and are normally set via the
+SSL_set_rbio()/SSL_set_wbio() calls.  The SSL_set_fd() calls 
+are just wrappers that create socket BIOs and then call 
+SSL_set_bio() where the read and write BIOs are the same.  
+The BIO_push() operation makes the SSLs IO BIOs the same, so 
+make sure the BIO pushed is capable of two directional 
+traffic.  If it is not, you will have to install the BIOs 
+via the more conventional SSL_set_bio() call.  BIO_pop() will retrieve
+the 'SSL read' BIO.
+
+BIO_METHOD *BIO_f_md(void);
+-       BIO_set_md(BIO *bio, EVP_MD *md) - set the message digest 
+        to use.
+-       BIO_get_md(BIO *bio, EVP_MD **mdp) - return the digest 
+        method in use in mdp, return 0 if not set yet.
+-       BIO_reset() reinitializes the digest (EVP_DigestInit()) 
+        and passes the reset to the underlying BIOs.
+All data read or written via BIO_read() or BIO_write() to 
+this BIO will be added to the calculated digest.  This 
+implies that this BIO is only one directional.  If read and 
+write operations are performed, two separate BIO_f_md() BIOs 
+are reuqired to generate digests on both the input and the 
+output.  BIO_gets(BIO *bio, char *md, int size) will place the 
+generated digest into 'md' and return the number of bytes.  
+The EVP_MAX_MD_SIZE should probably be used to size the 'md' 
+array.  Reading the digest will also reset it.
+
+BIO_METHOD *BIO_f_cipher(void);
+-       BIO_reset() reinitializes the cipher.
+-       BIO_flush() should be called when the last bytes have been 
+        output to flush the final block of block ciphers.
+-       BIO_get_cipher_status(BIO *b), when called after the last 
+        read from a cipher BIO, returns non-zero if the data 
+        decrypted correctly, otherwise, 0.
+-       BIO_set_cipher(BIO *b, EVP_CIPHER *c, unsigned char *key, 
+        unsigned char *iv, int encrypt)   This function is used to 
+        setup a cipher BIO.  The length of key and iv are 
+        specified by the choice of EVP_CIPHER.  Encrypt is 1 to 
+        encrypt and 0 to decrypt.
+
+BIO_METHOD *BIO_f_base64(void);
+-       BIO_flush() should be called when the last bytes have been output.
+This BIO base64 encodes when writing and base64 decodes when 
+reading.  It will scan the input until a suitable begin line 
+is found.  After reading data, BIO_reset() will reset the 
+BIO to start scanning again.  Do not mix reading and writing 
+on the same base64 BIO.  It is meant as a single stream BIO.
+
+Directions      type
+both            BIO_s_mem()
+one/both        BIO_s_file()
+both            BIO_s_fd()
+both            BIO_s_socket() 
+both            BIO_s_null()
+both            BIO_f_buffer()
+one             BIO_f_md()  
+one             BIO_f_cipher()  
+one             BIO_f_base64()  
+both            BIO_f_ssl()
+
+It is easy to mix one and two directional BIOs, all one has 
+to do is to keep two separate BIO pointers for reading and 
+writing and be careful about usage of underlying BIOs.  The 
+SSL bio by it's very nature has to be two directional but 
+the BIO_push() command will push the one BIO into the SSL 
+BIO for both reading and writing.
+
+The best example program to look at is apps/enc.c and/or perhaps apps/dgst.c.
+
+
+==== blowfish.doc ========================================================
+
+The Blowfish library.
+
+Blowfish is a block cipher that operates on 64bit (8 byte) quantities.  It
+uses variable size key, but 128bit (16 byte) key would normally be considered
+good.  It can be used in all the modes that DES can be used.  This
+library implements the ecb, cbc, cfb64, ofb64 modes.
+
+Blowfish is quite a bit faster that DES, and much faster than IDEA or
+RC2.  It is one of the faster block ciphers.
+
+For all calls that have an 'input' and 'output' variables, they can be the
+same.
+
+This library requires the inclusion of 'blowfish.h'.
+
+All of the encryption functions take what is called an BF_KEY as an 
+argument.  An BF_KEY is an expanded form of the Blowfish key.
+For all modes of the Blowfish algorithm, the BF_KEY used for
+decryption is the same one that was used for encryption.
+
+The define BF_ENCRYPT is passed to specify encryption for the functions
+that require an encryption/decryption flag. BF_DECRYPT is passed to
+specify decryption.
+
+Please note that any of the encryption modes specified in my DES library
+could be used with Blowfish.  I have only implemented ecb, cbc, cfb64 and
+ofb64 for the following reasons.
+- ecb is the basic Blowfish encryption.
+- cbc is the normal 'chaining' form for block ciphers.
+- cfb64 can be used to encrypt single characters, therefore input and output
+  do not need to be a multiple of 8.
+- ofb64 is similar to cfb64 but is more like a stream cipher, not as
+  secure (not cipher feedback) but it does not have an encrypt/decrypt mode.
+- If you want triple Blowfish, thats 384 bits of key and you must be totally
+  obsessed with security.  Still, if you want it, it is simple enough to
+  copy the function from the DES library and change the des_encrypt to
+  BF_encrypt; an exercise left for the paranoid reader :-).
+
+The functions are as follows:
+
+void BF_set_key(
+BF_KEY *ks;
+int len;
+unsigned char *key;
+        BF_set_key converts an 'len' byte key into a BF_KEY.
+        A 'ks' is an expanded form of the 'key' which is used to
+        perform actual encryption.  It can be regenerated from the Blowfish key
+        so it only needs to be kept when encryption or decryption is about
+        to occur.  Don't save or pass around BF_KEY's since they
+        are CPU architecture dependent, 'key's are not.  Blowfish is an
+        interesting cipher in that it can be used with a variable length
+        key.  'len' is the length of 'key' to be used as the key.
+        A 'len' of 16 is recomended by me, but blowfish can use upto
+        72 bytes.  As a warning, blowfish has a very very slow set_key
+        function, it actually runs BF_encrypt 521 times.
+        
+void BF_encrypt(unsigned long *data, BF_KEY *key);
+void BF_decrypt(unsigned long *data, BF_KEY *key);
+        These are the Blowfish encryption function that gets called by just
+        about every other Blowfish routine in the library.  You should not
+        use this function except to implement 'modes' of Blowfish.
+        I say this because the
+        functions that call this routine do the conversion from 'char *' to
+        long, and this needs to be done to make sure 'non-aligned' memory
+        access do not occur.
+        Data is a pointer to 2 unsigned long's and key is the
+        BF_KEY to use. 
+
+void BF_ecb_encrypt(
+unsigned char *in,
+unsigned char *out,
+BF_KEY *key,
+int encrypt);
+        This is the basic Electronic Code Book form of Blowfish (in DES this
+        mode is called Electronic Code Book so I'm going to use the term
+        for blowfish as well.
+        Input is encrypted into output using the key represented by
+        key.  Depending on the encrypt, encryption or
+        decryption occurs.  Input is 8 bytes long and output is 8 bytes.
+        
+void BF_cbc_encrypt(
+unsigned char *in,
+unsigned char *out,
+long length,
+BF_KEY *ks,
+unsigned char *ivec,
+int encrypt);
+        This routine implements Blowfish in Cipher Block Chaining mode.
+        Input, which should be a multiple of 8 bytes is encrypted
+        (or decrypted) to output which will also be a multiple of 8 bytes.
+        The number of bytes is in length (and from what I've said above,
+        should be a multiple of 8).  If length is not a multiple of 8, bad 
+        things will probably happen.  ivec is the initialisation vector.
+        This function updates iv after each call so that it can be passed to
+        the next call to BF_cbc_encrypt().
+        
+void BF_cfb64_encrypt(
+unsigned char *in,
+unsigned char *out,
+long length,
+BF_KEY *schedule,
+unsigned char *ivec,
+int *num,
+int encrypt);
+        This is one of the more useful functions in this Blowfish library, it
+        implements CFB mode of Blowfish with 64bit feedback.
+        This allows you to encrypt an arbitrary number of bytes,
+        you do not require 8 byte padding.  Each call to this
+        routine will encrypt the input bytes to output and then update ivec
+        and num.  Num contains 'how far' we are though ivec.
+        'Encrypt' is used to indicate encryption or decryption.
+        CFB64 mode operates by using the cipher to generate a stream
+        of bytes which is used to encrypt the plain text.
+        The cipher text is then encrypted to generate the next 64 bits to
+        be xored (incrementally) with the next 64 bits of plain
+        text.  As can be seen from this, to encrypt or decrypt,
+        the same 'cipher stream' needs to be generated but the way the next
+        block of data is gathered for encryption is different for
+        encryption and decryption.
+        
+void BF_ofb64_encrypt(
+unsigned char *in,
+unsigned char *out,
+long length,
+BF_KEY *schedule,
+unsigned char *ivec,
+int *num);
+        This functions implements OFB mode of Blowfish with 64bit feedback.
+        This allows you to encrypt an arbitrary number of bytes,
+        you do not require 8 byte padding.  Each call to this
+        routine will encrypt the input bytes to output and then update ivec
+        and num.  Num contains 'how far' we are though ivec.
+        This is in effect a stream cipher, there is no encryption or
+        decryption mode.
+        
+For reading passwords, I suggest using des_read_pw_string() from my DES library.
+To generate a password from a text string, I suggest using MD5 (or MD2) to
+produce a 16 byte message digest that can then be passed directly to
+BF_set_key().
+
+=====
+For more information about the specific Blowfish modes in this library
+(ecb, cbc, cfb and ofb), read the section entitled 'Modes of DES' from the
+documentation on my DES library.  What is said about DES is directly
+applicable for Blowfish.
+
+
+==== bn.doc ========================================================
+
+The Big Number library.
+
+#include "bn.h" when using this library.
+
+This big number library was written for use in implementing the RSA and DH
+public key encryption algorithms.  As such, features such as negative
+numbers have not been extensively tested but they should work as expected.
+This library uses dynamic memory allocation for storing its data structures
+and so there are no limit on the size of the numbers manipulated by these
+routines but there is always the requirement to check return codes from
+functions just in case a memory allocation error has occurred.
+
+The basic object in this library is a BIGNUM.  It is used to hold a single
+large integer.  This type should be considered opaque and fields should not
+be modified or accessed directly.
+typedef struct bignum_st
+        {
+        int top;        /* Index of last used d. */
+        BN_ULONG *d;    /* Pointer to an array of 'BITS2' bit chunks. */
+        int max;        /* Size of the d array. */
+        int neg;
+        } BIGNUM;
+The big number is stored in a malloced array of BN_ULONG's.  A BN_ULONG can
+be either 16, 32 or 64 bits in size, depending on the 'number of  bits'
+specified in bn.h. 
+The 'd' field is this array.  'max' is the size of the 'd' array that has
+been allocated.  'top' is the 'last' entry being used, so for a value of 4,
+bn.d[0]=4 and bn.top=1.  'neg' is 1 if the number is negative.
+When a BIGNUM is '0', the 'd' field can be NULL and top == 0.
+
+Various routines in this library require the use of 'temporary' BIGNUM
+variables during their execution.  Due to the use of dynamic memory
+allocation to create BIGNUMs being rather expensive when used in
+conjunction with repeated subroutine calls, the BN_CTX structure is
+used.  This structure contains BN_CTX BIGNUMs.  BN_CTX
+is the maximum number of temporary BIGNUMs any publicly exported 
+function will use.
+
+#define BN_CTX  12
+typedef struct bignum_ctx
+        {
+        int tos;                        /* top of stack */
+        BIGNUM *bn[BN_CTX];     /* The variables */
+        } BN_CTX;
+
+The functions that follow have been grouped according to function.  Most
+arithmetic functions return a result in the first argument, sometimes this
+first argument can also be an input parameter, sometimes it cannot.  These
+restrictions are documented.
+
+extern BIGNUM *BN_value_one;
+There is one variable defined by this library, a BIGNUM which contains the
+number 1.  This variable is useful for use in comparisons and assignment.
+
+Get Size functions.
+
+int BN_num_bits(BIGNUM *a);
+        This function returns the size of 'a' in bits.
+        
+int BN_num_bytes(BIGNUM *a);
+        This function (macro) returns the size of 'a' in bytes.
+        For conversion of BIGNUMs to byte streams, this is the number of
+        bytes the output string will occupy.  If the output byte
+        format specifies that the 'top' bit indicates if the number is
+        signed, so an extra '0' byte is required if the top bit on a
+        positive number is being written, it is upto the application to
+        make this adjustment.  Like I said at the start, I don't
+        really support negative numbers :-).
+
+Creation/Destruction routines.
+
+BIGNUM *BN_new();
+        Return a new BIGNUM object.  The number initially has a value of 0.  If
+        there is an error, NULL is returned.
+        
+void    BN_free(BIGNUM *a);
+        Free()s a BIGNUM.
+        
+void    BN_clear(BIGNUM *a);
+        Sets 'a' to a value of 0 and also zeros all unused allocated
+        memory.  This function is used to clear a variable of 'sensitive'
+        data that was held in it.
+        
+void    BN_clear_free(BIGNUM *a);
+        This function zeros the memory used by 'a' and then free()'s it.
+        This function should be used to BN_free() BIGNUMS that have held
+        sensitive numeric values like RSA private key values.  Both this
+        function and BN_clear tend to only be used by RSA and DH routines.
+
+BN_CTX *BN_CTX_new(void);
+        Returns a new BN_CTX.  NULL on error.
+        
+void    BN_CTX_free(BN_CTX *c);
+        Free a BN_CTX structure.  The BIGNUMs in 'c' are BN_clear_free()ed.
+        
+BIGNUM *bn_expand(BIGNUM *b, int bits);
+        This is an internal function that should not normally be used.  It
+        ensures that 'b' has enough room for a 'bits' bit number.  It is
+        mostly used by the various BIGNUM routines.  If there is an error,
+        NULL is returned. if not, 'b' is returned.
+        
+BIGNUM *BN_copy(BIGNUM *to, BIGNUM *from);
+        The 'from' is copied into 'to'.  NULL is returned if there is an
+        error, otherwise 'to' is returned.
+
+BIGNUM *BN_dup(BIGNUM *a);
+        A new BIGNUM is created and returned containing the value of 'a'.
+        NULL is returned on error.
+
+Comparison and Test Functions.
+
+int BN_is_zero(BIGNUM *a)
+        Return 1 if 'a' is zero, else 0.
+
+int BN_is_one(a)
+        Return 1 is 'a' is one, else 0.
+
+int BN_is_word(a,w)
+        Return 1 if 'a' == w, else 0.  'w' is a BN_ULONG.
+
+int BN_cmp(BIGNUM *a, BIGNUM *b);
+        Return -1 if 'a' is less than 'b', 0 if 'a' and 'b' are the same
+        and 1 is 'a' is greater than 'b'.  This is a signed comparison.
+        
+int BN_ucmp(BIGNUM *a, BIGNUM *b);
+        This function is the same as BN_cmp except that the comparison
+        ignores the sign of the numbers.
+        
+Arithmetic Functions
+For all of these functions, 0 is returned if there is an error and 1 is
+returned for success.  The return value should always be checked.  eg.
+if (!BN_add(r,a,b)) goto err;
+Unless explicitly mentioned, the 'return' value can be one of the
+'parameters' to the function.
+
+int BN_add(BIGNUM *r, BIGNUM *a, BIGNUM *b);
+        Add 'a' and 'b' and return the result in 'r'.  This is r=a+b.
+        
+int BN_sub(BIGNUM *r, BIGNUM *a, BIGNUM *b);
+        Subtract 'a' from 'b' and put the result in 'r'. This is r=a-b.
+        
+int BN_lshift(BIGNUM *r, BIGNUM *a, int n);
+        Shift 'a' left by 'n' bits.  This is r=a*(2^n).
+        
+int BN_lshift1(BIGNUM *r, BIGNUM *a);
+        Shift 'a' left by 1 bit.  This form is more efficient than
+        BN_lshift(r,a,1).  This is r=a*2.
+        
+int BN_rshift(BIGNUM *r, BIGNUM *a, int n);
+        Shift 'a' right by 'n' bits.  This is r=int(a/(2^n)).
+        
+int BN_rshift1(BIGNUM *r, BIGNUM *a);
+        Shift 'a' right by 1 bit.  This form is more efficient than
+        BN_rshift(r,a,1).  This is r=int(a/2).
+        
+int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b);
+        Multiply a by b and return the result in 'r'. 'r' must not be
+        either 'a' or 'b'.  It has to be a different BIGNUM.
+        This is r=a*b.
+
+int BN_sqr(BIGNUM *r, BIGNUM *a, BN_CTX *ctx);
+        Multiply a by a and return the result in 'r'. 'r' must not be
+        'a'.  This function is alot faster than BN_mul(r,a,a).  This is r=a*a.
+
+int BN_div(BIGNUM *dv, BIGNUM *rem, BIGNUM *m, BIGNUM *d, BN_CTX *ctx);
+        Divide 'm' by 'd' and return the result in 'dv' and the remainder
+        in 'rem'.  Either of 'dv' or 'rem' can be NULL in which case that
+        value is not returned.  'ctx' needs to be passed as a source of
+        temporary BIGNUM variables.
+        This is dv=int(m/d), rem=m%d.
+        
+int BN_mod(BIGNUM *rem, BIGNUM *m, BIGNUM *d, BN_CTX *ctx);
+        Find the remainder of 'm' divided by 'd' and return it in 'rem'.
+        'ctx' holds the temporary BIGNUMs required by this function.
+        This function is more efficient than BN_div(NULL,rem,m,d,ctx);
+        This is rem=m%d.
+
+int BN_mod_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BIGNUM *m,BN_CTX *ctx);
+        Multiply 'a' by 'b' and return the remainder when divided by 'm'.
+        'ctx' holds the temporary BIGNUMs required by this function.
+        This is r=(a*b)%m.
+
+int BN_mod_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BIGNUM *m,BN_CTX *ctx);
+        Raise 'a' to the 'p' power and return the remainder when divided by
+        'm'.  'ctx' holds the temporary BIGNUMs required by this function.
+        This is r=(a^p)%m.
+
+int BN_reciprocal(BIGNUM *r, BIGNUM *m, BN_CTX *ctx);
+        Return the reciprocal of 'm'.  'ctx' holds the temporary variables
+        required.  This function returns -1 on error, otherwise it returns
+        the number of bits 'r' is shifted left to make 'r' into an integer.
+        This number of bits shifted is required in BN_mod_mul_reciprocal().
+        This is r=(1/m)<<(BN_num_bits(m)+1).
+        
+int BN_mod_mul_reciprocal(BIGNUM *r, BIGNUM *x, BIGNUM *y, BIGNUM *m, 
+        BIGNUM *i, int nb, BN_CTX *ctx);
+        This function is used to perform an efficient BN_mod_mul()
+        operation.  If one is going to repeatedly perform BN_mod_mul() with
+        the same modulus is worth calculating the reciprocal of the modulus
+        and then using this function.  This operation uses the fact that
+        a/b == a*r where r is the reciprocal of b.  On modern computers
+        multiplication is very fast and big number division is very slow.
+        'x' is multiplied by 'y' and then divided by 'm' and the remainder
+        is returned.  'i' is the reciprocal of 'm' and 'nb' is the number
+        of bits as returned from BN_reciprocal().  Normal usage is as follows.
+        bn=BN_reciprocal(i,m);
+        for (...)
+                { BN_mod_mul_reciprocal(r,x,y,m,i,bn,ctx); }
+        This is r=(x*y)%m.  Internally it is approximately
+        r=(x*y)-m*(x*y/m) or r=(x*y)-m*((x*y*i) >> bn)
+        This function is used in BN_mod_exp() and BN_is_prime().
+
+Assignment Operations
+
+int BN_one(BIGNUM *a)
+        Set 'a' to hold the value one.
+        This is a=1.
+        
+int BN_zero(BIGNUM *a)
+        Set 'a' to hold the value zero.
+        This is a=0.
+        
+int BN_set_word(BIGNUM *a, unsigned long w);
+        Set 'a' to hold the value of 'w'.  'w' is an unsigned long.
+        This is a=w.
+
+unsigned long BN_get_word(BIGNUM *a);
+        Returns 'a' in an unsigned long.  Not remarkably, often 'a' will
+        be biger than a word, in which case 0xffffffffL is returned.
+
+Word Operations
+These functions are much more efficient that the normal bignum arithmetic
+operations.
+
+BN_ULONG BN_mod_word(BIGNUM *a, unsigned long w);
+        Return the remainder of 'a' divided by 'w'.
+        This is return(a%w).
+        
+int BN_add_word(BIGNUM *a, unsigned long w);
+        Add 'w' to 'a'.  This function does not take the sign of 'a' into
+        account.  This is a+=w;
+        
+Bit operations.
+
+int BN_is_bit_set(BIGNUM *a, int n);
+        This function return 1 if bit 'n' is set in 'a' else 0.
+
+int BN_set_bit(BIGNUM *a, int n);
+        This function sets bit 'n' to 1 in 'a'. 
+        This is a&= ~(1<<n);
+
+int BN_clear_bit(BIGNUM *a, int n);
+        This function sets bit 'n' to zero in 'a'.  Return 0 if less
+        than 'n' bits in 'a' else 1.  This is a&= ~(1<<n);
+
+int BN_mask_bits(BIGNUM *a, int n);
+        Truncate 'a' to n bits long.  This is a&= ~((~0)<<n)
+
+Format conversion routines.
+
+BIGNUM *BN_bin2bn(unsigned char *s, int len,BIGNUM *ret);
+        This function converts 'len' bytes in 's' into a BIGNUM which
+        is put in 'ret'.  If ret is NULL, a new BIGNUM is created.
+        Either this new BIGNUM or ret is returned.  The number is
+        assumed to be in bigendian form in 's'.  By this I mean that
+        to 'ret' is created as follows for 'len' == 5.
+        ret = s[0]*2^32 + s[1]*2^24 + s[2]*2^16 + s[3]*2^8 + s[4];
+        This function cannot be used to convert negative numbers.  It
+        is always assumed the number is positive.  The application
+        needs to diddle the 'neg' field of th BIGNUM its self.
+        The better solution would be to save the numbers in ASN.1 format
+        since this is a defined standard for storing big numbers.
+        Look at the functions
+
+        ASN1_INTEGER *BN_to_ASN1_INTEGER(BIGNUM *bn, ASN1_INTEGER *ai);
+        BIGNUM *ASN1_INTEGER_to_BN(ASN1_INTEGER *ai,BIGNUM *bn);
+        int i2d_ASN1_INTEGER(ASN1_INTEGER *a,unsigned char **pp);
+        ASN1_INTEGER *d2i_ASN1_INTEGER(ASN1_INTEGER **a,unsigned char **pp,
+                long length;
+
+int BN_bn2bin(BIGNUM *a, unsigned char *to);
+        This function converts 'a' to a byte string which is put into
+        'to'.  The representation is big-endian in that the most
+        significant byte of 'a' is put into to[0].  This function
+        returns the number of bytes used to hold 'a'.  BN_num_bytes(a)
+        would return the same value and can be used to determine how
+        large 'to' needs to be.  If the number is negative, this
+        information is lost.  Since this library was written to
+        manipulate large positive integers, the inability to save and
+        restore them is not considered to be a problem by me :-).
+        As for BN_bin2bn(), look at the ASN.1 integer encoding funtions
+        for SSLeay.  They use BN_bin2bn() and BN_bn2bin() internally.
+        
+char *BN_bn2ascii(BIGNUM *a);
+        This function returns a malloc()ed string that contains the
+        ascii hexadecimal encoding of 'a'.  The number is in bigendian
+        format with a '-' in front if the number is negative.
+
+int BN_ascii2bn(BIGNUM **bn, char *a);
+        The inverse of BN_bn2ascii.  The function returns the number of
+        characters from 'a' were processed in generating a the bignum.
+        error is inticated by 0 being returned.  The number is a
+        hex digit string, optionally with a leading '-'.  If *bn
+        is null, a BIGNUM is created and returned via that variable.
+        
+int BN_print_fp(FILE *fp, BIGNUM *a);
+        'a' is printed to file pointer 'fp'.  It is in the same format
+        that is output from BN_bn2ascii().  0 is returned on error,
+        1 if things are ok.
+
+int BN_print(BIO *bp, BIGNUM *a);
+        Same as BN_print except that the output is done to the SSLeay libraries
+        BIO routines.  BN_print_fp() actually calls this function.
+
+Miscellaneous Routines.
+
+int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);
+        This function returns in 'rnd' a random BIGNUM that is bits
+        long.  If bottom is 1, the number returned is odd.  If top is set,
+        the top 2 bits of the number are set.  This is useful because if
+        this is set, 2 'n; bit numbers multiplied together will return a 2n
+        bit number.  If top was not set, they could produce a 2n-1 bit
+        number.
+
+BIGNUM *BN_mod_inverse(BIGNUM *a, BIGNUM *n,BN_CTX *ctx);
+        This function create a new BIGNUM and returns it.  This number
+        is the inverse mod 'n' of 'a'.  By this it is meant that the
+        returned value 'r' satisfies (a*r)%n == 1.  This function is
+        used in the generation of RSA keys.  'ctx', as per usual,
+        is used to hold temporary variables that are required by the
+        function.  NULL is returned on error.
+
+int BN_gcd(BIGNUM *r,BIGNUM *a,BIGNUM *b,BN_CTX *ctx);
+        'r' has the greatest common divisor of 'a' and 'b'.  'ctx' is
+        used for temporary variables and 0 is returned on error.
+
+int BN_is_prime(BIGNUM *p,int nchecks,void (*callback)(),BN_CTX *ctx,
+        char *cb_arg);
+        This function is used to check if a BIGNUM ('p') is prime.
+        It performs this test by using the Miller-Rabin randomised
+        primality test.  This is a probalistic test that requires a
+        number of rounds to ensure the number is prime to a high
+        degree of probability.  Since this can take quite some time, a
+        callback function can be passed and it will be called each
+        time 'p' passes a round of the prime testing.  'callback' will
+        be called as follows, callback(1,n,cb_arg) where n is the number of
+        the round, just passed.  As per usual 'ctx' contains temporary
+        variables used.  If ctx is NULL, it does not matter, a local version
+        will be malloced.  This parameter is present to save some mallocing
+        inside the function but probably could be removed.
+        0 is returned on error.
+        'ncheck' is the number of Miller-Rabin tests to run.  It is
+        suggested to use the value 'BN_prime_checks' by default.
+
+BIGNUM *BN_generate_prime(
+int bits,
+int strong,
+BIGNUM *a,
+BIGNUM *rems,
+void (*callback)());
+char *cb_arg
+        This function is used to generate prime numbers.  It returns a
+        new BIGNUM that has a high probability of being a prime.
+        'bits' is the number of bits that
+        are to be in the prime.  If 'strong' is true, the returned prime
+        will also be a strong prime ((p-1)/2 is also prime).
+        While searching for the prime ('p'), we
+        can add the requirement that the prime fill the following
+        condition p%a == rem.  This can be used to help search for
+        primes with specific features, which is required when looking
+        for primes suitable for use with certain 'g' values in the
+        Diffie-Hellman key exchange algorithm.  If 'a' is NULL,
+        this condition is not checked.  If rem is NULL, rem is assumed
+        to be 1.  Since this search for a prime
+        can take quite some time, if callback is not NULL, it is called
+        in the following situations.
+        We have a suspected prime (from a quick sieve),
+        callback(0,sus_prime++,cb_arg). Each item to be passed to BN_is_prime().
+        callback(1,round++,cb_arg).  Each successful 'round' in BN_is_prime().
+        callback(2,round,cb_arg). For each successful BN_is_prime() test.
+
+Hints
+-----
+
+DSA wants 64*32 to use word mont mul, but RSA wants to use full.
+
+==== callback.doc ========================================================
+
+Callback functions used in SSLeay.
+
+--------------------------
+The BIO library.  
+
+Each BIO structure can have a callback defined against it.  This callback is
+called 2 times for each BIO 'function'.  It is passed 6 parameters.
+BIO_debug_callback() is an example callback which is defined in
+crypto/buffer/bio_cb.c and is used in apps/dgst.c  This is intended mostly
+for debuging or to notify the application of IO.
+
+long BIO_debug_callback(BIO *bio,int cmd,char *argp,int argi,long argl,
+        long ret);
+bio is the BIO being called, cmd is the type of BIO function being called.
+Look at the BIO_CB_* defines in buffer.h.  Argp and argi are the arguments
+passed to BIO_read(), BIO_write, BIO_gets(), BIO_puts().  In the case of
+BIO_ctrl(), argl is also defined.  The first time the callback is called,
+before the underlying function has been executed, 0 is passed as 'ret', and
+if the return code from the callback is not > 0, the call is aborted
+and the returned <= 0 value is returned.
+The second time the callback is called, the 'cmd' value also has
+BIO_CB_RETURN logically 'or'ed with it.  The 'ret' value is the value returned
+from the actuall function call and whatever the callback returns is returned
+from the BIO function.
+
+BIO_set_callback(b,cb) can be used to set the callback function
+(b is a BIO), and BIO_set_callback_arg(b,arg) can be used to
+set the cb_arg argument in the BIO strucutre.  This field is only intended
+to be used by application, primarily in the callback function since it is
+accessable since the BIO is passed.
+
+--------------------------
+The PEM library.
+
+The pem library only really uses one type of callback,
+static int def_callback(char *buf, int num, int verify);
+which is used to return a password string if required.
+'buf' is the buffer to put the string in.  'num' is the size of 'buf'
+and 'verify' is used to indicate that the password should be checked.
+This last flag is mostly used when reading a password for encryption.
+
+For all of these functions, a NULL callback will call the above mentioned
+default callback.  This default function does not work under Windows 3.1.
+For other machines, it will use an application defined prompt string
+(EVP_set_pw_prompt(), which defines a library wide prompt string)
+if defined, otherwise it will use it's own PEM password prompt.
+It will then call EVP_read_pw_string() to get a password from the console.
+If your application wishes to use nice fancy windows to retrieve passwords,
+replace this function.  The callback should return the number of bytes read
+into 'buf'.  If the number of bytes <= 0, it is considered an error.
+
+Functions that take this callback are listed below.  For the 'read' type
+functions, the callback will only be required if the PEM data is encrypted.
+
+For the Write functions, normally a password can be passed in 'kstr', of
+'klen' bytes which will be used if the 'enc' cipher is not NULL.  If
+'kstr' is NULL, the callback will be used to retrieve a password.
+
+int PEM_do_header (EVP_CIPHER_INFO *cipher, unsigned char *data,long *len,
+        int (*callback)());
+char *PEM_ASN1_read_bio(char *(*d2i)(),char *name,BIO *bp,char **x,int (*cb)());
+char *PEM_ASN1_read(char *(*d2i)(),char *name,FILE *fp,char **x,int (*cb)());
+int PEM_ASN1_write_bio(int (*i2d)(),char *name,BIO *bp,char *x,
+        EVP_CIPHER *enc,unsigned char *kstr,int klen,int (*callback)());
+int PEM_ASN1_write(int (*i2d)(),char *name,FILE *fp,char *x,
+        EVP_CIPHER *enc,unsigned char *kstr,int klen,int (*callback)());
+STACK *PEM_X509_INFO_read(FILE *fp, STACK *sk, int (*cb)());
+STACK *PEM_X509_INFO_read_bio(BIO *fp, STACK *sk, int (*cb)());
+
+#define PEM_write_RSAPrivateKey(fp,x,enc,kstr,klen,cb)
+#define PEM_write_DSAPrivateKey(fp,x,enc,kstr,klen,cb)
+#define PEM_write_bio_RSAPrivateKey(bp,x,enc,kstr,klen,cb)
+#define PEM_write_bio_DSAPrivateKey(bp,x,enc,kstr,klen,cb)
+#define PEM_read_SSL_SESSION(fp,x,cb)
+#define PEM_read_X509(fp,x,cb)
+#define PEM_read_X509_REQ(fp,x,cb)
+#define PEM_read_X509_CRL(fp,x,cb)
+#define PEM_read_RSAPrivateKey(fp,x,cb)
+#define PEM_read_DSAPrivateKey(fp,x,cb)
+#define PEM_read_PrivateKey(fp,x,cb)
+#define PEM_read_PKCS7(fp,x,cb)
+#define PEM_read_DHparams(fp,x,cb)
+#define PEM_read_bio_SSL_SESSION(bp,x,cb)
+#define PEM_read_bio_X509(bp,x,cb)
+#define PEM_read_bio_X509_REQ(bp,x,cb)
+#define PEM_read_bio_X509_CRL(bp,x,cb)
+#define PEM_read_bio_RSAPrivateKey(bp,x,cb)
+#define PEM_read_bio_DSAPrivateKey(bp,x,cb)
+#define PEM_read_bio_PrivateKey(bp,x,cb)
+#define PEM_read_bio_PKCS7(bp,x,cb)
+#define PEM_read_bio_DHparams(bp,x,cb)
+int i2d_Netscape_RSA(RSA *a, unsigned char **pp, int (*cb)());
+RSA *d2i_Netscape_RSA(RSA **a, unsigned char **pp, long length, int (*cb)());
+
+Now you will notice that macros like
+#define PEM_write_X509(fp,x) \
+                PEM_ASN1_write((int (*)())i2d_X509,PEM_STRING_X509,fp, \
+                                        (char *)x, NULL,NULL,0,NULL)
+Don't do encryption normally.  If you want to PEM encrypt your X509 structure,
+either just call PEM_ASN1_write directly or just define you own
+macro variant.  As you can see, this macro just sets all encryption related
+parameters to NULL.
+
+
+--------------------------
+The SSL library.
+
+#define SSL_set_info_callback(ssl,cb)
+#define SSL_CTX_set_info_callback(ctx,cb)
+void callback(SSL *ssl,int location,int ret)
+This callback is called each time around the SSL_connect()/SSL_accept() 
+state machine.  So it will be called each time the SSL protocol progresses.
+It is mostly present for use when debugging.  When SSL_connect() or
+SSL_accept() return, the location flag is SSL_CB_ACCEPT_EXIT or
+SSL_CB_CONNECT_EXIT and 'ret' is the value about to be returned.
+Have a look at the SSL_CB_* defines in ssl.h.  If an info callback is defined
+against the SSL_CTX, it is called unless there is one set against the SSL.
+Have a look at
+void client_info_callback() in apps/s_client() for an example.
+
+Certificate verification.
+void SSL_set_verify(SSL *s, int mode, int (*callback) ());
+void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*callback)());
+This callback is used to help verify client and server X509 certificates.
+It is actually passed to X509_cert_verify(), along with the SSL structure
+so you have to read about X509_cert_verify() :-).  The SSL_CTX version is used
+if the SSL version is not defined.  X509_cert_verify() is the function used
+by the SSL part of the library to verify certificates.  This function is
+nearly always defined by the application.
+
+void SSL_CTX_set_cert_verify_cb(SSL_CTX *ctx, int (*cb)(),char *arg);
+int callback(char *arg,SSL *s,X509 *xs,STACK *cert_chain);
+This call is used to replace the SSLeay certificate verification code.
+The 'arg' is kept in the SSL_CTX and is passed to the callback.
+If the callback returns 0, the certificate is rejected, otherwise it
+is accepted.  The callback is replacing the X509_cert_verify() call.
+This feature is not often used, but if you wished to implement
+some totally different certificate authentication system, this 'hook' is
+vital.
+
+SSLeay keeps a cache of session-ids against each SSL_CTX.  These callbacks can
+be used to notify the application when a SSL_SESSION is added to the cache
+or to retrieve a SSL_SESSION that is not in the cache from the application.
+#define SSL_CTX_sess_set_get_cb(ctx,cb)
+SSL_SESSION *callback(SSL *s,char *session_id,int session_id_len,int *copy);
+If defined, this callback is called to return the SESSION_ID for the
+session-id in 'session_id', of 'session_id_len' bytes.  'copy' is set to 1
+if the server is to 'take a copy' of the SSL_SESSION structure.  It is 0
+if the SSL_SESSION is being 'passed in' so the SSLeay library is now
+responsible for 'free()ing' the structure.  Basically it is used to indicate
+if the reference count on the SSL_SESSION structure needs to be incremented.
+
+#define SSL_CTX_sess_set_new_cb(ctx,cb)
+int callback(SSL *s, SSL_SESSION *sess);
+When a new connection is established, if the SSL_SESSION is going to be added
+to the cache, this callback is called.  Return 1 if a 'copy' is required,
+otherwise, return 0.  This return value just causes the reference count
+to be incremented (on return of a 1), this means the application does
+not need to worry about incrementing the refernece count (and the
+locking that implies in a multi-threaded application).
+
+void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx,int (*cb)());
+This sets the SSL password reading function.
+It is mostly used for windowing applications
+and used by PEM_read_bio_X509() and PEM_read_bio_RSAPrivateKey()
+calls inside the SSL library.   The only reason this is present is because the
+calls to PEM_* functions is hidden in the SSLeay library so you have to
+pass in the callback some how.
+
+#define SSL_CTX_set_client_cert_cb(ctx,cb)
+int callback(SSL *s,X509 **x509, EVP_PKEY **pkey);
+Called when a client certificate is requested but there is not one set
+against the SSL_CTX or the SSL.  If the callback returns 1, x509 and
+pkey need to point to valid data.  The library will free these when
+required so if the application wants to keep these around, increment
+their reference counts.  If 0 is returned, no client cert is
+available.  If -1 is returned, it is assumed that the callback needs
+to be called again at a later point in time.  SSL_connect will return
+-1 and SSL_want_x509_lookup(ssl) returns true.  Remember that
+application data can be attached to an SSL structure via the
+SSL_set_app_data(SSL *ssl,char *data) call.
+
+--------------------------
+The X509 library.
+
+int X509_cert_verify(CERTIFICATE_CTX *ctx,X509 *xs, int (*cb)(),
+        int *error,char *arg,STACK *cert_chain);
+int verify_callback(int ok,X509 *xs,X509 *xi,int depth,int error,char *arg,
+        STACK *cert_chain);
+
+X509_cert_verify() is used to authenticate X509 certificates.  The 'ctx' holds
+the details of the various caches and files used to locate certificates.
+'xs' is the certificate to verify and 'cb' is the application callback (more
+detail later).  'error' will be set to the error code and 'arg' is passed
+to the 'cb' callback.  Look at the VERIFY_* defines in crypto/x509/x509.h
+
+When ever X509_cert_verify() makes a 'negative' decision about a
+certitificate, the callback is called.  If everything checks out, the
+callback is called with 'VERIFY_OK' or 'VERIFY_ROOT_OK' (for a self
+signed cert that is not the passed certificate).
+
+The callback is passed the X509_cert_verify opinion of the certificate 
+in 'ok', the certificate in 'xs', the issuer certificate in 'xi',
+the 'depth' of the certificate in the verification 'chain', the
+VERIFY_* code in 'error' and the argument passed to X509_cert_verify()
+in 'arg'. cert_chain is a list of extra certs to use if they are not
+in the cache.
+
+The callback can be used to look at the error reason, and then return 0
+for an 'error' or '1' for ok.  This will override the X509_cert_verify()
+opinion of the certificates validity.  Processing will continue depending on
+the return value.  If one just wishes to use the callback for informational
+reason, just return the 'ok' parameter.
+
+--------------------------
+The BN and DH library.
+
+BIGNUM *BN_generate_prime(int bits,int strong,BIGNUM *add,
+        BIGNUM *rem,void (*callback)(int,int));
+int BN_is_prime(BIGNUM *p,int nchecks,void (*callback)(int,int),
+
+Read doc/bn.doc for the description of these 2.
+
+DH *DH_generate_parameters(int prime_len,int generator,
+        void (*callback)(int,int));
+Read doc/bn.doc for the description of the callback, since it is just passed
+to BN_generate_prime(), except that it is also called as
+callback(3,0) by this function.
+
+--------------------------
+The CRYPTO library.
+
+void CRYPTO_set_locking_callback(void (*func)(int mode,int type,char *file,
+        int line));
+void CRYPTO_set_add_lock_callback(int (*func)(int *num,int mount,
+        int type,char *file, int line));
+void CRYPTO_set_id_callback(unsigned long (*func)(void));
+
+Read threads.doc for info on these ones.
+
+
+==== cipher.doc ========================================================
+
+The Cipher subroutines.
+
+These routines require "evp.h" to be included.
+
+These functions are a higher level interface to the various cipher
+routines found in this library.  As such, they allow the same code to be
+used to encrypt and decrypt via different ciphers with only a change
+in an initial parameter.  These routines also provide buffering for block
+ciphers.
+
+These routines all take a pointer to the following structure to specify
+which cipher to use.  If you wish to use a new cipher with these routines,
+you would probably be best off looking an how an existing cipher is
+implemented and copying it.  At this point in time, I'm not going to go
+into many details.  This structure should be considered opaque
+
+typedef struct pem_cipher_st
+        {
+        int type;
+        int block_size;
+        int key_len;
+        int iv_len;
+        void (*enc_init)();     /* init for encryption */
+        void (*dec_init)();     /* init for decryption */
+        void (*do_cipher)();    /* encrypt data */
+        } EVP_CIPHER;
+        
+The type field is the object NID of the cipher type
+(read the section on Objects for an explanation of what a NID is).
+The cipher block_size is how many bytes need to be passed
+to the cipher at a time.  Key_len is the
+length of the key the cipher requires and iv_len is the length of the
+initialisation vector required.  enc_init is the function
+called to initialise the ciphers context for encryption and dec_init is the
+function to initialise for decryption (they need to be different, especially
+for the IDEA cipher).
+
+One reason for specifying the Cipher via a pointer to a structure
+is that if you only use des-cbc, only the des-cbc routines will
+be included when you link the program.  If you passed an integer
+that specified which cipher to use, the routine that mapped that
+integer to a set of cipher functions would cause all the ciphers
+to be link into the code.  This setup also allows new ciphers
+to be added by the application (with some restrictions).
+
+The thirteen ciphers currently defined in this library are
+
+EVP_CIPHER *EVP_des_ecb();     /* DES in ecb mode,     iv=0, block=8, key= 8 */
+EVP_CIPHER *EVP_des_ede();     /* DES in ecb ede mode, iv=0, block=8, key=16 */
+EVP_CIPHER *EVP_des_ede3();    /* DES in ecb ede mode, iv=0, block=8, key=24 */
+EVP_CIPHER *EVP_des_cfb();     /* DES in cfb mode,     iv=8, block=1, key= 8 */
+EVP_CIPHER *EVP_des_ede_cfb(); /* DES in ede cfb mode, iv=8, block=1, key=16 */
+EVP_CIPHER *EVP_des_ede3_cfb();/* DES in ede cfb mode, iv=8, block=1, key=24 */
+EVP_CIPHER *EVP_des_ofb();     /* DES in ofb mode,     iv=8, block=1, key= 8 */
+EVP_CIPHER *EVP_des_ede_ofb(); /* DES in ede ofb mode, iv=8, block=1, key=16 */
+EVP_CIPHER *EVP_des_ede3_ofb();/* DES in ede ofb mode, iv=8, block=1, key=24 */
+EVP_CIPHER *EVP_des_cbc();     /* DES in cbc mode,     iv=8, block=8, key= 8 */
+EVP_CIPHER *EVP_des_ede_cbc(); /* DES in cbc ede mode, iv=8, block=8, key=16 */
+EVP_CIPHER *EVP_des_ede3_cbc();/* DES in cbc ede mode, iv=8, block=8, key=24 */
+EVP_CIPHER *EVP_desx_cbc();    /* DES in desx cbc mode,iv=8, block=8, key=24 */
+EVP_CIPHER *EVP_rc4();         /* RC4,                 iv=0, block=1, key=16 */
+EVP_CIPHER *EVP_idea_ecb();    /* IDEA in ecb mode,    iv=0, block=8, key=16 */
+EVP_CIPHER *EVP_idea_cfb();    /* IDEA in cfb mode,    iv=8, block=1, key=16 */
+EVP_CIPHER *EVP_idea_ofb();    /* IDEA in ofb mode,    iv=8, block=1, key=16 */
+EVP_CIPHER *EVP_idea_cbc();    /* IDEA in cbc mode,    iv=8, block=8, key=16 */
+EVP_CIPHER *EVP_rc2_ecb();     /* RC2 in ecb mode,     iv=0, block=8, key=16 */
+EVP_CIPHER *EVP_rc2_cfb();     /* RC2 in cfb mode,     iv=8, block=1, key=16 */
+EVP_CIPHER *EVP_rc2_ofb();     /* RC2 in ofb mode,     iv=8, block=1, key=16 */
+EVP_CIPHER *EVP_rc2_cbc();     /* RC2 in cbc mode,     iv=8, block=8, key=16 */
+EVP_CIPHER *EVP_bf_ecb();      /* Blowfish in ecb mode,iv=0, block=8, key=16 */
+EVP_CIPHER *EVP_bf_cfb();      /* Blowfish in cfb mode,iv=8, block=1, key=16 */
+EVP_CIPHER *EVP_bf_ofb();      /* Blowfish in ofb mode,iv=8, block=1, key=16 */
+EVP_CIPHER *EVP_bf_cbc();      /* Blowfish in cbc mode,iv=8, block=8, key=16 */
+
+The meaning of the compound names is as follows.
+des     The base cipher is DES.
+idea    The base cipher is IDEA
+rc4     The base cipher is RC4-128
+rc2     The base cipher is RC2-128
+ecb     Electronic Code Book form of the cipher.
+cbc     Cipher Block Chaining form of the cipher.
+cfb     64 bit Cipher Feedback form of the cipher.
+ofb     64 bit Output Feedback form of the cipher.
+ede     The cipher is used in Encrypt, Decrypt, Encrypt mode.  The first
+        and last keys are the same.
+ede3    The cipher is used in Encrypt, Decrypt, Encrypt mode.
+
+All the Cipher routines take a EVP_CIPHER_CTX pointer as an argument.
+The state of the cipher is kept in this structure.
+
+typedef struct EVP_CIPHER_Ctx_st
+        {
+        EVP_CIPHER *cipher;
+        int encrypt;            /* encrypt or decrypt */
+        int buf_len;            /* number we have left */
+        unsigned char buf[8];
+        union   {
+                .... /* cipher specific stuff */
+                } c;
+        } EVP_CIPHER_CTX;
+
+Cipher is a pointer the the EVP_CIPHER for the current context.  The encrypt
+flag indicates encryption or decryption.  buf_len is the number of bytes
+currently being held in buf.
+The 'c' union holds the cipher specify context.
+
+The following functions are to be used.
+
+int EVP_read_pw_string(
+char *buf,
+int len,
+char *prompt,
+int verify,
+        This function is the same as des_read_pw_string() (des.doc).
+
+void EVP_set_pw_prompt(char *prompt);
+        This function sets the 'default' prompt to use to use in
+        EVP_read_pw_string when the prompt parameter is NULL.  If the
+        prompt parameter is NULL, this 'default prompt' feature is turned
+        off.  Be warned, this is a global variable so weird things
+        will happen if it is used under Win16 and care must be taken
+        with a multi-threaded version of the library.
+
+char *EVP_get_pw_prompt();
+        This returns a pointer to the default prompt string.  NULL
+        if it is not set.
+
+int EVP_BytesToKey(
+EVP_CIPHER *type,
+EVP_MD *md,
+unsigned char *salt,
+unsigned char *data,
+int datal,
+int count,
+unsigned char *key,
+unsigned char *iv);
+        This function is used to generate a key and an initialisation vector
+        for a specified cipher from a key string and a salt.  Type
+        specifies the cipher the 'key' is being generated for.  Md is the
+        message digest algorithm to use to generate the key and iv.  The salt
+        is an optional 8 byte object that is used to help seed the key
+        generator.
+        If the salt value is NULL, it is just not used.  Datal is the
+        number of bytes to use from 'data' in the key generation.  
+        This function returns the key size for the specified cipher, if
+        data is NULL, this value is returns and no other
+        computation is performed.  Count is
+        the number of times to loop around the key generator.  I would
+        suggest leaving it's value as 1.  Key and iv are the structures to
+        place the returning iv and key in.  If they are NULL, no value is
+        generated for that particular value.
+        The algorithm used is as follows
+        
+        /* M[] is an array of message digests
+         * MD() is the message digest function */
+        M[0]=MD(data . salt);
+        for (i=1; i<count; i++) M[0]=MD(M[0]);
+
+        i=1
+        while (data still needed for key and iv)
+                {
+                M[i]=MD(M[i-1] . data . salt);
+                for (i=1; i<count; i++) M[i]=MD(M[i]);
+                i++;
+                }
+
+        If the salt is NULL, it is not used.
+        The digests are concatenated together.
+        M = M[0] . M[1] . M[2] .......
+
+        For key= 8, iv=8 => key=M[0.. 8], iv=M[ 9 .. 16].
+        For key=16, iv=0 => key=M[0..16].
+        For key=16, iv=8 => key=M[0..16], iv=M[17 .. 24].
+        For key=24, iv=8 => key=M[0..24], iv=M[25 .. 32].
+
+        This routine will produce DES-CBC keys and iv that are compatible
+        with the PKCS-5 standard when md2 or md5 are used.  If md5 is
+        used, the salt is NULL and count is 1, this routine will produce
+        the password to key mapping normally used with RC4.
+        I have attempted to logically extend the PKCS-5 standard to
+        generate keys and iv for ciphers that require more than 16 bytes,
+        if anyone knows what the correct standard is, please inform me.
+        When using sha or sha1, things are a bit different under this scheme,
+        since sha produces a 20 byte digest.  So for ciphers requiring
+        24 bits of data, 20 will come from the first MD and 4 will
+        come from the second.
+
+        I have considered having a separate function so this 'routine'
+        can be used without the requirement of passing a EVP_CIPHER *,
+        but I have decided to not bother.  If you wish to use the
+        function without official EVP_CIPHER structures, just declare
+        a local one and set the key_len and iv_len fields to the
+        length you desire.
+
+The following routines perform encryption and decryption 'by parts'.  By
+this I mean that there are groups of 3 routines.  An Init function that is
+used to specify a cipher and initialise data structures.  An Update routine
+that does encryption/decryption, one 'chunk' at a time.  And finally a
+'Final' function that finishes the encryption/decryption process.
+All these functions take a EVP_CIPHER pointer to specify which cipher to
+encrypt/decrypt with.  They also take a EVP_CIPHER_CTX object as an
+argument.  This structure is used to hold the state information associated
+with the operation in progress.
+
+void EVP_EncryptInit(
+EVP_CIPHER_CTX *ctx,
+EVP_CIPHER *type,
+unsigned char *key,
+unsigned char *iv);
+        This function initialise a EVP_CIPHER_CTX for encryption using the
+        cipher passed in the 'type' field.  The cipher is initialised to use
+        'key' as the key and 'iv' for the initialisation vector (if one is
+        required).  If the type, key or iv is NULL, the value currently in the
+        EVP_CIPHER_CTX is reused.  So to perform several decrypt
+        using the same cipher, key and iv, initialise with the cipher,
+        key and iv the first time and then for subsequent calls,
+        reuse 'ctx' but pass NULL for type, key and iv.  You must make sure
+        to pass a key that is large enough for a particular cipher.  I
+        would suggest using the EVP_BytesToKey() function.
+
+void EVP_EncryptUpdate(
+EVP_CIPHER_CTX *ctx,
+unsigned char *out,
+int *outl,
+unsigned char *in,
+int inl);
+        This function takes 'inl' bytes from 'in' and outputs bytes
+        encrypted by the cipher 'ctx' was initialised with into 'out'.  The
+        number of bytes written to 'out' is put into outl.  If a particular
+        cipher encrypts in blocks, less or more bytes than input may be
+        output.  Currently the largest block size used by supported ciphers
+        is 8 bytes, so 'out' should have room for 'inl+7' bytes.  Normally
+        EVP_EncryptInit() is called once, followed by lots and lots of
+        calls to EVP_EncryptUpdate, followed by a single EVP_EncryptFinal
+        call.
+
+void EVP_EncryptFinal(
+EVP_CIPHER_CTX *ctx,
+unsigned char *out,
+int *outl);
+        Because quite a large number of ciphers are block ciphers, there is
+        often an incomplete block to write out at the end of the
+        encryption.  EVP_EncryptFinal() performs processing on this last
+        block.  The last block in encoded in such a way that it is possible
+        to determine how many bytes in the last block are valid.  For 8 byte
+        block size ciphers, if only 5 bytes in the last block are valid, the
+        last three bytes will be filled with the value 3.  If only 2 were
+        valid, the other 6 would be filled with sixes.  If all 8 bytes are
+        valid, a extra 8 bytes are appended to the cipher stream containing
+        nothing but 8 eights.  These last bytes are output into 'out' and
+        the number of bytes written is put into 'outl'  These last bytes
+        are output into 'out' and the number of bytes written is put into
+        'outl'.  This form of block cipher finalisation is compatible with
+        PKCS-5.  Please remember that even if you are using ciphers like
+        RC4 that has no blocking and so the function will not write
+        anything into 'out', it would still be a good idea to pass a
+        variable for 'out' that can hold 8 bytes just in case the cipher is
+        changed some time in the future.  It should also be remembered
+        that the EVP_CIPHER_CTX contains the password and so when one has
+        finished encryption with a particular EVP_CIPHER_CTX, it is good
+        practice to zero the structure 
+        (ie. memset(ctx,0,sizeof(EVP_CIPHER_CTX)).
+        
+void EVP_DecryptInit(
+EVP_CIPHER_CTX *ctx,
+EVP_CIPHER *type,
+unsigned char *key,
+unsigned char *iv);
+        This function is basically the same as EVP_EncryptInit() accept that
+        is prepares the EVP_CIPHER_CTX for decryption.
+
+void EVP_DecryptUpdate(
+EVP_CIPHER_CTX *ctx,
+unsigned char *out,
+int *outl,
+unsigned char *in,
+int inl);
+        This function is basically the same as EVP_EncryptUpdate()
+        except that it performs decryption.  There is one
+        fundamental difference though.  'out' can not be the same as
+        'in' for any ciphers with a block size greater than 1 if more
+        than one call to EVP_DecryptUpdate() will be made.  This
+        is because this routine can hold a 'partial' block between
+        calls.  When a partial block is decrypted (due to more bytes
+        being passed via this function, they will be written to 'out'
+        overwriting the input bytes in 'in' that have not been read
+        yet.  From this it should also be noted that 'out' should
+        be at least one 'block size' larger than 'inl'.  This problem
+        only occurs on the second and subsequent call to
+        EVP_DecryptUpdate() when using a block cipher.
+
+int EVP_DecryptFinal(
+EVP_CIPHER_CTX *ctx,
+unsigned char *out,
+int *outl);
+        This function is different to EVP_EncryptFinal in that it 'removes'
+        any padding bytes appended when the data was encrypted.  Due to the
+        way in which 1 to 8 bytes may have been appended when encryption
+        using a block cipher, 'out' can end up with 0 to 7 bytes being put
+        into it.  When decoding the padding bytes, it is possible to detect
+        an incorrect decryption.  If the decryption appears to be wrong, 0
+        is returned.  If everything seems ok, 1 is returned.  For ciphers
+        with a block size of 1 (RC4), this function would normally not
+        return any bytes and would always return 1.  Just because this
+        function returns 1 does not mean the decryption was correct. It
+        would normally be wrong due to either the wrong key/iv or
+        corruption of the cipher data fed to EVP_DecryptUpdate().
+        As for EVP_EncryptFinal, it is a good idea to zero the
+        EVP_CIPHER_CTX after use since the structure contains the key used
+        to decrypt the data.
+        
+The following Cipher routines are convenience routines that call either
+EVP_EncryptXxx or EVP_DecryptXxx depending on weather the EVP_CIPHER_CTX
+was setup to encrypt or decrypt.  
+
+void EVP_CipherInit(
+EVP_CIPHER_CTX *ctx,
+EVP_CIPHER *type,
+unsigned char *key,
+unsigned char *iv,
+int enc);
+        This function take arguments that are the same as EVP_EncryptInit()
+        and EVP_DecryptInit() except for the extra 'enc' flag.  If 1, the
+        EVP_CIPHER_CTX is setup for encryption, if 0, decryption.
+
+void EVP_CipherUpdate(
+EVP_CIPHER_CTX *ctx,
+unsigned char *out,
+int *outl,
+unsigned char *in,
+int inl);
+        Again this function calls either EVP_EncryptUpdate() or
+        EVP_DecryptUpdate() depending on state in the 'ctx' structure.
+        As noted for EVP_DecryptUpdate(), when this routine is used
+        for decryption with block ciphers, 'out' should not be the
+        same as 'in'.
+
+int EVP_CipherFinal(
+EVP_CIPHER_CTX *ctx,
+unsigned char *outm,
+int *outl);
+        This routine call EVP_EncryptFinal() or EVP_DecryptFinal()
+        depending on the state information in 'ctx'.  1 is always returned
+        if the mode is encryption, otherwise the return value is the return
+        value of EVP_DecryptFinal().
+
+==== cipher.m ========================================================
+
+Date: Tue, 15 Oct 1996 08:16:14 +1000 (EST)
+From: Eric Young <eay@mincom.com>
+X-Sender: eay@orb
+To: Roland Haring <rharing@tandem.cl>
+Cc: ssl-users@mincom.com
+Subject: Re: Symmetric encryption with ssleay
+In-Reply-To: <m0vBpyq-00001aC@tandemnet.tandem.cl>
+Message-Id: <Pine.SOL.3.91.961015075623.11394A-100000@orb>
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+Sender: ssl-lists-owner@mincom.com
+Precedence: bulk
+Status: RO
+X-Status: 
+
+On Fri, 11 Oct 1996, Roland Haring wrote:
+> THE_POINT:
+>       Would somebody be so kind to give me the minimum basic 
+>       calls I need to do to libcrypto.a to get some text encrypted
+>       and decrypted again? ...hopefully with code included to do
+>       base64 encryption and decryption ... e.g. that sign-it.c code
+>       posted some while ago was a big help :-) (please, do not point
+>       me to apps/enc.c where I suspect my Heissenbug to be hidden :-)
+
+Ok, the base64 encoding stuff in 'enc.c' does the wrong thing sometimes 
+when the data is less than a line long (this is for decoding).  I'll dig 
+up the exact fix today and post it.  I am taking longer on 0.6.5 than I 
+intended so I'll just post this patch.
+
+The documentation to read is in
+doc/cipher.doc,
+doc/encode.doc (very sparse :-).
+and perhaps
+doc/digest.doc,
+
+The basic calls to encrypt with say triple DES are
+
+Given
+char key[EVP_MAX_KEY_LENGTH];
+char iv[EVP_MAX_IV_LENGTH];
+EVP_CIPHER_CTX ctx;
+unsigned char out[512+8];
+int outl;
+
+/* optional generation of key/iv data from text password using md5
+ * via an upward compatable verson of PKCS#5. */
+EVP_BytesToKey(EVP_des_ede3_cbc,EVP_md5,NULL,passwd,strlen(passwd),
+        key,iv);
+
+/* Initalise the EVP_CIPHER_CTX */
+EVP_EncryptInit(ctx,EVP_des_ede3_cbc,key,iv);
+
+while (....)
+        {
+        /* This is processing 512 bytes at a time, the bytes are being
+         * copied into 'out', outl bytes are output.  'out' should not be the
+         * same as 'in' for reasons mentioned in the documentation. */
+        EVP_EncryptUpdate(ctx,out,&outl,in,512);
+        }
+
+/* Output the last 'block'.  If the cipher is a block cipher, the last
+ * block is encoded in such a way so that a wrong decryption will normally be
+ * detected - again, one of the PKCS standards. */
+
+EVP_EncryptFinal(ctx,out,&outl);
+
+To decrypt, use the EVP_DecryptXXXXX functions except that EVP_DecryptFinal()
+will return 0 if the decryption fails (only detectable on block ciphers).
+
+You can also use
+EVP_CipherInit()
+EVP_CipherUpdate()
+EVP_CipherFinal()
+which does either encryption or decryption depending on an extra 
+parameter to EVP_CipherInit().
+
+
+To do the base64 encoding,
+EVP_EncodeInit()
+EVP_EncodeUpdate()
+EVP_EncodeFinal()
+
+EVP_DecodeInit()
+EVP_DecodeUpdate()
+EVP_DecodeFinal()
+
+where the encoding is quite simple, but the decoding can be a bit more 
+fun (due to dud input).
+
+EVP_DecodeUpdate() returns -1 for an error on an input line, 0 if the 
+'last line' was just processed, and 1 if more lines should be submitted.
+
+EVP_DecodeFinal() returns -1 for an error or 1 if things are ok.
+
+So the loop becomes
+EVP_DecodeInit(....)
+for (;;)
+        {
+        i=EVP_DecodeUpdate(....);
+        if (i < 0) goto err;
+
+        /* process the data */
+
+        if (i == 0) break;
+        }
+EVP_DecodeFinal(....);
+/* process the data */
+
+The problem in 'enc.c' is that I was stuff the processing up after the 
+EVP_DecodeFinal(...) when the for(..) loop was not being run (one line of 
+base64 data) and this was because 'enc.c' tries to scan over a file until
+it hits the first valid base64 encoded line.
+
+hope this helps a bit.
+eric
+--
+Eric Young                  | BOOL is tri-state according to Bill Gates.
+AARNet: eay@mincom.oz.au    | RTFM Win32 GetMessage().
+
+==== conf.doc ========================================================
+
+The CONF library.
+
+The CONF library is a simple set of routines that can be used to configure
+programs.  It is a superset of the genenv() function with some extra
+structure.
+
+The library consists of 5 functions.
+
+LHASH *CONF_load(LHASH *config,char *file);
+This function is called to load in a configuration file.  Multiple
+configuration files can be loaded, with each subsequent 'load' overwriting
+any already defined 'variables'.  If there is an error, NULL is returned.
+If config is NULL, a new LHASH structure is created and returned, otherwise
+the new data in the 'file' is loaded into the 'config' structure.
+
+void CONF_free(LHASH *config);
+This function free()s the data in config.
+
+char *CONF_get_string(LHASH *config,char *section,char *name);
+This function returns the string found in 'config' that corresponds to the
+'section' and 'name' specified.  Classes and the naming system used will be
+discussed later in this document.  If the variable is not defined, an NULL
+is returned.
+
+long CONF_get_long(LHASH *config,char *section, char *name);
+This function is the same as CONF_get_string() except that it converts the
+string to an long and returns it.  If variable is not a number or the
+variable does not exist, 0 is returned.  This is a little problematic but I
+don't know of a simple way around it.
+
+STACK *CONF_get_section(LHASH *config, char *section);
+This function returns a 'stack' of CONF_VALUE items that are all the
+items defined in a particular section.  DO NOT free() any of the
+variable returned.  They will disappear when CONF_free() is called.
+
+The 'lookup' model.
+The configuration file is divided into 'sections'.  Each section is started by
+a line of the form '[ section ]'.  All subsequent variable definitions are
+of this section.  A variable definition is a simple alpha-numeric name
+followed by an '=' and then the data.  A section or variable name can be
+described by a regular expression of the following form '[A-Za-z0-9_]+'.
+The value of the variable is the text after the '=' until the end of the
+line, stripped of leading and trailing white space.
+At this point I should mention that a '#' is a comment character, \ is the
+escape character, and all three types of quote can be used to stop any
+special interpretation of the data.
+Now when the data is being loaded, variable expansion can occur.  This is
+done by expanding any $NAME sequences into the value represented by the
+variable NAME.  If the variable is not in the current section, the different
+section can be specified by using the $SECTION::NAME form.  The ${NAME} form
+also works and is very useful for expanding variables inside strings.
+
+When a variable is looked up, there are 2 special section. 'default', which
+is the initial section, and 'ENV' which is the processes environment
+variables (accessed via getenv()).  When a variable is looked up, it is
+first 'matched' with it's section (if one was specified), if this fails, the
+'default' section is matched.
+If the 'lhash' variable passed was NULL, the environment is searched.
+
+Now why do we bother with sections?  So we can have multiple programs using
+the same configuration file, or multiple instances of the same program
+using different variables.  It also provides a nice mechanism to override
+the processes environment variables (eg ENV::HOME=/tmp).  If there is a
+program specific variable missing, we can have default values.
+Multiple configuration files can be loaded, with each new value clearing
+any predefined values.  A system config file can provide 'default' values,
+and application/usr specific files can provide overriding values.
+
+Examples
+
+# This is a simple example
+SSLEAY_HOME     = /usr/local/ssl
+ENV::PATH       = $SSLEAY_HOME/bin:$PATH        # override my path
+
+[X509]
+cert_dir        = $SSLEAY_HOME/certs    # /usr/local/ssl/certs
+
+[SSL]
+CIPHER          = DES-EDE-MD5:RC4-MD5
+USER_CERT       = $HOME/${USER}di'r 5'  # /home/eay/eaydir 5
+USER_CERT       = $HOME/\${USER}di\'r   # /home/eay/${USER}di'r
+USER_CERT       = "$HOME/${US"ER}di\'r  # $HOME/${USER}di'r
+
+TEST            = 1234\
+5678\
+9ab                                     # TEST=123456789ab
+TTT             = 1234\n\n              # TTT=1234<nl><nl>
+
+
+
+==== des.doc ========================================================
+
+The DES library.
+
+Please note that this library was originally written to operate with
+eBones, a version of Kerberos that had had encryption removed when it left
+the USA and then put back in.  As such there are some routines that I will
+advise not using but they are still in the library for historical reasons.
+For all calls that have an 'input' and 'output' variables, they can be the
+same.
+
+This library requires the inclusion of 'des.h'.
+
+All of the encryption functions take what is called a des_key_schedule as an 
+argument.  A des_key_schedule is an expanded form of the des key.
+A des_key is 8 bytes of odd parity, the type used to hold the key is a
+des_cblock.  A des_cblock is an array of 8 bytes, often in this library
+description I will refer to input bytes when the function specifies
+des_cblock's as input or output, this just means that the variable should
+be a multiple of 8 bytes.
+
+The define DES_ENCRYPT is passed to specify encryption, DES_DECRYPT to
+specify decryption.  The functions and global variable are as follows:
+
+int des_check_key;
+        DES keys are supposed to be odd parity.  If this variable is set to
+        a non-zero value, des_set_key() will check that the key has odd
+        parity and is not one of the known weak DES keys.  By default this
+        variable is turned off;
+        
+void des_set_odd_parity(
+des_cblock *key );
+        This function takes a DES key (8 bytes) and sets the parity to odd.
+        
+int des_is_weak_key(
+des_cblock *key );
+        This function returns a non-zero value if the DES key passed is a
+        weak, DES key.  If it is a weak key, don't use it, try a different
+        one.  If you are using 'random' keys, the chances of hitting a weak
+        key are 1/2^52 so it is probably not worth checking for them.
+        
+int des_set_key(
+des_cblock *key,
+des_key_schedule schedule);
+        Des_set_key converts an 8 byte DES key into a des_key_schedule.
+        A des_key_schedule is an expanded form of the key which is used to
+        perform actual encryption.  It can be regenerated from the DES key
+        so it only needs to be kept when encryption or decryption is about
+        to occur.  Don't save or pass around des_key_schedule's since they
+        are CPU architecture dependent, DES keys are not.  If des_check_key
+        is non zero, zero is returned if the key has the wrong parity or
+        the key is a weak key, else 1 is returned.
+        
+int des_key_sched(
+des_cblock *key,
+des_key_schedule schedule);
+        An alternative name for des_set_key().
+
+int des_rw_mode;                /* defaults to DES_PCBC_MODE */
+        This flag holds either DES_CBC_MODE or DES_PCBC_MODE (default).
+        This specifies the function to use in the enc_read() and enc_write()
+        functions.
+
+void des_encrypt(
+unsigned long *data,
+des_key_schedule ks,
+int enc);
+        This is the DES encryption function that gets called by just about
+        every other DES routine in the library.  You should not use this
+        function except to implement 'modes' of DES.  I say this because the
+        functions that call this routine do the conversion from 'char *' to
+        long, and this needs to be done to make sure 'non-aligned' memory
+        access do not occur.  The characters are loaded 'little endian',
+        have a look at my source code for more details on how I use this
+        function.
+        Data is a pointer to 2 unsigned long's and ks is the
+        des_key_schedule to use.  enc, is non zero specifies encryption,
+        zero if decryption.
+
+void des_encrypt2(
+unsigned long *data,
+des_key_schedule ks,
+int enc);
+        This functions is the same as des_encrypt() except that the DES
+        initial permutation (IP) and final permutation (FP) have been left
+        out.  As for des_encrypt(), you should not use this function.
+        It is used by the routines in my library that implement triple DES.
+        IP() des_encrypt2() des_encrypt2() des_encrypt2() FP() is the same
+        as des_encrypt() des_encrypt() des_encrypt() except faster :-).
+
+void des_ecb_encrypt(
+des_cblock *input,
+des_cblock *output,
+des_key_schedule ks,
+int enc);
+        This is the basic Electronic Code Book form of DES, the most basic
+        form.  Input is encrypted into output using the key represented by
+        ks.  If enc is non zero (DES_ENCRYPT), encryption occurs, otherwise
+        decryption occurs.  Input is 8 bytes long and output is 8 bytes.
+        (the des_cblock structure is 8 chars).
+        
+void des_ecb3_encrypt(
+des_cblock *input,
+des_cblock *output,
+des_key_schedule ks1,
+des_key_schedule ks2,
+des_key_schedule ks3,
+int enc);
+        This is the 3 key EDE mode of ECB DES.  What this means is that 
+        the 8 bytes of input is encrypted with ks1, decrypted with ks2 and
+        then encrypted again with ks3, before being put into output;
+        C=E(ks3,D(ks2,E(ks1,M))).  There is a macro, des_ecb2_encrypt()
+        that only takes 2 des_key_schedules that implements,
+        C=E(ks1,D(ks2,E(ks1,M))) in that the final encrypt is done with ks1.
+        
+void des_cbc_encrypt(
+des_cblock *input,
+des_cblock *output,
+long length,
+des_key_schedule ks,
+des_cblock *ivec,
+int enc);
+        This routine implements DES in Cipher Block Chaining mode.
+        Input, which should be a multiple of 8 bytes is encrypted
+        (or decrypted) to output which will also be a multiple of 8 bytes.
+        The number of bytes is in length (and from what I've said above,
+        should be a multiple of 8).  If length is not a multiple of 8, I'm
+        not being held responsible :-).  ivec is the initialisation vector.
+        This function does not modify this variable.  To correctly implement
+        cbc mode, you need to do one of 2 things; copy the last 8 bytes of
+        cipher text for use as the next ivec in your application,
+        or use des_ncbc_encrypt(). 
+        Only this routine has this problem with updating the ivec, all
+        other routines that are implementing cbc mode update ivec.
+        
+void des_ncbc_encrypt(
+des_cblock *input,
+des_cblock *output,
+long length,
+des_key_schedule sk,
+des_cblock *ivec,
+int enc);
+        For historical reasons, des_cbc_encrypt() did not update the
+        ivec with the value requires so that subsequent calls to
+        des_cbc_encrypt() would 'chain'.  This was needed so that the same
+        'length' values would not need to be used when decrypting.
+        des_ncbc_encrypt() does the right thing.  It is the same as
+        des_cbc_encrypt accept that ivec is updates with the correct value
+        to pass in subsequent calls to des_ncbc_encrypt().  I advise using
+        des_ncbc_encrypt() instead of des_cbc_encrypt();
+
+void des_xcbc_encrypt(
+des_cblock *input,
+des_cblock *output,
+long length,
+des_key_schedule sk,
+des_cblock *ivec,
+des_cblock *inw,
+des_cblock *outw,
+int enc);
+        This is RSA's DESX mode of DES.  It uses inw and outw to
+        'whiten' the encryption.  inw and outw are secret (unlike the iv)
+        and are as such, part of the key.  So the key is sort of 24 bytes.
+        This is much better than cbc des.
+        
+void des_3cbc_encrypt(
+des_cblock *input,
+des_cblock *output,
+long length,
+des_key_schedule sk1,
+des_key_schedule sk2,
+des_cblock *ivec1,
+des_cblock *ivec2,
+int enc);
+        This function is flawed, do not use it.  I have left it in the
+        library because it is used in my des(1) program and will function
+        correctly when used by des(1).  If I removed the function, people
+        could end up unable to decrypt files.
+        This routine implements outer triple cbc encryption using 2 ks and
+        2 ivec's.  Use des_ede2_cbc_encrypt() instead.
+        
+void des_ede3_cbc_encrypt(
+des_cblock *input,
+des_cblock *output, 
+long length,
+des_key_schedule ks1,
+des_key_schedule ks2, 
+des_key_schedule ks3, 
+des_cblock *ivec,
+int enc);
+        This function implements outer triple CBC DES encryption with 3
+        keys.  What this means is that each 'DES' operation
+        inside the cbc mode is really an C=E(ks3,D(ks2,E(ks1,M))).
+        Again, this is cbc mode so an ivec is requires.
+        This mode is used by SSL.
+        There is also a des_ede2_cbc_encrypt() that only uses 2
+        des_key_schedule's, the first being reused for the final
+        encryption.  C=E(ks1,D(ks2,E(ks1,M))).  This form of triple DES
+        is used by the RSAref library.
+        
+void des_pcbc_encrypt(
+des_cblock *input,
+des_cblock *output,
+long length,
+des_key_schedule ks,
+des_cblock *ivec,
+int enc);
+        This is Propagating Cipher Block Chaining mode of DES.  It is used
+        by Kerberos v4.  It's parameters are the same as des_ncbc_encrypt().
+        
+void des_cfb_encrypt(
+unsigned char *in,
+unsigned char *out,
+int numbits,
+long length,
+des_key_schedule ks,
+des_cblock *ivec,
+int enc);
+        Cipher Feedback Back mode of DES.  This implementation 'feeds back'
+        in numbit blocks.  The input (and output) is in multiples of numbits
+        bits.  numbits should to be a multiple of 8 bits.  Length is the
+        number of bytes input.  If numbits is not a multiple of 8 bits,
+        the extra bits in the bytes will be considered padding.  So if
+        numbits is 12, for each 2 input bytes, the 4 high bits of the
+        second byte will be ignored.  So to encode 72 bits when using
+        a numbits of 12 take 12 bytes.  To encode 72 bits when using
+        numbits of 9 will take 16 bytes.  To encode 80 bits when using
+        numbits of 16 will take 10 bytes. etc, etc.  This padding will
+        apply to both input and output.
+
+        
+void des_cfb64_encrypt(
+unsigned char *in,
+unsigned char *out,
+long length,
+des_key_schedule ks,
+des_cblock *ivec,
+int *num,
+int enc);
+        This is one of the more useful functions in this DES library, it
+        implements CFB mode of DES with 64bit feedback.  Why is this
+        useful you ask?  Because this routine will allow you to encrypt an
+        arbitrary number of bytes, no 8 byte padding.  Each call to this
+        routine will encrypt the input bytes to output and then update ivec
+        and num.  num contains 'how far' we are though ivec.  If this does
+        not make much sense, read more about cfb mode of DES :-).
+        
+void des_ede3_cfb64_encrypt(
+unsigned char *in,
+unsigned char *out,
+long length,
+des_key_schedule ks1,
+des_key_schedule ks2,
+des_key_schedule ks3,
+des_cblock *ivec,
+int *num,
+int enc);
+        Same as des_cfb64_encrypt() accept that the DES operation is
+        triple DES.  As usual, there is a macro for
+        des_ede2_cfb64_encrypt() which reuses ks1.
+
+void des_ofb_encrypt(
+unsigned char *in,
+unsigned char *out,
+int numbits,
+long length,
+des_key_schedule ks,
+des_cblock *ivec);
+        This is a implementation of Output Feed Back mode of DES.  It is
+        the same as des_cfb_encrypt() in that numbits is the size of the
+        units dealt with during input and output (in bits).
+        
+void des_ofb64_encrypt(
+unsigned char *in,
+unsigned char *out,
+long length,
+des_key_schedule ks,
+des_cblock *ivec,
+int *num);
+        The same as des_cfb64_encrypt() except that it is Output Feed Back
+        mode.
+
+void des_ede3_ofb64_encrypt(
+unsigned char *in,
+unsigned char *out,
+long length,
+des_key_schedule ks1,
+des_key_schedule ks2,
+des_key_schedule ks3,
+des_cblock *ivec,
+int *num);
+        Same as des_ofb64_encrypt() accept that the DES operation is
+        triple DES.  As usual, there is a macro for
+        des_ede2_ofb64_encrypt() which reuses ks1.
+
+int des_read_pw_string(
+char *buf,
+int length,
+char *prompt,
+int verify);
+        This routine is used to get a password from the terminal with echo
+        turned off.  Buf is where the string will end up and length is the
+        size of buf.  Prompt is a string presented to the 'user' and if
+        verify is set, the key is asked for twice and unless the 2 copies
+        match, an error is returned.  A return code of -1 indicates a
+        system error, 1 failure due to use interaction, and 0 is success.
+
+unsigned long des_cbc_cksum(
+des_cblock *input,
+des_cblock *output,
+long length,
+des_key_schedule ks,
+des_cblock *ivec);
+        This function produces an 8 byte checksum from input that it puts in
+        output and returns the last 4 bytes as a long.  The checksum is
+        generated via cbc mode of DES in which only the last 8 byes are
+        kept.  I would recommend not using this function but instead using
+        the EVP_Digest routines, or at least using MD5 or SHA.  This
+        function is used by Kerberos v4 so that is why it stays in the
+        library.
+        
+char *des_fcrypt(
+const char *buf,
+const char *salt
+char *ret);
+        This is my fast version of the unix crypt(3) function.  This version
+        takes only a small amount of space relative to other fast
+        crypt() implementations.  This is different to the normal crypt
+        in that the third parameter is the buffer that the return value
+        is written into.  It needs to be at least 14 bytes long.  This
+        function is thread safe, unlike the normal crypt.
+
+char *crypt(
+const char *buf,
+const char *salt);
+        This function calls des_fcrypt() with a static array passed as the
+        third parameter.  This emulates the normal non-thread safe semantics
+        of crypt(3).
+
+void des_string_to_key(
+char *str,
+des_cblock *key);
+        This function takes str and converts it into a DES key.  I would
+        recommend using MD5 instead and use the first 8 bytes of output.
+        When I wrote the first version of these routines back in 1990, MD5
+        did not exist but I feel these routines are still sound.  This
+        routines is compatible with the one in MIT's libdes.
+        
+void des_string_to_2keys(
+char *str,
+des_cblock *key1,
+des_cblock *key2);
+        This function takes str and converts it into 2 DES keys.
+        I would recommend using MD5 and using the 16 bytes as the 2 keys.
+        I have nothing against these 2 'string_to_key' routines, it's just
+        that if you say that your encryption key is generated by using the
+        16 bytes of an MD5 hash, every-one knows how you generated your
+        keys.
+
+int des_read_password(
+des_cblock *key,
+char *prompt,
+int verify);
+        This routine combines des_read_pw_string() with des_string_to_key().
+
+int des_read_2passwords(
+des_cblock *key1,
+des_cblock *key2,
+char *prompt,
+int verify);
+        This routine combines des_read_pw_string() with des_string_to_2key().
+
+void des_random_seed(
+des_cblock key);
+        This routine sets a starting point for des_random_key().
+        
+void des_random_key(
+des_cblock ret);
+        This function return a random key.  Make sure to 'seed' the random
+        number generator (with des_random_seed()) before using this function.
+        I personally now use a MD5 based random number system.
+
+int des_enc_read(
+int fd,
+char *buf,
+int len,
+des_key_schedule ks,
+des_cblock *iv);
+        This function will write to a file descriptor the encrypted data
+        from buf.  This data will be preceded by a 4 byte 'byte count' and
+        will be padded out to 8 bytes.  The encryption is either CBC of
+        PCBC depending on the value of des_rw_mode.  If it is DES_PCBC_MODE,
+        pcbc is used, if DES_CBC_MODE, cbc is used.  The default is to use
+        DES_PCBC_MODE.
+
+int des_enc_write(
+int fd,
+char *buf,
+int len,
+des_key_schedule ks,
+des_cblock *iv);
+        This routines read stuff written by des_enc_read() and decrypts it.
+        I have used these routines quite a lot but I don't believe they are
+        suitable for non-blocking io.  If you are after a full
+        authentication/encryption over networks, have a look at SSL instead.
+
+unsigned long des_quad_cksum(
+des_cblock *input,
+des_cblock *output,
+long length,
+int out_count,
+des_cblock *seed);
+        This is a function from Kerberos v4 that is not anything to do with
+        DES but was needed.  It is a cksum that is quicker to generate than
+        des_cbc_cksum();  I personally would use MD5 routines now.
+=====
+Modes of DES
+Quite a bit of the following information has been taken from
+        AS 2805.5.2
+        Australian Standard
+        Electronic funds transfer - Requirements for interfaces,
+        Part 5.2: Modes of operation for an n-bit block cipher algorithm
+        Appendix A
+
+There are several different modes in which DES can be used, they are
+as follows.
+
+Electronic Codebook Mode (ECB) (des_ecb_encrypt())
+- 64 bits are enciphered at a time.
+- The order of the blocks can be rearranged without detection.
+- The same plaintext block always produces the same ciphertext block
+  (for the same key) making it vulnerable to a 'dictionary attack'.
+- An error will only affect one ciphertext block.
+
+Cipher Block Chaining Mode (CBC) (des_cbc_encrypt())
+- a multiple of 64 bits are enciphered at a time.
+- The CBC mode produces the same ciphertext whenever the same
+  plaintext is encrypted using the same key and starting variable.
+- The chaining operation makes the ciphertext blocks dependent on the
+  current and all preceding plaintext blocks and therefore blocks can not
+  be rearranged.
+- The use of different starting variables prevents the same plaintext
+  enciphering to the same ciphertext.
+- An error will affect the current and the following ciphertext blocks.
+
+Cipher Feedback Mode (CFB) (des_cfb_encrypt())
+- a number of bits (j) <= 64 are enciphered at a time.
+- The CFB mode produces the same ciphertext whenever the same
+  plaintext is encrypted using the same key and starting variable.
+- The chaining operation makes the ciphertext variables dependent on the
+  current and all preceding variables and therefore j-bit variables are
+  chained together and can not be rearranged.
+- The use of different starting variables prevents the same plaintext
+  enciphering to the same ciphertext.
+- The strength of the CFB mode depends on the size of k (maximal if
+  j == k).  In my implementation this is always the case.
+- Selection of a small value for j will require more cycles through
+  the encipherment algorithm per unit of plaintext and thus cause
+  greater processing overheads.
+- Only multiples of j bits can be enciphered.
+- An error will affect the current and the following ciphertext variables.
+
+Output Feedback Mode (OFB) (des_ofb_encrypt())
+- a number of bits (j) <= 64 are enciphered at a time.
+- The OFB mode produces the same ciphertext whenever the same
+  plaintext enciphered using the same key and starting variable.  More
+  over, in the OFB mode the same key stream is produced when the same
+  key and start variable are used.  Consequently, for security reasons
+  a specific start variable should be used only once for a given key.
+- The absence of chaining makes the OFB more vulnerable to specific attacks.
+- The use of different start variables values prevents the same
+  plaintext enciphering to the same ciphertext, by producing different
+  key streams.
+- Selection of a small value for j will require more cycles through
+  the encipherment algorithm per unit of plaintext and thus cause
+  greater processing overheads.
+- Only multiples of j bits can be enciphered.
+- OFB mode of operation does not extend ciphertext errors in the
+  resultant plaintext output.  Every bit error in the ciphertext causes
+  only one bit to be in error in the deciphered plaintext.
+- OFB mode is not self-synchronising.  If the two operation of
+  encipherment and decipherment get out of synchronism, the system needs
+  to be re-initialised.
+- Each re-initialisation should use a value of the start variable
+ different from the start variable values used before with the same
+ key.  The reason for this is that an identical bit stream would be
+ produced each time from the same parameters.  This would be
+ susceptible to a ' known plaintext' attack.
+
+Triple ECB Mode (des_ecb3_encrypt())
+- Encrypt with key1, decrypt with key2 and encrypt with key3 again.
+- As for ECB encryption but increases the key length to 168 bits.
+  There are theoretic attacks that can be used that make the effective
+  key length 112 bits, but this attack also requires 2^56 blocks of
+  memory, not very likely, even for the NSA.
+- If both keys are the same it is equivalent to encrypting once with
+  just one key.
+- If the first and last key are the same, the key length is 112 bits.
+  There are attacks that could reduce the key space to 55 bit's but it
+  requires 2^56 blocks of memory.
+- If all 3 keys are the same, this is effectively the same as normal
+  ecb mode.
+
+Triple CBC Mode (des_ede3_cbc_encrypt())
+- Encrypt with key1, decrypt with key2 and then encrypt with key3.
+- As for CBC encryption but increases the key length to 168 bits with
+  the same restrictions as for triple ecb mode.
+
+==== digest.doc ========================================================
+
+
+The Message Digest subroutines.
+
+These routines require "evp.h" to be included.
+
+These functions are a higher level interface to the various message digest
+routines found in this library.  As such, they allow the same code to be
+used to digest via different algorithms with only a change in an initial
+parameter.  They are basically just a front-end to the MD2, MD5, SHA
+and SHA1
+routines.
+
+These routines all take a pointer to the following structure to specify
+which message digest algorithm to use.
+typedef struct evp_md_st
+        {
+        int type;
+        int pkey_type;
+        int md_size;
+        void (*init)();
+        void (*update)();
+        void (*final)();
+
+        int required_pkey_type; /*EVP_PKEY_xxx */
+        int (*sign)();
+        int (*verify)();
+        } EVP_MD;
+
+If additional message digest algorithms are to be supported, a structure of
+this type needs to be declared and populated and then the Digest routines
+can be used with that algorithm.  The type field is the object NID of the
+digest type (read the section on Objects for an explanation).  The pkey_type
+is the Object type to use when the a message digest is generated by there
+routines and then is to be signed with the pkey algorithm.  Md_size is
+the size of the message digest returned.  Init, update
+and final are the relevant functions to perform the message digest function
+by parts.  One reason for specifying the message digest to use via this
+mechanism is that if you only use md5, only the md5 routines will
+be included in you linked program.  If you passed an integer
+that specified which message digest to use, the routine that mapped that
+integer to a set of message digest functions would cause all the message
+digests functions to be link into the code.  This setup also allows new
+message digest functions to be added by the application.
+
+The six message digests defined in this library are
+
+EVP_MD *EVP_md2(void);  /* RSA sign/verify */
+EVP_MD *EVP_md5(void);  /* RSA sign/verify */
+EVP_MD *EVP_sha(void);  /* RSA sign/verify */
+EVP_MD *EVP_sha1(void); /* RSA sign/verify */
+EVP_MD *EVP_dss(void);  /* DSA sign/verify */
+EVP_MD *EVP_dss1(void); /* DSA sign/verify */
+
+All the message digest routines take a EVP_MD_CTX pointer as an argument.
+The state of the message digest is kept in this structure.
+
+typedef struct pem_md_ctx_st
+        {
+        EVP_MD *digest;
+        union   {
+                unsigned char base[4]; /* this is used in my library as a
+                                        * 'pointer' to all union elements
+                                        * structures. */
+                MD2_CTX md2;
+                MD5_CTX md5;
+                SHA_CTX sha;
+                } md;
+        } EVP_MD_CTX;
+
+The Digest functions are as follows.
+
+void EVP_DigestInit(
+EVP_MD_CTX *ctx,
+EVP_MD *type);
+        This function is used to initialise the EVP_MD_CTX.  The message
+        digest that will associated with 'ctx' is specified by 'type'.
+
+void EVP_DigestUpdate(
+EVP_MD_CTX *ctx,
+unsigned char *data,
+unsigned int cnt);
+        This function is used to pass more data to the message digest
+        function.  'cnt' bytes are digested from 'data'.
+
+void EVP_DigestFinal(
+EVP_MD_CTX *ctx,
+unsigned char *md,
+unsigned int *len);
+        This function finishes the digestion and puts the message digest
+        into 'md'.  The length of the message digest is put into len;
+        EVP_MAX_MD_SIZE is the size of the largest message digest that
+        can be returned from this function.  Len can be NULL if the
+        size of the digest is not required.
+        
+
+==== encode.doc ========================================================
+
+
+void    EVP_EncodeInit(EVP_ENCODE_CTX *ctx);
+void    EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx,unsigned char *out,
+                int *outl,unsigned char *in,int inl);
+void    EVP_EncodeFinal(EVP_ENCODE_CTX *ctx,unsigned char *out,int *outl);
+int     EVP_EncodeBlock(unsigned char *t, unsigned char *f, int n);
+
+void    EVP_DecodeInit(EVP_ENCODE_CTX *ctx);
+int     EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx,unsigned char *out,int *outl,
+                unsigned char *in, int inl);
+int     EVP_DecodeFinal(EVP_ENCODE_CTX *ctx, unsigned
+                char *out, int *outl);
+int     EVP_DecodeBlock(unsigned char *t, unsigned
+                char *f, int n);
+
+
+==== envelope.doc ========================================================
+
+The following routines are use to create 'digital' envelopes.
+By this I mean that they perform various 'higher' level cryptographic
+functions.  Have a read of 'cipher.doc' and 'digest.doc' since those
+routines are used by these functions.
+cipher.doc contains documentation about the cipher part of the
+envelope library and digest.doc contatins the description of the
+message digests supported.
+
+To 'sign' a document involves generating a message digest and then encrypting
+the digest with an private key.
+
+#define EVP_SignInit(a,b)               EVP_DigestInit(a,b)
+#define EVP_SignUpdate(a,b,c)           EVP_DigestUpdate(a,b,c)
+Due to the fact this operation is basically just an extended message
+digest, the first 2 functions are macro calls to Digest generating
+functions.
+
+int     EVP_SignFinal(
+EVP_MD_CTX *ctx,
+unsigned char *md,
+unsigned int *s,
+EVP_PKEY *pkey);
+        This finalisation function finishes the generation of the message
+digest and then encrypts the digest (with the correct message digest 
+object identifier) with the EVP_PKEY private key.  'ctx' is the message digest
+context.  'md' will end up containing the encrypted message digest.  This
+array needs to be EVP_PKEY_size(pkey) bytes long.  's' will actually
+contain the exact length.  'pkey' of course is the private key.  It is
+one of EVP_PKEY_RSA or EVP_PKEY_DSA type.
+If there is an error, 0 is returned, otherwise 1.
+                
+Verify is used to check an signed message digest.
+
+#define EVP_VerifyInit(a,b)             EVP_DigestInit(a,b)
+#define EVP_VerifyUpdate(a,b,c)         EVP_DigestUpdate(a,b,c)
+Since the first step is to generate a message digest, the first 2 functions
+are macros.
+
+int EVP_VerifyFinal(
+EVP_MD_CTX *ctx,
+unsigned char *md,
+unsigned int s,
+EVP_PKEY *pkey);
+        This function finishes the generation of the message digest and then
+compares it with the supplied encrypted message digest.  'md' contains the
+'s' bytes of encrypted message digest.  'pkey' is used to public key decrypt
+the digest.  It is then compared with the message digest just generated.
+If they match, 1 is returned else 0.
+
+int     EVP_SealInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char **ek,
+                int *ekl, unsigned char *iv, EVP_PKEY **pubk, int npubk);
+Must have at least one public key, error is 0.  I should also mention that
+the buffers pointed to by 'ek' need to be EVP_PKEY_size(pubk[n]) is size.
+
+#define EVP_SealUpdate(a,b,c,d,e)       EVP_EncryptUpdate(a,b,c,d,e)    
+void    EVP_SealFinal(EVP_CIPHER_CTX *ctx,unsigned char *out,int *outl);
+
+
+int     EVP_OpenInit(EVP_CIPHER_CTX *ctx,EVP_CIPHER *type,unsigned char *ek,
+                int ekl,unsigned char *iv,EVP_PKEY *priv);
+0 on failure
+
+#define EVP_OpenUpdate(a,b,c,d,e)       EVP_DecryptUpdate(a,b,c,d,e)
+
+int     EVP_OpenFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
+Decrypt final return code
+
+
+==== error.doc ========================================================
+
+The error routines.
+
+The 'error' system I've implemented is intended to server 2 purpose, to
+record the reason why a command failed and to record where in the libraries
+the failure occurred.  It is more or less setup to record a 'trace' of which
+library components were being traversed when the error occurred.
+
+When an error is recorded, it is done so a as single unsigned long which is
+composed of three parts.  The top byte is the 'library' number, the middle
+12 bytes is the function code, and the bottom 12 bits is the 'reason' code.
+
+Each 'library', or should a say, 'section' of the SSLeay library has a
+different unique 'library' error number.  Each function in the library has
+a number that is unique for that library.  Each 'library' also has a number
+for each 'error reason' that is only unique for that 'library'.
+
+Due to the way these error routines record a 'error trace', there is an
+array per thread that is used to store the error codes.
+The various functions in this library are used to access
+and manipulate this array.
+
+void ERR_put_error(int lib, int func,int reason);
+        This routine records an error in library 'lib', function 'func'
+and reason 'reason'.  As errors get 'put' into the buffer, they wrap
+around and overwrite old errors if too many are written.  It is assumed
+that the last errors are the most important.
+
+unsigned long ERR_get_error(void );
+        This function returns the last error added to the error buffer.
+In effect it is popping the value off the buffer so repeated calls will
+continue to return values until there are no more errors to return in which
+case 0 is returned.
+
+unsigned long ERR_peek_error(void );
+        This function returns the value of the last error added to the
+error buffer but does not 'pop' it from the buffer.
+
+void ERR_clear_error(void );
+        This function clears the error buffer, discarding all unread
+errors.
+
+While the above described error system obviously produces lots of different
+error number, a method for 'reporting' these errors in a human readable
+form is required.  To achieve this, each library has the option of
+'registering' error strings.
+
+typedef struct ERR_string_data_st
+        {
+        unsigned long error;
+        char *string;
+        } ERR_STRING_DATA;
+
+The 'ERR_STRING_DATA' contains an error code and the corresponding text
+string.  To add new function error strings for a library, the
+ERR_STRING_DATA needs to be 'registered' with the library.
+
+void ERR_load_strings(unsigned long lib,ERR_STRING_DATA *err);
+        This function 'registers' the array of ERR_STRING_DATA pointed to by
+'err' as error text strings for the error library 'lib'.
+
+void ERR_free_strings(void);
+        This function free()s all the loaded error strings.
+
+char *ERR_error_string(unsigned long error,char *buf);
+        This function returns a text string that is a human readable
+version of the error represented by 'error'.  Buff should be at least 120
+bytes long and if it is NULL, the return value is a pointer to a static
+variable that will contain the error string, otherwise 'buf' is returned.
+If there is not a text string registered for a particular error, a text
+string containing the error number is returned instead.
+
+void ERR_print_errors(BIO *bp);
+void ERR_print_errors_fp(FILE *fp);
+        This function is a convenience routine that prints the error string
+for each error until all errors have been accounted for.
+
+char *ERR_lib_error_string(unsigned long e);
+char *ERR_func_error_string(unsigned long e);
+char *ERR_reason_error_string(unsigned long e);
+The above three functions return the 3 different components strings for the
+error 'e'.  ERR_error_string() uses these functions.
+
+void ERR_load_ERR_strings(void );
+        This function 'registers' the error strings for the 'ERR' module.
+
+void ERR_load_crypto_strings(void );
+        This function 'register' the error strings for just about every
+library in the SSLeay package except for the SSL routines.  There is no
+need to ever register any error text strings and you will probably save in
+program size.  If on the other hand you do 'register' all errors, it is
+quite easy to determine why a particular routine failed.
+
+As a final footnote as to why the error system is designed as it is.
+1) I did not want a single 'global' error code.
+2) I wanted to know which subroutine a failure occurred in.
+3) For Windows NT etc, it should be simple to replace the 'key' routines
+   with code to pass error codes back to the application.
+4) I wanted the option of meaningful error text strings.
+
+Late breaking news - the changes to support threads.
+
+Each 'thread' has an 'ERR_STATE' state associated with it.
+ERR_STATE *ERR_get_state(void ) will return the 'state' for the calling
+thread/process.
+
+ERR_remove_state(unsigned long pid); will 'free()' this state.  If pid == 0
+the current 'thread/process' will have it's error state removed.
+If you do not remove the error state of a thread, this could be considered a
+form of memory leak, so just after 'reaping' a thread that has died,
+call ERR_remove_state(pid).
+
+Have a read of thread.doc for more details for what is required for
+multi-threading support.  All the other error routines will
+work correctly when using threads.
+
+
+==== idea.doc ========================================================
+
+The IDEA library.
+IDEA is a block cipher that operates on 64bit (8 byte) quantities.  It
+uses a 128bit (16 byte) key.  It can be used in all the modes that DES can
+be used.  This library implements the ecb, cbc, cfb64 and ofb64 modes.
+
+For all calls that have an 'input' and 'output' variables, they can be the
+same.
+
+This library requires the inclusion of 'idea.h'.
+
+All of the encryption functions take what is called an IDEA_KEY_SCHEDULE as an 
+argument.  An IDEA_KEY_SCHEDULE is an expanded form of the idea key.
+For all modes of the IDEA algorithm, the IDEA_KEY_SCHEDULE used for
+decryption is different to the one used for encryption.
+
+The define IDEA_ENCRYPT is passed to specify encryption for the functions
+that require an encryption/decryption flag. IDEA_DECRYPT is passed to
+specify decryption.  For some mode there is no encryption/decryption
+flag since this is determined by the IDEA_KEY_SCHEDULE.
+
+So to encrypt you would do the following
+idea_set_encrypt_key(key,encrypt_ks);
+idea_ecb_encrypt(...,encrypt_ks);
+idea_cbc_encrypt(....,encrypt_ks,...,IDEA_ENCRYPT);
+
+To Decrypt
+idea_set_encrypt_key(key,encrypt_ks);
+idea_set_decrypt_key(encrypt_ks,decrypt_ks);
+idea_ecb_encrypt(...,decrypt_ks);
+idea_cbc_encrypt(....,decrypt_ks,...,IDEA_DECRYPT);
+
+Please note that any of the encryption modes specified in my DES library
+could be used with IDEA.  I have only implemented ecb, cbc, cfb64 and
+ofb64 for the following reasons.
+- ecb is the basic IDEA encryption.
+- cbc is the normal 'chaining' form for block ciphers.
+- cfb64 can be used to encrypt single characters, therefore input and output
+  do not need to be a multiple of 8.
+- ofb64 is similar to cfb64 but is more like a stream cipher, not as
+  secure (not cipher feedback) but it does not have an encrypt/decrypt mode.
+- If you want triple IDEA, thats 384 bits of key and you must be totally
+  obsessed with security.  Still, if you want it, it is simple enough to
+  copy the function from the DES library and change the des_encrypt to
+  idea_encrypt; an exercise left for the paranoid reader :-).
+
+The functions are as follows:
+
+void idea_set_encrypt_key(
+unsigned char *key;
+IDEA_KEY_SCHEDULE *ks);
+        idea_set_encrypt_key converts a 16 byte IDEA key into an
+        IDEA_KEY_SCHEDULE.  The IDEA_KEY_SCHEDULE is an expanded form of
+        the key which can be used to perform IDEA encryption.
+        An IDEA_KEY_SCHEDULE is an expanded form of the key which is used to
+        perform actual encryption.  It can be regenerated from the IDEA key
+        so it only needs to be kept when encryption is about
+        to occur.  Don't save or pass around IDEA_KEY_SCHEDULE's since they
+        are CPU architecture dependent, IDEA keys are not.
+        
+void idea_set_decrypt_key(
+IDEA_KEY_SCHEDULE *encrypt_ks,
+IDEA_KEY_SCHEDULE *decrypt_ks);
+        This functions converts an encryption IDEA_KEY_SCHEDULE into a
+        decryption IDEA_KEY_SCHEDULE.  For all decryption, this conversion
+        of the key must be done.  In some modes of IDEA, an
+        encryption/decryption flag is also required, this is because these
+        functions involve block chaining and the way this is done changes
+        depending on which of encryption of decryption is being done.
+        Please note that there is no quick way to generate the decryption
+        key schedule other than generating the encryption key schedule and
+        then converting it.
+
+void idea_encrypt(
+unsigned long *data,
+IDEA_KEY_SCHEDULE *ks);
+        This is the IDEA encryption function that gets called by just about
+        every other IDEA routine in the library.  You should not use this
+        function except to implement 'modes' of IDEA.  I say this because the
+        functions that call this routine do the conversion from 'char *' to
+        long, and this needs to be done to make sure 'non-aligned' memory
+        access do not occur.
+        Data is a pointer to 2 unsigned long's and ks is the
+        IDEA_KEY_SCHEDULE to use.  Encryption or decryption depends on the
+        IDEA_KEY_SCHEDULE.
+
+void idea_ecb_encrypt(
+unsigned char *input,
+unsigned char *output,
+IDEA_KEY_SCHEDULE *ks);
+        This is the basic Electronic Code Book form of IDEA (in DES this
+        mode is called Electronic Code Book so I'm going to use the term
+        for idea as well :-).
+        Input is encrypted into output using the key represented by
+        ks.  Depending on the IDEA_KEY_SCHEDULE, encryption or
+        decryption occurs.  Input is 8 bytes long and output is 8 bytes.
+        
+void idea_cbc_encrypt(
+unsigned char *input,
+unsigned char *output,
+long length,
+IDEA_KEY_SCHEDULE *ks,
+unsigned char *ivec,
+int enc);
+        This routine implements IDEA in Cipher Block Chaining mode.
+        Input, which should be a multiple of 8 bytes is encrypted
+        (or decrypted) to output which will also be a multiple of 8 bytes.
+        The number of bytes is in length (and from what I've said above,
+        should be a multiple of 8).  If length is not a multiple of 8, bad 
+        things will probably happen.  ivec is the initialisation vector.
+        This function updates iv after each call so that it can be passed to
+        the next call to idea_cbc_encrypt().
+        
+void idea_cfb64_encrypt(
+unsigned char *in,
+unsigned char *out,
+long length,
+des_key_schedule ks,
+des_cblock *ivec,
+int *num,
+int enc);
+        This is one of the more useful functions in this IDEA library, it
+        implements CFB mode of IDEA with 64bit feedback.
+        This allows you to encrypt an arbitrary number of bytes,
+        you do not require 8 byte padding.  Each call to this
+        routine will encrypt the input bytes to output and then update ivec
+        and num.  Num contains 'how far' we are though ivec.
+        Enc is used to indicate encryption or decryption.
+        One very important thing to remember is that when decrypting, use
+        the encryption form of the key.
+        CFB64 mode operates by using the cipher to
+        generate a stream of bytes which is used to encrypt the plain text.
+        The cipher text is then encrypted to generate the next 64 bits to
+        be xored (incrementally) with the next 64 bits of plain
+        text.  As can be seen from this, to encrypt or decrypt,
+        the same 'cipher stream' needs to be generated but the way the next
+        block of data is gathered for encryption is different for
+        encryption and decryption.  What this means is that to encrypt
+        idea_set_encrypt_key(key,ks);
+        idea_cfb64_encrypt(...,ks,..,IDEA_ENCRYPT)
+        do decrypt
+        idea_set_encrypt_key(key,ks)
+        idea_cfb64_encrypt(...,ks,...,IDEA_DECRYPT)
+        Note: The same IDEA_KEY_SCHEDULE but different encryption flags.
+        For idea_cbc or idea_ecb, idea_set_decrypt_key() would need to be
+        used to generate the IDEA_KEY_SCHEDULE for decryption.
+        The reason I'm stressing this point is that I just wasted 3 hours
+        today trying to decrypt using this mode and the decryption form of
+        the key :-(.
+        
+void idea_ofb64_encrypt(
+unsigned char *in,
+unsigned char *out,
+long length,
+des_key_schedule ks,
+des_cblock *ivec,
+int *num);
+        This functions implements OFB mode of IDEA with 64bit feedback.
+        This allows you to encrypt an arbitrary number of bytes,
+        you do not require 8 byte padding.  Each call to this
+        routine will encrypt the input bytes to output and then update ivec
+        and num.  Num contains 'how far' we are though ivec.
+        This is in effect a stream cipher, there is no encryption or
+        decryption mode.  The same key and iv should be used to
+        encrypt and decrypt.
+        
+For reading passwords, I suggest using des_read_pw_string() from my DES library.
+To generate a password from a text string, I suggest using MD5 (or MD2) to
+produce a 16 byte message digest that can then be passed directly to
+idea_set_encrypt_key().
+
+=====
+For more information about the specific IDEA modes in this library
+(ecb, cbc, cfb and ofb), read the section entitled 'Modes of DES' from the
+documentation on my DES library.  What is said about DES is directly
+applicable for IDEA.
+
+
+==== legal.doc ========================================================
+
+From eay@mincom.com Thu Jun 27 00:25:45 1996
+Received: by orb.mincom.oz.au id AA15821
+  (5.65c/IDA-1.4.4 for eay); Wed, 26 Jun 1996 14:25:45 +1000
+Date: Wed, 26 Jun 1996 14:25:45 +1000 (EST)
+From: Eric Young <eay@mincom.oz.au>
+X-Sender: eay@orb
+To: Ken Toll <ktoll@ren.digitalage.com>
+Cc: Eric Young <eay@mincom.oz.au>, ssl-talk@netscape.com
+Subject: Re: Unidentified subject!
+In-Reply-To: <9606261950.ZM28943@ren.digitalage.com>
+Message-Id: <Pine.SOL.3.91.960626131156.28573K-100000@orb>
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+Status: O
+X-Status: 
+
+
+This is a little off topic but since SSLeay is a free implementation of
+the SSLv2 protocol, I feel it is worth responding on the topic of if it 
+is actually legal for Americans to use free cryptographic software.
+
+On Wed, 26 Jun 1996, Ken Toll wrote:
+> Is the U.S the only country that SSLeay cannot be used commercially 
+> (because of RSAref) or is that going to be an issue with every country 
+> that a client/server application (non-web browser/server) is deployed 
+> and sold?
+
+>From what I understand, the software patents that apply to algorithms 
+like RSA and DH only apply in the USA.  The IDEA algorithm I believe is 
+patened in europe (USA?), but considing how little it is used by other SSL 
+implementations, it quite easily be left out of the SSLeay build
+(this can be done with a compile flag).
+
+Actually if the RSA patent did apply outside the USA, it could be rather
+interesting since RSA is not alowed to let RSA toolkits outside of the USA
+[1], and since these are the only forms that they will alow the algorithm
+to be used in, it would mean that non-one outside of the USA could produce
+public key software which would be a very strong statment for
+international patent law to make :-).  This logic is a little flawed but
+it still points out some of the more interesting permutations of USA
+patent law and ITAR restrictions. 
+
+Inside the USA there is also the unresolved issue of RC4/RC2 which were
+made public on sci.crypt in Sep 1994 (RC4) and Feb 1996 (RC2).  I have
+copies of the origional postings if people are interested.  RSA I believe 
+claim that they were 'trade-secrets' and that some-one broke an NDA in 
+revealing them.  Other claim they reverse engineered the algorithms from 
+compiled binaries.  If the algorithms were reverse engineered, I belive 
+RSA had no legal leg to stand on.  If an NDA was broken, I don't know.
+Regardless, RSA, I belive, is willing to go to court over the issue so 
+licencing is probably the best idea, or at least talk to them.
+If there are people who actually know more about this, pease let me know, I 
+don't want to vilify or spread miss-information if I can help it.
+
+If you are not producing a web browser, it is easy to build SSLeay with
+RC2/RC4 removed. Since RC4 is the defacto standard cipher in 
+all web software (and it is damn fast) it is more or less required for 
+www use. For non www use of SSL, especially for an application where 
+interoperability with other vendors is not critical just leave it out.
+
+Removing IDEA, RC2 and RC4 would only leave DES and Triple DES but 
+they should be ok.  Considing that Triple DES can encrypt at rates of
+410k/sec on a pentium 100, and 940k/sec on a P6/200, this is quite 
+reasonable performance.  Single DES clocks in at 1160k/s and 2467k/s
+respectivly is actually quite fast for those not so paranoid (56 bit key).[1]
+
+> Is it possible to get a certificate for commercial use outside of the U.S.?
+yes.
+
+Thawte Consulting issues certificates (they are the people who sell the
+        Sioux httpd server and are based in South Africa)
+Verisign will issue certificates for Sioux (sold from South Africa), so this
+        proves that they will issue certificate for OS use if they are
+        happy with the quality of the software.
+
+(The above mentioned companies just the ones that I know for sure are issuing
+ certificates outside the USA).
+
+There is always the point that if you are using SSL for an intra net, 
+SSLeay provides programs that can be used so you can issue your own 
+certificates.  They need polishing but at least it is a good starting point.
+
+I am not doing anything outside Australian law by implementing these
+algorithms (to the best of my knowedge).  It is another example of how 
+the world legal system does not cope with the internet very well.
+
+I may start making shared libraries available (I have now got DLL's for 
+Windows).  This will mean that distributions into the usa could be 
+shipped with a version with a reduced cipher set and the versions outside 
+could use the DLL/shared library with all the ciphers (and without RSAref).
+
+This could be completly hidden from the application, so this would not 
+even require a re-linking.
+
+This is the reverse of what people were talking about doing to get around 
+USA export regulations :-)
+
+eric
+
+[1]:    The RSAref2.0 tookit is available on at least 3 ftp sites in Europe
+        and one in South Africa.
+
+[2]:    Since I always get questions when I post benchmark numbers :-),
+        DES performace figures are in 1000's of bytes per second in cbc 
+        mode using an 8192 byte buffer.  The pentium 100 was running Windows NT 
+        3.51 DLLs and the 686/200 was running NextStep.
+        I quote pentium 100 benchmarks because it is basically the
+        'entry level' computer that most people buy for personal use.
+        Windows 95 is the OS shipping on those boxes, so I'll give
+        NT numbers (the same Win32 runtime environment).  The 686
+        numbers are present as an indication of where we will be in a
+        few years.
+--
+Eric Young                  | BOOL is tri-state according to Bill Gates.
+AARNet: eay@mincom.oz.au    | RTFM Win32 GetMessage().
+
+
+
+==== lhash.doc ========================================================
+
+The LHASH library.
+
+I wrote this library in 1991 and have since forgotten why I called it lhash.
+It implements a hash table from an article I read at the
+time from 'Communications of the ACM'.  What makes this hash
+table different is that as the table fills, the hash table is
+increased (or decreased) in size via realloc().
+When a 'resize' is done, instead of all hashes being redistributed over
+twice as many 'buckets', one bucket is split.  So when an 'expand' is done,
+there is only a minimal cost to redistribute some values.  Subsequent
+inserts will cause more single 'bucket' redistributions but there will
+never be a sudden large cost due to redistributing all the 'buckets'.
+
+The state for a particular hash table is kept in the LHASH structure.
+The LHASH structure also records statistics about most aspects of accessing
+the hash table.  This is mostly a legacy of my writing this library for
+the reasons of implementing what looked like a nice algorithm rather than
+for a particular software product.
+
+Internal stuff you probably don't want to know about.
+The decision to increase or decrease the hash table size is made depending
+on the 'load' of the hash table.  The load is the number of items in the
+hash table divided by the size of the hash table.  The default values are
+as follows.  If (hash->up_load < load) => expand.
+if (hash->down_load > load) =>  contract.  The 'up_load' has a default value of
+1 and 'down_load' has a default value of 2.  These numbers can be modified
+by the application by just playing with the 'up_load' and 'down_load'
+variables.  The 'load' is kept in a form which is multiplied by 256.  So
+hash->up_load=8*256; will cause a load of 8 to be set.
+
+If you are interested in performance the field to watch is
+num_comp_calls.  The hash library keeps track of the 'hash' value for
+each item so when a lookup is done, the 'hashes' are compared, if
+there is a match, then a full compare is done, and
+hash->num_comp_calls is incremented.  If num_comp_calls is not equal
+to num_delete plus num_retrieve it means that your hash function is
+generating hashes that are the same for different values.  It is
+probably worth changing your hash function if this is the case because
+even if your hash table has 10 items in a 'bucked', it can be searched
+with 10 'unsigned long' compares and 10 linked list traverses.  This
+will be much less expensive that 10 calls to you compare function.
+
+LHASH *lh_new(
+unsigned long (*hash)(),
+int (*cmp)());
+        This function is used to create a new LHASH structure.  It is passed
+        function pointers that are used to store and retrieve values passed
+        into the hash table.  The 'hash'
+        function is a hashing function that will return a hashed value of
+        it's passed structure.  'cmp' is passed 2 parameters, it returns 0
+        is they are equal, otherwise, non zero.
+        If there are any problems (usually malloc failures), NULL is
+        returned, otherwise a new LHASH structure is returned.  The
+        hash value is normally truncated to a power of 2, so make sure
+        that your hash function returns well mixed low order bits.
+        
+void lh_free(
+LHASH *lh);
+        This function free()s a LHASH structure.  If there is malloced
+        data in the hash table, it will not be freed.  Consider using the
+        lh_doall function to deallocate any remaining entries in the hash
+        table.
+        
+char *lh_insert(
+LHASH *lh,
+char *data);
+        This function inserts the data pointed to by data into the lh hash
+        table.  If there is already and entry in the hash table entry, the
+        value being replaced is returned.  A NULL is returned if the new
+        entry does not clash with an entry already in the table (the normal
+        case) or on a malloc() failure (perhaps I should change this....).
+        The 'char *data' is exactly what is passed to the hash and
+        comparison functions specified in lh_new().
+        
+char *lh_delete(
+LHASH *lh,
+char *data);
+        This routine deletes an entry from the hash table.  The value being
+        deleted is returned.  NULL is returned if there is no such value in
+        the hash table.
+
+char *lh_retrieve(
+LHASH *lh,
+char *data);
+        If 'data' is in the hash table it is returned, else NULL is
+        returned.  The way these routines would normally be uses is that a
+        dummy structure would have key fields populated and then
+        ret=lh_retrieve(hash,&dummy);.  Ret would now be a pointer to a fully
+        populated structure.
+
+void lh_doall(
+LHASH *lh,
+void (*func)(char *a));
+        This function will, for every entry in the hash table, call function
+        'func' with the data item as parameters.
+        This function can be quite useful when used as follows.
+        void cleanup(STUFF *a)
+                { STUFF_free(a); }
+        lh_doall(hash,cleanup);
+        lh_free(hash);
+        This can be used to free all the entries, lh_free() then
+        cleans up the 'buckets' that point to nothing.  Be careful
+        when doing this.  If you delete entries from the hash table,
+        in the call back function, the table may decrease in size,
+        moving item that you are
+        currently on down lower in the hash table.  This could cause
+        some entries to be skipped.  The best solution to this problem
+        is to set lh->down_load=0 before you start.  This will stop
+        the hash table ever being decreased in size.
+
+void lh_doall_arg(
+LHASH *lh;
+void(*func)(char *a,char *arg));
+char *arg;
+        This function is the same as lh_doall except that the function
+        called will be passed 'arg' as the second argument.
+        
+unsigned long lh_strhash(
+char *c);
+        This function is a demo string hashing function.  Since the LHASH
+        routines would normally be passed structures, this routine would
+        not normally be passed to lh_new(), rather it would be used in the
+        function passed to lh_new().
+
+The next three routines print out various statistics about the state of the
+passed hash table.  These numbers are all kept in the lhash structure.
+
+void lh_stats(
+LHASH *lh,
+FILE *out);
+        This function prints out statistics on the size of the hash table,
+        how many entries are in it, and the number and result of calls to
+        the routines in this library.
+
+void lh_node_stats(
+LHASH *lh,
+FILE *out);
+        For each 'bucket' in the hash table, the number of entries is
+        printed.
+        
+void lh_node_usage_stats(
+LHASH *lh,
+FILE *out);
+        This function prints out a short summary of the state of the hash
+        table.  It prints what I call the 'load' and the 'actual load'.
+        The load is the average number of data items per 'bucket' in the
+        hash table.  The 'actual load' is the average number of items per
+        'bucket', but only for buckets which contain entries.  So the
+        'actual load' is the average number of searches that will need to
+        find an item in the hash table, while the 'load' is the average number
+        that will be done to record a miss.
+
+==== md2.doc ========================================================
+
+The MD2 library.
+MD2 is a message digest algorithm that can be used to condense an arbitrary
+length message down to a 16 byte hash.  The functions all need to be passed
+a MD2_CTX which is used to hold the MD2 context during multiple MD2_Update()
+function calls.  The normal method of use for this library is as follows
+
+MD2_Init(...);
+MD2_Update(...);
+...
+MD2_Update(...);
+MD2_Final(...);
+
+This library requires the inclusion of 'md2.h'.
+
+The main negative about MD2 is that it is slow, especially when compared
+to MD5.
+
+The functions are as follows:
+
+void MD2_Init(
+MD2_CTX *c);
+        This function needs to be called to initiate a MD2_CTX structure for
+        use.
+        
+void MD2_Update(
+MD2_CTX *c;
+unsigned char *data;
+unsigned long len);
+        This updates the message digest context being generated with 'len'
+        bytes from the 'data' pointer.  The number of bytes can be any
+        length.
+
+void MD2_Final(
+unsigned char *md;
+MD2_CTX *c;
+        This function is called when a message digest of the data digested
+        with MD2_Update() is wanted.  The message digest is put in the 'md'
+        array and is MD2_DIGEST_LENGTH (16) bytes long.
+
+unsigned char *MD2(
+unsigned long n;
+unsigned char *d;
+unsigned char *md;
+        This function performs a MD2_Init(), followed by a MD2_Update()
+        followed by a MD2_Final() (using a local MD2_CTX).
+        The resulting digest is put into 'md' if it is not NULL.
+        Regardless of the value of 'md', the message
+        digest is returned from the function.  If 'md' was NULL, the message
+        digest returned is being stored in a static structure.
+
+==== md5.doc ========================================================
+
+The MD5 library.
+MD5 is a message digest algorithm that can be used to condense an arbitrary
+length message down to a 16 byte hash.  The functions all need to be passed
+a MD5_CTX which is used to hold the MD5 context during multiple MD5_Update()
+function calls.  This library also contains random number routines that are
+based on MD5
+
+The normal method of use for this library is as follows
+
+MD5_Init(...);
+MD5_Update(...);
+...
+MD5_Update(...);
+MD5_Final(...);
+
+This library requires the inclusion of 'md5.h'.
+
+The functions are as follows:
+
+void MD5_Init(
+MD5_CTX *c);
+        This function needs to be called to initiate a MD5_CTX structure for
+        use.
+        
+void MD5_Update(
+MD5_CTX *c;
+unsigned char *data;
+unsigned long len);
+        This updates the message digest context being generated with 'len'
+        bytes from the 'data' pointer.  The number of bytes can be any
+        length.
+
+void MD5_Final(
+unsigned char *md;
+MD5_CTX *c;
+        This function is called when a message digest of the data digested
+        with MD5_Update() is wanted.  The message digest is put in the 'md'
+        array and is MD5_DIGEST_LENGTH (16) bytes long.
+
+unsigned char *MD5(
+unsigned char *d;
+unsigned long n;
+unsigned char *md;
+        This function performs a MD5_Init(), followed by a MD5_Update()
+        followed by a MD5_Final() (using a local MD5_CTX).
+        The resulting digest is put into 'md' if it is not NULL.
+        Regardless of the value of 'md', the message
+        digest is returned from the function.  If 'md' was NULL, the message
+        digest returned is being stored in a static structure.
+
+
+==== memory.doc ========================================================
+
+In the interests of debugging SSLeay, there is an option to compile
+using some simple memory leak checking.
+
+All malloc(), free() and realloc() calls in SSLeay now go via
+Malloc(), Free() and Realloc() (except those in crypto/lhash).
+
+If CRYPTO_MDEBUG is defined, these calls are #defined to
+CRYPTO_malloc(), CRYPTO_free() and CRYPTO_realloc().
+If it is not defined, they are #defined to malloc(), free() and realloc().
+
+the CRYPTO_malloc() routines by default just call the underlying library
+functons.
+
+If CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) is called, memory leak detection is
+turned on.  CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF) turns it off.
+
+When turned on, each Malloc() or Realloc() call is recored along with the file
+and line number from where the call was made.   (This is done using the
+lhash library which always uses normal system malloc(3) routines).
+
+void CRYPTO_mem_leaks(BIO *b);
+void CRYPTO_mem_leaks_fp(FILE *fp);
+These both print out the list of memory that has not been free()ed.
+This will probably be rather hard to read, but if you look for the 'top level'
+structure allocation, this will often give an idea as to what is not being
+free()ed.  I don't expect people to use this stuff normally.
+
+==== ca.1 ========================================================
+
+From eay@orb.mincom.oz.au Thu Dec 28 23:56:45 1995
+Received: by orb.mincom.oz.au id AA07374
+  (5.65c/IDA-1.4.4 for eay); Thu, 28 Dec 1995 13:56:45 +1000
+Date: Thu, 28 Dec 1995 13:56:45 +1000 (EST)
+From: Eric Young <eay@mincom.oz.au>
+X-Sender: eay@orb
+To: sameer <sameer@c2.org>
+Cc: ssleay@mincom.oz.au
+Subject: Re: 'ca'
+In-Reply-To: <199512230440.UAA23410@infinity.c2.org>
+Message-Id: <Pine.SOL.3.91.951228133525.7269A-100000@orb>
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+Status: RO
+X-Status: 
+
+On Fri, 22 Dec 1995, sameer wrote:
+>       I could use documentation on 'ca'. Thanks.
+
+Very quickly.
+The ca program uses the ssleay.conf file for most of its configuration
+
+./ca -help
+
+ -verbose        - Talk alot while doing things
+ -config file    - A config file. If you don't want to use the
+                   default config file
+ -name arg       - The particular CA definition to use
+        In the config file, the section to use for parameters.  This lets 
+        multiple setups to be contained in the one file.  By default, the 
+        default_ca variable is looked up in the [ ca ] section.  So in the 
+        shipped ssleay.conf, the CA definition used is CA_default.  It could be 
+        any other name.
+ -gencrl days    - Generate a new CRL, days is when the next CRL is due
+        This will generate a new certificate revocion list.
+ -days arg       - number of days to certify the certificate for
+        When certifiying certificates, this is the number of days to use.
+ -md arg         - md to use, one of md2, md5, sha or sha1
+ -policy arg     - The CA 'policy' to support
+        I'll describe this later, but there are 2 policies definied in the 
+        shipped ssleay.conf
+ -keyfile arg    - PEM RSA private key file
+ -key arg        - key to decode the RSA private key if it is encrypted
+        since we need to keep the CA's RSA key encrypted
+ -cert           - The CA certificate
+ -in file        - The input PEM encoded certificate request(s)
+ -out file       - Where to put the output file(s)
+ -outdir dir     - Where to put output certificates
+        The -out options concatinates all the output certificied
+        certificates to one file, -outdir puts them in a directory,
+        named by serial number.
+ -infiles ....   - The last argument, requests to process
+        The certificate requests to process, -in is the same.
+
+Just about all the above have default values defined in ssleay.conf.
+
+The key variables in ssleay.conf are (for the pariticular '-name' being 
+used, in the default, it is CA_default).
+
+dir is where all the CA database stuff is kept.
+certs is where all the previously issued certificates are kept.
+The database is a simple text database containing the following tab separated 
+fields.
+status: a value of 'R' - revoked, 'E' -expired or 'V' valid.
+issued date:  When the certificate was certified.
+revoked date:  When it was revoked, blank if not revoked.
+serial number:  The certificate serial number.
+certificate:    Where the certificate is located.
+CN:     The name of the certificate.
+
+The demo file has quite a few made up values it it.  The last 2 were 
+added by the ca program and are acurate.
+The CA program does not update the 'certificate' file correctly right now.
+The serial field should be unique as should the CN/status combination.
+The ca program checks these at startup.  What still needs to be 
+wrtten is a program to 'regenerate' the data base file from the issued 
+certificate list (and a CRL list).
+
+Back to the CA_default variables.
+
+Most of the variables are commented.
+
+policy is the default policy.
+
+Ok for policies, they define the order and which fields must be present 
+in the certificate request and what gets filled in.
+
+So a value of
+countryName             = match
+means that the country name must match the CA certificate.
+organizationalUnitName  = optional
+The org.Unit,Name does not have to be present and
+commonName              = supplied
+commonName must be supplied in the certificate request.
+
+For the 'policy_match' polocy, the order of the attributes in the 
+generated certiticate would be
+countryName
+stateOrProvinceName
+organizationName
+organizationalUnitName
+commonName
+emailAddress
+
+Have a play, it sort of makes sense.  If you think about how the persona 
+requests operate, it is similar to the 'policy_match' policy and the
+'policy_anything' is similar to what versign is doing.
+
+I hope this helps a bit.  Some backend scripts are definitly needed to 
+update the database and to make certificate revocion easy.  All 
+certificates issued should also be kept forever (or until they expire?)
+
+hope this helps
+eric (who has to run off an buy some cheap knee pads for the caving in 4 
+days time :-)
+
+--
+Eric Young                  | Signature removed since it was generating
+AARNet: eay@mincom.oz.au    | more followups than the message contents :-)
+
+
+==== ms3-ca.doc ========================================================
+
+Date: Mon, 9 Jun 97 08:00:33 +0200
+From: Holger.Reif@PrakInf.TU-Ilmenau.DE (Holger Reif)
+Subject: ms3-ca.doc
+Organization: TU Ilmenau, Fak. IA, FG Telematik
+Content-Length: 14575
+Status: RO
+X-Status: 
+
+Loading client certs into MSIE 3.01
+===================================
+
+This document conatains all the information necessary to succesfully set up 
+some scripts to issue client certs to Microsoft Internet Explorer. It 
+includes the required knowledge about the model MSIE uses for client 
+certification and includes complete sample scripts ready to play with. The 
+scripts were tested against a modified ca program of SSLeay 0.6.6 and should 
+work with the regular ca program that comes with version 0.8.0. I haven't 
+tested against MSIE 4.0
+
+You can use the information contained in this document in either way you 
+want. However if you feel it saved you a lot of time I ask you to be as fair 
+as to mention my name: Holger Reif <reif@prakinf.tu-ilmenau.de>.
+
+1.) The model used by MSIE
+--------------------------
+
+The Internet Explorer doesn't come with a embedded engine for installing 
+client certs like Netscape's Navigator. It rather uses the CryptoAPI (CAPI) 
+defined by Microsoft. CAPI comes with WindowsNT 4.0 or is installed together 
+with Internet Explorer since 3.01. The advantage of this approach is a higher 
+flexibility because the certificates in the (per user) system open 
+certificate store may be used by other applications as well. The drawback 
+however is that you need to do a bit more work to get a client cert issued.
+
+CAPI defines functions which will handle basic cryptographic work, eg. 
+generating keys, encrypting some data, signing text or building a certificate 
+request. The procedure is as follows: A CAPI function generates you a key 
+pair and saves it into the certificate store. After that one builds a 
+Distinguished Name. Together with that key pair another CAPI function forms a 
+PKCS#10 request which you somehow need to submit to a CA. Finally the issued 
+cert is given to a yet another CAPI function which saves it into the 
+certificate store.
+
+The certificate store with the user's keys and certs is in the registry. You 
+will find it under HKEY_CURRENT_USER/Software/Microsoft/Cryptography/ (I 
+leave it to you as a little exercise to figure out what all the entries mean 
+;-). Note that the keys are protected only with the user's usual Windows 
+login password.
+
+2.) The practical usage
+-----------------------
+
+Unfortunatly since CAPI is a system API you can't access its functions from 
+HTML code directly. For this purpose Microsoft provides a wrapper called 
+certenr3.dll. This DLL accesses the CAPI functions and provides an interface 
+usable from Visual Basic Script. One needs to install that library on the 
+computer which wants to have client cert. The easiest way is to load it as an 
+ActiveX control (certenr3.dll is properly authenticode signed by MS ;-). If 
+you have ever enrolled e cert request at a CA you will have installed it.
+
+At time of writing certenr3.dll is contained in 
+http://www.microsoft.com/workshop/prog/security/csa/certenr3.exe. It comes 
+with an README file which explains the available functions. It is labeled 
+beta but every CA seems to use it anyway. The license.txt allows you the 
+usage for your own purposes (as far as I understood) and a somehow limited 
+distribution. 
+
+The two functions of main interest are GenerateKeyPair and AcceptCredentials. 
+For complete explanation of all possible parameters see the README file. Here 
+are only minimal required parameters and their values.
+
+GenerateKeyPair(sessionID, FASLE, szName, 0, "ClientAuth", TRUE, FALSE, 1)
+- sessionID is a (locally to that computer) unique string to correlate the 
+generated key pair with a cert installed later.
+- szName is the DN of the form "C=DE; S=Thueringen; L=Ilmenau; CN=Holger 
+Reif; 1.2.840.113549.1.9.1=reif@prakinf.tu-ilmenau.de". Note that S is the 
+abreviation for StateOrProvince. The recognized abreviation include CN, O, C, 
+OU, G, I, L, S, T. If the abreviation is unknown (eg. for PKCS#9 email addr) 
+you need to use the full object identifier. The starting point for searching 
+them could be crypto/objects.h since all OIDs know to SSLeay are listed 
+there.
+- note: the possible ninth parameter which should give a default name to the 
+certificate storage location doesn't seem to work. Changes to the constant 
+values in the call above doesn't seem to make sense. You can't generate 
+PKCS#10 extensions with that function.
+
+The result of GenerateKeyPair is the base64 encoded PKCS#10 request. However 
+it has a little strange format that SSLeay doesn't accept. (BTW I feel the 
+decision of rejecting that format as standard conforming.) It looks like 
+follows:
+        1st line with 76 chars
+        2nd line with 76 chars
+        ...
+        (n-2)th line with 76 chars
+        (n-1)th line contains a multiple of 4 chars less then 76 (possible 
+empty)
+        (n)th line has zero or 4 chars (then with 1 or 2 equal signs - the 
+                original text's lenght wasn'T a multiple of 3) 
+        The line separator has two chars: 0x0d 0x0a
+
+AcceptCredentials(sessionID, credentials, 0, FALSE)
+- sessionID needs to be the same as while generating the key pair
+- credentials is the base64 encoded PKCS#7 object containing the cert. 
+
+CRL's and CA certs are not required simply just the client cert. (It seems to 
+me that both are not even checked somehow.) The only format of the base64 
+encoded object I succesfully used was all characters in a very long string 
+without line feeds or carriage returns. (Hey, it doesn't matter, only a 
+computer reads it!)
+
+The result should be S_OK. For error handling see the example that comes with 
+certenr3.dll.
+
+A note about ASN.1 character encodings. certenr3.dll seems to know only about 
+2 of them: UniversalString and PrintableString. First it is definitely wrong 
+for an email address which is IA5STRING (checked by ssleay's ca). Second 
+unfortunately MSIE (at least until version 3.02) can't handle UniversalString 
+correctly - they just blow up you cert store! Therefore ssleay's ca (starting 
+from version 0.8.0) tries to convert the encodings automatically to IA5STRING 
+or TeletexString. The beef is it will work only for the latin-1 (western) 
+charset. Microsoft still has to do abit of homework...
+
+3.) An example
+--------------
+
+At least you need two steps: generating the key & request and then installing 
+the certificate. A real world CA would have some more steps involved, eg. 
+accepting some license. Note that both scripts shown below are just 
+experimental state without any warrenty!
+
+First how to generate a request. Note that we can't use a static page because 
+of the sessionID. I generate it from system time plus pid and hope it is 
+unique enough. Your are free to feed it through md5 to get more impressive 
+ID's ;-) Then the intended text is read in with sed which inserts the 
+sessionID. 
+
+-----BEGIN ms-enroll.cgi-----
+#!/bin/sh
+SESSION_ID=`date '+%y%m%d%H%M%S'`$$
+echo Content-type: text/html
+echo
+sed s/template_for_sessId/$SESSION_ID/ <<EOF
+<HTML><HEAD>
+<TITLE>Certificate Enrollment Test Page</TITLE>
+</HEAD><BODY>
+
+<OBJECT
+    classid="clsid:33BEC9E0-F78F-11cf-B782-00C04FD7BF43"
+    codebase=certenr3.dll
+    id=certHelper
+    >
+</OBJECT>
+
+<CENTER>
+<H2>enrollment for a personal cert</H2>
+<BR><HR WIDTH=50%><BR><P>
+<FORM NAME="MSIE_Enrollment" ACTION="ms-gencert.cgi" ENCTYPE=x-www-form-
+encoded METHOD=POST>
+<TABLE>
+    <TR><TD>Country</TD><TD><INPUT NAME="Country" VALUE=""></TD></TR>
+    <TR><TD>State</TD><TD><INPUT NAME="StateOrProvince" VALUE=""></TD></TR>
+    <TR><TD>Location</TD><TD><INPUT NAME="Location" VALUE=""></TD></TR>
+    <TR><TD>Organization</TD><TD><INPUT NAME="Organization" 
+VALUE=""></TD></TR>
+    <TR><TD>Organizational Unit</TD>
+        <TD><INPUT NAME="OrganizationalUnit" VALUE=""></TD></TR>
+    <TR><TD>Name</TD><TD><INPUT NAME="CommonName" VALUE=""></TD></TR>
+    <TR><TD>eMail Address</TD>
+        <TD><INPUT NAME="EmailAddress" VALUE=""></TD></TR>
+    <TR><TD></TD>
+        <TD><INPUT TYPE="BUTTON" NAME="submit" VALUE="Beantragen"></TD></TR>
+</TABLE>
+        <INPUT TYPE="hidden" NAME="SessionId" VALUE="template_for_sessId">
+        <INPUT TYPE="hidden" NAME="Request" VALUE="">
+</FORM>
+<BR><HR WIDTH=50%><BR><P>
+</CENTER>
+
+<SCRIPT LANGUAGE=VBS>
+    Dim DN
+
+    Sub Submit_OnClick
+        Dim TheForm
+        Set TheForm = Document.MSIE_Enrollment
+        sessionId       = TheForm.SessionId.value
+        reqHardware     = FALSE
+        C               = TheForm.Country.value
+        SP              = TheForm.StateOrProvince.value
+        L               = TheForm.Location.value
+        O               = TheForm.Organization.value
+        OU              = TheForm.OrganizationalUnit.value
+        CN              = TheForm.CommonName.value
+        Email           = TheForm.EmailAddress.value
+        szPurpose       = "ClientAuth"
+        doAcceptanceUINow   = FALSE
+        doOnline        = TRUE
+
+        DN = ""
+
+        Call Add_RDN("C", C)
+        Call Add_RDN("S", SP)
+        Call Add_RDN("L", L)
+        Call Add_RDN("O", O)
+        Call Add_RDN("OU", OU)
+        Call Add_RDN("CN", CN)
+        Call Add_RDN("1.2.840.113549.1.9.1", Email)
+                      ' rsadsi
+                                     ' pkcs
+                                       ' pkcs9
+                                         ' eMailAddress
+        On Error Resume Next
+        sz10 = certHelper.GenerateKeyPair(sessionId, _
+                FALSE, DN, 0, ClientAuth, FASLE, TRUE, 1)_
+        theError = Err.Number
+        On Error Goto 0
+        if (sz10 = Empty OR theError <> 0) Then
+            sz = "The error '" & Hex(theError) & "' occurred." & chr(13) & _
+                chr(10) & "Your credentials could not be generated."
+            result = MsgBox(sz, 0, "Credentials Enrollment")
+            Exit Sub
+        else 
+            TheForm.Request.value = sz10
+            TheForm.Submit
+        end if
+    End Sub
+
+    Sub Add_RDN(sn, value)
+        if (value <> "") then
+            if (DN <> "") then
+                DN = DN & "; "
+            end if
+            DN = DN & sn & "=" & value
+        end if
+    End Sub
+</SCRIPT>
+</BODY>
+</HTML>
+EOF
+-----END ms-enroll.cgi-----
+
+Second, how to extract the request and feed the certificate back? We need to 
+"normalize" the base64 encoding of the PKCS#10 format which means 
+regenerating the lines and wrapping with BEGIN and END line. This is done by 
+gawk. The request is taken by ca the normal way. Then the cert needs to be 
+packed into a PKCS#7 structure (note: the use of a CRL is necessary for 
+crl2pkcs7 as of version 0.6.6. Starting with 0.8.0 it it might probably be 
+ommited). Finally we need to format the PKCS#7 object and generate the HTML 
+text. I use two templates to have a clearer script.
+
+1st note: postit2 is slightly modified from a program I found at ncsa's ftp 
+site. Grab it from http://www.easterngraphics.com/certs/IX9704/postit2.c. You 
+need utils.c from there too.
+
+2nd note: I'm note quite sure wether the gawk script really handles all 
+possible inputs for the request right! Today I don't use this construction 
+anymore myself.
+
+3d note: the cert must be of version 3! This could be done with the nsComment 
+line in ssleay.cnf...
+
+------BEGIN ms-gencert.cgi-----
+#!/bin/sh
+FILE="/tmp/"`date '+%y%m%d%H%M%S'-`$$
+rm -f "$FILE".*
+
+HOME=`pwd`; export HOME  # as ssleay.cnf insists on having such an env var
+cd /usr/local/ssl #where demoCA (as named in ssleay.conf) is located
+
+postit2 -s " " -i 0x0d > "$FILE".inp  # process the FORM vars
+
+SESSION_ID=`gawk '$1 == "SessionId" { print $2; exit }' "$FILE".inp`
+
+gawk \
+        'BEGIN { \
+                OFS = ""; \
+                print "-----BEGIN CERTIFICATE REQUEST-----"; \
+                req_seen=0 \
+        } \
+        $1 == "Request" { \
+                req_seen=1; \
+                if (length($2) == 72) print($2); \
+                lastline=$2; \
+                next; \
+        } \
+        { \
+                if (req_seen == 1) { \
+                        if (length($1) >= 72) print($1); \
+                        else if (length(lastline) < 72) { \
+                                req_seen=0; \
+                                print (lastline,$1); \
+                        } \
+                lastline=$1; \
+                } \
+        } \
+        END { \
+                print "-----END CERTIFICATE REQUEST-----"; \
+        }' > "$FILE".pem < "$FILE".inp 
+
+ssleay ca -batch -in "$FILE".pem -key passwd -out "$FILE".out
+ssleay crl2pkcs7 -certfile "$FILE".out -out "$FILE".pkcs7 -in demoCA/crl.pem
+
+sed s/template_for_sessId/$SESSION_ID/ <ms-enroll2a.html >"$FILE".cert
+/usr/local/bin/gawk \
+        'BEGIN  { \
+                OFS = ""; \
+                dq = sprintf("%c",34); \
+        } \
+        $0 ~ "PKCS7" { next; } \
+        { \
+                print dq$0dq" & _"; \
+        }' <"$FILE".pkcs7 >> "$FILE".cert
+cat  ms-enroll2b.html >>"$FILE".cert
+
+echo Content-type: text/html
+echo Content-length: `wc -c "$FILE".cert`
+echo
+cat "$FILE".cert
+rm -f "$FILE".*
+-----END ms-gencert.cgi-----
+
+----BEGIN ms-enroll2a.html----
+<HTML><HEAD><TITLE>Certificate Acceptance Test Page</TITLE></HEAD><BODY>
+
+<OBJECT
+    classid="clsid:33BEC9E0-F78F-11cf-B782-00C04FD7BF43"
+    codebase=certenr3.dll
+    id=certHelper
+    >
+</OBJECT>
+
+<CENTER>
+<H2>Your personal certificate</H2>
+<BR><HR WIDTH=50%><BR><P>
+Press the button!
+<P><INPUT TYPE=BUTTON VALUE="Nimm mich!" NAME="InstallCert">
+</CENTER>
+<BR><HR WIDTH=50%><BR>
+
+<SCRIPT LANGUAGE=VBS>
+    Sub InstallCert_OnClick
+
+        sessionId       = "template_for_sessId"
+credentials = "" & _
+----END ms-enroll2a.html----
+
+----BEGIN ms-enroll2b.html----
+""
+        On Error Resume Next
+        result = certHelper.AcceptCredentials(sessionId, credentials, 0, 
+FALSE)
+        if (IsEmpty(result)) Then
+           sz = "The error '" & Err.Number & "' occurred." & chr(13) & 
+chr(10) & "This Digital ID could not be registered."
+           msgOut = MsgBox(sz, 0, "Credentials Registration Error")
+           navigate "error.html"
+        else
+           sz = "Digital ID successfully registered."
+           msgOut = MsgBox(sz, 0, "Credentials Registration")
+           navigate "success.html"
+        end if
+        Exit Sub
+    End Sub
+</SCRIPT>
+</BODY>
+</HTML>
+----END ms-enroll2b.html----
+
+4.) What do do with the cert?
+-----------------------------
+
+The cert is visible (without restarting MSIE) under the following menu:
+View->Options->Security->Personal certs. You can examine it's contents at 
+least partially.
+
+To use it for client authentication you need to use SSL3.0 (fortunately 
+SSLeay supports it with 0.8.0). Furthermore MSIE is told to only supports a 
+kind of automatic selection of certs (I personally wasn't able to test it 
+myself). But there is a requirement that the issuer of the server cert and 
+the issuer of the client cert needs to be the same (according to a developer 
+from MS). Which means: you need may more then one cert to talk to all 
+servers...
+
+I'm sure we will get a bit more experience after ApacheSSL is available for 
+SSLeay 0.8.8.
+
+
+I hope you enjoyed reading and that in future questions on this topic will 
+rarely appear on ssl-users@moncom.com ;-)
+
+Ilmenau, 9th of June 1997
+Holger Reif <reif@prakinf.tu-ilmenau.de>
+-- 
+read you later  -  Holger Reif
+----------------------------------------  Signaturprojekt Deutsche Einheit
+TU Ilmenau - Informatik - Telematik                      (Verdamp lang her)
+Holger.Reif@PrakInf.TU-Ilmenau.DE         Alt wie ein Baum werden, um ueber
+http://Remus.PrakInf.TU-Ilmenau.DE/Reif/  alle 7 Bruecken gehen zu koennen
+
+
+==== ns-ca.doc ========================================================
+
+The following documentation was supplied by Jeff Barber, who provided the
+patch to the CA program to add this functionality.
+
+eric
+--
+Jeff Barber                                Email: jeffb@issl.atl.hp.com
+
+Hewlett Packard                            Phone: (404) 648-9503
+Internet and System Security Lab           Fax:   (404) 648-9516
+
+                         oo
+---------------------cut /\ here for ns-ca.doc ------------------------------
+
+This document briefly describes how to use SSLeay to implement a 
+certificate authority capable of dynamically serving up client
+certificates for version 3.0 beta 5 (and presumably later) versions of
+the Netscape Navigator.  Before describing how this is done, it's
+important to understand a little about how the browser implements its
+client certificate support.  This is documented in some detail in the
+URLs based at <URL:http://home.netscape.com/eng/security/certs.html>.
+Here's a brief overview:
+
+-       The Navigator supports a new HTML tag "KEYGEN" which will cause
+        the browser to generate an RSA key pair when you submit a form
+        containing the tag.  The public key, along with an optional
+        challenge (supposedly provided for use in certificate revocation
+        but I don't use it) is signed, DER-encoded, base-64 encoded
+        and sent to the web server as the value of the variable
+        whose NAME is provided in the KEYGEN tag.  The private key is
+        stored by the browser in a local key database.
+
+        This "Signed Public Key And Challenge" (SPKAC) arrives formatted
+        into 64 character lines (which are of course URL-encoded when 
+        sent via HTTP -- i.e. spaces, newlines and most punctuatation are
+        encoded as "%HH" where HH is the hex equivalent of the ASCII code).
+        Note that the SPKAC does not contain the other usual attributes
+        of a certificate request, especially the subject name fields.
+        These must be otherwise encoded in the form for submission along
+        with the SPKAC.
+
+-       Either immediately (in response to this form submission), or at
+        some later date (a real CA will probably verify your identity in
+        some way before issuing the certificate), a web server can send a
+        certificate based on the public key and other attributes back to
+        the browser by encoding it in DER (the binary form) and sending it
+        to the browser as MIME type:
+        "Content-type: application/x-x509-user-cert"
+
+        The browser uses the public key encoded in the certificate to
+        associate the certificate with the appropriate private key in
+        its local key database.  Now, the certificate is "installed".
+
+-       When a server wants to require authentication based on client
+        certificates, it uses the right signals via the SSL protocol to
+        trigger the Navigator to ask you which certificate you want to
+        send.  Whether the certificate is accepted is dependent on CA
+        certificates and so forth installed in the server and is beyond
+        the scope of this document.
+
+
+Now, here's how the SSLeay package can be used to provide client 
+certficates:
+
+-       You prepare a file for input to the SSLeay ca application.
+        The file contains a number of "name = value" pairs that identify
+        the subject.  The names here are the same subject name component
+        identifiers used in the CA section of the lib/ssleay.conf file,
+        such as "emailAddress", "commonName" "organizationName" and so
+        forth.  Both the long version and the short version (e.g. "Email",
+        "CN", "O") can be used.
+
+        One more name is supported: this one is "SPKAC".  Its value
+        is simply the value of the base-64 encoded SPKAC sent by the
+        browser (with all the newlines and other space charaters
+        removed -- and newline escapes are NOT supported).
+
+        [ As of SSLeay 0.6.4, multiple lines are supported.
+          Put a \ at the end of each line and it will be joined with the
+          previous line with the '\n' removed - eay ]
+        
+        Here's a sample input file:
+
+C = US
+SP = Georgia
+O = Some Organization, Inc.
+OU = Netscape Compatibility Group
+CN = John X. Doe
+Email = jxdoe@someorg.com
+SPKAC = MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAwmk6FMJ4uAVIYbcvIOx5+bDGTfvL8X5gE+R67ccMk6rCSGbVQz2cetyQtnI+VIs0NwdD6wjuSuVtVFbLoHonowIDAQABFgAwDQYJKoZIhvcNAQEEBQADQQBFZDUWFl6BJdomtN1Bi53mwijy1rRgJ4YirF15yBEDM3DjAQkKXHYOIX+qpz4KXKnl6EYxTnGSFL5wWt8X2iyx
+
+-       You execute the ca command (either from a CGI program run out of
+        the web server, or as a later manual task) giving it the above
+        file as input.  For example, if the file were named /tmp/cert.req,
+        you'd run:
+        $SSLDIR/bin/ca -spkac /tmp/cert.req -out /tmp/cert
+
+        The output is in DER format (binary) if a -out argument is 
+        provided, as above; otherwise, it's in the PEM format (base-64
+        encoded DER).  Also, the "-batch" switch is implied by the
+        "-spkac" so you don't get asked whether to complete the signing
+        (probably it shouldn't work this way but I was only interested
+        in hacking together an online CA that could be used for issuing
+        test certificates).
+
+        The "-spkac" capability doesn't support multiple files (I think).
+
+        Any CHALLENGE provided in the SPKAC is simply ignored.
+
+        The interactions between the identification fields you provide
+        and those identified in your lib/ssleay.conf are the same as if
+        you did an ordinary "ca -in infile -out outfile" -- that is, if
+        something is marked as required in the ssleay.conf file and it
+        isn't found in the -spkac file, the certificate won't be issued.
+
+-       Now, you pick up the output from /tmp/cert and pass it back to
+        the Navigator prepending the Content-type string described earlier.
+
+-       In order to run the ca command out of a CGI program, you must
+        provide a password to decrypt the CA's private key.  You can
+        do this by using "echo MyKeyPassword | $SSLDIR/bin/ca ..."
+        I think there's a way to not encrypt the key file in the first
+        place, but I didn't see how to do that, so I made a small change
+        to the library that allows the password to be accepted from a pipe.
+        Either way is UTTERLY INSECURE and a real CA would never do that.
+
+        [ You can use the 'ssleay rsa' command to remove the password
+          from the private key, or you can use the '-key' option to the
+          ca command to specify the decryption key on the command line
+          or use the -nodes option when generating the key.
+          ca will try to clear the command line version of the password
+          but for quite a few operating systems, this is not possible.
+          - eric ]
+
+So, what do you have to do to make use of this stuff to create an online 
+demo CA capability with SSLeay?
+
+1       Create an HTML form for your users.  The form should contain
+        fields for all of the required or optional fields in ssleay.conf.
+        The form must contain a KEYGEN tag somewhere with at least a NAME
+        attribute.
+
+2       Create a CGI program to process the form input submitted by the
+        browser.  The CGI program must URL-decode the variables and create
+        the file described above, containing subject identification info
+        as well as the SPKAC block.  It should then run the the ca program
+        with the -spkac option.  If it works (check the exit status),
+        return the new certificate with the appropriate MIME type.  If not,
+        return the output of the ca command with MIME type "text/plain".
+
+3       Set up your web server to accept connections signed by your demo
+        CA.  This probably involves obtaining the PEM-encoded CA certificate
+        (ordinarily in $SSLDIR/CA/cacert.pem) and installing it into a
+        server database.  See your server manual for instructions.
+
+
+==== obj.doc ========================================================
+
+The Object library.
+
+As part of my Crypto library, I found I required a method of identifying various
+objects.  These objects normally had 3 different values associated with
+them, a short text name, a long (or lower case) text name, and an
+ASN.1 Object Identifier (which is a sequence of numbers).
+This library contains a static list of objects and functions to lookup
+according to one type and to return the other types.
+
+To use these routines, 'Object.h' needs to be included.
+
+For each supported object, #define entries are defined as follows
+#define SN_Algorithm                    "Algorithm"
+#define LN_algorithm                    "algorithm"
+#define NID_algorithm                   38
+#define OBJ_algorithm                   1L,3L,14L,3L,2L
+
+SN_  stands for short name.
+LN_  stands for either long name or lowercase name.
+NID_ stands for Numeric ID.  I each object has a unique NID and this
+     should be used internally to identify objects.
+OBJ_ stands for ASN.1 Object Identifier or ASN1_OBJECT as defined in the
+     ASN1 routines.  These values are used in ASN1 encoding.
+
+The following functions are to be used to return pointers into a static
+definition of these types.  What this means is "don't try to free() any
+pointers returned from these functions.
+
+ASN1_OBJECT *OBJ_nid2obj(
+int n);
+        Return the ASN1_OBJECT that corresponds to a NID of n.
+        
+char *OBJ_nid2ln(
+int n);
+        Return the long/lower case name of the object represented by the
+        NID of n.
+        
+char *OBJ_nid2sn(
+int n);
+        Return the short name for the object represented by the NID of n.
+
+ASN1_OBJECT *OBJ_dup(
+ASN1_OBJECT *o);
+        Duplicate and return a new ASN1_OBJECT that is the same as the
+        passed parameter.
+        
+int OBJ_obj2nid(
+ASN1_OBJECT *o);
+        Given ASN1_OBJECT o, return the NID that corresponds.
+        
+int OBJ_ln2nid(
+char *s);
+        Given the long/lower case name 's', return the NID of the object.
+        
+int OBJ_sn2nid(
+char *s);
+        Given the short name 's', return the NID of the object.
+        
+char *OBJ_bsearch(
+char *key,
+char *base,
+int num,
+int size,
+int (*cmp)());
+        Since I have come across a few platforms that do not have the
+        bsearch() function, OBJ_bsearch is my version of that function.
+        Feel free to use this function, but you may as well just use the
+        normal system bsearch(3) if it is present.  This version also
+        has tolerance of being passed NULL pointers.
+
+==== keys ===========================================================
+
+EVP_PKEY_DSA
+EVP_PKEY_DSA2
+EVP_PKEY_DSA3
+EVP_PKEY_DSA4
+
+EVP_PKEY_RSA
+EVP_PKEY_RSA2
+
+valid DSA pkey types
+        NID_dsa
+        NID_dsaWithSHA
+        NID_dsaWithSHA1
+        NID_dsaWithSHA1_2
+
+valid RSA pkey types
+        NID_rsaEncryption
+        NID_rsa
+
+NID_dsaWithSHA  NID_dsaWithSHA                  DSA             SHA
+NID_dsa         NID_dsaWithSHA1                 DSA             SHA1
+NID_md2         NID_md2WithRSAEncryption        RSA-pkcs1       MD2
+NID_md5         NID_md5WithRSAEncryption        RSA-pkcs1       MD5
+NID_mdc2        NID_mdc2WithRSA                 RSA-none        MDC2
+NID_ripemd160   NID_ripemd160WithRSA            RSA-pkcs1       RIPEMD160
+NID_sha         NID_shaWithRSAEncryption        RSA-pkcs1       SHA
+NID_sha1        NID_sha1WithRSAEncryption       RSA-pkcs1       SHA1
+
+==== rand.doc ========================================================
+
+My Random number library.
+
+These routines can be used to generate pseudo random numbers and can be
+used to 'seed' the pseudo random number generator (RNG).  The RNG make no
+effort to reproduce the same random number stream with each execution.
+Various other routines in the SSLeay library 'seed' the RNG when suitable
+'random' input data is available.  Read the section at the end for details
+on the design of the RNG.
+
+void RAND_bytes(
+unsigned char *buf,
+int num);
+        This routine puts 'num' random bytes into 'buf'.  One should make
+        sure RAND_seed() has been called before using this routine.
+        
+void RAND_seed(
+unsigned char *buf,
+int num);
+        This routine adds more 'seed' data the RNG state.  'num' bytes
+        are added to the RNG state, they are taken from 'buf'.  This
+        routine can be called with sensitive data such as user entered
+        passwords.  This sensitive data is in no way recoverable from
+        the RAND library routines or state.  Try to pass as much data
+        from 'random' sources as possible into the RNG via this function.
+        Also strongly consider using the RAND_load_file() and
+        RAND_write_file() routines.
+
+void RAND_cleanup();
+        When a program has finished with the RAND library, if it so
+        desires, it can 'zero' all RNG state.
+        
+The following 3 routines are convenience routines that can be used to
+'save' and 'restore' data from/to the RNG and it's state.
+Since the more 'random' data that is feed as seed data the better, why not
+keep it around between executions of the program?  Of course the
+application should pass more 'random' data in via RAND_seed() and 
+make sure no-one can read the 'random' data file.
+        
+char *RAND_file_name(
+char *buf,
+int size);
+        This routine returns a 'default' name for the location of a 'rand'
+        file.  The 'rand' file should keep a sequence of random bytes used
+        to initialise the RNG.  The filename is put in 'buf'.  Buf is 'size'
+        bytes long.  Buf is returned if things go well, if they do not,
+        NULL is returned.  The 'rand' file name is generated in the
+        following way.  First, if there is a 'RANDFILE' environment
+        variable, it is returned.  Second, if there is a 'HOME' environment
+        variable, $HOME/.rand is returned.  Third, NULL is returned.  NULL
+        is also returned if a buf would overflow.
+
+int RAND_load_file(
+char *file,
+long number);
+        This function 'adds' the 'file' into the RNG state.  It does this by
+        doing a RAND_seed() on the value returned from a stat() system call
+        on the file and if 'number' is non-zero, upto 'number' bytes read
+        from the file.  The number of bytes passed to RAND_seed() is returned.
+
+int RAND_write_file(
+char *file),
+        RAND_write_file() writes N random bytes to the file 'file', where
+        N is the size of the internal RND state (currently 1k).
+        This is a suitable method of saving RNG state for reloading via
+        RAND_load_file().
+
+What follows is a description of this RNG and a description of the rational
+behind it's design.
+
+It should be noted that this RNG is intended to be used to generate
+'random' keys for various ciphers including generation of DH and RSA keys.  
+
+It should also be noted that I have just created a system that I am happy with.
+It may be overkill but that does not worry me.  I have not spent that much
+time on this algorithm so if there are glaring errors, please let me know.
+Speed has not been a consideration in the design of these routines.
+
+First up I will state the things I believe I need for a good RNG.
+1) A good hashing algorithm to mix things up and to convert the RNG 'state'
+   to random numbers.
+2) An initial source of random 'state'.
+3) The state should be very large.  If the RNG is being used to generate
+   4096 bit RSA keys, 2 2048 bit random strings are required (at a minimum).
+   If your RNG state only has 128 bits, you are obviously limiting the
+   search space to 128 bits, not 2048.  I'm probably getting a little
+   carried away on this last point but it does indicate that it may not be
+   a bad idea to keep quite a lot of RNG state.  It should be easier to
+   break a cipher than guess the RNG seed data.
+4) Any RNG seed data should influence all subsequent random numbers
+   generated.  This implies that any random seed data entered will have
+   an influence on all subsequent random numbers generated.
+5) When using data to seed the RNG state, the data used should not be
+   extractable from the RNG state.  I believe this should be a
+   requirement because one possible source of 'secret' semi random
+   data would be a private key or a password.  This data must
+   not be disclosed by either subsequent random numbers or a
+   'core' dump left by a program crash.
+6) Given the same initial 'state', 2 systems should deviate in their RNG state
+   (and hence the random numbers generated) over time if at all possible.
+7) Given the random number output stream, it should not be possible to determine
+   the RNG state or the next random number.
+
+
+The algorithm is as follows.
+
+There is global state made up of a 1023 byte buffer (the 'state'), a
+working message digest ('md') and a counter ('count').
+
+Whenever seed data is added, it is inserted into the 'state' as
+follows.
+        The input is chopped up into units of 16 bytes (or less for
+        the last block).  Each of these blocks is run through the MD5
+        message digest.  The data passed to the MD5 digest is the
+        current 'md', the same number of bytes from the 'state'
+        (the location determined by in incremented looping index) as
+        the current 'block' and the new key data 'block'.  The result
+        of this is kept in 'md' and also xored into the 'state' at the
+        same locations that were used as input into the MD5.
+        I believe this system addresses points 1 (MD5), 3 (the 'state'),
+        4 (via the 'md'), 5 (by the use of MD5 and xor).
+
+When bytes are extracted from the RNG, the following process is used.
+For each group of 8 bytes (or less), we do the following,
+        Input into MD5, the top 8 bytes from 'md', the byte that are
+        to be overwritten by the random bytes and bytes from the
+        'state' (incrementing looping index).  From this digest output
+        (which is kept in 'md'), the top (upto) 8 bytes are
+        returned to the caller and the bottom (upto) 8 bytes are xored
+        into the 'state'.
+        Finally, after we have finished 'generation' random bytes for the
+        called, 'count' (which is incremented) and 'md' are fed into MD5 and
+        the results are kept in 'md'.
+        I believe the above addressed points 1 (use of MD5), 6 (by
+        hashing into the 'state' the 'old' data from the caller that
+        is about to be overwritten) and 7 (by not using the 8 bytes
+        given to the caller to update the 'state', but they are used
+        to update 'md').
+
+So of the points raised, only 2 is not addressed, but sources of
+random data will always be a problem.
+        
+
+==== rc2.doc ========================================================
+
+The RC2 library.
+
+RC2 is a block cipher that operates on 64bit (8 byte) quantities.  It
+uses variable size key, but 128bit (16 byte) key would normally be considered
+good.  It can be used in all the modes that DES can be used.  This
+library implements the ecb, cbc, cfb64, ofb64 modes.
+
+I have implemented this library from an article posted to sci.crypt on
+11-Feb-1996.  I personally don't know how far to trust the RC2 cipher.
+While it is capable of having a key of any size, not much reseach has
+publically been done on it at this point in time (Apr-1996)
+since the cipher has only been public for a few months :-)
+It is of a similar speed to DES and IDEA, so unless it is required for
+meeting some standard (SSLv2, perhaps S/MIME), it would probably be advisable
+to stick to IDEA, or for the paranoid, Tripple DES.
+
+Mind you, having said all that, I should mention that I just read alot and
+implement ciphers, I'm a 'babe in the woods' when it comes to evaluating
+ciphers :-).
+
+For all calls that have an 'input' and 'output' variables, they can be the
+same.
+
+This library requires the inclusion of 'rc2.h'.
+
+All of the encryption functions take what is called an RC2_KEY as an 
+argument.  An RC2_KEY is an expanded form of the RC2 key.
+For all modes of the RC2 algorithm, the RC2_KEY used for
+decryption is the same one that was used for encryption.
+
+The define RC2_ENCRYPT is passed to specify encryption for the functions
+that require an encryption/decryption flag. RC2_DECRYPT is passed to
+specify decryption.
+
+Please note that any of the encryption modes specified in my DES library
+could be used with RC2.  I have only implemented ecb, cbc, cfb64 and
+ofb64 for the following reasons.
+- ecb is the basic RC2 encryption.
+- cbc is the normal 'chaining' form for block ciphers.
+- cfb64 can be used to encrypt single characters, therefore input and output
+  do not need to be a multiple of 8.
+- ofb64 is similar to cfb64 but is more like a stream cipher, not as
+  secure (not cipher feedback) but it does not have an encrypt/decrypt mode.
+- If you want triple RC2, thats 384 bits of key and you must be totally
+  obsessed with security.  Still, if you want it, it is simple enough to
+  copy the function from the DES library and change the des_encrypt to
+  RC2_encrypt; an exercise left for the paranoid reader :-).
+
+The functions are as follows:
+
+void RC2_set_key(
+RC2_KEY *ks;
+int len;
+unsigned char *key;
+int bits;
+        RC2_set_key converts an 'len' byte key into a RC2_KEY.
+        A 'ks' is an expanded form of the 'key' which is used to
+        perform actual encryption.  It can be regenerated from the RC2 key
+        so it only needs to be kept when encryption or decryption is about
+        to occur.  Don't save or pass around RC2_KEY's since they
+        are CPU architecture dependent, 'key's are not.  RC2 is an
+        interesting cipher in that it can be used with a variable length
+        key.  'len' is the length of 'key' to be used as the key.
+        A 'len' of 16 is recomended.  The 'bits' argument is an
+        interesting addition which I only found out about in Aug 96.
+        BSAFE uses this parameter to 'limit' the number of bits used
+        for the key.  To use the 'key' unmodified, set bits to 1024.
+        This is what old versions of my RC2 library did (SSLeay 0.6.3).
+        RSAs BSAFE library sets this parameter to be 128 if 128 bit
+        keys are being used.  So to be compatable with BSAFE, set it
+        to 128, if you don't want to reduce RC2's key length, leave it
+        at 1024.
+        
+void RC2_encrypt(
+unsigned long *data,
+RC2_KEY *key,
+int encrypt);
+        This is the RC2 encryption function that gets called by just about
+        every other RC2 routine in the library.  You should not use this
+        function except to implement 'modes' of RC2.  I say this because the
+        functions that call this routine do the conversion from 'char *' to
+        long, and this needs to be done to make sure 'non-aligned' memory
+        access do not occur.
+        Data is a pointer to 2 unsigned long's and key is the
+        RC2_KEY to use.  Encryption or decryption is indicated by 'encrypt'.
+        which can have the values RC2_ENCRYPT or RC2_DECRYPT.
+
+void RC2_ecb_encrypt(
+unsigned char *in,
+unsigned char *out,
+RC2_KEY *key,
+int encrypt);
+        This is the basic Electronic Code Book form of RC2 (in DES this
+        mode is called Electronic Code Book so I'm going to use the term
+        for rc2 as well.
+        Input is encrypted into output using the key represented by
+        key.  Depending on the encrypt, encryption or
+        decryption occurs.  Input is 8 bytes long and output is 8 bytes.
+        
+void RC2_cbc_encrypt(
+unsigned char *in,
+unsigned char *out,
+long length,
+RC2_KEY *ks,
+unsigned char *ivec,
+int encrypt);
+        This routine implements RC2 in Cipher Block Chaining mode.
+        Input, which should be a multiple of 8 bytes is encrypted
+        (or decrypted) to output which will also be a multiple of 8 bytes.
+        The number of bytes is in length (and from what I've said above,
+        should be a multiple of 8).  If length is not a multiple of 8, bad 
+        things will probably happen.  ivec is the initialisation vector.
+        This function updates iv after each call so that it can be passed to
+        the next call to RC2_cbc_encrypt().
+        
+void RC2_cfb64_encrypt(
+unsigned char *in,
+unsigned char *out,
+long length,
+RC2_KEY *schedule,
+unsigned char *ivec,
+int *num,
+int encrypt);
+        This is one of the more useful functions in this RC2 library, it
+        implements CFB mode of RC2 with 64bit feedback.
+        This allows you to encrypt an arbitrary number of bytes,
+        you do not require 8 byte padding.  Each call to this
+        routine will encrypt the input bytes to output and then update ivec
+        and num.  Num contains 'how far' we are though ivec.
+        'Encrypt' is used to indicate encryption or decryption.
+        CFB64 mode operates by using the cipher to generate a stream
+        of bytes which is used to encrypt the plain text.
+        The cipher text is then encrypted to generate the next 64 bits to
+        be xored (incrementally) with the next 64 bits of plain
+        text.  As can be seen from this, to encrypt or decrypt,
+        the same 'cipher stream' needs to be generated but the way the next
+        block of data is gathered for encryption is different for
+        encryption and decryption.
+        
+void RC2_ofb64_encrypt(
+unsigned char *in,
+unsigned char *out,
+long length,
+RC2_KEY *schedule,
+unsigned char *ivec,
+int *num);
+        This functions implements OFB mode of RC2 with 64bit feedback.
+        This allows you to encrypt an arbitrary number of bytes,
+        you do not require 8 byte padding.  Each call to this
+        routine will encrypt the input bytes to output and then update ivec
+        and num.  Num contains 'how far' we are though ivec.
+        This is in effect a stream cipher, there is no encryption or
+        decryption mode.
+        
+For reading passwords, I suggest using des_read_pw_string() from my DES library.
+To generate a password from a text string, I suggest using MD5 (or MD2) to
+produce a 16 byte message digest that can then be passed directly to
+RC2_set_key().
+
+=====
+For more information about the specific RC2 modes in this library
+(ecb, cbc, cfb and ofb), read the section entitled 'Modes of DES' from the
+documentation on my DES library.  What is said about DES is directly
+applicable for RC2.
+
+
+==== rc4.doc ========================================================
+
+The RC4 library.
+RC4 is a stream cipher that operates on a byte stream.  It can be used with
+any length key but I would recommend normally using 16 bytes.
+
+This library requires the inclusion of 'rc4.h'.
+
+The RC4 encryption function takes what is called an RC4_KEY as an argument.
+The RC4_KEY is generated by the RC4_set_key function from the key bytes.
+
+RC4, being a stream cipher, does not have an encryption or decryption mode.
+It produces a stream of bytes that the input stream is xor'ed against and
+so decryption is just a case of 'encrypting' again with the same key.
+
+I have only put in one 'mode' for RC4 which is the normal one.  This means
+there is no initialisation vector and there is no feedback of the cipher
+text into the cipher.  This implies that you should not ever use the
+same key twice if you can help it.  If you do, you leave yourself open to
+known plain text attacks; if you know the plain text and
+corresponding cipher text in one message, all messages that used the same
+key can have the cipher text decoded for the corresponding positions in the
+cipher stream.
+
+The main positive feature of RC4 is that it is a very fast cipher; about 4
+times faster that DES.  This makes it ideally suited to protocols where the
+key is randomly chosen, like SSL.
+
+The functions are as follows:
+
+void RC4_set_key(
+RC4_KEY *key;
+int len;
+unsigned char *data);
+        This function initialises the RC4_KEY structure with the key passed
+        in 'data', which is 'len' bytes long.  The key data can be any
+        length but 16 bytes seems to be a good number.
+
+void RC4(
+RC4_KEY *key;
+unsigned long len;
+unsigned char *in;
+unsigned char *out);
+        Do the actual RC4 encryption/decryption.  Using the 'key', 'len'
+        bytes are transformed from 'in' to 'out'.  As mentioned above,
+        decryption is the operation as encryption.
+
+==== ref.doc ========================================================
+
+I have lots more references etc, and will update this list in the future,
+30 Aug 1996 - eay
+
+
+SSL     The SSL Protocol - from Netscapes.
+
+RC4     Newsgroups: sci.crypt
+        From: sterndark@netcom.com (David Sterndark)
+        Subject: RC4 Algorithm revealed.
+        Message-ID: <sternCvKL4B.Hyy@netcom.com>
+
+RC2     Newsgroups: sci.crypt
+        From: pgut01@cs.auckland.ac.nz (Peter Gutmann)
+        Subject: Specification for Ron Rivests Cipher No.2
+        Message-ID: <4fk39f$f70@net.auckland.ac.nz>
+
+MD2     RFC1319 The MD2 Message-Digest Algorithm
+MD5     RFC1321 The MD5 Message-Digest Algorithm
+
+X509 Certificates
+        RFC1421 Privacy Enhancement for Internet Electronic Mail: Part I
+        RFC1422 Privacy Enhancement for Internet Electronic Mail: Part II
+        RFC1423 Privacy Enhancement for Internet Electronic Mail: Part III
+        RFC1424 Privacy Enhancement for Internet Electronic Mail: Part IV
+
+RSA and various standard encoding
+        PKCS#1 RSA Encryption Standard
+        PKCS#5 Password-Based Encryption Standard
+        PKCS#7 Cryptographic Message Syntax Standard
+        A Layman's Guide to a Subset of ASN.1, BER, and DER
+        An Overview of the PKCS Standards
+        Some Examples of the PKCS Standards
+
+IDEA    Chapter 3 The Block Cipher IDEA
+
+RSA, prime number generation and bignum algorithms
+        Introduction To Algorithms,
+        Thomas Cormen, Charles Leiserson, Ronald Rivest,
+        Section 29 Arithmetic Circuits
+        Section 33 Number-Theoretic Algorithms
+
+Fast Private Key algorithm
+        Fast Decipherment Algorithm for RSA Public-Key Cryptosystem
+        J.-J. Quisquater and C. Couvreur, Electronics Letters,
+        14th October 1982, Vol. 18 No. 21
+
+Prime number generation and bignum algorithms.
+        PGP-2.3a
+
+==== rsa.doc ========================================================
+
+The RSA encryption and utility routines.
+
+The RSA routines are built on top of a big number library (the BN library).
+There are support routines in the X509 library for loading and manipulating
+the various objects in the RSA library.  When errors are returned, read
+about the ERR library for how to access the error codes.
+
+All RSA encryption is done according to the PKCS-1 standard which is
+compatible with PEM and RSAref.  This means that any values being encrypted
+must be less than the size of the modulus in bytes, minus 10, bytes long.
+
+This library uses RAND_bytes()() for it's random data, make sure to feed
+RAND_seed() with lots of interesting and varied data before using these
+routines.
+
+The RSA library has one specific data type, the RSA structure.
+It is composed of 8 BIGNUM variables (see the BN library for details) and
+can hold either a private RSA key or a public RSA key.
+Some RSA libraries have different structures for public and private keys, I
+don't.  For my libraries, a public key is determined by the fact that the
+RSA->d value is NULL.  These routines will operate on any size RSA keys.
+While I'm sure 4096 bit keys are very very secure, they take a lot longer
+to process that 1024 bit keys :-).
+
+The function in the RSA library are as follows.
+
+RSA *RSA_new();
+        This function creates a new RSA object.  The sub-fields of the RSA
+        type are also malloced so you should always use this routine to
+        create RSA variables.
+        
+void RSA_free(
+RSA *rsa);
+        This function 'frees' an RSA structure.  This routine should always
+        be used to free the RSA structure since it will also 'free' any
+        sub-fields of the RSA type that need freeing.
+        
+int RSA_size(
+RSA *rsa);      
+        This function returns the size of the RSA modulus in bytes.  Why do
+        I need this you may ask, well the reason is that when you encrypt
+        with RSA, the output string will be the size of the RSA modulus.
+        So the output for the RSA_encrypt and the input for the RSA_decrypt
+        routines need to be RSA_size() bytes long, because this is how many
+        bytes are expected.
+        
+For the following 4 RSA encryption routines, it should be noted that
+RSA_private_decrypt() should be used on the output from 
+RSA_public_encrypt() and RSA_public_decrypt() should be used on
+the output from RSA_private_encrypt().
+        
+int RSA_public_encrypt(
+int from_len;
+unsigned char *from     
+unsigned char *to       
+RSA *rsa);
+        This function implements RSA public encryption, the rsa variable
+        should be a public key (but can be a private key).  'from_len'
+        bytes taken from 'from' and encrypted and put into 'to'.  'to' needs
+        to be at least RSA_size(rsa) bytes long.  The number of bytes
+        written into 'to' is returned.  -1 is returned on an error.  The
+        operation performed is
+        to = from^rsa->e mod rsa->n.
+        
+int RSA_private_encrypt(
+int from_len;
+unsigned char *from     
+unsigned char *to       
+RSA *rsa);
+        This function implements RSA private encryption, the rsa variable
+        should be a private key.  'from_len' bytes taken from
+        'from' and encrypted and put into 'to'.  'to' needs
+        to be at least RSA_size(rsa) bytes long.  The number of bytes
+        written into 'to' is returned.  -1 is returned on an error.  The
+        operation performed is
+        to = from^rsa->d mod rsa->n.
+
+int RSA_public_decrypt(
+int from_len;
+unsigned char *from     
+unsigned char *to       
+RSA *rsa);
+        This function implements RSA public decryption, the rsa variable
+        should be a public key (but can be a private key).  'from_len'
+        bytes are taken from 'from' and decrypted.  The decrypted data is
+        put into 'to'.  The number of bytes encrypted is returned.  -1 is
+        returned to indicate an error. The operation performed is
+        to = from^rsa->e mod rsa->n.
+
+int RSA_private_decrypt(
+int from_len;
+unsigned char *from     
+unsigned char *to       
+RSA *rsa);
+        This function implements RSA private decryption, the rsa variable
+        should be a private key.  'from_len' bytes are taken
+        from 'from' and decrypted.  The decrypted data is
+        put into 'to'.  The number of bytes encrypted is returned.  -1 is
+        returned to indicate an error. The operation performed is
+        to = from^rsa->d mod rsa->n.
+
+int RSA_mod_exp(
+BIGNUM *n;
+BIGNUM *p;
+RSA *rsa);
+        Normally you will never use this routine.
+        This is really an internal function which is called by
+        RSA_private_encrypt() and RSA_private_decrypt().  It performs
+        n=n^p mod rsa->n except that it uses the 5 extra variables in the
+        RSA structure to make this more efficient.
+        
+RSA *RSA_generate_key(
+int bits;
+unsigned long e;
+void (*callback)();
+char *cb_arg;
+        This routine is used to generate RSA private keys.  It takes
+        quite a period of time to run and should only be used to
+        generate initial private keys that should then be stored
+        for later use.  The passed callback function 
+        will be called periodically so that feedback can be given
+        as to how this function is progressing.
+        'bits' is the length desired for the modulus, so it would be 1024
+        to generate a 1024 bit private key.
+        'e' is the value to use for the public exponent 'e'.  Traditionally
+        it is set to either 3 or 0x10001.
+        The callback function (if not NULL) is called in the following
+        situations.
+        when we have generated a suspected prime number to test,
+        callback(0,num1++,cb_arg).  When it passes a prime number test,
+        callback(1,num2++,cb_arg).  When it is rejected as one of
+        the 2 primes required due to gcd(prime,e value) != 0,
+        callback(2,num3++,cb_arg).  When finally accepted as one
+        of the 2 primes, callback(3,num4++,cb_arg).
+
+
+==== rsaref.doc ========================================================
+
+This package can be compiled to use the RSAref library.
+This library is not allowed outside of the USA but inside the USA it is
+claimed by RSA to be the only RSA public key library that can be used
+besides BSAFE..
+
+There are 2 files, rsaref/rsaref.c and rsaref/rsaref.h that contain the glue
+code to use RSAref.  These files were written by looking at the PGP
+source code and seeing which routines it used to access RSAref.
+I have also been sent by some-one a copy of the RSAref header file that
+contains the library error codes.
+
+[ Jun 1996 update - I have recently gotten hold of RSAref 2.0 from
+  South Africa and have been doing some performace tests. ]
+        
+They have now been tested against the recently announced RSAEURO
+library.
+
+There are 2 ways to use SSLeay and RSAref.  First, to build so that
+the programs must be linked with RSAref, add '-DRSAref' to CFLAG in the top
+level makefile and -lrsaref (or where ever you are keeping RSAref) to
+EX_LIBS.
+
+To build a makefile via util/mk1mf.pl to do this, use the 'rsaref' option.
+
+The second method is to build as per normal and link applications with
+the RSAglue library.  The correct library order would be
+cc -o cmd cmd.o -lssl -lRSAglue -lcrypto -lrsaref -ldes
+The RSAglue library is built in the rsa directory and is NOT
+automatically installed.
+
+Be warned that the RSAEURO library, that is claimed to be compatible
+with RSAref contains a different value for the maximum number of bits
+supported.  This changes structure sizes and so if you are using
+RSAEURO, change the value of RSAref_MAX_BITS in rsa/rsaref.h
+
+
+==== s_mult.doc ========================================================
+
+s_mult is a test program I hacked up on a Sunday for testing non-blocking
+IO.  It has a select loop at it's centre that handles multiple readers
+and writers.
+
+Try the following command
+ssleay s_mult -echo -nbio -ssl -v
+echo - sends any sent text back to the sender
+nbio - turns on non-blocking IO
+ssl  - accept SSL connections, default is normal text
+v    - print lots
+        type Q<cr> to quit
+
+In another window, run the following
+ssleay s_client -pause </etc/termcap
+
+The pause option puts in a 1 second pause in each read(2)/write(2) call
+so the other end will have read()s fail.
+
+==== session.doc ========================================================
+
+I have just checked over and re-worked the session stuff.
+The following brief example will ignore all setup information to do with
+authentication.
+
+Things operate as follows.
+
+The SSL environment has a 'context', a SSL_CTX structure.  This holds the
+cached SSL_SESSIONS (which can be reused) and the certificate lookup
+information.  Each SSL structure needs to be associated with a SSL_CTX.
+Normally only one SSL_CTX structure is needed per program.
+
+SSL_CTX *SSL_CTX_new(void ); 
+void    SSL_CTX_free(SSL_CTX *);
+These 2 functions create and destroy SSL_CTX structures
+
+The SSL_CTX has a session_cache_mode which is by default,
+in SSL_SESS_CACHE_SERVER mode.  What this means is that the library
+will automatically add new session-id's to the cache apon sucsessful
+SSL_accept() calls.
+If SSL_SESS_CACHE_CLIENT is set, then client certificates are also added
+to the cache.
+SSL_set_session_cache_mode(ctx,mode)  will set the 'mode' and
+SSL_get_session_cache_mode(ctx) will get the cache 'mode'.
+The modes can be
+SSL_SESS_CACHE_OFF      - no caching
+SSL_SESS_CACHE_CLIENT   - only SSL_connect()
+SSL_SESS_CACHE_SERVER   - only SSL_accept()
+SSL_SESS_NO_CACHE_BOTH  - Either SSL_accept() or SSL_connect().
+If SSL_SESS_CACHE_NO_AUTO_CLEAR is set, old timed out sessions are
+not automatically removed each 255, SSL_connect()s or SSL_accept()s.
+
+By default, apon every 255 successful SSL_connect() or SSL_accept()s,
+the cache is flush.  Please note that this could be expensive on
+a heavily loaded SSL server, in which case, turn this off and
+clear the cache of old entries 'manually' (with one of the functions
+listed below) every few hours.  Perhaps I should up this number, it is hard
+to say.  Remember, the '255' new calls is just a mechanims to get called
+every now and then, in theory at most 255 new session-id's will have been
+added but if 100 are added every minute, you would still have
+500 in the cache before any would start being flushed (assuming a 3 minute
+timeout)..
+
+int SSL_CTX_sess_hits(SSL_CTX *ctx);
+int SSL_CTX_sess_misses(SSL_CTX *ctx);
+int SSL_CTX_sess_timeouts(SSL_CTX *ctx);
+These 3 functions return statistics about the SSL_CTX.  These 3 are the
+number of session id reuses.  hits is the number of reuses, misses are the
+number of lookups that failed, and timeouts is the number of cached
+entries ignored because they had timeouted.
+
+ctx->new_session_cb is a function pointer to a function of type
+int new_session_callback(SSL *ssl,SSL_SESSION *new);
+This function, if set in the SSL_CTX structure is called whenever a new
+SSL_SESSION is added to the cache.  If the callback returns non-zero, it
+means that the application will have to do a SSL_SESSION_free()
+on the structure (this is
+to do with the cache keeping the reference counts correct, without the
+application needing to know about it.
+The 'active' parameter is the current SSL session for which this connection
+was created.
+
+void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,int (*cb)());
+to set the callback,
+int (*cb)() SSL_CTX_sess_get_new_cb(SSL_CTX *ctx)
+to get the callback.
+
+If the 'get session' callback is set, when a session id is looked up and
+it is not in the session-id cache, this callback is called.  The callback is
+of the form
+SSL_SESSION *get_session_callback(unsigned char *sess_id,int sess_id_len,
+        int *copy);
+
+The get_session_callback is intended to return null if no session id is found.
+The reference count on the SSL_SESSION in incremented by the SSL library,
+if copy is 1.  Otherwise, the reference count is not modified.
+
+void SSL_CTX_sess_set_get_cb(ctx,cb) sets the callback and
+int (*cb)()SSL_CTX_sess_get_get_cb(ctx) returns the callback.
+
+These callbacks are basically indended to be used by processes to
+send their session-id's to other processes.  I currently have not implemented
+non-blocking semantics for these callbacks, it is upto the appication
+to make the callbacks effiecent if they require blocking (perhaps
+by 'saving' them and then 'posting them' when control returns from
+the SSL_accept().
+
+LHASH *SSL_CTX_sessions(SSL_CTX *ctx)
+This returns the session cache.  The lhash strucutre can be accessed for
+statistics about the cache.
+
+void lh_stats(LHASH *lh, FILE *out);
+void lh_node_stats(LHASH *lh, FILE *out);
+void lh_node_usage_stats(LHASH *lh, FILE *out);
+
+can be used to print details about it's activity and current state.
+You can also delve directly into the lhash structure for 14 different
+counters that are kept against the structure.  When I wrote the lhash library,
+I was interested in gathering statistics :-).
+Have a read of doc/lhash.doc in the SSLeay distribution area for more details
+on the lhash library.
+
+Now as mentioned ealier, when a SSL is created, it needs a SSL_CTX.
+SSL *   SSL_new(SSL_CTX *);
+
+This stores a session.  A session is secret information shared between 2
+SSL contexts.  It will only be created if both ends of the connection have
+authenticated their peer to their satisfaction.  It basically contains
+the information required to use a particular secret key cipher.
+
+To retrieve the SSL_CTX being used by a SSL,
+SSL_CTX *SSL_get_SSL_CTX(SSL *s);
+
+Now when a SSL session is established between to programs, the 'session'
+information that is cached in the SSL_CTX can me manipulated by the
+following functions.
+int SSL_set_session(SSL *s, SSL_SESSION *session);
+This will set the SSL_SESSION to use for the next SSL_connect().  If you use
+this function on an already 'open' established SSL connection, 'bad things
+will happen'.  This function is meaning-less when used on a ssl strucutre
+that is just about to be used in a SSL_accept() call since the
+SSL_accept() will either create a new session or retrieve one from the
+cache.
+
+SSL_SESSION *SSL_get_session(SSL *s);
+This will return the SSL_SESSION for the current SSL, NULL if there is
+no session associated with the SSL structure.
+
+The SSL sessions are kept in the SSL_CTX in a hash table, to remove a
+session
+void    SSL_CTX_remove_session(SSL_CTX *,SSL_SESSION *c);
+and to add one
+int    SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c);
+SSL_CTX_add_session() returns 1 if the session was already in the cache (so it
+was not added).
+Whenever a new session is created via SSL_connect()/SSL_accept(),
+they are automatically added to the cache, depending on the session_cache_mode
+settings.  SSL_set_session()
+does not add it to the cache.  Just call SSL_CTX_add_session() if you do want the
+session added.  For a 'client' this would not normally be the case.
+SSL_CTX_add_session() is not normally ever used, except for doing 'evil' things
+which the next 2 funtions help you do.
+
+int     i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp);
+SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,unsigned char **pp,long length);
+These 2 functions are in the standard ASN1 library form and can be used to
+load and save to a byte format, the SSL_SESSION structure.
+With these functions, you can save and read these structures to a files or
+arbitary byte string.
+The PEM_write_SSL_SESSION(fp,x) and PEM_read_SSL_SESSION(fp,x,cb) will
+write to a file pointer in base64 encoding.
+
+What you can do with this, is pass session information between separate
+processes.  Please note, that you will probably also need to modify the
+timeout information on the SSL_SESSIONs.
+
+long SSL_get_time(SSL_SESSION *s)
+will return the 'time' that the session
+was loaded.  The timeout is relative to this time.  This information is
+saved when the SSL_SESSION is converted to binarary but it is stored
+in as a unix long, which is rather OS dependant, but easy to convert back.
+
+long SSL_set_time(SSL_SESSION *s,long t) will set the above mentioned time.
+The time value is just the value returned from time(3), and should really
+be defined by be to be time_t.
+
+long SSL_get_timeout(SSL_SESSION *s);
+long SSL_set_timeout(SSL_SESSION *s,long t);
+These 2 retrieve and set the timeout which is just a number of secconds
+from the 'SSL_get_time()' value.  When this time period has elapesed,
+the session will no longer be in the cache (well it will actually be removed
+the next time it is attempted to be retrieved, so you could 'bump'
+the timeout so it remains valid).
+The 'time' and 'timeout' are set on a session when it is created, not reset
+each time it is reused.  If you did wish to 'bump it', just after establishing
+a connection, do a
+SSL_set_time(ssl,time(NULL));
+
+You can also use
+SSL_CTX_set_timeout(SSL_CTX *ctx,unsigned long t) and
+SSL_CTX_get_timeout(SSL_CTX *ctx) to manipulate the default timeouts for
+all SSL connections created against a SSL_CTX.  If you set a timeout in
+an SSL_CTX, all new SSL's created will inherit the timeout.  It can be over
+written by the SSL_set_timeout(SSL *s,unsigned long t) function call.
+If you 'set' the timeout back to 0, the system default will be used.
+
+SSL_SESSION *SSL_SESSION_new();
+void SSL_SESSION_free(SSL_SESSION *ses);
+These 2 functions are used to create and dispose of SSL_SESSION functions.
+You should not ever normally need to use them unless you are using 
+i2d_SSL_SESSION() and/or d2i_SSL_SESSION().  If you 'load' a SSL_SESSION
+via d2i_SSL_SESSION(), you will need to SSL_SESSION_free() it.
+Both SSL_set_session() and SSL_CTX_add_session() will 'take copies' of the
+structure (via reference counts) when it is passed to them.
+
+SSL_CTX_flush_sessions(ctx,time);
+The first function will clear all sessions from the cache, which have expired
+relative to 'time' (which could just be time(NULL)).
+
+SSL_CTX_flush_sessions(ctx,0);
+This is a special case that clears everything.
+
+As a final comment, a 'session' is not enough to establish a new
+connection.  If a session has timed out, a certificate and private key
+need to have been associated with the SSL structure.
+SSL_copy_session_id(SSL *to,SSL *from); will copy not only the session
+strucutre but also the private key and certificate associated with
+'from'.
+
+EXAMPLES.
+
+So lets play at being a wierd SSL server.
+
+/* setup a context */
+ctx=SSL_CTX_new();
+
+/* Lets load some session from binary into the cache, why one would do
+ * this is not toally clear, but passing between programs does make sense
+ * Perhaps you are using 4096 bit keys and are happy to keep them
+ * valid for a week, to avoid the RSA overhead of 15 seconds, I'm not toally
+ * sure, perhaps this is a process called from an SSL inetd and this is being 
+ * passed to the application. */
+session=d2i_SSL_SESSION(....)
+SSL_CTX_add_session(ctx,session);
+
+/* Lets even add a session from a file */
+session=PEM_read_SSL_SESSION(....)
+SSL_CTX_add_session(ctx,session);
+
+/* create a new SSL structure */
+ssl=SSL_new(ctx);
+
+/* At this point we want to be able to 'create' new session if
+ * required, so we need a certificate and RSAkey. */
+SSL_use_RSAPrivateKey_file(ssl,...)
+SSL_use_certificate_file(ssl,...)
+
+/* Now since we are a server, it make little sence to load a session against
+ * the ssl strucutre since a SSL_accept() will either create a new session or
+ * grab an existing one from the cache. */
+
+/* grab a socket descriptor */
+fd=accept(...);
+
+/* associated it with the ssl strucutre */
+SSL_set_fd(ssl,fd);
+
+SSL_accept(ssl); /* 'do' SSL using out cert and RSA key */
+
+/* Lets print out the session details or lets save it to a file,
+ * perhaps with a secret key cipher, so that we can pass it to the FBI
+ * when they want to decode the session :-).  While we have RSA
+ * this does not matter much but when I do SSLv3, this will allow a mechanism
+ * for the server/client to record the information needed to decode
+ * the traffic that went over the wire, even when using Diffie-Hellman */
+PEM_write_SSL_SESSION(SSL_get_session(ssl),stdout,....)
+
+Lets 'connect' back to the caller using the same session id.
+
+ssl2=SSL_new(ctx);
+fd2=connect(them);
+SSL_set_fd(ssl2,fd2);
+SSL_set_session(ssl2,SSL_get_session(ssl));
+SSL_connect(ssl2);
+
+/* what the hell, lets accept no more connections using this session */
+SSL_CTX_remove_session(SSL_get_SSL_CTX(ssl),SSL_get_session(ssl));
+
+/* we could have just as easily used ssl2 since they both are using the
+ * same session.
+ * You will note that both ssl and ssl2 are still using the session, and
+ * the SSL_SESSION structure will be free()ed when both ssl and ssl2
+ * finish using the session.  Also note that you could continue to initiate
+ * connections using this session by doing SSL_get_session(ssl) to get the
+ * existing session, but SSL_accept() will not be able to find it to
+ * use for incoming connections.
+ * Of corse, the session will timeout at the far end and it will no
+ * longer be accepted after a while.  The time and timeout are ignored except
+ * by SSL_accept(). */
+
+/* Since we have had our server running for 10 weeks, and memory is getting
+ * short, perhaps we should clear the session cache to remove those
+ * 100000 session entries that have expired.  Some may consider this
+ * a memory leak :-) */
+
+SSL_CTX_flush_sessions(ctx,time(NULL));
+
+/* Ok, after a bit more time we wish to flush all sessions from the cache
+ * so that all new connections will be authenticated and incure the
+ * public key operation overhead */
+
+SSL_CTX_flush_sessions(ctx,0);
+
+/* As a final note, to copy everything to do with a SSL, use */
+SSL_copy_session_id(SSL *to,SSL *from);
+/* as this also copies the certificate and RSA key so new session can
+ * be established using the same details */
+
+
+==== sha.doc ========================================================
+
+The SHA (Secure Hash Algorithm) library.
+SHA is a message digest algorithm that can be used to condense an arbitrary
+length message down to a 20 byte hash.  The functions all need to be passed
+a SHA_CTX which is used to hold the SHA context during multiple SHA_Update()
+function calls.  The normal method of use for this library is as follows
+This library contains both SHA and SHA-1 digest algorithms.  SHA-1 is
+an update to SHA (which should really be called SHA-0 now) which
+tweaks the algorithm slightly.  The SHA-1 algorithm is used by simply
+using SHA1_Init(), SHA1_Update(), SHA1_Final() and SHA1() instead of the
+SHA*() calls
+
+SHA_Init(...);
+SHA_Update(...);
+...
+SHA_Update(...);
+SHA_Final(...);
+
+This library requires the inclusion of 'sha.h'.
+
+The functions are as follows:
+
+void SHA_Init(
+SHA_CTX *c);
+        This function needs to be called to initiate a SHA_CTX structure for
+        use.
+        
+void SHA_Update(
+SHA_CTX *c;
+unsigned char *data;
+unsigned long len);
+        This updates the message digest context being generated with 'len'
+        bytes from the 'data' pointer.  The number of bytes can be any
+        length.
+
+void SHA_Final(
+unsigned char *md;
+SHA_CTX *c;
+        This function is called when a message digest of the data digested
+        with SHA_Update() is wanted.  The message digest is put in the 'md'
+        array and is SHA_DIGEST_LENGTH (20) bytes long.
+
+unsigned char *SHA(
+unsigned char *d;
+unsigned long n;
+unsigned char *md;
+        This function performs a SHA_Init(), followed by a SHA_Update()
+        followed by a SHA_Final() (using a local SHA_CTX).
+        The resulting digest is put into 'md' if it is not NULL.
+        Regardless of the value of 'md', the message
+        digest is returned from the function.  If 'md' was NULL, the message
+        digest returned is being stored in a static structure.
+        
+
+==== speed.doc ========================================================
+
+To get an idea of the performance of this library, use
+ssleay speed
+
+perl util/sp-diff.pl file1 file2
+
+will print out the relative differences between the 2 files which are
+expected to be the output from the speed program.
+
+The performace of the library is very dependant on the Compiler
+quality and various flags used to build.
+
+---
+
+These are some numbers I did comparing RSAref and SSLeay on a Pentium 100.
+[ These numbers are all out of date, as of SSL - 0.6.1 the RSA
+operations are about 2 times faster, so check the version number ]
+
+RSA performance.
+
+SSLeay 0.6.0
+Pentium 100, 32meg, Windows NT Workstation 3.51
+linux - gcc v 2.7.0 -O3 -fomit-frame-pointer -m486
+and
+Windows NT  - Windows NT 3.51 - Visual C++ 4.1   - 586 code + 32bit assember
+Windows 3.1 - Windows NT 3.51 - Visual C++ 1.52c - 286 code + 32bit assember
+NT Dos Shell- Windows NT 3.51 - Visual C++ 1.52c - 286 code + 16bit assember
+
+Times are how long it takes to do an RSA private key operation.
+
+               512bits 1024bits
+-------------------------------
+SSLeay NT dll   0.042s   0.202s see above
+SSLeay linux    0.046s   0.218s Assember inner loops (normal build) 
+SSLeay linux    0.067s   0.380s Pure C code with BN_LLONG defined
+SSLeay W3.1 dll 0.108s   0.478s see above
+SSLeay linux    0.109s   0.713s C without BN_LLONG.
+RSAref2.0 linux 0.149s   0.936s
+SSLeay MS-DOS   0.197s   1.049s see above
+
+486DX66, 32meg, Windows NT Server 3.51
+               512bits 1024bits
+-------------------------------
+SSLeay NT dll   0.084s   0.495s <- SSLeay 0.6.3
+SSLeay NT dll   0.154s   0.882s
+SSLeay W3.1 dll 0.335s   1.538s
+SSLeay MS-DOS   0.490s   2.790s
+
+What I find cute is that I'm still faster than RSAref when using standard C,
+without using the 'long long' data type :-), %35 faster for 512bit and we
+scale up to 3.2 times faster for the 'default linux' build.  I should mention
+that people should 'try' to use either x86-lnx.s (elf), x86-lnxa.s or
+x86-sol.s for any x86 based unix they are building on.  The only problems
+with be with syntax but the performance gain is quite large, especially for
+servers.  The code is very simple, you just need to modify the 'header'.
+
+The message is, if you are stuck using RSAref, the RSA performance will be
+bad. Considering the code was compiled for a pentium, the 486DX66 number
+would indicate 'Use RSAref and turn you Pentium 100 into a 486DX66' :-). 
+[ As of verson 0.6.1, it would be correct to say 'turn you pentium 100
+ into a 486DX33' :-) ]
+
+I won't tell people if the DLL's are using RSAref or my stuff if no-one
+asks :-).
+
+eric
+
+PS while I know I could speed things up further, I will probably not do
+   so due to the effort involved.  I did do some timings on the
+   SSLeay bignum format -> RSAref number format conversion that occurs
+   each time RSAref is used by SSLeay, and the numbers are trivial.
+   0.00012s a call for 512bit vs 0.149s for the time spent in the function.
+   0.00018s for 1024bit vs 0.938s.  Insignificant.
+   So the 'way to go', to support faster RSA libraries, if people are keen,
+   is to write 'glue' code in a similar way that I do for RSAref and send it
+   to me :-).
+   My base library still has the advantage of being able to operate on 
+   any size numbers, and is not that far from the performance from the
+   leaders in the field. (-%30?)
+   [ Well as of 0.6.1 I am now the leader in the filed on x86 (we at
+     least very close :-) ]
+
+   I suppose I should also mention some other numbers RSAref numbers, again
+   on my Pentium.
+                DES CBC         EDE-DES         MD5
+   RSAref linux  830k/s          302k/s         4390k/s
+   SSLeay linux  855k/s          319k/s        10025k/s
+   SSLeay NT    1158k/s          410k/s        10470k/s
+   SSLeay w31    378k/s          143k/s         2383k/s (fully 16bit)
+
+   Got to admit that Visual C++ 4.[01] is a damn fine compiler :-)
+--
+Eric Young                  | BOOL is tri-state according to Bill Gates.
+AARNet: eay@cryptsoft.com   | RTFM Win32 GetMessage().
+
+
+
+
+==== ssl-ciph.doc ========================================================
+
+This is a quick high level summery of how things work now.
+
+Each SSLv2 and SSLv3 cipher is composed of 4 major attributes plus a few extra
+minor ones.
+
+They are 'The key exchange algorithm', which is RSA for SSLv2 but can also
+be Diffle-Hellman for SSLv3.
+
+An 'Authenticion algorithm', which can be RSA, Diffle-Helman, DSS or
+none.
+
+The cipher
+
+The MAC digest.
+
+A cipher can also be an export cipher and is either an SSLv2 or a
+SSLv3 ciphers.
+
+To specify which ciphers to use, one can either specify all the ciphers,
+one at a time, or use 'aliases' to specify the preference and order for
+the ciphers.
+
+There are a large number of aliases, but the most importaint are
+kRSA, kDHr, kDHd and kEDH for key exchange types.
+
+aRSA, aDSS, aNULL and aDH for authentication
+DES, 3DES, RC4, RC2, IDEA and eNULL for ciphers
+MD5, SHA0 and SHA1 digests
+
+Now where this becomes interesting is that these can be put together to
+specify the order and ciphers you wish to use.
+
+To speed this up there are also aliases for certian groups of ciphers.
+The main ones are
+SSLv2   - all SSLv2 ciphers
+SSLv3   - all SSLv3 ciphers
+EXP     - all export ciphers
+LOW     - all low strngth ciphers (no export ciphers, normally single DES)
+MEDIUM  - 128 bit encryption
+HIGH    - Triple DES
+
+These aliases can be joined in a : separated list which specifies to
+add ciphers, move them to the current location and delete them.
+
+A simpler way to look at all of this is to use the 'ssleay ciphers -v' command.
+The default library cipher spec is
+!ADH:RC4+RSA:HIGH:MEDIUM:LOW:EXP:+SSLv2:+EXP
+which means, first, remove from consideration any ciphers that do not
+authenticate.  Next up, use ciphers using RC4 and RSA.  Next include the HIGH,
+MEDIUM and the LOW security ciphers.  Finish up by adding all the export
+ciphers on the end, then 'pull' all the SSLv2 and export ciphers to
+the end of the list.
+
+The results are
+$ ssleay ciphers -v '!ADH:RC4+RSA:HIGH:MEDIUM:LOW:EXP:+SSLv2:+EXP'
+
+RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
+RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5 
+EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
+EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
+DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
+IDEA-CBC-MD5            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
+EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
+EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
+DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
+DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5 
+DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5 
+IDEA-CBC-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=MD5 
+RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5 
+RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5 
+EXP-EDH-RSA-DES-CBC     SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
+EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
+EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
+EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
+EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
+EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
+EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
+
+I would recoment people use the 'ssleay ciphers -v "text"'
+command to check what they are going to use.
+
+Anyway, I'm falling asleep here so I'll do some more tomorrow.
+
+eric
+
+==== ssl.doc ========================================================
+
+SSL_CTX_sessions(SSL_CTX *ctx) - the session-id hash table.
+
+/* Session-id cache stats */
+SSL_CTX_sess_number
+SSL_CTX_sess_connect
+SSL_CTX_sess_connect_good
+SSL_CTX_sess_accept
+SSL_CTX_sess_accept_good
+SSL_CTX_sess_hits
+SSL_CTX_sess_cb_hits
+SSL_CTX_sess_misses
+SSL_CTX_sess_timeouts
+
+/* Session-id application notification callbacks */
+SSL_CTX_sess_set_new_cb
+SSL_CTX_sess_get_new_cb
+SSL_CTX_sess_set_get_cb
+SSL_CTX_sess_get_get_cb
+
+/* Session-id cache operation mode */
+SSL_CTX_set_session_cache_mode
+SSL_CTX_get_session_cache_mode
+
+/* Set default timeout values to use. */
+SSL_CTX_set_timeout
+SSL_CTX_get_timeout
+
+/* Global  SSL initalisation informational callback */
+SSL_CTX_set_info_callback
+SSL_CTX_get_info_callback
+SSL_set_info_callback
+SSL_get_info_callback
+
+/* If the SSL_accept/SSL_connect returned with -1, these indicate when
+ * we should re-call *.
+SSL_want
+SSL_want_nothing
+SSL_want_read
+SSL_want_write
+SSL_want_x509_lookup
+
+/* Where we are in SSL initalisation, used in non-blocking, perhaps
+ * have a look at ssl/bio_ssl.c */
+SSL_state
+SSL_is_init_finished
+SSL_in_init
+SSL_in_connect_init
+SSL_in_accept_init
+
+/* Used to set the 'inital' state so SSL_in_connect_init and SSL_in_accept_init
+ * can be used to work out which function to call. */
+SSL_set_connect_state
+SSL_set_accept_state
+
+/* Where to look for certificates for authentication */
+SSL_set_default_verify_paths /* calles SSL_load_verify_locations */
+SSL_load_verify_locations
+
+/* get info from an established connection */
+SSL_get_session
+SSL_get_certificate
+SSL_get_SSL_CTX
+
+SSL_CTX_new
+SSL_CTX_free
+SSL_new
+SSL_clear
+SSL_free
+
+SSL_CTX_set_cipher_list
+SSL_get_cipher
+SSL_set_cipher_list
+SSL_get_cipher_list
+SSL_get_shared_ciphers
+
+SSL_accept
+SSL_connect
+SSL_read
+SSL_write
+
+SSL_debug
+
+SSL_get_read_ahead
+SSL_set_read_ahead
+SSL_set_verify
+
+SSL_pending
+
+SSL_set_fd
+SSL_set_rfd
+SSL_set_wfd
+SSL_set_bio
+SSL_get_fd
+SSL_get_rbio
+SSL_get_wbio
+
+SSL_use_RSAPrivateKey
+SSL_use_RSAPrivateKey_ASN1
+SSL_use_RSAPrivateKey_file
+SSL_use_PrivateKey
+SSL_use_PrivateKey_ASN1
+SSL_use_PrivateKey_file
+SSL_use_certificate
+SSL_use_certificate_ASN1
+SSL_use_certificate_file
+
+ERR_load_SSL_strings
+SSL_load_error_strings
+
+/* human readable version of the 'state' of the SSL connection. */
+SSL_state_string
+SSL_state_string_long
+/* These 2 report what kind of IO operation the library was trying to
+ * perform last.  Probably not very usefull. */
+SSL_rstate_string
+SSL_rstate_string_long
+
+SSL_get_peer_certificate
+
+SSL_SESSION_new
+SSL_SESSION_print_fp
+SSL_SESSION_print
+SSL_SESSION_free
+i2d_SSL_SESSION
+d2i_SSL_SESSION
+
+SSL_get_time
+SSL_set_time
+SSL_get_timeout
+SSL_set_timeout
+SSL_copy_session_id
+SSL_set_session
+SSL_CTX_add_session
+SSL_CTX_remove_session
+SSL_CTX_flush_sessions
+
+BIO_f_ssl
+
+/* used to hold information as to why a certificate verification failed */
+SSL_set_verify_result
+SSL_get_verify_result
+
+/* can be used by the application to associate data with an SSL structure.
+ * It needs to be 'free()ed' by the application */
+SSL_set_app_data
+SSL_get_app_data
+
+/* The following all set values that are kept in the SSL_CTX but
+ * are used as the default values when an SSL session is created.
+ * They are over writen by the relevent SSL_xxxx functions */
+
+/* SSL_set_verify */
+void SSL_CTX_set_default_verify
+
+/* This callback, if set, totaly overrides the normal SSLeay verification
+ * functions and should return 1 on sucesss and 0 on failure */
+void SSL_CTX_set_cert_verify_callback
+
+/* The following are the same as the equivilent SSL_xxx functions.
+ * Only one copy of this information is kept and if a particular
+ * SSL structure has a local override, it is totally separate structure.
+ */
+int SSL_CTX_use_RSAPrivateKey
+int SSL_CTX_use_RSAPrivateKey_ASN1
+int SSL_CTX_use_RSAPrivateKey_file
+int SSL_CTX_use_PrivateKey
+int SSL_CTX_use_PrivateKey_ASN1
+int SSL_CTX_use_PrivateKey_file
+int SSL_CTX_use_certificate
+int SSL_CTX_use_certificate_ASN1
+int SSL_CTX_use_certificate_file
+
+
+==== ssl_ctx.doc ========================================================
+
+This is now a bit dated, quite a few of the SSL_ functions could be
+SSL_CTX_ functions.  I will update this in the future. 30 Aug 1996
+
+From eay@orb.mincom.oz.au Mon Dec 11 21:37:08 1995
+Received: by orb.mincom.oz.au id AA00696
+  (5.65c/IDA-1.4.4 for eay); Mon, 11 Dec 1995 11:37:08 +1000
+Date: Mon, 11 Dec 1995 11:37:08 +1000 (EST)
+From: Eric Young <eay@mincom.oz.au>
+X-Sender: eay@orb
+To: sameer <sameer@c2.org>
+Cc: Eric Young <eay@mincom.oz.au>
+Subject: Re: PEM_readX509 oesn't seem to be working
+In-Reply-To: <199512110102.RAA12521@infinity.c2.org>
+Message-Id: <Pine.SOL.3.91.951211112115.28608D-100000@orb>
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+Status: RO
+X-Status: 
+
+On Sun, 10 Dec 1995, sameer wrote:
+>       OK, that's solved. I've found out that it is saying "no
+> certificate set" in SSL_accept because s->conn == NULL
+> so there is some place I need to initialize s->conn that I am
+> not initializing it.
+
+The full order of things for a server should be.
+
+ctx=SSL_CTX_new();
+
+/* The next line should not really be using ctx->cert but I'll leave it 
+ * this way right now... I don't want a X509_ routine to know about an SSL
+ * structure, there should be an SSL_load_verify_locations... hmm, I may 
+ * add it tonight.
+ */
+X509_load_verify_locations(ctx->cert,CAfile,CApath);
+
+/* Ok now for each new connection we do the following */
+con=SSL_new(ctx);
+SSL_set_fd(con,s);
+SSL_set_verify(con,verify,verify_callback);
+
+/* set the certificate and private key to use. */
+SSL_use_certificate_ASN1(con,X509_certificate);
+SSL_use_RSAPrivateKey_ASN1(con,RSA_private_key);
+
+SSL_accept(con);
+
+SSL_read(con)/SSL_write(con);
+
+There is a bit more than that but that is basically the structure.
+
+Create a context and specify where to lookup certificates.
+
+foreach connection
+        {
+        create a SSL structure
+        set the certificate and private key
+        do a SSL_accept
+        
+        we should now be ok
+        }
+
+eric
+--
+Eric Young                  | Signature removed since it was generating
+AARNet: eay@mincom.oz.au    | more followups than the message contents :-)
+
+
+
+==== ssleay.doc ========================================================
+
+SSLeay: a cryptographic kitchen sink.
+
+1st December 1995
+Way back at the start of April 1995, I was looking for a mindless
+programming project.  A friend of mine (Tim Hudson) said "why don't you do SSL,
+it has DES encryption in it and I would not mind using it in a SSL telnet".
+While it was true I had written a DES library in previous years, litle
+did I know what an expansive task SSL would turn into.
+
+First of all, the SSL protocol contains DES encryption.  Well and good.  My
+DES library was fast and portable.  It also contained the RSA's RC4 stream
+cipher.  Again, not a problem, some-one had just posted to sci.crypt
+something that was claimed to be RC4.  It also contained IDEA, I had the
+specifications, not a problem to implement.  MD5, an RFC, trivial, at most
+I could spend a week or so trying to see if I could speed up the
+implementation.  All in all a nice set of ciphers.
+Then the first 'expantion of the scope', RSA public key
+encryption.  Since I did not knowing a thing about public key encryption
+or number theory, this appeared quite a daunting task.  Just writing a
+big number library would be problomatic in itself, let alone making it fast.
+At this point the scope of 'implementing SSL' expands eponentialy.
+First of all, the RSA private keys  were being kept in ASN.1 format.
+Thankfully the RSA PKCS series of documents explains this format.  So I now
+needed to be able to encode and decode arbitary ASN.1 objects.  The Public
+keys were embeded in X509 certificates.  Hmm... these are not only
+ASN.1 objects but they make up a heirachy of authentication.  To
+authenticate a X509 certificate one needs to retrieve it's issuers
+certificate etc etc.  Hmm..., so I also need to implement some kind
+of certificate management software.  I would also have to implement
+software to authenticate certificates.  At this point the support code made
+the SSL part of my library look quite small.
+Around this time, the first version of SSLeay was released.
+
+Ah, but here was the problem, I was not happy with the code so far.  As may
+have become obvious, I had been treating all of this as a learning
+exersize, so I have completely written the library myself.  As such, due
+to the way it had grown like a fungus, much of the library was not
+'elagent' or neat.  There were global and static variables all over the
+place, the SSL part did not even handle non-blocking IO.
+The Great rewrite began.
+
+As of this point in time, the 'Great rewrite' has almost finished.  So what
+follows is an approximate list of what is actually SSLeay 0.5.0
+
+/********* This needs to be updated for 0.6.0+ *************/
+
+---
+The library contains the following routines.  Please note that most of these
+functions are not specfic for SSL or any other particular cipher
+implementation.  I have tried to make all the routines as general purpose
+as possible.  So you should not think of this library as an SSL
+implemtation, but rather as a library of cryptographic functions
+that also contains SSL.  I refer to each of these function groupings as
+libraries since they are often capable of functioning as independant
+libraries
+
+First up, the general ciphers and message digests supported by the library.
+
+MD2     rfc???, a standard 'by parts' interface to this algorithm.
+MD5     rfc???, the same type of interface as for the MD2 library except a
+        different algorithm.
+SHA     THe Secure Hash Algorithm.  Again the same type of interface as
+        MD2/MD5 except the digest is 20 bytes.
+SHA1    The 'revised' version of SHA.  Just about identical to SHA except
+        for one tweak of an inner loop.
+DES     This is my libdes library that has been floating around for the last
+        few years.  It has been enhanced for no other reason than completeness.
+        It now supports ecb, cbc, cfb, ofb, cfb64, ofb64 in normal mode and
+        triple DES modes of ecb, cbc, cfb64 and ofb64.  cfb64 and ofb64 are
+        functional interfaces to the 64 bit modes of cfb and ofb used in
+        such a way thay they function as single character interfaces.
+RC4     The RSA Inc. stream cipher.
+RC2     The RSA Inc. block cipher.
+IDEA    An implmentation of the IDEA cipher, the library supports ecb, cbc,
+        cfb64 and ofb64 modes of operation.
+
+Now all the above mentioned ciphers and digests libraries support high
+speed, minimal 'crap in the way' type interfaces.  For fastest and
+lowest level access, these routines should be used directly.
+
+Now there was also the matter of public key crypto systems.  These are
+based on large integer arithmatic.
+
+BN      This is my large integer library.  It supports all the normal
+        arithmentic operations.  It uses malloc extensivly and as such has
+        no limits of the size of the numbers being manipulated.  If you
+        wish to use 4000 bit RSA moduli, these routines will handle it.
+        This library also contains routines to 'generate' prime numbers and
+        to test for primality.  The RSA and DH libraries sit on top of this
+        library.  As of this point in time, I don't support SHA, but
+        when I do add it, it will just sit on top of the routines contained
+        in this library.
+RSA     This implements the RSA public key algorithm.  It also contains
+        routines that will generate a new private/public key pair.
+        All the RSA functions conform to the PKCS#1 standard.
+DH      This is an implementation of the
+        Diffie-Hellman protocol.  There are all the require routines for
+        the protocol, plus extra routines that can be used to generate a
+        strong prime for use with a specified generator.  While this last
+        routine is not generally required by applications implementing DH,
+        It is present for completeness and because I thing it is much
+        better to be able to 'generate' your own 'magic' numbers as oposed
+        to using numbers suplied by others.  I conform to the PKCS#3
+        standard where required.
+
+You may have noticed the preceeding section mentions the 'generation' of
+prime numbers.  Now this requries the use of 'random numbers'. 
+
+RAND    This psuedo-random number library is based on MD5 at it's core
+        and a large internal state (2k bytes).  Once you have entered enough
+        seed data into this random number algorithm I don't feel
+        you will ever need to worry about it generating predictable output.
+        Due to the way I am writing a portable library, I have left the
+        issue of how to get good initial random seed data upto the
+        application but I do have support routines for saving and loading a
+        persistant random number state for use between program runs.
+        
+Now to make all these ciphers easier to use, a higher level
+interface was required.  In this form, the same function would be used to
+encrypt 'by parts', via any one of the above mentioned ciphers.
+
+EVP     The Digital EnVeloPe library is quite large.  At it's core are
+        function to perform encryption and decryption by parts while using
+        an initial parameter to specify which of the 17 different ciphers
+        or 4 different message digests to use.  On top of these are implmented
+        the digital signature functions, sign, verify, seal and open.
+        Base64 encoding of binary data is also done in this library.
+
+PEM     rfc???? describe the format for Privacy Enhanced eMail.
+        As part of this standard, methods of encoding digital enveloped
+        data is an ascii format are defined.  As such, I use a form of these
+        to encode enveloped data.  While at this point in time full support
+        for PEM has not been built into the library, a minimal subset of
+        the secret key and Base64 encoding is present.  These reoutines are
+        mostly used to Ascii encode binary data with a 'type' associated
+        with it and perhaps details of private key encryption used to
+        encrypt the data.
+        
+PKCS7   This is another Digital Envelope encoding standard which uses ASN.1
+        to encode the data.  At this point in time, while there are some
+        routines to encode and decode this binary format, full support is
+        not present.
+        
+As Mentioned, above, there are several different ways to encode
+data structures.
+
+ASN1    This library is more a set of primatives used to encode the packing
+        and unpacking of data structures.  It is used by the X509
+        certificate standard and by the PKCS standards which are used by
+        this library.  It also contains routines for duplicating and signing
+        the structures asocisated with X509.
+        
+X509    The X509 library contains routines for packing and unpacking,
+        verifying and just about every thing else you would want to do with
+        X509 certificates.
+
+PKCS7   PKCS-7 is a standard for encoding digital envelope data
+        structures.  At this point in time the routines will load and save
+        DER forms of these structees.  They need to be re-worked to support
+        the BER form which is the normal way PKCS-7 is encoded.  If the
+        previous 2 sentances don't make much sense, don't worry, this
+        library is not used by this version of SSLeay anyway.
+
+OBJ     ASN.1 uses 'object identifiers' to identify objects.  A set of
+        functions were requred to translate from ASN.1 to an intenger, to a
+        character string.  This library provieds these translations
+        
+Now I mentioned an X509 library.  X509 specified a hieachy of certificates
+which needs to be traversed to authenticate particular certificates.
+
+METH    This library is used to push 'methods' of retrieving certificates
+        into the library.  There are some supplied 'methods' with SSLeay
+        but applications can add new methods if they so desire.
+        This library has not been finished and is not being used in this
+        version.
+        
+Now all the above are required for use in the initial point of this project.
+
+SSL     The SSL protocol.  This is a full implmentation of SSL v 2.  It
+        support both server and client authentication.  SSL v 3 support
+        will be added when the SSL v 3 specification is released in it's
+        final form.
+
+Now quite a few of the above mentioned libraries rely on a few 'complex'
+data structures.  For each of these I have a library.
+
+Lhash   This is a hash table library which is used extensivly.
+
+STACK   An implemetation of a Stack data structure.
+
+BUF     A simple character array structure that also support a function to
+        check that the array is greater that a certain size, if it is not,
+        it is realloced so that is it.
+        
+TXT_DB  A simple memory based text file data base.  The application can specify
+        unique indexes that will be enforced at update time.
+
+CONF    Most of the programs written for this library require a configuration
+        file.  Instead of letting programs constantly re-implment this
+        subsystem, the CONF library provides a consistant and flexable
+        interface to not only configuration files but also environment
+        variables.
+
+But what about when something goes wrong?
+The one advantage (and perhaps disadvantage) of all of these
+functions being in one library was the ability to implement a
+single error reporting system.
+        
+ERR     This library is used to report errors.  The error system records
+        library number, function number (in the library) and reason
+        number.  Multiple errors can be reported so that an 'error' trace
+        is created.  The errors can be printed in numeric or textual form.
+
+
+==== ssluse.doc ========================================================
+
+We have an SSL_CTX which contains global information for lots of
+SSL connections.  The session-id cache and the certificate verificate cache.
+It also contains default values for use when certificates are used.
+
+SSL_CTX
+        default cipher list
+        session-id cache
+        certificate cache
+        default session-id timeout period
+        New session-id callback
+        Required session-id callback
+        session-id stats
+        Informational callback
+        Callback that is set, overrides the SSLeay X509 certificate
+          verification
+        The default Certificate/Private Key pair
+        Default read ahead mode.
+        Default verify mode and verify callback.  These are not used
+          if the over ride callback mentioned above is used.
+        
+Each SSL can have the following defined for it before a connection is made.
+
+Certificate
+Private key
+Ciphers to use
+Certificate verify mode and callback
+IO object to use in the comunication.
+Some 'read-ahead' mode information.
+A previous session-id to re-use.
+
+A connection is made by using SSL_connect or SSL_accept.
+When non-blocking IO is being used, there are functions that can be used
+to determin where and why the SSL_connect or SSL_accept did not complete.
+This information can be used to recall the functions when the 'error'
+condition has dissapeared.
+
+After the connection has been made, information can be retrived about the
+SSL session and the session-id values that have been decided apon.
+The 'peer' certificate can be retrieved.
+
+The session-id values include
+'start time'
+'timeout length'
+
+
+
+==== stack.doc ========================================================
+
+The stack data structure is used to store an ordered list of objects.
+It is basically misnamed to call it a stack but it can function that way
+and that is what I originally used it for.  Due to the way element
+pointers are kept in a malloc()ed array, the most efficient way to use this
+structure is to add and delete elements from the end via sk_pop() and
+sk_push().  If you wish to do 'lookups' sk_find() is quite efficient since
+it will sort the stack (if required) and then do a binary search to lookup 
+the requested item.  This sorting occurs automatically so just sk_push()
+elements on the stack and don't worry about the order.  Do remember that if
+you do a sk_find(), the order of the elements will change.
+
+You should never need to 'touch' this structure directly.
+typedef struct stack_st
+        {
+        unsigned int num;
+        char **data;
+        int sorted;
+
+        unsigned int num_alloc;
+        int (*comp)();
+        } STACK;
+
+'num' holds the number of elements in the stack, 'data' is the array of
+elements.  'sorted' is 1 is the list has been sorted, 0 if not.
+
+num_alloc is the number of 'nodes' allocated in 'data'.  When num becomes
+larger than num_alloc, data is realloced to a larger size.
+If 'comp' is set, it is a function that is used to compare 2 of the items
+in the stack.  The function should return -1, 0 or 1, depending on the
+ordering.
+
+#define sk_num(sk)      ((sk)->num)
+#define sk_value(sk,n)  ((sk)->data[n])
+
+These 2 macros should be used to access the number of elements in the
+'stack' and to access a pointer to one of the values.
+
+STACK *sk_new(int (*c)());
+        This creates a new stack.  If 'c', the comparison function, is not
+specified, the various functions that operate on a sorted 'stack' will not
+work (sk_find()).  NULL is returned on failure.
+
+void sk_free(STACK *);
+        This function free()'s a stack structure.  The elements in the
+stack will not be freed so one should 'pop' and free all elements from the
+stack before calling this function or call sk_pop_free() instead.
+
+void sk_pop_free(STACK *st; void (*func)());
+        This function calls 'func' for each element on the stack, passing
+the element as the argument.  sk_free() is then called to free the 'stack'
+structure.
+
+int sk_insert(STACK *sk,char *data,int where);
+        This function inserts 'data' into stack 'sk' at location 'where'.
+If 'where' is larger that the number of elements in the stack, the element
+is put at the end.  This function tends to be used by other 'stack'
+functions.  Returns 0 on failure, otherwise the number of elements in the
+new stack.
+
+char *sk_delete(STACK *st,int loc);
+        Remove the item a location 'loc' from the stack and returns it.
+Returns NULL if the 'loc' is out of range.
+
+char *sk_delete_ptr(STACK *st, char *p);
+        If the data item pointed to by 'p' is in the stack, it is deleted
+from the stack and returned.  NULL is returned if the element is not in the
+stack.
+
+int sk_find(STACK *st,char *data);
+        Returns the location that contains a value that is equal to 
+the 'data' item.  If the comparison function was not set, this function
+does a linear search.  This function actually qsort()s the stack if it is not
+in order and then uses bsearch() to do the initial search.  If the
+search fails,, -1 is returned.  For mutliple items with the same
+value, the index of the first in the array is returned.
+
+int sk_push(STACK *st,char *data);
+        Append 'data' to the stack.  0 is returned if there is a failure
+(due to a malloc failure), else 1.  This is 
+sk_insert(st,data,sk_num(st));
+
+int sk_unshift(STACK *st,char *data);
+        Prepend 'data' to the front (location 0) of the stack.  This is
+sk_insert(st,data,0);
+
+char *sk_shift(STACK *st);
+        Return and delete from the stack the first element in the stack.
+This is sk_delete(st,0);
+
+char *sk_pop(STACK *st);
+        Return and delete the last element on the stack.  This is
+sk_delete(st,sk_num(sk)-1);
+
+void sk_zero(STACK *st);
+        Removes all items from the stack.  It does not 'free'
+pointers but is a quick way to clear a 'stack of references'.
+
+==== threads.doc ========================================================
+
+How to compile SSLeay for multi-threading.
+
+Well basically it is quite simple, set the compiler flags and build.
+I have only really done much testing under Solaris and Windows NT.
+If you library supports localtime_r() and gmtime_r() add,
+-DTHREADS to the makefile parameters.  You can probably survive with out
+this define unless you are going to have multiple threads generating
+certificates at once.  It will not affect the SSL side of things.
+
+The approach I have taken to doing locking is to make the application provide
+callbacks to perform locking and so that the SSLeay library can distinguish
+between threads (for the error state).
+
+To have a look at an example program, 'cd mt; vi mttest.c'.
+To build under solaris, sh solaris.sh, for Windows NT or Windows 95,
+win32.bat
+
+This will build mttest which will fire up 10 threads that talk SSL
+to each other 10 times.
+To enable everything to work, the application needs to call
+
+CRYPTO_set_id_callback(id_function);
+CRYPTO_set_locking_callback(locking_function);
+
+before any multithreading is started.
+id_function does not need to be defined under Windows NT or 95, the
+correct function will be called if it is not.  Under unix, getpid()
+is call if the id_callback is not defined, for solaris this is wrong
+(since threads id's are not pid's) but under IRIX it is correct
+(threads are just processes sharing the data segement).
+
+The locking_callback is used to perform locking by the SSLeay library.
+eg.
+
+void solaris_locking_callback(mode,type,file,line)
+int mode;
+int type;
+char *file;
+int line;
+        {
+        if (mode & CRYPTO_LOCK)
+                mutex_lock(&(lock_cs[type]));
+        else
+                mutex_unlock(&(lock_cs[type]));
+        }
+
+Now in this case I have used mutexes instead of read/write locks, since they
+are faster and there are not many read locks in SSLeay, you may as well
+always use write locks.  file and line are __FILE__ and __LINE__ from
+the compile and can be usefull when debugging.
+
+Now as you can see, 'type' can be one of a range of values, these values are
+defined in crypto/crypto.h
+CRYPTO_get_lock_name(type) will return a text version of what the lock is.
+There are CRYPTO_NUM_LOCKS locks required, so under solaris, the setup
+for multi-threading can be
+
+static mutex_t lock_cs[CRYPTO_NUM_LOCKS];
+
+void thread_setup()
+        {
+        int i;
+
+        for (i=0; i<CRYPTO_NUM_LOCKS; i++)
+                mutex_init(&(lock_cs[i]),USYNC_THREAD,NULL);
+        CRYPTO_set_id_callback((unsigned long (*)())solaris_thread_id);
+        CRYPTO_set_locking_callback((void (*)())solaris_locking_callback);
+        }
+
+As a final note, under Windows NT or Windows 95, you have to be careful
+not to mix the various threaded, unthreaded and debug libraries.
+Normally if they are mixed incorrectly, mttest will crash just after printing
+out some usage statistics at the end.  This is because the
+different system libraries use different malloc routines and if
+data is malloc()ed inside crypt32.dll or ssl32.dll and then free()ed by a
+different library malloc, things get very confused.
+
+The default SSLeay DLL builds use /MD, so if you use this on your
+application, things will work as expected.  If you use /MDd,
+you will probably have to rebuild SSLeay using this flag.
+I should modify util/mk1mf.pl so it does all this correctly, but 
+this has not been done yet.
+
+One last warning.  Because locking overheads are actually quite large, the
+statistics collected against the SSL_CTX for successfull connections etc
+are not locked when updated.  This does make it possible for these
+values to be slightly lower than they should be, if you are
+running multithreaded on a multi-processor box, but this does not really
+matter much.
+
+
+==== txt_db.doc ========================================================
+
+TXT_DB, a simple text based in memory database.
+
+It holds rows of ascii data, for which the only special character is '\0'.
+The rows can be of an unlimited length.
+
+==== why.doc ========================================================
+
+This file is more of a note for other people who wish to understand why
+the build environment is the way it is :-).
+
+The include files 'depend' as follows.
+Each of 
+crypto/*/*.c includes crypto/cryptlib.h
+ssl/*.c include ssl/ssl_locl.h
+apps/*.c include apps/apps.h
+crypto/cryptlib.h, ssl/ssl_locl.h and apps/apps.h
+all include e_os.h which contains OS/environment specific information.
+If you need to add something todo with a particular environment,
+add it to this file.  It is worth remembering that quite a few libraries,
+like lhash, des, md, sha etc etc do not include crypto/cryptlib.h.  This
+is because these libraries should be 'independantly compilable' and so I
+try to keep them this way.
+e_os.h is not so much a part of SSLeay, as the placing in one spot all the
+evil OS dependant muck.
+
+I wanted to automate as many things as possible.  This includes
+error number generation.  A
+make errors
+will scan the source files for error codes, append them to the correct
+header files, and generate the functions to print the text version
+of the error numbers.  So don't even think about adding error numbers by
+hand, put them in the form
+XXXerr(XXXX_F_XXXX,YYYY_R_YYYY);
+on line and it will be automatically picked up my a make errors.
+
+In a similar vein, programs to be added into ssleay in the apps directory
+just need to have an entry added to E_EXE in makefile.ssl and
+everthing will work as expected.  Don't edit progs.h by hand.
+
+make links re-generates the symbolic links that are used.  The reason why
+I keep everything in its own directory, and don't put all the
+test programs and header files in 'test' and 'include' is because I want
+to keep the 'sub-libraries' independant.  I still 'pull' out
+indervidual libraries for use in specific projects where the code is
+required.  I have used the 'lhash' library in just about every software
+project I have worked on :-).
+
+make depend generates dependancies and
+make dclean removes them.
+
+You will notice that I use perl quite a bit when I could be using 'sed'.
+The reason I decided to do this was to just stick to one 'extra' program.
+For Windows NT, I have perl and no sed.
+
+The util/mk1mf.pl program can be used to generate a single makefile.
+I use this because makefiles under Microsoft are horrific.
+Each C compiler seems to have different linker formats, which have
+to be used because the retarted C compilers explode when you do
+cl -o file *.o.
+
+Now some would argue that I should just use the single makefile.  I don't
+like it during develoment for 2 reasons.  First, the actuall make
+command takes a long time.  For my current setup, if I'm in
+crypto/bn and I type make, only the crypto/bn directory gets rebuilt,
+which is nice when you are modifying prototypes in bn.h which
+half the SSLeay depends on.  The second is that to add a new souce file
+I just plonk it in at the required spot in the local makefile.  This
+then alows me to keep things local, I don't need to modify a 'global'
+tables (the make for unix, the make for NT, the make for w31...).
+When I am ripping apart a library structure, it is nice to only
+have to worry about one directory :-).
+
+Having said all this, for the hell of it I put together 2 files that
+#include all the souce code (generated by doing a ls */*.o after a build).
+crypto.c takes only 30 seconds to build under NT and 2 minutes under linux
+for my pentium100.  Much faster that the normal build :-).
+Again, the problem is that when using libraries, every program linked
+to libcrypto.a would suddenly get 330k of library when it may only need
+1k.  This technique does look like a nice way to do shared libraries though.
+
+Oh yes, as a final note, to 'build' a distribution, I just type
+make dist.
+This cleans and packages everything.  The directory needs to be called
+SSLeay since the make does a 'cd ..' and renames and tars things up.
+
+==== req.1 ========================================================
+
+The 'req' command is used to manipulate and deal with pkcs#10
+certificate requests.
+
+It's default mode of operation is to load a certificate and then
+write it out again.
+
+By default the 'req' is read from stdin in 'PEM' format.
+The -inform option can be used to specify 'pem' format or 'der'
+format.  PEM format is the base64 encoding of the DER format.
+
+By default 'req' then writes the request back out. -outform can be used
+to indicate the desired output format, be it 'pem' or 'der'.
+
+To specify an input file, use the '-in' option and the '-out' option
+can be used to specify the output file.
+
+If you wish to perform a command and not output the certificate
+request afterwards, use the '-noout' option.
+
+When a certificate is loaded, it can be printed in a human readable
+ascii format via the '-text' option.
+
+To check that the signature on a certificate request is correct, use
+the '-verify' option to make sure that the private key contained in the
+certificate request corresponds to the signature.
+
+Besides the default mode, there is also the 'generate a certificate
+request' mode.  There are several flags that trigger this mode.
+
+-new will generate a new RSA key (if required) and then prompts
+the user for details for the certificate request.
+-newkey has an argument that is the number of bits to make the new
+key.  This function also triggers '-new'.
+
+The '-new' option can have a key to use specified instead of having to
+load one, '-key' is used to specify the file containg the key.
+-keyform can be used to specify the format of the key.  Only
+'pem' and 'der' formats are supported, later, 'netscape' format may be added.
+
+Finally there is the '-x509' options which makes req output a self
+signed x509 certificate instead of a certificate request.
+
+Now as you may have noticed, there are lots of default options that
+cannot be specified via the command line.  They are held in a 'template'
+or 'configuration file'.  The -config option specifies which configuration
+file to use.  See conf.doc for details on the syntax of this file.
+
+The req command uses the 'req' section of the config file.
+
+---
+# The following variables are defined.  For this example I will populate
+# the various values
+[ req ]
+default_bits    = 512           # default number of bits to use.
+default_keyfile = testkey.pem   # Where to write the generated keyfile
+                                # if not specified.
+distinguished_name= req_dn      # The section that contains the
+                                # information about which 'object' we
+                                # want to put in the DN.
+attributes      = req_attr      # The objects we want for the
+                                # attributes field.
+encrypt_rsa_key = no            # Should we encrypt newly generated
+                                # keys.  I strongly recommend 'yes'.
+
+# The distinguished name section.  For the following entries, the
+# object names must exist in the SSLeay header file objects.h.  If they
+# do not, they will be silently ignored.  The entries have the following
+# format.
+# <object_name>         => string to prompt with
+# <object_name>_default => default value for people
+# <object_name>_value   => Automatically use this value for this field.
+# <object_name>_min     => minimum number of characters for data (def. 0)
+# <object_name>_max     => maximum number of characters for data (def. inf.)
+# All of these entries are optional except for the first one.
+[ req_dn ]
+countryName                     = Country Name (2 letter code)
+countryName_default             = AU
+
+stateOrProvinceName             = State or Province Name (full name)
+stateOrProvinceName_default     = Queensland
+
+localityName                    = Locality Name (eg, city)
+
+organizationName                = Organization Name (eg, company)
+organizationName_default        = Mincom Pty Ltd
+
+organizationalUnitName          = Organizational Unit Name (eg, section)
+organizationalUnitName_default  = MTR
+
+commonName                      = Common Name (eg, YOUR name)
+commonName_max                  = 64
+
+emailAddress                    = Email Address
+emailAddress_max                = 40
+
+# The next section is the attributes section.  This is exactly the
+# same as for the previous section except that the resulting objects are
+# put in the attributes field. 
+[ req_attr ]
+challengePassword               = A challenge password
+challengePassword_min           = 4
+challengePassword_max           = 20
+
+unstructuredName                = An optional company name
+
+----
+Also note that the order that attributes appear in this file is the
+order they will be put into the distinguished name.
+
+Once this request has been generated, it can be sent to a CA for
+certifying.
+
+----
+A few quick examples....
+
+To generate a new request and a new key
+req -new
+
+To generate a new request and a 1058 bit key
+req -newkey 1058
+
+To generate a new request using a pre-existing key
+req -new -key key.pem
+
+To generate a self signed x509 certificate from a certificate
+request using a supplied key, and we want to see the text form of the
+output certificate (which we will put in the file selfSign.pem
+req -x509 -in req.pem -key key.pem -text -out selfSign.pem
+
+Verify that the signature is correct on a certificate request.
+req -verify -in req.pem
+
+Verify that the signature was made using a specified public key.
+req -verify -in req.pem -key key.pem
+
+Print the contents of a certificate request
+req -text -in req.pem
+
+==== danger ========================================================
+
+If you specify a SSLv2 cipher, and the mode is SSLv23 and the server
+can talk SSLv3, it will claim there is no cipher since you should be
+using SSLv3.
+
+When tracing debug stuff, remember BIO_s_socket() is different to
+BIO_s_connect().
+
+BSD/OS assember is not working
+
diff --git a/src/lib/libssl/src/doc/standards.txt b/src/lib/libssl/src/doc/standards.txt
new file mode 100644
index 0000000000..61ccc5d7e0
--- /dev/null
+++ b/src/lib/libssl/src/doc/standards.txt
@@ -0,0 +1,121 @@
+Standards related to OpenSSL
+============================
+
+[Please, this is currently a draft.  I made a first try at finding
+ documents that describe parts of what OpenSSL implements.  There are
+ big gaps, and I've most certainly done something wrong.  Please
+ correct whatever is...  Also, this note should be removed when this
+ file is reaching a somewhat correct state.        -- Richard Levitte]
+
+
+All pointers in here will be either URL's or blobs of text borrowed
+from miscellaneous indexes, like rfc-index.txt (index of RFCs),
+1id-index.txt (index of Internet drafts) and the like.
+
+To find the latest possible RFCs, it's recommended to either browse
+ftp://ftp.isi.edu/in-notes/ or go to http://www.rfc-editor.org/ and
+use the search mechanism found there.
+To find the latest possible Internet drafts, it's recommended to
+browse ftp://ftp.isi.edu/internet-drafts/.
+To find the latest possible PKCS, it's recommended to browse
+http://www.rsasecurity.com/rsalabs/pkcs/.
+
+
+Implemented:
+------------
+
+These are documents that describe things that are implemented in OpenSSL.
+
+1319 The MD2 Message-Digest Algorithm. B. Kaliski. April 1992.
+     (Format: TXT=25661 bytes) (Status: INFORMATIONAL)
+
+1320 The MD4 Message-Digest Algorithm. R. Rivest. April 1992. (Format:
+     TXT=32407 bytes) (Status: INFORMATIONAL)
+
+1321 The MD5 Message-Digest Algorithm. R. Rivest. April 1992. (Format:
+     TXT=35222 bytes) (Status: INFORMATIONAL)
+
+2246 The TLS Protocol Version 1.0. T. Dierks, C. Allen. January 1999.
+     (Format: TXT=170401 bytes) (Status: PROPOSED STANDARD)
+
+2268 A Description of the RC2(r) Encryption Algorithm. R. Rivest.
+     January 1998. (Format: TXT=19048 bytes) (Status: INFORMATIONAL)
+
+2314 PKCS 10: Certification Request Syntax Version 1.5. B. Kaliski.
+     March 1998. (Format: TXT=15814 bytes) (Status: INFORMATIONAL)
+
+2315 PKCS 7: Cryptographic Message Syntax Version 1.5. B. Kaliski.
+     March 1998. (Format: TXT=69679 bytes) (Status: INFORMATIONAL)
+
+2437 PKCS #1: RSA Cryptography Specifications Version 2.0. B. Kaliski,
+     J. Staddon. October 1998. (Format: TXT=73529 bytes) (Obsoletes
+     RFC2313) (Status: INFORMATIONAL)
+
+2459 Internet X.509 Public Key Infrastructure Certificate and CRL
+     Profile. R. Housley, W. Ford, W. Polk, D. Solo. January 1999.
+     (Format: TXT=278438 bytes) (Status: PROPOSED STANDARD)
+
+PKCS#8: Private-Key Information Syntax Standard
+
+PKCS#12: Personal Information Exchange Syntax Standard, version 1.0.
+
+
+Related:
+--------
+
+These are documents that are close to OpenSSL, for example the
+STARTTLS documents.
+
+1421 Privacy Enhancement for Internet Electronic Mail: Part I: Message
+     Encryption and Authentication Procedures. J. Linn. February 1993.
+     (Format: TXT=103894 bytes) (Obsoletes RFC1113) (Status: PROPOSED
+     STANDARD)
+
+1422 Privacy Enhancement for Internet Electronic Mail: Part II:
+     Certificate-Based Key Management. S. Kent. February 1993. (Format:
+     TXT=86085 bytes) (Obsoletes RFC1114) (Status: PROPOSED STANDARD)
+
+1423 Privacy Enhancement for Internet Electronic Mail: Part III:
+     Algorithms, Modes, and Identifiers. D. Balenson. February 1993.
+     (Format: TXT=33277 bytes) (Obsoletes RFC1115) (Status: PROPOSED
+     STANDARD)
+
+1424 Privacy Enhancement for Internet Electronic Mail: Part IV: Key
+     Certification and Related Services. B. Kaliski. February 1993.
+     (Format: TXT=17537 bytes) (Status: PROPOSED STANDARD)
+
+2487 SMTP Service Extension for Secure SMTP over TLS. P. Hoffman.
+     January 1999. (Format: TXT=15120 bytes) (Status: PROPOSED STANDARD)
+
+2585 Internet X.509 Public Key Infrastructure Operational Protocols:
+     FTP and HTTP. R. Housley, P. Hoffman. May 1999. (Format: TXT=14813
+     bytes) (Status: PROPOSED STANDARD)
+
+2595 Using TLS with IMAP, POP3 and ACAP. C. Newman. June 1999.
+     (Format: TXT=32440 bytes) (Status: PROPOSED STANDARD)
+
+2712 Addition of Kerberos Cipher Suites to Transport Layer Security
+     (TLS). A. Medvinsky, M. Hur. October 1999. (Format: TXT=13763 bytes)
+     (Status: PROPOSED STANDARD)
+
+2817 Upgrading to TLS Within HTTP/1.1. R. Khare, S. Lawrence. May
+     2000. (Format: TXT=27598 bytes) (Updates RFC2616) (Status: PROPOSED
+     STANDARD)
+
+2818 HTTP Over TLS. E. Rescorla. May 2000. (Format: TXT=15170 bytes)
+     (Status: INFORMATIONAL)
+
+  "Securing FTP with TLS", 01/27/2000, <draft-murray-auth-ftp-ssl-05.txt>  
+ 
+
+To be implemented:
+------------------
+
+These are documents that describe things that are planed to be
+implemented in the hopefully short future.
+
+2560 X.509 Internet Public Key Infrastructure Online Certificate
+     Status Protocol - OCSP. M. Myers, R. Ankney, A. Malpani, S. Galperin,
+     C. Adams. June 1999. (Format: TXT=43243 bytes) (Status: PROPOSED
+     STANDARD)
+
diff --git a/src/lib/libssl/src/e_os2.h b/src/lib/libssl/src/e_os2.h
new file mode 100644
index 0000000000..bd97b921a8
--- /dev/null
+++ b/src/lib/libssl/src/e_os2.h
@@ -0,0 +1,38 @@
+/* e_os2.h */
+
+#ifndef HEADER_E_OS2_H
+#define HEADER_E_OS2_H
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#include <openssl/opensslconf.h> /* OPENSSL_UNISTD */
+
+#ifdef MSDOS
+# define OPENSSL_UNISTD_IO <io.h>
+# define OPENSSL_DECLARE_EXIT extern void exit(int);
+#else
+# define OPENSSL_UNISTD_IO OPENSSL_UNISTD
+# define OPENSSL_DECLARE_EXIT /* declared in unistd.h */
+#endif
+
+/* Definitions of OPENSSL_GLOBAL and OPENSSL_EXTERN,
+   to define and declare certain global
+   symbols that, with some compilers under VMS, have to be defined and
+   declared explicitely with globaldef and globalref.  On other OS:es,
+   these macros are defined with something sensible. */
+
+#if defined(VMS) && !defined(__DECC)
+# define OPENSSL_EXTERN globalref
+# define OPENSSL_GLOBAL globaldef
+#else
+# define OPENSSL_EXTERN extern
+# define OPENSSL_GLOBAL
+#endif
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/src/lib/libssl/src/install.com b/src/lib/libssl/src/install.com
new file mode 100644
index 0000000000..16eac9aab2
--- /dev/null
+++ b/src/lib/libssl/src/install.com
@@ -0,0 +1,88 @@
+$! INSTALL.COM -- Installs the files in a given directory tree
+$!
+$! Author: Richard Levitte <richard@levitte.org>
+$! Time of creation: 22-MAY-1998 10:13
+$!
+$! P1   root of the directory tree
+$!
+$       IF P1 .EQS. ""
+$       THEN
+$           WRITE SYS$OUTPUT "First argument missing."
+$           WRITE SYS$OUTPUT "Should be the directory where you want things installed."
+$           EXIT
+$       ENDIF
+$
+$       ARCH = "AXP"
+$       IF F$GETSYI("CPU") .LT. 128 THEN ARCH = "VAX"
+$
+$       ROOT = F$PARSE(P1,"[]A.;0",,,"SYNTAX_ONLY,NO_CONCEAL") - "A.;0"
+$       ROOT_DEV = F$PARSE(ROOT,,,"DEVICE","SYNTAX_ONLY")
+$       ROOT_DIR = F$PARSE(ROOT,,,"DIRECTORY","SYNTAX_ONLY") -
+                   - ".][000000" - "[000000." - "][" - "[" - "]"
+$       ROOT = ROOT_DEV + "[" + ROOT_DIR
+$
+$       DEFINE/NOLOG WRK_SSLROOT 'ROOT'.] /TRANS=CONC
+$       DEFINE/NOLOG WRK_SSLVLIB WRK_SSLROOT:[VAX_LIB]
+$       DEFINE/NOLOG WRK_SSLALIB WRK_SSLROOT:[ALPHA_LIB]
+$       DEFINE/NOLOG WRK_SSLLIB WRK_SSLROOT:[LIB]
+$       DEFINE/NOLOG WRK_SSLINCLUDE WRK_SSLROOT:[INCLUDE]
+$       DEFINE/NOLOG WRK_SSLVEXE WRK_SSLROOT:[VAX_EXE]
+$       DEFINE/NOLOG WRK_SSLAEXE WRK_SSLROOT:[ALPHA_EXE]
+$       DEFINE/NOLOG WRK_SSLCERTS WRK_SSLROOT:[CERTS]
+$       DEFINE/NOLOG WRK_SSLPRIVATE WRK_SSLROOT:[PRIVATE]
+$
+$       IF F$PARSE("WRK_SSLROOT:[000000]") .EQS. "" THEN -
+           CREATE/DIR/LOG WRK_SSLROOT:[000000]
+$       IF F$PARSE("WRK_SSLVEXE:") .EQS. "" THEN -
+           CREATE/DIR/LOG WRK_SSLVEXE:
+$       IF F$PARSE("WRK_SSLAEXE:") .EQS. "" THEN -
+           CREATE/DIR/LOG WRK_SSLAEXE:
+$       IF F$PARSE("WRK_SSLVLIB:") .EQS. "" THEN -
+           CREATE/DIR/LOG WRK_SSLVLIB:
+$       IF F$PARSE("WRK_SSLALIB:") .EQS. "" THEN -
+           CREATE/DIR/LOG WRK_SSLALIB:
+$       IF F$PARSE("WRK_SSLLIB:") .EQS. "" THEN -
+           CREATE/DIR/LOG WRK_SSLLIB:
+$       IF F$PARSE("WRK_SSLINCLUDE:") .EQS. "" THEN -
+           CREATE/DIR/LOG WRK_SSLINCLUDE:
+$       IF F$PARSE("WRK_SSLCERTS:") .EQS. "" THEN -
+           CREATE/DIR/LOG WRK_SSLCERTS:
+$       IF F$PARSE("WRK_SSLPRIVATE:") .EQS. "" THEN -
+           CREATE/DIR/LOG WRK_SSLPRIVATE:
+$       IF F$PARSE("WRK_SSLROOT:[VMS]") .EQS. "" THEN -
+           CREATE/DIR/LOG WRK_SSLROOT:[VMS]
+$
+$       SDIRS := CRYPTO,SSL,RSAREF,APPS,VMS!,TEST,TOOLS
+$       EXHEADER := e_os.h,e_os2.h
+$
+$       COPY 'EXHEADER' WRK_SSLINCLUDE: /LOG
+$
+$       I = 0
+$ LOOP_SDIRS: 
+$       D = F$ELEMENT(I, ",", SDIRS)
+$       I = I + 1
+$       IF D .EQS. "," THEN GOTO LOOP_SDIRS_END
+$       WRITE SYS$OUTPUT "Installing ",D," files."
+$       SET DEFAULT [.'D']
+$       @INSTALL 'ROOT']
+$       SET DEFAULT [-]
+$       GOTO LOOP_SDIRS
+$ LOOP_SDIRS_END:
+$
+$       DEASSIGN WRK_SSLROOT
+$       DEASSIGN WRK_SSLVLIB
+$       DEASSIGN WRK_SSLALIB
+$       DEASSIGN WRK_SSLLIB
+$       DEASSIGN WRK_SSLINCLUDE
+$       DEASSIGN WRK_SSLVEXE
+$       DEASSIGN WRK_SSLAEXE
+$       DEASSIGN WRK_SSLCERTS
+$       DEASSIGN WRK_SSLPRIVATE
+$
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "      Installation done!"
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "      You might want to purge ",ROOT,"...]"
+$       WRITE SYS$OUTPUT ""
+$
+$       EXIT
diff --git a/src/lib/libssl/src/ms/bcb4.bat b/src/lib/libssl/src/ms/bcb4.bat
new file mode 100644
index 0000000000..71a670e794
--- /dev/null
+++ b/src/lib/libssl/src/ms/bcb4.bat
@@ -0,0 +1,6 @@
+perl Configure BC-32

+perl util\mkfiles.pl > MINFO

+

+@rem create make file

+perl util\mk1mf.pl no-asm BC-NT > bcb.mak

+

diff --git a/src/lib/libssl/src/ms/do_masm.bat b/src/lib/libssl/src/ms/do_masm.bat
new file mode 100644
index 0000000000..5b64fecdb0
--- /dev/null
+++ b/src/lib/libssl/src/ms/do_masm.bat
@@ -0,0 +1,68 @@
+@echo off

+echo Generating x86 for MASM assember

+

+echo Bignum

+cd crypto\bn\asm

+perl x86.pl win32 > bn-win32.asm

+cd ..\..\..

+

+echo DES

+cd crypto\des\asm

+perl des-586.pl win32 > d-win32.asm

+cd ..\..\..

+

+echo "crypt(3)"

+

+cd crypto\des\asm

+perl crypt586.pl win32 > y-win32.asm

+cd ..\..\..

+

+echo Blowfish

+

+cd crypto\bf\asm

+perl bf-586.pl win32 > b-win32.asm

+cd ..\..\..

+

+echo CAST5

+cd crypto\cast\asm

+perl cast-586.pl win32 > c-win32.asm

+cd ..\..\..

+

+echo RC4

+cd crypto\rc4\asm

+perl rc4-586.pl win32 > r4-win32.asm

+cd ..\..\..

+

+echo MD5

+cd crypto\md5\asm

+perl md5-586.pl win32 > m5-win32.asm

+cd ..\..\..

+

+echo SHA1

+cd crypto\sha\asm

+perl sha1-586.pl win32 > s1-win32.asm

+cd ..\..\..

+

+echo RIPEMD160

+cd crypto\ripemd\asm

+perl rmd-586.pl win32 > rm-win32.asm

+cd ..\..\..

+

+echo RC5\32

+cd crypto\rc5\asm

+perl rc5-586.pl win32 > r5-win32.asm

+cd ..\..\..

+

+echo on

+

+perl util\mkfiles.pl >MINFO

+rem perl util\mk1mf.pl VC-MSDOS no-sock >ms\msdos.mak

+rem perl util\mk1mf.pl VC-W31-32 >ms\w31.mak

+perl util\mk1mf.pl dll VC-W31-32 >ms\w31dll.mak

+perl util\mk1mf.pl VC-WIN32 >ms\nt.mak

+perl util\mk1mf.pl dll VC-WIN32 >ms\ntdll.mak

+

+perl util\mkdef.pl 16 libeay > ms\libeay16.def

+perl util\mkdef.pl 32 libeay > ms\libeay32.def

+perl util\mkdef.pl 16 ssleay > ms\ssleay16.def

+perl util\mkdef.pl 32 ssleay > ms\ssleay32.def

diff --git a/src/lib/libssl/src/ms/do_nasm.bat b/src/lib/libssl/src/ms/do_nasm.bat
new file mode 100644
index 0000000000..8859c15457
--- /dev/null
+++ b/src/lib/libssl/src/ms/do_nasm.bat
@@ -0,0 +1,69 @@
+

+@echo off

+echo Generating x86 for NASM assember

+

+echo Bignum

+cd crypto\bn\asm

+perl x86.pl win32n > bn-win32.asm

+cd ..\..\..

+

+echo DES

+cd crypto\des\asm

+perl des-586.pl win32n > d-win32.asm

+cd ..\..\..

+

+echo "crypt(3)"

+

+cd crypto\des\asm

+perl crypt586.pl win32n > y-win32.asm

+cd ..\..\..

+

+echo Blowfish

+

+cd crypto\bf\asm

+perl bf-586.pl win32n > b-win32.asm

+cd ..\..\..

+

+echo CAST5

+cd crypto\cast\asm

+perl cast-586.pl win32n > c-win32.asm

+cd ..\..\..

+

+echo RC4

+cd crypto\rc4\asm

+perl rc4-586.pl win32n > r4-win32.asm

+cd ..\..\..

+

+echo MD5

+cd crypto\md5\asm

+perl md5-586.pl win32n > m5-win32.asm

+cd ..\..\..

+

+echo SHA1

+cd crypto\sha\asm

+perl sha1-586.pl win32n > s1-win32.asm

+cd ..\..\..

+

+echo RIPEMD160

+cd crypto\ripemd\asm

+perl rmd-586.pl win32n > rm-win32.asm

+cd ..\..\..

+

+echo RC5\32

+cd crypto\rc5\asm

+perl rc5-586.pl win32n > r5-win32.asm

+cd ..\..\..

+

+echo on

+

+perl util\mkfiles.pl >MINFO

+rem perl util\mk1mf.pl VC-MSDOS no-sock >ms\msdos.mak

+rem perl util\mk1mf.pl VC-W31-32 >ms\w31.mak

+perl util\mk1mf.pl dll VC-W31-32 >ms\w31dll.mak

+perl util\mk1mf.pl nasm VC-WIN32 >ms\nt.mak

+perl util\mk1mf.pl dll nasm VC-WIN32 >ms\ntdll.mak

+

+perl util\mkdef.pl 16 libeay > ms\libeay16.def

+perl util\mkdef.pl 32 libeay > ms\libeay32.def

+perl util\mkdef.pl 16 ssleay > ms\ssleay16.def

+perl util\mkdef.pl 32 ssleay > ms\ssleay32.def

diff --git a/src/lib/libssl/src/ms/do_nt.bat b/src/lib/libssl/src/ms/do_nt.bat
new file mode 100644
index 0000000000..9c06c27caa
--- /dev/null
+++ b/src/lib/libssl/src/ms/do_nt.bat
@@ -0,0 +1,7 @@
+

+perl util\mkfiles.pl >MINFO

+perl util\mk1mf.pl no-asm VC-NT >ms\nt.mak

+perl util\mk1mf.pl dll no-asm VC-NT >ms\ntdll.mak

+

+perl util\mkdef.pl libeay NT > ms\libeay32.def

+perl util\mkdef.pl ssleay NT > ms\ssleay32.def

diff --git a/src/lib/libssl/src/ms/mingw32.bat b/src/lib/libssl/src/ms/mingw32.bat
new file mode 100644
index 0000000000..1726c55bcd
--- /dev/null
+++ b/src/lib/libssl/src/ms/mingw32.bat
@@ -0,0 +1,92 @@
+@rem OpenSSL with Mingw32+GNU as

+@rem ---------------------------

+

+perl Configure Mingw32 %1 %2 %3 %4 %5 %6 %7 %8

+

+@echo off

+

+perl -e "exit 1 if '%1' eq 'no-asm'"

+if errorlevel 1 goto noasm

+

+echo Generating x86 for GNU assember

+

+echo Bignum

+cd crypto\bn\asm

+perl x86.pl gaswin > bn-win32.s

+cd ..\..\..

+

+echo DES

+cd crypto\des\asm

+perl des-586.pl gaswin > d-win32.s

+cd ..\..\..

+

+echo crypt

+cd crypto\des\asm

+perl crypt586.pl gaswin > y-win32.s

+cd ..\..\..

+

+echo Blowfish

+cd crypto\bf\asm

+perl bf-586.pl gaswin > b-win32.s

+cd ..\..\..

+

+echo CAST5

+cd crypto\cast\asm

+perl cast-586.pl gaswin > c-win32.s

+cd ..\..\..

+

+echo RC4

+cd crypto\rc4\asm

+perl rc4-586.pl gaswin > r4-win32.s

+cd ..\..\..

+

+echo MD5

+cd crypto\md5\asm

+perl md5-586.pl gaswin > m5-win32.s

+cd ..\..\..

+

+echo SHA1

+cd crypto\sha\asm

+perl sha1-586.pl gaswin > s1-win32.s

+cd ..\..\..

+

+echo RIPEMD160

+cd crypto\ripemd\asm

+perl rmd-586.pl gaswin > rm-win32.s

+cd ..\..\..

+

+echo RC5\32

+cd crypto\rc5\asm

+perl rc5-586.pl gaswin > r5-win32.s

+cd ..\..\..

+

+:noasm

+

+echo Generating makefile

+perl util\mkfiles.pl >MINFO

+perl util\mk1mf.pl gaswin Mingw32 >ms\mingw32a.mak

+perl util\mk1mf.pl gaswin Mingw32-files >ms\mingw32f.mak

+echo Generating DLL definition files

+perl util\mkdef.pl 32 libeay >ms\libeay32.def

+if errorlevel 1 goto end

+perl util\mkdef.pl 32 ssleay >ms\ssleay32.def

+if errorlevel 1 goto end

+

+rem Create files -- this can be skipped if using the GNU file utilities

+make -f ms/mingw32f.mak

+echo You can ignore the error messages above

+

+echo Building the libraries

+make -f ms/mingw32a.mak

+if errorlevel 1 goto end

+

+echo Generating the DLLs and input libraries

+dllwrap --dllname libeay32.dll --output-lib out/libeay32.a --def ms/libeay32.def out/libcrypto.a -lwsock32 -lgdi32

+if errorlevel 1 goto end

+dllwrap --dllname libssl32.dll --output-lib out/libssl32.a --def ms/ssleay32.def out/libssl.a out/libeay32.a

+if errorlevel 1 goto end

+

+echo Done compiling OpenSSL

+

+:end

+

diff --git a/src/lib/libssl/src/ms/mw.bat b/src/lib/libssl/src/ms/mw.bat
new file mode 100644
index 0000000000..dc37913b71
--- /dev/null
+++ b/src/lib/libssl/src/ms/mw.bat
@@ -0,0 +1,31 @@
+@rem OpenSSL with Mingw32

+@rem --------------------

+

+@rem Makefile

+perl util\mkfiles.pl >MINFO

+perl util\mk1mf.pl Mingw32 >ms\mingw32.mak

+perl util\mk1mf.pl Mingw32-files >ms\mingw32f.mak

+@rem DLL definition files

+perl util\mkdef.pl 32 libeay >ms\libeay32.def

+if errorlevel 1 goto end

+perl util\mkdef.pl 32 ssleay >ms\ssleay32.def

+if errorlevel 1 goto end

+

+@rem Create files -- this can be skipped if using the GNU file utilities

+make -f ms/mingw32f.mak

+echo You can ignore the error messages above

+

+@rem Build the libraries

+make -f ms/mingw32.mak

+if errorlevel 1 goto end

+

+@rem Generate the DLLs and input libraries

+dllwrap --dllname libeay32.dll --output-lib out/libeay32.a --def ms/libeay32.def out/libcrypto.a -lwsock32 -lgdi32

+if errorlevel 1 goto end

+dllwrap --dllname libssl32.dll --output-lib out/libssl32.a --def ms/ssleay32.def out/libssl.a out/libeay32.a

+if errorlevel 1 goto end

+

+echo Done compiling OpenSSL

+

+:end

+

diff --git a/src/lib/libssl/src/ms/tlhelp32.h b/src/lib/libssl/src/ms/tlhelp32.h
new file mode 100644
index 0000000000..8f4222e34f
--- /dev/null
+++ b/src/lib/libssl/src/ms/tlhelp32.h
@@ -0,0 +1,136 @@
+/*
+        tlhelp32.h - Include file for Tool help functions.
+
+        Written by Mumit Khan <khan@nanotech.wisc.edu>
+
+        This file is part of a free library for the Win32 API. 
+
+        This library is distributed in the hope that it will be useful,
+        but WITHOUT ANY WARRANTY; without even the implied warranty of
+        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+*/
+#ifndef _TLHELP32_H
+#define _TLHELP32_H
+#ifdef __cplusplus
+extern "C" {
+#endif
+#define HF32_DEFAULT    1
+#define HF32_SHARED     2
+#define LF32_FIXED      0x1
+#define LF32_FREE       0x2
+#define LF32_MOVEABLE   0x4
+#define MAX_MODULE_NAME32       255
+#define TH32CS_SNAPHEAPLIST     0x1
+#define TH32CS_SNAPPROCESS      0x2
+#define TH32CS_SNAPTHREAD       0x4
+#define TH32CS_SNAPMODULE       0x8
+#define TH32CS_SNAPALL  (TH32CS_SNAPHEAPLIST|TH32CS_SNAPPROCESS|TH32CS_SNAPTHREAD|TH32CS_SNAPMODULE)
+#define TH32CS_INHERIT  0x80000000
+typedef struct tagHEAPLIST32 {
+        DWORD dwSize;
+        DWORD th32ProcessID;
+        DWORD th32HeapID;
+        DWORD dwFlags;
+} HEAPLIST32,*PHEAPLIST32,*LPHEAPLIST32;
+typedef struct tagHEAPENTRY32 {
+        DWORD dwSize;
+        HANDLE hHandle;
+        DWORD dwAddress;
+        DWORD dwBlockSize;
+        DWORD dwFlags;
+        DWORD dwLockCount;
+        DWORD dwResvd;
+        DWORD th32ProcessID;
+        DWORD th32HeapID;
+} HEAPENTRY32,*PHEAPENTRY32,*LPHEAPENTRY32;
+typedef struct tagPROCESSENTRY32W {
+        DWORD dwSize;
+        DWORD cntUsage;
+        DWORD th32ProcessID;
+        DWORD th32DefaultHeapID;
+        DWORD th32ModuleID;
+        DWORD cntThreads;
+        DWORD th32ParentProcessID;
+        LONG pcPriClassBase;
+        DWORD dwFlags;
+        WCHAR szExeFile[MAX_PATH];
+} PROCESSENTRY32W,*PPROCESSENTRY32W,*LPPROCESSENTRY32W;
+typedef struct tagPROCESSENTRY32 {
+        DWORD dwSize;
+        DWORD cntUsage;
+        DWORD th32ProcessID;
+        DWORD th32DefaultHeapID;
+        DWORD th32ModuleID;
+        DWORD cntThreads;
+        DWORD th32ParentProcessID;
+        LONG pcPriClassBase;
+        DWORD dwFlags;
+        CHAR  szExeFile[MAX_PATH];
+} PROCESSENTRY32,*PPROCESSENTRY32,*LPPROCESSENTRY32;
+typedef struct tagTHREADENTRY32 {
+        DWORD dwSize;
+        DWORD cntUsage;
+        DWORD th32ThreadID;
+        DWORD th32OwnerProcessID;
+        LONG tpBasePri;
+        LONG tpDeltaPri;
+        DWORD dwFlags;
+} THREADENTRY32,*PTHREADENTRY32,*LPTHREADENTRY32;
+typedef struct tagMODULEENTRY32W {
+        DWORD dwSize;
+        DWORD th32ModuleID;
+        DWORD th32ProcessID;
+        DWORD GlblcntUsage;
+        DWORD ProccntUsage;
+        BYTE *modBaseAddr;
+        DWORD modBaseSize;
+        HMODULE hModule; 
+        WCHAR szModule[MAX_MODULE_NAME32 + 1];
+        WCHAR szExePath[MAX_PATH];
+} MODULEENTRY32W,*PMODULEENTRY32W,*LPMODULEENTRY32W;
+typedef struct tagMODULEENTRY32 {
+        DWORD dwSize;
+        DWORD th32ModuleID;
+        DWORD th32ProcessID;
+        DWORD GlblcntUsage;
+        DWORD ProccntUsage;
+        BYTE *modBaseAddr;
+        DWORD modBaseSize;
+        HMODULE hModule;
+        char szModule[MAX_MODULE_NAME32 + 1];
+        char szExePath[MAX_PATH];
+} MODULEENTRY32,*PMODULEENTRY32,*LPMODULEENTRY32;
+BOOL WINAPI Heap32First(LPHEAPENTRY32,DWORD,DWORD);
+BOOL WINAPI Heap32ListFirst(HANDLE,LPHEAPLIST32);
+BOOL WINAPI Heap32ListNext(HANDLE,LPHEAPLIST32);
+BOOL WINAPI Heap32Next(LPHEAPENTRY32);
+BOOL WINAPI Module32First(HANDLE,LPMODULEENTRY32);
+BOOL WINAPI Module32FirstW(HANDLE,LPMODULEENTRY32W);
+BOOL WINAPI Module32Next(HANDLE,LPMODULEENTRY32);
+BOOL WINAPI Module32NextW(HANDLE,LPMODULEENTRY32W);
+BOOL WINAPI Process32First(HANDLE,LPPROCESSENTRY32);
+BOOL WINAPI Process32FirstW(HANDLE,LPPROCESSENTRY32W);
+BOOL WINAPI Process32Next(HANDLE,LPPROCESSENTRY32);
+BOOL WINAPI Process32NextW(HANDLE,LPPROCESSENTRY32W);
+BOOL WINAPI Thread32First(HANDLE,LPTHREADENTRY32);
+BOOL WINAPI Thread32Next(HANDLE,LPTHREADENTRY32);
+BOOL WINAPI Toolhelp32ReadProcessMemory(DWORD,LPCVOID,LPVOID,DWORD,LPDWORD);
+HANDLE WINAPI CreateToolhelp32Snapshot(DWORD,DWORD);
+#ifdef UNICODE
+#define LPMODULEENTRY32 LPMODULEENTRY32W
+#define LPPROCESSENTRY32 LPPROCESSENTRY32W
+#define MODULEENTRY32 MODULEENTRY32W
+#define Module32First Module32FirstW
+#define Module32Next Module32NextW
+#define PMODULEENTRY32 PMODULEENTRY32W
+#define PPROCESSENTRY32 PPROCESSENTRY32W
+#define PROCESSENTRY32 PROCESSENTRY32W
+#define Process32First Process32FirstW
+#define Process32Next Process32NextW
+#endif /* UNICODE */
+#ifdef __cplusplus
+}
+#endif
+#endif /* _TLHELP32_H */
+
diff --git a/src/lib/libssl/src/ms/x86asm.bat b/src/lib/libssl/src/ms/x86asm.bat
new file mode 100644
index 0000000000..4d80e706e4
--- /dev/null
+++ b/src/lib/libssl/src/ms/x86asm.bat
@@ -0,0 +1,57 @@
+

+@echo off

+echo Generating x86 assember

+

+echo Bignum

+cd crypto\bn\asm

+perl x86.pl win32n > bn-win32.asm

+cd ..\..\..

+

+echo DES

+cd crypto\des\asm

+perl des-586.pl win32n > d-win32.asm

+cd ..\..\..

+

+echo "crypt(3)"

+

+cd crypto\des\asm

+perl crypt586.pl win32n > y-win32.asm

+cd ..\..\..

+

+echo Blowfish

+

+cd crypto\bf\asm

+perl bf-586.pl win32n > b-win32.asm

+cd ..\..\..

+

+echo CAST5

+cd crypto\cast\asm

+perl cast-586.pl win32n > c-win32.asm

+cd ..\..\..

+

+echo RC4

+cd crypto\rc4\asm

+perl rc4-586.pl win32n > r4-win32.asm

+cd ..\..\..

+

+echo MD5

+cd crypto\md5\asm

+perl md5-586.pl win32n > m5-win32.asm

+cd ..\..\..

+

+echo SHA1

+cd crypto\sha\asm

+perl sha1-586.pl win32n > s1-win32.asm

+cd ..\..\..

+

+echo RIPEMD160

+cd crypto\ripemd\asm

+perl rmd-586.pl win32n > rm-win32.asm

+cd ..\..\..

+

+echo RC5\32

+cd crypto\rc5\asm

+perl rc5-586.pl win32n > r5-win32.asm

+cd ..\..\..

+

+echo on

diff --git a/src/lib/libssl/src/openssl.doxy b/src/lib/libssl/src/openssl.doxy
new file mode 100644
index 0000000000..479c311470
--- /dev/null
+++ b/src/lib/libssl/src/openssl.doxy
@@ -0,0 +1,7 @@
+PROJECT_NAME=OpenSSL
+GENERATE_LATEX=no
+OUTPUT_DIRECTORY=doxygen
+INPUT=ssl include
+FILE_PATTERNS=*.c *.h
+RECURSIVE=yes
+PREDEFINED=DOXYGEN
diff --git a/src/lib/libssl/src/openssl.spec b/src/lib/libssl/src/openssl.spec
new file mode 100644
index 0000000000..1c8f4e9d81
--- /dev/null
+++ b/src/lib/libssl/src/openssl.spec
@@ -0,0 +1,213 @@
+%define libmaj 0
+%define libmin 9
+%define librel 6
+#%define librev 
+Release: 1
+
+%define openssldir /var/ssl
+
+Summary: Secure Sockets Layer and cryptography libraries and tools
+Name: openssl-engine
+Version: %{libmaj}.%{libmin}.%{librel}
+#Version: %{libmaj}.%{libmin}.%{librel}%{librev}
+Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
+Copyright: Freely distributable
+Group: System Environment/Libraries
+Provides: SSL
+URL: http://www.openssl.org/
+Packager: Damien Miller <djm@mindrot.org>
+BuildRoot:   /var/tmp/%{name}-%{version}-root
+
+%description
+The OpenSSL Project is a collaborative effort to develop a robust,
+commercial-grade, fully featured, and Open Source toolkit implementing the
+Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
+protocols as well as a full-strength general purpose cryptography library.
+The project is managed by a worldwide community of volunteers that use the
+Internet to communicate, plan, and develop the OpenSSL tookit and its related
+documentation. 
+
+OpenSSL is based on the excellent SSLeay library developed from Eric A.
+Young and Tim J. Hudson.  The OpenSSL toolkit is licensed under an
+Apache-style licence, which basically means that you are free to get and
+use it for commercial and non-commercial purposes. 
+
+This package contains the base OpenSSL cryptography and SSL/TLS 
+libraries and tools.
+
+%package devel
+Summary: Secure Sockets Layer and cryptography static libraries and headers
+Group: Development/Libraries
+Requires: openssl-engine
+%description devel
+The OpenSSL Project is a collaborative effort to develop a robust,
+commercial-grade, fully featured, and Open Source toolkit implementing the
+Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
+protocols as well as a full-strength general purpose cryptography library.
+The project is managed by a worldwide community of volunteers that use the
+Internet to communicate, plan, and develop the OpenSSL tookit and its related
+documentation. 
+
+OpenSSL is based on the excellent SSLeay library developed from Eric A.
+Young and Tim J. Hudson.  The OpenSSL toolkit is licensed under an
+Apache-style licence, which basically means that you are free to get and
+use it for commercial and non-commercial purposes. 
+
+This package contains the the OpenSSL cryptography and SSL/TLS 
+static libraries and header files required when developing applications.
+
+%package doc
+Summary: OpenSSL miscellaneous files
+Group: Documentation
+Requires: openssl-engine
+%description doc
+The OpenSSL Project is a collaborative effort to develop a robust,
+commercial-grade, fully featured, and Open Source toolkit implementing the
+Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
+protocols as well as a full-strength general purpose cryptography library.
+The project is managed by a worldwide community of volunteers that use the
+Internet to communicate, plan, and develop the OpenSSL tookit and its related
+documentation. 
+
+OpenSSL is based on the excellent SSLeay library developed from Eric A.
+Young and Tim J. Hudson.  The OpenSSL toolkit is licensed under an
+Apache-style licence, which basically means that you are free to get and
+use it for commercial and non-commercial purposes. 
+
+This package contains the the OpenSSL cryptography and SSL/TLS extra
+documentation and POD files from which the man pages were produced.
+
+%prep
+
+%setup -q
+
+%build 
+
+%define CONFIG_FLAGS -DSSL_ALLOW_ADH --prefix=/usr 
+
+perl util/perlpath.pl /usr/bin/perl
+
+%ifarch i386 i486 i586 i686
+./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-elf
+#!#./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-elf shared
+%endif
+%ifarch ppc
+./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-ppc
+#!#./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-ppc shared
+%endif
+%ifarch alpha
+./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-alpha
+#!#./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-alpha shared
+%endif
+LD_LIBRARY_PATH=`pwd` make
+LD_LIBRARY_PATH=`pwd` make rehash
+LD_LIBRARY_PATH=`pwd` make test
+
+%install
+rm -rf $RPM_BUILD_ROOT
+make install MANDIR=/usr/man INSTALL_PREFIX="$RPM_BUILD_ROOT"
+
+# Rename manpages
+for x in $RPM_BUILD_ROOT/usr/man/man*/* 
+        do mv ${x} ${x}ssl
+done
+
+# Install RSAref stuff
+install -m644 rsaref/rsaref.h $RPM_BUILD_ROOT/usr/include/openssl
+install -m644 libRSAglue.a $RPM_BUILD_ROOT/usr/lib
+
+# Make backwards-compatibility symlink to ssleay
+ln -s /usr/bin/openssl $RPM_BUILD_ROOT/usr/bin/ssleay
+
+# Install shared libs
+install -m644 libcrypto.a $RPM_BUILD_ROOT/usr/lib
+#!#install -m755 libcrypto.so.%{libmaj}.%{libmin}.%{librel} $RPM_BUILD_ROOT/usr/lib
+install -m644 libssl.a $RPM_BUILD_ROOT/usr/lib
+#!#install -m755 libssl.so.%{libmaj}.%{libmin}.%{librel} $RPM_BUILD_ROOT/usr/lib
+(
+        cd $RPM_BUILD_ROOT/usr/lib
+        #!#ln -s libcrypto.so.%{libmaj}.%{libmin}.%{librel} libcrypto.so.%{libmaj}
+        #!#ln -s libcrypto.so.%{libmaj}.%{libmin}.%{librel} libcrypto.so
+        #!#ln -s libssl.so.%{libmaj}.%{libmin}.%{librel} libssl.so.%{libmaj}
+        #!#ln -s libssl.so.%{libmaj}.%{libmin}.%{librel} libssl.so
+)
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files 
+%defattr(0644,root,root,0755)
+%doc CHANGES CHANGES.SSLeay LICENSE NEWS README
+
+%attr(0755,root,root) /usr/bin/*
+#!#%attr(0755,root,root) /usr/lib/*.so*
+%attr(0755,root,root) %{openssldir}/misc/*
+%attr(0644,root,root) /usr/man/man[157]/*
+
+%config %attr(0644,root,root) %{openssldir}/openssl.cnf 
+%dir %attr(0755,root,root) %{openssldir}/certs
+%dir %attr(0755,root,root) %{openssldir}/lib
+%dir %attr(0755,root,root) %{openssldir}/misc
+%dir %attr(0750,root,root) %{openssldir}/private
+
+%files devel
+%doc CHANGES CHANGES.SSLeay LICENSE NEWS README
+
+%defattr(0644,root,root,0755)
+%attr(0644,root,root) /usr/lib/*.a
+%attr(0644,root,root) /usr/include/openssl/*
+%attr(0644,root,root) /usr/man/man[3]/*
+
+%files doc
+%doc CHANGES CHANGES.SSLeay LICENSE NEWS README
+%doc doc
+
+%post
+ldconfig
+
+%postun
+ldconfig
+
+%changelog
+* Thu Sep 14 2000 Richard Levitte <richard@levitte.org>
+- Changed to adapt to the new (supported) way of making shared libraries
+- Installs all static libraries, not just libRSAglue.a
+- Extra documents now end up in a separate document package
+* Sun Feb 27 2000 Damien Miller <djm@mindrot.org>
+- Merged patches to spec
+- Updated to 0.9.5beta2 (now with manpages)
+* Sat Feb  5 2000 Michal Jaegermann <michal@harddata.com>
+- added 'linux-alpha' to configuration
+- fixed nasty absolute links
+* Tue Jan 25 2000 Bennett Todd <bet@rahul.net>
+- Added -DSSL_ALLOW_ADH, bumped Release to 4
+* Thu Oct 14 1999 Damien Miller <djm@mindrot.org>
+- Set default permissions
+- Removed documentation from devel sub-package
+* Thu Sep 30 1999 Damien Miller <djm@mindrot.org>
+- Added "make test" stage
+- GPG signed
+* Tue Sep 10 1999 Damien Miller <damien@ibs.com.au>
+- Updated to version 0.9.4
+* Tue May 25 1999 Damien Miller <damien@ibs.com.au>
+- Updated to version 0.9.3
+- Added attributes for all files
+- Paramatised openssl directory
+* Sat Mar 20 1999 Carlo M. Arenas Belon <carenas@jmconsultores.com.pe>
+- Added "official" bnrec patch and taking other out
+- making a link from ssleay to openssl binary
+- putting all changelog together on SPEC file
+* Fri Mar  5 1999 Henri Gomez <gomez@slib.fr>
+- Added bnrec patch
+* Tue Dec 29 1998 Jonathan Ruano <kobalt@james.encomix.es>
+- minimum spec and patches changes for openssl
+- modified for openssl sources
+* Sat Aug  8 1998 Khimenko Victor <khim@sch57.msk.ru>
+- shared library creating process honours $RPM_OPT_FLAGS
+- shared libarry supports threads (as well as static library)
+* Wed Jul 22 1998 Khimenko Victor <khim@sch57.msk.ru>
+- building of shared library completely reworked
+* Tue Jul 21 1998 Khimenko Victor <khim@sch57.msk.ru>
+- RPM is BuildRoot'ed
+* Tue Feb 10 1998 Khimenko Victor <khim@sch57.msk.ru>
+- all stuff is moved out of /usr/local
diff --git a/src/lib/libssl/src/os2/OS2-EMX.cmd b/src/lib/libssl/src/os2/OS2-EMX.cmd
new file mode 100644
index 0000000000..8b2a092c68
--- /dev/null
+++ b/src/lib/libssl/src/os2/OS2-EMX.cmd
@@ -0,0 +1,61 @@
+@echo off
+
+perl Configure OS2-EMX
+perl util\mkfiles.pl > MINFO
+
+@rem create make file
+perl util\mk1mf.pl OS2-EMX > OS2-EMX.mak
+
+echo Generating x86 for GNU assember
+
+echo Bignum
+cd crypto\bn\asm
+rem perl x86.pl a.out > bn-os2.asm
+perl bn-586.pl a.out > bn-os2.asm 
+perl co-586.pl a.out > co-os2.asm 
+cd ..\..\..
+
+echo DES
+cd crypto\des\asm
+perl des-586.pl a.out > d-os2.asm
+cd ..\..\..
+
+echo crypt(3)
+cd crypto\des\asm
+perl crypt586.pl a.out > y-os2.asm
+cd ..\..\..
+
+echo Blowfish
+cd crypto\bf\asm
+perl bf-586.pl a.out > b-os2.asm
+cd ..\..\..
+
+echo CAST5
+cd crypto\cast\asm
+perl cast-586.pl a.out > c-os2.asm
+cd ..\..\..
+
+echo RC4
+cd crypto\rc4\asm
+perl rc4-586.pl a.out > r4-os2.asm
+cd ..\..\..
+
+echo MD5
+cd crypto\md5\asm
+perl md5-586.pl a.out > m5-os2.asm
+cd ..\..\..
+
+echo SHA1
+cd crypto\sha\asm
+perl sha1-586.pl a.out > s1-os2.asm
+cd ..\..\..
+
+echo RIPEMD160
+cd crypto\ripemd\asm
+perl rmd-586.pl a.out > rm-os2.asm
+cd ..\..\..
+
+echo RC5\32
+cd crypto\rc5\asm
+perl rc5-586.pl a.out > r5-os2.asm
+cd ..\..\..
diff --git a/src/lib/libssl/src/shlib/Makefile.hpux10-cc b/src/lib/libssl/src/shlib/Makefile.hpux10-cc
new file mode 100644
index 0000000000..4dc62ebd9e
--- /dev/null
+++ b/src/lib/libssl/src/shlib/Makefile.hpux10-cc
@@ -0,0 +1,51 @@
+# Makefile.hpux-cc
+
+major=1
+
+slib=libssl
+sh_slib=$(slib).so.$(major)
+
+clib=libcrypto
+sh_clib=$(clib).so.$(major)
+
+all : $(clib).sl $(slib).sl
+
+
+$(clib)_pic.a : $(clib).a
+        echo "Copying $? to $@"
+        cp -p $? $@
+
+$(slib)_pic.a : $(slib).a
+        echo "Copying $? to $@"
+        cp -p $? $@
+
+$(sh_clib) : $(clib)_pic.a
+        echo "collecting all object files for $@"
+        find . -name \*.o -print > allobjs
+        for obj in `ar t $(clib)_pic.a`; \
+        do \
+                grep /$$obj allobjs; \
+        done >objlist
+        echo "linking $@"
+        ld -b -s -z +h $@ -o $@ `cat objlist` -lc 
+        rm allobjs objlist
+
+$(clib).sl : $(sh_clib)
+        rm -f $@
+        ln -s $? $@
+
+$(sh_slib) : $(slib)_pic.a $(clib).sl
+        echo "collecting all object files for $@"
+        find . -name \*.o -print > allobjs
+        for obj in `ar t $(slib)_pic.a`; \
+        do \
+                grep /$$obj allobjs; \
+        done >objlist
+        echo "linking $@"
+        ld -b -s -z +h $@ +b /usr/local/ssl/lib:/usr/lib -o $@ `cat objlist` \
+                        -L. -lcrypto -lc
+        rm -f allobjs objlist
+        
+$(slib).sl : $(sh_slib)
+        rm -f $@
+        ln -s $? $@
diff --git a/src/lib/libssl/src/shlib/hpux10-cc.sh b/src/lib/libssl/src/shlib/hpux10-cc.sh
new file mode 100644
index 0000000000..903baaa4e7
--- /dev/null
+++ b/src/lib/libssl/src/shlib/hpux10-cc.sh
@@ -0,0 +1,90 @@
+#!/usr/bin/sh
+#
+# Run this script from the OpenSSL root directory:
+# sh shlib/hpux10-cc.sh
+# 
+# HP-UX (10.20) shared library installation:
+# Compile and install OpenSSL with best possible optimization:
+# - shared libraries are compiled and installed with +O4 optimization
+# - executable(s) are compiled and installed with +O4 optimization
+# - static libraries are compiled and installed with +O3 optimization,
+#   to avoid the time consuming +O4 link-time optimization when using
+#   these libraries. (The shared libs are already optimized during build
+#   at +O4.)
+#
+# This script must be run with appropriate privileges to install into
+# /usr/local/ssl. HP-UX prevents used executables and shared libraries
+# from being deleted or overwritten. Stop all processes using already
+# installed items of OpenSSL.
+#
+# WARNING: At high optimization levels, HP's ANSI-C compiler can chew up
+#          large amounts of memory and CPU time. Make sure to have at least
+#          128MB of RAM available and that your kernel is configured to allow
+#          at least 128MB data size (maxdsiz parameter).
+#          The installation process can take several hours, even on fast
+#          machines. +O4 optimization of the libcrypto.sl shared library may
+#          take 1 hour on a C200 (200MHz PA8200 CPU), +O3 compilation of
+#          fcrypt_b.c can take 20 minutes on this machine. Stay patient.
+#
+# SITEFLAGS: site specific flags. I do use +DAportable, since I have to
+# support older PA1.1-type CPUs. Your mileage may vary.
+# +w1 enables enhanced warnings, useful when working with snaphots.
+#
+SITEFLAGS="+DAportable +w1"
+#
+# Set the default additions to build with HP-UX.
+# -D_REENTRANT must/should be defined on HP-UX manually, since we do call
+# Configure directly.
+# +Oall increases the optimization done.
+#
+MYFLAGS="-D_REENTRANT +Oall $SITEFLAGS"
+
+# Configure for pic and build the static pic libraries
+perl5 Configure hpux-parisc-cc-o4 +z ${MYFLAGS}
+make clean
+make DIRS="crypto ssl"
+# Rename the static pic libs and build dynamic libraries from them
+# Be prepared to see a lot of warnings about shared libraries being built
+# with optimizations higher than +O2. When using these libraries, it is
+# not possible to replace internal library functions with functions from
+# the program to be linked.
+#
+make -f shlib/Makefile.hpux10-cc
+
+# Copy the libraries to /usr/local/ssl/lib (they have to be in their
+# final location when linking applications).
+# If the directories are still there, no problem.
+mkdir /usr/local
+mkdir /usr/local/ssl
+mkdir /usr/local/ssl/lib
+chmod 444 lib*_pic.a
+chmod 555 lib*.so.1
+cp -p lib*_pic.a lib*.so.1 /usr/local/ssl/lib
+(cd /usr/local/ssl/lib ; ln -sf libcrypto.so.1 libcrypto.sl ; ln -sf libssl.so.1 libssl.sl)
+
+# Reconfigure without pic to compile the executables. Unfortunately, while
+# performing this task we have to recompile the library components, even
+# though we use the already installed shared libs anyway.
+#
+perl5 Configure hpux-parisc-cc-o4 ${MYFLAGS}
+
+make clean
+
+# Hack the Makefiles to pick up the dynamic libraries during linking
+#
+sed 's/^PEX_LIBS=.*$/PEX_LIBS=-L\/usr\/local\/ssl\/lib -Wl,+b,\/usr\/local\/ssl\/lib:\/usr\/lib/' Makefile.ssl >xxx; mv xxx Makefile.ssl
+sed 's/-L\.\.//' apps/Makefile.ssl >xxx; mv xxx apps/Makefile.ssl
+sed 's/-L\.\.//' test/Makefile.ssl >xxx; mv xxx test/Makefile.ssl
+# Build the static libs and the executables in one make.
+make
+# Install everything
+make install
+
+# Finally build the static libs with +O3. This time we only need the libraries,
+# once created, they are simply copied into place.
+#
+perl5 Configure hpux-parisc-cc ${MYFLAGS}
+make clean
+make DIRS="crypto ssl"
+chmod 644 libcrypto.a libssl.a
+cp -p libcrypto.a libssl.a /usr/local/ssl/lib
diff --git a/src/lib/libssl/src/shlib/solaris-sc4.sh b/src/lib/libssl/src/shlib/solaris-sc4.sh
new file mode 100644
index 0000000000..b0766b35f7
--- /dev/null
+++ b/src/lib/libssl/src/shlib/solaris-sc4.sh
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+major="1"
+
+slib=libssl
+sh_slib=$slib.so.$major
+
+clib=libcrypto
+sh_clib=$clib.so.$major
+
+echo collecting all object files for $clib.so
+OBJS=
+find . -name \*.o -print > allobjs
+for obj in `ar t libcrypto.a`
+do
+        OBJS="$OBJS `grep $obj allobjs`"
+done
+
+echo linking $clib.so
+cc -G -o $sh_clib -h $sh_clib $OBJS -lnsl -lsocket
+
+rm -f $clib.so
+ln -s $sh_clib $clib.so
+
+echo collecting all object files for $slib.so
+OBJS=
+for obj in `ar t libssl.a`
+do
+        OBJS="$OBJS `grep $obj allobjs`"
+done
+
+echo linking $slib.so
+cc -G -o $sh_slib -h $sh_slib $OBJS -L. -lcrypto
+        
+rm -f $slib.so
+ln -s $sh_slib $slib.so
+
+rm -f allobjs
+
+mv libRSAglue.a libRSAglue.a.orig
+mv libcrypto.a  libcrypto.a.orig
+mv libssl.a     libssl.a.orig 
diff --git a/src/lib/libssl/src/shlib/svr5-shared-gcc.sh b/src/lib/libssl/src/shlib/svr5-shared-gcc.sh
new file mode 100644
index 0000000000..b36a0375a6
--- /dev/null
+++ b/src/lib/libssl/src/shlib/svr5-shared-gcc.sh
@@ -0,0 +1,48 @@
+#!/usr/bin/sh
+
+major="0"
+minor="9.7"
+
+slib=libssl
+sh_slib=$slib.so.$major.$minor
+
+clib=libcrypto
+sh_clib=$clib.so.$major.$minor
+
+FLAGS="-O3 -DFILIO_H -fomit-frame-pointer -pthread
+SHFLAGS="-DPIC -fPIC"
+
+touch $sh_clib
+touch $sh_slib
+
+echo collecting all object files for $clib.so
+OBJS=
+find . -name \*.o -print > allobjs
+for obj in `ar t libcrypto.a`
+do
+        OBJS="$OBJS `grep $obj allobjs`"
+done
+
+echo linking $clib.so
+gcc -G -o $sh_clib -h $sh_clib $OBJS -lnsl -lsocket
+
+rm -f $clib.so
+ln -s $sh_clib $clib.so
+
+echo collecting all object files for $slib.so
+OBJS=
+for obj in `ar t libssl.a`
+do
+        OBJS="$OBJS `grep $obj allobjs`"
+done
+
+echo linking $slib.so
+gcc -G -o $sh_slib -h $sh_slib $OBJS -L. -lcrypto
+
+rm -f $slib.so
+ln -s $sh_slib $slib.so
+
+mv libRSAglue.a libRSAglue.a.orig
+mv libcrypto.a  libcrypto.a.orig
+mv libssl.a     libssl.a.orig
+
diff --git a/src/lib/libssl/src/shlib/svr5-shared-installed b/src/lib/libssl/src/shlib/svr5-shared-installed
new file mode 100644
index 0000000000..544f5a9417
--- /dev/null
+++ b/src/lib/libssl/src/shlib/svr5-shared-installed
@@ -0,0 +1,28 @@
+#!/usr/bin/sh
+
+major="0"
+minor="9.7"
+
+slib=libssl
+sh_slib=$slib.so.$major.$minor
+
+clib=libcrypto
+sh_clib=$clib.so.$major.$minor
+
+# If you want them in /usr/local/lib then change INSTALLTOP to point there.
+#INSTALLTOP=/usr/local/ssl/lib
+INSTALLTOP=/usr/local/lib
+
+cp -p $sh_clib $INSTALLTOP
+cp -p $sh_slib $INSTALLTOP
+
+PWD=`pwd`
+cd $INSTALLTOP
+rm -f $INSTALLTOP/$clib.so
+ln -s $INSTALLTOP/$sh_clib $clib.so
+
+rm -f $INSTALLTOP/$slib.so
+ln -s $INSTALLTOP/$sh_slib $slib.so
+
+cd $PWD
+
diff --git a/src/lib/libssl/src/shlib/svr5-shared.sh b/src/lib/libssl/src/shlib/svr5-shared.sh
new file mode 100644
index 0000000000..a70bb65baa
--- /dev/null
+++ b/src/lib/libssl/src/shlib/svr5-shared.sh
@@ -0,0 +1,48 @@
+#!/usr/bin/sh
+
+major="0"
+minor="9.7"
+
+slib=libssl
+sh_slib=$slib.so.$major.$minor
+
+clib=libcrypto
+sh_clib=$clib.so.$major.$minor
+
+FLAGS="-O -DFILIO_H -Kalloca -Kthread"
+SHFLAGS="-Kpic -DPIC"
+
+touch $sh_clib
+touch $sh_slib
+
+echo collecting all object files for $clib.so
+OBJS=
+find . -name \*.o -print > allobjs
+for obj in `ar t libcrypto.a`
+do
+        OBJS="$OBJS `grep $obj allobjs`"
+done
+
+echo linking $clib.so
+cc -G -o $sh_clib -h $sh_clib $OBJS -lnsl -lsocket
+
+rm -f $clib.so
+ln -s $sh_clib $clib.so
+
+echo collecting all object files for $slib.so
+OBJS=
+for obj in `ar t libssl.a`
+do
+        OBJS="$OBJS `grep $obj allobjs`"
+done
+
+echo linking $slib.so
+cc -G -o $sh_slib -h $sh_slib $OBJS -L. -lcrypto
+
+rm -f $slib.so
+ln -s $sh_slib $slib.so
+
+mv libRSAglue.a libRSAglue.a.orig
+mv libcrypto.a  libcrypto.a.orig
+mv libssl.a     libssl.a.orig
+
diff --git a/src/lib/libssl/src/ssl/install.com b/src/lib/libssl/src/ssl/install.com
new file mode 100644
index 0000000000..2b62f4e499
--- /dev/null
+++ b/src/lib/libssl/src/ssl/install.com
@@ -0,0 +1,102 @@
+$! INSTALL.COM -- Installs the files in a given directory tree
+$!
+$! Author: Richard Levitte <richard@levitte.org>
+$! Time of creation: 22-MAY-1998 10:13
+$!
+$! P1   root of the directory tree
+$!
+$       IF P1 .EQS. ""
+$       THEN
+$           WRITE SYS$OUTPUT "First argument missing."
+$           WRITE SYS$OUTPUT "Should be the directory where you want things installed."
+$           EXIT
+$       ENDIF
+$
+$       ROOT = F$PARSE(P1,"[]A.;0",,,"SYNTAX_ONLY,NO_CONCEAL") - "A.;0"
+$       ROOT_DEV = F$PARSE(ROOT,,,"DEVICE","SYNTAX_ONLY")
+$       ROOT_DIR = F$PARSE(ROOT,,,"DIRECTORY","SYNTAX_ONLY") -
+                   - "[000000." - "][" - "[" - "]"
+$       ROOT = ROOT_DEV + "[" + ROOT_DIR
+$
+$       DEFINE/NOLOG WRK_SSLROOT 'ROOT'.] /TRANS=CONC
+$       DEFINE/NOLOG WRK_SSLVLIB WRK_SSLROOT:[VAX_LIB]
+$       DEFINE/NOLOG WRK_SSLALIB WRK_SSLROOT:[ALPHA_LIB]
+$       DEFINE/NOLOG WRK_SSLINCLUDE WRK_SSLROOT:[INCLUDE]
+$       DEFINE/NOLOG WRK_SSLVEXE WRK_SSLROOT:[VAX_EXE]
+$       DEFINE/NOLOG WRK_SSLAEXE WRK_SSLROOT:[ALPHA_EXE]
+$
+$       IF F$PARSE("WRK_SSLROOT:[000000]") .EQS. "" THEN -
+           CREATE/DIR/LOG WRK_SSLROOT:[000000]
+$       IF F$PARSE("WRK_SSLVLIB:") .EQS. "" THEN -
+           CREATE/DIR/LOG WRK_SSLVLIB:
+$       IF F$PARSE("WRK_SSLALIB:") .EQS. "" THEN -
+           CREATE/DIR/LOG WRK_SSLALIB:
+$       IF F$PARSE("WRK_SSLINCLUDE:") .EQS. "" THEN -
+           CREATE/DIR/LOG WRK_SSLINCLUDE:
+$       IF F$PARSE("WRK_SSLVEXE:") .EQS. "" THEN -
+           CREATE/DIR/LOG WRK_SSLVEXE:
+$       IF F$PARSE("WRK_SSLAEXE:") .EQS. "" THEN -
+           CREATE/DIR/LOG WRK_SSLAEXE:
+$
+$       EXHEADER := ssl.h,ssl2.h,ssl3.h,ssl23.h,tls1.h
+$       E_EXE := ssl_task
+$       LIBS := LIBSSL
+$
+$       VEXE_DIR := [-.VAX.EXE.SSL]
+$       AEXE_DIR := [-.AXP.EXE.SSL]
+$
+$       COPY 'EXHEADER' WRK_SSLINCLUDE:/LOG
+$
+$       I = 0
+$ LOOP_EXE: 
+$       E = F$EDIT(F$ELEMENT(I, ",", E_EXE),"TRIM")
+$       I = I + 1
+$       IF E .EQS. "," THEN GOTO LOOP_EXE_END
+$       SET NOON
+$       IF F$SEARCH(VEXE_DIR+E+".EXE") .NES. ""
+$       THEN
+$         COPY 'VEXE_DIR''E'.EXE WRK_SSLVEXE:'E'.EXE/log
+$         SET FILE/PROT=W:RE WRK_SSLVEXE:'E'.EXE
+$       ENDIF
+$       IF F$SEARCH(AEXE_DIR+E+".EXE") .NES. ""
+$       THEN
+$         COPY 'AEXE_DIR''E'.EXE WRK_SSLAEXE:'E'.EXE/log
+$         SET FILE/PROT=W:RE WRK_SSLAEXE:'E'.EXE
+$       ENDIF
+$       SET ON
+$       GOTO LOOP_EXE
+$ LOOP_EXE_END:
+$
+$       I = 0
+$ LOOP_LIB: 
+$       E = F$EDIT(F$ELEMENT(I, ",", LIBS),"TRIM")
+$       I = I + 1
+$       IF E .EQS. "," THEN GOTO LOOP_LIB_END
+$       SET NOON
+$       IF F$SEARCH(VEXE_DIR+E+".OLB") .NES. ""
+$       THEN
+$         COPY 'VEXE_DIR''E'.OLB WRK_SSLVLIB:'E'.OLB/log
+$         SET FILE/PROT=W:RE WRK_SSLVLIB:'E'.OLB
+$       ENDIF
+$       ! Preparing for the time when we have shareable images
+$       IF F$SEARCH(VEXE_DIR+E+".EXE") .NES. ""
+$       THEN
+$         COPY 'VEXE_DIR''E'.EXE WRK_SSLVLIB:'E'.EXE/log
+$         SET FILE/PROT=W:RE WRK_SSLVLIB:'E'.EXE
+$       ENDIF
+$       IF F$SEARCH(AEXE_DIR+E+".OLB") .NES. ""
+$       THEN
+$         COPY 'AEXE_DIR''E'.OLB WRK_SSLALIB:'E'.OLB/log
+$         SET FILE/PROT=W:RE WRK_SSLALIB:'E'.OLB
+$       ENDIF
+$       ! Preparing for the time when we have shareable images
+$       IF F$SEARCH(AEXE_DIR+E+".EXE") .NES. ""
+$       THEN
+$         COPY 'AEXE_DIR''E'.EXE WRK_SSLALIB:'E'.EXE/log
+$         SET FILE/PROT=W:RE WRK_SSLALIB:'E'.EXE
+$       ENDIF
+$       SET ON
+$       GOTO LOOP_LIB
+$ LOOP_LIB_END:
+$
+$       EXIT
diff --git a/src/lib/libssl/src/ssl/kssl.c b/src/lib/libssl/src/ssl/kssl.c
new file mode 100644
index 0000000000..d3c7be7581
--- /dev/null
+++ b/src/lib/libssl/src/ssl/kssl.c
@@ -0,0 +1,2195 @@
+/* ssl/kssl.c -*- mode: C; c-file-style: "eay" -*- */
+/* Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+/*  ssl/kssl.c  --  Routines to support (& debug) Kerberos5 auth for openssl
+**
+**  19990701    VRS     Started.
+**  200011??    Jeffrey Altman, Richard Levitte
+**                      Generalized for Heimdal, Newer MIT, & Win32.
+**                      Integrated into main OpenSSL 0.9.7 snapshots.
+**  20010413    Simon Wilkinson, VRS
+**                      Real RFC2712 KerberosWrapper replaces AP_REQ.
+*/
+
+#include <openssl/opensslconf.h>
+
+#define _XOPEN_SOURCE /* glibc2 needs this to declare strptime() */
+#include <time.h>
+#include <string.h>
+
+#include <openssl/ssl.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/krb5_asn.h>
+
+#ifndef OPENSSL_NO_KRB5
+
+/* 
+ * When OpenSSL is built on Windows, we do not want to require that
+ * the Kerberos DLLs be available in order for the OpenSSL DLLs to
+ * work.  Therefore, all Kerberos routines are loaded at run time
+ * and we do not link to a .LIB file.
+ */
+
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)
+/* 
+ * The purpose of the following pre-processor statements is to provide
+ * compatibility with different releases of MIT Kerberos for Windows.
+ * All versions up to 1.2 used macros.  But macros do not allow for
+ * a binary compatible interface for DLLs.  Therefore, all macros are
+ * being replaced by function calls.  The following code will allow
+ * an OpenSSL DLL built on Windows to work whether or not the macro
+ * or function form of the routines are utilized.
+ */
+#ifdef  krb5_cc_get_principal
+#define NO_DEF_KRB5_CCACHE
+#undef  krb5_cc_get_principal
+#endif
+#define krb5_cc_get_principal    kssl_krb5_cc_get_principal
+
+#define krb5_free_data_contents  kssl_krb5_free_data_contents   
+#define krb5_free_context        kssl_krb5_free_context         
+#define krb5_auth_con_free       kssl_krb5_auth_con_free        
+#define krb5_free_principal      kssl_krb5_free_principal       
+#define krb5_mk_req_extended     kssl_krb5_mk_req_extended      
+#define krb5_get_credentials     kssl_krb5_get_credentials      
+#define krb5_cc_default          kssl_krb5_cc_default           
+#define krb5_sname_to_principal  kssl_krb5_sname_to_principal   
+#define krb5_init_context        kssl_krb5_init_context         
+#define krb5_free_ticket         kssl_krb5_free_ticket          
+#define krb5_rd_req              kssl_krb5_rd_req               
+#define krb5_kt_default          kssl_krb5_kt_default           
+#define krb5_kt_resolve          kssl_krb5_kt_resolve           
+/* macros in mit 1.2.2 and earlier; functions in mit 1.2.3 and greater */
+#ifndef krb5_kt_close
+#define krb5_kt_close            kssl_krb5_kt_close
+#endif /* krb5_kt_close */
+#ifndef krb5_kt_get_entry
+#define krb5_kt_get_entry        kssl_krb5_kt_get_entry
+#endif /* krb5_kt_get_entry */
+#define krb5_auth_con_init       kssl_krb5_auth_con_init        
+
+#define krb5_principal_compare   kssl_krb5_principal_compare
+#define krb5_decrypt_tkt_part    kssl_krb5_decrypt_tkt_part
+#define krb5_timeofday           kssl_krb5_timeofday
+#define krb5_rc_default           kssl_krb5_rc_default
+
+#ifdef krb5_rc_initialize
+#undef krb5_rc_initialize
+#endif
+#define krb5_rc_initialize   kssl_krb5_rc_initialize
+
+#ifdef krb5_rc_get_lifespan
+#undef krb5_rc_get_lifespan
+#endif
+#define krb5_rc_get_lifespan kssl_krb5_rc_get_lifespan
+
+#ifdef krb5_rc_destroy
+#undef krb5_rc_destroy
+#endif
+#define krb5_rc_destroy      kssl_krb5_rc_destroy
+
+#define valid_cksumtype      kssl_valid_cksumtype
+#define krb5_checksum_size   kssl_krb5_checksum_size
+#define krb5_kt_free_entry   kssl_krb5_kt_free_entry
+#define krb5_auth_con_setrcache  kssl_krb5_auth_con_setrcache
+#define krb5_auth_con_getrcache  kssl_krb5_auth_con_getrcache
+#define krb5_get_server_rcache   kssl_krb5_get_server_rcache
+
+/* Prototypes for built in stubs */
+void kssl_krb5_free_data_contents(krb5_context, krb5_data *);
+void kssl_krb5_free_principal(krb5_context, krb5_principal );
+krb5_error_code kssl_krb5_kt_resolve(krb5_context,
+                                     krb5_const char *,
+                                     krb5_keytab *);
+krb5_error_code kssl_krb5_kt_default(krb5_context,
+                                     krb5_keytab *);
+krb5_error_code kssl_krb5_free_ticket(krb5_context, krb5_ticket *);
+krb5_error_code kssl_krb5_rd_req(krb5_context, krb5_auth_context *, 
+                                 krb5_const krb5_data *,
+                                 krb5_const_principal, krb5_keytab, 
+                                 krb5_flags *,krb5_ticket **);
+
+krb5_boolean kssl_krb5_principal_compare(krb5_context, krb5_const_principal,
+                                         krb5_const_principal);
+krb5_error_code kssl_krb5_mk_req_extended(krb5_context,
+                                          krb5_auth_context  *,
+                                          krb5_const krb5_flags,
+                                          krb5_data  *,
+                                          krb5_creds  *,
+                                          krb5_data  * );
+krb5_error_code kssl_krb5_init_context(krb5_context *);
+void kssl_krb5_free_context(krb5_context);
+krb5_error_code kssl_krb5_cc_default(krb5_context,krb5_ccache  *);
+krb5_error_code kssl_krb5_sname_to_principal(krb5_context,
+                                             krb5_const char  *,
+                                             krb5_const char  *,
+                                             krb5_int32,
+                                             krb5_principal  *);
+krb5_error_code kssl_krb5_get_credentials(krb5_context,
+                                          krb5_const krb5_flags,
+                                          krb5_ccache,
+                                          krb5_creds  *,
+                                          krb5_creds  *  *);
+krb5_error_code kssl_krb5_auth_con_init(krb5_context,
+                                        krb5_auth_context  *);
+krb5_error_code kssl_krb5_cc_get_principal(krb5_context context, 
+                                           krb5_ccache cache,
+                                           krb5_principal *principal);
+krb5_error_code kssl_krb5_auth_con_free(krb5_context,krb5_auth_context);
+size_t kssl_krb5_checksum_size(krb5_context context,krb5_cksumtype ctype);
+krb5_boolean kssl_valid_cksumtype(krb5_cksumtype ctype);
+krb5_error_code krb5_kt_free_entry(krb5_context,krb5_keytab_entry FAR * );
+krb5_error_code kssl_krb5_auth_con_setrcache(krb5_context, 
+                                             krb5_auth_context, 
+                                             krb5_rcache);
+krb5_error_code kssl_krb5_get_server_rcache(krb5_context, 
+                                            krb5_const krb5_data *,
+                                            krb5_rcache *);
+krb5_error_code kssl_krb5_auth_con_getrcache(krb5_context, 
+                                             krb5_auth_context,
+                                             krb5_rcache *);
+
+/* Function pointers (almost all Kerberos functions are _stdcall) */
+static void (_stdcall *p_krb5_free_data_contents)(krb5_context, krb5_data *)
+        =NULL;
+static void (_stdcall *p_krb5_free_principal)(krb5_context, krb5_principal )
+        =NULL;
+static krb5_error_code(_stdcall *p_krb5_kt_resolve)
+                        (krb5_context, krb5_const char *, krb5_keytab *)=NULL;
+static krb5_error_code (_stdcall *p_krb5_kt_default)(krb5_context,
+                                                     krb5_keytab *)=NULL;
+static krb5_error_code (_stdcall *p_krb5_free_ticket)(krb5_context, 
+                                                      krb5_ticket *)=NULL;
+static krb5_error_code (_stdcall *p_krb5_rd_req)(krb5_context, 
+                                                 krb5_auth_context *, 
+                                                 krb5_const krb5_data *,
+                                                 krb5_const_principal, 
+                                                 krb5_keytab, krb5_flags *,
+                                                 krb5_ticket **)=NULL;
+static krb5_error_code (_stdcall *p_krb5_mk_req_extended)
+                        (krb5_context, krb5_auth_context *,
+                         krb5_const krb5_flags, krb5_data *, krb5_creds *,
+                         krb5_data * )=NULL;
+static krb5_error_code (_stdcall *p_krb5_init_context)(krb5_context *)=NULL;
+static void (_stdcall *p_krb5_free_context)(krb5_context)=NULL;
+static krb5_error_code (_stdcall *p_krb5_cc_default)(krb5_context,
+                                                     krb5_ccache  *)=NULL;
+static krb5_error_code (_stdcall *p_krb5_sname_to_principal)
+                        (krb5_context, krb5_const char *, krb5_const char *,
+                         krb5_int32, krb5_principal *)=NULL;
+static krb5_error_code (_stdcall *p_krb5_get_credentials)
+                        (krb5_context, krb5_const krb5_flags, krb5_ccache,
+                         krb5_creds *, krb5_creds **)=NULL;
+static krb5_error_code (_stdcall *p_krb5_auth_con_init)
+                        (krb5_context, krb5_auth_context *)=NULL;
+static krb5_error_code (_stdcall *p_krb5_cc_get_principal)
+                        (krb5_context context, krb5_ccache cache,
+                         krb5_principal *principal)=NULL;
+static krb5_error_code (_stdcall *p_krb5_auth_con_free)
+                        (krb5_context, krb5_auth_context)=NULL;
+static krb5_error_code (_stdcall *p_krb5_decrypt_tkt_part)
+                        (krb5_context, krb5_const krb5_keyblock *,
+                                           krb5_ticket *)=NULL;
+static krb5_error_code (_stdcall *p_krb5_timeofday)
+                        (krb5_context context, krb5_int32 *timeret)=NULL;
+static krb5_error_code (_stdcall *p_krb5_rc_default)
+                        (krb5_context context, krb5_rcache *rc)=NULL;
+static krb5_error_code (_stdcall *p_krb5_rc_initialize)
+                        (krb5_context context, krb5_rcache rc,
+                                     krb5_deltat lifespan)=NULL;
+static krb5_error_code (_stdcall *p_krb5_rc_get_lifespan)
+                        (krb5_context context, krb5_rcache rc,
+                                       krb5_deltat *lifespan)=NULL;
+static krb5_error_code (_stdcall *p_krb5_rc_destroy)
+                        (krb5_context context, krb5_rcache rc)=NULL;
+static krb5_boolean (_stdcall *p_krb5_principal_compare)
+                     (krb5_context, krb5_const_principal, krb5_const_principal)=NULL;
+static size_t (_stdcall *p_krb5_checksum_size)(krb5_context context,krb5_cksumtype ctype)=NULL;
+static krb5_boolean (_stdcall *p_valid_cksumtype)(krb5_cksumtype ctype)=NULL;
+static krb5_error_code (_stdcall *p_krb5_kt_free_entry)
+                        (krb5_context,krb5_keytab_entry * )=NULL;
+static krb5_error_code (_stdcall * p_krb5_auth_con_setrcache)(krb5_context, 
+                                                               krb5_auth_context, 
+                                                               krb5_rcache)=NULL;
+static krb5_error_code (_stdcall * p_krb5_get_server_rcache)(krb5_context, 
+                                                              krb5_const krb5_data *, 
+                                                              krb5_rcache *)=NULL;
+static krb5_error_code (* p_krb5_auth_con_getrcache)(krb5_context, 
+                                                      krb5_auth_context,
+                                                      krb5_rcache *)=NULL;
+static krb5_error_code (_stdcall * p_krb5_kt_close)(krb5_context context, 
+                                                    krb5_keytab keytab)=NULL;
+static krb5_error_code (_stdcall * p_krb5_kt_get_entry)(krb5_context context, 
+                                                        krb5_keytab keytab,
+                       krb5_const_principal principal, krb5_kvno vno,
+                       krb5_enctype enctype, krb5_keytab_entry *entry)=NULL;
+static int krb5_loaded = 0;     /* only attempt to initialize func ptrs once */
+
+/* Function to Load the Kerberos 5 DLL and initialize function pointers */
+void
+load_krb5_dll(void)
+        {
+        HANDLE hKRB5_32;
+    
+        krb5_loaded++;
+        hKRB5_32 = LoadLibrary("KRB5_32");
+        if (!hKRB5_32)
+                return;
+
+        (FARPROC) p_krb5_free_data_contents =
+                GetProcAddress( hKRB5_32, "krb5_free_data_contents" );
+        (FARPROC) p_krb5_free_context =
+                GetProcAddress( hKRB5_32, "krb5_free_context" );
+        (FARPROC) p_krb5_auth_con_free =
+                GetProcAddress( hKRB5_32, "krb5_auth_con_free" );
+        (FARPROC) p_krb5_free_principal =
+                GetProcAddress( hKRB5_32, "krb5_free_principal" );
+        (FARPROC) p_krb5_mk_req_extended =
+                GetProcAddress( hKRB5_32, "krb5_mk_req_extended" );
+        (FARPROC) p_krb5_get_credentials =
+                GetProcAddress( hKRB5_32, "krb5_get_credentials" );
+        (FARPROC) p_krb5_cc_get_principal =
+                GetProcAddress( hKRB5_32, "krb5_cc_get_principal" );
+        (FARPROC) p_krb5_cc_default =
+                GetProcAddress( hKRB5_32, "krb5_cc_default" );
+        (FARPROC) p_krb5_sname_to_principal =
+                GetProcAddress( hKRB5_32, "krb5_sname_to_principal" );
+        (FARPROC) p_krb5_init_context =
+                GetProcAddress( hKRB5_32, "krb5_init_context" );
+        (FARPROC) p_krb5_free_ticket =
+                GetProcAddress( hKRB5_32, "krb5_free_ticket" );
+        (FARPROC) p_krb5_rd_req =
+                GetProcAddress( hKRB5_32, "krb5_rd_req" );
+        (FARPROC) p_krb5_principal_compare =
+                GetProcAddress( hKRB5_32, "krb5_principal_compare" );
+        (FARPROC) p_krb5_decrypt_tkt_part =
+                GetProcAddress( hKRB5_32, "krb5_decrypt_tkt_part" );
+        (FARPROC) p_krb5_timeofday =
+                GetProcAddress( hKRB5_32, "krb5_timeofday" );
+        (FARPROC) p_krb5_rc_default =
+                GetProcAddress( hKRB5_32, "krb5_rc_default" );
+        (FARPROC) p_krb5_rc_initialize =
+                GetProcAddress( hKRB5_32, "krb5_rc_initialize" );
+        (FARPROC) p_krb5_rc_get_lifespan =
+                GetProcAddress( hKRB5_32, "krb5_rc_get_lifespan" );
+        (FARPROC) p_krb5_rc_destroy =
+                GetProcAddress( hKRB5_32, "krb5_rc_destroy" );
+        (FARPROC) p_krb5_kt_default =
+                GetProcAddress( hKRB5_32, "krb5_kt_default" );
+        (FARPROC) p_krb5_kt_resolve =
+                GetProcAddress( hKRB5_32, "krb5_kt_resolve" );
+        (FARPROC) p_krb5_auth_con_init =
+                GetProcAddress( hKRB5_32, "krb5_auth_con_init" );
+        (FARPROC) p_valid_cksumtype =
+                GetProcAddress( hKRB5_32, "valid_cksumtype" );
+        (FARPROC) p_krb5_checksum_size =
+                GetProcAddress( hKRB5_32, "krb5_checksum_size" );
+        (FARPROC) p_krb5_kt_free_entry =
+                GetProcAddress( hKRB5_32, "krb5_kt_free_entry" );
+        (FARPROC) p_krb5_auth_con_setrcache =
+                GetProcAddress( hKRB5_32, "krb5_auth_con_setrcache" );
+        (FARPROC) p_krb5_get_server_rcache =
+                GetProcAddress( hKRB5_32, "krb5_get_server_rcache" );
+        (FARPROC) p_krb5_auth_con_getrcache =
+                GetProcAddress( hKRB5_32, "krb5_auth_con_getrcache" );
+        (FARPROC) p_krb5_kt_close =
+                GetProcAddress( hKRB5_32, "krb5_kt_close" );
+        (FARPROC) p_krb5_kt_get_entry =
+                GetProcAddress( hKRB5_32, "krb5_kt_get_entry" );
+        }
+
+/* Stubs for each function to be dynamicly loaded */
+void
+kssl_krb5_free_data_contents(krb5_context CO, krb5_data  * data)
+        {
+        if (!krb5_loaded)
+                load_krb5_dll();
+
+        if ( p_krb5_free_data_contents )
+                p_krb5_free_data_contents(CO,data);
+        }
+
+krb5_error_code
+kssl_krb5_mk_req_extended (krb5_context CO,
+                          krb5_auth_context  * pACO,
+                          krb5_const krb5_flags F,
+                          krb5_data  * pD1,
+                          krb5_creds  * pC,
+                          krb5_data  * pD2)
+        {
+        if (!krb5_loaded)
+                load_krb5_dll();
+
+        if ( p_krb5_mk_req_extended )
+                return(p_krb5_mk_req_extended(CO,pACO,F,pD1,pC,pD2));
+        else
+                return KRB5KRB_ERR_GENERIC;
+        }
+krb5_error_code
+kssl_krb5_auth_con_init(krb5_context CO,
+                       krb5_auth_context  * pACO)
+        {
+        if (!krb5_loaded)
+                load_krb5_dll();
+
+        if ( p_krb5_auth_con_init )
+                return(p_krb5_auth_con_init(CO,pACO));
+        else
+                return KRB5KRB_ERR_GENERIC;
+        }
+krb5_error_code
+kssl_krb5_auth_con_free (krb5_context CO,
+                        krb5_auth_context ACO)
+        {
+        if (!krb5_loaded)
+                load_krb5_dll();
+
+        if ( p_krb5_auth_con_free )
+                return(p_krb5_auth_con_free(CO,ACO));
+        else
+                return KRB5KRB_ERR_GENERIC;
+        }
+krb5_error_code
+kssl_krb5_get_credentials(krb5_context CO,
+                         krb5_const krb5_flags F,
+                         krb5_ccache CC,
+                         krb5_creds  * pCR,
+                         krb5_creds  ** ppCR)
+        {
+        if (!krb5_loaded)
+                load_krb5_dll();
+
+        if ( p_krb5_get_credentials )
+                return(p_krb5_get_credentials(CO,F,CC,pCR,ppCR));
+        else
+                return KRB5KRB_ERR_GENERIC;
+        }
+krb5_error_code
+kssl_krb5_sname_to_principal(krb5_context CO,
+                            krb5_const char  * pC1,
+                            krb5_const char  * pC2,
+                            krb5_int32 I,
+                            krb5_principal  * pPR)
+        {
+        if (!krb5_loaded)
+                load_krb5_dll();
+
+        if ( p_krb5_sname_to_principal )
+                return(p_krb5_sname_to_principal(CO,pC1,pC2,I,pPR));
+        else
+                return KRB5KRB_ERR_GENERIC;
+        }
+
+krb5_error_code
+kssl_krb5_cc_default(krb5_context CO,
+                    krb5_ccache  * pCC)
+        {
+        if (!krb5_loaded)
+                load_krb5_dll();
+
+        if ( p_krb5_cc_default )
+                return(p_krb5_cc_default(CO,pCC));
+        else
+                return KRB5KRB_ERR_GENERIC;
+        }
+
+krb5_error_code
+kssl_krb5_init_context(krb5_context * pCO)
+        {
+        if (!krb5_loaded)
+                load_krb5_dll();
+
+        if ( p_krb5_init_context )
+                return(p_krb5_init_context(pCO));
+        else
+                return KRB5KRB_ERR_GENERIC;
+        }
+
+void
+kssl_krb5_free_context(krb5_context CO)
+        {
+        if (!krb5_loaded)
+                load_krb5_dll();
+
+        if ( p_krb5_free_context )
+                p_krb5_free_context(CO);
+        }
+
+void
+kssl_krb5_free_principal(krb5_context c, krb5_principal p)
+        {
+        if (!krb5_loaded)
+                load_krb5_dll();
+
+        if ( p_krb5_free_principal )
+                p_krb5_free_principal(c,p);
+        }
+
+krb5_error_code
+kssl_krb5_kt_resolve(krb5_context con,
+                    krb5_const char * sz,
+                    krb5_keytab * kt)
+        {
+        if (!krb5_loaded)
+                load_krb5_dll();
+
+        if ( p_krb5_kt_resolve )
+                return(p_krb5_kt_resolve(con,sz,kt));
+        else
+                return KRB5KRB_ERR_GENERIC;
+        }
+
+krb5_error_code
+kssl_krb5_kt_default(krb5_context con,
+                    krb5_keytab * kt)
+        {
+        if (!krb5_loaded)
+                load_krb5_dll();
+
+        if ( p_krb5_kt_default )
+                return(p_krb5_kt_default(con,kt));
+        else
+                return KRB5KRB_ERR_GENERIC;
+        }
+
+krb5_error_code
+kssl_krb5_free_ticket(krb5_context con,
+                     krb5_ticket * kt)
+        {
+        if (!krb5_loaded)
+                load_krb5_dll();
+
+        if ( p_krb5_free_ticket )
+                return(p_krb5_free_ticket(con,kt));
+        else
+                return KRB5KRB_ERR_GENERIC;
+        }
+
+krb5_error_code
+kssl_krb5_rd_req(krb5_context con, krb5_auth_context * pacon,
+                krb5_const krb5_data * data,
+                krb5_const_principal princ, krb5_keytab keytab,
+                krb5_flags * flags, krb5_ticket ** pptkt)
+        {
+        if (!krb5_loaded)
+                load_krb5_dll();
+
+        if ( p_krb5_rd_req )
+                return(p_krb5_rd_req(con,pacon,data,princ,keytab,flags,pptkt));
+        else
+                return KRB5KRB_ERR_GENERIC;
+        }
+
+krb5_boolean
+krb5_principal_compare(krb5_context con, krb5_const_principal princ1,
+                krb5_const_principal princ2)
+        {
+        if (!krb5_loaded)
+                load_krb5_dll();
+
+        if ( p_krb5_principal_compare )
+                return(p_krb5_principal_compare(con,princ1,princ2));
+        else
+                return KRB5KRB_ERR_GENERIC;
+        }
+
+krb5_error_code
+krb5_decrypt_tkt_part(krb5_context con, krb5_const krb5_keyblock *keys,
+                krb5_ticket *ticket)
+        {
+        if (!krb5_loaded)
+                load_krb5_dll();
+
+        if ( p_krb5_decrypt_tkt_part )
+                return(p_krb5_decrypt_tkt_part(con,keys,ticket));
+        else
+                return KRB5KRB_ERR_GENERIC;
+        }
+
+krb5_error_code
+krb5_timeofday(krb5_context con, krb5_int32 *timeret)
+        {
+        if (!krb5_loaded)
+                load_krb5_dll();
+
+        if ( p_krb5_timeofday )
+                return(p_krb5_timeofday(con,timeret));
+        else
+                return KRB5KRB_ERR_GENERIC;
+        }
+
+krb5_error_code
+krb5_rc_default(krb5_context con, krb5_rcache *rc)
+        {
+        if (!krb5_loaded)
+                load_krb5_dll();
+
+        if ( p_krb5_rc_default )
+                return(p_krb5_rc_default(con,rc));
+        else
+                return KRB5KRB_ERR_GENERIC;
+        }
+
+krb5_error_code
+krb5_rc_initialize(krb5_context con, krb5_rcache rc, krb5_deltat lifespan)
+        {
+        if (!krb5_loaded)
+                load_krb5_dll();
+
+        if ( p_krb5_rc_initialize )
+                return(p_krb5_rc_initialize(con, rc, lifespan));
+        else
+                return KRB5KRB_ERR_GENERIC;
+        }
+
+krb5_error_code
+krb5_rc_get_lifespan(krb5_context con, krb5_rcache rc, krb5_deltat *lifespanp)
+        {
+        if (!krb5_loaded)
+                load_krb5_dll();
+
+        if ( p_krb5_rc_get_lifespan )
+                return(p_krb5_rc_get_lifespan(con, rc, lifespanp));
+        else
+                return KRB5KRB_ERR_GENERIC;
+        }
+
+krb5_error_code
+krb5_rc_destroy(krb5_context con, krb5_rcache rc)
+        {
+        if (!krb5_loaded)
+                load_krb5_dll();
+
+        if ( p_krb5_rc_destroy )
+                return(p_krb5_rc_destroy(con, rc));
+        else
+                return KRB5KRB_ERR_GENERIC;
+        }
+
+size_t 
+krb5_checksum_size(krb5_context context,krb5_cksumtype ctype)
+        {
+        if (!krb5_loaded)
+                load_krb5_dll();
+
+        if ( p_krb5_checksum_size )
+                return(p_krb5_checksum_size(context, ctype));
+        else
+                return KRB5KRB_ERR_GENERIC;
+        }
+
+krb5_boolean 
+valid_cksumtype(krb5_cksumtype ctype)
+        {
+        if (!krb5_loaded)
+                load_krb5_dll();
+
+        if ( p_valid_cksumtype )
+                return(p_valid_cksumtype(ctype));
+        else
+                return KRB5KRB_ERR_GENERIC;
+        }
+
+krb5_error_code 
+krb5_kt_free_entry(krb5_context con,krb5_keytab_entry * entry)
+        {
+        if (!krb5_loaded)
+                load_krb5_dll();
+
+        if ( p_krb5_kt_free_entry )
+                return(p_krb5_kt_free_entry(con,entry));
+        else
+                return KRB5KRB_ERR_GENERIC;
+        }
+                 
+/* Structure definitions  */
+#ifndef NO_DEF_KRB5_CCACHE
+#ifndef krb5_x
+#define krb5_x(ptr,args) ((ptr)?((*(ptr)) args):(abort(),1))
+#define krb5_xc(ptr,args) ((ptr)?((*(ptr)) args):(abort(),(char*)0))
+#endif 
+
+typedef krb5_pointer    krb5_cc_cursor; /* cursor for sequential lookup */
+
+typedef struct _krb5_ccache
+        {
+        krb5_magic magic;
+        struct _krb5_cc_ops FAR *ops;
+        krb5_pointer data;
+        } *krb5_ccache;
+
+typedef struct _krb5_cc_ops
+        {
+        krb5_magic magic;
+        char  *prefix;
+        char  * (KRB5_CALLCONV *get_name)
+                (krb5_context, krb5_ccache);
+        krb5_error_code (KRB5_CALLCONV *resolve)
+                (krb5_context, krb5_ccache  *, const char  *);
+        krb5_error_code (KRB5_CALLCONV *gen_new)
+                (krb5_context, krb5_ccache  *);
+        krb5_error_code (KRB5_CALLCONV *init)
+                (krb5_context, krb5_ccache, krb5_principal);
+        krb5_error_code (KRB5_CALLCONV *destroy)
+                (krb5_context, krb5_ccache);
+        krb5_error_code (KRB5_CALLCONV *close)
+                (krb5_context, krb5_ccache);
+        krb5_error_code (KRB5_CALLCONV *store)
+                (krb5_context, krb5_ccache, krb5_creds  *);
+        krb5_error_code (KRB5_CALLCONV *retrieve)
+                (krb5_context, krb5_ccache,
+                krb5_flags, krb5_creds  *, krb5_creds  *);
+        krb5_error_code (KRB5_CALLCONV *get_princ)
+                (krb5_context, krb5_ccache, krb5_principal  *);
+        krb5_error_code (KRB5_CALLCONV *get_first)
+                (krb5_context, krb5_ccache, krb5_cc_cursor  *);
+        krb5_error_code (KRB5_CALLCONV *get_next)
+                (krb5_context, krb5_ccache,
+                krb5_cc_cursor  *, krb5_creds  *);
+        krb5_error_code (KRB5_CALLCONV *end_get)
+                (krb5_context, krb5_ccache, krb5_cc_cursor  *);
+        krb5_error_code (KRB5_CALLCONV *remove_cred)
+                (krb5_context, krb5_ccache,
+                krb5_flags, krb5_creds  *);
+        krb5_error_code (KRB5_CALLCONV *set_flags)
+                (krb5_context, krb5_ccache, krb5_flags);
+        } krb5_cc_ops;
+#endif /* NO_DEF_KRB5_CCACHE */
+
+krb5_error_code 
+kssl_krb5_cc_get_principal
+    (krb5_context context, krb5_ccache cache,
+      krb5_principal *principal)
+        {
+        if ( p_krb5_cc_get_principal )
+                return(p_krb5_cc_get_principal(context,cache,principal));
+        else
+                return(krb5_x
+                        ((cache)->ops->get_princ,(context, cache, principal)));
+        }
+
+krb5_error_code
+kssl_krb5_auth_con_setrcache(krb5_context con, krb5_auth_context acon,
+                             krb5_rcache rcache)
+        {
+        if ( p_krb5_auth_con_setrcache )
+                 return(p_krb5_auth_con_setrcache(con,acon,rcache));
+        else
+                 return KRB5KRB_ERR_GENERIC;
+        }
+
+krb5_error_code
+kssl_krb5_get_server_rcache(krb5_context con, krb5_const krb5_data * data,
+                            krb5_rcache * rcache) 
+        {
+        if ( p_krb5_get_server_rcache )
+                return(p_krb5_get_server_rcache(con,data,rcache));
+        else
+                return KRB5KRB_ERR_GENERIC;
+        }
+
+krb5_error_code
+kssl_krb5_auth_con_getrcache(krb5_context con, krb5_auth_context acon,
+                             krb5_rcache * prcache)
+        {
+        if ( p_krb5_auth_con_getrcache )
+                return(p_krb5_auth_con_getrcache(con,acon, prcache));
+        else
+                return KRB5KRB_ERR_GENERIC;
+        }
+ 
+krb5_error_code
+kssl_krb5_kt_close(krb5_context context, krb5_keytab keytab)
+        {
+        if ( p_krb5_kt_close )
+                return(p_krb5_kt_close(context,keytab));
+        else 
+                return KRB5KRB_ERR_GENERIC;
+        }
+
+krb5_error_code
+kssl_krb5_kt_get_entry(krb5_context context, krb5_keytab keytab,
+                       krb5_const_principal principal, krb5_kvno vno,
+                       krb5_enctype enctype, krb5_keytab_entry *entry)
+        {
+        if ( p_krb5_kt_get_entry )
+                return(p_krb5_kt_get_entry(context,keytab,principal,vno,enctype,entry));
+        else
+                return KRB5KRB_ERR_GENERIC;
+        }
+#endif  /* OPENSSL_SYS_WINDOWS || OPENSSL_SYS_WIN32 */
+
+char
+*kstring(char *string)
+        {
+        static char     *null = "[NULL]";
+
+        return ((string == NULL)? null: string);
+        }
+
+#define MAXKNUM 255
+char
+*knumber(int len, krb5_octet *contents)
+        {
+        static char     buf[MAXKNUM+1];
+        int             i;
+
+        BIO_snprintf(buf, MAXKNUM, "[%d] ", len);
+
+        for (i=0; i < len  &&  MAXKNUM > strlen(buf)+3; i++)
+                {
+                BIO_snprintf(&buf[strlen(buf)], 3, "%02x", contents[i]);
+                }
+
+        return (buf);
+        }
+
+
+/*      Given KRB5 enctype (basically DES or 3DES),
+**      return closest match openssl EVP_ encryption algorithm.
+**      Return NULL for unknown or problematic (krb5_dk_encrypt) enctypes.
+**      Assume ENCTYPE_*_RAW (krb5_raw_encrypt) are OK.
+*/
+const EVP_CIPHER *
+kssl_map_enc(krb5_enctype enctype)
+        {
+        switch (enctype)
+                {
+        case ENCTYPE_DES_HMAC_SHA1:             /*    EVP_des_cbc();       */
+        case ENCTYPE_DES_CBC_CRC:
+        case ENCTYPE_DES_CBC_MD4:
+        case ENCTYPE_DES_CBC_MD5:
+        case ENCTYPE_DES_CBC_RAW:
+                                return EVP_des_cbc();
+                                break;
+        case ENCTYPE_DES3_CBC_SHA1:             /*    EVP_des_ede3_cbc();  */
+        case ENCTYPE_DES3_CBC_SHA:
+        case ENCTYPE_DES3_CBC_RAW:
+                                return EVP_des_ede3_cbc();
+                                break;
+        default:                return NULL;
+                                break;
+                }
+        }
+
+
+/*      Return true:1 if p "looks like" the start of the real authenticator
+**      described in kssl_skip_confound() below.  The ASN.1 pattern is
+**      "62 xx 30 yy" (APPLICATION-2, SEQUENCE), where xx-yy =~ 2, and
+**      xx and yy are possibly multi-byte length fields.
+*/
+int     kssl_test_confound(unsigned char *p)
+        {
+        int     len = 2;
+        int     xx = 0, yy = 0;
+
+        if (*p++ != 0x62)  return 0;
+        if (*p > 0x82)  return 0;
+        switch(*p)  {
+                case 0x82:  p++;          xx = (*p++ << 8);  xx += *p++;  break;
+                case 0x81:  p++;          xx =  *p++;  break;
+                case 0x80:  return 0;
+                default:    xx = *p++;  break;
+                }
+        if (*p++ != 0x30)  return 0;
+        if (*p > 0x82)  return 0;
+        switch(*p)  {
+                case 0x82:  p++; len+=2;  yy = (*p++ << 8);  yy += *p++;  break;
+                case 0x81:  p++; len++;   yy =  *p++;  break;
+                case 0x80:  return 0;
+                default:    yy = *p++;  break;
+                }
+
+        return (xx - len == yy)? 1: 0;
+        }
+
+/*      Allocate, fill, and return cksumlens array of checksum lengths.
+**      This array holds just the unique elements from the krb5_cksumarray[].
+**      array[n] == 0 signals end of data.
+**
+**      The krb5_cksumarray[] was an internal variable that has since been
+**      replaced by a more general method for storing the data.  It should
+**      not be used.  Instead we use real API calls and make a guess for 
+**      what the highest assigned CKSUMTYPE_ constant is.  As of 1.2.2
+**      it is 0x000c (CKSUMTYPE_HMAC_SHA1_DES3).  So we will use 0x0010.
+*/
+size_t  *populate_cksumlens(void)
+        {
+        int             i, j, n;
+        static size_t   *cklens = NULL;
+
+#ifdef KRB5_MIT_OLD11
+        n = krb5_max_cksum;
+#else
+        n = 0x0010;
+#endif  /* KRB5_MIT_OLD11 */
+ 
+#ifdef KRB5CHECKAUTH
+        if (!cklens && !(cklens = (size_t *) calloc(sizeof(int),n+1)))  return NULL;
+
+        for (i=0; i < n; i++)  {
+                if (!valid_cksumtype(i))  continue;     /*  array has holes  */
+                for (j=0; j < n; j++)  {
+                        if (cklens[j] == 0)  {
+                                cklens[j] = krb5_checksum_size(NULL,i);
+                                break;          /*  krb5 elem was new: add   */
+                                }
+                        if (cklens[j] == krb5_checksum_size(NULL,i))  {
+                                break;          /*  ignore duplicate elements */
+                                }
+                        }
+                }
+#endif  /* KRB5CHECKAUTH */
+
+        return cklens;
+        }
+
+/*      Return pointer to start of real authenticator within authenticator, or
+**      return NULL on error.
+**      Decrypted authenticator looks like this:
+**              [0 or 8 byte confounder] [4-24 byte checksum] [real authent'r]
+**      This hackery wouldn't be necessary if MIT KRB5 1.0.6 had the
+**      krb5_auth_con_getcksumtype() function advertised in its krb5.h.
+*/
+unsigned char   *kssl_skip_confound(krb5_enctype etype, unsigned char *a)
+        {
+        int             i, conlen;
+        size_t          cklen;
+        static size_t   *cksumlens = NULL;
+        unsigned char   *test_auth;
+
+        conlen = (etype)? 8: 0;
+
+        if (!cksumlens  &&  !(cksumlens = populate_cksumlens()))  return NULL;
+        for (i=0; (cklen = cksumlens[i]) != 0; i++)
+                {
+                test_auth = a + conlen + cklen;
+                if (kssl_test_confound(test_auth))  return test_auth;
+                }
+
+        return NULL;
+        }
+
+
+/*      Set kssl_err error info when reason text is a simple string
+**              kssl_err = struct { int reason; char text[KSSL_ERR_MAX+1]; }
+*/
+void
+kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text)
+        {
+        if (kssl_err == NULL)  return;
+
+        kssl_err->reason = reason;
+        BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, text);
+        return;
+        }
+
+
+/*      Display contents of krb5_data struct, for debugging
+*/
+void
+print_krb5_data(char *label, krb5_data *kdata)
+        {
+        int i;
+
+        printf("%s[%d] ", label, kdata->length);
+        for (i=0; i < kdata->length; i++)
+                {
+                if (0 &&  isprint((int) kdata->data[i]))
+                        printf( "%c ",  kdata->data[i]);
+                else
+                        printf( "%02x ", (unsigned char) kdata->data[i]);
+                }
+        printf("\n");
+        }
+
+
+/*      Display contents of krb5_authdata struct, for debugging
+*/
+void
+print_krb5_authdata(char *label, krb5_authdata **adata)
+        {
+        if (adata == NULL)
+                {
+                printf("%s, authdata==0\n", label);
+                return;
+                }
+        printf("%s [%p]\n", label, adata);
+#if 0
+        {
+        int     i;
+        printf("%s[at%d:%d] ", label, adata->ad_type, adata->length);
+        for (i=0; i < adata->length; i++)
+                {
+                printf((isprint(adata->contents[i]))? "%c ": "%02x",
+                        adata->contents[i]);
+                }
+        printf("\n");
+        }
+#endif
+        }
+
+
+/*      Display contents of krb5_keyblock struct, for debugging
+*/
+void
+print_krb5_keyblock(char *label, krb5_keyblock *keyblk)
+        {
+        int i;
+
+        if (keyblk == NULL)
+                {
+                printf("%s, keyblk==0\n", label);
+                return;
+                }
+#ifdef KRB5_HEIMDAL
+        printf("%s\n\t[et%d:%d]: ", label, keyblk->keytype,
+                                           keyblk->keyvalue->length);
+        for (i=0; i < keyblk->keyvalue->length; i++)
+                {
+                printf("%02x",(unsigned char *)(keyblk->keyvalue->contents)[i]);
+                }
+        printf("\n");
+#else
+        printf("%s\n\t[et%d:%d]: ", label, keyblk->enctype, keyblk->length);
+        for (i=0; i < keyblk->length; i++)
+                {
+                printf("%02x",keyblk->contents[i]);
+                }
+        printf("\n");
+#endif
+        }
+
+
+/*      Display contents of krb5_principal_data struct, for debugging
+**      (krb5_principal is typedef'd == krb5_principal_data *)
+*/
+void
+print_krb5_princ(char *label, krb5_principal_data *princ)
+        {
+        int i, ui, uj;
+
+        printf("%s principal Realm: ", label);
+        if (princ == NULL)  return;
+        for (ui=0; ui < princ->realm.length; ui++)  putchar(princ->realm.data[ui]);
+        printf(" (nametype %d) has %d strings:\n", princ->type,princ->length);
+        for (i=0; i < princ->length; i++)
+                {
+                printf("\t%d [%d]: ", i, princ->data[i].length);
+                for (uj=0; uj < princ->data[i].length; uj++)  {
+                        putchar(princ->data[i].data[uj]);
+                        }
+                printf("\n");
+                }
+        return;
+        }
+
+
+/*      Given krb5 service (typically "kssl") and hostname in kssl_ctx,
+**      Return encrypted Kerberos ticket for service @ hostname.
+**      If authenp is non-NULL, also return encrypted authenticator,
+**      whose data should be freed by caller.
+**      (Originally was: Create Kerberos AP_REQ message for SSL Client.)
+**
+**      19990628        VRS     Started; Returns Kerberos AP_REQ message.
+**      20010409        VRS     Modified for RFC2712; Returns enc tkt.
+**      20010606        VRS     May also return optional authenticator.
+*/
+krb5_error_code
+kssl_cget_tkt(  /* UPDATE */    KSSL_CTX *kssl_ctx,
+                /* OUT    */    krb5_data **enc_ticketp,
+                /* UPDATE */    krb5_data *authenp,
+                /* OUT    */    KSSL_ERR *kssl_err)
+        {
+        krb5_error_code         krb5rc = KRB5KRB_ERR_GENERIC;
+        krb5_context            krb5context = NULL;
+        krb5_auth_context       krb5auth_context = NULL;
+        krb5_ccache             krb5ccdef = NULL;
+        krb5_creds              krb5creds, *krb5credsp = NULL;
+        krb5_data               krb5_app_req;
+
+        kssl_err_set(kssl_err, 0, "");
+        memset((char *)&krb5creds, 0, sizeof(krb5creds));
+
+        if (!kssl_ctx)
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+                        "No kssl_ctx defined.\n");
+                goto err;
+                }
+        else if (!kssl_ctx->service_host)
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+                        "kssl_ctx service_host undefined.\n");
+                goto err;
+                }
+
+        if ((krb5rc = krb5_init_context(&krb5context)) != 0)
+                {
+                BIO_snprintf(kssl_err->text,KSSL_ERR_MAX,
+                        "krb5_init_context() fails: %d\n", krb5rc);
+                kssl_err->reason = SSL_R_KRB5_C_INIT;
+                goto err;
+                }
+
+        if ((krb5rc = krb5_sname_to_principal(krb5context,
+                kssl_ctx->service_host,
+                (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC,
+                KRB5_NT_SRV_HST, &krb5creds.server)) != 0)
+                {
+                BIO_snprintf(kssl_err->text,KSSL_ERR_MAX,
+                        "krb5_sname_to_principal() fails for %s/%s\n",
+                        kssl_ctx->service_host,
+                        (kssl_ctx->service_name)? kssl_ctx->service_name:
+                                                  KRB5SVC);
+                kssl_err->reason = SSL_R_KRB5_C_INIT;
+                goto err;
+                }
+
+        if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0)
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_C_CC_PRINC,
+                        "krb5_cc_default fails.\n");
+                goto err;
+                }
+
+        if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef,
+                &krb5creds.client)) != 0)
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_C_CC_PRINC,
+                        "krb5_cc_get_principal() fails.\n");
+                goto err;
+                }
+
+        if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef,
+                &krb5creds, &krb5credsp)) != 0)
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_C_GET_CRED,
+                        "krb5_get_credentials() fails.\n");
+                goto err;
+                }
+
+        *enc_ticketp = &krb5credsp->ticket;
+#ifdef KRB5_HEIMDAL
+        kssl_ctx->enctype = krb5credsp->session.keytype;
+#else
+        kssl_ctx->enctype = krb5credsp->keyblock.enctype;
+#endif
+
+        krb5rc = KRB5KRB_ERR_GENERIC;
+        /*      caller should free data of krb5_app_req  */
+        /*  20010406 VRS deleted for real KerberosWrapper
+        **  20010605 VRS reinstated to offer Authenticator to KerberosWrapper
+        */
+        krb5_app_req.length = 0;
+        if (authenp)
+                {
+                krb5_data       krb5in_data;
+                unsigned char   *p;
+                long            arlen;
+                KRB5_APREQBODY  *ap_req;
+
+                authenp->length = 0;
+                krb5in_data.data = NULL;
+                krb5in_data.length = 0;
+                if ((krb5rc = krb5_mk_req_extended(krb5context,
+                        &krb5auth_context, 0, &krb5in_data, krb5credsp,
+                        &krb5_app_req)) != 0)
+                        {
+                        kssl_err_set(kssl_err, SSL_R_KRB5_C_MK_REQ,
+                                "krb5_mk_req_extended() fails.\n");
+                        goto err;
+                        }
+
+                arlen = krb5_app_req.length;
+                p = (unsigned char *)krb5_app_req.data;
+                ap_req = (KRB5_APREQBODY *) d2i_KRB5_APREQ(NULL, &p, arlen);
+                if (ap_req)
+                        {
+                        authenp->length = i2d_KRB5_ENCDATA(
+                                        ap_req->authenticator, NULL);
+                        if (authenp->length  && 
+                                (authenp->data = malloc(authenp->length)))
+                                {
+                                unsigned char   *adp = (unsigned char *)authenp->data;
+                                authenp->length = i2d_KRB5_ENCDATA(
+                                                ap_req->authenticator, &adp);
+                                }
+                        }
+
+                if (ap_req)  KRB5_APREQ_free((KRB5_APREQ *) ap_req);
+                if (krb5_app_req.length)  
+                        kssl_krb5_free_data_contents(krb5context,&krb5_app_req);
+                }
+#ifdef KRB5_HEIMDAL
+        if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->session))
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT,
+                        "kssl_ctx_setkey() fails.\n");
+                }
+#else
+        if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->keyblock))
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT,
+                        "kssl_ctx_setkey() fails.\n");
+                }
+#endif
+        else    krb5rc = 0;
+
+ err:
+#ifdef KSSL_DEBUG
+        kssl_ctx_show(kssl_ctx);
+#endif  /* KSSL_DEBUG */
+
+        if (krb5creds.client)   krb5_free_principal(krb5context,
+                                                        krb5creds.client);
+        if (krb5creds.server)   krb5_free_principal(krb5context,
+                                                        krb5creds.server);
+        if (krb5auth_context)   krb5_auth_con_free(krb5context,
+                                                        krb5auth_context);
+        if (krb5context)        krb5_free_context(krb5context);
+        return (krb5rc);
+        }
+
+
+/*  Given d2i_-decoded asn1ticket, allocate and return a new krb5_ticket.
+**  Return Kerberos error code and kssl_err struct on error.
+**  Allocates krb5_ticket and krb5_principal; caller should free these.
+**
+**      20010410        VRS     Implemented krb5_decode_ticket() as
+**                              old_krb5_decode_ticket(). Missing from MIT1.0.6.
+**      20010615        VRS     Re-cast as openssl/asn1 d2i_*() functions.
+**                              Re-used some of the old krb5_decode_ticket()
+**                              code here.  This tkt should alloc/free just
+**                              like the real thing.
+*/
+krb5_error_code
+kssl_TKT2tkt(   /* IN     */    krb5_context    krb5context,
+                /* IN     */    KRB5_TKTBODY    *asn1ticket,
+                /* OUT    */    krb5_ticket     **krb5ticket,
+                /* OUT    */    KSSL_ERR *kssl_err  )
+        {
+        krb5_error_code                 krb5rc = KRB5KRB_ERR_GENERIC;
+        krb5_ticket                     *new5ticket = NULL;
+        ASN1_GENERALSTRING              *gstr_svc, *gstr_host;
+
+        *krb5ticket = NULL;
+
+        if (asn1ticket == NULL  ||  asn1ticket->realm == NULL  ||
+                asn1ticket->sname == NULL  || 
+                sk_ASN1_GENERALSTRING_num(asn1ticket->sname->namestring) < 2)
+                {
+                BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
+                        "Null field in asn1ticket.\n");
+                kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
+                return KRB5KRB_ERR_GENERIC;
+                }
+
+        if ((new5ticket = (krb5_ticket *) calloc(1, sizeof(krb5_ticket)))==NULL)
+                {
+                BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
+                        "Unable to allocate new krb5_ticket.\n");
+                kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
+                return ENOMEM;          /*  or  KRB5KRB_ERR_GENERIC;    */
+                }
+
+        gstr_svc  = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 0);
+        gstr_host = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 1);
+
+        if ((krb5rc = kssl_build_principal_2(krb5context,
+                        &new5ticket->server,
+                        asn1ticket->realm->length, (char *)asn1ticket->realm->data,
+                        gstr_svc->length,  (char *)gstr_svc->data,
+                        gstr_host->length, (char *)gstr_host->data)) != 0)
+                {
+                free(new5ticket);
+                BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
+                        "Error building ticket server principal.\n");
+                kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
+                return krb5rc;          /*  or  KRB5KRB_ERR_GENERIC;    */
+                }
+
+        krb5_princ_type(krb5context, new5ticket->server) =
+                        asn1ticket->sname->nametype->data[0];
+        new5ticket->enc_part.enctype = asn1ticket->encdata->etype->data[0];
+        new5ticket->enc_part.kvno = asn1ticket->encdata->kvno->data[0];
+        new5ticket->enc_part.ciphertext.length =
+                        asn1ticket->encdata->cipher->length;
+        if ((new5ticket->enc_part.ciphertext.data =
+                calloc(1, asn1ticket->encdata->cipher->length)) == NULL)
+                {
+                free(new5ticket);
+                BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
+                        "Error allocating cipher in krb5ticket.\n");
+                kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
+                return KRB5KRB_ERR_GENERIC;
+                }
+        else
+                {
+                memcpy(new5ticket->enc_part.ciphertext.data,
+                        asn1ticket->encdata->cipher->data,
+                        asn1ticket->encdata->cipher->length);
+                }
+
+        *krb5ticket = new5ticket;
+        return 0;
+        }
+
+
+/*      Given krb5 service name in KSSL_CTX *kssl_ctx (typically "kssl"),
+**              and krb5 AP_REQ message & message length,
+**      Return Kerberos session key and client principle
+**              to SSL Server in KSSL_CTX *kssl_ctx.
+**
+**      19990702        VRS     Started.
+*/
+krb5_error_code
+kssl_sget_tkt(  /* UPDATE */    KSSL_CTX                *kssl_ctx,
+                /* IN     */    krb5_data               *indata,
+                /* OUT    */    krb5_ticket_times       *ttimes,
+                /* OUT    */    KSSL_ERR                *kssl_err  )
+        {
+        krb5_error_code                 krb5rc = KRB5KRB_ERR_GENERIC;
+        static krb5_context             krb5context = NULL;
+        static krb5_auth_context        krb5auth_context = NULL;
+        krb5_ticket                     *krb5ticket = NULL;
+        KRB5_TKTBODY                    *asn1ticket = NULL;
+        unsigned char                   *p;
+        krb5_keytab                     krb5keytab = NULL;
+        krb5_keytab_entry               kt_entry;
+        krb5_principal                  krb5server;
+        krb5_rcache                     rcache = NULL;
+
+        kssl_err_set(kssl_err, 0, "");
+
+        if (!kssl_ctx)
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+                        "No kssl_ctx defined.\n");
+                goto err;
+                }
+
+#ifdef KSSL_DEBUG
+        printf("in kssl_sget_tkt(%s)\n", kstring(kssl_ctx->service_name));
+#endif  /* KSSL_DEBUG */
+
+        if (!krb5context  &&  (krb5rc = krb5_init_context(&krb5context)))
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+                        "krb5_init_context() fails.\n");
+                goto err;
+                }
+        if (krb5auth_context  &&
+                (krb5rc = krb5_auth_con_free(krb5context, krb5auth_context)))
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+                        "krb5_auth_con_free() fails.\n");
+                goto err;
+                }
+        else  krb5auth_context = NULL;
+        if (!krb5auth_context  &&
+                (krb5rc = krb5_auth_con_init(krb5context, &krb5auth_context)))
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+                        "krb5_auth_con_init() fails.\n");
+                goto err;
+                }
+
+ 
+        if ((krb5rc = krb5_auth_con_getrcache(krb5context, krb5auth_context,
+                &rcache)))
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+                        "krb5_auth_con_getrcache() fails.\n");
+                goto err;
+                }
+ 
+        if ((krb5rc = krb5_sname_to_principal(krb5context, NULL,
+                (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC,
+                KRB5_NT_SRV_HST, &krb5server)) != 0)
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+                        "krb5_sname_to_principal() fails.\n");
+                goto err;
+                }
+
+        if (rcache == NULL) 
+                {
+                if ((krb5rc = krb5_get_server_rcache(krb5context,
+                        krb5_princ_component(krb5context, krb5server, 0),
+                        &rcache)))
+                        {
+                        kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+                                "krb5_get_server_rcache() fails.\n");
+                        goto err;
+                        }
+                }
+
+        if ((krb5rc = krb5_auth_con_setrcache(krb5context, krb5auth_context, rcache)))
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+                        "krb5_auth_con_setrcache() fails.\n");
+                goto err;
+                }
+
+
+        /*      kssl_ctx->keytab_file == NULL ==> use Kerberos default
+        */
+        if (kssl_ctx->keytab_file)
+                {
+                krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file,
+                        &krb5keytab);
+                if (krb5rc)
+                        {
+                        kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+                                "krb5_kt_resolve() fails.\n");
+                        goto err;
+                        }
+                }
+        else
+                {
+                krb5rc = krb5_kt_default(krb5context,&krb5keytab);
+                if (krb5rc)
+                        {
+                        kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 
+                                "krb5_kt_default() fails.\n");
+                        goto err;
+                        }
+                }
+
+        /*      Actual Kerberos5 krb5_recvauth() has initial conversation here
+        **      o       check KRB5_SENDAUTH_BADAUTHVERS
+        **              unless KRB5_RECVAUTH_SKIP_VERSION
+        **      o       check KRB5_SENDAUTH_BADAPPLVERS
+        **      o       send "0" msg if all OK
+        */
+
+        /*  20010411 was using AP_REQ instead of true KerberosWrapper
+        **
+        **  if ((krb5rc = krb5_rd_req(krb5context, &krb5auth_context,
+        **                      &krb5in_data, krb5server, krb5keytab,
+        **                      &ap_option, &krb5ticket)) != 0)  { Error }
+        */
+
+        p = (unsigned char *)indata->data;
+        if ((asn1ticket = (KRB5_TKTBODY *) d2i_KRB5_TICKET(NULL, &p,
+                                                (long) indata->length)) == NULL)
+                {
+                BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
+                        "d2i_KRB5_TICKET() ASN.1 decode failure.\n");
+                kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
+                goto err;
+                }
+        
+        /* Was:  krb5rc = krb5_decode_ticket(krb5in_data,&krb5ticket)) != 0) */
+        if ((krb5rc = kssl_TKT2tkt(krb5context, asn1ticket, &krb5ticket,
+                                        kssl_err)) != 0)
+                {
+                BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
+                        "Error converting ASN.1 ticket to krb5_ticket.\n");
+                kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
+                goto err;
+                }
+
+        if (! krb5_principal_compare(krb5context, krb5server,
+                                                  krb5ticket->server))  {
+                krb5rc = KRB5_PRINC_NOMATCH;
+                BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
+                        "server principal != ticket principal\n");
+                kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
+                goto err;
+                }
+        if ((krb5rc = krb5_kt_get_entry(krb5context, krb5keytab,
+                        krb5ticket->server, krb5ticket->enc_part.kvno,
+                        krb5ticket->enc_part.enctype, &kt_entry)) != 0)  {
+                BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
+                        "krb5_kt_get_entry() fails with %x.\n", krb5rc);
+                kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
+                goto err;
+                }
+        if ((krb5rc = krb5_decrypt_tkt_part(krb5context, &kt_entry.key,
+                        krb5ticket)) != 0)  {
+                BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
+                        "krb5_decrypt_tkt_part() failed.\n");
+                kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
+                goto err;
+                }
+        else  {
+                krb5_kt_free_entry(krb5context, &kt_entry);
+#ifdef KSSL_DEBUG
+                {
+                int i; krb5_address **paddr = krb5ticket->enc_part2->caddrs;
+                printf("Decrypted ticket fields:\n");
+                printf("\tflags: %X, transit-type: %X",
+                        krb5ticket->enc_part2->flags,
+                        krb5ticket->enc_part2->transited.tr_type);
+                print_krb5_data("\ttransit-data: ",
+                        &(krb5ticket->enc_part2->transited.tr_contents));
+                printf("\tcaddrs: %p, authdata: %p\n",
+                        krb5ticket->enc_part2->caddrs,
+                        krb5ticket->enc_part2->authorization_data);
+                if (paddr)
+                        {
+                        printf("\tcaddrs:\n");
+                        for (i=0; paddr[i] != NULL; i++)
+                                {
+                                krb5_data d;
+                                d.length=paddr[i]->length;
+                                d.data=paddr[i]->contents;
+                                print_krb5_data("\t\tIP: ", &d);
+                                }
+                        }
+                printf("\tstart/auth/end times: %d / %d / %d\n",
+                        krb5ticket->enc_part2->times.starttime,
+                        krb5ticket->enc_part2->times.authtime,
+                        krb5ticket->enc_part2->times.endtime);
+                }
+#endif  /* KSSL_DEBUG */
+                }
+
+        krb5rc = KRB5_NO_TKT_SUPPLIED;
+        if (!krb5ticket  ||     !krb5ticket->enc_part2  ||
+                !krb5ticket->enc_part2->client  ||
+                !krb5ticket->enc_part2->client->data  ||
+                !krb5ticket->enc_part2->session)
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
+                        "bad ticket from krb5_rd_req.\n");
+                }
+        else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT,
+                &krb5ticket->enc_part2->client->realm,
+                krb5ticket->enc_part2->client->data))
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
+                        "kssl_ctx_setprinc() fails.\n");
+                }
+        else if (kssl_ctx_setkey(kssl_ctx, krb5ticket->enc_part2->session))
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
+                        "kssl_ctx_setkey() fails.\n");
+                }
+        else if (krb5ticket->enc_part2->flags & TKT_FLG_INVALID)
+                {
+                krb5rc = KRB5KRB_AP_ERR_TKT_INVALID;
+                kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
+                        "invalid ticket from krb5_rd_req.\n");
+                }
+        else    krb5rc = 0;
+
+        kssl_ctx->enctype       = krb5ticket->enc_part.enctype;
+        ttimes->authtime        = krb5ticket->enc_part2->times.authtime;
+        ttimes->starttime       = krb5ticket->enc_part2->times.starttime;
+        ttimes->endtime         = krb5ticket->enc_part2->times.endtime;
+        ttimes->renew_till      = krb5ticket->enc_part2->times.renew_till;
+
+ err:
+#ifdef KSSL_DEBUG
+        kssl_ctx_show(kssl_ctx);
+#endif  /* KSSL_DEBUG */
+
+        if (asn1ticket)         KRB5_TICKET_free((KRB5_TICKET *) asn1ticket);
+        if (krb5keytab)         krb5_kt_close(krb5context, krb5keytab);
+        if (krb5ticket)         krb5_free_ticket(krb5context, krb5ticket);
+        if (krb5server)         krb5_free_principal(krb5context, krb5server);
+        return (krb5rc);
+        }
+
+
+/*      Allocate & return a new kssl_ctx struct.
+*/
+KSSL_CTX        *
+kssl_ctx_new(void)
+        {
+        return ((KSSL_CTX *) calloc(1, sizeof(KSSL_CTX)));
+        }
+
+
+/*      Frees a kssl_ctx struct and any allocated memory it holds.
+**      Returns NULL.
+*/
+KSSL_CTX        *
+kssl_ctx_free(KSSL_CTX *kssl_ctx)
+        {
+        if (kssl_ctx == NULL)  return kssl_ctx;
+
+        if (kssl_ctx->key)              memset(kssl_ctx->key, 0,
+                                                              kssl_ctx->length);
+        if (kssl_ctx->key)              free(kssl_ctx->key);
+        if (kssl_ctx->client_princ)     free(kssl_ctx->client_princ);
+        if (kssl_ctx->service_host)     free(kssl_ctx->service_host);
+        if (kssl_ctx->service_name)     free(kssl_ctx->service_name);
+        if (kssl_ctx->keytab_file)      free(kssl_ctx->keytab_file);
+
+        free(kssl_ctx);
+        return (KSSL_CTX *) NULL;
+        }
+
+
+/*      Given a (krb5_data *) entity (and optional realm),
+**      set the plain (char *) client_princ or service_host member
+**      of the kssl_ctx struct.
+*/
+krb5_error_code
+kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
+        krb5_data *realm, krb5_data *entity)
+        {
+        char    **princ;
+        int     length;
+
+        if (kssl_ctx == NULL  ||  entity == NULL)  return KSSL_CTX_ERR;
+
+        switch (which)
+                {
+        case KSSL_CLIENT:       princ = &kssl_ctx->client_princ;        break;
+        case KSSL_SERVER:       princ = &kssl_ctx->service_host;        break;
+        default:                return KSSL_CTX_ERR;                    break;
+                }
+        if (*princ)  free(*princ);
+
+        length = entity->length + ((realm)? realm->length + 2: 1);
+        if ((*princ = calloc(1, length)) == NULL)
+                return KSSL_CTX_ERR;
+        else
+                {
+                strncpy(*princ, entity->data, entity->length);
+                (*princ)[entity->length]='\0';
+                if (realm)
+                        {
+                        strcat (*princ, "@");
+                        (void) strncat(*princ, realm->data, realm->length);
+                        (*princ)[entity->length+1+realm->length]='\0';
+                        }
+                }
+
+        return KSSL_CTX_OK;
+        }
+
+
+/*      Set one of the plain (char *) string members of the kssl_ctx struct.
+**      Default values should be:
+**              which == KSSL_SERVICE   =>      "khost" (KRB5SVC)
+**              which == KSSL_KEYTAB    =>      "/etc/krb5.keytab" (KRB5KEYTAB)
+*/
+krb5_error_code
+kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text)
+        {
+        char    **string;
+
+        if (!kssl_ctx)  return KSSL_CTX_ERR;
+
+        switch (which)
+                {
+        case KSSL_SERVICE:      string = &kssl_ctx->service_name;       break;
+        case KSSL_SERVER:       string = &kssl_ctx->service_host;       break;
+        case KSSL_CLIENT:       string = &kssl_ctx->client_princ;       break;
+        case KSSL_KEYTAB:       string = &kssl_ctx->keytab_file;        break;
+        default:                return KSSL_CTX_ERR;                    break;
+                }
+        if (*string)  free(*string);
+
+        if (!text)
+                {
+                *string = '\0';
+                return KSSL_CTX_OK;
+                }
+
+        if ((*string = calloc(1, strlen(text) + 1)) == NULL)
+                return KSSL_CTX_ERR;
+        else
+                strcpy(*string, text);
+
+        return KSSL_CTX_OK;
+        }
+
+
+/*      Copy the Kerberos session key from a (krb5_keyblock *) to a kssl_ctx
+**      struct.  Clear kssl_ctx->key if Kerberos session key is NULL.
+*/
+krb5_error_code
+kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session)
+        {
+        int             length;
+        krb5_enctype    enctype;
+        krb5_octet FAR  *contents = NULL;
+
+        if (!kssl_ctx)  return KSSL_CTX_ERR;
+
+        if (kssl_ctx->key)
+                {
+                memset(kssl_ctx->key, 0, kssl_ctx->length);
+                free(kssl_ctx->key);
+                }
+
+        if (session)
+                {
+
+#ifdef KRB5_HEIMDAL
+                length = session->keyvalue->length;
+                enctype = session->keytype;
+                contents = session->keyvalue->contents;
+#else
+                length = session->length;
+                enctype = session->enctype;
+                contents = session->contents;
+#endif
+                kssl_ctx->enctype = enctype;
+                kssl_ctx->length  = length;
+                }
+        else
+                {
+                kssl_ctx->enctype = ENCTYPE_UNKNOWN;
+                kssl_ctx->length  = 0;
+                return KSSL_CTX_OK;
+                }
+
+        if ((kssl_ctx->key =
+                (krb5_octet FAR *) calloc(1, kssl_ctx->length)) == NULL)
+                {
+                kssl_ctx->length  = 0;
+                return KSSL_CTX_ERR;
+                }
+        else
+                memcpy(kssl_ctx->key, contents, length);
+
+        return KSSL_CTX_OK;
+        }
+
+
+/*      Display contents of kssl_ctx struct
+*/
+void
+kssl_ctx_show(KSSL_CTX *kssl_ctx)
+        {
+        int     i;
+
+        printf("kssl_ctx: ");
+        if (kssl_ctx == NULL)
+                {
+                printf("NULL\n");
+                return;
+                }
+        else
+                printf("%p\n", kssl_ctx);
+
+        printf("\tservice:\t%s\n",
+                (kssl_ctx->service_name)? kssl_ctx->service_name: "NULL");
+        printf("\tclient:\t%s\n",
+                (kssl_ctx->client_princ)? kssl_ctx->client_princ: "NULL");
+        printf("\tserver:\t%s\n",
+                (kssl_ctx->service_host)? kssl_ctx->service_host: "NULL");
+        printf("\tkeytab:\t%s\n",
+                (kssl_ctx->keytab_file)? kssl_ctx->keytab_file: "NULL");
+        printf("\tkey [%d:%d]:\t",
+                kssl_ctx->enctype, kssl_ctx->length);
+
+        for (i=0; i < kssl_ctx->length  &&  kssl_ctx->key; i++)
+                {
+                printf("%02x", kssl_ctx->key[i]);
+                }
+        printf("\n");
+        return;
+        }
+
+    int 
+    kssl_keytab_is_available(KSSL_CTX *kssl_ctx)
+{
+    krb5_context                krb5context = NULL;
+    krb5_keytab                 krb5keytab = NULL;
+    krb5_keytab_entry           entry;
+    krb5_principal              princ = NULL;
+    krb5_error_code             krb5rc = KRB5KRB_ERR_GENERIC;
+    int rc = 0;
+
+    if ((krb5rc = krb5_init_context(&krb5context)))
+        return(0);
+
+    /*  kssl_ctx->keytab_file == NULL ==> use Kerberos default
+    */
+    if (kssl_ctx->keytab_file)
+    {
+        krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file,
+                                  &krb5keytab);
+        if (krb5rc)
+            goto exit;
+    }
+    else
+    {
+        krb5rc = krb5_kt_default(krb5context,&krb5keytab);
+        if (krb5rc)
+            goto exit;
+    }
+
+    /* the host key we are looking for */
+    krb5rc = krb5_sname_to_principal(krb5context, NULL, 
+                                     kssl_ctx->service_name ? kssl_ctx->service_name: KRB5SVC,
+                                     KRB5_NT_SRV_HST, &princ);
+
+    krb5rc = krb5_kt_get_entry(krb5context, krb5keytab, 
+                                princ,
+                                0 /* IGNORE_VNO */,
+                                0 /* IGNORE_ENCTYPE */,
+                                &entry);
+    if ( krb5rc == KRB5_KT_NOTFOUND ) {
+        rc = 1;
+        goto exit;
+    } else if ( krb5rc )
+        goto exit;
+    
+    krb5_kt_free_entry(krb5context, &entry);
+    rc = 1;
+
+  exit:
+    if (krb5keytab)     krb5_kt_close(krb5context, krb5keytab);
+    if (princ)          krb5_free_principal(krb5context, princ);
+    if (krb5context)    krb5_free_context(krb5context);
+    return(rc);
+}
+
+int 
+kssl_tgt_is_available(KSSL_CTX *kssl_ctx)
+        {
+        krb5_error_code         krb5rc = KRB5KRB_ERR_GENERIC;
+        krb5_context            krb5context = NULL;
+        krb5_ccache             krb5ccdef = NULL;
+        krb5_creds              krb5creds, *krb5credsp = NULL;
+        int                     rc = 0;
+
+        memset((char *)&krb5creds, 0, sizeof(krb5creds));
+
+        if (!kssl_ctx)
+            return(0);
+
+        if (!kssl_ctx->service_host)
+            return(0);
+
+        if ((krb5rc = krb5_init_context(&krb5context)) != 0)
+            goto err;
+
+        if ((krb5rc = krb5_sname_to_principal(krb5context,
+                                              kssl_ctx->service_host,
+                                              (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC,
+                                              KRB5_NT_SRV_HST, &krb5creds.server)) != 0)
+            goto err;
+
+        if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0)
+            goto err;
+
+        if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef,
+                                             &krb5creds.client)) != 0)
+            goto err;
+
+        if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef,
+                                            &krb5creds, &krb5credsp)) != 0)
+            goto err;
+
+        rc = 1;
+
+      err:
+#ifdef KSSL_DEBUG
+        kssl_ctx_show(kssl_ctx);
+#endif  /* KSSL_DEBUG */
+
+        if (krb5creds.client)   krb5_free_principal(krb5context, krb5creds.client);
+        if (krb5creds.server)   krb5_free_principal(krb5context, krb5creds.server);
+        if (krb5context)        krb5_free_context(krb5context);
+        return(rc);
+        }
+
+#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_WIN32)
+void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data)
+        {
+#ifdef KRB5_HEIMDAL
+        data->length = 0;
+        if (data->data)
+            free(data->data);
+#elif defined(KRB5_MIT_OLD11)
+        if (data->data)  {
+                krb5_xfree(data->data);
+                data->data = 0;
+                }
+#else
+        krb5_free_data_contents(NULL, data);
+#endif
+        }
+#endif /* !OPENSSL_SYS_WINDOWS && !OPENSSL_SYS_WIN32 */
+
+
+/*  Given pointers to KerberosTime and struct tm structs, convert the
+**  KerberosTime string to struct tm.  Note that KerberosTime is a
+**  ASN1_GENERALIZEDTIME value, constrained to GMT with no fractional
+**  seconds as defined in RFC 1510.
+**  Return pointer to the (partially) filled in struct tm on success,
+**  return NULL on failure.
+*/
+struct tm       *k_gmtime(ASN1_GENERALIZEDTIME *gtime, struct tm *k_tm)
+        {
+        char            c, *p;
+
+        if (!k_tm)  return NULL;
+        if (gtime == NULL  ||  gtime->length < 14)  return NULL;
+        if (gtime->data == NULL)  return NULL;
+
+        p = (char *)&gtime->data[14];
+
+        c = *p;  *p = '\0';  p -= 2;  k_tm->tm_sec  = atoi(p);      *(p+2) = c;
+        c = *p;  *p = '\0';  p -= 2;  k_tm->tm_min  = atoi(p);      *(p+2) = c;
+        c = *p;  *p = '\0';  p -= 2;  k_tm->tm_hour = atoi(p);      *(p+2) = c;
+        c = *p;  *p = '\0';  p -= 2;  k_tm->tm_mday = atoi(p);      *(p+2) = c;
+        c = *p;  *p = '\0';  p -= 2;  k_tm->tm_mon  = atoi(p)-1;    *(p+2) = c;
+        c = *p;  *p = '\0';  p -= 4;  k_tm->tm_year = atoi(p)-1900; *(p+4) = c;
+
+        return k_tm;
+        }
+
+
+/*  Helper function for kssl_validate_times().
+**  We need context->clockskew, but krb5_context is an opaque struct.
+**  So we try to sneek the clockskew out through the replay cache.
+**      If that fails just return a likely default (300 seconds).
+*/
+krb5_deltat     get_rc_clockskew(krb5_context context)
+        {
+        krb5_rcache     rc;
+        krb5_deltat     clockskew;
+
+        if (krb5_rc_default(context, &rc))  return KSSL_CLOCKSKEW;
+        if (krb5_rc_initialize(context, rc, 0))  return KSSL_CLOCKSKEW;
+        if (krb5_rc_get_lifespan(context, rc, &clockskew))  {
+                clockskew = KSSL_CLOCKSKEW;
+                }
+        (void) krb5_rc_destroy(context, rc);
+        return clockskew;
+        }
+
+
+/*  kssl_validate_times() combines (and more importantly exposes)
+**  the MIT KRB5 internal function krb5_validate_times() and the
+**  in_clock_skew() macro.  The authenticator client time is checked
+**  to be within clockskew secs of the current time and the current
+**  time is checked to be within the ticket start and expire times.
+**  Either check may be omitted by supplying a NULL value.
+**  Returns 0 for valid times, SSL_R_KRB5* error codes otherwise.
+**  See Also: (Kerberos source)/krb5/lib/krb5/krb/valid_times.c
+**  20010420 VRS
+*/
+krb5_error_code  kssl_validate_times(   krb5_timestamp atime,
+                                        krb5_ticket_times *ttimes)
+        {
+        krb5_deltat     skew;
+        krb5_timestamp  start, now;
+        krb5_error_code rc;
+        krb5_context    context;
+
+        if ((rc = krb5_init_context(&context)))  return SSL_R_KRB5_S_BAD_TICKET;
+        skew = get_rc_clockskew(context); 
+        if ((rc = krb5_timeofday(context,&now))) return SSL_R_KRB5_S_BAD_TICKET;
+        krb5_free_context(context);
+
+        if (atime  &&  labs(atime - now) >= skew)  return SSL_R_KRB5_S_TKT_SKEW;
+
+        if (! ttimes)  return 0;
+
+        start = (ttimes->starttime != 0)? ttimes->starttime: ttimes->authtime;
+        if (start - now > skew)  return SSL_R_KRB5_S_TKT_NYV;
+        if ((now - ttimes->endtime) > skew)  return SSL_R_KRB5_S_TKT_EXPIRED;
+
+#ifdef KSSL_DEBUG
+        printf("kssl_validate_times: %d |<-  | %d - %d | < %d  ->| %d\n",
+                start, atime, now, skew, ttimes->endtime);
+#endif  /* KSSL_DEBUG */
+
+        return 0;
+        }
+
+
+/*  Decode and decrypt given DER-encoded authenticator, then pass
+**  authenticator ctime back in *atimep (or 0 if time unavailable).
+**  Returns krb5_error_code and kssl_err on error.  A NULL 
+**  authenticator (authentp->length == 0) is not considered an error.
+**  Note that kssl_check_authent() makes use of the KRB5 session key;
+**  you must call kssl_sget_tkt() to get the key before calling this routine.
+*/
+krb5_error_code  kssl_check_authent(
+                        /* IN     */    KSSL_CTX        *kssl_ctx,
+                        /* IN     */    krb5_data       *authentp,
+                        /* OUT    */    krb5_timestamp  *atimep,
+                        /* OUT    */    KSSL_ERR        *kssl_err  )
+        {
+        krb5_error_code         krb5rc = 0;
+        KRB5_ENCDATA            *dec_authent = NULL;
+        KRB5_AUTHENTBODY        *auth = NULL;
+        krb5_enctype            enctype;
+        EVP_CIPHER_CTX          ciph_ctx;
+        const EVP_CIPHER        *enc = NULL;
+        unsigned char           iv[EVP_MAX_IV_LENGTH];
+        unsigned char           *p, *unenc_authent;
+        int                     padl, outl, unencbufsize;
+        struct tm               tm_time, *tm_l, *tm_g;
+        time_t                  now, tl, tg, tr, tz_offset;
+
+        EVP_CIPHER_CTX_init(&ciph_ctx);
+        *atimep = 0;
+        kssl_err_set(kssl_err, 0, "");
+
+#ifndef KRB5CHECKAUTH
+        authentp = NULL;
+#else
+#if     KRB5CHECKAUTH == 0
+        authentp = NULL;
+#endif
+#endif  /* KRB5CHECKAUTH */
+
+        if (authentp == NULL  ||  authentp->length == 0)  return 0;
+
+#ifdef KSSL_DEBUG
+        {
+        unsigned int ui;
+        printf("kssl_check_authent: authenticator[%d]:\n",authentp->length);
+        p = authentp->data; 
+        for (ui=0; ui < authentp->length; ui++)  printf("%02x ",p[ui]);
+        printf("\n");
+        }
+#endif  /* KSSL_DEBUG */
+
+        unencbufsize = 2 * authentp->length;
+        if ((unenc_authent = calloc(1, unencbufsize)) == NULL)
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+                        "Unable to allocate authenticator buffer.\n");
+                krb5rc = KRB5KRB_ERR_GENERIC;
+                goto err;
+                }
+
+        p = (unsigned char *)authentp->data;
+        if ((dec_authent = d2i_KRB5_ENCDATA(NULL, &p,
+                                        (long) authentp->length)) == NULL) 
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+                        "Error decoding authenticator.\n");
+                krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+                goto err;
+                }
+
+        enctype = dec_authent->etype->data[0];  /* should = kssl_ctx->enctype */
+#if !defined(KRB5_MIT_OLD11)
+            switch ( enctype ) {
+            case ENCTYPE_DES3_CBC_SHA1:         /*    EVP_des_ede3_cbc();  */
+            case ENCTYPE_DES3_CBC_SHA:
+            case ENCTYPE_DES3_CBC_RAW:
+                krb5rc = 0;                     /* Skip, can't handle derived keys */
+                goto err;
+            }
+#endif
+        enc = kssl_map_enc(enctype);
+        memset(iv, 0, EVP_MAX_IV_LENGTH);       /* per RFC 1510 */
+
+        if (enc == NULL)
+                {
+                /*  Disable kssl_check_authent for ENCTYPE_DES3_CBC_SHA1.
+                **  This enctype indicates the authenticator was encrypted
+                **  using key-usage derived keys which openssl cannot decrypt.
+                */
+                goto err;
+                }
+        if (!EVP_DecryptInit_ex(&ciph_ctx, enc, NULL, kssl_ctx->key, iv))
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+                        "EVP_DecryptInit_ex error decrypting authenticator.\n");
+                krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+                goto err;
+                }
+        if (!EVP_DecryptUpdate(&ciph_ctx, unenc_authent, &outl,
+                        dec_authent->cipher->data, dec_authent->cipher->length))
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+                        "EVP_DecryptUpdate error decrypting authenticator.\n");
+                krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+                goto err;
+                }
+        if (outl > unencbufsize)
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+                        "Buffer overflow decrypting authenticator.\n");
+                krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+                goto err;
+                }
+        if (!EVP_DecryptFinal_ex(&ciph_ctx, &(unenc_authent[outl]), &padl))
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+                        "EVP_DecryptFinal_ex error decrypting authenticator.\n");
+                krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+                goto err;
+                }
+        outl += padl;
+        if (outl > unencbufsize)
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+                        "Buffer overflow decrypting authenticator.\n");
+                krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+                goto err;
+                }
+        EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+
+#ifdef KSSL_DEBUG
+        printf("kssl_check_authent: decrypted authenticator[%d] =\n", outl);
+        for (padl=0; padl < outl; padl++) printf("%02x ",unenc_authent[padl]);
+        printf("\n");
+#endif  /* KSSL_DEBUG */
+
+        if ((p = kssl_skip_confound(enctype, unenc_authent)) == NULL)
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+                        "confounded by authenticator.\n");
+                krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+                goto err;
+                }
+        outl -= p - unenc_authent;
+
+        if ((auth = (KRB5_AUTHENTBODY *) d2i_KRB5_AUTHENT(NULL, &p,
+                                                          (long) outl))==NULL)
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+                        "Error decoding authenticator body.\n");
+                krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+                goto err;
+                }
+
+        memset(&tm_time,0,sizeof(struct tm));
+        if (k_gmtime(auth->ctime, &tm_time)  &&
+                ((tr = mktime(&tm_time)) != (time_t)(-1)))
+                {
+                now  = time(&now);
+                tm_l = localtime(&now);         tl = mktime(tm_l);
+                tm_g = gmtime(&now);            tg = mktime(tm_g);
+                tz_offset = tg - tl;
+
+                *atimep = tr - tz_offset;
+                }
+
+#ifdef KSSL_DEBUG
+        printf("kssl_check_authent: returns %d for client time ", *atimep);
+        if (auth && auth->ctime && auth->ctime->length && auth->ctime->data)
+                printf("%.*s\n", auth->ctime->length, auth->ctime->data);
+        else    printf("NULL\n");
+#endif  /* KSSL_DEBUG */
+
+ err:
+        if (auth)               KRB5_AUTHENT_free((KRB5_AUTHENT *) auth);
+        if (dec_authent)        KRB5_ENCDATA_free(dec_authent);
+        if (unenc_authent)      free(unenc_authent);
+        return krb5rc;
+        }
+
+
+/*  Replaces krb5_build_principal_ext(), with varargs length == 2 (svc, host),
+**  because I dont't know how to stub varargs.
+**  Returns krb5_error_code == ENOMEM on alloc error, otherwise
+**  passes back newly constructed principal, which should be freed by caller.
+*/
+krb5_error_code  kssl_build_principal_2(
+                        /* UPDATE */    krb5_context    context,
+                        /* OUT    */    krb5_principal  *princ,
+                        /* IN     */    int rlen,  const char *realm,
+                        /* IN     */    int slen,  const char *svc,
+                        /* IN     */    int hlen,  const char *host)
+        {
+        krb5_data               *p_data = NULL;
+        krb5_principal          new_p = NULL;
+        char                    *new_r = NULL;
+
+        if ((p_data = (krb5_data *) calloc(2, sizeof(krb5_data))) == NULL  ||
+            (new_p = (krb5_principal) calloc(1, sizeof(krb5_principal_data)))
+                        == NULL)  goto err;
+        new_p->length = 2;
+        new_p->data = p_data;
+
+        if ((new_r = calloc(1, rlen + 1)) == NULL)  goto err;
+        memcpy(new_r, realm, rlen);
+        krb5_princ_set_realm_length(context, new_p, rlen);
+        krb5_princ_set_realm_data(context, new_p, new_r);
+
+        if ((new_p->data[0].data = calloc(1, slen + 1)) == NULL)  goto err;
+        memcpy(new_p->data[0].data, svc, slen);
+        new_p->data[0].length = slen;
+
+        if ((new_p->data[1].data = calloc(1, hlen + 1)) == NULL)  goto err;
+        memcpy(new_p->data[1].data, host, hlen);
+        new_p->data[1].length = hlen;
+        
+        krb5_princ_type(context, new_p) = KRB5_NT_UNKNOWN;
+        *princ = new_p;
+        return 0;
+
+ err:
+        if (new_p  &&  new_p[0].data)   free(new_p[0].data);
+        if (new_p  &&  new_p[1].data)   free(new_p[1].data);
+        if (new_p)      free(new_p);
+        if (new_r)      free(new_r);
+        return ENOMEM;
+        }
+
+
+#else /* !OPENSSL_NO_KRB5 */
+
+#if defined(PEDANTIC) || defined(OPENSSL_SYS_VMS)
+static int dummy=(int)&dummy;
+#endif
+
+#endif  /* !OPENSSL_NO_KRB5     */
+
diff --git a/src/lib/libssl/src/ssl/kssl.h b/src/lib/libssl/src/ssl/kssl.h
new file mode 100644
index 0000000000..cf7ebdd168
--- /dev/null
+++ b/src/lib/libssl/src/ssl/kssl.h
@@ -0,0 +1,173 @@
+/* ssl/kssl.h -*- mode: C; c-file-style: "eay" -*- */
+/* Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project 2000.
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+**      19990701        VRS     Started.
+*/
+
+#ifndef KSSL_H
+#define KSSL_H
+
+#include <openssl/opensslconf.h>
+
+#ifndef OPENSSL_NO_KRB5
+
+#include <stdio.h>
+#include <ctype.h>
+#include <krb5.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/*
+**      Depending on which KRB5 implementation used, some types from
+**      the other may be missing.  Resolve that here and now
+*/
+#ifdef KRB5_HEIMDAL
+typedef unsigned char krb5_octet;
+#define FAR
+#endif
+
+/*      Uncomment this to debug kssl problems or
+**      to trace usage of the Kerberos session key
+**
+**      #define         KSSL_DEBUG
+*/
+
+#ifndef KRB5SVC
+#define KRB5SVC "host"
+#endif
+
+#ifndef KRB5KEYTAB
+#define KRB5KEYTAB      "/etc/krb5.keytab"
+#endif
+
+#ifndef KRB5SENDAUTH
+#define KRB5SENDAUTH    1
+#endif
+
+#ifndef KRB5CHECKAUTH
+#define KRB5CHECKAUTH   1
+#endif
+
+#ifndef KSSL_CLOCKSKEW
+#define KSSL_CLOCKSKEW  300;
+#endif
+
+#define KSSL_ERR_MAX    255
+typedef struct kssl_err_st  {
+        int  reason;
+        char text[KSSL_ERR_MAX+1];
+        } KSSL_ERR;
+
+
+/*      Context for passing
+**              (1) Kerberos session key to SSL, and
+**              (2)     Config data between application and SSL lib
+*/
+typedef struct kssl_ctx_st
+        {
+                                /*      used by:    disposition:            */
+        char *service_name;     /*      C,S         default ok (kssl)       */
+        char *service_host;     /*      C           input, REQUIRED         */
+        char *client_princ;     /*      S           output from krb5 ticket */
+        char *keytab_file;      /*      S           NULL (/etc/krb5.keytab) */
+        char *cred_cache;       /*      C           NULL (default)          */
+        krb5_enctype enctype;
+        int length;
+        krb5_octet FAR *key;
+        } KSSL_CTX;
+
+#define KSSL_CLIENT     1
+#define KSSL_SERVER     2
+#define KSSL_SERVICE    3
+#define KSSL_KEYTAB     4
+
+#define KSSL_CTX_OK     0
+#define KSSL_CTX_ERR    1
+#define KSSL_NOMEM      2
+
+/* Public (for use by applications that use OpenSSL with Kerberos 5 support */
+krb5_error_code kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text);
+KSSL_CTX *kssl_ctx_new(void);
+KSSL_CTX *kssl_ctx_free(KSSL_CTX *kssl_ctx);
+void kssl_ctx_show(KSSL_CTX *kssl_ctx);
+krb5_error_code kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
+        krb5_data *realm, krb5_data *entity);
+krb5_error_code kssl_cget_tkt(KSSL_CTX *kssl_ctx,  krb5_data **enc_tktp,
+        krb5_data *authenp, KSSL_ERR *kssl_err);
+krb5_error_code kssl_sget_tkt(KSSL_CTX *kssl_ctx,  krb5_data *indata,
+        krb5_ticket_times *ttimes, KSSL_ERR *kssl_err);
+krb5_error_code kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session);
+void    kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text);
+void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data);
+krb5_error_code  kssl_build_principal_2(krb5_context context,
+                        krb5_principal *princ, int rlen, const char *realm,
+                        int slen, const char *svc, int hlen, const char *host);
+krb5_error_code  kssl_validate_times(krb5_timestamp atime,
+                                        krb5_ticket_times *ttimes);
+krb5_error_code  kssl_check_authent(KSSL_CTX *kssl_ctx, krb5_data *authentp,
+                                    krb5_timestamp *atimep, KSSL_ERR *kssl_err);
+unsigned char   *kssl_skip_confound(krb5_enctype enctype, unsigned char *authn);
+
+#ifdef  __cplusplus
+}
+#endif
+#endif  /* OPENSSL_NO_KRB5      */
+#endif  /* KSSL_H       */
diff --git a/src/lib/libssl/src/ssl/kssl_lcl.h b/src/lib/libssl/src/ssl/kssl_lcl.h
new file mode 100644
index 0000000000..4cd8dd2d7f
--- /dev/null
+++ b/src/lib/libssl/src/ssl/kssl_lcl.h
@@ -0,0 +1,87 @@
+/* ssl/kssl.h -*- mode: C; c-file-style: "eay" -*- */
+/* Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project 2000.
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef KSSL_LCL_H
+#define KSSL_LCL_H
+
+#include <openssl/kssl.h>
+
+#ifndef OPENSSL_NO_KRB5
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/* Private (internal to OpenSSL) */
+void print_krb5_data(char *label, krb5_data *kdata);
+void print_krb5_authdata(char *label, krb5_authdata **adata);
+void print_krb5_keyblock(char *label, krb5_keyblock *keyblk);
+
+char *kstring(char *string);
+char *knumber(int len, krb5_octet *contents);
+
+EVP_CIPHER *kssl_map_enc(krb5_enctype enctype);
+
+int kssl_keytab_is_available(KSSL_CTX *kssl_ctx);
+int kssl_tgt_is_available(KSSL_CTX *kssl_ctx);
+
+#ifdef  __cplusplus
+}
+#endif
+#endif  /* OPENSSL_NO_KRB5      */
+#endif  /* KSSL_LCL_H   */
diff --git a/src/lib/libssl/src/ssl/ssl-lib.com b/src/lib/libssl/src/ssl/ssl-lib.com
new file mode 100644
index 0000000000..75fa89f193
--- /dev/null
+++ b/src/lib/libssl/src/ssl/ssl-lib.com
@@ -0,0 +1,1200 @@
+$!
+$!  SSL-LIB.COM
+$!  Written By:  Robert Byer
+$!               Vice-President
+$!               A-Com Computing, Inc.
+$!               byer@mail.all-net.net
+$!
+$!  Changes by Richard Levitte <richard@levitte.org>
+$!
+$!  This command file compiles and creates the "[.xxx.EXE.SSL]LIBSSL.OLB" 
+$!  library for OpenSSL.  The "xxx" denotes the machine architecture of AXP 
+$!  or VAX.
+$!
+$!  It is written to detect what type of machine you are compiling on
+$!  (i.e. AXP or VAX) and which "C" compiler you have (i.e. VAXC, DECC 
+$!  or GNU C) or you can specify which compiler to use.
+$!
+$!  Specify the following as P1 to build just that part or ALL to just
+$!  build everything.
+$!
+$!              LIBRARY    To just compile the [.xxx.EXE.SSL]LIBSSL.OLB Library.
+$!              SSL_TASK   To just compile the [.xxx.EXE.SSL]SSL_TASK.EXE
+$!
+$!  Specify RSAREF as P2 to compile with the RSAREF library instead of
+$!  the regular one.  If you specify NORSAREF it will compile with the
+$!  regular RSAREF routines.  (Note: If you are in the United States
+$!  you MUST compile with RSAREF unless you have a license from RSA).
+$!
+$!  Note: The RSAREF libraries are NOT INCLUDED and you have to
+$!        download it from "ftp://ftp.rsa.com/rsaref".  You have to
+$!        get the ".tar-Z" file as the ".zip" file dosen't have the
+$!        directory structure stored.  You have to extract the file
+$!        into the [.RSAREF] directory under the root directory as that
+$!        is where the scripts will look for the files.
+$!
+$!  Specify DEBUG or NODEBUG as P3 to compile with or without debugger
+$!  information.
+$!
+$!  Specify which compiler at P4 to try to compile under.
+$!
+$!         VAXC  For VAX C.
+$!         DECC  For DEC C.
+$!         GNUC  For GNU C.
+$!
+$!  If you don't speficy a compiler, it will try to determine which
+$!  "C" compiler to use.
+$!
+$!  P5, if defined, sets a TCP/IP library to use, through one of the following
+$!  keywords:
+$!
+$!      UCX             for UCX
+$!      SOCKETSHR       for SOCKETSHR+NETLIB
+$!
+$!  P6, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
+$!
+$!
+$! Define A TCP/IP Library That We Will Need To Link To.
+$! (That Is, If We Need To Link To One.)
+$!
+$ TCPIP_LIB = ""
+$!
+$! Check Which Architecture We Are Using.
+$!
+$ IF (F$GETSYI("CPU").GE.128)
+$ THEN
+$!
+$!  The Architecture Is AXP.
+$!
+$   ARCH := AXP
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$!  The Architecture Is VAX.
+$!
+$   ARCH := VAX
+$!
+$! End The Architecture Check.
+$!
+$ ENDIF
+$!
+$! Check To Make Sure We Have Valid Command Line Parameters.
+$!
+$ GOSUB CHECK_OPTIONS
+$!
+$! Initialise logical names and such
+$!
+$ GOSUB INITIALISE
+$!
+$! Tell The User What Kind of Machine We Run On.
+$!
+$ WRITE SYS$OUTPUT "Compiling On A ",ARCH," Machine."
+$!
+$! Define The OBJ Directory.
+$!
+$ OBJ_DIR := SYS$DISK:[-.'ARCH'.OBJ.SSL]
+$!
+$! Check To See If The Architecture Specific OBJ Directory Exists.
+$!
+$ IF (F$PARSE(OBJ_DIR).EQS."")
+$ THEN
+$!
+$!  It Dosen't Exist, So Create It.
+$!
+$   CREATE/DIR 'OBJ_DIR'
+$!
+$! End The Architecture Specific OBJ Directory Check.
+$!
+$ ENDIF
+$!
+$! Define The EXE Directory.
+$!
+$ EXE_DIR := SYS$DISK:[-.'ARCH'.EXE.SSL]
+$!
+$! Check To See If The Architecture Specific Directory Exists.
+$!
+$ IF (F$PARSE(EXE_DIR).EQS."")
+$ THEN
+$!
+$!  It Dosen't Exist, So Create It.
+$!
+$   CREATE/DIR 'EXE_DIR'
+$!
+$! End The Architecture Specific Directory Check.
+$!
+$ ENDIF
+$!
+$! Define The Library Name.
+$!
+$ SSL_LIB := 'EXE_DIR'LIBSSL.OLB
+$!
+$! Define The CRYPTO-LIB We Are To Use.
+$!
+$ CRYPTO_LIB := SYS$DISK:[-.'ARCH'.EXE.CRYPTO]LIBCRYPTO.OLB
+$!
+$! Define The RSAREF-LIB We Are To Use.
+$!
+$ RSAREF_LIB := SYS$DISK:[-.'ARCH'.EXE.RSAREF]LIBRSAGLUE.OLB
+$!
+$! Check To See What We Are To Do.
+$!
+$ IF (BUILDALL.EQS."TRUE")
+$ THEN
+$!
+$!  Since Nothing Special Was Specified, Do Everything.
+$!
+$   GOSUB LIBRARY
+$   GOSUB SSL_TASK
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$!  Build Just What The User Wants Us To Build.
+$!
+$   GOSUB 'BUILDALL'
+$!
+$! End The BUILDALL Check.
+$!
+$ ENDIF
+$!
+$! Time To EXIT.
+$!
+$ EXIT:
+$ GOSUB CLEANUP
+$ EXIT   
+$!
+$! Compile The Library.
+$!
+$ LIBRARY:
+$!
+$! Check To See If We Already Have A "[.xxx.EXE.SSL]LIBSSL.OLB" Library...
+$!
+$ IF (F$SEARCH(SSL_LIB).EQS."")
+$ THEN
+$!
+$! Guess Not, Create The Library.
+$!
+$   LIBRARY/CREATE/OBJECT 'SSL_LIB'
+$!
+$! End The Library Exist Check.
+$!
+$ ENDIF
+$!
+$! Define The Different SSL "library" Files.
+$!
+$ LIB_SSL = "s2_meth,s2_srvr,s2_clnt,s2_lib,s2_enc,s2_pkt,"+ -
+            "s3_meth,s3_srvr,s3_clnt,s3_lib,s3_enc,s3_pkt,s3_both,"+ -
+            "s23_meth,s23_srvr,s23_clnt,s23_lib,s23_pkt,"+ -
+            "t1_meth,t1_srvr,t1_clnt,t1_lib,t1_enc,"+ -
+            "ssl_lib,ssl_err2,ssl_cert,ssl_sess,"+ -
+            "ssl_ciph,ssl_stat,ssl_rsa,"+ -
+            "ssl_asn1,ssl_txt,ssl_algs,"+ -
+            "bio_ssl,ssl_err"
+$!
+$! Tell The User That We Are Compiling The Library.
+$!
+$ WRITE SYS$OUTPUT "Building The ",SSL_LIB," Library."
+$!
+$! Define A File Counter And Set It To "0"
+$!
+$ FILE_COUNTER = 0
+$!
+$! Top Of The File Loop.
+$!
+$ NEXT_FILE:
+$!
+$! O.K, Extract The File Name From The File List.
+$!
+$ FILE_NAME = F$ELEMENT(FILE_COUNTER,",",LIB_SSL)
+$!
+$! Check To See If We Are At The End Of The File List.
+$!
+$ IF (FILE_NAME.EQS.",") THEN GOTO FILE_DONE
+$!
+$! Increment The Counter.
+$!
+$ FILE_COUNTER = FILE_COUNTER + 1
+$!
+$! Create The Source File Name.
+$!
+$ SOURCE_FILE = "SYS$DISK:[]" + FILE_NAME + ".C"
+$!
+$! Create The Object File Name.
+$!
+$ OBJECT_FILE = OBJ_DIR + FILE_NAME + ".OBJ"
+$ ON WARNING THEN GOTO NEXT_FILE
+$!
+$! Check To See If The File We Want To Compile Is Actually There.
+$!
+$ IF (F$SEARCH(SOURCE_FILE).EQS."")
+$ THEN
+$!
+$!  Tell The User That The File Dosen't Exist.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "The File ",SOURCE_FILE," Dosen't Exist."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Exit The Build.
+$!
+$   EXIT
+$!
+$! End The File Exists Check.
+$!
+$ ENDIF
+$!
+$!  Tell The User What File We Are Compiling.
+$!
+$ WRITE SYS$OUTPUT "    ",FILE_NAME,".c"
+$!
+$! Compile The File.
+$!
+$ ON ERROR THEN GOTO NEXT_FILE
+$ CC/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
+$!
+$! Add It To The Library.
+$!
+$ LIBRARY/REPLACE/OBJECT 'SSL_LIB' 'OBJECT_FILE'
+$!
+$! Time To Clean Up The Object File.
+$!
+$ DELETE 'OBJECT_FILE';*
+$!
+$! Go Back And Get The Next File Name.
+$!
+$ GOTO NEXT_FILE
+$!
+$! All Done With This Library.
+$!
+$ FILE_DONE:
+$!
+$! Tell The User That We Are All Done.
+$!
+$ WRITE SYS$OUTPUT "Library ",SSL_LIB," Compiled."
+$!
+$! Time To RETURN.
+$!
+$ RETURN
+$ SSL_TASK:
+$!
+$! Check To See If We Have The Proper Libraries.
+$!
+$ GOSUB LIB_CHECK
+$!
+$! Check To See If We Have A Linker Option File.
+$!
+$ GOSUB CHECK_OPT_FILE
+$!
+$! Check To See If The File We Want To Compile Is Actually There.
+$!
+$ IF (F$SEARCH("SYS$DISK:[]SSL_TASK.C").EQS."")
+$ THEN
+$!
+$!  Tell The User That The File Dosen't Exist.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "The File SSL_TASK.C Dosen't Exist."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Exit The Build.
+$!
+$   EXIT
+$!
+$! End The SSL_TASK.C File Check.
+$!
+$ ENDIF
+$!
+$! Tell The User We Are Creating The SSL_TASK.
+$!
+$ WRITE SYS$OUTPUT "Creating SSL_TASK OSU HTTP SSL Engine."     
+$!
+$! Compile The File.
+$!
+$ CC5/OBJECT='OBJ_DIR'SSL_TASK.OBJ SYS$DISK:[]SSL_TASK.C
+$!
+$! Link The Program, Check To See If We Need To Link With RSAREF Or Not.
+$!
+$ IF (RSAREF.EQS."TRUE")
+$ THEN
+$!
+$!  Check To See If We Are To Link With A Specific TCP/IP Library.
+$!
+$   IF (TCPIP_LIB.NES."")
+$   THEN
+$!
+$!    Link With The RSAREF Library And A Specific TCP/IP Library.
+$!
+$     LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR'SSL_TASK.EXE -
+          'OBJ_DIR'SSL_TASK.OBJ, -
+          'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, -
+          'TCPIP_LIB','OPT_FILE'/OPTION
+$!
+$!  Else...
+$!
+$   ELSE
+$!
+$!    Link With The RSAREF Library And NO TCP/IP Library.
+$!
+$     LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR'SSL_TASK.EXE -
+          'OBJ_DIR'SSL_TASK.OBJ, -
+          'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, -
+          'OPT_FILE'/OPTION
+$!
+$!  End The TCP/IP Library Check.
+$!
+$   ENDIF
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$!  Don't Link With The RSAREF Routines.
+$!
+$!
+$!  Check To See If We Are To Link With A Specific TCP/IP Library.
+$!
+$   IF (TCPIP_LIB.NES."")
+$   THEN
+$!
+$!    Don't Link With The RSAREF Routines And TCP/IP Library.
+$!
+$     LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR'SSL_TASK.EXE -
+          'OBJ_DIR'SSL_TASK.OBJ, -
+          'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
+          'TCPIP_LIB','OPT_FILE'/OPTION
+$!
+$!  Else...
+$!
+$   ELSE
+$!
+$!    Don't Link With The RSAREF Routines And Link With A TCP/IP Library.
+$!
+$     LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR'SSL_TASK.EXE -
+          'OBJ_DIR'SSL_TASK.OBJ,-
+          'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
+          'OPT_FILE'/OPTION
+$!
+$!  End The TCP/IP Library Check.
+$!
+$   ENDIF
+$!
+$! End The RSAREF Link Check.
+$!
+$ ENDIF
+$!
+$! Time To Return.
+$!
+$ RETURN
+$!
+$! Check For The Link Option FIle.
+$!
+$ CHECK_OPT_FILE:
+$!
+$! Check To See If We Need To Make A VAX C Option File.
+$!
+$ IF (COMPILER.EQS."VAXC")
+$ THEN
+$!
+$!  Check To See If We Already Have A VAX C Linker Option File.
+$!
+$   IF (F$SEARCH(OPT_FILE).EQS."")
+$   THEN
+$!
+$!    We Need A VAX C Linker Option File.
+$!
+$     CREATE 'OPT_FILE'
+$DECK
+!
+! Default System Options File To Link Agianst 
+! The Sharable VAX C Runtime Library.
+!
+SYS$SHARE:VAXCRTL.EXE/SHARE
+$EOD
+$!
+$!  End The Option File Check.
+$!
+$   ENDIF
+$!
+$! End The VAXC Check.
+$!
+$ ENDIF
+$!
+$! Check To See If We Need A GNU C Option File.
+$!
+$ IF (COMPILER.EQS."GNUC")
+$ THEN
+$!
+$!  Check To See If We Already Have A GNU C Linker Option File.
+$!
+$   IF (F$SEARCH(OPT_FILE).EQS."")
+$   THEN
+$!
+$!    We Need A GNU C Linker Option File.
+$!
+$     CREATE 'OPT_FILE'
+$DECK
+!
+! Default System Options File To Link Agianst 
+! The Sharable C Runtime Library.
+!
+GNU_CC:[000000]GCCLIB/LIBRARY
+SYS$SHARE:VAXCRTL/SHARE
+$EOD
+$!
+$!  End The Option File Check.
+$!
+$   ENDIF
+$!
+$! End The GNU C Check.
+$!
+$ ENDIF
+$!
+$! Check To See If We Need A DEC C Option File.
+$!
+$ IF (COMPILER.EQS."DECC")
+$ THEN
+$!
+$!  Check To See If We Already Have A DEC C Linker Option File.
+$!
+$   IF (F$SEARCH(OPT_FILE).EQS."")
+$   THEN
+$!
+$!    Figure Out If We Need An AXP Or A VAX Linker Option File.
+$!
+$     IF (ARCH.EQS."VAX")
+$     THEN
+$!
+$!      We Need A DEC C Linker Option File For VAX.
+$!
+$       CREATE 'OPT_FILE'
+$DECK
+!
+! Default System Options File To Link Agianst 
+! The Sharable DEC C Runtime Library.
+!
+SYS$SHARE:DECC$SHR.EXE/SHARE
+$EOD
+$!
+$!    Else...
+$!
+$     ELSE
+$!
+$!      Create The AXP Linker Option File.
+$!
+$       CREATE 'OPT_FILE'
+$DECK
+!
+! Default System Options File For AXP To Link Agianst 
+! The Sharable C Runtime Library.
+!
+SYS$SHARE:CMA$OPEN_LIB_SHR/SHARE
+SYS$SHARE:CMA$OPEN_RTL/SHARE
+$EOD
+$!
+$!    End The VAX/AXP DEC C Option File Check.
+$!
+$     ENDIF
+$!
+$!  End The Option File Search.
+$!
+$   ENDIF
+$!
+$! End The DEC C Check.
+$!
+$ ENDIF
+$!
+$!  Tell The User What Linker Option File We Are Using.
+$!
+$ WRITE SYS$OUTPUT "Using Linker Option File ",OPT_FILE,"."     
+$!
+$! Time To RETURN.
+$!
+$ RETURN
+$ LIB_CHECK:
+$!
+$! Look For The VAX Library LIBSSL.OLB.
+$!
+$ IF (F$SEARCH(SSL_LIB).EQS."")
+$ THEN
+$!
+$!  Tell The User We Can't Find The LIBSSL.OLB Library.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "Can't Find The Library ",SSL_LIB,"."
+$   WRITE SYS$OUTPUT "We Can't Link Without It."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Since We Can't Link Without It, Exit.
+$!
+$   EXIT
+$!
+$! End The LIBSSL.OLB Library Check.
+$!
+$ ENDIF
+$!
+$! Look For The Library LIBCRYPTO.OLB.
+$!
+$ IF (F$SEARCH(CRYPTO_LIB).EQS."")
+$ THEN
+$!
+$!  Tell The User We Can't Find The LIBCRYPTO.OLB Library.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "Can't Find The Library ",CRYPTO_LIB,"."
+$   WRITE SYS$OUTPUT "We Can't Link Without It."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Since We Can't Link Without It, Exit.
+$!
+$   EXIT
+$!
+$! End The LIBCRYPTO.OLB Library Check.
+$!
+$ ENDIF
+$!
+$! Check To See If We Need The RSAREF Library.
+$!
+$ IF (RSAREF.EQS."TRUE")
+$ THEN
+$!
+$!  Look For The Library LIBRSAGLUE.OLB.
+$!
+$   IF (F$SEARCH(RSAREF_LIB).EQS."")
+$   THEN
+$!
+$!    Tell The User We Can't Find The LIBRSAGLUE.OLB Library.
+$!
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "Can't Find The Library ",RSAREF_LIB,"."
+$     WRITE SYS$OUTPUT "We Can't Link Without It."
+$     WRITE SYS$OUTPUT ""
+$!
+$!    Since We Can't Link Without It, Exit.
+$!
+$     EXIT
+$!
+$!   End The LIBRSAGLUE.OLB Library Check.
+$!
+$   ENDIF
+$!
+$! End The RSAREF Library Check.
+$!
+$ ENDIF
+$!
+$! Time To Return.
+$!
+$ RETURN
+$!
+$! Check The User's Options.
+$!
+$ CHECK_OPTIONS:
+$!
+$! Check To See If P1 Is Blank.
+$!
+$ IF (P1.EQS."ALL")
+$ THEN
+$!
+$!   P1 Is Blank, So Build Everything.
+$!
+$    BUILDALL = "TRUE"
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$!  Else, Check To See If P1 Has A Valid Arguement.
+$!
+$   IF (P1.EQS."LIBRARY").OR.(P1.EQS."SSL_TASK")
+$   THEN
+$!
+$!    A Valid Arguement.
+$!
+$     BUILDALL = P1
+$!
+$!  Else...
+$!
+$   ELSE
+$!
+$!    Tell The User We Don't Know What They Want.
+$!
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "The Option ",P1," Is Invalid.  The Valid Options Are:"
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "    ALL      :  Just Build Everything."
+$     WRITE SYS$OUTPUT "    LIBRARY  :  To Compile Just The [.xxx.EXE.SSL]LIBSSL.OLB Library."
+$     WRITE SYS$OUTPUT "    SSL_TASK :  To Compile Just The [.xxx.EXE.SSL]SSL_TASK.EXE Program."
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT " Where 'xxx' Stands For:"
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "        AXP  :  Alpha Architecture."
+$     WRITE SYS$OUTPUT "        VAX  :  VAX Architecture."
+$     WRITE SYS$OUTPUT ""
+$!
+$!    Time To EXIT.
+$!
+$     EXIT
+$!
+$!  End The Valid Arguement Check.
+$!
+$   ENDIF
+$!
+$! End The P1 Check.
+$!
+$ ENDIF
+$!
+$! Check To See If P2 Is Blank.
+$!
+$ IF (P2.EQS."NORSAREF")
+$ THEN
+$!
+$!   P2 Is NORSAREF, So Compile With The Regular RSA Libraries.
+$!
+$    RSAREF = "FALSE"
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$!  Check To See If We Are To Use The RSAREF Library.
+$!
+$   IF (P2.EQS."RSAREF")
+$   THEN
+$!
+$!    Check To Make Sure We Have The RSAREF Source Code Directory.
+$!
+$     IF (F$SEARCH("SYS$DISK:[-.RSAREF]SOURCE.DIR").EQS."")
+$     THEN
+$!
+$!      We Don't Have The RSAREF Souce Code Directory, So Tell The
+$!      User This.
+$!
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "It appears that you don't have the RSAREF Souce Code."
+$       WRITE SYS$OUTPUT "You need to go to 'ftp://ftp.rsa.com/rsaref'.  You have to"
+$       WRITE SYS$OUTPUT "get the '.tar-Z' file as the '.zip' file dosen't have the"
+$       WRITE SYS$OUTPUT "directory structure stored.  You have to extract the file"
+$       WRITE SYS$OUTPUT "into the [.RSAREF] directory under the root directory"
+$       WRITE SYS$OUTPUT "as that is where the scripts will look for the files."
+$       WRITE SYS$OUTPUT ""
+$!
+$!      Time To Exit.
+$!
+$       EXIT
+$!
+$!    Else, Compile Using The RSAREF Library.
+$!
+$     ELSE
+$       RSAREF = "TRUE"
+$     ENDIF
+$   ELSE 
+$!
+$!    They Entered An Invalid Option..
+$!
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "     RSAREF   :  Compile With The RSAREF Library."
+$     WRITE SYS$OUTPUT "     NORSAREF :  Compile With The Regular RSA Library."
+$     WRITE SYS$OUTPUT ""
+$!
+$!    Time To EXIT.
+$!
+$     EXIT
+$!
+$!  End The Valid Arguement Check.
+$!
+$   ENDIF
+$!
+$! End The P2 Check.
+$!
+$ ENDIF
+$!
+$! Check To See If P3 Is Blank.
+$!
+$ IF (P3.EQS."NODEBUG")
+$ THEN
+$!
+$!   P3 Is NODEBUG, So Compile Without Debugger Information.
+$!
+$    DEBUGGER  = "NODEBUG"
+$    TRACEBACK = "NOTRACEBACK" 
+$    GCC_OPTIMIZE = "OPTIMIZE"
+$    CC_OPTIMIZE = "OPTIMIZE"
+$    WRITE SYS$OUTPUT "No Debugger Information Will Be Produced During Compile."
+$    WRITE SYS$OUTPUT "Compiling With Compiler Optimization."
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$!  Check To See If We Are To Compile With Debugger Information.
+$!
+$   IF (P3.EQS."DEBUG")
+$   THEN
+$!
+$!    Compile With Debugger Information.
+$!
+$     DEBUGGER  = "DEBUG"
+$     TRACEBACK = "TRACEBACK"
+$     GCC_OPTIMIZE = "NOOPTIMIZE"
+$     CC_OPTIMIZE = "NOOPTIMIZE"
+$     WRITE SYS$OUTPUT "Debugger Information Will Be Produced During Compile."
+$     WRITE SYS$OUTPUT "Compiling Without Compiler Optimization."
+$   ELSE
+$!
+$!    Tell The User Entered An Invalid Option..
+$!
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "The Option ",P3," Is Invalid.  The Valid Options Are:"
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "    DEBUG    :  Compile With The Debugger Information."
+$     WRITE SYS$OUTPUT "    NODEBUG  :  Compile Without The Debugger Information."
+$     WRITE SYS$OUTPUT ""
+$!
+$!    Time To EXIT.
+$!
+$     EXIT
+$!
+$!  End The Valid Arguement Check.
+$!
+$   ENDIF
+$!
+$! End The P3 Check.
+$!
+$ ENDIF
+$!
+$! Special Threads For OpenVMS v7.1 Or Later
+$!
+$! Written By:  Richard Levitte
+$!              richard@levitte.org
+$!
+$!
+$! Check To See If We Have A Option For P6.
+$!
+$ IF (P6.EQS."")
+$ THEN
+$!
+$!  Get The Version Of VMS We Are Using.
+$!
+$   ISSEVEN :=
+$   TMP = F$ELEMENT(0,"-",F$EXTRACT(1,4,F$GETSYI("VERSION")))
+$   TMP = F$INTEGER(F$ELEMENT(0,".",TMP)+F$ELEMENT(1,".",TMP))
+$!
+$!  Check To See If The VMS Version Is v7.1 Or Later.
+$!
+$   IF (TMP.GE.71)
+$   THEN
+$!
+$!    We Have OpenVMS v7.1 Or Later, So Use The Special Threads.
+$!
+$     ISSEVEN := ,PTHREAD_USE_D4
+$!
+$!  End The VMS Version Check.
+$!
+$   ENDIF
+$!
+$! End The P6 Check.
+$!
+$ ENDIF
+$!
+$! Check To See If P4 Is Blank.
+$!
+$ IF (P4.EQS."")
+$ THEN
+$!
+$!  O.K., The User Didn't Specify A Compiler, Let's Try To
+$!  Find Out Which One To Use.
+$!
+$!  Check To See If We Have GNU C.
+$!
+$   IF (F$TRNLNM("GNU_CC").NES."")
+$   THEN
+$!
+$!    Looks Like GNUC, Set To Use GNUC.
+$!
+$     P4 = "GNUC"
+$!
+$!  End The GNU C Compiler Check.
+$!
+$   ELSE
+$!
+$!  Check To See If We Have VAXC Or DECC.
+$!
+$     IF (ARCH.EQS."AXP").OR.(F$TRNLNM("DECC$CC_DEFAULT").NES."")
+$     THEN 
+$!
+$!      Looks Like DECC, Set To Use DECC.
+$!
+$       P4 = "DECC"
+$!
+$!      Else...
+$!
+$     ELSE
+$!
+$!      Looks Like VAXC, Set To Use VAXC.
+$!
+$       P4 = "VAXC"
+$!
+$!    End The VAXC Compiler Check.
+$!
+$     ENDIF
+$!
+$!  End The DECC & VAXC Compiler Check.
+$!
+$   ENDIF
+$!
+$!  End The Compiler Check.
+$!
+$ ENDIF
+$!
+$! Check To See If We Have A Option For P5.
+$!
+$ IF (P5.EQS."")
+$ THEN
+$!
+$!  Find out what socket library we have available
+$!
+$   IF F$PARSE("SOCKETSHR:") .NES. ""
+$   THEN
+$!
+$!    We have SOCKETSHR, and it is my opinion that it's the best to use.
+$!
+$     P5 = "SOCKETSHR"
+$!
+$!    Tell the user
+$!
+$     WRITE SYS$OUTPUT "Using SOCKETSHR for TCP/IP"
+$!
+$!    Else, let's look for something else
+$!
+$   ELSE
+$!
+$!    Like UCX (the reason to do this before Multinet is that the UCX
+$!    emulation is easier to use...)
+$!
+$     IF F$TRNLNM("UCX$IPC_SHR") .NES. "" -
+         .OR. F$PARSE("SYS$SHARE:UCX$IPC_SHR.EXE") .NES. "" -
+         .OR. F$PARSE("SYS$LIBRARY:UCX$IPC.OLB") .NES. ""
+$     THEN
+$!
+$!      Last resort: a UCX or UCX-compatible library
+$!
+$       P5 = "UCX"
+$!
+$!      Tell the user
+$!
+$       WRITE SYS$OUTPUT "Using UCX or an emulation thereof for TCP/IP"
+$!
+$!      That was all...
+$!
+$     ENDIF
+$   ENDIF
+$ ENDIF
+$!
+$! Set Up Initial CC Definitions, Possibly With User Ones
+$!
+$ CCDEFS = "VMS=1,TCPIP_TYPE_''P5'"
+$ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
+$ CCEXTRAFLAGS = ""
+$ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
+$ CCDISABLEWARNINGS = ""
+$ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
+        CCDISABLEWARNINGS = USER_CCDISABLEWARNINGS
+$!
+$!  Check To See If The User Entered A Valid Paramter.
+$!
+$ IF (P4.EQS."VAXC").OR.(P4.EQS."DECC").OR.(P4.EQS."GNUC")
+$ THEN
+$!
+$!  Check To See If The User Wanted DECC.
+$!
+$   IF (P4.EQS."DECC")
+$   THEN
+$!
+$!    Looks Like DECC, Set To Use DECC.
+$!
+$     COMPILER = "DECC"
+$!
+$!    Tell The User We Are Using DECC.
+$!
+$     WRITE SYS$OUTPUT "Using DECC 'C' Compiler."
+$!
+$!    Use DECC...
+$!
+$     CC = "CC"
+$     IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" -
+         THEN CC = "CC/DECC"
+$     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + -
+           "/NOLIST/PREFIX=ALL" + -
+           "/INCLUDE=(SYS$DISK:[-.CRYPTO],SYS$DISK:[.SOURCE])" + CCEXTRAFLAGS
+$!
+$!    Define The Linker Options File Name.
+$!
+$     OPT_FILE = "SYS$DISK:[]VAX_DECC_OPTIONS.OPT"
+$!
+$!  End DECC Check.
+$!
+$   ENDIF
+$!
+$!  Check To See If We Are To Use VAXC.
+$!
+$   IF (P4.EQS."VAXC")
+$   THEN
+$!
+$!    Looks Like VAXC, Set To Use VAXC.
+$!
+$     COMPILER = "VAXC"
+$!
+$!    Tell The User We Are Using VAX C.
+$!
+$     WRITE SYS$OUTPUT "Using VAXC 'C' Compiler."
+$!
+$!    Compile Using VAXC.
+$!
+$     CC = "CC"
+$     IF ARCH.EQS."AXP"
+$     THEN
+$       WRITE SYS$OUTPUT "There is no VAX C on Alpha!"
+$       EXIT
+$     ENDIF
+$     IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC"
+$     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
+           "/INCLUDE=(SYS$DISK:[-.CRYPTO],SYS$DISK:[.SOURCE])" + CCEXTRAFLAGS
+$     CCDEFS = CCDEFS + ",""VAXC"""
+$!
+$!    Define <sys> As SYS$COMMON:[SYSLIB]
+$!
+$     DEFINE/NOLOG SYS SYS$COMMON:[SYSLIB]
+$!
+$!    Define The Linker Options File Name.
+$!
+$     OPT_FILE = "SYS$DISK:[]VAX_VAXC_OPTIONS.OPT"
+$!
+$!  End VAXC Check
+$!
+$   ENDIF
+$!
+$!  Check To See If We Are To Use GNU C.
+$!
+$   IF (P4.EQS."GNUC")
+$   THEN
+$!
+$!    Looks Like GNUC, Set To Use GNUC.
+$!
+$     COMPILER = "GNUC"
+$!
+$!    Tell The User We Are Using GNUC.
+$!
+$     WRITE SYS$OUTPUT "Using GNU 'C' Compiler."
+$!
+$!    Use GNU C...
+$!
+$     IF F$TYPE(GCC) .EQS. "" THEN GCC := GCC
+$     CC = GCC+"/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
+           "/INCLUDE=(SYS$DISK:[-.CRYPTO],SYS$DISK:[.SOURCE])" + CCEXTRAFLAGS
+$!
+$!    Define The Linker Options File Name.
+$!
+$     OPT_FILE = "SYS$DISK:[]VAX_GNUC_OPTIONS.OPT"
+$!
+$!  End The GNU C Check.
+$!
+$   ENDIF
+$!
+$!  Set up default defines
+$!
+$   CCDEFS = """FLAT_INC=1""," + CCDEFS
+$!
+$!  Check To See If We Are To Compile With RSAREF Routines.
+$!
+$   IF (RSAREF.EQS."TRUE")
+$   THEN
+$!
+$!    Compile With RSAREF.
+$!
+$     CCDEFS = CCDEFS + ",""RSAref=1"""
+$!
+$!    Tell The User This.
+$!
+$     WRITE SYS$OUTPUT "Compiling With RSAREF Routines."
+$!
+$!    Else, We Don't Care.  Compile Without The RSAREF Library.
+$!
+$   ELSE
+$!
+$!    Tell The User We Are Compile Without The RSAREF Routines.
+$!
+$     WRITE SYS$OUTPUT "Compiling Without The RSAREF Routines.
+$!
+$!  End The RSAREF Check.
+$!
+$   ENDIF
+$!
+$!  Finish up the definition of CC.
+$!
+$   IF COMPILER .EQS. "DECC"
+$   THEN
+$     IF CCDISABLEWARNINGS .EQS. ""
+$     THEN
+$       CC4DISABLEWARNINGS = "DOLLARID"
+$     ELSE
+$       CC4DISABLEWARNINGS = CCDISABLEWARNINGS + ",DOLLARID"
+$       CCDISABLEWARNINGS = "/WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))"
+$     ENDIF
+$     CC4DISABLEWARNINGS = "/WARNING=(DISABLE=(" + CC4DISABLEWARNINGS + "))"
+$   ELSE
+$     CCDISABLEWARNINGS = ""
+$     CC4DISABLEWARNINGS = ""
+$   ENDIF
+$   CC2 = CC + "/DEFINE=(" + CCDEFS + ",_POSIX_C_SOURCE)" + CCDISABLEWARNINGS
+$   CC3 = CC + "/DEFINE=(" + CCDEFS + ISSEVEN + ")" + CCDISABLEWARNINGS
+$   CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
+$   IF COMPILER .EQS. "DECC"
+$   THEN
+$     CC4 = CC - CCDISABLEWARNINGS + CC4DISABLEWARNINGS
+$     CC5 = CC3 - CCDISABLEWARNINGS + CC4DISABLEWARNINGS
+$   ELSE
+$     CC4 = CC
+$     CC5 = CC3
+$   ENDIF
+$!
+$!  Show user the result
+$!
+$   WRITE SYS$OUTPUT "Main Compiling Command: ",CC
+$!
+$!  Else The User Entered An Invalid Arguement.
+$!
+$ ELSE
+$!
+$!  Tell The User We Don't Know What They Want.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "The Option ",P4," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "    VAXC  :  To Compile With VAX C."
+$   WRITE SYS$OUTPUT "    DECC  :  To Compile With DEC C."
+$   WRITE SYS$OUTPUT "    GNUC  :  To Compile With GNU C."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Time To EXIT.
+$!
+$   EXIT
+$ ENDIF
+$!
+$! Time to check the contents, and to make sure we get the correct library.
+$!
+$ IF P5.EQS."SOCKETSHR" .OR. P5.EQS."MULTINET" .OR. P5.EQS."UCX"
+$ THEN
+$!
+$!  Check to see if SOCKETSHR was chosen
+$!
+$   IF P5.EQS."SOCKETSHR"
+$   THEN
+$!
+$!    Set the library to use SOCKETSHR
+$!
+$     TCPIP_LIB = "[-.VMS]SOCKETSHR_SHR.OPT/OPT"
+$!
+$!    Done with SOCKETSHR
+$!
+$   ENDIF
+$!
+$!  Check to see if MULTINET was chosen
+$!
+$   IF P5.EQS."MULTINET"
+$   THEN
+$!
+$!    Set the library to use UCX emulation.
+$!
+$     P5 = "UCX"
+$!
+$!    Done with MULTINET
+$!
+$   ENDIF
+$!
+$!  Check to see if UCX was chosen
+$!
+$   IF P5.EQS."UCX"
+$   THEN
+$!
+$!    Set the library to use UCX.
+$!
+$     TCPIP_LIB = "[-.VMS]UCX_SHR_DECC.OPT/OPT"
+$     IF F$TRNLNM("UCX$IPC_SHR") .NES. ""
+$     THEN
+$       TCPIP_LIB = "[-.VMS]UCX_SHR_DECC_LOG.OPT/OPT"
+$     ELSE
+$       IF COMPILER .NES. "DECC" .AND. ARCH .EQS. "VAX" THEN -
+          TCPIP_LIB = "[-.VMS]UCX_SHR_VAXC.OPT/OPT"
+$     ENDIF
+$!
+$!    Done with UCX
+$!
+$   ENDIF
+$!
+$!  Print info
+$!
+$   WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB
+$!
+$!  Else The User Entered An Invalid Arguement.
+$!
+$ ELSE
+$!
+$!  Tell The User We Don't Know What They Want.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "The Option ",P5," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "    SOCKETSHR  :  To link with SOCKETSHR TCP/IP library."
+$   WRITE SYS$OUTPUT "    UCX        :  To link with UCX TCP/IP library."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Time To EXIT.
+$!
+$   EXIT
+$!
+$!  Done with TCP/IP libraries
+$!
+$ ENDIF
+$!
+$!  Time To RETURN...
+$!
+$ RETURN
+$!
+$ INITIALISE:
+$!
+$! Save old value of the logical name OPENSSL
+$!
+$ __SAVE_OPENSSL = F$TRNLNM("OPENSSL","LNM$PROCESS_TABLE")
+$!
+$! Save directory information
+$!
+$ __HERE = F$PARSE(F$PARSE("A.;",F$ENVIRONMENT("PROCEDURE"))-"A.;","[]A.;") - "A.;"
+$ __TOP = __HERE - "SSL]"
+$ __INCLUDE = __TOP + "INCLUDE.OPENSSL]"
+$!
+$! Set up the logical name OPENSSL to point at the include directory
+$!
+$ DEFINE OPENSSL/NOLOG '__INCLUDE'
+$!
+$! Done
+$!
+$ RETURN
+$!
+$ CLEANUP:
+$!
+$! Restore the logical name OPENSSL if it had a value
+$!
+$ IF __SAVE_OPENSSL .EQS. ""
+$ THEN
+$   DEASSIGN OPENSSL
+$ ELSE
+$   DEFINE/NOLOG OPENSSL '__SAVE_OPENSSL'
+$ ENDIF
+$!
+$! Done
+$!
+$ RETURN
diff --git a/src/lib/libssl/src/test/VMSca-response.1 b/src/lib/libssl/src/test/VMSca-response.1
new file mode 100644
index 0000000000..8b13789179
--- /dev/null
+++ b/src/lib/libssl/src/test/VMSca-response.1
@@ -0,0 +1 @@
+
diff --git a/src/lib/libssl/src/test/VMSca-response.2 b/src/lib/libssl/src/test/VMSca-response.2
new file mode 100644
index 0000000000..9b48ee4cf9
--- /dev/null
+++ b/src/lib/libssl/src/test/VMSca-response.2
@@ -0,0 +1,2 @@
+y
+y
diff --git a/src/lib/libssl/src/test/bctest b/src/lib/libssl/src/test/bctest
new file mode 100644
index 0000000000..bdb3218f7a
--- /dev/null
+++ b/src/lib/libssl/src/test/bctest
@@ -0,0 +1,111 @@
+#!/bin/sh
+
+# This script is used by test/Makefile.ssl to check whether a sane 'bc'
+# is installed.
+# ('make test_bn' should not try to run 'bc' if it does not exist or if
+# it is a broken 'bc' version that is known to cause trouble.)
+#
+# If 'bc' works, we also test if it knows the 'print' command.
+#
+# In any case, output an appropriate command line for running (or not
+# running) bc.
+
+
+IFS=:
+try_without_dir=true
+# First we try "bc", then "$dir/bc" for each item in $PATH.
+for dir in dummy:$PATH; do
+    if [ "$try_without_dir" = true ]; then
+      # first iteration
+      bc=bc
+      try_without_dir=false
+    else
+      # second and later iterations
+      bc="$dir/bc"
+      if [ ! -f "$bc" ]; then  # '-x' is not available on Ultrix
+        bc=''
+      fi
+    fi
+
+    if [ ! "$bc" = '' ]; then
+        failure=none
+
+
+        # Test for SunOS 5.[78] bc bug
+        "$bc" >tmp.bctest <<\EOF
+obase=16
+ibase=16
+a=AD88C418F31B3FC712D0425001D522B3AE9134FF3A98C13C1FCC1682211195406C1A6C66C6A\
+CEEC1A0EC16950233F77F1C2F2363D56DD71A36C57E0B2511FC4BA8F22D261FE2E9356D99AF57\
+10F3817C0E05BF79C423C3F66FDF321BE8D3F18F625D91B670931C1EF25F28E489BDA1C5422D1\
+C3F6F7A1AD21585746ECC4F10A14A778AF56F08898E965E9909E965E0CB6F85B514150C644759\
+3BE731877B16EA07B552088FF2EA728AC5E0FF3A23EB939304519AB8B60F2C33D6BA0945B66F0\
+4FC3CADF855448B24A9D7640BCF473E
+b=DCE91E7D120B983EA9A104B5A96D634DD644C37657B1C7860B45E6838999B3DCE5A555583C6\
+9209E41F413422954175A06E67FFEF6746DD652F0F48AEFECC3D8CAC13523BDAAD3F5AF4212BD\
+8B3CD64126E1A82E190228020C05B91C8B141F1110086FC2A4C6ED631EBA129D04BB9A19FC53D\
+3ED0E2017D60A68775B75481449
+(a/b)*b + (a%b) - a
+EOF
+        if [ 0 != "`cat tmp.bctest`" ]; then
+            failure=SunOStest
+        fi
+
+
+        if [ "$failure" = none ]; then
+            # Test for SCO bc bug.
+            "$bc" >tmp.bctest <<\EOF
+obase=16
+ibase=16
+-FFDD63BA1A4648F0D804F8A1C66C53F0D2110590E8A3907EC73B4AEC6F15AC177F176F2274D2\
+9DC8022EA0D7DD3ABE9746D2D46DD3EA5B5F6F69DF12877E0AC5E7F5ADFACEE54573F5D256A06\
+11B5D2BC24947724E22AE4EC3FB0C39D9B4694A01AFE5E43B4D99FB9812A0E4A5773D8B254117\
+1239157EC6E3D8D50199 * -FFDD63BA1A4648F0D804F8A1C66C53F0D2110590E8A3907EC73B4\
+AEC6F15AC177F176F2274D29DC8022EA0D7DD3ABE9746D2D46DD3EA5B5F6F69DF12877E0AC5E7\
+F5ADFACEE54573F5D256A0611B5D2BC24947724E22AE4EC3FB0C39D9B4694A01AFE5E43B4D99F\
+B9812A0E4A5773D8B2541171239157EC6E3D8D50199 - FFBACC221682DA464B6D7F123482522\
+02EDAEDCA38C3B69E9B7BBCD6165A9CD8716C4903417F23C09A85B851961F92C217258CEEB866\
+85EFCC5DD131853A02C07A873B8E2AF2E40C6D5ED598CD0E8F35AD49F3C3A17FDB7653E4E2DC4\
+A8D23CC34686EE4AD01F7407A7CD74429AC6D36DBF0CB6A3E302D0E5BDFCD048A3B90C1BE5AA8\
+E16C3D5884F9136B43FF7BB443764153D4AEC176C681B078F4CC53D6EB6AB76285537DDEE7C18\
+8C72441B52EDBDDBC77E02D34E513F2AABF92F44109CAFE8242BD0ECBAC5604A94B02EA44D43C\
+04E9476E6FBC48043916BFA1485C6093603600273C9C33F13114D78064AE42F3DC466C7DA543D\
+89C8D71
+AD534AFBED2FA39EE9F40E20FCF9E2C861024DB98DDCBA1CD118C49CA55EEBC20D6BA51B2271C\
+928B693D6A73F67FEB1B4571448588B46194617D25D910C6A9A130CC963155CF34079CB218A44\
+8A1F57E276D92A33386DDCA3D241DB78C8974ABD71DD05B0FA555709C9910D745185E6FE108E3\
+37F1907D0C56F8BFBF52B9704 % -E557905B56B13441574CAFCE2BD257A750B1A8B2C88D0E36\
+E18EF7C38DAC80D3948E17ED63AFF3B3467866E3B89D09A81B3D16B52F6A3C7134D3C6F5123E9\
+F617E3145BBFBE9AFD0D6E437EA4FF6F04BC67C4F1458B4F0F47B64 - 1C2BBBB19B74E86FD32\
+9E8DB6A8C3B1B9986D57ED5419C2E855F7D5469E35E76334BB42F4C43E3F3A31B9697C171DAC4\
+D97935A7E1A14AD209D6CF811F55C6DB83AA9E6DFECFCD6669DED7171EE22A40C6181615CAF3F\
+5296964
+EOF
+            if [ "0
+0" != "`cat tmp.bctest`" ]; then
+                failure=SCOtest
+            fi
+        fi
+
+
+        if [ "$failure" = none ]; then
+            # bc works; now check if it knows the 'print' command.
+            if [ "OK" = "`echo 'print \"OK\"' | $bc 2>/dev/null`" ]
+            then
+                echo "$bc"
+            else
+                echo "sed 's/print.*//' | $bc"
+            fi
+            exit 0
+        fi
+
+        echo "$bc does not work properly ('$failure' failed).  Looking for another bc ..." >&2
+    fi
+done
+
+echo "No working bc found.  Consider installing GNU bc." >&2
+if [ "$1" = ignore ]; then
+  echo "cat >/dev/null"
+  exit 0
+fi
+exit 1
diff --git a/src/lib/libssl/src/test/maketests.com b/src/lib/libssl/src/test/maketests.com
new file mode 100644
index 0000000000..e4b052e688
--- /dev/null
+++ b/src/lib/libssl/src/test/maketests.com
@@ -0,0 +1,1053 @@
+$!
+$!  MAKETESTS.COM
+$!  Written By:  Robert Byer
+$!               Vice-President
+$!               A-Com Computing, Inc.
+$!               byer@mail.all-net.net
+$!
+$!  Changes by Richard Levitte <richard@levitte.org>
+$!
+$!  This command files compiles and creates all the various different
+$!  "test" programs for the different types of encryption for OpenSSL.
+$!  It was written so it would try to determine what "C" compiler to
+$!  use or you can specify which "C" compiler to use.
+$!
+$!  The test "executeables" will be placed in a directory called
+$!  [.xxx.EXE.TEST] where "xxx" denotes AXP or VAX depending on your machines
+$!  architecture.
+$!
+$!  Specify RSAREF as P1 to compile with the RSAREF library instead of
+$!  the regular one.  If you specify NORSAREF it will compile with the
+$!  regular RSAREF routines.  (Note: If you are in the United States
+$!  you MUST compile with RSAREF unless you have a license from RSA).
+$!
+$!  Note: The RSAREF libraries are NOT INCLUDED and you have to
+$!        download it from "ftp://ftp.rsa.com/rsaref".  You have to
+$!        get the ".tar-Z" file as the ".zip" file dosen't have the
+$!        directory structure stored.  You have to extract the file
+$!        into the [.RSAREF] directory under the root directory as that
+$!        is where the scripts will look for the files.
+$!
+$!  Specify DEBUG or NODEBUG P2 to compile with or without debugger
+$!  information.
+$!
+$!  Specify which compiler at P3 to try to compile under.
+$!
+$!         VAXC  For VAX C.
+$!         DECC  For DEC C.
+$!         GNUC  For GNU C.
+$!
+$!  If you don't speficy a compiler, it will try to determine which
+$!  "C" compiler to use.
+$!
+$!  P4, if defined, sets a TCP/IP library to use, through one of the following
+$!  keywords:
+$!
+$!      UCX             for UCX
+$!      SOCKETSHR       for SOCKETSHR+NETLIB
+$!
+$!  P5, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
+$!
+$!
+$! Define A TCP/IP Library That We Will Need To Link To.
+$! (That is, If Wee Need To Link To One.)
+$!
+$ TCPIP_LIB = ""
+$!
+$! Check Which Architecture We Are Using.
+$!
+$ IF (F$GETSYI("CPU").GE.128) 
+$ THEN
+$!
+$!  The Architecture Is AXP.
+$!
+$   ARCH := AXP
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$!  The Architecture Is VAX.
+$!
+$   ARCH := VAX
+$!
+$! End The Architecture Check.
+$!
+$ ENDIF
+$!
+$! Check To Make Sure We Have Valid Command Line Parameters.
+$!
+$ GOSUB CHECK_OPTIONS
+$!
+$! Initialise logical names and such
+$!
+$ GOSUB INITIALISE
+$!
+$! Tell The User What Kind of Machine We Run On.
+$!
+$ WRITE SYS$OUTPUT "Compiling On A ",ARCH," Machine."
+$!
+$! Define The CRYPTO-LIB We Are To Use.
+$!
+$ CRYPTO_LIB := SYS$DISK:[-.'ARCH'.EXE.CRYPTO]LIBCRYPTO.OLB
+$!
+$! Define The RSAREF-LIB We Are To Use.
+$!
+$ RSAREF_LIB := SYS$DISK:[-.'ARCH'.EXE.RSAREF]LIBRSAGLUE.OLB
+$!
+$! Define The SSL We Are To Use.
+$!
+$ SSL_LIB := SYS$DISK:[-.'ARCH'.EXE.SSL]LIBSSL.OLB
+$!
+$! Define The OBJ Directory.
+$!
+$ OBJ_DIR := SYS$DISK:[-.'ARCH'.OBJ.TEST]
+$!
+$! Check To See If The Architecture Specific OBJ Directory Exists.
+$!
+$ IF (F$PARSE(OBJ_DIR).EQS."")
+$ THEN
+$!
+$!  The EXE Directory Dosen't Exist, So Create It.
+$!
+$   CREATE/DIRECTORY 'OBJ_DIR'
+$!
+$! End The Architecture Specific OBJ Directory Check.
+$!
+$ ENDIF
+$!
+$! Define The EXE Directory.
+$!
+$ EXE_DIR := SYS$DISK:[-.'ARCH'.EXE.TEST]
+$!
+$! Check To See If The Architecture Specific EXE Directory Exists.
+$!
+$ IF (F$PARSE(EXE_DIR).EQS."")
+$ THEN
+$!
+$!  The EXE Directory Dosen't Exist, So Create It.
+$!
+$   CREATE/DIRECTORY 'EXE_DIR'
+$!
+$! End The Architecture Specific EXE Directory Check.
+$!
+$ ENDIF
+$!
+$! Check To See If We Have The Proper Libraries.
+$!
+$ GOSUB LIB_CHECK
+$!
+$! Check To See If We Have A Linker Option File.
+$!
+$ GOSUB CHECK_OPT_FILE
+$!
+$! Define The TEST Files.
+$!
+$ TEST_FILES = "BNTEST,IDEATEST,MD2TEST,MD5TEST,HMACTEST,"+ -
+               "RC2TEST,RC4TEST,RC5TEST,"+ -
+               "DESTEST,SHATEST,SHA1TEST,MDC2TEST,RMDTEST,"+ -
+               "RANDTEST,DHTEST,"+ -
+               "BFTEST,CASTTEST,SSLTEST,EXPTEST,DSATEST,RSA_OAEP_TEST"
+$ TCPIP_PROGRAMS = ",,"
+$ IF COMPILER .EQS. "VAXC" THEN -
+     TCPIP_PROGRAMS = ",SSLTEST,"
+$!
+$!  Define A File Counter And Set It To "0".
+$!
+$ FILE_COUNTER = 0
+$!
+$! Top Of The File Loop.
+$!
+$ NEXT_FILE:
+$!
+$! O.K, Extract The File Name From The File List.
+$!
+$ FILE_NAME = F$ELEMENT(FILE_COUNTER,",",TEST_FILES)
+$!
+$! Check To See If We Are At The End Of The File List.
+$!
+$ IF (FILE_NAME.EQS.",") THEN GOTO FILE_DONE
+$!
+$! Increment The Counter.
+$!
+$ FILE_COUNTER = FILE_COUNTER + 1
+$!
+$! Create The Source File Name.
+$!
+$ SOURCE_FILE = "SYS$DISK:[]" + FILE_NAME + ".C"
+$!
+$! Create The Object File Name.
+$!
+$ OBJECT_FILE = OBJ_DIR + FILE_NAME + ".OBJ"
+$!
+$! Create The Executable File Name.
+$!
+$ EXE_FILE = EXE_DIR + FILE_NAME + ".EXE"
+$ ON WARNING THEN GOTO NEXT_FILE
+$!
+$! Check To See If The File We Want To Compile Actually Exists.
+$!
+$ IF (F$SEARCH(SOURCE_FILE).EQS."")
+$ THEN
+$!
+$!  Tell The User That The File Dosen't Exist.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "The File ",SOURCE_FILE," Dosen't Exist."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Exit The Build.
+$!
+$   GOTO EXIT
+$ ENDIF
+$!
+$! Tell The User What We Are Building.
+$!
+$ WRITE SYS$OUTPUT "Building The ",FILE_NAME," Test Program."
+$!
+$! Compile The File.
+$!
+$ ON ERROR THEN GOTO NEXT_FILE
+$ CC/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
+$ ON WARNING THEN GOTO NEXT_FILE
+$!
+$! Check If What We Are About To Compile Works Without A TCP/IP Library.
+$!
+$ IF ((TCPIP_LIB.EQS."").AND.((TCPIP_PROGRAMS-FILE_NAME).NES.TCPIP_PROGRAMS))
+$ THEN
+$!
+$!  Inform The User That A TCP/IP Library Is Needed To Compile This Program.
+$!
+$   WRITE SYS$OUTPUT FILE_NAME," Needs A TCP/IP Library.  Can't Link.  Skipping..."
+$   GOTO NEXT_FILE
+$!
+$! End The TCP/IP Library Check.
+$!
+$ ENDIF
+$!
+$! Link The Program, Check To See If We Need To Link With RSAREF Or Not.
+$!
+$ IF (RSAREF.EQS."TRUE")
+$ THEN
+$!
+$!  Check To See If We Are To Link With A Specific TCP/IP Library.
+$!
+$   IF (TCPIP_LIB.NES."")
+$   THEN
+$!
+$!    Link With The RSAREF Library And A Specific TCP/IP Library.
+$!
+$     LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
+          'OBJECT_FILE',-
+          'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, -
+          'TCPIP_LIB','OPT_FILE'/OPTION
+$!
+$!  Else...
+$!
+$   ELSE
+$!
+$!    Link With The RSAREF Library And NO TCP/IP Library.
+$!
+$     LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
+          'OBJECT_FILE', -
+          'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, -
+          'OPT_FILE'/OPTION
+$!
+$!  End The TCP/IP Library Check.
+$!
+$   ENDIF
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$!  Don't Link With The RSAREF Routines.
+$!
+$!
+$!  Check To See If We Are To Link With A Specific TCP/IP Library.
+$!
+$   IF (TCPIP_LIB.NES."")
+$   THEN
+$!
+$!    Don't Link With The RSAREF Routines And TCP/IP Library.
+$!
+$   LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
+        'OBJECT_FILE', -
+        'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
+        'TCPIP_LIB','OPT_FILE'/OPTION
+$!
+$!  Else...
+$!
+$   ELSE
+$!
+$!    Don't Link With The RSAREF Routines And Link With A TCP/IP Library.
+$!
+$   LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
+        'OBJECT_FILE', -
+        'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
+        'OPT_FILE'/OPTION
+$!
+$!  End The TCP/IP Library Check.
+$!
+$   ENDIF
+$!
+$! End The RSAREF Link Check.
+$!
+$ ENDIF 
+$!
+$! Go Back And Do It Again.
+$!
+$ GOTO NEXT_FILE
+$!
+$! All Done With This Library Part.
+$!
+$ FILE_DONE:
+$!
+$! All Done, Time To Exit.
+$!
+$ EXIT:
+$ GOSUB CLEANUP
+$ EXIT
+$!
+$! Check For The Link Option FIle.
+$!
+$ CHECK_OPT_FILE:
+$!
+$! Check To See If We Need To Make A VAX C Option File.
+$!
+$ IF (COMPILER.EQS."VAXC")
+$ THEN
+$!
+$!  Check To See If We Already Have A VAX C Linker Option File.
+$!
+$   IF (F$SEARCH(OPT_FILE).EQS."")
+$   THEN
+$!
+$!    We Need A VAX C Linker Option File.
+$!
+$     CREATE 'OPT_FILE'
+$DECK
+!
+! Default System Options File To Link Agianst 
+! The Sharable VAX C Runtime Library.
+!
+SYS$SHARE:VAXCRTL.EXE/SHARE
+$EOD
+$!
+$!  End The Option File Check.
+$!
+$   ENDIF
+$!
+$! End The VAXC Check.
+$!
+$ ENDIF
+$!
+$! Check To See If We Need A GNU C Option File.
+$!
+$ IF (COMPILER.EQS."GNUC")
+$ THEN
+$!
+$!  Check To See If We Already Have A GNU C Linker Option File.
+$!
+$   IF (F$SEARCH(OPT_FILE).EQS."")
+$   THEN
+$!
+$!    We Need A GNU C Linker Option File.
+$!
+$     CREATE 'OPT_FILE'
+$DECK
+!
+! Default System Options File To Link Agianst 
+! The Sharable C Runtime Library.
+!
+GNU_CC:[000000]GCCLIB/LIBRARY
+SYS$SHARE:VAXCRTL/SHARE
+$EOD
+$!
+$!  End The Option File Check.
+$!
+$   ENDIF
+$!
+$! End The GNU C Check.
+$!
+$ ENDIF
+$!
+$! Check To See If We Need A DEC C Option File.
+$!
+$ IF (COMPILER.EQS."DECC")
+$ THEN
+$!
+$!  Check To See If We Already Have A DEC C Linker Option File.
+$!
+$   IF (F$SEARCH(OPT_FILE).EQS."")
+$   THEN
+$!
+$!    Figure Out If We Need An AXP Or A VAX Linker Option File.
+$!
+$     IF (ARCH.EQS."VAX")
+$     THEN
+$!
+$!      We Need A DEC C Linker Option File For VAX.
+$!
+$       CREATE 'OPT_FILE'
+$DECK
+!
+! Default System Options File To Link Agianst 
+! The Sharable DEC C Runtime Library.
+!
+SYS$SHARE:DECC$SHR.EXE/SHARE
+$EOD
+$!
+$!    Else...
+$!
+$     ELSE
+$!
+$!      Create The AXP Linker Option File.
+$!
+$       CREATE 'OPT_FILE'
+$DECK
+!
+! Default System Options File For AXP To Link Agianst 
+! The Sharable C Runtime Library.
+!
+SYS$SHARE:CMA$OPEN_LIB_SHR/SHARE
+SYS$SHARE:CMA$OPEN_RTL/SHARE
+$EOD
+$!
+$!    End The VAX/AXP DEC C Option File Check.
+$!
+$     ENDIF
+$!
+$!  End The Option File Search.
+$!
+$   ENDIF
+$!
+$! End The DEC C Check.
+$!
+$ ENDIF
+$!
+$!  Tell The User What Linker Option File We Are Using.
+$!
+$ WRITE SYS$OUTPUT "Using Linker Option File ",OPT_FILE,"."     
+$!
+$! Time To RETURN.
+$!
+$ RETURN
+$!
+$! Check To See If We Have The Appropiate Libraries.
+$!
+$ LIB_CHECK:
+$!
+$! Look For The Library LIBCRYPTO.OLB.
+$!
+$ IF (F$SEARCH(CRYPTO_LIB).EQS."")
+$ THEN
+$!
+$!  Tell The User We Can't Find The LIBCRYPTO.OLB Library.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "Can't Find The Library ",CRYPTO_LIB,"."
+$   WRITE SYS$OUTPUT "We Can't Link Without It."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Since We Can't Link Without It, Exit.
+$!
+$   EXIT
+$!
+$! End The Crypto Library Check.
+$!
+$ ENDIF
+$!
+$! See If We Need The RSAREF Library...
+$!
+$ IF (RSAREF.EQS."TRUE")
+$ THEN
+$!
+$!  Look For The Library LIBRSAGLUE.OLB.
+$!
+$   IF (F$SEARCH(RSAREF_LIB).EQS."")
+$   THEN
+$!
+$!    Tell The User We Can't Find The LIBRSAGLUE.OLB Library.
+$!
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "Can't Find The Library ",RSAREF_LIB,"."
+$     WRITE SYS$OUTPUT "We Can't Link Without It."
+$     WRITE SYS$OUTPUT ""
+$!
+$!    Since We Can't Link Without It, Exit.
+$!
+$     EXIT
+$   ENDIF
+$!
+$! End The RSAREF Library Check.
+$!
+$ ENDIF
+$!
+$! Look For The Library LIBSSL.OLB.
+$!
+$ IF (F$SEARCH(SSL_LIB).EQS."")
+$ THEN
+$!
+$!  Tell The User We Can't Find The LIBSSL.OLB Library.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "Can't Find The Library ",SSL_LIB,"."
+$   WRITE SYS$OUTPUT "Some Of The Test Programs Need To Link To It."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Since We Can't Link Without It, Exit.
+$!
+$   EXIT
+$!
+$! End The SSL Library Check.
+$!
+$ ENDIF
+$!
+$! Time To Return.
+$!
+$ RETURN
+$!
+$! Check The User's Options.
+$!
+$ CHECK_OPTIONS:
+$!
+$! Check To See If P1 Is Blank.
+$!
+$ IF (P1.EQS."NORSAREF")
+$ THEN
+$!
+$!   P1 Is NORSAREF, So Compile With The Regular RSA Libraries.
+$!
+$    RSAREF = "FALSE"
+$ ELSE
+$!
+$!  Check To See If We Are To Use The RSAREF Library.
+$!
+$   IF (P1.EQS."RSAREF")
+$   THEN
+$!
+$!    Check To Make Sure We Have The RSAREF Source Code Directory.
+$!
+$     IF (F$SEARCH("SYS$DISK:[-.RSAREF]SOURCE.DIR").EQS."")
+$     THEN
+$!
+$!      We Don't Have The RSAREF Souce Code Directory, So Tell The
+$!      User This.
+$!
+$       WRITE SYS$OUTPUT ""
+$       WRITE SYS$OUTPUT "It appears that you don't have the RSAREF Souce Code."
+$       WRITE SYS$OUTPUT "You need to go to 'ftp://ftp.rsa.com/rsaref'.  You have to"
+$       WRITE SYS$OUTPUT "get the '.tar-Z' file as the '.zip' file dosen't have the"
+$       WRITE SYS$OUTPUT "directory structure stored.  You have to extract the file"
+$       WRITE SYS$OUTPUT "into the [.RSAREF] directory under the root directory"
+$       WRITE SYS$OUTPUT "as that is where the scripts will look for the files."
+$       WRITE SYS$OUTPUT ""
+$!
+$!      Time To Exit.
+$!
+$       EXIT
+$!
+$!    Else, Compile Using The RSAREF Library.
+$!
+$     ELSE
+$       RSAREF = "TRUE"
+$     ENDIF
+$   ELSE 
+$!
+$!    They Entered An Invalid Option..
+$!
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "The Option ",P1," Is Invalid.  The Valid Options Are:"
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "     RSAREF   :  Compile With The RSAREF Library."
+$     WRITE SYS$OUTPUT "     NORSAREF :  Compile With The Regular RSA Library."
+$     WRITE SYS$OUTPUT ""
+$!
+$!    Time To EXIT.
+$!
+$     EXIT
+$!
+$!  End The Valid Arguement Check.
+$!
+$   ENDIF
+$!
+$! End The P1 Check.
+$!
+$ ENDIF
+$!
+$! Check To See If P2 Is Blank.
+$!
+$ IF (P2.EQS."NODEBUG")
+$ THEN
+$!
+$!   P2 Is NODEBUG, So Compile Without Debugger Information.
+$!
+$    DEBUGGER  = "NODEBUG"
+$    TRACEBACK = "NOTRACEBACK" 
+$    GCC_OPTIMIZE = "OPTIMIZE"
+$    CC_OPTIMIZE = "OPTIMIZE"
+$    WRITE SYS$OUTPUT "No Debugger Information Will Be Produced During Compile."
+$    WRITE SYS$OUTPUT "Compiling With Compiler Optimization."
+$!
+$! Else...
+$!
+$ ELSE
+$!
+$!  Check To See If We Are To Compile With Debugger Information.
+$!
+$   IF (P2.EQS."DEBUG")
+$   THEN
+$!
+$!    Compile With Debugger Information.
+$!
+$     DEBUGGER  = "DEBUG"
+$     TRACEBACK = "TRACEBACK"
+$     GCC_OPTIMIZE = "NOOPTIMIZE"
+$     CC_OPTIMIZE = "NOOPTIMIZE"
+$     WRITE SYS$OUTPUT "Debugger Information Will Be Produced During Compile."
+$     WRITE SYS$OUTPUT "Compiling Without Compiler Optimization."
+$!
+$!  Else...
+$!
+$   ELSE
+$!
+$!    Tell The User Entered An Invalid Option..
+$!
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "    DEBUG    :  Compile With The Debugger Information."
+$     WRITE SYS$OUTPUT "    NODEBUG  :  Compile Without The Debugger Information."
+$     WRITE SYS$OUTPUT ""
+$!
+$!    Time To EXIT.
+$!
+$     EXIT
+$!
+$!  End The Valid Arguement Check.
+$!
+$   ENDIF
+$!
+$! End The P3 Check.
+$!
+$ ENDIF
+$!
+$! Check To See If P3 Is Blank.
+$!
+$ IF (P3.EQS."")
+$ THEN
+$!
+$!  O.K., The User Didn't Specify A Compiler, Let's Try To
+$!  Find Out Which One To Use.
+$!
+$!  Check To See If We Have GNU C.
+$!
+$   IF (F$TRNLNM("GNU_CC").NES."")
+$   THEN
+$!
+$!    Looks Like GNUC, Set To Use GNUC.
+$!
+$     P3 = "GNUC"
+$!
+$!  End The GNU C Compiler Check.
+$!
+$   ELSE
+$!
+$!  Check To See If We Have VAXC Or DECC.
+$!
+$     IF (ARCH.EQS."AXP").OR.(F$TRNLNM("DECC$CC_DEFAULT").NES."")
+$     THEN 
+$!
+$!      Looks Like DECC, Set To Use DECC.
+$!
+$       P3 = "DECC"
+$!
+$!      Else...
+$!
+$     ELSE
+$!
+$!      Looks Like VAXC, Set To Use VAXC.
+$!
+$       P3 = "VAXC"
+$!
+$!    End The VAXC Compiler Check.
+$!
+$     ENDIF
+$!
+$!  End The DECC & VAXC Compiler Check.
+$!
+$   ENDIF
+$!
+$!  End The Compiler Check.
+$!
+$ ENDIF
+$!
+$! Check To See If We Have A Option For P4.
+$!
+$ IF (P4.EQS."")
+$ THEN
+$!
+$!  Find out what socket library we have available
+$!
+$   IF F$PARSE("SOCKETSHR:") .NES. ""
+$   THEN
+$!
+$!    We have SOCKETSHR, and it is my opinion that it's the best to use.
+$!
+$     P4 = "SOCKETSHR"
+$!
+$!    Tell the user
+$!
+$     WRITE SYS$OUTPUT "Using SOCKETSHR for TCP/IP"
+$!
+$!    Else, let's look for something else
+$!
+$   ELSE
+$!
+$!    Like UCX (the reason to do this before Multinet is that the UCX
+$!    emulation is easier to use...)
+$!
+$     IF F$TRNLNM("UCX$IPC_SHR") .NES. "" -
+         .OR. F$PARSE("SYS$SHARE:UCX$IPC_SHR.EXE") .NES. "" -
+         .OR. F$PARSE("SYS$LIBRARY:UCX$IPC.OLB") .NES. ""
+$     THEN
+$!
+$!      Last resort: a UCX or UCX-compatible library
+$!
+$       P4 = "UCX"
+$!
+$!      Tell the user
+$!
+$       WRITE SYS$OUTPUT "Using UCX or an emulation thereof for TCP/IP"
+$!
+$!      That was all...
+$!
+$     ENDIF
+$   ENDIF
+$ ENDIF
+$!
+$! Set Up Initial CC Definitions, Possibly With User Ones
+$!
+$ CCDEFS = "VMS=1,TCPIP_TYPE_''P4'"
+$ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
+$ CCEXTRAFLAGS = ""
+$ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
+$ CCDISABLEWARNINGS = ""
+$ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
+        CCDISABLEWARNINGS = USER_CCDISABLEWARNINGS
+$!
+$!  Check To See If The User Entered A Valid Paramter.
+$!
+$ IF (P3.EQS."VAXC").OR.(P3.EQS."DECC").OR.(P3.EQS."GNUC")
+$ THEN
+$!
+$!  Check To See If The User Wanted DECC.
+$!
+$   IF (P3.EQS."DECC")
+$   THEN
+$!
+$!    Looks Like DECC, Set To Use DECC.
+$!
+$     COMPILER = "DECC"
+$!
+$!    Tell The User We Are Using DECC.
+$!
+$     WRITE SYS$OUTPUT "Using DECC 'C' Compiler."
+$!
+$!    Use DECC...
+$!
+$     CC = "CC"
+$     IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" -
+         THEN CC = "CC/DECC"
+$     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + -
+           "/NOLIST/PREFIX=ALL" + CCEXTRAFLAGS
+$!
+$!    Define The Linker Options File Name.
+$!
+$     OPT_FILE = "SYS$DISK:[]VAX_DECC_OPTIONS.OPT"
+$!
+$!  End DECC Check.
+$!
+$   ENDIF
+$!
+$!  Check To See If We Are To Use VAXC.
+$!
+$   IF (P3.EQS."VAXC")
+$   THEN
+$!
+$!    Looks Like VAXC, Set To Use VAXC.
+$!
+$     COMPILER = "VAXC"
+$!
+$!    Tell The User We Are Using VAX C.
+$!
+$     WRITE SYS$OUTPUT "Using VAXC 'C' Compiler."
+$!
+$!    Compile Using VAXC.
+$!
+$     CC = "CC"
+$     IF ARCH.EQS."AXP"
+$     THEN
+$       WRITE SYS$OUTPUT "There is no VAX C on Alpha!"
+$       EXIT
+$     ENDIF
+$     IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC"
+$     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST" + CCEXTRAFLAGS
+$     CCDEFS = CCDEFS + ",""VAXC"""
+$!
+$!    Define <sys> As SYS$COMMON:[SYSLIB]
+$!
+$     DEFINE/NOLOG SYS SYS$COMMON:[SYSLIB]
+$!
+$!    Define The Linker Options File Name.
+$!
+$     OPT_FILE = "SYS$DISK:[]VAX_VAXC_OPTIONS.OPT"
+$!
+$!  End VAXC Check
+$!
+$   ENDIF
+$!
+$!  Check To See If We Are To Use GNU C.
+$!
+$   IF (P3.EQS."GNUC")
+$   THEN
+$!
+$!    Looks Like GNUC, Set To Use GNUC.
+$!
+$     COMPILER = "GNUC"
+$!
+$!    Tell The User We Are Using GNUC.
+$!
+$     WRITE SYS$OUTPUT "Using GNU 'C' Compiler."
+$!
+$!    Use GNU C...
+$!
+$     CC = "GCC/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + CCEXTRAFLAGS
+$!
+$!    Define The Linker Options File Name.
+$!
+$     OPT_FILE = "SYS$DISK:[]VAX_GNUC_OPTIONS.OPT"
+$!
+$!  End The GNU C Check.
+$!
+$   ENDIF
+$!
+$!  Set up default defines
+$!
+$   CCDEFS = """FLAT_INC=1""," + CCDEFS
+$!
+$!  Check To See If We Are To Compile With RSAREF Routines.
+$!
+$   IF (RSAREF.EQS."TRUE")
+$   THEN
+$!
+$!    Compile With RSAREF.
+$!
+$     CCDEFS = CCDEFS + ",""RSAref=1"""
+$!
+$!    Tell The User This.
+$!
+$     WRITE SYS$OUTPUT "Compiling With RSAREF Routines."
+$!
+$!    Else, We Don't Care.  Compile Without The RSAREF Library.
+$!
+$   ELSE
+$!
+$!    Tell The User We Are Compile Without The RSAREF Routines.
+$!
+$     WRITE SYS$OUTPUT "Compiling Without The RSAREF Routines.
+$!
+$!  End The RSAREF Check.
+$!
+$   ENDIF
+$!
+$!  Finish up the definition of CC.
+$!
+$   IF COMPILER .EQS. "DECC"
+$   THEN
+$     IF CCDISABLEWARNINGS .EQS. ""
+$     THEN
+$       CC4DISABLEWARNINGS = "DOLLARID"
+$     ELSE
+$       CC4DISABLEWARNINGS = CCDISABLEWARNINGS + ",DOLLARID"
+$       CCDISABLEWARNINGS = "/WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))"
+$     ENDIF
+$     CC4DISABLEWARNINGS = "/WARNING=(DISABLE=(" + CC4DISABLEWARNINGS + "))"
+$   ELSE
+$     CCDISABLEWARNINGS = ""
+$     CC4DISABLEWARNINGS = ""
+$   ENDIF
+$   CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
+$!
+$!  Show user the result
+$!
+$   WRITE SYS$OUTPUT "Main Compiling Command: ",CC
+$!
+$!  Else The User Entered An Invalid Arguement.
+$!
+$ ELSE
+$!
+$!  Tell The User We Don't Know What They Want.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "The Option ",P3," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "    VAXC  :  To Compile With VAX C."
+$   WRITE SYS$OUTPUT "    DECC  :  To Compile With DEC C."
+$   WRITE SYS$OUTPUT "    GNUC  :  To Compile With GNU C."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Time To EXIT.
+$!
+$   EXIT
+$ ENDIF
+$!
+$! Time to check the contents, and to make sure we get the correct library.
+$!
+$ IF P4.EQS."SOCKETSHR" .OR. P4.EQS."MULTINET" .OR. P4.EQS."UCX"
+$ THEN
+$!
+$!  Check to see if SOCKETSHR was chosen
+$!
+$   IF P4.EQS."SOCKETSHR"
+$   THEN
+$!
+$!    Set the library to use SOCKETSHR
+$!
+$     TCPIP_LIB = "[-.VMS]SOCKETSHR_SHR.OPT/OPT"
+$!
+$!    Done with SOCKETSHR
+$!
+$   ENDIF
+$!
+$!  Check to see if MULTINET was chosen
+$!
+$   IF P4.EQS."MULTINET"
+$   THEN
+$!
+$!    Set the library to use UXC emulation.
+$!
+$     P4 = "UCX"
+$!
+$!    Done with MULTINET
+$!
+$   ENDIF
+$!
+$!  Check to see if UCX was chosen
+$!
+$   IF P4.EQS."UCX"
+$   THEN
+$!
+$!    Set the library to use UCX.
+$!
+$     TCPIP_LIB = "[-.VMS]UCX_SHR_DECC.OPT/OPT"
+$     IF F$TRNLNM("UCX$IPC_SHR") .NES. ""
+$     THEN
+$       TCPIP_LIB = "[-.VMS]UCX_SHR_DECC_LOG.OPT/OPT"
+$     ELSE
+$       IF COMPILER .NES. "DECC" .AND. ARCH .EQS. "VAX" THEN -
+          TCPIP_LIB = "[-.VMS]UCX_SHR_VAXC.OPT/OPT"
+$     ENDIF
+$!
+$!    Done with UCX
+$!
+$   ENDIF
+$!
+$!  Print info
+$!
+$   WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB
+$!
+$!  Else The User Entered An Invalid Arguement.
+$!
+$ ELSE
+$!
+$!  Tell The User We Don't Know What They Want.
+$!
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "The Option ",P4," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT ""
+$   WRITE SYS$OUTPUT "    SOCKETSHR  :  To link with SOCKETSHR TCP/IP library."
+$   WRITE SYS$OUTPUT "    UCX        :  To link with UCX TCP/IP library."
+$   WRITE SYS$OUTPUT ""
+$!
+$!  Time To EXIT.
+$!
+$   EXIT
+$!
+$!  Done with TCP/IP libraries
+$!
+$ ENDIF
+$!
+$! Special Threads For OpenVMS v7.1 Or Later
+$!
+$! Written By:  Richard Levitte
+$!              richard@levitte.org
+$!
+$!
+$! Check To See If We Have A Option For P5.
+$!
+$ IF (P5.EQS."")
+$ THEN
+$!
+$!  Get The Version Of VMS We Are Using.
+$!
+$   ISSEVEN :=
+$   TMP = F$ELEMENT(0,"-",F$EXTRACT(1,4,F$GETSYI("VERSION")))
+$   TMP = F$INTEGER(F$ELEMENT(0,".",TMP)+F$ELEMENT(1,".",TMP))
+$!
+$!  Check To See If The VMS Version Is v7.1 Or Later.
+$!
+$   IF (TMP.GE.71)
+$   THEN
+$!
+$!    We Have OpenVMS v7.1 Or Later, So Use The Special Threads.
+$!
+$     ISSEVEN := ,PTHREAD_USE_D4
+$!
+$!  End The VMS Version Check.
+$!
+$   ENDIF
+$!
+$! End The P5 Check.
+$!
+$ ENDIF
+$!
+$!  Time To RETURN...
+$!
+$ RETURN
+$!
+$ INITIALISE:
+$!
+$! Save old value of the logical name OPENSSL
+$!
+$ __SAVE_OPENSSL = F$TRNLNM("OPENSSL","LNM$PROCESS_TABLE")
+$!
+$! Save directory information
+$!
+$ __HERE = F$PARSE(F$PARSE("A.;",F$ENVIRONMENT("PROCEDURE"))-"A.;","[]A.;") - "A.;"
+$ __TOP = __HERE - "TEST]"
+$ __INCLUDE = __TOP + "INCLUDE.OPENSSL]"
+$!
+$! Set up the logical name OPENSSL to point at the include directory
+$!
+$ DEFINE OPENSSL/NOLOG '__INCLUDE'
+$!
+$! Done
+$!
+$ RETURN
+$!
+$ CLEANUP:
+$!
+$! Restore the logical name OPENSSL if it had a value
+$!
+$ IF __SAVE_OPENSSL .EQS. ""
+$ THEN
+$   DEASSIGN OPENSSL
+$ ELSE
+$   DEFINE/NOLOG OPENSSL '__SAVE_OPENSSL'
+$ ENDIF
+$!
+$! Done
+$!
+$ RETURN
diff --git a/src/lib/libssl/src/test/tcrl.com b/src/lib/libssl/src/test/tcrl.com
new file mode 100644
index 0000000000..cef21467bb
--- /dev/null
+++ b/src/lib/libssl/src/test/tcrl.com
@@ -0,0 +1,78 @@
+$! TCRL.COM  --  Tests crl keys
+$
+$       __arch := VAX
+$       if f$getsyi("cpu") .ge. 128 then __arch := AXP
+$       exe_dir := sys$disk:[-.'__arch'.exe.apps]
+$
+$       cmd := mcr 'exe_dir'openssl crl
+$
+$       t := testcrl.pem
+$       if p1 .nes. "" then t = p1
+$
+$       write sys$output "testing CRL conversions"
+$       copy 't' fff.p
+$
+$       write sys$output "p -> d"
+$       'cmd' -in fff.p -inform p -outform d -out f.d
+$       if $severity .ne. 1 then exit 3
+$!      write sys$output "p -> t"
+$!      'cmd' -in fff.p -inform p -outform t -out f.t
+$!      if $severity .ne. 1 then exit 3
+$       write sys$output "p -> p"
+$       'cmd' -in fff.p -inform p -outform p -out f.p
+$       if $severity .ne. 1 then exit 3
+$
+$       write sys$output "d -> d"
+$       'cmd' -in f.d -inform d -outform d -out ff.d1
+$       if $severity .ne. 1 then exit 3
+$!      write sys$output "t -> d"
+$!      'cmd' -in f.t -inform t -outform d -out ff.d2
+$!      if $severity .ne. 1 then exit 3
+$       write sys$output "p -> d"
+$       'cmd' -in f.p -inform p -outform d -out ff.d3
+$       if $severity .ne. 1 then exit 3
+$
+$!      write sys$output "d -> t"
+$!      'cmd' -in f.d -inform d -outform t -out ff.t1
+$!      if $severity .ne. 1 then exit 3
+$!      write sys$output "t -> t"
+$!      'cmd' -in f.t -inform t -outform t -out ff.t2
+$!      if $severity .ne. 1 then exit 3
+$!      write sys$output "p -> t"
+$!      'cmd' -in f.p -inform p -outform t -out ff.t3
+$!      if $severity .ne. 1 then exit 3
+$
+$       write sys$output "d -> p"
+$       'cmd' -in f.d -inform d -outform p -out ff.p1
+$       if $severity .ne. 1 then exit 3
+$!      write sys$output "t -> p"
+$!      'cmd' -in f.t -inform t -outform p -out ff.p2
+$!      if $severity .ne. 1 then exit 3
+$       write sys$output "p -> p"
+$       'cmd' -in f.p -inform p -outform p -out ff.p3
+$       if $severity .ne. 1 then exit 3
+$
+$       difference/output=nl: fff.p f.p
+$       if $severity .ne. 1 then exit 3
+$       difference/output=nl: fff.p ff.p1
+$       if $severity .ne. 1 then exit 3
+$!      difference/output=nl: fff.p ff.p2
+$!      if $severity .ne. 1 then exit 3
+$       difference/output=nl: fff.p ff.p3
+$       if $severity .ne. 1 then exit 3
+$
+$!      difference/output=nl: f.t ff.t1
+$!      if $severity .ne. 1 then exit 3
+$!      difference/output=nl: f.t ff.t2
+$!      if $severity .ne. 1 then exit 3
+$!      difference/output=nl: f.t ff.t3
+$!      if $severity .ne. 1 then exit 3
+$
+$       difference/output=nl: f.p ff.p1
+$       if $severity .ne. 1 then exit 3
+$!      difference/output=nl: f.p ff.p2
+$!      if $severity .ne. 1 then exit 3
+$       difference/output=nl: f.p ff.p3
+$       if $severity .ne. 1 then exit 3
+$
+$       delete f.*;*,ff.*;*,fff.*;*
diff --git a/src/lib/libssl/src/test/testca.com b/src/lib/libssl/src/test/testca.com
new file mode 100644
index 0000000000..ea75479cd5
--- /dev/null
+++ b/src/lib/libssl/src/test/testca.com
@@ -0,0 +1,76 @@
+$! TESTCA.COM
+$
+$       __arch := VAX
+$       if f$getsyi("cpu") .ge. 128 then __arch := AXP
+$       exe_dir := sys$disk:[-.'__arch'.exe.apps]
+$
+$       openssl := mcr 'exe_dir'openssl
+$
+$       SSLEAY_CONFIG="-config ""CAss.cnf"""
+$
+$       set noon
+$       if f$search("demoCA.dir") .nes. ""
+$       then
+$           call deltree [.demoCA]*.*
+$           set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) demoCA.dir;*
+$           delete demoCA.dir;*
+$       endif
+$       set on
+$       open/read sys$ca_input VMSca-response.1
+$       @[-.apps]CA.com -input sys$ca_input -newca
+$       close sys$ca_input
+$       if $severity .ne. 1 then exit 3
+$
+$
+$       SSLEAY_CONFIG="-config ""Uss.cnf"""
+$       @[-.apps]CA.com -newreq
+$       if $severity .ne. 1 then exit 3
+$
+$
+$       SSLEAY_CONFIG="-config [-.apps]openssl-vms.cnf"
+$       open/read sys$ca_input VMSca-response.2
+$       @[-.apps]CA.com -input sys$ca_input -sign
+$       close sys$ca_input
+$       if $severity .ne. 1 then exit 3
+$
+$
+$       @[-.apps]CA.com -verify newcert.pem
+$       if $severity .ne. 1 then exit 3
+$
+$       set noon
+$       call deltree [.demoCA]*.*
+$       set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) demoCA.dir;*
+$       delete demoCA.dir;*,newcert.pem;*,newreq.pem;*
+$       set on
+$!      #usage: CA -newcert|-newreq|-newca|-sign|-verify
+$
+$       exit
+$
+$ deltree: subroutine ! P1 is a name of a directory
+$       on control_y then goto dt_STOP
+$       on warning then goto dt_exit
+$       _dt_def = f$trnlnm("SYS$DISK")+f$directory()
+$       if f$parse(p1) .eqs. "" then exit
+$       set default 'f$parse(p1,,,"DEVICE")''f$parse(p1,,,"DIRECTORY")'
+$       p1 = f$parse(p1,,,"NAME") + f$parse(p1,,,"TYPE")
+$       _fp = f$parse(".DIR",p1)
+$ dt_loop:
+$       _f = f$search(_fp)
+$       if _f .eqs. "" then goto dt_loopend
+$       call deltree [.'f$parse(_f,,,"NAME")']*.*
+$       goto dt_loop
+$ dt_loopend:
+$       _fp = f$parse(p1,".;*")
+$       if f$search(_fp) .eqs. "" then goto dt_exit
+$       set noon
+$       set file/prot=(S:RWED,O:RWED,G:RWED,W:RWED) '_fp'
+$       set on
+$       delete/nolog '_fp'
+$ dt_exit:
+$       set default '_dt_def'
+$       exit
+$ dt_STOP:
+$       set default '_dt_def'
+$       stop/id=""
+$       exit
+$       endsubroutine
diff --git a/src/lib/libssl/src/test/testenc.com b/src/lib/libssl/src/test/testenc.com
new file mode 100644
index 0000000000..0756e8bada
--- /dev/null
+++ b/src/lib/libssl/src/test/testenc.com
@@ -0,0 +1,50 @@
+$! TESTENC.COM  --  Test encoding and decoding
+$
+$       __arch := VAX
+$       if f$getsyi("cpu") .ge. 128 then __arch := AXP
+$       exe_dir := sys$disk:[-.'__arch'.exe.apps]
+$
+$       testsrc := makefile.ssl
+$       test := p.txt
+$       cmd := mcr 'exe_dir'openssl
+$
+$       copy 'testsrc' 'test'
+$
+$       write sys$output "cat"
+$       'cmd' enc -in 'test' -out 'test'-cipher
+$       'cmd' enc -in 'test'-cipher -out 'test'-clear
+$       difference/output=nl: 'test' 'test'-clear
+$       if $severity .ne. 1 then exit 3
+$       delete 'test'-cipher;*,'test'-clear;*
+$
+$       write sys$output "base64"
+$       'cmd' enc -a -e -in 'test' -out 'test'-cipher
+$       'cmd' enc -a -d -in 'test'-cipher -out 'test'-clear
+$       difference/output=nl: 'test' 'test'-clear
+$       if $severity .ne. 1 then exit 3
+$       delete 'test'-cipher;*,'test'-clear;*
+$
+$       define/user sys$output 'test'-cipher-commands
+$       'cmd' list-cipher-commands
+$       open/read f 'test'-cipher-commands
+$ loop_cipher_commands:
+$       read/end=loop_cipher_commands_end f i
+$       write sys$output i
+$       'cmd' 'i' -bufsize 113 -e -k test -in 'test' -out 'test'-'i'-cipher
+$       'cmd' 'i' -bufsize 157 -d -k test -in 'test'-'i'-cipher -out 'test'-'i'-clear
+$       difference/output=nl: 'test' 'test'-'i'-clear
+$       if $severity .ne. 1 then exit 3
+$       delete 'test'-'i'-cipher;*,'test'-'i'-clear;*
+$
+$       write sys$output i," base64"
+$       'cmd' 'i' -bufsize 113 -a -e -k test -in 'test' -out 'test'-'i'-cipher
+$       'cmd' 'i' -bufsize 157 -a -d -k test -in 'test'-'i'-cipher -out 'test'-'i'-clear
+$       difference/output=nl: 'test' 'test'-'i'-clear
+$       if $severity .ne. 1 then exit 3
+$       delete 'test'-'i'-cipher;*,'test'-'i'-clear;*
+$
+$       goto loop_cipher_commands
+$ loop_cipher_commands_end:
+$       close f
+$       delete 'test'-cipher-commands;*
+$       delete 'test';*
diff --git a/src/lib/libssl/src/test/testgen.com b/src/lib/libssl/src/test/testgen.com
new file mode 100644
index 0000000000..ec302f524a
--- /dev/null
+++ b/src/lib/libssl/src/test/testgen.com
@@ -0,0 +1,35 @@
+$! TETSGEN.COM
+$
+$       __arch := VAX
+$       if f$getsyi("cpu") .ge. 128 then __arch := AXP
+$       exe_dir := sys$disk:[-.'__arch'.exe.apps]
+$
+$       T := testcert
+$       KEY = 512
+$       CA := [-.certs]testca.pem
+$
+$       set noon
+$       if f$search(T+".1;*") .nes. "" then delete 'T'.1;*
+$       if f$search(T+".2;*") .nes. "" then delete 'T'.2;*
+$       if f$search(T+".key;*") .nes. "" then delete 'T'.key;*
+$       set on
+$
+$       write sys$output "generating certificate request"
+$
+$       write sys$output "There should be a 2 sequences of .'s and some +'s."
+$       write sys$output "There should not be more that at most 80 per line"
+$       write sys$output "This could take some time."
+$
+$       mcr 'exe_dir'openssl req -config test.cnf -new -out testreq.pem
+$       if $severity .ne. 1
+$       then
+$           write sys$output "problems creating request"
+$           exit 3
+$       endif
+$
+$       mcr 'exe_dir'openssl req -verify -in testreq.pem -noout
+$       if $severity .ne. 1
+$       then
+$           write sys$output "signature on req is wrong"
+$           exit 3
+$       endif
diff --git a/src/lib/libssl/src/test/tests.com b/src/lib/libssl/src/test/tests.com
new file mode 100644
index 0000000000..147b8aa838
--- /dev/null
+++ b/src/lib/libssl/src/test/tests.com
@@ -0,0 +1,203 @@
+$! TESTS.COM  --  Performs the necessary tests
+$!
+$! P1   tests to be performed.  Empty means all.
+$
+$       __proc = f$element(0,";",f$environment("procedure"))
+$       __here = f$parse(f$parse("A.;",__proc) - "A.;","[]A.;") - "A.;"
+$       __save_default = f$environment("default")
+$       __arch := VAX
+$       if f$getsyi("cpu") .ge. 128 then __arch := AXP
+$       texe_dir := sys$disk:[-.'__arch'.exe.test]
+$       exe_dir := sys$disk:[-.'__arch'.exe.apps]
+$
+$       set default '__here'
+$       on control_y then goto exit
+$       on error then goto exit
+$
+$       if p1 .nes. ""
+$       then
+$           tests = p1
+$       else
+$           tests := -
+        test_des,test_idea,test_sha,test_md5,test_hmac,test_md2,test_mdc2,-
+        test_rc2,test_rc4,test_rc5,test_bf,test_cast,-
+        test_rand,test_bn,test_enc,test_x509,test_rsa,test_crl,test_sid,-
+        test_reqgen,test_req,test_pkcs7,test_verify,test_dh,test_dsa,-
+        test_ss,test_ssl,test_ca
+$       endif
+$       tests = f$edit(tests,"COLLAPSE")
+$
+$       BNTEST :=       bntest
+$       EXPTEST :=      exptest
+$       IDEATEST :=     ideatest
+$       SHATEST :=      shatest
+$       SHA1TEST :=     sha1test
+$       MDC2TEST :=     mdc2test
+$       RMDTEST :=      rmdtest
+$       MD2TEST :=      md2test
+$       MD5TEST :=      md5test
+$       HMACTEST :=     hmactest
+$       RC2TEST :=      rc2test
+$       RC4TEST :=      rc4test
+$       RC5TEST :=      rc5test
+$       BFTEST :=       bftest
+$       CASTTEST :=     casttest
+$       DESTEST :=      destest
+$       RANDTEST :=     randtest
+$       DHTEST :=       dhtest
+$       DSATEST :=      dsatest
+$       METHTEST :=     methtest
+$       SSLTEST :=      ssltest
+$       RSATEST :=      rsa_oaep_test
+$
+$       tests_i = 0
+$ loop_tests:
+$       tests_e = f$element(tests_i,",",tests)
+$       tests_i = tests_i + 1
+$       if tests_e .eqs. "," then goto exit
+$       goto 'tests_e'
+$
+$ test_des:
+$       mcr 'texe_dir''destest'
+$       goto loop_tests
+$ test_idea:
+$       mcr 'texe_dir''ideatest'
+$       goto loop_tests
+$ test_sha:
+$       mcr 'texe_dir''shatest'
+$       mcr 'texe_dir''sha1test'
+$       goto loop_tests
+$ test_mdc2:
+$       mcr 'texe_dir''mdc2test'
+$       goto loop_tests
+$ test_md5:
+$       mcr 'texe_dir''md5test'
+$       goto loop_tests
+$ test_hmac:
+$       mcr 'texe_dir''hmactest'
+$       goto loop_tests
+$ test_md2:
+$       mcr 'texe_dir''md2test'
+$       goto loop_tests
+$ test_rmd:
+$       mcr 'texe_dir''rmdtest'
+$       goto loop_tests
+$ test_bf:
+$       mcr 'texe_dir''bftest'
+$       goto loop_tests
+$ test_cast:
+$       mcr 'texe_dir''casttest'
+$       goto loop_tests
+$ test_rc2:
+$       mcr 'texe_dir''rc2test'
+$       goto loop_tests
+$ test_rc4:
+$       mcr 'texe_dir''rc4test'
+$       goto loop_tests
+$ test_rc5:
+$       mcr 'texe_dir''rc5test'
+$       goto loop_tests
+$ test_rand:
+$       mcr 'texe_dir''randtest'
+$       goto loop_tests
+$ test_enc:
+$       @testenc.com
+$       goto loop_tests
+$ test_x509:
+$       define sys$error nla0:
+$       write sys$output "test normal x509v1 certificate"
+$       @tx509.com
+$       write sys$output "test first x509v3 certificate"
+$       @tx509.com v3-cert1.pem
+$       write sys$output "test second x509v3 certificate"
+$       @tx509.com v3-cert2.pem
+$       deassign sys$error
+$       goto loop_tests
+$ test_rsa:
+$       define sys$error nla0:
+$       @trsa.com
+$       deassign sys$error
+$       mcr 'texe_dir''rsatest'
+$       goto loop_tests
+$ test_crl:
+$       define sys$error nla0:
+$       @tcrl.com
+$       deassign sys$error
+$       goto loop_tests
+$ test_sid:
+$       define sys$error nla0:
+$       @tsid.com
+$       deassign sys$error
+$       goto loop_tests
+$ test_req:
+$       define sys$error nla0:
+$       @treq.com
+$       @treq.com testreq2.pem
+$       deassign sys$error
+$       goto loop_tests
+$ test_pkcs7:
+$       define sys$error nla0:
+$       @tpkcs7.com
+$       @tpkcs7d.com
+$       deassign sys$error
+$       goto loop_tests
+$ test_bn:
+$       write sys$output "starting big number library test, could take a while..."
+$       create bntest-vms.fdl
+FILE
+        ORGANIZATION    sequential
+RECORD
+        FORMAT          stream_lf
+$       create/fdl=bntest-vms.fdl bntest-vms.sh
+$       open/append foo bntest-vms.sh
+$       type/output=foo: sys$input:
+<< __FOO__ bc | awk '{ \
+if ($$0 != "0") {print "error"; exit(1); } \
+if (((NR+1)%64) == 0) print NR+1," tests done"; }'
+$       define/user sys$output bntest-vms.tmp
+$       mcr 'texe_dir''bntest'
+$       copy bntest-vms.tmp foo:
+$       delete bntest-vms.tmp;*
+$       type/output=foo: sys$input:
+__FOO__
+$       close foo
+$       write sys$output "-- copy the [.test]bntest-vms.sh file to a Unix system and run it"
+$       write sys$output "-- through sh or bash to verify that the bignum operations went well."
+$       write sys$output ""
+$       write sys$output "test a^b%c implementations"
+$       mcr 'texe_dir''exptest'
+$       goto loop_tests
+$ test_verify:
+$       write sys$output "The following command should have some OK's and some failures"
+$       write sys$output "There are definitly a few expired certificates"
+$       @tverify.com
+$       goto loop_tests
+$ test_dh:
+$       write sys$output "Generate as set of DH parameters"
+$       mcr 'texe_dir''dhtest'
+$       goto loop_tests
+$ test_dsa:
+$       write sys$output "Generate as set of DSA parameters"
+$       mcr 'texe_dir''dsatest'
+$       goto loop_tests
+$ test_reqgen:
+$       write sys$output "Generate and verify a certificate request"
+$       @testgen.com
+$       goto loop_tests
+$ test_ss:
+$       write sys$output "Generate and certify a test certificate"
+$       @testss.com
+$       goto loop_tests
+$ test_ssl:
+$       write sys$output "test SSL protocol"
+$       @testssl.com
+$       goto loop_tests
+$ test_ca:
+$       write sys$output "Generate and certify a test certificate via the 'ca' program"
+$       @testca.com
+$       goto loop_tests
+$
+$
+$ exit:
+$       set default '__save_default'
+$       exit
diff --git a/src/lib/libssl/src/test/testss.com b/src/lib/libssl/src/test/testss.com
new file mode 100644
index 0000000000..ce2c4b43f6
--- /dev/null
+++ b/src/lib/libssl/src/test/testss.com
@@ -0,0 +1,105 @@
+$! TESTSS.COM
+$
+$       __arch := VAX
+$       if f$getsyi("cpu") .ge. 128 then __arch := AXP
+$       exe_dir := sys$disk:[-.'__arch'.exe.apps]
+$
+$       digest="-mdc2"
+$       reqcmd := mcr 'exe_dir'openssl req
+$       x509cmd := mcr 'exe_dir'openssl x509 'digest'
+$       verifycmd := mcr 'exe_dir'openssl verify
+$       dummycnf := sys$disk:[-.apps]openssl-vms.cnf
+$
+$       CAkey="""keyCA.ss"""
+$       CAcert="""certCA.ss"""
+$       CAreq="""reqCA.ss"""
+$       CAconf="""CAss.cnf"""
+$       CAreq2="""req2CA.ss"""  ! temp
+$
+$       Uconf="""Uss.cnf"""
+$       Ukey="""keyU.ss"""
+$       Ureq="""reqU.ss"""
+$       Ucert="""certU.ss"""
+$
+$       write sys$output ""
+$       write sys$output "make a certificate request using 'req'"
+$       'reqcmd' -config 'CAconf' -out 'CAreq' -keyout 'CAkey' -new ! -out err.ss
+$       if $severity .ne. 1
+$       then
+$               write sys$output "error using 'req' to generate a certificate request"
+$               exit 3
+$       endif
+$       write sys$output ""
+$       write sys$output "convert the certificate request into a self signed certificate using 'x509'"
+$       define /user sys$output err.ss
+$       'x509cmd' "-CAcreateserial" -in 'CAreq' -days 30 -req -out 'CAcert' -signkey 'CAkey'
+$       if $severity .ne. 1
+$       then
+$               write sys$output "error using 'x509' to self sign a certificate request"
+$               exit 3
+$       endif
+$
+$       write sys$output ""
+$       write sys$output "convert a certificate into a certificate request using 'x509'"
+$       define /user sys$output err.ss
+$       'x509cmd' -in 'CAcert' -x509toreq -signkey 'CAkey' -out 'CAreq2'
+$       if $severity .ne. 1
+$       then
+$               write sys$output "error using 'x509' convert a certificate to a certificate request"
+$               exit 3
+$       endif
+$
+$       'reqcmd' -config 'dummycnf' -verify -in 'CAreq' -noout
+$       if $severity .ne. 1
+$       then
+$               write sys$output "first generated request is invalid"
+$               exit 3
+$       endif
+$
+$       'reqcmd' -config 'dummycnf' -verify -in 'CAreq2' -noout
+$       if $severity .ne. 1
+$       then
+$               write sys$output "second generated request is invalid"
+$               exit 3
+$       endif
+$
+$       'verifycmd' "-CAfile" 'CAcert' 'CAcert'
+$       if $severity .ne. 1
+$       then
+$               write sys$output "first generated cert is invalid"
+$               exit 3
+$       endif
+$
+$       write sys$output ""
+$       write sys$output "make another certificate request using 'req'"
+$       define /user sys$output err.ss
+$       'reqcmd' -config 'Uconf' -out 'Ureq' -keyout 'Ukey' -new
+$       if $severity .ne. 1
+$       then
+$               write sys$output "error using 'req' to generate a certificate request"
+$               exit 3
+$       endif
+$
+$       write sys$output ""
+$       write sys$output "sign certificate request with the just created CA via 'x509'"
+$       define /user sys$output err.ss
+$       'x509cmd' "-CAcreateserial" -in 'Ureq' -days 30 -req -out 'Ucert' "-CA" 'CAcert' "-CAkey" 'CAkey'
+$       if $severity .ne. 1
+$       then
+$               write sys$output "error using 'x509' to sign a certificate request"
+$               exit 3
+$       endif
+$
+$       'verifycmd' "-CAfile" 'CAcert' 'Ucert'
+$       write sys$output ""
+$       write sys$output "Certificate details"
+$       'x509cmd' -subject -issuer -startdate -enddate -noout -in 'Ucert'
+$
+$       write sys$output ""
+$       write sys$output "The generated CA certificate is ",CAcert
+$       write sys$output "The generated CA private key is ",CAkey
+$
+$       write sys$output "The generated user certificate is ",Ucert
+$       write sys$output "The generated user private key is ",Ukey
+$
+$       if f$search("err.ss;*") .nes. "" then delete err.ss;*
diff --git a/src/lib/libssl/src/test/testssl.com b/src/lib/libssl/src/test/testssl.com
new file mode 100644
index 0000000000..93a9aef802
--- /dev/null
+++ b/src/lib/libssl/src/test/testssl.com
@@ -0,0 +1,111 @@
+$! TESTSSL.COM
+$
+$       __arch := VAX
+$       if f$getsyi("cpu") .ge. 128 then __arch := AXP
+$       exe_dir := sys$disk:[-.'__arch'.exe.test]
+$
+$       copy/concatenate [-.certs]*.pem certs.tmp
+$
+$       write sys$output "test sslv2"
+$       mcr 'exe_dir'ssltest -ssl2
+$       if $severity .ne. 1 then goto exit3
+$
+$       write sys$output "test sslv2 with server authentication"
+$       mcr 'exe_dir'ssltest -ssl2 -server_auth "-CAfile" certs.tmp
+$       if $severity .ne. 1 then goto exit3
+$
+$       write sys$output "test sslv2 with client authentication"
+$       mcr 'exe_dir'ssltest -ssl2 -client_auth "-CAfile" certs.tmp
+$       if $severity .ne. 1 then goto exit3
+$
+$       write sys$output "test sslv2 with both client and server authentication"
+$       mcr 'exe_dir'ssltest -ssl2 -server_auth -client_auth "-CAfile" certs.tmp
+$       if $severity .ne. 1 then goto exit3
+$
+$       write sys$output "test sslv3"
+$       mcr 'exe_dir'ssltest -ssl3
+$       if $severity .ne. 1 then goto exit3
+$
+$       write sys$output "test sslv3 with server authentication"
+$       mcr 'exe_dir'ssltest -ssl3 -server_auth "-CAfile" certs.tmp
+$       if $severity .ne. 1 then goto exit3
+$
+$       write sys$output "test sslv3 with client authentication"
+$       mcr 'exe_dir'ssltest -ssl3 -client_auth "-CAfile" certs.tmp
+$       if $severity .ne. 1 then goto exit3
+$
+$       write sys$output "test sslv3 with both client and server authentication"
+$       mcr 'exe_dir'ssltest -ssl3 -server_auth -client_auth "-CAfile" certs.tmp
+$       if $severity .ne. 1 then goto exit3
+$
+$       write sys$output "test sslv2/sslv3"
+$       mcr 'exe_dir'ssltest
+$       if $severity .ne. 1 then goto exit3
+$
+$       write sys$output "test sslv2/sslv3 with server authentication"
+$       mcr 'exe_dir'ssltest -server_auth "-CAfile" certs.tmp
+$       if $severity .ne. 1 then goto exit3
+$
+$       write sys$output "test sslv2/sslv3 with client authentication"
+$       mcr 'exe_dir'ssltest -client_auth "-CAfile" certs.tmp
+$       if $severity .ne. 1 then goto exit3
+$
+$       write sys$output "test sslv2/sslv3 with both client and server authentication"
+$       mcr 'exe_dir'ssltest -server_auth -client_auth "-CAfile" certs.tmp
+$       if $severity .ne. 1 then goto exit3
+$
+$       write sys$output "test sslv2 via BIO pair"
+$       mcr 'exe_dir'ssltest -bio_pair -ssl2 
+$       if $severity .ne. 1 then goto exit3
+$
+$       write sys$output "test sslv2 with server authentication via BIO pair"
+$       mcr 'exe_dir'ssltest -bio_pair -ssl2 -server_auth "-CAfile" certs.tmp 
+$       if $severity .ne. 1 then goto exit3
+$
+$       write sys$output "test sslv2 with client authentication via BIO pair"
+$       mcr 'exe_dir'ssltest -bio_pair -ssl2 -client_auth "-CAfile" certs.tmp 
+$       if $severity .ne. 1 then goto exit3
+$
+$       write sys$output "test sslv2 with both client and server authentication via BIO pair"
+$       mcr 'exe_dir'ssltest -bio_pair -ssl2 -server_auth -client_auth "-CAfile" certs.tmp 
+$       if $severity .ne. 1 then goto exit3
+$
+$       write sys$output "test sslv3 via BIO pair"
+$       mcr 'exe_dir'ssltest -bio_pair -ssl3 
+$       if $severity .ne. 1 then goto exit3
+$
+$       write sys$output "test sslv3 with server authentication via BIO pair"
+$       mcr 'exe_dir'ssltest -bio_pair -ssl3 -server_auth "-CAfile" certs.tmp 
+$       if $severity .ne. 1 then goto exit3
+$
+$       write sys$output "test sslv3 with client authentication via BIO pair"
+$       mcr 'exe_dir'ssltest -bio_pair -ssl3 -client_auth "-CAfile" certs.tmp 
+$       if $severity .ne. 1 then goto exit3
+ 
+$       write sys$output "test sslv3 with both client and server authentication via BIO pair"
+$       mcr 'exe_dir'ssltest -bio_pair -ssl3 -server_auth -client_auth "-CAfile" certs.tmp 
+$       if $severity .ne. 1 then goto exit3
+$
+$       write sys$output "test sslv2/sslv3 via BIO pair"
+$       mcr 'exe_dir'ssltest 
+$       if $severity .ne. 1 then goto exit3
+$
+$       write sys$output "test sslv2/sslv3 with server authentication"
+$       mcr 'exe_dir'ssltest -bio_pair -server_auth "-CAfile" certs.tmp 
+$       if $severity .ne. 1 then goto exit3
+$
+$       write sys$output "test sslv2/sslv3 with client authentication via BIO pair"
+$       mcr 'exe_dir'ssltest -bio_pair -client_auth "-CAfile" certs.tmp 
+$       if $severity .ne. 1 then goto exit3
+$
+$       write sys$output "test sslv2/sslv3 with both client and server authentication via BIO pair"
+$       mcr 'exe_dir'ssltest -bio_pair -server_auth -client_auth "-CAfile" certs.tmp 
+$       if $severity .ne. 1 then goto exit3
+$
+$       RET = 1
+$       goto exit
+$ exit3:
+$       RET = 3
+$ exit:
+$       delete certs.tmp;*
+$       exit 'RET'
diff --git a/src/lib/libssl/src/test/tpkcs7.com b/src/lib/libssl/src/test/tpkcs7.com
new file mode 100644
index 0000000000..5ed920ac34
--- /dev/null
+++ b/src/lib/libssl/src/test/tpkcs7.com
@@ -0,0 +1,49 @@
+$! TPKCS7.COM  --  Tests pkcs7 keys
+$
+$       __arch := VAX
+$       if f$getsyi("cpu") .ge. 128 then __arch := AXP
+$       exe_dir := sys$disk:[-.'__arch'.exe.apps]
+$
+$       cmd := mcr 'exe_dir'openssl pkcs7
+$
+$       t := testp7.pem
+$       if p1 .nes. "" then t = p1
+$
+$       write sys$output "testing PKCS7 conversions"
+$       copy 't' fff.p
+$
+$       write sys$output "p -> d"
+$       'cmd' -in fff.p -inform p -outform d -out f.d
+$       if $severity .ne. 1 then exit 3
+$       write sys$output "p -> p"
+$       'cmd' -in fff.p -inform p -outform p -out f.p
+$       if $severity .ne. 1 then exit 3
+$
+$       write sys$output "d -> d"
+$       'cmd' -in f.d -inform d -outform d -out ff.d1
+$       if $severity .ne. 1 then exit 3
+$       write sys$output "p -> d"
+$       'cmd' -in f.p -inform p -outform d -out ff.d3
+$       if $severity .ne. 1 then exit 3
+$
+$
+$       write sys$output "d -> p"
+$       'cmd' -in f.d -inform d -outform p -out ff.p1
+$       if $severity .ne. 1 then exit 3
+$       write sys$output "p -> p"
+$       'cmd' -in f.p -inform p -outform p -out ff.p3
+$       if $severity .ne. 1 then exit 3
+$
+$       difference/output=nl: fff.p f.p
+$       if $severity .ne. 1 then exit 3
+$       difference/output=nl: fff.p ff.p1
+$       if $severity .ne. 1 then exit 3
+$       difference/output=nl: fff.p ff.p3
+$       if $severity .ne. 1 then exit 3
+$
+$       difference/output=nl: f.p ff.p1
+$       if $severity .ne. 1 then exit 3
+$       difference/output=nl: f.p ff.p3
+$       if $severity .ne. 1 then exit 3
+$
+$       delete f.*;*,ff.*;*,fff.*;*
diff --git a/src/lib/libssl/src/test/tpkcs7d.com b/src/lib/libssl/src/test/tpkcs7d.com
new file mode 100644
index 0000000000..08d33eaa69
--- /dev/null
+++ b/src/lib/libssl/src/test/tpkcs7d.com
@@ -0,0 +1,42 @@
+$! TPKCS7.COM  --  Tests pkcs7 keys
+$
+$       __arch := VAX
+$       if f$getsyi("cpu") .ge. 128 then __arch := AXP
+$       exe_dir := sys$disk:[-.'__arch'.exe.apps]
+$
+$       cmd := mcr 'exe_dir'openssl pkcs7
+$
+$       t := pkcs7-1.pem
+$       if p1 .nes. "" then t = p1
+$
+$       write sys$output "testing PKCS7 conversions (2)"
+$       copy 't' fff.p
+$
+$       write sys$output "p -> d"
+$       'cmd' -in fff.p -inform p -outform d -out f.d
+$       if $severity .ne. 1 then exit 3
+$       write sys$output "p -> p"
+$       'cmd' -in fff.p -inform p -outform p -out f.p
+$       if $severity .ne. 1 then exit 3
+$
+$       write sys$output "d -> d"
+$       'cmd' -in f.d -inform d -outform d -out ff.d1
+$       if $severity .ne. 1 then exit 3
+$       write sys$output "p -> d"
+$       'cmd' -in f.p -inform p -outform d -out ff.d3
+$       if $severity .ne. 1 then exit 3
+$
+$
+$       write sys$output "d -> p"
+$       'cmd' -in f.d -inform d -outform p -out ff.p1
+$       if $severity .ne. 1 then exit 3
+$       write sys$output "p -> p"
+$       'cmd' -in f.p -inform p -outform p -out ff.p3
+$       if $severity .ne. 1 then exit 3
+$
+$       difference/output=nl: f.p ff.p1
+$       if $severity .ne. 1 then exit 3
+$       difference/output=nl: f.p ff.p3
+$       if $severity .ne. 1 then exit 3
+$
+$       delete f.*;*,ff.*;*,fff.*;*
diff --git a/src/lib/libssl/src/test/treq.com b/src/lib/libssl/src/test/treq.com
new file mode 100644
index 0000000000..9eb1d26f6e
--- /dev/null
+++ b/src/lib/libssl/src/test/treq.com
@@ -0,0 +1,78 @@
+$! TREQ.COM  --  Tests req keys
+$
+$       __arch := VAX
+$       if f$getsyi("cpu") .ge. 128 then __arch := AXP
+$       exe_dir := sys$disk:[-.'__arch'.exe.apps]
+$
+$       cmd := mcr 'exe_dir'openssl req -config [-.apps]openssl-vms.cnf
+$
+$       t := testreq.pem
+$       if p1 .nes. "" then t = p1
+$
+$       write sys$output "testing req conversions"
+$       copy 't' fff.p
+$
+$       write sys$output "p -> d"
+$       'cmd' -in fff.p -inform p -outform d -out f.d
+$       if $severity .ne. 1 then exit 3
+$!      write sys$output "p -> t"
+$!      'cmd' -in fff.p -inform p -outform t -out f.t
+$!      if $severity .ne. 1 then exit 3
+$       write sys$output "p -> p"
+$       'cmd' -in fff.p -inform p -outform p -out f.p
+$       if $severity .ne. 1 then exit 3
+$
+$       write sys$output "d -> d"
+$       'cmd' -verify -in f.d -inform d -outform d -out ff.d1
+$       if $severity .ne. 1 then exit 3
+$!      write sys$output "t -> d"
+$!      'cmd' -verify -in f.t -inform t -outform d -out ff.d2
+$!      if $severity .ne. 1 then exit 3
+$       write sys$output "p -> d"
+$       'cmd' -verify -in f.p -inform p -outform d -out ff.d3
+$       if $severity .ne. 1 then exit 3
+$
+$!      write sys$output "d -> t"
+$!      'cmd' -in f.d -inform d -outform t -out ff.t1
+$!      if $severity .ne. 1 then exit 3
+$!      write sys$output "t -> t"
+$!      'cmd' -in f.t -inform t -outform t -out ff.t2
+$!      if $severity .ne. 1 then exit 3
+$!      write sys$output "p -> t"
+$!      'cmd' -in f.p -inform p -outform t -out ff.t3
+$!      if $severity .ne. 1 then exit 3
+$
+$       write sys$output "d -> p"
+$       'cmd' -in f.d -inform d -outform p -out ff.p1
+$       if $severity .ne. 1 then exit 3
+$!      write sys$output "t -> p"
+$!      'cmd' -in f.t -inform t -outform p -out ff.p2
+$!      if $severity .ne. 1 then exit 3
+$       write sys$output "p -> p"
+$       'cmd' -in f.p -inform p -outform p -out ff.p3
+$       if $severity .ne. 1 then exit 3
+$
+$       difference/output=nl: fff.p f.p
+$       if $severity .ne. 1 then exit 3
+$       difference/output=nl: fff.p ff.p1
+$       if $severity .ne. 1 then exit 3
+$!      difference/output=nl: fff.p ff.p2
+$!      if $severity .ne. 1 then exit 3
+$       difference/output=nl: fff.p ff.p3
+$       if $severity .ne. 1 then exit 3
+$
+$!      difference/output=nl: f.t ff.t1
+$!      if $severity .ne. 1 then exit 3
+$!      difference/output=nl: f.t ff.t2
+$!      if $severity .ne. 1 then exit 3
+$!      difference/output=nl: f.t ff.t3
+$!      if $severity .ne. 1 then exit 3
+$
+$       difference/output=nl: f.p ff.p1
+$       if $severity .ne. 1 then exit 3
+$!      difference/output=nl: f.p ff.p2
+$!      if $severity .ne. 1 then exit 3
+$       difference/output=nl: f.p ff.p3
+$       if $severity .ne. 1 then exit 3
+$
+$       delete f.*;*,ff.*;*,fff.*;*
diff --git a/src/lib/libssl/src/test/trsa.com b/src/lib/libssl/src/test/trsa.com
new file mode 100644
index 0000000000..9c9083d02b
--- /dev/null
+++ b/src/lib/libssl/src/test/trsa.com
@@ -0,0 +1,78 @@
+$! TRSA.COM  --  Tests rsa keys
+$
+$       __arch := VAX
+$       if f$getsyi("cpu") .ge. 128 then __arch := AXP
+$       exe_dir := sys$disk:[-.'__arch'.exe.apps]
+$
+$       cmd := mcr 'exe_dir'openssl rsa
+$
+$       t := testrsa.pem
+$       if p1 .nes. "" then t = p1
+$
+$       write sys$output "testing RSA conversions"
+$       copy 't' fff.p
+$
+$       write sys$output "p -> d"
+$       'cmd' -in fff.p -inform p -outform d -out f.d
+$       if $severity .ne. 1 then exit 3
+$!      write sys$output "p -> t"
+$!      'cmd' -in fff.p -inform p -outform t -out f.t
+$!      if $severity .ne. 1 then exit 3
+$       write sys$output "p -> p"
+$       'cmd' -in fff.p -inform p -outform p -out f.p
+$       if $severity .ne. 1 then exit 3
+$
+$       write sys$output "d -> d"
+$       'cmd' -in f.d -inform d -outform d -out ff.d1
+$       if $severity .ne. 1 then exit 3
+$!      write sys$output "t -> d"
+$!      'cmd' -in f.t -inform t -outform d -out ff.d2
+$!      if $severity .ne. 1 then exit 3
+$       write sys$output "p -> d"
+$       'cmd' -in f.p -inform p -outform d -out ff.d3
+$       if $severity .ne. 1 then exit 3
+$
+$!      write sys$output "d -> t"
+$!      'cmd' -in f.d -inform d -outform t -out ff.t1
+$!      if $severity .ne. 1 then exit 3
+$!      write sys$output "t -> t"
+$!      'cmd' -in f.t -inform t -outform t -out ff.t2
+$!      if $severity .ne. 1 then exit 3
+$!      write sys$output "p -> t"
+$!      'cmd' -in f.p -inform p -outform t -out ff.t3
+$!      if $severity .ne. 1 then exit 3
+$
+$       write sys$output "d -> p"
+$       'cmd' -in f.d -inform d -outform p -out ff.p1
+$       if $severity .ne. 1 then exit 3
+$!      write sys$output "t -> p"
+$!      'cmd' -in f.t -inform t -outform p -out ff.p2
+$!      if $severity .ne. 1 then exit 3
+$       write sys$output "p -> p"
+$       'cmd' -in f.p -inform p -outform p -out ff.p3
+$       if $severity .ne. 1 then exit 3
+$
+$       difference/output=nl: fff.p f.p
+$       if $severity .ne. 1 then exit 3
+$       difference/output=nl: fff.p ff.p1
+$       if $severity .ne. 1 then exit 3
+$!      difference/output=nl: fff.p ff.p2
+$!      if $severity .ne. 1 then exit 3
+$       difference/output=nl: fff.p ff.p3
+$       if $severity .ne. 1 then exit 3
+$
+$!      difference/output=nl: f.t ff.t1
+$!      if $severity .ne. 1 then exit 3
+$!      difference/output=nl: f.t ff.t2
+$!      if $severity .ne. 1 then exit 3
+$!      difference/output=nl: f.t ff.t3
+$!      if $severity .ne. 1 then exit 3
+$
+$       difference/output=nl: f.p ff.p1
+$       if $severity .ne. 1 then exit 3
+$!      difference/output=nl: f.p ff.p2
+$!      if $severity .ne. 1 then exit 3
+$       difference/output=nl: f.p ff.p3
+$       if $severity .ne. 1 then exit 3
+$
+$       delete f.*;*,ff.*;*,fff.*;*
diff --git a/src/lib/libssl/src/test/tsid.com b/src/lib/libssl/src/test/tsid.com
new file mode 100644
index 0000000000..28d83e5c4e
--- /dev/null
+++ b/src/lib/libssl/src/test/tsid.com
@@ -0,0 +1,78 @@
+$! TSID.COM  --  Tests sid keys
+$
+$       __arch := VAX
+$       if f$getsyi("cpu") .ge. 128 then __arch := AXP
+$       exe_dir := sys$disk:[-.'__arch'.exe.apps]
+$
+$       cmd := mcr 'exe_dir'openssl sess_id
+$
+$       t := testsid.pem
+$       if p1 .nes. "" then t = p1
+$
+$       write sys$output "testing session-id conversions"
+$       copy 't' fff.p
+$
+$       write sys$output "p -> d"
+$       'cmd' -in fff.p -inform p -outform d -out f.d
+$       if $severity .ne. 1 then exit 3
+$!      write sys$output "p -> t"
+$!      'cmd' -in fff.p -inform p -outform t -out f.t
+$!      if $severity .ne. 1 then exit 3
+$       write sys$output "p -> p"
+$       'cmd' -in fff.p -inform p -outform p -out f.p
+$       if $severity .ne. 1 then exit 3
+$
+$       write sys$output "d -> d"
+$       'cmd' -in f.d -inform d -outform d -out ff.d1
+$       if $severity .ne. 1 then exit 3
+$!      write sys$output "t -> d"
+$!      'cmd' -in f.t -inform t -outform d -out ff.d2
+$!      if $severity .ne. 1 then exit 3
+$       write sys$output "p -> d"
+$       'cmd' -in f.p -inform p -outform d -out ff.d3
+$       if $severity .ne. 1 then exit 3
+$
+$!      write sys$output "d -> t"
+$!      'cmd' -in f.d -inform d -outform t -out ff.t1
+$!      if $severity .ne. 1 then exit 3
+$!      write sys$output "t -> t"
+$!      'cmd' -in f.t -inform t -outform t -out ff.t2
+$!      if $severity .ne. 1 then exit 3
+$!      write sys$output "p -> t"
+$!      'cmd' -in f.p -inform p -outform t -out ff.t3
+$!      if $severity .ne. 1 then exit 3
+$
+$       write sys$output "d -> p"
+$       'cmd' -in f.d -inform d -outform p -out ff.p1
+$       if $severity .ne. 1 then exit 3
+$!      write sys$output "t -> p"
+$!      'cmd' -in f.t -inform t -outform p -out ff.p2
+$!      if $severity .ne. 1 then exit 3
+$       write sys$output "p -> p"
+$       'cmd' -in f.p -inform p -outform p -out ff.p3
+$       if $severity .ne. 1 then exit 3
+$
+$       difference/output=nl: fff.p f.p
+$       if $severity .ne. 1 then exit 3
+$       difference/output=nl: fff.p ff.p1
+$       if $severity .ne. 1 then exit 3
+$!      difference/output=nl: fff.p ff.p2
+$!      if $severity .ne. 1 then exit 3
+$       difference/output=nl: fff.p ff.p3
+$       if $severity .ne. 1 then exit 3
+$
+$!      difference/output=nl: f.t ff.t1
+$!      if $severity .ne. 1 then exit 3
+$!      difference/output=nl: f.t ff.t2
+$!      if $severity .ne. 1 then exit 3
+$!      difference/output=nl: f.t ff.t3
+$!      if $severity .ne. 1 then exit 3
+$
+$       difference/output=nl: f.p ff.p1
+$       if $severity .ne. 1 then exit 3
+$!      difference/output=nl: f.p ff.p2
+$!      if $severity .ne. 1 then exit 3
+$       difference/output=nl: f.p ff.p3
+$       if $severity .ne. 1 then exit 3
+$
+$       delete f.*;*,ff.*;*,fff.*;*
diff --git a/src/lib/libssl/src/test/tverify.com b/src/lib/libssl/src/test/tverify.com
new file mode 100644
index 0000000000..f97e71478f
--- /dev/null
+++ b/src/lib/libssl/src/test/tverify.com
@@ -0,0 +1,26 @@
+$! TVERIFY.COM
+$
+$       __arch := VAX
+$       if f$getsyi("cpu") .ge. 128 then __arch := AXP
+$       exe_dir := sys$disk:[-.'__arch'.exe.apps]
+$
+$       copy/concatenate [-.certs]*.pem certs.tmp
+$
+$       old_f :=
+$ loop_certs:
+$       c := NO
+$       certs :=
+$ loop_certs2:
+$       f = f$search("[-.certs]*.pem")
+$       if f .nes. "" .and. f .nes. old_f
+$       then
+$           certs = certs + " [-.certs]" + f$parse(f,,,"NAME") + ".pem"
+$           if f$length(certs) .lt. 180 then goto loop_certs2
+$           c := YES
+$       endif
+$       certs = certs - " "
+$
+$       mcr 'exe_dir'openssl verify "-CAfile" certs.tmp 'certs'
+$       if c then goto loop_certs
+$
+$       delete certs.tmp;*
diff --git a/src/lib/libssl/src/test/tx509.com b/src/lib/libssl/src/test/tx509.com
new file mode 100644
index 0000000000..bbcf0a384b
--- /dev/null
+++ b/src/lib/libssl/src/test/tx509.com
@@ -0,0 +1,78 @@
+$! TX509.COM  --  Tests x509 certificates
+$
+$       __arch := VAX
+$       if f$getsyi("cpu") .ge. 128 then __arch := AXP
+$       exe_dir := sys$disk:[-.'__arch'.exe.apps]
+$
+$       cmd := mcr 'exe_dir'openssl x509
+$
+$       t := testx509.pem
+$       if p1 .nes. "" then t = p1
+$
+$       write sys$output "testing X509 conversions"
+$       copy 't' fff.p
+$
+$       write sys$output "p -> d"
+$       'cmd' -in fff.p -inform p -outform d -out f.d
+$       if $severity .ne. 1 then exit 3
+$       write sys$output "p -> n"
+$       'cmd' -in fff.p -inform p -outform n -out f.n
+$       if $severity .ne. 1 then exit 3
+$       write sys$output "p -> p"
+$       'cmd' -in fff.p -inform p -outform p -out f.p
+$       if $severity .ne. 1 then exit 3
+$
+$       write sys$output "d -> d"
+$       'cmd' -in f.d -inform d -outform d -out ff.d1
+$       if $severity .ne. 1 then exit 3
+$       write sys$output "n -> d"
+$       'cmd' -in f.n -inform n -outform d -out ff.d2
+$       if $severity .ne. 1 then exit 3
+$       write sys$output "p -> d"
+$       'cmd' -in f.p -inform p -outform d -out ff.d3
+$       if $severity .ne. 1 then exit 3
+$
+$       write sys$output "d -> n"
+$       'cmd' -in f.d -inform d -outform n -out ff.n1
+$       if $severity .ne. 1 then exit 3
+$       write sys$output "n -> n"
+$       'cmd' -in f.n -inform n -outform n -out ff.n2
+$       if $severity .ne. 1 then exit 3
+$       write sys$output "p -> n"
+$       'cmd' -in f.p -inform p -outform n -out ff.n3
+$       if $severity .ne. 1 then exit 3
+$
+$       write sys$output "d -> p"
+$       'cmd' -in f.d -inform d -outform p -out ff.p1
+$       if $severity .ne. 1 then exit 3
+$       write sys$output "n -> p"
+$       'cmd' -in f.n -inform n -outform p -out ff.p2
+$       if $severity .ne. 1 then exit 3
+$       write sys$output "p -> p"
+$       'cmd' -in f.p -inform p -outform p -out ff.p3
+$       if $severity .ne. 1 then exit 3
+$
+$       difference/output=nl: fff.p f.p
+$       if $severity .ne. 1 then exit 3
+$       difference/output=nl: fff.p ff.p1
+$       if $severity .ne. 1 then exit 3
+$       difference/output=nl: fff.p ff.p2
+$       if $severity .ne. 1 then exit 3
+$       difference/output=nl: fff.p ff.p3
+$       if $severity .ne. 1 then exit 3
+$
+$       difference/output=nl: f.n ff.n1
+$       if $severity .ne. 1 then exit 3
+$       difference/output=nl: f.n ff.n2
+$       if $severity .ne. 1 then exit 3
+$       difference/output=nl: f.n ff.n3
+$       if $severity .ne. 1 then exit 3
+$
+$       difference/output=nl: f.p ff.p1
+$       if $severity .ne. 1 then exit 3
+$       difference/output=nl: f.p ff.p2
+$       if $severity .ne. 1 then exit 3
+$       difference/output=nl: f.p ff.p3
+$       if $severity .ne. 1 then exit 3
+$
+$       delete f.*;*,ff.*;*,fff.*;*
diff --git a/src/lib/libssl/src/times/091/486-50.nt b/src/lib/libssl/src/times/091/486-50.nt
new file mode 100644
index 0000000000..84820d9c65
--- /dev/null
+++ b/src/lib/libssl/src/times/091/486-50.nt
@@ -0,0 +1,30 @@
+486-50 NT 4.0
+
+SSLeay 0.9.1a 06-Jul-1998
+built on Sat Jul 18 18:03:20 EST 1998
+options:bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(ptr2)
+C flags:cl /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM /Fdout32
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                 28.77k       80.30k      108.50k      118.98k      122.47k
+mdc2                51.52k       54.06k       54.54k       54.65k       54.62k
+md5                304.39k     1565.04k     3061.54k     3996.10k     4240.10k
+hmac(md5)          119.53k      793.23k     2061.29k     3454.95k     4121.76k
+sha1               127.51k      596.93k     1055.54k     1313.84k     1413.18k
+rmd160             128.50k      572.49k     1001.03k     1248.01k     1323.63k
+rc4               1224.40k     1545.11k     1590.29k     1600.20k     1576.90k
+des cbc            448.19k      503.45k      512.30k      513.30k      508.23k
+des ede3           148.66k      162.48k      163.68k      163.94k      164.24k
+idea cbc           194.18k      211.10k      212.99k      213.18k      212.64k
+rc2 cbc            245.78k      271.01k      274.12k      274.38k      273.52k
+rc5-32/12 cbc     1252.48k     1625.20k     1700.03k     1711.12k     1677.18k
+blowfish cbc       725.16k      828.26k      850.01k      846.99k      833.79k
+cast cbc           643.30k      717.22k      739.48k      741.57k      735.33k
+                  sign    verify    sign/s verify/s
+rsa  512 bits   0.0904s   0.0104s     11.1     96.2
+rsa 1024 bits   0.5968s   0.0352s      1.7     28.4
+rsa 2048 bits   3.8860s   0.1017s      0.3      9.8
+                  sign    verify    sign/s verify/s
+dsa  512 bits   0.1006s   0.1249s      9.9      8.0
+dsa 1024 bits   0.3306s   0.4093s      3.0      2.4
+dsa 2048 bits   0.9454s   1.1707s      1.1      0.9
diff --git a/src/lib/libssl/src/times/091/586-100.lnx b/src/lib/libssl/src/times/091/586-100.lnx
new file mode 100644
index 0000000000..92892a672d
--- /dev/null
+++ b/src/lib/libssl/src/times/091/586-100.lnx
@@ -0,0 +1,32 @@
+Pentium 100mhz, linux
+
+SSLeay 0.9.0a 14-Apr-1998
+built on Fri Apr 17 08:47:07 EST 1998
+options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2)
+C flags:gcc -DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                 56.65k      153.88k      208.47k      229.03k      237.57k
+mdc2               189.59k      204.95k      206.93k      208.90k      209.56k
+md5               1019.48k     5882.41k    12085.42k    16376.49k    18295.47k
+hmac(md5)          415.86k     2887.85k     7891.29k    13894.66k    17446.23k
+sha1               540.68k     2791.96k     5289.30k     6813.01k     7432.87k
+rmd160             298.37k     1846.87k     3869.10k     5273.94k     5892.78k
+rc4               7870.87k    10438.10k    10857.13k    10729.47k    10788.86k
+des cbc           1960.60k     2226.37k     2241.88k     2054.83k     2181.80k
+des ede3           734.44k      739.69k      779.43k      750.25k      772.78k
+idea cbc           654.07k      711.00k      716.89k      718.51k      720.90k
+rc2 cbc            648.83k      701.91k      708.61k      708.95k      709.97k
+rc5-32/12 cbc     3504.71k     4054.76k     4131.41k     4105.56k     4134.23k
+blowfish cbc      3762.25k     4313.79k     4460.54k     4356.78k     4317.18k
+cast cbc          2755.01k     3038.91k     3076.44k     3027.63k     2998.27k
+                  sign    verify    sign/s verify/s
+rsa  512 bits   0.0195s   0.0019s     51.4    519.9
+rsa 1024 bits   0.1000s   0.0059s     10.0    168.2
+rsa 2048 bits   0.6406s   0.0209s      1.6     47.8
+rsa 4096 bits   4.6100s   0.0787s      0.2     12.7
+                  sign    verify    sign/s verify/s
+dsa  512 bits   0.0188s   0.0360s     53.1     27.8
+dsa 1024 bits   0.0570s   0.1126s     17.5      8.9
+dsa 2048 bits   0.1990s   0.3954s      5.0      2.5
+
diff --git a/src/lib/libssl/src/times/091/68000.bsd b/src/lib/libssl/src/times/091/68000.bsd
new file mode 100644
index 0000000000..a3a14e8087
--- /dev/null
+++ b/src/lib/libssl/src/times/091/68000.bsd
@@ -0,0 +1,32 @@
+Motorolla 68020 20mhz, NetBSD
+
+SSLeay 0.9.0t 29-May-1998
+built on Fri Jun  5 12:42:23 EST 1998
+options:bn(64,32) md2(char) rc4(idx,int) des(idx,cisc,16,long) idea(int) blowfish(idx) 
+C flags:gcc -DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2               2176.00      5994.67      8079.73      8845.18      9077.01 
+mdc2              5730.67      6122.67      6167.66      6176.51      6174.87 
+md5                 29.10k      127.31k      209.66k      250.50k      263.99k
+hmac(md5)           12.33k       73.02k      160.17k      228.04k      261.15k
+sha1                11.27k       49.37k       84.31k      102.40k      109.23k
+rmd160              11.69k       48.62k       78.76k       93.15k       98.41k
+rc4                117.96k      148.94k      152.57k      153.09k      152.92k
+des cbc             27.13k       30.06k       30.38k       30.38k       30.53k
+des ede3            10.51k       10.94k       11.01k       11.01k       11.01k
+idea cbc            26.74k       29.23k       29.45k       29.60k       29.74k
+rc2 cbc             34.27k       39.39k       40.03k       40.07k       40.16k
+rc5-32/12 cbc       64.31k       83.18k       85.70k       86.70k       87.09k
+blowfish cbc        48.86k       59.18k       60.07k       60.42k       60.78k
+cast cbc            42.67k       50.01k       50.86k       51.20k       51.37k
+                  sign    verify    sign/s verify/s
+rsa  512 bits   0.7738s   0.0774s      1.3     12.9
+rsa 1024 bits   4.3967s   0.2615s      0.2      3.8
+rsa 2048 bits  29.5200s   0.9664s      0.0      1.0
+                  sign    verify    sign/s verify/s
+dsa  512 bits   0.7862s   0.9709s      1.3      1.0
+dsa 1024 bits   2.5375s   3.1625s      0.4      0.3
+dsa 2048 bits   9.2150s  11.8200s      0.1      0.1
+
+
diff --git a/src/lib/libssl/src/times/091/686-200.lnx b/src/lib/libssl/src/times/091/686-200.lnx
new file mode 100644
index 0000000000..bb857d48d0
--- /dev/null
+++ b/src/lib/libssl/src/times/091/686-200.lnx
@@ -0,0 +1,32 @@
+Pentium Pro 200mhz, linux
+
+SSLeay 0.9.0d 26-Apr-1998
+built on Sun Apr 26 10:25:33 EST 1998
+options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2) 
+C flags:gcc -DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                130.58k      364.54k      499.24k      545.79k      561.66k
+mdc2               526.68k      579.72k      588.37k      588.80k      589.82k
+md5               1917.71k    11434.69k    22512.21k    29495.30k    32677.89k
+hmac(md5)          749.18k     5264.83k    14227.20k    25018.71k    31760.38k
+sha1              1343.83k     6436.29k    11702.78k    14664.70k    15829.67k
+rmd160            1038.05k     5138.77k     8985.51k    10985.13k    11799.21k
+rc4              14891.04k    21334.06k    22376.79k    22579.54k    22574.42k
+des cbc           4131.97k     4568.31k     4645.29k     4631.21k     4572.73k
+des ede3          1567.17k     1631.13k     1657.32k     1653.08k     1643.86k
+idea cbc          2427.23k     2671.21k     2716.67k     2723.84k     2733.40k
+rc2 cbc           1629.90k     1767.38k     1788.50k     1797.12k     1799.51k
+rc5-32/12 cbc    10290.55k    13161.60k    13744.55k    14011.73k    14123.01k
+blowfish cbc      5896.42k     6920.77k     7122.01k     7151.62k     7146.15k
+cast cbc          6037.71k     6935.19k     7101.35k     7145.81k     7116.12k
+                  sign    verify    sign/s verify/s
+rsa  512 bits   0.0070s   0.0007s    142.6   1502.9
+rsa 1024 bits   0.0340s   0.0019s     29.4    513.3
+rsa 2048 bits   0.2087s   0.0066s      4.8    151.3
+rsa 4096 bits   1.4700s   0.0242s      0.7     41.2
+                  sign    verify    sign/s verify/s
+dsa  512 bits   0.0064s   0.0121s    156.1     82.9
+dsa 1024 bits   0.0184s   0.0363s     54.4     27.5
+dsa 2048 bits   0.0629s   0.1250s     15.9      8.0
+
diff --git a/src/lib/libssl/src/times/091/alpha064.osf b/src/lib/libssl/src/times/091/alpha064.osf
new file mode 100644
index 0000000000..a8e7fdfd61
--- /dev/null
+++ b/src/lib/libssl/src/times/091/alpha064.osf
@@ -0,0 +1,32 @@
+Alpha EV4.5 (21064) 275mhz, OSF1 V4.0
+SSLeay 0.9.0g 01-May-1998
+built on Mon May  4 17:26:09 CST 1998
+options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,4,long) idea(int) blowfish(idx) 
+C flags:cc -tune host -O4 -readonly_strings
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                119.58k      327.48k      443.28k      480.09k      495.16k
+mdc2               436.67k      456.35k      465.42k      466.57k      469.01k
+md5               1459.34k     6566.46k    11111.91k    13375.30k    14072.60k
+hmac(md5)          597.90k     3595.45k     8180.88k    12099.49k    13884.46k
+sha1               707.01k     3253.09k     6131.73k     7798.23k     8439.67k
+rmd160             618.57k     2729.07k     4711.33k     5825.16k     6119.23k
+rc4               8796.43k     9393.62k     9548.88k     9378.77k     9472.57k
+des cbc           2165.97k     2514.90k     2586.27k     2572.93k     2639.08k
+des ede3           945.44k     1004.03k     1005.96k     1017.33k     1020.85k
+idea cbc          1498.81k     1629.11k     1637.28k     1625.50k     1641.11k
+rc2 cbc           1866.00k     2044.92k     2067.12k     2064.00k     2068.96k
+rc5-32/12 cbc     4366.97k     5521.32k     5687.50k     5729.16k     5736.96k
+blowfish cbc      3997.31k     4790.60k     4937.84k     4954.56k     5024.85k
+cast cbc          2900.19k     3673.30k     3803.73k     3823.93k     3890.25k
+                  sign    verify    sign/s verify/s
+rsa  512 bits   0.0069s   0.0006s    144.2   1545.8
+rsa 1024 bits   0.0304s   0.0018s     32.9    552.6
+rsa 2048 bits   0.1887s   0.0062s      5.3    161.4
+rsa 4096 bits   1.3667s   0.0233s      0.7     42.9
+                  sign    verify    sign/s verify/s
+dsa  512 bits   0.0067s   0.0123s    149.6     81.1
+dsa 1024 bits   0.0177s   0.0332s     56.6     30.1
+dsa 2048 bits   0.0590s   0.1162s     16.9      8.6
+
+
diff --git a/src/lib/libssl/src/times/091/alpha164.lnx b/src/lib/libssl/src/times/091/alpha164.lnx
new file mode 100644
index 0000000000..c994662698
--- /dev/null
+++ b/src/lib/libssl/src/times/091/alpha164.lnx
@@ -0,0 +1,32 @@
+Alpha EV5.6 (21164A) 533mhz, Linux 2.0.32
+
+SSLeay 0.9.0p 22-May-1998
+built on Sun May 27 14:23:38 GMT 2018
+options:bn(64,64) md2(int) rc4(ptr,int) des(idx,risc1,16,long) idea(int) blowfish(idx) 
+C flags:gcc -O3
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                295.78k      825.34k     1116.42k     1225.10k     1262.65k
+mdc2               918.16k     1017.55k     1032.18k     1034.24k     1035.60k
+md5               3574.93k    15517.05k    25482.67k    30434.31k    32210.51k
+hmac(md5)         1261.54k     7757.15k    18025.46k    27081.21k    31653.27k
+sha1              2251.89k    10056.84k    16990.19k    20651.04k    21973.29k
+rmd160            1615.49k     7017.13k    11601.11k    13875.62k    14690.31k
+rc4              22435.16k    24476.40k    24349.95k    23042.36k    24581.53k
+des cbc           5198.38k     6559.04k     6775.43k     6827.87k     6875.82k
+des ede3          2257.73k     2602.18k     2645.60k     2657.12k     2670.59k
+idea cbc          3694.42k     4125.61k     4180.74k     4193.28k     4192.94k
+rc2 cbc           4642.47k     5323.85k     5415.42k     5435.86k     5434.03k
+rc5-32/12 cbc     9705.26k    13277.79k    13843.46k    13989.66k    13987.57k
+blowfish cbc      7861.28k    10852.34k    11447.98k    11616.97k    11667.54k
+cast cbc          6718.13k     8599.98k     8967.17k     9070.81k     9099.28k
+                  sign    verify    sign/s verify/s
+rsa  512 bits   0.0018s   0.0002s    555.9   6299.5
+rsa 1024 bits   0.0081s   0.0005s    123.3   2208.7
+rsa 2048 bits   0.0489s   0.0015s     20.4    648.5
+rsa 4096 bits   0.3402s   0.0057s      2.9    174.7
+                  sign    verify    sign/s verify/s
+dsa  512 bits   0.0019s   0.0032s    529.0    310.2
+dsa 1024 bits   0.0047s   0.0086s    214.1    115.7
+dsa 2048 bits   0.0150s   0.0289s     66.7     34.6
+
diff --git a/src/lib/libssl/src/times/091/alpha164.osf b/src/lib/libssl/src/times/091/alpha164.osf
new file mode 100644
index 0000000000..df712c689f
--- /dev/null
+++ b/src/lib/libssl/src/times/091/alpha164.osf
@@ -0,0 +1,31 @@
+Alpha EV5.6 (21164A) 400mhz, OSF1 V4.0
+
+SSLeay 0.9.0 10-Apr-1998
+built on Sun Apr 19 07:54:37 EST 1998
+options:bn(64,64) md2(int) rc4(ptr,int) des(ptr,risc2,4,int) idea(int) blowfish(idx) 
+C flags:cc -O4 -tune host -fast
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                276.30k      762.07k     1034.35k     1134.07k     1160.53k
+mdc2               814.99k      845.83k      849.09k      850.33k      849.24k
+md5               2468.43k    10945.27k    17963.48k    21430.89k    22544.38k
+hmac(md5)         1002.48k     6023.98k    13430.99k    19344.17k    22351.80k
+sha1              1984.93k     8882.47k    14856.47k    17878.70k    18955.10k
+rmd160            1286.96k     5595.52k     9167.00k    10957.74k    11582.30k
+rc4              15948.15k    16710.29k    16793.20k    17929.50k    18474.56k
+des cbc           3416.04k     4149.37k     4296.25k     4328.89k     4327.57k
+des ede3          1540.14k     1683.36k     1691.14k     1705.90k     1705.22k
+idea cbc          2795.87k     3192.93k     3238.13k     3238.17k     3256.66k
+rc2 cbc           3529.00k     4069.93k     4135.79k     4135.25k     4160.07k
+rc5-32/12 cbc     7212.35k     9849.71k    10260.91k    10423.38k    10439.99k
+blowfish cbc      6061.75k     8363.50k     8706.80k     8779.40k     8784.55k
+cast cbc          5401.75k     6433.31k     6638.18k     6662.40k     6702.80k
+                  sign    verify    sign/s verify/s
+rsa  512 bits   0.0022s   0.0002s    449.6   4916.2
+rsa 1024 bits   0.0105s   0.0006s     95.3   1661.2
+rsa 2048 bits   0.0637s   0.0020s     15.7    495.6
+rsa 4096 bits   0.4457s   0.0075s      2.2    132.7
+                  sign    verify    sign/s verify/s
+dsa  512 bits   0.0028s   0.0048s    362.2    210.4
+dsa 1024 bits   0.0064s   0.0123s    155.2     81.6
+dsa 2048 bits   0.0201s   0.0394s     49.7     25.4
diff --git a/src/lib/libssl/src/times/091/mips-rel.pl b/src/lib/libssl/src/times/091/mips-rel.pl
new file mode 100644
index 0000000000..4b2509315a
--- /dev/null
+++ b/src/lib/libssl/src/times/091/mips-rel.pl
@@ -0,0 +1,21 @@
+#!/usr/local/bin/perl
+
+&doit(100,"Pentium   100 32",0.0195,0.1000,0.6406,4.6100);      # pentium-100
+&doit(200,"PPro      200 32",0.0070,0.0340,0.2087,1.4700);      # pentium-100
+&doit( 25,"R3000      25 32",0.0860,0.4825,3.2417,23.8833);     # R3000-25
+&doit(200,"R4400     200 32",0.0137,0.0717,0.4730,3.4367);      # R4400 32bit
+&doit(180,"R10000    180 32",0.0061,0.0311,0.1955,1.3871);      # R10000 32bit
+&doit(180,"R10000    180 64",0.0034,0.0149,0.0880,0.5933);      # R10000 64bit
+&doit(400,"DEC 21164 400 64",0.0022,0.0105,0.0637,0.4457);      # R10000 64bit
+
+sub doit
+        {
+        local($mhz,$label,@data)=@_;
+
+        for ($i=0; $i <= $#data; $i++)
+                {
+                $data[$i]=1/$data[$i]*200/$mhz;
+                }
+        printf("%s %6.1f %6.1f %6.1f %6.1f\n",$label,@data);
+        }
+
diff --git a/src/lib/libssl/src/times/091/r10000.irx b/src/lib/libssl/src/times/091/r10000.irx
new file mode 100644
index 0000000000..237ee5d192
--- /dev/null
+++ b/src/lib/libssl/src/times/091/r10000.irx
@@ -0,0 +1,37 @@
+MIPS R10000 32kI+32kD 180mhz, IRIX 6.4
+
+Using crypto/bn/mips3.s
+
+This is built for n32, which is faster for all benchmarks than the n64
+compilation model
+
+SSLeay 0.9.0b 19-Apr-1998
+built on Sat Apr 25 12:43:14 EST 1998
+options:bn(64,64) md2(int) rc4(ptr,int) des(ptr,risc2,16,long) idea(int) blowfish(ptr) 
+C flags:cc -use_readonly_const -O2 -DTERMIOS -DB_ENDIAN
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                126.38k      349.38k      472.67k      517.01k      529.81k
+mdc2               501.64k      545.87k      551.80k      553.64k      554.41k
+md5               1825.77k     7623.64k    12630.47k    15111.74k    16012.09k
+hmac(md5)          780.81k     4472.86k     9667.22k    13802.67k    15777.89k
+sha1              1375.52k     6213.91k    11037.30k    13682.01k    14714.09k
+rmd160             856.72k     3454.40k     5598.33k     6689.94k     7073.48k
+rc4              11260.93k    13311.50k    13360.05k    13322.17k    13364.39k
+des cbc           2770.78k     3055.42k     3095.18k     3092.48k     3103.03k
+des ede3          1023.22k     1060.58k     1063.81k     1070.37k     1064.54k
+idea cbc          3029.09k     3334.30k     3375.29k     3375.65k     3380.64k
+rc2 cbc           2307.45k     2470.72k     2501.25k     2500.68k     2500.55k
+rc5-32/12 cbc     6770.91k     8629.89k     8909.58k     9009.64k     9044.95k
+blowfish cbc      4796.53k     5598.20k     5717.14k     5755.11k     5749.86k
+cast cbc          3986.20k     4426.17k     4465.04k     4476.84k     4475.08k
+                  sign    verify    sign/s verify/s
+rsa  512 bits   0.0034s   0.0003s    296.1   3225.4
+rsa 1024 bits   0.0139s   0.0008s     71.8   1221.8
+rsa 2048 bits   0.0815s   0.0026s     12.3    380.3
+rsa 4096 bits   0.5656s   0.0096s      1.8    103.7
+                  sign    verify    sign/s verify/s
+dsa  512 bits   0.0034s   0.0061s    290.8    164.9
+dsa 1024 bits   0.0084s   0.0161s    119.1     62.3
+dsa 2048 bits   0.0260s   0.0515s     38.5     19.4
+
diff --git a/src/lib/libssl/src/times/091/r3000.ult b/src/lib/libssl/src/times/091/r3000.ult
new file mode 100644
index 0000000000..ecd33908bb
--- /dev/null
+++ b/src/lib/libssl/src/times/091/r3000.ult
@@ -0,0 +1,32 @@
+MIPS R3000 64kI+64kD 25mhz, ultrix 4.3
+
+SSLeay 0.9.0b 19-Apr-1998
+built on Thu Apr 23 07:22:31 EST 1998
+options:bn(32,32) md2(int) rc4(ptr,int) des(ptr,risc2,16,long) idea(int) blowfish(idx) 
+C flags:cc -O2 -DL_ENDIAN -DNOPROTO -DNOCONST
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                 14.63k       40.65k       54.70k       60.07k       61.78k
+mdc2                29.43k       37.27k       38.23k       38.57k       38.60k
+md5                140.04k      676.59k     1283.84k     1654.10k     1802.24k
+hmac(md5)           60.51k      378.90k      937.82k     1470.46k     1766.74k
+sha1                60.77k      296.79k      525.40k      649.90k      699.05k
+rmd160              48.82k      227.16k      417.19k      530.31k      572.05k
+rc4                904.76k      996.20k     1007.53k     1015.65k     1010.35k
+des cbc            178.87k      209.39k      213.42k      215.55k      214.53k
+des ede3            74.25k       79.30k       80.40k       80.21k       80.14k
+idea cbc           181.02k      209.37k      214.44k      214.36k      213.83k
+rc2 cbc            161.52k      184.98k      187.99k      188.76k      189.05k
+rc5-32/12 cbc      398.99k      582.91k      614.66k      626.07k      621.87k
+blowfish cbc       296.38k      387.69k      405.50k      412.57k      410.05k
+cast cbc           214.76k      260.63k      266.92k      268.63k      258.26k
+                  sign    verify    sign/s verify/s
+rsa  512 bits   0.0870s   0.0089s     11.5    112.4
+rsa 1024 bits   0.4881s   0.0295s      2.0     33.9
+rsa 2048 bits   3.2750s   0.1072s      0.3      9.3
+rsa 4096 bits  23.9833s   0.4093s      0.0      2.4
+                  sign    verify    sign/s verify/s
+dsa  512 bits   0.0898s   0.1706s     11.1      5.9
+dsa 1024 bits   0.2847s   0.5565s      3.5      1.8
+dsa 2048 bits   1.0267s   2.0433s      1.0      0.5
+
diff --git a/src/lib/libssl/src/times/091/r4400.irx b/src/lib/libssl/src/times/091/r4400.irx
new file mode 100644
index 0000000000..9b96ca110a
--- /dev/null
+++ b/src/lib/libssl/src/times/091/r4400.irx
@@ -0,0 +1,32 @@
+R4400 16kI+16kD 200mhz, Irix 5.3
+
+SSLeay 0.9.0e 27-Apr-1998
+built on Sun Apr 26 07:26:05 PDT 1998
+options:bn(64,32) md2(int) rc4(ptr,int) des(ptr,risc2,16,long) idea(int) blowfish(ptr) 
+C flags:cc -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN
+The 'numbers' are in 1000s of bytes per second processed.
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+md2                 79.80k      220.59k      298.01k      327.06k      338.60k
+mdc2               262.74k      285.30k      289.16k      288.36k      288.49k
+md5                930.35k     4167.13k     7167.91k     8678.23k     9235.86k
+hmac(md5)          399.44k     2367.57k     5370.74k     7884.28k     9076.98k
+sha1               550.96k     2488.17k     4342.76k     5362.50k     5745.40k
+rmd160             424.58k     1752.83k     2909.67k     3486.08k     3702.89k
+rc4               6687.79k     7834.63k     7962.61k     8035.65k     7915.28k
+des cbc           1544.20k     1725.94k     1748.35k     1758.17k     1745.61k
+des ede3           587.29k      637.75k      645.93k      643.17k      646.01k
+idea cbc          1575.52k     1719.75k     1732.41k     1736.69k     1740.11k
+rc2 cbc           1496.21k     1629.90k     1643.19k     1652.14k     1646.62k
+rc5-32/12 cbc     3452.48k     4276.47k     4390.74k     4405.25k     4400.12k
+blowfish cbc      2354.58k     3242.36k     3401.11k     3433.65k     3383.65k
+cast cbc          1942.22k     2152.28k     2187.51k     2185.67k     2177.20k
+                  sign    verify    sign/s verify/s
+rsa  512 bits   0.0130s   0.0014s     76.9    729.8
+rsa 1024 bits   0.0697s   0.0043s     14.4    233.9
+rsa 2048 bits   0.4664s   0.0156s      2.1     64.0
+rsa 4096 bits   3.4067s   0.0586s      0.3     17.1
+                  sign    verify    sign/s verify/s
+dsa  512 bits   0.0140s   0.0261s     71.4     38.4
+dsa 1024 bits   0.0417s   0.0794s     24.0     12.6
+dsa 2048 bits   0.1478s   0.2929s      6.8      3.4
+
diff --git a/src/lib/libssl/src/times/x86/md4s.cpp b/src/lib/libssl/src/times/x86/md4s.cpp
new file mode 100644
index 0000000000..c0ec97fc9f
--- /dev/null
+++ b/src/lib/libssl/src/times/x86/md4s.cpp
@@ -0,0 +1,78 @@
+//
+// gettsc.inl
+//
+// gives access to the Pentium's (secret) cycle counter
+//
+// This software was written by Leonard Janke (janke@unixg.ubc.ca)
+// in 1996-7 and is entered, by him, into the public domain.
+
+#if defined(__WATCOMC__)
+void GetTSC(unsigned long&);
+#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
+#elif defined(__GNUC__)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  asm volatile(".byte 15, 49\n\t"
+               : "=eax" (tsc)
+               :
+               : "%edx", "%eax");
+}
+#elif defined(_MSC_VER)
+inline
+void GetTSC(unsigned long& tsc)
+{
+  unsigned long a;
+  __asm _emit 0fh
+  __asm _emit 31h
+  __asm mov a, eax;
+  tsc=a;
+}
+#endif      
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <openssl/md4.h>
+
+extern "C" {
+void md4_block_x86(MD4_CTX *ctx, unsigned char *buffer,int num);
+}
+
+void main(int argc,char *argv[])
+        {
+        unsigned char buffer[64*256];
+        MD4_CTX ctx;
+        unsigned long s1,s2,e1,e2;
+        unsigned char k[16];
+        unsigned long data[2];
+        unsigned char iv[8];
+        int i,num=0,numm;
+        int j=0;
+
+        if (argc >= 2)
+                num=atoi(argv[1]);
+
+        if (num == 0) num=16;
+        if (num > 250) num=16;
+        numm=num+2;
+        num*=64;
+        numm*=64;
+
+        for (j=0; j<6; j++)
+                {
+                for (i=0; i<10; i++) /**/
+                        {
+                        md4_block_x86(&ctx,buffer,numm);
+                        GetTSC(s1);
+                        md4_block_x86(&ctx,buffer,numm);
+                        GetTSC(e1);
+                        GetTSC(s2);
+                        md4_block_x86(&ctx,buffer,num);
+                        GetTSC(e2);
+                        md4_block_x86(&ctx,buffer,num);
+                        }
+                printf("md4 (%d bytes) %d %d (%.2f)\n",num,
+                        e1-s1,e2-s2,(double)((e1-s1)-(e2-s2))/2);
+                }
+        }
+
diff --git a/src/lib/libssl/src/tools/c89.sh b/src/lib/libssl/src/tools/c89.sh
new file mode 100644
index 0000000000..b25c9fda2d
--- /dev/null
+++ b/src/lib/libssl/src/tools/c89.sh
@@ -0,0 +1,15 @@
+#!/bin/sh -k
+#
+# Re-order arguments so that -L comes first
+#
+opts=""
+lopts=""
+        
+for arg in $* ; do
+  case $arg in
+    -L*) lopts="$lopts $arg" ;;
+    *) opts="$opts $arg" ;;
+  esac
+done
+
+c89 $lopts $opts
diff --git a/src/lib/libssl/src/tools/c_rehash.in b/src/lib/libssl/src/tools/c_rehash.in
new file mode 100644
index 0000000000..cc3b65871f
--- /dev/null
+++ b/src/lib/libssl/src/tools/c_rehash.in
@@ -0,0 +1,61 @@
+#!/bin/sh
+#
+# redo the hashes for the certificates in your cert path or the ones passed
+# on the command line.
+#
+
+if [ "$OPENSSL"x = "x" -o ! -x "$OPENSSL" ]; then
+        OPENSSL='openssl'
+        export OPENSSL
+fi
+DIR=/usr/local/ssl
+PATH=$DIR/bin:$PATH
+
+if [ ! -f "$OPENSSL" ]; then
+    found=0
+    for dir in . `echo $PATH | sed -e 's/:/ /g'`; do
+        if [ -f "$dir/$OPENSSL" ]; then
+            found=1
+            break
+        fi
+    done
+    if [ $found = 0 ]; then
+        echo "c_rehash: rehashing skipped ('openssl' program not available)" 1>&2
+        exit 0
+    fi
+fi
+
+SSL_DIR=$DIR/certs
+
+if [ "$*" = "" ]; then
+        CERTS=${*:-${SSL_CERT_DIR:-$SSL_DIR}}
+else
+        CERTS=$*
+fi
+
+IFS=': '
+for i in $CERTS
+do
+  (
+  IFS=' '
+  if [ -d $i -a -w $i ]; then
+    cd $i
+    echo "Doing $i"
+    for i in *.pem
+    do
+      if [ $i != '*.pem' ]; then
+        h=`$OPENSSL x509 -hash -noout -in $i`
+        if [ "x$h" = "x" ]; then
+          echo $i does not contain a certificate
+        else
+          if [ -f $h.0 ]; then
+            /bin/rm -f $h.0
+          fi
+          echo "$i => $h.0"
+          ln -s $i $h.0
+        fi
+      fi
+    done
+  fi
+  )
+done
diff --git a/src/lib/libssl/src/util/clean-depend.pl b/src/lib/libssl/src/util/clean-depend.pl
new file mode 100644
index 0000000000..af676af751
--- /dev/null
+++ b/src/lib/libssl/src/util/clean-depend.pl
@@ -0,0 +1,38 @@
+#!/usr/local/bin/perl -w
+# Clean the dependency list in a makefile of standard includes...
+# Written by Ben Laurie <ben@algroup.co.uk> 19 Jan 1999
+
+use strict;
+
+while(<STDIN>) {
+    print;
+    last if /^# DO NOT DELETE THIS LINE/;
+}
+
+my %files;
+
+while(<STDIN>) {
+    my ($file,$deps)=/^(.*): (.*)$/;
+    next if !defined $deps;
+    my @deps=split ' ',$deps;
+    @deps=grep(!/^\/usr\/include/,@deps);
+    @deps=grep(!/^\/usr\/lib\/gcc-lib/,@deps);
+    push @{$files{$file}},@deps;
+}
+
+my $file;
+foreach $file (sort keys %files) {
+    my $len=0;
+    my $dep;
+    foreach $dep (sort @{$files{$file}}) {
+        $len=0 if $len+length($dep)+1 >= 80;
+        if($len == 0) {
+            print "\n$file:";
+            $len=length($file)+1;
+        }
+        print " $dep";
+        $len+=length($dep)+1;
+    }
+}
+
+print "\n";
diff --git a/src/lib/libssl/src/util/cygwin.sh b/src/lib/libssl/src/util/cygwin.sh
new file mode 100644
index 0000000000..b607399b02
--- /dev/null
+++ b/src/lib/libssl/src/util/cygwin.sh
@@ -0,0 +1,125 @@
+#!/bin/bash
+#
+# This script configures, builds and packs the binary package for
+# the Cygwin net distribution version of OpenSSL
+#
+
+# Uncomment when debugging
+#set -x
+
+CONFIG_OPTIONS="--prefix=/usr shared no-idea no-rc5 no-mdc2"
+INSTALL_PREFIX=/tmp/install
+
+VERSION=
+SUBVERSION=$1
+
+function cleanup()
+{
+  rm -rf ${INSTALL_PREFIX}/etc
+  rm -rf ${INSTALL_PREFIX}/usr
+}
+
+function get_openssl_version()
+{
+  eval `grep '^VERSION=' Makefile.ssl`
+  if [ -z "${VERSION}" ]
+  then
+    echo "Error: Couldn't retrieve OpenSSL version from Makefile.ssl."
+    echo "       Check value of variable VERSION in Makefile.ssl."
+    exit 1
+  fi
+}
+
+function base_install()
+{
+  mkdir -p ${INSTALL_PREFIX}
+  cleanup
+  make install INSTALL_PREFIX="${INSTALL_PREFIX}"
+}
+
+function doc_install()
+{
+  DOC_DIR=${INSTALL_PREFIX}/usr/doc/openssl
+
+  mkdir -p ${DOC_DIR}
+  cp CHANGES CHANGES.SSLeay INSTALL LICENSE NEWS README ${DOC_DIR}
+
+  create_cygwin_readme
+}
+
+function create_cygwin_readme()
+{
+  README_DIR=${INSTALL_PREFIX}/usr/doc/Cygwin
+  README_FILE=${README_DIR}/openssl-${VERSION}.README
+
+  mkdir -p ${README_DIR}
+  cat > ${README_FILE} <<- EOF
+        The Cygwin version has been built using the following configure:
+
+          ./config ${CONFIG_OPTIONS}
+
+        The IDEA, RC5 and MDC2 algorithms are disabled due to patent and/or
+        licensing issues.
+        EOF
+}
+
+function create_profile_files()
+{
+  PROFILE_DIR=${INSTALL_PREFIX}/etc/profile.d
+
+  mkdir -p $PROFILE_DIR
+  cat > ${PROFILE_DIR}/openssl.sh <<- "EOF"
+        export MANPATH="${MANPATH}:/usr/ssl/man"
+        EOF
+  cat > ${PROFILE_DIR}/openssl.csh <<- "EOF"
+        if ( $?MANPATH ) then
+          setenv MANPATH "${MANPATH}:/usr/ssl/man"
+        else
+          setenv MANPATH ":/usr/ssl/man"
+        endif
+        EOF
+}
+
+if [ -z "${SUBVERSION}" ]
+then
+  echo "Usage: $0 subversion"
+  exit 1
+fi
+
+if [ ! -f config ]
+then
+  echo "You must start this script in the OpenSSL toplevel source dir."
+  exit 1
+fi
+
+./config ${CONFIG_OPTIONS}
+
+get_openssl_version
+
+make || exit 1
+
+base_install
+
+doc_install
+
+create_cygwin_readme
+
+create_profile_files
+
+cd ${INSTALL_PREFIX}
+strip usr/bin/*.exe usr/bin/*.dll
+
+# Runtime package
+find etc usr/bin usr/doc usr/ssl/certs usr/ssl/man/man[157] usr/ssl/misc \
+     usr/ssl/openssl.cnf usr/ssl/private -empty -o \! -type d |
+tar cjfT openssl-${VERSION}-${SUBVERSION}.tar.bz2 -
+# Development package
+find usr/include usr/lib usr/ssl/man/man3 -empty -o \! -type d |
+tar cjfT openssl-devel-${VERSION}-${SUBVERSION}.tar.bz2 -
+
+ls -l openssl-${VERSION}-${SUBVERSION}.tar.bz2
+ls -l openssl-devel-${VERSION}-${SUBVERSION}.tar.bz2
+
+cleanup
+
+exit 0
diff --git a/src/lib/libssl/src/util/domd b/src/lib/libssl/src/util/domd
new file mode 100644
index 0000000000..324051f60b
--- /dev/null
+++ b/src/lib/libssl/src/util/domd
@@ -0,0 +1,11 @@
+#!/bin/sh
+# Do a makedepend, only leave out the standard headers
+# Written by Ben Laurie <ben@algroup.co.uk> 19 Jan 1999
+
+TOP=$1
+shift
+
+cp Makefile.ssl Makefile.save
+makedepend -f Makefile.ssl $@
+$TOP/util/clean-depend.pl < Makefile.ssl > Makefile.new
+mv Makefile.new Makefile.ssl
diff --git a/src/lib/libssl/src/util/mkdir-p.pl b/src/lib/libssl/src/util/mkdir-p.pl
new file mode 100644
index 0000000000..6c69c2daa4
--- /dev/null
+++ b/src/lib/libssl/src/util/mkdir-p.pl
@@ -0,0 +1,33 @@
+#!/usr/local/bin/perl
+
+# mkdir-p.pl
+
+# On some systems, the -p option to mkdir (= also create any missing parent
+# directories) is not available.
+
+my $arg;
+
+foreach $arg (@ARGV) {
+  &do_mkdir_p($arg);
+}
+
+
+sub do_mkdir_p {
+  local($dir) = @_;
+
+  $dir =~ s|/*\Z(?!\n)||s;
+
+  if (-d $dir) {
+    return;
+  }
+
+  if ($dir =~ m|[^/]/|s) {
+    local($parent) = $dir;
+    $parent =~ s|[^/]*\Z(?!\n)||s;
+
+    do_mkdir_p($parent);
+  }
+
+  mkdir($dir, 0777) || die "Cannot create directory $dir: $!\n";
+  print "created directory `$dir'\n";
+}
diff --git a/src/lib/libssl/src/util/mkerr.pl b/src/lib/libssl/src/util/mkerr.pl
new file mode 100644
index 0000000000..4b3bccb13e
--- /dev/null
+++ b/src/lib/libssl/src/util/mkerr.pl
@@ -0,0 +1,503 @@
+#!/usr/local/bin/perl -w
+
+my $config = "crypto/err/openssl.ec";
+my $debug = 0;
+my $rebuild = 0;
+my $static = 1;
+my $recurse = 0;
+my $reindex = 0;
+my $dowrite = 0;
+
+
+while (@ARGV) {
+        my $arg = $ARGV[0];
+        if($arg eq "-conf") {
+                shift @ARGV;
+                $config = shift @ARGV;
+        } elsif($arg eq "-debug") {
+                $debug = 1;
+                shift @ARGV;
+        } elsif($arg eq "-rebuild") {
+                $rebuild = 1;
+                shift @ARGV;
+        } elsif($arg eq "-recurse") {
+                $recurse = 1;
+                shift @ARGV;
+        } elsif($arg eq "-reindex") {
+                $reindex = 1;
+                shift @ARGV;
+        } elsif($arg eq "-nostatic") {
+                $static = 0;
+                shift @ARGV;
+        } elsif($arg eq "-write") {
+                $dowrite = 1;
+                shift @ARGV;
+        } else {
+                last;
+        }
+}
+
+if($recurse) {
+        @source = (<crypto/*.c>, <crypto/*/*.c>, ,<rsaref/*.c>, <ssl/*.c>);
+} else {
+        @source = @ARGV;
+}
+
+# Read in the config file
+
+open(IN, "<$config") || die "Can't open config file $config";
+
+# Parse config file
+
+while(<IN>)
+{
+        if(/^L\s+(\S+)\s+(\S+)\s+(\S+)/) {
+                $hinc{$1} = $2;
+                $cskip{$3} = $1;
+                if($3 ne "NONE") {
+                        $csrc{$1} = $3;
+                        $fmax{$1} = 99;
+                        $rmax{$1} = 99;
+                        $fnew{$1} = 0;
+                        $rnew{$1} = 0;
+                }
+        } elsif (/^F\s+(\S+)/) {
+        # Add extra function with $1
+        } elsif (/^R\s+(\S+)\s+(\S+)/) {
+                $rextra{$1} = $2;
+                $rcodes{$1} = $2;
+        }
+}
+
+close IN;
+
+# Scan each header file in turn and make a list of error codes
+# and function names
+
+while (($lib, $hdr) = each %hinc)
+{
+        next if($hdr eq "NONE");
+        print STDERR "Scanning header file $hdr\n" if $debug; 
+        open(IN, "<$hdr") || die "Can't open Header file $hdr\n";
+        my $line = "", $def= "";
+        while(<IN>) {
+            last if(/BEGIN\s+ERROR\s+CODES/);
+            if ($line ne '') {
+                $_ = $line . $_;
+                $line = '';
+            }
+
+            if (/\\$/) {
+                $line = $_;
+                next;
+            }
+
+            $cpp = 1 if /^#.*ifdef.*cplusplus/;  # skip "C" declaration
+            if ($cpp) {
+                $cpp = 0 if /^#.*endif/;
+                next;
+            }
+
+            next if (/^#/);                      # skip preprocessor directives
+
+            s/\/\*.*?\*\///gs;                   # ignore comments
+            s/{[^{}]*}//gs;                      # ignore {} blocks
+
+            if (/{|\/\*/) { # Add a } so editor works...
+                $line = $_;
+            } else {
+                $def .= $_;
+            }
+        }
+
+        foreach (split /;/, $def) {
+            s/^[\n\s]*//g;
+            s/[\n\s]*$//g;
+            next if(/typedef\W/);
+            if (/\(\*(\w*)\([^\)]+/) {
+                my $name = $1;
+                $name =~ tr/[a-z]/[A-Z]/;
+                $ftrans{$name} = $1;
+            } elsif (/\w+\W+(\w+)\W*\(\s*\)$/s){
+                # K&R C
+                next ;
+            } elsif (/\w+\W+\w+\W*\(.*\)$/s) {
+                while (not /\(\)$/s) {
+                    s/[^\(\)]*\)$/\)/s;
+                    s/\([^\(\)]*\)\)$/\)/s;
+                }
+                s/\(void\)//;
+                /(\w+)\W*\(\)/s;
+                my $name = $1;
+                $name =~ tr/[a-z]/[A-Z]/;
+                $ftrans{$name} = $1;
+            } elsif (/\(/ and not (/=/ or /DECLARE_STACK/)) {
+                print STDERR "Header $hdr: cannot parse: $_;\n";
+            }
+        }
+
+        next if $reindex;
+
+        # Scan function and reason codes and store them: keep a note of the
+        # maximum code used.
+
+        while(<IN>) {
+                if(/^#define\s+(\S+)\s+(\S+)/) {
+                        $name = $1;
+                        $code = $2;
+                        unless($name =~ /^${lib}_([RF])_(\w+)$/) {
+                                print STDERR "Invalid error code $name\n";
+                                next;
+                        }
+                        if($1 eq "R") {
+                                $rcodes{$name} = $code;
+                                if(!(exists $rextra{$name}) &&
+                                         ($code > $rmax{$lib}) ) {
+                                        $rmax{$lib} = $code;
+                                }
+                        } else {
+                                if($code > $fmax{$lib}) {
+                                        $fmax{$lib} = $code;
+                                }
+                                $fcodes{$name} = $code;
+                        }
+                }
+        }
+        close IN;
+}
+
+# Scan each C source file and look for function and reason codes
+# This is done by looking for strings that "look like" function or
+# reason codes: basically anything consisting of all upper case and
+# numerics which has _F_ or _R_ in it and which has the name of an
+# error library at the start. This seems to work fine except for the
+# oddly named structure BIO_F_CTX which needs to be ignored.
+# If a code doesn't exist in list compiled from headers then mark it
+# with the value "X" as a place holder to give it a value later.
+# Store all function and reason codes found in %ufcodes and %urcodes
+# so all those unreferenced can be printed out.
+
+
+foreach $file (@source) {
+        # Don't parse the error source file.
+        next if exists $cskip{$file};
+        open(IN, "<$file") || die "Can't open source file $file\n";
+        while(<IN>) {
+                if(/(([A-Z0-9]+)_F_([A-Z0-9_]+))/) {
+                        next unless exists $csrc{$2};
+                        next if($1 eq "BIO_F_BUFFER_CTX");
+                        $ufcodes{$1} = 1;
+                        if(!exists $fcodes{$1}) {
+                                $fcodes{$1} = "X";
+                                $fnew{$2}++;
+                        }
+                        $notrans{$1} = 1 unless exists $ftrans{$3};
+                }
+                if(/(([A-Z0-9]+)_R_[A-Z0-9_]+)/) {
+                        next unless exists $csrc{$2};
+                        $urcodes{$1} = 1;
+                        if(!exists $rcodes{$1}) {
+                                $rcodes{$1} = "X";
+                                $rnew{$2}++;
+                        }
+                } 
+        }
+        close IN;
+}
+
+# Now process each library in turn.
+
+foreach $lib (keys %csrc)
+{
+        my $hfile = $hinc{$lib};
+        my $cfile = $csrc{$lib};
+        if(!$fnew{$lib} && !$rnew{$lib}) {
+                print STDERR "$lib:\t\tNo new error codes\n";
+                next unless $rebuild;
+        } else {
+                print STDERR "$lib:\t\t$fnew{$lib} New Functions,";
+                print STDERR " $rnew{$lib} New Reasons.\n";
+                next unless $dowrite;
+        }
+
+        # If we get here then we have some new error codes so we
+        # need to rebuild the header file and C file.
+
+        # Make a sorted list of error and reason codes for later use.
+
+        my @function = sort grep(/^${lib}_/,keys %fcodes);
+        my @reasons = sort grep(/^${lib}_/,keys %rcodes);
+
+        # Rewrite the header file
+
+        open(IN, "<$hfile") || die "Can't Open Header File $hfile\n";
+
+        # Copy across the old file
+        while(<IN>) {
+                push @out, $_;
+                last if (/BEGIN ERROR CODES/);
+        }
+        close IN;
+
+        open (OUT, ">$hfile") || die "Can't Open File $hfile for writing\n";
+
+        print OUT @out;
+        undef @out;
+        print OUT <<"EOF";
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+/* Error codes for the $lib functions. */
+
+/* Function codes. */
+EOF
+
+        foreach $i (@function) {
+                $z=6-int(length($i)/8);
+                if($fcodes{$i} eq "X") {
+                        $fcodes{$i} = ++$fmax{$lib};
+                        print STDERR "New Function code $i\n" if $debug;
+                }
+                printf OUT "#define $i%s $fcodes{$i}\n","\t" x $z;
+        }
+
+        print OUT "\n/* Reason codes. */\n";
+
+        foreach $i (@reasons) {
+                $z=6-int(length($i)/8);
+                if($rcodes{$i} eq "X") {
+                        $rcodes{$i} = ++$rmax{$lib};
+                        print STDERR "New Reason code   $i\n" if $debug;
+                }
+                printf OUT "#define $i%s $rcodes{$i}\n","\t" x $z;
+        }
+        print OUT <<"EOF";
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
+EOF
+        close OUT;
+
+        # Rewrite the C source file containing the error details.
+
+        my $hincf;
+        if($static) {
+                $hfile =~ /([^\/]+)$/;
+                $hincf = "<openssl/$1>";
+        } else {
+                $hincf = "\"$hfile\"";
+        }
+
+
+        open (OUT,">$cfile") || die "Can't open $cfile for writing";
+
+        print OUT <<"EOF";
+/* $cfile */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core\@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay\@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh\@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include $hincf
+
+/* BEGIN ERROR CODES */
+#ifndef NO_ERR
+static ERR_STRING_DATA ${lib}_str_functs[]=
+        {
+EOF
+        # Add each function code: if a function name is found then use it.
+        foreach $i (@function) {
+                my $fn;
+                $i =~ /^${lib}_F_(\S+)$/;
+                $fn = $1;
+                if(exists $ftrans{$fn}) {
+                        $fn = $ftrans{$fn};
+                }
+                print OUT "{ERR_PACK(0,$i,0),\t\"$fn\"},\n";
+        }
+        print OUT <<"EOF";
+{0,NULL}
+        };
+
+static ERR_STRING_DATA ${lib}_str_reasons[]=
+        {
+EOF
+        # Add each reason code.
+        foreach $i (@reasons) {
+                my $rn;
+                my $nspc = 0;
+                $i =~ /^${lib}_R_(\S+)$/;
+                $rn = $1;
+                $rn =~ tr/_[A-Z]/ [a-z]/;
+                $nspc = 40 - length($i) unless length($i) > 40;
+                $nspc = " " x $nspc;
+                print OUT "{${i}${nspc},\"$rn\"},\n";
+        }
+if($static) {
+        print OUT <<"EOF";
+{0,NULL}
+        };
+
+#endif
+
+void ERR_load_${lib}_strings(void)
+        {
+        static int init=1;
+
+        if (init)
+                {
+                init=0;
+#ifndef NO_ERR
+                ERR_load_strings(ERR_LIB_${lib},${lib}_str_functs);
+                ERR_load_strings(ERR_LIB_${lib},${lib}_str_reasons);
+#endif
+
+                }
+        }
+EOF
+} else {
+        print OUT <<"EOF";
+{0,NULL}
+        };
+
+#endif
+
+#ifdef ${lib}_LIB_NAME
+static ERR_STRING_DATA ${lib}_lib_name[]=
+        {
+{0      ,${lib}_LIB_NAME},
+{0,NULL}
+        };
+#endif
+
+
+int ${lib}_lib_error_code=0;
+
+void ERR_load_${lib}_strings(void)
+        {
+        static int init=1;
+
+        if (${lib}_lib_error_code == 0)
+                ${lib}_lib_error_code=ERR_get_next_error_library();
+
+        if (init)
+                {
+                init=0;
+#ifndef NO_ERR
+                ERR_load_strings(${lib}_lib_error_code,${lib}_str_functs);
+                ERR_load_strings(${lib}_lib_error_code,${lib}_str_reasons);
+#endif
+
+#ifdef ${lib}_LIB_NAME
+                ${lib}_lib_name->error = ERR_PACK(${lib}_lib_error_code,0,0);
+                ERR_load_strings(0,${lib}_lib_name);
+#endif;
+                }
+        }
+
+void ERR_${lib}_error(int function, int reason, char *file, int line)
+        {
+        if (${lib}_lib_error_code == 0)
+                ${lib}_lib_error_code=ERR_get_next_error_library();
+        ERR_PUT_error(${lib}_lib_error_code,function,reason,file,line);
+        }
+EOF
+
+}
+
+        close OUT;
+
+}
+
+if($debug && defined(%notrans)) {
+        print STDERR "The following function codes were not translated:\n";
+        foreach(sort keys %notrans)
+        {
+                print STDERR "$_\n";
+        }
+}
+
+# Make a list of unreferenced function and reason codes
+
+foreach (keys %fcodes) {
+        push (@funref, $_) unless exists $ufcodes{$_};
+}
+
+foreach (keys %rcodes) {
+        push (@runref, $_) unless exists $urcodes{$_};
+}
+
+if($debug && defined(@funref) ) {
+        print STDERR "The following function codes were not referenced:\n";
+        foreach(sort @funref)
+        {
+                print STDERR "$_\n";
+        }
+}
+
+if($debug && defined(@runref) ) {
+        print STDERR "The following reason codes were not referenced:\n";
+        foreach(sort @runref)
+        {
+                print STDERR "$_\n";
+        }
+}
diff --git a/src/lib/libssl/src/util/mkfiles.pl b/src/lib/libssl/src/util/mkfiles.pl
new file mode 100644
index 0000000000..6fa424bd19
--- /dev/null
+++ b/src/lib/libssl/src/util/mkfiles.pl
@@ -0,0 +1,110 @@
+#!/usr/local/bin/perl
+#
+# This is a hacked version of files.pl for systems that can't do a 'make files'.
+# Do a perl util/mkminfo.pl >MINFO to build MINFO
+# Written by Steve Henson 1999.
+
+# List of directories to process
+
+my @dirs = (
+".",
+"crypto",
+"crypto/md2",
+"crypto/md5",
+"crypto/sha",
+"crypto/mdc2",
+"crypto/hmac",
+"crypto/ripemd",
+"crypto/des",
+"crypto/rc2",
+"crypto/rc4",
+"crypto/rc5",
+"crypto/idea",
+"crypto/bf",
+"crypto/cast",
+"crypto/bn",
+"crypto/rsa",
+"crypto/dsa",
+"crypto/dh",
+"crypto/buffer",
+"crypto/bio",
+"crypto/stack",
+"crypto/lhash",
+"crypto/rand",
+"crypto/err",
+"crypto/objects",
+"crypto/evp",
+"crypto/asn1",
+"crypto/pem",
+"crypto/x509",
+"crypto/x509v3",
+"crypto/conf",
+"crypto/txt_db",
+"crypto/pkcs7",
+"crypto/pkcs12",
+"crypto/comp",
+"ssl",
+"rsaref",
+"apps",
+"test",
+"tools"
+);
+
+foreach (@dirs) {
+        &files_dir ($_, "Makefile.ssl");
+}
+
+exit(0);
+
+sub files_dir
+{
+my ($dir, $makefile) = @_;
+
+my %sym;
+
+open (IN, "$dir/$makefile") || die "Can't open $dir/$makefile";
+
+my $s="";
+
+while (<IN>)
+        {
+        chop;
+        s/#.*//;
+        if (/^(\S+)\s*=\s*(.*)$/)
+                {
+                $o="";
+                ($s,$b)=($1,$2);
+                for (;;)
+                        {
+                        if ($b =~ /\\$/)
+                                {
+                                chop($b);
+                                $o.=$b." ";
+                                $b=<IN>;
+                                chop($b);
+                                }
+                        else
+                                {
+                                $o.=$b." ";
+                                last;
+                                }
+                        }
+                $o =~ s/^\s+//;
+                $o =~ s/\s+$//;
+                $o =~ s/\s+/ /g;
+
+                $o =~ s/\$[({]([^)}]+)[)}]/$sym{$1}/g;
+                $sym{$s}=$o;
+                }
+        }
+
+print "RELATIVE_DIRECTORY=$dir\n";
+
+foreach (sort keys %sym)
+        {
+        print "$_=$sym{$_}\n";
+        }
+print "RELATIVE_DIRECTORY=\n";
+
+close (IN);
+}
diff --git a/src/lib/libssl/src/util/mklink.pl b/src/lib/libssl/src/util/mklink.pl
new file mode 100644
index 0000000000..de555820ec
--- /dev/null
+++ b/src/lib/libssl/src/util/mklink.pl
@@ -0,0 +1,55 @@
+#!/usr/local/bin/perl
+
+# mklink.pl
+
+# The first command line argument is a non-empty relative path
+# specifying the "from" directory.
+# Each other argument is a file name not containing / and
+# names a file in the current directory.
+#
+# For each of these files, we create in the "from" directory a link
+# of the same name pointing to the local file.
+#
+# We assume that the directory structure is a tree, i.e. that it does
+# not contain symbolic links and that the parent of / is never referenced.
+# Apart from this, this script should be able to handle even the most
+# pathological cases.
+
+my $from = shift;
+my @files = @ARGV;
+
+my @from_path = split(/\//, $from);
+my $pwd = `pwd`;
+chop($pwd);
+my @pwd_path = split(/\//, $pwd);
+
+my @to_path = ();
+
+my $dirname;
+foreach $dirname (@from_path) {
+
+    # In this loop, @to_path always is a relative path from
+    # @pwd_path (interpreted is an absolute path) to the original pwd.
+
+    # At the end, @from_path (as a relative path from the original pwd)
+    # designates the same directory as the absolute path @pwd_path,
+    # which means that @to_path then is a path from there to the original pwd.
+
+    next if ($dirname eq "" || $dirname eq ".");
+
+    if ($dirname eq "..") {
+        @to_path = (pop(@pwd_path), @to_path);
+    } else {
+        @to_path = ("..", @to_path);
+        push(@pwd_path, $dirname);
+    }
+}
+
+my $to = join('/', @to_path);
+
+my $file;
+foreach $file (@files) {
+#    print "ln -s $to/$file $from/$file\n";
+    symlink("$to/$file", "$from/$file");
+    print $file . " => $from/$file\n";
+}
diff --git a/src/lib/libssl/src/util/mkstack.pl b/src/lib/libssl/src/util/mkstack.pl
new file mode 100644
index 0000000000..3ee13fe7c9
--- /dev/null
+++ b/src/lib/libssl/src/util/mkstack.pl
@@ -0,0 +1,124 @@
+#!/usr/local/bin/perl -w
+
+# This is a utility that searches out "DECLARE_STACK_OF()"
+# declarations in .h and .c files, and updates/creates/replaces
+# the corresponding macro declarations in crypto/stack/safestack.h.
+# As it's not generally possible to have macros that generate macros,
+# we need to control this from the "outside", here in this script.
+#
+# Geoff Thorpe, June, 2000 (with massive Perl-hacking
+#                           help from Steve Robb)
+
+my $safestack = "crypto/stack/safestack";
+
+my $do_write;
+while (@ARGV) {
+        my $arg = $ARGV[0];
+        if($arg eq "-write") {
+                $do_write = 1;
+        }
+        shift @ARGV;
+}
+
+
+@source = (<crypto/*.[ch]>, <crypto/*/*.[ch]>, <rsaref/*.[ch]>, <ssl/*.[ch]>);
+foreach $file (@source) {
+        next if -l $file;
+
+        # Open the .c/.h file for reading
+        open(IN, "< $file") || die "Can't open $file for reading: $!";
+
+        while(<IN>) {
+                if (/^DECLARE_STACK_OF\(([^)]+)\)/) {
+                        push @stacklst, $1;
+                } if (/^DECLARE_ASN1_SET_OF\(([^)]+)\)/) {
+                        push @asn1setlst, $1;
+                } if (/^DECLARE_PKCS12_STACK_OF\(([^)]+)\)/) {
+                        push @p12stklst, $1;
+                }
+        }
+        close(IN);
+}
+
+
+
+my $old_stackfile = "";
+my $new_stackfile = "";
+my $inside_block = 0;
+my $type_thing;
+
+open(IN, "< $safestack.h") || die "Can't open input file: $!";
+while(<IN>) {
+        $old_stackfile .= $_;
+
+        if (m|^/\* This block of defines is updated by util/mkstack.pl, please do not touch! \*/|) {
+                $inside_block = 1;
+        }
+        if (m|^/\* End of util/mkstack.pl block, you may now edit :-\) \*/|) {
+                $inside_block = 0;
+        } elsif ($inside_block == 0) {
+                $new_stackfile .= $_;
+        }
+        next if($inside_block != 1);
+        $new_stackfile .= "/* This block of defines is updated by util/mkstack.pl, please do not touch! */";
+                
+        foreach $type_thing (sort @stacklst) {
+                $new_stackfile .= <<EOF;
+
+#define sk_${type_thing}_new(st) SKM_sk_new($type_thing, (st))
+#define sk_${type_thing}_new_null() SKM_sk_new_null($type_thing)
+#define sk_${type_thing}_free(st) SKM_sk_free($type_thing, (st))
+#define sk_${type_thing}_num(st) SKM_sk_num($type_thing, (st))
+#define sk_${type_thing}_value(st, i) SKM_sk_value($type_thing, (st), (i))
+#define sk_${type_thing}_set(st, i, val) SKM_sk_set($type_thing, (st), (i), (val))
+#define sk_${type_thing}_zero(st) SKM_sk_zero($type_thing, (st))
+#define sk_${type_thing}_push(st, val) SKM_sk_push($type_thing, (st), (val))
+#define sk_${type_thing}_unshift(st, val) SKM_sk_unshift($type_thing, (st), (val))
+#define sk_${type_thing}_find(st, val) SKM_sk_find($type_thing, (st), (val))
+#define sk_${type_thing}_delete(st, i) SKM_sk_delete($type_thing, (st), (i))
+#define sk_${type_thing}_delete_ptr(st, ptr) SKM_sk_delete_ptr($type_thing, (st), (ptr))
+#define sk_${type_thing}_insert(st, val, i) SKM_sk_insert($type_thing, (st), (val), (i))
+#define sk_${type_thing}_set_cmp_func(st, cmp) SKM_sk_set_cmp_func($type_thing, (st), (cmp))
+#define sk_${type_thing}_dup(st) SKM_sk_dup($type_thing, st)
+#define sk_${type_thing}_pop_free(st, free_func) SKM_sk_pop_free($type_thing, (st), (free_func))
+#define sk_${type_thing}_shift(st) SKM_sk_shift($type_thing, (st))
+#define sk_${type_thing}_pop(st) SKM_sk_pop($type_thing, (st))
+#define sk_${type_thing}_sort(st) SKM_sk_sort($type_thing, (st))
+EOF
+        }
+        foreach $type_thing (sort @asn1setlst) {
+                $new_stackfile .= <<EOF;
+
+#define d2i_ASN1_SET_OF_${type_thing}(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \\
+        SKM_ASN1_SET_OF_d2i($type_thing, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) 
+#define i2d_ASN1_SET_OF_${type_thing}(st, pp, i2d_func, ex_tag, ex_class, is_set) \\
+        SKM_ASN1_SET_OF_i2d($type_thing, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set))
+#define ASN1_seq_pack_${type_thing}(st, i2d_func, buf, len) \\
+        SKM_ASN1_seq_pack($type_thing, (st), (i2d_func), (buf), (len))
+#define ASN1_seq_unpack_${type_thing}(buf, len, d2i_func, free_func) \\
+        SKM_ASN1_seq_unpack($type_thing, (buf), (len), (d2i_func), (free_func))
+EOF
+        }
+        foreach $type_thing (sort @p12stklst) {
+                $new_stackfile .= <<EOF;
+
+#define PKCS12_decrypt_d2i_${type_thing}(algor, d2i_func, free_func, pass, passlen, oct, seq) \\
+        SKM_PKCS12_decrypt_d2i($type_thing, (algor), (d2i_func), (free_func), (pass), (passlen), (oct), (seq))
+EOF
+        }
+        $new_stackfile .= "/* End of util/mkstack.pl block, you may now edit :-) */\n";
+        $inside_block = 2;
+}
+
+
+if ($new_stackfile eq $old_stackfile) {
+        print "No changes to $safestack.h.\n";
+        exit 0; # avoid unnecessary rebuild
+}
+
+if ($do_write) {
+        print "Writing new $safestack.h.\n";
+        open OUT, ">$safestack.h" || die "Can't open output file";
+        print OUT $new_stackfile;
+        close OUT;
+}
diff --git a/src/lib/libssl/src/util/pl/Mingw32.pl b/src/lib/libssl/src/util/pl/Mingw32.pl
new file mode 100644
index 0000000000..84c2a22db3
--- /dev/null
+++ b/src/lib/libssl/src/util/pl/Mingw32.pl
@@ -0,0 +1,79 @@
+#!/usr/local/bin/perl
+#
+# Mingw32.pl -- Mingw32 with GNU cp (Mingw32f.pl uses DOS tools) 
+#
+
+$o='/';
+$cp='cp';
+$rm='rem'; # use 'rm -f' if using GNU file utilities
+$mkdir='gmkdir';
+
+# gcc wouldn't accept backslashes in paths
+#$o='\\';
+#$cp='copy';
+#$rm='del';
+
+# C compiler stuff
+
+$cc='gcc';
+if ($debug)
+        { $cflags="-g2 -ggdb"; }
+else
+        { $cflags="-DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall"; }
+
+$obj='.o';
+$ofile='-o ';
+
+# EXE linking stuff
+$link='${CC}';
+$lflags='${CFLAGS}';
+$efile='-o ';
+$exep='';
+$ex_libs="-lwsock32 -lgdi32";
+
+# static library stuff
+$mklib='ar r';
+$mlflags='';
+$ranlib='ranlib';
+$plib='lib';
+$libp=".a";
+$shlibp=".a";
+$lfile='';
+
+$asm='as';
+$afile='-o ';
+$bn_asm_obj="";
+$bn_asm_src="";
+$des_enc_obj="";
+$des_enc_src="";
+$bf_enc_obj="";
+$bf_enc_src="";
+
+sub do_lib_rule
+        {
+        local($obj,$target,$name,$shlib)=@_;
+        local($ret,$_,$Name);
+
+        $target =~ s/\//$o/g if $o ne '/';
+        $target="$target";
+        ($Name=$name) =~ tr/a-z/A-Z/;
+
+        $ret.="$target: \$(${Name}OBJ)\n";
+        $ret.="\t\$(RM) $target\n";
+        $ret.="\t\$(MKLIB) $target \$(${Name}OBJ)\n";
+        $ret.="\t\$(RANLIB) $target\n\n";
+        }
+
+sub do_link_rule
+        {
+        local($target,$files,$dep_libs,$libs)=@_;
+        local($ret,$_);
+        
+        $file =~ s/\//$o/g if $o ne '/';
+        $n=&bname($target);
+        $ret.="$target: $files $dep_libs\n";
+        $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n";
+        return($ret);
+        }
+1;
+
diff --git a/src/lib/libssl/src/util/pl/OS2-EMX.pl b/src/lib/libssl/src/util/pl/OS2-EMX.pl
new file mode 100644
index 0000000000..57180556ca
--- /dev/null
+++ b/src/lib/libssl/src/util/pl/OS2-EMX.pl
@@ -0,0 +1,96 @@
+#!/usr/local/bin/perl
+#
+# OS2-EMX.pl - for EMX GCC on OS/2
+#
+
+$o='\\';
+$cp='copy';
+$rm='rm -f';
+
+# C compiler stuff
+
+$cc='gcc';
+$cflags="-DL_ENDIAN -O3 -fomit-frame-pointer -m486 -Zmt -Wall ";
+
+if ($debug) { 
+        $cflags.="-g "; 
+}
+
+$obj='.o';
+$ofile='-o ';
+
+# EXE linking stuff
+$link='${CC}';
+$lflags='${CFLAGS} -Zbsd-signals';
+$efile='-o ';
+$exep='.exe';
+$ex_libs="-lsocket";
+
+# static library stuff
+$mklib='ar r';
+$mlflags='';
+$ranlib="ar s";
+$plib='lib';
+$libp=".a";
+$shlibp=".a";
+$lfile='';
+
+$asm='as';
+$afile='-o ';
+$bn_asm_obj="";
+$bn_asm_src="";
+$des_enc_obj="";
+$des_enc_src="";
+$bf_enc_obj="";
+$bf_enc_src="";
+
+if (!$no_asm)
+        {
+        $bn_asm_obj='crypto\bn\asm\bn-os2.o crypto\bn\asm\co-os2.o';
+        $bn_asm_src='crypto\bn\asm\bn-os2.asm crypto\bn\asm\co-os2.asm';
+        $des_enc_obj='crypto\des\asm\d-os2.o crypto\des\asm\y-os2.o';
+        $des_enc_src='crypto\des\asm\d-os2.asm crypto\des\asm\y-os2.asm';
+        $bf_enc_obj='crypto\bf\asm\b-os2.o';
+        $bf_enc_src='crypto\bf\asm\b-os2.asm';
+        $cast_enc_obj='crypto\cast\asm\c-os2.o';
+        $cast_enc_src='crypto\cast\asm\c-os2.asm';
+        $rc4_enc_obj='crypto\rc4\asm\r4-os2.o';
+        $rc4_enc_src='crypto\rc4\asm\r4-os2.asm';
+        $rc5_enc_obj='crypto\rc5\asm\r5-os2.o';
+        $rc5_enc_src='crypto\rc5\asm\r5-os2.asm';
+        $md5_asm_obj='crypto\md5\asm\m5-os2.o';
+        $md5_asm_src='crypto\md5\asm\m5-os2.asm';
+        $sha1_asm_obj='crypto\sha\asm\s1-os2.o';
+        $sha1_asm_src='crypto\sha\asm\s1-os2.asm';
+        $rmd160_asm_obj='crypto\ripemd\asm\rm-os2.o';
+        $rmd160_asm_src='crypto\ripemd\asm\rm-os2.asm';
+        }
+
+sub do_lib_rule
+        {
+        local($obj,$target,$name,$shlib)=@_;
+        local($ret,$_,$Name);
+
+        $target =~ s/\//$o/g if $o ne '/';
+        $target="$target";
+        ($Name=$name) =~ tr/a-z/A-Z/;
+
+        $ret.="$target: \$(${Name}OBJ)\n";
+        $ret.="\t\$(RM) $target\n";
+        $ret.="\t\$(MKLIB) $target \$(${Name}OBJ)\n";
+        $ret.="\t\$(RANLIB) $target\n\n";
+        }
+
+sub do_link_rule
+        {
+        local($target,$files,$dep_libs,$libs)=@_;
+        local($ret,$_);
+        
+        $file =~ s/\//$o/g if $o ne '/';
+        $n=&bname($target);
+        $ret.="$target: $files $dep_libs\n";
+        $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n";
+        return($ret);
+        }
+
+1;
diff --git a/src/lib/libssl/src/util/pl/ultrix.pl b/src/lib/libssl/src/util/pl/ultrix.pl
new file mode 100644
index 0000000000..ea370c71f9
--- /dev/null
+++ b/src/lib/libssl/src/util/pl/ultrix.pl
@@ -0,0 +1,38 @@
+#!/usr/local/bin/perl
+#
+# linux.pl - the standard unix makefile stuff.
+#
+
+$o='/';
+$cp='/bin/cp';
+$rm='/bin/rm -f';
+
+# C compiler stuff
+
+$cc='cc';
+if ($debug)
+        { $cflags="-g -DREF_CHECK -DCRYPTO_MDEBUG"; }
+else
+        { $cflags="-O2"; }
+
+$cflags.=" -std1 -DL_ENDIAN";
+
+if (!$no_asm)
+        {
+        $bn_asm_obj='$(OBJ_D)/mips1.o';
+        $bn_asm_src='crypto/bn/asm/mips1.s';
+        }
+
+sub do_link_rule
+        {
+        local($target,$files,$dep_libs,$libs)=@_;
+        local($ret,$_);
+        
+        $file =~ s/\//$o/g if $o ne '/';
+        $n=&bname($target);
+        $ret.="$target: $files $dep_libs\n";
+        $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n";
+        return($ret);
+        }
+
+1;
diff --git a/src/lib/libssl/src/util/pod2man.pl b/src/lib/libssl/src/util/pod2man.pl
new file mode 100644
index 0000000000..f5ec0767ed
--- /dev/null
+++ b/src/lib/libssl/src/util/pod2man.pl
@@ -0,0 +1,1181 @@
+: #!/usr/bin/perl-5.005
+    eval 'exec /usr/bin/perl -S $0 ${1+"$@"}'
+        if $running_under_some_shell;
+
+$DEF_PM_SECTION = '3pm' || '3';
+
+=head1 NAME
+
+pod2man - translate embedded Perl pod directives into man pages
+
+=head1 SYNOPSIS
+
+B<pod2man>
+[ B<--section=>I<manext> ]
+[ B<--release=>I<relpatch> ]
+[ B<--center=>I<string> ]
+[ B<--date=>I<string> ]
+[ B<--fixed=>I<font> ]
+[ B<--official> ]
+[ B<--lax> ]
+I<inputfile>
+
+=head1 DESCRIPTION
+
+B<pod2man> converts its input file containing embedded pod directives (see
+L<perlpod>) into nroff source suitable for viewing with nroff(1) or
+troff(1) using the man(7) macro set.
+
+Besides the obvious pod conversions, B<pod2man> also takes care of
+func(), func(n), and simple variable references like $foo or @bar so
+you don't have to use code escapes for them; complex expressions like
+C<$fred{'stuff'}> will still need to be escaped, though.  Other nagging
+little roffish things that it catches include translating the minus in
+something like foo-bar, making a long dash--like this--into a real em
+dash, fixing up "paired quotes", putting a little space after the
+parens in something like func(), making C++ and PI look right, making
+double underbars have a little tiny space between them, making ALLCAPS
+a teeny bit smaller in troff(1), and escaping backslashes so you don't
+have to.
+
+=head1 OPTIONS
+
+=over 8
+
+=item center
+
+Set the centered header to a specific string.  The default is
+"User Contributed Perl Documentation", unless the C<--official> flag is
+given, in which case the default is "Perl Programmers Reference Guide".
+
+=item date
+
+Set the left-hand footer string to this value.  By default,
+the modification date of the input file will be used.
+
+=item fixed
+
+The fixed font to use for code refs.  Defaults to CW.
+
+=item official
+
+Set the default header to indicate that this page is of
+the standard release in case C<--center> is not given.
+
+=item release
+
+Set the centered footer.  By default, this is the current
+perl release.
+
+=item section
+
+Set the section for the C<.TH> macro.  The standard conventions on
+sections are to use 1 for user commands,  2 for system calls, 3 for
+functions, 4 for devices, 5 for file formats, 6 for games, 7 for
+miscellaneous information, and 8 for administrator commands.  This works
+best if you put your Perl man pages in a separate tree, like
+F</usr/local/perl/man/>.  By default, section 1 will be used
+unless the file ends in F<.pm> in which case section 3 will be selected.
+
+=item lax
+
+Don't complain when required sections aren't present.
+
+=back
+
+=head1 Anatomy of a Proper Man Page
+
+For those not sure of the proper layout of a man page, here's
+an example of the skeleton of a proper man page.  Head of the
+major headers should be setout as a C<=head1> directive, and
+are historically written in the rather startling ALL UPPER CASE
+format, although this is not mandatory.
+Minor headers may be included using C<=head2>, and are
+typically in mixed case.
+
+=over 10
+
+=item NAME
+
+Mandatory section; should be a comma-separated list of programs or
+functions documented by this podpage, such as:
+
+    foo, bar - programs to do something
+
+=item SYNOPSIS
+
+A short usage summary for programs and functions, which
+may someday be deemed mandatory.
+
+=item DESCRIPTION
+
+Long drawn out discussion of the program.  It's a good idea to break this
+up into subsections using the C<=head2> directives, like
+
+    =head2 A Sample Subection
+
+    =head2 Yet Another Sample Subection
+
+=item OPTIONS
+
+Some people make this separate from the description.
+
+=item RETURN VALUE
+
+What the program or function returns if successful.
+
+=item ERRORS
+
+Exceptions, return codes, exit stati, and errno settings.
+
+=item EXAMPLES
+
+Give some example uses of the program.
+
+=item ENVIRONMENT
+
+Envariables this program might care about.
+
+=item FILES
+
+All files used by the program.  You should probably use the FE<lt>E<gt>
+for these.
+
+=item SEE ALSO
+
+Other man pages to check out, like man(1), man(7), makewhatis(8), or catman(8).
+
+=item NOTES
+
+Miscellaneous commentary.
+
+=item CAVEATS
+
+Things to take special care with; sometimes called WARNINGS.
+
+=item DIAGNOSTICS
+
+All possible messages the program can print out--and
+what they mean.
+
+=item BUGS
+
+Things that are broken or just don't work quite right.
+
+=item RESTRICTIONS
+
+Bugs you don't plan to fix :-)
+
+=item AUTHOR
+
+Who wrote it (or AUTHORS if multiple).
+
+=item HISTORY
+
+Programs derived from other sources sometimes have this, or
+you might keep a modification log here.
+
+=back
+
+=head1 EXAMPLES
+
+    pod2man program > program.1
+    pod2man some_module.pm > /usr/perl/man/man3/some_module.3
+    pod2man --section=7 note.pod > note.7
+
+=head1 DIAGNOSTICS
+
+The following diagnostics are generated by B<pod2man>.  Items
+marked "(W)" are non-fatal, whereas the "(F)" errors will cause
+B<pod2man> to immediately exit with a non-zero status.
+
+=over 4
+
+=item bad option in paragraph %d of %s: ``%s'' should be [%s]<%s>
+
+(W) If you start include an option, you should set it off
+as bold, italic, or code.
+
+=item can't open %s: %s
+
+(F) The input file wasn't available for the given reason.
+
+=item Improper man page - no dash in NAME header in paragraph %d of %s
+
+(W) The NAME header did not have an isolated dash in it.  This is
+considered important.
+
+=item Invalid man page - no NAME line in %s
+
+(F) You did not include a NAME header, which is essential.
+
+=item roff font should be 1 or 2 chars, not `%s'  (F)
+
+(F) The font specified with the C<--fixed> option was not
+a one- or two-digit roff font.
+
+=item %s is missing required section: %s
+
+(W) Required sections include NAME, DESCRIPTION, and if you're
+using a section starting with a 3, also a SYNOPSIS.  Actually,
+not having a NAME is a fatal.
+
+=item Unknown escape: %s in %s
+
+(W) An unknown HTML entity (probably for an 8-bit character) was given via
+a C<EE<lt>E<gt>> directive.  Besides amp, lt, gt, and quot, recognized
+entities are Aacute, aacute, Acirc, acirc, AElig, aelig, Agrave, agrave,
+Aring, aring, Atilde, atilde, Auml, auml, Ccedil, ccedil, Eacute, eacute,
+Ecirc, ecirc, Egrave, egrave, ETH, eth, Euml, euml, Iacute, iacute, Icirc,
+icirc, Igrave, igrave, Iuml, iuml, Ntilde, ntilde, Oacute, oacute, Ocirc,
+ocirc, Ograve, ograve, Oslash, oslash, Otilde, otilde, Ouml, ouml, szlig,
+THORN, thorn, Uacute, uacute, Ucirc, ucirc, Ugrave, ugrave, Uuml, uuml,
+Yacute, yacute, and yuml.
+
+=item Unmatched =back
+
+(W) You have a C<=back> without a corresponding C<=over>.
+
+=item Unrecognized pod directive: %s
+
+(W) You specified a pod directive that isn't in the known list of
+C<=head1>, C<=head2>, C<=item>, C<=over>, C<=back>, or C<=cut>.
+
+
+=back
+
+=head1 NOTES
+
+If you would like to print out a lot of man page continuously, you
+probably want to set the C and D registers to set contiguous page
+numbering and even/odd paging, at least on some versions of man(7).
+Settting the F register will get you some additional experimental
+indexing:
+
+    troff -man -rC1 -rD1 -rF1 perl.1 perldata.1 perlsyn.1 ...
+
+The indexing merely outputs messages via C<.tm> for each
+major page, section, subsection, item, and any C<XE<lt>E<gt>>
+directives.
+
+
+=head1 RESTRICTIONS
+
+None at this time.
+
+=head1 BUGS
+
+The =over and =back directives don't really work right.  They
+take absolute positions instead of offsets, don't nest well, and
+making people count is suboptimal in any event.
+
+=head1 AUTHORS
+
+Original prototype by Larry Wall, but so massively hacked over by
+Tom Christiansen such that Larry probably doesn't recognize it anymore.
+
+=cut
+
+$/ = "";
+$cutting = 1;
+@Indices = ();
+
+# We try first to get the version number from a local binary, in case we're
+# running an installed version of Perl to produce documentation from an
+# uninstalled newer version's pod files.
+if ($^O ne 'plan9' and $^O ne 'dos' and $^O ne 'os2' and $^O ne 'MSWin32') {
+  my $perl = (-x './perl' && -f './perl' ) ?
+                 './perl' :
+                 ((-x '../perl' && -f '../perl') ?
+                      '../perl' :
+                      '');
+  ($version,$patch) = `$perl -e 'print $]'` =~ /^(\d\.\d{3})(\d{2})?/ if $perl;
+}
+# No luck; we'll just go with the running Perl's version
+($version,$patch) = $] =~ /^(.{5})(\d{2})?/ unless $version;
+$DEF_RELEASE  = "perl $version";
+$DEF_RELEASE .= ", patch $patch" if $patch;
+
+
+sub makedate {
+    my $secs = shift;
+    my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime($secs);
+    my $mname = (qw{Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec})[$mon];
+    $year += 1900;
+    return "$mday/$mname/$year";
+}
+
+use Getopt::Long;
+
+$DEF_SECTION = 1;
+$DEF_CENTER = "User Contributed Perl Documentation";
+$STD_CENTER = "Perl Programmers Reference Guide";
+$DEF_FIXED = 'CW';
+$DEF_LAX = 0;
+
+sub usage {
+    warn "$0: @_\n" if @_;
+    die <<EOF;
+usage: $0 [options] podpage
+Options are:
+        --section=manext      (default "$DEF_SECTION")
+        --release=relpatch    (default "$DEF_RELEASE")
+        --center=string       (default "$DEF_CENTER")
+        --date=string         (default "$DEF_DATE")
+        --fixed=font          (default "$DEF_FIXED")
+        --official            (default NOT)
+        --lax                 (default NOT)
+EOF
+}
+
+$uok = GetOptions( qw(
+        section=s
+        release=s
+        center=s
+        date=s
+        fixed=s
+        official
+        lax
+        help));
+
+$DEF_DATE = makedate((stat($ARGV[0]))[9] || time());
+
+usage("Usage error!") unless $uok;
+usage() if $opt_help;
+usage("Need one and only one podpage argument") unless @ARGV == 1;
+
+$section = $opt_section || ($ARGV[0] =~ /\.pm$/
+                                ? $DEF_PM_SECTION : $DEF_SECTION);
+$RP = $opt_release || $DEF_RELEASE;
+$center = $opt_center || ($opt_official ? $STD_CENTER : $DEF_CENTER);
+$lax = $opt_lax || $DEF_LAX;
+
+$CFont = $opt_fixed || $DEF_FIXED;
+
+if (length($CFont) == 2) {
+    $CFont_embed = "\\f($CFont";
+}
+elsif (length($CFont) == 1) {
+    $CFont_embed = "\\f$CFont";
+}
+else {
+    die "roff font should be 1 or 2 chars, not `$CFont_embed'";
+}
+
+$date = $opt_date || $DEF_DATE;
+
+for (qw{NAME DESCRIPTION}) {
+# for (qw{NAME DESCRIPTION AUTHOR}) {
+    $wanna_see{$_}++;
+}
+$wanna_see{SYNOPSIS}++ if $section =~ /^3/;
+
+
+$name = @ARGV ? $ARGV[0] : "<STDIN>";
+$Filename = $name;
+if ($section =~ /^1/) {
+    require File::Basename;
+    $name = uc File::Basename::basename($name);
+}
+$name =~ s/\.(pod|p[lm])$//i;
+
+# Lose everything up to the first of
+#     */lib/*perl*      standard or site_perl module
+#     */*perl*/lib      from -D prefix=/opt/perl
+#     */*perl*/         random module hierarchy
+# which works.
+$name =~ s-//+-/-g;
+if ($name =~ s-^.*?/lib/[^/]*perl[^/]*/--i
+        or $name =~ s-^.*?/[^/]*perl[^/]*/lib/--i
+        or $name =~ s-^.*?/[^/]*perl[^/]*/--i) {
+    # Lose ^site(_perl)?/.
+    $name =~ s-^site(_perl)?/--;
+    # Lose ^arch/.      (XXX should we use Config? Just for archname?)
+    $name =~ s~^(.*-$^O|$^O-.*)/~~o;
+    # Lose ^version/.
+    $name =~ s-^\d+\.\d+/--;
+}
+
+# Translate Getopt/Long to Getopt::Long, etc.
+$name =~ s(/)(::)g;
+
+if ($name ne 'something') {
+    FCHECK: {
+        open(F, "< $ARGV[0]") || die "can't open $ARGV[0]: $!";
+        while (<F>) {
+            next unless /^=\b/;
+            if (/^=head1\s+NAME\s*$/) {  # an /m would forgive mistakes
+                $_ = <F>;
+                unless (/\s*-+\s+/) {
+                    $oops++;
+                    warn "$0: Improper man page - no dash in NAME header in paragraph $. of $ARGV[0]\n"
+                } else {
+                    my @n = split /\s+-+\s+/;
+                    if (@n != 2) {
+                        $oops++;
+                        warn "$0: Improper man page - malformed NAME header in paragraph $. of $ARGV[0]\n"
+                    }
+                    else {
+                        %namedesc = @n;
+                    }
+                }
+                last FCHECK;
+            }
+            next if /^=cut\b/;  # DB_File and Net::Ping have =cut before NAME
+            next if /^=pod\b/;  # It is OK to have =pod before NAME
+            die "$0: Invalid man page - 1st pod line is not NAME in $ARGV[0]\n" unless $lax;
+        }
+        die "$0: Invalid man page - no documentation in $ARGV[0]\n" unless $lax;
+    }
+    close F;
+}
+
+print <<"END";
+.rn '' }`
+''' \$RCSfile\$\$Revision\$\$Date\$
+'''
+''' \$Log\$
+'''
+.de Sh
+.br
+.if t .Sp
+.ne 5
+.PP
+\\fB\\\\\$1\\fR
+.PP
+..
+.de Sp
+.if t .sp .5v
+.if n .sp
+..
+.de Ip
+.br
+.ie \\\\n(.\$>=3 .ne \\\\\$3
+.el .ne 3
+.IP "\\\\\$1" \\\\\$2
+..
+.de Vb
+.ft $CFont
+.nf
+.ne \\\\\$1
+..
+.de Ve
+.ft R
+
+.fi
+..
+'''
+'''
+'''     Set up \\*(-- to give an unbreakable dash;
+'''     string Tr holds user defined translation string.
+'''     Bell System Logo is used as a dummy character.
+'''
+.tr \\(*W-|\\(bv\\*(Tr
+.ie n \\{\\
+.ds -- \\(*W-
+.ds PI pi
+.if (\\n(.H=4u)&(1m=24u) .ds -- \\(*W\\h'-12u'\\(*W\\h'-12u'-\\" diablo 10 pitch
+.if (\\n(.H=4u)&(1m=20u) .ds -- \\(*W\\h'-12u'\\(*W\\h'-8u'-\\" diablo 12 pitch
+.ds L" ""
+.ds R" ""
+'''   \\*(M", \\*(S", \\*(N" and \\*(T" are the equivalent of
+'''   \\*(L" and \\*(R", except that they are used on ".xx" lines,
+'''   such as .IP and .SH, which do another additional levels of
+'''   double-quote interpretation
+.ds M" """
+.ds S" """
+.ds N" """""
+.ds T" """""
+.ds L' '
+.ds R' '
+.ds M' '
+.ds S' '
+.ds N' '
+.ds T' '
+'br\\}
+.el\\{\\
+.ds -- \\(em\\|
+.tr \\*(Tr
+.ds L" ``
+.ds R" ''
+.ds M" ``
+.ds S" ''
+.ds N" ``
+.ds T" ''
+.ds L' `
+.ds R' '
+.ds M' `
+.ds S' '
+.ds N' `
+.ds T' '
+.ds PI \\(*p
+'br\\}
+END
+
+print <<'END';
+.\"     If the F register is turned on, we'll generate
+.\"     index entries out stderr for the following things:
+.\"             TH      Title 
+.\"             SH      Header
+.\"             Sh      Subsection 
+.\"             Ip      Item
+.\"             X<>     Xref  (embedded
+.\"     Of course, you have to process the output yourself
+.\"     in some meaninful fashion.
+.if \nF \{
+.de IX
+.tm Index:\\$1\t\\n%\t"\\$2"
+..
+.nr % 0
+.rr F
+.\}
+END
+
+print <<"END";
+.TH $name $section "$RP" "$date" "$center"
+.UC
+END
+
+push(@Indices, qq{.IX Title "$name $section"});
+
+while (($name, $desc) = each %namedesc) {
+    for ($name, $desc) { s/^\s+//; s/\s+$//; }
+    push(@Indices, qq(.IX Name "$name - $desc"\n));
+}
+
+print <<'END';
+.if n .hy 0
+.if n .na
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.de CQ          \" put $1 in typewriter font
+END
+print ".ft $CFont\n";
+print <<'END';
+'if n "\c
+'if t \\&\\$1\c
+'if n \\&\\$1\c
+'if n \&"
+\\&\\$2 \\$3 \\$4 \\$5 \\$6 \\$7
+'.ft R
+..
+.\" @(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2
+.       \" AM - accent mark definitions
+.bd B 3
+.       \" fudge factors for nroff and troff
+.if n \{\
+.       ds #H 0
+.       ds #V .8m
+.       ds #F .3m
+.       ds #[ \f1
+.       ds #] \fP
+.\}
+.if t \{\
+.       ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.       ds #V .6m
+.       ds #F 0
+.       ds #[ \&
+.       ds #] \&
+.\}
+.       \" simple accents for nroff and troff
+.if n \{\
+.       ds ' \&
+.       ds ` \&
+.       ds ^ \&
+.       ds , \&
+.       ds ~ ~
+.       ds ? ?
+.       ds ! !
+.       ds /
+.       ds q
+.\}
+.if t \{\
+.       ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.       ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.       ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.       ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.       ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.       ds ? \s-2c\h'-\w'c'u*7/10'\u\h'\*(#H'\zi\d\s+2\h'\w'c'u*8/10'
+.       ds ! \s-2\(or\s+2\h'-\w'\(or'u'\v'-.8m'.\v'.8m'
+.       ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.       ds q o\h'-\w'o'u*8/10'\s-4\v'.4m'\z\(*i\v'-.4m'\s+4\h'\w'o'u*8/10'
+.\}
+.       \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds v \\k:\h'-(\\n(.wu*9/10-\*(#H)'\v'-\*(#V'\*(#[\s-4v\s0\v'\*(#V'\h'|\\n:u'\*(#]
+.ds _ \\k:\h'-(\\n(.wu*9/10-\*(#H+(\*(#F*2/3))'\v'-.4m'\z\(hy\v'.4m'\h'|\\n:u'
+.ds . \\k:\h'-(\\n(.wu*8/10)'\v'\*(#V*4/10'\z.\v'-\*(#V*4/10'\h'|\\n:u'
+.ds 3 \*(#[\v'.2m'\s-2\&3\s0\v'-.2m'\*(#]
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.ds oe o\h'-(\w'o'u*4/10)'e
+.ds Oe O\h'-(\w'O'u*4/10)'E
+.       \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.       \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.       ds : e
+.       ds 8 ss
+.       ds v \h'-1'\o'\(aa\(ga'
+.       ds _ \h'-1'^
+.       ds . \h'-1'.
+.       ds 3 3
+.       ds o a
+.       ds d- d\h'-1'\(ga
+.       ds D- D\h'-1'\(hy
+.       ds th \o'bp'
+.       ds Th \o'LP'
+.       ds ae ae
+.       ds Ae AE
+.       ds oe oe
+.       ds Oe OE
+.\}
+.rm #[ #] #H #V #F C
+END
+
+$indent = 0;
+
+$begun = "";
+
+# Unrolling [^A-Z>]|[A-Z](?!<) gives:    // MRE pp 165.
+my $nonest = '(?:[^A-Z>]*(?:[A-Z](?!<)[^A-Z>]*)*)';
+
+while (<>) {
+    if ($cutting) {
+        next unless /^=/;
+        $cutting = 0;
+    }
+    if ($begun) {
+        if (/^=end\s+$begun/) {
+            $begun = "";
+        }
+        elsif ($begun =~ /^(roff|man)$/) {
+            print STDOUT $_;
+        }
+        next;
+    }
+    chomp;
+
+    # Translate verbatim paragraph
+
+    if (/^\s/) {
+        @lines = split(/\n/);
+        for (@lines) {
+            1 while s
+                {^( [^\t]* ) \t ( \t* ) }
+                { $1 . ' ' x (8 - (length($1)%8) + 8 * (length($2))) }ex;
+            s/\\/\\e/g;
+            s/\A/\\&/s;
+        }
+        $lines = @lines;
+        makespace() unless $verbatim++;
+        print ".Vb $lines\n";
+        print join("\n", @lines), "\n";
+        print ".Ve\n";
+        $needspace = 0;
+        next;
+    }
+
+    $verbatim = 0;
+
+    if (/^=for\s+(\S+)\s*/s) {
+        if ($1 eq "man" or $1 eq "roff") {
+            print STDOUT $',"\n\n";
+        } else {
+            # ignore unknown for
+        }
+        next;
+    }
+    elsif (/^=begin\s+(\S+)\s*/s) {
+        $begun = $1;
+        if ($1 eq "man" or $1 eq "roff") {
+            print STDOUT $'."\n\n";
+        }
+        next;
+    }
+
+    # check for things that'll hosed our noremap scheme; affects $_
+    init_noremap();
+
+    if (!/^=item/) {
+
+        # trofficate backslashes; must do it before what happens below
+        s/\\/noremap('\\e')/ge;
+
+        # protect leading periods and quotes against *roff
+        # mistaking them for directives
+        s/^(?:[A-Z]<)?[.']/\\&$&/gm;
+
+        # first hide the escapes in case we need to
+        # intuit something and get it wrong due to fmting
+
+        1 while s/([A-Z]<$nonest>)/noremap($1)/ge;
+
+        # func() is a reference to a perl function
+        s{
+            \b
+            (
+                [:\w]+ \(\)
+            )
+        } {I<$1>}gx;
+
+        # func(n) is a reference to a perl function or a man page
+        s{
+            ([:\w]+)
+            (
+                \( [^\051]+ \)
+            )
+        } {I<$1>\\|$2}gx;
+
+        # convert simple variable references
+        s/(\s+)([\$\@%][\w:]+)(?!\()/${1}C<$2>/g;
+
+        if (m{ (
+                    [\-\w]+
+                    \(
+                        [^\051]*?
+                        [\@\$,]
+                        [^\051]*?
+                    \)
+                )
+            }x && $` !~ /([LCI]<[^<>]*|-)$/ && !/^=\w/)
+        {
+            warn "$0: bad option in paragraph $. of $ARGV: ``$1'' should be [LCI]<$1>\n";
+            $oops++;
+        }
+
+        while (/(-[a-zA-Z])\b/g && $` !~ /[\w\-]$/) {
+            warn "$0: bad option in paragraph $. of $ARGV: ``$1'' should be [CB]<$1>\n";
+            $oops++;
+        }
+
+        # put it back so we get the <> processed again;
+        clear_noremap(0); # 0 means leave the E's
+
+    } else {
+        # trofficate backslashes
+        s/\\/noremap('\\e')/ge;
+
+    }
+
+    # need to hide E<> first; they're processed in clear_noremap
+    s/(E<[^<>]+>)/noremap($1)/ge;
+
+
+    $maxnest = 10;
+    while ($maxnest-- && /[A-Z]</) {
+
+        # can't do C font here
+        s/([BI])<($nonest)>/font($1) . $2 . font('R')/eg;
+
+        # files and filelike refs in italics
+        s/F<($nonest)>/I<$1>/g;
+
+        # no break -- usually we want C<> for this
+        s/S<($nonest)>/nobreak($1)/eg;
+
+        # LREF: a la HREF L<show this text|man/section>
+        s:L<([^|>]+)\|[^>]+>:$1:g;
+
+        # LREF: a manpage(3f)
+        s:L<([a-zA-Z][^\s\/]+)(\([^\)]+\))?>:the I<$1>$2 manpage:g;
+
+        # LREF: an =item on another manpage
+        s{
+            L<
+                ([^/]+)
+                /
+                (
+                    [:\w]+
+                    (\(\))?
+                )
+            >
+        } {the C<$2> entry in the I<$1> manpage}gx;
+
+        # LREF: an =item on this manpage
+        s{
+           ((?:
+            L<
+                /
+                (
+                    [:\w]+
+                    (\(\))?
+                )
+            >
+            (,?\s+(and\s+)?)?
+          )+)
+        } { internal_lrefs($1) }gex;
+
+        # LREF: a =head2 (head1?), maybe on a manpage, maybe right here
+        # the "func" can disambiguate
+        s{
+            L<
+                (?:
+                    ([a-zA-Z]\S+?) /
+                )?
+                "?(.*?)"?
+            >
+        }{
+            do {
+                $1      # if no $1, assume it means on this page.
+                    ?  "the section on I<$2> in the I<$1> manpage"
+                    :  "the section on I<$2>"
+            }
+        }gesx; # s in case it goes over multiple lines, so . matches \n
+
+        s/Z<>/\\&/g;
+
+        # comes last because not subject to reprocessing
+        s/C<($nonest)>/noremap("${CFont_embed}${1}\\fR")/eg;
+    }
+
+    if (s/^=//) {
+        $needspace = 0;         # Assume this.
+
+        s/\n/ /g;
+
+        ($Cmd, $_) = split(' ', $_, 2);
+
+        $dotlevel = 1;
+        if ($Cmd eq 'head1') {
+           $dotlevel = 1;
+        }
+        elsif ($Cmd eq 'head2') {
+           $dotlevel = 1;
+        }
+        elsif ($Cmd eq 'item') {
+           $dotlevel = 2;
+        }
+
+        if (defined $_) {
+            &escapes($dotlevel);
+            s/"/""/g;
+        }
+
+        clear_noremap(1);
+
+        if ($Cmd eq 'cut') {
+            $cutting = 1;
+        }
+        elsif ($Cmd eq 'head1') {
+            s/\s+$//;
+            delete $wanna_see{$_} if exists $wanna_see{$_};
+            print qq{.SH "$_"\n};
+      push(@Indices, qq{.IX Header "$_"\n});
+        }
+        elsif ($Cmd eq 'head2') {
+            print qq{.Sh "$_"\n};
+      push(@Indices, qq{.IX Subsection "$_"\n});
+        }
+        elsif ($Cmd eq 'over') {
+            push(@indent,$indent);
+            $indent += ($_ + 0) || 5;
+        }
+        elsif ($Cmd eq 'back') {
+            $indent = pop(@indent);
+            warn "$0: Unmatched =back in paragraph $. of $ARGV\n" unless defined $indent;
+            $needspace = 1;
+        }
+        elsif ($Cmd eq 'item') {
+            s/^\*( |$)/\\(bu$1/g;
+            # if you know how to get ":s please do
+            s/\\\*\(L"([^"]+?)\\\*\(R"/'$1'/g;
+            s/\\\*\(L"([^"]+?)""/'$1'/g;
+            s/[^"]""([^"]+?)""[^"]/'$1'/g;
+            # here do something about the $" in perlvar?
+            print STDOUT qq{.Ip "$_" $indent\n};
+      push(@Indices, qq{.IX Item "$_"\n});
+        }
+        elsif ($Cmd eq 'pod') {
+            # this is just a comment
+        } 
+        else {
+            warn "$0: Unrecognized pod directive in paragraph $. of $ARGV: $Cmd\n";
+        }
+    }
+    else {
+        if ($needspace) {
+            &makespace;
+        }
+        &escapes(0);
+        clear_noremap(1);
+        print $_, "\n";
+        $needspace = 1;
+    }
+}
+
+print <<"END";
+
+.rn }` ''
+END
+
+if (%wanna_see && !$lax) {
+    @missing = keys %wanna_see;
+    warn "$0: $Filename is missing required section"
+        .  (@missing > 1 && "s")
+        .  ": @missing\n";
+    $oops++;
+}
+
+foreach (@Indices) { print "$_\n"; }
+
+exit;
+#exit ($oops != 0);
+
+#########################################################################
+
+sub nobreak {
+    my $string = shift;
+    $string =~ s/ /\\ /g;
+    $string;
+}
+
+sub escapes {
+    my $indot = shift;
+
+    s/X<(.*?)>/mkindex($1)/ge;
+
+    # translate the minus in foo-bar into foo\-bar for roff
+    s/([^0-9a-z-])-([^-])/$1\\-$2/g;
+
+    # make -- into the string version \*(-- (defined above)
+    s/\b--\b/\\*(--/g;
+    s/"--([^"])/"\\*(--$1/g;  # should be a better way
+    s/([^"])--"/$1\\*(--"/g;
+
+    # fix up quotes; this is somewhat tricky
+    my $dotmacroL = 'L';
+    my $dotmacroR = 'R';
+    if ( $indot == 1 ) {
+        $dotmacroL = 'M';
+        $dotmacroR = 'S';
+    }  
+    elsif ( $indot >= 2 ) {
+        $dotmacroL = 'N';
+        $dotmacroR = 'T';
+    }  
+    if (!/""/) {
+        s/(^|\s)(['"])/noremap("$1\\*($dotmacroL$2")/ge;
+        s/(['"])($|[\-\s,;\\!?.])/noremap("\\*($dotmacroR$1$2")/ge;
+    }
+
+    #s/(?!")(?:.)--(?!")(?:.)/\\*(--/g;
+    #s/(?:(?!")(?:.)--(?:"))|(?:(?:")--(?!")(?:.))/\\*(--/g;
+
+
+    # make sure that func() keeps a bit a space tween the parens
+    ### s/\b\(\)/\\|()/g;
+    ### s/\b\(\)/(\\|)/g;
+
+    # make C++ into \*C+, which is a squinched version (defined above)
+    s/\bC\+\+/\\*(C+/g;
+
+    # make double underbars have a little tiny space between them
+    s/__/_\\|_/g;
+
+    # PI goes to \*(PI (defined above)
+    s/\bPI\b/noremap('\\*(PI')/ge;
+
+    # make all caps a teeny bit smaller, but don't muck with embedded code literals
+    my $hidCFont = font('C');
+    if ($Cmd !~ /^head1/) { # SH already makes smaller
+        # /g isn't enough; 1 while or we'll be off
+
+#       1 while s{
+#           (?!$hidCFont)(..|^.|^)
+#           \b
+#           (
+#               [A-Z][\/A-Z+:\-\d_$.]+
+#           )
+#           (s?)                
+#           \b
+#       } {$1\\s-1$2\\s0}gmox;
+
+        1 while s{
+            (?!$hidCFont)(..|^.|^)
+            (
+                \b[A-Z]{2,}[\/A-Z+:\-\d_\$]*\b
+            )
+        } {
+            $1 . noremap( '\\s-1' .  $2 . '\\s0' )
+        }egmox;
+
+    }
+}
+
+# make troff just be normal, but make small nroff get quoted
+# decided to just put the quotes in the text; sigh;
+sub ccvt {
+    local($_,$prev) = @_;
+    noremap(qq{.CQ "$_" \n\\&});
+}
+
+sub makespace {
+    if ($indent) {
+        print ".Sp\n";
+    }
+    else {
+        print ".PP\n";
+    }
+}
+
+sub mkindex {
+    my ($entry) = @_;
+    my @entries = split m:\s*/\s*:, $entry;
+    push @Indices, ".IX Xref " . join ' ', map {qq("$_")} @entries;
+    return '';
+}
+
+sub font {
+    local($font) = shift;
+    return '\\f' . noremap($font);
+}
+
+sub noremap {
+    local($thing_to_hide) = shift;
+    $thing_to_hide =~ tr/\000-\177/\200-\377/;
+    return $thing_to_hide;
+}
+
+sub init_noremap {
+        # escape high bit characters in input stream
+        s/([\200-\377])/"E<".ord($1).">"/ge;
+}
+
+sub clear_noremap {
+    my $ready_to_print = $_[0];
+
+    tr/\200-\377/\000-\177/;
+
+    # trofficate backslashes
+    # s/(?!\\e)(?:..|^.|^)\\/\\e/g;
+
+    # now for the E<>s, which have been hidden until now
+    # otherwise the interative \w<> processing would have
+    # been hosed by the E<gt>
+    s {
+            E<
+            (
+                ( \d + ) 
+                | ( [A-Za-z]+ ) 
+            )
+            >   
+    } {
+         do {
+             defined $2
+                ? chr($2)
+                :       
+             exists $HTML_Escapes{$3}
+                ? do { $HTML_Escapes{$3} }
+                : do {
+                    warn "$0: Unknown escape in paragraph $. of $ARGV: ``$&''\n";
+                    "E<$1>";
+                }
+         }
+    }egx if $ready_to_print;
+}
+
+sub internal_lrefs {
+    local($_) = shift;
+    local $trailing_and = s/and\s+$// ? "and " : "";
+
+    s{L</([^>]+)>}{$1}g;
+    my(@items) = split( /(?:,?\s+(?:and\s+)?)/ );
+    my $retstr = "the ";
+    my $i;
+    for ($i = 0; $i <= $#items; $i++) {
+        $retstr .= "C<$items[$i]>";
+        $retstr .= ", " if @items > 2 && $i != $#items;
+        $retstr .= " and " if $i+2 == @items;
+    }
+
+    $retstr .= " entr" . ( @items > 1  ? "ies" : "y" )
+            .  " elsewhere in this document";
+    # terminal space to avoid words running together (pattern used
+    # strips terminal spaces)
+    $retstr .= " " if length $trailing_and;
+    $retstr .=  $trailing_and;
+
+    return $retstr;
+
+}
+
+BEGIN {
+%HTML_Escapes = (
+    'amp'       =>      '&',    #   ampersand
+    'lt'        =>      '<',    #   left chevron, less-than
+    'gt'        =>      '>',    #   right chevron, greater-than
+    'quot'      =>      '"',    #   double quote
+
+    "Aacute"    =>      "A\\*'",        #   capital A, acute accent
+    "aacute"    =>      "a\\*'",        #   small a, acute accent
+    "Acirc"     =>      "A\\*^",        #   capital A, circumflex accent
+    "acirc"     =>      "a\\*^",        #   small a, circumflex accent
+    "AElig"     =>      '\*(AE',        #   capital AE diphthong (ligature)
+    "aelig"     =>      '\*(ae',        #   small ae diphthong (ligature)
+    "Agrave"    =>      "A\\*`",        #   capital A, grave accent
+    "agrave"    =>      "A\\*`",        #   small a, grave accent
+    "Aring"     =>      'A\\*o',        #   capital A, ring
+    "aring"     =>      'a\\*o',        #   small a, ring
+    "Atilde"    =>      'A\\*~',        #   capital A, tilde
+    "atilde"    =>      'a\\*~',        #   small a, tilde
+    "Auml"      =>      'A\\*:',        #   capital A, dieresis or umlaut mark
+    "auml"      =>      'a\\*:',        #   small a, dieresis or umlaut mark
+    "Ccedil"    =>      'C\\*,',        #   capital C, cedilla
+    "ccedil"    =>      'c\\*,',        #   small c, cedilla
+    "Eacute"    =>      "E\\*'",        #   capital E, acute accent
+    "eacute"    =>      "e\\*'",        #   small e, acute accent
+    "Ecirc"     =>      "E\\*^",        #   capital E, circumflex accent
+    "ecirc"     =>      "e\\*^",        #   small e, circumflex accent
+    "Egrave"    =>      "E\\*`",        #   capital E, grave accent
+    "egrave"    =>      "e\\*`",        #   small e, grave accent
+    "ETH"       =>      '\\*(D-',       #   capital Eth, Icelandic
+    "eth"       =>      '\\*(d-',       #   small eth, Icelandic
+    "Euml"      =>      "E\\*:",        #   capital E, dieresis or umlaut mark
+    "euml"      =>      "e\\*:",        #   small e, dieresis or umlaut mark
+    "Iacute"    =>      "I\\*'",        #   capital I, acute accent
+    "iacute"    =>      "i\\*'",        #   small i, acute accent
+    "Icirc"     =>      "I\\*^",        #   capital I, circumflex accent
+    "icirc"     =>      "i\\*^",        #   small i, circumflex accent
+    "Igrave"    =>      "I\\*`",        #   capital I, grave accent
+    "igrave"    =>      "i\\*`",        #   small i, grave accent
+    "Iuml"      =>      "I\\*:",        #   capital I, dieresis or umlaut mark
+    "iuml"      =>      "i\\*:",        #   small i, dieresis or umlaut mark
+    "Ntilde"    =>      'N\*~',         #   capital N, tilde
+    "ntilde"    =>      'n\*~',         #   small n, tilde
+    "Oacute"    =>      "O\\*'",        #   capital O, acute accent
+    "oacute"    =>      "o\\*'",        #   small o, acute accent
+    "Ocirc"     =>      "O\\*^",        #   capital O, circumflex accent
+    "ocirc"     =>      "o\\*^",        #   small o, circumflex accent
+    "Ograve"    =>      "O\\*`",        #   capital O, grave accent
+    "ograve"    =>      "o\\*`",        #   small o, grave accent
+    "Oslash"    =>      "O\\*/",        #   capital O, slash
+    "oslash"    =>      "o\\*/",        #   small o, slash
+    "Otilde"    =>      "O\\*~",        #   capital O, tilde
+    "otilde"    =>      "o\\*~",        #   small o, tilde
+    "Ouml"      =>      "O\\*:",        #   capital O, dieresis or umlaut mark
+    "ouml"      =>      "o\\*:",        #   small o, dieresis or umlaut mark
+    "szlig"     =>      '\*8',          #   small sharp s, German (sz ligature)
+    "THORN"     =>      '\\*(Th',       #   capital THORN, Icelandic
+    "thorn"     =>      '\\*(th',,      #   small thorn, Icelandic
+    "Uacute"    =>      "U\\*'",        #   capital U, acute accent
+    "uacute"    =>      "u\\*'",        #   small u, acute accent
+    "Ucirc"     =>      "U\\*^",        #   capital U, circumflex accent
+    "ucirc"     =>      "u\\*^",        #   small u, circumflex accent
+    "Ugrave"    =>      "U\\*`",        #   capital U, grave accent
+    "ugrave"    =>      "u\\*`",        #   small u, grave accent
+    "Uuml"      =>      "U\\*:",        #   capital U, dieresis or umlaut mark
+    "uuml"      =>      "u\\*:",        #   small u, dieresis or umlaut mark
+    "Yacute"    =>      "Y\\*'",        #   capital Y, acute accent
+    "yacute"    =>      "y\\*'",        #   small y, acute accent
+    "yuml"      =>      "y\\*:",        #   small y, dieresis or umlaut mark
+);
+}
+
diff --git a/src/lib/libssl/src/util/selftest.pl b/src/lib/libssl/src/util/selftest.pl
new file mode 100644
index 0000000000..91e962a312
--- /dev/null
+++ b/src/lib/libssl/src/util/selftest.pl
@@ -0,0 +1,174 @@
+#!/usr/local/bin/perl -w
+#
+# Run the test suite and generate a report
+#
+
+if (! -f "Configure") {
+    print "Please run perl util/selftest.pl in the OpenSSL directory.\n";
+    exit 1;
+}
+
+my $report="testlog";
+my $os="??";
+my $version="??";
+my $platform0="??";
+my $platform="??";
+my $options="??";
+my $last="??";
+my $ok=0;
+my $cc="cc";
+my $cversion="??";
+my $sep="-----------------------------------------------------------------------------\n";
+
+open(OUT,">$report") or die;
+
+print OUT "OpenSSL self-test report:\n\n";
+
+$uname=`uname -a`;
+$uname="??" if $uname eq "";
+
+$c=`sh config -t`;
+foreach $_ (split("\n",$c)) {
+    $os=$1 if (/Operating system: (.*)$/);
+    $platform0=$1 if (/Configuring for (.*)$/);
+}
+
+system "sh config" if (! -f "Makefile.ssl");
+
+if (open(IN,"<Makefile.ssl")) {
+    while (<IN>) {
+        $version=$1 if (/^VERSION=(.*)$/);
+        $platform=$1 if (/^PLATFORM=(.*)$/);
+        $options=$1 if (/^OPTIONS=(.*)$/);
+        $cc=$1 if (/^CC= *(.*)$/);
+    }
+    close(IN);
+} else {
+    print OUT "Error running config!\n";
+}
+
+$cversion=`$cc -v 2>&1`;
+$cversion=`$cc -V 2>&1` if $cversion =~ "usage";
+$cversion=`$cc --version` if $cversion eq "";
+$cversion =~ s/Reading specs.*\n//;
+$cversion =~ s/usage.*\n//;
+chomp $cversion;
+
+if (open(IN,"<CHANGES")) {
+    while(<IN>) {
+        if (/\*\) (.{0,55})/) {
+            $last=$1;
+            last;
+        }
+    }
+    close(IN);
+}
+
+print OUT "OpenSSL version:  $version\n";
+print OUT "Last change:      $last...\n";
+print OUT "Options:          $options\n" if $options ne "";
+print OUT "OS (uname):       $uname";
+print OUT "OS (config):      $os\n";
+print OUT "Target (default): $platform0\n";
+print OUT "Target:           $platform\n";
+print OUT "Compiler:         $cversion\n";
+print OUT "\n";
+
+print "Checking compiler...\n";
+if (open(TEST,">cctest.c")) {
+    print TEST "#include <stdio.h>\nmain(){printf(\"Hello world\\n\");}\n";
+    close(TEST);
+    system("$cc -o cctest cctest.c");
+    if (`./cctest` !~ /Hello world/) {
+        print OUT "Compiler doesn't work.\n";
+        goto err;
+    }
+} else {
+    print OUT "Can't create cctest.c\n";
+}
+if (open(TEST,">cctest.c")) {
+    print TEST "#include <openssl/opensslv.h>\nmain(){printf(OPENSSL_VERSION_TEXT);}\n";
+    close(TEST);
+    system("$cc -o cctest -Iinclude cctest.c");
+    $cctest = `./cctest`;
+    if ($cctest !~ /OpenSSL $version/) {
+        if ($cctest =~ /OpenSSL/) {
+            print OUT "#include uses headers from different OpenSSL version!\n";
+        } else {
+            print OUT "Can't compile test program!\n";
+        }
+        goto err;
+    }
+} else {
+    print OUT "Can't create cctest.c\n";
+}
+
+print "Running make...\n";
+if (system("make 2>&1 | tee make.log") > 255) {
+
+    print OUT "make failed!\n";
+    if (open(IN,"<make.log")) {
+        print OUT $sep;
+        while (<IN>) {
+            print OUT;
+        }
+        close(IN);
+        print OUT $sep;
+    } else {
+        print OUT "make.log not found!\n";
+    }
+    goto err;
+}
+
+$_=$options;
+s/no-asm//;
+if (/no-/)
+{
+    print OUT "Test skipped.\n";
+    goto err;
+}
+
+print "Running make test...\n";
+if (system("make test 2>&1 | tee make.log") > 255)
+ {
+    print OUT "make test failed!\n";
+} else {
+    $ok=1;
+}
+
+if ($ok and open(IN,"<make.log")) {
+    while (<IN>) {
+        $ok=2 if /^platform: $platform/;
+    }
+    close(IN);
+}
+
+if ($ok != 2) {
+    print OUT "Failure!\n";
+    if (open(IN,"<make.log")) {
+        print OUT $sep;
+        while (<IN>) {
+            print OUT;
+        }
+        close(IN);
+        print OUT $sep;
+    } else {
+        print OUT "make.log not found!\n";
+    }
+} else {
+    print OUT "Test passed.\n";
+}
+err:
+close(OUT);
+
+print "\n";
+open(IN,"<$report") or die;
+while (<IN>) {
+    if (/$sep/) {
+        print "[...]\n";
+        last;
+    }
+    print;
+}
+print "\nTest report in file $report\n";
+