32 files changed, 1493 insertions, 838 deletions

diff --git a/src/lib/libcrypto/x509/Makefile.ssl b/src/lib/libcrypto/x509/Makefile.ssl
index 48937b43af..4619693733 100644
--- a/src/lib/libcrypto/x509/Makefile.ssl
+++ b/src/lib/libcrypto/x509/Makefile.ssl
@@ -96,15 +96,17 @@ by_dir.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 by_dir.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 by_dir.o: ../../include/openssl/err.h ../../include/openssl/evp.h
 by_dir.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-by_dir.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
-by_dir.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+by_dir.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+by_dir.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+by_dir.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 by_dir.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 by_dir.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
 by_dir.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
 by_dir.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
 by_dir.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-by_dir.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
-by_dir.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+by_dir.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+by_dir.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+by_dir.o: ../cryptlib.h
 by_file.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 by_file.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 by_file.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -113,52 +115,60 @@ by_file.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 by_file.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 by_file.o: ../../include/openssl/err.h ../../include/openssl/evp.h
 by_file.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-by_file.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
-by_file.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+by_file.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+by_file.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+by_file.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 by_file.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 by_file.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
 by_file.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
 by_file.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
 by_file.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
 by_file.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-by_file.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
-by_file.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+by_file.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+by_file.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+by_file.o: ../cryptlib.h
 x509_att.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_att.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_att.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 x509_att.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 x509_att.o: ../../include/openssl/des.h ../../include/openssl/dh.h
 x509_att.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x509_att.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x509_att.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x509_att.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_att.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_att.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_att.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509_att.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x509_att.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_att.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_att.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509_att.o: ../../include/openssl/opensslconf.h
 x509_att.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509_att.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509_att.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509_att.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_att.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_att.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_att.o: ../../include/openssl/x509v3.h ../cryptlib.h
+x509_att.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_att.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+x509_att.o: ../cryptlib.h
 x509_cmp.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_cmp.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_cmp.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 x509_cmp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 x509_cmp.o: ../../include/openssl/des.h ../../include/openssl/dh.h
 x509_cmp.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x509_cmp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x509_cmp.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x509_cmp.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_cmp.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_cmp.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_cmp.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509_cmp.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x509_cmp.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_cmp.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_cmp.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509_cmp.o: ../../include/openssl/opensslconf.h
 x509_cmp.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509_cmp.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509_cmp.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509_cmp.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_cmp.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_cmp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_cmp.o: ../../include/openssl/x509v3.h ../cryptlib.h
+x509_cmp.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_cmp.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+x509_cmp.o: ../cryptlib.h
 x509_d2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_d2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_d2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -166,14 +176,16 @@ x509_d2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 x509_d2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 x509_d2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 x509_d2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_d2.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509_d2.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509_d2.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x509_d2.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_d2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x509_d2.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509_d2.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_d2.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_d2.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_d2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_d2.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509_d2.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x509_d2.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x509_d2.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x509_d2.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x509_d2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_d2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 x509_d2.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 x509_d2.o: ../cryptlib.h
 x509_def.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
@@ -183,49 +195,57 @@ x509_def.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 x509_def.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 x509_def.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 x509_def.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_def.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509_def.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509_def.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x509_def.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_def.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_def.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509_def.o: ../../include/openssl/opensslconf.h
 x509_def.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509_def.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509_def.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509_def.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_def.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_def.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_def.o: ../cryptlib.h
+x509_def.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_def.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
 x509_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_err.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_err.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-x509_err.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x509_err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-x509_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_err.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
-x509_err.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_err.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_err.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_err.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x509_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_err.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x509_err.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_err.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+x509_err.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
 x509_err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 x509_err.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509_err.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509_err.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509_err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_err.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_err.o: ../../include/openssl/x509_vfy.h
 x509_ext.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_ext.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_ext.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 x509_ext.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 x509_ext.o: ../../include/openssl/des.h ../../include/openssl/dh.h
 x509_ext.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x509_ext.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x509_ext.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x509_ext.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_ext.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_ext.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_ext.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509_ext.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x509_ext.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_ext.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_ext.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509_ext.o: ../../include/openssl/opensslconf.h
 x509_ext.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509_ext.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509_ext.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509_ext.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_ext.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_ext.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_ext.o: ../../include/openssl/x509v3.h ../cryptlib.h
+x509_ext.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_ext.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+x509_ext.o: ../cryptlib.h
 x509_lu.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_lu.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_lu.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -234,15 +254,17 @@ x509_lu.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 x509_lu.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 x509_lu.o: ../../include/openssl/err.h ../../include/openssl/evp.h
 x509_lu.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_lu.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
-x509_lu.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x509_lu.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+x509_lu.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_lu.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509_lu.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 x509_lu.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
 x509_lu.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
 x509_lu.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
 x509_lu.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x509_lu.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
-x509_lu.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x509_lu.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509_lu.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_lu.o: ../cryptlib.h
 x509_obj.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_obj.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_obj.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -251,16 +273,17 @@ x509_obj.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 x509_obj.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 x509_obj.o: ../../include/openssl/err.h ../../include/openssl/evp.h
 x509_obj.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_obj.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
-x509_obj.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x509_obj.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+x509_obj.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_obj.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509_obj.o: ../../include/openssl/opensslconf.h
 x509_obj.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509_obj.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509_obj.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509_obj.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_obj.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_obj.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_obj.o: ../cryptlib.h
+x509_obj.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_obj.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
 x509_r2x.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_r2x.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_r2x.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -268,16 +291,18 @@ x509_r2x.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 x509_r2x.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 x509_r2x.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 x509_r2x.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_r2x.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509_r2x.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509_r2x.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x509_r2x.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_r2x.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_r2x.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509_r2x.o: ../../include/openssl/opensslconf.h
 x509_r2x.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509_r2x.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509_r2x.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509_r2x.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_r2x.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_r2x.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_r2x.o: ../cryptlib.h
+x509_r2x.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_r2x.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
 x509_req.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_req.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_req.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -285,17 +310,19 @@ x509_req.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 x509_req.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 x509_req.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 x509_req.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_req.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509_req.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509_req.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x509_req.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_req.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_req.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509_req.o: ../../include/openssl/opensslconf.h
 x509_req.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
 x509_req.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
 x509_req.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509_req.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509_req.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_req.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_req.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_req.o: ../cryptlib.h
+x509_req.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_req.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
 x509_set.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_set.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_set.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -303,34 +330,39 @@ x509_set.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 x509_set.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 x509_set.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 x509_set.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_set.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509_set.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509_set.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x509_set.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_set.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_set.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509_set.o: ../../include/openssl/opensslconf.h
 x509_set.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509_set.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509_set.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509_set.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_set.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_set.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_set.o: ../cryptlib.h
+x509_set.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_set.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
 x509_trs.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_trs.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_trs.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 x509_trs.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 x509_trs.o: ../../include/openssl/des.h ../../include/openssl/dh.h
 x509_trs.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x509_trs.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x509_trs.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x509_trs.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_trs.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_trs.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_trs.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509_trs.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x509_trs.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_trs.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_trs.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509_trs.o: ../../include/openssl/opensslconf.h
 x509_trs.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509_trs.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509_trs.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509_trs.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_trs.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_trs.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_trs.o: ../../include/openssl/x509v3.h ../cryptlib.h
+x509_trs.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_trs.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+x509_trs.o: ../cryptlib.h
 x509_txt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_txt.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_txt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -339,32 +371,35 @@ x509_txt.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 x509_txt.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 x509_txt.o: ../../include/openssl/err.h ../../include/openssl/evp.h
 x509_txt.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_txt.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
-x509_txt.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x509_txt.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+x509_txt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_txt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509_txt.o: ../../include/openssl/opensslconf.h
 x509_txt.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509_txt.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509_txt.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509_txt.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_txt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_txt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_txt.o: ../cryptlib.h
+x509_txt.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_txt.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
 x509_v3.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_v3.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_v3.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 x509_v3.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 x509_v3.o: ../../include/openssl/des.h ../../include/openssl/dh.h
 x509_v3.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x509_v3.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x509_v3.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x509_v3.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_v3.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_v3.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_v3.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509_v3.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x509_v3.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_v3.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x509_v3.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509_v3.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_v3.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_v3.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_v3.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_v3.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509_v3.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x509_v3.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x509_v3.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x509_v3.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x509_v3.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_v3.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 x509_v3.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 x509_v3.o: ../../include/openssl/x509v3.h ../cryptlib.h
 x509_vfy.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
@@ -373,18 +408,21 @@ x509_vfy.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 x509_vfy.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 x509_vfy.o: ../../include/openssl/des.h ../../include/openssl/dh.h
 x509_vfy.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x509_vfy.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x509_vfy.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x509_vfy.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_vfy.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_vfy.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_vfy.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509_vfy.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x509_vfy.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_vfy.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_vfy.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509_vfy.o: ../../include/openssl/opensslconf.h
 x509_vfy.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509_vfy.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509_vfy.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509_vfy.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_vfy.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_vfy.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_vfy.o: ../../include/openssl/x509v3.h ../cryptlib.h
+x509_vfy.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_vfy.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+x509_vfy.o: ../cryptlib.h
 x509name.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509name.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509name.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -392,16 +430,18 @@ x509name.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 x509name.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 x509name.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 x509name.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509name.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509name.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509name.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x509name.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509name.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509name.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509name.o: ../../include/openssl/opensslconf.h
 x509name.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509name.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509name.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509name.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509name.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509name.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509name.o: ../cryptlib.h
+x509name.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509name.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
 x509rset.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509rset.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509rset.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -409,16 +449,18 @@ x509rset.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 x509rset.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 x509rset.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 x509rset.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509rset.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509rset.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509rset.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x509rset.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509rset.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509rset.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509rset.o: ../../include/openssl/opensslconf.h
 x509rset.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509rset.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509rset.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509rset.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509rset.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509rset.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509rset.o: ../cryptlib.h
+x509rset.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509rset.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
 x509spki.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
 x509spki.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
 x509spki.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
@@ -427,16 +469,17 @@ x509spki.o: ../../include/openssl/des.h ../../include/openssl/dh.h
 x509spki.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
 x509spki.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 x509spki.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x509spki.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
-x509spki.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
-x509spki.o: ../../include/openssl/opensslconf.h
+x509spki.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509spki.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+x509spki.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x509spki.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 x509spki.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509spki.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509spki.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509spki.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509spki.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509spki.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509spki.o: ../cryptlib.h
+x509spki.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509spki.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
 x509type.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509type.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509type.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -444,16 +487,18 @@ x509type.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 x509type.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 x509type.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 x509type.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509type.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509type.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509type.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x509type.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509type.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509type.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509type.o: ../../include/openssl/opensslconf.h
 x509type.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509type.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509type.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509type.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509type.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509type.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509type.o: ../cryptlib.h
+x509type.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509type.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
 x_all.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x_all.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x_all.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -461,13 +506,15 @@ x_all.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 x_all.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 x_all.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 x_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x_all.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x_all.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x_all.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x_all.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x_all.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x_all.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x_all.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x_all.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x_all.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_all.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_all.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_all.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_all.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_all.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 x_all.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 x_all.o: ../cryptlib.h
diff --git a/src/lib/libcrypto/x509/by_dir.c b/src/lib/libcrypto/x509/by_dir.c
index 14d12c56bd..cac64a6f40 100644
--- a/src/lib/libcrypto/x509/by_dir.c
+++ b/src/lib/libcrypto/x509/by_dir.c
@@ -146,11 +146,11 @@ static int new_dir(X509_LOOKUP *lu)
         {
         BY_DIR *a;
 
-        if ((a=(BY_DIR *)Malloc(sizeof(BY_DIR))) == NULL)
+        if ((a=(BY_DIR *)OPENSSL_malloc(sizeof(BY_DIR))) == NULL)
                 return(0);
         if ((a->buffer=BUF_MEM_new()) == NULL)
                 {
-                Free(a);
+                OPENSSL_free(a);
                 return(0);
                 }
         a->num_dirs=0;
@@ -168,11 +168,11 @@ static void free_dir(X509_LOOKUP *lu)
 
         a=(BY_DIR *)lu->method_data;
         for (i=0; i<a->num_dirs; i++)
-                if (a->dirs[i] != NULL) Free(a->dirs[i]);
-        if (a->dirs != NULL) Free(a->dirs);
-        if (a->dirs_type != NULL) Free(a->dirs_type);
+                if (a->dirs[i] != NULL) OPENSSL_free(a->dirs[i]);
+        if (a->dirs != NULL) OPENSSL_free(a->dirs);
+        if (a->dirs_type != NULL) OPENSSL_free(a->dirs_type);
         if (a->buffer != NULL) BUF_MEM_free(a->buffer);
-        Free(a);
+        OPENSSL_free(a);
         }
 
 static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
@@ -204,9 +204,9 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
                         if (ctx->num_dirs_alloced < (ctx->num_dirs+1))
                                 {
                                 ctx->num_dirs_alloced+=10;
-                                pp=(char **)Malloc(ctx->num_dirs_alloced*
+                                pp=(char **)OPENSSL_malloc(ctx->num_dirs_alloced*
                                         sizeof(char *));
-                                ip=(int *)Malloc(ctx->num_dirs_alloced*
+                                ip=(int *)OPENSSL_malloc(ctx->num_dirs_alloced*
                                         sizeof(int));
                                 if ((pp == NULL) || (ip == NULL))
                                         {
@@ -218,14 +218,14 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
                                 memcpy(ip,ctx->dirs_type,(ctx->num_dirs_alloced-10)*
                                         sizeof(int));
                                 if (ctx->dirs != NULL)
-                                        Free(ctx->dirs);
+                                        OPENSSL_free(ctx->dirs);
                                 if (ctx->dirs_type != NULL)
-                                        Free(ctx->dirs_type);
+                                        OPENSSL_free(ctx->dirs_type);
                                 ctx->dirs=pp;
                                 ctx->dirs_type=ip;
                                 }
                         ctx->dirs_type[ctx->num_dirs]=type;
-                        ctx->dirs[ctx->num_dirs]=(char *)Malloc((unsigned int)len+1);
+                        ctx->dirs[ctx->num_dirs]=(char *)OPENSSL_malloc((unsigned int)len+1);
                         if (ctx->dirs[ctx->num_dirs] == NULL) return(0);
                         strncpy(ctx->dirs[ctx->num_dirs],ss,(unsigned int)len);
                         ctx->dirs[ctx->num_dirs][len]='\0';
@@ -326,7 +326,9 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
                 /* we have added it to the cache so now pull
                  * it out again */
                 CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE);
-                tmp=(X509_OBJECT *)lh_retrieve(xl->store_ctx->certs,&stmp);
+                j = sk_X509_OBJECT_find(xl->store_ctx->objs,&stmp);
+                if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,i);
+                else tmp = NULL;
                 CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE);
 
                 if (tmp != NULL)
diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
index 0192272e7c..813c8adffd 100644
--- a/src/lib/libcrypto/x509/x509.h
+++ b/src/lib/libcrypto/x509/x509.h
@@ -59,15 +59,16 @@
 #ifndef HEADER_X509_H
 #define HEADER_X509_H
 
-#ifdef  __cplusplus
-extern "C" {
+#include <openssl/symhacks.h>
+#ifndef NO_BUFFER
+#include <openssl/buffer.h>
 #endif
-
-#ifdef VMS
-#undef X509_REVOKED_get_ext_by_critical
-#define X509_REVOKED_get_ext_by_critical X509_REVOKED_get_ext_by_critic
+#ifndef NO_EVP
+#include <openssl/evp.h>
+#endif
+#ifndef NO_BIO
+#include <openssl/bio.h>
 #endif
-
 #include <openssl/stack.h>
 #include <openssl/asn1.h>
 #include <openssl/safestack.h>
@@ -87,11 +88,19 @@ extern "C" {
 #include <openssl/evp.h>
 
 
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
 #ifdef WIN32
 /* Under Win32 this is defined in wincrypt.h */
 #undef X509_NAME
 #endif
 
+  /* If placed in pkcs12.h, we end up with a circular depency with pkcs7.h */
+#define DECLARE_PKCS12_STACK_OF(type) /* Nothing */
+#define IMPLEMENT_PKCS12_STACK_OF(type) /* Nothing */
+
 #define X509_FILETYPE_PEM       1
 #define X509_FILETYPE_ASN1      2
 #define X509_FILETYPE_DEFAULT   3
@@ -125,8 +134,8 @@ DECLARE_ASN1_SET_OF(X509_ALGOR)
 
 typedef struct X509_val_st
         {
-        ASN1_UTCTIME *notBefore;
-        ASN1_UTCTIME *notAfter;
+        ASN1_TIME *notBefore;
+        ASN1_TIME *notAfter;
         } X509_VAL;
 
 typedef struct X509_pubkey_st
@@ -158,7 +167,7 @@ typedef struct X509_name_st
         {
         STACK_OF(X509_NAME_ENTRY) *entries;
         int modified;   /* true if 'bytes' needs to be built */
-#ifdef HEADER_BUFFER_H
+#ifndef NO_BUFFER
         BUF_MEM *bytes;
 #else
         char *bytes;
@@ -200,6 +209,8 @@ DECLARE_ASN1_SET_OF(X509_ATTRIBUTE)
 
 typedef struct X509_req_info_st
         {
+        unsigned char *asn1;
+        int length;
         ASN1_INTEGER *version;
         X509_NAME *subject;
         X509_PUBKEY *pubkey;
@@ -260,6 +271,8 @@ typedef struct x509_st
         unsigned long ex_kusage;
         unsigned long ex_xkusage;
         unsigned long ex_nscert;
+        ASN1_OCTET_STRING *skid;
+        struct AUTHORITY_KEYID_st *akid;
 #ifndef NO_SHA
         unsigned char sha1_hash[SHA_DIGEST_LENGTH];
 #endif
@@ -307,10 +320,65 @@ DECLARE_STACK_OF(X509_TRUST)
 #define X509_TRUST_REJECTED     2
 #define X509_TRUST_UNTRUSTED    3
 
+/* Flags specific to X509_NAME_print_ex() */    
+
+/* The field separator information */
+
+#define XN_FLAG_SEP_MASK        (0xf << 16)
+
+#define XN_FLAG_COMPAT          0               /* Traditional SSLeay: use old X509_NAME_print */
+#define XN_FLAG_SEP_COMMA_PLUS  (1 << 16)       /* RFC2253 ,+ */
+#define XN_FLAG_SEP_CPLUS_SPC   (2 << 16)       /* ,+ spaced: more readable */
+#define XN_FLAG_SEP_SPLUS_SPC   (3 << 16)       /* ;+ spaced */
+#define XN_FLAG_SEP_MULTILINE   (4 << 16)       /* One line per field */
+
+#define XN_FLAG_DN_REV          (1 << 20)       /* Reverse DN order */
+
+/* How the field name is shown */
+
+#define XN_FLAG_FN_MASK         (0x3 << 21)
+
+#define XN_FLAG_FN_SN           0               /* Object short name */
+#define XN_FLAG_FN_LN           (1 << 21)       /* Object long name */
+#define XN_FLAG_FN_OID          (2 << 21)       /* Always use OIDs */
+#define XN_FLAG_FN_NONE         (3 << 21)       /* No field names */
+
+#define XN_FLAG_SPC_EQ          (1 << 23)       /* Put spaces round '=' */
+
+/* This determines if we dump fields we don't recognise:
+ * RFC2253 requires this.
+ */
+
+#define XN_FLAG_DUMP_UNKNOWN_FIELDS (1 << 24)
+
+/* Complete set of RFC2253 flags */
+
+#define XN_FLAG_RFC2253 (ASN1_STRFLGS_RFC2253 | \
+                        XN_FLAG_SEP_COMMA_PLUS | \
+                        XN_FLAG_DN_REV | \
+                        XN_FLAG_FN_SN | \
+                        XN_FLAG_DUMP_UNKNOWN_FIELDS)
+
+/* readable oneline form */
+
+#define XN_FLAG_ONELINE (ASN1_STRFLGS_RFC2253 | \
+                        ASN1_STRFLGS_ESC_QUOTE | \
+                        XN_FLAG_SEP_CPLUS_SPC | \
+                        XN_FLAG_SPC_EQ | \
+                        XN_FLAG_FN_SN)
+
+/* readable multiline form */
+
+#define XN_FLAG_MULTILINE (ASN1_STRFLGS_ESC_CTRL | \
+                        ASN1_STRFLGS_ESC_MSB | \
+                        XN_FLAG_SEP_MULTILINE | \
+                        XN_FLAG_SPC_EQ | \
+                        XN_FLAG_FN_LN)
+
 typedef struct X509_revoked_st
         {
         ASN1_INTEGER *serialNumber;
-        ASN1_UTCTIME *revocationDate;
+        ASN1_TIME *revocationDate;
         STACK_OF(X509_EXTENSION) /* optional */ *extensions;
         int sequence; /* load sequence */
         } X509_REVOKED;
@@ -323,8 +391,8 @@ typedef struct X509_crl_info_st
         ASN1_INTEGER *version;
         X509_ALGOR *sig_alg;
         X509_NAME *issuer;
-        ASN1_UTCTIME *lastUpdate;
-        ASN1_UTCTIME *nextUpdate;
+        ASN1_TIME *lastUpdate;
+        ASN1_TIME *nextUpdate;
         STACK_OF(X509_REVOKED) *revoked;
         STACK_OF(X509_EXTENSION) /* [0] */ *extensions;
         } X509_CRL_INFO;
@@ -362,7 +430,7 @@ typedef struct private_key_st
         int references;
         } X509_PKEY;
 
-#ifdef HEADER_ENVELOPE_H
+#ifndef NO_EVP
 typedef struct X509_info_st
         {
         X509 *x509;
@@ -445,9 +513,17 @@ typedef struct pkcs8_priv_key_info_st
         STACK_OF(X509_ATTRIBUTE) *attributes;
         } PKCS8_PRIV_KEY_INFO;
 
+#ifdef  __cplusplus
+}
+#endif
+
 #include <openssl/x509_vfy.h>
 #include <openssl/pkcs7.h>
 
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
 #ifdef SSLEAY_MACROS
 #define X509_verify(a,r) ASN1_verify((int (*)())i2d_X509_CINF,a->sig_alg,\
         a->signature,(char *)a->cert_info,r)
@@ -610,7 +686,7 @@ typedef struct pkcs8_priv_key_info_st
 const char *X509_verify_cert_error_string(long n);
 
 #ifndef SSLEAY_MACROS
-#ifdef HEADER_ENVELOPE_H
+#ifndef NO_EVP
 int X509_verify(X509 *a, EVP_PKEY *r);
 
 int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r);
@@ -629,9 +705,14 @@ int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
 int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
 int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md);
 
-int X509_digest(X509 *data,const EVP_MD *type,unsigned char *md,unsigned int *len);
-int X509_NAME_digest(X509_NAME *data,const EVP_MD *type,
-        unsigned char *md,unsigned int *len);
+int X509_digest(const X509 *data,const EVP_MD *type,
+                unsigned char *md, unsigned int *len);
+int X509_CRL_digest(const X509_CRL *data,const EVP_MD *type,
+                unsigned char *md, unsigned int *len);
+int X509_REQ_digest(const X509_REQ *data,const EVP_MD *type,
+                unsigned char *md, unsigned int *len);
+int X509_NAME_digest(const X509_NAME *data,const EVP_MD *type,
+                unsigned char *md, unsigned int *len);
 #endif
 
 #ifndef NO_FP_API
@@ -663,9 +744,11 @@ int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,PKCS8_PRIV_KEY_INFO *p8inf);
 int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key);
 int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey);
 EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a);
+int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey);
+EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a);
 #endif
 
-#ifdef HEADER_BIO_H
+#ifndef NO_BIO
 X509 *d2i_X509_bio(BIO *bp,X509 **x509);
 int i2d_X509_bio(BIO *bp,X509 *x509);
 X509_CRL *d2i_X509_CRL_bio(BIO *bp,X509_CRL **crl);
@@ -694,6 +777,8 @@ int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,PKCS8_PRIV_KEY_INFO *p8inf);
 int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key);
 int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey);
 EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a);
+int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey);
+EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a);
 #endif
 
 X509 *X509_dup(X509 *x509);
@@ -711,8 +796,10 @@ RSA *RSAPrivateKey_dup(RSA *rsa);
 
 #endif /* !SSLEAY_MACROS */
 
-int             X509_cmp_current_time(ASN1_UTCTIME *s);
-ASN1_UTCTIME *  X509_gmtime_adj(ASN1_UTCTIME *s, long adj);
+int             X509_cmp_time(ASN1_TIME *s, time_t *t);
+int             X509_cmp_current_time(ASN1_TIME *s);
+ASN1_TIME *     X509_time_adj(ASN1_TIME *s, long adj, time_t *t);
+ASN1_TIME *     X509_gmtime_adj(ASN1_TIME *s, long adj);
 
 const char *    X509_get_default_cert_area(void );
 const char *    X509_get_default_cert_dir(void );
@@ -825,6 +912,7 @@ int		i2d_X509_CERT_AUX(X509_CERT_AUX *a,unsigned char **pp);
 X509_CERT_AUX * d2i_X509_CERT_AUX(X509_CERT_AUX **a,unsigned char **pp,
                                                                 long length);
 int X509_alias_set1(X509 *x, unsigned char *name, int len);
+int X509_keyid_set1(X509 *x, unsigned char *id, int len);
 unsigned char * X509_alias_get0(X509 *x, int *len);
 int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int);
 int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj);
@@ -871,7 +959,7 @@ NETSCAPE_CERT_SEQUENCE *NETSCAPE_CERT_SEQUENCE_new(void);
 NETSCAPE_CERT_SEQUENCE *d2i_NETSCAPE_CERT_SEQUENCE(NETSCAPE_CERT_SEQUENCE **a, unsigned char **pp, long length);
 void NETSCAPE_CERT_SEQUENCE_free(NETSCAPE_CERT_SEQUENCE *a);
 
-#ifdef HEADER_ENVELOPE_H
+#ifndef NO_EVP
 X509_INFO *     X509_INFO_new(void);
 void            X509_INFO_free(X509_INFO *a);
 char *          X509_NAME_oneline(X509_NAME *a,char *buf,int size);
@@ -894,8 +982,8 @@ int 		X509_set_issuer_name(X509 *x, X509_NAME *name);
 X509_NAME *     X509_get_issuer_name(X509 *a);
 int             X509_set_subject_name(X509 *x, X509_NAME *name);
 X509_NAME *     X509_get_subject_name(X509 *a);
-int             X509_set_notBefore(X509 *x, ASN1_UTCTIME *tm);
-int             X509_set_notAfter(X509 *x, ASN1_UTCTIME *tm);
+int             X509_set_notBefore(X509 *x, ASN1_TIME *tm);
+int             X509_set_notAfter(X509 *x, ASN1_TIME *tm);
 int             X509_set_pubkey(X509 *x, EVP_PKEY *pkey);
 EVP_PKEY *      X509_get_pubkey(X509 *x);
 int             X509_certificate_type(X509 *x,EVP_PKEY *pubkey /* optional */);
@@ -931,28 +1019,30 @@ int X509_REQ_add1_attr_by_txt(X509_REQ *req,
 
 int             X509_check_private_key(X509 *x509,EVP_PKEY *pkey);
 
-int             X509_issuer_and_serial_cmp(X509 *a, X509 *b);
+int             X509_issuer_and_serial_cmp(const X509 *a, const X509 *b);
 unsigned long   X509_issuer_and_serial_hash(X509 *a);
 
-int             X509_issuer_name_cmp(X509 *a, X509 *b);
+int             X509_issuer_name_cmp(const X509 *a, const X509 *b);
 unsigned long   X509_issuer_name_hash(X509 *a);
 
-int             X509_subject_name_cmp(X509 *a,X509 *b);
+int             X509_subject_name_cmp(const X509 *a, const X509 *b);
 unsigned long   X509_subject_name_hash(X509 *x);
 
-int             X509_cmp (X509 *a, X509 *b);
-int             X509_NAME_cmp (X509_NAME *a, X509_NAME *b);
+int             X509_cmp(const X509 *a, const X509 *b);
+int             X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b);
 unsigned long   X509_NAME_hash(X509_NAME *x);
 
-int             X509_CRL_cmp(X509_CRL *a,X509_CRL *b);
+int             X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b);
 #ifndef NO_FP_API
 int             X509_print_fp(FILE *bp,X509 *x);
 int             X509_CRL_print_fp(FILE *bp,X509_CRL *x);
 int             X509_REQ_print_fp(FILE *bp,X509_REQ *req);
+int X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long flags);
 #endif
 
-#ifdef HEADER_BIO_H
+#ifndef NO_BIO
 int             X509_NAME_print(BIO *bp, X509_NAME *name, int obase);
+int X509_NAME_print_ex(BIO *out, X509_NAME *nm, int indent, unsigned long flags);
 int             X509_print(BIO *bp,X509 *x);
 int             X509_CERT_AUX_print(BIO *bp,X509_CERT_AUX *x, int indent);
 int             X509_CRL_print(BIO *bp,X509_CRL *x);
diff --git a/src/lib/libcrypto/x509/x509_cmp.c b/src/lib/libcrypto/x509/x509_cmp.c
index a8a5ca8b03..b147d573d2 100644
--- a/src/lib/libcrypto/x509/x509_cmp.c
+++ b/src/lib/libcrypto/x509/x509_cmp.c
@@ -63,7 +63,7 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
-int X509_issuer_and_serial_cmp(X509 *a, X509 *b)
+int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b)
         {
         int i;
         X509_CINF *ai,*bi;
@@ -97,17 +97,17 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
         }
 #endif
         
-int X509_issuer_name_cmp(X509 *a, X509 *b)
+int X509_issuer_name_cmp(const X509 *a, const X509 *b)
         {
         return(X509_NAME_cmp(a->cert_info->issuer,b->cert_info->issuer));
         }
 
-int X509_subject_name_cmp(X509 *a, X509 *b)
+int X509_subject_name_cmp(const X509 *a, const X509 *b)
         {
         return(X509_NAME_cmp(a->cert_info->subject,b->cert_info->subject));
         }
 
-int X509_CRL_cmp(X509_CRL *a, X509_CRL *b)
+int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b)
         {
         return(X509_NAME_cmp(a->crl->issuer,b->crl->issuer));
         }
@@ -139,19 +139,25 @@ unsigned long X509_subject_name_hash(X509 *x)
 
 #ifndef NO_SHA
 /* Compare two certificates: they must be identical for
- * this to work.
+ * this to work. NB: Although "cmp" operations are generally
+ * prototyped to take "const" arguments (eg. for use in
+ * STACKs), the way X509 handling is - these operations may
+ * involve ensuring the hashes are up-to-date and ensuring
+ * certain cert information is cached. So this is the point
+ * where the "depth-first" constification tree has to halt
+ * with an evil cast.
  */
-int X509_cmp(X509 *a, X509 *b)
+int X509_cmp(const X509 *a, const X509 *b)
 {
         /* ensure hash is valid */
-        X509_check_purpose(a, -1, 0);
-        X509_check_purpose(b, -1, 0);
+        X509_check_purpose((X509 *)a, -1, 0);
+        X509_check_purpose((X509 *)b, -1, 0);
 
         return memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH);
 }
 #endif
 
-int X509_NAME_cmp(X509_NAME *a, X509_NAME *b)
+int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
         {
         int i,j;
         X509_NAME_ENTRY *na,*nb;
@@ -198,14 +204,14 @@ unsigned long X509_NAME_hash(X509_NAME *x)
 
         i=i2d_X509_NAME(x,NULL);
         if (i > sizeof(str))
-                p=Malloc(i);
+                p=OPENSSL_malloc(i);
         else
                 p=str;
 
         pp=p;
         i2d_X509_NAME(x,&pp);
         MD5((unsigned char *)p,i,&(md[0]));
-        if (p != str) Free(p);
+        if (p != str) OPENSSL_free(p);
 
         ret=(   ((unsigned long)md[0]     )|((unsigned long)md[1]<<8L)|
                 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
diff --git a/src/lib/libcrypto/x509/x509_lu.c b/src/lib/libcrypto/x509/x509_lu.c
index a20006d67e..863c738cad 100644
--- a/src/lib/libcrypto/x509/x509_lu.c
+++ b/src/lib/libcrypto/x509/x509_lu.c
@@ -62,14 +62,13 @@
 #include <openssl/x509.h>
 
 static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_store_meth=NULL;
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_store_ctx_meth=NULL;
 
 X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
         {
         X509_LOOKUP *ret;
 
-        ret=(X509_LOOKUP *)Malloc(sizeof(X509_LOOKUP));
-        if (ret == NULL) return(NULL);
+        ret=(X509_LOOKUP *)OPENSSL_malloc(sizeof(X509_LOOKUP));
+        if (ret == NULL) return NULL;
 
         ret->init=0;
         ret->skip=0;
@@ -78,10 +77,10 @@ X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
         ret->store_ctx=NULL;
         if ((method->new_item != NULL) && !method->new_item(ret))
                 {
-                Free(ret);
-                return(NULL);
+                OPENSSL_free(ret);
+                return NULL;
                 }
-        return(ret);
+        return ret;
         }
 
 void X509_LOOKUP_free(X509_LOOKUP *ctx)
@@ -90,44 +89,44 @@ void X509_LOOKUP_free(X509_LOOKUP *ctx)
         if (    (ctx->method != NULL) &&
                 (ctx->method->free != NULL))
                 ctx->method->free(ctx);
-        Free(ctx);
+        OPENSSL_free(ctx);
         }
 
 int X509_LOOKUP_init(X509_LOOKUP *ctx)
         {
-        if (ctx->method == NULL) return(0);
+        if (ctx->method == NULL) return 0;
         if (ctx->method->init != NULL)
-                return(ctx->method->init(ctx));
+                return ctx->method->init(ctx);
         else
-                return(1);
+                return 1;
         }
 
 int X509_LOOKUP_shutdown(X509_LOOKUP *ctx)
         {
-        if (ctx->method == NULL) return(0);
+        if (ctx->method == NULL) return 0;
         if (ctx->method->shutdown != NULL)
-                return(ctx->method->shutdown(ctx));
+                return ctx->method->shutdown(ctx);
         else
-                return(1);
+                return 1;
         }
 
 int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
              char **ret)
         {
-        if (ctx->method == NULL) return(-1);
+        if (ctx->method == NULL) return -1;
         if (ctx->method->ctrl != NULL)
-                return(ctx->method->ctrl(ctx,cmd,argc,argl,ret));
+                return ctx->method->ctrl(ctx,cmd,argc,argl,ret);
         else
-                return(1);
+                return 1;
         }
 
 int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,
              X509_OBJECT *ret)
         {
         if ((ctx->method == NULL) || (ctx->method->get_by_subject == NULL))
-                return(X509_LU_FAIL);
-        if (ctx->skip) return(0);
-        return(ctx->method->get_by_subject(ctx,type,name,ret));
+                return X509_LU_FAIL;
+        if (ctx->skip) return 0;
+        return ctx->method->get_by_subject(ctx,type,name,ret);
         }
 
 int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name,
@@ -135,71 +134,55 @@ int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name,
         {
         if ((ctx->method == NULL) ||
                 (ctx->method->get_by_issuer_serial == NULL))
-                return(X509_LU_FAIL);
-        return(ctx->method->get_by_issuer_serial(ctx,type,name,serial,ret));
+                return X509_LU_FAIL;
+        return ctx->method->get_by_issuer_serial(ctx,type,name,serial,ret);
         }
 
 int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type,
              unsigned char *bytes, int len, X509_OBJECT *ret)
         {
         if ((ctx->method == NULL) || (ctx->method->get_by_fingerprint == NULL))
-                return(X509_LU_FAIL);
-        return(ctx->method->get_by_fingerprint(ctx,type,bytes,len,ret));
+                return X509_LU_FAIL;
+        return ctx->method->get_by_fingerprint(ctx,type,bytes,len,ret);
         }
 
 int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, int len,
              X509_OBJECT *ret)
         {
         if ((ctx->method == NULL) || (ctx->method->get_by_alias == NULL))
-                return(X509_LU_FAIL);
-        return(ctx->method->get_by_alias(ctx,type,str,len,ret));
+                return X509_LU_FAIL;
+        return ctx->method->get_by_alias(ctx,type,str,len,ret);
         }
 
-static unsigned long x509_object_hash(X509_OBJECT *a)
-        {
-        unsigned long h;
-
-        switch (a->type)
-                {
-        case X509_LU_X509:
-                h=X509_NAME_hash(a->data.x509->cert_info->subject);
-                break;
-        case X509_LU_CRL:
-                h=X509_NAME_hash(a->data.crl->crl->issuer);
-                break;
-        default:
-                abort();
-                }
-        return(h);
-        }
-
-static int x509_object_cmp(X509_OBJECT *a, X509_OBJECT *b)
-        {
-        int ret;
-
-        ret=(a->type - b->type);
-        if (ret) return(ret);
-        switch (a->type)
-                {
-        case X509_LU_X509:
-                ret=X509_subject_name_cmp(a->data.x509,b->data.x509);
-                break;
-        case X509_LU_CRL:
-                ret=X509_CRL_cmp(a->data.crl,b->data.crl);
-                break;
+  
+static int x509_object_cmp(const X509_OBJECT * const *a, const X509_OBJECT * const *b)
+        {
+        int ret;
+
+        ret=((*a)->type - (*b)->type);
+        if (ret) return ret;
+        switch ((*a)->type)
+                {
+        case X509_LU_X509:
+                ret=X509_subject_name_cmp((*a)->data.x509,(*b)->data.x509);
+                break;
+        case X509_LU_CRL:
+                ret=X509_CRL_cmp((*a)->data.crl,(*b)->data.crl);
+                break;
         default:
-                abort();
+                /* abort(); */
+                return 0;
                 }
-        return(ret);
+        return ret;
         }
 
 X509_STORE *X509_STORE_new(void)
         {
         X509_STORE *ret;
 
-        if ((ret=(X509_STORE *)Malloc(sizeof(X509_STORE))) == NULL)
-                return(NULL);
-        ret->certs=lh_new(x509_object_hash,x509_object_cmp);
+        if ((ret=(X509_STORE *)OPENSSL_malloc(sizeof(X509_STORE))) == NULL)
+                return NULL;
+        ret->objs = sk_X509_OBJECT_new(x509_object_cmp);
         ret->cache=1;
         ret->get_cert_methods=sk_X509_LOOKUP_new_null();
         ret->verify=NULL;
@@ -207,7 +190,7 @@ X509_STORE *X509_STORE_new(void)
         memset(&ret->ex_data,0,sizeof(CRYPTO_EX_DATA));
         ret->references=1;
         ret->depth=0;
-        return(ret);
+        return ret;
         }
 
 static void cleanup(X509_OBJECT *a)
@@ -221,9 +204,11 @@ static void cleanup(X509_OBJECT *a)
                 X509_CRL_free(a->data.crl);
                 }
         else
-                abort();
+                {
+                /* abort(); */
+                }
 
-        Free(a);
+        OPENSSL_free(a);
         }
 
 void X509_STORE_free(X509_STORE *vfy)
@@ -232,7 +217,7 @@ void X509_STORE_free(X509_STORE *vfy)
         STACK_OF(X509_LOOKUP) *sk;
         X509_LOOKUP *lu;
 
-        if(vfy == NULL)
+        if (vfy == NULL)
             return;
 
         sk=vfy->get_cert_methods;
@@ -243,11 +228,10 @@ void X509_STORE_free(X509_STORE *vfy)
                 X509_LOOKUP_free(lu);
                 }
         sk_X509_LOOKUP_free(sk);
+        sk_X509_OBJECT_pop_free(vfy->objs, cleanup);
 
         CRYPTO_free_ex_data(x509_store_meth,vfy,&vfy->ex_data);
-        lh_doall(vfy->certs,cleanup);
-        lh_free(vfy->certs);
-        Free(vfy);
+        OPENSSL_free(vfy);
         }
 
 X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m)
@@ -262,22 +246,22 @@ X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m)
                 lu=sk_X509_LOOKUP_value(sk,i);
                 if (m == lu->method)
                         {
-                        return(lu);
+                        return lu;
                         }
                 }
         /* a new one */
         lu=X509_LOOKUP_new(m);
         if (lu == NULL)
-                return(NULL);
+                return NULL;
         else
                 {
                 lu->store_ctx=v;
                 if (sk_X509_LOOKUP_push(v->get_cert_methods,lu))
-                        return(lu);
+                        return lu;
                 else
                         {
                         X509_LOOKUP_free(lu);
-                        return(NULL);
+                        return NULL;
                         }
                 }
         }
@@ -290,7 +274,7 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
         X509_OBJECT stmp,*tmp;
         int i,j;
 
-        tmp=X509_OBJECT_retrieve_by_subject(ctx->certs,type,name);
+        tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name);
 
         if (tmp == NULL)
                 {
@@ -301,7 +285,7 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
                         if (j < 0)
                                 {
                                 vs->current_method=j;
-                                return(j);
+                                return j;
                                 }
                         else if (j)
                                 {
@@ -311,7 +295,7 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
                         }
                 vs->current_method=0;
                 if (tmp == NULL)
-                        return(0);
+                        return 0;
                 }
 
 /*      if (ret->data.ptr != NULL)
@@ -322,7 +306,74 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
 
         X509_OBJECT_up_ref_count(ret);
 
-        return(1);
+        return 1;
+        }
+
+int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
+        {
+        X509_OBJECT *obj;
+        int ret=1;
+
+        if (x == NULL) return 0;
+        obj=(X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT));
+        if (obj == NULL)
+                {
+                X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE);
+                return 0;
+                }
+        obj->type=X509_LU_X509;
+        obj->data.x509=x;
+
+        CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+
+        X509_OBJECT_up_ref_count(obj);
+
+
+        if (X509_OBJECT_retrieve_match(ctx->objs, obj))
+                {
+                X509_OBJECT_free_contents(obj);
+                OPENSSL_free(obj);
+                X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE);
+                ret=0;
+                } 
+        else sk_X509_OBJECT_push(ctx->objs, obj);
+
+        CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+
+        return ret;
+        }
+
+int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
+        {
+        X509_OBJECT *obj;
+        int ret=1;
+
+        if (x == NULL) return 0;
+        obj=(X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT));
+        if (obj == NULL)
+                {
+                X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE);
+                return 0;
+                }
+        obj->type=X509_LU_CRL;
+        obj->data.crl=x;
+
+        CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+
+        X509_OBJECT_up_ref_count(obj);
+
+        if (X509_OBJECT_retrieve_match(ctx->objs, obj))
+                {
+                X509_OBJECT_free_contents(obj);
+                OPENSSL_free(obj);
+                X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE);
+                ret=0;
+                }
+        else sk_X509_OBJECT_push(ctx->objs, obj);
+
+        CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+
+        return ret;
         }
 
 void X509_OBJECT_up_ref_count(X509_OBJECT *a)
@@ -351,10 +402,10 @@ void X509_OBJECT_free_contents(X509_OBJECT *a)
                 }
         }
 
-X509_OBJECT *X509_OBJECT_retrieve_by_subject(LHASH *h, int type,
+int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
              X509_NAME *name)
         {
-        X509_OBJECT stmp,*tmp;
+        X509_OBJECT stmp;
         X509 x509_s;
         X509_CINF cinf_s;
         X509_CRL crl_s;
@@ -374,54 +425,105 @@ X509_OBJECT *X509_OBJECT_retrieve_by_subject(LHASH *h, int type,
                 crl_info_s.issuer=name;
                 break;
         default:
-                abort();
+                /* abort(); */
+                return -1;
                 }
 
-        tmp=(X509_OBJECT *)lh_retrieve(h,&stmp);
-        return(tmp);
+        return sk_X509_OBJECT_find(h,&stmp);
         }
 
-X509_STORE_CTX *X509_STORE_CTX_new(void)
+X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type,
+             X509_NAME *name)
 {
-        X509_STORE_CTX *ctx;
-        ctx = (X509_STORE_CTX *)Malloc(sizeof(X509_STORE_CTX));
-        if(ctx) memset(ctx, 0, sizeof(X509_STORE_CTX));
-        return ctx;
+        int idx;
+        idx = X509_OBJECT_idx_by_subject(h, type, name);
+        if (idx==-1) return NULL;
+        return sk_X509_OBJECT_value(h, idx);
 }
 
-void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
+X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x)
 {
-        X509_STORE_CTX_cleanup(ctx);
-        Free(ctx);
+        int idx, i;
+        X509_OBJECT *obj;
+        idx = sk_X509_OBJECT_find(h, x);
+        if (idx == -1) return NULL;
+        if (x->type != X509_LU_X509) return sk_X509_OBJECT_value(h, idx);
+        for (i = idx; i < sk_X509_OBJECT_num(h); i++)
+                {
+                obj = sk_X509_OBJECT_value(h, i);
+                if (x509_object_cmp((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x))
+                        return NULL;
+                if ((x->type != X509_LU_X509) || !X509_cmp(obj->data.x509, x->data.x509))
+                        return obj;
+                }
+        return NULL;
 }
 
-void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
-             STACK_OF(X509) *chain)
-        {
-        ctx->ctx=store;
-        ctx->current_method=0;
-        ctx->cert=x509;
-        ctx->untrusted=chain;
-        ctx->last_untrusted=0;
-        ctx->purpose=0;
-        ctx->trust=0;
-        ctx->valid=0;
-        ctx->chain=NULL;
-        ctx->depth=9;
-        ctx->error=0;
-        ctx->current_cert=NULL;
-        memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA));
-        }
 
-void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
-        {
-        if (ctx->chain != NULL)
+/* Try to get issuer certificate from store. Due to limitations
+ * of the API this can only retrieve a single certificate matching
+ * a given subject name. However it will fill the cache with all
+ * matching certificates, so we can examine the cache for all 
+ * matches.
+ *
+ * Return values are:
+ *  1 lookup successful.
+ *  0 certificate not found.
+ * -1 some other error.
+ */
+
+
+int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
+{
+        X509_NAME *xn;
+        X509_OBJECT obj, *pobj;
+        int i, ok, idx;
+        xn=X509_get_issuer_name(x);
+        ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
+        if (ok != X509_LU_X509)
+                {
+                if (ok == X509_LU_RETRY)
+                        {
+                        X509_OBJECT_free_contents(&obj);
+                        X509err(X509_F_X509_VERIFY_CERT,X509_R_SHOULD_RETRY);
+                        return -1;
+                        }
+                else if (ok != X509_LU_FAIL)
+                        {
+                        X509_OBJECT_free_contents(&obj);
+                        /* not good :-(, break anyway */
+                        return -1;
+                        }
+                return 0;
+                }
+        /* If certificate matches all OK */
+        if (ctx->check_issued(ctx, x, obj.data.x509))
                 {
-                sk_X509_pop_free(ctx->chain,X509_free);
-                ctx->chain=NULL;
+                *issuer = obj.data.x509;
+                return 1;
                 }
-        CRYPTO_free_ex_data(x509_store_ctx_meth,ctx,&(ctx->ex_data));
-        memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
-        }
+        X509_OBJECT_free_contents(&obj);
+        /* Else find index of first matching cert */
+        idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
+        /* This shouldn't normally happen since we already have one match */
+        if (idx == -1) return 0;
+
+        /* Look through all matching certificates for a suitable issuer */
+        for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
+                {
+                pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
+                /* See if we've ran out of matches */
+                if (pobj->type != X509_LU_X509) return 0;
+                if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509))) return 0;
+                if (ctx->check_issued(ctx, x, pobj->data.x509))
+                        {
+                        *issuer = pobj->data.x509;
+                        X509_OBJECT_up_ref_count(pobj);
+                        return 1;
+                        }
+                }
+        return 0;
+}
 
 IMPLEMENT_STACK_OF(X509_LOOKUP)
+IMPLEMENT_STACK_OF(X509_OBJECT)
diff --git a/src/lib/libcrypto/x509/x509_obj.c b/src/lib/libcrypto/x509/x509_obj.c
index 691b71f031..6a3ba8eb15 100644
--- a/src/lib/libcrypto/x509/x509_obj.c
+++ b/src/lib/libcrypto/x509/x509_obj.c
@@ -91,7 +91,7 @@ int i;
             if(b)
                 {
                 buf=b->data;
-                Free(b);
+                OPENSSL_free(b);
                 }
             strncpy(buf,"NO X509_NAME",len);
             return buf;
@@ -210,7 +210,7 @@ int i;
         if (b != NULL)
                 {
                 p=b->data;
-                Free(b);
+                OPENSSL_free(b);
                 }
         else
                 p=buf;
diff --git a/src/lib/libcrypto/x509/x509_req.c b/src/lib/libcrypto/x509/x509_req.c
index baef8790eb..7eca1bd57a 100644
--- a/src/lib/libcrypto/x509/x509_req.c
+++ b/src/lib/libcrypto/x509/x509_req.c
@@ -83,7 +83,7 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
         ri=ret->req_info;
 
         ri->version->length=1;
-        ri->version->data=(unsigned char *)Malloc(1);
+        ri->version->data=(unsigned char *)OPENSSL_malloc(1);
         if (ri->version->data == NULL) goto err;
         ri->version->data[0]=0; /* version == 0 */
 
@@ -188,7 +188,7 @@ int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts,
         /* Generate encoding of extensions */
         len = i2d_ASN1_SET_OF_X509_EXTENSION(exts, NULL, i2d_X509_EXTENSION,
                         V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL, IS_SEQUENCE);
-        if(!(p = Malloc(len))) goto err;
+        if(!(p = OPENSSL_malloc(len))) goto err;
         q = p;
         i2d_ASN1_SET_OF_X509_EXTENSION(exts, &q, i2d_X509_EXTENSION,
                         V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL, IS_SEQUENCE);
@@ -204,7 +204,7 @@ int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts,
         if(!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) goto err;
         return 1;
         err:
-        if(p) Free(p);
+        if(p) OPENSSL_free(p);
         X509_ATTRIBUTE_free(attr);
         ASN1_TYPE_free(at);
         return 0;
diff --git a/src/lib/libcrypto/x509/x509_set.c b/src/lib/libcrypto/x509/x509_set.c
index add842d17a..aaf61ca062 100644
--- a/src/lib/libcrypto/x509/x509_set.c
+++ b/src/lib/libcrypto/x509/x509_set.c
@@ -104,36 +104,36 @@ int X509_set_subject_name(X509 *x, X509_NAME *name)
         return(X509_NAME_set(&x->cert_info->subject,name));
         }
 
-int X509_set_notBefore(X509 *x, ASN1_UTCTIME *tm)
+int X509_set_notBefore(X509 *x, ASN1_TIME *tm)
         {
-        ASN1_UTCTIME *in;
+        ASN1_TIME *in;
 
         if ((x == NULL) || (x->cert_info->validity == NULL)) return(0);
         in=x->cert_info->validity->notBefore;
         if (in != tm)
                 {
-                in=M_ASN1_UTCTIME_dup(tm);
+                in=M_ASN1_TIME_dup(tm);
                 if (in != NULL)
                         {
-                        M_ASN1_UTCTIME_free(x->cert_info->validity->notBefore);
+                        M_ASN1_TIME_free(x->cert_info->validity->notBefore);
                         x->cert_info->validity->notBefore=in;
                         }
                 }
         return(in != NULL);
         }
 
-int X509_set_notAfter(X509 *x, ASN1_UTCTIME *tm)
+int X509_set_notAfter(X509 *x, ASN1_TIME *tm)
         {
-        ASN1_UTCTIME *in;
+        ASN1_TIME *in;
 
         if ((x == NULL) || (x->cert_info->validity == NULL)) return(0);
         in=x->cert_info->validity->notAfter;
         if (in != tm)
                 {
-                in=M_ASN1_UTCTIME_dup(tm);
+                in=M_ASN1_TIME_dup(tm);
                 if (in != NULL)
                         {
-                        M_ASN1_UTCTIME_free(x->cert_info->validity->notAfter);
+                        M_ASN1_TIME_free(x->cert_info->validity->notAfter);
                         x->cert_info->validity->notAfter=in;
                         }
                 }
diff --git a/src/lib/libcrypto/x509/x509_trs.c b/src/lib/libcrypto/x509/x509_trs.c
index c779aaf94d..a7b1543461 100644
--- a/src/lib/libcrypto/x509/x509_trs.c
+++ b/src/lib/libcrypto/x509/x509_trs.c
@@ -61,7 +61,8 @@
 #include <openssl/x509v3.h>
 
 
-static int tr_cmp(X509_TRUST **a, X509_TRUST **b);
+static int tr_cmp(const X509_TRUST * const *a,
+                const X509_TRUST * const *b);
 static void trtable_free(X509_TRUST *p);
 
 static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags);
@@ -88,7 +89,8 @@ IMPLEMENT_STACK_OF(X509_TRUST)
 
 static STACK_OF(X509_TRUST) *trtable = NULL;
 
-static int tr_cmp(X509_TRUST **a, X509_TRUST **b)
+static int tr_cmp(const X509_TRUST * const *a,
+                const X509_TRUST * const *b)
 {
         return (*a)->trust - (*b)->trust;
 }
@@ -152,15 +154,15 @@ int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
         idx = X509_TRUST_get_by_id(id);
         /* Need a new entry */
         if(idx == -1) {
-                if(!(trtmp = Malloc(sizeof(X509_TRUST)))) {
+                if(!(trtmp = OPENSSL_malloc(sizeof(X509_TRUST)))) {
                         X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
                         return 0;
                 }
                 trtmp->flags = X509_TRUST_DYNAMIC;
         } else trtmp = X509_TRUST_get0(idx);
 
-        /* Free existing name if dynamic */
-        if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) Free(trtmp->name);
+        /* OPENSSL_free existing name if dynamic */
+        if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) OPENSSL_free(trtmp->name);
         /* dup supplied name */
         if(!(trtmp->name = BUF_strdup(name))) {
                 X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
@@ -196,8 +198,8 @@ static void trtable_free(X509_TRUST *p)
         if (p->flags & X509_TRUST_DYNAMIC) 
                 {
                 if (p->flags & X509_TRUST_DYNAMIC_NAME)
-                        Free(p->name);
-                Free(p);
+                        OPENSSL_free(p->name);
+                OPENSSL_free(p);
                 }
         }
 
diff --git a/src/lib/libcrypto/x509/x509_txt.c b/src/lib/libcrypto/x509/x509_txt.c
index 209cf53191..cfb478d4bc 100644
--- a/src/lib/libcrypto/x509/x509_txt.c
+++ b/src/lib/libcrypto/x509/x509_txt.c
@@ -132,6 +132,15 @@ const char *X509_verify_cert_error_string(long n)
                 return ("certificate rejected");
         case X509_V_ERR_APPLICATION_VERIFICATION:
                 return("application verification failure");
+        case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
+                return("subject issuer mismatch");
+        case X509_V_ERR_AKID_SKID_MISMATCH:
+                return("authority and subject key identifier mismatch");
+        case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
+                return("authority and issuer serial number mismatch");
+        case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
+                return("key usage does not include certificate signing");
+
         default:
                 sprintf(buf,"error number %ld",n);
                 return(buf);
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 3ddb2303d3..0f4110cc64 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -71,6 +71,8 @@
 #include <openssl/objects.h>
 
 static int null_callback(int ok,X509_STORE_CTX *e);
+static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
+static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
 static int check_chain_purpose(X509_STORE_CTX *ctx);
 static int check_trust(X509_STORE_CTX *ctx);
 static int internal_verify(X509_STORE_CTX *ctx);
@@ -85,13 +87,13 @@ static STACK *x509_store_method=NULL;
 
 static int null_callback(int ok, X509_STORE_CTX *e)
         {
-        return(ok);
+        return ok;
         }
 
 #if 0
 static int x509_subject_cmp(X509 **a, X509 **b)
         {
-        return(X509_subject_name_cmp(*a,*b));
+        return X509_subject_name_cmp(*a,*b);
         }
 #endif
 
@@ -99,7 +101,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
         {
         X509 *x,*xtmp,*chain_ss=NULL;
         X509_NAME *xn;
-        X509_OBJECT obj;
         int depth,i,ok=0;
         int num;
         int (*cb)();
@@ -108,10 +109,10 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
         if (ctx->cert == NULL)
                 {
                 X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
-                return(-1);
+                return -1;
                 }
 
-        cb=ctx->ctx->verify_cb;
+        cb=ctx->verify_cb;
         if (cb == NULL) cb=null_callback;
 
         /* first we make sure the chain we are going to build is
@@ -152,13 +153,12 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 
                 /* If we are self signed, we break */
                 xn=X509_get_issuer_name(x);
-                if (X509_NAME_cmp(X509_get_subject_name(x),xn) == 0)
-                        break;
+                if (ctx->check_issued(ctx, x,x)) break;
 
                 /* If we were passed a cert chain, use it first */
                 if (ctx->untrusted != NULL)
                         {
-                        xtmp=X509_find_by_subject(sktmp,xn);
+                        xtmp=find_issuer(ctx, sktmp,x);
                         if (xtmp != NULL)
                                 {
                                 if (!sk_X509_push(ctx->chain,xtmp))
@@ -183,11 +183,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
          * certificates.  We now need to add at least one trusted one,
          * if possible, otherwise we complain. */
 
+        /* Examine last certificate in chain and see if it
+         * is self signed.
+         */
+
         i=sk_X509_num(ctx->chain);
         x=sk_X509_value(ctx->chain,i-1);
         xn = X509_get_subject_name(x);
-        if (X509_NAME_cmp(xn,X509_get_issuer_name(x))
-                == 0)
+        if (ctx->check_issued(ctx, x, x))
                 {
                 /* we have a self signed certificate */
                 if (sk_X509_num(ctx->chain) == 1)
@@ -196,13 +199,13 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
                          * we can find it in the store. We must have an exact
                          * match to avoid possible impersonation.
                          */
-                        ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
-                        if ((ok != X509_LU_X509) || X509_cmp(x, obj.data.x509)) 
+                        ok = ctx->get_issuer(&xtmp, ctx, x);
+                        if ((ok <= 0) || X509_cmp(x, xtmp)) 
                                 {
                                 ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
                                 ctx->current_cert=x;
                                 ctx->error_depth=i-1;
-                                if(ok == X509_LU_X509) X509_OBJECT_free_contents(&obj);
+                                if (ok == 1) X509_free(xtmp);
                                 ok=cb(0,ctx);
                                 if (!ok) goto end;
                                 }
@@ -212,14 +215,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
                                  * so we get any trust settings.
                                  */
                                 X509_free(x);
-                                x = obj.data.x509;
+                                x = xtmp;
                                 sk_X509_set(ctx->chain, i - 1, x);
                                 ctx->last_untrusted=0;
                                 }
                         }
                 else
                         {
-                        /* worry more about this one elsewhere */
+                        /* extract and save self signed certificate for later use */
                         chain_ss=sk_X509_pop(ctx->chain);
                         ctx->last_untrusted--;
                         num--;
@@ -235,41 +238,30 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 
                 /* If we are self signed, we break */
                 xn=X509_get_issuer_name(x);
-                if (X509_NAME_cmp(X509_get_subject_name(x),xn) == 0)
-                        break;
+                if (ctx->check_issued(ctx,x,x)) break;
 
-                ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
-                if (ok != X509_LU_X509)
-                        {
-                        if (ok == X509_LU_RETRY)
-                                {
-                                X509_OBJECT_free_contents(&obj);
-                                X509err(X509_F_X509_VERIFY_CERT,X509_R_SHOULD_RETRY);
-                                return(ok);
-                                }
-                        else if (ok != X509_LU_FAIL)
-                                {
-                                X509_OBJECT_free_contents(&obj);
-                                /* not good :-(, break anyway */
-                                return(ok);
-                                }
-                        break;
-                        }
-                x=obj.data.x509;
-                if (!sk_X509_push(ctx->chain,obj.data.x509))
+                ok = ctx->get_issuer(&xtmp, ctx, x);
+
+                if (ok < 0) return ok;
+                if (ok == 0) break;
+
+                x = xtmp;
+                if (!sk_X509_push(ctx->chain,x))
                         {
-                        X509_OBJECT_free_contents(&obj);
+                        X509_free(xtmp);
                         X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
-                        return(0);
+                        return 0;
                         }
                 num++;
                 }
 
         /* we now have our chain, lets check it... */
         xn=X509_get_issuer_name(x);
-        if (X509_NAME_cmp(X509_get_subject_name(x),xn) != 0)
+
+        /* Is last certificate looked up self signed? */
+        if (!ctx->check_issued(ctx,x,x))
                 {
-                if ((chain_ss == NULL) || (X509_NAME_cmp(X509_get_subject_name(chain_ss),xn) != 0))
+                if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss))
                         {
                         if (ctx->last_untrusted >= num)
                                 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
@@ -294,22 +286,22 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
                 }
 
         /* We have the chain complete: now we need to check its purpose */
-        if(ctx->purpose > 0) ok = check_chain_purpose(ctx);
+        if (ctx->purpose > 0) ok = check_chain_purpose(ctx);
 
-        if(!ok) goto end;
+        if (!ok) goto end;
 
         /* The chain extensions are OK: check trust */
 
-        if(ctx->trust > 0) ok = check_trust(ctx);
+        if (ctx->trust > 0) ok = check_trust(ctx);
 
-        if(!ok) goto end;
+        if (!ok) goto end;
 
         /* We may as well copy down any DSA parameters that are required */
         X509_get_pubkey_parameters(NULL,ctx->chain);
 
         /* At this point, we have a chain and just need to verify it */
-        if (ctx->ctx->verify != NULL)
-                ok=ctx->ctx->verify(ctx);
+        if (ctx->verify != NULL)
+                ok=ctx->verify(ctx);
         else
                 ok=internal_verify(ctx);
         if (0)
@@ -319,9 +311,61 @@ end:
                 }
         if (sktmp != NULL) sk_X509_free(sktmp);
         if (chain_ss != NULL) X509_free(chain_ss);
-        return(ok);
+        return ok;
         }
 
+
+/* Given a STACK_OF(X509) find the issuer of cert (if any)
+ */
+
+static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
+{
+        int i;
+        X509 *issuer;
+        for (i = 0; i < sk_X509_num(sk); i++)
+                {
+                issuer = sk_X509_value(sk, i);
+                if (ctx->check_issued(ctx, x, issuer))
+                        return issuer;
+                }
+        return NULL;
+}
+
+/* Given a possible certificate and issuer check them */
+
+static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
+{
+        int ret;
+        ret = X509_check_issued(issuer, x);
+        if (ret == X509_V_OK)
+                return 1;
+        /* If we haven't asked for issuer errors don't set ctx */
+        if (!(ctx->flags & X509_V_FLAG_CB_ISSUER_CHECK))
+                return 0;
+
+        ctx->error = ret;
+        ctx->current_cert = x;
+        ctx->current_issuer = issuer;
+        if (ctx->verify_cb)
+                return ctx->verify_cb(0, ctx);
+        return 0;
+}
+
+/* Alternative lookup method: look from a STACK stored in other_ctx */
+
+static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
+{
+        *issuer = find_issuer(ctx, ctx->other_ctx, x);
+        if (*issuer)
+                {
+                CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509);
+                return 1;
+                }
+        else
+                return 0;
+}
+        
+
 /* Check a certificate chains extensions for consistency
  * with the supplied purpose
  */
@@ -334,32 +378,37 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
         int i, ok=0;
         X509 *x;
         int (*cb)();
-        cb=ctx->ctx->verify_cb;
+        cb=ctx->verify_cb;
         if (cb == NULL) cb=null_callback;
         /* Check all untrusted certificates */
-        for(i = 0; i < ctx->last_untrusted; i++) {
+        for (i = 0; i < ctx->last_untrusted; i++)
+                {
                 x = sk_X509_value(ctx->chain, i);
-                if(!X509_check_purpose(x, ctx->purpose, i)) {
-                        if(i) ctx->error = X509_V_ERR_INVALID_CA;
-                        else ctx->error = X509_V_ERR_INVALID_PURPOSE;
+                if (!X509_check_purpose(x, ctx->purpose, i))
+                        {
+                        if (i)
+                                ctx->error = X509_V_ERR_INVALID_CA;
+                        else
+                                ctx->error = X509_V_ERR_INVALID_PURPOSE;
                         ctx->error_depth = i;
                         ctx->current_cert = x;
                         ok=cb(0,ctx);
-                        if(!ok) goto end;
-                }
+                        if (!ok) goto end;
+                        }
                 /* Check pathlen */
-                if((i > 1) && (x->ex_pathlen != -1)
-                                        && (i > (x->ex_pathlen + 1))) {
+                if ((i > 1) && (x->ex_pathlen != -1)
+                           && (i > (x->ex_pathlen + 1)))
+                        {
                         ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
                         ctx->error_depth = i;
                         ctx->current_cert = x;
                         ok=cb(0,ctx);
-                        if(!ok) goto end;
+                        if (!ok) goto end;
+                        }
                 }
-        }
         ok = 1;
-        end:
-        return(ok);
+ end:
+        return ok;
 #endif
 }
 
@@ -371,19 +420,22 @@ static int check_trust(X509_STORE_CTX *ctx)
         int i, ok;
         X509 *x;
         int (*cb)();
-        cb=ctx->ctx->verify_cb;
+        cb=ctx->verify_cb;
         if (cb == NULL) cb=null_callback;
 /* For now just check the last certificate in the chain */
         i = sk_X509_num(ctx->chain) - 1;
         x = sk_X509_value(ctx->chain, i);
         ok = X509_check_trust(x, ctx->trust, 0);
-        if(ok == X509_TRUST_TRUSTED) return 1;
+        if (ok == X509_TRUST_TRUSTED)
+                return 1;
         ctx->error_depth = sk_X509_num(ctx->chain) - 1;
         ctx->current_cert = x;
-        if(ok == X509_TRUST_REJECTED) ctx->error = X509_V_ERR_CERT_REJECTED;
-        else ctx->error = X509_V_ERR_CERT_UNTRUSTED;
+        if (ok == X509_TRUST_REJECTED)
+                ctx->error = X509_V_ERR_CERT_REJECTED;
+        else
+                ctx->error = X509_V_ERR_CERT_UNTRUSTED;
         ok = cb(0, ctx);
-        return(ok);
+        return ok;
 #endif
 }
 
@@ -392,17 +444,21 @@ static int internal_verify(X509_STORE_CTX *ctx)
         int i,ok=0,n;
         X509 *xs,*xi;
         EVP_PKEY *pkey=NULL;
+        time_t *ptime;
         int (*cb)();
 
-        cb=ctx->ctx->verify_cb;
+        cb=ctx->verify_cb;
         if (cb == NULL) cb=null_callback;
 
         n=sk_X509_num(ctx->chain);
         ctx->error_depth=n-1;
         n--;
         xi=sk_X509_value(ctx->chain,n);
-        if (X509_NAME_cmp(X509_get_subject_name(xi),
-                X509_get_issuer_name(xi)) == 0)
+        if (ctx->flags & X509_V_FLAG_USE_CHECK_TIME)
+                ptime = &ctx->check_time;
+        else
+                ptime = NULL;
+        if (ctx->check_issued(ctx, xi, xi))
                 xs=xi;
         else
                 {
@@ -448,7 +504,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
                         EVP_PKEY_free(pkey);
                         pkey=NULL;
 
-                        i=X509_cmp_current_time(X509_get_notBefore(xs));
+                        i=X509_cmp_time(X509_get_notBefore(xs), ptime);
                         if (i == 0)
                                 {
                                 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
@@ -466,7 +522,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
                         xs->valid=1;
                         }
 
-                i=X509_cmp_current_time(X509_get_notAfter(xs));
+                i=X509_cmp_time(X509_get_notAfter(xs), ptime);
                 if (i == 0)
                         {
                         ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
@@ -499,13 +555,18 @@ static int internal_verify(X509_STORE_CTX *ctx)
                 }
         ok=1;
 end:
-        return(ok);
+        return ok;
         }
 
-int X509_cmp_current_time(ASN1_UTCTIME *ctm)
+int X509_cmp_current_time(ASN1_TIME *ctm)
+{
+        return X509_cmp_time(ctm, NULL);
+}
+
+int X509_cmp_time(ASN1_TIME *ctm, time_t *cmp_time)
         {
         char *str;
-        ASN1_UTCTIME atm;
+        ASN1_TIME atm;
         time_t offset;
         char buff1[24],buff2[24],*p;
         int i,j;
@@ -513,14 +574,35 @@ int X509_cmp_current_time(ASN1_UTCTIME *ctm)
         p=buff1;
         i=ctm->length;
         str=(char *)ctm->data;
-        if ((i < 11) || (i > 17)) return(0);
-        memcpy(p,str,10);
-        p+=10;
-        str+=10;
+        if (ctm->type == V_ASN1_UTCTIME)
+                {
+                if ((i < 11) || (i > 17)) return 0;
+                memcpy(p,str,10);
+                p+=10;
+                str+=10;
+                }
+        else
+                {
+                if (i < 13) return 0;
+                memcpy(p,str,12);
+                p+=12;
+                str+=12;
+                }
 
         if ((*str == 'Z') || (*str == '-') || (*str == '+'))
                 { *(p++)='0'; *(p++)='0'; }
-        else    { *(p++)= *(str++); *(p++)= *(str++); }
+        else
+                { 
+                *(p++)= *(str++);
+                *(p++)= *(str++);
+                /* Skip any fractional seconds... */
+                if (*str == '.')
+                        {
+                        str++;
+                        while ((*str >= '0') && (*str <= '9')) str++;
+                        }
+                
+                }
         *(p++)='Z';
         *(p++)='\0';
 
@@ -529,39 +611,51 @@ int X509_cmp_current_time(ASN1_UTCTIME *ctm)
         else
                 {
                 if ((*str != '+') && (str[5] != '-'))
-                        return(0);
+                        return 0;
                 offset=((str[1]-'0')*10+(str[2]-'0'))*60;
                 offset+=(str[3]-'0')*10+(str[4]-'0');
                 if (*str == '-')
                         offset= -offset;
                 }
-        atm.type=V_ASN1_UTCTIME;
+        atm.type=ctm->type;
         atm.length=sizeof(buff2);
         atm.data=(unsigned char *)buff2;
 
-        X509_gmtime_adj(&atm,-offset*60);
+        X509_time_adj(&atm,-offset*60, cmp_time);
 
-        i=(buff1[0]-'0')*10+(buff1[1]-'0');
-        if (i < 50) i+=100; /* cf. RFC 2459 */
-        j=(buff2[0]-'0')*10+(buff2[1]-'0');
-        if (j < 50) j+=100;
+        if (ctm->type == V_ASN1_UTCTIME)
+                {
+                i=(buff1[0]-'0')*10+(buff1[1]-'0');
+                if (i < 50) i+=100; /* cf. RFC 2459 */
+                j=(buff2[0]-'0')*10+(buff2[1]-'0');
+                if (j < 50) j+=100;
 
-        if (i < j) return (-1);
-        if (i > j) return (1);
+                if (i < j) return -1;
+                if (i > j) return 1;
+                }
         i=strcmp(buff1,buff2);
         if (i == 0) /* wait a second then return younger :-) */
-                return(-1);
+                return -1;
         else
-                return(i);
+                return i;
         }
 
-ASN1_UTCTIME *X509_gmtime_adj(ASN1_UTCTIME *s, long adj)
+ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
+{
+        return X509_time_adj(s, adj, NULL);
+}
+
+ASN1_TIME *X509_time_adj(ASN1_TIME *s, long adj, time_t *in_tm)
         {
         time_t t;
 
-        time(&t);
+        if (in_tm) t = *in_tm;
+        else time(&t);
+
         t+=adj;
-        return(ASN1_UTCTIME_set(s,t));
+        if (!s) return ASN1_TIME_set(s, t);
+        if (s->type == V_ASN1_UTCTIME) return ASN1_UTCTIME_set(s,t);
+        return ASN1_GENERALIZEDTIME_set(s, t);
         }
 
 int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
@@ -569,7 +663,7 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
         EVP_PKEY *ktmp=NULL,*ktmp2;
         int i,j;
 
-        if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return(1);
+        if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1;
 
         for (i=0; i<sk_X509_num(chain); i++)
                 {
@@ -577,7 +671,7 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
                 if (ktmp == NULL)
                         {
                         X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
-                        return(0);
+                        return 0;
                         }
                 if (!EVP_PKEY_missing_parameters(ktmp))
                         break;
@@ -590,7 +684,7 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
         if (ktmp == NULL)
                 {
                 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
-                return(0);
+                return 0;
                 }
 
         /* first, populate the other certs */
@@ -603,101 +697,31 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
         
         if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp);
         EVP_PKEY_free(ktmp);
-        return(1);
-        }
-
-int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
-        {
-        X509_OBJECT *obj,*r;
-        int ret=1;
-
-        if (x == NULL) return(0);
-        obj=(X509_OBJECT *)Malloc(sizeof(X509_OBJECT));
-        if (obj == NULL)
-                {
-                X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE);
-                return(0);
-                }
-        obj->type=X509_LU_X509;
-        obj->data.x509=x;
-
-        CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
-
-        X509_OBJECT_up_ref_count(obj);
-
-        r=(X509_OBJECT *)lh_insert(ctx->certs,obj);
-        if (r != NULL)
-                { /* oops, put it back */
-                lh_delete(ctx->certs,obj);
-                X509_OBJECT_free_contents(obj);
-                Free(obj);
-                lh_insert(ctx->certs,r);
-                X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE);
-                ret=0;
-                }
-
-        CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
-
-        return(ret);    
-        }
-
-int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
-        {
-        X509_OBJECT *obj,*r;
-        int ret=1;
-
-        if (x == NULL) return(0);
-        obj=(X509_OBJECT *)Malloc(sizeof(X509_OBJECT));
-        if (obj == NULL)
-                {
-                X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE);
-                return(0);
-                }
-        obj->type=X509_LU_CRL;
-        obj->data.crl=x;
-
-        CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
-
-        X509_OBJECT_up_ref_count(obj);
-
-        r=(X509_OBJECT *)lh_insert(ctx->certs,obj);
-        if (r != NULL)
-                { /* oops, put it back */
-                lh_delete(ctx->certs,obj);
-                X509_OBJECT_free_contents(obj);
-                Free(obj);
-                lh_insert(ctx->certs,r);
-                X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE);
-                ret=0;
-                }
-
-        CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
-
-        return(ret);    
+        return 1;
         }
 
 int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
              CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
         {
         x509_store_ctx_num++;
-        return(CRYPTO_get_ex_new_index(x509_store_ctx_num-1,
+        return CRYPTO_get_ex_new_index(x509_store_ctx_num-1,
                 &x509_store_ctx_method,
-                argl,argp,new_func,dup_func,free_func));
+                argl,argp,new_func,dup_func,free_func);
         }
 
 int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
         {
-        return(CRYPTO_set_ex_data(&ctx->ex_data,idx,data));
+        return CRYPTO_set_ex_data(&ctx->ex_data,idx,data);
         }
 
 void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
         {
-        return(CRYPTO_get_ex_data(&ctx->ex_data,idx));
+        return CRYPTO_get_ex_data(&ctx->ex_data,idx);
         }
 
 int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
         {
-        return(ctx->error);
+        return ctx->error;
         }
 
 void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
@@ -707,17 +731,17 @@ void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
 
 int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
         {
-        return(ctx->error_depth);
+        return ctx->error_depth;
         }
 
 X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
         {
-        return(ctx->current_cert);
+        return ctx->current_cert;
         }
 
 STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
         {
-        return(ctx->chain);
+        return ctx->chain;
         }
 
 STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
@@ -725,12 +749,13 @@ STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
         int i;
         X509 *x;
         STACK_OF(X509) *chain;
-        if(!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL;
-        for(i = 0; i < sk_X509_num(chain); i++) {
+        if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL;
+        for (i = 0; i < sk_X509_num(chain); i++)
+                {
                 x = sk_X509_value(chain, i);
                 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
-        }
-        return(chain);
+                }
+        return chain;
         }
 
 void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
@@ -768,43 +793,123 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
 {
         int idx;
         /* If purpose not set use default */
-        if(!purpose) purpose = def_purpose;
+        if (!purpose) purpose = def_purpose;
         /* If we have a purpose then check it is valid */
-        if(purpose) {
+        if (purpose)
+                {
                 X509_PURPOSE *ptmp;
                 idx = X509_PURPOSE_get_by_id(purpose);
-                if(idx == -1) {
+                if (idx == -1)
+                        {
                         X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
                                                 X509_R_UNKNOWN_PURPOSE_ID);
                         return 0;
-                }
+                        }
                 ptmp = X509_PURPOSE_get0(idx);
-                if(ptmp->trust == X509_TRUST_DEFAULT) {
+                if (ptmp->trust == X509_TRUST_DEFAULT)
+                        {
                         idx = X509_PURPOSE_get_by_id(def_purpose);
-                        if(idx == -1) {
+                        if (idx == -1)
+                                {
                                 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
                                                 X509_R_UNKNOWN_PURPOSE_ID);
                                 return 0;
-                        }
+                                }
                         ptmp = X509_PURPOSE_get0(idx);
-                }
+                        }
                 /* If trust not set then get from purpose default */
-                if(!trust) trust = ptmp->trust;
-        }
-        if(trust) {
+                if (!trust) trust = ptmp->trust;
+                }
+        if (trust)
+                {
                 idx = X509_TRUST_get_by_id(trust);
-                if(idx == -1) {
+                if (idx == -1)
+                        {
                         X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
                                                 X509_R_UNKNOWN_TRUST_ID);
                         return 0;
+                        }
                 }
-        }
 
-        if(purpose) ctx->purpose = purpose;
-        if(trust) ctx->trust = trust;
+        if (purpose) ctx->purpose = purpose;
+        if (trust) ctx->trust = trust;
         return 1;
 }
 
+X509_STORE_CTX *X509_STORE_CTX_new(void)
+{
+        X509_STORE_CTX *ctx;
+        ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX));
+        if (ctx) memset(ctx, 0, sizeof(X509_STORE_CTX));
+        return ctx;
+}
+
+void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
+{
+        X509_STORE_CTX_cleanup(ctx);
+        OPENSSL_free(ctx);
+}
+
+void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
+             STACK_OF(X509) *chain)
+        {
+        ctx->ctx=store;
+        ctx->current_method=0;
+        ctx->cert=x509;
+        ctx->untrusted=chain;
+        ctx->last_untrusted=0;
+        ctx->purpose=0;
+        ctx->trust=0;
+        ctx->check_time=0;
+        ctx->flags=0;
+        ctx->other_ctx=NULL;
+        ctx->valid=0;
+        ctx->chain=NULL;
+        ctx->depth=9;
+        ctx->error=0;
+        ctx->error_depth=0;
+        ctx->current_cert=NULL;
+        ctx->current_issuer=NULL;
+        ctx->check_issued = check_issued;
+        ctx->get_issuer = X509_STORE_CTX_get1_issuer;
+        ctx->verify_cb = store->verify_cb;
+        ctx->verify = store->verify;
+        ctx->cleanup = 0;
+        memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA));
+        }
+
+/* Set alternative lookup method: just a STACK of trusted certificates.
+ * This avoids X509_STORE nastiness where it isn't needed.
+ */
+
+void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
+{
+        ctx->other_ctx = sk;
+        ctx->get_issuer = get_issuer_sk;
+}
+
+void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
+        {
+        if (ctx->cleanup) ctx->cleanup(ctx);
+        if (ctx->chain != NULL)
+                {
+                sk_X509_pop_free(ctx->chain,X509_free);
+                ctx->chain=NULL;
+                }
+        CRYPTO_free_ex_data(x509_store_ctx_method,ctx,&(ctx->ex_data));
+        memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
+        }
+
+void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, long flags)
+        {
+        ctx->flags |= flags;
+        }
+
+void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, long flags, time_t t)
+        {
+        ctx->check_time = t;
+        ctx->flags |= X509_V_FLAG_USE_CHECK_TIME;
+        }
 
 IMPLEMENT_STACK_OF(X509)
 IMPLEMENT_ASN1_SET_OF(X509)
diff --git a/src/lib/libcrypto/x509/x509_vfy.h b/src/lib/libcrypto/x509/x509_vfy.h
index 4637aecedf..e289d5309a 100644
--- a/src/lib/libcrypto/x509/x509_vfy.h
+++ b/src/lib/libcrypto/x509/x509_vfy.h
@@ -65,13 +65,16 @@
 #ifndef HEADER_X509_VFY_H
 #define HEADER_X509_VFY_H
 
-#ifdef  __cplusplus
-extern "C" {
+#ifndef NO_LHASH
+#include <openssl/lhash.h>
 #endif
-
 #include <openssl/bio.h>
 #include <openssl/crypto.h>
 
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
 /* Outer object */
 typedef struct x509_hash_dir_st
         {
@@ -128,6 +131,7 @@ typedef struct x509_object_st
 typedef struct x509_lookup_st X509_LOOKUP;
 
 DECLARE_STACK_OF(X509_LOOKUP)
+DECLARE_STACK_OF(X509_OBJECT)
 
 /* This is a static that defines the function interface */
 typedef struct x509_lookup_method_st
@@ -150,7 +154,7 @@ typedef struct x509_lookup_method_st
                             X509_OBJECT *ret);
         } X509_LOOKUP_METHOD;
 
-typedef struct x509_store_state_st X509_STORE_CTX;
+typedef struct x509_store_ctx_st X509_STORE_CTX;
 
 /* This is used to hold everything.  It is used for all certificate
  * validation.  Once we have a certificate chain, the 'verify'
@@ -159,11 +163,7 @@ typedef struct x509_store_st
         {
         /* The following is a cache of trusted certs */
         int cache;      /* if true, stash any hits */
-#ifdef HEADER_LHASH_H
-        LHASH *certs;   /* cached certs; */ 
-#else
-        char *certs;
-#endif
+        STACK_OF(X509_OBJECT) *objs;    /* Cache of all objects */
 
         /* These are external lookup methods */
         STACK_OF(X509_LOOKUP) *get_cert_methods;
@@ -191,10 +191,10 @@ struct x509_lookup_st
         X509_STORE *store_ctx;  /* who owns us */
         };
 
-/* This is a temporary used when processing cert chains.  Since the
+/* This is a used when verifying cert chains.  Since the
  * gathering of the cert chain can take some time (and have to be
  * 'retried', this needs to be kept and passed around. */
-struct x509_store_state_st      /* X509_STORE_CTX */
+struct x509_store_ctx_st      /* X509_STORE_CTX */
         {
         X509_STORE *ctx;
         int current_method;     /* used when looking up certs */
@@ -204,6 +204,16 @@ struct x509_store_state_st      /* X509_STORE_CTX */
         STACK_OF(X509) *untrusted;      /* chain of X509s - untrusted - passed in */
         int purpose;            /* purpose to check untrusted certificates */
         int trust;              /* trust setting to check */
+        time_t  check_time;     /* time to make verify at */
+        unsigned long flags;    /* Various verify flags */
+        void *other_ctx;        /* Other info for use with get_issuer() */
+
+        /* Callbacks for various operations */
+        int (*verify)(X509_STORE_CTX *ctx);     /* called to verify a certificate */
+        int (*verify_cb)(int ok,X509_STORE_CTX *ctx);           /* error callback */
+        int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */
+        int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
+        int (*cleanup)(X509_STORE_CTX *ctx);
 
         /* The following is built up */
         int depth;              /* how far to go looking up certs */
@@ -215,6 +225,7 @@ struct x509_store_state_st      /* X509_STORE_CTX */
         int error_depth;
         int error;
         X509 *current_cert;
+        X509 *current_issuer;   /* cert currently being tested as valid issuer */
 
         CRYPTO_EX_DATA ex_data;
         };
@@ -265,10 +276,20 @@ struct x509_store_state_st      /* X509_STORE_CTX */
 #define         X509_V_ERR_INVALID_PURPOSE                      26
 #define         X509_V_ERR_CERT_UNTRUSTED                       27
 #define         X509_V_ERR_CERT_REJECTED                        28
+/* These are 'informational' when looking for issuer cert */
+#define         X509_V_ERR_SUBJECT_ISSUER_MISMATCH              29
+#define         X509_V_ERR_AKID_SKID_MISMATCH                   30
+#define         X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH          31
+#define         X509_V_ERR_KEYUSAGE_NO_CERTSIGN                 32
 
 /* The application is not happy */
 #define         X509_V_ERR_APPLICATION_VERIFICATION             50
 
+/* Certificate verify flags */
+
+#define X509_V_FLAG_CB_ISSUER_CHECK             0x1     /* Send issuer+subject checks to verify_cb */
+#define X509_V_FLAG_USE_CHECK_TIME              0x2     /* Use check time instead of current time */
+
                   /* These functions are being redefined in another directory,
                      and clash when the linker is case-insensitive, so let's
                      hide them a little, by giving them an extra 'o' at the
@@ -284,18 +305,23 @@ struct x509_store_state_st      /* X509_STORE_CTX */
 #define X509v3_add_standard_extensions oX509v3_add_standard_extensions
 #endif
 
-#ifdef HEADER_LHASH_H
-X509_OBJECT *X509_OBJECT_retrieve_by_subject(LHASH *h,int type,X509_NAME *name);
-#endif
+int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
+             X509_NAME *name);
+X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h,int type,X509_NAME *name);
+X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x);
 void X509_OBJECT_up_ref_count(X509_OBJECT *a);
 void X509_OBJECT_free_contents(X509_OBJECT *a);
 X509_STORE *X509_STORE_new(void );
 void X509_STORE_free(X509_STORE *v);
 
 X509_STORE_CTX *X509_STORE_CTX_new(void);
+
+int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
+
 void X509_STORE_CTX_free(X509_STORE_CTX *ctx);
 void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
                          X509 *x509, STACK_OF(X509) *chain);
+void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
 void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
 
 X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m);
@@ -354,6 +380,8 @@ int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
 int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust);
 int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
                                 int purpose, int trust);
+void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, long flags);
+void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, long flags, time_t t);
 
 #ifdef  __cplusplus
 }
diff --git a/src/lib/libcrypto/x509/x509spki.c b/src/lib/libcrypto/x509/x509spki.c
index b35c3f92e7..fd0a534d88 100644
--- a/src/lib/libcrypto/x509/x509spki.c
+++ b/src/lib/libcrypto/x509/x509spki.c
@@ -82,7 +82,7 @@ NETSCAPE_SPKI * NETSCAPE_SPKI_b64_decode(const char *str, int len)
         int spki_len;
         NETSCAPE_SPKI *spki;
         if(len <= 0) len = strlen(str);
-        if (!(spki_der = Malloc(len + 1))) {
+        if (!(spki_der = OPENSSL_malloc(len + 1))) {
                 X509err(X509_F_NETSCAPE_SPKI_B64_DECODE, ERR_R_MALLOC_FAILURE);
                 return NULL;
         }
@@ -90,12 +90,12 @@ NETSCAPE_SPKI * NETSCAPE_SPKI_b64_decode(const char *str, int len)
         if(spki_len < 0) {
                 X509err(X509_F_NETSCAPE_SPKI_B64_DECODE,
                                                 X509_R_BASE64_DECODE_ERROR);
-                Free(spki_der);
+                OPENSSL_free(spki_der);
                 return NULL;
         }
         p = spki_der;
         spki = d2i_NETSCAPE_SPKI(NULL, &p, spki_len);
-        Free(spki_der);
+        OPENSSL_free(spki_der);
         return spki;
 }
 
@@ -107,8 +107,8 @@ char * NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki)
         char *b64_str;
         int der_len;
         der_len = i2d_NETSCAPE_SPKI(spki, NULL);
-        der_spki = Malloc(der_len);
-        b64_str = Malloc(der_len * 2);
+        der_spki = OPENSSL_malloc(der_len);
+        b64_str = OPENSSL_malloc(der_len * 2);
         if(!der_spki || !b64_str) {
                 X509err(X509_F_NETSCAPE_SPKI_B64_ENCODE, ERR_R_MALLOC_FAILURE);
                 return NULL;
@@ -116,6 +116,6 @@ char * NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki)
         p = der_spki;
         i2d_NETSCAPE_SPKI(spki, &p);
         EVP_EncodeBlock((unsigned char *)b64_str, der_spki, der_len);
-        Free(der_spki);
+        OPENSSL_free(der_spki);
         return b64_str;
 }
diff --git a/src/lib/libcrypto/x509/x_all.c b/src/lib/libcrypto/x509/x_all.c
index d2bf3c8e1c..9bd6e2a39b 100644
--- a/src/lib/libcrypto/x509/x_all.c
+++ b/src/lib/libcrypto/x509/x_all.c
@@ -411,13 +411,25 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne)
                 (char *(*)())d2i_X509_NAME_ENTRY,(char *)ne));
         }
 
-int X509_digest(X509 *data, const EVP_MD *type, unsigned char *md,
+int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
              unsigned int *len)
         {
         return(ASN1_digest((int (*)())i2d_X509,type,(char *)data,md,len));
         }
 
-int X509_NAME_digest(X509_NAME *data, const EVP_MD *type, unsigned char *md,
+int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type, unsigned char *md,
+             unsigned int *len)
+        {
+        return(ASN1_digest((int (*)())i2d_X509_CRL,type,(char *)data,md,len));
+        }
+
+int X509_REQ_digest(const X509_REQ *data, const EVP_MD *type, unsigned char *md,
+             unsigned int *len)
+        {
+        return(ASN1_digest((int (*)())i2d_X509_REQ,type,(char *)data,md,len));
+        }
+
+int X509_NAME_digest(const X509_NAME *data, const EVP_MD *type, unsigned char *md,
              unsigned int *len)
         {
         return(ASN1_digest((int (*)())i2d_X509_NAME,type,(char *)data,md,len));
@@ -492,6 +504,17 @@ EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a)
                 (char *(*)())d2i_AutoPrivateKey, (fp),(unsigned char **)(a)));
 }
 
+int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey)
+        {
+        return(ASN1_i2d_fp(i2d_PUBKEY,fp,(unsigned char *)pkey));
+        }
+
+EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a)
+{
+        return((EVP_PKEY *)ASN1_d2i_fp((char *(*)())EVP_PKEY_new,
+                (char *(*)())d2i_PUBKEY, (fp),(unsigned char **)(a)));
+}
+
 #endif
 
 PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
@@ -529,3 +552,14 @@ EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a)
         return((EVP_PKEY *)ASN1_d2i_bio((char *(*)())EVP_PKEY_new,
                 (char *(*)())d2i_AutoPrivateKey, (bp),(unsigned char **)(a)));
         }
+
+int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey)
+        {
+        return(ASN1_i2d_bio(i2d_PUBKEY,bp,(unsigned char *)pkey));
+        }
+
+EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a)
+        {
+        return((EVP_PKEY *)ASN1_d2i_bio((char *(*)())EVP_PKEY_new,
+                (char *(*)())d2i_PUBKEY, (bp),(unsigned char **)(a)));
+        }
diff --git a/src/lib/libcrypto/x509v3/Makefile.ssl b/src/lib/libcrypto/x509v3/Makefile.ssl
index 1bb746d52d..f7c3a6ca13 100644
--- a/src/lib/libcrypto/x509v3/Makefile.ssl
+++ b/src/lib/libcrypto/x509v3/Makefile.ssl
@@ -88,17 +88,19 @@ v3_akey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 v3_akey.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
 v3_akey.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 v3_akey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_akey.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-v3_akey.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_akey.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_akey.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
-v3_akey.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
-v3_akey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_akey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_akey.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_akey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_akey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_akey.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+v3_akey.o: ../../include/openssl/e_os.h ../../include/openssl/e_os.h
+v3_akey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_akey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_akey.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_akey.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+v3_akey.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+v3_akey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_akey.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_akey.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_akey.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_akey.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_akey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_akey.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 v3_akey.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
 v3_akey.o: ../cryptlib.h
 v3_alt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
@@ -107,16 +109,18 @@ v3_alt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 v3_alt.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 v3_alt.o: ../../include/openssl/des.h ../../include/openssl/dh.h
 v3_alt.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-v3_alt.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_alt.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_alt.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_alt.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_alt.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_alt.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_alt.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 v3_alt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_alt.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_alt.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-v3_alt.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_alt.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_alt.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_alt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_alt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_alt.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_alt.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_alt.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_alt.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_alt.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_alt.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 v3_alt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 v3_alt.o: ../../include/openssl/x509v3.h ../cryptlib.h
 v3_bcons.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
@@ -125,53 +129,60 @@ v3_bcons.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 v3_bcons.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
 v3_bcons.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 v3_bcons.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_bcons.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-v3_bcons.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_bcons.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_bcons.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
-v3_bcons.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
-v3_bcons.o: ../../include/openssl/opensslconf.h
+v3_bcons.o: ../../include/openssl/e_os.h ../../include/openssl/e_os.h
+v3_bcons.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_bcons.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_bcons.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_bcons.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+v3_bcons.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+v3_bcons.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 v3_bcons.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 v3_bcons.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 v3_bcons.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 v3_bcons.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 v3_bcons.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_bcons.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_bcons.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_bcons.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_bcons.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_bcons.o: ../cryptlib.h
 v3_bitst.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 v3_bitst.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 v3_bitst.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 v3_bitst.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 v3_bitst.o: ../../include/openssl/des.h ../../include/openssl/dh.h
 v3_bitst.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-v3_bitst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_bitst.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_bitst.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_bitst.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_bitst.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_bitst.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_bitst.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 v3_bitst.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_bitst.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_bitst.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_bitst.o: ../../include/openssl/opensslconf.h
 v3_bitst.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 v3_bitst.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 v3_bitst.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 v3_bitst.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 v3_bitst.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_bitst.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_bitst.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_bitst.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_bitst.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_bitst.o: ../cryptlib.h
 v3_conf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 v3_conf.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 v3_conf.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 v3_conf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 v3_conf.o: ../../include/openssl/des.h ../../include/openssl/dh.h
 v3_conf.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-v3_conf.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_conf.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_conf.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_conf.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_conf.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_conf.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_conf.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 v3_conf.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_conf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_conf.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-v3_conf.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_conf.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_conf.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_conf.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_conf.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_conf.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_conf.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_conf.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_conf.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_conf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_conf.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 v3_conf.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 v3_conf.o: ../../include/openssl/x509v3.h ../cryptlib.h
 v3_cpols.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
@@ -180,36 +191,40 @@ v3_cpols.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 v3_cpols.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
 v3_cpols.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 v3_cpols.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_cpols.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-v3_cpols.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_cpols.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_cpols.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
-v3_cpols.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
-v3_cpols.o: ../../include/openssl/opensslconf.h
+v3_cpols.o: ../../include/openssl/e_os.h ../../include/openssl/e_os.h
+v3_cpols.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_cpols.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_cpols.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_cpols.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+v3_cpols.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+v3_cpols.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 v3_cpols.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 v3_cpols.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 v3_cpols.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 v3_cpols.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 v3_cpols.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_cpols.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_cpols.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_cpols.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_cpols.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_cpols.o: ../cryptlib.h
 v3_crld.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
 v3_crld.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
 v3_crld.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 v3_crld.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
 v3_crld.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 v3_crld.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_crld.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-v3_crld.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_crld.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_crld.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
-v3_crld.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
-v3_crld.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_crld.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_crld.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_crld.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_crld.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_crld.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+v3_crld.o: ../../include/openssl/e_os.h ../../include/openssl/e_os.h
+v3_crld.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_crld.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_crld.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_crld.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+v3_crld.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+v3_crld.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_crld.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_crld.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_crld.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_crld.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_crld.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_crld.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 v3_crld.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
 v3_crld.o: ../cryptlib.h
 v3_enum.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
@@ -218,16 +233,18 @@ v3_enum.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 v3_enum.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 v3_enum.o: ../../include/openssl/des.h ../../include/openssl/dh.h
 v3_enum.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-v3_enum.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_enum.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_enum.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_enum.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_enum.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_enum.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_enum.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 v3_enum.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_enum.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_enum.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-v3_enum.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_enum.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_enum.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_enum.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_enum.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_enum.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_enum.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_enum.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_enum.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_enum.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_enum.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 v3_enum.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 v3_enum.o: ../../include/openssl/x509v3.h ../cryptlib.h
 v3_extku.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
@@ -236,35 +253,40 @@ v3_extku.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 v3_extku.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 v3_extku.o: ../../include/openssl/des.h ../../include/openssl/dh.h
 v3_extku.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-v3_extku.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_extku.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_extku.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_extku.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_extku.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_extku.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_extku.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 v3_extku.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_extku.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_extku.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_extku.o: ../../include/openssl/opensslconf.h
 v3_extku.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 v3_extku.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 v3_extku.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 v3_extku.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 v3_extku.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_extku.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_extku.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_extku.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_extku.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_extku.o: ../cryptlib.h
 v3_genn.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
 v3_genn.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
 v3_genn.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 v3_genn.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
 v3_genn.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 v3_genn.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_genn.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-v3_genn.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_genn.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_genn.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
-v3_genn.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
-v3_genn.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_genn.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_genn.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_genn.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_genn.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_genn.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+v3_genn.o: ../../include/openssl/e_os.h ../../include/openssl/e_os.h
+v3_genn.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_genn.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_genn.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_genn.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+v3_genn.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+v3_genn.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_genn.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_genn.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_genn.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_genn.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_genn.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_genn.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 v3_genn.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
 v3_genn.o: ../cryptlib.h
 v3_ia5.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
@@ -273,16 +295,18 @@ v3_ia5.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 v3_ia5.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 v3_ia5.o: ../../include/openssl/des.h ../../include/openssl/dh.h
 v3_ia5.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-v3_ia5.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_ia5.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_ia5.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_ia5.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_ia5.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_ia5.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_ia5.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 v3_ia5.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_ia5.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_ia5.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-v3_ia5.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_ia5.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_ia5.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_ia5.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_ia5.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_ia5.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_ia5.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_ia5.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_ia5.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_ia5.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_ia5.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 v3_ia5.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 v3_ia5.o: ../../include/openssl/x509v3.h ../cryptlib.h
 v3_info.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
@@ -291,17 +315,19 @@ v3_info.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 v3_info.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
 v3_info.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 v3_info.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_info.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-v3_info.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_info.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_info.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
-v3_info.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
-v3_info.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_info.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_info.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_info.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_info.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_info.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+v3_info.o: ../../include/openssl/e_os.h ../../include/openssl/e_os.h
+v3_info.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_info.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_info.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_info.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+v3_info.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+v3_info.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_info.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_info.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_info.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_info.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_info.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_info.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 v3_info.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
 v3_info.o: ../cryptlib.h
 v3_int.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
@@ -310,16 +336,18 @@ v3_int.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 v3_int.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 v3_int.o: ../../include/openssl/des.h ../../include/openssl/dh.h
 v3_int.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-v3_int.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_int.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_int.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_int.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_int.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_int.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_int.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 v3_int.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_int.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_int.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-v3_int.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_int.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_int.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_int.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_int.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_int.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_int.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_int.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_int.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_int.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_int.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 v3_int.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 v3_int.o: ../../include/openssl/x509v3.h ../cryptlib.h
 v3_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
@@ -328,16 +356,18 @@ v3_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 v3_lib.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 v3_lib.o: ../../include/openssl/des.h ../../include/openssl/dh.h
 v3_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-v3_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_lib.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_lib.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_lib.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_lib.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 v3_lib.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-v3_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_lib.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_lib.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 v3_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 v3_lib.o: ../../include/openssl/x509v3.h ../cryptlib.h ext_dat.h
 v3_pku.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
@@ -346,17 +376,19 @@ v3_pku.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 v3_pku.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
 v3_pku.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 v3_pku.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_pku.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-v3_pku.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_pku.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_pku.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
-v3_pku.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
-v3_pku.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_pku.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_pku.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_pku.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_pku.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_pku.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
+v3_pku.o: ../../include/openssl/e_os.h ../../include/openssl/e_os.h
+v3_pku.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_pku.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_pku.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_pku.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+v3_pku.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+v3_pku.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_pku.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
+v3_pku.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_pku.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_pku.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_pku.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_pku.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 v3_pku.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
 v3_pku.o: ../cryptlib.h
 v3_prn.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
@@ -365,16 +397,18 @@ v3_prn.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 v3_prn.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 v3_prn.o: ../../include/openssl/des.h ../../include/openssl/dh.h
 v3_prn.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-v3_prn.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_prn.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_prn.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_prn.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_prn.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_prn.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_prn.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 v3_prn.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_prn.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_prn.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-v3_prn.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_prn.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_prn.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_prn.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_prn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_prn.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_prn.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_prn.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_prn.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_prn.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_prn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 v3_prn.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 v3_prn.o: ../../include/openssl/x509v3.h ../cryptlib.h
 v3_purp.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
@@ -383,16 +417,18 @@ v3_purp.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 v3_purp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 v3_purp.o: ../../include/openssl/des.h ../../include/openssl/dh.h
 v3_purp.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-v3_purp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_purp.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_purp.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_purp.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_purp.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_purp.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_purp.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 v3_purp.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_purp.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_purp.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-v3_purp.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_purp.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_purp.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_purp.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_purp.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_purp.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_purp.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_purp.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_purp.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_purp.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_purp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 v3_purp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 v3_purp.o: ../../include/openssl/x509v3.h ../cryptlib.h
 v3_skey.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
@@ -401,16 +437,18 @@ v3_skey.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 v3_skey.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 v3_skey.o: ../../include/openssl/des.h ../../include/openssl/dh.h
 v3_skey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-v3_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_skey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_skey.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_skey.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_skey.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_skey.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_skey.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 v3_skey.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_skey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-v3_skey.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_skey.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_skey.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_skey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_skey.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_skey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_skey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_skey.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_skey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_skey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_skey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 v3_skey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 v3_skey.o: ../../include/openssl/x509v3.h ../cryptlib.h
 v3_sxnet.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
@@ -419,51 +457,57 @@ v3_sxnet.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 v3_sxnet.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
 v3_sxnet.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 v3_sxnet.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_sxnet.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-v3_sxnet.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_sxnet.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_sxnet.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
-v3_sxnet.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
-v3_sxnet.o: ../../include/openssl/opensslconf.h
+v3_sxnet.o: ../../include/openssl/e_os.h ../../include/openssl/e_os.h
+v3_sxnet.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_sxnet.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_sxnet.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_sxnet.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+v3_sxnet.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+v3_sxnet.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 v3_sxnet.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 v3_sxnet.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 v3_sxnet.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 v3_sxnet.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 v3_sxnet.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_sxnet.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_sxnet.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_sxnet.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_sxnet.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_sxnet.o: ../cryptlib.h
 v3_utl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 v3_utl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 v3_utl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 v3_utl.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 v3_utl.o: ../../include/openssl/des.h ../../include/openssl/dh.h
 v3_utl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-v3_utl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_utl.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_utl.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_utl.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_utl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_utl.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_utl.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 v3_utl.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_utl.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_utl.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-v3_utl.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_utl.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_utl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_utl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_utl.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_utl.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_utl.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_utl.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_utl.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_utl.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_utl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 v3_utl.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 v3_utl.o: ../../include/openssl/x509v3.h ../cryptlib.h
 v3err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 v3err.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-v3err.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3err.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-v3err.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3err.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3err.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3err.o: ../../include/openssl/des.h ../../include/openssl/dh.h
+v3err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
 v3err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 v3err.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
 v3err.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-v3err.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3err.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+v3err.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
 v3err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 v3err.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 v3err.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 v3err.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 v3err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 v3err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3err.o: ../../include/openssl/x509v3.h
+v3err.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3err.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
diff --git a/src/lib/libcrypto/x509v3/v3_akey.c b/src/lib/libcrypto/x509v3/v3_akey.c
index 96c04fe4f5..0889a18993 100644
--- a/src/lib/libcrypto/x509v3/v3_akey.c
+++ b/src/lib/libcrypto/x509v3/v3_akey.c
@@ -132,7 +132,7 @@ void AUTHORITY_KEYID_free(AUTHORITY_KEYID *a)
         M_ASN1_OCTET_STRING_free(a->keyid);
         sk_GENERAL_NAME_pop_free(a->issuer, GENERAL_NAME_free);
         M_ASN1_INTEGER_free (a->serial);
-        Free (a);
+        OPENSSL_free (a);
 }
 
 static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
@@ -142,7 +142,7 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
         if(akeyid->keyid) {
                 tmp = hex_to_string(akeyid->keyid->data, akeyid->keyid->length);
                 X509V3_add_value("keyid", tmp, &extlist);
-                Free(tmp);
+                OPENSSL_free(tmp);
         }
         if(akeyid->issuer) 
                 extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);
@@ -150,7 +150,7 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
                 tmp = hex_to_string(akeyid->serial->data,
                                                  akeyid->serial->length);
                 X509V3_add_value("serial", tmp, &extlist);
-                Free(tmp);
+                OPENSSL_free(tmp);
         }
         return extlist;
 }
@@ -224,7 +224,7 @@ if((issuer && !ikeyid) || (issuer == 2)) {
 if(!(akeyid = AUTHORITY_KEYID_new())) goto err;
 
 if(isname) {
-        if(!(gens = sk_GENERAL_NAME_new(NULL)) || !(gen = GENERAL_NAME_new())
+        if(!(gens = sk_GENERAL_NAME_new_null()) || !(gen = GENERAL_NAME_new())
                 || !sk_GENERAL_NAME_push(gens, gen)) {
                 X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,ERR_R_MALLOC_FAILURE);
                 goto err;
diff --git a/src/lib/libcrypto/x509v3/v3_alt.c b/src/lib/libcrypto/x509v3/v3_alt.c
index 5ccd1e0e3d..733919f250 100644
--- a/src/lib/libcrypto/x509v3/v3_alt.c
+++ b/src/lib/libcrypto/x509v3/v3_alt.c
@@ -160,7 +160,7 @@ static STACK_OF(GENERAL_NAME) *v2i_issuer_alt(X509V3_EXT_METHOD *method,
         STACK_OF(GENERAL_NAME) *gens = NULL;
         CONF_VALUE *cnf;
         int i;
-        if(!(gens = sk_GENERAL_NAME_new(NULL))) {
+        if(!(gens = sk_GENERAL_NAME_new_null())) {
                 X509V3err(X509V3_F_V2I_GENERAL_NAMES,ERR_R_MALLOC_FAILURE);
                 return NULL;
         }
@@ -225,7 +225,7 @@ static STACK_OF(GENERAL_NAME) *v2i_subject_alt(X509V3_EXT_METHOD *method,
         STACK_OF(GENERAL_NAME) *gens = NULL;
         CONF_VALUE *cnf;
         int i;
-        if(!(gens = sk_GENERAL_NAME_new(NULL))) {
+        if(!(gens = sk_GENERAL_NAME_new_null())) {
                 X509V3err(X509V3_F_V2I_GENERAL_NAMES,ERR_R_MALLOC_FAILURE);
                 return NULL;
         }
@@ -304,7 +304,7 @@ STACK_OF(GENERAL_NAME) *v2i_GENERAL_NAMES(X509V3_EXT_METHOD *method,
         STACK_OF(GENERAL_NAME) *gens = NULL;
         CONF_VALUE *cnf;
         int i;
-        if(!(gens = sk_GENERAL_NAME_new(NULL))) {
+        if(!(gens = sk_GENERAL_NAME_new_null())) {
                 X509V3err(X509V3_F_V2I_GENERAL_NAMES,ERR_R_MALLOC_FAILURE);
                 return NULL;
         }
diff --git a/src/lib/libcrypto/x509v3/v3_bcons.c b/src/lib/libcrypto/x509v3/v3_bcons.c
index 1e3edc205f..c576b8e955 100644
--- a/src/lib/libcrypto/x509v3/v3_bcons.c
+++ b/src/lib/libcrypto/x509v3/v3_bcons.c
@@ -123,7 +123,7 @@ void BASIC_CONSTRAINTS_free(BASIC_CONSTRAINTS *a)
 {
         if (a == NULL) return;
         M_ASN1_INTEGER_free (a->pathlen);
-        Free (a);
+        OPENSSL_free (a);
 }
 
 static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509v3/v3_conf.c b/src/lib/libcrypto/x509v3/v3_conf.c
index b2f03010cc..bdc9c1cbc1 100644
--- a/src/lib/libcrypto/x509v3/v3_conf.c
+++ b/src/lib/libcrypto/x509v3/v3_conf.c
@@ -167,7 +167,7 @@ static X509_EXTENSION *do_ext_i2d(X509V3_EXT_METHOD *method, int ext_nid,
         X509_EXTENSION *ext;
         /* Convert internal representation to DER */
         ext_len = method->i2d(ext_struc, NULL);
-        if(!(ext_der = Malloc(ext_len))) goto merr;
+        if(!(ext_der = OPENSSL_malloc(ext_len))) goto merr;
         p = ext_der;
         method->i2d(ext_struc, &p);
         if(!(ext_oct = M_ASN1_OCTET_STRING_new())) goto merr;
@@ -255,7 +255,7 @@ extension = X509_EXTENSION_create_by_OBJ(NULL, obj, crit, oct);
 err:
 ASN1_OBJECT_free(obj);
 M_ASN1_OCTET_STRING_free(oct);
-if(ext_der) Free(ext_der);
+if(ext_der) OPENSSL_free(ext_der);
 return extension;
 }
 
diff --git a/src/lib/libcrypto/x509v3/v3_cpols.c b/src/lib/libcrypto/x509v3/v3_cpols.c
index 466713b50d..8203ed7571 100644
--- a/src/lib/libcrypto/x509v3/v3_cpols.c
+++ b/src/lib/libcrypto/x509v3/v3_cpols.c
@@ -73,7 +73,7 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx,
                                  STACK_OF(CONF_VALUE) *polstrs, int ia5org);
 static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
                                         STACK_OF(CONF_VALUE) *unot, int ia5org);
-static STACK *nref_nos(STACK_OF(CONF_VALUE) *nos);
+static STACK_OF(ASN1_INTEGER) *nref_nos(STACK_OF(CONF_VALUE) *nos);
 
 X509V3_EXT_METHOD v3_cpols = {
 NID_certificate_policies, 0,
@@ -282,20 +282,22 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
         return NULL;
 }
 
-static STACK *nref_nos(STACK_OF(CONF_VALUE) *nos)
+static STACK_OF(ASN1_INTEGER) *nref_nos(STACK_OF(CONF_VALUE) *nos)
 {
-        STACK *nnums;
+        STACK_OF(ASN1_INTEGER) *nnums;
         CONF_VALUE *cnf;
         ASN1_INTEGER *aint;
+
         int i;
-        if(!(nnums = sk_new_null())) goto merr;
+
+        if(!(nnums = sk_ASN1_INTEGER_new_null())) goto merr;
         for(i = 0; i < sk_CONF_VALUE_num(nos); i++) {
                 cnf = sk_CONF_VALUE_value(nos, i);
                 if(!(aint = s2i_ASN1_INTEGER(NULL, cnf->name))) {
                         X509V3err(X509V3_F_NREF_NOS,X509V3_R_INVALID_NUMBER);
                         goto err;
                 }
-                if(!sk_push(nnums, (char *)aint)) goto merr;
+                if(!sk_ASN1_INTEGER_push(nnums, aint)) goto merr;
         }
         return nnums;
 
@@ -303,7 +305,7 @@ static STACK *nref_nos(STACK_OF(CONF_VALUE) *nos)
         X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE);
 
         err:
-        sk_pop_free(nnums, ASN1_STRING_free);
+        sk_ASN1_INTEGER_pop_free(nnums, ASN1_STRING_free);
         return NULL;
 }
 
@@ -399,7 +401,7 @@ void POLICYINFO_free(POLICYINFO *a)
         if (a == NULL) return;
         ASN1_OBJECT_free(a->policyid);
         sk_POLICYQUALINFO_pop_free(a->qualifiers, POLICYQUALINFO_free);
-        Free (a);
+        OPENSSL_free (a);
 }
 
 static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
@@ -441,15 +443,15 @@ static void print_notice(BIO *out, USERNOTICE *notice, int indent)
                 BIO_printf(out, "%*sOrganization: %s\n", indent, "",
                                                  ref->organization->data);
                 BIO_printf(out, "%*sNumber%s: ", indent, "",
-                                 (sk_num(ref->noticenos) > 1) ? "s" : "");
-                for(i = 0; i < sk_num(ref->noticenos); i++) {
+                           sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : "");
+                for(i = 0; i < sk_ASN1_INTEGER_num(ref->noticenos); i++) {
                         ASN1_INTEGER *num;
                         char *tmp;
-                        num = (ASN1_INTEGER *)sk_value(ref->noticenos, i);
+                        num = sk_ASN1_INTEGER_value(ref->noticenos, i);
                         if(i) BIO_puts(out, ", ");
                         tmp = i2s_ASN1_INTEGER(NULL, num);
                         BIO_puts(out, tmp);
-                        Free(tmp);
+                        OPENSSL_free(tmp);
                 }
                 BIO_puts(out, "\n");
         }
@@ -551,7 +553,7 @@ void POLICYQUALINFO_free(POLICYQUALINFO *a)
         }
         
         ASN1_OBJECT_free(a->pqualid);
-        Free (a);
+        OPENSSL_free (a);
 }
 
 int i2d_USERNOTICE(USERNOTICE *a, unsigned char **pp)
@@ -597,7 +599,7 @@ void USERNOTICE_free(USERNOTICE *a)
         if (a == NULL) return;
         NOTICEREF_free(a->noticeref);
         M_DISPLAYTEXT_free(a->exptext);
-        Free (a);
+        OPENSSL_free (a);
 }
 
 int i2d_NOTICEREF(NOTICEREF *a, unsigned char **pp)
@@ -605,12 +607,14 @@ int i2d_NOTICEREF(NOTICEREF *a, unsigned char **pp)
         M_ASN1_I2D_vars(a);
 
         M_ASN1_I2D_len (a->organization, i2d_DISPLAYTEXT);
-        M_ASN1_I2D_len_SEQUENCE(a->noticenos, i2d_ASN1_INTEGER);
+        M_ASN1_I2D_len_SEQUENCE_type(ASN1_INTEGER, a->noticenos,
+                                     i2d_ASN1_INTEGER);
 
         M_ASN1_I2D_seq_total();
 
         M_ASN1_I2D_put (a->organization, i2d_DISPLAYTEXT);
-        M_ASN1_I2D_put_SEQUENCE(a->noticenos, i2d_ASN1_INTEGER);
+        M_ASN1_I2D_put_SEQUENCE_type(ASN1_INTEGER, a->noticenos,
+                                     i2d_ASN1_INTEGER);
 
         M_ASN1_I2D_finish();
 }
@@ -639,7 +643,8 @@ NOTICEREF *d2i_NOTICEREF(NOTICEREF **a, unsigned char **pp,long length)
         if(!ret->organization) {
                  M_ASN1_D2I_get(ret->organization, d2i_DISPLAYTEXT);
         }
-        M_ASN1_D2I_get_seq(ret->noticenos, d2i_ASN1_INTEGER, ASN1_STRING_free);
+        M_ASN1_D2I_get_seq_type(ASN1_INTEGER, ret->noticenos, d2i_ASN1_INTEGER,
+                                ASN1_STRING_free);
         M_ASN1_D2I_Finish(a, NOTICEREF_free, ASN1_F_D2I_NOTICEREF);
 }
 
@@ -647,8 +652,8 @@ void NOTICEREF_free(NOTICEREF *a)
 {
         if (a == NULL) return;
         M_DISPLAYTEXT_free(a->organization);
-        sk_pop_free(a->noticenos, ASN1_STRING_free);
-        Free (a);
+        sk_ASN1_INTEGER_pop_free(a->noticenos, ASN1_STRING_free);
+        OPENSSL_free (a);
 }
 
 IMPLEMENT_STACK_OF(POLICYQUALINFO)
diff --git a/src/lib/libcrypto/x509v3/v3_crld.c b/src/lib/libcrypto/x509v3/v3_crld.c
index e459d2595a..67feea4017 100644
--- a/src/lib/libcrypto/x509v3/v3_crld.c
+++ b/src/lib/libcrypto/x509v3/v3_crld.c
@@ -87,7 +87,7 @@ static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
         int i;
         for(i = 0; i < sk_DIST_POINT_num(crld); i++) {
                 point = sk_DIST_POINT_value(crld, i);
-                if(point->distpoint->fullname) {
+                if(point->distpoint && point->distpoint->fullname) {
                         exts = i2v_GENERAL_NAMES(NULL,
                                          point->distpoint->fullname, exts);
                 }
@@ -95,7 +95,7 @@ static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
                         X509V3_add_value("reasons","<UNSUPPORTED>", &exts);
                 if(point->CRLissuer)
                         X509V3_add_value("CRLissuer","<UNSUPPORTED>", &exts);
-                if(point->distpoint->relativename)
+                if(point->distpoint && point->distpoint->relativename)
                         X509V3_add_value("RelativeName","<UNSUPPORTED>", &exts);
         }
         return exts;
@@ -109,7 +109,7 @@ static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
         GENERAL_NAME *gen = NULL;
         CONF_VALUE *cnf;
         int i;
-        if(!(crld = sk_DIST_POINT_new(NULL))) goto merr;
+        if(!(crld = sk_DIST_POINT_new_null())) goto merr;
         for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
                 DIST_POINT *point;
                 cnf = sk_CONF_VALUE_value(nval, i);
@@ -213,7 +213,7 @@ void DIST_POINT_free(DIST_POINT *a)
         DIST_POINT_NAME_free(a->distpoint);
         M_ASN1_BIT_STRING_free(a->reasons);
         sk_GENERAL_NAME_pop_free(a->CRLissuer, GENERAL_NAME_free);
-        Free (a);
+        OPENSSL_free (a);
 }
 
 int i2d_DIST_POINT_NAME(DIST_POINT_NAME *a, unsigned char **pp)
@@ -256,7 +256,7 @@ void DIST_POINT_NAME_free(DIST_POINT_NAME *a)
         if (a == NULL) return;
         sk_X509_NAME_ENTRY_pop_free(a->relativename, X509_NAME_ENTRY_free);
         sk_GENERAL_NAME_pop_free(a->fullname, GENERAL_NAME_free);
-        Free (a);
+        OPENSSL_free (a);
 }
 
 DIST_POINT_NAME *d2i_DIST_POINT_NAME(DIST_POINT_NAME **a, unsigned char **pp,
diff --git a/src/lib/libcrypto/x509v3/v3_extku.c b/src/lib/libcrypto/x509v3/v3_extku.c
index e039d21cbf..53ec40a027 100644
--- a/src/lib/libcrypto/x509v3/v3_extku.c
+++ b/src/lib/libcrypto/x509v3/v3_extku.c
@@ -129,7 +129,7 @@ ASN1_OBJECT *objtmp;
 CONF_VALUE *val;
 int i;
 
-if(!(extku = sk_ASN1_OBJECT_new(NULL))) {
+if(!(extku = sk_ASN1_OBJECT_new_null())) {
         X509V3err(X509V3_F_V2I_EXT_KU,ERR_R_MALLOC_FAILURE);
         return NULL;
 }
diff --git a/src/lib/libcrypto/x509v3/v3_genn.c b/src/lib/libcrypto/x509v3/v3_genn.c
index 894afa7e03..d44751458e 100644
--- a/src/lib/libcrypto/x509v3/v3_genn.c
+++ b/src/lib/libcrypto/x509v3/v3_genn.c
@@ -211,7 +211,7 @@ void GENERAL_NAME_free(GENERAL_NAME *a)
                 break;
 
         }
-        Free (a);
+        OPENSSL_free (a);
 }
 
 /* Now the GeneralNames versions: a SEQUENCE OF GeneralName. These are needed as
@@ -220,7 +220,7 @@ void GENERAL_NAME_free(GENERAL_NAME *a)
 
 STACK_OF(GENERAL_NAME) *GENERAL_NAMES_new()
 {
-        return sk_GENERAL_NAME_new(NULL);
+        return sk_GENERAL_NAME_new_null();
 }
 
 void GENERAL_NAMES_free(STACK_OF(GENERAL_NAME) *a)
@@ -286,6 +286,6 @@ void OTHERNAME_free(OTHERNAME *a)
         if (a == NULL) return;
         ASN1_OBJECT_free(a->type_id);
         ASN1_TYPE_free(a->value);
-        Free (a);
+        OPENSSL_free (a);
 }
 
diff --git a/src/lib/libcrypto/x509v3/v3_ia5.c b/src/lib/libcrypto/x509v3/v3_ia5.c
index af3525f33e..f3bba38269 100644
--- a/src/lib/libcrypto/x509v3/v3_ia5.c
+++ b/src/lib/libcrypto/x509v3/v3_ia5.c
@@ -82,7 +82,7 @@ static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
 {
         char *tmp;
         if(!ia5 || !ia5->length) return NULL;
-        tmp = Malloc(ia5->length + 1);
+        tmp = OPENSSL_malloc(ia5->length + 1);
         memcpy(tmp, ia5->data, ia5->length);
         tmp[ia5->length] = 0;
         return tmp;
diff --git a/src/lib/libcrypto/x509v3/v3_info.c b/src/lib/libcrypto/x509v3/v3_info.c
index 78d2135046..a045a629ee 100644
--- a/src/lib/libcrypto/x509v3/v3_info.c
+++ b/src/lib/libcrypto/x509v3/v3_info.c
@@ -94,7 +94,7 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method
                 if(!ret) break;
                 vtmp = sk_CONF_VALUE_value(ret, i);
                 i2t_ASN1_OBJECT(objtmp, 80, desc->method);
-                ntmp = Malloc(strlen(objtmp) + strlen(vtmp->name) + 5);
+                ntmp = OPENSSL_malloc(strlen(objtmp) + strlen(vtmp->name) + 5);
                 if(!ntmp) {
                         X509V3err(X509V3_F_I2V_AUTHORITY_INFO_ACCESS,
                                         ERR_R_MALLOC_FAILURE);
@@ -103,7 +103,7 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method
                 strcpy(ntmp, objtmp);
                 strcat(ntmp, " - ");
                 strcat(ntmp, vtmp->name);
-                Free(vtmp->name);
+                OPENSSL_free(vtmp->name);
                 vtmp->name = ntmp;
                 
         }
@@ -119,7 +119,7 @@ static STACK_OF(ACCESS_DESCRIPTION) *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD
         ACCESS_DESCRIPTION *acc;
         int i, objlen;
         char *objtmp, *ptmp;
-        if(!(ainfo = sk_ACCESS_DESCRIPTION_new(NULL))) {
+        if(!(ainfo = sk_ACCESS_DESCRIPTION_new_null())) {
                 X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,ERR_R_MALLOC_FAILURE);
                 return NULL;
         }
@@ -140,7 +140,7 @@ static STACK_OF(ACCESS_DESCRIPTION) *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD
                 ctmp.value = cnf->value;
                 if(!(acc->location = v2i_GENERAL_NAME(method, ctx, &ctmp)))
                                                                  goto err; 
-                if(!(objtmp = Malloc(objlen + 1))) {
+                if(!(objtmp = OPENSSL_malloc(objlen + 1))) {
                         X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,ERR_R_MALLOC_FAILURE);
                         goto err;
                 }
@@ -150,10 +150,10 @@ static STACK_OF(ACCESS_DESCRIPTION) *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD
                 if(!acc->method) {
                         X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,X509V3_R_BAD_OBJECT);
                         ERR_add_error_data(2, "value=", objtmp);
-                        Free(objtmp);
+                        OPENSSL_free(objtmp);
                         goto err;
                 }
-                Free(objtmp);
+                OPENSSL_free(objtmp);
 
         }
         return ainfo;
@@ -204,12 +204,12 @@ void ACCESS_DESCRIPTION_free(ACCESS_DESCRIPTION *a)
         if (a == NULL) return;
         ASN1_OBJECT_free(a->method);
         GENERAL_NAME_free(a->location);
-        Free (a);
+        OPENSSL_free (a);
 }
 
 STACK_OF(ACCESS_DESCRIPTION) *AUTHORITY_INFO_ACCESS_new(void)
 {
-        return sk_ACCESS_DESCRIPTION_new(NULL);
+        return sk_ACCESS_DESCRIPTION_new_null();
 }
 
 void AUTHORITY_INFO_ACCESS_free(STACK_OF(ACCESS_DESCRIPTION) *a)
diff --git a/src/lib/libcrypto/x509v3/v3_lib.c b/src/lib/libcrypto/x509v3/v3_lib.c
index 4242d130a2..ea86b9ebb9 100644
--- a/src/lib/libcrypto/x509v3/v3_lib.c
+++ b/src/lib/libcrypto/x509v3/v3_lib.c
@@ -64,25 +64,27 @@
 
 #include "ext_dat.h"
 
-static STACK *ext_list = NULL;
+static STACK_OF(X509V3_EXT_METHOD) *ext_list = NULL;
 
-static int ext_cmp(X509V3_EXT_METHOD **a, X509V3_EXT_METHOD **b);
+static int ext_cmp(const X509V3_EXT_METHOD * const *a,
+                const X509V3_EXT_METHOD * const *b);
 static void ext_list_free(X509V3_EXT_METHOD *ext);
 
 int X509V3_EXT_add(X509V3_EXT_METHOD *ext)
 {
-        if(!ext_list && !(ext_list = sk_new(ext_cmp))) {
+        if(!ext_list && !(ext_list = sk_X509V3_EXT_METHOD_new(ext_cmp))) {
                 X509V3err(X509V3_F_X509V3_EXT_ADD,ERR_R_MALLOC_FAILURE);
                 return 0;
         }
-        if(!sk_push(ext_list, (char *)ext)) {
+        if(!sk_X509V3_EXT_METHOD_push(ext_list, ext)) {
                 X509V3err(X509V3_F_X509V3_EXT_ADD,ERR_R_MALLOC_FAILURE);
                 return 0;
         }
         return 1;
 }
 
-static int ext_cmp(X509V3_EXT_METHOD **a, X509V3_EXT_METHOD **b)
+static int ext_cmp(const X509V3_EXT_METHOD * const *a,
+                const X509V3_EXT_METHOD * const *b)
 {
         return ((*a)->ext_nid - (*b)->ext_nid);
 }
@@ -95,12 +97,12 @@ X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid)
         tmp.ext_nid = nid;
         ret = (X509V3_EXT_METHOD **) OBJ_bsearch((char *)&t,
                         (char *)standard_exts, STANDARD_EXTENSION_COUNT,
-                        sizeof(X509V3_EXT_METHOD *), (int (*)())ext_cmp);
+                        sizeof(X509V3_EXT_METHOD *), (int (*)(const void *, const void *))ext_cmp);
         if(ret) return *ret;
         if(!ext_list) return NULL;
-        idx = sk_find(ext_list, (char *)&tmp);
+        idx = sk_X509V3_EXT_METHOD_find(ext_list, &tmp);
         if(idx == -1) return NULL;
-        return (X509V3_EXT_METHOD *)sk_value(ext_list, idx);
+        return sk_X509V3_EXT_METHOD_value(ext_list, idx);
 }
 
 X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext)
@@ -125,7 +127,7 @@ int X509V3_EXT_add_alias(int nid_to, int nid_from)
                 X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS,X509V3_R_EXTENSION_NOT_FOUND);
                 return 0;
         }
-        if(!(tmpext = (X509V3_EXT_METHOD *)Malloc(sizeof(X509V3_EXT_METHOD)))) {
+        if(!(tmpext = (X509V3_EXT_METHOD *)OPENSSL_malloc(sizeof(X509V3_EXT_METHOD)))) {
                 X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS,ERR_R_MALLOC_FAILURE);
                 return 0;
         }
@@ -137,13 +139,13 @@ int X509V3_EXT_add_alias(int nid_to, int nid_from)
 
 void X509V3_EXT_cleanup(void)
 {
-        sk_pop_free(ext_list, ext_list_free);
+        sk_X509V3_EXT_METHOD_pop_free(ext_list, ext_list_free);
         ext_list = NULL;
 }
 
 static void ext_list_free(X509V3_EXT_METHOD *ext)
 {
-        if(ext->ext_flags & X509V3_EXT_DYNAMIC) Free(ext);
+        if(ext->ext_flags & X509V3_EXT_DYNAMIC) OPENSSL_free(ext);
 }
 
 /* Legacy function: we don't need to add standard extensions
@@ -213,9 +215,11 @@ void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx)
                 if(crit) *crit = found_ex->critical;
                 return X509V3_EXT_d2i(found_ex);
         }
-        
+
         /* Extension not found */
         if(idx) *idx = -1;
         if(crit) *crit = -1;
         return NULL;
 }
+
+IMPLEMENT_STACK_OF(X509V3_EXT_METHOD)
diff --git a/src/lib/libcrypto/x509v3/v3_pku.c b/src/lib/libcrypto/x509v3/v3_pku.c
index 30a62c6090..47f9e8f123 100644
--- a/src/lib/libcrypto/x509v3/v3_pku.c
+++ b/src/lib/libcrypto/x509v3/v3_pku.c
@@ -121,7 +121,7 @@ void PKEY_USAGE_PERIOD_free(PKEY_USAGE_PERIOD *a)
         if (a == NULL) return;
         M_ASN1_GENERALIZEDTIME_free(a->notBefore);
         M_ASN1_GENERALIZEDTIME_free(a->notAfter);
-        Free (a);
+        OPENSSL_free (a);
 }
 
 static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509v3/v3_prn.c b/src/lib/libcrypto/x509v3/v3_prn.c
index bee624c6be..dbc4fb1f16 100644
--- a/src/lib/libcrypto/x509v3/v3_prn.c
+++ b/src/lib/libcrypto/x509v3/v3_prn.c
@@ -133,7 +133,7 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, int flag, int indent)
 
         err:
                 sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
-                if(value) Free(value);
+                if(value) OPENSSL_free(value);
                 method->ext_free(ext_str);
                 return ok;
 }
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c
index 5594a1d64f..867699b26f 100644
--- a/src/lib/libcrypto/x509v3/v3_purp.c
+++ b/src/lib/libcrypto/x509v3/v3_purp.c
@@ -59,21 +59,24 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/x509v3.h>
+#include <openssl/x509_vfy.h>
 
 
 static void x509v3_cache_extensions(X509 *x);
 
-static int ca_check(X509 *x);
-static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca);
-static int check_purpose_ssl_server(X509_PURPOSE *xp, X509 *x, int ca);
-static int check_purpose_ns_ssl_server(X509_PURPOSE *xp, X509 *x, int ca);
-static int purpose_smime(X509 *x, int ca);
-static int check_purpose_smime_sign(X509_PURPOSE *xp, X509 *x, int ca);
-static int check_purpose_smime_encrypt(X509_PURPOSE *xp, X509 *x, int ca);
-static int check_purpose_crl_sign(X509_PURPOSE *xp, X509 *x, int ca);
-static int no_check(X509_PURPOSE *xp, X509 *x, int ca);
-
-static int xp_cmp(X509_PURPOSE **a, X509_PURPOSE **b);
+static int ca_check(const X509 *x);
+static int check_ssl_ca(const X509 *x);
+static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca);
+static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca);
+static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca);
+static int purpose_smime(const X509 *x, int ca);
+static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
+static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca);
+static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
+static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca);
+
+static int xp_cmp(const X509_PURPOSE * const *a,
+                const X509_PURPOSE * const *b);
 static void xptable_free(X509_PURPOSE *p);
 
 static X509_PURPOSE xstandard[] = {
@@ -92,15 +95,19 @@ IMPLEMENT_STACK_OF(X509_PURPOSE)
 
 static STACK_OF(X509_PURPOSE) *xptable = NULL;
 
-static int xp_cmp(X509_PURPOSE **a, X509_PURPOSE **b)
+static int xp_cmp(const X509_PURPOSE * const *a,
+                const X509_PURPOSE * const *b)
 {
         return (*a)->purpose - (*b)->purpose;
 }
 
+/* As much as I'd like to make X509_check_purpose use a "const" X509*
+ * I really can't because it does recalculate hashes and do other non-const
+ * things. */
 int X509_check_purpose(X509 *x, int id, int ca)
 {
         int idx;
-        X509_PURPOSE *pt;
+        const X509_PURPOSE *pt;
         if(!(x->ex_flags & EXFLAG_SET)) {
                 CRYPTO_w_lock(CRYPTO_LOCK_X509);
                 x509v3_cache_extensions(x);
@@ -152,7 +159,7 @@ int X509_PURPOSE_get_by_id(int purpose)
 }
 
 int X509_PURPOSE_add(int id, int trust, int flags,
-                        int (*ck)(X509_PURPOSE *, X509 *, int),
+                        int (*ck)(const X509_PURPOSE *, const X509 *, int),
                                         char *name, char *sname, void *arg)
 {
         int idx;
@@ -165,17 +172,17 @@ int X509_PURPOSE_add(int id, int trust, int flags,
         idx = X509_PURPOSE_get_by_id(id);
         /* Need a new entry */
         if(idx == -1) {
-                if(!(ptmp = Malloc(sizeof(X509_PURPOSE)))) {
+                if(!(ptmp = OPENSSL_malloc(sizeof(X509_PURPOSE)))) {
                         X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE);
                         return 0;
                 }
                 ptmp->flags = X509_PURPOSE_DYNAMIC;
         } else ptmp = X509_PURPOSE_get0(idx);
 
-        /* Free existing name if dynamic */
+        /* OPENSSL_free existing name if dynamic */
         if(ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
-                Free(ptmp->name);
-                Free(ptmp->sname);
+                OPENSSL_free(ptmp->name);
+                OPENSSL_free(ptmp->sname);
         }
         /* dup supplied name */
         ptmp->name = BUF_strdup(name);
@@ -214,10 +221,10 @@ static void xptable_free(X509_PURPOSE *p)
         if (p->flags & X509_PURPOSE_DYNAMIC) 
                 {
                 if (p->flags & X509_PURPOSE_DYNAMIC_NAME) {
-                        Free(p->name);
-                        Free(p->sname);
+                        OPENSSL_free(p->name);
+                        OPENSSL_free(p->sname);
                 }
-                Free(p);
+                OPENSSL_free(p);
                 }
         }
 
@@ -249,16 +256,18 @@ int X509_PURPOSE_get_trust(X509_PURPOSE *xp)
         return xp->trust;
 }
 
-#ifndef NO_SHA
 static void x509v3_cache_extensions(X509 *x)
 {
         BASIC_CONSTRAINTS *bs;
         ASN1_BIT_STRING *usage;
         ASN1_BIT_STRING *ns;
         STACK_OF(ASN1_OBJECT) *extusage;
+        
         int i;
         if(x->ex_flags & EXFLAG_SET) return;
+#ifndef NO_SHA
         X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
+#endif
         /* Does subject name match issuer ? */
         if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
                          x->ex_flags |= EXFLAG_SS;
@@ -322,9 +331,10 @@ static void x509v3_cache_extensions(X509 *x)
                 x->ex_flags |= EXFLAG_NSCERT;
                 ASN1_BIT_STRING_free(ns);
         }
+        x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
+        x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
         x->ex_flags |= EXFLAG_SET;
 }
-#endif
 
 /* CA checks common to all purposes
  * return codes:
@@ -342,7 +352,7 @@ static void x509v3_cache_extensions(X509 *x)
 #define ns_reject(x, usage) \
         (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
 
-static int ca_check(X509 *x)
+static int ca_check(const X509 *x)
 {
         /* keyUsage if present should allow cert signing */
         if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
@@ -356,22 +366,26 @@ static int ca_check(X509 *x)
         }
 }
 
+/* Check SSL CA: common checks for SSL client and server */
+static int check_ssl_ca(const X509 *x)
+{
+        int ca_ret;
+        ca_ret = ca_check(x);
+        if(!ca_ret) return 0;
+        /* check nsCertType if present */
+        if(x->ex_flags & EXFLAG_NSCERT) {
+                if(x->ex_nscert & NS_SSL_CA) return ca_ret;
+                return 0;
+        }
+        if(ca_ret != 2) return ca_ret;
+        else return 0;
+}
+        
 
-static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca)
+static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca)
 {
         if(xku_reject(x,XKU_SSL_CLIENT)) return 0;
-        if(ca) {
-                int ca_ret;
-                ca_ret = ca_check(x);
-                if(!ca_ret) return 0;
-                /* check nsCertType if present */
-                if(x->ex_flags & EXFLAG_NSCERT) {
-                        if(x->ex_nscert & NS_SSL_CA) return ca_ret;
-                        return 0;
-                }
-                if(ca_ret != 2) return ca_ret;
-                else return 0;
-        }
+        if(ca) return check_ssl_ca(x);
         /* We need to do digital signatures with it */
         if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0;
         /* nsCertType if present should allow SSL client use */ 
@@ -379,11 +393,10 @@ static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca)
         return 1;
 }
 
-static int check_purpose_ssl_server(X509_PURPOSE *xp, X509 *x, int ca)
+static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
 {
         if(xku_reject(x,XKU_SSL_SERVER|XKU_SGC)) return 0;
-        /* Otherwise same as SSL client for a CA */
-        if(ca) return check_purpose_ssl_client(xp, x, 1);
+        if(ca) return check_ssl_ca(x);
 
         if(ns_reject(x, NS_SSL_SERVER)) return 0;
         /* Now as for keyUsage: we'll at least need to sign OR encipher */
@@ -393,7 +406,7 @@ static int check_purpose_ssl_server(X509_PURPOSE *xp, X509 *x, int ca)
 
 }
 
-static int check_purpose_ns_ssl_server(X509_PURPOSE *xp, X509 *x, int ca)
+static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
 {
         int ret;
         ret = check_purpose_ssl_server(xp, x, ca);
@@ -404,7 +417,7 @@ static int check_purpose_ns_ssl_server(X509_PURPOSE *xp, X509 *x, int ca)
 }
 
 /* common S/MIME checks */
-static int purpose_smime(X509 *x, int ca)
+static int purpose_smime(const X509 *x, int ca)
 {
         if(xku_reject(x,XKU_SMIME)) return 0;
         if(ca) {
@@ -428,7 +441,7 @@ static int purpose_smime(X509 *x, int ca)
         return 1;
 }
 
-static int check_purpose_smime_sign(X509_PURPOSE *xp, X509 *x, int ca)
+static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
 {
         int ret;
         ret = purpose_smime(x, ca);
@@ -437,7 +450,7 @@ static int check_purpose_smime_sign(X509_PURPOSE *xp, X509 *x, int ca)
         return ret;
 }
 
-static int check_purpose_smime_encrypt(X509_PURPOSE *xp, X509 *x, int ca)
+static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca)
 {
         int ret;
         ret = purpose_smime(x, ca);
@@ -446,7 +459,7 @@ static int check_purpose_smime_encrypt(X509_PURPOSE *xp, X509 *x, int ca)
         return ret;
 }
 
-static int check_purpose_crl_sign(X509_PURPOSE *xp, X509 *x, int ca)
+static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
 {
         if(ca) {
                 int ca_ret;
@@ -457,7 +470,64 @@ static int check_purpose_crl_sign(X509_PURPOSE *xp, X509 *x, int ca)
         return 1;
 }
 
-static int no_check(X509_PURPOSE *xp, X509 *x, int ca)
+static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
 {
         return 1;
 }
+
+/* Various checks to see if one certificate issued the second.
+ * This can be used to prune a set of possible issuer certificates
+ * which have been looked up using some simple method such as by
+ * subject name.
+ * These are:
+ * 1. Check issuer_name(subject) == subject_name(issuer)
+ * 2. If akid(subject) exists check it matches issuer
+ * 3. If key_usage(issuer) exists check it supports certificate signing
+ * returns 0 for OK, positive for reason for mismatch, reasons match
+ * codes for X509_verify_cert()
+ */
+
+int X509_check_issued(X509 *issuer, X509 *subject)
+{
+        if(X509_NAME_cmp(X509_get_subject_name(issuer),
+                        X509_get_issuer_name(subject)))
+                                return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
+        x509v3_cache_extensions(issuer);
+        x509v3_cache_extensions(subject);
+        if(subject->akid) {
+                /* Check key ids (if present) */
+                if(subject->akid->keyid && issuer->skid &&
+                 ASN1_OCTET_STRING_cmp(subject->akid->keyid, issuer->skid) )
+                                return X509_V_ERR_AKID_SKID_MISMATCH;
+                /* Check serial number */
+                if(subject->akid->serial &&
+                        ASN1_INTEGER_cmp(X509_get_serialNumber(issuer),
+                                                subject->akid->serial))
+                                return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
+                /* Check issuer name */
+                if(subject->akid->issuer) {
+                        /* Ugh, for some peculiar reason AKID includes
+                         * SEQUENCE OF GeneralName. So look for a DirName.
+                         * There may be more than one but we only take any
+                         * notice of the first.
+                         */
+                        STACK_OF(GENERAL_NAME) *gens;
+                        GENERAL_NAME *gen;
+                        X509_NAME *nm = NULL;
+                        int i;
+                        gens = subject->akid->issuer;
+                        for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
+                                gen = sk_GENERAL_NAME_value(gens, i);
+                                if(gen->type == GEN_DIRNAME) {
+                                        nm = gen->d.dirn;
+                                        break;
+                                }
+                        }
+                        if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
+                                return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
+                }
+        }
+        if(ku_reject(issuer, KU_KEY_CERT_SIGN)) return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
+        return X509_V_OK;
+}
+
diff --git a/src/lib/libcrypto/x509v3/v3_sxnet.c b/src/lib/libcrypto/x509v3/v3_sxnet.c
index 20ba8ac8d6..bfecacd336 100644
--- a/src/lib/libcrypto/x509v3/v3_sxnet.c
+++ b/src/lib/libcrypto/x509v3/v3_sxnet.c
@@ -132,7 +132,7 @@ void SXNET_free(SXNET *a)
         if (a == NULL) return;
         M_ASN1_INTEGER_free(a->version);
         sk_SXNETID_pop_free(a->ids, SXNETID_free);
-        Free (a);
+        OPENSSL_free (a);
 }
 
 int i2d_SXNETID(SXNETID *a, unsigned char **pp)
@@ -176,7 +176,7 @@ void SXNETID_free(SXNETID *a)
         if (a == NULL) return;
         M_ASN1_INTEGER_free(a->zone);
         M_ASN1_OCTET_STRING_free(a->user);
-        Free (a);
+        OPENSSL_free (a);
 }
 
 static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out,
@@ -192,7 +192,7 @@ static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out,
                 id = sk_SXNETID_value(sx->ids, i);
                 tmp = i2s_ASN1_INTEGER(NULL, id->zone);
                 BIO_printf(out, "\n%*sZone: %s, User: ", indent, "", tmp);
-                Free(tmp);
+                OPENSSL_free(tmp);
                 M_ASN1_OCTET_STRING_print(out, id->user);
         }
         return 1;
diff --git a/src/lib/libcrypto/x509v3/v3_utl.c b/src/lib/libcrypto/x509v3/v3_utl.c
index 4c2c4a9483..619f161b58 100644
--- a/src/lib/libcrypto/x509v3/v3_utl.c
+++ b/src/lib/libcrypto/x509v3/v3_utl.c
@@ -65,6 +65,10 @@
 #include <openssl/x509v3.h>
 
 static char *strip_spaces(char *name);
+static int sk_strcmp(const char * const *a, const char * const *b);
+static STACK *get_email(X509_NAME *name, STACK_OF(GENERAL_NAME) *gens);
+static void str_free(void *str);
+static int append_ia5(STACK **sk, ASN1_IA5STRING *email);
 
 /* Add a CONF_VALUE name value pair to stack */
 
@@ -75,8 +79,8 @@ int X509V3_add_value(const char *name, const char *value,
         char *tname = NULL, *tvalue = NULL;
         if(name && !(tname = BUF_strdup(name))) goto err;
         if(value && !(tvalue = BUF_strdup(value))) goto err;;
-        if(!(vtmp = (CONF_VALUE *)Malloc(sizeof(CONF_VALUE)))) goto err;
-        if(!*extlist && !(*extlist = sk_CONF_VALUE_new(NULL))) goto err;
+        if(!(vtmp = (CONF_VALUE *)OPENSSL_malloc(sizeof(CONF_VALUE)))) goto err;
+        if(!*extlist && !(*extlist = sk_CONF_VALUE_new_null())) goto err;
         vtmp->section = NULL;
         vtmp->name = tname;
         vtmp->value = tvalue;
@@ -84,9 +88,9 @@ int X509V3_add_value(const char *name, const char *value,
         return 1;
         err:
         X509V3err(X509V3_F_X509V3_ADD_VALUE,ERR_R_MALLOC_FAILURE);
-        if(vtmp) Free(vtmp);
-        if(tname) Free(tname);
-        if(tvalue) Free(tvalue);
+        if(vtmp) OPENSSL_free(vtmp);
+        if(tname) OPENSSL_free(tname);
+        if(tvalue) OPENSSL_free(tvalue);
         return 0;
 }
 
@@ -101,10 +105,10 @@ int X509V3_add_value_uchar(const char *name, const unsigned char *value,
 void X509V3_conf_free(CONF_VALUE *conf)
 {
         if(!conf) return;
-        if(conf->name) Free(conf->name);
-        if(conf->value) Free(conf->value);
-        if(conf->section) Free(conf->section);
-        Free(conf);
+        if(conf->name) OPENSSL_free(conf->name);
+        if(conf->value) OPENSSL_free(conf->value);
+        if(conf->section) OPENSSL_free(conf->section);
+        OPENSSL_free(conf);
 }
 
 int X509V3_add_value_bool(const char *name, int asn1_bool,
@@ -176,7 +180,7 @@ int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint,
         if(!aint) return 1;
         if(!(strtmp = i2s_ASN1_INTEGER(NULL, aint))) return 0;
         ret = X509V3_add_value(name, strtmp, extlist);
-        Free(strtmp);
+        OPENSSL_free(strtmp);
         return ret;
 }
 
@@ -298,11 +302,11 @@ STACK_OF(CONF_VALUE) *X509V3_parse_list(char *line)
                 }
                 X509V3_add_value(ntmp, NULL, &values);
         }
-Free(linebuf);
+OPENSSL_free(linebuf);
 return values;
 
 err:
-Free(linebuf);
+OPENSSL_free(linebuf);
 sk_CONF_VALUE_pop_free(values, X509V3_conf_free);
 return NULL;
 
@@ -325,8 +329,9 @@ static char *strip_spaces(char *name)
 
 /* hex string utilities */
 
-/* Given a buffer of length 'len' return a Malloc'ed string with its
+/* Given a buffer of length 'len' return a OPENSSL_malloc'ed string with its
  * hex representation
+ * @@@ (Contents of buffer are always kept in ASCII, also on EBCDIC machines)
  */
 
 char *hex_to_string(unsigned char *buffer, long len)
@@ -336,7 +341,7 @@ char *hex_to_string(unsigned char *buffer, long len)
         int i;
         static char hexdig[] = "0123456789ABCDEF";
         if(!buffer || !len) return NULL;
-        if(!(tmp = Malloc(len * 3 + 1))) {
+        if(!(tmp = OPENSSL_malloc(len * 3 + 1))) {
                 X509V3err(X509V3_F_HEX_TO_STRING,ERR_R_MALLOC_FAILURE);
                 return NULL;
         }
@@ -347,6 +352,10 @@ char *hex_to_string(unsigned char *buffer, long len)
                 *q++ = ':';
         }
         q[-1] = 0;
+#ifdef CHARSET_EBCDIC
+        ebcdic2ascii(tmp, tmp, q - tmp - 1);
+#endif
+
         return tmp;
 }
 
@@ -362,14 +371,20 @@ unsigned char *string_to_hex(char *str, long *len)
                 X509V3err(X509V3_F_STRING_TO_HEX,X509V3_R_INVALID_NULL_ARGUMENT);
                 return NULL;
         }
-        if(!(hexbuf = Malloc(strlen(str) >> 1))) goto err;
+        if(!(hexbuf = OPENSSL_malloc(strlen(str) >> 1))) goto err;
         for(p = (unsigned char *)str, q = hexbuf; *p;) {
                 ch = *p++;
+#ifdef CHARSET_EBCDIC
+                ch = os_toebcdic[ch];
+#endif
                 if(ch == ':') continue;
                 cl = *p++;
+#ifdef CHARSET_EBCDIC
+                cl = os_toebcdic[cl];
+#endif
                 if(!cl) {
                         X509V3err(X509V3_F_STRING_TO_HEX,X509V3_R_ODD_NUMBER_OF_DIGITS);
-                        Free(hexbuf);
+                        OPENSSL_free(hexbuf);
                         return NULL;
                 }
                 if(isupper(ch)) ch = tolower(ch);
@@ -391,12 +406,12 @@ unsigned char *string_to_hex(char *str, long *len)
         return hexbuf;
 
         err:
-        if(hexbuf) Free(hexbuf);
+        if(hexbuf) OPENSSL_free(hexbuf);
         X509V3err(X509V3_F_STRING_TO_HEX,ERR_R_MALLOC_FAILURE);
         return NULL;
 
         badhex:
-        Free(hexbuf);
+        OPENSSL_free(hexbuf);
         X509V3err(X509V3_F_STRING_TO_HEX,X509V3_R_ILLEGAL_HEX_DIGIT);
         return NULL;
 
@@ -416,3 +431,86 @@ int name_cmp(const char *name, const char *cmp)
         if(!c || (c=='.')) return 0;
         return 1;
 }
+
+static int sk_strcmp(const char * const *a, const char * const *b)
+{
+        return strcmp(*a, *b);
+}
+
+STACK *X509_get1_email(X509 *x)
+{
+        STACK_OF(GENERAL_NAME) *gens;
+        STACK *ret;
+        gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
+        ret = get_email(X509_get_subject_name(x), gens);
+        sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
+        return ret;
+}
+
+STACK *X509_REQ_get1_email(X509_REQ *x)
+{
+        STACK_OF(GENERAL_NAME) *gens;
+        STACK_OF(X509_EXTENSION) *exts;
+        STACK *ret;
+        exts = X509_REQ_get_extensions(x);
+        gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL);
+        ret = get_email(X509_REQ_get_subject_name(x), gens);
+        sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
+        sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
+        return ret;
+}
+
+
+static STACK *get_email(X509_NAME *name, STACK_OF(GENERAL_NAME) *gens)
+{
+        STACK *ret = NULL;
+        X509_NAME_ENTRY *ne;
+        ASN1_IA5STRING *email;
+        GENERAL_NAME *gen;
+        int i;
+        /* Now add any email address(es) to STACK */
+        i = -1;
+        /* First supplied X509_NAME */
+        while((i = X509_NAME_get_index_by_NID(name,
+                                         NID_pkcs9_emailAddress, i)) > 0) {
+                ne = X509_NAME_get_entry(name, i);
+                email = X509_NAME_ENTRY_get_data(ne);
+                if(!append_ia5(&ret, email)) return NULL;
+        }
+        for(i = 0; i < sk_GENERAL_NAME_num(gens); i++)
+        {
+                gen = sk_GENERAL_NAME_value(gens, i);
+                if(gen->type != GEN_EMAIL) continue;
+                if(!append_ia5(&ret, gen->d.ia5)) return NULL;
+        }
+        return ret;
+}
+
+static void str_free(void *str)
+{
+        OPENSSL_free(str);
+}
+
+static int append_ia5(STACK **sk, ASN1_IA5STRING *email)
+{
+        char *emtmp;
+        /* First some sanity checks */
+        if(email->type != V_ASN1_IA5STRING) return 1;
+        if(!email->data || !email->length) return 1;
+        if(!*sk) *sk = sk_new(sk_strcmp);
+        if(!*sk) return 0;
+        /* Don't add duplicates */
+        if(sk_find(*sk, (char *)email->data) != -1) return 1;
+        emtmp = BUF_strdup((char *)email->data);
+        if(!emtmp || !sk_push(*sk, emtmp)) {
+                X509_email_free(*sk);
+                *sk = NULL;
+                return 0;
+        }
+        return 1;
+}
+
+void X509_email_free(STACK *sk)
+{
+        sk_pop_free(sk, str_free);
+}
diff --git a/src/lib/libcrypto/x509v3/x509v3.h b/src/lib/libcrypto/x509v3/x509v3.h
index 96ceb7c4fb..0453b12d63 100644
--- a/src/lib/libcrypto/x509v3/x509v3.h
+++ b/src/lib/libcrypto/x509v3/x509v3.h
@@ -58,14 +58,14 @@
 #ifndef HEADER_X509V3_H
 #define HEADER_X509V3_H
 
-#ifdef __cplusplus
-extern "C" {
-#endif
-
 #include <openssl/bio.h>
 #include <openssl/x509.h>
 #include <openssl/conf.h>
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 /* Forward reference */
 struct v3_ext_method;
 struct v3_ext_ctx;
@@ -131,6 +131,8 @@ void *db;
 typedef struct v3_ext_method X509V3_EXT_METHOD;
 typedef struct v3_ext_ctx X509V3_CTX;
 
+DECLARE_STACK_OF(X509V3_EXT_METHOD)
+
 /* ext_flags values */
 #define X509V3_EXT_DYNAMIC      0x1
 #define X509V3_EXT_CTX_DEP      0x2
@@ -227,7 +229,7 @@ typedef struct SXNET_st {
 
 typedef struct NOTICEREF_st {
         ASN1_STRING *organization;
-        STACK *noticenos;
+        STACK_OF(ASN1_INTEGER) *noticenos;
 } NOTICEREF;
 
 typedef struct USERNOTICE_st {
@@ -332,7 +334,8 @@ typedef struct x509_purpose_st {
         int purpose;
         int trust;              /* Default trust ID */
         int flags;
-        int (*check_purpose)(struct x509_purpose_st *, X509 *, int);
+        int (*check_purpose)(const struct x509_purpose_st *,
+                                const X509 *, int);
         char *name;
         char *sname;
         void *usr_data;
@@ -529,12 +532,13 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, int flag, int indent);
 int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
 
 int X509_check_purpose(X509 *x, int id, int ca);
+int X509_check_issued(X509 *issuer, X509 *subject);
 int X509_PURPOSE_get_count(void);
 X509_PURPOSE * X509_PURPOSE_get0(int idx);
 int X509_PURPOSE_get_by_sname(char *sname);
 int X509_PURPOSE_get_by_id(int id);
 int X509_PURPOSE_add(int id, int trust, int flags,
-                        int (*ck)(X509_PURPOSE *, X509 *, int),
+                        int (*ck)(const X509_PURPOSE *, const X509 *, int),
                                 char *name, char *sname, void *arg);
 char *X509_PURPOSE_get0_name(X509_PURPOSE *xp);
 char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp);
@@ -542,6 +546,11 @@ int X509_PURPOSE_get_trust(X509_PURPOSE *xp);
 void X509_PURPOSE_cleanup(void);
 int X509_PURPOSE_get_id(X509_PURPOSE *);
 
+STACK *X509_get1_email(X509 *x);
+STACK *X509_REQ_get1_email(X509_REQ *x);
+void X509_email_free(STACK *sk);
+
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.