14 files changed, 942 insertions, 517 deletions

diff --git a/src/lib/libcrypto/x509/Makefile.ssl b/src/lib/libcrypto/x509/Makefile.ssl
index 48937b43af..4619693733 100644
--- a/src/lib/libcrypto/x509/Makefile.ssl
+++ b/src/lib/libcrypto/x509/Makefile.ssl
@@ -96,15 +96,17 @@ by_dir.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 by_dir.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 by_dir.o: ../../include/openssl/err.h ../../include/openssl/evp.h
 by_dir.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-by_dir.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
-by_dir.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+by_dir.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+by_dir.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+by_dir.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 by_dir.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 by_dir.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
 by_dir.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
 by_dir.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
 by_dir.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-by_dir.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
-by_dir.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+by_dir.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+by_dir.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+by_dir.o: ../cryptlib.h
 by_file.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 by_file.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 by_file.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -113,52 +115,60 @@ by_file.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 by_file.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 by_file.o: ../../include/openssl/err.h ../../include/openssl/evp.h
 by_file.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-by_file.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
-by_file.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+by_file.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+by_file.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+by_file.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 by_file.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 by_file.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
 by_file.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
 by_file.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
 by_file.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
 by_file.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-by_file.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
-by_file.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+by_file.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+by_file.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+by_file.o: ../cryptlib.h
 x509_att.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_att.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_att.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 x509_att.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 x509_att.o: ../../include/openssl/des.h ../../include/openssl/dh.h
 x509_att.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x509_att.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x509_att.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x509_att.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_att.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_att.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_att.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509_att.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x509_att.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_att.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_att.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509_att.o: ../../include/openssl/opensslconf.h
 x509_att.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509_att.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509_att.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509_att.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_att.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_att.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_att.o: ../../include/openssl/x509v3.h ../cryptlib.h
+x509_att.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_att.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+x509_att.o: ../cryptlib.h
 x509_cmp.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_cmp.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_cmp.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 x509_cmp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 x509_cmp.o: ../../include/openssl/des.h ../../include/openssl/dh.h
 x509_cmp.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x509_cmp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x509_cmp.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x509_cmp.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_cmp.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_cmp.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_cmp.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509_cmp.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x509_cmp.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_cmp.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_cmp.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509_cmp.o: ../../include/openssl/opensslconf.h
 x509_cmp.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509_cmp.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509_cmp.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509_cmp.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_cmp.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_cmp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_cmp.o: ../../include/openssl/x509v3.h ../cryptlib.h
+x509_cmp.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_cmp.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+x509_cmp.o: ../cryptlib.h
 x509_d2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_d2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_d2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -166,14 +176,16 @@ x509_d2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 x509_d2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 x509_d2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 x509_d2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_d2.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509_d2.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509_d2.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x509_d2.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_d2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x509_d2.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509_d2.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_d2.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_d2.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_d2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_d2.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509_d2.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x509_d2.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x509_d2.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x509_d2.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x509_d2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_d2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 x509_d2.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 x509_d2.o: ../cryptlib.h
 x509_def.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
@@ -183,49 +195,57 @@ x509_def.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 x509_def.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 x509_def.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 x509_def.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_def.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509_def.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509_def.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x509_def.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_def.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_def.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509_def.o: ../../include/openssl/opensslconf.h
 x509_def.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509_def.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509_def.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509_def.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_def.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_def.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_def.o: ../cryptlib.h
+x509_def.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_def.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
 x509_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_err.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_err.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-x509_err.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x509_err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-x509_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_err.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
-x509_err.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_err.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+x509_err.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_err.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x509_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_err.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+x509_err.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_err.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+x509_err.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
 x509_err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 x509_err.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509_err.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509_err.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509_err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_err.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_err.o: ../../include/openssl/x509_vfy.h
 x509_ext.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_ext.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_ext.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 x509_ext.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 x509_ext.o: ../../include/openssl/des.h ../../include/openssl/dh.h
 x509_ext.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x509_ext.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x509_ext.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x509_ext.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_ext.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_ext.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_ext.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509_ext.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x509_ext.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_ext.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_ext.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509_ext.o: ../../include/openssl/opensslconf.h
 x509_ext.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509_ext.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509_ext.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509_ext.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_ext.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_ext.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_ext.o: ../../include/openssl/x509v3.h ../cryptlib.h
+x509_ext.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_ext.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+x509_ext.o: ../cryptlib.h
 x509_lu.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_lu.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_lu.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -234,15 +254,17 @@ x509_lu.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 x509_lu.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 x509_lu.o: ../../include/openssl/err.h ../../include/openssl/evp.h
 x509_lu.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_lu.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
-x509_lu.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x509_lu.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+x509_lu.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_lu.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509_lu.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 x509_lu.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
 x509_lu.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
 x509_lu.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
 x509_lu.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x509_lu.o: ../../include/openssl/stack.h ../../include/openssl/x509.h
-x509_lu.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x509_lu.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509_lu.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_lu.o: ../cryptlib.h
 x509_obj.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_obj.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_obj.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -251,16 +273,17 @@ x509_obj.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 x509_obj.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 x509_obj.o: ../../include/openssl/err.h ../../include/openssl/evp.h
 x509_obj.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_obj.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
-x509_obj.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x509_obj.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+x509_obj.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_obj.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509_obj.o: ../../include/openssl/opensslconf.h
 x509_obj.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509_obj.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509_obj.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509_obj.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_obj.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_obj.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_obj.o: ../cryptlib.h
+x509_obj.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_obj.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
 x509_r2x.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_r2x.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_r2x.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -268,16 +291,18 @@ x509_r2x.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 x509_r2x.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 x509_r2x.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 x509_r2x.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_r2x.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509_r2x.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509_r2x.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x509_r2x.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_r2x.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_r2x.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509_r2x.o: ../../include/openssl/opensslconf.h
 x509_r2x.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509_r2x.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509_r2x.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509_r2x.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_r2x.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_r2x.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_r2x.o: ../cryptlib.h
+x509_r2x.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_r2x.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
 x509_req.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_req.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_req.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -285,17 +310,19 @@ x509_req.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 x509_req.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 x509_req.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 x509_req.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_req.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509_req.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509_req.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x509_req.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_req.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_req.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509_req.o: ../../include/openssl/opensslconf.h
 x509_req.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
 x509_req.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
 x509_req.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509_req.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509_req.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_req.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_req.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_req.o: ../cryptlib.h
+x509_req.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_req.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
 x509_set.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_set.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_set.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -303,34 +330,39 @@ x509_set.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 x509_set.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 x509_set.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 x509_set.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_set.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509_set.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509_set.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x509_set.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_set.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_set.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509_set.o: ../../include/openssl/opensslconf.h
 x509_set.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509_set.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509_set.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509_set.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_set.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_set.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_set.o: ../cryptlib.h
+x509_set.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_set.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
 x509_trs.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_trs.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_trs.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 x509_trs.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 x509_trs.o: ../../include/openssl/des.h ../../include/openssl/dh.h
 x509_trs.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x509_trs.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x509_trs.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x509_trs.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_trs.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_trs.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_trs.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509_trs.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x509_trs.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_trs.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_trs.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509_trs.o: ../../include/openssl/opensslconf.h
 x509_trs.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509_trs.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509_trs.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509_trs.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_trs.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_trs.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_trs.o: ../../include/openssl/x509v3.h ../cryptlib.h
+x509_trs.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_trs.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+x509_trs.o: ../cryptlib.h
 x509_txt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_txt.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_txt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -339,32 +371,35 @@ x509_txt.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 x509_txt.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 x509_txt.o: ../../include/openssl/err.h ../../include/openssl/evp.h
 x509_txt.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_txt.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
-x509_txt.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
+x509_txt.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+x509_txt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_txt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509_txt.o: ../../include/openssl/opensslconf.h
 x509_txt.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509_txt.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509_txt.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509_txt.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_txt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_txt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_txt.o: ../cryptlib.h
+x509_txt.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_txt.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
 x509_v3.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509_v3.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509_v3.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 x509_v3.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 x509_v3.o: ../../include/openssl/des.h ../../include/openssl/dh.h
 x509_v3.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x509_v3.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x509_v3.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x509_v3.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_v3.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_v3.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_v3.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509_v3.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x509_v3.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_v3.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x509_v3.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509_v3.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_v3.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_v3.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_v3.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_v3.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509_v3.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x509_v3.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x509_v3.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x509_v3.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x509_v3.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_v3.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 x509_v3.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 x509_v3.o: ../../include/openssl/x509v3.h ../cryptlib.h
 x509_vfy.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
@@ -373,18 +408,21 @@ x509_vfy.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 x509_vfy.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 x509_vfy.o: ../../include/openssl/des.h ../../include/openssl/dh.h
 x509_vfy.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x509_vfy.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x509_vfy.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x509_vfy.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509_vfy.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_vfy.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_vfy.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509_vfy.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x509_vfy.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_vfy.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_vfy.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509_vfy.o: ../../include/openssl/opensslconf.h
 x509_vfy.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509_vfy.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509_vfy.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509_vfy.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509_vfy.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_vfy.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_vfy.o: ../../include/openssl/x509v3.h ../cryptlib.h
+x509_vfy.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_vfy.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+x509_vfy.o: ../cryptlib.h
 x509name.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509name.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509name.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -392,16 +430,18 @@ x509name.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 x509name.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 x509name.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 x509name.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509name.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509name.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509name.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x509name.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509name.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509name.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509name.o: ../../include/openssl/opensslconf.h
 x509name.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509name.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509name.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509name.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509name.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509name.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509name.o: ../cryptlib.h
+x509name.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509name.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
 x509rset.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509rset.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509rset.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -409,16 +449,18 @@ x509rset.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 x509rset.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 x509rset.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 x509rset.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509rset.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509rset.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509rset.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x509rset.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509rset.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509rset.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509rset.o: ../../include/openssl/opensslconf.h
 x509rset.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509rset.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509rset.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509rset.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509rset.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509rset.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509rset.o: ../cryptlib.h
+x509rset.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509rset.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
 x509spki.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
 x509spki.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
 x509spki.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
@@ -427,16 +469,17 @@ x509spki.o: ../../include/openssl/des.h ../../include/openssl/dh.h
 x509spki.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
 x509spki.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 x509spki.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x509spki.o: ../../include/openssl/md2.h ../../include/openssl/md5.h
-x509spki.o: ../../include/openssl/mdc2.h ../../include/openssl/objects.h
-x509spki.o: ../../include/openssl/opensslconf.h
+x509spki.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+x509spki.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+x509spki.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x509spki.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 x509spki.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509spki.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509spki.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509spki.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509spki.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509spki.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509spki.o: ../cryptlib.h
+x509spki.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509spki.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
 x509type.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x509type.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x509type.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -444,16 +487,18 @@ x509type.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 x509type.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 x509type.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 x509type.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509type.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x509type.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x509type.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x509type.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509type.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509type.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509type.o: ../../include/openssl/opensslconf.h
 x509type.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
 x509type.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 x509type.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 x509type.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x509type.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509type.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509type.o: ../cryptlib.h
+x509type.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509type.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
 x_all.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x_all.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 x_all.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
@@ -461,13 +506,15 @@ x_all.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 x_all.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 x_all.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 x_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x_all.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
+x_all.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+x_all.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 x_all.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x_all.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x_all.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x_all.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x_all.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x_all.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_all.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+x_all.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+x_all.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_all.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_all.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 x_all.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 x_all.o: ../cryptlib.h
diff --git a/src/lib/libcrypto/x509/by_dir.c b/src/lib/libcrypto/x509/by_dir.c
index 14d12c56bd..cac64a6f40 100644
--- a/src/lib/libcrypto/x509/by_dir.c
+++ b/src/lib/libcrypto/x509/by_dir.c
@@ -146,11 +146,11 @@ static int new_dir(X509_LOOKUP *lu)
         {
         BY_DIR *a;
 
-        if ((a=(BY_DIR *)Malloc(sizeof(BY_DIR))) == NULL)
+        if ((a=(BY_DIR *)OPENSSL_malloc(sizeof(BY_DIR))) == NULL)
                 return(0);
         if ((a->buffer=BUF_MEM_new()) == NULL)
                 {
-                Free(a);
+                OPENSSL_free(a);
                 return(0);
                 }
         a->num_dirs=0;
@@ -168,11 +168,11 @@ static void free_dir(X509_LOOKUP *lu)
 
         a=(BY_DIR *)lu->method_data;
         for (i=0; i<a->num_dirs; i++)
-                if (a->dirs[i] != NULL) Free(a->dirs[i]);
-        if (a->dirs != NULL) Free(a->dirs);
-        if (a->dirs_type != NULL) Free(a->dirs_type);
+                if (a->dirs[i] != NULL) OPENSSL_free(a->dirs[i]);
+        if (a->dirs != NULL) OPENSSL_free(a->dirs);
+        if (a->dirs_type != NULL) OPENSSL_free(a->dirs_type);
         if (a->buffer != NULL) BUF_MEM_free(a->buffer);
-        Free(a);
+        OPENSSL_free(a);
         }
 
 static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
@@ -204,9 +204,9 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
                         if (ctx->num_dirs_alloced < (ctx->num_dirs+1))
                                 {
                                 ctx->num_dirs_alloced+=10;
-                                pp=(char **)Malloc(ctx->num_dirs_alloced*
+                                pp=(char **)OPENSSL_malloc(ctx->num_dirs_alloced*
                                         sizeof(char *));
-                                ip=(int *)Malloc(ctx->num_dirs_alloced*
+                                ip=(int *)OPENSSL_malloc(ctx->num_dirs_alloced*
                                         sizeof(int));
                                 if ((pp == NULL) || (ip == NULL))
                                         {
@@ -218,14 +218,14 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
                                 memcpy(ip,ctx->dirs_type,(ctx->num_dirs_alloced-10)*
                                         sizeof(int));
                                 if (ctx->dirs != NULL)
-                                        Free(ctx->dirs);
+                                        OPENSSL_free(ctx->dirs);
                                 if (ctx->dirs_type != NULL)
-                                        Free(ctx->dirs_type);
+                                        OPENSSL_free(ctx->dirs_type);
                                 ctx->dirs=pp;
                                 ctx->dirs_type=ip;
                                 }
                         ctx->dirs_type[ctx->num_dirs]=type;
-                        ctx->dirs[ctx->num_dirs]=(char *)Malloc((unsigned int)len+1);
+                        ctx->dirs[ctx->num_dirs]=(char *)OPENSSL_malloc((unsigned int)len+1);
                         if (ctx->dirs[ctx->num_dirs] == NULL) return(0);
                         strncpy(ctx->dirs[ctx->num_dirs],ss,(unsigned int)len);
                         ctx->dirs[ctx->num_dirs][len]='\0';
@@ -326,7 +326,9 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
                 /* we have added it to the cache so now pull
                  * it out again */
                 CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE);
-                tmp=(X509_OBJECT *)lh_retrieve(xl->store_ctx->certs,&stmp);
+                j = sk_X509_OBJECT_find(xl->store_ctx->objs,&stmp);
+                if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,i);
+                else tmp = NULL;
                 CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE);
 
                 if (tmp != NULL)
diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
index 0192272e7c..813c8adffd 100644
--- a/src/lib/libcrypto/x509/x509.h
+++ b/src/lib/libcrypto/x509/x509.h
@@ -59,15 +59,16 @@
 #ifndef HEADER_X509_H
 #define HEADER_X509_H
 
-#ifdef  __cplusplus
-extern "C" {
+#include <openssl/symhacks.h>
+#ifndef NO_BUFFER
+#include <openssl/buffer.h>
 #endif
-
-#ifdef VMS
-#undef X509_REVOKED_get_ext_by_critical
-#define X509_REVOKED_get_ext_by_critical X509_REVOKED_get_ext_by_critic
+#ifndef NO_EVP
+#include <openssl/evp.h>
+#endif
+#ifndef NO_BIO
+#include <openssl/bio.h>
 #endif
-
 #include <openssl/stack.h>
 #include <openssl/asn1.h>
 #include <openssl/safestack.h>
@@ -87,11 +88,19 @@ extern "C" {
 #include <openssl/evp.h>
 
 
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
 #ifdef WIN32
 /* Under Win32 this is defined in wincrypt.h */
 #undef X509_NAME
 #endif
 
+  /* If placed in pkcs12.h, we end up with a circular depency with pkcs7.h */
+#define DECLARE_PKCS12_STACK_OF(type) /* Nothing */
+#define IMPLEMENT_PKCS12_STACK_OF(type) /* Nothing */
+
 #define X509_FILETYPE_PEM       1
 #define X509_FILETYPE_ASN1      2
 #define X509_FILETYPE_DEFAULT   3
@@ -125,8 +134,8 @@ DECLARE_ASN1_SET_OF(X509_ALGOR)
 
 typedef struct X509_val_st
         {
-        ASN1_UTCTIME *notBefore;
-        ASN1_UTCTIME *notAfter;
+        ASN1_TIME *notBefore;
+        ASN1_TIME *notAfter;
         } X509_VAL;
 
 typedef struct X509_pubkey_st
@@ -158,7 +167,7 @@ typedef struct X509_name_st
         {
         STACK_OF(X509_NAME_ENTRY) *entries;
         int modified;   /* true if 'bytes' needs to be built */
-#ifdef HEADER_BUFFER_H
+#ifndef NO_BUFFER
         BUF_MEM *bytes;
 #else
         char *bytes;
@@ -200,6 +209,8 @@ DECLARE_ASN1_SET_OF(X509_ATTRIBUTE)
 
 typedef struct X509_req_info_st
         {
+        unsigned char *asn1;
+        int length;
         ASN1_INTEGER *version;
         X509_NAME *subject;
         X509_PUBKEY *pubkey;
@@ -260,6 +271,8 @@ typedef struct x509_st
         unsigned long ex_kusage;
         unsigned long ex_xkusage;
         unsigned long ex_nscert;
+        ASN1_OCTET_STRING *skid;
+        struct AUTHORITY_KEYID_st *akid;
 #ifndef NO_SHA
         unsigned char sha1_hash[SHA_DIGEST_LENGTH];
 #endif
@@ -307,10 +320,65 @@ DECLARE_STACK_OF(X509_TRUST)
 #define X509_TRUST_REJECTED     2
 #define X509_TRUST_UNTRUSTED    3
 
+/* Flags specific to X509_NAME_print_ex() */    
+
+/* The field separator information */
+
+#define XN_FLAG_SEP_MASK        (0xf << 16)
+
+#define XN_FLAG_COMPAT          0               /* Traditional SSLeay: use old X509_NAME_print */
+#define XN_FLAG_SEP_COMMA_PLUS  (1 << 16)       /* RFC2253 ,+ */
+#define XN_FLAG_SEP_CPLUS_SPC   (2 << 16)       /* ,+ spaced: more readable */
+#define XN_FLAG_SEP_SPLUS_SPC   (3 << 16)       /* ;+ spaced */
+#define XN_FLAG_SEP_MULTILINE   (4 << 16)       /* One line per field */
+
+#define XN_FLAG_DN_REV          (1 << 20)       /* Reverse DN order */
+
+/* How the field name is shown */
+
+#define XN_FLAG_FN_MASK         (0x3 << 21)
+
+#define XN_FLAG_FN_SN           0               /* Object short name */
+#define XN_FLAG_FN_LN           (1 << 21)       /* Object long name */
+#define XN_FLAG_FN_OID          (2 << 21)       /* Always use OIDs */
+#define XN_FLAG_FN_NONE         (3 << 21)       /* No field names */
+
+#define XN_FLAG_SPC_EQ          (1 << 23)       /* Put spaces round '=' */
+
+/* This determines if we dump fields we don't recognise:
+ * RFC2253 requires this.
+ */
+
+#define XN_FLAG_DUMP_UNKNOWN_FIELDS (1 << 24)
+
+/* Complete set of RFC2253 flags */
+
+#define XN_FLAG_RFC2253 (ASN1_STRFLGS_RFC2253 | \
+                        XN_FLAG_SEP_COMMA_PLUS | \
+                        XN_FLAG_DN_REV | \
+                        XN_FLAG_FN_SN | \
+                        XN_FLAG_DUMP_UNKNOWN_FIELDS)
+
+/* readable oneline form */
+
+#define XN_FLAG_ONELINE (ASN1_STRFLGS_RFC2253 | \
+                        ASN1_STRFLGS_ESC_QUOTE | \
+                        XN_FLAG_SEP_CPLUS_SPC | \
+                        XN_FLAG_SPC_EQ | \
+                        XN_FLAG_FN_SN)
+
+/* readable multiline form */
+
+#define XN_FLAG_MULTILINE (ASN1_STRFLGS_ESC_CTRL | \
+                        ASN1_STRFLGS_ESC_MSB | \
+                        XN_FLAG_SEP_MULTILINE | \
+                        XN_FLAG_SPC_EQ | \
+                        XN_FLAG_FN_LN)
+
 typedef struct X509_revoked_st
         {
         ASN1_INTEGER *serialNumber;
-        ASN1_UTCTIME *revocationDate;
+        ASN1_TIME *revocationDate;
         STACK_OF(X509_EXTENSION) /* optional */ *extensions;
         int sequence; /* load sequence */
         } X509_REVOKED;
@@ -323,8 +391,8 @@ typedef struct X509_crl_info_st
         ASN1_INTEGER *version;
         X509_ALGOR *sig_alg;
         X509_NAME *issuer;
-        ASN1_UTCTIME *lastUpdate;
-        ASN1_UTCTIME *nextUpdate;
+        ASN1_TIME *lastUpdate;
+        ASN1_TIME *nextUpdate;
         STACK_OF(X509_REVOKED) *revoked;
         STACK_OF(X509_EXTENSION) /* [0] */ *extensions;
         } X509_CRL_INFO;
@@ -362,7 +430,7 @@ typedef struct private_key_st
         int references;
         } X509_PKEY;
 
-#ifdef HEADER_ENVELOPE_H
+#ifndef NO_EVP
 typedef struct X509_info_st
         {
         X509 *x509;
@@ -445,9 +513,17 @@ typedef struct pkcs8_priv_key_info_st
         STACK_OF(X509_ATTRIBUTE) *attributes;
         } PKCS8_PRIV_KEY_INFO;
 
+#ifdef  __cplusplus
+}
+#endif
+
 #include <openssl/x509_vfy.h>
 #include <openssl/pkcs7.h>
 
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
 #ifdef SSLEAY_MACROS
 #define X509_verify(a,r) ASN1_verify((int (*)())i2d_X509_CINF,a->sig_alg,\
         a->signature,(char *)a->cert_info,r)
@@ -610,7 +686,7 @@ typedef struct pkcs8_priv_key_info_st
 const char *X509_verify_cert_error_string(long n);
 
 #ifndef SSLEAY_MACROS
-#ifdef HEADER_ENVELOPE_H
+#ifndef NO_EVP
 int X509_verify(X509 *a, EVP_PKEY *r);
 
 int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r);
@@ -629,9 +705,14 @@ int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
 int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
 int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md);
 
-int X509_digest(X509 *data,const EVP_MD *type,unsigned char *md,unsigned int *len);
-int X509_NAME_digest(X509_NAME *data,const EVP_MD *type,
-        unsigned char *md,unsigned int *len);
+int X509_digest(const X509 *data,const EVP_MD *type,
+                unsigned char *md, unsigned int *len);
+int X509_CRL_digest(const X509_CRL *data,const EVP_MD *type,
+                unsigned char *md, unsigned int *len);
+int X509_REQ_digest(const X509_REQ *data,const EVP_MD *type,
+                unsigned char *md, unsigned int *len);
+int X509_NAME_digest(const X509_NAME *data,const EVP_MD *type,
+                unsigned char *md, unsigned int *len);
 #endif
 
 #ifndef NO_FP_API
@@ -663,9 +744,11 @@ int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,PKCS8_PRIV_KEY_INFO *p8inf);
 int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key);
 int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey);
 EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a);
+int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey);
+EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a);
 #endif
 
-#ifdef HEADER_BIO_H
+#ifndef NO_BIO
 X509 *d2i_X509_bio(BIO *bp,X509 **x509);
 int i2d_X509_bio(BIO *bp,X509 *x509);
 X509_CRL *d2i_X509_CRL_bio(BIO *bp,X509_CRL **crl);
@@ -694,6 +777,8 @@ int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,PKCS8_PRIV_KEY_INFO *p8inf);
 int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key);
 int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey);
 EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a);
+int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey);
+EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a);
 #endif
 
 X509 *X509_dup(X509 *x509);
@@ -711,8 +796,10 @@ RSA *RSAPrivateKey_dup(RSA *rsa);
 
 #endif /* !SSLEAY_MACROS */
 
-int             X509_cmp_current_time(ASN1_UTCTIME *s);
-ASN1_UTCTIME *  X509_gmtime_adj(ASN1_UTCTIME *s, long adj);
+int             X509_cmp_time(ASN1_TIME *s, time_t *t);
+int             X509_cmp_current_time(ASN1_TIME *s);
+ASN1_TIME *     X509_time_adj(ASN1_TIME *s, long adj, time_t *t);
+ASN1_TIME *     X509_gmtime_adj(ASN1_TIME *s, long adj);
 
 const char *    X509_get_default_cert_area(void );
 const char *    X509_get_default_cert_dir(void );
@@ -825,6 +912,7 @@ int		i2d_X509_CERT_AUX(X509_CERT_AUX *a,unsigned char **pp);
 X509_CERT_AUX * d2i_X509_CERT_AUX(X509_CERT_AUX **a,unsigned char **pp,
                                                                 long length);
 int X509_alias_set1(X509 *x, unsigned char *name, int len);
+int X509_keyid_set1(X509 *x, unsigned char *id, int len);
 unsigned char * X509_alias_get0(X509 *x, int *len);
 int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int);
 int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj);
@@ -871,7 +959,7 @@ NETSCAPE_CERT_SEQUENCE *NETSCAPE_CERT_SEQUENCE_new(void);
 NETSCAPE_CERT_SEQUENCE *d2i_NETSCAPE_CERT_SEQUENCE(NETSCAPE_CERT_SEQUENCE **a, unsigned char **pp, long length);
 void NETSCAPE_CERT_SEQUENCE_free(NETSCAPE_CERT_SEQUENCE *a);
 
-#ifdef HEADER_ENVELOPE_H
+#ifndef NO_EVP
 X509_INFO *     X509_INFO_new(void);
 void            X509_INFO_free(X509_INFO *a);
 char *          X509_NAME_oneline(X509_NAME *a,char *buf,int size);
@@ -894,8 +982,8 @@ int 		X509_set_issuer_name(X509 *x, X509_NAME *name);
 X509_NAME *     X509_get_issuer_name(X509 *a);
 int             X509_set_subject_name(X509 *x, X509_NAME *name);
 X509_NAME *     X509_get_subject_name(X509 *a);
-int             X509_set_notBefore(X509 *x, ASN1_UTCTIME *tm);
-int             X509_set_notAfter(X509 *x, ASN1_UTCTIME *tm);
+int             X509_set_notBefore(X509 *x, ASN1_TIME *tm);
+int             X509_set_notAfter(X509 *x, ASN1_TIME *tm);
 int             X509_set_pubkey(X509 *x, EVP_PKEY *pkey);
 EVP_PKEY *      X509_get_pubkey(X509 *x);
 int             X509_certificate_type(X509 *x,EVP_PKEY *pubkey /* optional */);
@@ -931,28 +1019,30 @@ int X509_REQ_add1_attr_by_txt(X509_REQ *req,
 
 int             X509_check_private_key(X509 *x509,EVP_PKEY *pkey);
 
-int             X509_issuer_and_serial_cmp(X509 *a, X509 *b);
+int             X509_issuer_and_serial_cmp(const X509 *a, const X509 *b);
 unsigned long   X509_issuer_and_serial_hash(X509 *a);
 
-int             X509_issuer_name_cmp(X509 *a, X509 *b);
+int             X509_issuer_name_cmp(const X509 *a, const X509 *b);
 unsigned long   X509_issuer_name_hash(X509 *a);
 
-int             X509_subject_name_cmp(X509 *a,X509 *b);
+int             X509_subject_name_cmp(const X509 *a, const X509 *b);
 unsigned long   X509_subject_name_hash(X509 *x);
 
-int             X509_cmp (X509 *a, X509 *b);
-int             X509_NAME_cmp (X509_NAME *a, X509_NAME *b);
+int             X509_cmp(const X509 *a, const X509 *b);
+int             X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b);
 unsigned long   X509_NAME_hash(X509_NAME *x);
 
-int             X509_CRL_cmp(X509_CRL *a,X509_CRL *b);
+int             X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b);
 #ifndef NO_FP_API
 int             X509_print_fp(FILE *bp,X509 *x);
 int             X509_CRL_print_fp(FILE *bp,X509_CRL *x);
 int             X509_REQ_print_fp(FILE *bp,X509_REQ *req);
+int X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long flags);
 #endif
 
-#ifdef HEADER_BIO_H
+#ifndef NO_BIO
 int             X509_NAME_print(BIO *bp, X509_NAME *name, int obase);
+int X509_NAME_print_ex(BIO *out, X509_NAME *nm, int indent, unsigned long flags);
 int             X509_print(BIO *bp,X509 *x);
 int             X509_CERT_AUX_print(BIO *bp,X509_CERT_AUX *x, int indent);
 int             X509_CRL_print(BIO *bp,X509_CRL *x);
diff --git a/src/lib/libcrypto/x509/x509_cmp.c b/src/lib/libcrypto/x509/x509_cmp.c
index a8a5ca8b03..b147d573d2 100644
--- a/src/lib/libcrypto/x509/x509_cmp.c
+++ b/src/lib/libcrypto/x509/x509_cmp.c
@@ -63,7 +63,7 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
-int X509_issuer_and_serial_cmp(X509 *a, X509 *b)
+int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b)
         {
         int i;
         X509_CINF *ai,*bi;
@@ -97,17 +97,17 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
         }
 #endif
         
-int X509_issuer_name_cmp(X509 *a, X509 *b)
+int X509_issuer_name_cmp(const X509 *a, const X509 *b)
         {
         return(X509_NAME_cmp(a->cert_info->issuer,b->cert_info->issuer));
         }
 
-int X509_subject_name_cmp(X509 *a, X509 *b)
+int X509_subject_name_cmp(const X509 *a, const X509 *b)
         {
         return(X509_NAME_cmp(a->cert_info->subject,b->cert_info->subject));
         }
 
-int X509_CRL_cmp(X509_CRL *a, X509_CRL *b)
+int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b)
         {
         return(X509_NAME_cmp(a->crl->issuer,b->crl->issuer));
         }
@@ -139,19 +139,25 @@ unsigned long X509_subject_name_hash(X509 *x)
 
 #ifndef NO_SHA
 /* Compare two certificates: they must be identical for
- * this to work.
+ * this to work. NB: Although "cmp" operations are generally
+ * prototyped to take "const" arguments (eg. for use in
+ * STACKs), the way X509 handling is - these operations may
+ * involve ensuring the hashes are up-to-date and ensuring
+ * certain cert information is cached. So this is the point
+ * where the "depth-first" constification tree has to halt
+ * with an evil cast.
  */
-int X509_cmp(X509 *a, X509 *b)
+int X509_cmp(const X509 *a, const X509 *b)
 {
         /* ensure hash is valid */
-        X509_check_purpose(a, -1, 0);
-        X509_check_purpose(b, -1, 0);
+        X509_check_purpose((X509 *)a, -1, 0);
+        X509_check_purpose((X509 *)b, -1, 0);
 
         return memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH);
 }
 #endif
 
-int X509_NAME_cmp(X509_NAME *a, X509_NAME *b)
+int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
         {
         int i,j;
         X509_NAME_ENTRY *na,*nb;
@@ -198,14 +204,14 @@ unsigned long X509_NAME_hash(X509_NAME *x)
 
         i=i2d_X509_NAME(x,NULL);
         if (i > sizeof(str))
-                p=Malloc(i);
+                p=OPENSSL_malloc(i);
         else
                 p=str;
 
         pp=p;
         i2d_X509_NAME(x,&pp);
         MD5((unsigned char *)p,i,&(md[0]));
-        if (p != str) Free(p);
+        if (p != str) OPENSSL_free(p);
 
         ret=(   ((unsigned long)md[0]     )|((unsigned long)md[1]<<8L)|
                 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
diff --git a/src/lib/libcrypto/x509/x509_lu.c b/src/lib/libcrypto/x509/x509_lu.c
index a20006d67e..863c738cad 100644
--- a/src/lib/libcrypto/x509/x509_lu.c
+++ b/src/lib/libcrypto/x509/x509_lu.c
@@ -62,14 +62,13 @@
 #include <openssl/x509.h>
 
 static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_store_meth=NULL;
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_store_ctx_meth=NULL;
 
 X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
         {
         X509_LOOKUP *ret;
 
-        ret=(X509_LOOKUP *)Malloc(sizeof(X509_LOOKUP));
-        if (ret == NULL) return(NULL);
+        ret=(X509_LOOKUP *)OPENSSL_malloc(sizeof(X509_LOOKUP));
+        if (ret == NULL) return NULL;
 
         ret->init=0;
         ret->skip=0;
@@ -78,10 +77,10 @@ X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
         ret->store_ctx=NULL;
         if ((method->new_item != NULL) && !method->new_item(ret))
                 {
-                Free(ret);
-                return(NULL);
+                OPENSSL_free(ret);
+                return NULL;
                 }
-        return(ret);
+        return ret;
         }
 
 void X509_LOOKUP_free(X509_LOOKUP *ctx)
@@ -90,44 +89,44 @@ void X509_LOOKUP_free(X509_LOOKUP *ctx)
         if (    (ctx->method != NULL) &&
                 (ctx->method->free != NULL))
                 ctx->method->free(ctx);
-        Free(ctx);
+        OPENSSL_free(ctx);
         }
 
 int X509_LOOKUP_init(X509_LOOKUP *ctx)
         {
-        if (ctx->method == NULL) return(0);
+        if (ctx->method == NULL) return 0;
         if (ctx->method->init != NULL)
-                return(ctx->method->init(ctx));
+                return ctx->method->init(ctx);
         else
-                return(1);
+                return 1;
         }
 
 int X509_LOOKUP_shutdown(X509_LOOKUP *ctx)
         {
-        if (ctx->method == NULL) return(0);
+        if (ctx->method == NULL) return 0;
         if (ctx->method->shutdown != NULL)
-                return(ctx->method->shutdown(ctx));
+                return ctx->method->shutdown(ctx);
         else
-                return(1);
+                return 1;
         }
 
 int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
              char **ret)
         {
-        if (ctx->method == NULL) return(-1);
+        if (ctx->method == NULL) return -1;
         if (ctx->method->ctrl != NULL)
-                return(ctx->method->ctrl(ctx,cmd,argc,argl,ret));
+                return ctx->method->ctrl(ctx,cmd,argc,argl,ret);
         else
-                return(1);
+                return 1;
         }
 
 int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,
              X509_OBJECT *ret)
         {
         if ((ctx->method == NULL) || (ctx->method->get_by_subject == NULL))
-                return(X509_LU_FAIL);
-        if (ctx->skip) return(0);
-        return(ctx->method->get_by_subject(ctx,type,name,ret));
+                return X509_LU_FAIL;
+        if (ctx->skip) return 0;
+        return ctx->method->get_by_subject(ctx,type,name,ret);
         }
 
 int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name,
@@ -135,71 +134,55 @@ int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name,
         {
         if ((ctx->method == NULL) ||
                 (ctx->method->get_by_issuer_serial == NULL))
-                return(X509_LU_FAIL);
-        return(ctx->method->get_by_issuer_serial(ctx,type,name,serial,ret));
+                return X509_LU_FAIL;
+        return ctx->method->get_by_issuer_serial(ctx,type,name,serial,ret);
         }
 
 int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type,
              unsigned char *bytes, int len, X509_OBJECT *ret)
         {
         if ((ctx->method == NULL) || (ctx->method->get_by_fingerprint == NULL))
-                return(X509_LU_FAIL);
-        return(ctx->method->get_by_fingerprint(ctx,type,bytes,len,ret));
+                return X509_LU_FAIL;
+        return ctx->method->get_by_fingerprint(ctx,type,bytes,len,ret);
         }
 
 int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, int len,
              X509_OBJECT *ret)
         {
         if ((ctx->method == NULL) || (ctx->method->get_by_alias == NULL))
-                return(X509_LU_FAIL);
-        return(ctx->method->get_by_alias(ctx,type,str,len,ret));
+                return X509_LU_FAIL;
+        return ctx->method->get_by_alias(ctx,type,str,len,ret);
         }
 
-static unsigned long x509_object_hash(X509_OBJECT *a)
-        {
-        unsigned long h;
-
-        switch (a->type)
-                {
-        case X509_LU_X509:
-                h=X509_NAME_hash(a->data.x509->cert_info->subject);
-                break;
-        case X509_LU_CRL:
-                h=X509_NAME_hash(a->data.crl->crl->issuer);
-                break;
-        default:
-                abort();
-                }
-        return(h);
-        }
-
-static int x509_object_cmp(X509_OBJECT *a, X509_OBJECT *b)
-        {
-        int ret;
-
-        ret=(a->type - b->type);
-        if (ret) return(ret);
-        switch (a->type)
-                {
-        case X509_LU_X509:
-                ret=X509_subject_name_cmp(a->data.x509,b->data.x509);
-                break;
-        case X509_LU_CRL:
-                ret=X509_CRL_cmp(a->data.crl,b->data.crl);
-                break;
+  
+static int x509_object_cmp(const X509_OBJECT * const *a, const X509_OBJECT * const *b)
+        {
+        int ret;
+
+        ret=((*a)->type - (*b)->type);
+        if (ret) return ret;
+        switch ((*a)->type)
+                {
+        case X509_LU_X509:
+                ret=X509_subject_name_cmp((*a)->data.x509,(*b)->data.x509);
+                break;
+        case X509_LU_CRL:
+                ret=X509_CRL_cmp((*a)->data.crl,(*b)->data.crl);
+                break;
         default:
-                abort();
+                /* abort(); */
+                return 0;
                 }
-        return(ret);
+        return ret;
         }
 
 X509_STORE *X509_STORE_new(void)
         {
         X509_STORE *ret;
 
-        if ((ret=(X509_STORE *)Malloc(sizeof(X509_STORE))) == NULL)
-                return(NULL);
-        ret->certs=lh_new(x509_object_hash,x509_object_cmp);
+        if ((ret=(X509_STORE *)OPENSSL_malloc(sizeof(X509_STORE))) == NULL)
+                return NULL;
+        ret->objs = sk_X509_OBJECT_new(x509_object_cmp);
         ret->cache=1;
         ret->get_cert_methods=sk_X509_LOOKUP_new_null();
         ret->verify=NULL;
@@ -207,7 +190,7 @@ X509_STORE *X509_STORE_new(void)
         memset(&ret->ex_data,0,sizeof(CRYPTO_EX_DATA));
         ret->references=1;
         ret->depth=0;
-        return(ret);
+        return ret;
         }
 
 static void cleanup(X509_OBJECT *a)
@@ -221,9 +204,11 @@ static void cleanup(X509_OBJECT *a)
                 X509_CRL_free(a->data.crl);
                 }
         else
-                abort();
+                {
+                /* abort(); */
+                }
 
-        Free(a);
+        OPENSSL_free(a);
         }
 
 void X509_STORE_free(X509_STORE *vfy)
@@ -232,7 +217,7 @@ void X509_STORE_free(X509_STORE *vfy)
         STACK_OF(X509_LOOKUP) *sk;
         X509_LOOKUP *lu;
 
-        if(vfy == NULL)
+        if (vfy == NULL)
             return;
 
         sk=vfy->get_cert_methods;
@@ -243,11 +228,10 @@ void X509_STORE_free(X509_STORE *vfy)
                 X509_LOOKUP_free(lu);
                 }
         sk_X509_LOOKUP_free(sk);
+        sk_X509_OBJECT_pop_free(vfy->objs, cleanup);
 
         CRYPTO_free_ex_data(x509_store_meth,vfy,&vfy->ex_data);
-        lh_doall(vfy->certs,cleanup);
-        lh_free(vfy->certs);
-        Free(vfy);
+        OPENSSL_free(vfy);
         }
 
 X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m)
@@ -262,22 +246,22 @@ X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m)
                 lu=sk_X509_LOOKUP_value(sk,i);
                 if (m == lu->method)
                         {
-                        return(lu);
+                        return lu;
                         }
                 }
         /* a new one */
         lu=X509_LOOKUP_new(m);
         if (lu == NULL)
-                return(NULL);
+                return NULL;
         else
                 {
                 lu->store_ctx=v;
                 if (sk_X509_LOOKUP_push(v->get_cert_methods,lu))
-                        return(lu);
+                        return lu;
                 else
                         {
                         X509_LOOKUP_free(lu);
-                        return(NULL);
+                        return NULL;
                         }
                 }
         }
@@ -290,7 +274,7 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
         X509_OBJECT stmp,*tmp;
         int i,j;
 
-        tmp=X509_OBJECT_retrieve_by_subject(ctx->certs,type,name);
+        tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name);
 
         if (tmp == NULL)
                 {
@@ -301,7 +285,7 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
                         if (j < 0)
                                 {
                                 vs->current_method=j;
-                                return(j);
+                                return j;
                                 }
                         else if (j)
                                 {
@@ -311,7 +295,7 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
                         }
                 vs->current_method=0;
                 if (tmp == NULL)
-                        return(0);
+                        return 0;
                 }
 
 /*      if (ret->data.ptr != NULL)
@@ -322,7 +306,74 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
 
         X509_OBJECT_up_ref_count(ret);
 
-        return(1);
+        return 1;
+        }
+
+int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
+        {
+        X509_OBJECT *obj;
+        int ret=1;
+
+        if (x == NULL) return 0;
+        obj=(X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT));
+        if (obj == NULL)
+                {
+                X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE);
+                return 0;
+                }
+        obj->type=X509_LU_X509;
+        obj->data.x509=x;
+
+        CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+
+        X509_OBJECT_up_ref_count(obj);
+
+
+        if (X509_OBJECT_retrieve_match(ctx->objs, obj))
+                {
+                X509_OBJECT_free_contents(obj);
+                OPENSSL_free(obj);
+                X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE);
+                ret=0;
+                } 
+        else sk_X509_OBJECT_push(ctx->objs, obj);
+
+        CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+
+        return ret;
+        }
+
+int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
+        {
+        X509_OBJECT *obj;
+        int ret=1;
+
+        if (x == NULL) return 0;
+        obj=(X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT));
+        if (obj == NULL)
+                {
+                X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE);
+                return 0;
+                }
+        obj->type=X509_LU_CRL;
+        obj->data.crl=x;
+
+        CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+
+        X509_OBJECT_up_ref_count(obj);
+
+        if (X509_OBJECT_retrieve_match(ctx->objs, obj))
+                {
+                X509_OBJECT_free_contents(obj);
+                OPENSSL_free(obj);
+                X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE);
+                ret=0;
+                }
+        else sk_X509_OBJECT_push(ctx->objs, obj);
+
+        CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+
+        return ret;
         }
 
 void X509_OBJECT_up_ref_count(X509_OBJECT *a)
@@ -351,10 +402,10 @@ void X509_OBJECT_free_contents(X509_OBJECT *a)
                 }
         }
 
-X509_OBJECT *X509_OBJECT_retrieve_by_subject(LHASH *h, int type,
+int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
              X509_NAME *name)
         {
-        X509_OBJECT stmp,*tmp;
+        X509_OBJECT stmp;
         X509 x509_s;
         X509_CINF cinf_s;
         X509_CRL crl_s;
@@ -374,54 +425,105 @@ X509_OBJECT *X509_OBJECT_retrieve_by_subject(LHASH *h, int type,
                 crl_info_s.issuer=name;
                 break;
         default:
-                abort();
+                /* abort(); */
+                return -1;
                 }
 
-        tmp=(X509_OBJECT *)lh_retrieve(h,&stmp);
-        return(tmp);
+        return sk_X509_OBJECT_find(h,&stmp);
         }
 
-X509_STORE_CTX *X509_STORE_CTX_new(void)
+X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type,
+             X509_NAME *name)
 {
-        X509_STORE_CTX *ctx;
-        ctx = (X509_STORE_CTX *)Malloc(sizeof(X509_STORE_CTX));
-        if(ctx) memset(ctx, 0, sizeof(X509_STORE_CTX));
-        return ctx;
+        int idx;
+        idx = X509_OBJECT_idx_by_subject(h, type, name);
+        if (idx==-1) return NULL;
+        return sk_X509_OBJECT_value(h, idx);
 }
 
-void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
+X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x)
 {
-        X509_STORE_CTX_cleanup(ctx);
-        Free(ctx);
+        int idx, i;
+        X509_OBJECT *obj;
+        idx = sk_X509_OBJECT_find(h, x);
+        if (idx == -1) return NULL;
+        if (x->type != X509_LU_X509) return sk_X509_OBJECT_value(h, idx);
+        for (i = idx; i < sk_X509_OBJECT_num(h); i++)
+                {
+                obj = sk_X509_OBJECT_value(h, i);
+                if (x509_object_cmp((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x))
+                        return NULL;
+                if ((x->type != X509_LU_X509) || !X509_cmp(obj->data.x509, x->data.x509))
+                        return obj;
+                }
+        return NULL;
 }
 
-void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
-             STACK_OF(X509) *chain)
-        {
-        ctx->ctx=store;
-        ctx->current_method=0;
-        ctx->cert=x509;
-        ctx->untrusted=chain;
-        ctx->last_untrusted=0;
-        ctx->purpose=0;
-        ctx->trust=0;
-        ctx->valid=0;
-        ctx->chain=NULL;
-        ctx->depth=9;
-        ctx->error=0;
-        ctx->current_cert=NULL;
-        memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA));
-        }
 
-void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
-        {
-        if (ctx->chain != NULL)
+/* Try to get issuer certificate from store. Due to limitations
+ * of the API this can only retrieve a single certificate matching
+ * a given subject name. However it will fill the cache with all
+ * matching certificates, so we can examine the cache for all 
+ * matches.
+ *
+ * Return values are:
+ *  1 lookup successful.
+ *  0 certificate not found.
+ * -1 some other error.
+ */
+
+
+int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
+{
+        X509_NAME *xn;
+        X509_OBJECT obj, *pobj;
+        int i, ok, idx;
+        xn=X509_get_issuer_name(x);
+        ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
+        if (ok != X509_LU_X509)
+                {
+                if (ok == X509_LU_RETRY)
+                        {
+                        X509_OBJECT_free_contents(&obj);
+                        X509err(X509_F_X509_VERIFY_CERT,X509_R_SHOULD_RETRY);
+                        return -1;
+                        }
+                else if (ok != X509_LU_FAIL)
+                        {
+                        X509_OBJECT_free_contents(&obj);
+                        /* not good :-(, break anyway */
+                        return -1;
+                        }
+                return 0;
+                }
+        /* If certificate matches all OK */
+        if (ctx->check_issued(ctx, x, obj.data.x509))
                 {
-                sk_X509_pop_free(ctx->chain,X509_free);
-                ctx->chain=NULL;
+                *issuer = obj.data.x509;
+                return 1;
                 }
-        CRYPTO_free_ex_data(x509_store_ctx_meth,ctx,&(ctx->ex_data));
-        memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
-        }
+        X509_OBJECT_free_contents(&obj);
+        /* Else find index of first matching cert */
+        idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
+        /* This shouldn't normally happen since we already have one match */
+        if (idx == -1) return 0;
+
+        /* Look through all matching certificates for a suitable issuer */
+        for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
+                {
+                pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
+                /* See if we've ran out of matches */
+                if (pobj->type != X509_LU_X509) return 0;
+                if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509))) return 0;
+                if (ctx->check_issued(ctx, x, pobj->data.x509))
+                        {
+                        *issuer = pobj->data.x509;
+                        X509_OBJECT_up_ref_count(pobj);
+                        return 1;
+                        }
+                }
+        return 0;
+}
 
 IMPLEMENT_STACK_OF(X509_LOOKUP)
+IMPLEMENT_STACK_OF(X509_OBJECT)
diff --git a/src/lib/libcrypto/x509/x509_obj.c b/src/lib/libcrypto/x509/x509_obj.c
index 691b71f031..6a3ba8eb15 100644
--- a/src/lib/libcrypto/x509/x509_obj.c
+++ b/src/lib/libcrypto/x509/x509_obj.c
@@ -91,7 +91,7 @@ int i;
             if(b)
                 {
                 buf=b->data;
-                Free(b);
+                OPENSSL_free(b);
                 }
             strncpy(buf,"NO X509_NAME",len);
             return buf;
@@ -210,7 +210,7 @@ int i;
         if (b != NULL)
                 {
                 p=b->data;
-                Free(b);
+                OPENSSL_free(b);
                 }
         else
                 p=buf;
diff --git a/src/lib/libcrypto/x509/x509_req.c b/src/lib/libcrypto/x509/x509_req.c
index baef8790eb..7eca1bd57a 100644
--- a/src/lib/libcrypto/x509/x509_req.c
+++ b/src/lib/libcrypto/x509/x509_req.c
@@ -83,7 +83,7 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
         ri=ret->req_info;
 
         ri->version->length=1;
-        ri->version->data=(unsigned char *)Malloc(1);
+        ri->version->data=(unsigned char *)OPENSSL_malloc(1);
         if (ri->version->data == NULL) goto err;
         ri->version->data[0]=0; /* version == 0 */
 
@@ -188,7 +188,7 @@ int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts,
         /* Generate encoding of extensions */
         len = i2d_ASN1_SET_OF_X509_EXTENSION(exts, NULL, i2d_X509_EXTENSION,
                         V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL, IS_SEQUENCE);
-        if(!(p = Malloc(len))) goto err;
+        if(!(p = OPENSSL_malloc(len))) goto err;
         q = p;
         i2d_ASN1_SET_OF_X509_EXTENSION(exts, &q, i2d_X509_EXTENSION,
                         V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL, IS_SEQUENCE);
@@ -204,7 +204,7 @@ int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts,
         if(!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) goto err;
         return 1;
         err:
-        if(p) Free(p);
+        if(p) OPENSSL_free(p);
         X509_ATTRIBUTE_free(attr);
         ASN1_TYPE_free(at);
         return 0;
diff --git a/src/lib/libcrypto/x509/x509_set.c b/src/lib/libcrypto/x509/x509_set.c
index add842d17a..aaf61ca062 100644
--- a/src/lib/libcrypto/x509/x509_set.c
+++ b/src/lib/libcrypto/x509/x509_set.c
@@ -104,36 +104,36 @@ int X509_set_subject_name(X509 *x, X509_NAME *name)
         return(X509_NAME_set(&x->cert_info->subject,name));
         }
 
-int X509_set_notBefore(X509 *x, ASN1_UTCTIME *tm)
+int X509_set_notBefore(X509 *x, ASN1_TIME *tm)
         {
-        ASN1_UTCTIME *in;
+        ASN1_TIME *in;
 
         if ((x == NULL) || (x->cert_info->validity == NULL)) return(0);
         in=x->cert_info->validity->notBefore;
         if (in != tm)
                 {
-                in=M_ASN1_UTCTIME_dup(tm);
+                in=M_ASN1_TIME_dup(tm);
                 if (in != NULL)
                         {
-                        M_ASN1_UTCTIME_free(x->cert_info->validity->notBefore);
+                        M_ASN1_TIME_free(x->cert_info->validity->notBefore);
                         x->cert_info->validity->notBefore=in;
                         }
                 }
         return(in != NULL);
         }
 
-int X509_set_notAfter(X509 *x, ASN1_UTCTIME *tm)
+int X509_set_notAfter(X509 *x, ASN1_TIME *tm)
         {
-        ASN1_UTCTIME *in;
+        ASN1_TIME *in;
 
         if ((x == NULL) || (x->cert_info->validity == NULL)) return(0);
         in=x->cert_info->validity->notAfter;
         if (in != tm)
                 {
-                in=M_ASN1_UTCTIME_dup(tm);
+                in=M_ASN1_TIME_dup(tm);
                 if (in != NULL)
                         {
-                        M_ASN1_UTCTIME_free(x->cert_info->validity->notAfter);
+                        M_ASN1_TIME_free(x->cert_info->validity->notAfter);
                         x->cert_info->validity->notAfter=in;
                         }
                 }
diff --git a/src/lib/libcrypto/x509/x509_trs.c b/src/lib/libcrypto/x509/x509_trs.c
index c779aaf94d..a7b1543461 100644
--- a/src/lib/libcrypto/x509/x509_trs.c
+++ b/src/lib/libcrypto/x509/x509_trs.c
@@ -61,7 +61,8 @@
 #include <openssl/x509v3.h>
 
 
-static int tr_cmp(X509_TRUST **a, X509_TRUST **b);
+static int tr_cmp(const X509_TRUST * const *a,
+                const X509_TRUST * const *b);
 static void trtable_free(X509_TRUST *p);
 
 static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags);
@@ -88,7 +89,8 @@ IMPLEMENT_STACK_OF(X509_TRUST)
 
 static STACK_OF(X509_TRUST) *trtable = NULL;
 
-static int tr_cmp(X509_TRUST **a, X509_TRUST **b)
+static int tr_cmp(const X509_TRUST * const *a,
+                const X509_TRUST * const *b)
 {
         return (*a)->trust - (*b)->trust;
 }
@@ -152,15 +154,15 @@ int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
         idx = X509_TRUST_get_by_id(id);
         /* Need a new entry */
         if(idx == -1) {
-                if(!(trtmp = Malloc(sizeof(X509_TRUST)))) {
+                if(!(trtmp = OPENSSL_malloc(sizeof(X509_TRUST)))) {
                         X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
                         return 0;
                 }
                 trtmp->flags = X509_TRUST_DYNAMIC;
         } else trtmp = X509_TRUST_get0(idx);
 
-        /* Free existing name if dynamic */
-        if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) Free(trtmp->name);
+        /* OPENSSL_free existing name if dynamic */
+        if(trtmp->flags & X509_TRUST_DYNAMIC_NAME) OPENSSL_free(trtmp->name);
         /* dup supplied name */
         if(!(trtmp->name = BUF_strdup(name))) {
                 X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE);
@@ -196,8 +198,8 @@ static void trtable_free(X509_TRUST *p)
         if (p->flags & X509_TRUST_DYNAMIC) 
                 {
                 if (p->flags & X509_TRUST_DYNAMIC_NAME)
-                        Free(p->name);
-                Free(p);
+                        OPENSSL_free(p->name);
+                OPENSSL_free(p);
                 }
         }
 
diff --git a/src/lib/libcrypto/x509/x509_txt.c b/src/lib/libcrypto/x509/x509_txt.c
index 209cf53191..cfb478d4bc 100644
--- a/src/lib/libcrypto/x509/x509_txt.c
+++ b/src/lib/libcrypto/x509/x509_txt.c
@@ -132,6 +132,15 @@ const char *X509_verify_cert_error_string(long n)
                 return ("certificate rejected");
         case X509_V_ERR_APPLICATION_VERIFICATION:
                 return("application verification failure");
+        case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
+                return("subject issuer mismatch");
+        case X509_V_ERR_AKID_SKID_MISMATCH:
+                return("authority and subject key identifier mismatch");
+        case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
+                return("authority and issuer serial number mismatch");
+        case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
+                return("key usage does not include certificate signing");
+
         default:
                 sprintf(buf,"error number %ld",n);
                 return(buf);
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 3ddb2303d3..0f4110cc64 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -71,6 +71,8 @@
 #include <openssl/objects.h>
 
 static int null_callback(int ok,X509_STORE_CTX *e);
+static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
+static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
 static int check_chain_purpose(X509_STORE_CTX *ctx);
 static int check_trust(X509_STORE_CTX *ctx);
 static int internal_verify(X509_STORE_CTX *ctx);
@@ -85,13 +87,13 @@ static STACK *x509_store_method=NULL;
 
 static int null_callback(int ok, X509_STORE_CTX *e)
         {
-        return(ok);
+        return ok;
         }
 
 #if 0
 static int x509_subject_cmp(X509 **a, X509 **b)
         {
-        return(X509_subject_name_cmp(*a,*b));
+        return X509_subject_name_cmp(*a,*b);
         }
 #endif
 
@@ -99,7 +101,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
         {
         X509 *x,*xtmp,*chain_ss=NULL;
         X509_NAME *xn;
-        X509_OBJECT obj;
         int depth,i,ok=0;
         int num;
         int (*cb)();
@@ -108,10 +109,10 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
         if (ctx->cert == NULL)
                 {
                 X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
-                return(-1);
+                return -1;
                 }
 
-        cb=ctx->ctx->verify_cb;
+        cb=ctx->verify_cb;
         if (cb == NULL) cb=null_callback;
 
         /* first we make sure the chain we are going to build is
@@ -152,13 +153,12 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 
                 /* If we are self signed, we break */
                 xn=X509_get_issuer_name(x);
-                if (X509_NAME_cmp(X509_get_subject_name(x),xn) == 0)
-                        break;
+                if (ctx->check_issued(ctx, x,x)) break;
 
                 /* If we were passed a cert chain, use it first */
                 if (ctx->untrusted != NULL)
                         {
-                        xtmp=X509_find_by_subject(sktmp,xn);
+                        xtmp=find_issuer(ctx, sktmp,x);
                         if (xtmp != NULL)
                                 {
                                 if (!sk_X509_push(ctx->chain,xtmp))
@@ -183,11 +183,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
          * certificates.  We now need to add at least one trusted one,
          * if possible, otherwise we complain. */
 
+        /* Examine last certificate in chain and see if it
+         * is self signed.
+         */
+
         i=sk_X509_num(ctx->chain);
         x=sk_X509_value(ctx->chain,i-1);
         xn = X509_get_subject_name(x);
-        if (X509_NAME_cmp(xn,X509_get_issuer_name(x))
-                == 0)
+        if (ctx->check_issued(ctx, x, x))
                 {
                 /* we have a self signed certificate */
                 if (sk_X509_num(ctx->chain) == 1)
@@ -196,13 +199,13 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
                          * we can find it in the store. We must have an exact
                          * match to avoid possible impersonation.
                          */
-                        ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
-                        if ((ok != X509_LU_X509) || X509_cmp(x, obj.data.x509)) 
+                        ok = ctx->get_issuer(&xtmp, ctx, x);
+                        if ((ok <= 0) || X509_cmp(x, xtmp)) 
                                 {
                                 ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
                                 ctx->current_cert=x;
                                 ctx->error_depth=i-1;
-                                if(ok == X509_LU_X509) X509_OBJECT_free_contents(&obj);
+                                if (ok == 1) X509_free(xtmp);
                                 ok=cb(0,ctx);
                                 if (!ok) goto end;
                                 }
@@ -212,14 +215,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
                                  * so we get any trust settings.
                                  */
                                 X509_free(x);
-                                x = obj.data.x509;
+                                x = xtmp;
                                 sk_X509_set(ctx->chain, i - 1, x);
                                 ctx->last_untrusted=0;
                                 }
                         }
                 else
                         {
-                        /* worry more about this one elsewhere */
+                        /* extract and save self signed certificate for later use */
                         chain_ss=sk_X509_pop(ctx->chain);
                         ctx->last_untrusted--;
                         num--;
@@ -235,41 +238,30 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 
                 /* If we are self signed, we break */
                 xn=X509_get_issuer_name(x);
-                if (X509_NAME_cmp(X509_get_subject_name(x),xn) == 0)
-                        break;
+                if (ctx->check_issued(ctx,x,x)) break;
 
-                ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
-                if (ok != X509_LU_X509)
-                        {
-                        if (ok == X509_LU_RETRY)
-                                {
-                                X509_OBJECT_free_contents(&obj);
-                                X509err(X509_F_X509_VERIFY_CERT,X509_R_SHOULD_RETRY);
-                                return(ok);
-                                }
-                        else if (ok != X509_LU_FAIL)
-                                {
-                                X509_OBJECT_free_contents(&obj);
-                                /* not good :-(, break anyway */
-                                return(ok);
-                                }
-                        break;
-                        }
-                x=obj.data.x509;
-                if (!sk_X509_push(ctx->chain,obj.data.x509))
+                ok = ctx->get_issuer(&xtmp, ctx, x);
+
+                if (ok < 0) return ok;
+                if (ok == 0) break;
+
+                x = xtmp;
+                if (!sk_X509_push(ctx->chain,x))
                         {
-                        X509_OBJECT_free_contents(&obj);
+                        X509_free(xtmp);
                         X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
-                        return(0);
+                        return 0;
                         }
                 num++;
                 }
 
         /* we now have our chain, lets check it... */
         xn=X509_get_issuer_name(x);
-        if (X509_NAME_cmp(X509_get_subject_name(x),xn) != 0)
+
+        /* Is last certificate looked up self signed? */
+        if (!ctx->check_issued(ctx,x,x))
                 {
-                if ((chain_ss == NULL) || (X509_NAME_cmp(X509_get_subject_name(chain_ss),xn) != 0))
+                if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss))
                         {
                         if (ctx->last_untrusted >= num)
                                 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
@@ -294,22 +286,22 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
                 }
 
         /* We have the chain complete: now we need to check its purpose */
-        if(ctx->purpose > 0) ok = check_chain_purpose(ctx);
+        if (ctx->purpose > 0) ok = check_chain_purpose(ctx);
 
-        if(!ok) goto end;
+        if (!ok) goto end;
 
         /* The chain extensions are OK: check trust */
 
-        if(ctx->trust > 0) ok = check_trust(ctx);
+        if (ctx->trust > 0) ok = check_trust(ctx);
 
-        if(!ok) goto end;
+        if (!ok) goto end;
 
         /* We may as well copy down any DSA parameters that are required */
         X509_get_pubkey_parameters(NULL,ctx->chain);
 
         /* At this point, we have a chain and just need to verify it */
-        if (ctx->ctx->verify != NULL)
-                ok=ctx->ctx->verify(ctx);
+        if (ctx->verify != NULL)
+                ok=ctx->verify(ctx);
         else
                 ok=internal_verify(ctx);
         if (0)
@@ -319,9 +311,61 @@ end:
                 }
         if (sktmp != NULL) sk_X509_free(sktmp);
         if (chain_ss != NULL) X509_free(chain_ss);
-        return(ok);
+        return ok;
         }
 
+
+/* Given a STACK_OF(X509) find the issuer of cert (if any)
+ */
+
+static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
+{
+        int i;
+        X509 *issuer;
+        for (i = 0; i < sk_X509_num(sk); i++)
+                {
+                issuer = sk_X509_value(sk, i);
+                if (ctx->check_issued(ctx, x, issuer))
+                        return issuer;
+                }
+        return NULL;
+}
+
+/* Given a possible certificate and issuer check them */
+
+static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
+{
+        int ret;
+        ret = X509_check_issued(issuer, x);
+        if (ret == X509_V_OK)
+                return 1;
+        /* If we haven't asked for issuer errors don't set ctx */
+        if (!(ctx->flags & X509_V_FLAG_CB_ISSUER_CHECK))
+                return 0;
+
+        ctx->error = ret;
+        ctx->current_cert = x;
+        ctx->current_issuer = issuer;
+        if (ctx->verify_cb)
+                return ctx->verify_cb(0, ctx);
+        return 0;
+}
+
+/* Alternative lookup method: look from a STACK stored in other_ctx */
+
+static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
+{
+        *issuer = find_issuer(ctx, ctx->other_ctx, x);
+        if (*issuer)
+                {
+                CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509);
+                return 1;
+                }
+        else
+                return 0;
+}
+        
+
 /* Check a certificate chains extensions for consistency
  * with the supplied purpose
  */
@@ -334,32 +378,37 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
         int i, ok=0;
         X509 *x;
         int (*cb)();
-        cb=ctx->ctx->verify_cb;
+        cb=ctx->verify_cb;
         if (cb == NULL) cb=null_callback;
         /* Check all untrusted certificates */
-        for(i = 0; i < ctx->last_untrusted; i++) {
+        for (i = 0; i < ctx->last_untrusted; i++)
+                {
                 x = sk_X509_value(ctx->chain, i);
-                if(!X509_check_purpose(x, ctx->purpose, i)) {
-                        if(i) ctx->error = X509_V_ERR_INVALID_CA;
-                        else ctx->error = X509_V_ERR_INVALID_PURPOSE;
+                if (!X509_check_purpose(x, ctx->purpose, i))
+                        {
+                        if (i)
+                                ctx->error = X509_V_ERR_INVALID_CA;
+                        else
+                                ctx->error = X509_V_ERR_INVALID_PURPOSE;
                         ctx->error_depth = i;
                         ctx->current_cert = x;
                         ok=cb(0,ctx);
-                        if(!ok) goto end;
-                }
+                        if (!ok) goto end;
+                        }
                 /* Check pathlen */
-                if((i > 1) && (x->ex_pathlen != -1)
-                                        && (i > (x->ex_pathlen + 1))) {
+                if ((i > 1) && (x->ex_pathlen != -1)
+                           && (i > (x->ex_pathlen + 1)))
+                        {
                         ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
                         ctx->error_depth = i;
                         ctx->current_cert = x;
                         ok=cb(0,ctx);
-                        if(!ok) goto end;
+                        if (!ok) goto end;
+                        }
                 }
-        }
         ok = 1;
-        end:
-        return(ok);
+ end:
+        return ok;
 #endif
 }
 
@@ -371,19 +420,22 @@ static int check_trust(X509_STORE_CTX *ctx)
         int i, ok;
         X509 *x;
         int (*cb)();
-        cb=ctx->ctx->verify_cb;
+        cb=ctx->verify_cb;
         if (cb == NULL) cb=null_callback;
 /* For now just check the last certificate in the chain */
         i = sk_X509_num(ctx->chain) - 1;
         x = sk_X509_value(ctx->chain, i);
         ok = X509_check_trust(x, ctx->trust, 0);
-        if(ok == X509_TRUST_TRUSTED) return 1;
+        if (ok == X509_TRUST_TRUSTED)
+                return 1;
         ctx->error_depth = sk_X509_num(ctx->chain) - 1;
         ctx->current_cert = x;
-        if(ok == X509_TRUST_REJECTED) ctx->error = X509_V_ERR_CERT_REJECTED;
-        else ctx->error = X509_V_ERR_CERT_UNTRUSTED;
+        if (ok == X509_TRUST_REJECTED)
+                ctx->error = X509_V_ERR_CERT_REJECTED;
+        else
+                ctx->error = X509_V_ERR_CERT_UNTRUSTED;
         ok = cb(0, ctx);
-        return(ok);
+        return ok;
 #endif
 }
 
@@ -392,17 +444,21 @@ static int internal_verify(X509_STORE_CTX *ctx)
         int i,ok=0,n;
         X509 *xs,*xi;
         EVP_PKEY *pkey=NULL;
+        time_t *ptime;
         int (*cb)();
 
-        cb=ctx->ctx->verify_cb;
+        cb=ctx->verify_cb;
         if (cb == NULL) cb=null_callback;
 
         n=sk_X509_num(ctx->chain);
         ctx->error_depth=n-1;
         n--;
         xi=sk_X509_value(ctx->chain,n);
-        if (X509_NAME_cmp(X509_get_subject_name(xi),
-                X509_get_issuer_name(xi)) == 0)
+        if (ctx->flags & X509_V_FLAG_USE_CHECK_TIME)
+                ptime = &ctx->check_time;
+        else
+                ptime = NULL;
+        if (ctx->check_issued(ctx, xi, xi))
                 xs=xi;
         else
                 {
@@ -448,7 +504,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
                         EVP_PKEY_free(pkey);
                         pkey=NULL;
 
-                        i=X509_cmp_current_time(X509_get_notBefore(xs));
+                        i=X509_cmp_time(X509_get_notBefore(xs), ptime);
                         if (i == 0)
                                 {
                                 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
@@ -466,7 +522,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
                         xs->valid=1;
                         }
 
-                i=X509_cmp_current_time(X509_get_notAfter(xs));
+                i=X509_cmp_time(X509_get_notAfter(xs), ptime);
                 if (i == 0)
                         {
                         ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
@@ -499,13 +555,18 @@ static int internal_verify(X509_STORE_CTX *ctx)
                 }
         ok=1;
 end:
-        return(ok);
+        return ok;
         }
 
-int X509_cmp_current_time(ASN1_UTCTIME *ctm)
+int X509_cmp_current_time(ASN1_TIME *ctm)
+{
+        return X509_cmp_time(ctm, NULL);
+}
+
+int X509_cmp_time(ASN1_TIME *ctm, time_t *cmp_time)
         {
         char *str;
-        ASN1_UTCTIME atm;
+        ASN1_TIME atm;
         time_t offset;
         char buff1[24],buff2[24],*p;
         int i,j;
@@ -513,14 +574,35 @@ int X509_cmp_current_time(ASN1_UTCTIME *ctm)
         p=buff1;
         i=ctm->length;
         str=(char *)ctm->data;
-        if ((i < 11) || (i > 17)) return(0);
-        memcpy(p,str,10);
-        p+=10;
-        str+=10;
+        if (ctm->type == V_ASN1_UTCTIME)
+                {
+                if ((i < 11) || (i > 17)) return 0;
+                memcpy(p,str,10);
+                p+=10;
+                str+=10;
+                }
+        else
+                {
+                if (i < 13) return 0;
+                memcpy(p,str,12);
+                p+=12;
+                str+=12;
+                }
 
         if ((*str == 'Z') || (*str == '-') || (*str == '+'))
                 { *(p++)='0'; *(p++)='0'; }
-        else    { *(p++)= *(str++); *(p++)= *(str++); }
+        else
+                { 
+                *(p++)= *(str++);
+                *(p++)= *(str++);
+                /* Skip any fractional seconds... */
+                if (*str == '.')
+                        {
+                        str++;
+                        while ((*str >= '0') && (*str <= '9')) str++;
+                        }
+                
+                }
         *(p++)='Z';
         *(p++)='\0';
 
@@ -529,39 +611,51 @@ int X509_cmp_current_time(ASN1_UTCTIME *ctm)
         else
                 {
                 if ((*str != '+') && (str[5] != '-'))
-                        return(0);
+                        return 0;
                 offset=((str[1]-'0')*10+(str[2]-'0'))*60;
                 offset+=(str[3]-'0')*10+(str[4]-'0');
                 if (*str == '-')
                         offset= -offset;
                 }
-        atm.type=V_ASN1_UTCTIME;
+        atm.type=ctm->type;
         atm.length=sizeof(buff2);
         atm.data=(unsigned char *)buff2;
 
-        X509_gmtime_adj(&atm,-offset*60);
+        X509_time_adj(&atm,-offset*60, cmp_time);
 
-        i=(buff1[0]-'0')*10+(buff1[1]-'0');
-        if (i < 50) i+=100; /* cf. RFC 2459 */
-        j=(buff2[0]-'0')*10+(buff2[1]-'0');
-        if (j < 50) j+=100;
+        if (ctm->type == V_ASN1_UTCTIME)
+                {
+                i=(buff1[0]-'0')*10+(buff1[1]-'0');
+                if (i < 50) i+=100; /* cf. RFC 2459 */
+                j=(buff2[0]-'0')*10+(buff2[1]-'0');
+                if (j < 50) j+=100;
 
-        if (i < j) return (-1);
-        if (i > j) return (1);
+                if (i < j) return -1;
+                if (i > j) return 1;
+                }
         i=strcmp(buff1,buff2);
         if (i == 0) /* wait a second then return younger :-) */
-                return(-1);
+                return -1;
         else
-                return(i);
+                return i;
         }
 
-ASN1_UTCTIME *X509_gmtime_adj(ASN1_UTCTIME *s, long adj)
+ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
+{
+        return X509_time_adj(s, adj, NULL);
+}
+
+ASN1_TIME *X509_time_adj(ASN1_TIME *s, long adj, time_t *in_tm)
         {
         time_t t;
 
-        time(&t);
+        if (in_tm) t = *in_tm;
+        else time(&t);
+
         t+=adj;
-        return(ASN1_UTCTIME_set(s,t));
+        if (!s) return ASN1_TIME_set(s, t);
+        if (s->type == V_ASN1_UTCTIME) return ASN1_UTCTIME_set(s,t);
+        return ASN1_GENERALIZEDTIME_set(s, t);
         }
 
 int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
@@ -569,7 +663,7 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
         EVP_PKEY *ktmp=NULL,*ktmp2;
         int i,j;
 
-        if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return(1);
+        if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1;
 
         for (i=0; i<sk_X509_num(chain); i++)
                 {
@@ -577,7 +671,7 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
                 if (ktmp == NULL)
                         {
                         X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
-                        return(0);
+                        return 0;
                         }
                 if (!EVP_PKEY_missing_parameters(ktmp))
                         break;
@@ -590,7 +684,7 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
         if (ktmp == NULL)
                 {
                 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
-                return(0);
+                return 0;
                 }
 
         /* first, populate the other certs */
@@ -603,101 +697,31 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
         
         if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp);
         EVP_PKEY_free(ktmp);
-        return(1);
-        }
-
-int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
-        {
-        X509_OBJECT *obj,*r;
-        int ret=1;
-
-        if (x == NULL) return(0);
-        obj=(X509_OBJECT *)Malloc(sizeof(X509_OBJECT));
-        if (obj == NULL)
-                {
-                X509err(X509_F_X509_STORE_ADD_CERT,ERR_R_MALLOC_FAILURE);
-                return(0);
-                }
-        obj->type=X509_LU_X509;
-        obj->data.x509=x;
-
-        CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
-
-        X509_OBJECT_up_ref_count(obj);
-
-        r=(X509_OBJECT *)lh_insert(ctx->certs,obj);
-        if (r != NULL)
-                { /* oops, put it back */
-                lh_delete(ctx->certs,obj);
-                X509_OBJECT_free_contents(obj);
-                Free(obj);
-                lh_insert(ctx->certs,r);
-                X509err(X509_F_X509_STORE_ADD_CERT,X509_R_CERT_ALREADY_IN_HASH_TABLE);
-                ret=0;
-                }
-
-        CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
-
-        return(ret);    
-        }
-
-int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
-        {
-        X509_OBJECT *obj,*r;
-        int ret=1;
-
-        if (x == NULL) return(0);
-        obj=(X509_OBJECT *)Malloc(sizeof(X509_OBJECT));
-        if (obj == NULL)
-                {
-                X509err(X509_F_X509_STORE_ADD_CRL,ERR_R_MALLOC_FAILURE);
-                return(0);
-                }
-        obj->type=X509_LU_CRL;
-        obj->data.crl=x;
-
-        CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
-
-        X509_OBJECT_up_ref_count(obj);
-
-        r=(X509_OBJECT *)lh_insert(ctx->certs,obj);
-        if (r != NULL)
-                { /* oops, put it back */
-                lh_delete(ctx->certs,obj);
-                X509_OBJECT_free_contents(obj);
-                Free(obj);
-                lh_insert(ctx->certs,r);
-                X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE);
-                ret=0;
-                }
-
-        CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
-
-        return(ret);    
+        return 1;
         }
 
 int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
              CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
         {
         x509_store_ctx_num++;
-        return(CRYPTO_get_ex_new_index(x509_store_ctx_num-1,
+        return CRYPTO_get_ex_new_index(x509_store_ctx_num-1,
                 &x509_store_ctx_method,
-                argl,argp,new_func,dup_func,free_func));
+                argl,argp,new_func,dup_func,free_func);
         }
 
 int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
         {
-        return(CRYPTO_set_ex_data(&ctx->ex_data,idx,data));
+        return CRYPTO_set_ex_data(&ctx->ex_data,idx,data);
         }
 
 void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
         {
-        return(CRYPTO_get_ex_data(&ctx->ex_data,idx));
+        return CRYPTO_get_ex_data(&ctx->ex_data,idx);
         }
 
 int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
         {
-        return(ctx->error);
+        return ctx->error;
         }
 
 void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
@@ -707,17 +731,17 @@ void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
 
 int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
         {
-        return(ctx->error_depth);
+        return ctx->error_depth;
         }
 
 X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
         {
-        return(ctx->current_cert);
+        return ctx->current_cert;
         }
 
 STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
         {
-        return(ctx->chain);
+        return ctx->chain;
         }
 
 STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
@@ -725,12 +749,13 @@ STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
         int i;
         X509 *x;
         STACK_OF(X509) *chain;
-        if(!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL;
-        for(i = 0; i < sk_X509_num(chain); i++) {
+        if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL;
+        for (i = 0; i < sk_X509_num(chain); i++)
+                {
                 x = sk_X509_value(chain, i);
                 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
-        }
-        return(chain);
+                }
+        return chain;
         }
 
 void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
@@ -768,43 +793,123 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
 {
         int idx;
         /* If purpose not set use default */
-        if(!purpose) purpose = def_purpose;
+        if (!purpose) purpose = def_purpose;
         /* If we have a purpose then check it is valid */
-        if(purpose) {
+        if (purpose)
+                {
                 X509_PURPOSE *ptmp;
                 idx = X509_PURPOSE_get_by_id(purpose);
-                if(idx == -1) {
+                if (idx == -1)
+                        {
                         X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
                                                 X509_R_UNKNOWN_PURPOSE_ID);
                         return 0;
-                }
+                        }
                 ptmp = X509_PURPOSE_get0(idx);
-                if(ptmp->trust == X509_TRUST_DEFAULT) {
+                if (ptmp->trust == X509_TRUST_DEFAULT)
+                        {
                         idx = X509_PURPOSE_get_by_id(def_purpose);
-                        if(idx == -1) {
+                        if (idx == -1)
+                                {
                                 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
                                                 X509_R_UNKNOWN_PURPOSE_ID);
                                 return 0;
-                        }
+                                }
                         ptmp = X509_PURPOSE_get0(idx);
-                }
+                        }
                 /* If trust not set then get from purpose default */
-                if(!trust) trust = ptmp->trust;
-        }
-        if(trust) {
+                if (!trust) trust = ptmp->trust;
+                }
+        if (trust)
+                {
                 idx = X509_TRUST_get_by_id(trust);
-                if(idx == -1) {
+                if (idx == -1)
+                        {
                         X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
                                                 X509_R_UNKNOWN_TRUST_ID);
                         return 0;
+                        }
                 }
-        }
 
-        if(purpose) ctx->purpose = purpose;
-        if(trust) ctx->trust = trust;
+        if (purpose) ctx->purpose = purpose;
+        if (trust) ctx->trust = trust;
         return 1;
 }
 
+X509_STORE_CTX *X509_STORE_CTX_new(void)
+{
+        X509_STORE_CTX *ctx;
+        ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX));
+        if (ctx) memset(ctx, 0, sizeof(X509_STORE_CTX));
+        return ctx;
+}
+
+void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
+{
+        X509_STORE_CTX_cleanup(ctx);
+        OPENSSL_free(ctx);
+}
+
+void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
+             STACK_OF(X509) *chain)
+        {
+        ctx->ctx=store;
+        ctx->current_method=0;
+        ctx->cert=x509;
+        ctx->untrusted=chain;
+        ctx->last_untrusted=0;
+        ctx->purpose=0;
+        ctx->trust=0;
+        ctx->check_time=0;
+        ctx->flags=0;
+        ctx->other_ctx=NULL;
+        ctx->valid=0;
+        ctx->chain=NULL;
+        ctx->depth=9;
+        ctx->error=0;
+        ctx->error_depth=0;
+        ctx->current_cert=NULL;
+        ctx->current_issuer=NULL;
+        ctx->check_issued = check_issued;
+        ctx->get_issuer = X509_STORE_CTX_get1_issuer;
+        ctx->verify_cb = store->verify_cb;
+        ctx->verify = store->verify;
+        ctx->cleanup = 0;
+        memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA));
+        }
+
+/* Set alternative lookup method: just a STACK of trusted certificates.
+ * This avoids X509_STORE nastiness where it isn't needed.
+ */
+
+void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
+{
+        ctx->other_ctx = sk;
+        ctx->get_issuer = get_issuer_sk;
+}
+
+void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
+        {
+        if (ctx->cleanup) ctx->cleanup(ctx);
+        if (ctx->chain != NULL)
+                {
+                sk_X509_pop_free(ctx->chain,X509_free);
+                ctx->chain=NULL;
+                }
+        CRYPTO_free_ex_data(x509_store_ctx_method,ctx,&(ctx->ex_data));
+        memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
+        }
+
+void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, long flags)
+        {
+        ctx->flags |= flags;
+        }
+
+void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, long flags, time_t t)
+        {
+        ctx->check_time = t;
+        ctx->flags |= X509_V_FLAG_USE_CHECK_TIME;
+        }
 
 IMPLEMENT_STACK_OF(X509)
 IMPLEMENT_ASN1_SET_OF(X509)
diff --git a/src/lib/libcrypto/x509/x509_vfy.h b/src/lib/libcrypto/x509/x509_vfy.h
index 4637aecedf..e289d5309a 100644
--- a/src/lib/libcrypto/x509/x509_vfy.h
+++ b/src/lib/libcrypto/x509/x509_vfy.h
@@ -65,13 +65,16 @@
 #ifndef HEADER_X509_VFY_H
 #define HEADER_X509_VFY_H
 
-#ifdef  __cplusplus
-extern "C" {
+#ifndef NO_LHASH
+#include <openssl/lhash.h>
 #endif
-
 #include <openssl/bio.h>
 #include <openssl/crypto.h>
 
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
 /* Outer object */
 typedef struct x509_hash_dir_st
         {
@@ -128,6 +131,7 @@ typedef struct x509_object_st
 typedef struct x509_lookup_st X509_LOOKUP;
 
 DECLARE_STACK_OF(X509_LOOKUP)
+DECLARE_STACK_OF(X509_OBJECT)
 
 /* This is a static that defines the function interface */
 typedef struct x509_lookup_method_st
@@ -150,7 +154,7 @@ typedef struct x509_lookup_method_st
                             X509_OBJECT *ret);
         } X509_LOOKUP_METHOD;
 
-typedef struct x509_store_state_st X509_STORE_CTX;
+typedef struct x509_store_ctx_st X509_STORE_CTX;
 
 /* This is used to hold everything.  It is used for all certificate
  * validation.  Once we have a certificate chain, the 'verify'
@@ -159,11 +163,7 @@ typedef struct x509_store_st
         {
         /* The following is a cache of trusted certs */
         int cache;      /* if true, stash any hits */
-#ifdef HEADER_LHASH_H
-        LHASH *certs;   /* cached certs; */ 
-#else
-        char *certs;
-#endif
+        STACK_OF(X509_OBJECT) *objs;    /* Cache of all objects */
 
         /* These are external lookup methods */
         STACK_OF(X509_LOOKUP) *get_cert_methods;
@@ -191,10 +191,10 @@ struct x509_lookup_st
         X509_STORE *store_ctx;  /* who owns us */
         };
 
-/* This is a temporary used when processing cert chains.  Since the
+/* This is a used when verifying cert chains.  Since the
  * gathering of the cert chain can take some time (and have to be
  * 'retried', this needs to be kept and passed around. */
-struct x509_store_state_st      /* X509_STORE_CTX */
+struct x509_store_ctx_st      /* X509_STORE_CTX */
         {
         X509_STORE *ctx;
         int current_method;     /* used when looking up certs */
@@ -204,6 +204,16 @@ struct x509_store_state_st      /* X509_STORE_CTX */
         STACK_OF(X509) *untrusted;      /* chain of X509s - untrusted - passed in */
         int purpose;            /* purpose to check untrusted certificates */
         int trust;              /* trust setting to check */
+        time_t  check_time;     /* time to make verify at */
+        unsigned long flags;    /* Various verify flags */
+        void *other_ctx;        /* Other info for use with get_issuer() */
+
+        /* Callbacks for various operations */
+        int (*verify)(X509_STORE_CTX *ctx);     /* called to verify a certificate */
+        int (*verify_cb)(int ok,X509_STORE_CTX *ctx);           /* error callback */
+        int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */
+        int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
+        int (*cleanup)(X509_STORE_CTX *ctx);
 
         /* The following is built up */
         int depth;              /* how far to go looking up certs */
@@ -215,6 +225,7 @@ struct x509_store_state_st      /* X509_STORE_CTX */
         int error_depth;
         int error;
         X509 *current_cert;
+        X509 *current_issuer;   /* cert currently being tested as valid issuer */
 
         CRYPTO_EX_DATA ex_data;
         };
@@ -265,10 +276,20 @@ struct x509_store_state_st      /* X509_STORE_CTX */
 #define         X509_V_ERR_INVALID_PURPOSE                      26
 #define         X509_V_ERR_CERT_UNTRUSTED                       27
 #define         X509_V_ERR_CERT_REJECTED                        28
+/* These are 'informational' when looking for issuer cert */
+#define         X509_V_ERR_SUBJECT_ISSUER_MISMATCH              29
+#define         X509_V_ERR_AKID_SKID_MISMATCH                   30
+#define         X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH          31
+#define         X509_V_ERR_KEYUSAGE_NO_CERTSIGN                 32
 
 /* The application is not happy */
 #define         X509_V_ERR_APPLICATION_VERIFICATION             50
 
+/* Certificate verify flags */
+
+#define X509_V_FLAG_CB_ISSUER_CHECK             0x1     /* Send issuer+subject checks to verify_cb */
+#define X509_V_FLAG_USE_CHECK_TIME              0x2     /* Use check time instead of current time */
+
                   /* These functions are being redefined in another directory,
                      and clash when the linker is case-insensitive, so let's
                      hide them a little, by giving them an extra 'o' at the
@@ -284,18 +305,23 @@ struct x509_store_state_st      /* X509_STORE_CTX */
 #define X509v3_add_standard_extensions oX509v3_add_standard_extensions
 #endif
 
-#ifdef HEADER_LHASH_H
-X509_OBJECT *X509_OBJECT_retrieve_by_subject(LHASH *h,int type,X509_NAME *name);
-#endif
+int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
+             X509_NAME *name);
+X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h,int type,X509_NAME *name);
+X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x);
 void X509_OBJECT_up_ref_count(X509_OBJECT *a);
 void X509_OBJECT_free_contents(X509_OBJECT *a);
 X509_STORE *X509_STORE_new(void );
 void X509_STORE_free(X509_STORE *v);
 
 X509_STORE_CTX *X509_STORE_CTX_new(void);
+
+int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
+
 void X509_STORE_CTX_free(X509_STORE_CTX *ctx);
 void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
                          X509 *x509, STACK_OF(X509) *chain);
+void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
 void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
 
 X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m);
@@ -354,6 +380,8 @@ int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
 int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust);
 int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
                                 int purpose, int trust);
+void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, long flags);
+void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, long flags, time_t t);
 
 #ifdef  __cplusplus
 }
diff --git a/src/lib/libcrypto/x509/x509spki.c b/src/lib/libcrypto/x509/x509spki.c
index b35c3f92e7..fd0a534d88 100644
--- a/src/lib/libcrypto/x509/x509spki.c
+++ b/src/lib/libcrypto/x509/x509spki.c
@@ -82,7 +82,7 @@ NETSCAPE_SPKI * NETSCAPE_SPKI_b64_decode(const char *str, int len)
         int spki_len;
         NETSCAPE_SPKI *spki;
         if(len <= 0) len = strlen(str);
-        if (!(spki_der = Malloc(len + 1))) {
+        if (!(spki_der = OPENSSL_malloc(len + 1))) {
                 X509err(X509_F_NETSCAPE_SPKI_B64_DECODE, ERR_R_MALLOC_FAILURE);
                 return NULL;
         }
@@ -90,12 +90,12 @@ NETSCAPE_SPKI * NETSCAPE_SPKI_b64_decode(const char *str, int len)
         if(spki_len < 0) {
                 X509err(X509_F_NETSCAPE_SPKI_B64_DECODE,
                                                 X509_R_BASE64_DECODE_ERROR);
-                Free(spki_der);
+                OPENSSL_free(spki_der);
                 return NULL;
         }
         p = spki_der;
         spki = d2i_NETSCAPE_SPKI(NULL, &p, spki_len);
-        Free(spki_der);
+        OPENSSL_free(spki_der);
         return spki;
 }
 
@@ -107,8 +107,8 @@ char * NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki)
         char *b64_str;
         int der_len;
         der_len = i2d_NETSCAPE_SPKI(spki, NULL);
-        der_spki = Malloc(der_len);
-        b64_str = Malloc(der_len * 2);
+        der_spki = OPENSSL_malloc(der_len);
+        b64_str = OPENSSL_malloc(der_len * 2);
         if(!der_spki || !b64_str) {
                 X509err(X509_F_NETSCAPE_SPKI_B64_ENCODE, ERR_R_MALLOC_FAILURE);
                 return NULL;
@@ -116,6 +116,6 @@ char * NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki)
         p = der_spki;
         i2d_NETSCAPE_SPKI(spki, &p);
         EVP_EncodeBlock((unsigned char *)b64_str, der_spki, der_len);
-        Free(der_spki);
+        OPENSSL_free(der_spki);
         return b64_str;
 }
diff --git a/src/lib/libcrypto/x509/x_all.c b/src/lib/libcrypto/x509/x_all.c
index d2bf3c8e1c..9bd6e2a39b 100644
--- a/src/lib/libcrypto/x509/x_all.c
+++ b/src/lib/libcrypto/x509/x_all.c
@@ -411,13 +411,25 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne)
                 (char *(*)())d2i_X509_NAME_ENTRY,(char *)ne));
         }
 
-int X509_digest(X509 *data, const EVP_MD *type, unsigned char *md,
+int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
              unsigned int *len)
         {
         return(ASN1_digest((int (*)())i2d_X509,type,(char *)data,md,len));
         }
 
-int X509_NAME_digest(X509_NAME *data, const EVP_MD *type, unsigned char *md,
+int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type, unsigned char *md,
+             unsigned int *len)
+        {
+        return(ASN1_digest((int (*)())i2d_X509_CRL,type,(char *)data,md,len));
+        }
+
+int X509_REQ_digest(const X509_REQ *data, const EVP_MD *type, unsigned char *md,
+             unsigned int *len)
+        {
+        return(ASN1_digest((int (*)())i2d_X509_REQ,type,(char *)data,md,len));
+        }
+
+int X509_NAME_digest(const X509_NAME *data, const EVP_MD *type, unsigned char *md,
              unsigned int *len)
         {
         return(ASN1_digest((int (*)())i2d_X509_NAME,type,(char *)data,md,len));
@@ -492,6 +504,17 @@ EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a)
                 (char *(*)())d2i_AutoPrivateKey, (fp),(unsigned char **)(a)));
 }
 
+int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey)
+        {
+        return(ASN1_i2d_fp(i2d_PUBKEY,fp,(unsigned char *)pkey));
+        }
+
+EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a)
+{
+        return((EVP_PKEY *)ASN1_d2i_fp((char *(*)())EVP_PKEY_new,
+                (char *(*)())d2i_PUBKEY, (fp),(unsigned char **)(a)));
+}
+
 #endif
 
 PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
@@ -529,3 +552,14 @@ EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a)
         return((EVP_PKEY *)ASN1_d2i_bio((char *(*)())EVP_PKEY_new,
                 (char *(*)())d2i_AutoPrivateKey, (bp),(unsigned char **)(a)));
         }
+
+int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey)
+        {
+        return(ASN1_i2d_bio(i2d_PUBKEY,bp,(unsigned char *)pkey));
+        }
+
+EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a)
+        {
+        return((EVP_PKEY *)ASN1_d2i_bio((char *(*)())EVP_PKEY_new,
+                (char *(*)())d2i_PUBKEY, (bp),(unsigned char **)(a)));
+        }