24 files changed, 3967 insertions, 1380 deletions

diff --git a/src/lib/libcrypto/x509v3/Makefile b/src/lib/libcrypto/x509v3/Makefile
new file mode 100644
index 0000000000..556ef351bf
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/Makefile
@@ -0,0 +1,591 @@
+#
+# OpenSSL/crypto/x509v3/Makefile
+#
+
+DIR=    x509v3
+TOP=    ../..
+CC=     cc
+INCLUDES= -I.. -I$(TOP) -I../../include
+CFLAG=-g
+MAKEFILE=       Makefile
+AR=             ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile README
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c v3_lib.c \
+v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c v3_pku.c \
+v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \
+v3_ocsp.c v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c v3_pcia.c v3_pci.c \
+pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c \
+v3_asid.c v3_addr.c
+LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \
+v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \
+v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o v3_purp.o v3_info.o \
+v3_ocsp.o v3_akeya.o v3_pmaps.o v3_pcons.o v3_ncons.o v3_pcia.o v3_pci.o \
+pcy_cache.o pcy_node.o pcy_data.o pcy_map.o pcy_tree.o pcy_lib.o \
+v3_asid.o v3_addr.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= x509v3.h
+HEADER= $(EXHEADER) pcy_int.h
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+        (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:    lib
+
+lib:    $(LIBOBJ)
+        $(AR) $(LIB) $(LIBOBJ)
+        $(RANLIB) $(LIB) || echo Never mind.
+        @touch lib
+
+files:
+        $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+
+links:
+        @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+        @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+        @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+        @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+        @headerlist="$(EXHEADER)"; for i in $$headerlist ; \
+        do  \
+        (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+        chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+        done;
+
+tags:
+        ctags $(SRC)
+
+tests:
+
+lint:
+        lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+        @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
+
+dclean:
+        $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+        mv -f Makefile.new $(MAKEFILE)
+
+clean:
+        rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+pcy_cache.o: ../../e_os.h ../../include/openssl/asn1.h
+pcy_cache.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+pcy_cache.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+pcy_cache.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+pcy_cache.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+pcy_cache.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pcy_cache.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+pcy_cache.o: ../../include/openssl/objects.h
+pcy_cache.o: ../../include/openssl/opensslconf.h
+pcy_cache.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+pcy_cache.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+pcy_cache.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pcy_cache.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pcy_cache.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+pcy_cache.o: ../cryptlib.h pcy_cache.c pcy_int.h
+pcy_data.o: ../../e_os.h ../../include/openssl/asn1.h
+pcy_data.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+pcy_data.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+pcy_data.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+pcy_data.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+pcy_data.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pcy_data.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+pcy_data.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pcy_data.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+pcy_data.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+pcy_data.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pcy_data.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pcy_data.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+pcy_data.o: ../cryptlib.h pcy_data.c pcy_int.h
+pcy_lib.o: ../../e_os.h ../../include/openssl/asn1.h
+pcy_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+pcy_lib.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+pcy_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+pcy_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+pcy_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pcy_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+pcy_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pcy_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+pcy_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+pcy_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pcy_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pcy_lib.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+pcy_lib.o: ../cryptlib.h pcy_int.h pcy_lib.c
+pcy_map.o: ../../e_os.h ../../include/openssl/asn1.h
+pcy_map.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+pcy_map.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+pcy_map.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+pcy_map.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+pcy_map.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pcy_map.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+pcy_map.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pcy_map.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+pcy_map.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+pcy_map.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pcy_map.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pcy_map.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+pcy_map.o: ../cryptlib.h pcy_int.h pcy_map.c
+pcy_node.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+pcy_node.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+pcy_node.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+pcy_node.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+pcy_node.o: ../../include/openssl/ecdsa.h ../../include/openssl/evp.h
+pcy_node.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+pcy_node.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pcy_node.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+pcy_node.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+pcy_node.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pcy_node.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pcy_node.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+pcy_node.o: pcy_int.h pcy_node.c
+pcy_tree.o: ../../e_os.h ../../include/openssl/asn1.h
+pcy_tree.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+pcy_tree.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+pcy_tree.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+pcy_tree.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+pcy_tree.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pcy_tree.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+pcy_tree.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pcy_tree.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+pcy_tree.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+pcy_tree.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pcy_tree.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pcy_tree.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+pcy_tree.o: ../cryptlib.h pcy_int.h pcy_tree.c
+v3_addr.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_addr.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_addr.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_addr.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_addr.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_addr.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_addr.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_addr.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_addr.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_addr.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_addr.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_addr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_addr.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_addr.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_addr.c
+v3_akey.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_akey.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_akey.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_akey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_akey.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_akey.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_akey.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_akey.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_akey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_akey.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_akey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_akey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_akey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_akey.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_akey.c
+v3_akeya.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_akeya.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_akeya.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_akeya.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_akeya.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_akeya.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_akeya.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_akeya.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_akeya.o: ../../include/openssl/opensslconf.h
+v3_akeya.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_akeya.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+v3_akeya.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_akeya.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_akeya.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_akeya.o: ../cryptlib.h v3_akeya.c
+v3_alt.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_alt.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_alt.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_alt.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_alt.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_alt.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_alt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_alt.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_alt.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_alt.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_alt.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_alt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_alt.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_alt.c
+v3_asid.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_asid.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_asid.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_asid.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_asid.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+v3_asid.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+v3_asid.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_asid.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+v3_asid.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_asid.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_asid.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+v3_asid.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_asid.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_asid.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_asid.o: ../cryptlib.h v3_asid.c
+v3_bcons.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_bcons.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_bcons.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_bcons.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_bcons.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_bcons.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_bcons.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_bcons.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_bcons.o: ../../include/openssl/opensslconf.h
+v3_bcons.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_bcons.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+v3_bcons.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_bcons.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_bcons.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_bcons.o: ../cryptlib.h v3_bcons.c
+v3_bitst.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_bitst.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+v3_bitst.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_bitst.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+v3_bitst.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+v3_bitst.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_bitst.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+v3_bitst.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_bitst.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_bitst.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+v3_bitst.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_bitst.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_bitst.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_bitst.o: ../cryptlib.h v3_bitst.c
+v3_conf.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_conf.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+v3_conf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_conf.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+v3_conf.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+v3_conf.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_conf.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+v3_conf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_conf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_conf.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+v3_conf.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_conf.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_conf.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_conf.o: ../cryptlib.h v3_conf.c
+v3_cpols.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_cpols.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_cpols.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_cpols.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_cpols.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_cpols.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_cpols.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_cpols.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_cpols.o: ../../include/openssl/opensslconf.h
+v3_cpols.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_cpols.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+v3_cpols.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_cpols.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_cpols.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_cpols.o: ../cryptlib.h pcy_int.h v3_cpols.c
+v3_crld.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_crld.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_crld.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_crld.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_crld.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_crld.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_crld.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_crld.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_crld.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_crld.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_crld.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_crld.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_crld.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_crld.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_crld.c
+v3_enum.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_enum.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+v3_enum.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_enum.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+v3_enum.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+v3_enum.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_enum.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+v3_enum.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_enum.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_enum.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+v3_enum.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_enum.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_enum.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_enum.o: ../cryptlib.h v3_enum.c
+v3_extku.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_extku.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_extku.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_extku.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_extku.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_extku.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_extku.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_extku.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_extku.o: ../../include/openssl/opensslconf.h
+v3_extku.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_extku.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+v3_extku.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_extku.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_extku.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_extku.o: ../cryptlib.h v3_extku.c
+v3_genn.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_genn.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_genn.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_genn.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_genn.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_genn.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_genn.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_genn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_genn.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_genn.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_genn.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_genn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_genn.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_genn.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_genn.c
+v3_ia5.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_ia5.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_ia5.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_ia5.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_ia5.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_ia5.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_ia5.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_ia5.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_ia5.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_ia5.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_ia5.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_ia5.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_ia5.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_ia5.c
+v3_info.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_info.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_info.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_info.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_info.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_info.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_info.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_info.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_info.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_info.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_info.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_info.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_info.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_info.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_info.c
+v3_int.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_int.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_int.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_int.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_int.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_int.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_int.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_int.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_int.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_int.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_int.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_int.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_int.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_int.c
+v3_lib.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_lib.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_lib.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_lib.o: ../../include/openssl/x509v3.h ../cryptlib.h ext_dat.h v3_lib.c
+v3_ncons.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_ncons.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_ncons.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_ncons.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_ncons.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_ncons.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_ncons.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_ncons.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_ncons.o: ../../include/openssl/opensslconf.h
+v3_ncons.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_ncons.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+v3_ncons.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_ncons.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_ncons.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_ncons.o: ../cryptlib.h v3_ncons.c
+v3_ocsp.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_ocsp.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+v3_ocsp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_ocsp.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+v3_ocsp.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+v3_ocsp.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_ocsp.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+v3_ocsp.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h
+v3_ocsp.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_ocsp.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_ocsp.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_ocsp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_ocsp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_ocsp.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_ocsp.c
+v3_pci.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_pci.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_pci.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_pci.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_pci.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_pci.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_pci.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_pci.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_pci.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_pci.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_pci.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_pci.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_pci.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_pci.c
+v3_pcia.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+v3_pcia.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+v3_pcia.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_pcia.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+v3_pcia.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+v3_pcia.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_pcia.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_pcia.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_pcia.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_pcia.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_pcia.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_pcia.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_pcia.o: ../../include/openssl/x509v3.h v3_pcia.c
+v3_pcons.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_pcons.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_pcons.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_pcons.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_pcons.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_pcons.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_pcons.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_pcons.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_pcons.o: ../../include/openssl/opensslconf.h
+v3_pcons.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_pcons.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+v3_pcons.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_pcons.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_pcons.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_pcons.o: ../cryptlib.h v3_pcons.c
+v3_pku.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_pku.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_pku.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_pku.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_pku.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_pku.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_pku.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_pku.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_pku.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_pku.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_pku.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_pku.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_pku.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_pku.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_pku.c
+v3_pmaps.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_pmaps.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_pmaps.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_pmaps.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_pmaps.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_pmaps.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_pmaps.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_pmaps.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_pmaps.o: ../../include/openssl/opensslconf.h
+v3_pmaps.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_pmaps.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+v3_pmaps.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_pmaps.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_pmaps.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_pmaps.o: ../cryptlib.h v3_pmaps.c
+v3_prn.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_prn.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_prn.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_prn.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_prn.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_prn.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_prn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_prn.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_prn.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_prn.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_prn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_prn.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_prn.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_prn.c
+v3_purp.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_purp.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+v3_purp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_purp.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+v3_purp.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+v3_purp.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_purp.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+v3_purp.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_purp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_purp.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+v3_purp.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_purp.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_purp.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_purp.o: ../cryptlib.h v3_purp.c
+v3_skey.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_skey.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+v3_skey.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+v3_skey.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+v3_skey.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_skey.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+v3_skey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_skey.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+v3_skey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_skey.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_skey.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_skey.o: ../cryptlib.h v3_skey.c
+v3_sxnet.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_sxnet.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_sxnet.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_sxnet.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_sxnet.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_sxnet.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_sxnet.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_sxnet.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_sxnet.o: ../../include/openssl/opensslconf.h
+v3_sxnet.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_sxnet.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+v3_sxnet.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_sxnet.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_sxnet.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_sxnet.o: ../cryptlib.h v3_sxnet.c
+v3_utl.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_utl.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_utl.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_utl.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+v3_utl.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+v3_utl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_utl.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+v3_utl.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_utl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_utl.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+v3_utl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_utl.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_utl.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_utl.o: ../cryptlib.h v3_utl.c
+v3err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3err.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3err.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3err.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3err.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3err.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3err.o: ../../include/openssl/x509v3.h v3err.c
diff --git a/src/lib/libcrypto/x509v3/Makefile.ssl b/src/lib/libcrypto/x509v3/Makefile.ssl
new file mode 100644
index 0000000000..66df90c346
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/Makefile.ssl
@@ -0,0 +1,603 @@
+#
+# SSLeay/crypto/x509v3/Makefile
+#
+
+DIR=    x509v3
+TOP=    ../..
+CC=     cc
+INCLUDES= -I.. -I$(TOP) -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=           make -f Makefile.ssl
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
+MAKEFILE=       Makefile.ssl
+AR=             ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile README
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c v3_lib.c \
+v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c v3_pku.c \
+v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \
+v3_ocsp.c v3_akeya.c
+LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \
+v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \
+v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o v3_purp.o v3_info.o \
+v3_ocsp.o v3_akeya.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= x509v3.h
+HEADER= $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+        (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:    lib
+
+lib:    $(LIBOBJ)
+        $(AR) $(LIB) $(LIBOBJ)
+        $(RANLIB) $(LIB) || echo Never mind.
+        @touch lib
+
+files:
+        $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+        @sh $(TOP)/util/point.sh Makefile.ssl Makefile
+        @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+        @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+        @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+        @for i in $(EXHEADER) ; \
+        do  \
+        (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+        chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+        done;
+
+tags:
+        ctags $(SRC)
+
+tests:
+
+lint:
+        lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+        $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
+
+dclean:
+        $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+        mv -f Makefile.new $(MAKEFILE)
+
+clean:
+        rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+v3_akey.o: ../../e_os.h ../../include/openssl/aes.h
+v3_akey.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+v3_akey.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_akey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_akey.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_akey.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_akey.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+v3_akey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+v3_akey.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_akey.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_akey.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+v3_akey.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_akey.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_akey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_akey.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_akey.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_akey.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_akey.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_akey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_akey.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+v3_akey.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+v3_akey.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_akey.o: ../cryptlib.h v3_akey.c
+v3_akeya.o: ../../e_os.h ../../include/openssl/aes.h
+v3_akeya.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+v3_akeya.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_akeya.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_akeya.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_akeya.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_akeya.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+v3_akeya.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+v3_akeya.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_akeya.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_akeya.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+v3_akeya.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_akeya.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_akeya.o: ../../include/openssl/opensslconf.h
+v3_akeya.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_akeya.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_akeya.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_akeya.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_akeya.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_akeya.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_akeya.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+v3_akeya.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_akeya.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_akeya.c
+v3_alt.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
+v3_alt.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_alt.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_alt.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_alt.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_alt.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+v3_alt.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+v3_alt.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_alt.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_alt.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+v3_alt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_alt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_alt.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_alt.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_alt.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_alt.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_alt.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_alt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_alt.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+v3_alt.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+v3_alt.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_alt.o: ../cryptlib.h v3_alt.c
+v3_bcons.o: ../../e_os.h ../../include/openssl/aes.h
+v3_bcons.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+v3_bcons.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_bcons.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_bcons.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_bcons.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_bcons.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+v3_bcons.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+v3_bcons.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_bcons.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_bcons.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+v3_bcons.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_bcons.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_bcons.o: ../../include/openssl/opensslconf.h
+v3_bcons.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_bcons.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_bcons.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_bcons.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_bcons.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_bcons.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_bcons.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+v3_bcons.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_bcons.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_bcons.c
+v3_bitst.o: ../../e_os.h ../../include/openssl/aes.h
+v3_bitst.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_bitst.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_bitst.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_bitst.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_bitst.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+v3_bitst.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_bitst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_bitst.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_bitst.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_bitst.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+v3_bitst.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+v3_bitst.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_bitst.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_bitst.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_bitst.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_bitst.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_bitst.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_bitst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_bitst.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+v3_bitst.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_bitst.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_bitst.c
+v3_conf.o: ../../e_os.h ../../include/openssl/aes.h
+v3_conf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_conf.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_conf.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_conf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_conf.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+v3_conf.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_conf.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_conf.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_conf.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_conf.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+v3_conf.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+v3_conf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_conf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_conf.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_conf.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_conf.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_conf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_conf.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_conf.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+v3_conf.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_conf.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_conf.c
+v3_cpols.o: ../../e_os.h ../../include/openssl/aes.h
+v3_cpols.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+v3_cpols.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_cpols.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_cpols.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_cpols.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_cpols.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+v3_cpols.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+v3_cpols.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_cpols.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_cpols.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+v3_cpols.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_cpols.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_cpols.o: ../../include/openssl/opensslconf.h
+v3_cpols.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_cpols.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_cpols.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_cpols.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_cpols.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_cpols.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_cpols.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+v3_cpols.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_cpols.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_cpols.c
+v3_crld.o: ../../e_os.h ../../include/openssl/aes.h
+v3_crld.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+v3_crld.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_crld.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_crld.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_crld.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_crld.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+v3_crld.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+v3_crld.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_crld.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_crld.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+v3_crld.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_crld.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_crld.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_crld.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_crld.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_crld.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_crld.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_crld.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_crld.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+v3_crld.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+v3_crld.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_crld.o: ../cryptlib.h v3_crld.c
+v3_enum.o: ../../e_os.h ../../include/openssl/aes.h
+v3_enum.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_enum.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_enum.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_enum.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_enum.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+v3_enum.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_enum.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_enum.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_enum.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_enum.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+v3_enum.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+v3_enum.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_enum.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_enum.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_enum.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_enum.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_enum.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_enum.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_enum.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+v3_enum.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_enum.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_enum.c
+v3_extku.o: ../../e_os.h ../../include/openssl/aes.h
+v3_extku.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+v3_extku.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_extku.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_extku.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_extku.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_extku.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+v3_extku.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+v3_extku.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_extku.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_extku.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+v3_extku.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_extku.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_extku.o: ../../include/openssl/opensslconf.h
+v3_extku.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_extku.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_extku.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_extku.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_extku.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_extku.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_extku.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+v3_extku.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_extku.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_extku.c
+v3_genn.o: ../../e_os.h ../../include/openssl/aes.h
+v3_genn.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+v3_genn.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_genn.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_genn.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_genn.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_genn.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+v3_genn.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+v3_genn.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_genn.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_genn.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+v3_genn.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_genn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_genn.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_genn.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_genn.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_genn.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_genn.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_genn.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_genn.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+v3_genn.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+v3_genn.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_genn.o: ../cryptlib.h v3_genn.c
+v3_ia5.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
+v3_ia5.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_ia5.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_ia5.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_ia5.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_ia5.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+v3_ia5.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+v3_ia5.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_ia5.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_ia5.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+v3_ia5.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_ia5.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_ia5.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_ia5.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_ia5.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_ia5.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_ia5.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_ia5.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_ia5.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+v3_ia5.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+v3_ia5.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_ia5.o: ../cryptlib.h v3_ia5.c
+v3_info.o: ../../e_os.h ../../include/openssl/aes.h
+v3_info.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+v3_info.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_info.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_info.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_info.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_info.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+v3_info.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+v3_info.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_info.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_info.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+v3_info.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_info.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_info.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_info.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_info.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_info.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_info.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_info.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_info.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+v3_info.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+v3_info.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_info.o: ../cryptlib.h v3_info.c
+v3_int.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
+v3_int.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_int.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_int.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_int.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_int.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+v3_int.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+v3_int.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_int.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_int.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+v3_int.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_int.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_int.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_int.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_int.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_int.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_int.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_int.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_int.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+v3_int.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+v3_int.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_int.o: ../cryptlib.h v3_int.c
+v3_lib.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
+v3_lib.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_lib.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_lib.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+v3_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+v3_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_lib.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_lib.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+v3_lib.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+v3_lib.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+v3_lib.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_lib.o: ../cryptlib.h ext_dat.h v3_lib.c
+v3_ocsp.o: ../../e_os.h ../../include/openssl/aes.h
+v3_ocsp.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_ocsp.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_ocsp.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_ocsp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_ocsp.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+v3_ocsp.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_ocsp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_ocsp.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_ocsp.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_ocsp.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+v3_ocsp.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+v3_ocsp.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h
+v3_ocsp.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_ocsp.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_ocsp.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_ocsp.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_ocsp.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_ocsp.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_ocsp.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+v3_ocsp.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+v3_ocsp.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_ocsp.o: ../cryptlib.h v3_ocsp.c
+v3_pku.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
+v3_pku.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_pku.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_pku.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_pku.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_pku.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+v3_pku.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_pku.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_pku.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_pku.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_pku.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+v3_pku.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+v3_pku.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_pku.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_pku.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_pku.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_pku.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_pku.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_pku.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_pku.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+v3_pku.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_pku.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_pku.c
+v3_prn.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
+v3_prn.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_prn.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_prn.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_prn.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_prn.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+v3_prn.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+v3_prn.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_prn.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_prn.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+v3_prn.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_prn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_prn.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_prn.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_prn.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_prn.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_prn.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_prn.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_prn.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+v3_prn.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+v3_prn.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_prn.o: ../cryptlib.h v3_prn.c
+v3_purp.o: ../../e_os.h ../../include/openssl/aes.h
+v3_purp.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_purp.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_purp.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_purp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_purp.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+v3_purp.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_purp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_purp.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_purp.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_purp.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+v3_purp.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+v3_purp.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_purp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_purp.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_purp.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_purp.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_purp.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_purp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_purp.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+v3_purp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_purp.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_purp.c
+v3_skey.o: ../../e_os.h ../../include/openssl/aes.h
+v3_skey.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_skey.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+v3_skey.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_skey.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_skey.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+v3_skey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_skey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+v3_skey.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+v3_skey.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+v3_skey.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+v3_skey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_skey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_skey.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_skey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_skey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_skey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_skey.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+v3_skey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_skey.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_skey.c
+v3_sxnet.o: ../../e_os.h ../../include/openssl/aes.h
+v3_sxnet.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+v3_sxnet.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_sxnet.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_sxnet.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_sxnet.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_sxnet.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+v3_sxnet.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+v3_sxnet.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_sxnet.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_sxnet.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+v3_sxnet.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_sxnet.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_sxnet.o: ../../include/openssl/opensslconf.h
+v3_sxnet.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_sxnet.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+v3_sxnet.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+v3_sxnet.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_sxnet.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_sxnet.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_sxnet.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+v3_sxnet.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_sxnet.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_sxnet.c
+v3_utl.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
+v3_utl.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_utl.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_utl.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3_utl.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_utl.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+v3_utl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+v3_utl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_utl.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3_utl.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+v3_utl.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_utl.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_utl.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_utl.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_utl.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3_utl.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_utl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_utl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_utl.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+v3_utl.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+v3_utl.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_utl.o: ../cryptlib.h v3_utl.c
+v3err.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
+v3err.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3err.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3err.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+v3err.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3err.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+v3err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+v3err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3err.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+v3err.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+v3err.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3err.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3err.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+v3err.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3err.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+v3err.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+v3err.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3err.o: v3err.c
diff --git a/src/lib/libcrypto/x509v3/ext_dat.h b/src/lib/libcrypto/x509v3/ext_dat.h
index 76daee6fcd..3eaec46f8a 100644
--- a/src/lib/libcrypto/x509v3/ext_dat.h
+++ b/src/lib/libcrypto/x509v3/ext_dat.h
@@ -61,19 +61,21 @@ extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
 extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo;
 extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
 extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
-extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl;
+extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld;
 extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
 extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
 extern X509V3_EXT_METHOD v3_crl_hold, v3_pci;
 extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
-extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
+extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp;
+#ifndef OPENSSL_NO_RFC3779
 extern X509V3_EXT_METHOD v3_addr, v3_asid;
+#endif
 
 /* This table will be searched using OBJ_bsearch so it *must* kept in
  * order of the ext_nid values.
  */
 
-static const X509V3_EXT_METHOD *standard_exts[] = {
+static X509V3_EXT_METHOD *standard_exts[] = {
 &v3_nscert,
 &v3_ns_ia5_list[0],
 &v3_ns_ia5_list[1],
@@ -120,10 +122,7 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
 &v3_pci,
 &v3_name_constraints,
 &v3_policy_mappings,
-&v3_inhibit_anyp,
-&v3_idp,
-&v3_alt[2],
-&v3_freshest_crl,
+&v3_inhibit_anyp
 };
 
 /* Number of standard extensions */
diff --git a/src/lib/libcrypto/x509v3/pcy_data.c b/src/lib/libcrypto/x509v3/pcy_data.c
index 3444b03195..fb392b901f 100644
--- a/src/lib/libcrypto/x509v3/pcy_data.c
+++ b/src/lib/libcrypto/x509v3/pcy_data.c
@@ -82,21 +82,17 @@ void policy_data_free(X509_POLICY_DATA *data)
  * another source.
  */
 
-X509_POLICY_DATA *policy_data_new(POLICYINFO *policy,
-                                        const ASN1_OBJECT *cid, int crit)
+X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit)
         {
         X509_POLICY_DATA *ret;
-        ASN1_OBJECT *id;
-        if (!policy && !cid)
+        if (!policy && !id)
                 return NULL;
-        if (cid)
+        if (id)
                 {
-                id = OBJ_dup(cid);
+                id = OBJ_dup(id);
                 if (!id)
                         return NULL;
                 }
-        else
-                id = NULL;
         ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA));
         if (!ret)
                 return NULL;
diff --git a/src/lib/libcrypto/x509v3/pcy_tree.c b/src/lib/libcrypto/x509v3/pcy_tree.c
index 92f6b24556..6c87a7f506 100644
--- a/src/lib/libcrypto/x509v3/pcy_tree.c
+++ b/src/lib/libcrypto/x509v3/pcy_tree.c
@@ -62,75 +62,6 @@
 
 #include "pcy_int.h"
 
-/* Enable this to print out the complete policy tree at various point during
- * evaluation.
- */
-
-/*#define OPENSSL_POLICY_DEBUG*/
-
-#ifdef OPENSSL_POLICY_DEBUG
-
-static void expected_print(BIO *err, X509_POLICY_LEVEL *lev,
-                                X509_POLICY_NODE *node, int indent)
-        {
-        if (        (lev->flags & X509_V_FLAG_INHIBIT_MAP)
-                || !(node->data->flags & POLICY_DATA_FLAG_MAP_MASK))
-                BIO_puts(err, "  Not Mapped\n");
-        else
-                {
-                int i;
-                STACK_OF(ASN1_OBJECT) *pset = node->data->expected_policy_set;
-                ASN1_OBJECT *oid;
-                BIO_puts(err, "  Expected: ");
-                for (i = 0; i < sk_ASN1_OBJECT_num(pset); i++)
-                        {
-                        oid = sk_ASN1_OBJECT_value(pset, i);
-                        if (i)
-                                BIO_puts(err, ", ");
-                        i2a_ASN1_OBJECT(err, oid);
-                        }
-                BIO_puts(err, "\n");
-                }
-        }
-
-static void tree_print(char *str, X509_POLICY_TREE *tree,
-                        X509_POLICY_LEVEL *curr)
-        {
-        X509_POLICY_LEVEL *plev;
-        X509_POLICY_NODE *node;
-        int i;
-        BIO *err;
-        err = BIO_new_fp(stderr, BIO_NOCLOSE);
-        if (!curr)
-                curr = tree->levels + tree->nlevel;
-        else
-                curr++;
-        BIO_printf(err, "Level print after %s\n", str);
-        BIO_printf(err, "Printing Up to Level %ld\n", curr - tree->levels);
-        for (plev = tree->levels; plev != curr; plev++)
-                {
-                BIO_printf(err, "Level %ld, flags = %x\n",
-                                plev - tree->levels, plev->flags);
-                for (i = 0; i < sk_X509_POLICY_NODE_num(plev->nodes); i++)
-                        {
-                        node = sk_X509_POLICY_NODE_value(plev->nodes, i);
-                        X509_POLICY_NODE_print(err, node, 2);
-                        expected_print(err, plev, node, 2);
-                        BIO_printf(err, "  Flags: %x\n", node->data->flags);
-                        }
-                if (plev->anyPolicy)
-                        X509_POLICY_NODE_print(err, plev->anyPolicy, 2);
-                }
-
-        BIO_free(err);
-
-        }
-#else
-
-#define tree_print(a,b,c) /* */
-
-#endif
-
 /* Initialize policy tree. Return values:
  *  0 Some internal error occured.
  * -1 Inconsistent or invalid extensions in certificates.
@@ -156,10 +87,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
         *ptree = NULL;
         n = sk_X509_num(certs);
 
-#if 0
         /* Disable policy mapping for now... */
         flags |= X509_V_FLAG_INHIBIT_MAP;
-#endif
 
         if (flags & X509_V_FLAG_EXPLICIT_POLICY)
                 explicit_policy = 0;
@@ -231,7 +160,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
         tree->auth_policies = NULL;
         tree->user_policies = NULL;
 
-        if (!tree->levels)
+        if (!tree)
                 {
                 OPENSSL_free(tree);
                 return 0;
@@ -255,6 +184,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                 level++;
                 x = sk_X509_value(certs, i);
                 cache = policy_cache_set(x);
+
                 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
                 level->cert = x;
 
@@ -283,13 +213,13 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                         level->flags |= X509_V_FLAG_INHIBIT_MAP;
                 else
                         {
-                        if (!(x->ex_flags & EXFLAG_SI))
-                                map_skip--;
+                        map_skip--;
                         if ((cache->map_skip >= 0)
                                 && (cache->map_skip < map_skip))
                                 map_skip = cache->map_skip;
                         }
 
+
                 }
 
         *ptree = tree;
@@ -307,32 +237,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
 
         }
 
-static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
-                                const X509_POLICY_DATA *data)
-        {
-        X509_POLICY_LEVEL *last = curr - 1;
-        X509_POLICY_NODE *node;
-        int i, matched = 0;
-        /* Iterate through all in nodes linking matches */
-        for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++)
-                {
-                node = sk_X509_POLICY_NODE_value(last->nodes, i);
-                if (policy_node_match(last, node, data->valid_policy))
-                        {
-                        if (!level_add_node(curr, data, node, NULL))
-                                return 0;
-                        matched = 1;
-                        }
-                }
-        if (!matched && last->anyPolicy)
-                {
-                if (!level_add_node(curr, data, last->anyPolicy, NULL))
-                        return 0;
-                }
-        return 1;
-        }
-
-/* This corresponds to RFC3280 6.1.3(d)(1):
+/* This corresponds to RFC3280 XXXX XXXXX:
  * link any data from CertificatePolicies onto matching parent
  * or anyPolicy if no match.
  */
@@ -343,6 +248,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
         int i;
         X509_POLICY_LEVEL *last;
         X509_POLICY_DATA *data;
+        X509_POLICY_NODE *parent;
         last = curr - 1;
         for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++)
                 {
@@ -355,109 +261,40 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
                  * link because then it will have the mapping flags
                  * right and we can prune it later.
                  */
-#if 0
                 if ((data->flags & POLICY_DATA_FLAG_MAPPED_ANY)
                         && !(curr->flags & X509_V_FLAG_INHIBIT_ANY))
                         continue;
-#endif
-                /* Look for matching nodes in previous level */
-                if (!tree_link_matching_nodes(curr, data))
+                /* Look for matching node in parent */
+                parent = level_find_node(last, data->valid_policy);
+                /* If no match link to anyPolicy */
+                if (!parent)
+                        parent = last->anyPolicy;
+                if (parent && !level_add_node(curr, data, parent, NULL))
                                 return 0;
                 }
         return 1;
         }
 
-/* This corresponds to RFC3280 6.1.3(d)(2):
+/* This corresponds to RFC3280 XXXX XXXXX:
  * Create new data for any unmatched policies in the parent and link
  * to anyPolicy.
  */
 
-static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
-                        const X509_POLICY_CACHE *cache,
-                        const ASN1_OBJECT *id,
-                        X509_POLICY_NODE *node,
-                        X509_POLICY_TREE *tree)
-        {
-        X509_POLICY_DATA *data;
-        if (id == NULL)
-                id = node->data->valid_policy;
-        /* Create a new node with qualifiers from anyPolicy and
-         * id from unmatched node.
-         */
-        data = policy_data_new(NULL, id, node_critical(node));
-
-        if (data == NULL)
-                return 0;
-        /* Curr may not have anyPolicy */
-        data->qualifier_set = cache->anyPolicy->qualifier_set;
-        data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
-        if (!level_add_node(curr, data, node, tree))
-                {
-                policy_data_free(data);
-                return 0;
-                }
-
-        return 1;
-        }
-
-static int tree_link_unmatched(X509_POLICY_LEVEL *curr,
-                        const X509_POLICY_CACHE *cache,
-                        X509_POLICY_NODE *node,
-                        X509_POLICY_TREE *tree)
-        {
-        const X509_POLICY_LEVEL *last = curr - 1;
-        int i;
-
-        if (        (last->flags & X509_V_FLAG_INHIBIT_MAP)
-                || !(node->data->flags & POLICY_DATA_FLAG_MAPPED))
-                {
-                /* If no policy mapping: matched if one child present */
-                if (node->nchild)
-                        return 1;
-                if (!tree_add_unmatched(curr, cache, NULL, node, tree))
-                        return 0;
-                /* Add it */
-                }
-        else
-                {
-                /* If mapping: matched if one child per expected policy set */
-                STACK_OF(ASN1_OBJECT) *expset = node->data->expected_policy_set;
-                if (node->nchild == sk_ASN1_OBJECT_num(expset))
-                        return 1;
-                /* Locate unmatched nodes */
-                for (i = 0; i < sk_ASN1_OBJECT_num(expset); i++)
-                        {
-                        ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(expset, i);
-                        if (level_find_node(curr, node, oid))
-                                continue;
-                        if (!tree_add_unmatched(curr, cache, oid, node, tree))
-                                return 0;
-                        }
-
-                }
-
-        return 1;
-
-        }
-
 static int tree_link_any(X509_POLICY_LEVEL *curr,
                         const X509_POLICY_CACHE *cache,
                         X509_POLICY_TREE *tree)
         {
         int i;
-        /*X509_POLICY_DATA *data;*/
+        X509_POLICY_DATA *data;
         X509_POLICY_NODE *node;
-        X509_POLICY_LEVEL *last = curr - 1;
+        X509_POLICY_LEVEL *last;
+
+        last = curr - 1;
 
         for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++)
                 {
                 node = sk_X509_POLICY_NODE_value(last->nodes, i);
 
-                if (!tree_link_unmatched(curr, cache, node, tree))
-                        return 0;
-
-#if 0
-
                 /* Skip any node with any children: we only want unmathced
                  * nodes.
                  *
@@ -466,7 +303,6 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
                  */
                 if (node->nchild)
                         continue;
-
                 /* Create a new node with qualifiers from anyPolicy and
                  * id from unmatched node.
                  */
@@ -483,9 +319,6 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
                         policy_data_free(data);
                         return 0;
                         }
-
-#endif
-
                 }
         /* Finally add link to anyPolicy */
         if (last->anyPolicy)
@@ -504,36 +337,30 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
 
 static int tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
         {
-        STACK_OF(X509_POLICY_NODE) *nodes;
         X509_POLICY_NODE *node;
         int i;
-        nodes = curr->nodes;
-        if (curr->flags & X509_V_FLAG_INHIBIT_MAP)
+        for (i = sk_X509_POLICY_NODE_num(curr->nodes) - 1; i >= 0; i--)
                 {
-                for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--)
+                node = sk_X509_POLICY_NODE_value(curr->nodes, i);
+                /* Delete any mapped data: see RFC3280 XXXX */
+                if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK)
                         {
-                        node = sk_X509_POLICY_NODE_value(nodes, i);
-                        /* Delete any mapped data: see RFC3280 XXXX */
-                        if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK)
-                                {
-                                node->parent->nchild--;
-                                OPENSSL_free(node);
-                                (void)sk_X509_POLICY_NODE_delete(nodes,i);
-                                }
+                        node->parent->nchild--;
+                        OPENSSL_free(node);
+                        (void)sk_X509_POLICY_NODE_delete(curr->nodes, i);
                         }
                 }
 
         for(;;) {
                 --curr;
-                nodes = curr->nodes;
-                for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--)
+                for (i = sk_X509_POLICY_NODE_num(curr->nodes) - 1; i >= 0; i--)
                         {
-                        node = sk_X509_POLICY_NODE_value(nodes, i);
+                        node = sk_X509_POLICY_NODE_value(curr->nodes, i);
                         if (node->nchild == 0)
                                 {
                                 node->parent->nchild--;
                                 OPENSSL_free(node);
-                                (void)sk_X509_POLICY_NODE_delete(nodes, i);
+                                (void)sk_X509_POLICY_NODE_delete(curr->nodes, i);
                                 }
                         }
                 if (curr->anyPolicy && !curr->anyPolicy->nchild)
@@ -709,7 +536,6 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
                 if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
                         && !tree_link_any(curr, cache, tree))
                         return 0;
-        tree_print("before tree_prune()", tree, curr);
                 ret = tree_prune(tree, curr);
                 if (ret != 1)
                         return ret;
@@ -778,6 +604,7 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
         *pexplicit_policy = 0;
         ret = tree_init(&tree, certs, flags);
 
+
         switch (ret)
                 {
 
@@ -786,10 +613,6 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
                 return 1;
 
                 /* Some internal error */
-                case -1:
-                return -1;
-
-                /* Some internal error */
                 case 0:
                 return 0;
 
@@ -823,8 +646,6 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
         if (!tree) goto error;
         ret = tree_evaluate(tree);
 
-        tree_print("tree_evaluate()", tree, NULL);
-
         if (ret <= 0)
                 goto error;
 
diff --git a/src/lib/libcrypto/x509v3/tabtest.c b/src/lib/libcrypto/x509v3/tabtest.c
new file mode 100644
index 0000000000..5ed6eb6891
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/tabtest.c
@@ -0,0 +1,88 @@
+/* tabtest.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* Simple program to check the ext_dat.h is correct and print out
+ * problems if it is not.
+ */
+
+#include <stdio.h>
+
+#include <openssl/x509v3.h>
+
+#include "ext_dat.h"
+
+main()
+{
+        int i, prev = -1, bad = 0;
+        X509V3_EXT_METHOD **tmp;
+        i = sizeof(standard_exts) / sizeof(X509V3_EXT_METHOD *);
+        if(i != STANDARD_EXTENSION_COUNT)
+                fprintf(stderr, "Extension number invalid expecting %d\n", i);
+        tmp = standard_exts;
+        for(i = 0; i < STANDARD_EXTENSION_COUNT; i++, tmp++) {
+                if((*tmp)->ext_nid < prev) bad = 1;
+                prev = (*tmp)->ext_nid;
+                
+        }
+        if(bad) {
+                tmp = standard_exts;
+                fprintf(stderr, "Extensions out of order!\n");
+                for(i = 0; i < STANDARD_EXTENSION_COUNT; i++, tmp++)
+                printf("%d : %s\n", (*tmp)->ext_nid, OBJ_nid2sn((*tmp)->ext_nid));
+        } else fprintf(stderr, "Order OK\n");
+}
diff --git a/src/lib/libcrypto/x509v3/v3_addr.c b/src/lib/libcrypto/x509v3/v3_addr.c
new file mode 100644
index 0000000000..efdf7c3ba7
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_addr.c
@@ -0,0 +1,1286 @@
+/*
+ * Contributed to the OpenSSL Project by the American Registry for
+ * Internet Numbers ("ARIN").
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ */
+
+/*
+ * Implementation of RFC 3779 section 2.2.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/buffer.h>
+#include <openssl/x509v3.h>
+
+#ifndef OPENSSL_NO_RFC3779
+
+/*
+ * OpenSSL ASN.1 template translation of RFC 3779 2.2.3.
+ */
+
+ASN1_SEQUENCE(IPAddressRange) = {
+  ASN1_SIMPLE(IPAddressRange, min, ASN1_BIT_STRING),
+  ASN1_SIMPLE(IPAddressRange, max, ASN1_BIT_STRING)
+} ASN1_SEQUENCE_END(IPAddressRange)
+
+ASN1_CHOICE(IPAddressOrRange) = {
+  ASN1_SIMPLE(IPAddressOrRange, u.addressPrefix, ASN1_BIT_STRING),
+  ASN1_SIMPLE(IPAddressOrRange, u.addressRange,  IPAddressRange)
+} ASN1_CHOICE_END(IPAddressOrRange)
+
+ASN1_CHOICE(IPAddressChoice) = {
+  ASN1_SIMPLE(IPAddressChoice,      u.inherit,           ASN1_NULL),
+  ASN1_SEQUENCE_OF(IPAddressChoice, u.addressesOrRanges, IPAddressOrRange)
+} ASN1_CHOICE_END(IPAddressChoice)
+
+ASN1_SEQUENCE(IPAddressFamily) = {
+  ASN1_SIMPLE(IPAddressFamily, addressFamily,   ASN1_OCTET_STRING),
+  ASN1_SIMPLE(IPAddressFamily, ipAddressChoice, IPAddressChoice)
+} ASN1_SEQUENCE_END(IPAddressFamily)
+
+ASN1_ITEM_TEMPLATE(IPAddrBlocks) = 
+  ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
+                        IPAddrBlocks, IPAddressFamily)
+ASN1_ITEM_TEMPLATE_END(IPAddrBlocks)
+
+IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange)
+IMPLEMENT_ASN1_FUNCTIONS(IPAddressOrRange)
+IMPLEMENT_ASN1_FUNCTIONS(IPAddressChoice)
+IMPLEMENT_ASN1_FUNCTIONS(IPAddressFamily)
+
+/*
+ * How much buffer space do we need for a raw address?
+ */
+#define ADDR_RAW_BUF_LEN        16
+
+/*
+ * What's the address length associated with this AFI?
+ */
+static int length_from_afi(const unsigned afi)
+{
+  switch (afi) {
+  case IANA_AFI_IPV4:
+    return 4;
+  case IANA_AFI_IPV6:
+    return 16;
+  default:
+    return 0;
+  }
+}
+
+/*
+ * Extract the AFI from an IPAddressFamily.
+ */
+unsigned int v3_addr_get_afi(const IPAddressFamily *f)
+{
+  return ((f != NULL &&
+           f->addressFamily != NULL &&
+           f->addressFamily->data != NULL)
+          ? ((f->addressFamily->data[0] << 8) |
+             (f->addressFamily->data[1]))
+          : 0);
+}
+
+/*
+ * Expand the bitstring form of an address into a raw byte array.
+ * At the moment this is coded for simplicity, not speed.
+ */
+static void addr_expand(unsigned char *addr,
+                        const ASN1_BIT_STRING *bs,
+                        const int length,
+                        const unsigned char fill)
+{
+  OPENSSL_assert(bs->length >= 0 && bs->length <= length);
+  if (bs->length > 0) {
+    memcpy(addr, bs->data, bs->length);
+    if ((bs->flags & 7) != 0) {
+      unsigned char mask = 0xFF >> (8 - (bs->flags & 7));
+      if (fill == 0)
+        addr[bs->length - 1] &= ~mask;
+      else
+        addr[bs->length - 1] |= mask;
+    }
+  }
+  memset(addr + bs->length, fill, length - bs->length);
+}
+
+/*
+ * Extract the prefix length from a bitstring.
+ */
+#define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7)))
+
+/*
+ * i2r handler for one address bitstring.
+ */
+static int i2r_address(BIO *out,
+                       const unsigned afi,
+                       const unsigned char fill,
+                       const ASN1_BIT_STRING *bs)
+{
+  unsigned char addr[ADDR_RAW_BUF_LEN];
+  int i, n;
+
+  switch (afi) {
+  case IANA_AFI_IPV4:
+    addr_expand(addr, bs, 4, fill);
+    BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
+    break;
+  case IANA_AFI_IPV6:
+    addr_expand(addr, bs, 16, fill);
+    for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2)
+      ;
+    for (i = 0; i < n; i += 2)
+      BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i+1], (i < 14 ? ":" : ""));
+    if (i < 16)
+      BIO_puts(out, ":");
+    if (i == 0)
+      BIO_puts(out, ":");
+    break;
+  default:
+    for (i = 0; i < bs->length; i++)
+      BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), bs->data[i]);
+    BIO_printf(out, "[%d]", (int) (bs->flags & 7));
+    break;
+  }
+  return 1;
+}
+
+/*
+ * i2r handler for a sequence of addresses and ranges.
+ */
+static int i2r_IPAddressOrRanges(BIO *out,
+                                 const int indent,
+                                 const IPAddressOrRanges *aors,
+                                 const unsigned afi)
+{
+  int i;
+  for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) {
+    const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i);
+    BIO_printf(out, "%*s", indent, "");
+    switch (aor->type) {
+    case IPAddressOrRange_addressPrefix:
+      if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix))
+        return 0;
+      BIO_printf(out, "/%d\n", addr_prefixlen(aor->u.addressPrefix));
+      continue;
+    case IPAddressOrRange_addressRange:
+      if (!i2r_address(out, afi, 0x00, aor->u.addressRange->min))
+        return 0;
+      BIO_puts(out, "-");
+      if (!i2r_address(out, afi, 0xFF, aor->u.addressRange->max))
+        return 0;
+      BIO_puts(out, "\n");
+      continue;
+    }
+  }
+  return 1;
+}
+
+/*
+ * i2r handler for an IPAddrBlocks extension.
+ */
+static int i2r_IPAddrBlocks(X509V3_EXT_METHOD *method,
+                            void *ext,
+                            BIO *out,
+                            int indent)
+{
+  const IPAddrBlocks *addr = ext;
+  int i;
+  for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
+    IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
+    const unsigned int afi = v3_addr_get_afi(f);
+    switch (afi) {
+    case IANA_AFI_IPV4:
+      BIO_printf(out, "%*sIPv4", indent, "");
+      break;
+    case IANA_AFI_IPV6:
+      BIO_printf(out, "%*sIPv6", indent, "");
+      break;
+    default:
+      BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi);
+      break;
+    }
+    if (f->addressFamily->length > 2) {
+      switch (f->addressFamily->data[2]) {
+      case   1:
+        BIO_puts(out, " (Unicast)");
+        break;
+      case   2:
+        BIO_puts(out, " (Multicast)");
+        break;
+      case   3:
+        BIO_puts(out, " (Unicast/Multicast)");
+        break;
+      case   4:
+        BIO_puts(out, " (MPLS)");
+        break;
+      case  64:
+        BIO_puts(out, " (Tunnel)");
+        break;
+      case  65:
+        BIO_puts(out, " (VPLS)");
+        break;
+      case  66:
+        BIO_puts(out, " (BGP MDT)");
+        break;
+      case 128:
+        BIO_puts(out, " (MPLS-labeled VPN)");
+        break;
+      default:  
+        BIO_printf(out, " (Unknown SAFI %u)",
+                   (unsigned) f->addressFamily->data[2]);
+        break;
+      }
+    }
+    switch (f->ipAddressChoice->type) {
+    case IPAddressChoice_inherit:
+      BIO_puts(out, ": inherit\n");
+      break;
+    case IPAddressChoice_addressesOrRanges:
+      BIO_puts(out, ":\n");
+      if (!i2r_IPAddressOrRanges(out,
+                                 indent + 2,
+                                 f->ipAddressChoice->u.addressesOrRanges,
+                                 afi))
+        return 0;
+      break;
+    }
+  }
+  return 1;
+}
+
+/*
+ * Sort comparison function for a sequence of IPAddressOrRange
+ * elements.
+ */
+static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
+                                const IPAddressOrRange *b,
+                                const int length)
+{
+  unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN];
+  int prefixlen_a = 0;
+  int prefixlen_b = 0;
+  int r;
+
+  switch (a->type) {
+  case IPAddressOrRange_addressPrefix:
+    addr_expand(addr_a, a->u.addressPrefix, length, 0x00);
+    prefixlen_a = addr_prefixlen(a->u.addressPrefix);
+    break;
+  case IPAddressOrRange_addressRange:
+    addr_expand(addr_a, a->u.addressRange->min, length, 0x00);
+    prefixlen_a = length * 8;
+    break;
+  }
+
+  switch (b->type) {
+  case IPAddressOrRange_addressPrefix:
+    addr_expand(addr_b, b->u.addressPrefix, length, 0x00);
+    prefixlen_b = addr_prefixlen(b->u.addressPrefix);
+    break;
+  case IPAddressOrRange_addressRange:
+    addr_expand(addr_b, b->u.addressRange->min, length, 0x00);
+    prefixlen_b = length * 8;
+    break;
+  }
+
+  if ((r = memcmp(addr_a, addr_b, length)) != 0)
+    return r;
+  else
+    return prefixlen_a - prefixlen_b;
+}
+
+/*
+ * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort()
+ * comparision routines are only allowed two arguments.
+ */
+static int v4IPAddressOrRange_cmp(const IPAddressOrRange * const *a,
+                                  const IPAddressOrRange * const *b)
+{
+  return IPAddressOrRange_cmp(*a, *b, 4);
+}
+
+/*
+ * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort()
+ * comparision routines are only allowed two arguments.
+ */
+static int v6IPAddressOrRange_cmp(const IPAddressOrRange * const *a,
+                                  const IPAddressOrRange * const *b)
+{
+  return IPAddressOrRange_cmp(*a, *b, 16);
+}
+
+/*
+ * Calculate whether a range collapses to a prefix.
+ * See last paragraph of RFC 3779 2.2.3.7.
+ */
+static int range_should_be_prefix(const unsigned char *min,
+                                  const unsigned char *max,
+                                  const int length)
+{
+  unsigned char mask;
+  int i, j;
+
+  for (i = 0; i < length && min[i] == max[i]; i++)
+    ;
+  for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--)
+    ;
+  if (i < j)
+    return -1;
+  if (i > j)
+    return i * 8;
+  mask = min[i] ^ max[i];
+  switch (mask) {
+  case 0x01: j = 7; break;
+  case 0x03: j = 6; break;
+  case 0x07: j = 5; break;
+  case 0x0F: j = 4; break;
+  case 0x1F: j = 3; break;
+  case 0x3F: j = 2; break;
+  case 0x7F: j = 1; break;
+  default:   return -1;
+  }
+  if ((min[i] & mask) != 0 || (max[i] & mask) != mask)
+    return -1;
+  else
+    return i * 8 + j;
+}
+
+/*
+ * Construct a prefix.
+ */
+static int make_addressPrefix(IPAddressOrRange **result,
+                              unsigned char *addr,
+                              const int prefixlen)
+{
+  int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8;
+  IPAddressOrRange *aor = IPAddressOrRange_new();
+
+  if (aor == NULL)
+    return 0;
+  aor->type = IPAddressOrRange_addressPrefix;
+  if (aor->u.addressPrefix == NULL &&
+      (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL)
+    goto err;
+  if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen))
+    goto err;
+  aor->u.addressPrefix->flags &= ~7;
+  aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT;
+  if (bitlen > 0) {
+    aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen);
+    aor->u.addressPrefix->flags |= 8 - bitlen;
+  }
+  
+  *result = aor;
+  return 1;
+
+ err:
+  IPAddressOrRange_free(aor);
+  return 0;
+}
+
+/*
+ * Construct a range.  If it can be expressed as a prefix,
+ * return a prefix instead.  Doing this here simplifies
+ * the rest of the code considerably.
+ */
+static int make_addressRange(IPAddressOrRange **result,
+                             unsigned char *min,
+                             unsigned char *max,
+                             const int length)
+{
+  IPAddressOrRange *aor;
+  int i, prefixlen;
+
+  if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0)
+    return make_addressPrefix(result, min, prefixlen);
+
+  if ((aor = IPAddressOrRange_new()) == NULL)
+    return 0;
+  aor->type = IPAddressOrRange_addressRange;
+  OPENSSL_assert(aor->u.addressRange == NULL);
+  if ((aor->u.addressRange = IPAddressRange_new()) == NULL)
+    goto err;
+  if (aor->u.addressRange->min == NULL &&
+      (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL)
+    goto err;
+  if (aor->u.addressRange->max == NULL &&
+      (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL)
+    goto err;
+
+  for (i = length; i > 0 && min[i - 1] == 0x00; --i)
+    ;
+  if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i))
+    goto err;
+  aor->u.addressRange->min->flags &= ~7;
+  aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT;
+  if (i > 0) {
+    unsigned char b = min[i - 1];
+    int j = 1;
+    while ((b & (0xFFU >> j)) != 0) 
+      ++j;
+    aor->u.addressRange->min->flags |= 8 - j;
+  }
+
+  for (i = length; i > 0 && max[i - 1] == 0xFF; --i)
+    ;
+  if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i))
+    goto err;
+  aor->u.addressRange->max->flags &= ~7;
+  aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT;
+  if (i > 0) {
+    unsigned char b = max[i - 1];
+    int j = 1;
+    while ((b & (0xFFU >> j)) != (0xFFU >> j))
+      ++j;
+    aor->u.addressRange->max->flags |= 8 - j;
+  }
+
+  *result = aor;
+  return 1;
+
+ err:
+  IPAddressOrRange_free(aor);
+  return 0;
+}
+
+/*
+ * Construct a new address family or find an existing one.
+ */
+static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr,
+                                             const unsigned afi,
+                                             const unsigned *safi)
+{
+  IPAddressFamily *f;
+  unsigned char key[3];
+  unsigned keylen;
+  int i;
+
+  key[0] = (afi >> 8) & 0xFF;
+  key[1] = afi & 0xFF;
+  if (safi != NULL) {
+    key[2] = *safi & 0xFF;
+    keylen = 3;
+  } else {
+    keylen = 2;
+  }
+
+  for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
+    f = sk_IPAddressFamily_value(addr, i);
+    OPENSSL_assert(f->addressFamily->data != NULL);
+    if (f->addressFamily->length == keylen &&
+        !memcmp(f->addressFamily->data, key, keylen))
+      return f;
+  }
+
+  if ((f = IPAddressFamily_new()) == NULL)
+    goto err;
+  if (f->ipAddressChoice == NULL &&
+      (f->ipAddressChoice = IPAddressChoice_new()) == NULL)
+    goto err;
+  if (f->addressFamily == NULL && 
+      (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL)
+    goto err;
+  if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen))
+    goto err;
+  if (!sk_IPAddressFamily_push(addr, f))
+    goto err;
+
+  return f;
+
+ err:
+  IPAddressFamily_free(f);
+  return NULL;
+}
+
+/*
+ * Add an inheritance element.
+ */
+int v3_addr_add_inherit(IPAddrBlocks *addr,
+                        const unsigned afi,
+                        const unsigned *safi)
+{
+  IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
+  if (f == NULL ||
+      f->ipAddressChoice == NULL ||
+      (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
+       f->ipAddressChoice->u.addressesOrRanges != NULL))
+    return 0;
+  if (f->ipAddressChoice->type == IPAddressChoice_inherit &&
+      f->ipAddressChoice->u.inherit != NULL)
+    return 1;
+  if (f->ipAddressChoice->u.inherit == NULL &&
+      (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL)
+    return 0;
+  f->ipAddressChoice->type = IPAddressChoice_inherit;
+  return 1;
+}
+
+/*
+ * Construct an IPAddressOrRange sequence, or return an existing one.
+ */
+static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr,
+                                               const unsigned afi,
+                                               const unsigned *safi)
+{
+  IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
+  IPAddressOrRanges *aors = NULL;
+
+  if (f == NULL ||
+      f->ipAddressChoice == NULL ||
+      (f->ipAddressChoice->type == IPAddressChoice_inherit &&
+       f->ipAddressChoice->u.inherit != NULL))
+    return NULL;
+  if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges)
+    aors = f->ipAddressChoice->u.addressesOrRanges;
+  if (aors != NULL)
+    return aors;
+  if ((aors = sk_IPAddressOrRange_new_null()) == NULL)
+    return NULL;
+  switch (afi) {
+  case IANA_AFI_IPV4:
+    (void)sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
+    break;
+  case IANA_AFI_IPV6:
+    (void)sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
+    break;
+  }
+  f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
+  f->ipAddressChoice->u.addressesOrRanges = aors;
+  return aors;
+}
+
+/*
+ * Add a prefix.
+ */
+int v3_addr_add_prefix(IPAddrBlocks *addr,
+                       const unsigned afi,
+                       const unsigned *safi,
+                       unsigned char *a,
+                       const int prefixlen)
+{
+  IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
+  IPAddressOrRange *aor;
+  if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen))
+    return 0;
+  if (sk_IPAddressOrRange_push(aors, aor))
+    return 1;
+  IPAddressOrRange_free(aor);
+  return 0;
+}
+
+/*
+ * Add a range.
+ */
+int v3_addr_add_range(IPAddrBlocks *addr,
+                      const unsigned afi,
+                      const unsigned *safi,
+                      unsigned char *min,
+                      unsigned char *max)
+{
+  IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
+  IPAddressOrRange *aor;
+  int length = length_from_afi(afi);
+  if (aors == NULL)
+    return 0;
+  if (!make_addressRange(&aor, min, max, length))
+    return 0;
+  if (sk_IPAddressOrRange_push(aors, aor))
+    return 1;
+  IPAddressOrRange_free(aor);
+  return 0;
+}
+
+/*
+ * Extract min and max values from an IPAddressOrRange.
+ */
+static void extract_min_max(IPAddressOrRange *aor,
+                            unsigned char *min,
+                            unsigned char *max,
+                            int length)
+{
+  OPENSSL_assert(aor != NULL && min != NULL && max != NULL);
+  switch (aor->type) {
+  case IPAddressOrRange_addressPrefix:
+    addr_expand(min, aor->u.addressPrefix, length, 0x00);
+    addr_expand(max, aor->u.addressPrefix, length, 0xFF);
+    return;
+  case IPAddressOrRange_addressRange:
+    addr_expand(min, aor->u.addressRange->min, length, 0x00);
+    addr_expand(max, aor->u.addressRange->max, length, 0xFF);
+    return;
+  }
+}
+
+/*
+ * Public wrapper for extract_min_max().
+ */
+int v3_addr_get_range(IPAddressOrRange *aor,
+                      const unsigned afi,
+                      unsigned char *min,
+                      unsigned char *max,
+                      const int length)
+{
+  int afi_length = length_from_afi(afi);
+  if (aor == NULL || min == NULL || max == NULL ||
+      afi_length == 0 || length < afi_length ||
+      (aor->type != IPAddressOrRange_addressPrefix &&
+       aor->type != IPAddressOrRange_addressRange))
+    return 0;
+  extract_min_max(aor, min, max, afi_length);
+  return afi_length;
+}
+
+/*
+ * Sort comparision function for a sequence of IPAddressFamily.
+ *
+ * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about
+ * the ordering: I can read it as meaning that IPv6 without a SAFI
+ * comes before IPv4 with a SAFI, which seems pretty weird.  The
+ * examples in appendix B suggest that the author intended the
+ * null-SAFI rule to apply only within a single AFI, which is what I
+ * would have expected and is what the following code implements.
+ */
+static int IPAddressFamily_cmp(const IPAddressFamily * const *a_,
+                               const IPAddressFamily * const *b_)
+{
+  const ASN1_OCTET_STRING *a = (*a_)->addressFamily;
+  const ASN1_OCTET_STRING *b = (*b_)->addressFamily;
+  int len = ((a->length <= b->length) ? a->length : b->length);
+  int cmp = memcmp(a->data, b->data, len);
+  return cmp ? cmp : a->length - b->length;
+}
+
+/*
+ * Check whether an IPAddrBLocks is in canonical form.
+ */
+int v3_addr_is_canonical(IPAddrBlocks *addr)
+{
+  unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
+  unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
+  IPAddressOrRanges *aors;
+  int i, j, k;
+
+  /*
+   * Empty extension is cannonical.
+   */
+  if (addr == NULL)
+    return 1;
+
+  /*
+   * Check whether the top-level list is in order.
+   */
+  for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) {
+    const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i);
+    const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1);
+    if (IPAddressFamily_cmp(&a, &b) >= 0)
+      return 0;
+  }
+
+  /*
+   * Top level's ok, now check each address family.
+   */
+  for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
+    IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
+    int length = length_from_afi(v3_addr_get_afi(f));
+
+    /*
+     * Inheritance is canonical.  Anything other than inheritance or
+     * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something.
+     */
+    if (f == NULL || f->ipAddressChoice == NULL)
+      return 0;
+    switch (f->ipAddressChoice->type) {
+    case IPAddressChoice_inherit:
+      continue;
+    case IPAddressChoice_addressesOrRanges:
+      break;
+    default:
+      return 0;
+    }
+
+    /*
+     * It's an IPAddressOrRanges sequence, check it.
+     */
+    aors = f->ipAddressChoice->u.addressesOrRanges;
+    if (sk_IPAddressOrRange_num(aors) == 0)
+      return 0;
+    for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) {
+      IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
+      IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1);
+
+      extract_min_max(a, a_min, a_max, length);
+      extract_min_max(b, b_min, b_max, length);
+
+      /*
+       * Punt misordered list, overlapping start, or inverted range.
+       */
+      if (memcmp(a_min, b_min, length) >= 0 ||
+          memcmp(a_min, a_max, length) > 0 ||
+          memcmp(b_min, b_max, length) > 0)
+        return 0;
+
+      /*
+       * Punt if adjacent or overlapping.  Check for adjacency by
+       * subtracting one from b_min first.
+       */
+      for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--)
+        ;
+      if (memcmp(a_max, b_min, length) >= 0)
+        return 0;
+
+      /*
+       * Check for range that should be expressed as a prefix.
+       */
+      if (a->type == IPAddressOrRange_addressRange &&
+          range_should_be_prefix(a_min, a_max, length) >= 0)
+        return 0;
+    }
+
+    /*
+     * Check final range to see if it should be a prefix.
+     */
+    j = sk_IPAddressOrRange_num(aors) - 1;
+    {
+      IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
+      if (a->type == IPAddressOrRange_addressRange) {
+        extract_min_max(a, a_min, a_max, length);
+        if (range_should_be_prefix(a_min, a_max, length) >= 0)
+          return 0;
+      }
+    }
+  }
+
+  /*
+   * If we made it through all that, we're happy.
+   */
+  return 1;
+}
+
+/*
+ * Whack an IPAddressOrRanges into canonical form.
+ */
+static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
+                                      const unsigned afi)
+{
+  int i, j, length = length_from_afi(afi);
+
+  /*
+   * Sort the IPAddressOrRanges sequence.
+   */
+  sk_IPAddressOrRange_sort(aors);
+
+  /*
+   * Clean up representation issues, punt on duplicates or overlaps.
+   */
+  for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) {
+    IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i);
+    IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1);
+    unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
+    unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
+
+    extract_min_max(a, a_min, a_max, length);
+    extract_min_max(b, b_min, b_max, length);
+
+    /*
+     * Punt overlaps.
+     */
+    if (memcmp(a_max, b_min, length) >= 0)
+      return 0;
+
+    /*
+     * Merge if a and b are adjacent.  We check for
+     * adjacency by subtracting one from b_min first.
+     */
+    for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--)
+      ;
+    if (memcmp(a_max, b_min, length) == 0) {
+      IPAddressOrRange *merged;
+      if (!make_addressRange(&merged, a_min, b_max, length))
+        return 0;
+      sk_IPAddressOrRange_set(aors, i, merged);
+      (void)sk_IPAddressOrRange_delete(aors, i + 1);
+      IPAddressOrRange_free(a);
+      IPAddressOrRange_free(b);
+      --i;
+      continue;
+    }
+  }
+
+  return 1;
+}
+
+/*
+ * Whack an IPAddrBlocks extension into canonical form.
+ */
+int v3_addr_canonize(IPAddrBlocks *addr)
+{
+  int i;
+  for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
+    IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
+    if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
+        !IPAddressOrRanges_canonize(f->ipAddressChoice->u.addressesOrRanges,
+                                    v3_addr_get_afi(f)))
+      return 0;
+  }
+  (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
+  sk_IPAddressFamily_sort(addr);
+  OPENSSL_assert(v3_addr_is_canonical(addr));
+  return 1;
+}
+
+/*
+ * v2i handler for the IPAddrBlocks extension.
+ */
+static void *v2i_IPAddrBlocks(struct v3_ext_method *method,
+                              struct v3_ext_ctx *ctx,
+                              STACK_OF(CONF_VALUE) *values)
+{
+  static const char v4addr_chars[] = "0123456789.";
+  static const char v6addr_chars[] = "0123456789.:abcdefABCDEF";
+  IPAddrBlocks *addr = NULL;
+  char *s = NULL, *t;
+  int i;
+  
+  if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) {
+    X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
+    return NULL;
+  }
+
+  for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
+    CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
+    unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN];
+    unsigned afi, *safi = NULL, safi_;
+    const char *addr_chars;
+    int prefixlen, i1, i2, delim, length;
+
+    if (       !name_cmp(val->name, "IPv4")) {
+      afi = IANA_AFI_IPV4;
+    } else if (!name_cmp(val->name, "IPv6")) {
+      afi = IANA_AFI_IPV6;
+    } else if (!name_cmp(val->name, "IPv4-SAFI")) {
+      afi = IANA_AFI_IPV4;
+      safi = &safi_;
+    } else if (!name_cmp(val->name, "IPv6-SAFI")) {
+      afi = IANA_AFI_IPV6;
+      safi = &safi_;
+    } else {
+      X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_NAME_ERROR);
+      X509V3_conf_err(val);
+      goto err;
+    }
+
+    switch (afi) {
+    case IANA_AFI_IPV4:
+      addr_chars = v4addr_chars;
+      break;
+    case IANA_AFI_IPV6:
+      addr_chars = v6addr_chars;
+      break;
+    }
+
+    length = length_from_afi(afi);
+
+    /*
+     * Handle SAFI, if any, and BUF_strdup() so we can null-terminate
+     * the other input values.
+     */
+    if (safi != NULL) {
+      *safi = strtoul(val->value, &t, 0);
+      t += strspn(t, " \t");
+      if (*safi > 0xFF || *t++ != ':') {
+        X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_SAFI);
+        X509V3_conf_err(val);
+        goto err;
+      }
+      t += strspn(t, " \t");
+      s = BUF_strdup(t);
+    } else {
+      s = BUF_strdup(val->value);
+    }
+    if (s == NULL) {
+      X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
+      goto err;
+    }
+
+    /*
+     * Check for inheritance.  Not worth additional complexity to
+     * optimize this (seldom-used) case.
+     */
+    if (!strcmp(s, "inherit")) {
+      if (!v3_addr_add_inherit(addr, afi, safi)) {
+        X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_INHERITANCE);
+        X509V3_conf_err(val);
+        goto err;
+      }
+      OPENSSL_free(s);
+      s = NULL;
+      continue;
+    }
+
+    i1 = strspn(s, addr_chars);
+    i2 = i1 + strspn(s + i1, " \t");
+    delim = s[i2++];
+    s[i1] = '\0';
+
+    if (a2i_ipadd(min, s) != length) {
+      X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS);
+      X509V3_conf_err(val);
+      goto err;
+    }
+
+    switch (delim) {
+    case '/':
+      prefixlen = (int) strtoul(s + i2, &t, 10);
+      if (t == s + i2 || *t != '\0') {
+        X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR);
+        X509V3_conf_err(val);
+        goto err;
+      }
+      if (!v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) {
+        X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
+        goto err;
+      }
+      break;
+    case '-':
+      i1 = i2 + strspn(s + i2, " \t");
+      i2 = i1 + strspn(s + i1, addr_chars);
+      if (i1 == i2 || s[i2] != '\0') {
+        X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR);
+        X509V3_conf_err(val);
+        goto err;
+      }
+      if (a2i_ipadd(max, s + i1) != length) {
+        X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS);
+        X509V3_conf_err(val);
+        goto err;
+      }
+      if (!v3_addr_add_range(addr, afi, safi, min, max)) {
+        X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
+        goto err;
+      }
+      break;
+    case '\0':
+      if (!v3_addr_add_prefix(addr, afi, safi, min, length * 8)) {
+        X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
+        goto err;
+      }
+      break;
+    default:
+      X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR);
+      X509V3_conf_err(val);
+      goto err;
+    }
+
+    OPENSSL_free(s);
+    s = NULL;
+  }
+
+  /*
+   * Canonize the result, then we're done.
+   */
+  if (!v3_addr_canonize(addr))
+    goto err;    
+  return addr;
+
+ err:
+  OPENSSL_free(s);
+  sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
+  return NULL;
+}
+
+/*
+ * OpenSSL dispatch
+ */
+const X509V3_EXT_METHOD v3_addr = {
+  NID_sbgp_ipAddrBlock,         /* nid */
+  0,                            /* flags */
+  ASN1_ITEM_ref(IPAddrBlocks),  /* template */
+  0, 0, 0, 0,                   /* old functions, ignored */
+  0,                            /* i2s */
+  0,                            /* s2i */
+  0,                            /* i2v */
+  v2i_IPAddrBlocks,             /* v2i */
+  i2r_IPAddrBlocks,             /* i2r */
+  0,                            /* r2i */
+  NULL                          /* extension-specific data */
+};
+
+/*
+ * Figure out whether extension sues inheritance.
+ */
+int v3_addr_inherits(IPAddrBlocks *addr)
+{
+  int i;
+  if (addr == NULL)
+    return 0;
+  for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
+    IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
+    if (f->ipAddressChoice->type == IPAddressChoice_inherit)
+      return 1;
+  }
+  return 0;
+}
+
+/*
+ * Figure out whether parent contains child.
+ */
+static int addr_contains(IPAddressOrRanges *parent,
+                         IPAddressOrRanges *child,
+                         int length)
+{
+  unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN];
+  unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN];
+  int p, c;
+
+  if (child == NULL || parent == child)
+    return 1;
+  if (parent == NULL)
+    return 0;
+
+  p = 0;
+  for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
+    extract_min_max(sk_IPAddressOrRange_value(child, c),
+                    c_min, c_max, length);
+    for (;; p++) {
+      if (p >= sk_IPAddressOrRange_num(parent))
+        return 0;
+      extract_min_max(sk_IPAddressOrRange_value(parent, p),
+                      p_min, p_max, length);
+      if (memcmp(p_max, c_max, length) < 0)
+        continue;
+      if (memcmp(p_min, c_min, length) > 0)
+        return 0;
+      break;
+    }
+  }
+
+  return 1;
+}
+
+/*
+ * Test whether a is a subset of b.
+ */
+int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
+{
+  int i;
+  if (a == NULL || a == b)
+    return 1;
+  if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b))
+    return 0;
+  (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
+  for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
+    IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
+    int j = sk_IPAddressFamily_find(b, fa);
+    IPAddressFamily *fb;
+    fb = sk_IPAddressFamily_value(b, j);
+    if (fb == NULL)
+       return 0;
+    if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges, 
+                       fa->ipAddressChoice->u.addressesOrRanges,
+                       length_from_afi(v3_addr_get_afi(fb))))
+      return 0;
+  }
+  return 1;
+}
+
+/*
+ * Validation error handling via callback.
+ */
+#define validation_err(_err_)           \
+  do {                                  \
+    if (ctx != NULL) {                  \
+      ctx->error = _err_;               \
+      ctx->error_depth = i;             \
+      ctx->current_cert = x;            \
+      ret = ctx->verify_cb(0, ctx);     \
+    } else {                            \
+      ret = 0;                          \
+    }                                   \
+    if (!ret)                           \
+      goto done;                        \
+  } while (0)
+
+/*
+ * Core code for RFC 3779 2.3 path validation.
+ */
+static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
+                                          STACK_OF(X509) *chain,
+                                          IPAddrBlocks *ext)
+{
+  IPAddrBlocks *child = NULL;
+  int i, j, ret = 1;
+  X509 *x = NULL;
+
+  OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
+  OPENSSL_assert(ctx != NULL || ext != NULL);
+  OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
+
+  /*
+   * Figure out where to start.  If we don't have an extension to
+   * check, we're done.  Otherwise, check canonical form and
+   * set up for walking up the chain.
+   */
+  if (ext != NULL) {
+    i = -1;
+  } else {
+    i = 0;
+    x = sk_X509_value(chain, i);
+    OPENSSL_assert(x != NULL);
+    if ((ext = x->rfc3779_addr) == NULL)
+      goto done;
+  }
+  if (!v3_addr_is_canonical(ext))
+    validation_err(X509_V_ERR_INVALID_EXTENSION);
+  (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
+  if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
+    X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE);
+    ret = 0;
+    goto done;
+  }
+
+  /*
+   * Now walk up the chain.  No cert may list resources that its
+   * parent doesn't list.
+   */
+  for (i++; i < sk_X509_num(chain); i++) {
+    x = sk_X509_value(chain, i);
+    OPENSSL_assert(x != NULL);
+    if (!v3_addr_is_canonical(x->rfc3779_addr))
+      validation_err(X509_V_ERR_INVALID_EXTENSION);
+    if (x->rfc3779_addr == NULL) {
+      for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
+        IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
+        if (fc->ipAddressChoice->type != IPAddressChoice_inherit) {
+          validation_err(X509_V_ERR_UNNESTED_RESOURCE);
+          break;
+        }
+      }
+      continue;
+    }
+    (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
+    for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
+      IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
+      int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
+      IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, k);
+      if (fp == NULL) {
+        if (fc->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) {
+          validation_err(X509_V_ERR_UNNESTED_RESOURCE);
+          break;
+        }
+        continue;
+      }
+      if (fp->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) {
+        if (fc->ipAddressChoice->type == IPAddressChoice_inherit ||
+            addr_contains(fp->ipAddressChoice->u.addressesOrRanges, 
+                          fc->ipAddressChoice->u.addressesOrRanges,
+                          length_from_afi(v3_addr_get_afi(fc))))
+          sk_IPAddressFamily_set(child, j, fp);
+        else
+          validation_err(X509_V_ERR_UNNESTED_RESOURCE);
+      }
+    }
+  }
+
+  /*
+   * Trust anchor can't inherit.
+   */
+  if (x->rfc3779_addr != NULL) {
+    for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) {
+      IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, j);
+      if (fp->ipAddressChoice->type == IPAddressChoice_inherit &&
+          sk_IPAddressFamily_find(child, fp) >= 0)
+        validation_err(X509_V_ERR_UNNESTED_RESOURCE);
+    }
+  }
+
+ done:
+  sk_IPAddressFamily_free(child);
+  return ret;
+}
+
+#undef validation_err
+
+/*
+ * RFC 3779 2.3 path validation -- called from X509_verify_cert().
+ */
+int v3_addr_validate_path(X509_STORE_CTX *ctx)
+{
+  return v3_addr_validate_path_internal(ctx, ctx->chain, NULL);
+}
+
+/*
+ * RFC 3779 2.3 path validation of an extension.
+ * Test whether chain covers extension.
+ */
+int v3_addr_validate_resource_set(STACK_OF(X509) *chain,
+                                  IPAddrBlocks *ext,
+                                  int allow_inheritance)
+{
+  if (ext == NULL)
+    return 1;
+  if (chain == NULL || sk_X509_num(chain) == 0)
+    return 0;
+  if (!allow_inheritance && v3_addr_inherits(ext))
+    return 0;
+  return v3_addr_validate_path_internal(NULL, chain, ext);
+}
+
+#endif /* OPENSSL_NO_RFC3779 */
diff --git a/src/lib/libcrypto/x509v3/v3_alt.c b/src/lib/libcrypto/x509v3/v3_alt.c
index d29d94338e..75fda7f268 100644
--- a/src/lib/libcrypto/x509v3/v3_alt.c
+++ b/src/lib/libcrypto/x509v3/v3_alt.c
@@ -82,12 +82,6 @@ NULL, NULL, NULL},
 (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
 (X509V3_EXT_V2I)v2i_issuer_alt,
 NULL, NULL, NULL},
-
-{ NID_certificate_issuer, 0, ASN1_ITEM_ref(GENERAL_NAMES),
-0,0,0,0,
-0,0,
-(X509V3_EXT_I2V)i2v_GENERAL_NAMES,
-NULL, NULL, NULL, NULL},
 };
 
 STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
@@ -153,9 +147,9 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
                                 BIO_snprintf(htmp, sizeof htmp,
                                              "%X", p[0] << 8 | p[1]);
                                 p += 2;
-                                strcat(oline, htmp);
+                                strlcat(oline, htmp, sizeof oline);
                                 if (i != 7)
-                                        strcat(oline, ":");
+                                        strlcat(oline, ":", sizeof oline);
                                 }
                         }
                 else
@@ -366,7 +360,6 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
                 if (move_p)
                         {
                         X509_NAME_delete_entry(nm, i);
-                        X509_NAME_ENTRY_free(ne);
                         i--;
                         }
                 if(!email || !(gen = GENERAL_NAME_new())) {
@@ -393,8 +386,8 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
         
 }
 
-GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
-                                 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+GENERAL_NAMES *v2i_GENERAL_NAMES(X509V3_EXT_METHOD *method,
+                                X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
 {
         GENERAL_NAME *gen;
         GENERAL_NAMES *gens = NULL;
@@ -415,22 +408,28 @@ GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
         return NULL;
 }
 
-GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-                               CONF_VALUE *cnf)
+GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+                                                         CONF_VALUE *cnf)
         {
         return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0);
         }
 
-GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
-                               const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-                               int gen_type, char *value, int is_nc)
+GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
+                                X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+                                                 CONF_VALUE *cnf, int is_nc)
         {
         char is_string = 0;
+        int type;
         GENERAL_NAME *gen = NULL;
 
+        char *name, *value;
+
+        name = cnf->name;
+        value = cnf->value;
+
         if(!value)
                 {
-                X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_MISSING_VALUE);
+                X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_MISSING_VALUE);
                 return NULL;
                 }
 
@@ -441,62 +440,74 @@ GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
                 gen = GENERAL_NAME_new();
                 if(gen == NULL)
                         {
-                        X509V3err(X509V3_F_A2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
+                        X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,ERR_R_MALLOC_FAILURE);
                         return NULL;
                         }
                 }
 
-        switch (gen_type)
+        if(!name_cmp(name, "email"))
                 {
-                case GEN_URI:
-                case GEN_EMAIL:
-                case GEN_DNS:
                 is_string = 1;
-                break;
-                
-                case GEN_RID:
+                type = GEN_EMAIL;
+                }
+        else if(!name_cmp(name, "URI"))
+                {
+                is_string = 1;
+                type = GEN_URI;
+                }
+        else if(!name_cmp(name, "DNS"))
+                {
+                is_string = 1;
+                type = GEN_DNS;
+                }
+        else if(!name_cmp(name, "RID"))
                 {
                 ASN1_OBJECT *obj;
                 if(!(obj = OBJ_txt2obj(value,0)))
                         {
-                        X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_BAD_OBJECT);
+                        X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_BAD_OBJECT);
                         ERR_add_error_data(2, "value=", value);
                         goto err;
                         }
                 gen->d.rid = obj;
+                type = GEN_RID;
                 }
-                break;
-
-                case GEN_IPADD:
+        else if(!name_cmp(name, "IP"))
+                {
                 if (is_nc)
                         gen->d.ip = a2i_IPADDRESS_NC(value);
                 else
                         gen->d.ip = a2i_IPADDRESS(value);
                 if(gen->d.ip == NULL)
                         {
-                        X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_BAD_IP_ADDRESS);
+                        X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_BAD_IP_ADDRESS);
                         ERR_add_error_data(2, "value=", value);
                         goto err;
                         }
-                break;
-
-                case GEN_DIRNAME:
+                type = GEN_IPADD;
+                }
+        else if(!name_cmp(name, "dirName"))
+                {
+                type = GEN_DIRNAME;
                 if (!do_dirname(gen, value, ctx))
                         {
-                        X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_DIRNAME_ERROR);
+                        X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_DIRNAME_ERROR);
                         goto err;
                         }
-                break;
-
-                case GEN_OTHERNAME:
+                }
+        else if(!name_cmp(name, "otherName"))
+                {
                 if (!do_othername(gen, value, ctx))
                         {
-                        X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_OTHERNAME_ERROR);
+                        X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_OTHERNAME_ERROR);
                         goto err;
                         }
-                break;
-                default:
-                X509V3err(X509V3_F_A2I_GENERAL_NAME,X509V3_R_UNSUPPORTED_TYPE);
+                type = GEN_OTHERNAME;
+                }
+        else
+                {
+                X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_UNSUPPORTED_OPTION);
+                ERR_add_error_data(2, "name=", name);
                 goto err;
                 }
 
@@ -506,12 +517,12 @@ GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
                               !ASN1_STRING_set(gen->d.ia5, (unsigned char*)value,
                                                strlen(value)))
                         {
-                        X509V3err(X509V3_F_A2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE);
+                        X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,ERR_R_MALLOC_FAILURE);
                         goto err;
                         }
                 }
 
-        gen->type = gen_type;
+        gen->type = type;
 
         return gen;
 
@@ -521,48 +532,6 @@ GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
         return NULL;
         }
 
-GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
-                                  const X509V3_EXT_METHOD *method,
-                                  X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc)
-        {
-        int type;
-
-        char *name, *value;
-
-        name = cnf->name;
-        value = cnf->value;
-
-        if(!value)
-                {
-                X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_MISSING_VALUE);
-                return NULL;
-                }
-
-        if(!name_cmp(name, "email"))
-                type = GEN_EMAIL;
-        else if(!name_cmp(name, "URI"))
-                type = GEN_URI;
-        else if(!name_cmp(name, "DNS"))
-                type = GEN_DNS;
-        else if(!name_cmp(name, "RID"))
-                type = GEN_RID;
-        else if(!name_cmp(name, "IP"))
-                type = GEN_IPADD;
-        else if(!name_cmp(name, "dirName"))
-                type = GEN_DIRNAME;
-        else if(!name_cmp(name, "otherName"))
-                type = GEN_OTHERNAME;
-        else
-                {
-                X509V3err(X509V3_F_V2I_GENERAL_NAME_EX,X509V3_R_UNSUPPORTED_OPTION);
-                ERR_add_error_data(2, "name=", name);
-                return NULL;
-                }
-
-        return a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
-
-        }
-
 static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
         {
         char *objtmp = NULL, *p;
@@ -608,7 +577,6 @@ static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
         if (!ret)
                 X509_NAME_free(nm);
         gen->d.dirn = nm;
-        X509V3_section_free(ctx, sk);
                 
         return ret;
         }
diff --git a/src/lib/libcrypto/x509v3/v3_asid.c b/src/lib/libcrypto/x509v3/v3_asid.c
new file mode 100644
index 0000000000..abd497ed1f
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_asid.c
@@ -0,0 +1,842 @@
+/*
+ * Contributed to the OpenSSL Project by the American Registry for
+ * Internet Numbers ("ARIN").
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ */
+
+/*
+ * Implementation of RFC 3779 section 3.2.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <assert.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/x509v3.h>
+#include <openssl/x509.h>
+#include <openssl/bn.h>
+
+#ifndef OPENSSL_NO_RFC3779
+
+/*
+ * OpenSSL ASN.1 template translation of RFC 3779 3.2.3.
+ */
+
+ASN1_SEQUENCE(ASRange) = {
+  ASN1_SIMPLE(ASRange, min, ASN1_INTEGER),
+  ASN1_SIMPLE(ASRange, max, ASN1_INTEGER)
+} ASN1_SEQUENCE_END(ASRange)
+
+ASN1_CHOICE(ASIdOrRange) = {
+  ASN1_SIMPLE(ASIdOrRange, u.id,    ASN1_INTEGER),
+  ASN1_SIMPLE(ASIdOrRange, u.range, ASRange)
+} ASN1_CHOICE_END(ASIdOrRange)
+
+ASN1_CHOICE(ASIdentifierChoice) = {
+  ASN1_SIMPLE(ASIdentifierChoice,      u.inherit,       ASN1_NULL),
+  ASN1_SEQUENCE_OF(ASIdentifierChoice, u.asIdsOrRanges, ASIdOrRange)
+} ASN1_CHOICE_END(ASIdentifierChoice)
+
+ASN1_SEQUENCE(ASIdentifiers) = {
+  ASN1_EXP_OPT(ASIdentifiers, asnum, ASIdentifierChoice, 0),
+  ASN1_EXP_OPT(ASIdentifiers, rdi,   ASIdentifierChoice, 1)
+} ASN1_SEQUENCE_END(ASIdentifiers)
+
+IMPLEMENT_ASN1_FUNCTIONS(ASRange)
+IMPLEMENT_ASN1_FUNCTIONS(ASIdOrRange)
+IMPLEMENT_ASN1_FUNCTIONS(ASIdentifierChoice)
+IMPLEMENT_ASN1_FUNCTIONS(ASIdentifiers)
+
+/*
+ * i2r method for an ASIdentifierChoice.
+ */
+static int i2r_ASIdentifierChoice(BIO *out,
+                                  ASIdentifierChoice *choice,
+                                  int indent,
+                                  const char *msg)
+{
+  int i;
+  char *s;
+  if (choice == NULL)
+    return 1;
+  BIO_printf(out, "%*s%s:\n", indent, "", msg);
+  switch (choice->type) {
+  case ASIdentifierChoice_inherit:
+    BIO_printf(out, "%*sinherit\n", indent + 2, "");
+    break;
+  case ASIdentifierChoice_asIdsOrRanges:
+    for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges); i++) {
+      ASIdOrRange *aor = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
+      switch (aor->type) {
+      case ASIdOrRange_id:
+        if ((s = i2s_ASN1_INTEGER(NULL, aor->u.id)) == NULL)
+          return 0;
+        BIO_printf(out, "%*s%s\n", indent + 2, "", s);
+        OPENSSL_free(s);
+        break;
+      case ASIdOrRange_range:
+        if ((s = i2s_ASN1_INTEGER(NULL, aor->u.range->min)) == NULL)
+          return 0;
+        BIO_printf(out, "%*s%s-", indent + 2, "", s);
+        OPENSSL_free(s);
+        if ((s = i2s_ASN1_INTEGER(NULL, aor->u.range->max)) == NULL)
+          return 0;
+        BIO_printf(out, "%s\n", s);
+        OPENSSL_free(s);
+        break;
+      default:
+        return 0;
+      }
+    }
+    break;
+  default:
+    return 0;
+  }
+  return 1;
+}
+
+/*
+ * i2r method for an ASIdentifier extension.
+ */
+static int i2r_ASIdentifiers(X509V3_EXT_METHOD *method,
+                             void *ext,
+                             BIO *out,
+                             int indent)
+{
+  ASIdentifiers *asid = ext;
+  return (i2r_ASIdentifierChoice(out, asid->asnum, indent,
+                                 "Autonomous System Numbers") &&
+          i2r_ASIdentifierChoice(out, asid->rdi, indent,
+                                 "Routing Domain Identifiers"));
+}
+
+/*
+ * Sort comparision function for a sequence of ASIdOrRange elements.
+ */
+static int ASIdOrRange_cmp(const ASIdOrRange * const *a_,
+                           const ASIdOrRange * const *b_)
+{
+  const ASIdOrRange *a = *a_, *b = *b_;
+
+  assert((a->type == ASIdOrRange_id && a->u.id != NULL) ||
+         (a->type == ASIdOrRange_range && a->u.range != NULL &&
+          a->u.range->min != NULL && a->u.range->max != NULL));
+
+  assert((b->type == ASIdOrRange_id && b->u.id != NULL) ||
+         (b->type == ASIdOrRange_range && b->u.range != NULL &&
+          b->u.range->min != NULL && b->u.range->max != NULL));
+
+  if (a->type == ASIdOrRange_id && b->type == ASIdOrRange_id)
+    return ASN1_INTEGER_cmp(a->u.id, b->u.id);
+
+  if (a->type == ASIdOrRange_range && b->type == ASIdOrRange_range) {
+    int r = ASN1_INTEGER_cmp(a->u.range->min, b->u.range->min);
+    return r != 0 ? r : ASN1_INTEGER_cmp(a->u.range->max, b->u.range->max);
+  }
+
+  if (a->type == ASIdOrRange_id)
+    return ASN1_INTEGER_cmp(a->u.id, b->u.range->min);
+  else
+    return ASN1_INTEGER_cmp(a->u.range->min, b->u.id);
+}
+
+/*
+ * Add an inherit element.
+ */
+int v3_asid_add_inherit(ASIdentifiers *asid, int which)
+{
+  ASIdentifierChoice **choice;
+  if (asid == NULL)
+    return 0;
+  switch (which) {
+  case V3_ASID_ASNUM:
+    choice = &asid->asnum;
+    break;
+  case V3_ASID_RDI:
+    choice = &asid->rdi;
+    break;
+  default:
+    return 0;
+  }
+  if (*choice == NULL) {
+    if ((*choice = ASIdentifierChoice_new()) == NULL)
+      return 0;
+    assert((*choice)->u.inherit == NULL);
+    if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL)
+      return 0;
+    (*choice)->type = ASIdentifierChoice_inherit;
+  }
+  return (*choice)->type == ASIdentifierChoice_inherit;
+}
+
+/*
+ * Add an ID or range to an ASIdentifierChoice.
+ */
+int v3_asid_add_id_or_range(ASIdentifiers *asid,
+                            int which,
+                            ASN1_INTEGER *min,
+                            ASN1_INTEGER *max)
+{
+  ASIdentifierChoice **choice;
+  ASIdOrRange *aor;
+  if (asid == NULL)
+    return 0;
+  switch (which) {
+  case V3_ASID_ASNUM:
+    choice = &asid->asnum;
+    break;
+  case V3_ASID_RDI:
+    choice = &asid->rdi;
+    break;
+  default:
+    return 0;
+  }
+  if (*choice != NULL && (*choice)->type == ASIdentifierChoice_inherit)
+    return 0;
+  if (*choice == NULL) {
+    if ((*choice = ASIdentifierChoice_new()) == NULL)
+      return 0;
+    assert((*choice)->u.asIdsOrRanges == NULL);
+    (*choice)->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp);
+    if ((*choice)->u.asIdsOrRanges == NULL)
+      return 0;
+    (*choice)->type = ASIdentifierChoice_asIdsOrRanges;
+  }
+  if ((aor = ASIdOrRange_new()) == NULL)
+    return 0;
+  if (max == NULL) {
+    aor->type = ASIdOrRange_id;
+    aor->u.id = min;
+  } else {
+    aor->type = ASIdOrRange_range;
+    if ((aor->u.range = ASRange_new()) == NULL)
+      goto err;
+    ASN1_INTEGER_free(aor->u.range->min);
+    aor->u.range->min = min;
+    ASN1_INTEGER_free(aor->u.range->max);
+    aor->u.range->max = max;
+  }
+  if (!(sk_ASIdOrRange_push((*choice)->u.asIdsOrRanges, aor)))
+    goto err;
+  return 1;
+
+ err:
+  ASIdOrRange_free(aor);
+  return 0;
+}
+
+/*
+ * Extract min and max values from an ASIdOrRange.
+ */
+static void extract_min_max(ASIdOrRange *aor,
+                            ASN1_INTEGER **min,
+                            ASN1_INTEGER **max)
+{
+  assert(aor != NULL && min != NULL && max != NULL);
+  switch (aor->type) {
+  case ASIdOrRange_id:
+    *min = aor->u.id;
+    *max = aor->u.id;
+    return;
+  case ASIdOrRange_range:
+    *min = aor->u.range->min;
+    *max = aor->u.range->max;
+    return;
+  }
+}
+
+/*
+ * Check whether an ASIdentifierChoice is in canonical form.
+ */
+static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
+{
+  ASN1_INTEGER *a_max_plus_one = NULL;
+  BIGNUM *bn = NULL;
+  int i, ret = 0;
+
+  /*
+   * Empty element or inheritance is canonical.
+   */
+  if (choice == NULL || choice->type == ASIdentifierChoice_inherit)
+    return 1;
+
+  /*
+   * If not a list, or if empty list, it's broken.
+   */
+  if (choice->type != ASIdentifierChoice_asIdsOrRanges ||
+      sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0)
+    return 0;
+
+  /*
+   * It's a list, check it.
+   */
+  for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) {
+    ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
+    ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1);
+    ASN1_INTEGER *a_min, *a_max, *b_min, *b_max;
+
+    extract_min_max(a, &a_min, &a_max);
+    extract_min_max(b, &b_min, &b_max);
+
+    /*
+     * Punt misordered list, overlapping start, or inverted range.
+     */
+    if (ASN1_INTEGER_cmp(a_min, b_min) >= 0 ||
+        ASN1_INTEGER_cmp(a_min, a_max) > 0 ||
+        ASN1_INTEGER_cmp(b_min, b_max) > 0)
+      goto done;
+
+    /*
+     * Calculate a_max + 1 to check for adjacency.
+     */
+    if ((bn == NULL && (bn = BN_new()) == NULL) ||
+        ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
+        !BN_add_word(bn, 1) ||
+        (a_max_plus_one = BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) {
+      X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL,
+                ERR_R_MALLOC_FAILURE);
+      goto done;
+    }
+    
+    /*
+     * Punt if adjacent or overlapping.
+     */
+    if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) >= 0)
+      goto done;
+  }
+
+  ret = 1;
+
+ done:
+  ASN1_INTEGER_free(a_max_plus_one);
+  BN_free(bn);
+  return ret;
+}
+
+/*
+ * Check whether an ASIdentifier extension is in canonical form.
+ */
+int v3_asid_is_canonical(ASIdentifiers *asid)
+{
+  return (asid == NULL ||
+          (ASIdentifierChoice_is_canonical(asid->asnum) ||
+           ASIdentifierChoice_is_canonical(asid->rdi)));
+}
+
+/*
+ * Whack an ASIdentifierChoice into canonical form.
+ */
+static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
+{
+  ASN1_INTEGER *a_max_plus_one = NULL;
+  BIGNUM *bn = NULL;
+  int i, ret = 0;
+
+  /*
+   * Nothing to do for empty element or inheritance.
+   */
+  if (choice == NULL || choice->type == ASIdentifierChoice_inherit)
+    return 1;
+
+  /*
+   * We have a list.  Sort it.
+   */
+  assert(choice->type == ASIdentifierChoice_asIdsOrRanges);
+  sk_ASIdOrRange_sort(choice->u.asIdsOrRanges);
+
+  /*
+   * Now check for errors and suboptimal encoding, rejecting the
+   * former and fixing the latter.
+   */
+  for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) {
+    ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
+    ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1);
+    ASN1_INTEGER *a_min, *a_max, *b_min, *b_max;
+
+    extract_min_max(a, &a_min, &a_max);
+    extract_min_max(b, &b_min, &b_max);
+
+    /*
+     * Make sure we're properly sorted (paranoia).
+     */
+    assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0);
+
+    /*
+     * Check for overlaps.
+     */
+    if (ASN1_INTEGER_cmp(a_max, b_min) >= 0) {
+      X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
+                X509V3_R_EXTENSION_VALUE_ERROR);
+      goto done;
+    }
+
+    /*
+     * Calculate a_max + 1 to check for adjacency.
+     */
+    if ((bn == NULL && (bn = BN_new()) == NULL) ||
+        ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
+        !BN_add_word(bn, 1) ||
+        (a_max_plus_one = BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) {
+      X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, ERR_R_MALLOC_FAILURE);
+      goto done;
+    }
+    
+    /*
+     * If a and b are adjacent, merge them.
+     */
+    if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) == 0) {
+      ASRange *r;
+      switch (a->type) {
+      case ASIdOrRange_id:
+        if ((r = OPENSSL_malloc(sizeof(ASRange))) == NULL) {
+          X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
+                    ERR_R_MALLOC_FAILURE);
+          goto done;
+        }
+        r->min = a_min;
+        r->max = b_max;
+        a->type = ASIdOrRange_range;
+        a->u.range = r;
+        break;
+      case ASIdOrRange_range:
+        ASN1_INTEGER_free(a->u.range->max);
+        a->u.range->max = b_max;
+        break;
+      }
+      switch (b->type) {
+      case ASIdOrRange_id:
+        b->u.id = NULL;
+        break;
+      case ASIdOrRange_range:
+        b->u.range->max = NULL;
+        break;
+      }
+      ASIdOrRange_free(b);
+      (void)sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1);
+      i--;
+      continue;
+    }
+  }
+
+  assert(ASIdentifierChoice_is_canonical(choice)); /* Paranoia */
+
+  ret = 1;
+
+ done:
+  ASN1_INTEGER_free(a_max_plus_one);
+  BN_free(bn);
+  return ret;
+}
+
+/*
+ * Whack an ASIdentifier extension into canonical form.
+ */
+int v3_asid_canonize(ASIdentifiers *asid)
+{
+  return (asid == NULL ||
+          (ASIdentifierChoice_canonize(asid->asnum) &&
+           ASIdentifierChoice_canonize(asid->rdi)));
+}
+
+/*
+ * v2i method for an ASIdentifier extension.
+ */
+static void *v2i_ASIdentifiers(struct v3_ext_method *method,
+                               struct v3_ext_ctx *ctx,
+                               STACK_OF(CONF_VALUE) *values)
+{
+  ASIdentifiers *asid = NULL;
+  int i;
+
+  if ((asid = ASIdentifiers_new()) == NULL) {
+    X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
+    return NULL;
+  }
+
+  for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
+    CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
+    ASN1_INTEGER *min = NULL, *max = NULL;
+    int i1, i2, i3, is_range, which;
+
+    /*
+     * Figure out whether this is an AS or an RDI.
+     */
+    if (       !name_cmp(val->name, "AS")) {
+      which = V3_ASID_ASNUM;
+    } else if (!name_cmp(val->name, "RDI")) {
+      which = V3_ASID_RDI;
+    } else {
+      X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_EXTENSION_NAME_ERROR);
+      X509V3_conf_err(val);
+      goto err;
+    }
+
+    /*
+     * Handle inheritance.
+     */
+    if (!strcmp(val->value, "inherit")) {
+      if (v3_asid_add_inherit(asid, which))
+        continue;
+      X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_INVALID_INHERITANCE);
+      X509V3_conf_err(val);
+      goto err;
+    }
+
+    /*
+     * Number, range, or mistake, pick it apart and figure out which.
+     */
+    i1 = strspn(val->value, "0123456789");
+    if (val->value[i1] == '\0') {
+      is_range = 0;
+    } else {
+      is_range = 1;
+      i2 = i1 + strspn(val->value + i1, " \t");
+      if (val->value[i2] != '-') {
+        X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_INVALID_ASNUMBER);
+        X509V3_conf_err(val);
+        goto err;
+      }
+      i2++;
+      i2 = i2 + strspn(val->value + i2, " \t");
+      i3 = i2 + strspn(val->value + i2, "0123456789");
+      if (val->value[i3] != '\0') {
+        X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_INVALID_ASRANGE);
+        X509V3_conf_err(val);
+        goto err;
+      }
+    }
+
+    /*
+     * Syntax is ok, read and add it.
+     */
+    if (!is_range) {
+      if (!X509V3_get_value_int(val, &min)) {
+        X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
+        goto err;
+      }
+    } else {
+      char *s = BUF_strdup(val->value);
+      if (s == NULL) {
+        X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
+        goto err;
+      }
+      s[i1] = '\0';
+      min = s2i_ASN1_INTEGER(NULL, s);
+      max = s2i_ASN1_INTEGER(NULL, s + i2);
+      OPENSSL_free(s);
+      if (min == NULL || max == NULL) {
+        ASN1_INTEGER_free(min);
+        ASN1_INTEGER_free(max);
+        X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
+        goto err;
+      }
+    }
+    if (!v3_asid_add_id_or_range(asid, which, min, max)) {
+      ASN1_INTEGER_free(min);
+      ASN1_INTEGER_free(max);
+      X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
+      goto err;
+    }
+  }
+
+  /*
+   * Canonize the result, then we're done.
+   */
+  if (!v3_asid_canonize(asid))
+    goto err;
+  return asid;
+
+ err:
+  ASIdentifiers_free(asid);
+  return NULL;
+}
+
+/*
+ * OpenSSL dispatch.
+ */
+const X509V3_EXT_METHOD v3_asid = {
+  NID_sbgp_autonomousSysNum,    /* nid */
+  0,                            /* flags */
+  ASN1_ITEM_ref(ASIdentifiers), /* template */
+  0, 0, 0, 0,                   /* old functions, ignored */
+  0,                            /* i2s */
+  0,                            /* s2i */
+  0,                            /* i2v */
+  v2i_ASIdentifiers,            /* v2i */
+  i2r_ASIdentifiers,            /* i2r */
+  0,                            /* r2i */
+  NULL                          /* extension-specific data */
+};
+
+/*
+ * Figure out whether extension uses inheritance.
+ */
+int v3_asid_inherits(ASIdentifiers *asid)
+{
+  return (asid != NULL &&
+          ((asid->asnum != NULL &&
+            asid->asnum->type == ASIdentifierChoice_inherit) ||
+           (asid->rdi != NULL &&
+            asid->rdi->type == ASIdentifierChoice_inherit)));
+}
+
+/*
+ * Figure out whether parent contains child.
+ */
+static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child)
+{
+  ASN1_INTEGER *p_min, *p_max, *c_min, *c_max;
+  int p, c;
+
+  if (child == NULL || parent == child)
+    return 1;
+  if (parent == NULL)
+    return 0;
+
+  p = 0;
+  for (c = 0; c < sk_ASIdOrRange_num(child); c++) {
+    extract_min_max(sk_ASIdOrRange_value(child, c), &c_min, &c_max);
+    for (;; p++) {
+      if (p >= sk_ASIdOrRange_num(parent))
+        return 0;
+      extract_min_max(sk_ASIdOrRange_value(parent, p), &p_min, &p_max);
+      if (ASN1_INTEGER_cmp(p_max, c_max) < 0)
+        continue;
+      if (ASN1_INTEGER_cmp(p_min, c_min) > 0)
+        return 0;
+      break;
+    }
+  }
+
+  return 1;
+}
+
+/*
+ * Test whether a is a subet of b.
+ */
+int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
+{
+  return (a == NULL ||
+          a == b ||
+          (b != NULL &&
+           !v3_asid_inherits(a) &&
+           !v3_asid_inherits(b) &&
+           asid_contains(b->asnum->u.asIdsOrRanges,
+                         a->asnum->u.asIdsOrRanges) &&
+           asid_contains(b->rdi->u.asIdsOrRanges,
+                         a->rdi->u.asIdsOrRanges)));
+}
+
+/*
+ * Validation error handling via callback.
+ */
+#define validation_err(_err_)           \
+  do {                                  \
+    if (ctx != NULL) {                  \
+      ctx->error = _err_;               \
+      ctx->error_depth = i;             \
+      ctx->current_cert = x;            \
+      ret = ctx->verify_cb(0, ctx);     \
+    } else {                            \
+      ret = 0;                          \
+    }                                   \
+    if (!ret)                           \
+      goto done;                        \
+  } while (0)
+
+/*
+ * Core code for RFC 3779 3.3 path validation.
+ */
+static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx,
+                                          STACK_OF(X509) *chain,
+                                          ASIdentifiers *ext)
+{
+  ASIdOrRanges *child_as = NULL, *child_rdi = NULL;
+  int i, ret = 1, inherit_as = 0, inherit_rdi = 0;
+  X509 *x = NULL;
+
+  assert(chain != NULL && sk_X509_num(chain) > 0);
+  assert(ctx != NULL || ext != NULL);
+  assert(ctx == NULL || ctx->verify_cb != NULL);
+
+  /*
+   * Figure out where to start.  If we don't have an extension to
+   * check, we're done.  Otherwise, check canonical form and
+   * set up for walking up the chain.
+   */
+  if (ext != NULL) {
+    i = -1;
+  } else {
+    i = 0;
+    x = sk_X509_value(chain, i);
+    assert(x != NULL);
+    if ((ext = x->rfc3779_asid) == NULL)
+      goto done;
+  }
+  if (!v3_asid_is_canonical(ext))
+    validation_err(X509_V_ERR_INVALID_EXTENSION);
+  if (ext->asnum != NULL)  {
+    switch (ext->asnum->type) {
+    case ASIdentifierChoice_inherit:
+      inherit_as = 1;
+      break;
+    case ASIdentifierChoice_asIdsOrRanges:
+      child_as = ext->asnum->u.asIdsOrRanges;
+      break;
+    }
+  }
+  if (ext->rdi != NULL) {
+    switch (ext->rdi->type) {
+    case ASIdentifierChoice_inherit:
+      inherit_rdi = 1;
+      break;
+    case ASIdentifierChoice_asIdsOrRanges:
+      child_rdi = ext->rdi->u.asIdsOrRanges;
+      break;
+    }
+  }
+
+  /*
+   * Now walk up the chain.  Extensions must be in canonical form, no
+   * cert may list resources that its parent doesn't list.
+   */
+  for (i++; i < sk_X509_num(chain); i++) {
+    x = sk_X509_value(chain, i);
+    assert(x != NULL);
+    if (x->rfc3779_asid == NULL) {
+      if (child_as != NULL || child_rdi != NULL)
+        validation_err(X509_V_ERR_UNNESTED_RESOURCE);
+      continue;
+    }
+    if (!v3_asid_is_canonical(x->rfc3779_asid))
+      validation_err(X509_V_ERR_INVALID_EXTENSION);
+    if (x->rfc3779_asid->asnum == NULL && child_as != NULL) {
+      validation_err(X509_V_ERR_UNNESTED_RESOURCE);
+      child_as = NULL;
+      inherit_as = 0;
+    }
+    if (x->rfc3779_asid->asnum != NULL &&
+        x->rfc3779_asid->asnum->type == ASIdentifierChoice_asIdsOrRanges) {
+      if (inherit_as ||
+          asid_contains(x->rfc3779_asid->asnum->u.asIdsOrRanges, child_as)) {
+        child_as = x->rfc3779_asid->asnum->u.asIdsOrRanges;
+        inherit_as = 0;
+      } else {
+        validation_err(X509_V_ERR_UNNESTED_RESOURCE);
+      }
+    }
+    if (x->rfc3779_asid->rdi == NULL && child_rdi != NULL) {
+      validation_err(X509_V_ERR_UNNESTED_RESOURCE);
+      child_rdi = NULL;
+      inherit_rdi = 0;
+    }
+    if (x->rfc3779_asid->rdi != NULL &&
+        x->rfc3779_asid->rdi->type == ASIdentifierChoice_asIdsOrRanges) {
+      if (inherit_rdi ||
+          asid_contains(x->rfc3779_asid->rdi->u.asIdsOrRanges, child_rdi)) {
+        child_rdi = x->rfc3779_asid->rdi->u.asIdsOrRanges;
+        inherit_rdi = 0;
+      } else {
+        validation_err(X509_V_ERR_UNNESTED_RESOURCE);
+      }
+    }
+  }
+
+  /*
+   * Trust anchor can't inherit.
+   */
+  if (x->rfc3779_asid != NULL) {
+    if (x->rfc3779_asid->asnum != NULL &&
+        x->rfc3779_asid->asnum->type == ASIdentifierChoice_inherit)
+      validation_err(X509_V_ERR_UNNESTED_RESOURCE);
+    if (x->rfc3779_asid->rdi != NULL &&
+        x->rfc3779_asid->rdi->type == ASIdentifierChoice_inherit)
+      validation_err(X509_V_ERR_UNNESTED_RESOURCE);
+  }
+
+ done:
+  return ret;
+}
+
+#undef validation_err
+
+/*
+ * RFC 3779 3.3 path validation -- called from X509_verify_cert().
+ */
+int v3_asid_validate_path(X509_STORE_CTX *ctx)
+{
+  return v3_asid_validate_path_internal(ctx, ctx->chain, NULL);
+}
+
+/*
+ * RFC 3779 3.3 path validation of an extension.
+ * Test whether chain covers extension.
+ */
+int v3_asid_validate_resource_set(STACK_OF(X509) *chain,
+                                  ASIdentifiers *ext,
+                                  int allow_inheritance)
+{
+  if (ext == NULL)
+    return 1;
+  if (chain == NULL || sk_X509_num(chain) == 0)
+    return 0;
+  if (!allow_inheritance && v3_asid_inherits(ext))
+    return 0;
+  return v3_asid_validate_path_internal(NULL, chain, ext);
+}
+
+#endif /* OPENSSL_NO_RFC3779 */
diff --git a/src/lib/libcrypto/x509v3/v3_conf.c b/src/lib/libcrypto/x509v3/v3_conf.c
index 6730f9a6ee..11eb6b7fd5 100644
--- a/src/lib/libcrypto/x509v3/v3_conf.c
+++ b/src/lib/libcrypto/x509v3/v3_conf.c
@@ -72,14 +72,14 @@ static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, in
 static X509_EXTENSION *v3_generic_extension(const char *ext, char *value, int crit, int type, X509V3_CTX *ctx);
 static char *conf_lhash_get_string(void *db, char *section, char *value);
 static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section);
-static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,
-                                  int crit, void *ext_struc);
+static X509_EXTENSION *do_ext_i2d(X509V3_EXT_METHOD *method, int ext_nid,
+                                                 int crit, void *ext_struc);
 static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len);
 /* CONF *conf:  Config file    */
 /* char *name:  Name    */
 /* char *value:  Value    */
 X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name,
-                                 char *value)
+             char *value)
         {
         int crit;
         int ext_type;
@@ -99,7 +99,7 @@ X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name,
 /* CONF *conf:  Config file    */
 /* char *value:  Value    */
 X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
-                                     char *value)
+             char *value)
         {
         int crit;
         int ext_type;
@@ -113,9 +113,9 @@ X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
 /* CONF *conf:  Config file    */
 /* char *value:  Value    */
 static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
-                                    int crit, char *value)
+             int crit, char *value)
         {
-        const X509V3_EXT_METHOD *method;
+        X509V3_EXT_METHOD *method;
         X509_EXTENSION *ext;
         STACK_OF(CONF_VALUE) *nval;
         void *ext_struc;
@@ -172,8 +172,8 @@ static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
 
         }
 
-static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,
-                                  int crit, void *ext_struc)
+static X509_EXTENSION *do_ext_i2d(X509V3_EXT_METHOD *method, int ext_nid,
+                                                 int crit, void *ext_struc)
         {
         unsigned char *ext_der;
         int ext_len;
@@ -214,7 +214,7 @@ static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,
 
 X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc)
         {
-        const X509V3_EXT_METHOD *method;
+        X509V3_EXT_METHOD *method;
         if (!(method = X509V3_EXT_get_nid(ext_nid))) {
                 X509V3err(X509V3_F_X509V3_EXT_I2D,X509V3_R_UNKNOWN_EXTENSION);
                 return NULL;
@@ -258,8 +258,7 @@ static int v3_check_generic(char **value)
 
 /* Create a generic extension: for now just handle DER type */
 static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
-                                            int crit, int gen_type,
-                                            X509V3_CTX *ctx)
+             int crit, int gen_type, X509V3_CTX *ctx)
         {
         unsigned char *ext_der=NULL;
         long ext_len;
@@ -323,7 +322,7 @@ static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len)
 
 
 int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section,
-                            STACK_OF(X509_EXTENSION) **sk)
+             STACK_OF(X509_EXTENSION) **sk)
         {
         X509_EXTENSION *ext;
         STACK_OF(CONF_VALUE) *nval;
@@ -344,7 +343,7 @@ int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section,
 /* Convenience functions to add extensions to a certificate, CRL and request */
 
 int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
-                         X509 *cert)
+             X509 *cert)
         {
         STACK_OF(X509_EXTENSION) **sk = NULL;
         if (cert)
@@ -355,7 +354,7 @@ int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
 /* Same as above but for a CRL */
 
 int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
-                             X509_CRL *crl)
+             X509_CRL *crl)
         {
         STACK_OF(X509_EXTENSION) **sk = NULL;
         if (crl)
@@ -444,7 +443,7 @@ void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf)
         }
 
 void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
-                    X509_CRL *crl, int flags)
+             X509_CRL *crl, int flags)
         {
         ctx->issuer_cert = issuer;
         ctx->subject_cert = subj;
@@ -455,8 +454,8 @@ void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
 
 /* Old conf compatibility functions */
 
-X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-                                char *name, char *value)
+X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name,
+             char *value)
         {
         CONF ctmp;
         CONF_set_nconf(&ctmp, conf);
@@ -465,8 +464,8 @@ X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
 
 /* LHASH *conf:  Config file    */
 /* char *value:  Value    */
-X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-                                    int ext_nid, char *value)
+X509_EXTENSION *X509V3_EXT_conf_nid(LHASH *conf, X509V3_CTX *ctx, int ext_nid,
+             char *value)
         {
         CONF ctmp;
         CONF_set_nconf(&ctmp, conf);
@@ -490,14 +489,14 @@ NULL,
 NULL
 };
 
-void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash)
+void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH *lhash)
         {
         ctx->db_meth = &conf_lhash_method;
         ctx->db = lhash;
         }
 
-int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-                        char *section, X509 *cert)
+int X509V3_EXT_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
+             X509 *cert)
         {
         CONF ctmp;
         CONF_set_nconf(&ctmp, conf);
@@ -506,8 +505,8 @@ int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
 
 /* Same as above but for a CRL */
 
-int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-                            char *section, X509_CRL *crl)
+int X509V3_EXT_CRL_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
+             X509_CRL *crl)
         {
         CONF ctmp;
         CONF_set_nconf(&ctmp, conf);
@@ -516,8 +515,8 @@ int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
 
 /* Add extensions to certificate request */
 
-int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-                            char *section, X509_REQ *req)
+int X509V3_EXT_REQ_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
+             X509_REQ *req)
         {
         CONF ctmp;
         CONF_set_nconf(&ctmp, conf);
diff --git a/src/lib/libcrypto/x509v3/v3_cpols.c b/src/lib/libcrypto/x509v3/v3_cpols.c
index 1f0798b946..ad0506d75c 100644
--- a/src/lib/libcrypto/x509v3/v3_cpols.c
+++ b/src/lib/libcrypto/x509v3/v3_cpols.c
@@ -450,8 +450,5 @@ void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
         else
                 BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
         }
-
-
+        
 IMPLEMENT_STACK_OF(X509_POLICY_NODE)
-IMPLEMENT_STACK_OF(X509_POLICY_DATA)
-
diff --git a/src/lib/libcrypto/x509v3/v3_crld.c b/src/lib/libcrypto/x509v3/v3_crld.c
index 790a6dd032..181a8977b1 100644
--- a/src/lib/libcrypto/x509v3/v3_crld.c
+++ b/src/lib/libcrypto/x509v3/v3_crld.c
@@ -3,7 +3,7 @@
  * project 1999.
  */
 /* ====================================================================
- * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -63,254 +63,45 @@
 #include <openssl/asn1t.h>
 #include <openssl/x509v3.h>
 
-static void *v2i_crld(const X509V3_EXT_METHOD *method,
-                      X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
-                     int indent);
-
-const X509V3_EXT_METHOD v3_crld =
-        {
-        NID_crl_distribution_points, 0, ASN1_ITEM_ref(CRL_DIST_POINTS),
-        0,0,0,0,
-        0,0,
-        0,
-        v2i_crld,
-        i2r_crldp,0,
-        NULL
-        };
-
-const X509V3_EXT_METHOD v3_freshest_crl =
-        {
-        NID_freshest_crl, 0, ASN1_ITEM_ref(CRL_DIST_POINTS),
-        0,0,0,0,
-        0,0,
-        0,
-        v2i_crld,
-        i2r_crldp,0,
-        NULL
-        };
-
-static STACK_OF(GENERAL_NAME) *gnames_from_sectname(X509V3_CTX *ctx, char *sect)
-        {
-        STACK_OF(CONF_VALUE) *gnsect;
-        STACK_OF(GENERAL_NAME) *gens;
-        if (*sect == '@')
-                gnsect = X509V3_get_section(ctx, sect + 1);
-        else
-                gnsect = X509V3_parse_list(sect);
-        if (!gnsect)
-                {
-                X509V3err(X509V3_F_GNAMES_FROM_SECTNAME,
-                                                X509V3_R_SECTION_NOT_FOUND);
-                return NULL;
-                }
-        gens = v2i_GENERAL_NAMES(NULL, ctx, gnsect);
-        if (*sect == '@')
-                X509V3_section_free(ctx, gnsect);
-        else
-                sk_CONF_VALUE_pop_free(gnsect, X509V3_conf_free);
-        return gens;
-        }
-
-static int set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx,
-                                                        CONF_VALUE *cnf)
-        {
-        STACK_OF(GENERAL_NAME) *fnm = NULL;
-        STACK_OF(X509_NAME_ENTRY) *rnm = NULL;
-        if (!strncmp(cnf->name, "fullname", 9))
-                {
-                fnm = gnames_from_sectname(ctx, cnf->value);
-                if (!fnm)
-                        goto err;
-                }
-        else if (!strcmp(cnf->name, "relativename"))
-                {
-                int ret;
-                STACK_OF(CONF_VALUE) *dnsect;
-                X509_NAME *nm;
-                nm = X509_NAME_new();
-                if (!nm)
-                        return -1;
-                dnsect = X509V3_get_section(ctx, cnf->value);
-                if (!dnsect)
-                        {
-                        X509V3err(X509V3_F_SET_DIST_POINT_NAME,
-                                                X509V3_R_SECTION_NOT_FOUND);
-                        return -1;
-                        }
-                ret = X509V3_NAME_from_section(nm, dnsect, MBSTRING_ASC);
-                X509V3_section_free(ctx, dnsect);
-                rnm = nm->entries;
-                nm->entries = NULL;
-                X509_NAME_free(nm);
-                if (!ret || sk_X509_NAME_ENTRY_num(rnm) <= 0)
-                        goto err;
-                /* Since its a name fragment can't have more than one
-                 * RDNSequence
-                 */
-                if (sk_X509_NAME_ENTRY_value(rnm,
-                                sk_X509_NAME_ENTRY_num(rnm) - 1)->set)
-                        {
-                        X509V3err(X509V3_F_SET_DIST_POINT_NAME,
-                                                X509V3_R_INVALID_MULTIPLE_RDNS);
-                        goto err;
-                        }
-                }
-        else
-                return 0;
-
-        if (*pdp)
-                {
-                X509V3err(X509V3_F_SET_DIST_POINT_NAME,
-                                                X509V3_R_DISTPOINT_ALREADY_SET);
-                goto err;
-                }
-
-        *pdp = DIST_POINT_NAME_new();
-        if (!*pdp)
-                goto err;
-        if (fnm)
-                {
-                (*pdp)->type = 0;
-                (*pdp)->name.fullname = fnm;
-                }
-        else
-                {
-                (*pdp)->type = 1;
-                (*pdp)->name.relativename = rnm;
-                }
-
-        return 1;
-                
-        err:
-        if (fnm)
-                sk_GENERAL_NAME_pop_free(fnm, GENERAL_NAME_free);
-        if (rnm)
-                sk_X509_NAME_ENTRY_pop_free(rnm, X509_NAME_ENTRY_free);
-        return -1;
-        }
-
-static const BIT_STRING_BITNAME reason_flags[] = {
-{0, "Unused", "unused"},
-{1, "Key Compromise", "keyCompromise"},
-{2, "CA Compromise", "CACompromise"},
-{3, "Affiliation Changed", "affiliationChanged"},
-{4, "Superseded", "superseded"},
-{5, "Cessation Of Operation", "cessationOfOperation"},
-{6, "Certificate Hold", "certificateHold"},
-{7, "Privilege Withdrawn", "privilegeWithdrawn"},
-{8, "AA Compromise", "AACompromise"},
-{-1, NULL, NULL}
+static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
+                STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *extlist);
+static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
+                                X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+
+const X509V3_EXT_METHOD v3_crld = {
+NID_crl_distribution_points, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(CRL_DIST_POINTS),
+0,0,0,0,
+0,0,
+(X509V3_EXT_I2V)i2v_crld,
+(X509V3_EXT_V2I)v2i_crld,
+0,0,
+NULL
 };
 
-static int set_reasons(ASN1_BIT_STRING **preas, char *value)
-        {
-        STACK_OF(CONF_VALUE) *rsk = NULL;
-        const BIT_STRING_BITNAME *pbn;
-        const char *bnam;
-        int i, ret = 0;
-        rsk = X509V3_parse_list(value);
-        if (!rsk)
-                return 0;
-        if (*preas)
-                return 0;
-        for (i = 0; i < sk_CONF_VALUE_num(rsk); i++)
-                {
-                bnam = sk_CONF_VALUE_value(rsk, i)->name;
-                if (!*preas)
-                        {
-                        *preas = ASN1_BIT_STRING_new();
-                        if (!*preas)
-                                goto err;
-                        }
-                for (pbn = reason_flags; pbn->lname; pbn++)
-                        {
-                        if (!strcmp(pbn->sname, bnam))
-                                {
-                                if (!ASN1_BIT_STRING_set_bit(*preas,
-                                                        pbn->bitnum, 1))
-                                        goto err;
-                                break;
-                                }
-                        }
-                if (!pbn->lname)
-                        goto err;
-                }
-        ret = 1;
-
-        err:
-        sk_CONF_VALUE_pop_free(rsk, X509V3_conf_free);
-        return ret;
-        }
-
-static int print_reasons(BIO *out, const char *rname,
-                        ASN1_BIT_STRING *rflags, int indent)
-        {
-        int first = 1;
-        const BIT_STRING_BITNAME *pbn;
-        BIO_printf(out, "%*s%s:\n%*s", indent, "", rname, indent + 2, "");
-        for (pbn = reason_flags; pbn->lname; pbn++)
-                {
-                if (ASN1_BIT_STRING_get_bit(rflags, pbn->bitnum))
-                        {
-                        if (first)
-                                first = 0;
-                        else
-                                BIO_puts(out, ", ");
-                        BIO_puts(out, pbn->lname);
-                        }
-                }
-        if (first)
-                BIO_puts(out, "<EMPTY>\n");
-        else
-                BIO_puts(out, "\n");
-        return 1;
-        }
-
-static DIST_POINT *crldp_from_section(X509V3_CTX *ctx,
-                                                STACK_OF(CONF_VALUE) *nval)
-        {
+static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
+                        STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *exts)
+{
+        DIST_POINT *point;
         int i;
-        CONF_VALUE *cnf;
-        DIST_POINT *point = NULL;
-        point = DIST_POINT_new();
-        if (!point)
-                goto err;
-        for(i = 0; i < sk_CONF_VALUE_num(nval); i++)
-                {
-                int ret;
-                cnf = sk_CONF_VALUE_value(nval, i);
-                ret = set_dist_point_name(&point->distpoint, ctx, cnf);
-                if (ret > 0)
-                        continue;
-                if (ret < 0)
-                        goto err;
-                if (!strcmp(cnf->name, "reasons"))
-                        {
-                        if (!set_reasons(&point->reasons, cnf->value))
-                                goto err;
-                        }
-                else if (!strcmp(cnf->name, "CRLissuer"))
-                        {
-                        point->CRLissuer =
-                                gnames_from_sectname(ctx, cnf->value);
-                        if (!point->CRLissuer)
-                                goto err;
-                        }
+        for(i = 0; i < sk_DIST_POINT_num(crld); i++) {
+                point = sk_DIST_POINT_value(crld, i);
+                if(point->distpoint) {
+                        if(point->distpoint->type == 0)
+                                exts = i2v_GENERAL_NAMES(NULL,
+                                         point->distpoint->name.fullname, exts);
+                        else X509V3_add_value("RelativeName","<UNSUPPORTED>", &exts);
                 }
-
-        return point;
-                        
-
-        err:
-        if (point)
-                DIST_POINT_free(point);
-        return NULL;
+                if(point->reasons) 
+                        X509V3_add_value("reasons","<UNSUPPORTED>", &exts);
+                if(point->CRLissuer)
+                        X509V3_add_value("CRLissuer","<UNSUPPORTED>", &exts);
         }
+        return exts;
+}
 
-static void *v2i_crld(const X509V3_EXT_METHOD *method,
-                      X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
-        {
+static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
+                                X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+{
         STACK_OF(DIST_POINT) *crld = NULL;
         GENERAL_NAMES *gens = NULL;
         GENERAL_NAME *gen = NULL;
@@ -320,44 +111,19 @@ static void *v2i_crld(const X509V3_EXT_METHOD *method,
         for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
                 DIST_POINT *point;
                 cnf = sk_CONF_VALUE_value(nval, i);
-                if (!cnf->value)
-                        {
-                        STACK_OF(CONF_VALUE) *dpsect;
-                        dpsect = X509V3_get_section(ctx, cnf->name);
-                        if (!dpsect)
-                                goto err;
-                        point = crldp_from_section(ctx, dpsect);
-                        X509V3_section_free(ctx, dpsect);
-                        if (!point)
-                                goto err;
-                        if(!sk_DIST_POINT_push(crld, point))
-                                {
-                                DIST_POINT_free(point);
-                                goto merr;
-                                }
-                        }
-                else
-                        {
-                        if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
-                                goto err; 
-                        if(!(gens = GENERAL_NAMES_new()))
-                                goto merr;
-                        if(!sk_GENERAL_NAME_push(gens, gen))
-                                goto merr;
-                        gen = NULL;
-                        if(!(point = DIST_POINT_new()))
-                                goto merr;
-                        if(!sk_DIST_POINT_push(crld, point))
-                                {
-                                DIST_POINT_free(point);
-                                goto merr;
-                                }
-                        if(!(point->distpoint = DIST_POINT_NAME_new()))
-                                goto merr;
-                        point->distpoint->name.fullname = gens;
-                        point->distpoint->type = 0;
-                        gens = NULL;
-                        }
+                if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) goto err; 
+                if(!(gens = GENERAL_NAMES_new())) goto merr;
+                if(!sk_GENERAL_NAME_push(gens, gen)) goto merr;
+                gen = NULL;
+                if(!(point = DIST_POINT_new())) goto merr;
+                if(!sk_DIST_POINT_push(crld, point)) {
+                        DIST_POINT_free(point);
+                        goto merr;
+                }
+                if(!(point->distpoint = DIST_POINT_NAME_new())) goto merr;
+                point->distpoint->name.fullname = gens;
+                point->distpoint->type = 0;
+                gens = NULL;
         }
         return crld;
 
@@ -373,31 +139,11 @@ static void *v2i_crld(const X509V3_EXT_METHOD *method,
 IMPLEMENT_STACK_OF(DIST_POINT)
 IMPLEMENT_ASN1_SET_OF(DIST_POINT)
 
-static int dpn_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
-                                                                void *exarg)
-        {
-        DIST_POINT_NAME *dpn = (DIST_POINT_NAME *)*pval;
-
-        switch(operation)
-                {
-                case ASN1_OP_NEW_POST:
-                dpn->dpname = NULL;
-                break;
-
-                case ASN1_OP_FREE_POST:
-                if (dpn->dpname)
-                        X509_NAME_free(dpn->dpname);
-                break;
-                }
-        return 1;
-        }
-
 
-ASN1_CHOICE_cb(DIST_POINT_NAME, dpn_cb) = {
+ASN1_CHOICE(DIST_POINT_NAME) = {
         ASN1_IMP_SEQUENCE_OF(DIST_POINT_NAME, name.fullname, GENERAL_NAME, 0),
         ASN1_IMP_SET_OF(DIST_POINT_NAME, name.relativename, X509_NAME_ENTRY, 1)
-} ASN1_CHOICE_END_cb(DIST_POINT_NAME, DIST_POINT_NAME, type)
-
+} ASN1_CHOICE_END(DIST_POINT_NAME)
 
 IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT_NAME)
 
@@ -414,203 +160,3 @@ ASN1_ITEM_TEMPLATE(CRL_DIST_POINTS) =
 ASN1_ITEM_TEMPLATE_END(CRL_DIST_POINTS)
 
 IMPLEMENT_ASN1_FUNCTIONS(CRL_DIST_POINTS)
-
-ASN1_SEQUENCE(ISSUING_DIST_POINT) = {
-        ASN1_EXP_OPT(ISSUING_DIST_POINT, distpoint, DIST_POINT_NAME, 0),
-        ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyuser, ASN1_FBOOLEAN, 1),
-        ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyCA, ASN1_FBOOLEAN, 2),
-        ASN1_IMP_OPT(ISSUING_DIST_POINT, onlysomereasons, ASN1_BIT_STRING, 3),
-        ASN1_IMP_OPT(ISSUING_DIST_POINT, indirectCRL, ASN1_FBOOLEAN, 4),
-        ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyattr, ASN1_FBOOLEAN, 5)
-} ASN1_SEQUENCE_END(ISSUING_DIST_POINT)
-
-IMPLEMENT_ASN1_FUNCTIONS(ISSUING_DIST_POINT)
-
-static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
-                   int indent);
-static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-                     STACK_OF(CONF_VALUE) *nval);
-
-const X509V3_EXT_METHOD v3_idp =
-        {
-        NID_issuing_distribution_point, X509V3_EXT_MULTILINE,
-        ASN1_ITEM_ref(ISSUING_DIST_POINT),
-        0,0,0,0,
-        0,0,
-        0,
-        v2i_idp,
-        i2r_idp,0,
-        NULL
-        };
-
-static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-                     STACK_OF(CONF_VALUE) *nval)
-        {
-        ISSUING_DIST_POINT *idp = NULL;
-        CONF_VALUE *cnf;
-        char *name, *val;
-        int i, ret;
-        idp = ISSUING_DIST_POINT_new();
-        if (!idp)
-                goto merr;
-        for(i = 0; i < sk_CONF_VALUE_num(nval); i++)
-                {
-                cnf = sk_CONF_VALUE_value(nval, i);
-                name = cnf->name;
-                val = cnf->value;
-                ret = set_dist_point_name(&idp->distpoint, ctx, cnf);
-                if (ret > 0)
-                        continue;
-                if (ret < 0)
-                        goto err;
-                if (!strcmp(name, "onlyuser"))
-                        {
-                        if (!X509V3_get_value_bool(cnf, &idp->onlyuser))
-                                goto err;
-                        }
-                else if (!strcmp(name, "onlyCA"))
-                        {
-                        if (!X509V3_get_value_bool(cnf, &idp->onlyCA))
-                                goto err;
-                        }
-                else if (!strcmp(name, "onlyAA"))
-                        {
-                        if (!X509V3_get_value_bool(cnf, &idp->onlyattr))
-                                goto err;
-                        }
-                else if (!strcmp(name, "indirectCRL"))
-                        {
-                        if (!X509V3_get_value_bool(cnf, &idp->indirectCRL))
-                                goto err;
-                        }
-                else if (!strcmp(name, "onlysomereasons"))
-                        {
-                        if (!set_reasons(&idp->onlysomereasons, val))
-                                goto err;
-                        }
-                else
-                        {
-                        X509V3err(X509V3_F_V2I_IDP, X509V3_R_INVALID_NAME);
-                        X509V3_conf_err(cnf);
-                        goto err;
-                        }
-                }
-        return idp;
-
-        merr:
-        X509V3err(X509V3_F_V2I_IDP,ERR_R_MALLOC_FAILURE);
-        err:
-        ISSUING_DIST_POINT_free(idp);
-        return NULL;
-        }
-
-static int print_gens(BIO *out, STACK_OF(GENERAL_NAME) *gens, int indent)
-        {
-        int i;
-        for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
-                {
-                BIO_printf(out, "%*s", indent + 2, "");
-                GENERAL_NAME_print(out, sk_GENERAL_NAME_value(gens, i));
-                BIO_puts(out, "\n");
-                }
-        return 1;
-        }
-
-static int print_distpoint(BIO *out, DIST_POINT_NAME *dpn, int indent)
-        {
-        if (dpn->type == 0)
-                {
-                BIO_printf(out, "%*sFull Name:\n", indent, "");
-                print_gens(out, dpn->name.fullname, indent);
-                }
-        else
-                {
-                X509_NAME ntmp;
-                ntmp.entries = dpn->name.relativename;
-                BIO_printf(out, "%*sRelative Name:\n%*s",
-                                                indent, "", indent + 2, "");
-                X509_NAME_print_ex(out, &ntmp, 0, XN_FLAG_ONELINE);
-                BIO_puts(out, "\n");
-                }
-        return 1;
-        }
-
-static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
-                   int indent)
-        {
-        ISSUING_DIST_POINT *idp = pidp;
-        if (idp->distpoint)
-                print_distpoint(out, idp->distpoint, indent);
-        if (idp->onlyuser > 0)
-                BIO_printf(out, "%*sOnly User Certificates\n", indent, "");
-        if (idp->onlyCA > 0)
-                BIO_printf(out, "%*sOnly CA Certificates\n", indent, "");
-        if (idp->indirectCRL > 0)
-                BIO_printf(out, "%*sIndirect CRL\n", indent, "");
-        if (idp->onlysomereasons)
-                print_reasons(out, "Only Some Reasons", 
-                                idp->onlysomereasons, indent);
-        if (idp->onlyattr > 0)
-                BIO_printf(out, "%*sOnly Attribute Certificates\n", indent, "");
-        if (!idp->distpoint && (idp->onlyuser <= 0) && (idp->onlyCA <= 0)
-                && (idp->indirectCRL <= 0) && !idp->onlysomereasons
-                && (idp->onlyattr <= 0))
-                BIO_printf(out, "%*s<EMPTY>\n", indent, "");
-                
-        return 1;
-        }
-
-static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
-                     int indent)
-        {
-        STACK_OF(DIST_POINT) *crld = pcrldp;
-        DIST_POINT *point;
-        int i;
-        for(i = 0; i < sk_DIST_POINT_num(crld); i++)
-                {
-                BIO_puts(out, "\n");
-                point = sk_DIST_POINT_value(crld, i);
-                if(point->distpoint)
-                        print_distpoint(out, point->distpoint, indent);
-                if(point->reasons) 
-                        print_reasons(out, "Reasons", point->reasons,
-                                                                indent);
-                if(point->CRLissuer)
-                        {
-                        BIO_printf(out, "%*sCRL Issuer:\n", indent, "");
-                        print_gens(out, point->CRLissuer, indent);
-                        }
-                }
-        return 1;
-        }
-
-int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname)
-        {
-        int i;
-        STACK_OF(X509_NAME_ENTRY) *frag;
-        X509_NAME_ENTRY *ne;
-        if (!dpn || (dpn->type != 1))
-                return 1;
-        frag = dpn->name.relativename;
-        dpn->dpname = X509_NAME_dup(iname);
-        if (!dpn->dpname)
-                return 0;
-        for (i = 0; i < sk_X509_NAME_ENTRY_num(frag); i++)
-                {
-                ne = sk_X509_NAME_ENTRY_value(frag, i);
-                if (!X509_NAME_add_entry(dpn->dpname, ne, -1, i ? 0 : 1))
-                        {
-                        X509_NAME_free(dpn->dpname);
-                        dpn->dpname = NULL;
-                        return 0;
-                        }
-                }
-        /* generate cached encoding of name */
-        if (i2d_X509_NAME(dpn->dpname, NULL) < 0)
-                {
-                X509_NAME_free(dpn->dpname);
-                dpn->dpname = NULL;
-                return 0;
-                }
-        return 1;
-        }
diff --git a/src/lib/libcrypto/x509v3/v3_enum.c b/src/lib/libcrypto/x509v3/v3_enum.c
index c0575e368d..36576eaa4d 100644
--- a/src/lib/libcrypto/x509v3/v3_enum.c
+++ b/src/lib/libcrypto/x509v3/v3_enum.c
@@ -61,17 +61,14 @@
 #include <openssl/x509v3.h>
 
 static ENUMERATED_NAMES crl_reasons[] = {
-{CRL_REASON_UNSPECIFIED,         "Unspecified", "unspecified"},
-{CRL_REASON_KEY_COMPROMISE,      "Key Compromise", "keyCompromise"},
-{CRL_REASON_CA_COMPROMISE,       "CA Compromise", "CACompromise"},
-{CRL_REASON_AFFILIATION_CHANGED, "Affiliation Changed", "affiliationChanged"},
-{CRL_REASON_SUPERSEDED,          "Superseded", "superseded"},
-{CRL_REASON_CESSATION_OF_OPERATION,
-                        "Cessation Of Operation", "cessationOfOperation"},
-{CRL_REASON_CERTIFICATE_HOLD,    "Certificate Hold", "certificateHold"},
-{CRL_REASON_REMOVE_FROM_CRL,     "Remove From CRL", "removeFromCRL"},
-{CRL_REASON_PRIVILEGE_WITHDRAWN, "Privilege Withdrawn", "privilegeWithdrawn"},
-{CRL_REASON_AA_COMPROMISE,       "AA Compromise", "AACompromise"},
+{0, "Unspecified", "unspecified"},
+{1, "Key Compromise", "keyCompromise"},
+{2, "CA Compromise", "CACompromise"},
+{3, "Affiliation Changed", "affiliationChanged"},
+{4, "Superseded", "superseded"},
+{5, "Cessation Of Operation", "cessationOfOperation"},
+{6, "Certificate Hold", "certificateHold"},
+{8, "Remove From CRL", "removeFromCRL"},
 {-1, NULL, NULL}
 };
 
diff --git a/src/lib/libcrypto/x509v3/v3_extku.c b/src/lib/libcrypto/x509v3/v3_extku.c
index 1c66532757..c0d14500ed 100644
--- a/src/lib/libcrypto/x509v3/v3_extku.c
+++ b/src/lib/libcrypto/x509v3/v3_extku.c
@@ -63,10 +63,9 @@
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
 
-static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
-                                    X509V3_CTX *ctx,
-                                    STACK_OF(CONF_VALUE) *nval);
-static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
+static void *v2i_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
+                                X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
                 void *eku, STACK_OF(CONF_VALUE) *extlist);
 
 const X509V3_EXT_METHOD v3_ext_ku = {
@@ -98,9 +97,8 @@ ASN1_ITEM_TEMPLATE_END(EXTENDED_KEY_USAGE)
 
 IMPLEMENT_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE)
 
-static STACK_OF(CONF_VALUE) *
-  i2v_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method, void *a,
-                         STACK_OF(CONF_VALUE) *ext_list)
+static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
+                void *a, STACK_OF(CONF_VALUE) *ext_list)
 {
         EXTENDED_KEY_USAGE *eku = a;
         int i;
@@ -114,8 +112,8 @@ static STACK_OF(CONF_VALUE) *
         return ext_list;
 }
 
-static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
-                                    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+static void *v2i_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
+                                X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
 {
         EXTENDED_KEY_USAGE *extku;
         char *extval;
diff --git a/src/lib/libcrypto/x509v3/v3_genn.c b/src/lib/libcrypto/x509v3/v3_genn.c
index b628357301..84b4b1c881 100644
--- a/src/lib/libcrypto/x509v3/v3_genn.c
+++ b/src/lib/libcrypto/x509v3/v3_genn.c
@@ -3,7 +3,7 @@
  * project 1999.
  */
 /* ====================================================================
- * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -99,154 +99,3 @@ ASN1_ITEM_TEMPLATE(GENERAL_NAMES) =
 ASN1_ITEM_TEMPLATE_END(GENERAL_NAMES)
 
 IMPLEMENT_ASN1_FUNCTIONS(GENERAL_NAMES)
-
-GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a)
-        {
-        return (GENERAL_NAME *) ASN1_dup((i2d_of_void *) i2d_GENERAL_NAME,
-                                         (d2i_of_void *) d2i_GENERAL_NAME,
-                                         (char *) a);
-        }
-
-/* Returns 0 if they are equal, != 0 otherwise. */
-int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
-        {
-        int result = -1;
-
-        if (!a || !b || a->type != b->type) return -1;
-        switch(a->type)
-                {
-        case GEN_X400:
-        case GEN_EDIPARTY:
-                result = ASN1_TYPE_cmp(a->d.other, b->d.other);
-                break;
-
-        case GEN_OTHERNAME:
-                result = OTHERNAME_cmp(a->d.otherName, b->d.otherName);
-                break;
-
-        case GEN_EMAIL:
-        case GEN_DNS:
-        case GEN_URI:
-                result = ASN1_STRING_cmp(a->d.ia5, b->d.ia5);
-                break;
-
-        case GEN_DIRNAME:
-                result = X509_NAME_cmp(a->d.dirn, b->d.dirn);
-                break;
-
-        case GEN_IPADD:
-                result = ASN1_OCTET_STRING_cmp(a->d.ip, b->d.ip);
-                break;
-        
-        case GEN_RID:
-                result = OBJ_cmp(a->d.rid, b->d.rid);
-                break;
-                }
-        return result;
-        }
-
-/* Returns 0 if they are equal, != 0 otherwise. */
-int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b)
-        {
-        int result = -1;
-
-        if (!a || !b) return -1;
-        /* Check their type first. */
-        if ((result = OBJ_cmp(a->type_id, b->type_id)) != 0)
-                return result;
-        /* Check the value. */
-        result = ASN1_TYPE_cmp(a->value, b->value);
-        return result;
-        }
-
-void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value)
-        {
-        switch(type)
-                {
-        case GEN_X400:
-        case GEN_EDIPARTY:
-                a->d.other = value;
-                break;
-
-        case GEN_OTHERNAME:
-                a->d.otherName = value;
-                break;
-
-        case GEN_EMAIL:
-        case GEN_DNS:
-        case GEN_URI:
-                a->d.ia5 = value;
-                break;
-
-        case GEN_DIRNAME:
-                a->d.dirn = value;
-                break;
-
-        case GEN_IPADD:
-                a->d.ip = value;
-                break;
-        
-        case GEN_RID:
-                a->d.rid = value;
-                break;
-                }
-        a->type = type;
-        }
-
-void *GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype)
-        {
-        if (ptype)
-                *ptype = a->type;
-        switch(a->type)
-                {
-        case GEN_X400:
-        case GEN_EDIPARTY:
-                return a->d.other;
-
-        case GEN_OTHERNAME:
-                return a->d.otherName;
-
-        case GEN_EMAIL:
-        case GEN_DNS:
-        case GEN_URI:
-                return a->d.ia5;
-
-        case GEN_DIRNAME:
-                return a->d.dirn;
-
-        case GEN_IPADD:
-                return a->d.ip;
-        
-        case GEN_RID:
-                return a->d.rid;
-
-        default:
-                return NULL;
-                }
-        }
-
-int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
-                                ASN1_OBJECT *oid, ASN1_TYPE *value)
-        {
-        OTHERNAME *oth;
-        oth = OTHERNAME_new();
-        if (!oth)
-                return 0;
-        oth->type_id = oid;
-        oth->value = value;
-        GENERAL_NAME_set0_value(gen, GEN_OTHERNAME, oth);
-        return 1;
-        }
-
-int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen, 
-                                ASN1_OBJECT **poid, ASN1_TYPE **pvalue)
-        {
-        if (gen->type != GEN_OTHERNAME)
-                return 0;
-        if (poid)
-                *poid = gen->d.otherName->type_id;
-        if (pvalue)
-                *pvalue = gen->d.otherName->value;
-        return 1;
-        }
-
diff --git a/src/lib/libcrypto/x509v3/v3_lib.c b/src/lib/libcrypto/x509v3/v3_lib.c
index 0f1e1d4422..df3a48f43e 100644
--- a/src/lib/libcrypto/x509v3/v3_lib.c
+++ b/src/lib/libcrypto/x509v3/v3_lib.c
@@ -84,24 +84,20 @@ int X509V3_EXT_add(X509V3_EXT_METHOD *ext)
 }
 
 static int ext_cmp(const X509V3_EXT_METHOD * const *a,
-                   const X509V3_EXT_METHOD * const *b)
+                const X509V3_EXT_METHOD * const *b)
 {
         return ((*a)->ext_nid - (*b)->ext_nid);
 }
 
-DECLARE_OBJ_BSEARCH_CMP_FN(const X509V3_EXT_METHOD *, const X509V3_EXT_METHOD *,
-                           ext);
-IMPLEMENT_OBJ_BSEARCH_CMP_FN(const X509V3_EXT_METHOD *,
-                             const X509V3_EXT_METHOD *, ext);
-
-const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid)
+X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid)
 {
-        X509V3_EXT_METHOD tmp;
-        const X509V3_EXT_METHOD *t = &tmp, * const *ret;
+        X509V3_EXT_METHOD tmp, *t = &tmp, **ret;
         int idx;
         if(nid < 0) return NULL;
         tmp.ext_nid = nid;
-        ret = OBJ_bsearch_ext(&t, standard_exts, STANDARD_EXTENSION_COUNT);
+        ret = (X509V3_EXT_METHOD **) OBJ_bsearch((char *)&t,
+                        (char *)standard_exts, STANDARD_EXTENSION_COUNT,
+                        sizeof(X509V3_EXT_METHOD *), (int (*)(const void *, const void *))ext_cmp);
         if(ret) return *ret;
         if(!ext_list) return NULL;
         idx = sk_X509V3_EXT_METHOD_find(ext_list, &tmp);
@@ -109,7 +105,7 @@ const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid)
         return sk_X509V3_EXT_METHOD_value(ext_list, idx);
 }
 
-const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext)
+X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext)
 {
         int nid;
         if((nid = OBJ_obj2nid(ext->object)) == NID_undef) return NULL;
@@ -126,9 +122,7 @@ int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist)
 
 int X509V3_EXT_add_alias(int nid_to, int nid_from)
 {
-        const X509V3_EXT_METHOD *ext;
-        X509V3_EXT_METHOD *tmpext;
-
+        X509V3_EXT_METHOD *ext, *tmpext;
         if(!(ext = X509V3_EXT_get_nid(nid_from))) {
                 X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS,X509V3_R_EXTENSION_NOT_FOUND);
                 return 0;
@@ -167,7 +161,7 @@ int X509V3_add_standard_extensions(void)
 
 void *X509V3_EXT_d2i(X509_EXTENSION *ext)
 {
-        const X509V3_EXT_METHOD *method;
+        X509V3_EXT_METHOD *method;
         const unsigned char *p;
 
         if(!(method = X509V3_EXT_get(ext))) return NULL;
diff --git a/src/lib/libcrypto/x509v3/v3_ocsp.c b/src/lib/libcrypto/x509v3/v3_ocsp.c
index 0c165af314..e426ea930c 100644
--- a/src/lib/libcrypto/x509v3/v3_ocsp.c
+++ b/src/lib/libcrypto/x509v3/v3_ocsp.c
@@ -68,26 +68,19 @@
 /* OCSP extensions and a couple of CRL entry extensions
  */
 
-static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *nonce,
-                          BIO *out, int indent);
-static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *nonce,
-                            BIO *out, int indent);
-static int i2r_object(const X509V3_EXT_METHOD *method, void *obj, BIO *out,
-                      int indent);
+static int i2r_ocsp_crlid(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent);
+static int i2r_ocsp_acutoff(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent);
+static int i2r_object(X509V3_EXT_METHOD *method, void *obj, BIO *out, int indent);
 
 static void *ocsp_nonce_new(void);
 static int i2d_ocsp_nonce(void *a, unsigned char **pp);
 static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length);
 static void ocsp_nonce_free(void *a);
-static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce,
-                          BIO *out, int indent);
+static int i2r_ocsp_nonce(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent);
 
-static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method,
-                            void *nocheck, BIO *out, int indent);
-static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-                              const char *str);
-static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
-                               BIO *bp, int ind);
+static int i2r_ocsp_nocheck(X509V3_EXT_METHOD *method, void *nocheck, BIO *out, int indent);
+static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *str);
+static int i2r_ocsp_serviceloc(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind);
 
 const X509V3_EXT_METHOD v3_ocsp_crlid = {
         NID_id_pkix_OCSP_CrlID, 0, ASN1_ITEM_ref(OCSP_CRLID),
@@ -155,47 +148,44 @@ const X509V3_EXT_METHOD v3_ocsp_serviceloc = {
         NULL
 };
 
-static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *in, BIO *bp,
-                          int ind)
+static int i2r_ocsp_crlid(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
 {
         OCSP_CRLID *a = in;
         if (a->crlUrl)
                 {
-                if (BIO_printf(bp, "%*scrlUrl: ", ind, "") <= 0) goto err;
+                if (!BIO_printf(bp, "%*scrlUrl: ", ind, "")) goto err;
                 if (!ASN1_STRING_print(bp, (ASN1_STRING*)a->crlUrl)) goto err;
-                if (BIO_write(bp, "\n", 1) <= 0) goto err;
+                if (!BIO_write(bp, "\n", 1)) goto err;
                 }
         if (a->crlNum)
                 {
-                if (BIO_printf(bp, "%*scrlNum: ", ind, "") <= 0) goto err;
-                if (i2a_ASN1_INTEGER(bp, a->crlNum) <= 0) goto err;
-                if (BIO_write(bp, "\n", 1) <= 0) goto err;
+                if (!BIO_printf(bp, "%*scrlNum: ", ind, "")) goto err;
+                if (!i2a_ASN1_INTEGER(bp, a->crlNum)) goto err;
+                if (!BIO_write(bp, "\n", 1)) goto err;
                 }
         if (a->crlTime)
                 {
-                if (BIO_printf(bp, "%*scrlTime: ", ind, "") <= 0) goto err;
+                if (!BIO_printf(bp, "%*scrlTime: ", ind, "")) goto err;
                 if (!ASN1_GENERALIZEDTIME_print(bp, a->crlTime)) goto err;
-                if (BIO_write(bp, "\n", 1) <= 0) goto err;
+                if (!BIO_write(bp, "\n", 1)) goto err;
                 }
         return 1;
         err:
         return 0;
 }
 
-static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *cutoff,
-                            BIO *bp, int ind)
+static int i2r_ocsp_acutoff(X509V3_EXT_METHOD *method, void *cutoff, BIO *bp, int ind)
 {
-        if (BIO_printf(bp, "%*s", ind, "") <= 0) return 0;
+        if (!BIO_printf(bp, "%*s", ind, "")) return 0;
         if(!ASN1_GENERALIZEDTIME_print(bp, cutoff)) return 0;
         return 1;
 }
 
 
-static int i2r_object(const X509V3_EXT_METHOD *method, void *oid, BIO *bp,
-                      int ind)
+static int i2r_object(X509V3_EXT_METHOD *method, void *oid, BIO *bp, int ind)
 {
-        if (BIO_printf(bp, "%*s", ind, "") <= 0) return 0;
-        if(i2a_ASN1_OBJECT(bp, oid) <= 0) return 0;
+        if (!BIO_printf(bp, "%*s", ind, "")) return 0;
+        if(!i2a_ASN1_OBJECT(bp, oid)) return 0;
         return 1;
 }
 
@@ -242,8 +232,7 @@ static void ocsp_nonce_free(void *a)
         M_ASN1_OCTET_STRING_free(a);
 }
 
-static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce,
-                          BIO *out, int indent)
+static int i2r_ocsp_nonce(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent)
 {
         if(BIO_printf(out, "%*s", indent, "") <= 0) return 0;
         if(i2a_ASN1_STRING(out, nonce, V_ASN1_OCTET_STRING) <= 0) return 0;
@@ -252,20 +241,17 @@ static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce,
 
 /* Nocheck is just a single NULL. Don't print anything and always set it */
 
-static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, void *nocheck,
-                            BIO *out, int indent)
+static int i2r_ocsp_nocheck(X509V3_EXT_METHOD *method, void *nocheck, BIO *out, int indent)
 {
         return 1;
 }
 
-static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-                              const char *str)
+static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *str)
 {
         return ASN1_NULL_new();
 }
 
-static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
-                               BIO *bp, int ind)
+static int i2r_ocsp_serviceloc(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
         {
         int i;
         OCSP_SERVICELOC *a = in;
diff --git a/src/lib/libcrypto/x509v3/v3_prn.c b/src/lib/libcrypto/x509v3/v3_prn.c
index 3146218708..c1bb17f105 100644
--- a/src/lib/libcrypto/x509v3/v3_prn.c
+++ b/src/lib/libcrypto/x509v3/v3_prn.c
@@ -110,7 +110,7 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int inde
         void *ext_str = NULL;
         char *value = NULL;
         const unsigned char *p;
-        const X509V3_EXT_METHOD *method;        
+        X509V3_EXT_METHOD *method;      
         STACK_OF(CONF_VALUE) *nval = NULL;
         int ok = 1;
 
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c
index 181bd34979..e18751e01c 100644
--- a/src/lib/libcrypto/x509v3/v3_purp.c
+++ b/src/lib/libcrypto/x509v3/v3_purp.c
@@ -71,7 +71,6 @@ static int purpose_smime(const X509 *x, int ca);
 static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
 static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca);
 static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
-static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
 static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca);
 static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca);
 
@@ -88,7 +87,6 @@ static X509_PURPOSE xstandard[] = {
         {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
         {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL},
         {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL},
-        {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, 0, check_purpose_timestamp_sign, "Time Stamp signing", "timestampsign", NULL},
 };
 
 #define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE))
@@ -267,14 +265,11 @@ int X509_PURPOSE_get_trust(X509_PURPOSE *xp)
         return xp->trust;
 }
 
-static int nid_cmp(const int *a, const int *b)
+static int nid_cmp(int *a, int *b)
         {
         return *a - *b;
         }
 
-DECLARE_OBJ_BSEARCH_CMP_FN(int, int, nid);
-IMPLEMENT_OBJ_BSEARCH_CMP_FN(int, int, nid);
-
 int X509_supported_extension(X509_EXTENSION *ex)
         {
         /* This table is a list of the NIDs of supported extensions:
@@ -285,7 +280,7 @@ int X509_supported_extension(X509_EXTENSION *ex)
          * searched using bsearch.
          */
 
-        static const int supported_nids[] = {
+        static int supported_nids[] = {
                 NID_netscape_cert_type, /* 71 */
                 NID_key_usage,          /* 83 */
                 NID_subject_alt_name,   /* 85 */
@@ -297,62 +292,24 @@ int X509_supported_extension(X509_EXTENSION *ex)
                 NID_sbgp_autonomousSysNum, /* 291 */
 #endif
                 NID_policy_constraints, /* 401 */
-                NID_proxyCertInfo,      /* 663 */
-                NID_name_constraints,   /* 666 */
-                NID_policy_mappings,    /* 747 */
+                NID_proxyCertInfo,      /* 661 */
                 NID_inhibit_any_policy  /* 748 */
         };
 
-        int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
+        int ex_nid;
+
+        ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
 
         if (ex_nid == NID_undef) 
                 return 0;
 
-        if (OBJ_bsearch_nid(&ex_nid, supported_nids,
-                        sizeof(supported_nids)/sizeof(int)))
+        if (OBJ_bsearch((char *)&ex_nid, (char *)supported_nids,
+                sizeof(supported_nids)/sizeof(int), sizeof(int),
+                (int (*)(const void *, const void *))nid_cmp))
                 return 1;
         return 0;
         }
-
-static void setup_dp(X509 *x, DIST_POINT *dp)
-        {
-        X509_NAME *iname = NULL;
-        int i;
-        if (dp->reasons)
-                {
-                if (dp->reasons->length > 0)
-                        dp->dp_reasons = dp->reasons->data[0];
-                if (dp->reasons->length > 1)
-                        dp->dp_reasons |= (dp->reasons->data[1] << 8);
-                dp->dp_reasons &= CRLDP_ALL_REASONS;
-                }
-        else
-                dp->dp_reasons = CRLDP_ALL_REASONS;
-        if (!dp->distpoint || (dp->distpoint->type != 1))
-                return;
-        for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++)
-                {
-                GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
-                if (gen->type == GEN_DIRNAME)
-                        {
-                        iname = gen->d.directoryName;
-                        break;
-                        }
-                }
-        if (!iname)
-                iname = X509_get_issuer_name(x);
-
-        DIST_POINT_set_dpname(dp->distpoint, iname);
-
-        }
-
-static void setup_crldp(X509 *x)
-        {
-        int i;
-        x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
-        for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
-                setup_dp(x, sk_DIST_POINT_value(x->crldp, i));
-        }
+ 
 
 static void x509v3_cache_extensions(X509 *x)
 {
@@ -460,25 +417,16 @@ static void x509v3_cache_extensions(X509 *x)
         }
         x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
         x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
-        x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
-        x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
-        if (!x->nc && (i != -1))
-                x->ex_flags |= EXFLAG_INVALID;
-        setup_crldp(x);
-
 #ifndef OPENSSL_NO_RFC3779
-        x->rfc3779_addr =X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);
-        x->rfc3779_asid =X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum,
-                                          NULL, NULL);
+        x->rfc3779_addr =X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);
+        x->rfc3779_asid =X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum,
+                                          NULL, NULL);
 #endif
         for (i = 0; i < X509_get_ext_count(x); i++)
                 {
                 ex = X509_get_ext(x, i);
                 if (!X509_EXTENSION_get_critical(ex))
                         continue;
-                if (OBJ_obj2nid(X509_EXTENSION_get_object(ex))
-                                        == NID_freshest_crl)
-                        x->ex_flags |= EXFLAG_FRESHEST;
                 if (!X509_supported_extension(ex))
                         {
                         x->ex_flags |= EXFLAG_CRITICAL;
@@ -646,41 +594,6 @@ static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
         return 1;
 }
 
-static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
-                                        int ca)
-{
-        int i_ext;
-
-        /* If ca is true we must return if this is a valid CA certificate. */
-        if (ca) return check_ca(x);
-
-        /* 
-         * Check the optional key usage field:
-         * if Key Usage is present, it must be one of digitalSignature 
-         * and/or nonRepudiation (other values are not consistent and shall
-         * be rejected).
-         */
-        if ((x->ex_flags & EXFLAG_KUSAGE)
-            && ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) ||
-                !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE))))
-                return 0;
-
-        /* Only time stamp key usage is permitted and it's required. */
-        if (!(x->ex_flags & EXFLAG_XKUSAGE) || x->ex_xkusage != XKU_TIMESTAMP)
-                return 0;
-
-        /* Extended Key Usage MUST be critical */
-        i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, 0);
-        if (i_ext >= 0)
-                {
-                X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);
-                if (!X509_EXTENSION_get_critical(ext))
-                        return 0;
-                }
-
-        return 1;
-}
-
 static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
 {
         return 1;
@@ -705,14 +618,39 @@ int X509_check_issued(X509 *issuer, X509 *subject)
                                 return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
         x509v3_cache_extensions(issuer);
         x509v3_cache_extensions(subject);
-
-        if(subject->akid)
-                {
-                int ret = X509_check_akid(issuer, subject->akid);
-                if (ret != X509_V_OK)
-                        return ret;
+        if(subject->akid) {
+                /* Check key ids (if present) */
+                if(subject->akid->keyid && issuer->skid &&
+                 ASN1_OCTET_STRING_cmp(subject->akid->keyid, issuer->skid) )
+                                return X509_V_ERR_AKID_SKID_MISMATCH;
+                /* Check serial number */
+                if(subject->akid->serial &&
+                        ASN1_INTEGER_cmp(X509_get_serialNumber(issuer),
+                                                subject->akid->serial))
+                                return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
+                /* Check issuer name */
+                if(subject->akid->issuer) {
+                        /* Ugh, for some peculiar reason AKID includes
+                         * SEQUENCE OF GeneralName. So look for a DirName.
+                         * There may be more than one but we only take any
+                         * notice of the first.
+                         */
+                        GENERAL_NAMES *gens;
+                        GENERAL_NAME *gen;
+                        X509_NAME *nm = NULL;
+                        int i;
+                        gens = subject->akid->issuer;
+                        for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
+                                gen = sk_GENERAL_NAME_value(gens, i);
+                                if(gen->type == GEN_DIRNAME) {
+                                        nm = gen->d.dirn;
+                                        break;
+                                }
+                        }
+                        if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
+                                return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
                 }
-
+        }
         if(subject->ex_flags & EXFLAG_PROXY)
                 {
                 if(ku_reject(issuer, KU_DIGITAL_SIGNATURE))
@@ -723,45 +661,3 @@ int X509_check_issued(X509 *issuer, X509 *subject)
         return X509_V_OK;
 }
 
-int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
-        {
-
-        if(!akid)
-                return X509_V_OK;
-
-        /* Check key ids (if present) */
-        if(akid->keyid && issuer->skid &&
-                 ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) )
-                                return X509_V_ERR_AKID_SKID_MISMATCH;
-        /* Check serial number */
-        if(akid->serial &&
-                ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial))
-                                return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
-        /* Check issuer name */
-        if(akid->issuer)
-                {
-                /* Ugh, for some peculiar reason AKID includes
-                 * SEQUENCE OF GeneralName. So look for a DirName.
-                 * There may be more than one but we only take any
-                 * notice of the first.
-                 */
-                GENERAL_NAMES *gens;
-                GENERAL_NAME *gen;
-                X509_NAME *nm = NULL;
-                int i;
-                gens = akid->issuer;
-                for(i = 0; i < sk_GENERAL_NAME_num(gens); i++)
-                        {
-                        gen = sk_GENERAL_NAME_value(gens, i);
-                        if(gen->type == GEN_DIRNAME)
-                                {
-                                nm = gen->d.dirn;
-                                break;
-                                }
-                        }
-                if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
-                        return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
-                }
-        return X509_V_OK;
-        }
-
diff --git a/src/lib/libcrypto/x509v3/v3_utl.c b/src/lib/libcrypto/x509v3/v3_utl.c
index e030234540..2cb53008e3 100644
--- a/src/lib/libcrypto/x509v3/v3_utl.c
+++ b/src/lib/libcrypto/x509v3/v3_utl.c
@@ -67,9 +67,9 @@
 
 static char *strip_spaces(char *name);
 static int sk_strcmp(const char * const *a, const char * const *b);
-static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name, GENERAL_NAMES *gens);
-static void str_free(OPENSSL_STRING str);
-static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email);
+static STACK *get_email(X509_NAME *name, GENERAL_NAMES *gens);
+static void str_free(void *str);
+static int append_ia5(STACK **sk, ASN1_IA5STRING *email);
 
 static int ipv4_from_asc(unsigned char *v4, const char *in);
 static int ipv6_from_asc(unsigned char *v6, const char *in);
@@ -344,7 +344,7 @@ static char *strip_spaces(char *name)
         char *p, *q;
         /* Skip over leading spaces */
         p = name;
-        while(*p && isspace((unsigned char)*p)) p++;
+        while(isspace((unsigned char)*p)) p++;
         if(!*p) return NULL;
         q = p + strlen(p) - 1;
         while((q != p) && isspace((unsigned char)*q)) q--;
@@ -360,10 +360,10 @@ static char *strip_spaces(char *name)
  * @@@ (Contents of buffer are always kept in ASCII, also on EBCDIC machines)
  */
 
-char *hex_to_string(const unsigned char *buffer, long len)
+char *hex_to_string(unsigned char *buffer, long len)
 {
         char *tmp, *q;
-        const unsigned char *p;
+        unsigned char *p;
         int i;
         const static char hexdig[] = "0123456789ABCDEF";
         if(!buffer || !len) return NULL;
@@ -389,7 +389,7 @@ char *hex_to_string(const unsigned char *buffer, long len)
  * a buffer
  */
 
-unsigned char *string_to_hex(const char *str, long *len)
+unsigned char *string_to_hex(char *str, long *len)
 {
         unsigned char *hexbuf, *q;
         unsigned char ch, cl, *p;
@@ -463,23 +463,21 @@ static int sk_strcmp(const char * const *a, const char * const *b)
         return strcmp(*a, *b);
 }
 
-STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x)
+STACK *X509_get1_email(X509 *x)
 {
         GENERAL_NAMES *gens;
-        STACK_OF(OPENSSL_STRING) *ret;
-
+        STACK *ret;
         gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
         ret = get_email(X509_get_subject_name(x), gens);
         sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
         return ret;
 }
 
-STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x)
+STACK *X509_get1_ocsp(X509 *x)
 {
         AUTHORITY_INFO_ACCESS *info;
-        STACK_OF(OPENSSL_STRING) *ret = NULL;
+        STACK *ret = NULL;
         int i;
-
         info = X509_get_ext_d2i(x, NID_info_access, NULL, NULL);
         if (!info)
                 return NULL;
@@ -499,12 +497,11 @@ STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x)
         return ret;
 }
 
-STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x)
+STACK *X509_REQ_get1_email(X509_REQ *x)
 {
         GENERAL_NAMES *gens;
         STACK_OF(X509_EXTENSION) *exts;
-        STACK_OF(OPENSSL_STRING) *ret;
-
+        STACK *ret;
         exts = X509_REQ_get_extensions(x);
         gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL);
         ret = get_email(X509_REQ_get_subject_name(x), gens);
@@ -514,9 +511,9 @@ STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x)
 }
 
 
-static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name, GENERAL_NAMES *gens)
+static STACK *get_email(X509_NAME *name, GENERAL_NAMES *gens)
 {
-        STACK_OF(OPENSSL_STRING) *ret = NULL;
+        STACK *ret = NULL;
         X509_NAME_ENTRY *ne;
         ASN1_IA5STRING *email;
         GENERAL_NAME *gen;
@@ -539,23 +536,23 @@ static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name, GENERAL_NAMES *gens)
         return ret;
 }
 
-static void str_free(OPENSSL_STRING str)
+static void str_free(void *str)
 {
         OPENSSL_free(str);
 }
 
-static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email)
+static int append_ia5(STACK **sk, ASN1_IA5STRING *email)
 {
         char *emtmp;
         /* First some sanity checks */
         if(email->type != V_ASN1_IA5STRING) return 1;
         if(!email->data || !email->length) return 1;
-        if(!*sk) *sk = sk_OPENSSL_STRING_new(sk_strcmp);
+        if(!*sk) *sk = sk_new(sk_strcmp);
         if(!*sk) return 0;
         /* Don't add duplicates */
-        if(sk_OPENSSL_STRING_find(*sk, (char *)email->data) != -1) return 1;
+        if(sk_find(*sk, (char *)email->data) != -1) return 1;
         emtmp = BUF_strdup((char *)email->data);
-        if(!emtmp || !sk_OPENSSL_STRING_push(*sk, emtmp)) {
+        if(!emtmp || !sk_push(*sk, emtmp)) {
                 X509_email_free(*sk);
                 *sk = NULL;
                 return 0;
@@ -563,9 +560,9 @@ static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email)
         return 1;
 }
 
-void X509_email_free(STACK_OF(OPENSSL_STRING) *sk)
+void X509_email_free(STACK *sk)
 {
-        sk_OPENSSL_STRING_pop_free(sk, str_free);
+        sk_pop_free(sk, str_free);
 }
 
 /* Convert IP addresses both IPv4 and IPv6 into an 
diff --git a/src/lib/libcrypto/x509v3/v3conf.c b/src/lib/libcrypto/x509v3/v3conf.c
new file mode 100644
index 0000000000..a9e6ca3542
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3conf.c
@@ -0,0 +1,127 @@
+/* v3conf.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/conf.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+/* Test application to add extensions from a config file */
+
+int main(int argc, char **argv)
+{
+        LHASH *conf;
+        X509 *cert;
+        FILE *inf;
+        char *conf_file;
+        int i;
+        int count;
+        X509_EXTENSION *ext;
+        X509V3_add_standard_extensions();
+        ERR_load_crypto_strings();
+        if(!argv[1]) {
+                fprintf(stderr, "Usage: v3conf cert.pem [file.cnf]\n");
+                exit(1);
+        }
+        conf_file = argv[2];
+        if(!conf_file) conf_file = "test.cnf";
+        conf = CONF_load(NULL, "test.cnf", NULL);
+        if(!conf) {
+                fprintf(stderr, "Error opening Config file %s\n", conf_file);
+                ERR_print_errors_fp(stderr);
+                exit(1);
+        }
+
+        inf = fopen(argv[1], "r");
+        if(!inf) {
+                fprintf(stderr, "Can't open certificate file %s\n", argv[1]);
+                exit(1);
+        }
+        cert = PEM_read_X509(inf, NULL, NULL);
+        if(!cert) {
+                fprintf(stderr, "Error reading certificate file %s\n", argv[1]);
+                exit(1);
+        }
+        fclose(inf);
+
+        sk_pop_free(cert->cert_info->extensions, X509_EXTENSION_free);
+        cert->cert_info->extensions = NULL;
+
+        if(!X509V3_EXT_add_conf(conf, NULL, "test_section", cert)) {
+                fprintf(stderr, "Error adding extensions\n");
+                ERR_print_errors_fp(stderr);
+                exit(1);
+        }
+
+        count = X509_get_ext_count(cert);
+        printf("%d extensions\n", count);
+        for(i = 0; i < count; i++) {
+                ext = X509_get_ext(cert, i);
+                printf("%s", OBJ_nid2ln(OBJ_obj2nid(ext->object)));
+                if(ext->critical) printf(",critical:\n");
+                else printf(":\n");
+                X509V3_EXT_print_fp(stdout, ext, 0, 0);
+                printf("\n");
+                
+        }
+        return 0;
+}
+
diff --git a/src/lib/libcrypto/x509v3/v3err.c b/src/lib/libcrypto/x509v3/v3err.c
index f9f6f1f91f..d538ad8b80 100644
--- a/src/lib/libcrypto/x509v3/v3err.c
+++ b/src/lib/libcrypto/x509v3/v3err.c
@@ -1,6 +1,6 @@
 /* crypto/x509v3/v3err.c */
 /* ====================================================================
- * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -70,7 +70,6 @@
 
 static ERR_STRING_DATA X509V3_str_functs[]=
         {
-{ERR_FUNC(X509V3_F_A2I_GENERAL_NAME),   "A2I_GENERAL_NAME"},
 {ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE),        "ASIDENTIFIERCHOICE_CANONIZE"},
 {ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL),    "ASIDENTIFIERCHOICE_IS_CANONICAL"},
 {ERR_FUNC(X509V3_F_COPY_EMAIL), "COPY_EMAIL"},
@@ -80,7 +79,6 @@ static ERR_STRING_DATA X509V3_str_functs[]=
 {ERR_FUNC(X509V3_F_DO_EXT_I2D), "DO_EXT_I2D"},
 {ERR_FUNC(X509V3_F_DO_EXT_NCONF),       "DO_EXT_NCONF"},
 {ERR_FUNC(X509V3_F_DO_I2V_NAME_CONSTRAINTS),    "DO_I2V_NAME_CONSTRAINTS"},
-{ERR_FUNC(X509V3_F_GNAMES_FROM_SECTNAME),       "GNAMES_FROM_SECTNAME"},
 {ERR_FUNC(X509V3_F_HEX_TO_STRING),      "hex_to_string"},
 {ERR_FUNC(X509V3_F_I2S_ASN1_ENUMERATED),        "i2s_ASN1_ENUMERATED"},
 {ERR_FUNC(X509V3_F_I2S_ASN1_IA5STRING), "I2S_ASN1_IA5STRING"},
@@ -97,7 +95,6 @@ static ERR_STRING_DATA X509V3_str_functs[]=
 {ERR_FUNC(X509V3_F_S2I_ASN1_OCTET_STRING),      "s2i_ASN1_OCTET_STRING"},
 {ERR_FUNC(X509V3_F_S2I_ASN1_SKEY_ID),   "S2I_ASN1_SKEY_ID"},
 {ERR_FUNC(X509V3_F_S2I_SKEY_ID),        "S2I_SKEY_ID"},
-{ERR_FUNC(X509V3_F_SET_DIST_POINT_NAME),        "SET_DIST_POINT_NAME"},
 {ERR_FUNC(X509V3_F_STRING_TO_HEX),      "string_to_hex"},
 {ERR_FUNC(X509V3_F_SXNET_ADD_ID_ASC),   "SXNET_add_id_asc"},
 {ERR_FUNC(X509V3_F_SXNET_ADD_ID_INTEGER),       "SXNET_add_id_INTEGER"},
@@ -113,7 +110,6 @@ static ERR_STRING_DATA X509V3_str_functs[]=
 {ERR_FUNC(X509V3_F_V2I_EXTENDED_KEY_USAGE),     "V2I_EXTENDED_KEY_USAGE"},
 {ERR_FUNC(X509V3_F_V2I_GENERAL_NAMES),  "v2i_GENERAL_NAMES"},
 {ERR_FUNC(X509V3_F_V2I_GENERAL_NAME_EX),        "v2i_GENERAL_NAME_ex"},
-{ERR_FUNC(X509V3_F_V2I_IDP),    "V2I_IDP"},
 {ERR_FUNC(X509V3_F_V2I_IPADDRBLOCKS),   "V2I_IPADDRBLOCKS"},
 {ERR_FUNC(X509V3_F_V2I_ISSUER_ALT),     "V2I_ISSUER_ALT"},
 {ERR_FUNC(X509V3_F_V2I_NAME_CONSTRAINTS),       "V2I_NAME_CONSTRAINTS"},
@@ -145,7 +141,6 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {ERR_REASON(X509V3_R_BN_DEC2BN_ERROR)    ,"bn dec2bn error"},
 {ERR_REASON(X509V3_R_BN_TO_ASN1_INTEGER_ERROR),"bn to asn1 integer error"},
 {ERR_REASON(X509V3_R_DIRNAME_ERROR)      ,"dirname error"},
-{ERR_REASON(X509V3_R_DISTPOINT_ALREADY_SET),"distpoint already set"},
 {ERR_REASON(X509V3_R_DUPLICATE_ZONE_ID)  ,"duplicate zone id"},
 {ERR_REASON(X509V3_R_ERROR_CONVERTING_ZONE),"error converting zone"},
 {ERR_REASON(X509V3_R_ERROR_CREATING_EXTENSION),"error creating extension"},
@@ -159,7 +154,6 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {ERR_REASON(X509V3_R_ILLEGAL_EMPTY_EXTENSION),"illegal empty extension"},
 {ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT)  ,"illegal hex digit"},
 {ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG),"incorrect policy syntax tag"},
-{ERR_REASON(X509V3_R_INVALID_MULTIPLE_RDNS),"invalid multiple rdns"},
 {ERR_REASON(X509V3_R_INVALID_ASNUMBER)   ,"invalid asnumber"},
 {ERR_REASON(X509V3_R_INVALID_ASRANGE)    ,"invalid asrange"},
 {ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING),"invalid boolean string"},
@@ -193,9 +187,9 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {ERR_REASON(X509V3_R_ODD_NUMBER_OF_DIGITS),"odd number of digits"},
 {ERR_REASON(X509V3_R_OPERATION_NOT_DEFINED),"operation not defined"},
 {ERR_REASON(X509V3_R_OTHERNAME_ERROR)    ,"othername error"},
-{ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED),"policy language already defined"},
+{ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED),"policy language alreadty defined"},
 {ERR_REASON(X509V3_R_POLICY_PATH_LENGTH) ,"policy path length"},
-{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED),"policy path length already defined"},
+{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED),"policy path length alreadty defined"},
 {ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED),"policy syntax not currently supported"},
 {ERR_REASON(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY),"policy when proxy language requires no policy"},
 {ERR_REASON(X509V3_R_SECTION_NOT_FOUND)  ,"section not found"},
@@ -206,7 +200,6 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {ERR_REASON(X509V3_R_UNKNOWN_EXTENSION_NAME),"unknown extension name"},
 {ERR_REASON(X509V3_R_UNKNOWN_OPTION)     ,"unknown option"},
 {ERR_REASON(X509V3_R_UNSUPPORTED_OPTION) ,"unsupported option"},
-{ERR_REASON(X509V3_R_UNSUPPORTED_TYPE)   ,"unsupported type"},
 {ERR_REASON(X509V3_R_USER_TOO_LONG)      ,"user too long"},
 {0,NULL}
         };
diff --git a/src/lib/libcrypto/x509v3/v3prin.c b/src/lib/libcrypto/x509v3/v3prin.c
new file mode 100644
index 0000000000..d5ff268296
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3prin.c
@@ -0,0 +1,99 @@
+/* v3prin.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+
+#include <stdio.h>
+#include <openssl/asn1.h>
+#include <openssl/conf.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+int main(int argc, char **argv)
+{
+        X509 *cert;
+        FILE *inf;
+        int i, count;
+        X509_EXTENSION *ext;
+        X509V3_add_standard_extensions();
+        ERR_load_crypto_strings();
+        if(!argv[1]) {
+                fprintf(stderr, "Usage v3prin cert.pem\n");
+                exit(1);
+        }
+        if(!(inf = fopen(argv[1], "r"))) {
+                fprintf(stderr, "Can't open %s\n", argv[1]);
+                exit(1);
+        }
+        if(!(cert = PEM_read_X509(inf, NULL, NULL))) {
+                fprintf(stderr, "Can't read certificate %s\n", argv[1]);
+                ERR_print_errors_fp(stderr);
+                exit(1);
+        }
+        fclose(inf);
+        count = X509_get_ext_count(cert);
+        printf("%d extensions\n", count);
+        for(i = 0; i < count; i++) {
+                ext = X509_get_ext(cert, i);
+                printf("%s\n", OBJ_nid2ln(OBJ_obj2nid(ext->object)));
+                if(!X509V3_EXT_print_fp(stdout, ext, 0, 0)) ERR_print_errors_fp(stderr);
+                printf("\n");
+                
+        }
+        return 0;
+}
diff --git a/src/lib/libcrypto/x509v3/x509v3.h b/src/lib/libcrypto/x509v3/x509v3.h
index b308abe7cd..9ef83da755 100644
--- a/src/lib/libcrypto/x509v3/x509v3.h
+++ b/src/lib/libcrypto/x509v3/x509v3.h
@@ -76,19 +76,12 @@ typedef void * (*X509V3_EXT_NEW)(void);
 typedef void (*X509V3_EXT_FREE)(void *);
 typedef void * (*X509V3_EXT_D2I)(void *, const unsigned char ** , long);
 typedef int (*X509V3_EXT_I2D)(void *, unsigned char **);
-typedef STACK_OF(CONF_VALUE) *
-  (*X509V3_EXT_I2V)(const struct v3_ext_method *method, void *ext,
-                    STACK_OF(CONF_VALUE) *extlist);
-typedef void * (*X509V3_EXT_V2I)(const struct v3_ext_method *method,
-                                 struct v3_ext_ctx *ctx,
-                                 STACK_OF(CONF_VALUE) *values);
-typedef char * (*X509V3_EXT_I2S)(const struct v3_ext_method *method, void *ext);
-typedef void * (*X509V3_EXT_S2I)(const struct v3_ext_method *method,
-                                 struct v3_ext_ctx *ctx, const char *str);
-typedef int (*X509V3_EXT_I2R)(const struct v3_ext_method *method, void *ext,
-                              BIO *out, int indent);
-typedef void * (*X509V3_EXT_R2I)(const struct v3_ext_method *method,
-                                 struct v3_ext_ctx *ctx, const char *str);
+typedef STACK_OF(CONF_VALUE) * (*X509V3_EXT_I2V)(struct v3_ext_method *method, void *ext, STACK_OF(CONF_VALUE) *extlist);
+typedef void * (*X509V3_EXT_V2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, STACK_OF(CONF_VALUE) *values);
+typedef char * (*X509V3_EXT_I2S)(struct v3_ext_method *method, void *ext);
+typedef void * (*X509V3_EXT_S2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, const char *str);
+typedef int (*X509V3_EXT_I2R)(struct v3_ext_method *method, void *ext, BIO *out, int indent);
+typedef void * (*X509V3_EXT_R2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, const char *str);
 
 /* V3 extension structure */
 
@@ -227,41 +220,24 @@ union {
         GENERAL_NAMES *fullname;
         STACK_OF(X509_NAME_ENTRY) *relativename;
 } name;
-/* If relativename then this contains the full distribution point name */
-X509_NAME *dpname;
 } DIST_POINT_NAME;
-/* All existing reasons */
-#define CRLDP_ALL_REASONS       0x807f
-
-#define CRL_REASON_NONE                         -1
-#define CRL_REASON_UNSPECIFIED                  0
-#define CRL_REASON_KEY_COMPROMISE               1
-#define CRL_REASON_CA_COMPROMISE                2
-#define CRL_REASON_AFFILIATION_CHANGED          3
-#define CRL_REASON_SUPERSEDED                   4
-#define CRL_REASON_CESSATION_OF_OPERATION       5
-#define CRL_REASON_CERTIFICATE_HOLD             6
-#define CRL_REASON_REMOVE_FROM_CRL              8
-#define CRL_REASON_PRIVILEGE_WITHDRAWN          9
-#define CRL_REASON_AA_COMPROMISE                10
-
-struct DIST_POINT_st {
+
+typedef struct DIST_POINT_st {
 DIST_POINT_NAME *distpoint;
 ASN1_BIT_STRING *reasons;
 GENERAL_NAMES *CRLissuer;
-int dp_reasons;
-};
+} DIST_POINT;
 
 typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS;
 
 DECLARE_STACK_OF(DIST_POINT)
 DECLARE_ASN1_SET_OF(DIST_POINT)
 
-struct AUTHORITY_KEYID_st {
+typedef struct AUTHORITY_KEYID_st {
 ASN1_OCTET_STRING *keyid;
 GENERAL_NAMES *issuer;
 ASN1_INTEGER *serial;
-};
+} AUTHORITY_KEYID;
 
 /* Strong extranet structures */
 
@@ -327,10 +303,10 @@ typedef struct GENERAL_SUBTREE_st {
 
 DECLARE_STACK_OF(GENERAL_SUBTREE)
 
-struct NAME_CONSTRAINTS_st {
+typedef struct NAME_CONSTRAINTS_st {
         STACK_OF(GENERAL_SUBTREE) *permittedSubtrees;
         STACK_OF(GENERAL_SUBTREE) *excludedSubtrees;
-};
+} NAME_CONSTRAINTS;
 
 typedef struct POLICY_CONSTRAINTS_st {
         ASN1_INTEGER *requireExplicitPolicy;
@@ -353,31 +329,6 @@ typedef struct PROXY_CERT_INFO_EXTENSION_st
 DECLARE_ASN1_FUNCTIONS(PROXY_POLICY)
 DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
 
-struct ISSUING_DIST_POINT_st
-        {
-        DIST_POINT_NAME *distpoint;
-        int onlyuser;
-        int onlyCA;
-        ASN1_BIT_STRING *onlysomereasons;
-        int indirectCRL;
-        int onlyattr;
-        };
-
-/* Values in idp_flags field */
-/* IDP present */
-#define IDP_PRESENT     0x1
-/* IDP values inconsistent */
-#define IDP_INVALID     0x2
-/* onlyuser true */
-#define IDP_ONLYUSER    0x4
-/* onlyCA true */
-#define IDP_ONLYCA      0x8
-/* onlyattr true */
-#define IDP_ONLYATTR    0x10
-/* indirectCRL true */
-#define IDP_INDIRECT    0x20
-/* onlysomereasons present */
-#define IDP_REASONS     0x40
 
 #define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \
 ",name:", val->name, ",value:", val->value);
@@ -422,7 +373,6 @@ struct ISSUING_DIST_POINT_st
 #define EXFLAG_PROXY            0x400
 
 #define EXFLAG_INVALID_POLICY   0x800
-#define EXFLAG_FRESHEST         0x1000
 
 #define KU_DIGITAL_SIGNATURE    0x0080
 #define KU_NON_REPUDIATION      0x0040
@@ -474,10 +424,9 @@ typedef struct x509_purpose_st {
 #define X509_PURPOSE_CRL_SIGN           6
 #define X509_PURPOSE_ANY                7
 #define X509_PURPOSE_OCSP_HELPER        8
-#define X509_PURPOSE_TIMESTAMP_SIGN     9
 
 #define X509_PURPOSE_MIN                1
-#define X509_PURPOSE_MAX                9
+#define X509_PURPOSE_MAX                8
 
 /* Flags for X509V3_EXT_print() */
 
@@ -522,9 +471,6 @@ DECLARE_ASN1_FUNCTIONS(AUTHORITY_KEYID)
 DECLARE_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD)
 
 DECLARE_ASN1_FUNCTIONS(GENERAL_NAME)
-GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a);
-int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b);
-
 
 
 ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
@@ -540,18 +486,11 @@ DECLARE_ASN1_FUNCTIONS(GENERAL_NAMES)
 
 STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
                 GENERAL_NAMES *gen, STACK_OF(CONF_VALUE) *extlist);
-GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
-                                 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+GENERAL_NAMES *v2i_GENERAL_NAMES(X509V3_EXT_METHOD *method,
+                                X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
 
 DECLARE_ASN1_FUNCTIONS(OTHERNAME)
 DECLARE_ASN1_FUNCTIONS(EDIPARTYNAME)
-int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b);
-void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value);
-void *GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype);
-int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
-                                ASN1_OBJECT *oid, ASN1_TYPE *value);
-int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen, 
-                                ASN1_OBJECT **poid, ASN1_TYPE **pvalue);
 
 char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *ia5);
 ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
@@ -568,11 +507,6 @@ DECLARE_ASN1_FUNCTIONS(NOTICEREF)
 DECLARE_ASN1_FUNCTIONS(CRL_DIST_POINTS)
 DECLARE_ASN1_FUNCTIONS(DIST_POINT)
 DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME)
-DECLARE_ASN1_FUNCTIONS(ISSUING_DIST_POINT)
-
-int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname);
-
-int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc);
 
 DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION)
 DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS)
@@ -590,16 +524,11 @@ DECLARE_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
 DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
 DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS)
 
-GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
-                               const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-                               int gen_type, char *value, int is_nc);
-
 #ifdef HEADER_CONF_H
-GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-                               CONF_VALUE *cnf);
-GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
-                                  const X509V3_EXT_METHOD *method,
-                                  X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc);
+GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+                                                        CONF_VALUE *cnf);
+GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out, X509V3_EXT_METHOD *method,
+                                X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc);
 void X509V3_conf_free(CONF_VALUE *val);
 
 X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, char *value);
@@ -609,23 +538,18 @@ int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509 *cert)
 int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509_REQ *req);
 int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509_CRL *crl);
 
-X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-                                    int ext_nid, char *value);
-X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-                                char *name, char *value);
-int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-                        char *section, X509 *cert);
-int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-                            char *section, X509_REQ *req);
-int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-                            char *section, X509_CRL *crl);
+X509_EXTENSION *X509V3_EXT_conf_nid(LHASH *conf, X509V3_CTX *ctx, int ext_nid, char *value);
+X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name, char *value);
+int X509V3_EXT_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509 *cert);
+int X509V3_EXT_REQ_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509_REQ *req);
+int X509V3_EXT_CRL_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509_CRL *crl);
 
 int X509V3_add_value_bool_nf(char *name, int asn1_bool,
-                             STACK_OF(CONF_VALUE) **extlist);
+                                                STACK_OF(CONF_VALUE) **extlist);
 int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool);
 int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint);
 void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf);
-void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash);
+void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH *lhash);
 #endif
 
 char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section);
@@ -652,8 +576,8 @@ int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist);
 int X509V3_EXT_add_alias(int nid_to, int nid_from);
 void X509V3_EXT_cleanup(void);
 
-const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext);
-const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
+X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext);
+X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
 int X509V3_add_standard_extensions(void);
 STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line);
 void *X509V3_EXT_d2i(X509_EXTENSION *ext);
@@ -663,8 +587,8 @@ void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx);
 X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
 int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, int crit, unsigned long flags);
 
-char *hex_to_string(const unsigned char *buffer, long len);
-unsigned char *string_to_hex(const char *str, long *len);
+char *hex_to_string(unsigned char *buffer, long len);
+unsigned char *string_to_hex(char *str, long *len);
 int name_cmp(const char *name, const char *cmp);
 
 void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent,
@@ -679,7 +603,6 @@ int X509_check_purpose(X509 *x, int id, int ca);
 int X509_supported_extension(X509_EXTENSION *ex);
 int X509_PURPOSE_set(int *p, int purpose);
 int X509_check_issued(X509 *issuer, X509 *subject);
-int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid);
 int X509_PURPOSE_get_count(void);
 X509_PURPOSE * X509_PURPOSE_get0(int idx);
 int X509_PURPOSE_get_by_sname(char *sname);
@@ -693,10 +616,10 @@ int X509_PURPOSE_get_trust(X509_PURPOSE *xp);
 void X509_PURPOSE_cleanup(void);
 int X509_PURPOSE_get_id(X509_PURPOSE *);
 
-STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x);
-STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x);
-void X509_email_free(STACK_OF(OPENSSL_STRING) *sk);
-STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
+STACK *X509_get1_email(X509 *x);
+STACK *X509_REQ_get1_email(X509_REQ *x);
+void X509_email_free(STACK *sk);
+STACK *X509_get1_ocsp(X509 *x);
 
 ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc);
 ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc);
@@ -705,7 +628,6 @@ int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
                                                 unsigned long chtype);
 
 void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
-DECLARE_STACK_OF(X509_POLICY_NODE)
 
 #ifndef OPENSSL_NO_RFC3779
 
@@ -865,9 +787,8 @@ void ERR_load_X509V3_strings(void);
 /* Error codes for the X509V3 functions. */
 
 /* Function codes. */
-#define X509V3_F_A2I_GENERAL_NAME                        164
-#define X509V3_F_ASIDENTIFIERCHOICE_CANONIZE             161
-#define X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL         162
+#define X509V3_F_ASIDENTIFIERCHOICE_CANONIZE             156
+#define X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL         157
 #define X509V3_F_COPY_EMAIL                              122
 #define X509V3_F_COPY_ISSUER                             123
 #define X509V3_F_DO_DIRNAME                              144
@@ -875,7 +796,6 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_F_DO_EXT_I2D                              135
 #define X509V3_F_DO_EXT_NCONF                            151
 #define X509V3_F_DO_I2V_NAME_CONSTRAINTS                 148
-#define X509V3_F_GNAMES_FROM_SECTNAME                    156
 #define X509V3_F_HEX_TO_STRING                           111
 #define X509V3_F_I2S_ASN1_ENUMERATED                     121
 #define X509V3_F_I2S_ASN1_IA5STRING                      149
@@ -892,14 +812,13 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_F_S2I_ASN1_OCTET_STRING                   112
 #define X509V3_F_S2I_ASN1_SKEY_ID                        114
 #define X509V3_F_S2I_SKEY_ID                             115
-#define X509V3_F_SET_DIST_POINT_NAME                     158
 #define X509V3_F_STRING_TO_HEX                           113
 #define X509V3_F_SXNET_ADD_ID_ASC                        125
 #define X509V3_F_SXNET_ADD_ID_INTEGER                    126
 #define X509V3_F_SXNET_ADD_ID_ULONG                      127
 #define X509V3_F_SXNET_GET_ID_ASC                        128
 #define X509V3_F_SXNET_GET_ID_ULONG                      129
-#define X509V3_F_V2I_ASIDENTIFIERS                       163
+#define X509V3_F_V2I_ASIDENTIFIERS                       158
 #define X509V3_F_V2I_ASN1_BIT_STRING                     101
 #define X509V3_F_V2I_AUTHORITY_INFO_ACCESS               139
 #define X509V3_F_V2I_AUTHORITY_KEYID                     119
@@ -908,7 +827,6 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_F_V2I_EXTENDED_KEY_USAGE                  103
 #define X509V3_F_V2I_GENERAL_NAMES                       118
 #define X509V3_F_V2I_GENERAL_NAME_EX                     117
-#define X509V3_F_V2I_IDP                                 157
 #define X509V3_F_V2I_IPADDRBLOCKS                        159
 #define X509V3_F_V2I_ISSUER_ALT                          153
 #define X509V3_F_V2I_NAME_CONSTRAINTS                    147
@@ -937,7 +855,6 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_R_BN_DEC2BN_ERROR                         100
 #define X509V3_R_BN_TO_ASN1_INTEGER_ERROR                101
 #define X509V3_R_DIRNAME_ERROR                           149
-#define X509V3_R_DISTPOINT_ALREADY_SET                   160
 #define X509V3_R_DUPLICATE_ZONE_ID                       133
 #define X509V3_R_ERROR_CONVERTING_ZONE                   131
 #define X509V3_R_ERROR_CREATING_EXTENSION                144
@@ -951,13 +868,12 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_R_ILLEGAL_EMPTY_EXTENSION                 151
 #define X509V3_R_ILLEGAL_HEX_DIGIT                       113
 #define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG             152
-#define X509V3_R_INVALID_MULTIPLE_RDNS                   161
-#define X509V3_R_INVALID_ASNUMBER                        162
-#define X509V3_R_INVALID_ASRANGE                         163
+#define X509V3_R_INVALID_ASNUMBER                        160
+#define X509V3_R_INVALID_ASRANGE                         161
 #define X509V3_R_INVALID_BOOLEAN_STRING                  104
 #define X509V3_R_INVALID_EXTENSION_STRING                105
-#define X509V3_R_INVALID_INHERITANCE                     165
-#define X509V3_R_INVALID_IPADDRESS                       166
+#define X509V3_R_INVALID_INHERITANCE                     162
+#define X509V3_R_INVALID_IPADDRESS                       163
 #define X509V3_R_INVALID_NAME                            106
 #define X509V3_R_INVALID_NULL_ARGUMENT                   107
 #define X509V3_R_INVALID_NULL_NAME                       108
@@ -985,9 +901,9 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_R_ODD_NUMBER_OF_DIGITS                    112
 #define X509V3_R_OPERATION_NOT_DEFINED                   148
 #define X509V3_R_OTHERNAME_ERROR                         147
-#define X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED         155
+#define X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED        155
 #define X509V3_R_POLICY_PATH_LENGTH                      156
-#define X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED      157
+#define X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED     157
 #define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED   158
 #define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 159
 #define X509V3_R_SECTION_NOT_FOUND                       150
@@ -998,7 +914,6 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_R_UNKNOWN_EXTENSION_NAME                  130
 #define X509V3_R_UNKNOWN_OPTION                          120
 #define X509V3_R_UNSUPPORTED_OPTION                      117
-#define X509V3_R_UNSUPPORTED_TYPE                        167
 #define X509V3_R_USER_TOO_LONG                           132
 
 #ifdef  __cplusplus